Report - Petroleumstilsynet

Academic year: 2023


This report is based on a brief commissioned by the Petroleum Safety Authority Norway (PSA) with the theme of human-centered design and human-machine interfaces in the development and implementation of autonomous systems in drilling and wells. This report is based on a brief commissioned by the Petroleum Safety Authority Norway (PSA) with the theme of human-centered design in the development and implementation of autonomous systems in drilling and wells.

Key terms and knowledge

The work is carried out in close collaboration with industry by a multidisciplinary project group with expertise in drilling and wells, technology, organization and human factors. International Ergonomics Association (IEA): "Human Factors is the scientific discipline concerned with the understanding of interactions between humans and other elements of a system, and the profession that applies theory, principles, data and other methods to design to optimize human well-being and overall system performance".

Table 1.1: Overview of the level of automation and the interaction between operator and system

Findings from literature review and experience of autonomy

It can also contribute to more efficient drilling and provide support for earlier detection of failure events. A high level of quality is required in human-machine interfaces, and the operation of automated systems must be transparent to allow a better understanding of the process and to enable the prediction of future actions.

Findings from the investigation reports

The investigations suggest that HF should be better integrated into development processes, and that users should be given a more central place in the design, testing and approval of the systems. The systems described in many of the reports were fragmented, and the coordination and integration of interactive systems needs to be improved.

Key findings from the interviews with the industry

The key findings regarding the investigation methods were the insufficient use of HF expertise and the methods used. In a number of the investigations, the organization was also fragmented and the delegation of responsibility unclear regarding important tasks, issues that could be overcome by better integrated technical systems, clearer organization and better training.

Reflections linked to the regulatory framework

Summary of key standards that should be given more attention

Infrastructure and systems assurance should be addressed through the IEC 62443 standard and the certification schemes it recommends based on the framework conditions provided by NOROG 104. User-centered design and meaningful human control should be applied as principles regarding the introduction of automation where man still has an important role to play.

Summary of findings and initiatives from the workshop

Summary of key findings and proposed initiatives from the project

Need for stronger focus on meaningful human control: Automation can help transfer tedious, dangerous, difficult and dirty operations from operators to machines/automation, but it also reduces user involvement and understanding. [T5] Investigations should include HF and design decisions: Initiative: Investigations of incidents should include knowledge of HF and an assessment of design.

Summary of proposals for further work

The purpose of the assignment was to collect and summarize knowledge related to human factors in the development, testing, implementation and use of new automated technology/autonomous systems that will be useful/critical to drilling and wells. The results are based on inductive analysis (i.e. analysis based on empirical data) as well as deductive analysis (i.e. analysis based on relevant human factors theory), in addition to the evaluation of the project group.

Project delimitation - automated systems in drilling and well operations

Different levels of autonomy

Effects of initiatives and improvements

Accidents and human factors from an MTO perspective

A systematic analysis of available investigation reports indicated that a high percentage of all accidents and incidents are due to poor design (Kinnersley et al., 2007; Moura et al., 2016). Resilient practice is based on principles such as redundancy, flexibility, reduction of complexity and overview of safety margins (Hollnagel et al., 2006).

Figure 2.3: Human factors in the term ‘MTO’ (Karwowski, 2012)

Importance and effect of human factors

The perspective also makes it possible to address organizational and operational conditions, and can be further strengthened in combination with methods that put people at the center. A number of perspectives are often needed to understand accidents and incidents and how they can be dealt with.

Strategies and frameworks linked to automation and autonomy generally

Barrier management is an important perspective used in the petroleum sector to improve safety related to oil extraction (PSA, 2017). The use of drones in the oil sector in the High North is discussed by Bakken et al.

Human factors in system development and operation

  • Situational awareness (SA) and sensemaking
  • Human-machine interfaces (HMI) and alarms
  • Distributed organisations
  • Organisational factors in connection with the introduction of new technology
  • MTO perspectives in development

The theory linked to situational awareness (Endsley) and sensemaking (Weick, 2001) is part of the HF that can be used to improve design and solutions for automated systems. A literature review of the status of autonomous systems in 2020 (state of the art) identified four challenges associated with automation: 1) access to reliable and robust systems; 2) interfaces with human operators; 3) the need for artificial intelligence that supports resilience and security; and 4) reliability in unstructured environments (Johnsen & Kilskar, 2020).

Figure 3.1: "Sensemaking" is influenced by design, training and surroundings and is the process for achieving SA (SMACS, 2020)

Automated transport solutions with transfer value

  • Unmanned metros
  • Autonomous road vehicles
  • Autonomy within shipping
  • Autonomy within the aviation industry – manned aviation and remotely controlled

There has been a focus on learning and establishing barriers to reduce accidents and incidents. From the limited experience gained regarding autonomous/automated ships, it is too early to identify transferable lessons.

Autonomous solutions in offshore drilling and wells

  • Offline models
  • Data infrastructure and quality assurance
  • Handling of machinery
  • Higher level of automation
  • Automated drilling
  • Automated drilling mud handling
  • Automated well control

Delays in time and space between downhole tools and models represent one of the most challenging aspects of automated drilling, according to (Sugiura 2015). This will lead to changes in roles and responsibilities for the parties involved in case of the introduction of new technology, and this may affect the quality of the processes.

