Incident: AI-Powered Autonomous Ship Encounters Mechanical Failure During Transatlantic Voyage

Published Date: 2021-09-24

Postmortem Analysis
Timeline 1. The software failure incident happened during the attempted transatlantic expedition of the crewless ocean vessel powered by artificial intelligence, which started in June [118613]. Therefore, the software failure incident likely occurred in June 2021.
System 1. Generator and exhaust system of the ship failed, leading to a mechanical issue during the attempted transatlantic expedition [118613]. 2. Metal piece on the generator fractured, causing reliance solely on solar power, which was insufficient for the rough seas and bad weather [118613].
Responsible Organization 1. ProMare [118613] 2. IBM [118613]
Impacted Organization 1. The Mayflower Autonomous Ship Project [118613] 2. ProMare, the nonprofit promoting marine research behind the project [118613]
Software Causes 1. The incident was caused by a leak in the ship's generator and exhaust system, which was a problem onboard software couldn't resolve [118613]. 2. The ship experienced a mechanical issue with its generator, specifically a metal piece on the generator fractured, leading to reliance solely on solar power, which was insufficient for the journey through rough seas and bad weather [118613].
Non-software Causes 1. Mechanical issue with the ship's generator and exhaust system, leading to a fracture in a metal piece and subsequent reliance solely on solar power [118613]. 2. Damage to the ship's generator caused by a leak in the ship's generator and exhaust system [118613].
Impacts 1. The software failure incident caused the crewless ocean vessel, powered by artificial intelligence, to suffer a minor mechanical issue three days into its voyage, leading to the ship reversing course [Article 118613]. 2. The incident resulted in the ship's average speed slowing down during the attempted transatlantic expedition, indicating mechanical damage to the generator, which was caused by a leak in the ship's generator and exhaust system that the onboard software couldn't resolve [Article 118613]. 3. The software failure incident forced the vessel to rely solely on solar power due to a fractured metal piece on the generator, which was not sufficient to complete the trip through rough seas and bad weather [Article 118613]. 4. Engineers had to replace the generator and redesign the metal part to prevent the problem from happening again, indicating the impact of the software failure on the vessel's systems [Article 118613]. 5. The setback highlighted the importance of thorough testing, with researchers acknowledging that they should have tested the vessel more before the transatlantic expedition, indicating a lesson learned from the software failure incident [Article 118613].
Preventions 1. Conducting more extensive and rigorous testing of the software before embarking on the transatlantic journey could have potentially prevented the software failure incident [118613]. 2. Implementing redundant systems or backup mechanisms in the software to ensure continued operation in case of mechanical issues or failures could have mitigated the impact of the incident [118613]. 3. Enhancing the software's ability to detect and proactively address potential mechanical issues or anomalies in real-time could have helped prevent the generator damage that occurred during the voyage [118613].
Fixes 1. Researchers pushed out a software update to fix the software failure incident on the autonomous ship powered by IBM's AI software [118613]. 2. Engineers replaced the generator and redesigned the metal part to prevent the problem from happening again, addressing the software failure incident [118613].
References 1. ProMare [118613] 2. Brett Phaneuf, co-director of the Mayflower Autonomous Ship Project [118613] 3. Richard Jenkins, CEO of Saildrone [118613] 4. IBM [118613]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization (a) The software failure incident happened again at one_organization: The Mayflower autonomous ship, powered by IBM's AI software, experienced a software failure incident during its attempted transatlantic voyage. The incident involved a mechanical issue with the ship's generator and exhaust system, which led to a decrease in speed and reliance solely on solar power, causing the ship to be unable to complete the journey [118613]. (b) The software failure incident happened again at multiple_organization: There is no information in the provided article indicating that a similar software failure incident has occurred at other organizations or with their products and services.
Phase (Design/Operation) design, operation (a) The software failure incident related to the design phase can be seen in the article where it mentions that during the attempted transatlantic expedition, the ship's average speed began to slow, leading researchers to think that its generator had mechanical damage. They spent four months addressing the damage, eventually discovering the issue was caused by a leak in the ship’s generator and exhaust system, a problem onboard software couldn’t resolve [118613]. (b) The software failure incident related to the operation phase can be observed in the article where it describes that something caused a metal piece on the generator to fracture, forcing the vessel to rely solely on solar power, which wasn’t enough to complete the trip through rough seas and bad weather. Engineers replaced the generator and redesigned the metal part to prevent the problem from happening again, indicating an operational issue that affected the software's ability to manage the power supply effectively [118613].
Boundary (Internal/External) within_system (a) within_system: The software failure incident related to the Mayflower autonomous ship was primarily within the system. The incident involved a mechanical issue with the ship's generator and exhaust system, leading to a decrease in speed during the transatlantic expedition. The issue was caused by a leak in the ship's generator and exhaust system, which the onboard software couldn't resolve. Engineers had to address the mechanical damage and replace the generator to prevent the problem from happening again [118613].
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident in the article was primarily due to non-human actions. The autonomous ship powered by IBM's AI software experienced a mechanical issue during its voyage, leading to the need for a software update to reverse course [118613]. The incident was caused by a leak in the ship's generator and exhaust system, which was a problem onboard software couldn't resolve. Engineers had to replace the generator and redesign a metal part to prevent the issue from happening again [118613]. (b) Human actions also played a role in the software failure incident. The setback taught researchers the importance of testing more thoroughly, indicating that more extensive sea trials should have been conducted before the transatlantic expedition [118613]. Additionally, the ship's downtime was used to upgrade some edge computing devices to increase onboard processing power, which was a decision made by the project team [118613].
