Modelling of potential hazards in agent ... - ATM Seminar€¦ · Why Agent Based Modelling and Simulation? ... Pro’s and Con’s of modelling all hazards ... To extend agent based

1

Modelling of potential hazards in

agent-based safety risk analysis

Henk Blom NLR and Delft University of Technology

Sybert Stroeve NLR

Tibor Bosse VU Amsterdam

10th

USA/Europe ATM R&D Seminar, Chicago, June 10-13, 2013

Vrije Universiteit Amsterdam

MAREA: Mathematical Approach

towards Resilience Engineering in ATM

2



• Agent-based safety risk analysis

• Potential hazards

• Identify model constructs

• Relation with models used in aviation

• Concluding remarks

3

Why Agent Based Modelling and Simulation?

Powerful framework to model Complex Socio-Technical Systems

Effective in partitioning the socio-technical system space

Effective in modelling interactions and dependencies

Capability to reveal and analyse emergent behaviour

Proven to work in safety risk analysis of novel ATM ConOps:

- TOPAZ (Traffic Organization and Perturbation AnalyZer)

4

Agent based safety risk analysis in TOPAZ

(Traffic Organization and Perturnation AnalyZer)

• Modelling Semantics:

• Agent Based Modelling (ABM)

• Human performance modelling

• Modelling Syntax:

• Petri Net based Compositional Specification

• Risk Quantification:

• Rare Event Monte Carlo (MC) simulation

• Bias and Uncertainty Analysis:

• Differences between model and reality

5

Differences between model and reality

• Numerical precision

• Parameter values

• Aleatory uncertainty

• Epemistic uncertainty

• Model structural assumptions

• Hazards not modelled

• Operational concept differences

Bias & uncertainty analysis process

Monte Carlo

Simulation Model

Reality

Bias & Uncertainty

AssessmentModel-Reality

DifferencesRisk expectation value

Risk credibility interval

True risk

Risk point estimate

Risk sensitivities

7

Pro’s and Con’s of modelling all hazards

Pro: Emergent Behaviour is Captured through MC

Con: Enlarges Model and Increases # of Parameters

Optimal balance:

• Model hazards that influence emergent behaviour

• Else, consider to use Bias and Uncertainty analysis

Development of an optimal approach requires understanding

how to model each hazard in an agent based model !

8








9

Identification of Hazards

Hazard = “Anything that may influence safety”

Events / conditions / performance aspects

Humans / systems / environment

Interactions

TOPAZ Hazard Database

Conducted safety assessments

Hazard brainstorm sessions

4000+ hazards

10

A Set of Generalised Hazards

4000+

Selection of unique hazards

525

Generalization of hazards

Development

(Set I)

Validation

(Set II)

Wrong waypoints in database

Transponder sends wrong call-sign

False alert of an airborne system

Track drop on controller HMI

Pilot mixes up ATC clearances

Pilot validates without checking Risk of a conflict is underestimated

Alert causes attentional tunneling

Controller has wrong SA about intent of aircraft

Flight plans of ATC system and FMS differ

Weather forecast is wrong

Animals on the runway

Resolution of conflict leads to other conflicts

Contingency procedures have not been tested

11

Clustering of Hazards

• Pilot performance 124

• Controller performance 110

• Speech-based communication 37

• Traffic relations 33

• Other 31

• Aircraft systems 27

• Surveillance system 27

• Weather 27

• ATC systems 25

• ATC coordination 24

• Infrastructure & environment 24

• Datalink based communication 20

• Navigation systems 16

12








Matching Model Constructs to Hazards

• Adopt selected model constructs

• Phase 1: TOPAZ model constructs

• Phase 2: VU model constructs

• Phase 3: Novel model constructs

• Perform ‘mental simulation’ of agent based model per hazard

• Each hazard tells a short story that should be mentally simulated

• Which model constructs are used in the mental simulation ?

