White Paper on Human Reliability Analysis -...

White Paper on Human Reliability Analysis

An Approach for Conducting HRA by Evaluating Factors Influencing the Cognitive Ability of the Pilot and Co-pilot During the Aircraft Landing

Process

Vandana Nigam

5/20/2014

2

TABLE OF CONTENTS

Section 1............................................................................................................................................ 3

Introduction ...................................................................................................................................... 3

Project Objective ....................................................................................................................................... 3

Proposed Steps to Solve the Problem....................................................................................................... 4

Section2 ............................................................................................................................................ 5

Literature Survey ............................................................................................................................... 5

First Generation Methods ......................................................................................................................... 5

Second Generation Models ...................................................................................................................... 6

Application of HRA in Aviation .................................................................................................................. 8

Section 3............................................................................................................................................ 9

Methods ............................................................................................................................................ 9

Development of the Theoretical Framework ........................................................................................... 9

Task Analysis ........................................................................................................................................... 14

Unsafe Acts and the respective performance shaping factors ............................................................... 25

HRA Model Selection .............................................................................................................................. 31

Data Collection Methods ........................................................................................................................ 36

Data Analysis ........................................................................................................................................... 37

Risk Mitigation: Quantitatively Informed Risk Mitigation Strategies ..................................................... 41

Section 4.......................................................................................................................................... 46

Discussion ....................................................................................................................................... 46

Implementation of HRA .......................................................................................................................... 46

Model Limitations ................................................................................................................................... 49

Section 5.......................................................................................................................................... 51

Conclusion ....................................................................................................................................... 51

Application of knowledge from this project in the Aviation Domain ..................................................... 51

Extensions to the Project/Future Work .................................................................................................. 51

References ....................................................................................................................................... 52

3

Section 1

Introduction

Human error occurrence due to impairment of an individuals’ cognitive ability, resulting

in errors in judgment, inability to react to warnings, follow protocols, etc. have led to loss of life,

assets, and heavy financial loss over the past 50 years especially in the aviation industry. Human

error has been the reason in a variety of accidents, including 70% to 80% of those in civil and

military aviation [1] [2] [3] [4]. Literature also indicates that accidents due to mechanical error

has progressively declined over the past years, however the reduction in the accidents related

with human error have not reduced proportionately [4]. This clearly suggests that if the

failures/accidents were to be reduced, more emphasis needs to be in the direction of human error

mitigation.

The frontline investigators on accidents are mainly from the aviation industry with

substantial background and years of experience in aircraft maintenance and its operation, with

little background in human factors. This results in recommendations being on the technical

hardware/software side, more of blame on the pilot (crew) for the error, without a deeper dive

into human factor analysis or to provide pointers for human factor risk mitigation. Also, most

process design is based on an assumption of ideal conditions and flawless operation/performance

with little room for error. This perfect world assumption results in a catastrophe when a human

encounters an abnormal event or environment [7]. The focus on error management and error

recovery should be one of the major strategies, with due consideration on human factors of

cognition, behavior, social interaction and circumstances that lead to accidents, in order to do a

human reliability analysis that would give a practical, implementable, and useful

recommendation.

In this project the focus is on the cognitive piece through identification of a theoretical

framework of human error occurrence, a detailed task analysis, selection of method, data

collections methods, and risk mitigation strategies in the aircraft landing process. The purpose of

the project is to go through the steps and suggest formulation of the HRA model that can use as a

basis to take it to the next step. The last section of the document lists down the extensions to the

basic research presented here.

Project Objective

To propose HRA method by evaluating the factors affecting the cognitive ability of the pilot

and co-pilot, during landing of an aircraft with specific reference Boeing 757-200. The focus of

the project will be on the navigation system interaction during the landing operation. The factors

under consideration are:

Skill Level and Training and Retraining for the job

Distraction and lack of alertness and workload management

4

Proposed Steps to Solve the Problem

The proposed steps involved to solve the problem are discussed below:

1. Review the existing theories that impact the cognitive ability of pilot and co-pilot and

develop a theoretical framework under which human error can occur during the landing

process.

2. Conduct a detailed task analysis on the process of landing and the navigation interface for

the landing process.

3. With reference to the theoretical framework, identify the unsafe acts that could occur at

every task and sub-task and categorize the unsafe act based on Reasons GEMS approach.

4. Identify the PSF associated with each unsafe act.

5. Identify similarities, possibility of error recovery opportunities, and regroup PSFs and

unsafe acts.

6. Select method or combination of methods for analysis based on the 1st and 2nd generation

methodologies available in literature and practice.

7. Determine data collection methods.

a. Sending Surveys

b. Conducting Experiment based on a simulated environment

c. Elicitation Expert Opinion

d. A combination of all of the above

8. Apply the selected method to determine the HEP

9. Suggest risk mitigation strategies.

10. Implementing the HRA: Its Challenges

11. Discussion of the Model and its limitations

12. Conclusion and future work

5

Section2

Literature Survey

Human Reliability Analysis requires the use of qualitative and quantitative methods to

estimate the human error probability in a given scenario. Although, the origin of HRA methods

dates to the year 1960, but most techniques for assessment of the human factor have been

developed since the mid- 1980s. HRA techniques or approaches can be divided essentially into

two categories: first and second generation. The following subsections give an overview of the

most commonly used first and second generation methods, subsequently reviews the domain

specific and the problem specific methodologies for HRA.

First Generation Methods

The first generation HRA methods have been strongly based on the viewpoint of

probabilistic safety assessment (PSA) and have identified man as a mechanical component, thus

losing all aspects of dynamic interaction with the working environment, both as a physical

environment and as a social environment. In many of these methods - such as Technique for

Human Error Rate Prediction (THERP-1983) and Accident Sequence Evaluation Program

(ASEP-1987), the basic assumption is that because humans have natural deficiencies, humans

logically fail to perform tasks, just as do mechanical or electrical components. Thus, HEP can be

assigned based on the characteristics of the operator's task and then modified by performance

shaping factors (PSF). In the first generation HRA, the characteristics of a task, represented by

HEPs, are regarded as major factors; the context, which is represented by PSFs, is considered a

minor factor in estimating the probability of human failure. This generation concentrates towards

quantification, in terms of success/failure of the action, with less attention to the depth of the

causes and reasons of human behavior.

THERP [18] is the best know and most frequently used first generation HRA method. Its

approach describes the cognitive aspects of operator's performance with cognitive modeling of

human behavior, known as model skill-rule-knowledge (SKR) by Rasmussen (1984). This model

is based on classification of human behavior divided into skill-based, rule-based, and knowledge-

based, compared to the cognitive level used. This behavior model fits very well with the theory

of the human error in Reason (1990), according to which there are several types of errors,

depending on which result from actions implemented according to the intentions or less. Reason

distinguishes between: slips, intended as execution errors that occur at the level of skill; lapses,

that is, errors in execution caused by a failure of memory; and mistakes, errors committed

during the practical implementation of the action. In THERP, instead, wrong actions are

divided into errors of omission and errors of commission. ASEP [18] is a simplified version of

THERP, but more conservative.

In support of the Accident Sequence Precursor Program (ASP), the U.S. Nuclear

Regulatory Commission (NRC), in conjunction with the Idaho National Laboratory (INL),

in1994 developed the Accident Sequence Precursor Standardized Plant Analysis Risk Model

(ASP/SPAR) human reliability analysis (HRA) [20] method, which was used in the development

6

of nuclear power plant (NPP) models. Based on experience gained in field-testing, this method

was updated in 1999 and renamed SPAR-H, for Standardized Plant Analysis Risk-Human

Reliability Analysis method. There are two tasks types are defined in this method; Diagnosis and

Action. There exists eight predefined PSFs whose values are assessed and the basic HEP is

adjusted. The final HEP is applied to the PRA. SLIM-MAUD method was also developed for

Nuclear Industry. This method relies heavily on expert judgment. Frequency data which could be

used to estimate HEP is usually unavailable and if available applies to limited simple tasks. To

overcome this NRC embarked research on how the HEP estimates can be made indirectly using

expert judgment.

The first generation methods have disadvantages that resulted in the development of

second generation methods. Some of the concerns associated with first generation are listed

below:

Inadequate capture of human psychology, the underlying behavior, and context are not

considered in modeling.

PSF mechanism does not have a causal mechanism resulting in a disjointed PSF analysis.

Individual or the operator is not included in the analysis.

Highly subjective simulated data makes validity difficult. Possibility of the model

divergent from real-world scenario.

Expert opinion introduces the bias associated with the technique. There may be in

consistencies in expert opinion due to the subjectivity of the analysis.

Empirical demonstration of accuracy does not exist which brings in the difficulty of

validity of the model.

Second Generation Models

The Cognitive Reliability and Error Analysis Method (CREAM) (Hollnagel 1998) is a

second generation method that was in response to an analysis of existing HRA approaches.

CREAM [26] can be used both to predict potential human error, and retrospectively, to analyze

and quantify error. The CREAM technique consists of a method, a classification scheme and a

model. According to Hollnagel (1998) CREAM enables the analyst to achieve the following:

1. Identify those parts of the work, tasks or actions that require or depend upon human

cognition, and which therefore may be affected by variations in cognitive reliability.

2. Determine the conditions under which the reliability of cognition may be reduced, and

where therefore the actions may constitute a source of risk.

3. Provide an appraisal of the consequences of human performance on system safety, which

can be used in PRA/PSA.

4. Develop and specify modifications that improve these conditions, hence serve to increase

the reliability of cognition and reduce the risk.

CREAM uses a model of cognition, the Contextual Control Model (COCOM). COCOM focuses

on how actions are chosen and assumes that the degree of control that an operator has over his

actions is variable and also that the degree of control an operator holds determines the reliability

of his performance. The COCOM outlines four modes of control, Scrambled control,

Opportunistic control, Tactical control and Strategic control. According to Hollnagel (1998)

7

when the level of operator control rises, so does their performance reliability.CREAM technique

provides quick assessment of HEPs. The HEPs are determined based on the combination of PSF

states. There are nine PSF states defined in the model. The model gives four (error modes

defined by COCOM) HEP ranges.