Dimension (Hardware/Software) hardware, software (a) The software failure incident related to hardware: The software failure incident in the article was attributed to a mechanical issue with the ship's generator and exhaust system, which caused a metal piece on the generator to fracture. This hardware issue led to the vessel having to rely solely on solar power, which was insufficient for the rough seas and bad weather encountered during the voyage [118613]. (b) The software failure incident related to software: While the article primarily focuses on hardware issues, it does mention that the ship's onboard software was unable to resolve the mechanical damage caused by the leak in the ship's generator and exhaust system. The incident summary obtained by The Washington Post indicated that the onboard software couldn't address the issue, leading to the vessel's reliance on solar power [118613].
Objective (Malicious/Non-malicious) non-malicious (a) The articles do not mention any malicious intent or actions contributing to the software failure incident. It was primarily a non-malicious failure caused by mechanical issues, specifically a leak in the ship's generator and exhaust system, which the onboard software couldn't resolve [118613]. The incident led to the ship relying solely on solar power, which was not sufficient to complete the voyage through rough seas and bad weather. Engineers had to replace the generator and redesign the metal part to prevent the issue from happening again. The setback was attributed to the need for more testing and sea trials to ensure the ship's readiness for future expeditions.
Intent (Poor/Accidental Decisions) accidental_decisions (a) The software failure incident related to the Mayflower autonomous ship project was not primarily due to poor decisions but rather due to technical issues and unforeseen circumstances. The incident was described as a "minor mechanical issue" that led to the ship having to reverse course [118613]. The issue was related to a leak in the ship's generator and exhaust system, which caused mechanical damage and slowed down the ship's average speed during its transatlantic expedition. Engineers later discovered that a metal piece on the generator had fractured, leading to the vessel relying solely on solar power, which was insufficient for the rough seas and bad weather [118613]. (b) The software failure incident was more aligned with accidental decisions or unintended consequences rather than poor decisions. The setback was attributed to technical issues such as a leak in the generator and a fractured metal piece, which were not a result of deliberate poor decisions but rather unforeseen problems that arose during the voyage [118613]. The incident highlighted the importance of thorough testing and continuous improvement in the development and deployment of autonomous vessels like the Mayflower.
Capability (Incompetence/Accidental) accidental (a) The software failure incident in the article was not primarily attributed to development incompetence. The setback experienced by the autonomous ship during its attempted transatlantic voyage was mainly due to mechanical issues, such as a leak in the ship's generator and exhaust system, which the onboard software couldn't resolve [118613]. (b) The software failure incident in the article was more aligned with an accidental failure. The incident was caused by a fracture in a metal piece on the ship's generator, leading to reliance solely on solar power, which was insufficient to complete the journey through rough seas and bad weather. Engineers replaced the generator and redesigned the metal part to prevent a recurrence of the issue, indicating an accidental failure rather than one due to incompetence [118613].
Duration temporary The software failure incident related to the Mayflower autonomous ship project was temporary. The incident occurred three days into the voyage when the ship experienced a minor mechanical issue, leading to the need for a software update to reverse course [118613]. The issue was related to a leak in the ship's generator and exhaust system, which caused mechanical damage to the generator. The onboard software was unable to resolve this issue, leading to the ship relying solely on solar power, which was not sufficient for the rough seas and bad weather conditions [118613]. Engineers were able to address the problem by replacing the generator and redesigning the metal part to prevent a recurrence of the issue. This incident highlights a temporary software failure that was resolved through hardware modifications and updates.
Behaviour other (a) crash: The software failure incident in the article did not involve a crash where the system lost state and did not perform any of its intended functions. The incident was related to a mechanical issue with the autonomous ship, specifically a leak in the ship's generator and exhaust system that caused a slowdown in speed during the transatlantic expedition [118613]. (b) omission: The software failure incident did not involve the system omitting to perform its intended functions at an instance(s). The issue was more related to a mechanical problem with the ship's generator and exhaust system, which led to a decrease in speed during the voyage [118613]. (c) timing: The software failure incident was not due to the system performing its intended functions correctly but too late or too early. The incident was more focused on a mechanical issue with the ship's generator and exhaust system that affected its speed during the transatlantic journey [118613]. (d) value: The software failure incident did not involve the system performing its intended functions incorrectly. The issue was related to a mechanical problem with the ship's generator and exhaust system, which led to a decrease in speed during the voyage [118613]. (e) byzantine: The software failure incident did not involve the system behaving erroneously with inconsistent responses and interactions. The incident was more related to a mechanical issue with the ship's generator and exhaust system that impacted its performance during the transatlantic expedition [118613]. (f) other: The software failure incident was primarily attributed to a mechanical issue with the ship's generator and exhaust system, specifically a leak that caused a slowdown in speed during the transatlantic journey. The incident highlighted the importance of thorough testing and the challenges of operating an autonomous vessel in challenging ocean conditions [118613].

