Sentinel_Cab — Business Process Review

The operational gaps we’re closing

Two distinct gaps in the current logsheet workflow drive this build — one is about identity and evidence, the other is about admin time burden. Both come from the same root cause: the current workflow is paper-based at origin and only becomes digital after a manual transcription step that costs time and loses fidelity.

Gap 1 — Identity and evidence

The current logsheet workflow — inherited from the legacy HALO system — produces a complete record of what happened during each shift (operating, loading, dumping, delays, downtime) with start times, end times, codes, and durations. What it does not produce, despite having two columns reserved for exactly this purpose, is any evidence of who performed each activity. The Verified By and Verified At fields exist in every row but are populated in none of them.

This creates a series of operational problems that supervisors and PJOs/GMs experience daily but cannot easily fix within the existing workflow:

Shift-attribution disputes. When fuel usage, mechanical damage, or productivity outliers are traced back to a specific shift, the driver named in the logsheet can credibly deny they were the one operating the truck during that shift. No evidence supports either side.
Handover ambiguity. When two drivers swap on the same truck mid-shift, neither the system nor the supervisor can prove who was responsible for which portion of the timeline. Coaching becomes guesswork.
Breakdown-reassignment record gaps. When a truck breaks down and a driver moves to a different truck, the connection between the two shift records is informal — reconstructed after the fact from memory, radio chatter, or whoever happened to write it down.
Pre-existing-fault deniability. When a fault is discovered during operation, the driver can credibly claim the warning was already on when they started. Without a shift-start record, the prior-shift driver bears the assumption.
Audit and compliance weakness. The logsheet exists but cannot satisfy any audit that asks “prove this person did this work at this time on this asset.” The narrative is there; the evidence is not.

Gap 2 — Admin time burden from paper-to-system transcription

Today’s logsheet workflow is paper-based at origin. Drivers fill out the logsheet by hand during the shift; at the end of the operational day, those paper sheets move to the site admin, who has to manually type every row into the reporting system. Current estimate: 3–5 hours per admin per day are spent on this transcription step alone. That is 3–5 hours of professional time spent moving data from one format to another, with no value added in the process and several risks of fidelity loss along the way:

Direct labour cost. 3–5 hours daily, across the operational year, per site — a meaningful share of the site admin’s working day spent on a mechanical, non-judgement task.
Transcription errors. Times, codes, truck IDs, and driver names get mis-keyed; handwriting on the paper logsheet is sometimes ambiguous; the reporting system gets data that does not exactly match what the driver wrote.
Reporting lag. The reporting system is always at least a day behind reality, because transcription only happens after the shift closes. Supervisors who want to know what happened during the current shift cannot use the reporting system to find out.
No realistic path to faster reporting. The bottleneck is human typing speed; throwing more admin hours at the problem does not scale, and asking drivers to type the logsheets themselves on a PC at the end of shift creates its own friction.
Admin attention diverted from higher-value work. Driver records, code maintenance, exception follow-up, site coordination — all the things the admin should be doing instead of typing — get squeezed.

Sentinel_Cab v1 closes both gaps with a single intervention: the logsheet is digital at origin. Drivers tap on the tablet during their shift instead of writing on paper; the data flows directly to the backend; the admin’s 3–5 hour transcription step collapses to a few minutes of exporting an already-prepared CSV that matches the existing reporting system’s expected shape (per SCP-7). The admin’s time is freed up for the higher-value work that Sentinel_Cab also requires (driver enrollment, code-library maintenance, configuration), and the reporting system gains access to within-shift data instead of next-day-only data.

Every shift also produces a PIN entry, a selfie photo of the driver, a timestamped dashboard photo with odometer and fuel readings, a five-item walkaround result, and a continuous activity timeline with geofence-tagged locations — closing the identity / evidence gap at the same time. The system does not interpret this evidence in v1; it captures and stores it, makes it visible to supervisors on demand, and exports it in a CSV shape compatible with the existing reporting pipeline.

Important to understand: v1 is deliberately a digitisation layer, not an intelligence layer. There is no automated face matching, no automated cross-checking against truck sensors, no scoring of operator performance. Those features are planned for later releases on top of the same captured evidence. v1’s value proposition is that the evidence exists, is reliable, and is accessible — and that the manual transcription step that consumes 3–5 admin-hours per day disappears entirely.

