Post on 13-Jun-2019
White Paper on Human Reliability Analysis
An Approach for Conducting HRA by Evaluating Factors Influencing the Cognitive Ability of the Pilot and Co-pilot During the Aircraft Landing
Process
Vandana Nigam
5/20/2014
2
TABLE OF CONTENTS
Section 1............................................................................................................................................ 3
Introduction ...................................................................................................................................... 3
Project Objective ....................................................................................................................................... 3
Proposed Steps to Solve the Problem....................................................................................................... 4
Section2 ............................................................................................................................................ 5
Literature Survey ............................................................................................................................... 5
First Generation Methods ......................................................................................................................... 5
Second Generation Models ...................................................................................................................... 6
Application of HRA in Aviation .................................................................................................................. 8
Section 3............................................................................................................................................ 9
Methods ............................................................................................................................................ 9
Development of the Theoretical Framework ........................................................................................... 9
Task Analysis ........................................................................................................................................... 14
Unsafe Acts and the respective performance shaping factors ............................................................... 25
HRA Model Selection .............................................................................................................................. 31
Data Collection Methods ........................................................................................................................ 36
Data Analysis ........................................................................................................................................... 37
Risk Mitigation: Quantitatively Informed Risk Mitigation Strategies ..................................................... 41
Section 4.......................................................................................................................................... 46
Discussion ....................................................................................................................................... 46
Implementation of HRA .......................................................................................................................... 46
Model Limitations ................................................................................................................................... 49
Section 5.......................................................................................................................................... 51
Conclusion ....................................................................................................................................... 51
Application of knowledge from this project in the Aviation Domain ..................................................... 51
Extensions to the Project/Future Work .................................................................................................. 51
References ....................................................................................................................................... 52
3
Section 1
Introduction
Human error occurrence due to impairment of an individuals’ cognitive ability, resulting
in errors in judgment, inability to react to warnings, follow protocols, etc. have led to loss of life,
assets, and heavy financial loss over the past 50 years especially in the aviation industry. Human
error has been the reason in a variety of accidents, including 70% to 80% of those in civil and
military aviation [1] [2] [3] [4]. Literature also indicates that accidents due to mechanical error
has progressively declined over the past years, however the reduction in the accidents related
with human error have not reduced proportionately [4]. This clearly suggests that if the
failures/accidents were to be reduced, more emphasis needs to be in the direction of human error
mitigation.
The frontline investigators on accidents are mainly from the aviation industry with
substantial background and years of experience in aircraft maintenance and its operation, with
little background in human factors. This results in recommendations being on the technical
hardware/software side, more of blame on the pilot (crew) for the error, without a deeper dive
into human factor analysis or to provide pointers for human factor risk mitigation. Also, most
process design is based on an assumption of ideal conditions and flawless operation/performance
with little room for error. This perfect world assumption results in a catastrophe when a human
encounters an abnormal event or environment [7]. The focus on error management and error
recovery should be one of the major strategies, with due consideration on human factors of
cognition, behavior, social interaction and circumstances that lead to accidents, in order to do a
human reliability analysis that would give a practical, implementable, and useful
recommendation.
In this project the focus is on the cognitive piece through identification of a theoretical
framework of human error occurrence, a detailed task analysis, selection of method, data
collections methods, and risk mitigation strategies in the aircraft landing process. The purpose of
the project is to go through the steps and suggest formulation of the HRA model that can use as a
basis to take it to the next step. The last section of the document lists down the extensions to the
basic research presented here.
Project Objective
To propose HRA method by evaluating the factors affecting the cognitive ability of the pilot
and co-pilot, during landing of an aircraft with specific reference Boeing 757-200. The focus of
the project will be on the navigation system interaction during the landing operation. The factors
under consideration are:
Skill Level and Training and Retraining for the job
Distraction and lack of alertness and workload management
4
Proposed Steps to Solve the Problem
The proposed steps involved to solve the problem are discussed below:
1. Review the existing theories that impact the cognitive ability of pilot and co-pilot and
develop a theoretical framework under which human error can occur during the landing
process.
2. Conduct a detailed task analysis on the process of landing and the navigation interface for
the landing process.
3. With reference to the theoretical framework, identify the unsafe acts that could occur at
every task and sub-task and categorize the unsafe act based on Reasons GEMS approach.
4. Identify the PSF associated with each unsafe act.
5. Identify similarities, possibility of error recovery opportunities, and regroup PSFs and
unsafe acts.
6. Select method or combination of methods for analysis based on the 1st and 2nd generation
methodologies available in literature and practice.
7. Determine data collection methods.
a. Sending Surveys
b. Conducting Experiment based on a simulated environment
c. Elicitation Expert Opinion
d. A combination of all of the above
8. Apply the selected method to determine the HEP
9. Suggest risk mitigation strategies.
10. Implementing the HRA: Its Challenges
11. Discussion of the Model and its limitations
12. Conclusion and future work
5
Section2
Literature Survey
Human Reliability Analysis requires the use of qualitative and quantitative methods to
estimate the human error probability in a given scenario. Although, the origin of HRA methods
dates to the year 1960, but most techniques for assessment of the human factor have been
developed since the mid- 1980s. HRA techniques or approaches can be divided essentially into
two categories: first and second generation. The following subsections give an overview of the
most commonly used first and second generation methods, subsequently reviews the domain
specific and the problem specific methodologies for HRA.
First Generation Methods
The first generation HRA methods have been strongly based on the viewpoint of
probabilistic safety assessment (PSA) and have identified man as a mechanical component, thus
losing all aspects of dynamic interaction with the working environment, both as a physical
environment and as a social environment. In many of these methods - such as Technique for
Human Error Rate Prediction (THERP-1983) and Accident Sequence Evaluation Program
(ASEP-1987), the basic assumption is that because humans have natural deficiencies, humans
logically fail to perform tasks, just as do mechanical or electrical components. Thus, HEP can be
assigned based on the characteristics of the operator's task and then modified by performance
shaping factors (PSF). In the first generation HRA, the characteristics of a task, represented by
HEPs, are regarded as major factors; the context, which is represented by PSFs, is considered a
minor factor in estimating the probability of human failure. This generation concentrates towards
quantification, in terms of success/failure of the action, with less attention to the depth of the
causes and reasons of human behavior.
THERP [18] is the best know and most frequently used first generation HRA method. Its
approach describes the cognitive aspects of operator's performance with cognitive modeling of
human behavior, known as model skill-rule-knowledge (SKR) by Rasmussen (1984). This model
is based on classification of human behavior divided into skill-based, rule-based, and knowledge-
based, compared to the cognitive level used. This behavior model fits very well with the theory
of the human error in Reason (1990), according to which there are several types of errors,
depending on which result from actions implemented according to the intentions or less. Reason
distinguishes between: slips, intended as execution errors that occur at the level of skill; lapses,
that is, errors in execution caused by a failure of memory; and mistakes, errors committed
during the practical implementation of the action. In THERP, instead, wrong actions are
divided into errors of omission and errors of commission. ASEP [18] is a simplified version of
THERP, but more conservative.
In support of the Accident Sequence Precursor Program (ASP), the U.S. Nuclear
Regulatory Commission (NRC), in conjunction with the Idaho National Laboratory (INL),
in1994 developed the Accident Sequence Precursor Standardized Plant Analysis Risk Model
(ASP/SPAR) human reliability analysis (HRA) [20] method, which was used in the development
6
of nuclear power plant (NPP) models. Based on experience gained in field-testing, this method
was updated in 1999 and renamed SPAR-H, for Standardized Plant Analysis Risk-Human
Reliability Analysis method. There are two tasks types are defined in this method; Diagnosis and
Action. There exists eight predefined PSFs whose values are assessed and the basic HEP is
adjusted. The final HEP is applied to the PRA. SLIM-MAUD method was also developed for
Nuclear Industry. This method relies heavily on expert judgment. Frequency data which could be
used to estimate HEP is usually unavailable and if available applies to limited simple tasks. To
overcome this NRC embarked research on how the HEP estimates can be made indirectly using
expert judgment.
The first generation methods have disadvantages that resulted in the development of
second generation methods. Some of the concerns associated with first generation are listed
below:
Inadequate capture of human psychology, the underlying behavior, and context are not
considered in modeling.
PSF mechanism does not have a causal mechanism resulting in a disjointed PSF analysis.
Individual or the operator is not included in the analysis.
Highly subjective simulated data makes validity difficult. Possibility of the model
divergent from real-world scenario.
Expert opinion introduces the bias associated with the technique. There may be in
consistencies in expert opinion due to the subjectivity of the analysis.
Empirical demonstration of accuracy does not exist which brings in the difficulty of
validity of the model.
Second Generation Models
The Cognitive Reliability and Error Analysis Method (CREAM) (Hollnagel 1998) is a
second generation method that was in response to an analysis of existing HRA approaches.
CREAM [26] can be used both to predict potential human error, and retrospectively, to analyze
and quantify error. The CREAM technique consists of a method, a classification scheme and a
model. According to Hollnagel (1998) CREAM enables the analyst to achieve the following:
1. Identify those parts of the work, tasks or actions that require or depend upon human
cognition, and which therefore may be affected by variations in cognitive reliability.
2. Determine the conditions under which the reliability of cognition may be reduced, and
where therefore the actions may constitute a source of risk.
3. Provide an appraisal of the consequences of human performance on system safety, which
can be used in PRA/PSA.
4. Develop and specify modifications that improve these conditions, hence serve to increase
the reliability of cognition and reduce the risk.
CREAM uses a model of cognition, the Contextual Control Model (COCOM). COCOM focuses
on how actions are chosen and assumes that the degree of control that an operator has over his
actions is variable and also that the degree of control an operator holds determines the reliability
of his performance. The COCOM outlines four modes of control, Scrambled control,
Opportunistic control, Tactical control and Strategic control. According to Hollnagel (1998)
7
when the level of operator control rises, so does their performance reliability.CREAM technique
provides quick assessment of HEPs. The HEPs are determined based on the combination of PSF
states. There are nine PSF states defined in the model. The model gives four (error modes
defined by COCOM) HEP ranges.
The CREAM technique uses a classification scheme consisting of a number of groups that
describe the phenotypes (error modes) and genotypes (causes) of the erroneous actions. The
CREAM classification scheme is used by the analyst to predict and describe how errors could
potentially occur. The CREAM classification scheme allows the analyst to define the links
between the causes and consequences of the error under analysis. Within the CREAM
classification scheme there are three categories of causes (genotypes); Individual, technological
and organizational causes. These genotype categories are then further expanded as follows:
1. Individual related genotypes – Specific cognitive functions, general person related
functions (temporary) and general person related functions (permanent).
