517
1 INTRODUCTION
Theideaofanautonomousshipisnotanewone.In
fact, automatically controlled surface vessels have
existed already for decades. Fully automatic
dynamically positioned vessels became common in
theoffshoreindustryinthe1970ʹsandtheuseofon
autonomous cargo ship was studied and
demonstrated in Japan in the 1980ʹs. Today fully
aut
onomous Unmanned Surface Vessels (USV’s) are
widely used in ocean research, coast guard and
militaryapplications.
Thetechnologyofanautonomousandunmanned
shiphasbeenasubjectoflivelydiscussioninrecent
journals,conferencesandseminarsondevelopmentof
marine technology. An aut
onomous ship is a sea‐
going surface vessel which is capable of operating
without any crew onboard. The interpretation of an
autonomous ship by the MUNIN‐project is a
combination of fully autonomous operation and
remotehumancontrol.Theship’sowncontrolsystem
canaskforassistancebytheremoteoperatorinsuch
situationswheretheonboarddecisionma
kingsystem
cannotsolvethesituationforonereasonorother.The
autonomous ship can thus operate fully
independently or it can be in some situations
remotelyoperated.
Theautonomousshipping isseen asa possibility
formaritimetransporttomeettomorrow’schallenges.
Themostimport
antargumentsaretheimprovement
insafetyandthereductionofcosts,i.e.improvement
in competitiveness. Recent European research and
The Human Element and Autonomous Ships
S.Ahvenjärvi
SatakuntaUniversityofAppliedSciences,Rauma,Finland
ABSTRACT:Theautonomousshiptechnologyhasbecomea“hot”topicinthediscussionaboutmoreefficient,
environmentally friendly and safer sea transportation solutions. The time is becoming mature for the
introduction of commercially sensible solutions for unmanned and fully autonomous cargo and passenger
ships. Safety will be the most int
eresting and important aspect in this development. The utilization of the
autonomous ship technology will have many effects on the safety, both positive and negative. It has been
announcedthatthegoalistomakethesafetyofanunmannedshipbetterthatthesafetyofamannedship.
However,itmustbeunderstoodtha
tthehumanelementwillstillbepresentwhenfullyunmannedshipsare
beingused.Theshore‐basedcontrolofashipcontainsnewsafetyaspectsandaninterestingquestionwillbe
the interaction of manned and unmanned ships in the same t
raffic area. The autonomous ship technology
shouldthereforebetakenintoaccountonthetrainingofseafarers.Alsoitshouldnotbeforgottenthatevery
singlecontrolalgorithmandruleoftheinternaldecisionmakinglogicoftheautonomouslynavigatingshiphas
beendesignedandcodedbyahumansoftwareengineer.Thusthehumanelementispresentalsointhi
spoint
ofthelifetimenavigationsystemoftheautonomousship.
http://www.transnav.eu
the International Journal
on Marine Navigation
and Safety of Sea Transportation
Volume 10
Number 3
September 2016
DOI:10.12716/1001.10.03.18
518
development projects on this field are the MUNIN‐
project, financed by the EU, and the Norwegian
ReVoltprojectbyDNVGLsupportedbyTransnova,
Norway. The third major European project on this
subject is AAWA, financed by a group of Finnish
companies and the state‐owned Finnish Funding
Agencyfor
Innovation,TEKES.
OneofthefundamentaloutcomesoftheMUNIN‐
projectwasthefindingthattheunmannedvesselscan
indeed contribute to the aim of a more sustainable
maritimetransportindustryandthattheautonomous
ship bears the potential to reduce operational
expenses, reduce environmental impact and attract
seagoing professionals.
Also the fully autonomous,
unmanned, battery powered and electrically driven
concept ship ReVolt was estimated to have a
considerable potential for cost savings compared to
an ordinary diesel‐run ship, over a million euros
annually.
