A systems-theoretic approach to hazard identification of marine systems with dynamic autonomy

Autonomous marine systems may switch between various operational modes with different levels of autonomy (LoA), due to a rapidly changing environment and the complex nature of tasks. The dynamic autonomy brings an additional layer of complexity to ensuring safe marine operations, but this functionality is not sufficiently considered in current risk analysis methods. Hence, this paper proposes an approach to hazard identification based on the system theoretic process analysis (STPA) that includes unsafe transitions between different LoA in systems. A case study of a remotely operated vehicle (ROV) with four operational modes with different LoAs is used to illustrate the approach. The results show that the proposed approach contributes to: 1) communicating a shift of responsibilities among human operator and system controller in different operational modes by specifying how the allocation of the responsibility between human operators and the controller changes, and what updated process model of the operator and the controller are to ensure a successful transition; 2) refining safety constraints to be more concrete to improve system design, and operational procedures and 3) identifying triggering events for marine system modes’ transitions to handle environmental interaction systematically and sufficiently.


Introduction
Technological developments in software and hardware have led to a rapid increase in autonomous functionality in several systems and applications. Examples include transportations systems, such as autonomous cars, ships and trains, and systems for research in harsh, remote environments for reducing human exposure (Fan et al., 2020;Ramos et al., 2019a). A desired outcome of autonomy is the development of systems that operate in a more cost-effective and safe manner.
Autonomy means that the system has the "ability of integrated sensing, perceiving, analysing, communicating, planning, decisionmaking and acting to achieve the goals assigned by human operators through designed human-machine interface" (Utne et al., 2017a). Autonomous systems may have different levels of autonomy (LoA), and there are different classifications of LoAs. In this paper, we adopt the definition from Ludvigsen and Sørensen (2016) and Utne et al. (2017b), which classifies autonomous operations into four levels: (i) automatic operation (remote operation), (ii) management by consent, (iii) semi-autonomous or management by exception, and (iv) highly autonomous.
Autonomous marine systems may switch between various operational modes with different LoA due to rapidly changing environment or complex nature of tasks. This means that the operation, for example, may start in a lower level of autonomy (e.g. remote control mode) by a human operator, evolves into a higher level of autonomy (e.g. semiautonomous mode) with the operator then acting as a supervisor, and later return to a lower level again in a subsequent moment, due to operational requirements and changing external conditions. For instance, dynamic LoA is expected for underwater vehicles (Ludvigsen and Sørensen, 2016;Schjølberg and Utne, 2015;Sørensen and Ludvigsen, 2015) and autonomous ships (Ramos et al., 2019b;Wu et al., 2020). The changes in LoA resulted from switching between operational modes may take place in a very short period of time (e.g. minutes) and under severe sea conditions. The development process of autonomous marine systems must consider the risks involved in its operation to ensure safety for humans, minimal negative impact on the environment, and asset integrity (Utne et al., 2017b). For autonomous ships expected to come into operation within a few years, the efforts have been on identifying high-level hazards originating from both design and operation (Burmeister et al., 2014;Heikkilä et al., 2017;Rødseth and Burmeister, 2015;Wróbel et al., 2016). For underwater vehicles, risk and reliabilities analyses have so far primarily focused on technical failures (Harris et al., 2016;Hinz et al., 2010;Thieme et al., 2015;Xiang et al., 2017;Xinqian et al., 2009;Xu et al., 2013), in addition to human failures to a limited extent (Ho et al., 2011;Thieme and Utne, 2017). Yet, dynamic autonomy brings an additional layer of complexity to the systems and operations, especially regarding the interactions among human operators, software, hardware. Interaction associated hazards may lead to accidents if not well recognized and controlled. Still, no risk analysis method has thus far considered how dynamic autonomy as a functionality can be handled in the hazard identification process.
The objective of this paper is to bridge this gap by proposing an approach to identifying hazards and safety requirements for safe operational mode transitions. Traditional hazard identification methods, such as HAZard IDentification (HAZID), checklists, and accident investigation reports, are often a basis for identifying what can go wrong, which is the first step in risk analysis (Rausand, 2011). The Systems-Theoretic Process Analysis (STPA) is a relatively new hazard analysis technique based on the causality model called the Systems-Theoretic Accident Model and Processes (STAMP) (Leveson, 2011). It defines safety as a control problem, which makes it desirable for complex systems. The STPA has been applied to identify and analyse hazards in several different domains, including autonomous ships (Valdez Banda et al., 2019;Wróbel et al., 2018b) and dynamic positioning (DP) systems on maritime vessels (Rokseth et al., 2017(Rokseth et al., , 2018. Yet, to this moment system dependencies resulting from shifts in LoA has not been addressed. This paper proposes an approach that uses the STPA as a foundation and further expands it for autonomous functionality, with a particular focus on dynamic LoA resulted from mode shifting in operation. The proposed approach can contribute to the safe design of autonomous marine systems, such as underwater vehicles. The paper is structured as follows: the approach is described in Section 2. In Section 3, the application of the approach is illustrated with a case study for the net inspection with a remotely operated vehicle (ROV) of a fish cage in aquaculture, which is followed by a discussion of the results in Section 4. Section 5 concludes the work.