Summary of literature and experience concerning automated solutions

In addition, the presentation of automated systems must be transparent to allow a good understanding of the process and to predict future actions. This is important for the development of automated drilling operations where some aspects of the process can often be automated, e.g.

Table 3.1 links the various levels of automation with ODD.

Boeing 737 Max

The reports identify several layers of the causes of the accidents, emphasizing the importance of appointing an investigative team with a wide range of expertise. Weakness in the design of the control system – it was not sufficiently adapted to the needs of users/pilots in critical situations and did not follow recognized standards [T2], [T3].

PSV Sjøborg and Statfjord A (collision between ship and platform due to DP position loss)

Overall, it was considered a challenge for the crew to understand the implications of the alarms and the consequent need for any action. During the development of the systems at Sjøborg, insufficient attention was paid to the holistic integration of the systems.

KNM Helge Ingstad

It was also noted that three out of the seven officers on the bridge had a good/adequate view. Weaknesses in the design of the bridge and the working environment (noise, location and quality of equipment, many alarms).

Nine DP incidents

Organizational factors are related to various parties involved in the development and operation of DP systems, such as operators, verification bodies, vendors and public authorities. These reasons can be seen in the context of challenges linked to cooperation between different parties and lack of expertise on human factors in the development phase.

Fatal road traffic accident involving a Tesla (Joshua Brown) in the USA - Investigated by NTSB

The design of the system was not adapted to the safety-critical tasks being performed [T3]. Change Management MOC – Lack of control related to the BOP upgrade and ADS system installation on West Hercules.

Macondo-blowout

We can point out a number of system parts that show HF-related failure. The design and use of the systems used on Deepwater Horizon was not sufficiently adapted to the needs of the users.

Pryor Trust - Blow out and subsequent rig fire

Insufficient account was taken of HF and processes when developing the systems on board the drilling rig. Many of the causes of the incident were related to the failure of these barriers.

Mærsk Gallant – Well control event

The design of the drilling systems and the alarm system was inadequate and little consideration was given to human factors. Discrepancies between different measurements were not understood and the operators did not have a sufficient understanding of the automated systems.

Summary of results from the review of investigations

Investigation method

After an incident, it can be easy to point out that the incident was caused by an inadequate risk assessment or lack of action on a risk, because we know what happened. We see no reflection on findings that are repeated - it is easy to speak of 'non-compliance' - but were the methods used inadequate, with the result that no changes were made, or not at all.

Causes identified by the investigations

In such projects the development of the systems (design) must follow established methods for Human Factors, i.e. the assessment of mental workload and personnel is a natural part of the development process for the systems and must be included as part of stress tests/reviews of critical scenarios.

About the case projects – description and purpose

Aim of the projects

The projects and the different suppliers seem to have somewhat different approaches and starting points. One of the projects decided to use a single main supplier, while the other project used multiple suppliers.

Figure 5.1 The projects which were selected as cases. Facsimile: PSA.

Methods, standards and guidelines used in the projects

Challenges faced by the projects relating to automation

  • Interfaces between operators and systems
  • Technology-driven development
  • Poor use of methods which structure the project work and weak use of techniques
  • What goes on behind the systems/automation?
  • Alarm management which safeguards control
  • Training

One of the system suppliers highlighted the challenges associated with actual access to end users. This could be viewed in the context of complex organizational interfaces within projects.

What factors appear to have been the most important/positive for the projects?

  • Human factors prioritised by management
  • Clear delimitation of the project and what constituted priority areas
  • Good dialogue with the PSA
  • Strong user involvement at an early stage
  • Positive experiences with resources allocated to training
  • Nuanced prospects with automation and robotisation of drilling operations
  • Follow-up of human factors from operators represents a challenge

In one of the interviews, the respondent stated that the later versions of the software were "virtually. Some of the interviewees found that the necessary attention to human factors is not reflected in the initial project budgets.

Summary of the conclusions – what lessons can the PSA and the industry learn?

  • Use of appropriate methods for planning and managing projects
  • User-centred development with safeguarding of users' skills and knowledge
  • Clearer involvement of the PSA at an earlier stage and during the process
  • Focus on ensuring that automation improves safety – but addresses grey zones
  • Learning from successful factors/projects

In other words, it will be important to ensure that the operators who are project owners clarify this need in budgets and follow up projects to ensure that human factors are part of the project. However, safety and human factors must be explicitly part of the development process to ensure that these considerations are adequately addressed.

Structure of the regulations

Furthermore, the guideline states that the representativeness, validity and limitations of the data should be emphasized. The guidance to Section 21 notes that an analysis of the human-machine interface should be performed, including task and function analyses as necessary.

Table 6.1 lists the regulations in the form of the HSE regulations and sections where some contain references to standards for human factors in the guidance which are relevant to automation

Summary - Structure of the regulations - Some reflections

However, few professionals have human factors/psychology expertise in the industry (both in the supervisory body and among key players). The required standards were not included in the regulations. The chapter consists of two parts - the first part is about HF standards; this is followed by a short list of specific standards related to safety aspects related to robotization and digitization.

