Automated out of the loop and onto a shoal, Part II

Summarizing the situation presented in the last newsletter: on June 9, 1995, Royal Majesty with 1,500 aboard departed Bermuda for Boston. Her autopilot’s selected “position receiver†was the GPS, assumed to be backed up by Loran-C should the satellite signal be degraded or lost. In addition to GPS input, a pre-programmed “map†(desired track, waypoints, buoys, etc) was loaded into the ARPA. 

(For those who missed Part I, a caution. When reading summaries of the event, the term “GPS” is used in two contexts: first, the unit or “box” that transmits “position data” to other integrated navigation system components, whether or not satellite derived; and second, the satellite-determined position.)

During the 2000 to 2400 watch, the ARPA map (as well as the manually charted plot) indicated the vessel tracking in the Boston inbound TSS marked by buoys BA through BF. A mark consistent with BA’s anticipated position was detected by radar and subsequently visually passed (but not identified) and later BB was reported as “seen.†Red lights on the port bow and then white and blue water dead ahead were reported by the lookouts, but no action taken by the watch. Stranding followed shortly thereafter. Returning quickly to the bridge, the master increased the radar range scale to 12 miles, revealing the southeast Nantucket coast 10 miles to the northwest, putting the vessel’s position 17 miles west of her intended/programmed track.

The GPS unit had been designed to default to either a hybrid mode (providing Loran-C or Omega position data) or to a DR mode when satellite data was not available. During construction of the vessel, it was assumed that “the GPS would be backed up by a Loran-C system during periods of satellite signal loss.†The cruise line, however, had configured the GPS to default to the DR mode, but the system manufacturer “was not told.†The reason the autopilot didn’t detect that the data source had autonomously changed lay in the electronic pathway. The same mode identifier code was used for both satellite and DR information — an electronic master key of sorts that gained entry to the autopilot and ARPA map computations without revealing the identity of the data source (satellite vs. DR).

Immediately after the stranding, the master noted the discrepancy between the Loran coordinates and those from the GPS. Course fluctuations recorded by the bell-log isolated the problem to separation of the GPS antenna cable about an hour after the departure from Bermuda. Upon loss of satellite data, the GPS unit defaulted its output to the DR mode, thus DR — not satellite data — was the “position data†sent not only to the autopilot and the pre-programmed map ARPA display, but was also used for the manual paper plot — as it was presumed to be satellite derived since it was from the GPS unit.

In the event of GPS default, two small indicators on the GPS unit’s digital screen would occur (“DR†and “SOLâ€), each about one-sixth the size of, and squeezed in between, the lat/long data being projected on the screen; these notations would be accompanied by a one-second beep (“similar to that of a wrist-watchâ€). In addition, an electronic switch was provided to activate an aural/visual alarm — but was not connected.

Although Loran-C and GPS position data were simultaneously sent to the NC25 console, it was not designed to electronically compare or to display both simultaneously for visual comparison. Any observation/comparison would have to be done at the units themselves — behind a curtain in the chart room.

In regards to the position-fix alarm, the National Transportation Safety Board analysis noted that it was set to activate only when the position data provided the autopilot by the “GPS†and the DR position data generated by the autopilot itself differed by more than 200 meters. Recall that the same gyro/speed log data for generating a DR were being transmitted to both autopilot and GPS, and the comparison being made was between two identical “position messages†— in effect comparing one position with its maternal twin — no difference, no alarm. Essentially, the vessel DRd itself onto the shoal.

And what of the BA mark seen to pass down the port side at about 1920? Although a mark was initially detected on radar at about the bearing, range and time expected of BA, when it was seen passing abeam it was not identified due to late-day sun glare. By coincidence, another navigation mark, AR, 16 nm west southwest of BA was the mark seen. When the watch advised the master of its appearance on radar, the question of its identity confirmation as BA didn’t arise. At that point, the vessel would have been about 15 miles west southwest of where her ARPA “map†had her. Keep in mind that the autopilot was adjusting the course, not in reference to a satellite determined position but essentially to a DR — thus no compensation for set/drift. (Recall the 8-knot northeast wind for the previous 34 hours.) 

As for the 2000 to 2400 watch, little more need be said. Buoy BB twice reported to the master as seen, when it wasn’t; taking no action to identify the red lights or to the “green and white water sighted dead aheadâ€; taking no action to monitor, log and plot a Loran position. The watch officer testified that he relied on position data from the GPS, that he considered Loran to be a backup system and that it was not his practice to use it to verify GPS accuracy.

