13th IFAC/IFIP/IFORS/IEA Symposium on Analysis, Design, and Evaluation of Human-Machine Systems
Aug. 30 - Sept. 2, 2016. Kyoto, Japan
Available online at www.sciencedirect.com
ScienceDirect
IFAC-PapersOnLine 49-19 (2016) 019–024
Safety Analysis of Aviation Flight-Deck Procedures Using Systemic Accident Model

Takayuki Hirose∗, Tetsuo Sawaragi∗, Yukio Horiguchi∗

∗ Department of Mechanical Engineering and Science, Kyoto University, Kyoto, Japan (e-mail: [email protected], {sawaragi, horiguchi}@me.kyoto-u.ac.jp)
Abstract: Analyzing the feasibility of procedures is important for ensuring safety when using systems that feature human operations and highly developed automation. This is certainly the case with flight-deck procedures due to their complexity, which sometimes leads to deviation from standard operation procedures (SOPs) and other serious outcomes (e.g., air crash accidents). To analyze the feasibility of procedures, we adopt the functional resonance analysis method (FRAM) (Hollnagel, 2004) to examine the safety management of flight-deck procedures. However, FRAM is essentially a theoretic method, and there are currently no specific approaches or supportive tools to bridge the gap between theory and practice. In this paper, we propose an adaptation of the cognitive reliability and error analysis method (CREAM) (Hollnagel (1998)) that we call Fuzzy CREAM for systematic and quantitative FRAM analysis. We applied the proposed method to an actual air crash accident that occurred near Cali Airport, Colombia in 1995 and conclude that the accident was due to deviation from SOPs. On the basis of our analysis, we show that FRAM can identify potential hazardous paths that may lead to an accident. We also propose a new method using FRAM for pre-analysis of the safety of designed procedures.

© 2016, IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved.
Keywords: Functional Resonance Analysis Method (FRAM), Fuzzy Cognitive Reliability and Error Analysis Method (Fuzzy CREAM), Quantitative FRAM Analysis

1. INTRODUCTION

Automation is increasingly being introduced to reduce the workload of humans and improve the accuracy of task performance. At the same time, automation brings about changes to what the operators must do (e.g., change from direct manipulation to the supervision of instruments or task management), causing accidents that cannot be explained by the conventional tenets of accident analysis. In aviation, one of the most typical forms of this accident, “Control Flight Into Terrain” (CFIT), occurs when an aircraft crashes into the terrain but there are no fatalities or damage to the aircraft nor any fatal errors by the crew. This type of accident is thought to be mainly due to discrepancy between the operation of equipment and human cognition or deviation from the standard operation procedures (SOPs). Designing an interface that shows the behavior of equipment in a simple and clear way or that considers which procedures are feasible is key in terms of preventing these accidents.

To analyze this type of accident, Hollnagel (2004) proposed the functional resonance analysis method (FRAM), which is based on a systemic accident model. With FRAM analysis, the potential hazards in a given procedure can be identified. Moreover, from the perspective of resilience engineering, FRAM can identify whether the procedures are resilient against the given disturbances. However, thus far
FRAM has typically functioned as a qualitative method; a systematic way of using FRAM analysis has not yet been established. In this paper, to make the analysis more objective, we propose integrating FRAM and a new method based on the cognitive reliability and error analysis method (CREAM) that we call “Fuzzy CREAM” (Hollnagel (1998)). Then, with this integrated method as a basis, we propose a method for evaluating the dynamics of the growing disturbances. Finally, we applied the proposed method to an actual air crash accident that occurred near Cali Airport, Colombia in 1995 and show how the deviation of SOPs started and grew in the cockpit, eventually leading to the fatal accident.