The CREAM technique uses a classification scheme consisting of a number of groups that

describe the phenotypes (error modes) and genotypes (causes) of the erroneous actions. The

CREAM classification scheme is used by the analyst to predict and describe how errors could

potentially occur. The CREAM classification scheme allows the analyst to define the links

between the causes and consequences of the error under analysis. Within the CREAM

classification scheme there are three categories of causes (genotypes); Individual, technological

and organizational causes. These genotype categories are then further expanded as follows:

1. Individual related genotypes – Specific cognitive functions, general person related

functions (temporary) and general person related functions (permanent).

2. Technology related genotypes – Equipment, procedures, interface (temporary) and

interface (permanent).

3. Organization related genotypes – communication, organization, training, ambient

conditions, working conditions.

Extended CREAM method, as the name suggests is an extension of the CREAM model. Just

as in the CREAM it has nine PSFs with defined states. It defines four human cognitive functions,

Observation, Interpretation, Planning, and Execution. It defines fifteen Cognitive activities that

are involved in HEP estimation. There is a confidence bound on the HEP available for each

cognitive function and the respective state of the cognitive activity. Finally effect of the PSF

state is applied to the HEP, which provides the effective HEP. The details are of steps are

discussed in section 3.

ATHEANA [18] is a second-generation tool, which is described as a method for obtaining

qualitative and quantitative HRA results. The premise of the method is that significant human

errors occur as a result of “error-forcing contexts” (EFCs), defined as combinations of plant

conditions and other influences that make an operator error more likely. It provides structured

search schemes for finding such EFCs, by using and integrating knowledge and experience in

engineering, probabilistic risk assessment (PRA), human factors, and psychology with plant

specific information and insights from the analysis of serious accidents. The tool can be used for

both retrospective and prospective analyses. Main reasons for developing ATHEANA were:

Human events modeled in previous HRA/ PRA models were not considered to be

consistent with the significant roles that operators have played in actual operational

events

The accident record and advances in behavioral sciences both supported a stronger focus

on the contextual factors, especially plant conditions, in understanding human error

Advances in psychology were integrated with the disciplines of engineering, human

factors and PRA in modeling human failure events.

8

IDAC [17] (Information, Decision, and Action in Crew Context) is another second

generation method which is a model of human error developed based on cognitive and

behavioral sciences, human factor findings, and field data and observations. This method models

an operator’s natural problem solving skills. It uses cognitive responses, information processing,

diagnosis, and decision making. It considers influences of PSFs on the task. PSFs being internal

(personal traits and skill level etc.) and external PSFs influenced by the organization,

environment, working conditions etc. Finally this technique predicts operator responses through

explicit qualitative and quantitative rules.

A new HRA method for aviation safety called ASHRAM has been developed [27].

ASHRAM is used to predict plausible aviation-accident scenarios before they occur. An

underlying premise of ASHRAM, is that many significant human errors can occur as a result of a

combination of situational factors, or “error-forcing context” that can trigger cognitive ‘error

mechanisms’ in personnel which can lead to the execution of unsafe acts. The method allows

aviation researchers to analyze accidents and incidents retrospectively, by answering questions

and filling in forms, or prospectively, by systematically generating families of plausible

scenarios based on a small set of initiators. ASHRAM can be utilized by a variety of researchers,

modelers, analysts, trainers, and pilots with a variety of backgrounds. ASHRAM is yet to be

validated and refined. It is hoped that it will be the tool for aviation safe and human reliability

analysis.

As explained in all the second generation methods, they consider the human behavior and

individual characteristics more than what the first generation methods have considered. Most of

the methods are computationally intense and the validation process is still ongoing.

Application of HRA in Aviation

Literature survey indicates that there have been several efforts in organizing the post

accident data bases to be used for HRA analysis [4]. There have studies done on identifying

theoretical frame work in the aviation industry [25] [24] [23]. Most of the methods have

originated from the nuclear industry and therefore provides the knowledge that can be applied to

another domain. Efforts have been made in this study utilize the methods discussed above in the

context of the landing of aircraft. Attempt will be made to explain the advantages and limitations

of the methods selected to do the analysis.

9

Section 3

Methods

The discussion in this section covers the proposed approach for solving the problem as listed in

Section 1. The following subsections will explain the development of the theoretical framework, task

analysis, identification of unsafe acts, the associated performance shaping factors, HRA method selection,

data collection options, proposed data analysis methods, and risk mitigation strategies. As a case study the

NTSB Accident Report Number: AAR-12-01 is used to illustrate the development of the theoretical

framework. Later the theory is generalized to any situation within the frame work to analyze the human

error.

Development of the Theoretical Framework The theoretical framework is developed with reference to the accident report NTSB Number

AAR-12-01. However, one can see going down the section, that the theory can be extrapolated to a

generic scenario. The task analysis done in the section shows how the theory built on a specific situation

is explains the human error.

Explanation of the Human error that occurred as per report NTSB Number: AAR-12-01.

The explanation of the human error that occurred is based on the Aircraft Accident

Report,” Runway Overrun American Airlines Flight 2253 Boeing 757-200, N668AA”. On Dec

29th 2010 American Airlines flight 2253, ran off the departure end of the runway and came to a

stop in deep snow after landing at the Jackson Hole Airport, Wyoming.

The probable cause of the failure was a defect in the clutch/brake mechanism. The Overrun could

be avoided by human intervention, which was not done and hence resulted in the incident. The

details are as follows:

In charge of the flight was captain and the first officer with specific responsibilities i.e. Pilot-

monitoring and Pilot-flying responsibilities from workload management perspectives.

The timing of the landing gear deployment just after touchdown coincided (rare situation)

with the deployment of thrust reversers. The mechanical and hydraulic interaction led to

locking the reverse thrust process.

The automatic speed brakes should have been deployed, but it failed to deploy. (Mechanical

defect)

Either of the pilots could have deployed the speed brakes manually, but they were distracted

by the abnormal event of the locked thrust reversers and hence were trying to resolve it.

Meanwhile the captain who was assigned the responsibility of monitoring took over flying

responsibilities, deviating from the pilot-flying/pilot-monitoring responsibilities during the

landing roll. This further resulted in the non-deployment of the speed brakes, remain

unnoticed.

In summary 3 major issues resulted in the incident, which are human related:

10

Distraction and confusion due to an abnormal event. In the process unintentionally missing

the non-deployment of automatic speed brakes, and therefore failing to manually apply speed

brakes.

Deviating from the workload management guideline, due to possibly hierarchical

relationship, and/or self-efficacy which led the captain taking over flying vs. monitoring.

This may have contributed to the situation negatively, i.e. not observing the failure of the

deployment of speed brakes.

Technique for handing the situation of locked of thrust reversal was available but neither of

the pilots was aware of it. Hence there was an evidence of lack of training and skill level.

Theories under consideration that explain the human error

Within the context of aviation there are primarily five different perspectives impacting

human error; cognitive, ergonomics and systems design, aeromedical, psychosocial, and

organizational [6]. This project focuses on the cognitive-related error of the pilot during landing

operation. The following theories are studied to establish a theoretical framework for analysis.

Divided Attention:

Landing the aircraft can be considered a very routine task for the pilot. The

unique/abnormal event that resulted initiated by a mechanical fault ended up being a distraction

for the pilots and drove the focus to troubleshoot the event versus apply the speed brakes

manually to land and stop the plane in a timely manner. There was a warning of the automatic

speeds brakes not deployed, but the distraction due to locking the reverse thrust process, led to

the pilots not noticing the warning indicator.

Self-Efficacy:

It is also suggested, that the captain took over from the first officer. The motivation could

have stemmed from his belief that he could handle the abnormal event better than the first

officer. However, it can be speculated that if he had continued to perform is primary job of

controls, he may have noticed the malfunction of the automatic brakes and would have manually

applied the brakes and averted the failure.

Rasmussen’s (SRK) theoretical foundation of human error:

Rasmussen provides a skill-rule-knowledge based theoretical framework to explain

occurrence of a human error. The terms skill, rule, and knowledge is referred to the degree of

conscious control an individual can have over his task. Skill based operation is to perform a task

in a highly skilled manner, almost with no conscious monitoring. For example a highly

experienced and skilled pilot performing a landing operation on an aircraft with no abnormality.

Rule based is application of rules learned during training, apprenticeship, school, or based on

experience and consciously applying to a situation at hand. For example setting up the controls

and parameters for landing is a rule based approach where the pilot prepares for landing after

review of the existing parameters for the operation. Therefore, rule based actions are those in

which the human applies the rules “IF-THEN” …“ELSE”… to a situation. Rule is more of a

packaged behavior for the situation. Rule based actions fall between the Skill and Knowledge

11

modes. Knowledge based actions are a results of 100% conscious efforts to address a situation

that is completely unfamiliar. These actions can be slow as the operator would like to review the

feedback of actions taken before the next step. This could have been the situation the pilot may

have faced as they were encountering a completely novel situation for which they were not

trained. This state mandates improvisation in unfamiliar environments with no routines or rules

available for guidance.

The common errors in the skills based actions are mostly due to strong habit intrusions

and situational changes that do not trigger the need to change habit. Rule based errors mostly

occur when a rule learned over the past situations are either not invoked, or invoked but applied

incorrectly or invoked but applied to a wrong situation. In the knowledge based errors the

operator faces a new and totally unfamiliar scenario. Lack of knowledge of “what to do?”

experience, overload of information, and lack of awareness of the consequences is what usually

causes an error.

Extension of Rasmussen’s SRK Theory by Reason [28]

Reason formulated the GEMS approach or The Generic Error Modeling Systems through the

extension of Rasmussen’s SRK model. He proposed that several levels of processing may occur

within the same task. Zooming in would indicate the substantial impact of factors that may look

trivial from a high level analysis. Reason’s theory suggests that the human cognition keeps

moving from the level of Skill based mode to Rule based mode to Knowledge based mode while

doing the same task based on the familiarity of a situation he may encounter. In the accident

being considered, the pilot would have been in the skill-based mode while preparing for landing,

and progressed to rule based while setting up parameters for landing for example moving to a

speed required for landing and the corresponding altitude etc. While deploying the landing gears

and the occurrence of the unique abnormal event they would have moved to the knowledge

based mode and would have taken actions to get the process in control and a mistake, slip or

violation may have resulted in the accident.

To develop further on Reason’s theory, errors occur based on the following figure and the

figure below explains how the theory can be applied to the situation at hand.

