Towards supervisory risk control of autonomous ships

https://doi.org/10.1016/j.ress.2019.106757

Highlights

  • A new framework for online risk modelling for autonomous ships is proposed.

  • A case-study demonstrating the proposed framework is presented.

  • The proposed framework is a first step towards embedding risk management capabilities in control systems for autonomous ships.

  • The proposed framework has a general relevance for other systems than autonomous ships, both manned and unmanned and with different levels of autonomy.

Abstract

The objective of this paper is to outline a framework for online risk modelling for autonomous ships. There is a clear trend towards increased autonomy and intelligence in ships because it enables new functionality, as well as safer and more cost-efficient operations. Nevertheless, emerging risks are involved, related to lack of knowledge and operational experience with the autonomous systems, the dependency on complex software-based control systems, as well as a limited ability to verify the safe performance of such systems. The framework presented in the paper is the first step towards supervisory risk control, i.e., developing control systems for autonomous systems with risk management capabilities to improve the decision-making and intelligence of such systems. The framework consists of two main phases, (i) hazard identification and analysis through the systems theoretic process analysis (STPA), and (ii) generating risk models represented by Bayesian Belief Networks (BBN) based on the outcomes of the STPA. The application in the paper is aimed at autonomous ships, but the results of the paper have a general relevance for both manned and unmanned systems with different levels of autonomy, complexity, and major hazard potential.

Introduction

The development towards maritime autonomous surface ships (MASS) is currently an important technological trend due to the potential for increased safety and efficiency, and optimized ship performance ([1], [2], [3]). Autonomous ships are expected to become a cost-efficient alternative to conventional ships and improve safety and environmental impact at sea. It is expected that the introduction of autonomy will reduce the number of human injuries and fatalities ([4], [5]), which globally amounted to 8000 fatalities from 2008-2012 [6]. Nevertheless, it is essential to ensure that autonomous ships have the desired level of reliability, availability, maintainability and safety to be acceptable for widespread use at sea [1]. Hence, risk assessments are necessary to ensure safe operations [7].

Autonomous systems include improved perception, situation awareness, and planning/re-planning capabilities and may be characterized as deliberative control systems based on the feedback loops of sense, model, plan and act. Failures in critical ship functions, such as in the automatic sailing system or the dynamic positioning (DP) system, are not viable and may lead to loss of position and, in the worst case, a collision causing severe damage and human fatalities. Therefore, supervisory risk control is a dynamic functionality that needs to be designed and implemented into an autonomous ship's control system, providing the ship with the ability and system integrity to assess and control risks during the operation.

MASS may have functionality with different levels of autonomy (LoA), impacting the ship's operator dependency, communication structure, human-machine interface (HMI), intelligence, planning functionalities, and mission and operation capabilities. The LoA may, for example, be divided into: LoA 1: Automatic operation (remote control), LoA 2: Management by consent (teleoperation), LoA 3: Semi-autonomous or management by exception, and LoA 4: Highly autonomous during a mission or operation [8], [9]. Other categorizations may distinguish between the LoA differently, depending on the specific application [10]. Motivated by NIST [11], the four-level version used here is relatively general and aligned with other mobile robotic applications, such as NFAS [12].

Conventional manned ships either have low LoA or are approaching higher LoA for some functionality. A ship may also have onboard systems with functionality in different LoA, and operators may be able to manoeuvre across different LoA, i.e., move the system from a high LoA into a manual mode and take over control (low LoA). Advanced ships in DP operation, for example, rely on the operator being onboard to take over control if the ship is in a situation that the control system cannot handle. In addition, LoA may change for the different operational modes, i.e., from departure, transit/sailing and docking.

Unmanned ships, on the other hand, may be implemented with a high degree of remote control and monitoring, and low LoA correspondingly, i.e., remotely controlled by operators onshore, or performing all operations autonomously (high LoA), but this requires a change in the current maritime regulation regime.

For systems with low LoA, situation awareness of both the exterior surroundings and the integrity of the system itself is mainly related to relatively simple alarm systems associated with the ship control systems and the human operator's perception and understanding of the system and operation. Similarly, the ability for the system itself to plan and replan the mission may be limited. For systems with high LoA, situation awareness (SA) is to a large extent “transferred” from the operator to the autonomous system, including learning capabilities and decision making. Designing and utilizing systems with an acceptable risk level that cooperate with, possibly replace, and outperform human capabilities means that supervisory risk control is decisive.