2. FUNCTIONAL RESONANCE ANALYSIS METHOD (FRAM)
The functional resonance analysis method (FRAM) is based on the principle of functional resonance caused by the variability of an operator’s performance and the surrounding context. It enables the analysis of deviation from what is expected to be performed (e.g., SOPs). In this method, a procedure is assumed to consist of various functions that have complex dependencies on each other. Hollnagel (2004) identified six aspects of these functions (shown in Table 1) to make such dependencies clear.
2405-8963 © 2016, IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved.
Peer review under responsibility of International Federation of Automatic Control.
10.1016/j.ifacol.2016.10.455
Table 1. Six aspects of function

Aspect | Description
Input | Input to the functions, trigger
Output | Outcome of functions
Precondition | Conditions that must be satisfied before functions are carried out
Resource | What is consumed during the process (fuel, energy, labor force...)
Control | What supervises or restricts the function
Time | Time required to accomplish the process

Functions, each consisting of six aspects, are visually represented as hexagons and used to build a network in accordance with the dependencies between the aspects, as shown in Fig. 1.

Fig. 1. Visual representation of FRAM

Once the variability in a function is generated, even if its magnitude is small, it will be amplified by the FRAM network, which can sometimes lead to serious outcomes.

This is the basic principle of FRAM analysis, and there has been much research on the best methods to use with it. However, FRAM analysis is qualitative, and no clear approach has yet been established. In this work, to overcome this problem, we introduce Fuzzy CREAM, an advanced cognitive reliability and error analysis method, and propose a novel method integrating FRAM and Fuzzy CREAM.

3. CREAM AND FUZZY CREAM

3.1 Basic Principle of CREAM

Cognitive reliability and error analysis method (CREAM) is the second-generation form of human reliability analysis (HRA) proposed by Hollnagel (1998). Conventionally, in first-generation HRA (e.g., technique for human error rate prediction (THERP)), human error was thought to stem from inherent deficiencies and the fact that humans naturally fail to perform tasks just the same as machines or structures can fail. However, extensive study of HRA revealed that the contextual conditions under which a task is performed have a greater effect on human failure, which led to the development of the second-generation HRA.

In the CREAM method, E. Hollnagel referred to these contextual conditions collectively as the Common Performance Condition (CPC) and defined it to include nine factors: “Adequacy of Organization”, “Working Conditions”, “Adequacy of Man-Machine Interface”, “Availability of Procedures/Plans”, “Number of Simultaneous Goals”, “Available Time”, “Time of Day”, “Adequacy of Training and Experience”, and “Crew Collaboration Quality”. The CPC contains various CPC Levels and CPC Effects, as shown in Table 2. For example, if the CPC “Working Conditions” in Table 2 is rated as “Advantageous”, it has a “Positive” effect on the progress status.

Table 2. Examples of CPC Level and Effect

CPC | Level | Effect
Working Condition | Advantageous | Positive
Working Condition | Compatible | Not Significant
Working Condition | Incompatible | Negative

Then, the number of CPCs found to be “Positive” and “Negative” is plotted onto the chart shown in Fig. 2. Depending on the plotted point in Fig. 2, control modes that represent the progress status of given tasks are identified.

Fig. 2. Relation between CPC effect and control modes.

Also, with respect to each control mode, the intervals of probability of action failure (PAF), by which we mean the probability that the human performance will fail under a certain circumstance, are defined. The correspondence between control modes and the intervals of PAF is shown in Table 3.

Table 3. PAF intervals with respect to control modes

Control Mode | Intervals of probability of action failures
Strategic | 0.5e-5 < p < 0.01
Tactical | 0.001 < p < 0.1
Opportunistic | 0.01 < p < 0.5
Scrambled | 0.1 < p < 1.0

However, the evaluation of the CPCs and the identification of control modes are too linguistic, and there is a problem with objectivity. Therefore, quantification of CREAM analysis is required, and various quantitative approaches for CREAM have been developed in recent years. One such approach, Fuzzy CREAM, enables us to evaluate linguistic representations such as “Working Condition is Advantageous” or “Working Condition is Compatible” with continuous quantitative values by introducing fuzzy linguistic variables.

