Application of the EAST-BL method on a MASS system for Hazard Identification and Risk Assessment

As can be seen through the continuous research on the Marine Autonomous Surface Ships (MASS) in recent years, several positive as well as optimistic results have been emerged, along with several concerns. In particular, the risk analysis process regarding MASS faces many difficulties as the lack of respective data may lead the estimation of probability or frequency to be extremely uncertain or even biased. To this end, the application of risk informed approaches, that are based on the traditional definition of risk, can be quite misleading. This paper presents a methodology for risk assessment on MASS based on the utilisation of the EAST-BL, a system-based methodology that combines the output of three different networks (i.e., task, social and information) for human and non-human agents of a system to identify hazards and the DNV’s framework for risk assessment from the RBAT study. The objective of the paper is to provide insights regarding the application of EAST-BL on MASS as well as the way that system-based methods can be utilised to enhance the hazard identification and risk assessment processes for MASS.


Introduction
Maritime industry is investing in the development of autonomous ships, i.e.Marine Autonomous Surface Ships (MASS), and in general in the utilisation of automation.The main goal is that the safety of the autonomous ships should be ensured at levels at least equal to the conventional ships [1].Automation, both in shipping and in other domains, aims to reduce or even eliminate mistakes and accidents due to the human factor, which currently accounts for 75-95 % [2].Most ships today include very complex automated systems.The increased capabilities of data collection, processing and interconnection that allow automated systems to be controlled from a remote location or through the utilization of Artificial Intelligence, will change the role of human within the MASS system [3].
Therefore, the interaction of human with the MASS system is highly depends on the level of autonomy that the system has.To this end, the dependencies among the system agents alter based on the role of the human in the system (e.g., in the loop, on the loop, in command [4]).All these interactions and their possible alterations during the operation of the MASS highly increase the overall complexity of the system [5] and consequently create emerging risks that traditional risk identification methods like HAZard and OPerability Analysis (HAZOP), Failure Mode and Effects Analysis (FMEA), Fault Tree Analysis (FTA), etc. cannot capture [6].
Systems thinking methods represent "a way of seeing and talking about reality that helps us better understand and work with systems to influence the quality of our lives" [7] and they are considered a tool that can enhance the safety analysis of complex systems [8].The term "systems thinking methods" is used to describe a philosophy which is applied to assist on understanding and optimizing the behaviour in work as well as sociotechnical systems.A principle of systems thinking is that behaviour, safety, and accidents can be emerged from indirect interactions between multiple components across sociotechnical systems [9].
The research presented in this paper, deals with two main aspects.The first is regarding the application of the system thinking method Event Analysis of Systemic Teamwork Broken Links (EAST-BL) on a MASS system, which consists one of the first attempts to utilise the specific method in the risk identification process for a MASS system.Whereas the second, is an effort to combine EAST-BL outcomes with the risk model presented in the Risk Based Assessment Tool Study [10] study to assess the control measures for the mitigation of the identified hazards from the application of EAST-BL.The purpose of the present research is to assess the results as well as the applicability of the EAST-BL and exploit its utilisation in the hazard identification process of MASS.The rest of the paper is structure as follows: Section 2 briefly presents the current state-of-the-art regarding the risk analysis in MASS and the research performed for the role of human within these systems.In Section 3, the methodology that was applied in the research is analysed.Then in Section 4, the application of the proposed methodology on a specific case study is highlighted followed by Section 5, where the results are presented and discussed.The paper concludes with insights regarding the application of EAST-BL in the risk assessment process for MASS as well as the future steps of the research.