Methodology
In STPA, there are three basic constructs: 1) safety constraints; 2) hierarchical control structures; and 3) process models. The safety constraints specify system conditions or behaviours that need to be satisfied to prevent hazards (Leveson and Thomas, 2018). The safety constraints should be reinforced through the behaviour of the system by an effective control system. The hierarchical control structure is "a system model that is composed of feedback control loops" (Leveson and Thomas, 2018). The process model represents internal beliefs of the controller(s) concerning the process being controlled, as well as other relevant aspects of the system or the environment. The process model thus reflects how the controller(s) perceive the system variables and their current states, the relationship between the variables and the way the process can change the states.
STPA analysis aims to determine how the safety constraints can be violated or insufficiently enforced to eliminate, mitigate and control the emergence of hazards that may develop into accidents.
For a system that has operational modes with different LoAs, smooth and safe transitions are critical for successful commission. In other words, operators must be able to take over control when needed. One merit of STPA is that it investigates dysfunctional controller interactions as a cause for flawed process execution. A regular STPA, however, does not provide explicit guidance to analysis of possible failures during operational transitions and associated shifts between different LoA. These failures are the focus of the proposed approach, as shown in Fig. 1. A color-coding is used in the figure, where there are standard procedures are marked as gray, and added procedures are marked white. A detailed description of its phases and steps is provided in the following.

Phase 1: define the purpose of the analysis
In a standard STPA, the first part of the analysis comprises: • step 1.1: Identify losses (i.e., something of value to stakeholders); • Step 1.2: Identify system-level hazards; and to identify system-level safety constraints.
The following additional steps are proposed to be integrated into phase 1 to aid in establishing control structures considering different responsibilities and process models (i.e., human operator and system controller's internal beliefs used to make decisions): Step 1.3: Identify operational modes and corresponding LoAs The human-machine interactions and cooperation are expressed by various LoAs, with each level specify a different degree to which an operation is in between fully manual performance and fully autonomous conditions (Vagia et al., 2016). The definition of LoA are subject to applications and should be selected to satisfy the system's own needs. In this paper, we use the following four LoAs defined by Ludvigsen and Sørensen (2016) and Utne et al. (2017b) for marine systems: 1. LoA 1 -Automatic operation (remote control): The human operator directs and controls all high-level mission planning. The environmental conditions and sensor data are presented to the operator through a Human-Machine-Interface (HMI); 2. LoA 2-Management by consent: The system automatically makes recommendations for missions or actions related to specific functions. The system can perform some tasks independently of human control when previously delegated by the human. 3. LoA 3 -Semi-autonomous operation (management by exception): The system automatically executes mission-related functions. The human may override or change parameters, and cancel or redirect actions with defined timelines. The operator's attention is only brought to exceptions for certain decisions. 4. Highly autonomous operation: The system automatically executes missions or process-related functions in an unstructured environment with the ability to plan and replan the mission. The system is independent and intelligent. In this paper, an operational mode refers to a functional configuration of a system. Inside an operational mode, "the system can perform specific operational scenarios, and so activate the corresponding functions" (Faisandier, 2013). The LoA is fixed or consistent for each operational mode. For various operational modes integrated into one marine system, the LoAs can vary across a continuum of intermediate levels between manual operation and fully autonomous.

APS
Step 1.4: Describe tasks involving different operational modes This step should focus on how an operation may be performed from the beginning to the end. The description does not need to be comprehensive, but to include how the controllers (i.e., both human operator and system controller) may adapt operational modes to foreseen various circumstance. The aim is to have an initial illustration of how dynamic the operation can be.