3.2 Fuzzy CREAM

For the quantitative approach, fuzzy logic theory was introduced to modify the original CREAM method. In Fuzzy CREAM, a crisp value of PAF and a control mode are obtained from input variables comprised of CPC scores corresponding to the linguistic values of CPC Levels. Several methods for this have been proposed in the past.
In this paper, we adopt the weighted CREAM model proposed by Ung (2015), for the following reasons. First, the weight of each CPC under certain circumstances has not been adequately considered in other methods, as pointed out by Ung (2015). Also, although the chart in Fig. 2 is often used as the basis for determining control mode from the combination of CPC status, ideally this chart should be regarded as just an example to identify the control mode with the status of CPCs in Hollnagel (1998), and the adopted method can construct the rules without the chart.

3.3 Weighted CREAM Model (Ung (2015))

This method consists of four steps:

Step 1: Definition of membership function for linguistic values of CPC Levels

The score of the CPC status, which is a continuous value varying from 0 to 100, is determined and used as input variables to obtain a result. Membership functions for each linguistic value, which vary from 0 to 1, can also be defined. If the value of the membership function with respect to the CPC score reaches 1, the status of the CPC is a complete match with the linguistic values. An example of the membership function of the “Working Condition” CPC is shown in Fig. 3. Also, the membership function of the control modes can be defined with Table 3. An example is shown in Fig. 4. In Fig. 4, the logarithm of the probability is used in the abscissa for better output (Konstandinidou et al. (2006) and Ung (2015)).

Ideally, the membership functions should be designed using statistical data and/or the knowledge of experts. However, the membership functions in this paper are regarded as linear, shown in Fig. 3, for the sake of simplicity.

Fig. 3. Membership functions of “Working Condition” (abscissa: CPC score [-], 0 to 100; ordinate: Membership [-]; curves: Incompatible, Compatible, Advantageous).

Fig. 4. Membership functions of control modes (abscissa: log(PAF) [-]; ordinate: Membership [-]; curves: Strategic, Tactical, Opportunistic, Scrambled).

Step 2: Construction of IF-THEN Rules

In this step, the rules between the combinations of CPC Levels and the control mode are established. The rules are constructed by an IF-THEN Rule, where the IF-part (antecedent) corresponds to a combination of the linguistic values of CPC Levels and the THEN-part (consequent) corresponds to the linguistic values of Control Modes. Ideally, these rules should be established on the basis of statistical data and/or the knowledge of experts. However, since each of the nine CPCs has three or four CPC Levels (as shown in the example in Table 2), there are tens of thousands of combinations of CPC Levels. Therefore, some systematic way to selectively define the rules is required. To identify which combination of CPC Levels belongs to which control mode, the index $C^k$ is defined as

$$C^k = \sum_{i=1}^{n} A_i^j \cdot w_i \qquad (1)$$

where $A_i^j$ is the significance of linguistic values for the ith CPC’s jth CPC Level, which is defined as the value of the abscissa when its membership function reaches 1. For example, the significance of “Advantageous”, “Compatible”, and “Incompatible” is 0, 50, and 100, respectively in Fig. 3. Also, $w_i$ is the normalized weight of the ith CPC determined by analysts on the basis of pertinent data or their own knowledge. Let the index $C^k$ be a percentage of the abscissa in Fig. 4. The value on the abscissa indicated by $C^k$ can then be obtained. By comparing this value with the intervals listed in Table 4, which are defined by applying OR operation of fuzzy theory for Fig. 4, a linguistic value of the control mode (THEN-part) that belongs to a certain combination of CPC Levels (IF-part) is identified. In the end, multiple combinations of CPC Levels will belong to one control mode. The consequences of these rules are calculated in the next step.

