1. Introduction
With more than five decades of production and supply chain experience, exporting around the world, the oil and gas sector is a UK industrial success story [1]. Nevertheless, it is facing a number of significant challenges over both the short and long term, including ageing infrastructure, declining production rates, reduced drilling exploration success rates, and an ageing workforce [2]. More recently, these have been compounded by low oil prices and the demand to shift to more renewable energy sources. All of this has led to a drive to increase competitiveness by reducing the overall cost of the operation of existing energy fields. One of the solutions being explored to achieve this is the increased use of unmanned and autonomous robotic platforms.
Autonomous systems are systems which decide for themselves what to do [3]. Typically, these decisions are made using computer software, which controls the system(s) in question and performs operations that might otherwise be performed by a human—in essence, the cognitive element of performing a task. For example, an autonomous unmanned aerial system (UAS, aka “drone”), the focus of this paper, will need to contain computer systems that can replace the function of a human pilot operating the UAS by remote control when operating beyond visual line of sight [4].
In this paper, an autonomous system is defined as the following:
An unmanned system (UMS) wherein the UMS receives its mission from the human and accomplishes that mission with or without further human–robot interaction
Traditionally, autonomous robotic systems are considered to be well suited for tasks carried out in hazardous environments; the so-called dull, dirty, and/or dangerous missions (commonly referred to as the “three Ds”). More recently, however, the need to use such systems within demanding, distant, and distributed missions has also been established [6]. This is a result of their increasing capability and desirability in terms of reduced cost and increased safety. Offshore energy field operations, such as unmanned inspection and maintenance of oil platforms and wind farms, are prime examples of these latter “three Ds”. This makes unmanned aerial autonomous systems strong candidates for these missions.
In all environments, but in particular in hazardous environments, autonomous systems must operate safely and be safe to operate. Operating safely in this context means that the system should not carry out acts or behave in a manner that would be considered to be hazardous, such as colliding with an asset or a person. An autonomous system that is safe to operate is one where operating procedures and/or onboard software/systems have been developed to minimize the risk of the system causing damage or harm. This paper illustrates a method intended to contribute to both of these aspects of safety.
One means to ascertain where it is safe to operate the system would be by the definition of an operational envelope for the offshore asset-autonomous system combination in question (e.g., UAS and oil rig), inside of which the confidence in the safety of the mission is, in some sense, “high”, although perhaps not “guaranteed”.
In one sense, this is not a new problem. A closely related task is the clearance of aircraft operating onto and from a ship. Here, aerial vehicles are operating in the presence of bluff body structures that give rise to local unsteady flows which can be hazardous to the operation. In the UK military, this maritime problem is addressed as follows. To provide helicopter operators with guidance as to which environmental conditions are safe for take-off and landing operations from ships, a ship–helicopter operating limit (SHOL) is created for each helicopter–ship combination [7]. This is generally constructed via what are known as first of class flight trials (FOCFTs). The SHOL indicates to the ship/helicopter operator both the wind speeds and directions (relative to the ship) for which it has been demonstrated that helicopter operations are safe to carry out to that class of ship during the FOCFT. The larger the SHOL envelope, the greater the operational capability of a specific helicopter type operating from a given ship. An example of such an envelope can be seen in Figure 1.
First of class flight trials are performed at sea. They are, inevitably, expensive and it can typically take weeks to construct a full SHOL envelope. The full range of wind and sea conditions may not be available during the trials, resulting in the published SHOL being more conservative than would otherwise be necessary [8].
In addition to the operational piloting limits being established during the FOCFT, pilots use the Deck Interface Pilot Effort Scale (DIPES) [9]. This is a 5-point rating scale where the test pilot awards a rating for the landing. It is based on the amount of effort the pilot has to expend to remain in control based on workload (or pilot compensation), performance, accuracy, and consistency. The pilot then makes a subjective assessment of the landing as to whether or not the average pilot would be able to make the landing. This assessment then appears in the DIPES scale as a numerical value, where a 3 or less indicates a safe landing. A rating that is higher therefore indicates the contrary. The SHOL envelope thus indicates the transition in environmental conditions between the safe and unsafe landing of the helicopter to a particular ship.
As per the oil and gas sector, the global military community is under pressure to reduce the costs of their operations. To try to achieve this for the FOCFT, they have turned to modelling and simulation [10,11,12], not as a means to completely replace at-sea trials, but as a means to inform the most effective conditions for live testing. In its most common form, the use of modelling and simulation for SHOL development has been the use of pilot-in-the-loop testing to derive helicopter/ship operational guidelines and to construct preliminary simulated SHOL envelopes [13,14]. Of particular note, piloted flight simulation was used extensively to prepare for the F-35B Lightning II FOCFTs on the UK’s new aircraft carrier, HMS Queen Elizabeth [15].
The autonomous systems problem, of course, differs in that there is no pilot on board to provide either the pilotage or the subjective feedback as to any deficiencies encountered that might provide information pertinent to the construction of an operational limit. This has started to be addressed, for example, in [16] where a pilot model is used. Whilst the model developed was demonstrated to show that it could predict a SHOL accurately, the limitation of this approach is that no equivalent to the DIPES rating could be provided, i.e., it was not able to diagnose why the limit was reached.
For an autonomous system to be used in a real-world environment, the safety of its operation needs to be agreed with the regulator of that environment [17]. In the UK, there is not yet a standard method to assess whether or not an autonomous UAS operation is safe. Each request for a particular operation is reviewed by the Civil Aviation Authority (CAA) on a case-by-case basis, using a submitted safety case/risk assessment for the planned operation [4].
Demonstrating this safety case for an autonomous system therefore means that the decisions being made by the system, the reasons why they have been made, and the actions that result from these decisions need to be verified for all practical operating conditions. For a safety case, this must be demonstrable and underpinned by evidence. This evidence also needs to be understandable, holistic, and repeatable. It is argued that a system is not verified, or proven to be safe, if only a few physical or simulation tests have been carried out, or if only part of the system’s autonomy has been tested. It is expected that a rigorous and systematic method for assessing the autonomous behavior is required.
It is, however, clear that if the tools and techniques developed for and implemented by the manned aviation SHOL testing community (both simulated and live) can be adapted to the needs of the autonomous oil and gas sector, then there is the potential for it to assist in achieving the goal of cost savings whilst maintaining safe operational capability. This paper describes the first attempt at the development of such a simulation system to demonstrate how this can be achieved.
Thus, the question asked in this paper is as follows:
Using manned SHOL simulation techniques as the inspiration, how can an autonomous UAS be analyzed to determine the conditions under which it fails and to also indicate why it failed?
The paper is arranged as follows:
The simulation environment is described and followed by the method to analyze the response.
The experimental setup, including the cases simulated and under what condition, is given.
The resultant operating envelopes are shown for a single case and for a range of performance specifications.
Extracted responses for a selection of points on the operating envelope are shown.
The discussion and conclusion are given, drawing out the implications and future work.