1 Introduction

For the operation of ships with a certain degree of autonomy, the International Maritime Organization (IMO, 2013) and state authorities, such as the Norwegian Maritime Authority (NMA), require a gap analysis to identify disparities between the proposed design solution and the applicable regulations (IMO, 2013; NMA, 2020). Gap analysis is used to describe how the design and operational solution address particular regulatory requirements. For automated passenger ferries, two key aspects need to be addressed: (1) the distribution of tasks between the automated functions and the operators, and (2) the safe execution of tasks through meaningful information exchange and clear procedures. Since automated passenger ferries are a recent phenomenon, there is little guidance for efficient completion of these processes.

The classification society Det Norske Veritas (DNV) (2021) provides a framework for implementing novel technologies to achieve automated, autonomous, or remotely controlled ships. The framework is risk-based and aims to assist users in getting approval for new design concepts. For this purpose, the document describes functional and technical guidance where possible. Holte et al. (2021) analyzed the safety requirements for automated passenger vessels by evaluating the current legislation. Based on their evaluation, they assign functions either to automated control systems, on board operators, or human remote supervision located in a remote supervision center (RSC). This is described for several scenarios, such as evacuation, collision, stranding, water ingress, fire on board, and man overboard. The term Remote Control Center is often used in the context of autonomous ships (IMO, 2021). Since the ferry concept is normally supervised, RSC was deliberately chosen to differentiate from a remotely controlled ferry.

The human element is an important aspect of an automated passenger ferry concept, both onboard the ferry and in the RSC. The operators need to have sufficient situational awareness; however, technical failures or sabotage may lead to loss of situational awareness and thus increase the risk related to operating the ferry (Thieme et al., 2019). To achieve a high level of situational awareness, information needs to be tailored to the users' needs, avoiding unnecessary or distracting information (Endsley et al., 2021).

This chapter describes the process of gap analysis of automated passenger ferries and their closure through new operational procedures and meaningful information exchange between remote operators, passengers, and the automated functions. For this purpose, a task analysis is conducted using concurrent task analysis (CoTA), building on the principles of safety critical task analysis (SCTA). Finally, the chapter points out shortcomings in the existing regulations regarding the operation of automated passenger ferries and their land-based infrastructure. The use-case is taken from the AutoSafe project, where the main objective is to develop safety solutions for automated and autonomous passenger ferries. The work presented focuses on the operational phase and emergency procedures relating to accidental events of an autonomous ferry. Events related to terror, sabotage, and vandalism are not explicitly covered. The details of the use-case are given in the respective section later in this chapter.

2 Relevant Rules and Regulations

For ships and ferries operating in domestic waters, mainly national rules apply. These cover design, construction, equipment, and operational arrangements. Two particular regulations are frequently referred to and relevant for navigation: the International Regulations for Preventing Collisions at Sea, 1972 (COLREGs, 1972) and the International Convention for the Safety of Life at Sea, 1974 (SOLAS, 1974). SOLAS, especially, is often referred to regarding safety equipment and demonstration of safety compliance.

Formal Safety Assessment (FSA) (IMO, 2018) is the safety assessment process to be used for decision-making regarding maritime regulations. The FSA emphasizes using risk assessment as a tool to determine the benefit of measures to improve passenger safety. Ship operators can also use the process to demonstrate the safety of their implemented safety system in case this is required. MSC.1/Circ.1455 (IMO, 2013) provides guidance on demonstrating equivalent safety of a proposed solution that deviates from the prescribed safety measures of novel concepts.

The NMA, in its circular letter RSV 12-2020, picks up on IMO's MSC.1/Circ.1455 and adopts it for the requirements and guidance for the building or installation of automated functionalities on ships to achieve partly or fully uncrewed ship operation. One of several requirements stated in the circular RSV 12-2020, is a gap analysis of the proposed ship system concerning the rules, identifying where the design deviates from these rules (Norwegian Maritime Authority, 2020). For each deviation and novel solution introduced in the ship system, a risk assessment is necessary to demonstrate equivalent safety. Following IMO's requirements, the relevant authorities need to be involved from the early system design phase. Relevant documents need to be presented, such as the concept of operations (CONOPS), safety concept, hazard assessment of the ship system, and risk analysis. For areas that deviate from the current rules, e.g., procedures and technical solutions, a third-party verification is required. The documentation of deviations is similar to the requirements outlined in the IMO rules, MSC.1/Circ.1455 (IMO, 2013).

In an analysis of regulations applicable to autonomous passenger ferry operations in Norway, five were found to be particularly relevant (Holte et al., 2021). They are used as the basis for the gap analysis presented herein. These regulations relate to the involvement of human operators for safe operation of passenger ships, and ultimately to which tasks need to be taken over by automated functionalities. The considered regulations for this chapter are:

  1. Safety in passenger spaces (Reg. 2021-12-17-3666);

  2. Manning of Norwegian ships (Reg. 2009-06-18-666);

  3. Watchkeeping on passenger ships and cargo ships (Reg. 1999-04-27-537);

  4. Concerning operating arrangements on Norwegian ships (Reg. 1992-09-15-704); and

  5. Life-saving appliances on ships (Reg. 2014-07-01-1019).

The regulation on Safety in Passenger spaces (Norwegian Maritime Authority, 2021) sets requirements to design-related safety measures on passenger vessels. For ships under the length of 15 m, simplified rules apply regarding equipment and ship design. With respect to operation, §14 and §15 are highly relevant for the automated passenger ferries since they pertain to steering position in passenger spaces (e.g., uninterrupted lookout) and the non-obstructive stowage of passengers' luggage, respectively. Additional requirements are made for the operation and maintenance of the passenger vessel.

The regulations on the Manning of Norwegian ships (Norwegian Maritime Authority, 2009) apply to all ships transporting passengers. It summarizes requirements to on board crew and minimum level of safety crew. The minimum crew level is determined based on safety assessment, risk analysis, and an evacuation analysis, among others. The regulation is highly relevant for the current chapter since some functions and roles are transferred to automated systems (or supported by automation).

The regulation on Watchkeeping on passenger ships and cargo ships (Norwegian Maritime Authority, 1999) prescribes arrangements and principles for watchkeeping for passenger vessels over 50 tons or operating in areas defined as Great coasting or larger. In addition, requirements are provided for certification of crew, voyage planning, watchkeeping and engineering watchkeeping. These tasks will be carried out by the automated ferry and to a lesser degree by human crew.

The regulations Concerning operating arrangements on Norwegian ships (Norwegian Maritime Authority, 1992) apply to all Norwegian passenger ships, and provide requirements for operational aids and watch arrangements in the engine room. Functional tests are required for automated functions and systems. If an engine room is (periodically) uncrewed, this needs to be approved by the NMA.

The regulations on Life-saving appliances on ships (Norwegian Maritime Authority, 2014) are based on the SOLAS requirements, whereas reduced requirements apply to ships solely used in national operation (SOLAS, 1974). Among others, the regulation specifies requirements for number of life-vests, marine evacuation equipment, alarm systems, and other appliances on board based on passenger capacity.

3 Method

A four-step process is applied to identify operational procedures and requirements to information:

  1. Gap analysis—Identification of gaps that need procedures for human–operator interaction;

  2. Development of the relevant scenario;

  3. Concurrent Task Analysis focusing on safety critical tasks;

  4. Development of operational procedures with decision criteria and information needs.

3.1 Gap Analysis

The gap analysis identifies the areas where the planned solution deviates from the applicable international and domestic rules. The relevant rules need to be mapped out beforehand. The identification of applicable rules depends highly on different parameters, such as the ship's length, the number of passengers, trade area the ship will operate in, length of journey, cruising speed, and tonnage (Holte et al., 2021). For the gap analysis, the existing information on the ferry and its planned operation is reviewed, i.e., CONOPS, safety concept, design drawings, etc. For each applicable regulation (i.e., the five key regulations identified), each paragraph is assessed for its relevance (some may not apply due to design or other factors mentioned previously). If a paragraph applies, the CONOPS and design documentation are used to evaluate if the requirements in the paragraph are implemented or not. If not, it is noted how this requirement will be addressed: (a) through modifying design and operation to implement it, (b) through an alternative design/operation, (c) through compensating measures, i.e., increasing robustness, or (d) through applying for dispensation of the requirement. Additionally, the relevant person/party is noted for both the design phase and the operation phase where necessary. To support such an analysis, a spreadsheet-based tool is being developed by the AutoSafe project for autonomous ships planning to operate in Norway.

3.2 Development of Scenarios

In this step, the relevant scenarios for which procedures are needed have to be described. This process is supported by available documentation, such as hazard analysis, CONOPS, safety concept, etc. The resulting scenarios should be documented in an event sequence diagram or operational flowchart.

3.3 Concurrent Task Analysis

The required procedures and tasks are developed with the Concurrent Task Analysis (CoTA) framework (Ramos et al., 2020a, 2020b), addressing safety critical tasks (Smith & Roels, 2020). The CoTA builds on task analysis (TA) theory (Shepherd, 2001) and introduces new elements: specific stop rules, parallel tasks, interface tasks, and trigger tasks. The system is analyzed as a whole and concurrently, for all agents, and stop rules provide guidance when decomposing tasks into smaller sub-tasks, so-called redescription.

TA is “the collective noun used in the field of ergonomics, which includes human computer interaction, for all the methods of collecting, classifying, and interpreting data on the performance of systems that include at least one person as a system component” (Annett & Stanton, 2000). The tasks must be carried out in a certain order to achieve the higher-level goals, described by plans. In many complex systems, some tasks should be performed constantly, while others are carried out only on demand. This includes, for example, but is not limited to, information collection (by a system), transferring data between different agents, or monitoring systems while executing other tasks. In CoTA, these are represented by parallel tasks.

In addition to parallel tasks, the CoTA introduces interface tasks to account for interactions between the different agents of a system. Interface tasks either depend on input from another agent’s task or give output to another system agent’s task.

The redescription of tasks into sub-tasks could technically go on infinitely. For obtaining comparable and reproducible results, the CoTA uses clear stop rules for the redescription. These stop rules are based on the Information, Decision, Action (IDA) model, originally developed for modeling Nuclear Power Plants operators (Smidts, Shen, & Mosleh, 1997). The CoTA extends IDA to modeling the technical aspects of the autonomous system as, similarly to humans, they collect and pre-process information (I-Phase), make decisions and assess a situation (D-Phase) and take necessary actions (A-Phase).

The guidelines for developing the CoTA from an operational flow chart can be summarized as follows:

  • Definition of agents to be analyzed;

  • Definition of Task 0: the main task to be accomplished by the system’s agents. This may be to recover successfully from a disturbing initiating event or to perform normal operation;

  • Definition of high-level tasks;

  • Identification of parallel tasks;

  • Re-description of tasks until stop rules are satisfied:

    • The sub-tasks are associated with only one of the IDA phases;

    • The interface tasks are explicitly identified: if the accomplishment of the task is dependent on another agent, or if the output of the task is an information or command to be sent to another agent, the task is re-described until this interaction can be clearly characterized;

    • The trigger tasks are explicitly identified: if the performance of a task is dependent on the outcome of a previous task, i.e., if the task should be performed only if an earlier task “triggers” it, the task is re-described until this interaction can be clearly characterized.
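An added example, not part of the original chapter: a minimal checker for the three stop rules listed above, run over a small task tree. The tree is a constructed fragment that borrows task names from the autonomous-ferry CoTA (Fig. 4); the task ids, the IDA phase assignments, and the names `Task`, `check_stop_rules` and `redescribe` are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

IDA_PHASES = {"I", "D", "A"}          # Information, Decision, Action
AGENTS = {"AF", "SaSu", "RSC"}        # agents defined for the analysis

LEAF_RULE = "leaf task is not tied to exactly one IDA phase"
INTERFACE_RULE = "interface partner is not another defined agent"
TRIGGER_RULE = "trigger does not name another task in the analysis"


@dataclass
class Task:
    task_id: str
    agent: str
    name: str
    phases: Set[str] = field(default_factory=set)  # IDA phases the task touches
    interface_with: Optional[str] = None           # agent it exchanges data/commands with
    triggered_by: Optional[str] = None             # id of the task that triggers it
    undeveloped: bool = False                      # deliberately not redescribed further
    subtasks: List["Task"] = field(default_factory=list)


def walk(task):
    """Yield the task and all of its descendants in pre-order."""
    yield task
    for sub in task.subtasks:
        yield from walk(sub)


def check_stop_rules(root, agents):
    """Return (task_id, finding) pairs for tasks that still need redescription."""
    all_ids = {t.task_id for t in walk(root)}
    findings = []
    for t in walk(root):
        # Stop rule 1: a developed leaf belongs to exactly one IDA phase.
        if not t.subtasks and not t.undeveloped:
            if len(t.phases) != 1 or not t.phases <= IDA_PHASES:
                findings.append((t.task_id, LEAF_RULE))
        # Stop rule 2: an interface task names a different, defined agent.
        if t.interface_with is not None:
            if t.interface_with not in agents or t.interface_with == t.agent:
                findings.append((t.task_id, INTERFACE_RULE))
        # Stop rule 3: a triggered task names the task that triggers it.
        if t.triggered_by is not None:
            if t.triggered_by not in all_ids or t.triggered_by == t.task_id:
                findings.append((t.task_id, TRIGGER_RULE))
    return findings


def redescribe(task, subtasks):
    """Replace a task by sub-tasks; the parent no longer carries a phase itself."""
    task.subtasks = list(subtasks)
    task.phases = set()


def build_sample_cota():
    """Constructed CoTA fragment for the autonomous ferry (AF)."""
    return Task("0", "AF", "Identify an emergency situation and take the correct response", subtasks=[
        Task("1", "AF", "Collect system data", phases={"I"}),
        Task("2", "AF", "Analyze system data for anomalies", phases={"D"}),
        Task("3", "AF", "Decide on MRC", triggered_by="2", subtasks=[
            Task("3.1", "AF", "Assess ferry condition", phases={"D"}),
            Task("3.2", "AF", "Choose MRC", phases={"D"}),
            Task("3.3", "AF", "Inform SaSu", phases={"A"}, interface_with="SaSu"),
        ]),
        Task("4", "AF", "Implement measures to achieve MRC", phases={"A"}, triggered_by="3.2"),
        # Mixes receiving (I) and acting (A): must be redescribed.
        Task("5", "AF", "Receive and implement control command by SaSu",
             phases={"I", "A"}, interface_with="SaSu"),
        # Interface partner is not one of the defined agents.
        Task("6", "AF", "Maintain communication with RSC", undeveloped=True, interface_with="Shore"),
        # Trigger points at a task id that does not exist.
        Task("7", "AF", "Transmit data on ferry status", phases={"A"},
             interface_with="RSC", triggered_by="9"),
    ])


if __name__ == "__main__":
    cota = build_sample_cota()
    for task_id, finding in check_stop_rules(cota, AGENTS):
        print(f"Task {task_id}: {finding}")
    # Redescribe task 5 into one I-phase and one A-phase sub-task, then re-check.
    task5 = next(t for t in walk(cota) if t.task_id == "5")
    redescribe(task5, [
        Task("5.1", "AF", "Receive control command from SaSu", phases={"I"}, interface_with="SaSu"),
        Task("5.2", "AF", "Implement control command", phases={"A"}, triggered_by="5.1"),
    ])
    print(check_stop_rules(cota, AGENTS))
```

The checker only tests whether a trigger names an existing task; ordering between tasks is governed by the plans, which this sketch does not model.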

The CoTA can be visualized through graphical symbols. These symbols are explained in Fig. 1. In addition, the plans for the CoTA are described in Fig. 2:

Fig. 1 Symbols used in the CoTA with explanation (Source Authors)
Figure description: the figure illustrates the CoTA symbols. The square box defines the task to be performed by the agent to accomplish Task 0, the diagonal square box defines the undeveloped task, the diamond box defines triggering tasks (agent A task 1 and agent B task 2), and the round circle defines the interface tasks (agent A task 1 and agent B task 2).

Fig. 2 Explanation of the plan notation used in the CoTA (Source Authors)
Figure description: the plan notation covers sequential tasks, non-sequential tasks, exclusive tasks, parallel tasks, and triggered tasks, illustrated with example tasks 1 and 2. A notation and a definition are given for each type.

3.4 Developing Operational Procedures

Having analyzed the tasks in the operation, the procedures can be developed based on the necessary steps identified in the CoTA. A tabular form is suggested that records the steps in a parallel order for the agents. Additionally, the information exchanged can be identified through the CoTA and should be recorded. This information serves to develop decision criteria and builds the foundation for identifying information requirements, such as the necessary HMI.

4 Use-Case—Highly Automated Local Passenger Ferry

To demonstrate and exemplify the gap analysis process and procedure development, a use-case from the AutoSafe project is analyzed. The use-case ferry is planned to transport up to 25 passengers in the Norwegian city of Florø between the city center and an offshore supply base, which is a few kilometers outside the city center. Sailing distance and time is 2.6 km and 15–20 minutes when cruising at 5–6 knots. The battery powered ferry has a planned length of 11 m and width of 4.5 m and charging points located at both quays.

The ferry is designed based on a “safety by design” philosophy. Through hull compartmentation and strategic use of floatation foam in the hull, the ferry will only have a small angle of inclination in conditions where ship stability is compromised. Other important safety design choices are redundant physically separated power and propulsion systems, and an emergency anchor drop.

The ferry is uncrewed during normal operation and supported by two people located on land: one safety supervisor and one permanent crew, both located in the RSC. An emergency button is available for passengers to call for assistance from the people in the RSC. The crew in the RSC will be able to communicate with the passengers. Additionally, both the safety supervisor and the permanent crew in the RSC can communicate with local emergency services if necessary. Compared to the safety supervisor assisting the passengers on the ferry, the permanent crew in the RSC is better placed to communicate and coordinate necessary efforts, and also to share needed information in a timely manner.

In case of an emergency, the safety supervisor can reach the ferry with a dedicated boat within minutes. In previous work on the ferry concept, fire, water ingress due to a collision or grounding, evacuation, and passenger medical emergencies were deemed as the main hazards (Johnsen et al., n.d.). When on board the ferry, the safety supervisor has available a simple user interface with basic functions to control the ferry, whereas the main task will be to take care of passengers and their needs. Upon arrival, the safety supervisor can thus assess the situation of the ferry visually, interact with external parties, maneuver the ferry, or tow it to the shore. Meanwhile, the RSC permanent crew has a full overview over the ferry state and can give additional information and assistance to the safety supervisor. The autonomous system, safety supervisor, and RSC are carrying out the tasks as summarized in Table 1.

Table 1 Functions and tasks to be carried out by the autonomous system, safety supervisor, and RSC (Source Authors)

The ferry will only be operated in weather conditions and sea states that are compatible with its design and the capabilities of the safety supervisor’s boat. Four minimum risk conditions (MRC) are identified, ensuring passenger safety in case of an accident. However, there may be conditions where none of the described MRCs can be attained (e.g., in case of a fire onboard or if the ferry is sinking), and these issues are treated later in this section. The four MRCs are:

  1. Stay at quay—the ferry remains at the current quay, i.e., in adverse weather conditions, problems with the ferry control system, low battery level, etc.;

  2. Head to closest quay—the ferry is returning/continuing to the closest quay. This will be the primary choice for the safety supervisor in case of a safety critical situation, such as failure on the propulsion system, a medical emergency, partial loss of power, etc.;

  3. Stop and stay in position—using its dynamic positioning system, the ferry remains at the current position by station keeping. This may be necessary, for example, if the ferry leaves its designated operational area or if there is a malfunction in the autonomous navigation system, etc. The ferry is then maneuvered or towed to a nearby quay for passengers to safely disembark. An evacuation of the ferry through a Marine Evacuation System (MES) is not included in the design; and

  4. Drop of the emergency anchoring system—a physical anchor is released, preventing the ferry from drifting. The anchor is released automatically if the ferry loses power or if the safety supervisor deems it necessary. The ferry can be towed to the closest shore, where the passengers can leave the ferry.

When viewed in isolation, this use-case with basically two crew needed to support one ferry operation is not highly attractive from a commercial point of view. However, the solution with a safety supervisor and a permanent RSC crew enables the future support of several ferries. The RSC is designed to support a series of ferry networks at different locations. However, the role of an RSC or Emergency Response Center must be defined with agreed response times.

5 Results

5.1 Gap Analysis

Table 2 summarizes the findings of the gap analysis. Regulation (3) on Watchkeeping on passenger ships and cargo ships was assessed not to apply and is hence not covered by the analysis. For regulation (1) on Safety in passenger spaces, most of the requirements are met through ship design measures. However, the paragraph on steering position in the passenger area is quite relevant for the procedures. As stated, the safety supervisor will have a portable joystick control interface available when on board, enabling freedom to choose the most beneficial steering position with good visibility. Facilitated by an appropriate HMI-solution, the safety supervisor is provided with critical and correct information of the technical status of the ferry and its position.

Table 2 Regulation addressed and assessed for the case study (Source Authors)

Regarding (2), the regulations on Manning of Norwegian ships, all functions will be carried out through either the autonomous ferry system (watchkeeping, navigation, counting of passengers), the safety supervisor (emergency handling, emergency exercises, watchkeeping, medical help to passengers), or the RSC crew (supporting the safety supervisor). Even though the safety supervisor is located on land, the functions of timely assistance can be ensured through the proximity of the ferry operation to shore and the use of a sufficiently powerful boat that can intervene or assist rapidly. However, further analysis and documentation is needed to validate that this operational profile is indeed as safe as a conventional crewing scheme.

Concerning regulation (4) on Operating arrangements on Norwegian Ships, two main gaps are identified. Firstly, the electrical propulsion system will not require an engine room in the traditional sense, meaning that the rules regarding the crewing of the engine room cannot apply. Secondly, the ferry control system can be considered an automated system using the ship's steering gear. Therefore, the control system needs to be able to switch over to manual control within the allowable limits, under any conditions. Systems need to be in place ensuring remote control is possible from the RSC under foreseeable conditions, and that the ferry control system has an equivalent safety level as conventional systems.

The most significant gaps regarding existing rules were identified for regulation (5) on Life-saving appliances on ships. The ferry concept will deviate from the regulations regarding §8, §9, §10, and partly §7. These are all concerned with rescue boats, rafts, or MES. Due to the safety by design approach ensuring stability and flotation in damaged conditions, the ferry is not planned to have any of these on board. The ferry will be taken over by the safety supervisor, who will either control or tow the ferry to shore. Since this is the most critical gap, this chapter will further assess the procedure of reacting to a critical situation, before deciding on and implementing the best emergency procedure. Additional gaps in §7 concern SOS flares and VHF radio, as these will be with the safety supervisor and hence not on board the ferry.

Two gaps are related to the rigidity of the regulations. Firstly, the regulations require that an engine room must be crewed with the possibility of exception. In the described ferry concept, the propulsion unit is located in the actual thruster unit, making the engine room obsolete. Moreover, modern electrically driven propulsion systems do not fit in the current regulations and exemptions from the rules must be applied for.

Secondly, the operational environment and concept of the ferry do not fit well with existing rules on life-saving appliances. For small passenger ferries, as in this case, the required life-saving appliances will lead to an unnecessarily complex design solution, which could be solved differently given the operational environment (sheltered water, close to shore). As such, regulations should be amended to also apply to these types of cases, without impacting passenger safety.

5.2 Developing Operational Procedure

The remainder of this chapter describes the development of the operational procedure for handling emergency situations where the ferry has entered MRC 3 or MRC 4. These situations generally occur if a failure in the autonomy system renders further autonomous operation unsafe, if a fire is detected on board, or if there is water ingress due to, e.g., a grounding or collision. In these scenarios, the ferry must alarm the personnel at the RSC and go to either MRC 3 or MRC 4. The safety supervisor, supported by the RSC, will then promptly navigate to the ferry, estimate the damage, and take action accordingly. The scenario is summarized in Fig. 3, as a flowchart of actions. Evacuation by means of life rafts or similar was deemed one of the major hazards, and thus the emergency procedure and ship design should ensure that passengers always have the possibility to safely evacuate to land.

Fig. 3 Summary of the scenario being considered for developing operational procedures. Arrows represent flow of events, and arrows with broken lines represent bi-directional information exchange. Abbreviations: MRC—Minimum Risk Condition (Source Authors)
Figure description: the flow diagram of minimum risk conditions has three lanes: autonomous ferry, safety supervisor, and remote supervision center. Following the time flow, the actions shown are: detect problems such as fire, collision, grounding, or water ingress; alarm; assess ferry condition; respond to alarm; assess alarm and problem; respond to alarm; assess need for and call emergency services; decide on MRC; drop anchor; hold position; navigate to ferry location; assess passenger and ferry condition and decide on further actions; navigate ferry to shore (MRC 3); support safety supervisor; hold contact with passengers; coordinate emergency services; and finally assist passengers in leaving the ferry.

Fig. 4 Concurrent Task Analysis for the autonomous ferry, regarding an emergency on board the ferry. Abbreviations: AF—Autonomous ferry, SaSu—Safety supervisor, RSC—Remote Supervision Center (Source Authors)
Figure description: the task structure of the autonomous ferry has Task 0, identify an emergency situation and take the correct response. The tasks shown are: collect system data; assess the status and identify the emergency situation; dynamic positioning to implement MRC; collect data; analyze system data for anomalies; implement measures to achieve MRC; maintain communication with RSC; decide on MRC; assess ferry condition; choose MRC; inform SaSu; transmit data on ferry status to RS; receive and implement control command by SaSu.

Fig. 5 Concurrent Task Analysis for the safety supervisor, regarding an emergency on board the ferry (Source Authors)
Figure description: the task structure of the safety supervisor shows the tasks: respond to an alarm; navigate to AF location; assess if ferry conditions are compatible with MRC; tow ferry to shore; evaluate if the ferry is capable of holding position; communication with RSC; monitor requests from RSC and ferry passengers; acknowledge communication requests from RSC and AF passenger; and transmit requested information to RSC and passengers.

Fig. 6 Concurrent Task Analysis for the RSC, regarding an emergency on board the ferry (Source Authors)
Figure description: the task structure of the remote supervision center shows the tasks: coordinates emergency services; identify emergency services needed; request adequate emergency services; monitor emergency services operations; provide support and communication to passengers and to SaSu; monitors ferry operational data; acknowledges communication; transmits requested; acknowledge and process information received.

The CoTAs for the autonomous ferry, the safety supervisor, and the RSC are shown in Figs. 4, 5, and 6, respectively. The tasks identified in Fig. 3 are presented in more detail, highlighting triggers and interactions. These dependencies and triggers are the points where the agents interact. The task redescription in the CoTA focuses on the safety critical tasks, meaning those related to assessing the condition of passengers, technical status of the ferry, and the immediate help of these. Please note that due to the space limitations, not all tasks are further detailed.

Table 3 shows the proposed procedure, with decision criteria and information requirements for the autonomous ferry and the RSC, including the safety supervisor. The decision criteria and required information were identified from the CoTA through the involvement of partners in the AutoSafe project. The information requirements need to be addressed in the ferry design, through the inclusion of necessary sensors, human–machine interfaces with the right information, and algorithms that can infer the technical status of the ferry. Examples are a fire detection system that can determine the location and severity accurately, and sensors that can detect the position of damage to the hull and the level of water ingress.

Table 3 Developed operational procedure for the autonomous ferry, the safety supervisor, and the remote supervision center, including decision criteria and information needs

The ferry's role in the covered scenario is mainly to provide information and follow the commands of the safety supervisor. The safety supervisor's tasks are the physically most demanding: going to and entering the ferry, assisting passengers, and navigating the ferry safely to shore. The safety supervisor is supported by the RSC through exchanging important information. In addition, the RSC communicates with the passengers while the safety supervisor is busy, and coordinates emergency services, such as police, ambulances, or firefighters, if needed.

6 Discussions

Despite the Norwegian focus and domestic regulations in force, key elements of this chapter are assumed transferable to other countries. Firstly, the method is generic and risk-based, and can be applied to other operational environments and countries, with the corresponding relevant regulations. Additionally, the Norwegian regulations are based and founded on international regulations ratified by the IMO, such as SOLAS (1974), COLREGs (1972), and principles of safe manning (IMO, 2011).

Since more than ten different regulations could apply to the case study, the analyzed regulations do not cover all aspects of design and ship operation. However, due to the focus of this chapter on the safety supervisor and crew in the RSC, the early maturity stage of the case study, and the limitation of available space, these regulations are not further discussed here. Most of the regulations not covered in this chapter refer to the design and design elements of the ferry, i.e., how certain facilities should be designed, which materials should be used, etc. Regarding regulation (3) on Watchkeeping on passenger ships and cargo ships (Norwegian Maritime Authority, 1999), which is not applicable to the case study, appendix 1 of the said regulation may give guidance for the implementation of automated functions (navigational and watchkeeping).

The CoTA does not cover all identified tasks, but only those deemed most important with respect to risk. A full analysis may reveal further information needs and associated requirements. It is necessary to address the identified information needs through design of the ferry, human–machine interfaces, and the RSC, which may require additional analysis.

7 Conclusions

This chapter presents an approach to develop procedures for autonomous systems with remote human supervision. The process is applied to the case of an uncrewed automated passenger ferry with shore-based safety supervisors and remote supervision centers. The approach is based on a gap analysis of the solution regarding regulatory requirements and a Concurrent Task Analysis of the tasks to be executed by the different agents. The operational procedure for an emergency that requires the safety supervisor to board the ferry is developed from the Concurrent Task Analysis. The approach highlights decision criteria and information needed for the different agents. The application to the use-case revealed several gaps that need to be addressed through design solutions and demonstrated to be closed by verification and validation of the concept. These gaps relate to the navigational tasks, passenger handling in emergencies, and life-saving appliances on board the ferry.

The work described in this chapter is the basis for further analysis concerning design requirements and risk. One approach that will be further investigated is the exploration of the Crisis and Intervention Operability (CRIOP) method for selected critical scenarios, which has been applied successfully to control rooms of autonomous maritime surface ships and in other industries.