Itisa veryoftenrepeatedclaimthatabout80%of
marinecasualtiesarecaused,at
leastinpart,bysome
formofahumanerror.However,thisclaimhasbeen
challengedbymanyresearchers.Themainweakness
about this claim is the interpretation of the human
error. Why humans behave in the way they doand
what cankind of behaviour canbe expected from
a
human operator? It was argued already by
Rasmussen(1982)that”humanerror”isnota useful
term and should be replaced by considering such
events to be ”human‐task mismatches”. One could
thinkthattheautonomousshipwouldbethesolution
to this kind of unlucky events, because it is
unmanned. Wouldn’t it eliminate completely the
humanerror–orthehuman‐taskmismatch‐fromthe
navigation process? Unfortunately the answer is no.
Theassumptionisclearlynotcorrect,eventhoughthe
operationoftheshiptakesplacewithoutanyhuman
involvement. The human factor is still very much
present,
butinanotherform.
It is apparent that when the ship is unmanned,
certaintypes ofhumanerrors arenotpossible.Such
as errors due to operator fatigue, due to forgetting
somethingimportantorduetowrongattitudes.Also
suchbasicoperatorerrorsasslipsandlapseswould
be avoided. But
still, the human element is present
andthereisalsoroomforhumanerrors.
The human element is present on the unmanned
ship,becauseithasbeendesignedandconstructedby
a human being. The human factor has been shifted
from the actual moment of operation to an earlier
phase
of the life‐time of the ship, when the whole
technical system was designed, built and tested.
Leveson (1995) expresses this by stating that
“removing dependence on an operator by installing
an automatic device to take over the operator’s
functiononlyshiftsthatdependenceontothehumans
whodesign,install,test,
andmaintaintheautomatic
equipment–whoalsomakemistakes.”
Arethedesignersoftheautonomousshipableto
anticipatealldifferentoperationalsituationsinorder
tomaketheshipbehavealwaysinasafeway?Itmust
be taken into account that the autonomous ship
interactswithothervessels,
unmannedoroperatedby
humanbeings.Howtheautonomousshipaffectsthe
behaviourofthedeckofficersoftheothershipsinthe
sametrafficarea?Thisinteractioncreatesanewtype
of human element that also could lead to a human
error.
Thehuman elementis presentalsoin the
remote
control of the unmanned ship. How this should be
taken into account? Is the remote control of the
unmanned ship similar to the on‐site control of the
ship?Thesethemeswillbediscussedinthefollowing
chapters.
2 THEAUTONOMOUSSHIPISDESIGNEDBYA
HUMANBEING
The
autonomous ship including the computer
equipment,thatcontrolstheoperationoftheshipare
designed and constructed by a human being. The
software,i.e.thebehaviourofthesystemindifferent
operational situations, is also designed by a human
being. It is obvious that the human element is
involvedinevery
singleactoftheautonomousship,
even though it is unmanned. In case of an
autonomous ship, the size of the total software
package ishugeandthestructureof thispackage is
very complicated. It is divided into subsystems and
smaller entities inside a large amount of different
devices
communicatingwitheachother.
Potentiallytherecanbeoneormoresoftwarebugs
causedbyahumanerrorineverysinglepieceofthe
large system. The process of developing and testing
the control software for the autonomous ship is
thereforeextremelycritical.Whatkindoferrorscould
thesoftware engineers
make?The developmentof a
real‐time software system is a complicated iterative
process consisting of different phases, such as
requirementdefinitionandanalysis,planningofdata
structuresandoperationalgorithms,planningofdata
transmission,designingthestructureofthesoftware,
defining the scheduling and priorities of the tasks,
designing
theself‐diagnosticsandthealgorithmsfor
exceptionalsituations,codingthemodules,testingon
the module level, integration, testing on the system
leveletc.
Itisbeyondthescopeofthispapertodiscussthe
methods ofcreating goodsoftwarefor safety‐critical
systems. There are hundreds of books and papers
written on this topic and many international
standards published to support the development of
safety‐critical systems, such as IEC61508, ISO 26262
andIEC62304,justtomentionafewofthem.
