7 research outputs found

    The Importance of Assuring Algorithm-based Verification Agents

    Safety verification is about creating trust and building confidence that a system is safe and conforms to the specified requirements. The term confidence means the assurance level which is built by generating objective evidence through activities such as testing. In the maritime industry, classification societies (a.k.a. class) are instrumental in the assurance process of maritime safety-critical systems. These systems become more and more software-intensive, enabling a high degree of complexity and even autonomy. Automation of the verification effort emerges as system complexity increases and cost pressure rises. An automatic condition-based survey scheme, utilizing data from sensors and algorithms, is seen as more efficient and effective than the traditional calendar-based survey scheme performed by trained class surveyors (people) today. In the assurance of self-learning adaptive systems such as autonomous navigation systems, possibly based upon Machine Learning (ML), online safety monitors may become instrumental in creating relevant safety evidence. These monitors may also be based on ML and may be adaptive, resulting in one adaptive ML algorithm verifying another adaptive ML-based target system. Class surveyors are test engineers who are verification agents and generate evidence about the system safety level. The verification algorithms, such as a Condition Monitoring system, should also be categorized as a verification agent: an Algorithm-based Verification Agent (AVA). Moreover, class surveyors represent an independent Verification Organization. Independence in the verification effort increases the assurance level because the level of evidence objectiveness increases. If the AVA is developed by the target system developer, it decreases the evidence objectiveness and affects the agency of humans in the verification.
    This paper argues that AVAs must be assured at a level reflecting their agency within the verification effort and the target system criticality. The same cognitive and societal biases infecting the target system may also affect the AVA if it is developed by the same organization as the developer, possibly masking critical defects and making the generated evidence less trustworthy.

    Fast Augmented STPA

    All elements (agents) in the STPA control structure (control algorithm, actuator, sensor system, process model) consist of a set of functions. These can be visualised and analysed using the Functional Analysis System Technique (FAST). The control action is executed by the control algorithm agent. By using FAST we can analyse the sub-functions of the control action and identify scenarios that may cause unsafe control actions. In the same way, the actuator agent, sensor agent and process model agent can be visualised and analysed through FAST to identify scenarios that may cause unsafe control actions. When identifying scenarios that may lead to unsafe control actions, analysts tacitly create a mental model of these dependencies. One of the strengths of STPA is agent analysis: identifying the system agents responsible for enforcing safety constraints as well as other agents whose actions (or lack of them) may cause unsafe control actions. The strength of FAST is function analysis, making the functional dependencies explicit. Small FAST trees within the STPA control structure increase the information density without creating too much clutter. The semantics of FAST are relatively easy and quick to learn for Subject Matter Experts (SMEs) and others. FAST trees can guide refinement of the control structure by identifying functions as new lower-level or higher-level control actions that need further investigation in new control structures. The original purpose of FAST was to spark the creativity to find an alternative solution to a problem, or alternative ways of achieving a function. This is valuable early in the concept and design phase of any system development, including when using STPA in early system safety engineering phases.

    Safety Verification for Autonomous Ships

    Autonomous and unmanned ships are approaching reality. One of several unsolved challenges related to these systems is how to perform safety verification. Although this challenge represents a many-faceted problem, which must be addressed at several levels, it seems likely that simulator-based testing of high-level computer control systems will be an important technique. In the field of reliability verification and testing, design verification refers to the process of verifying that specified functions are satisfied over the life of a system. A basic requirement for any autonomous ship is that it has to be safe. In this paper, we propose to use Systems-Theoretic Process Analysis (STPA) to (i) derive potential loss scenarios for autonomous ships and safety requirements to prevent them from occurring, and (ii) develop a safety verification program, including test cases, intended to verify safety. Loss scenarios and associated safety requirements are derived using STPA. To derive a safety verification program, these unsafe scenarios and safety requirements are used to identify key variables, verification objectives, acceptance criteria and a set of suitable verification activities related to each scenario. The paper describes the proposed methodology and demonstrates it in a case study. Test cases for simulator-based testing and practical sea trials are derived for autonomous ships. The case study shows that the proposed method is feasible as a way of generating a holistic safety verification program for autonomous ships.


    Comparison of Hazardous Scenarios for Different Ship Autonomy Types using Systems-Theoretic Process Analysis

    The area of autonomous and remotely operated ships is developing fast but is still an immature field where new ideas and novel technology solutions are being introduced. As part of these efforts, the Norwegian Forum for Autonomous Ships (NFAS) has defined six autonomy types for autonomous ships: two for a continuously manned bridge, and four for fully or periodically unmanned systems. Different bridge manning levels and operational autonomy levels are allocated to each autonomy type, and therefore each autonomy type could be associated with different kinds of scenarios leading to hazards. To support the decision making of the stakeholders, it is necessary to identify which autonomy type is related to which scenarios. The main objective of this paper is to identify and compare the scenarios leading to hazards for the six autonomy types. To analyse hazards of autonomous and remotely operated ships, we apply Systems-Theoretic Process Analysis (STPA). STPA is a relatively new hazard analysis technique that was developed to analyse hazards of modern complex and software-intensive control systems. STPA models the system as a hierarchical control structure and identifies scenarios leading to unsafe control actions that may lead to hazardous states or conditions. Six STPA analyses are conducted in this study to identify scenarios leading to hazards for the six autonomy types, and the results are compared and discussed.