Risk analysis consists of finding out what can go wrong, determining how likely it is, and what the consequences are [13]. Risk modelling is used to express risk qualitatively and/or quantitatively for a system or activity. Risk analysis employs risk modelling and is essential for risk management. Risk control can be defined as a “measure that is modifying risk” (ISO31000, [14]). Risk control of an autonomous ship should consider all relevant risk aspects to proactively avoid the need for activating any contingency system. Generally, during operation of autonomous systems [15], risk control should be performed in two different but equally important “risk control modes” to support situation awareness and decision making [9]:

  • (i) By the human operator and the organization interacting, supervising and monitoring the autonomous system, and/or

  • (ii) By the autonomous system, which means supervisory risk control.

In low LoA, the prevailing system risk control mode is (i), whereas in high LoA, the risk control mode is mode (ii), which we denote supervisory risk control. Hence, a system may switch between risk control performed by the human operator (supervisor) and supervisory risk control executed by the autonomous system, depending on the context, phase of operation, and LoA. For example, Vinnem et al. [16] and Thieme and Utne [17] addressed mode (i). In this paper, the focus is on developing the basis for mode (ii), i.e., supervisory risk control by the autonomous system.

In general, the control system is divided into three main layers [8]: (i) the control execution layer (the reactive control layer), (ii) the guidance and optimization layer, and (iii) the operation or supervisory layer (the deliberate control layer). In the mission layer, the mission objective is defined and planned (and possibly replanned). In the guidance and optimization level, the waypoints and reference commands to the controller are handled. In the control execution level, the plant control and actuator control occur. Risk must be considered in all three levels. The supervisory risk control “module”, however, may be considered as a contribution to improved artificial intelligence, included in the operation/mission layer (iii) in the control architecture, supporting and enabling the autonomous system to model and plan its actions, i.e., making deliberate choices.

Most work related to safety of autonomous ships has so far focused on hazard identification and analysis, but not on risk modelling, even though Bayesian Belief Networks (BBN) have been developed for risk related to autonomous underwater vehicles [17], [18], [19]. Rødseth and Tjora [20] discuss challenges with unmanned ships. Utne et al. [9] clarify, categorize, and classify risk related to autonomous marine systems and autonomous ships, and establish a foundation for risk management of such systems. Wrobel et al. [5] determine that the occurrence of navigational accidents may be reduced for autonomous ships, but the consequences from fire and structural failure may increase. Acanfora et al. [21] propose a method for route planning and execution by an autonomous ship, focusing on ship motion. Rokseth et al. [22], [71], [24] demonstrate that the system theoretic process analysis (STPA) is feasible for risk analysis of systems with complex control functionality, such as DP systems. Montewka et al. [25] propose research directions for safety and risk assessment and conclude that new risk analysis methods are needed. Thieme et al. [26] review 64 existing ship collision and grounding risk models but find none directly suitable for risk assessment of MASS. Zhou et al. [27] present a novel ship domain model for autonomous ships, focused on collision risk. Wrobel et al. [28] use STPA to identify potential means for improving the safety of a remotely controlled merchant vessel. Wrobel et al. [29] apply STPA for analysing hazardous scenarios and determining design requirements to autonomous ships, and Rokseth et al. [24] use STPA to derive a safety verification program for autonomous ships. They do not, however, apply STPA as a basis for developing online risk models as part of supervisory risk control, as we propose in this paper.

The objective of this paper is to outline a framework for developing online risk models as part of the deliberative layer of a control system for MASS. The framework is the first step towards supervisory risk control. The paper uses STPA for identifying hazardous events and corresponding scenarios, which provide direct input to the development of online risk models represented by BBN. The main focus of the paper is on the process of transforming the results from STPA into nodes and structure of a BBN. Constructing a BBN is usually performed using either subjective knowledge, the knowledge representation approach, or a machine learning approach [30]. For risk analysis, typically the subjective approach is used. Hence, a systematic and structured approach bridging results from hazard identification into risk modelling is missing, and the framework proposed in this paper is an attempt to do so.

The main scientific contribution of the paper is related to how the outcome of STPA directly enhances the development of the BBN in two ways: (i) in the identification of nodes, and (ii) in the structuring of arcs connecting the nodes. A case study illustrates the proposed framework for an autonomous ship. The results of the paper create a basis for implementing built-in intelligent risk assessment during operation of complex software-based systems, such as MASS.