Phase 2: model the control structures
The standard STPA is functionality oriented. For each function, one control structure, rather than a physical component diagram, can be prepared at a high level and zoomed in with more details if necessary. The control structure is "a system model that is composed of feedback control loops" (Leveson and Thomas, 2018). The first three standard steps in this phase include modeling control structure, assign ing responsibilities (including process models), and deriving feedback. A repetition loop is added to analyse all the operational modes in the same manner. The control structures can help designers to understand the dynamic controller interactions associated with the shifting of LoAs to perceive, comprehend, project, and decide to complete the mission.

Phase 3: identify unsafe control actions
STPA defines an unsafe control action (UCA) as a control action that, in a particular context and worst-case environment, will lead to a hazard (Leveson and Thomas, 2018). The standard STPA procedure prescribes identifying UCAs for each operational mode (Step 3.1 in Fig. 1). In addition to the UCAs, we define unsafe transition control actions (UTCA). Those can be identified through the following three additional steps: Step 3.2 Identify operational modes' transitions A state transition diagram (STD) is used to analyse possible transitions between operational modes. STD was originally proposed by David Harel (1987), and is commonly applied in computer science to provide an abstract description of system behaviours. The main idea of applying STD is to demonstrate the possible transition among various operational modes with different LoA. Each transition can be investigated while analysing unsafe control action from either operator or autonomous system's controller or both. The STD is an intuitive method and perceived well represents the states of the system after shifts between finite operational modes. Fig. 2 presents a simplified STD for possible transitions between two operational modes (states). The nodes denote the modes (states), and the arrows denote transitions. The transition happens when triggering events occur in state A, and guard conditions are satisfied (Harel, 1987).
Step 3.3 Identify triggering events In general, the triggering events can be internal stimuli or external stimuli. Internal stimuli are events that occur within the autonomous system, while external stimuli are events in the surrounding operational environment. The external and internal stimuli can be described in connection with the following four types of triggering events, as adapted from (Friedenthal et al., 2014): • A change event that happens when some condition has been satisfied; • A timeout event that initiates after the specified amount of time elapses;  • A call event that indicates an operation has been requested by, e.g., a human operator; and • A completion event that takes place when everything that needs to be done in the current mode is completed.
Examples of triggering events under each category are further described in detail in the case study (Section 3.3).
Step 3.4 Identify unsafe transition control actions (UTCAs) A transition control action is an action that is either provided by a human operator or the autonomous system's controller upon transitions between modes. There are four ways a control action can be unsafe (Leveson, 2011), which also apply to unsafe transition control actions: • not providing transition control action; • providing a transition control action (e.g., provides a wrong transition); • providing a transition control action too early, too late or out of order; • the transition control action lasts too long, or is stopped too soon.
The unsafe transition control actions are defined based on the transition diagram, triggering events, responsibilities, and process models of the controllers.

Phase 4: identify loss scenarios
Once the unsafe transition control actions are identified, the next step is to identify loss scenarios and refine safety constraints if necessary. Two types of loss scenarios should be considered: (1) the scenarios that lead to a UTCA, and (2) scenarios in which the transitions are improperly executed or not executed. The first type may involve failures related to the controller, an inadequate control algorithm, an unsafe control input, and an insufficient process model (Leveson, 2011). The scenarios concerning an improper or no execution of a transition (type 2) involve a control path, which transfers transition control action to the controlled process. These scenarios might include: i) a transition control action not executed; ii) a transition control action improperly executed; and iii) the controlled process does not respond or responds incorrectly though transition control actions received (Leveson and Thomas, 2018).

