Models of human error in structural reliability

,Structural S~{/e{v. 1 (1983) 167 175 1 b,cvier Science Publishers B.V., Amsterdam Printedin The Netherlands

167

MODELS OF HUMAN ERROR IN STRUCTURAL RELIABILITY * Niels C. Lind Department of Civil Engineering, University of Waterloo, Waterloo, Ontario N2L 3G1 (Canada)

( Received August 27, 1982; accepted ,lanuar~ 5, 1983)

ABSTRACT Among the many human factors that ]zat,e importance for structural re/iabilio,, human error i.s' domimznt. With many a[ternatice error mechanisms operati~e, many mathenzatica[ modeLv must be studied and compared with ohserpation to select a best strateyIv for ma.vi-

re/iabilitl'. Three/ypes are presenled here." a simph, discrete model, a filter model of error elimination, and a n error combimztion model. Resuhs are calculated ,/or e.vamph,s with parameter ealues commo/z in ( ' i r e Engineering structura] practice.

INTRODUCTION

interests of society as a whole. The motivation behind the theory is to strive to give the client the " r i g h t " structure, that is the most efficient structure to satisfy the structural need. In this expansion of structural engineering theory human factors have, surprinsingly, become very important. Human physiology, for example, is a factor in modelling deflection (vibration) performance. Psychological factors are important, moreover, in ~election of acceptable tolerances for these deflections: this is perhaps the most important problem outstanding in the program of limit states design. H u m a n values, ethics and philosophy of the state are permanent factors in the theory of rational design of all engineered products: how' safe is safe enough, when A is paying for B's safety? Does the state have a right to dictate safety levels--even in cases

The production of structures rests on a theoretical basis that is expanding fast. This construct of ideas, postulates, and procedures, the " t h e o r y of structural engineering" is not just the analysis of stress and deformation in frameworks under specified loads. It encompasses methods of optimization of such frameworks, methods to model real loads as specified loads, influence of uncertainty in the decisions involved, and principles of what constraints (in tile form of codes and standards of design, testing and inspection) to impose on the individual structure from the

* Presented at AS('E-meeting, Portland, Oregon, April 1980 0167-4730/83,'$03.00

mum

' 1983 Elsevier Science Publishers B.V.

168 where the loss is merely economical or esthetic? H u m a n error, finally, is the dominant "cause" ascribed to structural malfunction. What, precisely, is "structural failure"? Before you can deal rationally with human error in this context, this question must be settled. Clearly, it is neither just structural collapse. nor just the cases that terminate by payment of insurance claims for structural damages. Structures fail to perform as one could reasonably wish by cracking, by flimsiness, by rot, corrosion, decay, and so on. Ideally we would wish a structure to last forever without maintenance. But this wish is so unrealistic that we settle for less, without talking of loss. or failure, or h u m a n error. Hammurabi's much quoted paragraphs, prescribing punishment for the builder of a house that collapses with loss of life, in effect define what could reasonably be expected from a building structure at that time, and define malfunction, at least implicitly and legally. The definition is workable, i.e., efficient for the legal process. but it would today be far too narrow. We can reasonably expect much more from our structures (than that they not collapse with loss of life), and we define structural failure accordingly. In passing, it is worthwhile to mention our assumption that we can think rationally in these matters. It should be remembered that the destruction of Lisbon by an earthquake in the 18th Century (often called "'the age of reason") was widely attributed to human shortcomings (sinful living). H u m a n error as a factor in structural hazards is the topic of this paper. First. human error will be defined in a manner suitable for the purpose. It is not a simple matter to give an overview of the multiplicity of types of h u m a n error that have structural significance. As N o w a k [1] has pointed out. it seems best at first to study various error models individually to get an appreciation of their influence and determine the best adjustment to the hazard of human error.