Therearesimplehumanerrorsthatcantakeplace
during the software development work, such as
typing errors
and common human carelessness
duringthecodingphase,whichcouldcausesoftware
bugs with a great variety of symptoms. A bit more
irritatingerrorsresultfrompoorinterfacedesignand
unpracticaloperatingalgorithms.Butthegoodthing
about this kind of software errors is that they are
obviousandcanbe
easilycorrected.Themoremature
thesoftwarebecomes,thelessitcontainsthiskindof
errors, sincethe softwaredoes notwear out, i.e.the
amountoferrorswillnotincreasebecauseofaging.
Themost difficultand dangeroussoftware errors
arethosethatareconnectedwithabnormalsituations
and
algorithms in exceptional circumstances. Many
maritime accidents have resulted from a poorly
519
designed algorithm leading to an unexpected and
dangerous operation under exceptional
circumstances. Nobody knew beforehand how the
system would behave in such situation. Some
accidents of this type are analysed in Ahvenjärvi
(2009). The problem of this kind of software design
errors is that they are very difficult to reveal
beforehand. It may happen that the exceptional
situationwasnotanticipatedbythegroupofexperts
who wrote the requirement definition for the
software. The operation of the system in such
situationmight betheresultofdecisionsmade bya
softwareengineer,whoisnotanexpertofnavigation.
Thereisagoodreasontoaskifthesoftwareengineer
isabletonavigateaship.Ahvenjärvi(2002a)risesthis
questionandgivessomeexamplesofsoftwareerrors
causedbypoorlydesignedalgorithmsforexceptional
situations: “Onboard a passenger ferry a navigating
computer, after a sensor failure, kept on controlling
thespeed oftheship withoutknowing thespeed of
the ship. Onboard another ship the automation
system controlled the pitch of the propeller to zero
afteramainengineclutchfailure,despitethefactthat
the other main engine was still running.” Another
grounding of a passenger ship was
caused by a
curiosityinthesoftwareoftheautopilotoftheship.
Noneofthedeckofficerswasawareofthebehaviour
of the autopilot before the fateful stormy night in
December2001arrived,and theshipgroundedwith
820 persons onboard (Onnettomuustutkintakeskus
2001).
Adifficultcaseforthedesigner
ofthesoftwareis
tofindouthowtheautonomousshipshouldactina
situationwhereonlyreallypooralternativesareleft.
For example, should the ship intentionally collide
withanothershiporinsteadsailaground?Theseare
difficult questions and the human element is very
muchpresent
increatingalgorithmsforsolvingsuch
problems. The responsibility can not be laid on the
computer system. It is the man‐made software that
makesthesystemdowhatitdoes.Butwhotakesthe
responsibility of an accident caused by a poor
decision algorithm of the autonomous ship? It is
beyondthescopeofthispapertodiscussthismatter.
Allinall,itismorethanlikelythatthere willbe
moreorlessdangeroussoftwareerrorsinthecontrol
systemsof autonomousships.Thegoodthingabout
softwareerrorsisthattheydonotmultiplyduringthe
lifetime
of the system.Instead,by testing and using
the system errors will be revealed and the software
can be corrected and updated. Anyhow, the human
elementisstillthere,evenwhenallpossibleefforthas
been put into testing and correcting the software
beforetheautonomousshipisputintotraffic.
3 INFLUENCEONTHECREWOFTHEMANNED
SHIPS
Although it may sound a little bit strange scenario,
thecrewonamannedshipmightlearnnewoperating
habits when they are in regular contact with an
unmanned ship. It is a commonly known fact that
automationhasthetendency
tocreatenewandrisky
habitsforthemwhoareinregularcontactwithit.Itis
notdifficulttofindexamples ofthis.Thegrounding
ofM/SRoyalMajesty(NSCB,1997)isaclassicalone,
but also in everyday life we can see examples of
changes inhuman behaviourcaused
byautomation.
Justconsideracardriverthathasanewcarequipped
withaparkingradar.Inthebeginningthecardriver
checksthepossiblenearbyobstaclesfromthemirrors
andthewindows,eventhoughtheradaristhere. But
gradually the driver learns that there will be a
warninggivenbytheradarsystemwheneverthereis
something behind the car. And after some time the
driverlearnstorelyontheparkingradarandbegins
toneglect lookingat themirrors.It canhappen that
thedriverstartstousealittlebitmorespeedduring
parkingbecause
oftherelianceontheradarsystem!