2. Technology related genotypes – Equipment, procedures, interface (temporary) and
interface (permanent).
3. Organization related genotypes – communication, organization, training, ambient
conditions, working conditions.
Extended CREAM method, as the name suggests is an extension of the CREAM model. Just
as in the CREAM it has nine PSFs with defined states. It defines four human cognitive functions,
Observation, Interpretation, Planning, and Execution. It defines fifteen Cognitive activities that
are involved in HEP estimation. There is a confidence bound on the HEP available for each
cognitive function and the respective state of the cognitive activity. Finally effect of the PSF
state is applied to the HEP, which provides the effective HEP. The details are of steps are
discussed in section 3.
ATHEANA [18] is a second-generation tool, which is described as a method for obtaining
qualitative and quantitative HRA results. The premise of the method is that significant human
errors occur as a result of “error-forcing contexts” (EFCs), defined as combinations of plant
conditions and other influences that make an operator error more likely. It provides structured
search schemes for finding such EFCs, by using and integrating knowledge and experience in
engineering, probabilistic risk assessment (PRA), human factors, and psychology with plant
specific information and insights from the analysis of serious accidents. The tool can be used for
both retrospective and prospective analyses. Main reasons for developing ATHEANA were:
Human events modeled in previous HRA/ PRA models were not considered to be
consistent with the significant roles that operators have played in actual operational
events
The accident record and advances in behavioral sciences both supported a stronger focus
on the contextual factors, especially plant conditions, in understanding human error
Advances in psychology were integrated with the disciplines of engineering, human
factors and PRA in modeling human failure events.
8
IDAC [17] (Information, Decision, and Action in Crew Context) is another second
generation method which is a model of human error developed based on cognitive and
behavioral sciences, human factor findings, and field data and observations. This method models
an operator’s natural problem solving skills. It uses cognitive responses, information processing,
diagnosis, and decision making. It considers influences of PSFs on the task. PSFs being internal
(personal traits and skill level etc.) and external PSFs influenced by the organization,
environment, working conditions etc. Finally this technique predicts operator responses through
explicit qualitative and quantitative rules.
A new HRA method for aviation safety called ASHRAM has been developed [27].
ASHRAM is used to predict plausible aviation-accident scenarios before they occur. An
underlying premise of ASHRAM, is that many significant human errors can occur as a result of a
combination of situational factors, or “error-forcing context” that can trigger cognitive ‘error
mechanisms’ in personnel which can lead to the execution of unsafe acts. The method allows
aviation researchers to analyze accidents and incidents retrospectively, by answering questions
and filling in forms, or prospectively, by systematically generating families of plausible
scenarios based on a small set of initiators. ASHRAM can be utilized by a variety of researchers,
modelers, analysts, trainers, and pilots with a variety of backgrounds. ASHRAM is yet to be
validated and refined. It is hoped that it will be the tool for aviation safe and human reliability
analysis.
As explained in all the second generation methods, they consider the human behavior and
individual characteristics more than what the first generation methods have considered. Most of
the methods are computationally intense and the validation process is still ongoing.
Application of HRA in Aviation
Literature survey indicates that there have been several efforts in organizing the post
accident data bases to be used for HRA analysis [4]. There have studies done on identifying
theoretical frame work in the aviation industry [25] [24] [23]. Most of the methods have
originated from the nuclear industry and therefore provides the knowledge that can be applied to
another domain. Efforts have been made in this study utilize the methods discussed above in the
context of the landing of aircraft. Attempt will be made to explain the advantages and limitations
of the methods selected to do the analysis.
9
Section 3
Methods
The discussion in this section covers the proposed approach for solving the problem as listed in
Section 1. The following subsections will explain the development of the theoretical framework, task
analysis, identification of unsafe acts, the associated performance shaping factors, HRA method selection,
data collection options, proposed data analysis methods, and risk mitigation strategies. As a case study the
NTSB Accident Report Number: AAR-12-01 is used to illustrate the development of the theoretical
framework. Later the theory is generalized to any situation within the frame work to analyze the human
error.
Development of the Theoretical Framework The theoretical framework is developed with reference to the accident report NTSB Number
AAR-12-01. However, one can see going down the section, that the theory can be extrapolated to a
generic scenario. The task analysis done in the section shows how the theory built on a specific situation
is explains the human error.
Explanation of the Human error that occurred as per report NTSB Number: AAR-12-01.
The explanation of the human error that occurred is based on the Aircraft Accident
Report,” Runway Overrun American Airlines Flight 2253 Boeing 757-200, N668AA”. On Dec
29th 2010 American Airlines flight 2253, ran off the departure end of the runway and came to a
stop in deep snow after landing at the Jackson Hole Airport, Wyoming.
The probable cause of the failure was a defect in the clutch/brake mechanism. The Overrun could
be avoided by human intervention, which was not done and hence resulted in the incident. The
details are as follows:
In charge of the flight was captain and the first officer with specific responsibilities i.e. Pilot-
monitoring and Pilot-flying responsibilities from workload management perspectives.
The timing of the landing gear deployment just after touchdown coincided (rare situation)
with the deployment of thrust reversers. The mechanical and hydraulic interaction led to
locking the reverse thrust process.
The automatic speed brakes should have been deployed, but it failed to deploy. (Mechanical
defect)
Either of the pilots could have deployed the speed brakes manually, but they were distracted
by the abnormal event of the locked thrust reversers and hence were trying to resolve it.
Meanwhile the captain who was assigned the responsibility of monitoring took over flying
responsibilities, deviating from the pilot-flying/pilot-monitoring responsibilities during the
landing roll. This further resulted in the non-deployment of the speed brakes, remain
unnoticed.
In summary 3 major issues resulted in the incident, which are human related:
10
Distraction and confusion due to an abnormal event. In the process unintentionally missing
the non-deployment of automatic speed brakes, and therefore failing to manually apply speed
brakes.
Deviating from the workload management guideline, due to possibly hierarchical
relationship, and/or self-efficacy which led the captain taking over flying vs. monitoring.
This may have contributed to the situation negatively, i.e. not observing the failure of the
deployment of speed brakes.
Technique for handing the situation of locked of thrust reversal was available but neither of
the pilots was aware of it. Hence there was an evidence of lack of training and skill level.
Theories under consideration that explain the human error
Within the context of aviation there are primarily five different perspectives impacting
human error; cognitive, ergonomics and systems design, aeromedical, psychosocial, and
organizational [6]. This project focuses on the cognitive-related error of the pilot during landing
operation. The following theories are studied to establish a theoretical framework for analysis.
Divided Attention:
Landing the aircraft can be considered a very routine task for the pilot. The
unique/abnormal event that resulted initiated by a mechanical fault ended up being a distraction
for the pilots and drove the focus to troubleshoot the event versus apply the speed brakes
manually to land and stop the plane in a timely manner. There was a warning of the automatic
speeds brakes not deployed, but the distraction due to locking the reverse thrust process, led to
the pilots not noticing the warning indicator.
Self-Efficacy:
It is also suggested, that the captain took over from the first officer. The motivation could
have stemmed from his belief that he could handle the abnormal event better than the first
officer. However, it can be speculated that if he had continued to perform is primary job of
controls, he may have noticed the malfunction of the automatic brakes and would have manually
applied the brakes and averted the failure.
Rasmussen’s (SRK) theoretical foundation of human error:
Rasmussen provides a skill-rule-knowledge based theoretical framework to explain
occurrence of a human error. The terms skill, rule, and knowledge is referred to the degree of
conscious control an individual can have over his task. Skill based operation is to perform a task
in a highly skilled manner, almost with no conscious monitoring. For example a highly
experienced and skilled pilot performing a landing operation on an aircraft with no abnormality.
Rule based is application of rules learned during training, apprenticeship, school, or based on
experience and consciously applying to a situation at hand. For example setting up the controls
and parameters for landing is a rule based approach where the pilot prepares for landing after
review of the existing parameters for the operation. Therefore, rule based actions are those in
which the human applies the rules “IF-THEN” …“ELSE”… to a situation. Rule is more of a
packaged behavior for the situation. Rule based actions fall between the Skill and Knowledge
11
modes. Knowledge based actions are a results of 100% conscious efforts to address a situation
that is completely unfamiliar. These actions can be slow as the operator would like to review the
feedback of actions taken before the next step. This could have been the situation the pilot may
have faced as they were encountering a completely novel situation for which they were not
trained. This state mandates improvisation in unfamiliar environments with no routines or rules
available for guidance.
The common errors in the skills based actions are mostly due to strong habit intrusions
and situational changes that do not trigger the need to change habit. Rule based errors mostly
occur when a rule learned over the past situations are either not invoked, or invoked but applied
incorrectly or invoked but applied to a wrong situation. In the knowledge based errors the
operator faces a new and totally unfamiliar scenario. Lack of knowledge of “what to do?”
experience, overload of information, and lack of awareness of the consequences is what usually
causes an error.
Extension of Rasmussen’s SRK Theory by Reason [28]
Reason formulated the GEMS approach or The Generic Error Modeling Systems through the
extension of Rasmussen’s SRK model. He proposed that several levels of processing may occur
within the same task. Zooming in would indicate the substantial impact of factors that may look
trivial from a high level analysis. Reason’s theory suggests that the human cognition keeps
moving from the level of Skill based mode to Rule based mode to Knowledge based mode while
doing the same task based on the familiarity of a situation he may encounter. In the accident
being considered, the pilot would have been in the skill-based mode while preparing for landing,
and progressed to rule based while setting up parameters for landing for example moving to a
speed required for landing and the corresponding altitude etc. While deploying the landing gears
and the occurrence of the unique abnormal event they would have moved to the knowledge
based mode and would have taken actions to get the process in control and a mistake, slip or
violation may have resulted in the accident.
To develop further on Reason’s theory, errors occur based on the following figure and the
figure below explains how the theory can be applied to the situation at hand.
12
Two Forms of Human Error
Errors Violations
Slips Mistakes Routine Does not follow procedure as it no longer relevant to the task
Exceptional Under the direction of a supervisor to handle a unique situation Captain Take over the operations in spite of the specific responsibilities of the Captain and First Officer
Misapplied competence SKILL BASED Warnings on the automatic brakes go un-noticed due to confusion
Failure of Expertise RULE BASED Failure to apply the speed brakes manually.