Standards and guidelines relating to human factors and autonomy

The regulations and selected sections relating to human factors (ideally as part of the MTO concept) are listed in Table 7.1. This table gives an indication of the current status of the use of standards in the regulations.

Table 7.1 Regulations and sections which currently refer to human factors

General principles and methods

ISO 11064 is a recognized standard that describes good practice for development, which can often be referred to as good practice for user-centered development that takes into account the MTO perspective. EN 894 and NS-EN 614 are relatively detailed standards, and focus more on purely ergonomic factors rather than cognitive factors.

Key standards for interaction design and alarm management

Suggestions for key standards for attention to human factors

Standards and guidelines linked to technical development - automation

Standards for the development of solutions

One of the principles of agile development states: "Our highest priority is to satisfy the customer through early and continuous delivery of software that has value." In most projects, aspects of the security life cycle (e.g. Waterfall and V model) are combined with SafeScrum or other similar approaches.

Standards for the risk assessment of automated systems (including robotisation)

In IEC 61508, the committee switched in 2014 from being somewhat skeptical of agile methods to considering that agile methods are acceptable. Of course, it is necessary to meet all applicable requirements and perform all relevant analysis, even if agile methods are used.

Summary of key standards that should be given more attention

Robots; — Part 2: Robotic systems and integration The standard lists and discusses safety features that may be relevant. Relevant to the security of control systems and describes, inter alia, the certification schemes that must be implemented.

Human factors related to development/design

  • Balance between technology focus and human factors
  • Application of standards that address human factors
  • Fragmented structure of development
  • Updated regulations and supervision

Human factors should be included in both government and internal incident investigations [T5]. In contracts, operators can clarify the responsibilities incumbent on all parties to ensure the early and ongoing integration of human factors into development projects.

Human factors during investigations

  • Breadth of investigations
  • Design assessments in investigations
  • Lessons from successful factors
  • Near misses

Industry should focus more on what stakeholders perceive, understand and support the overall MTO system. Norwegian Board of Inquiry report on Helge Ingstad and CSB's Deepwater Horizon investigation, with seminars on these investigations.

Summary of findings and measures from the workshop

The positive, user-oriented development of automation should continue based on lessons learned from pilot projects. Below we summarize the findings and proposals for measures, based on the results of the project activities (where the measures [Tx] can be traced).

Figure 9.1 The human who uses a technology must be involved in communication with

Strong technology focus and technology optimism

User-centred development has been successful and resulted in positive experiences

Users must make time to specify requirements, assist during the innovation process and have time to test, trial and document procedures related to the use of the systems. An estimated breakdown of time spent on a project should be established based on a code/scope of procedures/organizational changes, but this is normally the case.

Need for stronger focus on meaningful human control

The systems must be able to provide an overview of the status in relation to the limit values for the operating area. Autonomous systems must be able to switch to a safe mode in case of failure or if the unexpected happens ("Both safe and secure").

Poor learning between accidents and incidents, investigations and

Systematic CRM training has led, among other things, to a reduction in the number of accidents and lower insurance premiums (Flin et al., 2002). In the petroleum industry, many stakeholders have adopted this approach and the IOGP has recommended the introduction of CRM training (IOGP, 2014).

The measures must be implemented at as early a stage as possible for the best possible

In an accident, the operators' perceptions during the unfolding course of events must be documented. In the case of major incidents or analyses of relationships, there should be cooperation with an independent investigation group that has knowledge of HF (e.g. Havarikommissionen Norway).

Proposals for further work

PSA (2017) Principles for Barrier Management in the Oil Industry Barrier memo 2017 from https://www.ptil.no/fagstoff/utforsk-fagstoff/faartikler/2017/barrierenotat/. Norwegian Government Strategy for Artificial Intelligence - National Strategy for Artificial Intelligence - (2020) https://www.regjeringen.no/no/dokumenter/nasjonal-strategi-for-kunstig-.

Abbreviations and terms used in the report

This process can be influenced by work environment, training/knowledge, support systems and other safety-critical factors. By "safety critical" we mean that when a system fails, we can perceive critical HSE events (such as critical injury to people and damage to equipment and the environment).

Implementation of project activities and method use

The Norwegian Petroleum Safety Authority defines risk as "risks are the consequences of activities and related uncertainties"; ref. As part of the work related to gathering information from the industry (chapter 4), interviews were conducted with various actors in the oil industry.

Table A.2 Search strings used in literature search

Suggested further activities for discussion and priorities

Many aspects of the projects we examined had a positive impact on safety levels. Here one must carefully review key aspects of the division of responsibilities between operator, contractor and supplier, i.e.

Figure V7.1 Theme for AI – see https://www.ai-safety.org

Table from accident investigations DP

Results from Workshop

In the petroleum sector (and other areas) it is important to involve HF expertise from the beginning in more studies than is the case today. If the theme is HF in the design of automated systems, how can this be addressed in studies.
