Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
c ������������������� ������� �������������� �
Accident models provide the basis for
Investigating and analyzing accidents
Preventing accidents
Hazard analysis
Design for safety
Assessing risk (determining whether systems are suitable for use)
Performance modeling and defining safety metrics
c ������������������� ������� �������������� � Basic Energy Model
Assumes accidents are the result of an uncontrolled and undesired release of energy.
Use barriers or control energy flows to prevent them.
Barrier
ENERGY
Energy flow SOURCE OBJECT
Variations:
Both (1) application of energy and (2) interference in normal exchange of energy.
Energy transformation vs. energy deficiency.
Action systems (systems that produce energy) vs. nonaction systems (systems that constrain energy)
c ���������G�����H����IKJKL�L ������� �������������� �Heinrich’s Domino Model of Accidents
People, not things, are the cause of accidents.
but said third was easiest to remove. Removing any of dominoes will break sequence,
person
Unsafe act or condition
Accident
Injury
Fault of
environment
Ancestry, Social
Focus on single causes.
Chain−of−Events Models
Explain accidents in terms of multiple events, sequenced as a forward chain over time.
Events almost always involve component failure, human error, or energy−related event
Form the basis of most safety−engineering and reliability engineering analysis:
e.g., Fault Tree Analysis, Probabilistic Risk Assessment, FMEA, Event Trees
and design: e.g., redundancy, overdesign, safety margins, ...
D�3�� ( )��;) (�+�,*(%B!(
@ 75"'3�4E��F���2 �4!� + ) $0�%$&���� %)52 <�= �;)�3!� (
projected
Equipment damaged
Personnel injured
Fragments
M*N
metal rupture
�����������! �"#�%$&$���"'�
( $*) (�+�,-(�.
�%$0/
Weakened TankCorrosionMoisture
Operating pressure
S?T�U
4 ��/(�.
1�$��!���%$02 ��� (�+
) 10$0�;$�) 2 ��$�$ 9���"'����$�2 .�+
4!�%) = 10$0�!<���" $�)6��2 �:�"( (�.
4 86"'3�9�2 ���!4!��$�: >?���� ! ���" $�3 +�+
��=575"'3�4= O ( + ( 2 ))�3 ���� !4!3�2 $�)5��"#� $�)5����=�3�"&��3 )H3�7 )�:�2 � ,&+ ��$�$*$03 )�3!"#�� �)���"#�!<���7�3�"#�;) (�+�,
$���"#��� + )53;��3 + ) ( 2 + 902 ��2 @A3�7�) (�+�,?B
:�2 = � , ( + 2 )623��%)63�7�) (�+�,
/ �= )5�;� "'<�3 ��3�"#"'3�$�2 3 +;B
2 = = 3�) ��3���$�P� �"'��9�� )�2 +�.
4!3�"#� �3�$�$02 <�= �;75" (�.
4!� ) $0/ $A �"#��$�$���"#2 C�����/( ( + + + + $�)5����=5)53! �"#��9�� ) "'�����%�0�;$�)5"'� )5:;)�3 ��Q�)�� $�2 9��!� 4 � + +�. + ( (�. 2 =��3 ) ( ��) 2 )5: 7 ��"'�! �3�2 )6����"#2 +�. (�+
�;75" (�.
4R� + ) ( )�2 3 + / + B ( + 4!3�2 $�)���"#��/ 7�3�"'��$0��� <�= �!= 2 75�%)52 4!��/(
���������������zJKL�J ������� �������������� � c
Chain−of−Events Example: Bhopal
E1: Worker washes pipes without inserting slip blind
E2: Water leaks into MIT tank
E3: Explosion occurs
E4: Relief valve opens
E5: MIC vented into air
E6: Wind carries MIC into populated area around plant
c ���������������zJKL�� ������� �������������� �
Limitations of Event Chain Models:
Social and organizational factors in accidents ��v!q!`!e�Y jb_#v!u^`\p�`!e�jylK`!if[!v!h!Y'h!uzj�_#adW\l;Y#`!W!abl;h!v!`��!W!az_#idafiz_#`!v!if`!t
WbY|lK[!h!s!u![xlK[!`xlK`!if[!v!h!Y'hbu;j�m^W;j��!`x��`!Y'Yfq!`\pH`!Y'h;Z\`!q^Y#h!v!u^�!`!��h!e�`xlK[!`
afif_'`!v!if`^`!m^`!e�u!`!afgxwdpH`!e�Y jb_#v!u^`\pH`!e5jylK`!if[!v!_#izW!Yfh!e{if_|pH_'YfaHjbaklK`!m}_'a~W
afh!if_'W!Yfa�jkablK`bmnlK[!W\l�Zoe�h\p�_#q!`!arZ\s!e5Z\h!af`!t!u!h!W!Y'aft!W!v!q^q!`!if_'af_'h!v^ife�_%lK`!e�_#W!g
VXW!Y Z\[^]^_#Y'`badcfe�g
Models need to include the social system as well as the technology and its underlying science.