Who’s involved and what they own

Sentinel_Cab introduces no new permanent roles. Four existing roles plus the system itself participate in the v1 processes. Each role’s scope of authority is bounded by what they can already do within current site operations — the system does not grant or require new permissions outside of what the role already exercises.

Role	What they do in Sentinel_Cab	Time commitment (estimated)
Driver	Authenticates at shift start (PIN + selfie), completes shift-start checks, logs activities throughout the shift, ends the shift cleanly. Handles continuation events (handover, breakdown) per defined sub-processes.	~2 minutes at shift start, ~1 minute at shift end, brief taps during the shift to change activity. Roughly the same total interaction time as the current paper logsheet.
Supervisor	Reviews the exception inbox, performs manual identity verification on disputed shifts, unlocks PIN-locked drivers, resets PINs, exports daily logsheets. Owns the process performance for their site.	~15–30 minutes per shift dedicated to exception review at the start; expected to drop to ~10 minutes per shift once the team settles into the workflow.
Admin	Enrolls new drivers (initial baseline photos + initial PIN), maintains the activity-code library for the site, manages truck assignments, configures geofence zones. One person per site, can be shared with another responsibility.	~1–2 hours per new driver onboarded. Ongoing maintenance is minimal once the site is established.
PJO/GM / Site Manager	Reviews weekly process-performance metrics, signs off on exception trends, escalates unresolved disputes, approves changes to site-scoped configuration (new activity codes, zone changes).	~1 hour per week reviewing rollups. Same cadence as existing operational reviews.
System	The Sentinel_Cab software itself — the tablet app, the backend service, the supervisor dashboard. Listed here so process flows are unambiguous about which steps are automated and which require a human.	n/a

Driver Driver tap or action on the in-cab tablet

Supervisor Supervisor action via dashboard

Admin Admin action during onboarding or configuration

System Automated by Sentinel_Cab itself

Process catalogue

Seven processes cover the full v1 operational scope. Four are driver-facing and run during shifts; three are supervisor / admin-facing and run on a different cadence. Each process is detailed in the next section.

ID	Process name	Owner	Triggered by	Frequency
SCP-1	Driver Enrollment	Admin	New driver hired, or existing driver gains Sentinel_Cab access	One-time per driver; ~1–5 per month at steady state
SCP-2	Standard Shift Start	Driver	Driver arrives at assigned truck for scheduled shift	~70 per shift across the fleet; the most common process
SCP-3	In-Shift Activity Logging	Driver	Operational state change during a shift (start loading, finish dumping, etc.)	~70–120 events per driver per shift
SCP-4	Shift End & Continuation Events	Driver	Driver completes shift, hands over to another driver, or truck breaks down mid-shift	~70 normal ends + variable continuation events per shift
SCP-5	Exception Resolution	Supervisor	System flags an event requiring human review (off-zone activity, missing photo, PIN lockout, etc.)	Expected ~5% of shifts will surface at least one exception
SCP-6	Manual Identity Verification	Supervisor	Dispute raised about who performed a shift, or supervisor decides to spot-check	Ad-hoc; expected to be infrequent in normal operation
SCP-7	Daily Reporting & Logsheet Export	Supervisor	End of operational day or week	Daily (CSV export); weekly (KPI rollup)

Each process in detail

SCP-1

Driver Enrollment

One-time per driver

Trigger: HR confirms a new driver is joining the site, or an existing driver needs Sentinel_Cab access for the first time.
Actors: Admin (primary), Driver (present for photo capture)
Inputs: Driver’s HR record (full name, employee ID, license number), driver physically available, controlled-light photo capture location at the admin desk or office
Outputs: Active driver record in Sentinel_Cab, 3–5 baseline selfie photos stored, initial 4-digit PIN issued to driver, truck-assignment pool populated (primary truck plus 1–2 backups)

AdminReceives onboarding request and the driver’s HR record from the site supervisor or HR officer.
AdminOpens the Sentinel_Cab admin dashboard and creates a new driver record (full name, employee ID, license number, site assignment).
SystemGenerates an initial 4-digit PIN automatically. Writes the new driver to the active roster.
AdminUses the dashboard’s photo-capture flow to take 3–5 baseline selfies of the driver — good light, neutral facial expression, no sunglasses or hard hat, slight head-angle variation across the set.
SystemStores baseline photos in Cloudflare R2 (Singapore region), linked to the driver record. Photos are not used by any automated process in v1; they are reference evidence for manual review and future face-matching in v1.5.
AdminAssigns the driver to a truck pool (primary truck + 1–2 backup trucks). Records the assignment effective date.
AdminHands the initial PIN to the driver in person or via the site’s standard secure-handoff procedure. Records the handoff in the driver record.
DriverTests the PIN at their next assigned shift using the standard SCP-2 flow. If desired, changes the PIN to a memorable value from the in-app PIN-change screen.