Itispossible,ifnotprobable,thattheautonomous
shipwillcausesomekindoflearningprocessamong
the deck officers of manned ships operating in the
same traffic area. When the operation of the
unmannedshipisknownandpredictable,itcould
be
utilised in some way to make the navigation of a
mannedshipeasierormoreeffective,forexamplein
encounteringandpassingsituations.
The potential dangerous utilisation of the
predictablebehaviouroftheautonomousshipshould
be taken into consideration. In the worst case that
could result in degrading safety
and new types of
hazardous situations in the shipping routes and
fairways.Theautonomousshipsshouldbeequipped
withextensiverecordingcapacityinordertomakeit
possible to afterwards analyse the odd traffic
situationsandincidentscausedbymannedships.
4 THEHUMANELEMENTINTHEREMOTE
CONTROLOF
THEUNMANNEDSHIP
Asmentionedabove,theautonomousshipcanalsobe
remotelycontrolled.Thehumanelementispresentin
thismodeofoperationinthesamewayasitisonthe
bridgeofthemannedship.Maintainingthesituation
awarenessisessentialforsafeandefficientcontrolof
the
ship. Therefore the quality of the information
presented to the human operator in the remote
controlcentreiscrucial.
The operator needs to have up‐to‐date and
essentialinformationaboutthestatusoftheshipitself
andaboutthetrafficsituationaroundit.Thereisalot
publications about
the ergonomics and other factors
affectingtheperformanceofthehumancontrollerofa
technicalsystem.
If the operator in the remote control centre gets
exactlythesameinformationaswouldbeavailableon
thebridgeoftheship,thereisvirtuallynodifference
betweentheremotecontrolandtheonboard
control.
This is technically quite possible, provided that the
datatransmissioncapacitybetweentheshipandthe
remotecontrolcentreenablesthenecessaryreal‐time
informationexchange.
According to the MUNIN project the Human‐
Machine‐Interface(HMI)oftheremotecontrolcentre
mustbedevelopedusing decision‐making heuristics
that
compliment the operator’s ability to obtain and
maintain situational awareness and remain “in the
loop”. A user‐centred design will be critical to
520
develop the remote control centre good for safe
passageofautonomous,unmannedships.
ApotentialareaofdevelopmentoftheHMIofthe
remote control centre would be the utilisation of
auditory feedback in monitoring of the operation of
theship’sequipment.Incaseoftheremotecontrolof
the
autonomousshipitcouldbearecorderrealsound
oranartificialsounddescribingtheoperationofthe
critical equipment.This topic hasbeen discussed by
Ahvenjärvi (2002b). Ahvenjärvi proposes that the
monitoring of safety‐critical signals could be
improved by producing a suitable non‐disturbing
continuous background sound to
the control room.
Thechangesinthebackgroundsoundwoulddescribe
theoperationalchangesoftheruddersandthemain
propellers. Byusing auditoryfeedback thedetection
of critical faults in the navigation system would be
enhancedandthesafetyofnavigationbeimproved.
5 WILLTHEBESTOFTHEHUMAN
ELEMENTBE
LOST?
Obvious strengths of the human operator of a
complex system are flexibility and creativity. The
human ability to adapt to surprising situations has
positive effectsin thesafety of thesystem, although
thehumanabilitytoadapt‐i.e.theabilitytolearn‐
canalsobeaweakness,
asdiscussedearlier.
The problem of a surprising situation from the
softwaredeveloper’spointofviewisthatitcannotbe
anticipated.Particularlychallengingsituationsforthe
autonomousshipcouldbeforexamplemultipleand
simultaneous sensor faults, or faults in the
communication equipment, intentionally caused to
disturbtheship
(bya groupofpirates,forexample).
Thiskindofscenariosdescribeanothertypeofhuman
elementinfluencingtheoperationoftheautonomous
ship.