12

Two Forms of Human Error

Errors Violations

Slips Mistakes Routine Does not follow procedure as it no longer relevant to the task

Exceptional Under the direction of a supervisor to handle a unique situation Captain Take over the operations in spite of the specific responsibilities of the Captain and First Officer

Misapplied competence SKILL BASED Warnings on the automatic brakes go un-noticed due to confusion

Failure of Expertise RULE BASED Failure to apply the speed brakes manually.

Lack of Expertise KNOWLEDGE BASED Failures to trouble shoot the lock reverse thrust due to lack of training.

Figure1. Reason’s Theory to Human Error

13

Theory Interactions

The above theories interact as shown in the figure below:

The figure above explains how the theories selected for the analysis interact and explain

the error in the case study. The stimulus to the pilots was the warning signal and the event of

locking the reverse thrust which was initiated by a mechanical defect. The occurrence of this rare

event which was very unique, and the pilots were not trained on handling such a scenario, this

resulted in dividing their attention and troubleshooting locked reverse thrust seemed more

important. But they were not trained on this issue and could not effectively apply the knowledge.

Moreover the self efficacy of the Captain led to his taking charge and this resulted in further

missing the action of manually applying the brakes to prevent the error to happen. As mentioned

earlier in the document, the lack of knowledge in error management focus led to this mishap.

Although the above theoretical framework has been build using a very specific accident

report, the theory can be generalized to the tasks that require high level of cognition as a pilot

Stimulus

Warning that the automatic brakes aren’t applied

The reverse thrust locked

Distraction due to Divided Attention

Distraction due to Self Efficacy

SKILL

Strong habit intrusion

Selective Attention

RULE

Wrong Rule

Correct Rule Applied Inappropriately

SKILL

Unfamiliarity results in confusion and inability to control

Overload of information to process

Figure 2. Theory Interaction and Explanation of Error

14

and co-pilot flying an aircraft. In the following sections, it has been discussed in detail about the

impact of the divided attention and self efficacy on the occurrence of human error in a generic

situation that could be face during landing the aircraft. Also Rasmussen’s SKR theoretic

foundation and Reason’s GEMS approach helps understanding the theoretical background for

human error occurrence. The following explains the detailed tasks to be accomplished by the

pilot and co-pilot in completing the landing mission.

Task Analysis

The Boeing aircraft is equipped with computerized cockpits, where the pilots received all

their system information and alarms about the state of the aircraft from deck displays. The

display panels provide wealth of information like warnings, situation parameters etc. There is

instrumentation supporting the operations and ATC support too. The landing operation requires

multiple sequential and non-sequential tasks to successfully close the mission. The interaction

with technology, crew members (pilot and co-pilot), and ATC does result in human errors that

have resulted in accidents over the past 50 years. This document analyzes the task of the pilot

and the co-pilot performing the landing operation. As mentioned earlier, the focus is on

navigation system interaction during landing.

Overview of Landing Procedure Boeing 757-200

The most critical phases to landing are 1) Preparation for Landing (Descent) 2) Approach, 3)

Landing. Approach is the most complex and significant phase to complete a successful landing

operation. The task analysis presented below considers the phases of Approach and Landing as

the crucial parts of the navigation system analysis for a landing operation.

Descent: “Top of Descent Point”, is the altitude at which the descent starts. Guidelines for the descent rate

are available in published procedures and the pilot manually or by using autopilot descends to

the Approach Phase.

Approach Phase: This is the most complex phase. Missed approach is a situation when the pilot is unable to

meeting the requirement on speed, altitude, timing, and location for landing and hence the

aircraft needs to climb up and then reattempt Approach. Missed approach occurrence is rare

among professional pilots. Even though rare it is still considered as a part of normal phase of

flight because pilots prepare for it each time they fly an approach. The approach phase begins at

the bottom of descent and ends at main wheel touchdown in the landing phase. The purpose of

an approach is to transition the aircraft in a carefully prescribed manner from typical

intermediate altitudes after descent to a position, speed and configuration from which the pilots

can land their airplane. During the approach, pilots normally follow published approach

procedures, which designate mandatory courses, altitudes, and oftentimes speeds to a particular

runway. Published approaches safely and expeditiously guide arriving aircraft into an airport by

keeping aircraft away from high terrain, obstacles (e.g., radio antennas), aircraft departing from

15

the airport, the approaches to other runways, and traffic patterns from nearby airports. Published

approaches are most useful when visibility is poor because they enable the pilots to find the

runway when they would not be able to otherwise. ATC gives permission, or clearance, to fly a

specific approach, which is normally based upon weather, wind, and traffic conditions. There are

mainly four types of approaches, Visual (when it is daytime and good weather with good

visibility), ILS (Instrument Landing System), Area Navigation (RNAV), and (SVS) Synthetic

Vision System. From Task analysis from human error perspective, all four types have very similar

content in terms of tasks involved. However, the task analysis presented below refers to ILS aided

approach landing.

Landing: The final phase is when aircraft touches the ground. Deceleration is applied via the use of reverse

thrust and spoilers. The reverse thrust is cancelled after speed reduces to 60 KIAS. The spoilers

continue to be extended. Brakes applied after substantial speed reduction. The aircraft is now

ready for taxi to ramp.

Detailed Task Descriptions and Task Analysis

Subsequent to the cruise and descent phases the operation transitions to the approach

phase. The approach is toward landing at a specific airport. Therefore, the approach is the

portion of the flight during which the pilots fly the aircraft into the appropriate location,

attitude, and configuration to land. For both manual and automated flight, this involves

incrementally slowing to landing speeds, descending to appropriate altitudes for landing, and

aligning the aircraft with the runway such that the landing can be executed at the correct attitude

and correct speed, within the appropriate runway touchdown zone. The maneuvers performed by

the crew for both the approach and landing must be within the limitations of the aircraft, the

procedures of the airline, and the requirements of ATC, while ensuring the safety and comfort of

any passengers.

During the approach, the pilots make a series of speed reductions and wing flap deployments

in order to maintain the necessary pitch window and descent rate of about 300 feet per mile (3

degrees) to land at the correct speed. Landing at too fast a speed requires too much wheel brake

and reverse thrust energy to stop the aircraft; landing at too slow a speed risks stalling the

aircraft and crashing. Slowing to landing speed requires the use of flaps to maintain pitch

tolerances. Without flaps, the pitch has to be too high (nose up) to be safe at the slower landing

speeds, and again risks a stall. Also, as flaps are lowered, the pilots maintain certain speed

ranges to avoid over-speeding the flaps or flying too slow for that increment of flap setting. A

minimum flap setting is a function of the weight and airspeed of the airplane, so that, as the

airplane slows toward landing speed at a given weight, progressively greater flap settings are

required.

Sequential Task Analysis

The task analysis detailed below if primarily a PTA with components of CTA incorporated

at each sequential step. Each step below has a fairly detailed description of the task followed by

16

the combination of the PTA-CTA associated with the task. PTA is selected in this case because

the tasks are procedural, but several of the tasks do require decision making steps which warrant

an addition of the CTA component.

1. Communicate with ATC: When the crew communicates with ATC, it is either initiated

by the crew or in response to communication from ATC. Contact initiated by the crew

usually takes the form of an identification call or a request for clearance or information.

Responses usually involve reading back ATC instructions or providing requested

information (such as present speed). Voice communication requires the PNF (Pilot

control of flying) to press one of the microphone (“mic”) buttons on the yoke or on the

center console while speaking into the PNF's headset microphone. To end a radio call,

the PNF releases the “mic” button.

2. Set Radio Frequencies: The two radio control panels on the center pedestal between

the two pilots allow for two communication radio frequencies to be selected. A toggle

switch on the panel allows the crew to switch from one frequency to another. During the

approach, the crew uses the approach control frequency. At or near the FAF, the PNF

flips the switch to select the tower frequency.

3. Engage Automated Flight Control: Arming the approach mode, and engaging the auto-

throttles and an autopilot, is how the PF (Co-pilot) selects automated flight control.

These selections enable the autopilot to fly the localizer and glide slope until the pilots

take manual control. If the PF does not choose automated flight, then the PF must follow

the ILS guidance pointers or flight director to maintain the correct lateral and vertical

paths. Arming the approach mode requires pressing the approach mode button labeled

APP (Approach) on the MCP (Mode Control Panel); selecting an autopilot requires

pressing the selected button, also on the MCP.

17

4. Maintain Airspeed: Maintaining airspeed requires looking at one of the two airspeed

indicators. The indicators include movable markers along the outside of the dial called

bugs that are set to reference speeds during approach preparations. The pilots set the

bugs using checklist-like charts that list the target airspeeds for given aircraft weights

and flap settings. The bugs are memory aids, since the correct speeds change from flight

to flight with aircraft weight. The PF refers to the bugs to set the MCP speed during

automated flight; the auto-throttles maintain the set speed. Setting the speed requires

turning the speed dial until the desired speed is indicated by the digital display.

Verifying that the correct speed has been set requires looking at this display.

5. Set Flaps: The flaps are usually set by the PNF. The flap lever slides into a detent for

each available flap increment (1, 5, 15, 20, 25, and 30 degrees). During approach, the

PNF (usually) moves the lever to the next appropriate position when called for by the PF.

Pilots may also feel the position of the flap lever with their throttle hand to check if the

lever is settled into the correct detent.

18

6. Monitor Localizer and Glide Slope: As the approach continues under automated flight,

both pilots monitor their PFDs (Primary Flight Display) to ensure proper following of

the localizer and glide slope signals. They also monitor the FMAs (Flight Mode

Annunciator) and MCP (Mode Control Panel) to ensure that the correct modes are

engaging after being armed.

7. Lower Landing Gear: Lowering the landing gear requires moving the landing gear lever

all the way down. The gear lever requires only one hand to pull the lever out slightly and

then push it down. Verifying that the gear is locked down requires looking at the three

indicator lights directly above the landing gear lever. The lights are positioned in a

triangle (nose, left and right gear). If all three lights are green, then the landing gear is, in

pilot terms, down and locked. Both pilots check the gear lights, usually after they hear the

gear lower into position with a distinct "thunk" sound, to be sure the gear are down and

locked.