System accidents
Software error
c ���������������zJKL�� ������� �������������� � Limitations of Event Chain Models (2)
Human error
Deviation from normative procedure vs. established practice
Cannot effectively model human behavior by decomposing it into individual decisions and actions and studying it in isolation from the
physical and social context value system in which it takes place dynamic work process
Adaptation Major accidents involve systematic migration of organizational behavior under pressure toward cost effectiveness in an aggressive, competitive environment.
���������������zJKL�� ������� �������������� � Design
Vessel Design
Shipyard Equipment load added
Harbor Design
Cargo
Calais
ZeebruggeTraffic
Vessel
Management
Passenger Management
Scheduling
Operation
Berth design
Berth design
Operations management
Captain’s planning
procedure
to Zeebrugge Transfer of Herald
heuristics Operations management
procedure
Unsafe
patterns
docking Standing orders Operations management
Excess numbers Passenger management
Capsizing
Change of
Crew working
Stability Analysis
Truck companies
Impaired stability
Excess load routines
Docking
c
Time pressure
Operational Decision Making: Accident Analysis:
Combinatorial structure Decision makers from separate of possible accidentsdepartments in operational context can easily be identified. very likely will not see the forest for the trees.
c ���������������zJKL�²�IKJ'L�³ ������� �������������� �
STAMP (Systems Theory Accident Modeling and Processes)
To effect control over a system requires four conditions:
Goal Condition: The controller must have a goal or goals (e.g., to maintain a setpoint)
Action Condition: The controller must be able to affect the system state.
Model Condition: The controller must be (or contain) a model of the system
Observability Condition: The controller must be able to ascertain the state of the system.
°{�G�f���-���~¨��f¤-��¥ �~¨�¢6���f�����H�5�k£K�f±
� �f¡�¢-£ ���-¤^����¥ �-�¦£ �k�6�§�f£K����¨©���6�����?������¨«ª������
¬ ¢f�������6�-�?�5�f�5�^�ª��k¥K¢H�-�r�-®-�?��������¨«ª�������¯
�o�6�����f���r���H�^�-���-���f���r�������*�6���6�f�������-���
Displays Controls
inputs Process
outputs Process
Controlled Process
variables Controlled
InterfacesProcess Model of Model of
variables
(Controller) Human Supervisor
Automation Model of
Process Model of
Measured
SensorsActuators
Automated Controller
Disturbances
c ���������������zJKL�� ������� �������������� �
outputs Process
variables Controlled
variables Measured
inputs
Controlled
Process
and Decision Aiding Automated Display
InterfacesProcess Model of Model of
Process Model of
Process
SensorsActuators
Model of
(Controller) Human Supervisor
Automation
Safety and the Process Models
Accidents occur when the models do not match the process Wrong from beginning
Missing or incorrect feedback so not updated
Must also account for time lags
Explains human/machine interaction problems
Pilots and others are not understanding the automation
What did it just do? Why won’t it let us do that? Why did it do that? What caused the failure?
Disturbances
c ���������������zJKL�� ������� �������������� �
What will it do next? What can we do so it does not How did it get us into this state? happen again?
How do I get it to do what I want?
Don’t get feedback to update mental models or disbelieve it
���������������zJKL��������� �|�����0���|�� � c
A Systems Theory Model of Accidents
Accidents arise from interactions among humans, machines, and the environment.
Not simply chains of events or linear causality, but more complex types of causal connections.
Safety is an emergent property that arises when components of system interact with each other within a larger environment.
A set of constraints related to behavior of components in system enforces that property.
Accidents when interactions violate those constraints (a lack of appropriate constraints on the interactions).
Software as a controller embodies or enforces those constraints.
c ���������������zJ�JKL ������� �������������� �
A Systems Theory Model of Accidents (2)
Safety can be viewed as a control problem
e.g. O−rings did not adequately control propellant gas release
Software did not adequately control descent speed of MPL
Safety management is a control structure embedded in an adaptive system.
Events indirectly reflect the effects of dysfunctional interactions and inadequate control
Need to examine control structure itself to understand accidents Result from:
Inadequate enforcement of constraints
At each level of socio−technical system controlling development and operations
c ���������������zJ�J�JKI�J�JK�
SYSTEM DEVELOPMENT
Congress and Legislatures Government Reports
Legislation Lobbying Hearings and open meetings Accidents
Government Regulatory Agencies Industry Associations,
User Associations, Unions, Insurance Companies, Courts
Regulations Certification Info. Standards Change reports Certification Whistleblowers Legal penalties Accidents and incidents Case Law
Company Management
Safety Policy Status Reports Standards Risk Assessments Resources Incident Reports
Policy, stds. Project Management
Hazard Analyses Safety Standards Safety−Related Changes
Standards
Safety Reports
Test reports
Review Results
Hazard Analyses Progress Reports
Hazard Analyses
Design Rationale
Documentation
Hazard Analyses
�&�G��� �������������� �
SYSTEM OPERATIONS
Congress and Legislatures Government Reports
Legislation Lobbying Hearings and open meetings Accidents
Government Regulatory Agencies Industry Associations,
User Associations, Unions, Insurance Companies, Courts
Regulations Standards Certification Legal penalties Case Law
Accident and incident reports Operations reports Maintenance Reports Change reports Whistleblowers
Company Management
Safety Policy Operations ReportsStandards Resources
Operations Management
Progress Reports
Design, Documentation
Safety Constraints
Test Requirements
Implementation and assurance
Manufacturing Management
Work safety reports Maintenance
Procedures audits and Evolution work logs Incidents inspections Change Requests
Manufacturing Performance Audits
Problem reports
Audit reports Work Instructions Change requests
Physical
Actuator(s)
Problem Reports
Hardware replacements Software revisions
Operating Process
Operating Assumptions Operating Procedures
Revised operating procedures
Automated
Human Controller(s)
Controller
Sensor(s)
Process
c ���������G�����fJ�JK� ������� �������������� �
GOAL: Provide a framework for classifying factors leading to accidents and a system engineering methodology for handling them.
