Modelling of potential hazards in
agent-based safety risk analysis
Henk Blom NLR and Delft University of Technology
Sybert Stroeve NLR
Tibor Bosse VU Amsterdam
10th USA/Europe ATM R&D Seminar, Chicago, June 10-13, 2013
Vrije Universiteit Amsterdam
MAREA: Mathematical Approach
towards Resilience Engineering in ATM
Modelling of potential hazards in
agent-based safety risk analysis
• Agent-based safety risk analysis
• Potential hazards
• Identify model constructs
• Relation with models used in aviation
• Concluding remarks
Why Agent Based Modelling and Simulation?
Powerful framework to model Complex Socio-Technical Systems
Effective in partitioning the socio-technical system space
Effective in modelling interactions and dependencies
Capability to reveal and analyse emergent behaviour
Proven to work in safety risk analysis of novel ATM ConOps:
- TOPAZ (Traffic Organization and Perturbation AnalyZer)
Agent based safety risk analysis in TOPAZ
(Traffic Organization and Perturbation AnalyZer)
• Modelling Semantics:
• Agent Based Modelling (ABM)
• Human performance modelling
• Modelling Syntax:
• Petri Net based Compositional Specification
• Risk Quantification:
• Rare Event Monte Carlo (MC) simulation
• Bias and Uncertainty Analysis:
• Differences between model and reality
Differences between model and reality
• Numerical precision
• Parameter values
• Aleatory uncertainty
• Epistemic uncertainty
• Model structural assumptions
• Hazards not modelled
• Operational concept differences
Bias & uncertainty analysis process
[Figure: diagram with the labels Monte Carlo Simulation Model; Reality; Model-Reality Differences; Bias & Uncertainty Assessment; Risk point estimate; Risk sensitivities; Risk expectation value; Risk credibility interval; True risk]
Pros and Cons of modelling all hazards
Pro: Emergent Behaviour is Captured through MC
Con: Enlarges Model and Increases # of Parameters
Optimal balance:
• Model hazards that influence emergent behaviour
• Otherwise, consider using Bias and Uncertainty analysis
Developing an optimal approach requires understanding
how to model each hazard in an agent-based model!
Identification of Hazards
Hazard = “Anything that may influence safety”
Events / conditions / performance aspects
Humans / systems / environment
Interactions
TOPAZ Hazard Database
Conducted safety assessments
Hazard brainstorm sessions
4000+ hazards
A Set of Generalised Hazards
4000+
Selection of unique hazards
525
Generalization of hazards
Development (Set I)
Validation (Set II)
Wrong waypoints in database
Transponder sends wrong call-sign
False alert of an airborne system
Track drop on controller HMI
Pilot mixes up ATC clearances
Pilot validates without checking
Risk of a conflict is underestimated
Alert causes attentional tunneling
Controller has wrong SA about intent of aircraft
Flight plans of ATC system and FMS differ
Weather forecast is wrong
Animals on the runway
Resolution of conflict leads to other conflicts
Contingency procedures have not been tested
Clustering of Hazards
• Pilot performance 124
• Controller performance 110
• Speech-based communication 37
• Traffic relations 33
• Other 31
• Aircraft systems 27
• Surveillance system 27
• Weather 27
• ATC systems 25
• ATC coordination 24
• Infrastructure & environment 24
• Datalink based communication 20
• Navigation systems 16
Matching Model Constructs to Hazards
• Adopt selected model constructs
• Phase 1: TOPAZ model constructs
• Phase 2: VU model constructs
• Phase 3: Novel model constructs
• Perform ‘mental simulation’ of agent based model per hazard
• Each hazard tells a short story that should be mentally simulated
• Which model constructs are used in the mental simulation?