• Done by multiple experts in agent based modeling and simulation

of socio-technical systems

• 2 from VU and 2 from NLR

• Iterate until the mental simulations of these experts coincide

13

TOPAZ Model Constructs

C1 Human Information Processing C8 Human Error

C2 Multi-Agent Situation Awareness C9 Decision Making

C3

Task Identification C10 System Mode

C4

Task Scheduling C11 Dynamic Variability

C5

Task Execution C12 Stochastic Variability

C6

Cognitive Control Mode C13 Contextual Condition

C7 Task Load

14

15

Multi-Agent SA in ATM

,

,

,

,

Identity

State

Mode

Intent

k

t i

k

t i

k

t i

k

t i

SA of agent i

at time t

about agent k

,

k

t i

16

Multi-Agent SA Update types

SA

agent i

SA

agent k

Observation

SA

agent i

SA

agent k

Communication

SA

agent i

decision

agent i

Reasoning

17

Multi Agent SA propagation

Hazard Example involving

System Error (C10) and MA-SA (C2)

Wrong waypoint in FMS database, e.g, due to update of FMS

software, errors in database, outdated database

‘Mental simulation’

• Agents involved: Pilot and FMS

• Wrong waypoint in FMS database = System Mode

• Pilot enters Intent into FMS = Communication between agents

• FMS interprets this Intent using its database = MA-SA difference

18

19

Controller makes a reading error

Human error

Multi-agent SA

Pilots do not react to controller call

due to high workload

Task identification

Task scheduling

Cognitive control mode

Failure of GPS system

System mode

Pilot reports wrong position

Human error

Multi-agent SA

Controller ignores an alert

Multi-agent SA

...

Procedure change confusion

Multi-agent SA

Decision making

...

Cultural differences between airlines

...

Controller is fatigued and sleepy

...

Lack of experience in

degraded modes

...

Covered

Not

Covered

Partly 155

81

30

TOPAZ Model Constructs – Hazard Coverage

VU Model Constructs

MC1 Object-oriented Attention MC7 Trust

MC2 Experience-based Decision Making MC8 Formal Organisations

MC3

Operator Functional State MC9 Learning

MC4

Information Presentation MC10 Goal-oriented Attention

MC5

Safety Culture MC11 Extended Mind

MC6

Complex Beliefs in

Situation Awareness

20

21

Complex procedure causes R/T overload

Operator Functional State

Formal Organisation

Controller has low confidence in

validity of system alerts

Trust

Controller is fatigued and sleepy


Clutter of audio messages

Information Presentation

Situation Awareness

Pilots falling asleep


...

Negotiation problems Pilot-ATC

Trust

...

A jolly atmosphere on the frequency

...

Icing of the wings

...

Aircraft picks up beacons

with similar frequencies

...

Covered

Not

Partly

212

36

18

10th

USA/Europe ATM R&D Seminar (ATM2013) , Chicago, June 10-13, 2013

VU Model Constructs – Hazard Coverage

New Model Constructs

NM2 Unstabilised Approach NM32 Merging or Splitting ATC

Sectors

NM3 Handling Inconsistent

Information by a Technical

System

NM33 Changes in Visibility

NM7

Group Emotion NM34 Weather Forecast Wrong

NM14

Surprise/Confusion due to

Complex or Unclear Procedures

NM35 Turbulence

NM15

Surprise/Confusion due to

Changes in Procedures

NM36 Icing

NM21

Deciding when to take action NM38 Influence of Many Agents on

Flight Planning

NM31 Access Rights to an Information

System

NM40 Uncontrolled Aircraft

22

23

A jolly atmosphere on the frequency


Emotion Contagion

Aircraft picks up beacons

with similar frequencies

Handling of Inconsistent Info

by a Technical System

Icing of the Wings

Icing

Unstabilised Approach

Approach

Strong variation in view

Weather

...

Standard R/T not adhered to

Confusion

...

Security Intrusion

...

Unmanned Arial Vehicles

...

Military Aircraft Shoots a

Civil Aircraft Down

...