Survey of recent work Structural design under uncertainty and risk is nowadays often formulated in terms of well-behaved continuous random variables. Some kinds of human error, for example shoddy workmanship, can indeed be included within these f o r m u l a t i o n s - - w h a t is acceptable variability of workmanship in one country, or in one set of circumstances, as unacceptable m another. Nevertheless. doubts have been voiced that not all human error can be treated as just another random variable. Failures have been studied systematically in recent years. The principal question is whether failures are caused b3 excusable and unavoidable circumstances, or whether they are caused by human shortcomings. Smith [2], for example, considered 143 bridge failures and concluded that 70 were caused by "flood and foundation movement". 22 by "'unsuitable or defective permanent material" and so on. He does not point to human shortcomings. Matousek [3], in contrast, found that human error was almost always a factor in a sample of some 800 cases. Chilver [4] presented a diagram of classification which, in effect, ascribes all failure to human shortcoming. A critical examination of these conflicting stories suggests that it wilt be infertile to enquire into causality of structural failures by a statistical or other macroscopic approach. But detailed case studies appear to be very instructive, e.g. the comprehensive DC-10 cargo door failure study be Eddy, Potter and Page [5] or the Open University case studies [6]. The many varied aspects of the human error problem in engineered systems have been treated by Ingles [7]. Pugsley [8] and Blockley [9] take a macroscopic approach, attempting to identify error-prone structures in terms of socio technological indicators, such as novelty (of material, design, and production methods. etc.) or social, economical, or political climate. Rackwitz [10] and N o w a k [1] took the alter-

16q

native approach, considering detailed models of the mechanisms of error generation and error elimination. A combinatorial model of errors producing structural failures was developed by the author [11]. It can be considered intermediate between the two approaches, "[he combinatorial model is developed further m this paper. Two other models are presented: a discrete-valued error model similar to the work of Nowak [1] and an errorelim, ination continuous model. It may seem unreasonable to develop such models in the abscnce of solid numerical data. However, such data cannot be developed unless a theoretical framework ("paradigm") is available. The justification for each model must be sought more in the quality of the questions it tends to generate than in the questions it answers.

DISCRETE ERROR MODEL Consider the case of a single limit state with two basic random variables R and S and safe domain R > S. Without loss of generality the variables are scaled so that S has unit nlean.

The reliability index for error-free R is then 3o =

0

1

(1)

(0:~;) + U ) '~ in which 0 is the central safety factor, f{) the C.o.V. of R and fs the C.o.V. of S. Assume that R and S are represented by normal distributions fitted at the design point, and that B, is calculated for the statistics of these variables. Then the probability of failure for error-free R is approximated b~ 8, = ¢ ( - # , , )

(2)

PE I

0

8

1

r,s

0

F

r, s

(b)ERROR FACTOR

(o) ERROR - FREE ME : VR(EX.1 ),,.

O'E:O"R(EX~ )2 . L\ /

"'"/I

," .-"

ff,.\V

22

x\

', ' r,s

rts

(c) FLAWED

POPULATIONS

Fig. 1. D i s c r e t e e r r o r rnodel.

(d) TOTAL POPULAT ION

170

Assume next that an error occurs with probability PE which lowers R by a factor F, see Fig. 1. Then the probability of failure of the error-free R drops to ( 1 - PE)P0, while the probability of failure of R with error becomes PER(--BE) in which =

OF- 1 (OZFZVZ+V2) '/2

(3)

The total probability of failure changes to

(4)

PE) (I) ( -- #o) + PE(I)( -- fiE)

P,-(1-

Expressed in a different way, the safety index changes to

fl, = -e-'(P,)

(5)

The proportion of structures with error in the failed population is

ot = P E ¢ ( - - f i E ) / P ,

(6)

Example 1 A set of values that is representative of common civil engineering structures is: VR = 0.15 and Vs = 0.30 with a central safety factor of 8 = 3. giving flo = 4.02 by eqn. 1. If we consider a discrete error that reduces the strength R by 2 standard deviations, then F = 1 - 2(0.15} = 0.7. Figure 2 shows the variation of the failure probability P , with error frequency PE for/9 = 3 and other values of the central safety factor. The figure shows not surprisingly that highly reliable designs are more sensitive to the presence of human error. On the basis of scanty information from the aircraft industry, the frequency of human error can be estimated, very roughly, as P~ -= 10%. With a central safety factor of 3. eqn. 4 indicates that approximately I out of t000 structures should fail in a lifetime, while eqn. 6 indicates that some 85 percent of these

PF

Vs = 0.3

VRO=O. f5

VS --O.3

e :

V

......_--- 2 ~

m62

R

0 :

o

=

O

.

I

~

2 ~

,d 2

>IJ

J

@

3 I

,.,n

139 0 n~ Q..

m 0 Q,.

,6 4

I.U

/tJ

-4

IO

w

re"

4 f

,--I

J

I

U_

5 -------'--6

-6

IO

,o

/ /

PE

o ERROR

= 16°/'

PROBABILITY

Fig. 2. Total failure probability as a function of the probability of human error in Example 1 (multiplicative error),

/

......./

J

o

5 ERROR

PE: I°°/°

PROBABILITY

Fig. 3. Total failure probability as function of the probability of human error in example 2 (additive error) full line. Example 1 values shown dotted for comparison.