SCP-2

Standard Shift Start

~70 per shift, the most common process

Trigger: Driver arrives at the assigned truck at the start of their scheduled shift.
Actors: Driver (primary), System
Inputs: Driver’s 4-digit PIN, working tablet in the cab, driver visible to front camera, dashboard cluster visible to rear camera
Outputs: Open shift record, captured shift-start selfie, dashboard photo with odometer and fuel-percentage readings, five-item walkaround result, shift status of either “active” or “flagged”

DriverClimbs into the cab. Wakes the tablet from its kiosk-locked idle state.
SystemPresents the PIN entry keypad with the assigned truck’s name visible at the top of the screen.
DriverEnters 4-digit PIN.
SystemValidates PIN against the locally cached bcrypt hash. On success, advances to selfie capture. On failure, prompts retry (5 wrong attempts in 10 minutes triggers PIN lockout → SCP-5 exception).
SystemActivates front camera with a preview window. Driver sees themselves on the tablet screen.
DriverHolds the tablet at face level, holds still for about one second. Selfie is captured automatically when the driver’s face is detected in frame.
SystemStores the selfie in the local event queue, attached to the new shift record. Photo will sync to backend storage when connectivity is available. No automated face matching runs in v1.
DriverProceeds to the dashboard-photo step: rear camera fires, driver photographs the dashboard cluster showing both odometer and fuel gauge.
DriverTypes two values under the photo preview: odometer reading (km) and fuel level (%).
DriverCompletes the five-item walkaround check: cabin, engine, tyres, vessel, walkaround. Each item is a Pass or Fail tap.
SystemSets shift status to “active” if all required steps completed successfully. Any walkaround Fail triggers a supervisor alert (SCP-5) but does not block the shift from activating.

SCP-3

In-Shift Activity Logging

~70–120 events per driver per shift

Trigger: Operational state change during the shift. Driver judges that what they are doing now is a different activity from what they were just doing.
Actors: Driver (primary), System
Inputs: Driver’s awareness of the current operational state, geofence position (auto-detected from tablet GPS)
Outputs: Closed previous activity event (with end time), new activity event open (with start time, status, optional code, optional sub-zone)

DriverRecognises that the current activity has changed (e.g. just finished loading, now starting transit).
DriverTaps the activity-change button on the tablet.
SystemPresents the six-status picker: OPERATE, DELAY, LOADING, DUMPING, IDLE, DOWN.
DriverSelects the new status. If the status requires a code (DELAY, DOWN, IDLE, OPERATE), the code-picker bottom-sheet appears.
DriverPicks the code from the searchable list (Bahasa-first labels). For LOADING and DUMPING, the location dropdown appears instead (ROM Ulin, ROM Meranti, HOPPER, etc.) populated from site geofence zones.
DriverConfirms.
SystemCloses the previous activity event with an end-time of now. Opens a new event with the selected status, code, location, and current geofence position.
SystemApproximately 1 shift in 7, after a random period of activity, prompts the driver for a brief in-shift selfie. Driver takes it, photo is stored, no automated matching runs. Same evidence-capture-only behavior as SCP-2.

SCP-4

Shift End & Continuation Events

Normal end, handover, or breakdown

Trigger: Driver completes their shift, hands the truck to another driver mid-shift, or experiences a truck breakdown mid-shift.
Actors: Driver (outgoing); also Driver (incoming) in the handover variant
Inputs: Reason for ending shift; in handover variant, the incoming driver present at the truck; in breakdown variant, the driver’s availability for reassignment
Outputs: Closed shift record with end reason; in continuation variants, a new shift record linked to the previous one

Variant A — Normal shift end

DriverTaps “End Shift” on the tablet.
SystemPresents the end-reason picker: Normal end / Truck breakdown / Handover / Other.
DriverSelects “Normal end” and confirms.
SystemCloses the current activity event, closes the shift record with end-reason “normal,” releases the truck back to the unassigned pool. Tablet returns to idle / lock screen.