Lack of Expertise KNOWLEDGE BASED Failures to trouble shoot the lock reverse thrust due to lack of training.
Figure1. Reason’s Theory to Human Error
13
Theory Interactions
The above theories interact as shown in the figure below:
The figure above explains how the theories selected for the analysis interact and explain
the error in the case study. The stimulus to the pilots was the warning signal and the event of
locking the reverse thrust which was initiated by a mechanical defect. The occurrence of this rare
event which was very unique, and the pilots were not trained on handling such a scenario, this
resulted in dividing their attention and troubleshooting locked reverse thrust seemed more
important. But they were not trained on this issue and could not effectively apply the knowledge.
Moreover the self efficacy of the Captain led to his taking charge and this resulted in further
missing the action of manually applying the brakes to prevent the error to happen. As mentioned
earlier in the document, the lack of knowledge in error management focus led to this mishap.
Although the above theoretical framework has been build using a very specific accident
report, the theory can be generalized to the tasks that require high level of cognition as a pilot
Stimulus
Warning that the automatic brakes aren’t applied
The reverse thrust locked
Distraction due to Divided Attention
Distraction due to Self Efficacy
SKILL
Strong habit intrusion
Selective Attention
RULE
Wrong Rule
Correct Rule Applied Inappropriately
SKILL
Unfamiliarity results in confusion and inability to control
Overload of information to process
Figure 2. Theory Interaction and Explanation of Error
14
and co-pilot flying an aircraft. In the following sections, it has been discussed in detail about the
impact of the divided attention and self efficacy on the occurrence of human error in a generic
situation that could be face during landing the aircraft. Also Rasmussen’s SKR theoretic
foundation and Reason’s GEMS approach helps understanding the theoretical background for
human error occurrence. The following explains the detailed tasks to be accomplished by the
pilot and co-pilot in completing the landing mission.
Task Analysis
The Boeing aircraft is equipped with computerized cockpits, where the pilots received all
their system information and alarms about the state of the aircraft from deck displays. The
display panels provide wealth of information like warnings, situation parameters etc. There is
instrumentation supporting the operations and ATC support too. The landing operation requires
multiple sequential and non-sequential tasks to successfully close the mission. The interaction
with technology, crew members (pilot and co-pilot), and ATC does result in human errors that
have resulted in accidents over the past 50 years. This document analyzes the task of the pilot
and the co-pilot performing the landing operation. As mentioned earlier, the focus is on
navigation system interaction during landing.
Overview of Landing Procedure Boeing 757-200
The most critical phases to landing are 1) Preparation for Landing (Descent) 2) Approach, 3)
Landing. Approach is the most complex and significant phase to complete a successful landing
operation. The task analysis presented below considers the phases of Approach and Landing as
the crucial parts of the navigation system analysis for a landing operation.
Descent: “Top of Descent Point”, is the altitude at which the descent starts. Guidelines for the descent rate
are available in published procedures and the pilot manually or by using autopilot descends to
the Approach Phase.
Approach Phase: This is the most complex phase. Missed approach is a situation when the pilot is unable to
meeting the requirement on speed, altitude, timing, and location for landing and hence the
aircraft needs to climb up and then reattempt Approach. Missed approach occurrence is rare
among professional pilots. Even though rare it is still considered as a part of normal phase of
flight because pilots prepare for it each time they fly an approach. The approach phase begins at
the bottom of descent and ends at main wheel touchdown in the landing phase. The purpose of
an approach is to transition the aircraft in a carefully prescribed manner from typical
intermediate altitudes after descent to a position, speed and configuration from which the pilots
can land their airplane. During the approach, pilots normally follow published approach
procedures, which designate mandatory courses, altitudes, and oftentimes speeds to a particular
runway. Published approaches safely and expeditiously guide arriving aircraft into an airport by
keeping aircraft away from high terrain, obstacles (e.g., radio antennas), aircraft departing from
15
the airport, the approaches to other runways, and traffic patterns from nearby airports. Published
approaches are most useful when visibility is poor because they enable the pilots to find the
runway when they would not be able to otherwise. ATC gives permission, or clearance, to fly a
specific approach, which is normally based upon weather, wind, and traffic conditions. There are
mainly four types of approaches, Visual (when it is daytime and good weather with good
visibility), ILS (Instrument Landing System), Area Navigation (RNAV), and (SVS) Synthetic
Vision System. From Task analysis from human error perspective, all four types have very similar
content in terms of tasks involved. However, the task analysis presented below refers to ILS aided
approach landing.
Landing: The final phase is when aircraft touches the ground. Deceleration is applied via the use of reverse
thrust and spoilers. The reverse thrust is cancelled after speed reduces to 60 KIAS. The spoilers
continue to be extended. Brakes applied after substantial speed reduction. The aircraft is now
ready for taxi to ramp.
Detailed Task Descriptions and Task Analysis
Subsequent to the cruise and descent phases the operation transitions to the approach
phase. The approach is toward landing at a specific airport. Therefore, the approach is the
portion of the flight during which the pilots fly the aircraft into the appropriate location,
attitude, and configuration to land. For both manual and automated flight, this involves
incrementally slowing to landing speeds, descending to appropriate altitudes for landing, and
aligning the aircraft with the runway such that the landing can be executed at the correct attitude
and correct speed, within the appropriate runway touchdown zone. The maneuvers performed by
the crew for both the approach and landing must be within the limitations of the aircraft, the
procedures of the airline, and the requirements of ATC, while ensuring the safety and comfort of
any passengers.
During the approach, the pilots make a series of speed reductions and wing flap deployments
in order to maintain the necessary pitch window and descent rate of about 300 feet per mile (3
degrees) to land at the correct speed. Landing at too fast a speed requires too much wheel brake
and reverse thrust energy to stop the aircraft; landing at too slow a speed risks stalling the
aircraft and crashing. Slowing to landing speed requires the use of flaps to maintain pitch
tolerances. Without flaps, the pitch has to be too high (nose up) to be safe at the slower landing
speeds, and again risks a stall. Also, as flaps are lowered, the pilots maintain certain speed
ranges to avoid over-speeding the flaps or flying too slow for that increment of flap setting. A
minimum flap setting is a function of the weight and airspeed of the airplane, so that, as the
airplane slows toward landing speed at a given weight, progressively greater flap settings are
required.
Sequential Task Analysis
The task analysis detailed below if primarily a PTA with components of CTA incorporated
at each sequential step. Each step below has a fairly detailed description of the task followed by
16
the combination of the PTA-CTA associated with the task. PTA is selected in this case because
the tasks are procedural, but several of the tasks do require decision making steps which warrant
an addition of the CTA component.
1. Communicate with ATC: When the crew communicates with ATC, it is either initiated
by the crew or in response to communication from ATC. Contact initiated by the crew
usually takes the form of an identification call or a request for clearance or information.
Responses usually involve reading back ATC instructions or providing requested
information (such as present speed). Voice communication requires the PNF (Pilot
control of flying) to press one of the microphone (“mic”) buttons on the yoke or on the
center console while speaking into the PNF's headset microphone. To end a radio call,
the PNF releases the “mic” button.
2. Set Radio Frequencies: The two radio control panels on the center pedestal between
the two pilots allow for two communication radio frequencies to be selected. A toggle
switch on the panel allows the crew to switch from one frequency to another. During the
approach, the crew uses the approach control frequency. At or near the FAF, the PNF
flips the switch to select the tower frequency.
3. Engage Automated Flight Control: Arming the approach mode, and engaging the auto-
throttles and an autopilot, is how the PF (Co-pilot) selects automated flight control.
These selections enable the autopilot to fly the localizer and glide slope until the pilots
take manual control. If the PF does not choose automated flight, then the PF must follow
the ILS guidance pointers or flight director to maintain the correct lateral and vertical
paths. Arming the approach mode requires pressing the approach mode button labeled
APP (Approach) on the MCP (Mode Control Panel); selecting an autopilot requires
pressing the selected button, also on the MCP.
17
4. Maintain Airspeed: Maintaining airspeed requires looking at one of the two airspeed
indicators. The indicators include movable markers along the outside of the dial called
bugs that are set to reference speeds during approach preparations. The pilots set the
bugs using checklist-like charts that list the target airspeeds for given aircraft weights
and flap settings. The bugs are memory aids, since the correct speeds change from flight
to flight with aircraft weight. The PF refers to the bugs to set the MCP speed during
automated flight; the auto-throttles maintain the set speed. Setting the speed requires
turning the speed dial until the desired speed is indicated by the digital display.
Verifying that the correct speed has been set requires looking at this display.
5. Set Flaps: The flaps are usually set by the PNF. The flap lever slides into a detent for
each available flap increment (1, 5, 15, 20, 25, and 30 degrees). During approach, the
PNF (usually) moves the lever to the next appropriate position when called for by the PF.
Pilots may also feel the position of the flap lever with their throttle hand to check if the
lever is settled into the correct detent.
18
6. Monitor Localizer and Glide Slope: As the approach continues under automated flight,
both pilots monitor their PFDs (Primary Flight Display) to ensure proper following of
the localizer and glide slope signals. They also monitor the FMAs (Flight Mode
Annunciator) and MCP (Mode Control Panel) to ensure that the correct modes are
engaging after being armed.
7. Lower Landing Gear: Lowering the landing gear requires moving the landing gear lever
all the way down. The gear lever requires only one hand to pull the lever out slightly and
then push it down. Verifying that the gear is locked down requires looking at the three
indicator lights directly above the landing gear lever. The lights are positioned in a
triangle (nose, left and right gear). If all three lights are green, then the landing gear is, in
pilot terms, down and locked. Both pilots check the gear lights, usually after they hear the
gear lower into position with a distinct "thunk" sound, to be sure the gear are down and
locked.
8. Arm Speed Brakes: The speed brakes are controlled using a lever on the left side of the
throttles. The lever is moved back (aft) to deploy the speed brakes (or spoilers), which are
panels on the top of the wings that spoil the lift of the wing and allow the aircraft to
descend faster or slow down more quickly. The speed brakes also work automatically
upon touchdown of all landing gear to slow the aircraft. In the forward position, the
lever is in a detent indicating that the speed brakes are stowed (i.e., flush with the wing
19
surface). The next aft setting is the armed position used for automatic deployment during
the landing roll. Beyond that, the lever can be moved farther aft to vary the amount the
spoiler panels are raised. Pilots use varying spoiler positions depending upon how
quickly they wish to decelerate. To verify that the speed brakes are armed for landing
during the final approach segment requires the pilot to look at the lever position, and to
sometimes use one hand (again, the throttle hand) to feel that the lever is in the armed
detent. The speed brake lever is easier to reach from the left seat, since it is left of the
throttles. Deploying the speed brakes from the right seat, if the FO is the pilot flying,
requires the FO to reach around the throttles.
