
International Journal of Reliability, Quality and Safety Engineering

 World Scientific Publishing Company

ENHANCING SAFETY IN SHIP’S CRITICAL SYSTEMS USING MARKOV MODELING

EVANGELOS MENNIS
Department of Shipping Trade and Transport, University of the Aegean, Korai 2a
Chios, 82100, Greece
v.mennis@aegean.gr

AGAPIOS PLATIS
Department of Financial and Management Engineering, University of the Aegean
Chios, 82100, Greece
platis@aegean.gr

NIKITAS NIKITAKOS
Department of Shipping Trade and Transport, University of the Aegean, Korai 2a
Chios, 82100, Greece
nnik@aegean.gr

JEAN GUY FONTAINE


Ecole Nationale Supérieure d'Ingénieurs
10 boulevard lahitolle 18020 Bourges cedex, France
jean-guy.fontaine@ensi-bourges.fr

Received (Day Month Year)


Revised (Day Month Year)

The current study uses reliability models for the improvement of the operation of a ship’s
“bilge-water separator” system. A “bilge-water separator” is a mechanism which cleans and inspects the
ship’s bilge water before it is discharged into the sea. Homogeneous continuous time Markov
models have been used to record and estimate possible hazards and system failures in two different
operational scenarios. If the photocell unit of the system fails, the ship may cause severe sea
pollution. This study attempts to estimate the probability of sea pollution based on empirical data. In
addition, the results of the model are compared with those of a system in which a second metering
unit is added, in an effort to find out if this alteration improves the system’s efficiency.

Keywords: Markov, Formal Safety Assessment, Marine Critical Systems

1. Introduction
In recent years the effort of protecting the environment has become a major necessity.
Catastrophic sea polluting accidents have occurred, such as those involving the “Exxon
Valdez” in Alaska, the “Prestige” in the Mediterranean sea etc. One of the steps taken by
the international community to address this issue was the formation of a regulatory
framework which aims at the reduction of sea pollution risk. Among the measures
adopted by the International Maritime Organization (IMO) is the “Formal Safety
Assessment” (FSA), a systematic and integrated methodology used for the improvement of
measures and regulations related to maritime safety. This paper examines how Markov
models could support the FSA methodology for the control of pollution risk.
 Current literature shows PRA (probabilistic risk assessment) research on nuclear
power plants, chemical industry, oil excavation etc. In comparison with these sectors less
research is available regarding maritime safety. Sii et al [1] have used a fuzzy logic
approach to model design variables of marine safety systems. Most of the studies (e.g.
Matsuoka [3], Antao [4]) have used event and fault tree analysis to estimate risks. In
addition, numerous studies have been conducted using mostly fault trees, by the
International Maritime Organization [9] on risk analysis of ship design and construction,
navigation, cargo management and maritime accidents.
This study focuses on failures of ship critical systems which could lead to pollution.
Markov models are effective in modeling failures that follow an exponential distribution
and occur in several parts of a ship, such as radars, cooling systems etc [8]. The system
under examination is called “bilge – water separator” (BWS).
The aim of the paper is to assess the probability of pollution states by using the BWS.
For this purpose, homogeneous continuous time Markov models are used in two
operational scenarios.
The following section presents the notation used in the paper. Section three gives
a brief description of the Markov methodology, followed by an illustration of the models
and numerical examples. The last section presents the conclusions of the paper.

2. Notation
• “P”: photocell unit that measures the quality of the water.
• “Valve”: the unit responsible for the extraction of the water into the sea.
  If the valve is closed the water goes back into the ship, and it is collected in a special
  tank until it is suitable again.
• “A”: automation system which accepts the command of the
  photocell in order to close the valve. In addition, the valve can be closed manually if
  the staff observes sea pollution.
• “λΑ, λΑ2”: automation failure rate.
• “λP, λp1_F”: photocell failure rate.
• “λoil”: frequency of the presence of oil in the BW.
• “μΑ, μΑ2”: automation repair rate.
• “μP, μp1_F”: photocell repair rate.
• “γΑ, γΑ1, γΑ2”: probability that the automation breaks down.
• “μtx” (x = 2, 4, 6, 8): rates for states 2, 4, 6, 8.
• “P1, P2”: two photocell units in the system.
• “A1”: automation that activates P2 when P1 fails.
• “A2”: automation that closes the valve.

3. Modeling Methodologies

3.1. Reliability methodologies


Researchers have developed several modeling methodologies in reliability analysis.
Among the most important and worth mentioning are “Events failure analysis of
systems”, “Functionality and risk analysis”, “Markov Models” and “Event – fault tree
analysis”. The first two methods are qualitative, while the others are quantitative. A
widely used deductive method is the fault tree analysis, which has been proved as a
manageable and efficient tool for the reliability analysis of technological systems
(Limnios [5]).
Markov theory offers the capability of recording the dynamic evolution of a system
through the state-space method. The system is described by its states and by the possible
transitions between these states illustrated by a state – space diagram, also known as the
Markov diagram. The various system states are defined by the components comprising
the system. By the state – space method the components are not restricted to having only
two possible states.
The system components may be in functioning, standby, completely failed, and under
maintenance mode. The various failure modes may also be defined as states. The
transitions among the states are caused by various mechanisms and activities such as
failures, repairs, replacements, and switching operations. This method can be used to
model rather complicated repairs and switching strategies.
Working with Markov graphs allows the visualization of the progress of alternate
failures and repairs as time passes, leading to system failure, and the computation of the
probability of measures being taken before a complete system failure. On the other hand,
using Markov models is not easy, due to the complexity of the graphs and the need to solve
large systems of linear equations in the case of complex systems.
The simplest, and the most commonly used Markov model is the Homogeneous
Markov Chain (HMC) which is characterized by the fact that the transition rates among
the states are constant. A more complex type is the Non-Homogeneous Markov Chain
(NHMC) where the transition rates are functions of a global “clock” (elapsed mission
time for instance). Homogeneous Continuous Time Markov Chains are used in the
paper’s case study. HCTMC concern stochastic processes which pass from state to state
in accordance with a Markov chain, but in a manner that the amount of time it spends in
each state, before proceeding to the next state, is exponentially distributed.
Generally, it can be assumed that the failure rate of the separator’s system follows a
standard bathtub curve. However, it can be considered that the system is functioning
within the useful life period (the wear-out period is avoided by preventive maintenance and
the infant mortality period is avoided by preliminary testing). Hence the failure rate is
considered constant (random failures) and can be modeled by the exponential
distribution. Repair and restoration rates are assumed to be constant too. In the case of
non-constant repair and restoration rates a semi-Markov model could be used. This will
be the logical continuation of this work in further research.

3.2. Formal Safety Assessment


Formal Safety Assessment is a process developed and applied at the International Maritime
Organization for supporting the evaluation of new regulations or for comparing
proposed changes with existing standards.
The process of analyzing a system follows a five step approach:

• Identification of hazards.
• Assessment of risks.
• Risk control options.
• Cost – benefit assessment.
• Recommendations for decision making.

The first step aims at identifying the hazards concerning the problem under
examination. The process involves experienced personnel for the designation of hazards.
In this step several safety assessment techniques have been used such as Preliminary
Hazard Analysis (PHA), Failure Mode Effects and Criticality Analysis (FMECA), and
Hazard – Operability (HAZOP) study.
The purpose of the second step is to assess risks and factors concerning safety. In this
phase, the analysts try to record in which way hazardous events develop and interact to
cause an accident. In comparison with the previous techniques Markov models provide
the following advantages:

• They take into account the repairs of the components.
• The reliability and availability computations can be carried out.
• The normal / standby operating sequences and the changes in the configuration of
  the system under study can also be considered.

The management of risks aims at proposing efficient risk control options. High risk
events can be defined based on conclusions from risk assessment. Risk control measures
affect the frequency of failures or they may mitigate their consequences.
In the phase of cost benefit assessment, the intention is to assess the benefits from
reduced risks by applying the risk control options. Finally, the data derived by the
research in the previous phases is used for making decisions and recommendations for
safety improvements.

4. Bilge – water separator system modeling


The everyday operations of a ship’s machinery create water concentration in the sediments
of the ship, due to steam, cleaning or other reasons. This water contains ingredients such
as oil, rust and several chemical essences, and it is called “bilge water” (BW). When it
rises to a certain level it must be discarded to the sea, under the condition that it has
been cleaned according to international regulations (filtering can be done in several ways
not examined in this paper).
International Maritime Organization (MARPOL 73/78 Annex IV guidelines) defines
the quality of effluent which may be discharged to the sea with no limitation or proximity
to the nearest land, and the sewage treatment plant must be certified in accordance with
these guidelines, included in resolution MEPC.2 (VI).
The bilge water separator system is a complicated device which removes oils and other
ingredients from the ship’s BW. The filtration is conducted in two different stages. In the
first stage oils are removed with the help of specific plates or filters, while the water moves
by gravity to the lower part of the tank. An adjustable sensor activates a valve to send
oil to the sludge tank. In the second stage the remaining water is filtered again, with
a methodology that depends on the device. After the BW filtering, a metering unit
(comprising a photocell subsystem) makes the final examination of the BW before it is
discharged into the sea. The photocell subsystem is the item under study in this paper.
The maximum limit of oil in the water is 15 parts per million. In case this limit is
exceeded the photocell gives a command to a valve to redirect the BW into a special tank
for further processing. It must be pointed out that the inspection is executed constantly,
for a specific sample of the material.
The BWS system is extremely critical for the operation of the ship. The discharge of
contaminated water into the sea is considered a serious crime. According to expert
information, ships that travel in the Mediterranean Sea should not discard water, as the
Mediterranean Sea is a protected territory. This fact increases the probability of failure
when the BWS is finally used.
The next subsection presents the model used for the representation of the system.
The model is designed under the assumption that during the water discharge, the staff of
the ship supervises the procedure.

4.1. Single photocell model


The first model uses one photocell unit which meters the water for the existence of oil.
The state transition diagram (Fig. 1) is described as follows:

• S1 (State1): Covers in the same state two events with a common effect. In the first
  case there is no oil in the water and the valve is opened, while in the other case the
  water contains oil and the valve is closed. The photocell and the valve work
  properly. This is the safe state of the system. The rate “λΑ” is computed by
  multiplying the oil frequency in the water “λoil” by the automation failure
  probability “γΑ”.
• S2 (State2): While the photocell operates normally the automation is damaged, so the
  valve remains opened, since it does not receive the closing command. The water is
  discharged into the sea. This is the first pollution state. The failure in the present
  state (this concerns states four and six too) has not been noticed, so “μtx” is the rate at
  which the personnel becomes aware of the failure and gives the command for manual
  closing of the valve. The rate “μtx” is computed by “1/t” where “t” is the transition
  time to the next state [10].
• S3 (State3): The ship maintains an adequate number of spare parts so the automation is
  replaced. In the meantime the valve is closed manually. The value “μΑ” concerns the
  replacement time of the automation.
• S4 (State4): The water contains oil, but the photocell fails to perform the proper
  metering. The automation is operational but the valve doesn’t close, so the current
  state causes pollution. The value “λP” is the photocell failure frequency while “1-γA”
  is the probability of automation operation.
• S5 (State5): Process of repairing the photocell and closing the valve manually,
  before the system returns to the safe state at rate “μP”, which is the repair rate of
  the photocell.
• S6 (State6): The valve remains open again since there is concurrent failure of the
  photocell and the automation. The rate “λP γA” combines the photocell failure rate and
  the probability of automation failure.
• S7 (State7): Repair and replacement of the inoperable parts and manual closing of
  the valve at rate “μP”.

[State transition diagram with states S1 to S7; the diagram itself is not reproduced here.]

Fig. 1: State transition diagram for single photocell model


Table 1 lists the values of the model variables for calculating the steady-state
probabilities, which indicate the probability that a certain state will occur after a long
period of time. The data is empirical, based on interviews with experts. The initial
assumption is that the photocell failure occurs five times per year and oil remains in the
water twenty times a year (after the filtering of the water). The rates are computed based
on the hypothesis that a year contains 8,640 hours.

Table 1: Failure rates and repair

Rates    Times or frequency
λp       5 failures / year
μt2      0.033 h⁻¹
μp       1 h⁻¹
μt4      0.033 h⁻¹
μΑ       0.133 h⁻¹
γΑ       0.004
μt6      0.033 h⁻¹
λoil     20 times / year

Using the above values we calculate the steady-state probabilities in Table 2. The
steady-state probability vector Π of the Markov chain is the solution of the linear system:
(Eq. 1)

(1)

Where Q = [qij] is the n by n generator matrix, with qij denoting the transition rate
from state i to state j and n denoting the number of states (n = 0, 1, 2) Smith [6], Trivedi
[7].

Table 2: Comparing steady-states for different λp

States   λP = 5 f / y      λP = 2 f / y
         λoil = 20 t / y   λoil = 20 t / y
1        0.9993            0.9997
2        3.084E-07         3.085E-07
3        6.939E-05         1.234E-06
4        1.927E-05         7.714E-06
5        0.00057           0.00023
6        1.387E-07         5.554E-08
7        2.313E-06         9.260E-07

Summing the probabilities of Table 2 in states two, four and six provides
the total pollution probability. By comparing the total probability before and after the
reduction of “λp” (from five to two per year), a reduction of the total probability from
1.97E-05 to 8.07E-06 is observed. Since the data used in the study is experimental, the
steady-state equations for the pollution states (two, four and six) are given in equation two,
so the total pollution probability can be computed for any range of data. Equation
two is computed by solving the linear system (1) presented above for “π2”,
“π4” and “π6”.
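
The steady-state computation described above for the single photocell model, as an added example that is not the authors' code (function names are hypothetical). It assumes the three cycles given in the state list (S1→S2→S3→S1, S1→S4→S5→S1, S1→S6→S7→S1), reads each 0.033 entry of Table 1 as the detection time t so that μtx = 1/t, and takes μΑ and μP as rates per hour; under these assumptions the output need not equal Table 2 digit for digit.

```python
# Added example: steady state of the single photocell chain (pi * Q = 0, sum(pi) = 1).
# Function names and the unit readings below are assumptions of this example.
HOURS_PER_YEAR = 8640.0  # the paper's convention for converting yearly frequencies


def build_generator(lam_p_per_year, lam_oil_per_year=20.0, gamma_a=0.004,
                    t_detect=0.033, mu_a=0.133, mu_p=1.0):
    """Return the 7x7 generator matrix Q for states S1..S7 (rates per hour)."""
    lam_p = lam_p_per_year / HOURS_PER_YEAR
    lam_a = gamma_a * lam_oil_per_year / HOURS_PER_YEAR  # lambda_A = lambda_oil * gamma_A
    mu_t = 1.0 / t_detect  # assumption: 0.033 is the time t in hours, rate = 1/t
    transitions = [  # (from state, to state, rate), taken from the state list
        (1, 2, lam_a), (2, 3, mu_t), (3, 1, mu_a),
        (1, 4, lam_p * (1.0 - gamma_a)), (4, 5, mu_t), (5, 1, mu_p),
        (1, 6, lam_p * gamma_a), (6, 7, mu_t), (7, 1, mu_p),
    ]
    q = [[0.0] * 7 for _ in range(7)]
    for src, dst, rate in transitions:
        q[src - 1][dst - 1] += rate
        q[src - 1][src - 1] -= rate  # each row of a generator sums to zero
    return q


def steady_state(q):
    """Solve pi * Q = 0 with sum(pi) = 1 by Gauss-Jordan elimination."""
    n = len(q)
    # Row i of the augmented system is the balance equation of state i (Q transposed).
    a = [[q[j][i] for j in range(n)] + [0.0] for i in range(n)]
    a[n - 1] = [1.0] * n + [1.0]  # one balance equation is redundant: normalise instead
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        if a[pivot][col] == 0.0:
            raise ValueError("singular system: no unique steady state")
        a[col], a[pivot] = a[pivot], a[col]
        for r in range(n):
            if r != col and a[r][col] != 0.0:
                f = a[r][col] / a[col][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [a[i][n] / a[i][i] for i in range(n)]


def pollution_probability(pi):
    """Sum of the pollution states S2, S4 and S6."""
    return pi[1] + pi[3] + pi[5]


if __name__ == "__main__":
    for lam_p in (5.0, 2.0):
        pi = steady_state(build_generator(lam_p))
        print(f"lambda_P = {lam_p:g}/year")
        for k, p in enumerate(pi, start=1):
            print(f"  pi{k} = {p:.3e}")
        print(f"  total pollution probability = {pollution_probability(pi):.3e}")
```

Because every excursion from S1 is a simple cycle, each πk equals π1 times the entry rate divided by the exit rate of state k, which gives a quick hand check of the solver.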

The next section examines the case of inserting a second photocell unit in the
metering system. The new unit is supported by a second automation and will be used as a
backup. It is activated only in case the first photocell is not operational. The purpose of
the study is to show the variation of the pollution probability after the insertion of the
second photocell.

TPP 
4.2. Double photocell model
It is obvious that in this case the model has become more complicated. The description of
the states is the following:

• S1 (State1): Corresponds to the first state in the previous model. The system works,
  but P2 may be in failure. Since P1 works properly, if there is “Oil” the valve is closed.
  If the value is “No Oil” the valve is opened. In this condition the system doesn’t
  pollute.
• S2 (State2): Suppose that P1 fails with rate [λP1_F (1-γA1)], because the probability that
  A1 fails is “γA1”. Since A1 works, it diagnoses the failure of P1 and activates P2. A2
  works properly so P2 closes the valve before oil is dropped in the sea.
• S3 (State3): The system remains in State2 for “μt2”, P1 is repaired and the water is
  sent back to the ship tank until it is cleared. Then, the valve of the system opens
  again. The time for returning to the safe state is “μP1_F”.
• S4 (State4): In this state A2 is out of order. So even if P1 or P2 works properly the
  valve of the ship cannot be closed. That is why state four is the first pollution state.
• S5 (State5): The pollution is noticed in time “μt4” and the water is sent back to the
  tank. A2 is replaced with a spare part and the valve opens again. It must be pointed
  out that, concerning A2, “λA2 = γA2 λoil”. For the rest of the states, “γA2” is used when
  A2 fails. The valve closes manually.
• S6 (State6): A failure in P1 activates P2 so long as A1 is operational. P2 works
  properly, but A2 is damaged, so the gate cannot be closed. State six is the
  second pollution state.
• S7 (State7): P1 and A2 are in repair state and the valve closes manually.
• S8 (State8): In the case that P1 and A1 fail simultaneously, but P2 works properly, the
  good operation of P2 doesn’t serve the system, since A1 is the component that
  activates P2. The valve remains open, the water is discharged to the sea and this is the
  third pollution state.
• S9 (State9): After “μt8” P1 and A1 get in repair state. The valve closes manually.

[State transition diagram with states S1 to S9; the diagram itself is not reproduced here. It carries the annotation “λΑ2 = λoil * γA2” (to be explained in the text).]

Fig. 2: Double photocell system state transition diagram

In the above model the case of “No Oil” in the water hasn’t been taken into account
(except in State One) because there is no interest in that event. The main aim is to find
the probability of polluting the sea due to possible states four, six and eight. In turn this
probability is compared with the corresponding one in the “single photocell system”.
Table 3 presents the data used for the computation of the steady states.

Table 3: Data for model “Double photocell system” (time in hours)

Rates    Times or frequency
λP1      5 failures / year
γA1      0.002
μt2      0.5 h⁻¹
μP1      1 h
μt4      0.033 h⁻¹
μΑ2      0.133 h⁻¹
γΑ2      0.004
μt6      0.033 h⁻¹
μt8      0.033 h⁻¹
λoil     20 times / year

Table 4 provides the values of the nine steady states.

Table 4: Steady states for “Double photocell system”

States   λP = 5 f / y      λP = 2 f / y
         λoil = 20 t / y   λoil = 20 t / y
1        0.9991            0.9996
2        0.00023           9.23E-05
3        0.00057           0.000230
4        3.08E-07          3.08E-07
5        6.93E-05          6.94E-05
6        7.69E-08          3.07E-08
7        2.30E-06          9.23E-07
8        6.93E-08          2.77E-08
9        1.15E-06          4.62E-07

As in the previous model, the solution of a 9x9 linear system gives the following
equations, which correspond to steady states six, eight and four. The sum of the probabilities
derived by the two equations gives the total pollution probability for the second model.

Where Α = μτ7μτ8{μτ2μτ4[λpμΑ2(1+γΑ2–γΑ1γΑ2)+μp(λΑ2–μΑ2)]–μΑ2μp(μτ2λΑ2+μτ4λp)}
+μτ4μτ7λpμΑ2μpγΑ1(μτ2-μτ8)–μτ2 μτ4 μτ8 γΑ2 λp μΑ2 μp (1+γΑ1)

(6   8)  t2 t7
Where Β = μτ7 μτ8 {μτ 2μτ4 [λp μΑ2 (1+γΑ2–γΑ1 γΑ2)+μp (λΑ2–μΑ2)]+μΑ2 μp (μτ2 λΑ2-μτ4 λp)}-μτ4 μτ7
λp μΑ2 μp γΑ1 (μτ2-μτ8)–μτ2 μτ4 μτ8 γΑ2 λp μΑ2 μp (1-γΑ1)

4
t8 p 2



Fig. 4 illustrates how the pollution probability evolves when the frequency of oil in
the water reduces (axis X). Gray and black bars represent the reduction of the photocell
failure rate.

Fig. 4: Evolution of pollution probability by reducing oil rate

Fig. 5 illustrates the total pollution probability between the two models. Using the
current data the reduction is estimated at 98%.

Fig. 5: Evolution of pollution probability by adding second photocell unit



5. Conclusions
Markov modeling has been used successfully in pollution sensitive industries such as
nuclear power plants or chemical industry installations. Environmental pollution has
attracted the attention of the public and governments, and many studies have been
conducted at national and international level. Formal safety assessment is a methodology
used broadly for the processing of those studies.
In this paper Continuous Time Markov Chains are used to model the operation of a
bilge water separator. The operation of this system is critical because if it fails it could
cause severe sea pollution. The study examines the case of adding a second photocell
metering unit to the BWS and the variation of the total pollution probability when the system
operates with two photocell units. Until now, the Formal Safety Assessment methodology
has adopted fault and event tree analysis for risk estimation. Markov models may
be more effective in some aspects of the methodology, since they take into
account the repair states of the system. The results, which are based on expert data, show
that the adoption of the specific risk control option (the addition of the second photocell
device) can significantly reduce the pollution probability.
The exponential distribution and Continuous Time Markov Chains were used because the data
shows that the failure and repair rates are constant [11], [12]. If the data seems to follow a
different distribution, future research could examine the Semi-Markov methodology for the
verification of the models.

Acknowledgements
The authors wish to thank Maistros Stylianos, Captain George Georgoulis and Chief
Engineer Ioannis Dagkinis for their cooperation and experience on technical matters of
the study. The research was partially supported by the Greek Ministry of Development
and the French Ministry of Education, PLATON Scientific Cooperation Research
Program.

REFERENCES

1.   How Sing Sii, Tom Ruxtona and Jin Wang “A fuzzy-logic-based approach to qualitative
safety modelling for marine systems” Reliability Engineering and System safety, Feb 2001, pp
19 – 34
2.   Shenping Hu, Quangen Fang, Haibo Xia, Yongtao Xi “Formal safety assessment based on
relative risks model in ship navigation” Reliability Engineering and System safety, 2006
3.   Takeshi Matsuoka, Nobuo Mitomo and Fujio Kaneko National Maritime Research Institute
“Evaluation of Occurrence Frequencies of Marine Accidents by Event Tree Analysis” ESREL
2004 (European Safety & Reliability Conference)
4.   P. Antao and C. Guedes Soares “Analysis of accident scenarios of RoPax vessels” ESREL
2005 (European Safety & Reliability Conference)
5.   Limnios Nikolaos, “Fault Trees” ISTE Publishing Company, 2006.
6.   Smith R. M., Trivedi K. S., Rameshi A. M 1998, “Performability analysis: Measures, an
algorithm and a case study” IEEE Transactions on Computers, vol. C-37, No.4, pp. 406-417
7.   Trivedi K. S., Giardo G., Malhorta M. Sahner R. A. 1993, “Dependability and
Performability analysis”, Performance Evaluation of Computer and Communication Systems,
Lecture Notes in Computer Science, L. Dontatiella, R. Nelson (eds), pp.587-612
8.   V. Koutras, A. Platis, V. Mennis, N. Nikitakos “Software Rejuvenation in Maritime
Applications” ESREL 2005 (European Safety & Reliability Conference)
9.   Maritime Safety Committee, 76 th Session, “Bulk Carrier Safety”, MSC 76/5/5 13 September
2002, Submitted by the United Kingdom.
10.   Andrews J., Moss T. “Reliability and risk assessment”, Professional Engineering
Publishing, 2002, pp 300 – 309 and 289 – 290
11.   Limnios N., Oprisan G. “Semi-Markov Processes and Reliability”, Birkhäuser Boston, 2001
12.   Violentis G., Platis A., Gravvanis G., Lipitakis G., “Performance analysis of an electrical
substation via Semi Markov process computed by generalized approximate inverse
preconditioning”, Hermis, The International Journal of Computer Mathematics and its
applications, Volume 10, 2008