8. Arm Speed Brakes: The speed brakes are controlled using a lever on the left side of the

throttles. The lever is moved back (aft) to deploy the speed brakes (or spoilers), which are

panels on the top of the wings that spoil the lift of the wing and allow the aircraft to

descend faster or slow down more quickly. The speed brakes also work automatically

upon touchdown of all landing gear to slow the aircraft. In the forward position, the

lever is in a detent indicating that the speed brakes are stowed (i.e., flush with the wing

19

surface). The next aft setting is the armed position used for automatic deployment during

the landing roll. Beyond that, the lever can be moved farther aft to vary the amount the

spoiler panels are raised. Pilots use varying spoiler positions depending upon how

quickly they wish to decelerate. To verify that the speed brakes are armed for landing

during the final approach segment requires the pilot to look at the lever position, and to

sometimes use one hand (again, the throttle hand) to feel that the lever is in the armed

detent. The speed brake lever is easier to reach from the left seat, since it is left of the

throttles. Deploying the speed brakes from the right seat, if the FO is the pilot flying,

requires the FO to reach around the throttles.

9. Set Missed Approach Altitude: The missed approach altitude is the altitude to climb to

in the event of a missed approach and is given on the approach chart. Setting this missed

approach altitude requires using the altitude knob on the MCP to dial the correct

altitude. Typically, the PF sets this altitude, which must be done after glide slope

intercept, and the PNF verifies it.

10. Monitor Altitude below 2500 Feet AGL: The reading for the radio altimeter is on the

PFD just below the decision height (DH) reading. The PNF calls out AGL (Altitude

above Ground Level) altitudes, typically at 1000 and 500 feet, to denote the standard

stabilization gates. Both pilots check for the aircraft being within stable approach

parameters. The PNF also calls out "Approaching decision height" (usually 100 feet

above) and "Decision height" if the PF has not yet indicated that the runway is in sight.

20

11. Before Landing Checklist: Before Landing Checklist is a sequence of steps that are

executed by the PNF which are designed to verify that certain critical tasks have been

completed prior to landing. Each step is called out by the PNF and an associated check is

done. Depending on the airline, the PF is not required to verbally respond to any of the

checks as they are the duty of the PNF. However, the PF will usually follow along with

the checks and verify each one as the PNF reads through the list. Most airlines require the

landing checks to be done by reading the steps from the checklist card, rather than from

memory, to avoid missing any critical item.

12. Turn on Landing Lights: The controls for the landing lights are three switches (for left

wing, right wing and nose gear lights) on the middle overhead panel. The PNF turns the

landing lights on while accomplishing the Before Landing Checklist, if not sooner. The

lights are required to be on, unless using them is distracting (when, for example, it is

night in the clouds and the reflected light would harm the pilots' night vision).

21

13. Monitor Descent Rate: The descent rate is determined by looking at one of the two

vertical speed indicators, which are analog dials showing the vertical speed in feet per

minute. For a typical precision approach and Boeing 757 ground speeds, the vertical

speed should be about 700 feet per minute to fly the desired glide path.

22

14. Disengage Autopilot: The PF disengages the autopilot via the MCP or by using a button

on the control yoke when he or she decides to fly the aircraft manually. Prior to

disengaging the autopilot, the PF will put both feet on the rudder pedals and place his or

her hands on the yoke and throttles. Once the PF is ready to assume control, he or she

will press the yoke button with his or her thumb. Or the PF may ask the PNF to press the

MCP disengage bar, or do so himself or herself. A cockpit alarm sounds as the autopilot

disengages. If the PF uses the yoke button to disengage the autopilot (which is the

typical method), then the PF presses that button again to silence the alarm.

15. Fly Manually: Manual flight by the PF requires both hands, both feet, and visual scans

of the instruments and out the front window. It also requires some attention to the radio

and PNF who may call out information that the PF needs to know. Scan patterns vary

from pilot to pilot, but most pilots spend roughly equal time looking out the window, and

looking at the PFD and surrounding instruments during final approach. If visibility is

poor, the PFD is the primary focus. The PF makes constant minor adjustments to

maintain runway alignment, wings level, on speed, and the desired descent rate using the

yoke, rudder pedals and throttles.

16. Flare: The flare follows the final phase and precedes the touchdown and roll-out phases

of landing. To flare the aircraft, the PF gradually pulls on the yoke when over the runway

to bring the pitch up to the landing attitude, while reducing the thrust to idle on both

engines. The flare also requires the PF to keep the wings level and the airplane aligned

with the runway centerline while permitting the airspeed to decrease to touchdown speed

(usually about 5-10 knots below final approach speed). An ideal flare to touchdown

occurs when the pitch reaches the desired angle and the engines reach idle thrust as the

main landing gear simultaneously contact the runway.

23

17. Touchdown: Upon touchdown, spoilers (sometimes called "lift dumpers") are deployed

to dramatically reduce the lift and transfer the aircraft's weight to its wheels, where

mechanical braking, such as an auto-brake system, can take effect. Reverse thrust is used

by many aircrafts to help slow down just after touch-down, redirecting engine exhaust

forward instead of back. After the speed reduces to 60 KIAS the reverse thrust is

cancelled. Spoilers are extended and the aircraft to brought to a stop by application of

brakes.

Non-Sequential Tasks

The non-sequential tasks explained below are presented as an HTA-CTA. HTA has been chosen

as the tasks are done at the same hierarchical level, however does require CTA components in

order to comprehend the observations and take necessary steps to stay on track and meet the

goal.

1. Monitor Flight Path and Progress: This task is periodically performed by both

crewmembers throughout all phases of flight. The task primarily involves scanning the

instruments to ensure that the aircraft has not deviated from the expected path, altitude,

airspeed and overall flight plan. Looking at the ND (Navigation Display) allows the

pilots to determine if the aircraft is on the desired flight path, as programmed into the

FMS (Flight Management System). Looking at the PFD (Primary Flight Display) and its

FMAs allow the crew to verify that the aircraft is in the prescribed attitude and that the

automated flight systems are functioning normally. Pilots mainly look out the windows,

if visibility is good, to verify the correct airplane attitude. Other displays such as the

vertical speed indicator allow the crew to monitor the progress of various changes or

determine that unexpected changes may be occurring.

2. Double-Checks and Verifications: Throughout the approach and landing process both

pilots check and double-check the accuracy of settings that include altitude, speed, and

flaps. Sometimes these checks require consulting a reference such as the speed versus

24

flaps settings based on the weight of the aircraft. Other times the same steps are done so

frequently that the crew has expectations of what the settings will be. In these cases

double-checks are more of a mental process of determining if an expectation has been

violated. For example, if the PNF is expecting a particular flap setting and the PF asks for

a different one, the PNF would query the PF to determine the reason for the difference.

3. Monitor the Radio: This task involves listening for communications on the current

radio frequency. Auditory information is received through the ear piece, headphones, or

cockpit speaker. The information may include specific communications from ATC

directed at the crew, or communications between ATC and other aircraft. This

monitoring task requires no workload when there is no communication traffic on the

frequency because there is no information available to monitor. Attention is directed to

the radio when the pilots initiate a transmission or when attention is drawn by

communications on the radio. When communications do occur, the crew quickly

determines if the information is directed at them based on their call sign (e.g., NASA-113

may be the reference name for a particular aircraft). They also quickly determine if the

communication is coming from ATC or from another aircraft. When the radio call is for

the crew, they will closely attend to the information - even writing down clearances to

ensure accuracy. The pilots also monitor communications between ATC and other

aircraft because it helps them anticipate what ATC may direct them to do and how ATC

is managing the airspace, especially during the approach phase. ATC calls to them will

either confirm their expectations regarding approach and landing clearances, or require

them to make some sort of change. Listening to communications from ATC to other

aircraft helps the crew build a mental picture of where they are in the airspace relative to

the other aircraft and provides them with an idea of what to expect as they get closer to

the airport. The pace of radio communications will vary depending on a variety of factors

including the weather and the quantity of aircraft approaching the airport. At its worst,

the calls on the radio can be continuous as ATC and flight crews initiate calls and

respond to each other, which require some level of constant attention by the pilots. At

such times, it can be difficult to find a break in the communication flow to initiate a

call. It is not unusual during such situations for multiple aircraft to "talk over" each other

at the same time, which adds to the confusion and hectic tempo.

4. Monitor Aircraft Systems: This task is periodically performed by both pilots throughout

all phases of flight. The status of all of the different aircraft systems can be checked using

several different cockpit displays. Checking such displays helps the crew verify that the

aircraft systems are operating within normal tolerances. These displays are also used to

determine the nature of a malfunction, if one occurs. The system displays include alert

flags, problem annunciators, and alarm tones for the most serious malfunctions, all of

which draw the pilots' attention if a problem occurs. Consequently, the scan of these

instruments in the absence of flags or alarms is infrequent.

25

Figure 3 Non-Sequential Task Analysis

Unsafe Acts and the respective performance shaping factors The following table breaks the tasks described above into sub-tasks and the respective unsafe acts that

could result based on the theories under consideration. The SKR and GEMS are used to classify the

errors.

Sequential Tasks

SN Task SN Unsafe Act SN Theory SN Reason Error

Classification

SN PSF

1.0 Communication

with ATC

1.1 Seek Clearance –

Comprehend

information

1.1 Impatience 1.1

Divided

Attention due

to inability to

comprehend

information

due to cultural

difference/lan

guage

1.1 Mistake: Failure

to have exposure

to diversity

especially flying

in foreign air.

(Lack of skill)

1.1 Skill Level

26

2.0 Set Radio

Frequency for

communication

with ATC

2.0 Incorrect

selection of

radio

frequency

2.0 Divided

Attention

2.0 Mistake due to

lack of training.

1.1 Skill Level

3.0 Engage

Automatic Flight

Control

3.1 Select Autopilot

or Seek ILS

guidance if flying

manually

3.1 Assume

Autopilot

ON when it

is OFF.