9. Set Missed Approach Altitude: The missed approach altitude is the altitude to climb to
in the event of a missed approach and is given on the approach chart. Setting this missed
approach altitude requires using the altitude knob on the MCP to dial the correct
altitude. Typically, the PF sets this altitude, which must be done after glide slope
intercept, and the PNF verifies it.
10. Monitor Altitude below 2500 Feet AGL: The reading for the radio altimeter is on the
PFD just below the decision height (DH) reading. The PNF calls out AGL (Altitude
above Ground Level) altitudes, typically at 1000 and 500 feet, to denote the standard
stabilization gates. Both pilots check for the aircraft being within stable approach
parameters. The PNF also calls out "Approaching decision height" (usually 100 feet
above) and "Decision height" if the PF has not yet indicated that the runway is in sight.
20
11. Before Landing Checklist: Before Landing Checklist is a sequence of steps that are
executed by the PNF which are designed to verify that certain critical tasks have been
completed prior to landing. Each step is called out by the PNF and an associated check is
done. Depending on the airline, the PF is not required to verbally respond to any of the
checks as they are the duty of the PNF. However, the PF will usually follow along with
the checks and verify each one as the PNF reads through the list. Most airlines require the
landing checks to be done by reading the steps from the checklist card, rather than from
memory, to avoid missing any critical item.
12. Turn on Landing Lights: The controls for the landing lights are three switches (for left
wing, right wing and nose gear lights) on the middle overhead panel. The PNF turns the
landing lights on while accomplishing the Before Landing Checklist, if not sooner. The
lights are required to be on, unless using them is distracting (when, for example, it is
night in the clouds and the reflected light would harm the pilots' night vision).
21
13. Monitor Descent Rate: The descent rate is determined by looking at one of the two
vertical speed indicators, which are analog dials showing the vertical speed in feet per
minute. For a typical precision approach and Boeing 757 ground speeds, the vertical
speed should be about 700 feet per minute to fly the desired glide path.
22
14. Disengage Autopilot: The PF disengages the autopilot via the MCP or by using a button
on the control yoke when he or she decides to fly the aircraft manually. Prior to
disengaging the autopilot, the PF will put both feet on the rudder pedals and place his or
her hands on the yoke and throttles. Once the PF is ready to assume control, he or she
will press the yoke button with his or her thumb. Or the PF may ask the PNF to press the
MCP disengage bar, or do so himself or herself. A cockpit alarm sounds as the autopilot
disengages. If the PF uses the yoke button to disengage the autopilot (which is the
typical method), then the PF presses that button again to silence the alarm.
15. Fly Manually: Manual flight by the PF requires both hands, both feet, and visual scans
of the instruments and out the front window. It also requires some attention to the radio
and PNF who may call out information that the PF needs to know. Scan patterns vary
from pilot to pilot, but most pilots spend roughly equal time looking out the window, and
looking at the PFD and surrounding instruments during final approach. If visibility is
poor, the PFD is the primary focus. The PF makes constant minor adjustments to
maintain runway alignment, wings level, on speed, and the desired descent rate using the
yoke, rudder pedals and throttles.
16. Flare: The flare follows the final phase and precedes the touchdown and roll-out phases
of landing. To flare the aircraft, the PF gradually pulls on the yoke when over the runway
to bring the pitch up to the landing attitude, while reducing the thrust to idle on both
engines. The flare also requires the PF to keep the wings level and the airplane aligned
with the runway centerline while permitting the airspeed to decrease to touchdown speed
(usually about 5-10 knots below final approach speed). An ideal flare to touchdown
occurs when the pitch reaches the desired angle and the engines reach idle thrust as the
main landing gear simultaneously contact the runway.
23
17. Touchdown: Upon touchdown, spoilers (sometimes called "lift dumpers") are deployed
to dramatically reduce the lift and transfer the aircraft's weight to its wheels, where
mechanical braking, such as an auto-brake system, can take effect. Reverse thrust is used
by many aircrafts to help slow down just after touch-down, redirecting engine exhaust
forward instead of back. After the speed reduces to 60 KIAS the reverse thrust is
cancelled. Spoilers are extended and the aircraft to brought to a stop by application of
brakes.
Non-Sequential Tasks
The non-sequential tasks explained below are presented as an HTA-CTA. HTA has been chosen
as the tasks are done at the same hierarchical level, however does require CTA components in
order to comprehend the observations and take necessary steps to stay on track and meet the
goal.
1. Monitor Flight Path and Progress: This task is periodically performed by both
crewmembers throughout all phases of flight. The task primarily involves scanning the
instruments to ensure that the aircraft has not deviated from the expected path, altitude,
airspeed and overall flight plan. Looking at the ND (Navigation Display) allows the
pilots to determine if the aircraft is on the desired flight path, as programmed into the
FMS (Flight Management System). Looking at the PFD (Primary Flight Display) and its
FMAs allow the crew to verify that the aircraft is in the prescribed attitude and that the
automated flight systems are functioning normally. Pilots mainly look out the windows,
if visibility is good, to verify the correct airplane attitude. Other displays such as the
vertical speed indicator allow the crew to monitor the progress of various changes or
determine that unexpected changes may be occurring.
2. Double-Checks and Verifications: Throughout the approach and landing process both
pilots check and double-check the accuracy of settings that include altitude, speed, and
flaps. Sometimes these checks require consulting a reference such as the speed versus
24
flaps settings based on the weight of the aircraft. Other times the same steps are done so
frequently that the crew has expectations of what the settings will be. In these cases
double-checks are more of a mental process of determining if an expectation has been
violated. For example, if the PNF is expecting a particular flap setting and the PF asks for
a different one, the PNF would query the PF to determine the reason for the difference.
3. Monitor the Radio: This task involves listening for communications on the current
radio frequency. Auditory information is received through the ear piece, headphones, or
cockpit speaker. The information may include specific communications from ATC
directed at the crew, or communications between ATC and other aircraft. This
monitoring task requires no workload when there is no communication traffic on the
frequency because there is no information available to monitor. Attention is directed to
the radio when the pilots initiate a transmission or when attention is drawn by
communications on the radio. When communications do occur, the crew quickly
determines if the information is directed at them based on their call sign (e.g., NASA-113
may be the reference name for a particular aircraft). They also quickly determine if the
communication is coming from ATC or from another aircraft. When the radio call is for
the crew, they will closely attend to the information - even writing down clearances to
ensure accuracy. The pilots also monitor communications between ATC and other
aircraft because it helps them anticipate what ATC may direct them to do and how ATC
is managing the airspace, especially during the approach phase. ATC calls to them will
either confirm their expectations regarding approach and landing clearances, or require
them to make some sort of change. Listening to communications from ATC to other
aircraft helps the crew build a mental picture of where they are in the airspace relative to
the other aircraft and provides them with an idea of what to expect as they get closer to
the airport. The pace of radio communications will vary depending on a variety of factors
including the weather and the quantity of aircraft approaching the airport. At its worst,
the calls on the radio can be continuous as ATC and flight crews initiate calls and
respond to each other, which require some level of constant attention by the pilots. At
such times, it can be difficult to find a break in the communication flow to initiate a
call. It is not unusual during such situations for multiple aircraft to "talk over" each other
at the same time, which adds to the confusion and hectic tempo.
4. Monitor Aircraft Systems: This task is periodically performed by both pilots throughout
all phases of flight. The status of all of the different aircraft systems can be checked using
several different cockpit displays. Checking such displays helps the crew verify that the
aircraft systems are operating within normal tolerances. These displays are also used to
determine the nature of a malfunction, if one occurs. The system displays include alert
flags, problem annunciators, and alarm tones for the most serious malfunctions, all of
which draw the pilots' attention if a problem occurs. Consequently, the scan of these
instruments in the absence of flags or alarms is infrequent.
25
Figure 3 Non-Sequential Task Analysis
Unsafe Acts and the respective performance shaping factors The following table breaks the tasks described above into sub-tasks and the respective unsafe acts that
could result based on the theories under consideration. The SKR and GEMS are used to classify the
errors.
Sequential Tasks
SN Task SN Unsafe Act SN Theory SN Reason Error
Classification
SN PSF
1.0 Communication
with ATC
1.1 Seek Clearance –
Comprehend
information
1.1 Impatience 1.1
Divided
Attention due
to inability to
comprehend
information
due to cultural
difference/lan
guage
1.1 Mistake: Failure
to have exposure
to diversity
especially flying
in foreign air.
(Lack of skill)
1.1 Skill Level
26
2.0 Set Radio
Frequency for
communication
with ATC
2.0 Incorrect
selection of
radio
frequency
2.0 Divided
Attention
2.0 Mistake due to
lack of training.
1.1 Skill Level
3.0 Engage
Automatic Flight
Control
3.1 Select Autopilot
or Seek ILS
guidance if flying
manually
3.1 Assume
Autopilot
ON when it
is OFF.
Does not
notice
3.1 Divided
Attention
3.1 Slip (Unintended
Violation due to
being preoccupied
or distracted)
3.1 Fatigue
4.0 Maintain Air
Speed
4.1 Read Indicators 4.1 Read
incorrectly
4.1 Divided
Attention
4.1 Slip (Failure of
applying
expertise; Rule
Based)
4.1 Fatigue
4.2 Refer Checklist
for target speed
4.2 Not refer
Check List
4.2 Self Efficacy
(Over
confidence)
4.2 Routine Violation 4.2 Attitude
4.3 Set MCP speeds
based on
checklist
4.3 Not refer
Check List;
set wrong
speeds
4.3.1
4.3.2
Divided
Attention
Self Efficacy
4.3.1
4.3.2
Routine Violation
Routine Violation
4.3.1
4.3.2
Fatigue
Attitude
and
Personality
4.4 Auto throttle and
maintain set
speed
4.4 Skip Step 4.4 Divided
Attention
4.4 Slip 4.4 Fatigue
4.5 Verify correct
speed
4.5 Skip Step 4.5 Divided
Attention
4.5 Routine violation 4.5 Attitude
5.0 Set Flap
5.1 PF Calls out flap
positions and
PNF sets
positions
5.1 Lack of
Co-
ordination
5.1 Self Efficacy
on part of
either
5.1 Routine Violation
due to lack of
reason to follow
directions because
of overconfidence
in oneself
5.1 Attitude
5.2 PF verifies the
indent of flaps
5.2 Skip Step 5.2 Self efficacy 5.2 Routine Violation
due to lack of
reason to follow
directions because
of
overconfidence.