Fault tolerant control [31] mainly aims at reducing the consequences of internal faults and includes methods for diagnosing on the control execution level. Supervisory risk control, on the other hand, includes more than fault-tolerant control, related to the capability of the autonomous systems to learn, adapt and improve.

The paper is structured as follows: Section 2 presents the methodological approach, Section 3 focuses on the case study, Section 4 includes the discussion, and Section 5 states the conclusions.

Section snippets

Background and needs

A traditional risk model is typically represented by a bow tie, as shown in Fig. 1. The left side represents the causes of the critical event, and the right side represents the consequences. A critical event may be caused by several different causes and lead to different consequences, which can be analyzed by fault trees, event trees, BBN, or a combination of these. The entire bow tie model represents an accident scenario.

Risk may be defined as the “effect of uncertainty on objectives” (ISO

STPA

An important prerequisite for supervisory risk control is to know which hazardous events should be prevented and their causal factors. The latter is of particular importance for enabling early warnings of potential violations of safety constraints. STPA provides a comprehensive process for identifying hazards and revealing causal factors, which is beneficial for novel and complex systems, such as autonomous ships, for which there is limited experience available and lack of empirical data. The

Conclusions

This paper presents the first step towards supervisory risk control of MASS, namely providing a systematic process for identifying and analyzing hazards that directly can be used to develop the content and structure of a risk model to be used by the control system of an autonomous ship. Supervisory risk control means that the autonomous system is capable of risk management, enhancing its intelligence, through the integration of a risk model into the supervisory (mission) layer of the

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgments

The work is partly sponsored by the Research Council of Norway through the Centre of Excellence funding scheme, project number 223254, AMOS, ORCAS with project number 280655 and UNLOCK with project number 274441. The authors would like to acknowledge the anonymous reviewers who contributed with valuable comments to earlier versions of the article.

References (70)

  • F. Khan et al. Dynamic risk management: a contemporary approach to process safety management. Current Opin Chem Eng (2016)
  • E. Zio. The future of risk assessment. Reliab Eng Syst Saf (2018)
  • S. Barua et al. BN based dynamic operational risk assessment. J Loss Prev Process Ind (2016)
  • N. Khakzad et al. Dynamic safety analysis of process systems by mapping bow-tie into Bayesian network. Process Saf Environ Prot (2013)
  • J. Rasmussen. Risk management in a dynamic society: a modelling problem. Saf Sci (1997)
  • K. Øien. Risk indicators as a tool for risk control. Reliab Eng Syst Saf (2001)
  • R.J. Bye et al. Maritime navigation accidents and risk indicators: An exploratory statistical analysis using AIS data and accident reports. Reliab Eng Syst Saf (2018)
  • P. Chen et al. Probabilistic risk analysis for ship-ship collision: State-of-the-art. Saf Sci (2019)
  • A. Mazaheri et al. Towards an evidence-based probabilistic risk model for ship-grounding accidents. Saf Sci (2016)
  • S.J. Qin et al. A survey of industrial model predictive control technology. Control Eng Pract (2003)
  • A.J. Sørensen. A survey of dynamic positioning control systems. IFAC J Ann Rev Control (2011)
  • E.M. Marszal. Tolerable risk guidelines. ISA Trans (2001)
  • B. Rokseth et al. Deriving verification objectives and scenarios for maritime systems using the systems-theoretic process analysis. Reliab Eng Syst Saf (2018)
  • DNVGL, 2018. Remote-controlled and autonomous ships, DNVGL group technology & research, position paper 2018 in the...
  • Danish Maritime Authority (DMA), 2017. Analysis of regulatory barriers to the use of autonomous ships. Final Report,...
  • Global marine technology trends 2030, Lloyd's register (2015)
  • Department for Transport, 2019. Maritime 2050. Navigating for the Future. Report, OGL, London,...
  • IMO: International Maritime Organization, 2016. Seafarers rights 2016. Deaths and injuries at sea....
  • Norwegian Maritime Authority (NMA), 2018. Requirements to documentation for constructing autonomous, unmanned and/or...
  • I.B. Utne et al. Risk management of autonomous marine operations and systems
  • National Institute of Standards and Technology (NIST). 2008. Autonomy levels for unmanned systems (ALFUS) Framework....
  • Definitions for autonomous merchant ships. Draft. (2017)
  • M. Rausand. Risk assessment. Theory, methods, and applications (2011)
  • Risk management – guidelines (2018)
  • C.A. Thieme et al. A risk model for autonomous marine systems and operation focusing on human-autonomy collaboration