The NTSB report states that “according to the chief officer and the navigator, they periodically compared the GPS data with the Loran-C data during the voyage,†but it was neither logged nor plotted.

A comparison of the vessel’s position (GPS vs. Loran-C) would have depended on the viewer’s attention being drawn to the lat/long being displayed by the GPS and Loran-C units. When comparing the coordinates, although the latitude difference varied very slowly over the 34 hours (max about 5’), the longitude difference was changing significantly. Due to current and wind set, the longitude difference displayed by the GPS and the Loran-C units was steadily increasing, ultimately would have been 25’– approximately 17 miles at that latitude. 

The fathometer provided a continuous digital display capability at the NC25 console, available at the press of a button, and was equipped with a recorder that was “not on at the time of the accident,†and provided data to the “depth-below-keel†alarm that would sound when the ship entered water shallower than a pre-set depth. This had not been reset from 0 to 3 meters when leaving Bermuda, and thus would not be activated. 

The vessel’s draft was 29 feet 6 inches and the alarm would have sounded when the ship passed over Davis and Great Rip shoals. (Ironically, a plot shows that about 2040 she passed very close to where Argo Merchant had grounded and broken up on Fishing Rip Shoal 19 years before.)

The NTSB analysis concluded with a focus on automation to the virtual exclusion of basics when it determined that the probable cause of the grounding of Royal Majesty was the watch officers’ over-reliance on the automated features of the integrated bridge system, automation training, automation design deficiencies, lack of international automation standards, etc. Only tangentially was standard, basic navigation practice mentioned — a portion of one sentence noting “the second officer’s failure to take corrective action after several cues indicated that the vessel was off course.â€

Each individual unit functioned per design, but their critical interface mismatch was an inherent (some might say generic) failure of automation — that of sending an undetected error cascading downstream, magnifying its effect as it expands through multiple systems (the “butterfly effectâ€) and delaying corrective intervention until it is at best difficult, at worst impossible, to correct, since the human had been automated out of the loop under the guise of “efficiency†(aka economy).

It would seem that the overriding cause of the stranding was the failure to make use of all available information. Approaching landfall near “one of the more treacherous areas of North America†(U.S. Coast Pilot) with the radar on short scale (six miles); failure to monitor the fathometer; failure to log, plot and compare Loran positions as a standard procedure and relying on one source for position information when others were available. All of these have traditionally been routine, prudent navigational practice. Any one of them would have alerted the watch to “something’s wrong.â€

The points made in a 2001 paper by U.S. Air Force Maj. W.A. Olson illustrate the traps common to automated systems: “failure of the human operator to track, monitor or anticipate the actions of automated systems leading to unintended system behavior. … with the introduction of automated systems … (roles have) … changed from system controller to system supervisor…. these issues … not unique to the aviation domain but generalize to any system that incorporates highly powerful agent-like automated systems.â€

Has today’s mariner been automated out of the control loop? Writing in Professional Mariner (March 2009), U.S. Coast Guard Lt. Craig Allen Jr. suggests that “electronic sensors, satellite positioning and automated functions have all but removed the sailor from the process of collecting and plotting navigation information,†and he asks whether “a foundation in traditional navigation continues to have value despite the overwhelming momentum toward e-Nav.† 

Noting that over-reliance on GPS systems has become a leading cause of groundings, he concludes with the observation that only a solid foundation in the principles of navigation can provide the essential link between human judgment and technology.

With the mariner automated out of the loop, will “seaman’s eye†— instinct born of long experience — find itself displaced by presumed infallibility of authoritative screen displays — safety presumably assured by multiple alarms overseeing autonomously generated digitized orders? Along with the compass, lead line and sextant, will “verify†be (or has it been) relegated to navigation history, replaced by “agent-like automated systems†in the name of “efficiency†but in fact, economy?

About the Author:

Following graduation from the U.S. Naval Academy, Jim Austin served aboard both a destroyer and cruiser with duties that included navigator, assistant CIC (combat information center) officer and air intercept controller. He subsequently worked on the submarine launched ballistic missile program for the General Electric Co.’s Ordnance Division. He holds a U.S. Coast Guard master’s license and writes frequently on ship collisions as seen through the twin lenses of the navigation rules and maritime law. He’s a retired physician living in Burlington, Vt.

By Professional Mariner Staff