MAREA: Mathematical Approach towards Resilience Engineering in ATM
Vrije Universiteit Amsterdam

Modelling of potential hazards in agent-based safety risk analysis

Henk Blom, NLR and Delft University of Technology
Sybert Stroeve, NLR
Tibor Bosse, VU Amsterdam

10th USA/Europe ATM R&D Seminar, Chicago, June 10-13, 2013

Modelling of potential hazards in agent-based safety risk analysis
• Agent-based safety risk analysis
• Potential hazards
• Identify model constructs
• Relation with models used in aviation
• Concluding remarks

Why Agent Based Modelling and Simulation?
• Powerful framework to model Complex Socio-Technical Systems
• Effective in partitioning the socio-technical system space
• Effective in modelling interactions and dependencies
• Capability to reveal and analyse emergent behaviour
• Proven to work in safety risk analysis of novel ATM ConOps:
  - TOPAZ (Traffic Organization and Perturbation AnalyZer)

Agent based safety risk analysis in TOPAZ (Traffic Organization and Perturbation AnalyZer)
• Modelling Semantics:
  • Agent Based Modelling (ABM)
  • Human performance modelling
• Modelling Syntax:
  • Petri Net based Compositional Specification
• Risk Quantification:
  • Rare Event Monte Carlo (MC) simulation
• Bias and Uncertainty Analysis:
  • Differences between model and reality

Differences between model and reality
• Numerical precision
• Parameter values
  • Aleatory uncertainty
  • Epistemic uncertainty
• Model structural assumptions
• Hazards not modelled
• Operational concept differences

Bias & uncertainty analysis process
[Figure: Monte Carlo simulation model, risk point estimate, risk sensitivities, model-reality differences, reality, bias & uncertainty assessment, risk expectation value, risk credibility interval, true risk]

Pros and Cons of modelling all hazards
• Pro: Emergent Behaviour is Captured through MC
• Con: Enlarges Model and Increases # of Parameters
Optimal balance:
• Model hazards that influence emergent behaviour
• Otherwise, consider using Bias and Uncertainty analysis
Development of an optimal approach requires understanding how to model each hazard in an agent based model!

Identification of Hazards
• Hazard = “Anything that may influence safety”
  • Events / conditions / performance aspects
  • Humans / systems / environment
  • Interactions
• TOPAZ Hazard Database
  • Conducted safety assessments
  • Hazard brainstorm sessions
  • 4000+ hazards

A Set of Generalised Hazards
• 4000+ hazards
• Selection of unique hazards
• Generalization of hazards
• 525 generalised hazards
  • Development (Set I)
  • Validation (Set II)
Example hazards:
• Weather forecast is wrong
• Pilot mixes up ATC clearances
• Flight plans of ATC system and FMS differ
• False alert of an airborne system
• Wrong waypoints in database
• Resolution of conflict leads to other conflicts
• Transponder sends wrong call-sign
• Alert causes attentional tunneling
• Risk of a conflict is underestimated
• Pilot validates without checking
• Controller has wrong SA about intent of aircraft
• Track drop on controller HMI
• Contingency procedures have not been tested
• Animals on the runway

Clustering of Hazards
• Pilot performance: 124
• Controller performance: 110
• Speech-based communication: 37
• Traffic relations: 33
• Other: 31
• Aircraft systems: 27
• Surveillance system: 27
• Weather: 27
• ATC systems: 25
• ATC coordination: 24
• Infrastructure & environment: 24
• Datalink based communication: 20
• Navigation systems: 16

Matching Model Constructs to Hazards
• Adopt selected model constructs
  • Phase 1: TOPAZ model constructs
  • Phase 2: VU model constructs
  • Phase 3: Novel model constructs
• Perform ‘mental simulation’ of agent based model per hazard
  • Each hazard tells a short story that should be mentally simulated
  • Which model constructs are used in the mental simulation?
• Done by multiple experts in agent based modeling and simulation of socio-technical systems
  • 2 from VU and 2 from NLR
  • Iterate until the mental simulations of these experts coincide

TOPAZ Model Constructs
• C1 Human Information Processing
• C2 Multi-Agent Situation Awareness
• C3 Task Identification
• C4 Task Scheduling
• C5 Task Execution
• C6 Cognitive Control Mode
• C7 Task Load
• C8 Human Error
• C9 Decision Making
• C10 System Mode
• C11 Dynamic Variability
• C12 Stochastic Variability
• C13 Contextual Condition