5.2 Attitude
6.0 Monitor
Localizer and
glide slope
6.1 Monitor signals 6.1 Fails to 6.1 Divided 6.1 Slip 6.1 (Abnormal
27
on PFD monitor
PFD
attention situation)
Training in
handling
situations
6.2 Monitor MCD
for correct mode
Fails to
monitor
MCD
6.2 Self efficacy 6.2 Routine Violation 6.2 Attitude
7.0 Lower Landing
Gear
7.1 Move gear lever
down and verify
locking
7.1 Fail to
verify
7.1 Self Efficacy 7.1 Routine Violation 7.1 Attitude
8.0 Arm Speed
brakes
8.1 Set Spoiler
positions and
verify
8.1 Fail to
verify
8.1 Divided
Attention
8.1 Slip while trouble
shooting unique
situation
8.1 Lack of
Training in
handling
unique
situations
9.0 Set missed
approach altitude
9.1 Set missed
approach altitude
and verify
9.1 Fail to
verify the
altitude
9.1 Self Efficacy 9.1 Routine violation 9.1 Attitude
10.0 Monitor Altitude
below 2500 ft
10.1 Both officers to
follow
procedures and
verify altitudes
10.1 Skip
procedure
10.1 Self Efficacy 10.1 Routine violation 10.1 Attitude
(overconfi
dence)
11.0 Follow before
landing checklist
11.1 Both officers
review checklist
and verify
settings
11.1 Skip Steps,
rely on
memory
11.1 Self Efficacy 11.1 Routine Violation 11.1 Attitude
(overconfi
dence)
12.0 Turning on
Landing Lights
12.1 Turn on landing
lights when
required.
12.1 Not turning
on lights
when
required.
12.1 Self Efficacy 12.1 Routine Violation 12.1 Attitude
13.0 Monitor descent
13.1 Scan indicators,
analog dials,
speeds etc.
13.1 Omitting
and/or Not
carefully
observe all
readings
13.1 Divided
Attention
13.1 Slip due to
overload of
observations
13.1 Fatigue
14.0 Disengage Auto
Pilot
28
14.1 Follow procedure
before
disengaging
autopilot.
14.1 Skip Steps 14.1 Divided
Attention
14.1 Slip due to
overload of
information
14.1 Fatigue
14.2 Disengages
Autopilot and
verifies
14.2 Skip Steps 14.2 Divided
Attention
14.2 Mistake due to
divided attention
because of unique
event.
14.2 Training
15.0 Fly Manually
15.1 Follow procedure
of manual flying
15.1 Not
focused
15.1 Divided
Attention
15.1 Slip 15.1 Fatigue
and/or
abnormal
event
15.2 Attention to
Radio
15.2 Not
focused
15.2 Divided
Attention
15.2 Slip 15.2 Fatigue
and/or
abnormal
event
15.3 Scan displays
verify displays
15.3 Not
focused
15.3 Divided
Attention
15.3 Slip 15.3 Fatigue
and/or
abnormal
event
16.0 Flare
16.1 Follow procedure
to make
adjustments and
orientation of the
aircraft for
landing.
16.1 Not
focused
16.1 Divided
Attention
16.1 Slip 16.1 Fatigue
and/or
abnormal
event
17.0 Touchdown
17.1 Deploy Spoilers,
verify Auto
Brakes
deployment, and
reverse thrust
17.1 Not
focused
17.1 Divided
Attention
17.1 Slip/Mistake 17.1 Fatigue/
not
trained/
abnormal
event
17.2 Reduce speed
and apply manual
mechanical
brakes
17.2 Skip Steps 17.2 Divided
Attention
17.2 Mistake not
adequately reduce
speed
17.2 Fatigue
and/or
attitude
Table 1 Task Vs Unsafe Act Vs PSF: Sequential Tasks
Non-Sequential Tasks
S.N Task S.N Unsafe Act S.N Theory S.N Reason Error
Classification
S.N PSF
1.0 Monitor Flight
Path
29
1.1 Monitor every
display of the
PFD and MCP
for correct path
1.1 Technology
complacency
1.1 Divided
attention
leading to
cognitive
dissonance
1.1 Slip 1.1 Fatigue
2.0 Verification
Process
2.1 Both Pilots
verify system
parameters and
working of the
displays.
2.1 Skip
Verification
2.1 Divided
attention
2.1 Slip 2.1 Fatigue
2.2 Verification
through
consultation
2.2 Lack of
Focus to
comprehend
2.2 Divided
Attention
2.2 Slip 2.1 Fatigue
3.0 Monitor Radio
3.1 Listen to
information
shared over the
radio
3.1 Lack of
focus
3.1 Divided
Attention
3.1 Slip 3.1 Excess
workload
3.2 Filter through
pertinent
information as
the
communication
can be from
other aircrafts.
3.2 Impatience 3.2 Divided
Attention
3.2 Slip 3.2 Fatigue
4.0 Monitor
Aircraft
Systems
4.1 Status of
various system
parameters
4.1 Technology
complacency
4.1 Divided
Attention
4.1 Routine
Violation
4.1 Abnormal
event
occurrence
4.2 Monitoring
displays for
Alerts and
system
malfunctions
4.2 Technology
complacency
4.2 Divided
Attention
4.2 Routine
Violation
4.2 Attitude/
Overconfidence
Table 2 Task Vs Unsafe Act Vs PSF: Sequential Tasks: Non-Sequential Tasks
30
Selection of PSFs and its pertinence to the tasks
It is suggested that the tasks could be grouped based on the following table to understand the
selection of PSFs based on the complexity of the unsafe act.
Category of Task Unsafe Act PSFs
Routine/ Tedious:
Tasks:1,2,3,4.12
Failing to observe
Not taking required steps
Fatigue, either due to the
nature of the task that is
routine and boring, or due to
long hours of flying and
tiredness.
Intermediate nature of task
(non-routine) Tasks: 5, 9
Deliberate Violations Personality, Attitude,
Overconfidence
Tasks requiring high Alertness
Tasks: 7,10,11
Failing to observe Excessive Workload, High
continual Flying Time, High
Stress
Tasks requiring very high
level of Alertness
Tasks 6,8,13,14,15,16, 17
Failing to observe Time Crunch, Knowledge
based (Rasmussen) mode
trying to trouble shoot
abnormal situation, High
Stress, and Time Crunch
Table 3 Classification of Tasks and their respective Performance Shaping Factors
The problem at hand requires categorizing the sequential tasks and the non-sequential
tasks based on the type of tasks. For very simple and routine tasks the occurrence of error,
technically should be very low as it will fall in the skill based mode (Rasmussen). However, the
fact that it occurs, says that it would be a result of a slip associated with fatigue and or tiredness,
long hours of flying and more time on a task. According to Gore [9], in aviation it has been
estimated that flight crews’ alertness levels are degraded approximately 15% of the time they are
on duty leaving them vulnerable to error. In addition, excessive time on task has been found to
negatively impact a human operator’s vigilance, and an inverse relationship is found between
hours of wakefulness and performance on critical tasks. For a task that is not routine, it is
assumed that the protocols/procedures are skipped deliberately due to personality issues like
attitude and overconfidence. Tasks requiring a high level of alertness may lead to error because
of excessive workload, cognitive overload, may be independent or be coupled with long hours of
flying, and high stress. The tasks that require very high levels of alertness mainly would fail
when there is an abnormal situation or event faced by the crew. It may be a serious failure and/or
that would need trouble shooting and hence would drive the attention away from indications that
may have been captured under a normal condition, which inadvertently would lead to failure.
Such a condition is usually coupled with high stress and time crunch that would add fuel to the
fire.
31
HRA Model Selection
Preliminary Treatment of the Task Analysis
Under this step the tasks are critically analyzed to look for obvious screening, recoverable
tasks and task dependencies. This cleans up the analysis done this far to understand the modeling
needs and hence be able to select a suitable method of modeling.
Preliminary Screening:
Before the selection of model to do the HRA, the tasks were scanned for exclusion of
tasks which were either have little or no effect on the error or could be restored. This was a
process of preliminary screening. Tasks 1 and 2 were thus eliminated. The tasks were also
reviewed for any recovery of the error using the PTA.
Evaluation of Task Analysis for Recovery:
The tasks were evaluated for recovery possibilities. Task 1 and Task 2 were assumed to
show complete recovery as language barrier can be mitigated by visual signs. Task 2 also shows
recovery as the frequency would continue to be adjusted until the communication is clear. Task
3 also shows a good possibility of recovery as the flight will not respond to manual commands if
the autopilot is not disengaged. Task 9 when the plot sets the missed approach altitude
incorrectly, the consequence will result in a missed approach again and hence allows room to
recover, second time around.
Evaluating Tasks for Dependencies
The sequential tasks were reviewed for task dependencies. The matrix below presents the
results. The “X” is marked in the matrix with the co-ordinates indicating the dependencies.
Dependencies are assumed as the task which will affected by the result of the task preceding it.
The task number is the SN associated with the task in the table above.
32
Task# 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
3
4 X
5
6 X
7
8 X
9
10
11
12
13
14 X
15 X
16 X
17
Table 4 Dependency Matrix
Evaluation of the HRA Methods
Some of the most commonly used first generation and second generation methods were
evaluated based on the following tables. Each table was used to answer a pertinent question on
the top of the table. The “red” marks the method meeting the problem requirements.