Some causes of dysfunctional interactions:
Asynchronous evolution
Inconsistent models
inadequate or missing feedback time lags inadequate engineering design activities
etc.
Inadequate coordination among controllers and decision makers
Boundary areas
Overlap areas
c ���������G�����fJ�JK� ������� �������������� � Control Flaws Leading to Hazards
Inadequate control actions (enforcement of constraints) Unidentified hazards
Inappropriate, ineffective, or missing control actions for identified hazards
Design of control algorithm (process) does not enforce constraints
Process models inconsistent, incomplete, or incorrect (lack of linkup)
Flaw(s) in creation process Flaws(s) in updating process (asynchronous evolution) Time lags and measurement inaccuracies not accounted for
Inadequate coordination among controllers and decision−makers (boundary and overlap areas)
Inadequate Execution of Control Action Communication flaw
Inadequate actuator operation Time lag
Inadequate or missing feedback Not provided in system design
Communication flaw Time lag Inadequate sensor operation (incorrect or no information provided)
c ���������������zJ�JK² ������� �|�����0���|�� �Human Error Models
Categorize errors by external manifestations
Categorize by type of task
Simple, vigilance, emergency response, control, complex
Coordinating, scanning, recognizing, problem solving, planning ...
Usually consider performance−shaping factors such as task structure, stress, design of displays and controls
Categorize by cognitive mechanisms
Instead of focusing on task and environment characteristics,consider psychological mechanisms used by operator in performing tasks.
Interaction of psychological factors with features of workenvironment
Requires only a limited number of basic concepts
c ���������������zJ�JK³ ������� �������������� � Common Features of Cognitive Models
Most based on Bartlett’s ‘‘schemas’’
Internal representations of regularities of the world
An organized structure of knowledge
Our way of understanding and dealing with world
Slips vs. Mistakes (Don Norman)
Mistake is an error in intention (error in planning)
Slip is error in carrying out the intention
Human−Task Mismatch (Rasmussen)