Case study
A case study has been performed to test the feasibility of the proposed approach. The case study focuses on preventing fish escape from fish cages for aquaculture in ROV operations. Fish escape in aquaculture has severe environmental effects, and the authorities continuously put much effort to avoid escapes and mitigate the impact of escapes (Holen et al., 2019;Norwegian Ministry of Trade Industry and Fisheries, 2017).
According to the statistics for fish escape from 2010 to 2016 in seabased aquaculture operations, most fish escapes (72%) are due to holes in the net (Føre and Thorvaldsen, 2017). The mandatory net inspection after aquaculture operations is one of the primary measures to reduce the risk of fish escape (Yang et al., 2020). The aim is to discover the holes caused by operations and to initiate necessary recovery actions as early as possible.
ROVs are prevalent in aquaculture operations, such as net inspections, but also generally to increase operation regularity, reduce exposure of the workers to the harsh environment, and increase the weather window for operations (e.g., delousing, net cleaning). ROVs have tethers that limit their manoeuvrability and increase the risk of entanglement. Nevertheless, they have a transparent and shared control process (i.e., the human controller shares control with an autonomous controller), which increases their potential for use in specific applications and environments. For instance, the shared control provides advantages when handling flexible structures, demanding environments with currents and large waves, and changing geometry in an undetermined pattern. The potential losses for such operations are primarily the loss of life due to human overboard, the loss of fish, and damage to property.
The ROVs currently adopted in the industry mainly have low LoA, i. e., they are remote-controlled by an operator. ROV operation could benefit from more autonomous functionalities to increase inspection quality and effectiveness and reduce operator fatigue (Bjelland et al., 2015). Industrial (Sperre ROV Technology, 2017) and research SINTEF Ocean, 2016) efforts have been focusing on developing higher-level autonomous ROV systems .
The proposed approach is applied to an observation class ROV provided by a vendor with extensive offshore ROV operating experience in the oil and gas industry. It engages in developing autonomous functionalities for aquaculture operations. The ROV is used for net inspection inside the fish cage (Fig. 3). The steps described in the previous section are applied to this operation in the following.

Phase 1: define the purpose of the analysis
Step 1.1: Identify losses The main concerning loss in ROV net inspection in this case study is the loss of fish, which will result in loss of profits, loss of reputation, and biological degradation of the wild fish stocks.
Step 1.2: Identify system-level hazards and constraints We primarily focus on the loss of fish due to: i) failures of the ROV to detect existing holes in the net; and ii) damage to the net caused by the ROV itself during operation.
The scope of the analysis is limited to two system-levels hazards:

Fig. 3. Illustration of a net inspection operation in a fish cage.
• H-1: ROV is unable to successfully complete the inspection (incl. holes not detected); • H-2: ROV collides with net structure or tangles with the net.
Additional system-level hazards, such as the ROV leak of hydraulic oil, the high voltage electrical hazard, frame integrity lost, and water leakage into ROVs, are not considered in this case study. Table 1 describes the safety constraints that the system conditions or behaviours need to satisfy to prevent hazards and ultimately prevent losses.
The ROV system comprises the ROV, the handling system, the surface control system, and all associated equipment. The following four ROV operational modes are considered in this case study: manual control mode (MCM), station keeping mode (SKM) and relative station keeping mode (RSKM), and net-pen tracking mode (NTM). The ROV should be capable of operating in multiple levels of autonomy to ensure operational performance.
Manual control mode (LoA 1) In this mode, the ROV operator has direct control of each thruster via operation control (e.g., joysticks or control console). The ROV operator has visual feedback on display from cameras and data from sensors (e.g., depth sensor, compass) to steer the ROV by sending control forces to the thrusters. The steering also includes a heading and depth control system that automatically keeps a given reference heading and depth provided by the operator. The raw data from the sensors are filtered to remove noises, such as inputs to the control system. The desired RPM (revolutions per minute) is allocated to each thruster, accordingly, from both the operator's and controller's input. The operator is provided with a rough heading and depth indication and the visual feedback to control the ROV. The control of the position and heading of the ROV to compensate for ROV dynamics and environmental disturbances (i.e. wind, waves and current) demands considerable effort from the operator. Moreover, preventing entanglement is dependent on the skill and experience of the ROV operator. The manual control mode is representative of LoA 1.

Station keeping mode and relative station keeping mode (LoA 2)
The ROV is equipped with a dynamic positioning (DP) system, to keep the position and orientation within certain excursion limits (Sørensen, 2012). For the ROV to hold its position and move along with the net, it depends on data fusion between various navigation sensors. The motion control system compensates for environmental disturbance and ROV dynamics. The navigation system is responsible for estimating the position, velocity, heading, depth, and altitude of an ROV in a given reference system. The navigation sensors need to make the system observable and controllable (Chen, 1998), which may contain a compass, a pressure gauge, and an ultrashort, short or long baseline network consisting of acoustic positioning systems (APSs), Doppler velocity log (DVL), gyroscopes and accelerometers (Dukan, 2014). The ROV senses any variation from the desired position, determines what thrust vector is required, and sends instructions to maintain the position and orientation.
In this operational mode, the ROV operator has the authority to take over control and control the thrusters directly. In this case, the operation switches modes from LoA2 to LoA1. Relative station keeping is similar to station-keeping, but instead of maintaining a constant position and heading, the ROV will maintain a constant distance and relative heading to the net. The initiation of relative station keeping requires the ROV to be close and pointing towards the net-pen.