171

failures could be ascribed to human error. Both these observations are in general agreement with facts. Example 2 While in Example 1 a multiplicative discrete error was considered, an additive discrete error with the same mean effect is now studied for comparison. Figure l(c) shows the change from example 1 in the distribution of the flawed population. Figure 3 shows the effect of P~< on I ' , to be much more severe for additive errors, especially for populations of high reliability.

ERROR ELIMINATION MODEL

task in which the error was originally committed. This suggests that the likelihood of error elimination increases significantly with the magnitude or "seriousness" of the error. And it suggests, as a corollary, that small errors have a better chance of survival than larger ones. Consider therefore a system with scalar capacity R if correctly designed and built but with actual capacity R - E , where E is an additive error. E is random variable. Consider the filtering of the distribution of E in the inspection process. Let p~(x) be the density of error, i.e. pE(.v) dx is the probability of an error between x and x + dx in magnitude: pt~(.v)d.v = Pr(x ~ E <_v + d.v)

A different error model is suggested by the observation that errors are committed with high frequency but, through a continuous checking process (feedback), mostly eliminated shortly after they are made. This viewpoint would, if the subject were the steering of vehicle, consider the process as one of continuous correction of the steering error. l h e error m the process is then the net error surviving the continuous elimination process. Moreover, error is often detected because something "doesn't look quite r i g h t " - - t h a t is, by intuition rather than by repetition of the

(7)

Let t be a measure of the amount of inspection, for example the time invested in inspection. Then p>(.v) decreases with t, except in the case that there is zero error, .v--0. The rate of decrease dpL/dt is assumed proportional to the amount of error present, i.e., p~. Assuming furthermore, that it is a function of the magnitude of the error, h( .v ), gives

dpF(.v)fldt= -coh(x)p~ (x}

(8)

where % is a constant, yielding p~:(x) = p E o ( x ) e x p ( - h ( . v ) c . t )

(9)

Po

7j.,o t

v

X

I

Fig. 4. Distribution density of additive error term E in the Error Elimination Model (Concentrated probability mass at 0 not shown).

172

Consider first the special case that the initial error density is uniform, p Eo(X ) = P0, and that h ( x ) is quadratic: h( x l = c~x 2. Then

P E ( x ) =P0 exp{ - ½x2(2coc,t)}

I10)

Equation 10 shows that the error is normally distributed for t > 0. Choosing a normally distributed initial error gives the same result, of course, but avoids the complication of infinite error probability for t = 0. Thus. assume l

P E 0 ( X ) = n(0, S 2 ) ~

e

,:~/2s z

Ill

s(2~r) '/2 That is, at t = 0 error is certain to occur. PE(0) = 1, and normally distributed with zero mean and variance s 2. Then (see Fig. 4)

p (x)

1

e - ~z/2s 2 e_(X:/2s2)(t/t. ~

s(2~r) '/2 1

e -~xe/2"~e~ l +'/'''~

1121

s(21r l 1/2 in which t o is a constant. With the notation P E ( t ) = ( 1 + t / t o ) ,/2

(13)

OF = sPE(t)

(14)

spections of two assemblies by ten experienced inspectors were carried out. The results were reported graphically m terms of percentage of defects detected as a function of the number of independent inspections. Their results are given as the data points in Fig. 5. together with fitted exponentials for "critical" and "non-critical" defects. There is a general agreement with the notion that both kinds of defects decay exponentially. As expected, the rate of decay is less for non-critical defects. Moreover. little increase in inspection accuracy was observed for critical defects when more than six independent inspections were employed. In the present model, this effect can be explained, in terms ol a reduction of the average size of critical defect -the larger ones being more visible and subject to a higher rate of decay. In this model, then. the capacity population R separates into two. ciz. an error-free normally distributed sub-population N(m,,. 02) with probability 1 - P E ( t } and a flawed normally distributed subpopulation N(rn,,, o + o2) with probability P~(t ) Example 3 For a numerical example repre-

I00

we have

pE(X ) = PEn(O, O2)

(15)

The measure t o of the amount of inspection is in arbitrary units. As a convention, choose PE(1) = 0.1. Thus a unit of inspection is the a m o u n t that brings the probability of error down from 100% to 10%. By eqn. 13, t o = 1/99 and P E ( t ) = (1 + 99t) - ' / 2

(16)

The model implies exponential decay with t of the density of any error of fixed magnitude x. The total error probability PE(t) however, decays slower with t, as indicated by eqn. 13. Harris and Chaney (12) report an experiment on inspection accuracy of electronic module assemblies. Repeated independent in-

I.d

/

0..

v

NON-CRITICAL L

i

I

O

t

IO NUMBER OF I N S P E C T IONS

Fig. 5. Experimental data of Harris and Chaney [12] with fitted exponential functions according to the Error Elimination Model.