Table 4. Intervals of abscissa in Fig. 4 for identification of control mode

Control mode | Intervals
Strategic | [-5.30, -3.80]
Tactical | (-3.80, -2.90]
Opportunistic | (-2.90, -1.03]
Scrambled | (-1.03, 0]

Step 3: Obtaining conclusion fuzzy set

If n combinations of CPC Levels for a kth linguistic value of control mode are obtained in Step 2, the degree of matching for each linguistic value of control mode $\mu^k$ is obtained from the following equations:

$$\mu_l^k = \sum_{i=1}^{m} \mu_{i,j}(x) \cdot w_i \qquad (2)$$

$$\mu^k = \frac{\sum_{l=1}^{n} \mu_l^k}{n} \qquad (3)$$

where m is the number of CPC, $\mu_{i,j}(x)$ is the value of the membership function that represents the jth linguistic term of the ith CPC, and k and l represent the linguistic value of the control mode and the lth combination of CPC Levels, respectively. Finally, the conclusion fuzzy sets are defined as

$$\min(\max(\nu^1(x), \mu^1(x)), \max(\nu^2(x), \mu^2(x)), \ldots),$$
To consider the dependencies of these CPCs, the updated CPC scores shown in the left column of Table 5 are calculated by x∗i = xi + (xj − xi ) × wj (5)
where ν k (x) is the membership function of the linguistic values of the kth control mode. Step 4: Defuzzification After the conclusion fuzzy set is obtained in Step 3, it is transformed into a crisp value using a process called defuzzification. The crisp value CV is obtained by x · µ(x)dx CV = D (4) µ(x)dx D
j
x∗i
where is the updated score of the ith CPC and xi is its original score. Also, xj is the score of the jth CPCs listed in the right column of Table 5, and wj is the normalized weight determined in subsection 3.3. Finally, the dependencies between functions with respect to the PAF are established. As a first step, the relation between the output of an upstream function and aspects of other downstream functions are determined. According to these relations, CPCs of downstream functions that are influenced by the output of an upstream function are also determined. This process should also be based on statistical data and/or the knowledge of experts. Then, the score of the relevant CPCs in the downstream functions will be changed in accordance with Eq. 6 if the variability of the function, i.e., the change of PAF as a result of the Fuzzy CREAM process, is actually generated. n P AFprev = xm∗ (6) × xm i i n P AFcurrent
where CV is the crisp value representing log(P AF ), D is the domain of integration, and µ(x) is the conclusion fuzzy set. 4. METHODOLOGY: INTEGRATION OF FUZZY CREAM AND FRAM
In this work, we propose integrating Fuzzy CREAM with FRAM analysis to make the analysis objective and quantitative. Conventional CREAM analysis including Fuzzy CREAM is designed to deal with certain circumstances as an analysis subject. However, from the perspective of the second-generation HRA, the functions of FRAM analysis are also influenced by the contextual conditions (i.e., the CPCs), and it should be possible to adopt the Fuzzy CREAM method for evaluating the control mode of each function. That is, the evolving values of each CPC score, and the results derived by Fuzzy CREAM (PAF), can be used for the variability scale of the functions. Moreover, once the dependencies between functions with respect to the PAF are determined, functional resonance becomes derivable and can be calculated as quantitative value. To accomplish the analysis, the following steps are taken.
where xm∗ and xm i i are the updated and original scores of the ith CPC in the mth downstream function, respectively. n n Also, P AFprevs and P AFcurrent respectively refer to the PAF value of a certain nth upstream function before and after the PAF value has been changed by the Fuzzy CREAM process. Therefore, quantitative FRAM analysis becomes possible by repeatedly updating the CPC scores calculated through the dependencies between CPCs in Eq. 5 and the propagation of scores made through the relations between the functions in Eq. 6 after the variability of some functions is generated by the Fuzzy CREAM process.
First, we add two more CPCs, "Availability of Resources" and "Quality of Communication", to the original nine. The new CPCs were added in Hollnagel (2004), when FRAM analysis was proposed for the first time. In this way, a series of CPCs should be considered and changed depending on the case.