Background
The implementation of MASS is expected to affect not only purely technical issues such as reliability, but also aspects related to social (working conditions and comfort of potential passengers) as well as various legal aspects [11].Currently, there are many ongoing IMO activities aimed at identifying the need to amend IMO provisions, which allow for the operation of ships with a higher degree of automation.Nevertheless, through the research conducted so far on MASS there are three main challenges that have to be addressed: 1) That autonomous systems and/or vessels should be at least as safe as conventional ones [1], 2) the role of human within the MASS system and the interactions with it remains vague, hence further research is required on this matter to clearly define the role of human according to the level of autonomy [3,5], and 3) new methodologies for hazard identification and risk assessment are required to deal with the emerging risks and the increase complexity of MASS [12].Furthermore, it is expected that the presence of human within the system and the interactions with it will not be eliminated, human will always be part of the overall system [13].Therefore, based on Stanton and Harvey [14] the analysis of such systems can be included in the framework of Socio-Technical Systems (STS).
To this end the system-thinking methods are considered a useful tool not only to deal with the increased complexity and but also to capture the interrelations among the systems agents, including the role of human [15].The most commonly applied, system-thinking methods for hazard identification are the System-Theoretic Process Analysis (STPA) [16], the Event Analysis of Systemic Teamwork -Broken Links (EAST-BL) [14] and NETworked Hazard Analysis and Risk Management System (NET-Harms) [17].These methods have been utilized in various domains, e.g., aviation, offshore, automotive for autonomous cars, etc. [15].However, in the maritime domain STPA has been mainly applied on MASS systems for hazard identification [18][19][20], compared to the rest of methods that are considered quite innovative, and they still have not been tested in this domain [3].
Compared to the rest of the systems thinking methods, EAST-BL models and analyses the interactions within a system at the Socio Technical level.One of its main advantages is that it encompasses the whole system, as opposed to deductive methods that divide a system into component parts for analysis [15].Therefore, in this study it is considered to be an appropriate technique to represent an STS and possible non-normative behaviour.Hulme et al. compared the reliability and validity of EAST-BL when used to identify hazards highlighting that the method did support relatively novice analysts in identifying reliable system risks [21].EAST-BL has been applied in various domains ranging from aviation, road and rail transport to defense, elite sports and dark web markets [15].The most related study in the maritime domain the one of Stanton et al. that analysed the communications between various agents inside a submarine control room [22].
Furthermore, the majority of the risk analysis researches for MASS are focusing on: a) the interaction of MASS with conventional vessels, b) navigational issues, c) cyber-security issues and not on the role of human in the system [23], moreover they offer qualitative results.There are though some researches that try deal with the risk assessment of MASS in quantitative approach.These researches can be divided into main two categories.The first category is called hybrid methods as they combine system-based hazard identification methods with traditional risk assessment methods like event sequence diagrams with concurrent task analysis and Bayesian Network (BN) [24] and STPA with BN [25].Whereas the second includes methods/frameworks that approach the issue innovatively like the framework proposed by DNV where the probability in the risk assessment equation is replaced by the effectiveness of the Risk Control Measures (RCMs) [10] or the framework proposed by Ventikos and Louzis that utilises artificial immune system for hazard identification and risk assessment on MASS [26].