Does not

notice

3.1 Divided

Attention

3.1 Slip (Unintended

Violation due to

being preoccupied

or distracted)

3.1 Fatigue

4.0 Maintain Air

Speed

4.1 Read Indicators 4.1 Read

incorrectly

4.1 Divided

Attention

4.1 Slip (Failure of

applying

expertise; Rule

Based)

4.1 Fatigue

4.2 Refer Checklist

for target speed

4.2 Not refer

Check List

4.2 Self Efficacy

(Over

confidence)

4.2 Routine Violation 4.2 Attitude

4.3 Set MCP speeds

based on

checklist

4.3 Not refer

Check List;

set wrong

speeds

4.3.1

4.3.2

Divided

Attention

Self Efficacy

4.3.1

4.3.2

Routine Violation

Routine Violation

4.3.1

4.3.2

Fatigue

Attitude

and

Personality

4.4 Auto throttle and

maintain set

speed

4.4 Skip Step 4.4 Divided

Attention

4.4 Slip 4.4 Fatigue

4.5 Verify correct

speed

4.5 Skip Step 4.5 Divided

Attention

4.5 Routine violation 4.5 Attitude

5.0 Set Flap

5.1 PF Calls out flap

positions and

PNF sets

positions

5.1 Lack of

Co-

ordination

5.1 Self Efficacy

on part of

either

5.1 Routine Violation

due to lack of

reason to follow

directions because

of overconfidence

in oneself

5.1 Attitude

5.2 PF verifies the

indent of flaps

5.2 Skip Step 5.2 Self efficacy 5.2 Routine Violation

due to lack of

reason to follow

directions because

of

overconfidence.

5.2 Attitude

6.0 Monitor

Localizer and

glide slope

6.1 Monitor signals 6.1 Fails to 6.1 Divided 6.1 Slip 6.1 (Abnormal

27

on PFD monitor

PFD

attention situation)

Training in

handling

situations

6.2 Monitor MCD

for correct mode

Fails to

monitor

MCD

6.2 Self efficacy 6.2 Routine Violation 6.2 Attitude

7.0 Lower Landing

Gear

7.1 Move gear lever

down and verify

locking

7.1 Fail to

verify

7.1 Self Efficacy 7.1 Routine Violation 7.1 Attitude

8.0 Arm Speed

brakes

8.1 Set Spoiler

positions and

verify

8.1 Fail to

verify

8.1 Divided

Attention

8.1 Slip while trouble

shooting unique

situation

8.1 Lack of

Training in

handling

unique

situations

9.0 Set missed

approach altitude

9.1 Set missed

approach altitude

and verify

9.1 Fail to

verify the

altitude

9.1 Self Efficacy 9.1 Routine violation 9.1 Attitude

10.0 Monitor Altitude

below 2500 ft

10.1 Both officers to

follow

procedures and

verify altitudes

10.1 Skip

procedure

10.1 Self Efficacy 10.1 Routine violation 10.1 Attitude

(overconfi

dence)

11.0 Follow before

landing checklist

11.1 Both officers

review checklist

and verify

settings

11.1 Skip Steps,

rely on

memory


(overconfi

dence)

12.0 Turning on

Landing Lights

12.1 Turn on landing

lights when

required.

12.1 Not turning

on lights

when

required.


13.0 Monitor descent

13.1 Scan indicators,

analog dials,

speeds etc.

13.1 Omitting

and/or Not

carefully

observe all

readings

13.1 Divided

Attention

13.1 Slip due to

overload of

observations

13.1 Fatigue

14.0 Disengage Auto

Pilot

28

14.1 Follow procedure

before

disengaging

autopilot.

14.1 Skip Steps 14.1 Divided

Attention

14.1 Slip due to

overload of

information

14.1 Fatigue

14.2 Disengages

Autopilot and

verifies


Attention

14.2 Mistake due to

divided attention

because of unique

event.

14.2 Training

15.0 Fly Manually


of manual flying

15.1 Not

focused

15.1 Divided

Attention


and/or

abnormal

event

15.2 Attention to

Radio

15.2 Not

focused

15.2 Divided

Attention


and/or

abnormal

event

15.3 Scan displays

verify displays

15.3 Not

focused

15.3 Divided

Attention


and/or

abnormal

event

16.0 Flare


to make

adjustments and

orientation of the

aircraft for

landing.

16.1 Not

focused

16.1 Divided

Attention


and/or

abnormal

event

17.0 Touchdown

17.1 Deploy Spoilers,

verify Auto

Brakes

deployment, and

reverse thrust

17.1 Not

focused

17.1 Divided

Attention

17.1 Slip/Mistake 17.1 Fatigue/

not

trained/

abnormal

event

17.2 Reduce speed

and apply manual

mechanical

brakes


Attention

17.2 Mistake not

adequately reduce

speed

17.2 Fatigue

and/or

attitude

Table 1 Task Vs Unsafe Act Vs PSF: Sequential Tasks

Non-Sequential Tasks

S.N Task S.N Unsafe Act S.N Theory S.N Reason Error

Classification

S.N PSF

1.0 Monitor Flight

Path

29

1.1 Monitor every

display of the

PFD and MCP

for correct path

1.1 Technology

complacency

1.1 Divided

attention

leading to

cognitive

dissonance


2.0 Verification

Process

2.1 Both Pilots

verify system

parameters and

working of the

displays.

2.1 Skip

Verification

2.1 Divided

attention


2.2 Verification

through

consultation

2.2 Lack of

Focus to

comprehend

2.2 Divided

Attention


3.0 Monitor Radio

3.1 Listen to

information

shared over the

radio

3.1 Lack of

focus

3.1 Divided

Attention

3.1 Slip 3.1 Excess

workload

3.2 Filter through

pertinent

information as

the

communication

can be from

other aircrafts.

3.2 Impatience 3.2 Divided

Attention


4.0 Monitor

Aircraft

Systems

4.1 Status of

various system

parameters

4.1 Technology

complacency

4.1 Divided

Attention

4.1 Routine

Violation

4.1 Abnormal

event

occurrence

4.2 Monitoring

displays for

Alerts and

system

malfunctions

4.2 Technology

complacency

4.2 Divided

Attention

4.2 Routine

Violation

4.2 Attitude/

Overconfidence

Table 2 Task Vs Unsafe Act Vs PSF: Sequential Tasks: Non-Sequential Tasks

30

Selection of PSFs and its pertinence to the tasks

It is suggested that the tasks could be grouped based on the following table to understand the

selection of PSFs based on the complexity of the unsafe act.

Category of Task Unsafe Act PSFs

Routine/ Tedious:

Tasks:1,2,3,4.12

Failing to observe

Not taking required steps

Fatigue, either due to the

nature of the task that is

routine and boring, or due to

long hours of flying and

tiredness.

Intermediate nature of task

(non-routine) Tasks: 5, 9

Deliberate Violations Personality, Attitude,

Overconfidence

Tasks requiring high Alertness

Tasks: 7,10,11

Failing to observe Excessive Workload, High

continual Flying Time, High

Stress

Tasks requiring very high

level of Alertness

Tasks 6,8,13,14,15,16, 17

Failing to observe Time Crunch, Knowledge

based (Rasmussen) mode

trying to trouble shoot

abnormal situation, High

Stress, and Time Crunch

Table 3 Classification of Tasks and their respective Performance Shaping Factors

The problem at hand requires categorizing the sequential tasks and the non-sequential

tasks based on the type of tasks. For very simple and routine tasks the occurrence of error,

technically should be very low as it will fall in the skill based mode (Rasmussen). However, the

fact that it occurs, says that it would be a result of a slip associated with fatigue and or tiredness,

long hours of flying and more time on a task. According to Gore [9], in aviation it has been

estimated that flight crews’ alertness levels are degraded approximately 15% of the time they are

on duty leaving them vulnerable to error. In addition, excessive time on task has been found to

negatively impact a human operator’s vigilance, and an inverse relationship is found between

hours of wakefulness and performance on critical tasks. For a task that is not routine, it is

assumed that the protocols/procedures are skipped deliberately due to personality issues like

attitude and overconfidence. Tasks requiring a high level of alertness may lead to error because

of excessive workload, cognitive overload, may be independent or be coupled with long hours of

flying, and high stress. The tasks that require very high levels of alertness mainly would fail

when there is an abnormal situation or event faced by the crew. It may be a serious failure and/or

that would need trouble shooting and hence would drive the attention away from indications that

may have been captured under a normal condition, which inadvertently would lead to failure.

Such a condition is usually coupled with high stress and time crunch that would add fuel to the

fire.

31

HRA Model Selection

Preliminary Treatment of the Task Analysis

Under this step the tasks are critically analyzed to look for obvious screening, recoverable

tasks and task dependencies. This cleans up the analysis done this far to understand the modeling

needs and hence be able to select a suitable method of modeling.

Preliminary Screening:

Before the selection of model to do the HRA, the tasks were scanned for exclusion of

tasks which were either have little or no effect on the error or could be restored. This was a

process of preliminary screening. Tasks 1 and 2 were thus eliminated. The tasks were also

reviewed for any recovery of the error using the PTA.

Evaluation of Task Analysis for Recovery:

The tasks were evaluated for recovery possibilities. Task 1 and Task 2 were assumed to

show complete recovery as language barrier can be mitigated by visual signs. Task 2 also shows

recovery as the frequency would continue to be adjusted until the communication is clear. Task

3 also shows a good possibility of recovery as the flight will not respond to manual commands if

the autopilot is not disengaged. Task 9 when the plot sets the missed approach altitude

incorrectly, the consequence will result in a missed approach again and hence allows room to

recover, second time around.

Evaluating Tasks for Dependencies

The sequential tasks were reviewed for task dependencies. The matrix below presents the

results. The “X” is marked in the matrix with the co-ordinates indicating the dependencies.

Dependencies are assumed as the task which will affected by the result of the task preceding it.

The task number is the SN associated with the task in the table above.

32

Task# 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

3

4 X

5

6 X

7

8 X

9

10

11

12

13

14 X

15 X

16 X

17

Table 4 Dependency Matrix

Evaluation of the HRA Methods

Some of the most commonly used first generation and second generation methods were

evaluated based on the following tables. Each table was used to answer a pertinent question on

the top of the table. The “red” marks the method meeting the problem requirements.