Errors are an integral part of learning Should be considered human−task or human−system mismatches
Skill−Rules−Knowledge framework (Rasmussen)
Human skills needed to solve problems also lead to errors
If eliminate possibility of human error, may eliminate ability to solve problems.
Rasmussen Model of Human−Task Mismatch ���������������zJ�JK� c ������� �|�����0���|�� �
´¦µ%¶ µ%·�¶ ¸ ¹�º
¹%»�¼�µ�½�µ�¾ ¿�À�µ�½�µ�º%¶ ¼�¹�¾�» ¿�Á�À ¶ ¼  º�µ%¿�Ã�Ä%¿�¶ Å�Æ�¿%·�·�¸ Ç%µ�º�¶ ¿�À�¶ ¸ È?¸ º�É
Ê ¹%È?È?¸ ¼�¼�¸ ¹�º?¹�»%µ�Ë�¶ ¾ ¿�º%µ�¹�Á�¼�¿�·�¶
Ê ¹%È?È?¸ ¼�¼�¸ ¹�º?¹�»%µ�¾ ¾ ¹�º�µ%¹�Á�¼�¿�·�¶
̦Ì�Í
¾ ¹�º�É?¶ ¸ È?¸ º�É
̦Ì
¸ º�¿�·�·�Á�¾ ¿�¶ µ?Ä�µ�¾ » ¹�¾ È?¿�º�·�µ
 Ä�µ%·�¸ » ¸ µ%Ç?¶ ¿%¼�Ã�º�¹%¶�Ä�µ%¾ » ¹%¾ È?µ�Ç
̦Ì
¹�È?¸ ¼�¼�¸ ¹�º?¹%»�¿�·�¶
Î?¿�º�¿%É�µ�È?µ%º�¶
Ï�Ç�È?¸ º%¸ ¼�¶ ¾ ¿�¶ ¸ ¹�º
Î?¿�¸ º�¶ µ�º%¿�º�·�µ�Æ#¾ µ�Ä%¿�¸ ¾�À ¹%É�¸ ¼�¶ ¸ ·�¼ Ð&µ%¼�¶�¿�º%Ç�·�¿%À ¸ Ñ�¾ ¿�¶ ¸ ¹�º
Ò Ä�µ%¾ ¿�¶ ¸ ¹�º
´¦µ%·�¸ ¼�¸ ¹�º
Ó Ç�µ%º�¶ ¸ » ¸ ·�¿%¶ ¸ ¹%º
̦Ì
¼�µ%À µ�·�¶�É�¹%¿�À
̦Ì
¼�µ%À µ�·�¶�¶ ¿�¾ É%µ�¶
̦Ì
¼�µ%À µ�·�¶�¶ ¿�¼�à ÏÔ·�¶ ¸ ¹%º
̦Ì
¹%Ä�µ�¾ ¿�¶ ¸ ¹�º�¿%À ¼�µ%Õ�Á�µ%º�·�µ
̦Ì
µ%Ë�µ�·�Á�¶ ¸ ¹�º
̦Ì
·�¹%È?È?Á�º�¸ ·�¿%¶ ¸ ¹%º
´¦¸ ¼�·�¾ ¸ È?¸ º�¿�¶ ¸ ¹�º
̦Ì
¼�¶ µ%¾ ¹�¶ Ö�Ä�µ?» ¸ Ë�¿�¶ ¸ ¹�º
̦Ì
» ¿%È?¸ À ¸ ¿%¾&¼�Å%¹�¾ ¶ ·�Á�¶ ̦Ì
¼�¶ µ�¾ µ�¹�¶ Ö�Ä�µ?¶ ¿�Ã�µ�¹%½�µ%¾
×�¿%Ñ�¾ ¸ ·�¿%¶ ¸ ¹%º
Ø%SÚÙ�Û
M*NÔÜ S�ØÔØÔݦÙ�Û�Þ T�ß àáÝ
N Ø M*N�â S�TÔÙ;Ýáã
Î?µ�º�¶ ¿�À�À ¹�¿%Ç�Æ�¾ µ�¼�¹�Á�¾ ·�µ�¼  Á�Ñ%ä µ�·�¶ ¸ ½�µ?É%¹�¿�À ¼�¿�º%Ç?¸ º�¶ µ�º�¶ ¸ ¹%º�¼
Ï�» » µ%·�¶ ¸ ½�µ?» ¿�·�¶ ¹%¾ ¼
Ü Þ Û�åÔSáÛ�Þ
M TAØ|SÚÙ�Û
M*NÔÜ ã Ð�¿�¼�Ã Ê Å�¿�¾ ¿�·�¶ µ%¾ ¸ ¼�¶ ¸ ·�¼ æ|Å�Ö�¼�¸ ·�¿�À&ç%º�½�¸ ¾ ¹�º�È?µ%º�¶
è-¹%¾ Ã�Ð�¸ È6µ Ê Å�¿�¾ ¿%·�¶ µ%¾ ¸ ¼�¶ ¸ ·�¼ Ó º�¼�Ä%µ�·�¶ ¸ ¹�º
Ó º�¼�¶ ¿�À À ¿�¶ ¸ ¹�º
æ%¾ ¹�·�µ%Ç�Á�¾ µ?Ç%µ�¼�¸ É�º
ç%Õ�Á%¸ Ä�È?µ�º%¶�Ç�µ%¼�¸ É�º
Sáé%éÔê
â S�ï¦ØÔå�T�Ù�Û�Þ
M T�ã
Ù�S�å
Ü Ý ÜRM Ø*ð�å
â S�T
â S?ï�ØÔå�TÔÙ�Û�Þ
M T�ã
â ÝñÙzð�S�T�Þ
Ü�â�Ü!M Ø*ð�å
â S�T
â S�ï�ØÔå�TÔÙ�Û�Þ
M T�ã
ݦòáÛ�Ý
N TÔS�ï
â�M U�Ý
M Øâ S?ï�ØÔå�TÔÙ�Û�Þ
M T�ã
Þ TÔÛ�Ý
N TÔS�ï;ð�å
â S�T
àáÝ
NÔÜÚM T�T�ÝÚï�ÛÔS
Ü�ó ã
̦Ì
» ¿%È?¸ À ¸ ¿�¾�Ä%¿�¶ ¶ µ%¾ º?º�¹%¶�¾ µ�·�¹%É�º�¸ ô�µ�Ç ç%Ë�¶ µ�¾ º%¿�À�µ�½�µ�º�¶ ¼
̦Ì
¼�Ä%¿�¶ ¸ ¿�À�È?¸ ¼�¹�¾ ¸ µ�º�¶ ¿�¶ ¸ ¹�º
̦Ì
È?¹%¶ ¹%¾�½�¿%¾ ¸ ¿�Ñ%¸ À ¸ ¶ Ö æ|Å�Ö�¼�¸ ·�¿�À Ê ¹�¹�¾ Ç�¸ º�¿%¶ ¸ ¹�º
·�¹�º%¼�¸ Ç�µ�¾ µ�Ç
̦Ì