Variant B — Handover to another driver on the same truck

Driver (outgoing)Taps “End Shift,” selects “Handover” as the reason.
SystemCloses the outgoing shift, opens a 90-minute continuation window on the truck. The truck enters “awaiting handover” state.
Driver (incoming)Climbs into the cab. Wakes the tablet, which shows the “awaiting handover” state for this truck.
Driver (incoming)Completes the full SCP-2 flow: PIN, selfie, dashboard photo, walkaround.
SystemCreates a new shift record linked to the outgoing shift via “continuation_of_truck_shift_id.” Truck activity timeline continues uninterrupted from the supervisor’s view.

Variant C — Breakdown reassignment to a different truck

DriverTaps “End Shift,” selects “Truck breakdown” as the reason. Optionally adds free-text notes describing the fault.
SystemCloses the shift with end-reason “truck_breakdown.” Opens a 60-minute reassignment window for this driver.
DriverReports to the dispatcher / supervisor per existing site procedure to be reassigned to a replacement truck.
DriverWithin 60 minutes, climbs into the assigned replacement truck and completes the full SCP-2 flow on the new truck.
SystemCreates a new shift record linked via “continuation_of_shift_id” with continuation reason “breakdown.” The 24-hour-shift-uniqueness rule waives for this continuation; the driver is not blocked from opening a second shift in the same day.

SCP-5

Exception Resolution

Supervisor process, ad-hoc

Trigger: System generates an exception event requiring human review. Common types: shift activity outside expected geofence; missing selfie or photo capture; PIN lockout requiring unlock; walkaround item Fail; continuation window expired; missing shift end; multiple active shifts per driver.
Actors: Supervisor (primary), System; occasionally Driver (for clarification) and PJO/GM (for escalation)
Inputs: The exception event with associated context (driver, truck, time, location, related activity, captured evidence)
Outputs: Resolved exception with action taken, supervisor identity, timestamp, and resolution notes

SystemDetects a condition that matches one of the defined exception rules. Creates an exception record with full context (related shift, driver, truck, time, location, evidence references). Routes it to the appropriate supervisor’s inbox based on site assignment.
SupervisorSees the new exception in the inbox during normal dashboard review (live notification optional). Reviews the context, including any captured photos, the activity timeline before and after the event, and the driver’s recent history.
SupervisorDecides resolution action:
• Dismiss (false positive, no action needed)
• Acknowledge (real but acceptable, no action needed)
• Coach (real, requires conversation with driver, logged for follow-up)
• Escalate to PJO/GM (requires authority above supervisor level)
• Mark for re-training (recurring pattern, needs structured intervention)
SupervisorRecords the resolution with notes in the dashboard. Closes the exception record.
SystemCloses the exception, timestamps the resolution, attaches the supervisor’s identity. If escalated, routes to the PJO/GM’s inbox.

SCP-6

Manual Identity Verification

v1-specific; evolves in v1.5

Trigger: A dispute is raised about who actually performed a specific shift, or the supervisor decides to spot-check a shift (random audit, or pattern-based suspicion).
Actors: Supervisor (primary); occasionally PJO/GM (for final adjudication on a contested verification)
Inputs: The shift record in question; its associated shift-start selfie; the driver’s enrolled baseline photos
Outputs: Verification status on the shift: verified / disputed / unclear, with supervisor identity and notes

SupervisorOpens the disputed or selected shift in the dashboard.
SystemDisplays the shift-start selfie side-by-side with the driver’s enrolled baseline photos. Also shows shift metadata (start time, truck, location, in-shift selfie if any).
SupervisorMakes a visual comparison. Considers: do the faces match? Is the shift-start selfie clear enough to be sure? Are there other contextual signals (same person in in-shift selfie, expected truck, expected time)?
SupervisorRecords verification status with notes:
• Verified — same person, confident
• Disputed — not the same person, evidence is clear
• Unclear — cannot be sure either way, escalates
SystemAttaches the verification status, supervisor identity, and timestamp to the shift record. The verification becomes part of the shift’s permanent audit trail.
SupervisorIf status is Disputed or Unclear, follows up per site disciplinary or HR process — outside Sentinel_Cab scope.