Net-pen tracking mode (LoA 3)
The net-pen tracking is a desired semi-autonomous operation functionality (LoA 3) within aquaculture, currently under research (Duda et al., 2015;Rundtop and Frank, 2016). In this mode, the ROV follows the shape of the net to perform the inspection autonomously. Nonetheless, obtaining the relative position of the net pen is challenging, as the net-pen deforms by current-induced drag forces, which makes it an undetermined shape (Lader et al., 2008). For instance, a current velocity of 0.5 m/s may lead to a 20% volume reduction in an exposed net-pen (Lader et al., 2008). In this mode, DVL may function as a net relative sensor to provide net-pen relative velocities, range, and heading when the ROV is directed towards the net-pen. The desired velocities of the ROV can then be generated as the ROV moves along the varying net-pen, using the relative net-pen measurements. The guidance system of the ROV produces the desired reference velocity aiming to keep the ROV with a fixed net-pen relative range and heading, and keeping a plan for traversing the whole net-pen using the navigation system and the dynamics of the ROV. Note that the guidance system does not require prior knowledge of the whole net-pen.
In the net-pen tracking mode, the ROV operator is a supervisor, having the authority to intervene in case of an emergency or change of mission plan. This can be achieved by overriding (i.e., switch to station keeping mode or relative station keeping mode) or directly control the thrusters using joysticks (i.e. switch to manual control mode). In this mode, the operator provides a mission (i.e., an inspection of the whole net cage), with the ROV containing specific safe navigation rules in the presence of moving or static obstacles as an input to path re-planning. A set of waypoints are established according to the mission plan, the weather, the operation, among other factors. A smooth feasible trajectory is generated so that the ROV can follow. The raw data from the sensors, including images from the camera, are processed into the navigation system to give the relative net-pen position, position measurement, velocity, and heading estimates. Based on relative net-pen position and position measurement, a map is generated during operation to enhance the operator's operation monitoring. An example of such a representation of a fish cage is a 3D occupancy grid map (Hornung et al., 2013), which is sent to the graphical user interface (GUI).
Step 1.4 Describe tasks involving different operational mode -Net inspection task To initiate the net inspection task, the operator launches the ROV into the fish cage. The mission is to traverse and inspect the entire fish cage. The ROV is initially set to manual control mode and manually manoeuvred to the side of the net. The operator configures the ROV for the preferred relative distance and heading to the net, as well as the desired velocity. Once the ROV is in position, the operator activates the net-pen tracking mode. The net inspection process is initiated, and the ROV operator supervises the operation and handles the ROV tether.
In case a hole is detected by the ROV, the relative station keeping mode is automatically activated, and an alarm is sent to the GUI to bring ROV operator's attention to the detected hole. The hole is examined and logged, and the ROV operator reactivates the net-pen tracking mode to continue the inspection. If the ROV is tangled in the ropes inside the cage, the station-keeping mode is activated, and at the same time, the ROV operator is informed. The operator turns the ROV to manual mode to untangle itself. If the ROV is tangled in the net, the ROV operator is informed, and the thrusters are automatically turned off. A further investigation of the situation will then be needed to decide how to proceed. When obstacles are detected on the planned path (i.e., the produced desired trajectory), safe navigation rules are applied, and the ROV operator is informed. If the operator disagrees with the rule in certain situations, the ROV is switched to manual control mode, and the operator takes over to manoeuvre it to a safe location, and net-pen tracking mode is reactivated. Fig. 4 illustrates the main tasks performed during the net inspection and the operation modes involved: The control structures focus on two controllers: the human operator and ROV controller. ROV controllers need to collaborate to complete a mission by switching between operational modes at different LoAs upon different operational contexts. The lists of responsibilities specify the tasks each agent needs to accomplish for the safety constrains to be enforced. Due to limited space, Fig. 5 presents partial examples of assigned responsibilities at each operational mode for net inspection function and collision avoidance, with their corresponding process models and feedback. Note that the relative station keeping is not demonstrated separately due to its similarity with the station-keeping mode and net-pen tracking mode. The steps 2.1-2.5 are combined in one figure for the convenience of comparison among different operational modes.