1. Question: Are generic or context/operator-specific tasks required?
Answer: Yes
Method Task Decomposition PSF (number) Coverage
1:Physical
2:Cognitive
3:Organizational
THERP Nuclear specific tasks 3+ 1,3
SPAR-H Diagnosis, Action 8 1,2, and 3
ASEP Diagnosis, Action Based on THERP 1 (limited), 2(limited),
3 (limited)
SLIM-MAUD Not Specified User Defined 1,2,and 3
ATHEANA Not Specified 38 1,2,and 3
CREAM 15 Generic Tasks 9 1,2,and 3
EXTENDED
CREAM
15 Generic Tasks 9 1,2, and3
33
2. Question: Is a screening method required?
Answer: Yes
Method Screening Primary Source for
HEP Estimation
HEPs for
specific error
modes
Explicit Treatment of Uncertainty
Bounds
Estimations Number
provided
by
method
Number
produced
by
Analyst
Task/Error
Dependencie
s
Recovery
THERP X X Detailed and
many
X X X
SPAR-H X Diagnosis and
Action
X X X
ASEP X X Diagnosis and
Action
X X X
SLIM-
MAUD
X Not Specified
ATHEANA X Expert
Judgment
X X X
CREAM X X 13 error
modes
X
EXTENDED
CREAM
X X 15 Cognitive
Activity
X
3. Question: What type of HEP Source is appropriate?
Answer: Both so the model can be validated
Method Screening Primary Source for
HEP Estimation
HEPs for
specific error
modes
Explicit Treatment of Uncertainty
Bounds
Estimations Number
provided
by
method
Number
produced
by
Analyst
Task/Error
Dependen
cies
Recovery
THERP X X Detailed and
many
X X X
SPAR-H X Diagnosis and
Action
X X X
ASEP X X Diagnosis and
Action
X X X
SLIM-
MAUD
X Not Specified
ATHEANA X Expert Judgment X X X
CREAM X X 13 error modes X
EXTENDED
CREAM
X X 15 Cognitive
Activity
X
34
4. Questions: Are there task/PSF Dependencies?
Answer: Yes
Method Screening Primary Source for
HEP Estimation
HEPs for
specific
error modes
Explicit Treatment of Uncertainty
Bounds
Estimations Number
provided
by
method
Number
produced
by
Analyst
Task/Error
Dependencies
Recovery
THERP X X Detailed and
many
X X X
SPAR-H X Diagnosis
and Action
X X X
ASEP X X Diagnosis
and Action
X X X
SLIM-
MAUD
X Not
Specified
ATHEANA X Expert
Judgment
X X X
CREAM X X 13 error
modes
X
EXTENDED
CREAM
X X 15
Cognitive
Activity
X
5. Question: Is recovery necessary?
Answer: Yes
Method Screening Primary Source for
HEP Estimation
HEPs for specific
error modes
Explicit Treatment of Uncertainty
Bounds
Estimations Number
provided
by
method
Number
produced
by
Analyst
Task/Error
Dependen
cies
Recovery
THERP X X Detailed and
many
X X X
SPAR-H X Diagnosis and
Action
X X X
ASEP X X Diagnosis and
Action
X X X
SLIM-
MAUD
X Not Specified
ATHEANA X Expert Judgment X X X
CREAM X X 13 error modes X
EXTENDED
CREAM
X X 15 Cognitive
Activity
X
35
6. Question: Do uncertainty bounds need to be estimated?
Answer: Yes
Method Screening Primary Source for
HEP Estimation
HEPs for
specific
error modes
Explicit Treatment of Uncertainty
Bounds
Estimations Number
provided
by
method
Number
produced
by
Analyst
Task/Error
Dependencies
Recovery
THERP X X Detailed and
many
X X X
SPAR-H X Diagnosis
and Action
X X X
ASEP X X Diagnosis
and Action
X X X
SLIM-
MAUD
X Not
Specified
ATHEANA X Expert
Judgment
X X X
CREAM X X 13 error
modes
X
EXTENDED
CREAM
X X 15
Cognitive
Activity
X
7. Question: What level of knowledge is required to do the analysis
Answer About 1 year
Method Knowledge Level Domain
HRA Specialist HRA specialist
with <1 year
experience
PRA Analyst
THERP X
SPAR-H X
ASEP X
SLIM-MAUD X
ATHEANA X
CREAM X
EXTENDED
CREAM
X
36
Based on the tables above the method selection/rejection logic is explained below:
THERP is based on specifics of operator tasks pertaining to nuclear industry. Since the
task under consideration are quite different from that of a nuclear plant, the method is not
preferred. Moreover, the first generation methods have limited consideration for human
behavioral issues.
SPAR-H and ASEP, being first generation models, have limited consideration on human
behavior. Also, the focus of both the methods is on Diagnosis and action, whereas the
problem at hand deals is not limited to Diagnosis and Action.
ATHEANA could be a candidate for the analysis method, the disadvantage being that it
requires an experienced and skilled HRA specialist. In most cases in the real world there
is a restriction on the training and hiring specialist specifically for a particular project.
CREAM PSF’s are very much in line with the ones identified in the project. However,
this model deals with 15 generic tasks lacking context.
Extended CREAM provides all the content CREAM, but works in the human functions of
Observation, Interpreting, Planning and Execution, which is appropriate to the landing
problem being discussed. If modifications are made to it to decompose the generic tasks
into more specific aviation related tasks, it could help develop an appropriate method for
the analysis. The decomposition of tasks to meet the problem needs, the expert opinion
elicitation as described in ATHEANA method could be borrowed.
Based on the points above the method proposed to be used in the study is EXTENDED
CREAM with modifications. The modified EXTENDED CREAM will be modified to use more
specific task decomposition that would match the aviation domain.
Data Collection Methods
There are several data collection methods available as discussed in literature. Some of the
ones most widely used are empirical, expert opinion elicitation, and using the existing databases.
A combination approach is suggested in this proposal. The steps for collecting the data are
described below:
In order to keep the study cost effective is strongly recommended to do an unobtrusive
research on the given scenario. This could range from accident reports, published
interviews of pilots after an event, articles from news papers, photographs and films,
pertaining to the problem. This will be effective from the standpoint that, it will help one
conduct the research without any intervention and the researcher can collect data for a
period of time and may see a causal relationship, establish patters etc. Since the
information or record already exists, it is cost effective too. This will help build a
platform on which the study would need to be built.
Rollout surveys and questionnaire to the pilots, organization (airliner), aircraft
engineers/designers, safety officers of the organization etc. The questionnaires will be
framed differently (for example the design of a particular display on the PFD is such that
it results in human error in reading (analog Vs digital); the pilot community being the
user can suggest their need whereas the designer’s response will be regarding why the
37
design is analog and not digital) so we can capture the various perspectives and be able to
incorporate in the model.
Invite team experts to across the community which is part of the study, for example the
way it is described in the ATHEANA method. Instead the stakeholders should be a part
of the aviation industry. Recommended team of experts should cover the following:
o An HRA analyst
o A PRA analyst
o Pilots
o Engineers
This team would generate a HEP with a confidence interval.
There are existing databases on accidents. Some of them a listed below:
o NTSB Aviation Accident/Incident database
o FAA Incident data system
o MARS Accident database of the JRC European Union and
o OSHA
There are several research papers are available which suggest reorganizing the existing
data bases in a way that can be used by the practitioner to estimate useful HEP. The advantage
here is the availability of a high volume of data, and if the data is effective queried substantial
information can be churned out to be an input to the analysis.
The above data collection process will complement each of the data collection methods
and hence the model will turn out to be more comprehensive compared to a situation where only
empirical method is used or just expert elicitation is undertaken. Also, this effort will generate
more data although in different forms, and will aide in establishing confidence interval, and even
validating the model. The proposed validation and confidence estimations are discussed in the
following section.
Data Analysis
Data analysis will be mainly based on the Extended CREAM method. The modification
as explained above is in the data collection process through expert opinion elicitation. This
would strengthen the model through generating a context focus to this otherwise generic model.
The Extended CREAM procedure is listed below:
1. Describe the task segment to be analyzed. This can be done on each of the four
classifications of tasks in Table 3.
2. Identify type of cognitive activity (15 activities)
3. Identify associated human function (Observation, Interpreting, Planning, and
Execution)
4. Determine Basic HEP: Match failure mode to type of Human Function and
Assign a basic HEP with uncertainty bound.
5. Determine the PSF effect on HEP
38
The Associated charts and the definitions that help the estimation of HEP are given below:
PSF PSF State Expected Effect on Reliability
Adequacy of Organization Very Efficient
Efficient
Inefficient
Deficient
Improvement
Not significant
Reduced
Reduced
Working Conditions Advantageous
Compatible
Incompatible
Improved
Not significant
Reduced
Adequacy of MMI and
Operational Support
Supportive
Adequate
Tolerable
Inappropriate
Improved
Not significant
Not significant
Reduced
Availability of Procedures and
Plans
Appropriate
Acceptable
Inappropriate
Improved
Not significant
Reduced
Number of simultaneous
Goals
Fewer that capacity
Matching Capacity
More than Capacity
Not significant
Not significant
Reduced
Reduced
Available Time Adequate
Temperately Inadequate
Continuously Inadequate
Improved
Not significant
Reduced
Time of Day Day Time
Night Time
Not significant
Reduced
Adequate Training and
Experience
Adequate, High Experience
Adequate, limited Experience
Inadequate
Improved
Not significant
Reduced
Crew Collaboration Quality Very Efficient
Efficient
Inefficient
Deficient
Improvement
Not significant
Not significant
Reduced
Table 4 Nine PSF of the CREAM and EXTENDED CREAM Model
The fifteen cognitive activities that are identified in the model are listed below.
1. Co-ordinate
2. Communicate
3. Diagnosis
4. Evaluate
5. Execute
39
6. Identify
7. Maintain
8. Monitor
9. Observe
10. Plan
11. Record
12. Regulate
13. Scan
14. Verify
The four cognitive functions are Observation, Interpretation, Planning, and Execution. The table
below is used to assess the uncertainty bounds of each of the four cognitive functions depending
on the cognitive type of error reported in the task analysis.