·�¹%º�Ç�¸ ¶ ¸ ¹�º?¹%¾�¼�¸ Ç�µ?µ�» » µ�·�¶�º�¹%¶
Ó º�» µ�¾ µ%º�·�µ
̦Ì
¹%¶ Å%µ�¾�¼�À ¸ Ä?¹�»%È?µ�È?¹�¾ Ö Ì¦Ì
È?¸ ¼�¶ ¿�Ã�µ?¿%À ¶ µ%¾ º�¿%¶ ¸ ½�µ%¼ ̦Ì
» ¹�¾ É�µ�¶%¸ ¼�¹�À ¿�¶ µ�Ç?¿%·�¶
�¦µ%·�¿%À À ̦Ì
¿%¼�¼�Á%È?Ä�¶ ¸ ¹�º
̦Ì
È?¸ ¼�¸ º�¶ µ�¾ Ä�¾ µ�¶ ¿�¶ ¸ ¹�º
̦Ì
¸ º�» ¹�¾ È?¿�¶ ¸ ¹%º?º�¹�¶%¾ µ�·�µ�¸ ½�µ%Ç Ó º�Ä%Á�¶�Ó º�» ¹�¾ È?¿%¶ ¸ ¹�º*æ%¾ ¹�·�µ�¼�¼�¸ º�É Ç�¸ ¼�¶ ¾ ¿�·�¶ ¸ ¹�º�Æ�µ�¶ ·�� �
Ó º%¶ ¾ ¸ º�¼�¸ ·�Å�Á�È?¿%º?½�¿%¾ ¸ ¿�Ñ%¸ À ¸ ¶ Ö ¼�¸ ·�Ã�º�µ%¼�¼&Æ#µ�¶ ·�� � Ò Ä%µ�¾ ¿�¶ ¹�¾�Ó º�·�¿�Ä%¿�·�¸ ¶ ¿�¶ µ�Ç
µ�¶ ·�� � » ¹�¾ ·�µ�Æ�¶ ¸ È?µ�Æ#Ã�º%¹ Í À µ�Ç%É�µ�Æ
ç%Ë�·�µ�¼�¼�¸ ½�µ?¶ ¿%¼�Ã�Ç�µ%È?¿�º�Ç ë¦ì�í�î
���������������zJ�JK� ������� �������������� �Skill−Rules−Knowledge Hierarchy
ö öÝ ì¦é%î ú ÷¦öáý ê í5ì¦ù ø î�� ÷�ü�ÿ �5îáê í�é%ù ú%ùü ý í�ì¦î�ã ß ÷ ù ý ú � Ù�S�å
Ü S�ï�Ù
M T�U�Þ ÛHÞ
M T Ü T M Û*Ù M T Ü Þ U�Ý
N ÝáU Ü T M Û*Ù M T Ü Þ U�Ý
N ÝáU => 3 ��� á< �� � + B . <���: 9�2 3�"(
�;��= á< �� � $����( <���: 902 3�"( ØÔÞ òáSáÛ�Þ
M T Ø|S
â Þ ï¦Þ S N-Ü ð M*N ÛÔÙ;åÔÛ
ö ÷áø î ù¦ú�û
Ü î ÷áø ì¦ë ø ü�ý ì¦ú ú|î ù¦î ì¦þ î ù¦ú�û
Sáú|ú ÷ é�ê ù¦î�ê ÷ í N ì¦é
÷¦ÿ í�ê î#ê ÷ í  ¸ É�º%¼
 Ö�È6Ñ�¹�À ¼ ( $0���
Ø|S
Þ T�Ù
â Ø
� ÷ î ÷áø� ù�î î ì ø í�ú S ü î ÷ � ù�î ì�ë;ú|ì�í�ú ÷áø ��
 ¸ É�º%¿�À ¼ ÏÔ·�¶ ¸ ¹%º�¼  µ�º�¼�¹�¾ ÖzÓ º�Ä�Á%¶
Ø|ì�ù¦î ü¦ø ì ö ÷áø � ù¦î�ê ÷ í  ¸ É%º�¼�� Ü Û�Ý
N Ý M ÛÔõ�àáÝ�ÛÔS
ó Ý M �� Ý N
Þ ë¦ìáí5î#ê ö ê é|ù�î#ê ÷ í é ��
÷ ê é%ì ÷¦ö î ù�úÔû
UÔì¦é�ê úÔê ÷ í �� à ý ùáí¦í�ê í ÿ
� Ü Þ U�Ý!ÝáØÔØÔÝñÙ�Û
M§N ß*ݦÛAÞ
ÜáM ï5SáÛ�ÝÚUAÞ Û�Ý
â Þ Ü ÛÔS
ó Ý;S
â0M T�ß NS�ï�Û�Ý TÔSáÛ�Þ
� Ý Ü NM*N�N ݦÙ�Û ÝñÙ�S�ï¦ï
Þâ ï¦Þ S N S ÜáÜáM ÙzÞ SáÛ�Þ
M T-Û
N S�à
=� 2 = á< � $0���, ( Þâ�M Û �� M*N S N áÞ �� S ï¦Þ ÛÔõ <���: 902 3�"( NÛ M à M ß S�àáð�Þ Ù Þ Þâ ÜáM*N ÝáT�Û�SÚÛ�Þ
M T MÜ Û�Ý
N Ý ÛÔõ�àáÝ
ØÔÞ òáSáÛ�Þ
M T ABSENTMINDEDNESS
LOW ALERTNESS
c
c ���������G�����fJ�JK� �&���G� �������������� �Social Psychology Models
Engineering models: look at human behavior in terms of tasks
Psychology models: relate human cognition to performance
Social Psychology models: include individual value systems and sense of personal responsibility
c ���������������zJK��J ��� ���G� � � ��� � � �����Safety Information System
Studies have ranked this second in importance only to top management concern for safety.