Phase 3: identify unsafe control actions
Step 3.2 Identify operational mode transitions The functional transitions between the four operational modes and shutdown mode are shown in Fig. 6.
Step 3.3 Identify triggering events The triggering events for the ROV operational mode transition can be divided into two categories: external stimuli and internal stimuli, as defined in section 2.3. The triggering events are summarized in Fig. 7 and exemplified in Table 2.
External stimuli When an ROV is on a mission, the human operator is an external stimulus who has the highest authority. The operator can always activate a transition of operational mode, following a call event (e.g., a request from an ROV operator). Another type of external stimulus is the change event, which covers the detection of interest (e.g., detect a hole in the net), a change in environmental features, and a detection of environmental objects.
The operational environment is critical to an ROV operation, and environmental interactions and consequent changes in environmental features should be anticipated. However, as pointed by Dogramadzi et al. (2014), the existing hazard identification methods do not encourage the safety analysis to consider different types of environmental interactions as an input to ensure safe robot operations. Changes in the environmental features are often associated with a change in sea conditions (e.g., sea state, a strong wind, strong current and tides, poor visibility due to fog or rain, salinity).
The detection of environmental obstacles includes the detection of objects and agents. Obstacles are related to obstructions to vehicle movements, such as fixed structures, surface floating obstructions (e.g., ships, buoys, anchor chains), objects suspended in the water column (e. g., fishing lines, loose netting) and bottom obstructions (e.g., subsurface structures, wrecks) (Christ and Wernli Sr, 2014). On the other hand, agents are the objects purposefully moving in the environment. Four categories of agents are suggested to capture the full range of behavioural patterns that any agent may exhibit and need to be perceived by the robot (Dogramadzi et al., 2014). They could be unintelligent (automatic systems), autonomous systems/other robots, animals and humans.

Internal stimuli
Internal stimuli take place within the ROV, which can cover timeout events, change events, and completion events. Timeout events may fire the transition when other awaited events do not occur within the specified time interval. The change events mainly originate from deviations of ROV performance, such as deviations in functional performance, technical failures, and software failures. An additional triggering event, or completion event, could also automatically initiate the transition from working mode to shutdown mode.
The ROV operator and ROV controller share the control and generate control actions following their responsibilities and update their process models based on feedback. Table 3 presents the responsibilities and process models that would enable a successful transition by a collaboration between the ROV operator and ROV controller. The process model is described by the status of process variables that would lead to a successful transition. Note that Table 3 explicitly describes the operator's responsibility of supervising the mission in cases where the operator's attention must be directed to one aspect of the operation, e.g., collision avoidance. Nonetheless, in addition to the ones identified in Table 3, the operator is responsible for the supervision of operations at all times and maintaining a situational awareness concerning the ROV mission and surrounding variables. Table 4 presents the UTCAs for both the ROV operator and ROV controller for transition actions. The UTCAs are identified by considering the contexts for transition, responsibilities and process models described in Table 3.

Phase 4 identify loss scenarios
The next step is to identify scenarios and causal factors for each UCA, so that related safety constraints for safe transitions can be further detailed and refined. In Table 5, Table 6, Table 7, Table 8, some causal scenarios, causal factors, and related safety constraints for selected UCAs