Multi-Agent SA in ATM
SA of agent i at time t about agent k, with components:
• $\mathrm{Identity}^{k}_{t,i}$
• $\mathrm{State}^{k}_{t,i}$
• $\mathrm{Mode}^{k}_{t,i}$
• $\mathrm{Intent}^{k}_{t,i}$

Multi-Agent SA Update types
• Observation: SA agent i, SA agent k
• Communication: SA agent i, SA agent k
• Reasoning: SA agent i, decision agent i

Multi Agent SA propagation

Hazard Example involving System Error (C10) and MA-SA (C2)
Wrong waypoint in FMS database, e.g., due to update of FMS software, errors in database, outdated database
‘Mental simulation’
• Agents involved: Pilot and FMS
• Wrong waypoint in FMS database = System Mode
• Pilot enters Intent into FMS = Communication between agents
• FMS interprets this Intent using its database = MA-SA difference

TOPAZ Model Constructs – Hazard Coverage
Covered: 155, Partly: 30, Not covered: 81
Example hazards with no model construct listed:
• Cultural differences between airlines
• Controller is fatigued and sleepy
• Lack of experience in degraded modes
Example hazards with the model constructs listed for them:
• Procedure change confusion: Multi-agent SA, Decision making
• Controller makes a reading error: Human error, Multi-agent SA
• Failure of GPS system: System mode
• Pilot reports wrong position: Human error, Multi-agent SA
• Controller ignores an alert: Multi-agent SA
• Pilots do not react to controller call due to high workload: Task identification, Task scheduling, Cognitive control mode

VU Model Constructs
• MC1 Object-oriented Attention
• MC2 Experience-based Decision Making
• MC3 Operator Functional State
• MC4 Information Presentation
• MC5 Safety Culture
• MC6 Complex Beliefs in Situation Awareness
• MC7 Trust
• MC8 Formal Organisations
• MC9 Learning
• MC10 Goal-oriented Attention
• MC11 Extended Mind

VU Model Constructs – Hazard Coverage
Covered: 212, Partly: 18, Not covered: 36
Example hazards with no model construct listed:
• A jolly atmosphere on the frequency
• Icing of the wings
• Aircraft picks up beacons with similar frequencies
Example hazards with the model constructs listed for them:
• Complex procedure causes R/T overload: Operator Functional State, Formal Organisation
• Controller is fatigued and sleepy: Operator Functional State
• Clutter of audio messages: Information Presentation, Situation Awareness
• Negotiation problems Pilot-ATC: Trust
• Pilots falling asleep: Operator Functional State
• Controller has low confidence in validity of system alerts: Trust

New Model Constructs
• NM2 Unstabilised Approach
• NM3 Handling Inconsistent Information by a Technical System
• NM7 Group Emotion
• NM14 Surprise/Confusion due to Complex or Unclear Procedures
• NM15 Surprise/Confusion due to Changes in Procedures
• NM21 Deciding when to take action
• NM31 Access Rights to an Information System
• NM32 Merging or Splitting ATC Sectors
• NM33 Changes in Visibility
• NM34 Weather Forecast Wrong
• NM35 Turbulence
• NM36 Icing
• NM38 Influence of Many Agents on Flight Planning
• NM40 Uncontrolled Aircraft

New Model Constructs – Hazard Coverage
Covered: 244, Partly: 16, Not covered: 6
Example hazards with no model construct listed:
• Security Intrusion
• Unmanned Aerial Vehicles
• Military Aircraft Shoots a Civil Aircraft Down
Example hazards with the model constructs listed for them:
• A jolly atmosphere on the frequency: Operator Functional State, Emotion Contagion
• Standard R/T not adhered to: Confusion
• Strong variation in view: Weather
• Icing of the Wings: Icing
• Unstabilised Approach: Approach
• Aircraft picks up beacons with similar frequencies: Handling of Inconsistent Info by a Technical System