1. Question: Are generic or context/operator-specific tasks required?

Answer: Yes

Method Task Decomposition PSF (number) Coverage

1:Physical

2:Cognitive

3:Organizational

THERP Nuclear specific tasks 3+ 1,3

SPAR-H Diagnosis, Action 8 1,2, and 3

ASEP Diagnosis, Action Based on THERP 1 (limited), 2(limited),

3 (limited)

SLIM-MAUD Not Specified User Defined 1,2,and 3

ATHEANA Not Specified 38 1,2,and 3

CREAM 15 Generic Tasks 9 1,2,and 3

EXTENDED

CREAM

15 Generic Tasks 9 1,2, and3

33

2. Question: Is a screening method required?

Answer: Yes

Method Screening Primary Source for

HEP Estimation

HEPs for

specific error

modes

Explicit Treatment of Uncertainty

Bounds

Estimations Number

provided

by

method

Number

produced

by

Analyst

Task/Error

Dependencie

s

Recovery

THERP X X Detailed and

many

X X X

SPAR-H X Diagnosis and

Action

X X X

ASEP X X Diagnosis and

Action

X X X

SLIM-

MAUD

X Not Specified

ATHEANA X Expert

Judgment

X X X

CREAM X X 13 error

modes

X

EXTENDED

CREAM

X X 15 Cognitive

Activity

X

3. Question: What type of HEP Source is appropriate?

Answer: Both so the model can be validated


HEP Estimation

HEPs for

specific error

modes


Bounds

Estimations Number

provided

by

method

Number

produced

by

Analyst

Task/Error

Dependen

cies

Recovery


many

X X X


Action

X X X


Action

X X X

SLIM-

MAUD

X Not Specified

ATHEANA X Expert Judgment X X X

CREAM X X 13 error modes X

EXTENDED

CREAM

X X 15 Cognitive

Activity

X

34

4. Questions: Are there task/PSF Dependencies?

Answer: Yes


HEP Estimation

HEPs for

specific

error modes


Bounds

Estimations Number

provided

by

method

Number

produced

by

Analyst

Task/Error

Dependencies

Recovery


many

X X X

SPAR-H X Diagnosis

and Action

X X X

ASEP X X Diagnosis

and Action

X X X

SLIM-

MAUD

X Not

Specified

ATHEANA X Expert

Judgment

X X X

CREAM X X 13 error

modes

X

EXTENDED

CREAM

X X 15

Cognitive

Activity

X

5. Question: Is recovery necessary?

Answer: Yes


HEP Estimation

HEPs for specific

error modes


Bounds

Estimations Number

provided

by

method

Number

produced

by

Analyst

Task/Error

Dependen

cies

Recovery


many

X X X


Action

X X X


Action

X X X

SLIM-

MAUD

X Not Specified

ATHEANA X Expert Judgment X X X

CREAM X X 13 error modes X

EXTENDED

CREAM

X X 15 Cognitive

Activity

X

35

6. Question: Do uncertainty bounds need to be estimated?

Answer: Yes


HEP Estimation

HEPs for

specific

error modes


Bounds

Estimations Number

provided

by

method

Number

produced

by

Analyst

Task/Error

Dependencies

Recovery


many

X X X

SPAR-H X Diagnosis

and Action

X X X

ASEP X X Diagnosis

and Action

X X X

SLIM-

MAUD

X Not

Specified

ATHEANA X Expert

Judgment

X X X

CREAM X X 13 error

modes

X

EXTENDED

CREAM

X X 15

Cognitive

Activity

X

7. Question: What level of knowledge is required to do the analysis

Answer About 1 year

Method Knowledge Level Domain

HRA Specialist HRA specialist

with <1 year

experience

PRA Analyst

THERP X

SPAR-H X

ASEP X

SLIM-MAUD X

ATHEANA X

CREAM X

EXTENDED

CREAM

X

36

Based on the tables above the method selection/rejection logic is explained below:

THERP is based on specifics of operator tasks pertaining to nuclear industry. Since the

task under consideration are quite different from that of a nuclear plant, the method is not

preferred. Moreover, the first generation methods have limited consideration for human

behavioral issues.

SPAR-H and ASEP, being first generation models, have limited consideration on human

behavior. Also, the focus of both the methods is on Diagnosis and action, whereas the

problem at hand deals is not limited to Diagnosis and Action.

ATHEANA could be a candidate for the analysis method, the disadvantage being that it

requires an experienced and skilled HRA specialist. In most cases in the real world there

is a restriction on the training and hiring specialist specifically for a particular project.

CREAM PSF’s are very much in line with the ones identified in the project. However,

this model deals with 15 generic tasks lacking context.

Extended CREAM provides all the content CREAM, but works in the human functions of

Observation, Interpreting, Planning and Execution, which is appropriate to the landing

problem being discussed. If modifications are made to it to decompose the generic tasks

into more specific aviation related tasks, it could help develop an appropriate method for

the analysis. The decomposition of tasks to meet the problem needs, the expert opinion

elicitation as described in ATHEANA method could be borrowed.

Based on the points above the method proposed to be used in the study is EXTENDED

CREAM with modifications. The modified EXTENDED CREAM will be modified to use more

specific task decomposition that would match the aviation domain.

Data Collection Methods

There are several data collection methods available as discussed in literature. Some of the

ones most widely used are empirical, expert opinion elicitation, and using the existing databases.

A combination approach is suggested in this proposal. The steps for collecting the data are

described below:

In order to keep the study cost effective is strongly recommended to do an unobtrusive

research on the given scenario. This could range from accident reports, published

interviews of pilots after an event, articles from news papers, photographs and films,

pertaining to the problem. This will be effective from the standpoint that, it will help one

conduct the research without any intervention and the researcher can collect data for a

period of time and may see a causal relationship, establish patters etc. Since the

information or record already exists, it is cost effective too. This will help build a

platform on which the study would need to be built.

Rollout surveys and questionnaire to the pilots, organization (airliner), aircraft

engineers/designers, safety officers of the organization etc. The questionnaires will be

framed differently (for example the design of a particular display on the PFD is such that

it results in human error in reading (analog Vs digital); the pilot community being the

user can suggest their need whereas the designer’s response will be regarding why the

37

design is analog and not digital) so we can capture the various perspectives and be able to

incorporate in the model.

Invite team experts to across the community which is part of the study, for example the

way it is described in the ATHEANA method. Instead the stakeholders should be a part

of the aviation industry. Recommended team of experts should cover the following:

o An HRA analyst

o A PRA analyst

o Pilots

o Engineers

This team would generate a HEP with a confidence interval.

There are existing databases on accidents. Some of them a listed below:

o NTSB Aviation Accident/Incident database

o FAA Incident data system

o MARS Accident database of the JRC European Union and

o OSHA

There are several research papers are available which suggest reorganizing the existing

data bases in a way that can be used by the practitioner to estimate useful HEP. The advantage

here is the availability of a high volume of data, and if the data is effective queried substantial

information can be churned out to be an input to the analysis.

The above data collection process will complement each of the data collection methods

and hence the model will turn out to be more comprehensive compared to a situation where only

empirical method is used or just expert elicitation is undertaken. Also, this effort will generate

more data although in different forms, and will aide in establishing confidence interval, and even

validating the model. The proposed validation and confidence estimations are discussed in the

following section.

Data Analysis

Data analysis will be mainly based on the Extended CREAM method. The modification

as explained above is in the data collection process through expert opinion elicitation. This

would strengthen the model through generating a context focus to this otherwise generic model.

The Extended CREAM procedure is listed below:

1. Describe the task segment to be analyzed. This can be done on each of the four

classifications of tasks in Table 3.

2. Identify type of cognitive activity (15 activities)

3. Identify associated human function (Observation, Interpreting, Planning, and

Execution)

4. Determine Basic HEP: Match failure mode to type of Human Function and

Assign a basic HEP with uncertainty bound.

5. Determine the PSF effect on HEP

38

The Associated charts and the definitions that help the estimation of HEP are given below:

PSF PSF State Expected Effect on Reliability

Adequacy of Organization Very Efficient

Efficient

Inefficient

Deficient

Improvement

Not significant

Reduced

Reduced

Working Conditions Advantageous

Compatible

Incompatible

Improved

Not significant

Reduced

Adequacy of MMI and

Operational Support

Supportive

Adequate

Tolerable

Inappropriate

Improved

Not significant

Not significant

Reduced

Availability of Procedures and

Plans

Appropriate

Acceptable

Inappropriate

Improved

Not significant

Reduced

Number of simultaneous

Goals

Fewer that capacity

Matching Capacity

More than Capacity

Not significant

Not significant

Reduced

Reduced

Available Time Adequate

Temperately Inadequate

Continuously Inadequate

Improved

Not significant

Reduced

Time of Day Day Time

Night Time

Not significant

Reduced

Adequate Training and

Experience

Adequate, High Experience

Adequate, limited Experience

Inadequate

Improved

Not significant

Reduced

Crew Collaboration Quality Very Efficient

Efficient

Inefficient

Deficient

Improvement

Not significant

Not significant

Reduced

Table 4 Nine PSF of the CREAM and EXTENDED CREAM Model

The fifteen cognitive activities that are identified in the model are listed below.

1. Co-ordinate

2. Communicate

3. Diagnosis

4. Evaluate

5. Execute

39

6. Identify

7. Maintain

8. Monitor

9. Observe

10. Plan

11. Record

12. Regulate

13. Scan

14. Verify

The four cognitive functions are Observation, Interpretation, Planning, and Execution. The table

below is used to assess the uncertainty bounds of each of the four cognitive functions depending

on the cognitive type of error reported in the task analysis.