173

deviation o v , let 90% of the failures be due to h u m a n error w h e n the a m o u n t of inspection is unity:

PF

0:2

-I

I0

0-1

id 2 bF-_1

\,

°'

id 3

t

l/0%,-] + ,,~

0

rr

LJ rr

in which Pl,.(1)= 0.1. With o s = 0 . 3 and v 0 = 0.15 as before, o H is determined from eqn. 17, Figure 6 shows the resulting failure probability.

id 4

_l

!

LL _1

io~

© t'-

i i

ic~61!

ERROR C O M B I N A T I O N MODEL

I

I i

0

0/5

0.10

0.15

0.20

In an earlier paper the author [11] suggested an error c o m b i n a t i o n mechanism of structural failure, based on the following observations: (a) Failures occur much more fiequently than established rationales suggest. However, failures occur very rarely: (b) Failures are almost invariably associated with h u m a n error: (c) C o m m o n l y , multiple h u m a n errors are found when a failure is investigated: (d) H u m a n errors are also frequently

0.25

t/to Fig. 6. l o t a l p r o b a b i l i t y of failure in the Error E l i m i n a n o n M o d e l as a function of the inspection parameter l

[~p.

sentative of c o m m o n civil engineering structures, take as before the means rn = 1 and m ~ , = O, for the d e m a n d and the capacity of the error-free populations. To fix the standard FABLE 1

("ombmation model Expected number of joint events, per million Number

Number n

17l

A I C? E1 s~ C I

;7

A I Q E1 .41 ~-~ C I E1 CI ('1 AI El

(I

a

c

0

CI No error

Total Failures

19 358 452 1864 8584 35 408 44 725 849 783 941 192 19

d 3

1 22 28 114 526 2168 2738 52 028 57 624 165

1 2 11 44 56 1068 1176 114

8 8 8

e Total

f

20 380 480 1980 9120 37 620 47520 902 880 1000 000

20 22 29 116 11 44 56 8

Failure

306

174

present in structures that do not fail. These observations are reflected in the following model. Observation (d) shows that there must be some mechanism which ordinarily prevents gross errors from causing failure. This suggests that undetected gross error modifies the strength by a factor that is close to unity. If load and strength are of normal magnitude, such a single error would not likely cause failure. It would take the coincidence of several errors of design, construction or use to precipitate failure. In [11] it was assumed that human error will cause failure if and only if it occurs in multiple fashion in a number, m, of combinations that depends on a measure, n, of the amount of random deviation from normal material strength and actions on the structure. H u m a n error was divided into those of the "architect" A, those of the "engineer" E, those of the "contractor" C, and those of the "authority (inspector)" 1. It was assumed that an error occurs in each of these activities with probability 0.1, 0.4, 0.5, and 0.1 respectively. "Excess load", Weak material", and " U s e r error", were each assumed to occur with probability 0.02. All these events were assumed mutually independent. The expected number of each error combination in one million structures is given in column (e) of Table 1. The frequency of simultaneous occurrences of a number, n, of these extrinsic effects is given in the penultimate row of Table 1. It was finally assumed that failure occurs when

m+n>~3

(18)

to each failure, uniformly distributed at rand o m over the contributors (with the exception of the "Authority", of course), "Architect error" would be assigned in ( 1 / 3 ) ( 2 0 ) + (1/'2) (22) + ( 1 / 2 ) (29) + 11 = 43 cases, "Engineering error" in 120 cases and " C o n t r a c t o r error" in 135 cases, compared with the proportions observed in Matousek's sample [3], which per 306 failures would assign 42, i18, and 145 to mistakes of the architect, engineer and contractor respectively. To facilitate a comparison with the other models in this paper, the model is modified. Architect and user errors are left out of explicit consideration. Designer error D, contractor error C, and inspector error I are considered, each of the type in Fig. l(b), with

( F, PE,)=( F, O.4 p), ( F, O.5 pj and( F, O. I p) respectively ( i - D, C, I). Figure 7 shows the results for Vs = 0.3, FRo = 0.15 in terms of the percentage PE of single or multiple errors for F = 0.85 and 0.70.