Cognitive
Function
Generic Failure Type Lower
Bound
Basic
Value
Upper
Bound
Observation O1: Wrong object observed
O2: Wrong Observation
O3: Observation not made
3.0E-4
2.0E-2
2.0E-2
1.0E-3
7.0E-2
7.0E-2
3.0E-3
1.7E-2
1.7E-2
Interpretation I1: Faulty Diagnosis
I2: Decision Error
I3: Delayed Interpretation
9.0E-2
1.0E-3
1.0E-3
2.0E-1
1.0E-2
1.0E-2
6.0E-1
1.0E-1
1.0E-1
Planning P1: Priority Error
P2: Inadequate Plan
1.0E-3
1.0E-3
1.0E-2
1.0E-2
1.0E-1
1.0E-1
Execution E1: Action of wrong Type
E2: Action at Wrong Time
E3: Action on Wrong Object
E4: Action out of sequence
E5: Miss Action
1.0E-3
1.0E-3
5.0E-5
1.0E-3
1.0E-3
3.0E-3
3.0E-3
5.0E-4
3.0E-3
3.0E-3
9.0E-3
9.0E-3
5.0E-3
9.0E-3
9.0E-3
Table 5 Uncertainty Bounds for the Cognitive Functions
Using Table 5 and the 15 cognitive activities a summary matrix needs to be created so the cells
with a possibility of failure, can be marked and the associated HEP is calculated and assigned to
the cell using the following equation:
𝐹𝑖𝑛𝑎𝑙(𝐻𝐸𝑃)
= 𝑃𝑟𝑜𝑏(𝑚𝑜𝑠𝑡 𝑙𝑖𝑘𝑒𝑙𝑦 𝑓𝑎𝑖𝑙𝑢𝑟𝑒 𝑓𝑜𝑟 𝑎 𝑔𝑖𝑣𝑒𝑛 𝑎𝑐𝑡𝑖𝑣𝑖𝑡𝑦 𝑚𝑜𝑑𝑒)𝑋 ∏ 𝑆𝑐𝑜𝑟𝑒(𝑆𝑡𝑎𝑡𝑒 𝑜𝑓 𝑃𝑆𝐹𝑖)
9
𝑖=1
40
The impact of the specific PSF on the HEP is shown in the table below:
PSF PSF State Type of Human Function
Observation Interpretation Planning Execution
Adequacy of
Organization
Very Efficient
Efficient
Inefficient
Deficient
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
0.8
1.0
1.2
2.0
0.8
1.0
1.2
2.0
Working
Conditions
Advantageous
Compatible
Incompatible
0.8
1.0
2.0
0.8
1.0
2.0
1.0
1.0
1.0
0.8
1.0
2.0
Adequacy of
MMI and
Operational
Support
Supportive
Adequate
Tolerable
Inappropriate
0.5
1.0
1.0
5.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
0.5
1.0
1.0
2.0
Availability
of
Procedures
and Plans
Appropriate
Acceptable
Inappropriate
0.8
1.0
2.0
1.0
1.0
1.0
0.5
1.0
5.0
0.8
1.0
2.0
Number of
simultaneous
Goals
Fewer that capacity
Matching Capacity
More than Capacity
1.0
1.0
2.0
1.0
1.0
2.0
1.0
1.0
5.0
1.0
1.0
2.0
Available
Time
Adequate
Temperately Inadequate
Continuously Inadequate
0.5
1.0
5.0
0.5
1.0
5.0
0.5
1.0
5.0
0.5
1.0
5.0
Time of Day Day Time
Night Time
1.0
1.2
1.0
1.2
1.0
1.2
1.0
1.2
Adequate
Training and
Experience
Adequate, High Experience
Adequate, limited Experience
Inadequate
0.8
1.0
2.0
0.5
1.0
5.0
0.5
1.0
5.0
0.8
1.0
2.0
Crew
Collaboration
Quality
Very Efficient
Efficient
Inefficient
Deficient
0.5
1.0
1.0
2.0
0.5
1.0
1.0
2.0
0.5
1.0
1.0
2.0
0.5
1.0
1.0
5.0
Table 6 Impact of PSF state on HEP
41
Using the HEP equation above and using the Table 5 and Table 6 the summary matrix with the
results will be presented in the following form:
Types of Human Functions
Type of
Activity
Observation Interpretation Planning Execution
O1 O2 O3 I1 I2 I3 P1 P2 E1 E2 E3 E4 E5
Co-ordinate
Communicate
Compare
Diagnose
Evaluate
Execute
Identify
Maintain
Monitor
Observe
Plan
Record
Scan
Verify
Table 7 Summary Matrix of Extended CREAM Method
Validation of Confidence Prediction
The validation of the model needs to be done to get the buy in of the management and research
community. Since there is some modifications made to the Extended CREAM method, this
method may be considered to have new content. The validation can be planned as follows:
Compare the confidence interval with the confidence interval given by the expert
opinion.
Use half the data from the database and use the remainder of the data to run the model
again and establish confidence intervals. Compare the two results.
If the model is not validated, relook at the model for areas of modifications and
assumptions, including the PSFs and the error circumstance
Risk Mitigation: Quantitatively Informed Risk Mitigation Strategies
This far we have proceeded to a point where we have an analysis method, data collection
and analysis proposal The question at this point of time is, having got the HEP and after
combination of the HEP to the system PRA, what do we do next? Risk probability helps us
42
prioritize the human aspects to the risk. Some of the suggested steps for risk mitigation are listed
below:
The HEP off the HRA model and the probability of failure from the PRA sheds enough light on
the risks associated with the human error and how it impacts the mission.
Use the HEP as a metric to prioritize the risk mitigation strategies, also weight should be given to
the risks that are more critical. Formulate a FMEA like tool to determine a RPN that could further
help in prioritization.
Study the contextual detail, unsafe act details and the PSFs contributing to the HEP
Establish strategies to mitigate risk.
Appropriate Risk Mitigation Strategies
The unsafe acts discussed in the Task Analysis section are summarized in table below.
The unsafe acts are broadly related to Personal, Social, Organizational, and Technological
categories. The majority of the errors happen due to personal traits and behavioral issues. In
some cases it is inadequate training/skills that leave the pilot lost in problem solving for an event
on which he has limited experience and/or training. In other situations it was seen that the unsafe
acts were committed when the pilot may have been under high work overload, fatigued, and/or
overconfident.
Unsafe Act Personal Social Organizational Technological
Not Focused X X
Omission X X X
Skip Procedures X X X
Uncoordinated X X X
Table 8 Unsafe Acts Vs Categories
Reason proposed that the way to resolve conflicts between human Vs system are based on:
1. Person Model
2. Engineering Model
3. Organizational Model.
Applying this to the problem, it is clear that it would be the organization’s responsibility to
engineer a model around and individual so it positively impacts the individual’s behavior.
Also, Weinreich (1999) identified essential elements required to achieve successful and lasting
behavior change are as follows:
An individual must believe there is a problem that has severe consequences.
An individual must believe that the proposed behavior will address the problem and
prevent the consequences.
The benefits must be perceived as outweighing the costs.
An individual has to have the skills required to implement the new behavior.
43
The individual must believe they have the skills required (self efficacy).
The behavior has to be consistent with self-image.
An individual needs to perceive the existence of social support or pressure for the
changed behavior as opposed to the status quo.
There needs to be fewer barriers to the new behavior than there are to the old behavior.
The individual must intend to make the required change to their behavior.
Combining Reason’s three distinct models for safety management, and Weinreich’s essential
elements for successful and lasting behavior change, give a model that can be the basis for the
development of strategies for human risk mitigation. The following figure shows how the
“combined model” can be used to convince the Sr. Management for a commitment to incorporate
the results of the HRA model.
Figure 3 Reason’s and Weinreich’s Combined Model.
44
The HRA and PRA results give weights on the unsafe acts to be mitigated. This
prioritized list combined with the cost benefit analysis will help arrive at the value proposition.
The value proposition should not only consider the benefits due to averting an accident but also
the elements of indirect gains for the airliner in terms of safety records and safety reputation that
would lead to loyal customers and emerging as a preferred airliner. The value proposition will
help an organization buy into the idea of accepting the recommendations and evolve the strategic
and tactical risk mitigation steps.
Generalized steps for risk mitigation are listed below with explanation on how it applies to the
problem at hand to mitigate risk:
Fear appeal campaigns: EDUCATE: Educate an individual on how the unsafe acts can
lead to catastrophic situation. It could be via advertisement campaign, workshops, and
demonstrations. For example if a pilot shows tendencies of skipping procedure, the
implication of this error should be demonstrated via workshops, films, and/or
advertisements.
Rewards and punishments: PERSUADE: Help create a positive attitude via rewards and
other personal motivating consideration. The pilots with low human error record should
be rewarded.
Unsafe act auditing: CONTROL: Audits would help the human keep a check on unsafe
acts. A concealed auditor could be present on board from the airliner/ and or an authority
to audit a flight human factor and error assessment, without prior notice, randomly which
would keep pilots on their toes.
Modifying procedure: DESIGN: Engineer the environment and working condition to be
such that it is conducive to the avoidance of unsafe acts. Policy on number of hours on
continuous flight, procedures and displays being clear and easily applied would preempt
skipping them.
Training and selection: DESIGN/EDUCATE: The situation faced by the pilot is such that
he is trained and equipped to accident management and apply a rule based approach in
troubleshooting an abnormal event.
45
Figure 4 Ways to mitigate risks
Targeting Different Strategies to the Concerned Population
The concerned population for the problem is the flight crew, design engineers, Sr.
Management, more importantly the pilots. Make it a policy to have:
Mandatory training/ workshops on human errors and its implications.
Accident recovery and training and retraining on abnormal even occurrences.
Engage the stakeholders in development of the training/ workshop, especially in
situations that may not occurred in the past but, may go wrong and hence preparedness
to handle that even should be the focal points.
Rewards program and also a punishment program should be a part of the policy to bring
in the regulatory aspect to the strategy.
46
Section 4
Discussion
In this section the challenges faced by an HRA practitioner in implementing the HRA in
an airline company is discussed. This discussion will be followed by a discussion of limitations
of the model, comprehensiveness of the model, data subjectivity, and its application
Implementation of HRA
Implementation of the HRA model pivots on the cost benefit analysis and alignment of
the HRA goals with the business goals. The business should be convinced and the Sr.
Management pledges its commitment on the analysis for a successful implementation of the
HRA. Moreover, there are procedures, policies and regulations that any project will be
constrained by during its implementation. The discussion that follows will walk through the steps
for getting the stake holders buy-in and getting approval from the FAA on the implementation of
the HRA recommendations.
Stakeholders’ Buy-in The Analyst and/or the team working on the HRA project will have to develop a value
proposition for the Sr. Management commitment and support. In order to build a value proposition some
questions need to be asked and answers obtained to come up with a reasonable value proposition. Some
sample questions are listed below, the answers are assumed. Please use this only for demonstration
purposes only. The sample questions are followed by sample analysis for demonstration purpose
too.
Sample Questions to the Company and Answers
1) What is the annual Volume of Flights?
Answer: 500,000
2) What is the revenue/year?
Answer: $37.4B/year
3) What if the human error cost/annum as a % of Revenue?