Cognitive

Function

Generic Failure Type Lower

Bound

Basic

Value

Upper

Bound

Observation O1: Wrong object observed

O2: Wrong Observation

O3: Observation not made

3.0E-4

2.0E-2

2.0E-2

1.0E-3

7.0E-2

7.0E-2

3.0E-3

1.7E-2

1.7E-2

Interpretation I1: Faulty Diagnosis

I2: Decision Error

I3: Delayed Interpretation

9.0E-2

1.0E-3

1.0E-3

2.0E-1

1.0E-2

1.0E-2

6.0E-1

1.0E-1

1.0E-1

Planning P1: Priority Error

P2: Inadequate Plan

1.0E-3

1.0E-3

1.0E-2

1.0E-2

1.0E-1

1.0E-1

Execution E1: Action of wrong Type

E2: Action at Wrong Time

E3: Action on Wrong Object

E4: Action out of sequence

E5: Miss Action

1.0E-3

1.0E-3

5.0E-5

1.0E-3

1.0E-3

3.0E-3

3.0E-3

5.0E-4

3.0E-3

3.0E-3

9.0E-3

9.0E-3

5.0E-3

9.0E-3

9.0E-3

Table 5 Uncertainty Bounds for the Cognitive Functions

Using Table 5 and the 15 cognitive activities a summary matrix needs to be created so the cells

with a possibility of failure, can be marked and the associated HEP is calculated and assigned to

the cell using the following equation:

𝐹𝑖𝑛𝑎𝑙(𝐻𝐸𝑃)

= 𝑃𝑟𝑜𝑏(𝑚𝑜𝑠𝑡 𝑙𝑖𝑘𝑒𝑙𝑦 𝑓𝑎𝑖𝑙𝑢𝑟𝑒 𝑓𝑜𝑟 𝑎 𝑔𝑖𝑣𝑒𝑛 𝑎𝑐𝑡𝑖𝑣𝑖𝑡𝑦 𝑚𝑜𝑑𝑒)𝑋 ∏ 𝑆𝑐𝑜𝑟𝑒(𝑆𝑡𝑎𝑡𝑒 𝑜𝑓 𝑃𝑆𝐹𝑖)

9

𝑖=1

40

The impact of the specific PSF on the HEP is shown in the table below:

PSF PSF State Type of Human Function

Observation Interpretation Planning Execution

Adequacy of

Organization

Very Efficient

Efficient

Inefficient

Deficient

1.0

1.0

1.0

1.0

1.0

1.0

1.0

1.0

0.8

1.0

1.2

2.0

0.8

1.0

1.2

2.0

Working

Conditions

Advantageous

Compatible

Incompatible

0.8

1.0

2.0

0.8

1.0

2.0

1.0

1.0

1.0

0.8

1.0

2.0

Adequacy of

MMI and

Operational

Support

Supportive

Adequate

Tolerable

Inappropriate

0.5

1.0

1.0

5.0

1.0

1.0

1.0

1.0

1.0

1.0

1.0

1.0

0.5

1.0

1.0

2.0

Availability

of

Procedures

and Plans

Appropriate

Acceptable

Inappropriate

0.8

1.0

2.0

1.0

1.0

1.0

0.5

1.0

5.0

0.8

1.0

2.0

Number of

simultaneous

Goals

Fewer that capacity

Matching Capacity

More than Capacity

1.0

1.0

2.0

1.0

1.0

2.0

1.0

1.0

5.0

1.0

1.0

2.0

Available

Time

Adequate

Temperately Inadequate

Continuously Inadequate

0.5

1.0

5.0

0.5

1.0

5.0

0.5

1.0

5.0

0.5

1.0

5.0

Time of Day Day Time

Night Time

1.0

1.2

1.0

1.2

1.0

1.2

1.0

1.2

Adequate

Training and

Experience

Adequate, High Experience

Adequate, limited Experience

Inadequate

0.8

1.0

2.0

0.5

1.0

5.0

0.5

1.0

5.0

0.8

1.0

2.0

Crew

Collaboration

Quality

Very Efficient

Efficient

Inefficient

Deficient

0.5

1.0

1.0

2.0

0.5

1.0

1.0

2.0

0.5

1.0

1.0

2.0

0.5

1.0

1.0

5.0

Table 6 Impact of PSF state on HEP

41

Using the HEP equation above and using the Table 5 and Table 6 the summary matrix with the

results will be presented in the following form:

Types of Human Functions

Type of

Activity

Observation Interpretation Planning Execution

O1 O2 O3 I1 I2 I3 P1 P2 E1 E2 E3 E4 E5

Co-ordinate

Communicate

Compare

Diagnose

Evaluate

Execute

Identify

Maintain

Monitor

Observe

Plan

Record

Scan

Verify

Table 7 Summary Matrix of Extended CREAM Method

Validation of Confidence Prediction

The validation of the model needs to be done to get the buy in of the management and research

community. Since there is some modifications made to the Extended CREAM method, this

method may be considered to have new content. The validation can be planned as follows:

Compare the confidence interval with the confidence interval given by the expert

opinion.

Use half the data from the database and use the remainder of the data to run the model

again and establish confidence intervals. Compare the two results.

If the model is not validated, relook at the model for areas of modifications and

assumptions, including the PSFs and the error circumstance

Risk Mitigation: Quantitatively Informed Risk Mitigation Strategies

This far we have proceeded to a point where we have an analysis method, data collection

and analysis proposal The question at this point of time is, having got the HEP and after

combination of the HEP to the system PRA, what do we do next? Risk probability helps us

42

prioritize the human aspects to the risk. Some of the suggested steps for risk mitigation are listed

below:

The HEP off the HRA model and the probability of failure from the PRA sheds enough light on

the risks associated with the human error and how it impacts the mission.

Use the HEP as a metric to prioritize the risk mitigation strategies, also weight should be given to

the risks that are more critical. Formulate a FMEA like tool to determine a RPN that could further

help in prioritization.

Study the contextual detail, unsafe act details and the PSFs contributing to the HEP

Establish strategies to mitigate risk.

Appropriate Risk Mitigation Strategies

The unsafe acts discussed in the Task Analysis section are summarized in table below.

The unsafe acts are broadly related to Personal, Social, Organizational, and Technological

categories. The majority of the errors happen due to personal traits and behavioral issues. In

some cases it is inadequate training/skills that leave the pilot lost in problem solving for an event

on which he has limited experience and/or training. In other situations it was seen that the unsafe

acts were committed when the pilot may have been under high work overload, fatigued, and/or

overconfident.

Unsafe Act Personal Social Organizational Technological

Not Focused X X

Omission X X X

Skip Procedures X X X

Uncoordinated X X X

Table 8 Unsafe Acts Vs Categories

Reason proposed that the way to resolve conflicts between human Vs system are based on:

1. Person Model

2. Engineering Model

3. Organizational Model.

Applying this to the problem, it is clear that it would be the organization’s responsibility to

engineer a model around and individual so it positively impacts the individual’s behavior.

Also, Weinreich (1999) identified essential elements required to achieve successful and lasting

behavior change are as follows:

An individual must believe there is a problem that has severe consequences.

An individual must believe that the proposed behavior will address the problem and

prevent the consequences.

The benefits must be perceived as outweighing the costs.

An individual has to have the skills required to implement the new behavior.

43

The individual must believe they have the skills required (self efficacy).

The behavior has to be consistent with self-image.

An individual needs to perceive the existence of social support or pressure for the

changed behavior as opposed to the status quo.

There needs to be fewer barriers to the new behavior than there are to the old behavior.

The individual must intend to make the required change to their behavior.

Combining Reason’s three distinct models for safety management, and Weinreich’s essential

elements for successful and lasting behavior change, give a model that can be the basis for the

development of strategies for human risk mitigation. The following figure shows how the

“combined model” can be used to convince the Sr. Management for a commitment to incorporate

the results of the HRA model.

Figure 3 Reason’s and Weinreich’s Combined Model.

44

The HRA and PRA results give weights on the unsafe acts to be mitigated. This

prioritized list combined with the cost benefit analysis will help arrive at the value proposition.

The value proposition should not only consider the benefits due to averting an accident but also

the elements of indirect gains for the airliner in terms of safety records and safety reputation that

would lead to loyal customers and emerging as a preferred airliner. The value proposition will

help an organization buy into the idea of accepting the recommendations and evolve the strategic

and tactical risk mitigation steps.

Generalized steps for risk mitigation are listed below with explanation on how it applies to the

problem at hand to mitigate risk:

Fear appeal campaigns: EDUCATE: Educate an individual on how the unsafe acts can

lead to catastrophic situation. It could be via advertisement campaign, workshops, and

demonstrations. For example if a pilot shows tendencies of skipping procedure, the

implication of this error should be demonstrated via workshops, films, and/or

advertisements.

Rewards and punishments: PERSUADE: Help create a positive attitude via rewards and

other personal motivating consideration. The pilots with low human error record should

be rewarded.

Unsafe act auditing: CONTROL: Audits would help the human keep a check on unsafe

acts. A concealed auditor could be present on board from the airliner/ and or an authority

to audit a flight human factor and error assessment, without prior notice, randomly which

would keep pilots on their toes.

Modifying procedure: DESIGN: Engineer the environment and working condition to be

such that it is conducive to the avoidance of unsafe acts. Policy on number of hours on

continuous flight, procedures and displays being clear and easily applied would preempt

skipping them.

Training and selection: DESIGN/EDUCATE: The situation faced by the pilot is such that

he is trained and equipped to accident management and apply a rule based approach in

troubleshooting an abnormal event.

45

Figure 4 Ways to mitigate risks

Targeting Different Strategies to the Concerned Population

The concerned population for the problem is the flight crew, design engineers, Sr.

Management, more importantly the pilots. Make it a policy to have:

Mandatory training/ workshops on human errors and its implications.

Accident recovery and training and retraining on abnormal even occurrences.

Engage the stakeholders in development of the training/ workshop, especially in

situations that may not occurred in the past but, may go wrong and hence preparedness

to handle that even should be the focal points.

Rewards program and also a punishment program should be a part of the policy to bring

in the regulatory aspect to the strategy.

46

Section 4

Discussion

In this section the challenges faced by an HRA practitioner in implementing the HRA in

an airline company is discussed. This discussion will be followed by a discussion of limitations

of the model, comprehensiveness of the model, data subjectivity, and its application

Implementation of HRA

Implementation of the HRA model pivots on the cost benefit analysis and alignment of

the HRA goals with the business goals. The business should be convinced and the Sr.

Management pledges its commitment on the analysis for a successful implementation of the

HRA. Moreover, there are procedures, policies and regulations that any project will be

constrained by during its implementation. The discussion that follows will walk through the steps

for getting the stake holders buy-in and getting approval from the FAA on the implementation of

the HRA recommendations.

Stakeholders’ Buy-in The Analyst and/or the team working on the HRA project will have to develop a value

proposition for the Sr. Management commitment and support. In order to build a value proposition some

questions need to be asked and answers obtained to come up with a reasonable value proposition. Some

sample questions are listed below, the answers are assumed. Please use this only for demonstration

purposes only. The sample questions are followed by sample analysis for demonstration purpose

too.

Sample Questions to the Company and Answers

1) What is the annual Volume of Flights?

Answer: 500,000

2) What is the revenue/year?

Answer: $37.4B/year

3) What if the human error cost/annum as a % of Revenue?

Answer: 2% of revenue= $748 M

4) Financial damages paid to clients due to inconvenience caused due to human error?

Answer: 0.1% of revenue =$ 37.4 M

5) Litigation cost due to landing issues over the past 10 years?

Answer: $110 M/year

6) How much compensation was paid due to landing error over the past 10 year?

Answer: $200 M

47

7) Steps taken recently to mitigate the cause of the failures?