• Done by multiple experts in agent based modeling and simulation
of socio-technical systems
• 2 from VU and 2 from NLR
• Iterate until the mental simulations of these experts coincide
TOPAZ Model Constructs
C1 Human Information Processing
C2 Multi-Agent Situation Awareness
C3 Task Identification
C4 Task Scheduling
C5 Task Execution
C6 Cognitive Control Mode
C7 Task Load
C8 Human Error
C9 Decision Making
C10 System Mode
C11 Dynamic Variability
C12 Stochastic Variability
C13 Contextual Condition
Multi-Agent SA in ATM
SA of agent i at time t about agent k, with components (each indexed by t, i and k):
• Identity
• State
• Mode
• Intent
Multi-Agent SA Update types
• Observation: SA agent i, SA agent k
• Communication: SA agent i, SA agent k
• Reasoning: SA agent i, decision agent i
Multi Agent SA propagation
Hazard Example involving
System Error (C10) and MA-SA (C2)
Wrong waypoint in FMS database, e.g., due to update of FMS software, errors in database, outdated database
‘Mental simulation’
• Agents involved: Pilot and FMS
• Wrong waypoint in FMS database = System Mode
• Pilot enters Intent into FMS = Communication between agents
• FMS interprets this Intent using its database = MA-SA difference
TOPAZ Model Constructs – Hazard Coverage
• Controller makes a reading error: Human error, Multi-agent SA
• Pilots do not react to controller call due to high workload: Task identification, Task scheduling, Cognitive control mode
• Failure of GPS system: System mode
• Pilot reports wrong position: Human error, Multi-agent SA
• Controller ignores an alert: Multi-agent SA, ...
• Procedure change confusion: Multi-agent SA, Decision making, ...
• Cultural differences between airlines: ...
• Controller is fatigued and sleepy: ...
• Lack of experience in degraded modes: ...
Hazard coverage: Covered 155, Not covered 81, Partly 30
VU Model Constructs
MC1 Object-oriented Attention
MC2 Experience-based Decision Making
MC3 Operator Functional State
MC4 Information Presentation
MC5 Safety Culture
MC6 Complex Beliefs in Situation Awareness
MC7 Trust
MC8 Formal Organisations
MC9 Learning
MC10 Goal-oriented Attention
MC11 Extended Mind
VU Model Constructs – Hazard Coverage
• Complex procedure causes R/T overload: Operator Functional State, Formal Organisation
• Controller has low confidence in validity of system alerts: Trust
• Controller is fatigued and sleepy: Operator Functional State
• Clutter of audio messages: Information Presentation, Situation Awareness
• Pilots falling asleep: Operator Functional State, ...
• Negotiation problems Pilot-ATC: Trust, ...
• A jolly atmosphere on the frequency: ...
• Icing of the wings: ...
• Aircraft picks up beacons with similar frequencies: ...
Hazard coverage: Covered 212, Not covered 36, Partly 18
New Model Constructs
NM2 Unstabilised Approach
NM3 Handling Inconsistent Information by a Technical System
NM7 Group Emotion
NM14 Surprise/Confusion due to Complex or Unclear Procedures
NM15 Surprise/Confusion due to Changes in Procedures
NM21 Deciding when to take action
NM31 Access Rights to an Information System
NM32 Merging or Splitting ATC Sectors
NM33 Changes in Visibility
NM34 Weather Forecast Wrong
NM35 Turbulence
NM36 Icing
NM38 Influence of Many Agents on Flight Planning
NM40 Uncontrolled Aircraft
New Model Constructs – Hazard Coverage
• A jolly atmosphere on the frequency: Operator Functional State, Emotion Contagion
• Aircraft picks up beacons with similar frequencies: Handling of Inconsistent Info by a Technical System
• Icing of the Wings: Icing
• Unstabilised Approach: Approach
• Strong variation in view: Weather, ...
• Standard R/T not adhered to: Confusion, ...
• Security Intrusion: ...
• Unmanned Aerial Vehicles: ...
• Military Aircraft Shoots a Civil Aircraft Down: ...