Thepreprogramedcomputersystemhasalimited,
ifany, abilitytoadaptto exceptionalandsurprising
situations. This could be a weakness of the
autonomous ship
compared to the traditional ship
withahumannavigatoronthebridge.Theneedtobe
abletocopewithunforeseensituationsmustbetaken
into serious consideration when the control
algorithms, emergency procedures and the decision
logic of the autonomous ship is being designed.
Effective ways to manage such situations
must be
introduced and tested before the fully autonomous
shipisreadyforwideruseinseatransportation.
6 CONCLUSIONS
Introductionoftheautonomousship doesnot mean
thatthereisnomoreahumanelementinvolvedinthe
navigationprocess.Althoughsometypesofoperator
errorswillbeeliminated,
thehumanelementandthe
humanerrorindifferentforms havetobetakeninto
account. In this paper, some aspects of the human
element related to the autonomous ship technology
havebeendiscussed.
The human element plays a major role in the
softwaredevelopmentphaseoftheautonomousship.
It
is of utmost importance to ensure that the
algorithms and decision making procedures of the
autonomous ship are carefully defined, correctly
coded and thoroughly tested‐not only for normal
operation conditions, but also for exceptional
circumstancesandsurprisingsituations.
It must also be taken into account that the
predictable operation
of the autonomous ship can
influencethebehaviour ofhuman navigators onthe
conventional manned ships. Potential unwanted
habitscausedbythiskindoflearningprocess might
be reducedby equipping theautonomousship with
comprehensiverecordingcapabilities.
The role of the human element in the remote
controlcentreofthe
autonomousshipissimilartothe
role it has onthebridgeof a manned ship. A user‐
centred design of the HMI of the remote control
centreisextremelyimportanttominimizeusererrors
andtomaximisethesafetyoftheremotelycontrolled
ship.Audiblefeedbackcouldbean
additionalmeans
toenhancethemonitoringcarriedoutbytheoperator
inthecontrolcentre.
The human element is often associated with
humanerrors.Thepositive sideofthehumanelement
isthehumancreativenessandtheabilitytoadaptto
unforeseen and surprising situations. This form of
resilience is a
strength, but sometimes also a
weakness, of the human deck officer of a ship. The
lack of similar ability to adapt to unforeseen
situationsisapotentialweakpointoftheautonomous
ship. There must be a lot of resilience built in the
control systemof the autonomousship to
make it a
safealternativeforthemarinetransportationneedsin
thefuture.
REFERENCES
Ahvenjärvi,S.2002a.CanaSoftwareEngineerNavigateand
Steer a Ship? Conference paper presented at
Nordcompass 2002 Femte nordiska seminariet om
passagerarfartyg11.‐12.3.2002
Ahvenjärvi, S. 2002b. Audible Feedback for Monitoring of
Critical Signals on Ships, Conference paper at Nordic
ErgonomicsSociety‐34thAnnualCongress
ʺHumansinComplexEnvironment.
Innovate,Integrate,
Implement”Linköping,Sweden
Ahvenjärvi, S. 2009. Safety of the Integrated Navigation
System of a Ship in Fault Situations, Doctoral thesis,
TampereUniversityofTechnology,Tampere.
Leveson,N. 1995.Safeware:SystemSafetyandComputers,
Addison‐WesleyPublishingCompany,USA,p.108.
MUNIN PROJECT. Technical reports at the MUNIN web
site:
http://www.unmanned‐ship.org/munin/ [acc. 2016‐
09‐10]
Onnettomuustutkintakeskus, 2001. Matkustaja‐autolautta
ISABELLA, pohjakosketus Staholmin luona
Ahvenanmaalla 20.12.2001 Onnettomuustutkinta‐
keskus,Helsinki.(inFinnish)
National Transportation Safety Board, NTSB, 1997.
Grounding of the Panamanian passenger ship Royal
MajestyonRoseandCrownshoalnearNantucket,MA,
June10,1995(MarineaccidentreportNTSB/MAR‐97/01).
WashingtonDC:NTSB
Rasmussen, J. 1982. Human errors: A taxonomy for
describing human malfunction in industrial
521
installations, Journal ofOccupational Accidents, vol.4,
ElsevierScientificPublishers,pp.311‐335.
