observation of trends of actual measurements against values predicted by models. This can be done by drillers, support personnel or automatically via detection software based on the model.
These are complex systems that can fail if HF is not taken into account during development (Ciavarelli, 2016). Overconfidence that systems can deal with any situation can also lead to problems. In the event of an incident where systems drop out or do not function as intended, the system may not be able to provide the necessary support, and personnel may lack the training needed to take over and operate the systems manually. The development of such systems therefore requires us to prioritise human-centred design when they are introduced, via user-centred development [T2], and to ensure that principles such as "meaningful human control" are applied [T3].
The automation of drilling operations, which leads to changes in duties from an active role to more of a monitoring role, can contribute to reduced situational awareness (out-of-the-loop). In addition, autonomous systems that use digital twins, for example, can increase in complexity throughout their life-cycle. This can lead to a lack of insight and understanding of the system, which in turn can lead to errors and incidents, particularly in situations where an autonomous system has to be overridden.
It is therefore essential that users are at the heart of the development of these systems, something that the aviation sector has had good experience of. In this industry, automation has also been introduced gradually, and there is a strong regulatory framework which focuses on thorough testing, verification and validation. User-centring also leads to better user experiences and user satisfaction (Vredenburg et al., 2002), and in many cases higher productivity (Beuscart-Zéphir, 2007; Sethi, 2008) [T2].
The possibility of reduced situational awareness following the introduction of automated systems also impacts on the approach that must be followed during development, as it is essential to ensure that the systems (e.g. HMI) present the information that is needed for decision-making purposes at all times. Clear information concerning the state of the system and support for the transition between automatic and manual control will then be key factors in ensuring safety, something that requires a high-quality human-machine interface. In addition, the presentation of automated systems must be transparent to facilitate a good understanding of the process and enable future actions to be predicted. This can be addressed by applying the principle of meaningful human control [T3].
Another development that has implications for changes in roles and responsibilities following the introduction of more automated systems and models in drilling operations is that some functions can be transferred from the rig to an onshore operations centre. This requires automatic systems on the rig to be sufficiently robust and reliable, and to be remotely controlled in order to render the presence of experts on the rig unnecessary. As a result, automated systems cannot be viewed in isolation and must be supported by infrastructure, interaction with control centres and other parties (drones or other facilities), so that they get help in managing themselves [T3a]. A more distributed allocation of tasks between control functions must also be ensured through an analysis of task delegation during the development process, as well as through procedures and training. When using distributed operations and different suppliers, it is therefore important not to focus solely on the technological systems, but also to follow up the introduction of autonomous systems with organisational steps [T3c].
From the autonomous road transport and aviation sectors, we have also seen the necessity of ongoing data entry and analyses of rich data from operations, to enable an assessment of what works and obtain a sound basis for analysing accidents and incidents. Data collection should include different types of data (including video-recordings) that can be compiled to provide a comprehensive picture of events [T4].
Autonomous systems thus consist of technology (drones, infrastructure), organisation (with risk assessments, procedures and responsibilities) and humans (who must have knowledge and be placed in a situation where they can perform meaningful human control). Delimitations will then be particularly important in order to facilitate the safe use of autonomous solutions, such as clarity as regards what systems can be used for and what constitutes a safe operating area (ODD - Operational Design Domain); see Table 3.1. ODD is therefore key to safe operation (Berman, 2019) and must be designed so as to minimise the risk of accidents and incidents. This includes analysing which systems and tasks can be satisfactorily automated, and ensuring that protection is provided against accidents and incidents, e.g. via barriers. This is of relevance to the development of automated drilling operations, where certain aspects of the process can often be automated, e.g. the partial robotisation of drill floor and the introduction of semi-automated management systems.
Table 3.1 links the various levels of automation with ODD.
• For level 1 with no automation, the need for delimitation (ODD), infrastructure support and support from HMI/Alarms will remain unchanged.