Findings from the case study
The ROV used in the case study is a representative autonomous marine system that has frequent operational mode transitions due to complex operating contexts inside of a confined area (i.e., inside of a fish cage). The ROV operator and ROV controller must collaborate closely to avoid tether entanglement, damage to the net structure, as well as inspect, report and temporarily block the holes (if necessary) in the net in time. The dynamic autonomy brought by shifting between various operational modes that have different LoAs adds an additional layer of complexity to ensure safe operation. However, this functionality has not been well addressed in current hazard identification methods. As commented on by Hollnagel (2005), co-agency specifically needs to be emphasized with a sound underlying model of the processes.
In this study, we proposed an approach based on STPA and a simplified state transition diagram in which a more explicit model of operational mode transitions is provided. The proposed method contributes to clearly communicating the shift of responsibilities by specifying i) how the allocation of the responsibility between human operators and the ROV controller changes under each operational mode; ii) what updated process model of the operator and the controller are to ensure a successful transition. The proposed approach makes it more visible as to what changes occur in the system when the operating mode is changed. The clarification of responsibilities under various situations can prepare the ROV operator better during the operation. For example, in NTM, the ROV needs to make decisions by itself to switch to RSKM or SKM and bring the ROV operator's attention to deal with the situation. The ROV operator is required to observe the deviations of functional   performance and react promptly to take over (i.e., switch to MCM) or assist in switching mode. When the ROV entangles with the net and fails to turn off its thrusters, the ROV operator must detect the emergency as soon as possible and manually shut down the ROV. Another example is the situation that the turbidity is too high that the camera optics are significantly degraded. If the ROV does not switch to SKM automatically, the operator should manually activate the SKM in time before the ROV goes too far in the detection. The holes in the net might be missed. The refined safety constraints based on the proposed approach also contribute to successfully completing a commission when there are dynamic control structures within one system. Some refined safety constraints from the case study especially emphasized the ensuring of safe transitions. Examples are as follows:  Switch from NTM to MCM ROV is on a collision course with an object in NTM (e.g., the safe navigation rules do not seem to work properly) Not providing causes a hazard   • The proposed collision avoidance path must be displayed in GUI to the ROV operator; • The ROV operator must be notified when the operational mode switches; • When the camera loses signals and does not respond to the ROV operator for a certain amount of time, the ROV must be shut down and floated to the surface; • The ROV operator should be informed when objects enter dangerous zones, regardless of an evaluated (no) collision risk by the ROV controller; • Training must be provided to the ROV operator to help become familiar with the capabilities of the system in various operational modes; and • Another separate operator should be assigned for tether management.
The refined safety constraints are more concrete and can be input to improve system design, and operational procedures. When the higherlevel autonomy is integrated into the system, the smooth transition faces the challenges of human action hazards such as skill degradation, loss of engagement, workload spikes, a lack of predictability associated with autonomous systems, and their overall complexity (Endsley, 2019). The human action hazards, in terms UTCAs for ROV operators, causal scenarios and the causal factors behind, need to be well considered while refining safety constraints. For example, it is clear from the results that the object avoidance functionality is not available in the SKM and RSKM modes. Without knowing the limitation, ROV operator may come to select the RSKM when an object is approaching on a collision course (i. e., how [NTM-RSKM]-UCA-OPERATOR-4 in Table 8 may occur).
In the case study, the proposed approach focuses on mode transitions and, as such, does not cover all aspects of the ROV. However, the analysis can be extended using standard STPA to analyse each operational mode and identify corresponding unsafe control actions and scenarios when the ROV is operated under such a mode. To limit the scope of this study, the above-mentioned analysis is not included in the case study.

Limitations and possibilities of proposed approach for autonomous operations
Investigating hazard identification for autonomous marine systems and operations, in general, can rapidly transform into a considerable effort. Nonetheless, it is a critical topic to be investigated. The proposed approach offers possibilities of application beyond the ROV case study presented in this paper. For a large part of possible applications of autonomy, autonomous systems with a LoA as high as "fully autonomous", in which no human would be necessary or supervision tasks or remote control, is not expected in the near future. In this sense, these systems also have shared control. Many of them may also have possibilities of changing LoAs during the operations. An example is autonomous ships, which are also expected to have dynamic LoA. For instance, when unmooring out of a harbour with heavy traffic, the ship can be controlled by operators working onshoreremote controland change the LoA to a higher level when reaching deep water with low traffic (Ramos et al., 2019b). Moreover, in case of a possible collision scenario, the operator may take over control of the ship, switching the LoA back to the remote control. Indeed, Ramos et al. (2020) states that the strong reliance on human-system interaction (shared control) and dynamic LoA present a challenge for risk assessments for autonomous ships.
The proposed approach allows for identifying triggering events for modes transition. This is particularly relevant for analysis of marine systems, which operate in a dynamic and complex environment. The existing hazard identification methods do not consider different types of environmental interaction systematically and sufficiently (Dogramadzi et al., 2014). The anticipation of possible environmental interactions is critical for a safe autonomous marine operation, particularly when the systems are moving toward the direction of being fully autonomous. The proposed method systematically identifies triggering events for transitions by dividing the events into external stimuli and internal stimuli events, and further into change event, timeout event, call event, and completion event. The results can serve as a basis to define triggering events in the design phase for other types of autonomous marine systems such as autonomous ships as well.
It is worth noting that, in some situations, simultaneous triggering events can create decision dilemmas. For example, when the ROV detects a suspected hole in the net, the ROV controller automatically switches to relative station keeping mode so that the hole can be logged and a further investigation can be carried out. If, at the same time, an agent is detected moving towards the ROV, the collision avoidance function is expected to be activated automatically as well. Under such a context, the best strategy might be to send a notification to the ROV operator and let the operator take over control to avoid a collision and then move back to a location to log information on the hole. If the hole is too big that fish start to escape, as an emergency procedure, the ROV should temporarily block the hole to mitigate fish escape until a remedy is implemented (e.g., send divers to repair). In such an emergent situation, the collision risk from moving the agent might be neglected. The identification of such decision dilemmas and the definition of corresponding strategies are critical to a robust and safe design of autonomous systems. The use of the proposed approach can shed light on identifying such dilemmas, through defined external and internal The ROV is close to the net, and the net is moving towards the ROV. The ROV operator is afraid to take manual control because a net collision may occur during the control transition.
(a) The operator would rather risk a collision with the obstacle than entangle with the net (a) Notification must be provided in time for the ROV operator when the minimum safe distance between the ROV and the object is violated (b) the operator must acknowledge change of current direction

