There are a number of challenging environments that would benefit from fully autonomous operations including oil & gas, nuclear decommissioning and undersea exploration. However, there are a number of limitations that have to be overcome before that desire can be fulfilled. Firstly, there has to be a sensing suite that can be used to navigate adequately in all these environments and be able to undertake the various missions. We have to be able to convince users, regulators and insurers that any such deployed system will always do what is needed. More importantly, we have to be sure that it won’t do what we don’t want it to do - ever; and we also need to show what the behaviour will be when [not if!] something goes wrong. Evidence from the development has to be made available to support a system safety and, where applicable, security case.
Introducing the A2I2 consortium
A consortium of Rovco (project lead), Forth Engineering, D-RisQ, Thales, the University of Manchester and the National Oceanography Centre will be using its combined expertise to produce two demonstrators of fully autonomous underwater vehicles, one to meet the requirements of off-shore coring and one to operate in wet nuclear storage pond inspections and interactions. Key features of the demonstrators that are being developed will be the use of enhanced autonomy and perception, hover capability, and the application of software verification tools to ensure robust and safe operation. The consortium strength is the combination of skills from the advanced underwater communications being developed by Manchester University, the Rovco optical sensor, advanced automatic verification from D-RisQ, the integration and market access by Rovco, Forth and Thales as well as the high profile use in underwater exploration by the National Oceanography Centre. The facilities, knowledge and backgrounds of the individuals involved is a great strength with industrial expertise from diverse backgrounds in aerospace, automotive, defence and cyber security all bringing value add to the project.
The solution we developed is a small (<200kg) hover capable Autonomous Underwater Vehicles (AUVs) equipped with a novel visual mapping system and enhanced and verified on-board autonomy. The design of the platforms was scalable enabling it to work across domains. It is capable of conducting very close inspection and intervention tasks, such as, cathodic protection surveys (oil and gas), coring (offshore), visual inspection (nuclear) and moving small items (nuclear). Successful delivery of the A2I2 prototypes has paved the way for more complex future projects looking at move to more complex interventions, such as valve turning and decommissioning work. One of the main challenges was to be able to show that human interaction with the autonomous system would be intuitive to an appropriately qualified user and that there should be no surprises in the behaviour of the vessel.
Programme Success.... and Extension
The project commenced January 2019 and completed after a series of highly successful developments and trials in early 2021. The project was so successful, that a further 6 months were added to the project to extend demonstrations in off-shore with Rovco, NOC and D-RisQ involved.
2 Weeks for Safety Critical Code
The behaviour of the vehicle was adapted from the main A2I2 programme. Once this was agreed as a set of System Requirements Allocated to Software (SRATS), D-RisQ was able to turn round the development of the new software within 2 weeks. This was using Kapture for the software requirements, undertaking a manual review with Rovco, adjusting where necessary either the SRATS or the software requirements. We then undertook a design in Simulink and then verified that the design satisfied the software requirements. Code was automatically produced and some limited test/simulation was undertaken prior to delivery to Rovco for integration onto the vehicle. Some adjustments were subsequently required but the whole process took less than 2 weeks.
“It’s like skidding on glass”
The demonstration and further trials were conducted at the Offshore Renewable Energy Catapult facility at Blyth. While the software had been run through simulations, this was the first time that it had been integrated onto the vehicle. It was also the first time in-water tests were to be conducted for this version of the software. The software worked first time, exactly as expected. The vehicle had various sensors and, for these trials, a qualified Remotely Operated Vehicle driver. Every time he tried to make the vehicle collide with an obstacle, the vehicle ...or rather our software... refused and he commented that “It’s like skidding on glass” and “this would be great for training [operators as they simply could not collide with anything]”. The first set of trials and demonstrations were in the dock and then taken off-shore the following day, throughout all of which the software worked perfectly.
The actual C code was not verified formally as, at the time, we had not completed development of CLawZ which would automatically, formally verify the output of the autocoder. Similarly, we had not developed our automatic binary code formal verification tool, FEVER. Over the next few months, both of these tools will be developed and made available for use. In particular, they will be used on our 2 further subsea projects SEAMless and Demeter; more details on these projects and FEVER in 2023
The A2I2 consortium members gratefully acknowledge the support funding from Innovate UK without which this project would not be possible.