Covered

Not Partly

244

6 16

New Model Constructs – Hazard Coverage

24








Hazard % based ranking of model constructs

25

26

Top-15 Model constructs/types

commonly in use in aviation studies (1/2)

Rank 1 (41.4%): C2 – Multi-Agent SA (MA-SA):

• Multi Agent extension of Endsley’s (1995) SA model

• Allows to systematically capture SA differences between agents

• Complementary extension ranks 10: MC6 - Complex beliefs in SA

Rank 2 (19.9%): C10 - System mode:

• RAMS: Reliability, Availability, Maintainability and Safety of

technical systems

Rank 3 (18.0%): C8 - Human error

• 1st generation Human Reliability Analysis (HRA):

• Slips, Lapses and Mistakes (Reason, 1990)

• 2nd generation HRA incorporates effects such as captured by

model constructs at ranks 1,2,4,7,9, 11-15

27

Top-15 Model constructs/types

commonly in use in aviation studies (2/2)

Rank 4 (14.3%): C1 - Human Information Processing

• Human performance simulation

• MIDAS, Air-MIDAS, PUMA, ACT-R, IMPRINT/ACT-R,

D-OMAR

• Other related model constructs are at ranks 6-9,11-15

Rank 5 (8.6%): C11 - Dynamic Variability

• Simulation of aircraft trajectories in

• Aircraft performance models

• Human-In-The-Loop simulations

• Fast Time simulations

28

Other Model constructs/types

in use in aviation studies

Rank 17 (3.4%): – Formal Organization (MC8)

Rank 20 (3.0%): – Stochastic Variability (C12)

Rank 22 (2.6%): – Safety Culture (MC5)

Rank 25 (1.9%): – Task Load (C7)

Rank 26 (1.9%): – Extended Mind (MC11)

Rank 29 (0.4%): – Approach (NM2)

Rank 34-36 (0.4%) – Weather related (NM34-36)

Rank 38 (0.4%): – Uncontrolled aircraft (NM40)

29

Less common model constructs/types

• Rank 16 (3.4%): – Visibility changes (NM33)

• Rank 18 (3.4%): – Surprise / complex procedure (NM14)

• Rank 19 (3.0%): – Surprise / changed procedure (NM15)

• Rank 21 (3.0%): – Object Oriented Atttention (MC1)

• Rank 23 (2.6%): – Learning (MC5)

• Rank 24 (2.3%): – Information Presentation (MC4)

• Rank 27 (0.8%): – Goal Oriented Attention (MC10)

• Rank 28 (0.8%): – Access Rights (NM31)

• Rank 30 (0.4%): – Tech. Syst. Handling Incons. Info (NM3)

• Rank 31 (0.4%): – Group Emotion (NM7)

• Rank 32 (0.4%): – Deciding when to take action (NM21)

• Rank 33 (0.4%): – Merging or splitting ATC sectors (NM32)

30








Wrap up of Model Constructs Identified

38 agent-based model constructs have been identified

• 13 TOPAZ model constructs

• 11 VU model constructs

• 14 new model constructs

31

Covered

NotPartly

244

616

Result: considerable improvement in modelling hazards

Covered

Not

Covered

Partly 155

81

30

Covered

Not

Partly

212

36

18

+ VU TOPAZ + NEW

32

Summary of findings

• Hazard data base guided model construct search very well

• Model construct ranking 1 is a multi agent extension of

Endley’s SA model (ATM2003 paper)

• Model constructs ranking 2 through 5 are familiar:

• System Mode (RAMS)

• Human error (first generation HRA)

• Human Information Processing (Wickens)

• Dynamic Variability (aircraft dynamics simulation)

• 10 model constructs open new directions, e.g. Surprise,

Learning, Access Rights, Group Emotion.

33

Agent based modelling follow up

• Further integration of model constructs

• Validation of model constructs

• Test the coverage on the 2nd hazard set

• Apply model constructs to accident scenarios

• Conduct interviews with pilots and controllers

• Develop a balanced agent based modelling approach

• Model hazards having emergent effects

• Bias and Uncertainty Assessment for all other hazards

34

Resilience directed follow up

• Aim: To extend agent based modelling with model

constructs that capture the ways how pilots and controllers

provide a key source of resilience in handling hazards

• First step: Understanding how Pilots and Controllers do this

• Conduct Interviews with Pilots and Controllers regarding their

operational way of handling each hazard

• Conduct statistical analysis of these responses, in order to

identify the nature of pilot and controller responses to hazards

• Follow up step: To capture this in agent-based modelling,

e.g. coordination.

Questions ?

Documents

Modelling of potential hazards in agent ... - ATM Seminar€¦ · Why Agent Based Modelling and Simulation? ... Pro’s and Con’s of modelling all hazards ... To extend agent based