Towards supervisory risk control of autonomous ships
Introduction
The development towards maritime autonomous surface ships (MASS) is currently an important technological trend due to the potential for increased safety and efficiency, and optimized ship performance ([1], [2], [3]). Autonomous ships are expected to become a cost-efficient alternative to conventional ships and to improve safety and environmental impact at sea. It is expected that the introduction of autonomy will reduce the number of human injuries and fatalities ([4], [5]), which globally amounted to 8000 fatalities from 2008-2012 [6]. Nevertheless, it is essential to ensure that autonomous ships have the desired level of reliability, availability, maintainability and safety to be acceptable for widespread use at sea [1]. Hence, risk assessments are necessary to ensure safe operations [7].
An autonomous system includes improved perception, situation awareness, and planning/re-planning capabilities and may be characterized as a deliberative control system based on the feedback loop of sense, model, plan and act. Failures in critical ship functions, such as in the automatic sailing system or the dynamic positioning (DP) system, are unacceptable and may lead to loss of position and, in the worst case, collision causing severe damage and human fatalities. Therefore, supervisory risk control is a dynamic functionality that needs to be designed and implemented into an autonomous ship's control system, providing the ship with the ability and system integrity to assess and control risks during the operation.
MASS may have functionality with different levels of autonomy (LoA), impacting the ship's operator dependency, communication structure, human-machine interface (HMI), intelligence, planning functionalities, and mission and operation capabilities. The LoA may, for example, be divided into: LoA 1: Automatic operation (remote control), LoA 2: Management by consent (teleoperation), LoA 3: Semi-autonomous or management by exception, and LoA 4: Highly autonomous during a mission or operation [8], [9]. Other categorizations may distinguish between the LoA differently, depending on the specific application [10]. Motivated by NIST [11], the four-level version used here is relatively general and aligned with other mobile robotic applications, such as NFAS [12].
Conventional manned ships either have low LoA or are approaching higher LoA for some of their functionality. A ship may also have onboard systems with functionality at different LoA, and operators may be able to move across different LoA, i.e., take the system from a high LoA into a manual mode and take over control (low LoA). Advanced ships in DP operation, for example, rely on the operator being onboard to take over control if the ship is in a situation that the control system cannot handle. In addition, LoA may change between the different operational modes, i.e., departure, transit/sailing and docking.
Unmanned ships, on the other hand, may be implemented either with a high degree of remote control and monitoring and correspondingly low LoA, i.e., remotely controlled by operators onshore, or performing all operations autonomously (high LoA). The latter, however, requires a change in the current maritime regulation regime.
For systems with low LoA, situation awareness of both the exterior surroundings and the integrity of the system itself is mainly provided by relatively simple alarm systems associated with the ship control systems, together with the human operator's perception and understanding of the system and operation. Similarly, the ability of the system itself to plan and replan the mission may be limited. For systems with high LoA, situation awareness (SA) is to a large extent "transferred" from the operator to the autonomous system, including learning capabilities and decision making. To design and utilize systems with an acceptable risk level that cooperate with, possibly replace, and outperform human capabilities, supervisory risk control is decisive.
Risk analysis consists of finding out what can go wrong, determining how likely it is, and what the consequences are [13]. Risk modelling is used to express risk qualitatively and/or quantitatively for a system or activity. Risk analysis employs risk modelling and is essential for risk management. Risk control can be defined as a "measure that is modifying risk" (ISO31000, [14]). Risk control of an autonomous ship should consider all relevant risk aspects to proactively avoid the need for activating any contingency system. Generally, during operation of autonomous systems [15], risk control should be performed in two different but equally important "risk control modes" to support situation awareness and decision making [9]:
- (i) By the human operator and the organization interacting with, supervising and monitoring the autonomous system, and/or
- (ii) By the autonomous system, which means supervisory risk control.
In low LoA, the prevailing system risk control mode is (i), whereas in high LoA, the risk control mode is mode (ii), which we denote supervisory risk control. Hence, a system may switch between risk control performed by the human operator (supervisor) and supervisory risk control executed by the autonomous system, depending on the context, phase of operation, and LoA. For example, Vinnem et al. [16] and Thieme and Utne [17] addressed mode (i). In this paper, the focus is on developing the basis for mode (ii), i.e., supervisory risk control by the autonomous system.
In general, the control system is divided into three main layers [8]: (i) the control execution layer (the reactive control layer), (ii) the guidance and optimization layer, and (iii) the operation or supervisory layer (the deliberate control layer). In the operation/mission layer, the mission objective is defined and planned (and possibly replanned). In the guidance and optimization layer, the waypoints and reference commands to the controller are handled. In the control execution layer, the plant control and actuator control occur. Risk must be considered in all three layers. The supervisory risk control "module", however, may be considered as a contribution to improved artificial intelligence, included in the operation/mission layer (iii) of the control architecture, supporting and enabling the autonomous system to model and plan its actions, i.e., to make deliberate choices.
Most work related to the safety of autonomous ships has so far focused on hazard identification and analysis, but not on risk modelling, even though Bayesian Belief Networks (BBN) have been developed for risk related to autonomous underwater vehicles [17], [18], [19]. Rødseth and Tjora [20] discuss challenges with unmanned ships. Utne et al. [9] clarify, categorize, and classify risk related to autonomous marine systems and autonomous ships, and establish a foundation for risk management of such systems. Wrobel et al. [5] determine that the occurrence of navigational accidents may be reduced for autonomous ships, but the consequences from fire and structural failure may increase. Acanfora et al. [21] propose a method for route planning and execution by an autonomous ship, focusing on ship motion. Rokseth et al. [22], [71], [24] demonstrate that the system theoretic process analysis (STPA) is feasible for risk analysis of systems with complex control functionality, such as DP systems. Montewka et al. [25] propose research directions for safety and risk assessment and conclude that new risk analysis methods are needed. Thieme et al. [26] review 64 existing ship collision and grounding risk models but find none directly suitable for risk assessment of MASS. Zhou et al. [27] present a novel ship domain model for autonomous ships, focused on collision risk. Wrobel et al. [28] use STPA to identify potential means for improving the safety of a remotely controlled merchant vessel. Wrobel et al. [29] apply STPA for analysing hazardous scenarios and determining design requirements for autonomous ships, and Rokseth et al. [24] use STPA to derive a safety verification program for autonomous ships. They do not, however, apply STPA as a basis for developing online risk models as part of supervisory risk control, as we propose in this paper.
The objective of this paper is to outline a framework for developing online risk models as part of the deliberative layer of a control system for MASS. The framework is the first step towards supervisory risk control. The paper uses STPA for identifying hazardous events and corresponding scenarios, which provide direct input to the development of online risk models represented by BBN. The main focus of the paper is on the process of transforming the results from STPA into the nodes and structure of a BBN. Constructing a BBN is usually performed using either subjective knowledge, the knowledge representation approach, or a machine learning approach [30]. For risk analysis, the subjective approach is typically used. However, a systematic and structured approach bridging the results from hazard identification into risk modelling is missing, and the framework proposed in this paper is an attempt to provide one.
The main scientific contribution of the paper is related to how the outcome of STPA directly enhances the development of the BBN in two ways: (i) in the identification of nodes, and (ii) in the structuring of the arcs connecting the nodes. A case study illustrates the proposed framework for an autonomous ship. The results of the paper create a basis for implementing built-in intelligent risk assessment during operation of complex software-based systems, such as MASS.
Fault tolerant control [31] mainly aims at reducing the consequences of internal faults and includes methods for diagnosis at the control execution level. Supervisory risk control, on the other hand, includes more than fault-tolerant control, being related to the capability of the autonomous system to learn, adapt and improve.
The paper is structured as follows: Section 2 presents the methodological approach, Section 3 focuses on the case study, Section 4 includes the discussion, and Section 5 states the conclusions.
Background and needs
A traditional risk model is typically represented by a bow tie, as shown in Fig. 1. The left side represents the causes to the critical event, and the right side represents the consequences. A critical event may be caused by several different causes and lead to different consequences, which can be analyzed by fault trees, event trees, BBN, or a combination of these. The entire bow tie model represents an accident scenario.
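To make the bow tie and the three risk-analysis questions above (what can go wrong, how likely it is, what the consequences are) concrete, here is an added Python example that is not part of the paper and not the authors' case study. It encodes a tiny bow tie as a discrete BBN: two causal factors on the left, the critical event "loss of position" in the middle, and "collision" as the consequence on the right. All node names (thruster_fault, posref_fault, high_traffic) and all probabilities are constructed assumptions for illustration. Inference is done by exhaustive enumeration, which is exact for a handful of binary nodes; the supervisory use shown is the diagnostic query (which causal factor is most likely, given the critical event) and a threshold check on the updated consequence probability, with the threshold itself an assumed acceptance criterion.

```python
from itertools import product

# Constructed illustration of a bow tie as a Bayesian belief network (BBN).
# Left side: causal factors feeding the critical event "loss_of_position";
# right side: the consequence "collision". Node names and probabilities are
# assumptions made for this example, not values from the paper.
#
# Each node maps to (parent names, conditional probability table). The table
# gives P(node = True) for every combination of parent states (True/False).
NETWORK = {
    "thruster_fault":   ((), {(): 0.02}),
    "posref_fault":     ((), {(): 0.05}),   # position-reference sensor fault
    "loss_of_position": (("thruster_fault", "posref_fault"), {
        (True, True): 0.95, (True, False): 0.60,
        (False, True): 0.40, (False, False): 0.001}),
    "high_traffic":     ((), {(): 0.30}),
    "collision":        (("loss_of_position", "high_traffic"), {
        (True, True): 0.50, (True, False): 0.10,
        (False, True): 0.0005, (False, False): 0.0001}),
}


def joint_probability(assignment):
    """P(full assignment) = product over nodes of P(node | parents)."""
    p = 1.0
    for node, (parents, cpt) in NETWORK.items():
        p_true = cpt[tuple(assignment[parent] for parent in parents)]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p


def query(target, evidence=None):
    """P(target = True | evidence) by exhaustive enumeration over free nodes.

    Exact and cheap for a few binary nodes; an online risk model of realistic
    size would use a BBN library with a proper inference engine instead.
    """
    evidence = dict(evidence or {})
    free = [n for n in NETWORK if n not in evidence]
    numerator = normaliser = 0.0
    for values in product((False, True), repeat=len(free)):
        assignment = dict(evidence)
        assignment.update(zip(free, values))
        p = joint_probability(assignment)
        normaliser += p
        if assignment[target]:
            numerator += p
    return numerator / normaliser


def risk_triplet(evidence=None):
    """The three risk-analysis questions answered on the model: what can go
    wrong (the critical event), how likely it is, and the consequence."""
    return {
        "critical_event": "loss_of_position",
        "p_critical_event": query("loss_of_position", evidence),
        "p_consequence_collision": query("collision", evidence),
    }


def rank_causal_factors(critical_event="loss_of_position"):
    """Diagnostic direction: which causal factor is most likely given that the
    critical event has occurred. This is what an early warning needs to know."""
    causes = NETWORK[critical_event][0]
    posteriors = {c: query(c, {critical_event: True}) for c in causes}
    return sorted(posteriors.items(), key=lambda kv: kv[1], reverse=True)


def early_warning(evidence, threshold=0.01):
    """Supervisory check: True when the consequence probability, updated with
    the current evidence (e.g. a detected sensor fault), exceeds the accepted
    level. The threshold is an assumed acceptance criterion for this example."""
    return query("collision", evidence) > threshold


if __name__ == "__main__":
    print(risk_triplet())
    print(rank_causal_factors())
    print(early_warning({"posref_fault": True, "high_traffic": True}))
```

Running the module prints the baseline risk picture, the ranked causal factors given loss of position (here the position-reference fault dominates), and the early-warning flag once a sensor fault is observed in high traffic. The same structure (causes, critical event, consequences) is what an STPA-derived BBN would instantiate, with the nodes and arcs coming from the identified hazardous scenarios rather than being written by hand as here.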
Risk may be defined as the “effect of uncertainty on objectives” (ISO
STPA
An important prerequisite for supervisory risk control is to know which hazardous events should be prevented and their causal factors. The latter is of particular importance for enabling early warnings of potential violations of safety constraints. STPA provides a comprehensive process to identifying hazards and revealing causal factors, which is beneficial for novel and complex systems, such as autonomous ships, for which there is limited experience available and lack of empirical data. The
Conclusions
This paper presents the first step towards supervisory risk control of MASS, namely providing a systematic process for identifying and analyzing hazards that can directly be used to develop the content and structure of a risk model to be used by the control system of an autonomous ship. Supervisory risk control means that the autonomous system is capable of risk management, enhancing its intelligence, through the integration of a risk model into the supervisory (mission) layer of the
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Acknowledgments
The work is partly sponsored by the Research Council of Norway through the Centre of Excellence funding scheme, project number 223254, AMOS, ORCAS with project number 280655 and UNLOCK with project number 274441. The authors would like to acknowledge the anonymous reviewers who contributed with valuable comments to earlier versions of the article.
References
- et al. Towards the assessment of potential impact of unmanned vessels on maritime transportation safety. Reliab Eng Syst Saf (2017)
- et al. Towards integrated autonomous underwater operations for ocean mapping and monitoring. IFAC J Ann Rev Control (2016)
- et al. A literature review on the levels of automation during the years. What are the different taxonomies that have been proposed? Appl Ergon (2016)
- et al. Incorporation of human factors into ship collision risk models focusing on human centered design aspects. Reliab Eng Syst Saf (2016)
- et al. On the need for online decision support in FPSO-shuttle tanker collision risk reduction. Ocean Eng (2015)
- et al. A Bayesian approach for predicting risk of autonomous underwater vehicle loss during their missions. Reliab Eng Syst Saf (2016)
- et al. A Bayesian approach to risk modeling of autonomous subsea intervention operations. Reliab Eng Syst Saf (2018)
- et al. Toward a method for detecting large roll motions suitable for oceangoing ships. Appl Ocean Res (2018)
- et al. System-theoretic approach to safety of remotely-controlled merchant vessel. Ocean Eng (2018)
- et al. Towards the development of a system-theoretic model for safety assessment of autonomous merchant vessels. Reliab Eng Syst Saf (2018)