Second, the dependencies of CPCs are considered. The dependencies between CPCs are described in Hollnagel (1998), and the CPC Effects are updated in accordance with them. The dependencies between CPCs are listed in Table 5.

Table 5. Dependencies between CPCs

| CPC | Depends on the Following CPCs |
|---|---|
| Working Conditions | Adequacy of Organization, Adequacy of MMI, Time of Day, Availability of Resource, Available Time, Adequacy of Training and Experience |
| Number of Simultaneous Goals | Working Conditions, Adequacy of MMI, Availability of Procedures/Plans |
| Available Time | Working Conditions, Adequacy of MMI, Availability of Procedures/Plans, Number of Simultaneous Goals, Adequacy of Training and Experience, Time of Day |
| Crew Collaboration Quality | Adequacy of Organization, Time of Day, Quality of Communication |

The above processes are implemented, which enables interactive analysis by assuming several variables.

5. APPLICATION OF PROPOSED METHOD TO ACTUAL AIR CRASH ACCIDENT

5.1 Overview of Accident

We applied the above methodology to the analysis of an actual air crash accident that occurred near Cali Airport, Colombia in 1995. This was the first fatal accident of the high-tech B757 aircraft in its 13 years of exemplary service at that time. American Airlines flight 965 was about to land at the airport close to Cali, Colombia. The flight was already two hours behind schedule due to a departure delay at Miami, and it was dark outside. During the approach, the ATC proposed a runway change for landing to the flight crew, who accepted it. However, just after doing so, the crew of flight 965 became busy identifying a new approach course. They input the wrong course for landing into the flight management computer (FMC) and subsequently went off the correct course, which was not noticed for a while. Flight 965 flew into the mountains of the Andes and finally crashed into the terrain. Further details of this accident are presented in Simmon (1998).
5.2 Demonstration of Proposed Method

One of the most critical points of this accident is that the crew of flight 965 input the wrong course after they accepted the runway change proposal from ATC. Although runway changes are basically regarded as a normal event during operation, this one seems to have led to the fatal error of the crew. In the following, we focus on what took place from the time the crew accepted the runway change proposal from ATC to the time at which they input the wrong course to the FMC and then analyze these events using the proposed method. First, we define the five functions of FRAM analysis shown in Table 6, which are to be performed in the circumstances of the targeted events, and the dependencies between the functions, as shown in Fig. 5. Also, using the dependencies in Fig. 5, analysts determine which CPCs in downstream functions are affected by variability in the upstream functions.

Table 6. Functions list

| No. | Function |
|---|---|
| 1 | Communication with ATC |
| 2 | Input and execute the route to FMC |
| 3 | Identifying approach course |
| 4 | Descending for new approach course |
| 5 | Review of flight plan for RWY change |

Fig. 5. Dependencies among functions in Table 6.

Each function shown in Table 6 has 11 CPCs, as discussed above. If we assume that everything was going well until the crew accepted the proposal of the runway change, the score of all CPCs is set to 100. The weights for those CPCs are defined by analysts who investigated the details of the accident report. For example, the score and weight of the CPCs of function no. 1, Communication with ATC, are shown in Table 7. The most important CPC for this function is apparently "Quality of Communication", and the weight of this CPC is therefore the highest. The other CPCs more or less contribute to this function, with their weights set as shown in Table 7. In addition to such CPC status, the membership functions of those CPCs and Control Modes are defined. In this analysis, the shapes of the membership functions of CPCs are defined as shown in Fig. 3 (for CPCs with three CPC Levels) and Fig. 6 (for CPCs with four CPC Levels). Also, the membership functions of Control Modes are the same as those shown in Fig. 4. As its initial condition, the PAF value of every function is set to $1.59 \times 10^{-5}$. This is done because, in the Fuzzy CREAM method, every CPC score is initially set to 100, and the control mode of the THEN part mentioned in Step 3 of subsection 3.3 is identified as "Strategic" only. Moreover, $\mu_{strategic}$ of Eq. 3 becomes 1.0 under this condition. Therefore, the value $\log(PAF)$ of all functions in Table 6 corresponds to the center of gravity of the triangle composed of one "Strategic" line and two axes in Fig. 4.