Answer: Not sure

8) Any verification process in place to confirm the proper working of the mitigation steps?

Answer: Not sure

9) Steps taken recently to mitigate the cause of the failures?

Answer: Worked on controls and MMI

10) Any verification process in place to confirm the proper working of the mitigation steps?

Answer: Not really

11) How effectively is the human factors analyses, and effects of human error conveyed to

designers, maintenance personnel and pilots?

Answer: Just begun to talk about it.

Sample Calculation of Value Proposition

Basis (Revenue/annum)= $37.4 B

Losses Cost (M)

Assume 50% Improvement After Implementation

Cost associated to human error $748.00 $374.00

Damages paid to Clients $37.40 $18.70

Litigation Cost

Compensation for death or major injury $200.00 $100.00

Total Loss: $985.40 $492.70

Table 8 Hard Losses due to lack of HRA

48

Gain Cost advantage (M)

*Customer Loyalty *Reputation (5% improvement) $1,870

Better Self Esteem of front-line personnel performance improvement (15%) (Assume 1000 frontline employees at an average salary of $100K $15

Total Gain $1,885

Table 9 Soft Cost Gain

Item Metric Unit Comment

Number of Team members 10 1-time

Time/year @ 20 hours/week for 220 days (1 Year) 880 hrs 1-time

Hourly rate @ $50/hour $440,000.00

Other computational Costs $1,000,000.00

Workshops/year $2,000,000.00 Recurring Cost

Total Cost of Implementation $3,440,000.00

Table 10 Cost of HRA and Implementation

49

ROI = Total Benefit/Total Cost= (492.7+1885)/3.44=198 Hence the value proposition is

198%

After the development of a convincing value proposition, the proposal for implementation will

need to be approved by the Sr. Management and sent to FAA for approval. This Approval

process is listed below [21]:

Processing of initial application

Maintenance of initial accuracy of the application

FAA determines eligibility for safety approval on performance criteria

Performance verification requirements need to be met

Validate the adequacy and reliability of the various analyses and procedures

Submit verification reports and results

Submit test results that show a measure of proficiency and experience for personnel

involved in training

The FAA will verify and validate performance to acceptable criteria before issuing a

safety approval. As part of the verification process the applicant may be required to

develop a plan that identifies the methods of verification: demonstration, analysis,

inspection, and testing, develop procedures or reports documenting verification methods

and results, conduct verification, and submit verification reports and results.

The FAA recognizes that it is not feasible to develop all criteria or standards that are

applicable or necessary to issue a safety approval for all eligible safety elements. FAA

understands that it maybe necessity to follow an individualized approach to safety

approvals and expect to draw on its experience in evaluating license, permit, and safety

approval applications. The scope of the approval will be limited by the scope of the safety demonstration

contained in the application.

The approval is valid for 5 years and would need to be renewed thereafter.

Approval process from FAA is the most time consuming and complex after the Sr.Management

has pledged its commitment.

Model Limitations

Extended CREAM method is widely used model in the Nuclear Industry. There have

been opinions and comments by researchers that suggest that there still need to have on-going

work required to fine tune the model. Some other limitations are listed below:

The data collection from various methods, for example from databases, and surveys etc.

has inherent subjectivity from an observation to observation is difficult to capture.

Validation methods discussed above may require more refinement to gain credibility

through additional work, probably by running experiments on simulators and simulate

environment under which errors would occur. This would add the cost of the project.

50

The process of studying validity and reliability of CREAM is ongoing[14].[13] Collier

found several problems with “both the CREAM technique and the data needed to

complete the analysis”. It was felt that further development was needed before this kind

of analysis can be reliable and valid, either in a research setting or as a practitioner’s tool

in a safety assessment”. More recently, Marseguerra et al [15] have applied

traditional/basic CREAM and fuzzy CREAM (based on fuzzy logic i.e. a form of algebra

employing a range of values from ‘true’ to ‘false’ that is used in making decisions with

imprecise data) to a contextual scenario of an actual train crash. They found distinct

advantages to applying fuzzy CREAM in that it allows for a more systematic and

transparent definition of the underlying model and a more explicit treatment of the

ambiguity involved in its evaluation.

Application of this model has been in the Nuclear Domain; hence its validity in the

aviation domain needs to be verified.

51

Section 5

Conclusion

Application of knowledge from this project in the Aviation Domain

This project is unique in its application. It extends the HRA method from the nuclear

domain to the aviation domain. Although, it requires external validity in the domain, but it sheds

light on how the risk mitigation efforts could be justified and implemented in the domain and get

stake holders buy-in. This project has presented a very comprehensive task analysis which could

be used to go deeper in the identification of PSFs based on widening the theoretical framework.

Therefore, this project provides a starting point for an HRA analyst to either elaborate of

additional focus area, or to take it from here to start the data collection process.

Extensions to the Project/Future Work

It highly recommended conducting a research within the theoretical framework to validate the

PSFs and errors suggested throughout the project with an expert in the aviation area. This would

help in the implementation phase as the buy-in would already be here from the stake holders. Validation of the model has been a concern as mentioned by several HRA practitioners. Hence it

is suggested to put effort in the validation process. It is suggested that validation should be done

using empirical data. The model will result in a more comprehensive model after adequate validation and modifications

made based on the aviation domain.

52

References

[1] Douglas A. Wiegmann, A Human Error Analysis of Commercial Aviation Accidents Using

the Human Factors Analysis and Classification System (HFACS), University of Illinois at

Urbana-Champaign 2001

[2] DAVID O'HARE, Mark Wiggins, Richard Batt, Dianne Morrison; Cognitive failure analysis

for aircraft accident investigation; Ergonomics 1994; Vol 37, issue 11.

[3] Douglas A. Wiegmann and Scott A. Shappell; A Human Error Approach to Aviation

Accident Analysis - The Human Factors Analysis and Classification System

[4] Douglas A. Wiegmann and Scott A. Shappell; Human Factors Analysis to Post Accident

Data: Applying Theoretical Taxonomies of Human Error

[5] Aircraft Accident Report: Overrun American Airlines Flight 2253 Boeing 757-200, N668AA:

NTSB Number: AAR-12-01

[6] Wiegmann and Shappell ; Human Error Perspectives in Aviation

[7] Neelam Naikar, Alyson Saunders; Crossing the boundaries of safe operation: An approach

for training technical skills in error management; EAM -2002 Best Paper Award.

[8] Keller, J., Leiden, K. and Small, R. (2003). Cognitive task analysis of commercial jet aircraft

pilots during instrument approaches for baseline and synthetic vision displays.

[9] Brian F. Gore, Ph.D Workload as a Performance Shaping Factor for Human Performance

Models; Boeing 757-200 Flight Crew Operations Manual Shanghai Airlines Company Limited

2013

[10] Boeing 757-200 Cat C Pilot Procedures

[11] Jim Thomson; Situation Awareness and the Human-Machine Interface, 2013

[12] Aircraft Accident Report: Overrun American Airlines Flight 2253 Boeing 757-200,

N668AA: NTSB Number: AAR-12-01

[13] Collier, S (2003) A Simulator Study of CREAM to Predict Cognitive Errors. In Proceedings

of the International Workshop. Building the new HRA. Errors of commission form research to

application. Nuclear Energy Agency. Pages 56-75.

[14] Everdij M.H.C. and Blom H.A.P. (2008) Safety Methods Database.

http://www.nlr.nl/documents/flyers/SATdb.pdf

[15]Marseguerra, M., Zio, E. and Librizzi, M. (2007) Human Reliability Analysis by Fuzzy

"CREAM" Risk Analysis Vol 27 No 1 pages 137–154

[16] Valentina Di Pasquale, Raffaele Iannone, Salvatore Miranda and Stefano Riemma; An

Overview of Human Reliability Analysis Techniques in Manufacturing Operations Chapter 9

[17] Mosleh, Chang; Model-based human reliability analysis: prospects and requirements;

Reliability Engineering and System Safety 83 (2004) 241–253

[18] Review of human reliability assessment methods Prepared by the Health and Safety

Laboratory for the Health and Safety Executive 2009

[19] E.A. Rosa, P.C. Humphreys, C.M. Spettell, and D.E. Embrey; Application of Slim-Maud: a

test of an interactive computer-based method for organizing expert assessment of human

performance and reliability volume 1: main report

Date Published - September 1985

[20] The SPAR-H Human Reliability Analysis Method Idaho National Laboratory

U.S. Nuclear Regulatory Commission Office of Nuclear Regulatory Research Washington, DC

20555-0001

[21] The SPAR-H Human Reliability Analysis Method Idaho National Laboratory

53

U.S. Nuclear Regulatory Commission Office of Nuclear Regulatory Research

Washington, DC 20555-0001

[22] 757-200 Flight Crew Operations Manual Shanghai Airlines Company Limited Document

Number D632N001-24SHA Revision Number: 47 Revision Date: May 16, 2013

[23] Federal Aviation Administration Human Factors Team Report on: The Interfaces Between

Flightcrews and Modern Flight Deck Systems June 18, 1996

[24] Pramila Rani Nilanjan Sarkar Operator Engagement Detection and Robot Behavior

Adaptation in Human-Robot Interaction

[25] Daniela K. Busse and Chris W. Johnson; Using a Cognitive Theoretical Framework to

Support Accident Analysis; Dept. of Computing Science, University of Glasgow 17, Lilybank

Gardens, Glasgow G12 8RZ

[26]http://www.skybrary.aero/index.php/Cognitive_Reliability_and_Error_Analysis_Method_%

28CREAM%29; CREAM Method

[27] Dwight P. Miller, Ph.D., CPE; Development of ASHRAM; A new Human-Reliability

Analysis Method for Aviation Safety Dwight P. Miller, Ph.D., CPE Systems Reliability

Department Sandia National Laboratories* Albuquerque, New Mexico

[28] David Embrey; Understanding Human Behavior and Error Human Reliability Associates

1, School House, Higher Lane, Dalton, Wigan,

Lancashire. WN8 7RP

RR679

Research Report

http://www.skybrary.aero/index.php/Cognitive_Reliability_and_Error_Analysis_Method_%28CREAM%29

http://www.skybrary.aero/index.php/Cognitive_Reliability_and_Error_Analysis_Method_%28CREAM%29

White Paper on Human Reliability Analysis -...

Documents

Transcript of White Paper on Human Reliability Analysis -...