Hazard % based ranking of model constructs

Top-15 Model constructs/types commonly in use in aviation studies (1/2)
Rank 1 (41.4%): C2 – Multi-Agent SA (MA-SA):
• Multi Agent extension of Endsley’s (1995) SA model
• Allows SA differences between agents to be captured systematically
• Complementary extension ranks 10th: MC6 - Complex beliefs in SA
Rank 2 (19.9%): C10 - System mode:
• RAMS: Reliability, Availability, Maintainability and Safety of technical systems
Rank 3 (18.0%): C8 - Human error
• 1st generation Human Reliability Analysis (HRA):
  • Slips, Lapses and Mistakes (Reason, 1990)
• 2nd generation HRA incorporates effects such as captured by model constructs at ranks 1, 2, 4, 7, 9, 11-15

Top-15 Model constructs/types commonly in use in aviation studies (2/2)
Rank 4 (14.3%): C1 - Human Information Processing
• Human performance simulation
  • MIDAS, Air-MIDAS, PUMA, ACT-R, IMPRINT/ACT-R, D-OMAR
• Other related model constructs are at ranks 6-9, 11-15
Rank 5 (8.6%): C11 - Dynamic Variability
• Simulation of aircraft trajectories in
  • Aircraft performance models
  • Human-In-The-Loop simulations
  • Fast Time simulations

Other Model constructs/types in use in aviation studies
• Rank 17 (3.4%): Formal Organization (MC8)
• Rank 20 (3.0%): Stochastic Variability (C12)
• Rank 22 (2.6%): Safety Culture (MC5)
• Rank 25 (1.9%): Task Load (C7)
• Rank 26 (1.9%): Extended Mind (MC11)
• Rank 29 (0.4%): Approach (NM2)
• Rank 34-36 (0.4%): Weather related (NM34-36)
• Rank 38 (0.4%): Uncontrolled aircraft (NM40)

Less common model constructs/types
• Rank 16 (3.4%): Visibility changes (NM33)
• Rank 18 (3.4%): Surprise / complex procedure (NM14)
• Rank 19 (3.0%): Surprise / changed procedure (NM15)
• Rank 21 (3.0%): Object Oriented Attention (MC1)
• Rank 23 (2.6%): Learning (MC9)
• Rank 24 (2.3%): Information Presentation (MC4)
• Rank 27 (0.8%): Goal Oriented Attention (MC10)
• Rank 28 (0.8%): Access Rights (NM31)
• Rank 30 (0.4%): Tech. Syst. Handling Incons. Info (NM3)
• Rank 31 (0.4%): Group Emotion (NM7)
• Rank 32 (0.4%): Deciding when to take action (NM21)
• Rank 33 (0.4%): Merging or splitting ATC sectors (NM32)

Wrap up of Model Constructs Identified
38 agent-based model constructs have been identified
• 13 TOPAZ model constructs
• 11 VU model constructs
• 14 new model constructs
Result: considerable improvement in modelling hazards
• TOPAZ: Covered 155, Partly 30, Not covered 81
• + VU: Covered 212, Partly 18, Not covered 36
• + NEW: Covered 244, Partly 16, Not covered 6

Summary of findings
• Hazard database guided model construct search very well
• Model construct ranking 1 is a multi agent extension of Endsley’s SA model (ATM2003 paper)
• Model constructs ranking 2 through 5 are familiar:
  • System Mode (RAMS)
  • Human error (first generation HRA)
  • Human Information Processing (Wickens)
  • Dynamic Variability (aircraft dynamics simulation)
• 10 model constructs open new directions, e.g. Surprise, Learning, Access Rights, Group Emotion.

Agent based modelling follow up
• Further integration of model constructs
• Validation of model constructs
  • Test the coverage on the 2nd hazard set
  • Apply model constructs to accident scenarios
  • Conduct interviews with pilots and controllers
• Develop a balanced agent based modelling approach
  • Model hazards having emergent effects
  • Bias and Uncertainty Assessment for all other hazards

Resilience directed follow up
• Aim: To extend agent based modelling with model constructs that capture how pilots and controllers provide a key source of resilience in handling hazards
• First step: Understanding how Pilots and Controllers do this
  • Conduct interviews with Pilots and Controllers regarding their operational way of handling each hazard
  • Conduct statistical analysis of these responses, in order to identify the nature of pilot and controller responses to hazards
• Follow up step: To capture this in agent-based modelling, e.g. coordination.

Questions?