SCP-7

Daily Reporting & Logsheet Export

Daily and weekly cadence

Trigger: End of operational day (for daily logsheet) or end of week (for KPI rollup).
Actors: Supervisor (primary), System; downstream consumers of the CSV in the existing reporting pipeline
Inputs: All shift records, activity events, exceptions, and verifications from the reporting period
Outputs: Daily CSV in HALO-compatible column shape (with Verified By and Verified At now populated); weekly KPI summary view in the dashboard

SupervisorOpens the dashboard’s export view at the end of the operational day.
SupervisorSelects the date range (defaults to the last 24 hours) and the truck or site scope.
SystemGenerates a CSV with the same column shape supervisors are used to from HALO: Status, Description, Operator, Company, Truck, Start Time, End Time, Duration, Code, Verified By, Verified At. The Verified By and Verified At columns now contain the PIN-entry method and the timestamp from the shift-start authentication.
SupervisorDownloads the CSV. Feeds it into the existing downstream pipeline (KPI rollup, compliance report, payroll feed, whatever the site uses today).
SystemGenerates a dashboard summary view alongside the export: counts per status, exception count, exception resolution rate, average shift duration, identity-verification rate. Available for the day, the week, or any custom range.

Where the control points sit

Every control point in v1 produces immutable evidence at the moment it fires. The full set, listed by where they appear in the day-to-day flow:

At enrollment (SCP-1): baseline photo set must contain at least 3 acceptable photos; admin identity captured for every action; PIN handoff procedure follows site standard.
At shift start (SCP-2): PIN entry validated against hashed credential; selfie capture cannot be skipped; dashboard photo + odometer + fuel readings cannot be skipped; walkaround items cannot be skipped; PIN lockout after 5 failed attempts.
During the shift (SCP-3): activity events tagged with current geofence position; out-of-zone activity flagged for review without blocking work; random in-shift selfie captured roughly 1 shift in 7.
At shift end (SCP-4): end-reason picked from controlled list; continuation windows enforced server-side; continuation links are immutable once created.
In supervisor review (SCP-5, SCP-6): every action carries the supervisor’s identity and timestamp; resolutions are immutable; corrections create new events referencing the original.
In reporting (SCP-7): CSV format locked by default; export operations logged with identity and timestamp; data scope respects role permissions.

For audit purposes, every action that could be relevant in a future dispute — a shift starting, a driver authenticating, a photo captured, an activity logged, an exception resolved, a verification recorded — produces a record that names who did it, when, and against what. None of these records can be deleted or modified once written; the only way to correct an error is to add a new record that supersedes the original, with the supervisor’s reasoning in writing.

What changes for existing roles

The goal is for Sentinel_Cab to feel like a digitisation of existing operational reality, not the imposition of new responsibilities. The realistic deltas for each role:

Drivers

Replaces the existing manual logsheet entries with tablet taps. Equivalent total interaction time.
New: a 4-digit PIN to remember and a brief selfie at the start of each shift.
New: a dashboard photo + odometer / fuel entry at shift start (replaces verbal handover for these readings).
Same: the walkaround check itself — cabin, engine, tyres, vessel, walkaround — is unchanged in substance; only the recording method differs.
Same: all operational actions (driving, loading, queueing, etc.) are unchanged. The tablet logs what the driver is doing; it does not direct or restrict it.

Supervisors

New: exception inbox review (~10–30 minutes per shift, dropping as the team settles in).
New: PIN unlock and reset (rare, ~once per supervisor per week expected).
New: manual identity verification on disputed shifts (ad-hoc, rare in normal operation).
Replaces: paper logsheet review — the digital dashboard surfaces the same information in a more navigable form.
Replaces: manual identity confirmation — was previously asking the driver or relying on radio chatter; now reviewing stored evidence.