S4
The ROV operator detected the collision risk, but misjudged the movement of the object (that the agent will move in the opposite direction of the ROV) (a) The operator has a lack of predictability associated with the collision avoidance function.
(a) Information about the type of the object (i. e. obstacle or agent) must be provided to the ROV operator.
stimuli events (or conditions). This issue is not within the scope of this study but will be researched in further work. Furthermore, this study does not include the effects due to the interaction of external stimuli and internal stimuli (e.g., a stronger current and control system crash). Broader scenarios considering the possible interactions should be established in the later stage of STPA. The literature presents STPA as a valuable method for hazard identification of autonomous and remotely controlled ships operation (Wróbel et al., 2018a, b), and the applicability to other autonomous marine systems needs to be tested in further work. The different characteristics, operating environment, sensing, motion, and reaction capabilities may bring new insights into the method. To this moment, STPA applications have not explicitly explored the hazards arising from control modes transition. The approach presented in this paper, which needs to be validated for other autonomous systems, can be an initial step towards the consideration of the important feature of control mode transition in STPA.

Conclusion
This paper addresses the challenge of analysing the risk of autonomous marine systems, focusing on the first step of risk analysis, namely hazard identification. Autonomous systems may switch between different modes of operation and levels of autonomy, which increases the complexity, in particular with respect to interactions between the Table 6 Causal scenarios and refined safety constraints for [NTM-MCM]-UCA-ROV-1: The ROV controller does not send out a collision alarm when the ROV is close to colliding with certain objects [H-2].

No.
Causal

Causal scenarios Possible causal factors
Refined safety constraints S1 A hole is suspected by the ROV operator during NTM, but due to some turbidity, a further investigation is needed. The turbidity also causes the ROV operator not to detect an object on a collision course, and the ROV operator activates RSKM to investigate the suspected hole.
(a) Reduced visibility through the camera view (a) The ROV must employ sensors, in addition to the camera, to detect objects on a collision course (b) The ROV controller must clearly inform the ROV operator when detecting an object on a collision course

S2
The ROV operator is aware that an object is approaching the ROV on a collision course, but believes that the ROV will perform collision avoidance in the RSKM (a) The operator is not sufficiently familiar with the system (a) Training to be conducted to ensure that operators are aware of the different system capabilities in different operating modes human operator/supervisor, software, hardware, and the environmental conditions. These interactions impact risk but are challenging to identify and analyse. This aspect has not been paid enough attention in risk and safety studies of autonomous marine systems. The proposed approach in the paper uses STPA as a foundation, but explicitly includes dynamic control hierarchies representing the different LoA, and focuses on identifying unsafe transition control actions, scenarios, and causal factors. The proposed approach is exemplified for an ROV but is expected to be relevant for other autonomous marine systems such as autonomous ships. The results from the case study indicate that clarification of allocated responsibilities and updated process model of the operator and the controller are critical factors to ensure a safe operation. The defined safety constraints, as a result, focus specially on how to ensure the responsibilities and updated process models to be communicated clearly among controllers. The proposed classification of triggering events shed light on the systematic identification of possible environmental interactions to improve the design of autonomous marine systems. Further work includes applying and testing the proposed method in a wide selection of domains, to further improve and develop a systematic approach to identify the triggering events and conditions for modes transition as input to eliminating hazards that may originate from unsafe transitions in the design phase.

Declaration of competing interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.