Table 7. Initial CPC status of "Communication with ATC"

| CPC | Score | Weight |
|---|---|---|
| Availability of Resource | 100 | 0.10 |
| Training and Experience | 100 | 0.10 |
| Quality of Communication | 100 | 0.51 |
| Adequacy of MMI | 100 | 0.00 |
| Adequacy of Procedures/Plans | 100 | 0.00 |
| Working Condition | 100 | 0.051 |
| Number of Simultaneous Goals | 100 | 0.051 |
| Available Time | 100 | 0.051 |
| Time of Day | 100 | 0.051 |
| Crew Collaboration | 100 | 0.051 |
| Adequacy of Organization | 100 | 0.026 |

Fig. 6. Membership functions for fuzzy values of four CPC Levels (Lv. 1 to Lv. 4; horizontal axis: CPC score [-], vertical axis: Membership [-]).

According to the investigation in Simmon (1998), the captain of flight 965 misunderstood the runway change instructions from ATC, and ATC failed to correct it when the captain read back the instructions. This indicates a discrepancy of communication between the captain and ATC. Considering this, we set the score of the "Quality of Communication" CPC in Communication with ATC as degraded to 20 at this point. Then, in accordance with the dependencies between CPCs, the score of "Crew Collaboration" is affected if the score of "Quality of Communication" has changed. The updated score of "Crew Collaboration" is obtained with Eq. 5 and becomes 57.89 (100 + (20 − 100) × 0.53). After the new CPC scores are obtained, we apply the Fuzzy CREAM method to the updated CPC scores and the new PAF value of the function is obtained as $1.85 \times 10^{-3}$. Once the PAF of the function is updated, the score of CPCs in its downstream functions, i.e., Identify approach course and Review of flight plan for RWY change, is changed in accordance with Eq. 6. For example, the "Availability of Resource" CPC in Identify approach course is affected by the variability of the Communication with ATC upstream function. In the above process, the PAF value of Communication with ATC has changed from $1.59 \times 10^{-5}$ to $1.85 \times 10^{-3}$. Therefore, the score of the "Availability of Resource" CPC in Identify approach course is changed from 100 to 0.86 in accordance with Eq. 6, resulting in changes to the scores of other CPCs and, in the end, the PAF value of the function.

By repeating the above process, a change of the status of Input and execute the route to FMC, which is one of the most critical points of the accident, can be observed. Table 8 shows the simulation results indicating what happened in the cockpit based on Simmon (1998) before they entered the wrong course to FMC and the change of PAF and the control mode of Input and execute the route to FMC due to the events.

Table 8. Events and PAF/Control Mode of Input and execute the route to FMC

| Event | PAF | Control Mode |
|---|---|---|
| Crew received the proposal of RWY change | $1.2 \times 10^{-4}$ | Strategic |
| Crew accepted the RWY change without sufficient briefing | $1.9 \times 10^{-3}$ | Opportunistic |
| Crew started descending for new approach course after they accepted the RWY change | $1.8 \times 10^{-3}$ | Opportunistic |
| Crew became confused with identifying new approach course | $1.1 \times 10^{-2}$ | Opportunistic |
| PNF entered the first letter of next point and hit the execution button without cross check | $2.0 \times 10^{-1}$ | Scrambled |