Contents
Updated System Safety Program Plan
Status of activities
Results of hazard analyses
Tracking and status information on all known hazards.
Incident and accident information including corrective action.
Trend analysis data.
Information collection
Information analysis
Information dissemination
c ���������������zJK��� ��� ���G� � � ��� � � ����� Intent Specifications
Bridge between disciplines
Support for human problem solving
Traceability
Support for upstream safety efforts
Integration of safety information into decision−making environment
Assistance in software evolution
c ���������������zJK��� ��� ���G� � � ��� � � ����� Intent Specifications (2)
Hierarchical abstraction based on ‘‘why’’ (design rationale) as well as what and how.
Design decisions at each stage mapped back to to requirements and constraints they are derived to satisfy
Earlier decisions mapped to later stages of process
Results in record of progression of design rationale from high−level requirements to component requirements and designs.
Provides traceability of intent information
c ���������������zJK��� ��� ���G� � � ��� � � ����� Intent Specifications
Part−Whole
Intent
Operations
Refinement
Validation Verification
Environment Operator System
Representation Design
System Purpose
System Design Principles
Representation Physical
Behavior Blackbox
Each level supports a different type of reasoning about system.
Mappings between levels provide relational info necessary to reason across hierarchical levels.
c � s"��s"{�y"z&� �¢¡"£ q�r"s"t�u v u t�w"x u y"z"{ h iV6Nj k�lViVmn4�iVo
�-��� o"4%m���iV�n��lVmn�Vl�iV4�iVo
�� ��4%k���o"lVk �-���
H"I�[%0�I�A&C�A @:I%C2O P
Y H"H"1%H�H"I�K%1�H"C�A @:O&^�=%F�?%I U�H"=%D F�D F%?>/>=�C�I�H"D =%M A �>=�D F%C2I%F�=�F%O&I
� K%I�H"=�C�1�HV/>=�F%0�=�M A K�H"1�O&I%T�0�H"I%A
~-0�T�D C � I�H"G�1�H"/>=�F%O&I />1%F�D C�1�H"D F�? =%F�T>=�0%T�D C�A
354�6�487:9 � �"1:;<)�$&.�/>=%#�=�?%)�/>)�#%.�'�( =�#�* @BA&C2=%C20%AED F%G21%H"/>=�C�D 1�F8@:A&=�G�I�C�JLK�M =%FN@:I%C2O P
� 0��"'�1%*&)
+-, *&.2)%/ 354�6�487�S X 1�F�A&C�H"=�D F�C�A
~-A&A&0�/>K%C2D 1�F�A
a b�cdH"I�[�0%D H"I�/>I%F�C�A
eNI�[%0�D H"I%/fI%F�C�A
e8I�A&K�1%F�A&D g%D M D C�D I%A
O&1%F�A&C�H"=�D F%C2A @BM D />D C�=�C�D 1%F�A
H"I�[�0%D H"I�/>I�F%C2A @BT�I�A&D ?�F
\ J&A&C2I%/]?%1�=�M A @:^�D ?�^�_ M I�`&I�M |N=%}&=�H"T>~-F�=%M J&A&D A � H"I�M D />D F%=�H"J e8I�`&D I%��A
� �"! #%$&! '�( )�*
+-, *&.�)�/ 354�6�487:R
D F�C�I�H"G�=�O&I�A
Y Z&C2I%H"F�=�M UV=�A&WL=�M M 1�O&=�C�D 1%F X 1�F%C2H"1%M A @:T%D A&K�M =%J&A
UV=�A&WL=�F%=�M J&A&I%A
=�F%T>=�M M 1�O&=�C�D 1%F
G20%F�O&C�D 1�F%=�M&T�I%O&1�/>K�1%A&D C�D 1�F
��1%?�D OLK�H"D F�O&D K%M I�A @ O&1�F%C2H"1�M&M =���A @
~-F%=�M J&A&D A \ J&A&C�I�/�|N=�}&=%H"T
=�F%T>H"I�A&0�M C�A @
�-=�M D T�=%C2D 1�F>K�M =�F
354�6�487:Q p-M =�O&W&g�1%Z �>1%T�I�M A Y F�`&D H"1�F�/>I%F�C />1�T%I�M A />1�T�I%M A � K�I%H"=�C�1�HVU�=%A&W
| X aB/>1�T�I%M A p-M =�O&W&g%1�ZLG20%F�O&C�D 1�F%=�M />1%T�I�M A a F�C�I�H"G�=�O&I>A&K�I%O&D G�D O&=�C�D 1%F�A
\ 0�g%A&J&A&C2I%/ |N=%}&=�H"T>~-F�=%M J&A&D A =�F%T>H"I�A&0�M C�A @
~-F�=%M J&A&D ALK�M =�F�A
354�6�487:�
e8I�KNP
�NI�A&D ?%F
| X a:T%I�A&D ?%F T�I%A&D ?�F>A&K%I�O&A
\ 1�G�C���=�H"I>=%F�T>^�=%H"T���=%H"I =�F�T>H"I%A&0�M C�A U�I%A&C�K�M =�F�A
e8I�KNP
� ^�J&A&D O&=%M
354�6�487:� K�^%J&A�D O&=�M&O&1�F%C2H"1%M A ��� a:T�I%A&D ?�F8@
T%I�A&D ?%F
=�A&A&I%/>g�M JLD F%A&C2H"0%O&C2D 1%F�A
\ 1%G2C���=%H"I>O&1�T�I8@:^�=%H"T���=%H"I U�I%A&C�K�M =�F�A =�F�T>H"I%A&0�M C�A
� K%I�H"=�C�D 1%F�A
354�6�487:�
Level 1: System Purpose
Introduction
Historical Perspective
Environment Description
Environment Assumptions
Altitude information is available from intruders with a minimum precision of 100 feet.