IoT System Layer

Layer Option Rationale
Perception actuator, processing_unit, embedded_software (a) Sensor: The Mayflower vessel has six AI cameras and dozens of other sensors to spot and avoid potential hazards, such as wildlife or other boats. Its captain software was built to make decisions based on an obstacle’s size, direction, weather, and available power supply [118613]. (b) Actuator: The vessel uses solar panels to draw energy from the sun, and an onboard generator kicks in automatically when necessary under cloudy conditions. However, something caused a metal piece on the generator to fracture, forcing the vessel to rely solely on solar power, which wasn't enough to complete the trip through rough seas and bad weather. Engineers replaced the generator and redesigned the metal part to prevent the problem from happening again [118613]. (c) Processing Unit: During the attempted transatlantic expedition, the ship's average speed began to slow, leading researchers to think that its generator had mechanical damage. They spent four months addressing the damage, eventually discovering the issue was caused by a leak in the ship's generator and exhaust system, a problem onboard software couldn't resolve [118613]. (d) Network Communication: No specific information related to network communication errors was mentioned in the provided article. (e) Embedded Software: The incident summary obtained by The Washington Post mentioned that the ship's generator had mechanical damage due to a leak in the ship's generator and exhaust system, which was a problem onboard software couldn't resolve. Engineers replaced the generator and redesigned the metal part to prevent the problem from happening again [118613].
Communication unknown The software failure incident related to the communication layer of the cyber-physical system that failed was not explicitly mentioned in the provided article. Therefore, it is unknown whether the failure was at the link_level or connectivity_level.
Application FALSE The software failure incident related to the Mayflower autonomous ship project was not specifically attributed to the application layer of the cyber-physical system. The incident was primarily described as a mechanical issue with the ship's generator and exhaust system, leading to a decrease in speed during the transatlantic expedition. The issue was caused by a leak in the ship's generator and exhaust system, which the onboard software couldn't resolve. Engineers had to replace the generator and redesign a metal part to prevent a recurrence of the problem [118613]. Therefore, the failure was not directly related to the application layer as defined in the question.

Other Details

Category Option Rationale
Consequence delay, non-human, theoretical_consequence The consequence of the software failure incident was primarily related to delays in the project and the impact on the autonomous ship's operations. The software failure incident led to setbacks in the Mayflower Autonomous Ship Project, causing the ship to reverse course and return to shore for repairs and updates [118613]. The incident resulted in a delay in the ship's transatlantic expedition, as researchers had to spend four months addressing the mechanical damage to the ship's generator and exhaust system caused by a leak, which the onboard software couldn't resolve [118613]. Additionally, the setback prompted researchers to realize the importance of more extensive testing before embarking on such expeditions [118613]. The delay in the project's progress and the need for additional testing were the primary consequences of the software failure incident.
Domain information, transportation, knowledge, other (a) The failed system was intended to support the industry of information, specifically in the field of marine research and oceanography. The autonomous ship powered by IBM's AI software was designed to collect data about the ocean without the need for humans onboard, aiming to advance autonomous transportation at sea [Article 118613]. (i) The system was also related to the industry of knowledge as it was part of the Mayflower Autonomous Ship Project, which aimed to conduct marine research and gather data about the ocean using AI technology [Article 118613]. (m) Additionally, the system could be categorized under the "other" industry as it was a unique project involving the development of an autonomous vessel for research purposes, not fitting directly into the traditional industry categories mentioned [Article 118613].

Sources

Back to List