Answer: 2% of revenue= $748 M
4) Financial damages paid to clients due to inconvenience caused due to human error?
Answer: 0.1% of revenue =$ 37.4 M
5) Litigation cost due to landing issues over the past 10 years?
Answer: $110 M/year
6) How much compensation was paid due to landing error over the past 10 year?
Answer: $200 M
47
7) Steps taken recently to mitigate the cause of the failures?
Answer: Not sure
8) Any verification process in place to confirm the proper working of the mitigation steps?
Answer: Not sure
9) Steps taken recently to mitigate the cause of the failures?
Answer: Worked on controls and MMI
10) Any verification process in place to confirm the proper working of the mitigation steps?
Answer: Not really
11) How effectively is the human factors analyses, and effects of human error conveyed to
designers, maintenance personnel and pilots?
Answer: Just begun to talk about it.
Sample Calculation of Value Proposition
Basis (Revenue/annum)= $37.4 B
Losses Cost (M)
Assume 50% Improvement After Implementation
Cost associated to human error $748.00 $374.00
Damages paid to Clients $37.40 $18.70
Litigation Cost
Compensation for death or major injury $200.00 $100.00
Total Loss: $985.40 $492.70
Table 8 Hard Losses due to lack of HRA
48
Gain Cost advantage (M)
*Customer Loyalty *Reputation (5% improvement) $1,870
Better Self Esteem of front-line personnel performance improvement (15%) (Assume 1000 frontline employees at an average salary of $100K $15
Total Gain $1,885
Table 9 Soft Cost Gain
Item Metric Unit Comment
Number of Team members 10 1-time
Time/year @ 20 hours/week for 220 days (1 Year) 880 hrs 1-time
Hourly rate @ $50/hour $440,000.00
Other computational Costs $1,000,000.00
Workshops/year $2,000,000.00 Recurring Cost
Total Cost of Implementation $3,440,000.00
Table 10 Cost of HRA and Implementation
49
ROI = Total Benefit/Total Cost= (492.7+1885)/3.44=198 Hence the value proposition is
198%
After the development of a convincing value proposition, the proposal for implementation will
need to be approved by the Sr. Management and sent to FAA for approval. This Approval
process is listed below [21]:
Processing of initial application
Maintenance of initial accuracy of the application
FAA determines eligibility for safety approval on performance criteria
Performance verification requirements need to be met
Validate the adequacy and reliability of the various analyses and procedures
Submit verification reports and results
Submit test results that show a measure of proficiency and experience for personnel
involved in training
The FAA will verify and validate performance to acceptable criteria before issuing a
safety approval. As part of the verification process the applicant may be required to
develop a plan that identifies the methods of verification: demonstration, analysis,
inspection, and testing, develop procedures or reports documenting verification methods
and results, conduct verification, and submit verification reports and results.
The FAA recognizes that it is not feasible to develop all criteria or standards that are
applicable or necessary to issue a safety approval for all eligible safety elements. FAA
understands that it maybe necessity to follow an individualized approach to safety
approvals and expect to draw on its experience in evaluating license, permit, and safety
approval applications. The scope of the approval will be limited by the scope of the safety demonstration
contained in the application.
The approval is valid for 5 years and would need to be renewed thereafter.
Approval process from FAA is the most time consuming and complex after the Sr.Management
has pledged its commitment.
Model Limitations
Extended CREAM method is widely used model in the Nuclear Industry. There have
been opinions and comments by researchers that suggest that there still need to have on-going
work required to fine tune the model. Some other limitations are listed below:
The data collection from various methods, for example from databases, and surveys etc.
has inherent subjectivity from an observation to observation is difficult to capture.
Validation methods discussed above may require more refinement to gain credibility
through additional work, probably by running experiments on simulators and simulate
environment under which errors would occur. This would add the cost of the project.
50
The process of studying validity and reliability of CREAM is ongoing[14].[13] Collier
found several problems with “both the CREAM technique and the data needed to
complete the analysis”. It was felt that further development was needed before this kind
of analysis can be reliable and valid, either in a research setting or as a practitioner’s tool
in a safety assessment”. More recently, Marseguerra et al [15] have applied
traditional/basic CREAM and fuzzy CREAM (based on fuzzy logic i.e. a form of algebra
employing a range of values from ‘true’ to ‘false’ that is used in making decisions with
imprecise data) to a contextual scenario of an actual train crash. They found distinct
advantages to applying fuzzy CREAM in that it allows for a more systematic and
transparent definition of the underlying model and a more explicit treatment of the
ambiguity involved in its evaluation.
Application of this model has been in the Nuclear Domain; hence its validity in the
aviation domain needs to be verified.
51
Section 5
Conclusion
Application of knowledge from this project in the Aviation Domain
This project is unique in its application. It extends the HRA method from the nuclear
domain to the aviation domain. Although, it requires external validity in the domain, but it sheds
light on how the risk mitigation efforts could be justified and implemented in the domain and get
stake holders buy-in. This project has presented a very comprehensive task analysis which could
be used to go deeper in the identification of PSFs based on widening the theoretical framework.
Therefore, this project provides a starting point for an HRA analyst to either elaborate of
additional focus area, or to take it from here to start the data collection process.
Extensions to the Project/Future Work
It highly recommended conducting a research within the theoretical framework to validate the
PSFs and errors suggested throughout the project with an expert in the aviation area. This would
help in the implementation phase as the buy-in would already be here from the stake holders. Validation of the model has been a concern as mentioned by several HRA practitioners. Hence it
is suggested to put effort in the validation process. It is suggested that validation should be done
using empirical data. The model will result in a more comprehensive model after adequate validation and modifications
made based on the aviation domain.
52
References
[1] Douglas A. Wiegmann, A Human Error Analysis of Commercial Aviation Accidents Using
the Human Factors Analysis and Classification System (HFACS), University of Illinois at
Urbana-Champaign 2001
[2] DAVID O'HARE, Mark Wiggins, Richard Batt, Dianne Morrison; Cognitive failure analysis
for aircraft accident investigation; Ergonomics 1994; Vol 37, issue 11.
[3] Douglas A. Wiegmann and Scott A. Shappell; A Human Error Approach to Aviation
Accident Analysis - The Human Factors Analysis and Classification System
[4] Douglas A. Wiegmann and Scott A. Shappell; Human Factors Analysis to Post Accident
Data: Applying Theoretical Taxonomies of Human Error
[5] Aircraft Accident Report: Overrun American Airlines Flight 2253 Boeing 757-200, N668AA:
NTSB Number: AAR-12-01
[6] Wiegmann and Shappell ; Human Error Perspectives in Aviation
[7] Neelam Naikar, Alyson Saunders; Crossing the boundaries of safe operation: An approach
for training technical skills in error management; EAM -2002 Best Paper Award.
[8] Keller, J., Leiden, K. and Small, R. (2003). Cognitive task analysis of commercial jet aircraft
pilots during instrument approaches for baseline and synthetic vision displays.
[9] Brian F. Gore, Ph.D Workload as a Performance Shaping Factor for Human Performance
Models; Boeing 757-200 Flight Crew Operations Manual Shanghai Airlines Company Limited
2013
[10] Boeing 757-200 Cat C Pilot Procedures
[11] Jim Thomson; Situation Awareness and the Human-Machine Interface, 2013
[12] Aircraft Accident Report: Overrun American Airlines Flight 2253 Boeing 757-200,
N668AA: NTSB Number: AAR-12-01
[13] Collier, S (2003) A Simulator Study of CREAM to Predict Cognitive Errors. In Proceedings
of the International Workshop. Building the new HRA. Errors of commission form research to
application. Nuclear Energy Agency. Pages 56-75.
[14] Everdij M.H.C. and Blom H.A.P. (2008) Safety Methods Database.
http://www.nlr.nl/documents/flyers/SATdb.pdf
[15]Marseguerra, M., Zio, E. and Librizzi, M. (2007) Human Reliability Analysis by Fuzzy
"CREAM" Risk Analysis Vol 27 No 1 pages 137–154
[16] Valentina Di Pasquale, Raffaele Iannone, Salvatore Miranda and Stefano Riemma; An
Overview of Human Reliability Analysis Techniques in Manufacturing Operations Chapter 9
[17] Mosleh, Chang; Model-based human reliability analysis: prospects and requirements;
Reliability Engineering and System Safety 83 (2004) 241–253
[18] Review of human reliability assessment methods Prepared by the Health and Safety
Laboratory for the Health and Safety Executive 2009
[19] E.A. Rosa, P.C. Humphreys, C.M. Spettell, and D.E. Embrey; Application of Slim-Maud: a
test of an interactive computer-based method for organizing expert assessment of human
performance and reliability volume 1: main report
Date Published - September 1985
[20] The SPAR-H Human Reliability Analysis Method Idaho National Laboratory
U.S. Nuclear Regulatory Commission Office of Nuclear Regulatory Research Washington, DC
20555-0001
[21] The SPAR-H Human Reliability Analysis Method Idaho National Laboratory
53
U.S. Nuclear Regulatory Commission Office of Nuclear Regulatory Research
Washington, DC 20555-0001
[22] 757-200 Flight Crew Operations Manual Shanghai Airlines Company Limited Document
Number D632N001-24SHA Revision Number: 47 Revision Date: May 16, 2013
[23] Federal Aviation Administration Human Factors Team Report on: The Interfaces Between
Flightcrews and Modern Flight Deck Systems June 18, 1996
[24] Pramila Rani Nilanjan Sarkar Operator Engagement Detection and Robot Behavior
Adaptation in Human-Robot Interaction
[25] Daniela K. Busse and Chris W. Johnson; Using a Cognitive Theoretical Framework to
Support Accident Analysis; Dept. of Computing Science, University of Glasgow 17, Lilybank
Gardens, Glasgow G12 8RZ
[26]http://www.skybrary.aero/index.php/Cognitive_Reliability_and_Error_Analysis_Method_%
28CREAM%29; CREAM Method
[27] Dwight P. Miller, Ph.D., CPE; Development of ASHRAM; A new Human-Reliability
Analysis Method for Aviation Safety Dwight P. Miller, Ph.D., CPE Systems Reliability
Department Sandia National Laboratories* Albuquerque, New Mexico
[28] David Embrey; Understanding Human Behavior and Error Human Reliability Associates
1, School House, Higher Lane, Dalton, Wigan,
Lancashire. WN8 7RP
RR679
Research Report