Here, we briefly discuss the events in Table 8. In the first event of Table 8, when the crew of flight 965 received the proposal of runway change from ATC, there was a discrepancy of communication. Therefore, the score of "Quality of Communication" in Communication with ATC is set to 20, and the PAF and control mode of Input and execute the route to FMC became $1.2 \times 10^{-4}$ and "Strategic", respectively. After the event, Simmon (1998) pointed out that the runway change was accepted without sufficient review of the flight plan. Therefore, the score of "Crew Collaboration" in Review of flight plan for RWY change was set to 0, whose PAF and control mode became $1.9 \times 10^{-3}$ and "Opportunistic", respectively. Also, they started descending soon after they accepted the runway change, and the Pilot Flying (PF), who is responsible for controlling the aircraft, became occupied with this task. At this point, the score of "Available Time" and "Number of Simultaneous Goals" of Descend for New Approach Course became 0. This time, both the PAF and the control mode of Input and execute the route to FMC remained about the same as in the previous event. Then, the crew became confused when trying to identify the new approach course for the runway change, and the score of "Available Time" and "Number of Simultaneous Goals" in Identify approach course is assumed to have become 0 in this event. As a result, the PAF of Input and execute the route to FMC became $1.1 \times 10^{-2}$. Finally, the course was entered to FMC by the Pilot Not Flying (PNF), who is mainly responsible for supervising flight status, without cross checking with the PF. Moreover, although the PNF entered the first letter of the next waypoint to FMC and executed it, the letter showed a completely different place on the list of waypoints on the FMC display, which was not noticed by the crew. Therefore, the score of "Crew Collaboration" and "Adequacy of MMI" is assumed to have become 0 at this point, and the PAF and control mode of this function respectively became $2.0 \times 10^{-1}$ and "Scrambled", the most undesirable condition.

Note that the above result cannot be obtained if only one function fails. For example, Input and execute the route to FMC does not lead to such a serious result (e.g., PAF is $2.0 \times 10^{-1}$ and control mode is "Scrambled") by just setting the score of CPCs in the function to 0. That is, growing disturbances (e.g., growing deviation from SOPs) are the cause of the serious outcomes, and the dependencies of functions have to be taken into account in order to analyze the feasibility of procedures.

6. CONCLUSION

Automation has been introduced to reduce the workload of humans and improve the accuracy of task performance. However, it has also brought about changes to the tasks of operators, and procedures often become too complex. That is, new automation tools may alter the situations in which the tasks occur and even the conditions that cause people to want to engage in the tasks. This results in accidents that have never been experienced before, which are mainly due to the discrepancy between the behavior of equipment and human cognition or deviation from the standard operation procedures (SOPs). To prevent such accidents, the feasibility of procedures must be analyzed. For this purpose, in this paper we proposed a systematic method of FRAM analysis. The proposed method was developed by integrating FRAM with the Fuzzy CREAM method, which enables interactive FRAM analysis by assuming several variables. The proposed method was applied to an actual air crash accident that occurred near Cali Airport, Colombia in 1995 and revealed how the deviation from SOPs started and grew in the cockpit. With further development, our method is expected to contribute not only to accident analysis but also to the pre-analysis of the safety of designed procedures.
REFERENCES

Hollnagel, E. (1998). Cognitive Reliability and Error Analysis Method-CREAM. Oxford: Elsevier Science.

Hollnagel, E. (2004). Barriers and Accident Prevention, Aldershot, UK: Ashgate.

Konstandinidou, M., Nivolianitou, Z., Kiranoudis, C. and Markatos, N. (2006). A fuzzy modeling application of CREAM methodology for human reliability analysis, Reliability Engineering & System Safety, 91(6), pp. 706-716.

Simmon, D. (1998). Boeing 757 CFIT Accident at Cali, Colombia Becomes Focus of Lessons Learned, Flight Safety Digest, 17(5/6), pp. 1-31.

Ung, S-T. (2015). A Weighted CREAM model for maritime human reliability analysis, Safety Science, 72, pp. 144-152.

Yang, Z.L., Bonsall, S., Wall, A., Wang, J., Usman, M. (2013). A modified CREAM to human reliability quantification in marine engineering, Ocean Engineering, 58, pp. 293-303.