Methodology
The applied methodology for the hazard identification and risk assessment is analysed in this section.The purpose of the methodology is to assess the fallback states of a MASS system for the hazards identified through the application of the EAST-BL.To achieve that, the proposed RCMs and Fallback states are assessed based on the concept proposed by DNV [10].
In particular, the operational profile of the system is based on the DNV's SAFEMASS study, where the green circle represents the normal operation of the system, the cyan any abnormal condition, the yellow the Minimum Risk Conditions (MRC) and the red the last resort [27].At the beginning the operational boundaries related to the normal operations must be defined.Then the system is described by the three different network types that are based on the normal operation of the system, i.e. green circle, in Figure 1.The three networks are: • Social, which represents the agents (e.g., seafarers, operators, etc.) within the system as well as the communications between them.• Task, which represents the activities performed by the system and the relationships between them.• Information, which represents the information utilised by the system and provides the links between different types of information.The networks are developed individually and then they are combined to create a complete social workinformation network diagram, showing all the links and information flows (i.e., distributed knowledge) within the system.Following the development of the combined network, which combines all three networks into one, all links (one by one) are investigated (i.e., broken) to identify potential hazards to the safe operation of the system.
Following the hazard identification process (application of EAST-BL), Risk Control Measures (RCMs) for each identified hazard are proposed.Moreover, a Fallback state for the failure of every RCM is also defined.According to Yamada, Fallback state can be defined as a condition that the system enters by itself when it recognises that its current state is outside its operational envelope [28].In addition, the Minimum Risk Conditions (MRC) is defined by DNV [10] "as a state that the ship should enter when the autoremote infrastructure experiences situations that are outside those in which it can operate normally, but is still expected to deal with in one way or another", i.e. yellow area in Figure 1.Therefore, for the purpose of this research the assumption that is made is that MRC is considered the same condition with the Fallback State.However, better definitions of the terms MRC and Fallback state are required for future research.
After the development of RCMs and the definition of the respective Fallback states has been completed, expert interviews are conducted to assess the level of risk for each Fallback state.The assessment is conducted by a qualitative approach following the rationale of a risk matrix, which is based on equation (1) below [10].Risk = Mitigation measure effectiveness • Severity (1) where: the mitigation measure effectiveness corresponds to the effectiveness of the proposed RCM and the severity corresponds to the severity if the respective RCM fails.The scales for each parameter are shown in Figure 2.  In that way, the level of risk of the proposed RCMs and Fallback states can be assessed, and this can be utilised in an iterative process to for revision of the proposed RCMs and Fallback states for the system.

Case Study
The methodology presented in Section 3, is applied on an indicative case study.For comparison purposes, the MASS system is based on a case study utilised in the SAFEMASS study [27].In particular, the vessel/system is a container feeder vessel designed and operated according to the A3-B1 DNV's level of autonomy, that navigates in congested waters.More specifically, the MASS system is considered to be autonomous and the human (i.e., operator who is on-board and not on a remote-control center) is informed by the system only in case of emergency and can override the system if he/she deems necessary.All bridge/deck responsibilities are shared between two bridge/deck operators and all engine room responsibilities is also assigned to two engine room operators.
The first step in the application of EAST-BL involves the definition of the objectives for the analysis along with the task of the system under analysis.Then, the next step involves the development of the task network.Task networks are used to represent Hierarchical Task Analysis (HTA) outputs in the form of a network showing key tasks and the relationships between them [15].The task network, shown in the Figure 3, begins with determining the course of the ship, that sails in congested waters.The MASS system is responsible for the safe navigation, for planning direct courses and determining the necessary vessel speed based on the prevailing weather conditions, water depth, and other possible hazards.When the system determines the course, it will start implementing the plan for navigating in congested waters, which is initially the supervision of the ship's course.In case no danger occurs, the ship can continue its course normally and then provide the appropriate reference to the system by updating the data during the navigation so that it can further proceed to the necessary calculations based on the criteria and possible changes in the factors mentioned above to be ready for establishing a new plan.Then the supervision of the system is about finding the position of the nearby ships to set the limits of the safe zone that it is prescribed to follow based on the regulations in navigation in congested waters.If there is no hazard of collision with a nearby ship, the ship maintains its course.If there is a possibility of a collision, then the system sends a notification to the bridge and engine room officers to go to their positions and be ready.Furthermore, in case of collision the system alerts the nearby ships and initiates appropriate maneuvers to avoid collision.All information from the entire collision avoidance process is then sent to be used as data by the system and the MASS system for later use when the ship re-enters congested waters.
The next step consists of the development of the Social Network, that includes the MASS system and the four operators on board.The Social Network is used to describe and analyze the relationships between the involved agents and provides a visual representation which shows the connections between agents in terms of interactions as well as with their responsibilities (Figure 3).
Then the development of the third network, i.e. information network (gray circles on the left part of Figure 3), for the scenario under analysis is conducted.Information may be temporally or spatially related to an operator, tasks, or both.In the present case study, it is considered that the main agent is the MASS system.This concept includes the activities of the bridge and the information that the system utilises as a basis for developing information about each agent.
Once all three networks are completed, the composite network is developed, which consists of the combination of the three networks into one (Figure 3).Then the task network is first submitted to the EAST-BL process.This involves systematically breaking down each of the relationships (links) between tasks (one by one) in the task network and identifying the hazards, that arise when relevant information from the information network is not transferred between tasks.All the identified hazards from the EAST-BL application are shown in Table 1, below.The next step according to the methodology is to propose the RCMs to mitigate the identified hazards and then define the respective Fallback states.However, the present paper deals mainly with application of the EAST-BL method, the rest of the steps will be conducted in the future.

