**Article 14**

**Design Decisions Regarding Human Oversight**

Pipeline Safety Guardian (PSG) has been developed to facilitate oversight by natural persons during operation through a streamlined user interface focusing on rapid alert delivery. The interface presents binary or categorical fault classification alerts derived from CNN and Random Forest ensemble outputs without integrated confidence scores, uncertainty quantification, or explanatory insights about model decision rationale. This design choice was motivated by the operational need for immediacy and clarity in field conditions, as indicated by user feedback during iterative field trials involving 45 pipeline operator teams over an 18-month period. These trials showed that complex probabilistic outputs or interpretability visualizations reduced responsiveness under routine monitoring scenarios. Consequently, the system prioritizes alert speed over interpretability aids, consistent with PSG’s emphasis on rapid anomaly detection in potentially hazardous pipeline environments.

While PSG integrates multiple sensor data streams—time-series pressure, flow readings, and environmental metadata captured at 100 Hz sampling rates—the interface does not explicitly communicate model limitations or failure modes. Internal validation has identified notable performance degradation under conditions of extreme pressure fluctuations (above ±15% nominal operational threshold sustained for >10 seconds) and elevated sensor noise mimicking electromagnetic interference or hardware faults. These conditions reduce the CNN fault classification accuracy from a baseline 94.7% F1-score (on a test corpus exceeding 300,000 labeled sensor-event sequences) to approximately 77.2%, as established by stress testing with simulated anomaly injections. Despite this documented variability, PSG conveys alerts invariantly as standard fault notifications without indicators of degraded confidence or warnings related to environmental conditions.

**Measures to Support Operational Awareness and Oversight**

PSG’s pre-market development included prototypical measures intended to support human oversight, such as internal dashboards exposing real-time sensor noise metrics and pressure stability indices. However, these were deprioritized from the final release due to complexity observed during operator usability assessments, where expert technicians expressed concern over cognitive overload and delayed reactions. Meridian Safety Systems concluded that current deployment contexts favored a minimalist alert-focused presentation, with additional system state information relegated to backend logs accessible only to technical maintenance teams. As such, PSG’s interface currently lacks human-machine interface tools designed explicitly to convey model uncertainty, environmental degradation factors, or possible error states to end users charged with direct supervision.

The system architecture supports override functionalities allowing operators to disregard or cancel alerts via manual input controls; however, this capacity is conditioned strictly on operator judgment without system-driven prompts or confidence advisories. No automated “stop” or safe-halt mechanisms integrated into the CNN fault classifier’s operations are exposed at the user interface level. Intervention capabilities focus primarily on system maintenance mode activation and sensor recalibration commands, accessible through secure supervisory modules separate from frontline alert views.

**Contextual Considerations and Limitations in Interpretability**

The complexity of PSG’s hybrid AI model—comprising convolutional layers optimized for spatial-temporal feature extraction, alongside ensemble Random Forest classifiers for anomaly synthesis—produces outputs not accompanied by standard interpretability layers such as saliency mapping or confidence interval tagging. The decision to omit these features was driven by the domain-specific constraints of real-time pipeline monitoring, where operator workflows emphasize binary objectivity and timely hazard mitigation over nuanced probabilistic insight. The lack of output interpretability and confidence metrics reflects a trade-off aligned with practical constraints but inherently limits the user’s ability to assess when outputs may be unreliable, particularly in scenarios involving rare or unmodeled environmental disturbances.

Recorded operational data indicate that during periods of sensor degradation or atypical pressure oscillations—phenomena outside the typical training data distribution—anomalous classifications occur with increased false positive/negative rates. These phenomena are tracked within system health logs but are not surfaced directly to users, creating a reliance on operator situational awareness independent of AI system advisories. No built-in alerts or visual cues currently signal increased uncertainty, automation bias risk, or model performance drift to end users during active monitoring.

**Provision of Processing Records and Data Handling**

Pipeline Safety Guardian collects and processes only non-personal operational data (pressure, flow, sensor status) and does not engage with special categories of personal data. Accordingly, no special category data processing records or justifications pursuant to Articles related to personal data protection (Regulations (EU) 2016/679 and (EU) 2018/1725) are applicable. Data processing activities are logged comprehensively for performance auditing and fault traceability, with records maintained according to Meridian Safety Systems’ standard industrial security protocols.

---

This documentation reflects the current design and operational characteristics of Pipeline Safety Guardian relevant to human oversight provisions, explicitly detailing interface constraints and decisions that affect operator awareness of model confidence, failure modes, and environment-dependent performance limitations.