Methodology and software platform for multi-layer causal modeling

This paper introduces an integrated framework and software platform that uses a three-layer approach to modeling complex systems. The multi-layer PRA approach implemented in IRIS (Integrated Risk Information System) combines the power of Event Sequence Diagrams and Fault Trees for modeling risk scenarios and system risks and hazards with the flexibility of Bayesian Belief Networks for modeling nondeterministic system components (e.g. human, organizational). The three types of models combined in the IRIS integrated framework form a Hybrid Causal Logic (HCL) model that addresses deterministic and probabilistic elements of systems and quantitatively integrates system dependencies. This paper will describe the HCL algorithm and its implementation in IRIS by use of an example from aviation risk assessment (a risk scenario model of aircraft taking off from the wrong runway). build a single one-layer model, or a network of multi-layer models. IRIS was developed as part of an international research effort sponsored by the FAA System Approach for Safety Oversight (SASO) office. Other parts of this research created ESDs, FTs, and BBNs by teams of aviation experts from the United States and Europe. IRIS integrates the different models into a standard framework, and the HCL algorithm combines quantitative information from the models to calculate total risk. The Dutch National Aerospace Laboratory (NLR) used the NLR air safety database and aviation experts to create a hierarchical set of 31 generic ESDs representing the possible accident scenarios from takeoff to landing (Roelen et al. 2002). Another layer of the aviation safety model was created by Hi-Tec Systems. Hi-Tec created a comprehensive model for the quality of air carrier maintenance (Eghbali 2006) and of flight operations (Mandelapu 2006). NLR has also created FTs for specific accident scenarios (Roelen & Wever 2004a, b). The NLR and Hi-Tec models were built and analyzed in IRIS.
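The quantitative stacking of the three layers, as an added illustration that is not the paper's or IRIS's own code: a small Python model in which a BBN over ATC fatigue and workload supplies a fault-tree basic event, the fault tree supplies the ESD pivotal event "wrong runway not detected", and the ESD yields per-takeoff end-state probabilities. The network structure, gate logic and every probability value are constructed for illustration, not taken from the paper, the NLR database or the NTSB report.

```python
from itertools import product

# Layer 3 (BBN): ATC "soft" factors. Structure: Fatigue -> Lapse <- Workload.
# All priors and conditional probabilities are constructed illustration values.
P_FATIGUE = 0.10                      # P(controller is fatigued)
P_WORKLOAD = 0.30                     # P(controller is also covering radar)
P_LAPSE_GIVEN = {                     # P(monitoring lapse | fatigue, workload)
    (False, False): 0.01, (False, True): 0.05,
    (True, False): 0.10, (True, True): 0.40,
}

def bbn_lapse_probability(p_fatigue=P_FATIGUE, p_workload=P_WORKLOAD):
    """Marginalise the BBN by enumeration to get P(ATC monitoring lapse)."""
    total = 0.0
    for fatigued, loaded in product((False, True), repeat=2):
        p_f = p_fatigue if fatigued else 1.0 - p_fatigue
        p_w = p_workload if loaded else 1.0 - p_workload
        total += p_f * p_w * P_LAPSE_GIVEN[(fatigued, loaded)]
    return total

# Layer 2 (FT): top event "wrong runway not detected before the takeoff roll".
# Top = AND(crew misses it, ATC misses it); each branch is an OR of basic events.
def ft_not_detected(p_atc_lapse, p_short_briefing=0.05, p_cues_ignored=0.02,
                    p_atc_position_unknown=0.20):
    """Basic events are independent; p_atc_lapse is supplied by the BBN layer."""
    p_crew_misses = 1.0 - (1.0 - p_short_briefing) * (1.0 - p_cues_ignored)    # OR
    p_atc_misses = 1.0 - (1.0 - p_atc_lapse) * (1.0 - p_atc_position_unknown)  # OR
    return p_crew_misses * p_atc_misses                                        # AND

# Layer 1 (ESD): initiating event "aircraft lines up on the wrong runway",
# pivotal events in temporal order, and the end state each path reaches.
def esd_end_states(p_not_detected, p_initiating=1e-4, p_overrun_given_takeoff=0.5):
    """Return the per-takeoff probability of each ESD end state."""
    p_continue = p_initiating * p_not_detected
    return {
        "error_detected_takeoff_rejected": p_initiating * (1.0 - p_not_detected),
        "takeoff_completed_from_wrong_runway": p_continue * (1.0 - p_overrun_given_takeoff),
        "runway_overrun": p_continue * p_overrun_given_takeoff,
    }

def hcl_quantify(**bbn_overrides):
    """Stack the layers: BBN marginal -> FT basic event -> ESD pivotal event."""
    p_lapse = bbn_lapse_probability(**bbn_overrides)
    return esd_end_states(ft_not_detected(p_lapse))

if __name__ == "__main__":
    for state, p in hcl_quantify().items():
        print(f"{state:40s} {p:.3e}")
```

Passing a different fatigue prior to hcl_quantify shows how a change in the BBN layer propagates through the fault tree into the ESD end-state probabilities.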
One set of models pertains to the use of the incorrect runway during takeoff. These models became especially pertinent after the August 2006 fatal Comair Flight 5191 crash in Lexington, Kentucky. The pilot of Flight 5191 taxied onto the wrong runway during an early morning takeoff due to a combination of human and airport factors. The incorrect runway was shorter than the minimum distance required for the aircraft to take off. The aircraft was less than 300 ft from the end of the runway before the pilots realized the error and attempted to take off at below-optimal speed. The attempted takeoff resulted in a runway overrun and the death of 49 of the 50 people on board. The NTSB (2007) cited human actions by the crew and air traffic control (ATC) as contributing to the accident. The crew violated cockpit policy by engaging in non-pertinent conversation during taxiing and by completing an abbreviated taxi briefing. Signs indicating the runway number and cockpit displays indicating the direction of takeoff were not mentioned by either pilot during the takeoff. During takeoff the flight crew noted that there were no lights on the runway as expected, but did not double-check their position, as the copilot had observed numerous lights out on the correct runway the previous day. Pre-flight paperwork also indicated that the centerline lights on the proper runway were out. The flight crew did not use the available cues to reconsider takeoff. At the time of the accident only one of the two required air traffic controllers was on duty. According to post-accident statements, the controller on duty at the time of the accident was also responsible for monitoring radar and was not aware that the aircraft had stopped short of the desired runway before he issued takeoff clearance. After issuing takeoff clearance the controller turned around to perform administrative tasks during takeoff and was not engaged in monitoring the progress of the flight.
Fatigue likely contributed to the performance of the controller, as he had slept for only 2 hours in the 24 hours before the accident. Impaired decision making and inappropriate task prioritization by both crew members and ATC were major contributing factors to this accident. The reduced lighting on both the correct and incorrect runways at the airport contributed to the decision errors made by the crew, and fatigue and workload contributed to the decision errors made by ATC. The details from Flight 5191 and the group of models for use of the incorrect runway during takeoff will be used throughout this paper to show how the HCL methodology can be applied to a real example.

2 OVERVIEW OF HCL METHODOLOGY

2.1 Overview of the HCL modeling layers

The hybrid causal logic methodology extends conventional deterministic risk analysis techniques to include "soft" factors, including the organizational and regulatory environment of the physical system. The HCL methodology employs a model-based approach to system analysis; this approach can be used as the foundation for addressing many of the issues that are commonly encountered in system safety assessment, hazard identification analysis, and risk analysis. The integrated framework is presented in Figure 1. ESDs form the top layer of the three-layer model, FTs form the second layer, and BBNs form the bottom layer. An ESD is used to model temporal sequences of events. ESDs are similar to event trees and flowcharts; an ESD models the possible paths to

Figure 1: Illustration of a three-layered IRIS model