The hybrid method combined STPA and SLIM to assess the reliability of the human interaction system to the emergency shutdown system of LNG ship-to-ship bunkering

By introducing autonomous or software-controlled systems, human operators are increasingly required to perform cognitive-intensive tasks in addition to existing labour-intensive tasks. As a result, it will be more difficult to identify human roles in future complex systems with traditional approaches such as hierarchical task analysis used in the conventional HRA. This paper proposes a novel systematic approach for a human reliability assessment to better understand human activities in complex systems. The proposed framework is a hybrid method combining the System Theoretic Process Analysis (STPA) and the Success Likelihood Index Method (SLIM) to assess the system reliability. The STPA is adopted to analyse the interaction relationship between different system components. The primary purpose of STPA is to find and analyse human activities that affect the risk in human-machine interaction systems. Then the identified human activities are evaluated and quantified by the SLIM as a probability of human error. The system reliability block diagram represents the derived human error probabilities to assess the entire system for a probabilistic risk assessment. Furthermore, the study proposed system alternations by comparing three different system configurations. Results demonstrate the importance of human performance in a complex system where humans, machines, and software interact.


Introduction
The development of new technologies in the marine industry brings about a drastic change in how the marine industry approaches new challenges and opportunities. Modern ships' operations have changed with state-of-the-art technology to partially or fully automated control systems. Due to these changes, human roles in cognitive-intensive behaviour are becoming increasingly crucial in maritime operations in addition to the existing labour-intensive behaviour. In terms of safety management, it will be more difficult to identify human roles with traditional approaches such as hierarchical task analysis commonly used in the conventional Human Reliability Assessment (HRA) in future complex systems. Traditionally used hazard analysis techniques such as failure tree analysis (FTA) and failure mode and impact analysis (FMEA) have been in widespread use for decades. However, conventional approaches are not suitable for capturing the effects of changes in modern, more complex systems that are software-intensive and have a sociotechnological component. In particular, techniques for identifying and quantifying the rapidly changing human roles are not adequately considered in human reliability analysis. Therefore, it is necessary to examine what improvements have been made to apply the existing HRA techniques to the changed or added human role. In this context, this paper proposes utilising a novel systematic approach for a human reliability assessment in a human-machine interaction system. In the field of hazard analysis, the System Theoretic Process Analysis (STPA) is considered to be a relatively new technique that is based on the System-Theoretic Accident Model and Processes (STAMP) (Leveson and Thomas, 2018). On the other hand, the Success Likelihood Index Method (SLIM) is an established HRA technique for determining the likelihood of human error while completing a specific task (Embrey et al., 1984). 
In this study, the System Theoretic Process Analysis (STPA) is employed to identify human roles and defective interactions between different types of system components in a complex system. The SLIM is embedded in human error quantification to be incorporated into probabilistic risk assessment. For an illustration of this new approach for a complicated system in maritime operation, the emergency shutdown system for the LNG ship-to-ship bunkering process is adopted. The emergency response through the human-machine interaction during safety-critical operations like LNG bunkering should be carefully evaluated in terms of safety to prevent loss of life, environmental pollution, and property damage.
In this regard, this paper provides a framework for evaluating system reliability, including human errors, based on a hybrid method combining the STPA and the SLIM. The paper is organised as follows: the following section is a literature review, and the third section presents the proposed methodology. The case study and findings are presented in section four, followed by the conclusion in section five.

Literature review
Modern process systems are confronted with new safety challenges as a result of the introduction of new technology. Maritime operating systems have become more software-intensive in recent years, and they are constituted not just of hardware components but also logic control devices, software, and an increasing number of sensors, among other things (Sultana et al., 2019). In light of the rapid technological change and shift to more complicated relationships between humans and automation, a new strategy is required since the limitations of current accident models and safety engineering technologies are becoming increasingly apparent (Leveson, 2004). Furthermore, evaluating system reliability based on human errors or equipment failures in complex systems involving humans, machines, and software is challenging. Therefore, a more thorough analytical process is necessary for complex systems (Kirwan, 1994). In this context, the Functional Resonance Analysis Method (FRAM) and System Theoretic Process Analysis (STPA) introduce new approaches applicable to these socio-technical and complex systems.
Based on Resilience Engineering, the FRAM approach begins with a description of characteristic functions and investigates ways to increase a system's ability to respond, monitor, learn, and anticipate (Erik Hollnagel, 2017). Resilience engineering aims to ensure that an organisation can function efficiently under normal operating conditions and that routine work is completed correctly (Erik Hollnagel, 2017). Therefore, the FRAM describes the system as work-as-done rather than work-as-imagined. FRAM has also been applied in the following research relating to maritime safety. Lee and Chung (2018) conducted a study to quantify the impact of the variability of the human-system interaction by FRAM for maritime accidents. Salihoglu and Beşikçi (2021) applied the FRAM for qualitative risk analysis to the Prestige oil spill accident. Lee et al. (2020) used the FRAM approach to investigate human collaboration in maritime operations. However, it was not explicitly presented how to use the outcome of FRAM analysis in practical cases and how to replace the existing risk assessment framework through quantitative analysis. The FRAM approach focuses on the variability of performance rather than probability due to the uncertainty of the human and organisation's contribution to the failure of the system. In this regard, Praetorius et al. (2017) applied FRAM to Formal Safety Assessment (FSA), which is commonly used as a risk assessment framework in the maritime industry. The findings indicate that FRAM can be considered as a complement to established risk assessment methodologies such as FTAs, but that it is unlikely to be viewed as a stand-alone method suited for the FSA. Therefore, a specific framework should be developed to replace existing methods of evaluating human and overall system reliability.
The System-Theoretic Accident Model and Processes (STAMP) is the name of the accident causality model based on systems theory, which addresses safety as a dynamic control problem rather than a failure prevention problem. However, the STAMP is not an analysis method; instead, it is the theoretical underpinning for analysis methods (Leveson and Thomas, 2018). Today, the two STAMP-based techniques that are most extensively used are System Theoretic Process Analysis (STPA) and Causal Analysis based on Systems Theory (CAST). The STPA is a proactive analysis method that examines the potential causes of accidents throughout development to avoid or control risks. The CAST, on the other hand, is a retrospective analysis method that investigates accidents and identifies the elements that contributed to them. The STPA presupposes that accidents can also be induced by unsafe interactions between system components, none of which may have failed independently of component failures. STAMP-based methods were applied to maritime research, including an autonomous ship and various operations to identify hazards and safety barriers. They were also utilised to investigate the causes of an accident. A framework for modelling an autonomous ship's STPA hierarchical control structure was introduced by Chaal et al. (2020), while Dghaym et al. (2021) applied STPA to the maritime autonomous system to identify safety and security requirements. Rokseth et al. (2017) investigated the feasibility of using a systematic approach for the dynamic positioned system, and Gil et al. (2019) evaluated control actions with an STPA-based model for ship collision avoidance.
The STPA can identify new hazards not discovered by existing risk analysis methods. The STPA effectively reflects the effects of human and organisational factors but needs to be supplemented to utilise the STPA approach for a comprehensive risk assessment in risk identification, quantification, and reduction. This is not just a matter of error quantification. As mentioned, the roles of humans in safety-related systems such as maritime operations are vital. In STPA, humans are evaluated from a controller perspective. However, human decision-making processes and behaviour are more complex than the software controller's process model. Furthermore, human performance is primarily affected by Performance Shaping Factors (PSF). Therefore, an integrated method to deal with entire reliability, including humans, should be considered.
The maritime industry has used a range of approaches for assessing human reliability in various operations, including emergency response, critical processes, and maintenance. The CREAM was the most frequently used HRA method in the maritime sector. The CREAM has been applied to assess human reliability in ship accident scenarios such as cargo oil pump shutdown, ship capsizing accidents, LNG spill accidents and collision avoidance (Yang et al., 2013; Ung, 2015; Wu et al., 2017; Zhou et al., 2017; Xi et al., 2017). The studies for LPG cargo loading processes by Akyuz and Celik (2015) and emergency preparedness by Ahn and Kurt (2020) used a CREAM-based approach. Additionally, the SLIM technique has been widely used to assess human reliability in a variety of scenarios, including ship maintenance, emergency procedures, and even autonomous surface ship operation (Abbassi et al., 2015; Islam et al., 2016; Akyuz, 2016; Liu et al., 2021). Other human reliability analysis approaches utilised in the marine industry include the HEART method for ship maintenance operations (Noroozi et al., 2014; Akyuz et al., 2016) and Fuzzy-AHP-based human reliability analysis for ship navigation (Uflaz et al., 2022). For accident investigation analysis, the HFACS approach was applied (Zhang et al., 2019).
The most significant contribution made by previous human reliability assessments in the maritime sector was the ability to deal with uncertainties through expert judgement, the assignment of nominal failure probability for specific tasks, and the selection of performance shaping factors that influence human performance. Human reliability assessment is expected to evaluate how humans contribute negatively or positively to the system by considering human roles in the entire system and then incorporating them into the overall risk picture. However, the maritime human reliability assessments were primarily concerned with quantifying human error to address the maritime probabilistic risk assessment needs. As a result, less attention has been paid to the configuration of risk models representing interactions between system elements such as human-machine interactions and human recovery actions. To address these research gaps, this paper provides a new approach for the complex systems in maritime operation and illustrates system reliability assessment for the emergency shutdown system for the LNG ship-to-ship bunkering process.

Methodology
The suggested framework is a hybrid method for assessing system reliability that combines the STPA and the SLIM. As new technologies, like autonomous ships and software control systems, have been integrated into maritime operations, human responsibilities in the marine system have shifted away from labour-intensive behaviours and demand intense cognitive activities. As a result, it is vital to improve current HRA methods to assess the new type of human roles caused by emerging technologies. Therefore, systematic approaches are proposed to understand human activities in the complex system better.
In this context, the STPA is adopted to analyse the interactions between various system components (i.e., humans, software, and machines). The fundamental objective of STPA in this study is to identify human actions that influence the system risk. The SLIM evaluates and quantifies the identified human activities as a form of human error probability. The computed human error probabilities are then utilised to assess system reliability with a system reliability block diagram for a probabilistic risk assessment. Meanwhile, unsafe control actions discovered by STPA can be studied further, as needed by the study scope, to identify potential loss scenarios to develop further requirements, identify mitigations, and make safety recommendations. This technique enables qualitative or quantitative assessment of system reliability, or a combination of the two, depending on the analysis objective. The suggested method's flow chart is depicted in Fig. 1.

Systematic approach
The STPA is divided into four distinct stages (Leveson and Thomas, 2018). The first stage is to define the analysis's purpose. Defining the purpose of the analysis implies the identification of losses, system-level hazards, system-level constraints, and the refinement of hazards. This stage can also be described as defining the losses to be avoided, the system description, and the system boundary. The second stage is to build what is known as a control structure, which is a model of the system. The control structure describes the system as a feedback and control actions loop representing functional linkages and interactions. Typically, the control structure begins at an abstract level and is adjusted repeatedly to incorporate more detailed knowledge about the system. The third stage is to analyse the control action to determine how it can result in the loss. The discovered unsafe control actions are then utilised to define the system's functional needs and restrictions. Finally, the last stage is determining the reasons for unsafe control in the system, which means identifying loss scenarios. The following section 4 will discuss the details of these four steps with a case study.

Ahn et al. Ocean Engineering 265 (2022) 112643

Human controller modelling
Humans can be viewed as a system component from a system perspective. In comparison to logical computer controllers, human decision-making processes, on the other hand, are difficult to predict and far more complicated. France (2017) introduced a new extension to STPA and applied a human controller model to an automated car parking assist system. The created model provided a more thorough explanation of the human controller process than the logic controller. The model, however, does not consider the performance shaping factors that affect human performance. To predict the response of human controllers in a specific environment, the process model for human controllers must incorporate both human mental models and PSFs. In this context, a novel process model for human controllers was presented, as seen in Fig. 2, to explain human errors and identify contributing factors more efficiently. The model of the human controller is divided into two components: diagnosis and actions (i.e., execution) (Gertman et al., 2005). It contains PSFs that affect human performance. The diagnosis is further divided into the 'sensation & perception' processes to know updated system conditions and the 'decision-making' process to decide how to act. Sensation and perception are separate processes but are very closely related. The sensation is related to human sensory organs, while the perception is related to interpreting the information (Coren et al., 2004). Although it is challenging to distinguish processes accurately, using different terms in this study supports identifying specific PSFs affecting each process. For example, if a fire alarm is activated, the sound level is more associated with the sensation, while the type and interval of the sound may influence the perception.
In this paper, system inputs representing the beliefs about the process are classified into process variables, process environment, and process behaviour. The process variable is the value of a specific part of a current measured process, such as speed or pressure. The process environment is defined as an event that is not directly controlled by the system controller but affects the process. The last factor, process behaviour, indicates responsibility for the control action. Process behaviour can be expressed in control modes such as automatic and manual modes. For these three factors, a loss scenario can be created by considering the factors affecting each process of sensation and perception. The next part of the diagnosis consists of making decisions about action objects, action types, and action sequences based on the updated system information. When the diagnosis process is over, the next stage of execution appears as physical behaviour. Each of the boxes in the human model is useful for identifying specific performance shaping factors which affect the human controller's thoughts and behaviours.

PSFs derivation
Although numerous studies have been undertaken on PSF, there is still considerable uncertainty regarding its effect on human performance (Erdem and Akyuz, 2021; Gertman et al., 2005; Yang et al., 2013). Additionally, expert opinion is employed to establish the relative relevance and ranking of PSF. However, the evaluation results vary significantly depending on each expert group. The manner in which PSF affects human performance is frequently mischaracterised, and evaluations are frequently conducted without using suitable criteria. As seen in Table 1, the evaluation criteria for customised PSF were created to mitigate this issue.
The presented PSFs are derived from a review of the literature for existing HRA methods such as HEART (Williams, 1985), THERP (Swain, 1964), CREAM (Hollnagel, 1998) and SPAR-H (Blackman et al., 2008). The most effective strategy to cope with uncertainty is to break it down to a level we can easily understand. The SLIM approach uses the PSFs to estimate the human error probability for the identified task. The high-level tasks are decomposed into more detailed tasks. However, the derived PSF for the specific task is not sufficiently described. Therefore, each PSF should be more detailed and straightforward to understand. Thus, the possible application types for the PSF were identified to provide further information. On the other hand, the keywords of the PSFs are used to identify the loss scenario systematically. The developed PSF taxonomy can be used for both quantitative and qualitative analysis.

Human error quantification with SLIM
The Success Likelihood Index Method (SLIM) is an evaluation tool for human reliability used to quantify the likelihood of human error when completing a specific duty (Embrey et al., 1984). It is a practical and straightforward method to estimate human error when obtaining human error data is difficult (Park & Lee, 2008). Performance Shaping Factors (PSF), which have a significant impact on human performance, are quantified in SLIM and changed to a preference index form (Akyuz, 2016), allowing for the quantitative representation of external factors impacting human performance in the form of human error. SLIM consists of a six-step process that includes the following steps: 1) task analysis and scenario definition, 2) PSF derivation, 3) PSF weighting, 4) PSF rating, 5) Success Likelihood Index (SLI) calculation, and 6) SLI to Human Error Probability (HEP) conversion. In this paper, since the STPA analysis mentioned above is adopted to identify human tasks in the complex system in more detail, the SLIM method is used for the remaining steps, that is, all except the first step.

PSF weighting
Prior to assigning a rating to each PSF, its relative importance should be determined, as not all PSFs have the same effect on human performance. Additionally, to accurately reflect the features and characteristics of each task, the relative importance of PSFs should be measured for each task independently. Experts evaluate the significance of each PSF on a scale of 0-100 and then determine the mean weight value. As in equation (1), the normalised weight is generated by dividing the mean weight value by the sum of the mean weights.

PSF rating
PSF rating refers to the expert judgment process determining how each PSF impacts each task. Selected experts assign a score to each PSF ranging from 0 to 100. To minimise the deviation of expert evaluations, the Likert scale and upper and lower bounds for the relevant ratings are provided in Table 2. According to evaluation criteria such as professional, service time, and experience, the selected expert group has relative importance ($w_j$). The consensus rating ($R_i$) for each PSF $i$ is computed as the sum of the values obtained by multiplying the $j$-th expert's rating for the $i$-th PSF ($R_{ij}$) by the expert's relative importance ($w_j$) as specified in Equation (2). Note that since $w_j$ is a normalised value for all experts, a separate normalisation process is not required for the consensus rating.

Human error calculation
After the consensus rating $R_i$ and normalised weight $W_i$ of PSF $i$ are determined, the Success Likelihood Index (SLI) for each task is computed by equation (3).
Accordingly, the SLI value is converted into the HEP value by using equation (4), where a and b are constants (Embrey et al., 1984). The details of constant determination will be discussed in the following section 4.
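The weighting, rating and conversion steps above, worked through in Python as an added example (not code from the paper). Equations (1)-(4) do not survive on this page, so the code follows the prose for the weights and consensus ratings and assumes the standard SLIM forms SLI = sum of W_i * R_i and log10(HEP) = a * SLI + b. Assumptions: the PSF names, expert scores, the convention that a higher rating is more favourable, and the two calibration anchors used to fix a and b are all constructed for illustration.

```python
import math


def normalised_weights(expert_weights):
    """Equation (1) as described in the text: the mean expert weight of each
    PSF divided by the sum of the mean weights, so that the W_i sum to 1."""
    means = {psf: sum(s) / len(s) for psf, s in expert_weights.items()}
    total = sum(means.values())
    if total <= 0:
        raise ValueError("at least one PSF must carry a positive weight")
    return {psf: mean / total for psf, mean in means.items()}


def consensus_ratings(expert_ratings, expert_importance):
    """Equation (2) as described: R_i = sum_j w_j * R_ij, where the expert
    importance values w_j are already normalised to sum to 1."""
    if not math.isclose(sum(expert_importance), 1.0, abs_tol=1e-9):
        raise ValueError("expert importance w_j must sum to 1")
    ratings = {}
    for psf, scores in expert_ratings.items():
        if len(scores) != len(expert_importance):
            raise ValueError(f"{psf}: one rating per expert is required")
        if any(not 0 <= s <= 100 for s in scores):
            raise ValueError(f"{psf}: ratings must lie between 0 and 100")
        ratings[psf] = sum(w * s for w, s in zip(expert_importance, scores))
    return ratings


def success_likelihood_index(weights, ratings):
    """Assumed form of equation (3): SLI = sum_i W_i * R_i (range 0-100)."""
    if weights.keys() != ratings.keys():
        raise ValueError("weights and ratings must cover the same PSFs")
    return sum(weights[psf] * ratings[psf] for psf in weights)


def calibrate(anchor_1, anchor_2):
    """Solve log10(HEP) = a * SLI + b from two (SLI, HEP) anchor tasks.
    Using two anchors is an assumption; the page defers the choice of
    constants to its section 4."""
    (s1, h1), (s2, h2) = anchor_1, anchor_2
    if s1 == s2:
        raise ValueError("anchor tasks need different SLI values")
    a = (math.log10(h2) - math.log10(h1)) / (s2 - s1)
    b = math.log10(h1) - a * s1
    return a, b


def hep_from_sli(sli, a, b):
    """Assumed form of equation (4), capped at 1 because HEP is a probability."""
    return min(1.0, 10 ** (a * sli + b))


# Constructed sample input: three hypothetical PSFs scored by three experts.
EXPERT_IMPORTANCE = [0.5, 0.3, 0.2]            # w_j, already normalised
EXPERT_WEIGHTS = {                             # importance of each PSF, 0-100
    "training": [80, 60, 70],
    "time_available": [50, 40, 60],
    "hmi_design": [90, 70, 80],
}
EXPERT_RATINGS = {                             # R_ij, 0-100, higher = better
    "training": [60, 70, 50],
    "time_available": [40, 50, 30],
    "hmi_design": [80, 70, 90],
}
# Constructed anchors: worst case SLI 0 -> HEP 1.0, best case SLI 100 -> HEP 1e-5.
ANCHORS = ((0.0, 1.0), (100.0, 1e-5))


def worked_example():
    weights = normalised_weights(EXPERT_WEIGHTS)
    ratings = consensus_ratings(EXPERT_RATINGS, EXPERT_IMPORTANCE)
    sli = success_likelihood_index(weights, ratings)
    a, b = calibrate(*ANCHORS)
    return weights, ratings, sli, hep_from_sli(sli, a, b)


if __name__ == "__main__":
    W, R, sli, hep = worked_example()
    for psf in W:
        print(f"{psf:15s} W={W[psf]:.3f} R={R[psf]:.1f}")
    print(f"SLI={sli:.2f}  HEP={hep:.3e}")
```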

Modelling system reliability
After deriving the probability of nominal failure, including human errors for each component, the method of integrating the system reliability of each task into the probability risk model should be considered. Therefore, this paper adopted an approach by Ahn et al. (2022) using a Reliability Block Diagram (RBD) by assuming each human task is a system component for reliability modelling. In addition to human tasks, events, functional elements, and any behaviour expressed as success and failure can be regarded as elements of the system. To model a reliability block diagram, the system configuration method and dependency between components must be defined. For system configuration, if a sub-system is essential for the mission success of the overall system, it should be modelled as a series component. The parallel configuration indicates that the primary function of that sub-system is duplicated, thus allowing a switch over to the redundancy in the event of failure. The example of each system is illustrated in Fig. 3. The next step is to determine dependence between components. Dependence can occur between and within people (Swain, 1964). In this study, dependence between and within people and between people-machines or between events-other events is extended to the same principle. The dependence means how the probability of failure or success of one task can be related to the failure or success of another task. If the conditional probability of one event is the same regardless of whether another event occurs, the two events are independent, otherwise dependent. Conditional probabilities may be applied differently depending on the degree of dependence. However, this paper assumes that the relationship between the two components or events is independent to simplify the calculation process. Once the configuration and dependence of the system components are defined, the formulas in Table 3 are applied to calculate the reliability of the sub-system and the entire system.

Fig. 3. Example of serial and parallel system modelling.

Table 3
Calculating the reliability from Error Probability (EP) of system components (He et al., 2008).
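The series and parallel rules under the independence assumption stated above, as an added Python example (not code from the paper; the formulas of Table 3 are not reproduced on this page, so the standard independent-component forms are assumed). The block layout and every error probability below are constructed for illustration and are not the paper's ESD model.

```python
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Block:
    """A single component, human task or event with its error probability."""
    name: str
    error_probability: float


@dataclass(frozen=True)
class Series:
    """All parts are essential: the group succeeds only if every part succeeds."""
    parts: tuple


@dataclass(frozen=True)
class Parallel:
    """Redundant parts: the group fails only if every part fails."""
    parts: tuple


def reliability(node):
    """Reliability of a nested block diagram, assuming independent parts."""
    if isinstance(node, Block):
        if not 0.0 <= node.error_probability <= 1.0:
            raise ValueError(f"{node.name}: error probability outside [0, 1]")
        return 1.0 - node.error_probability
    if not node.parts:
        raise ValueError("a series or parallel group needs at least one part")
    part_reliabilities = [reliability(p) for p in node.parts]
    if isinstance(node, Series):
        return prod(part_reliabilities)
    if isinstance(node, Parallel):
        return 1.0 - prod(1.0 - r for r in part_reliabilities)
    raise TypeError(f"unsupported node type: {type(node).__name__}")


# Constructed layout: an automatic trip path and a manual (human) trip path
# in parallel, followed in series by the shutdown valve that both paths need.
AUTOMATIC_PATH = Series((
    Block("sensor detects hazard", 0.01),
    Block("logic issues trip signal", 0.001),
))
MANUAL_PATH = Series((
    Block("operator diagnoses hazard (HEP)", 0.05),
    Block("operator presses trip button (HEP)", 0.02),
))
VALVE = Block("shutdown valve closes", 0.002)

WITH_HUMAN_BACKUP = Series((Parallel((AUTOMATIC_PATH, MANUAL_PATH)), VALVE))
AUTOMATIC_ONLY = Series((AUTOMATIC_PATH, VALVE))


def compare_configurations():
    """Return the reliability of both constructed configurations."""
    return {
        "with_human_backup": reliability(WITH_HUMAN_BACKUP),
        "automatic_only": reliability(AUTOMATIC_ONLY),
    }


if __name__ == "__main__":
    for name, value in compare_configurations().items():
        print(f"{name:18s} reliability={value:.6f} failure={1 - value:.3e}")
```

With these constructed numbers the shared valve dominates the remaining failure probability once the two trip paths are redundant, which is the kind of comparison between configurations a block diagram makes visible.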

LNG bunkering process overview
On January 1, 2020, new regulations governing Sulphur emission limitations from ships became effective, following the MARPOL Annex VI amendment (IMO, 2018). The primary change of the MARPOL Annex VI is the addition of emission control zones (ECA) to gradually reduce Sulphur Oxides (SOx), Nitrogen Oxides (NOx), and Particulate Matter (PM) emissions globally and to reduce air pollutant emissions in designated waters to improve global air quality, preserve the environment, and protect human health. Several potential alternatives to traditional marine fuels, such as abatement technologies and alternative marine fuels, have been introduced to the marine industry over the previous two decades (Jang et al., 2021). In this context, LNG is being accepted as an alternative fuel for ships as a strategy for environmental compliance for vessels during navigation and port operations. LNG as a ship fuel has an immediate and significant impact on SOx, PM, and NOx emissions reduction. As a result, the applicable multilayer regulatory framework strongly favours the usage of LNG as fuel (EMSA, 2018). In addition, global initiatives to safeguard the environment will enhance the trend toward LNG-powered fleets and the need for LNG bunkering at the port.
In contrast, the rising concern is expressed that if LNG becomes widely employed as a ship fuel, the degree of risk associated with bunkering and the general procedures used in containment and operation would considerably increase. LNG is well recognised as a clean fuel that can be consumed entirely and effectively, with very little soot produced during small-scale combustion (Sun et al., 2014). On the other hand, LNG vapour in the air is explosive under certain concentration limits. Once ignited, free natural gas clouds burn very slowly, resulting in comparatively little overpressure in open space. However, if the flammable natural gas is generated in a confined space, the surrounding areas may experience higher overpressure. Fires and explosions are the primary dangers associated with LNG storage and bunkering, and they may occur due to leaks and spills in the presence of ignition sources (Aneziris et al., 2020).
Furthermore, liquefied natural gas is a cryogenic liquid stored at a very low temperature of −162 °C at atmospheric pressure. The cryogenic liquid that comes into touch with the hull structure will cause the fragile hull to fracture and lose ductility, destroying the ship's structure (Li and Huang, 2012). Moreover, it can cause cryogenic burns to human skin and act as an asphyxiant in an enclosed space. Therefore, LNG should be handled by establishing a very high level of safety measures and robust procedures. However, concerns about this risk are due to the complex system of LNG fuel ships and the feature that LNG bunkering progresses in the interaction of several stakeholders with different contexts. In system reliability assessment, humans are an inevitable component to consider since they play a significant part in increasing safety onboard; reliability assessment has always been a critical subject for researchers and decision-makers in this field (Kayisoglu et al., 2021).
Ship-to-ship LNG bunkering is supplying LNG from a bunker supply ship to a bunker receiving ship that uses LNG as fuel via a transfer hose, as illustrated in Fig. 4. The received fuel is used for propulsion and electrical power generation through the ship's main and auxiliary engines. The bunkering procedure may be separated into three phases: the pre-bunkering phase, which involves safe mooring and hose connection, the bunkering phase, which consists of filling LNG, and the post-bunkering phase. While bunkering methods vary according to ship and facility, the following general sequences apply (EMSA, 2018).
Step 1. Initial precooling. Before starting the operation, it is necessary to precool the filling lines and the cargo pump at the discharging unit.
Step 2. Connection of Bunker Hose. After the previous precooling is complete, the transfer hoses are attached to the manifold. Sophisticated hose handling equipment like hose cranes or loading arms may be used to convey bunker hoses to the receiving vessel. Each manifold must be earthed, and an insulating flange near the coupling must be put on the receiving vessel to avoid ignition sources caused by electrostatic build-up.
Step 3. Inerting the connected system. The inerting procedure involves injecting an inert gas into a system to substitute a hazardous gas already present. Nitrogen is used as an inerting gas to eliminate moisture and oxygen from storage tanks and the pipe that connects them. In particular, the presence of oxygen in the system causes an explosive environment within the LNG supply line, resulting in potentially hazardous scenarios that should be prevented using an inerting process.
Step 4. Purging the Connected System. To remove the remaining nitrogen from the system in accordance with the specifications of the engines that consume LNG, the system is purged with natural gas until the ratio is between 97 and 98 per cent.
Step 5. LNG Filling. The LNG filling process may begin when all the necessary preparations have been completed. There are two different methods of bottom filling and top filling in the filling sequence.
Step 6. Liquid Line Stripping. After the pump has been turned off, the liquid collected in the bunker hoses must be discharged before the disconnection can be made.
Step 7. Inerting. In a process similar to Step 3, the LNG bunkering line should be inerted before disconnection at the end of the operation.
The strategy and planning for emergency events that may happen throughout the LNG bunkering operation are critical for protecting workers, the environment, the public, and assets in the case of an accident. Thus, building and executing appropriate LNG systems and bunkering operations (Guide for LNG Bunkering, 2017). The Emergency Shutdown (ESD) system is critical to the vessel's safety. The ESD system is installed as part of an LNG bunkering system designed to safely and effectively stop the flow of LNG (vapour as applicable) or prevent damage to the delivery system in an emergency. The control systems involved in the ESD, which is a linked system to allow both parties (onboard receiving ship and the bunkering ship) to shut down the transfer in an emergency, can be activated automatically or manually. ESD can be composed of two parts (Guide for LNG Bunkering, 2017; LNG Bunkering Guidelines, 2017; EMSA, 2018). The ESD stage 1 system shuts the LNG transfer process down in a controlled manner when it receives inputs from one or more hazardous events listed in Table 4. The ESD stage 2, by contrast, is a system that activates decoupling of the transfer system between the transfer vessels. Therefore, risk analysis for the ESD system should also consider the entire ship-to-ship LNG bunkering process. The ESD system is configured as a sub-system, and interactions between humans and machines, including software, should also be investigated for analysis.

System description: LNG bunkering and emergency shut down system
The system to be analysed and the boundary should be defined to identify system hazards (Leveson and Thomas, 2018). The abstraction of the Emergency Shutdown (ESD) system for ship-to-ship LNG bunkering is conceived in Fig. 5, and the interaction between humans and machines is modelled in Fig. 6 to support the system definition. The initial stage of the conceptual visual definition has been developed into a more detailed physical diagram in Fig. 7 to support a unified perspective and understanding of the participants for the assessment. LNG Bunkering is the practice of providing Liquefied Natural Gas (LNG) fuel to LNG fuelled ships. Depending on the LNG bunkering mode, it can be divided into ship-to-ship, truck-to-ship, or terminal-to-ship. In this study, the ship-to-ship bunkering mode was selected. A ship that supplies fuel is called a bunker supply vessel, and a ship that consumes LNG as fuel is called a receiving vessel. When the two ships are safely moored for LNG fuel supply, the two types of hoses are connected to the manifold flanges of both ships. One is a liquid filling hose, and the other is a vapour return hose. The operators are positioned in the control room and the manifold area, respectively, on both ships. A control monitoring system that controls the process of the system is installed on each ship. The LNG bunker transfer system is to be equipped with a linked and compatible ESD system that is completely independent of the installed control and monitoring system. This system will be used to halt bunker flow in an emergency (Guide for LNG Bunkering, 2017). ESD systems can be activated automatically or manually on each vessel, from both the control room and manifold side. The ESD systems on both vessels are linked. Emergency release coupling (ERC) is installed at each hose to disconnect the fuel supply in an emergency immediately. Remotely operated ESD valves must be installed in each bunkering line immediately adjacent to the manifold joining point.

Table 4. Loss and hazards definition.
Definition of system loss and hazards
Loss
L1. Failure of emergency response by the ESD system when the hazardous situation occurred.
Hazards
H1. Detection of gas in the cargo machinery space at levels more than 60% of the Low Exposure Limit (LEL)
H2. Detection of gas in the bunkering manifold area at levels more than 60% of LEL
H3. High pressure is generated at bunkering manifolds
H4. High-high pressure is generated in the vapour return line
H5. Power failure for the ESD valve
H6. Activation of the emergency release system (ERS) by default
H7. The liquid level in the LNG receiving tank has risen to a High-high level.
H8. High-high pressure is generated in the LNG receiving tank
H9. ESD signal generated manually or automatically by LNG receiving vessel
H10. Fire detection onboard

Fig. 5. Abstraction of the ESD system for ship-to-ship LNG bunkering process (simplified system).

Loss and hazard identification
Losses may include death or injury, ship structural damage, marine pollution, mission failure, or any other type of loss deemed undesirable by stakeholders (Leveson and Thomas, 2018). During ship-to-ship LNG bunkering, the loss and hazards of the ESD system are defined as shown in Table 4. Hazards are defined as events for which the ESD system must be activated according to the Guide for LNG bunkering (Guide for LNG Bunkering, 2017), and loss is defined as a state in which the ESD system

Model control structure
The control structure is a system model composed of control actions and feedback loops that impose safety restrictions on the system's behaviour. A process model is used to determine which control actions are required to maintain the system's effectiveness and explain and anticipate interactions between humans, their mental models, and the logic control system (Leveson and Thomas, 2018). As shown in Fig. 8, the control structure for the ESD system represents the responsibilities of humans and software according to the process model. The corresponding control action can be identified from the control structure for the ESD system.

Identification of the unsafe control actions (UCA)
After modelling the control structure, the next phase is to identify Unsafe Control Actions. The system is managed automatically or manually according to the system logic by two human controllers (a control room operator and a site operator near the manifold) and a software controller. This stage identifies Unsafe Control Actions, which are control actions that could result in a hazard in a particular context and worst-case setting. As illustrated in Table 5, hazardous control actions are recognised by possible error modes, including not providing controls, incorrect controls, and timing errors.

Identify loss scenarios
Loss scenarios can be considered the catalysts for hazardous control behaviour, i.e., scenarios that result in UCA and scenarios in which control actions are done wrongly or not done. The causes of unsafe control behaviour are divided into controller failure and decision-making error. The scenarios in which control actions are incorrectly executed (or are not executed at all) are the result of control path and control process issues. Fig. 9 shows multiple levels of hazards with the pathways that cause hazardous scenarios. The human controller model was used to describe unsafe control behaviour in more detail. However, the process of identifying loss scenarios is a highly iterative task. Since the proposed framework for system reliability does not require complete STPA analysis, this section briefly describes how human models and PSFs in Table 1 are utilised to create loss scenarios. The causal scenarios that result in unsafe control actions are described in Table 6.

Human error calculation by the SLIM method
The SLIM was used to quantify human error probabilities for human responsibilities so that they can be incorporated into the probabilistic risk assessment. In this study, five professionals with practical experience in LNG bunkering and human reliability assessment conducted the assessment. The details of the experts are given in Table 7. The standard procedures (Guide for LNG Bunkering (2017); EMSA (2018); LNG Bunkering Guidelines (2017)) and the findings of the STPA analysis were provided for judgement. The experts were asked to respond to questionnaires to determine the relative importance and rating of the PSFs. Each expert conducted the assessment separately to eliminate groupthink.

Identification of human tasks
Through the control structure of STPA analysis, the tasks of the control room operator and site operator are identified in Table 8. First, however, it is necessary to analyse in what context the human role is required for more careful human error prediction. This is divided into before and after the start of the LNG process. Before the process, the human role is to set up system parameter values for events that lead to hazards in terms of the ESD system process. Next, the required human tasks during the process show what actions are required in which system context and who is responsible, as shown in Table 9.

PSF weighting
At this stage, the weighting of PSFs was estimated to evaluate the impact of each PSF on human performance. Again, linear scales from 0 to 100 were used for evaluation, and the determined mean weights were normalised to indicate relative importance. Since the degree to which PSFs contribute to each task is different, the relative importance of PSFs for each task was evaluated by the experts, as shown in Table 10.

PSF rating and SLI
The PSF evaluation procedure is essential for calculating human error. However, the criteria for assigning PSF ratings are unclear, and depending on the features of the selected expert group, the variance between results may appear substantial. For this reason, a Likert scale was provided, as mentioned in section 3.2.2. The experts in the selected group were assigned relative importance values ($w_j$) of 0.20, 0.18, 0.21, 0.20 and 0.21, according to evaluation criteria such as professional position, service time, and experience. The consensus rating $R_i$ for PSF $i$ is computed for each task using equation (2), as demonstrated in Table 11, which shows the values of $R_1$ to $R_9$ for task 1 based on expert judgments on PSF $i$. After the consensus rating $R_i$ and normalised weight $W_i$ for PSF $i$ are determined, the Success Likelihood Index (SLI) for all tasks was derived by equation (3), as shown in Table 12. The Success Likelihood Index (SLI) for tasks 1 through 3 in the control room varies little, whereas the SLI for task 4 performed by the site operator is relatively low. Poor working conditions and complex situations apparently contributed to the lower SLI.

Human error calculation
The human error probability is derived from SLI by calculating anchor values and performing the calibration equation (4). In the case of LNG ship-to-ship bunkering work, absolute probability judgment by experts was used for endpoints because there is no empirical data available for human failure probabilities. This method is used in rare event scenarios to estimate calibration tasks (Kayisoglu et al., 2021). This method allows experts to assume human error probability (HEP) of the best and worst scenarios which are used as boundaries of human errors to calculate constants 'a' and 'b'. For the control room operator and site operator, the constant values were determined as shown in Table 13 by experts considering the given context. Then, human error probability is derived by equation (4), as shown in Table 14.
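The PSF weighting, consensus rating, SLI and calibration steps described above can be carried through as one calculation. The following is an added example, not code or data from the paper: equations (2) to (4) are not reproduced in this section, so it assumes the standard SLIM forms ($R_i = \sum_j w_j r_{ij}$, $SLI = \sum_i W_i R_i$, $\log_{10} HEP = a \cdot SLI + b$); only the expert weights come from the text, while the 1 to 9 rating scale, the three PSFs, the ratings and the anchor probabilities are constructed.

```python
import math

# Expert relative importance w_j as given in the text (sums to 1.00).
EXPERT_WEIGHTS = [0.20, 0.18, 0.21, 0.20, 0.21]
RATING_MIN, RATING_MAX = 1, 9  # assumed rating scale, 9 = most favourable


def normalise(raw_weights):
    """Convert mean PSF weights (0-100 scale) into W_i that sum to 1."""
    total = sum(raw_weights)
    if total <= 0:
        raise ValueError("PSF weights must have a positive sum")
    return [w / total for w in raw_weights]


def consensus_ratings(ratings, expert_weights=EXPERT_WEIGHTS):
    """R_i = sum_j w_j * r_ij; ratings[j][i] is expert j's rating of PSF i."""
    if len(ratings) != len(expert_weights):
        raise ValueError("one row of ratings per expert is required")
    if abs(sum(expert_weights) - 1.0) > 1e-9:
        raise ValueError("expert weights must sum to 1")
    if any(not RATING_MIN <= r <= RATING_MAX for row in ratings for r in row):
        raise ValueError("rating outside the assumed scale")
    return [sum(w * row[i] for w, row in zip(expert_weights, ratings))
            for i in range(len(ratings[0]))]


def success_likelihood_index(raw_psf_weights, ratings):
    """SLI = sum_i W_i * R_i for one task."""
    weights = normalise(raw_psf_weights)
    consensus = consensus_ratings(ratings)
    if len(weights) != len(consensus):
        raise ValueError("one weight per PSF is required")
    return sum(w * r for w, r in zip(weights, consensus))


def calibrate(sli_best, hep_best, sli_worst, hep_worst):
    """Fit log10(HEP) = a * SLI + b through two expert-judged anchors."""
    if sli_best == sli_worst:
        raise ValueError("anchor SLIs must differ")
    a = (math.log10(hep_best) - math.log10(hep_worst)) / (sli_best - sli_worst)
    return a, math.log10(hep_best) - a * sli_best


def hep_from_sli(sli, a, b):
    """Human error probability for a task with the given SLI."""
    return 10 ** (a * sli + b)


def worked_example():
    # Constructed data: three PSFs (interface, procedure, working conditions),
    # one row of ratings per expert. Not the values of Tables 10 to 14.
    sli_cr = success_likelihood_index(
        [80, 70, 50], [[7, 6, 8], [8, 6, 7], [7, 7, 8], [6, 6, 8], [7, 5, 7]])
    sli_site = success_likelihood_index(
        [60, 60, 80], [[4, 5, 2], [5, 5, 3], [3, 4, 2], [4, 5, 3], [4, 5, 2]])
    # Constructed anchors: best case SLI 9 -> 1e-4, worst case SLI 1 -> 1e-1.
    a, b = calibrate(9, 1e-4, 1, 1e-1)
    return {"a": a, "b": b, "sli_control_room": sli_cr, "sli_site": sli_site,
            "hep_control_room": hep_from_sli(sli_cr, a, b),
            "hep_site": hep_from_sli(sli_site, a, b)}


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name}: {value:.4g}")
```

With these constructed inputs the site task receives the lower SLI and therefore the higher error probability, the same direction as the paper reports for task 4.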

System reliability assessment for human-machine interactive controller
To present human error in the system reliability model, it is necessary to understand how the interactive relationship between humans and machines is connected to the system process. The control structure for the ESD system for the ship-to-ship LNG bunkering process is defined in Fig. 8. The failure probabilities of software, sensors and equipment vary with factors such as built specification, manufacturer, and time dependency of the life cycle. However, considering the limited scope of this study, quantitative data for all parts of the equipment need to be assumed reasonably based on literature (Khalaquzzaman et al. (2014); Kang et al. (2009); Kamyab et al. (2013); Guide for LNG Bunkering (2017); EMSA (2018); LNG Bunkering Guidelines (2017)). Therefore, the following assumptions for technical equipment failure are applied in this analysis. The software's failure probability was assumed to be 1.0E-3, including sensor, cable, and equipment failure. The failure probability of equipment which requires redundancy is assumed as 1.0E-6. The remaining problem is how to interpret each human role in a reliability model. First, the failure of the control room operator to override and set system parameters is interpreted in terms of human errors because it degrades the reliability of the software. If any of them fails, the function of the human-software interactive controller fails, so three elements are connected in series.
On the other hand, if the main functional human-software controller fails, the ESD system can be manually activated by the control room operator and the site operator, respectively, so the human role here serves as a redundancy. Therefore, the role of humans in manually activating ESD is connected in parallel. The setup task is linked with the logical computer in serial connection, and their relation is dependent, but the logical computer and the override functions are independent. Considering these three factors, the calibrated error probability 7.34E-03 obtained by formulas in Table 3 becomes the error probability of the human-software interactive controller that carries out the primary automatic activation. The human roles of the control room operator and site operator for manual activation of ESD and main software functions are independent. The total system reliability calculated by the equation in Table 3 is 1.5E-06, considering the system configuration and dependence relationship as shown in Fig. 10. This is a relationship in which five components, from sensors to equipment, are connected in series and dependent, so in the end, the errors of the entire system are represented by maximum errors. In terms of reliability, the minimum reliability represents the overall system reliability. This means that the overall reliability increases only when the error probability of the controller composed of humans and software is decreased to 1.0E-06, which is the error level of other components.

Comparative analysis for system design alternatives
The current ESD system with an error probability of 1.5E-06 was used as the baseline to improve the controller reliability in which humans and software link. The following three different system configurations were used as alternatives for comparison. The first alternative is to install an additional independent ESD system. The second alternative is to place one supervisor in the control room. Finally, the third alternative is to deploy one supervisor at the site near the manifold. The system reliability block diagram for each case is illustrated as shown in Fig. 11, and the human-machine controller reliability of each system is obtained as shown in Fig. 12. Alternative 2 offers the highest reliability.

Finding and discussions
The proposed method identified the flawed interaction between humans and other system components through a systematic approach, thereby recognising the potential unsafe control actions that may lead to hazardous situations from a system control perspective. The scenarios were explored based on identified UCAs as to what causes contribute and how unwanted dangerous situations occur. In addition, identified hazards, unsafe control action, and loss scenarios induce safety recommendations for each step. This qualitative analysis strengthens safety measures through better understanding and interpretation of the system while identifying human responsibilities in the system. According to the system situation, human responsibility identified through system analysis was expressed as expected human roles, as shown in Table 9. This means that within a complex system, the human role is not evaluated independently regardless of the system's situation but should be treated as a dependent human role in response to changes in the system situation. Next, the error probabilities of the identified system components were predicted, and human errors were obtained through the SLIM method. In quantifying human errors, the Likert scale and weighted normalised mean value were used to minimise uncertainty, ambiguity, and inconsistency according to expert groups, and experts carefully evaluated human error probability. In a control room, Interface (input device) and Procedure are identified as the most significant factors affecting human error, while Interface (input & output), Procedure and working conditions contribute to the human error of site operators. Human errors from task 1 to task 4 were evaluated from a minimum of 3.68E-03 to a maximum of 5.64E-02. All the tasks 1 to 3 performed by control room workers showed similar probabilities of error at 3.6E-03.
In contrast, the probability of human error at the site operator was 5.64E-02, indicating that the overall hostile working environment, shown by experts' PSF evaluation, had a more significant impact on the site operators' performance than the control room operators. When the probability of error in individual system components was obtained, they were modelled by the system reliability block diagram to evaluate the reliability of the entire system. Thus, individual system components constitute the system by two criteria, system description, serial or parallel and level of dependence. Finally, a comparative analysis of three different design options was conducted against the reliability of the integrated controller between humans and software analysed in the case study for design suggestions. The current system's reliability was (1 − 1.50E-06), while the reliability was the highest at (1 − 7.43E-10) when one more supervisor was placed in the control room and the reliability level of (1 − 8.48E-08) when one more supervisor was placed on the site. However, the system's overall reliability remains unchanged even with independent ESD deployed. The findings demonstrate the significance of human roles in complex systems. Since humans have priority authority over the system, their influence on the system's reliability is greater than that of any other system element. Human error is linked to major disasters (Kim and Bishu, 1996), and it is widely known that human operators are unreliable system components (Hollnagel, 1996).

Fig. 10. System reliability for ESD system for ship-to-ship LNG bunkering.

Nonetheless, a comparative evaluation of this study reveals that, from a safety standpoint, humans can potentially positively impact system performance. Identifying problematic human-machine interactions and abused interventions is crucial for enhancing the system's reliability. Consequently, human responsibilities in systems must be properly defined, and the elements that influence human performance must be effectively handled. When designing a system procedure, it should be considered that the human element could play a more significant role in recovering from system failures.

Conclusion
This study developed a new hybrid method combining STPA and SLIM to analyse the human role qualitatively and quantitatively in emergency shutdown operations during LNG vessel-to-vessel bunkering. This systemic approach based on STPA was created to assist in understanding human process models and capturing additional causal scenarios. The human process model with PSFs is unique as it proposes a new simplified model of the human diagnosis process from a system perspective. The scenario development process is a newly proposed guideline that can be quickly applied to identify a rich set of scenarios related to human behaviour, including system information, human diagnosis processes, and performance shaping factors. The SLIM calculates quantitative human error probabilities from the identified human responsibilities by measuring the contribution of Performance Shaping Factors to human reliability. Traditional STPA does not pursue an error probability model, but quantification is an inevitable process that should be applied to probabilistic risk assessment frameworks currently used as the maritime industry's standard. Furthermore, this method can represent errors of all system components to integrate HRA into the whole risk picture through the system reliability block diagram. In conclusion, in safety-critical systems that involve and rely on human interactions, human reliability assessment alone will not be sufficient to evaluate human behaviour without considering operators' interactions with the system. In such systems, the human operators' role should be viewed as a component of the system and analysed in relation to other components that they interact with. The approach demonstrated in this paper shows promising results for calculating overall reliability in such operations.
Although current technologies offer substantial benefits to maritime operations, these also present new safety risks. For instance, the automation of ship operations, which is rapidly becoming a reality, no longer faces opposition. Thus, it is required to analyse the system reliability of new technology before implementing emerging technologies. Consequently, new technologies require fast action to address the increased hazards posed. In this context, for future studies to improve human reliability in maritime operation, it is essential to investigate the various situational awareness generated by introducing a human-machine interface environment such as augmented reality and remote-control stations.

Fig. 11. System reliability block diagrams for different ESD system controller configurations.

Fig. 12. Reliability of the ESD system controllers with different system configuration.