• For levels 2, 3 and 4, it will be necessary to consider delimitation (ODD), support from infrastructure and support from HMI/alarms, where the automation takes over and assesses what needs to be done in the transition between the automation and the human, and what to do in the event of failure.
• For level 5 with autonomous systems, ODD is important in line with support from infrastructure. Here, it is assumed that it will be possible to switch to a safe state in the event of failure. Alarms and control must be assessed separately, because there may only be a control centre at overarching level (e.g. from existing overarching traffic control centres/emergency response centres) where emergency response/assistance will be necessary in the event of a collision/failure/fire or other accident or incident.
Table 3.1: Level of autonomy and need for support from ODD, Infrastructure and HMI/Alarms
| Level - Autonomy | Operator | System | ODD | Infras. | HMI |
|---|---|---|---|---|---|
| 1 - No autonomy | All operations | Warns, protects | As before | As before | As before |
| 2 - Limited support | Controls (In-the-loop) | Guides, supports | Assess | Assess | Assess |
| 3 - Tactical, monitors | Involved – continually monitors "On-the-loop" | Controls within well-defined boundaries | Increased | Increased | Increased |
| 4 - Automated support | Strategic "Out-of-loop" interruption-determined, prompted by the system | Operates independently, but can hand back control | Increased+ | Increased+ | Increased+ |
| 5 - Autonomous | Fully "out-of-loop" | Operates independently – switches to safe state itself | Increased++ | Increased++ | New-Non-conformity |
4 Review of investigation reports regarding methods and findings for drilling and wells
We have reviewed nine investigation reports where we assessed autonomy and HF in order to collate experiences relating to: 1) investigation methods, and 2) root causes and proposed measures. For each of the investigations, we assessed whether the investigation was sufficiently broad, i.e. whether it looked at the interaction between human, technical and organisational factors. A particular focus was placed on assessing whether HF was included and whether the investigation assessed causes stemming from the design stage. The investigation reports were selected in cooperation with the PSA. Each event is summarised over two pages.
Due to the greater maturity and level of experience, we also looked at investigations with a high level of automation from areas other than petroleum. Incidents involving autonomous and automated systems from other industries may be of relevance to drilling and wells as regards both investigative methods and findings. The review will therefore consider reports from aviation (with automated control and safety systems), shipping (with highly automated systems, such as dynamic positioning, bridge systems), road transport (automated vehicles), along with incidents from the petroleum sector (drilling and wells). By way of conclusion, we have summarised key findings from all the reviews.
The following incidents were reviewed with the theme of automation and HF:
1. Boeing 737 Max crashed (Endsley, 2019), (NTSB, 2019), (ECAA, 2019).
2. PSV Sjoborg and SFA, collision between ship and platform - Equinor (2019, 2019a).
3. KNM Helge Ingstad collision (AIBN, 2019), look at investigative methods and systems
4. DP operations (Dong, Vinnem & Utne, 2017), look at systems and alarms
5. Road traffic accident involving Tesla (Joshua Brown) in the USA – NTSB (2017)
The following events were reviewed with the theme of drilling & wells and HF:
6. West Hercules - ADS Barents, (PSA, 2019)
7. Macondo Blowout (US-CSB, 2016) and (Tinmannsvik et al., 2011)
8. Pryor Trust – Blowout (US-CSB, 2019)
9. Mærsk Gallant – Well control event (Mærsk Drilling, 2015)
The following themes and factors are described in connection with the reviews:
- Description of each incident, the time at which it occurred, along with the immediate consequences and potential of the incident.
- Mandate and use of methods in the investigation, such as who investigated the incident, whether it was an internal investigation or was carried out by an external party, and whether quality could have been affected by the way in which the investigations were organised. This may have had an impact on whether the investigations led to an understanding of the situational awareness amongst the parties involved. This understanding could be key to identifying organisational and technical measures.
- Causes linked to automation and HF, where we look at the underlying causes (such as design). Could the methods used in the investigations determine whether human factors were adequately addressed during the development phase of the systems involved in the accidents?
- Discussion and lessons based on mandate and causes