All aircraft have legal identification numbers.
Environment Constraints
The behavior or interaction of non−TCAS equipment with TCAS must not degrade the performance of the TCAS equipment.
System Functional Goals
Provide affordable and compatible collision avoidance system options for a broad spectrum of National Airspace System users.
c � s"��s"{�y"z&� �¢¡"¥ q�r"s"t¤u v u t�w"x u y"z"{Level 1: System Purpose (2)
High−Level Requirements [1.2] TCAS shall provide collision avoidance protection for any two
aircraft closing horizontally at any rate up to 1200 knots and vertically up to 10,000 feet per minute.
Assumption: Commercial aircraft can operate up to 600 knots and 5000 fpm during vertical climb or controlled descent (and therefore the planes can close horizontally up to 1200 knots and vertically up to 10,000 fpm.
Design and Safety Constraints
[SC5] The system must not disrupt the pilot and ATC operations during critical phases of flight nor disrupt aircraft operation.
[SC5.1] The pilot of a TCAS−equipped aircraft must have the option to switch to the Traffic−Advisory−Only mode where TAs are displayed but display of resolution advisories is prohibited.
Assumption: This feature will be used during final approach to parallel runways when two aircraft are projected to come close to each other and TCAS would call for an evasive maneuver.
c � s"��s"{�y"z&� �¢¡"¦ q�r"s"t¤u v u t�w"x u y"z"{ Example Level 1 Safety Constraints for TCAS
SC−7 TCAS must not create near misses (result in a hazardous level of vertical separation) that would not have occurred had the aircraft not carried TCAS.
SC−7.1 Crossing maneuvers must be avoided if possible.
2.36, 2.38, 2.48, 2.49.2
SC−7.2 The reversal of a displayed advisory must be extremely rare.
2.51, 2.56.3, 2.65.3, 2.66
SC−7.3 TCAS must not reverse an advisory if the pilot willhave insufficient time to respond to the RA before the closest point of approach (four seconds or less) or if own and intruder aircraft are separated by less than 200 feet vertically when 10 seconds or less remain to closest point of approach.
2.52
� c s"��s"{�y"z&� �¢¡"© q�r"s"t¤u v u t�w"x u y"z"{
Level 1: System Purpose (3)
System Limitations
L.5 TCAS provides no protection against aircraft with nonoperational or non−Mode C transponders.
Operator Requirements OP. 4 After the threat is resolved the pilot shall return promptly and
smoothly to his/her previously assigned flight path.
Human−Interface Requirements
Hazard and other System Analyses
�c s"��s"{�y"z&� �¢§"¨ q�r"s"t¤u v u t�w"x u y"z"{ Hazard List for TCAS
H1: Near midair collision (NMAC): An encounter for which, at the closest point of approach, the vertical separation is less than 100 feet and the horizontal separation is less than 500 feet.
H2: TCAS causes controlled maneuver into ground
e.g. descend command near terrain
H3: TCAS causes pilot to lose control of the aircraft.
H4: TCAS interferes with other safety−related systems
e.g. interferes with ground proximity warning
c
TCAS does not display a resolution advisory.
TCAS unit is not providing RAs. <Self−monitor shuts down TCAS unit> Sensitivity level set such that no RAs are displayed. ...
No RA inputs are provided to the display.
No RA is generated by the logic
Inputs do not satisfy RA criteria
� s"��s"{¤y«z&� �¢§�� qªr"s"t�u v u t�w"x u y"z"{
Surveillance puts threat outside corrective RA position.
Surveillance does not pass adequate track to the logic
<Threat is non−Mode C aircraft> L.5
1.23.1<Surveillance failure>
to be calculated>
Altitude reports put threat outside corrective RA position
Altitude errors put threat on ground
<Uneven terrain>
<Intruder altitude error>
<Own Mode C altitude error>
<Own radar altimeter error>
2.19
1.23.1
1.23.1
Altitude errors put threat in non−threat position. ... <Intruder maneuver causes logic to delay RA beyond CPA>
2.35 SC4.2
... <Process/display connectors fail>
<Display is preempted by other functions>
<Display hardware fails>
2.22 SC4.8
1.23.1
TCAS displays a resolution advisory that the pilot does not follow.
Pilot does not execute RA at all.
Crew does not perceive RA alarm.
<Inadequate alarm design>
<Crew is preoccupied>
1.4 to 1.14 2.74, 2.76
<Crew does not believe RA is correct.> OP.1
...