Admin (per site)

Eliminates: 3–5 hours per day of paper-to-system logsheet transcription. This is the single largest time impact of Sentinel_Cab on any existing role. The admin no longer types driver activity into the reporting system manually; the daily CSV export (SCP-7) takes a few minutes and feeds the same downstream pipeline.
New: driver enrollment ceremony (SCP-1) for each new driver — ~1–2 hours per driver, but only for new hires, not daily.
New: activity-code library maintenance for the site — expected to be infrequent after initial setup.
New: truck assignment management — updates as fleet changes.
Replaces: any existing driver-record administration that lived in spreadsheets or paper files.
Net effect: a meaningful reduction in daily admin workload, with the freed-up time available for higher-value coordination and follow-up work.

PJO/GM / Site Manager

New: weekly review of process-performance metrics (exception rate, verification rate, average shift duration trend).
New: adjudication on escalated identity disputes.
New: approval for changes to site-scoped configuration (new activity codes, zone changes, supervisor account changes).
Same: overall accountability for operational performance is unchanged; the data available to support that accountability is richer.

What I need the BP team to validate

These are the process-level assumptions baked into the v1 design that I want the Business Process team and the PJOs/GMs to push back on before we lock the build. Anything that is wrong here will create operational friction at the pilot.

Roles Is the role assignment correct?
Each process is owned by either Driver, Supervisor, Admin, or PJO/GM. Are those the right ownership lines for our sites? Is there a role I’m missing — HSE, dispatcher, foreman — that should be in the loop on any of these processes? Specifically curious about SCP-5 (exception resolution) and SCP-6 (identity verification) — is the supervisor the right owner, or should some categories of exception go directly to PJO/GM?
Enrollment SCP-1 in practice.
The estimated 1–2 hours per new driver for enrollment assumes the admin has time and a controlled photo-capture environment. Is that realistic? Should we be enrolling in batches (e.g. all new hires together) rather than one at a time? Who at each site has the bandwidth to be the enrollment admin?
Handover The 90-minute handover window.
SCP-4 Variant B gives the truck a 90-minute window for an incoming driver to take over after the outgoing one taps out. Is 90 minutes the right number? Too long and the truck is “in limbo” for too long; too short and a real handover that gets delayed by a few minutes triggers a false exception.
Breakdown The 60-minute breakdown reassignment window.
SCP-4 Variant C gives the driver 60 minutes to start a new shift on a different truck after a breakdown. In reality, how long does it usually take between a truck going down and a driver being assigned to a replacement? If it’s typically longer than 60 minutes, the window needs to expand; if it’s usually faster, we can tighten it.
Exception load SCP-5 review capacity.
Estimating ~10–30 minutes per shift for exception review. Is the supervisor going to have that time, given everything else they do during a shift? If not, do we need to triage exceptions into “must review during shift” vs “can wait for end-of-shift review”?
SLA Exception resolution SLA.
The proposed SLA is p50 ≤ 4 hours, auto-escalate to PJO/GM after 24h unresolved. Is that the right target? Some exceptions are urgent (e.g. truck moving without an active shift suggests theft or unauthorised use); others can wait days (e.g. walkaround Pass that should have been Fail). Should the SLA be per-exception-type rather than universal?
Reporting Who actually reads the daily CSV.
SCP-7 assumes the existing reporting pipeline consumes the HALO-shape CSV. Who downstream actually uses it today — KPI rollup, compliance report, payroll, the customer? If we know who the real consumers are, we can confirm the column shape is right and surface any format requirements we don’t know about.
Admin time The 3–5 hour admin transcription estimate.
The current estimate is 3–5 hours per admin per day spent typing paper logsheets into the reporting system. Is that the right number at each site, or does it vary significantly between BEK, TIS, and TCM? Is anything bundled into that number that won’t actually be eliminated by Sentinel_Cab (e.g. summary reports, payroll calculations, manual approvals)? Getting this number right matters for the business case and for setting realistic expectations with the admin team about what their day looks like after the pilot.
Disputes What happens after SCP-6 finds a real dispute.
Sentinel_Cab’s scope ends when the verification status is recorded. The HR / disciplinary follow-up is outside the system. Is there a clear, existing site process for handling a confirmed identity dispute, or does Sentinel_Cab’s ability to surface these mean we need to define one alongside?
Process owners Who is the process owner for each of these seven processes at each site?
For ISO and operational governance, each process needs a named owner who is accountable for its performance. Who are the right people at Adong, TIS, and TCM? Are they the same person across processes, or split by domain (supervisor for driver-facing, admin for setup, PJO/GM for governance)?