Hazard coverage: Covered 244, Not covered 6, Partly 16
Hazard % based ranking of model constructs
Top-15 Model constructs/types
commonly in use in aviation studies (1/2)
Rank 1 (41.4%): C2 – Multi-Agent SA (MA-SA):
• Multi Agent extension of Endsley’s (1995) SA model
• Allows SA differences between agents to be captured systematically
• Complementary extension at rank 10: MC6 - Complex beliefs in SA
Rank 2 (19.9%): C10 - System mode:
• RAMS: Reliability, Availability, Maintainability and Safety of
technical systems
Rank 3 (18.0%): C8 - Human error
• 1st generation Human Reliability Analysis (HRA):
• Slips, Lapses and Mistakes (Reason, 1990)
• 2nd generation HRA incorporates effects such as captured by
model constructs at ranks 1, 2, 4, 7, 9, 11-15
Top-15 Model constructs/types
commonly in use in aviation studies (2/2)
Rank 4 (14.3%): C1 - Human Information Processing
• Human performance simulation
• MIDAS, Air-MIDAS, PUMA, ACT-R, IMPRINT/ACT-R,
D-OMAR
• Other related model constructs are at ranks 6-9,11-15
Rank 5 (8.6%): C11 - Dynamic Variability
• Simulation of aircraft trajectories in
• Aircraft performance models
• Human-In-The-Loop simulations
• Fast Time simulations
Other Model constructs/types
in use in aviation studies
Rank 17 (3.4%): Formal Organization (MC8)
Rank 20 (3.0%): Stochastic Variability (C12)
Rank 22 (2.6%): Safety Culture (MC5)
Rank 25 (1.9%): Task Load (C7)
Rank 26 (1.9%): Extended Mind (MC11)
Rank 29 (0.4%): Approach (NM2)
Rank 34-36 (0.4%): Weather related (NM34-36)
Rank 38 (0.4%): Uncontrolled aircraft (NM40)
Less common model constructs/types
• Rank 16 (3.4%): Visibility changes (NM33)
• Rank 18 (3.4%): Surprise / complex procedure (NM14)
• Rank 19 (3.0%): Surprise / changed procedure (NM15)
• Rank 21 (3.0%): Object Oriented Attention (MC1)
• Rank 23 (2.6%): Learning (MC5)
• Rank 24 (2.3%): Information Presentation (MC4)
• Rank 27 (0.8%): Goal Oriented Attention (MC10)
• Rank 28 (0.8%): Access Rights (NM31)
• Rank 30 (0.4%): Tech. Syst. Handling Incons. Info (NM3)
• Rank 31 (0.4%): Group Emotion (NM7)
• Rank 32 (0.4%): Deciding when to take action (NM21)
• Rank 33 (0.4%): Merging or splitting ATC sectors (NM32)
Wrap up of Model Constructs Identified
38 agent-based model constructs have been identified
• 13 TOPAZ model constructs
• 11 VU model constructs
• 14 new model constructs
Result: considerable improvement in modelling hazards
• TOPAZ: Covered 155, Not covered 81, Partly 30
• TOPAZ + VU: Covered 212, Not covered 36, Partly 18
• TOPAZ + VU + NEW: Covered 244, Not covered 6, Partly 16
Summary of findings
• The hazard database guided the model construct search very well
• The model construct at rank 1 is a multi-agent extension of
Endsley’s SA model (ATM2003 paper)
• Model constructs ranking 2 through 5 are familiar:
• System Mode (RAMS)
• Human error (first generation HRA)
• Human Information Processing (Wickens)
• Dynamic Variability (aircraft dynamics simulation)
• 10 model constructs open new directions, e.g. Surprise,
Learning, Access Rights, Group Emotion.
Agent based modelling follow up
• Further integration of model constructs
• Validation of model constructs
• Test the coverage on the 2nd hazard set
• Apply model constructs to accident scenarios
• Conduct interviews with pilots and controllers
• Develop a balanced agent based modelling approach
• Model hazards having emergent effects
• Bias and Uncertainty Assessment for all other hazards
Resilience directed follow up
• Aim: To extend agent based modelling with model
constructs that capture the ways in which pilots and controllers
provide a key source of resilience in handling hazards
• First step: Understanding how Pilots and Controllers do this
• Conduct Interviews with Pilots and Controllers regarding their
operational way of handling each hazard
• Conduct statistical analysis of these responses, in order to
identify the nature of pilot and controller responses to hazards
• Follow up step: To capture this in agent-based modelling,
e.g. coordination.
Questions?