Pilot executes the RA but inadequately
<Pilot stops before RA is removed> OP.10
OP.4
OP.10
<Pilot continues beyond point RA is removed>
<Pilot delays execution beyond time allowed>
c � s"��s"{¤y"z&���¢§"¡ qªr"s"t�u v u t¤w"x u y"z"{ 2.19 When below 1700 feet AGL, the CAS logic uses the difference
between its own aircraft pressure altitude and radar altitude to determine the approximate elevation of the ground above sea level (see Figure 2.5). It then subtracts the latter value from the pressure altitude value received from the target to determine the approximate altitude of the target above the ground (barometric altitude − radar altitude + 180 feet). If this altitude is less than 180 feet, TCAS considers the target to be on the ground ( 1.SC4.9). Traffic and resolution advisories are inhibited for any intruder whose tracked altitude is below this estimate. Hysteresis is provided to reduce vacillations in the display of traffic advisories that might result from hilly terrain ( FTA−320). All RAs are inhibited when own TCAS is within 500 feet of the ground.
OWN TCAS
Barometric Airborne Declared
Radar Altimeter
Value
Altimeter
Allowance on Ground Declared
on Ground Declared
180−foot
ÒÓ
c � s"��s"{�y"z&� �¢§"§ q�r"s"t¤u v u t�w"x u y"u z"{ Example Level−2 System Design for TCAS
SENSE REVERSALS Reversal−Provides−More−Separationm−301
2.51 In most encounter situations, the resolution advisory sense will be maintained for the duration of an encounter with a threat aircraft.
SC−7.2
However, under certain circumstances, it may be necessary for that sense to be reversed. For example, a conflict between two TCAS−equipped aircraft will, with very high probability, result in selection of complementary advisory senses because of the coordination protocol between the two aircraft. However, if coordination communications between the two aircraft are disrupted at a critical time of sense selection, both aircraft may choose their advisories independently.
FTA−1300
This could possibly result in selection of incompatible senses.
FTA−395
2.51.1 [Information about how incompatibilities are handled]
� c s"��s"{�y"z&� �¢§"À q�r"s"t¤u v u t�w"x u y"z"{ Level 3 Modeling Language Example
a ¬�Ue � ��Y-e�P \ U�~-U
�N\
UV^�H"I�=%C
� H"®%Z�D ¯>=�C�I�_ UVH"=�G�G2D O � C�^�I�H"_ UVH"=�G�G�D O
� ®%C2I%F�C�D =�M _ U�^%H"I�=�C
U�^%H"I�=�C
� C�^�I%H"_ U�H"=�G�G�D O ´µ
� ®%C2I%F�C�D =�M _ U�^%H"I�=�C�_ X ®%F�T�D C2D ®�F
� H"®%Z&D ¯>=�C�I�_ UVH"=�G�G2D O&_
X ®�F%T�D C�D ®%F
e8=�F�?%I�_ �-=�M D T ~-M C2_-e8I�K�®%H"C2D F�?°j i�±
� o"��o"²³��®�A&C ¶ ¶ ¶·
· ¶ · ·
p-I%=�H"D F%?�_ �-=�M D T ¶
.
.
.
. .
.
.
.
.
.
.
.
.
. ¶
¸�¹�º�»ª¼
½ ¹�¾�»ª¼
½ ¹�¾ª»�¾ � C�^�I�H"_ ~-D H"O&H�=%G2C
� F%_
� H"®%¿�F�Tj iV±
� o"��o"²
½ ¹�¾�Áª¼ Ô
ÂN² � ��k:j �Vo�j lVià ~×C�^%H�I%=�C%D AØH"I%O&M =�A&A&D G2D I�T>=�AL®�C�^�I%H�C�H"=�G�G�D OLD G�D C�AL=�M C�D C�¿�T%I>H"I�K�®%H"C2D F�? ^%=�ALg�I�I%F>M ®�A&C
Ë Ì P�Î:Ï%Ð =%F�T>I�D C2^%I�HVC2^%I>g�I�=%H"D F�?>®%H�H"=%F�?�I>D F�K�¿%C2AL=�H"I>D F�`&=�M D TNÑ D G�D C�AØ=%M C�D C�¿�T�I>H"I%K�®�H"C�D F%?>^�=�ALg�I%I�F>M ®�A&C�=%F�T>g�®%C2^>C�^�I>H"=%F�?�I>=%F�T>g�I%=�H"D F%?>=�H"I D`&=%M T>g%¿�C�F%I�D C�^%I�H�C�^%I>K�H"®�Z&D ¯>=%C2I>F%®>H�K%®�C�I�F�C�D =%M&C2^%H"I�=�C%O&M =�A&A&D G2D O&=�C�D ®�F>O&H"D C2I%H�D = =%H"I>A&=�C�D A&G�D I�T8Ñ:®�HVC�^�I>=�D H"O&H"=�G�C�D AL®�F>C�^�I>?%H"®�¿�F%T
Ë Ì P�Î Ì Ð . ÄÅ���V�Æj iVÇno"lÉÈ5²�Ê�²87:R8Ã Ì P Ì ÏN@ Ì P Ì�Í
ÄÅ���V�Æj iVÇno"lÉÈ5²�Ê�²87:�8Ã Õ P ÖNP�Î�@:UVH"=�G�G�D O&_ ~-T�`&D A&®%H"J