Discussion
The results of the EAST-BL application in comparison to the hazards identified in SAFEMASS through the application of Hazard Identification process (HaZID) [27], are comparable.The hazards that were identified in the SAFEMASS project are divided into two main groups.The first group includes risks that may threaten the successful intervention by the operator when having to respond in an abnormal condition whereas, the second group includes risks that may lead to abnormal conditions.In particular, the analysis conducted in the SAFEMASS study was based on the identified risks and the application of the Fault Tree Analysis (FTA) to assess the identified risks [27].
The identified risks in both studies are related with the situational awareness of the operator and the level of trust that the operator presents to the autonomous systems.For instance, a common risk in both studies is that the definition of the operational parameters hance the boundaries of the MRCs cannot be easily defined and therefore the alarms of the MASS system may provide delayed notifications and/or alarms to the operator.The addition in the present paper is that the utilisation of EAST-BL assists on studying the role of the human within the system for specific conditions, e.g. during the collision avoidance process, how the information have to be provided to the operator, or if they are sufficient (i.e., information network) as well as the hazards inherent in that process.In that way the relations of the operator with system and the role of the operator can be further assessed and analysed.
Another added value from the utilization of EAST-BL is that it can assist on the MASS system development (through the three networks) whereas other processes like HaZID and FTA can be considered more generic.Additionally, the role of human can be captured in the EAST-BL, as human is considered an agent of the system.Furthermore, according to the proposed methodology for the hazards identified from the EAST-BL in the present research, specific RCMs can be proposed, and Fallback states to be defined.The experts evaluation, on these can be considered a useful tool, however further research and validation of the proposed methodology is required as Montewka et al. [6] said that the expert judgement maybe considered uncertain, due to lack of knowledge on MASS systems (due to the lack of operational data).

Conclusions
Performing a complete mapping of all functions on a MASS concept may seem overly comprehensive and time-consuming.However, it seems that it may assist on a better understanding of the overall system and to the identification of specific hazards for the system.The application of EAST-BL highlights that it can be considered an appropriate tool to analyze, at the STS level, the role of human for the safety analysis of MASS systems.However, as it is one of the first applications in this domain, more complicated applications (e.g., the presence of remote-control centre and operator, etc.) must be studied to assess and compare the emerging hazards.Moreover, the application of EAST-BL may also assist on the design and construction of remote-control centre, by adopting human-centred design principles and Human Factors Engineering techniques and standards.
Generally, the utilisation of systems-thinking methods can be considered a useful tool for the MASS system analysis, however the definition of the role of human in such systems requires more research.Methods, like EAST-BL, may enhance the identification of hazards for a predefined level of autonomy, but having in mind that the MASS system may alter its level of autonomy depending on the conditions then the analysis becomes a dynamic process that requires further research to assess how safety can be affected according to the changes on the level oof autonomy and the role of human.
Finally, as a future work following this study, is to try to combine the experts' evaluation and gradually evolve the risk assessment process to a quantitative analysis that can increase the situational awareness of MASS systems.

Figure 1 .
Figure 1.Schematic representation of the applied methodology.

Table 1 :
Identified hazards from the application of the EAST-BL.