PF- PD PC PI = 0.4 Vs =0.3 F=OI?

/

/

O =2/~

/

0.01"~0.85

~

I-.J

~

_~

~

/ 4

-----" ~

~, 163

II1 (3, O._

The expected number of failures per million structures are shown in the last row of Table 1. The total expected failure rate was 306 per million, roughly of the right order of magnitude. Only 8 of these failures (less than 3%) occur in the absence of human error. The remaining 298 failures are distributed as 111 cases with a single error, 167 with two errors, and 20 with three errors. Thus, multiple error is frequent. If a single "cause" were assigned

/

0.5:0.1

Vo=0.15

1(5 4

"~T'~5

~

f

~i ~j

ne

Id s LL

-6 I0

/

0.85 0

20 ERROR

40 PROBABILITY

Fig. 7. E r r o r C o m b i n a t i o n M o d e l .

60%

175

CONCLUSIONS

REFERENCES

This paper c o n s i d e r s various m o d e l s of svstelns with random capacity to withstand a

1 A.S. Nowak, Effect of human error on structural safety. A ( ' I J., 76 (Sept. 19791 '45c] '~72. 2 D.W. Smith, Why do bridges fail. ('ix. Eng. (Anl. Soc. ('iv. Eng.), 47 (1977) 58 ,q2 3 M. Matousek, Outcomings of a survey on 8(i)0 construction failures. IABSE Colloquium on Inspection and Quality Control. 5 7 ,lulx, It,~77, Cambridge, England. 4 H. Chilver, Fitting Flixborough into a pattern. Nature, 265 (1977) 494 495. 5 P. Eddy, E. Potter and B. Page, Destination Disaster. Q u a d r a n g l e / T h e New York lime~ Book Co,, New York, N.Y., 1976. 6 V. Bignell, G. Peters and C. Pyre, Catastrophic Failures. The Open University Press, 1977. 7 O.G. Ingles, Human factor and error m civil engineering. Proc. 3rd Int. Conf. Appl. Star. and Prob. in Soil and Struct. Engrg., Uniscarch, Swtne~, NSW, 1979, Vol. 3, pp. 402 417. 8 A.G. Pugsley, The prediction of Ihe Pronenessto structural accidents. Struct. Engr., 51 (6), (19731 195 196. 9 D.T. Blockley, Predicting the likelihood of structural accidents. Proc. lnsln. ('iv. Engr~. 59, 12) (1975) 659 668. 10 R. Rackwitz. Note on the treatment of errors m structural reliability. T e c h n i s c h e Universitiit Munchen, Laboratorium ftir den Konstructiven lngenieurbau, Heft 21, 1977, pp. 23 35. 11 N.C. Lind, Optimization, cost benefit analysis, specifications. Proc. 3rd Int. Congr. Appl. Star. and Prob. m Soil and Struct. Engrg.. LInisearch, Sydney. NSW, 1979, Vol. 3, pp. 373 384. 12 D.H. Harris and F.B. Chanev. Human Factors m Quality Assurance. John Wile'~ and Sons, Inc., N e ~ York, 1969.

r a n d o m d e m a n d . Several e m p i r i c a l l y k n o w n

aspects of the influence of human e r r o r on the probability of failure of such systems, particularly structures, are reflected in these models. Simple discrete error models of the multiplicalive type (as in Example 1) show a moderate and g r a d u a l increase in failure probability with error probability. F o r c o m m o n values <,i the total failure probability ( 1 0 ) 10 5), the classical theor~ is in error by a fairly constant factor when the error probability is constant (Fig. 2). Additive human error is comparatively expensive, particularly at high reliability levels (Fig. 3). An error elimination, or filter, model leads to a normally distributed error f o r m in apparent agreement with s c a n t \ data (Figs. 4 and 5). The influence of inspection can be taken into account (Fig. 6). With appropriate cost data, this model should permii optimization of inspection expenditure tor a given target safety level and design .,aleI\' factor. Finally, an error combination m o d e l serves to explain how the near ubiquity c,t h u m a n e r r o r can be reconciled with the achieved high reliability, and in turn serves to justify the simpler discrete error models.

ACKNOWLEDGEMENTS The work reported in this paper is part of a study of the strength and safety of structures sponsored by the National Science and Engineering Research Council of Canada.