Causal risk models of air transport
Comparison of user needs and model capabilities

Alfred Roelen

Thesis to obtain the degree of doctor at the Technische Universiteit Delft, by authority of the Rector Magnificus prof. dr. ir. J.T. Fokkema, chairman of the Board for Doctorates, to be defended in public on Monday 10 November 2008 at 15:00 by Alfred Lambertus Cornelis ROELEN, aerospace engineer, born in Vught.

This thesis has been approved by the promotor: Prof. dr. A.R. Hale

Composition of the doctoral committee:
Rector Magnificus, chairman
Prof. dr. A.R. Hale, Technische Universiteit Delft, promotor
Prof. dr. B.J.M. Ale, Technische Universiteit Delft
Prof. dr. ir. M.J.L. van Tooren, Technische Universiteit Delft
Prof. dr. A. Mosleh, University of Maryland
Prof. dr. ir. A.C. Brombacher, Technische Universiteit Eindhoven
Dr. H.A.P. Blom, Nationaal Lucht- en Ruimtevaartlaboratorium

© 2008 The author and IOS Press
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without prior permission from the publisher.

ISBN

Keywords: Safety, risk modelling, aviation, safety management.

Published and distributed by IOS Press under the imprint Delft University Press

Publisher & Distributor
IOS Press
Nieuwe Hemweg 6b
1013 BG Amsterdam
Netherlands
fax: +31-20-687 0019

Distributor in the USA and Canada
IOS Press, Inc.
4502 Rachael Manor Drive
Fairfax, VA 22032
USA
fax: +1-703-323 3668

LEGAL NOTICE
The publisher is not responsible for the use which might be made of the following information.
PRINTED IN THE NETHERLANDS

“People in those days fancied, as people generally fancy when they catch sight for the first time of a new problem, that it was far easier and simpler than was actually the case; they did not know till experience taught them how painfully they would be compelled to advance from step to step, and to unravel the intricate chain of causes which have gone to bring the earth into its present shape; and still less how one principal result of the enquiry would prove that the most interesting questions lay outside the reach of human knowledge”.
Leslie Stephen, The playground of Europe, Fredonia Books, Amsterdam, The Netherlands, 2004, reprint from the 1910 edition.

Acknowledgements

A PhD study has been compared with running a marathon, where every ten kilometres symbolise one year of research [Roelen 1997]. Although this is an interesting comparison, I believe that a PhD study is better compared with climbing a mountain; even though the route in general might be known, you’ll have to find your way while you go along and some bits are easy going, but other sections require all your strength and technical abilities. You’ll often think you have the peak in sight, only to discover the mountain continuing beyond the ridge you believed to be the top. Perhaps more importantly, running a marathon is a solitary effort, but climbing a mountain is a group endeavour. The rope group is vitally important for the probability of success. The connecting and life-saving rope allows the weaker to find support from the stronger member of the team [Harrer 1988]. A commonality between running, climbing and a PhD study is of course the inverse relation between ‘distance remaining’ and ‘desire to finish’. But then, even a bit unexpectedly, you’ll find yourself near the summit. ‘A few more whacks of the ice-axe in the firm snow and we stood on top’ [Hunt 1953].
It is here, on the top of the mountain, that one shakes hands with all members of the rope-group, acknowledging their contribution to the success. First of all many thanks to Andrew Hale for persuading me to start this endeavour and for being such a thoughtful and kind promotor. John Lapointe and Kathy Fazen of the FAA Tech Center in Atlantic City and Hok Goei of the Transport and Water Management Inspectorate provided the first opportunity for me to do some serious research on risk modelling for air transport. Ali Mosleh kindly shared his knowledge from the field of nuclear safety engineering and his wisdom in many other disciplines, and this helped me a lot in getting a firm grip on the subject. The CATS people were indispensable for further development of resulting ideas and insights, so thank you Ben Ale, Roger Cooke, Dorota Kurowicka, Pei-Hui Lin, Oswaldo Morales-Napoles, Linda Bellamy, Louis Goossens, Dan Ababei, John Spouge, John Cooper and Rob van der Boom. While being involved in the various projects that were directly or indirectly related to the research topic, I have enjoyed working together with my colleagues at NLR, in particular Peter van der Geest, Gerard van Es, Rombout Wever, Gerben van Baren, Bart Klein Obbink, Hans de Jong, Bas van Doorn, Jelmer Scholte, Hans Post, Jeroen van der Zee, Mariken Everdij, Sybert Stroeve, Lennaert Speijker, Juan Coelho, Harry Smit, Arjen Balk, Joram Verstraeten, Johan Weijts, Ton Nieuwpoort, Arun Karwal, Carolynne Montijn, Margriet Klompstra, Bert Bakker, Koen de Jong, Udo Dees, Tom van Birgelen, Patricia Sijaranamual and Anna Kurlanc. Marijn Giesberts and Job Smeltink deserve special recognition for being such cheerful roommates! Henk Blom conducted a much appreciated review of an early draft of this thesis and Michel Piers and Alex Rutten encouraged me to start and also to complete the work. While the rope group is fighting its way up the mountain slope, the people in base camp actually make it all possible.
They provide the necessary supplies and allow the climber to recover from his efforts. I would like to thank the people of my base camp; Rob & Ellen and Jim & Henriëtte for their friendship and Caroline Veugelers for always being interested in the topic of my research. Dear mom, thank you for being the best mother in the world. Bernard and Susana are my base camp heroes. Obviously, the most important member of the base camp is my partner Mijntje Pikaar. I am very grateful for sharing my life with you.

Harrer, H. (1988). Das Buch vom Eiger, Pinguin Verlag, Innsbruck, Austria.
Roelen, B. (1997). TGF-βs and their receptors in early mammalian development, Febodruk B.V., Enschede.
Hunt, J. (1953). The ascent of Everest, Hodder & Stoughton, London.

Table of contents

List of abbreviations
Chapter 1. Introduction
    1.1. Research question
    1.2. Scope
    1.3. Directions for the reader
Chapter 2. Fundamentals of risk
    2.1. Definition of safety
    2.2. Risk perception
    2.3. Risk metrics
    2.4. Risk criteria
    2.5. Theories about accident causation
    2.6. Risk analysis and risk modelling
    2.7. Conclusions for this section
Chapter 3. Fundamentals of causation and probability
    3.1. What is causation?
    3.2. Conditional independence
    3.3. Causation to predict the future
    3.4. Singular and generic causal relations
    3.5. Strong and weak causal relations
    3.6. The beginning and the end of causation
    3.7. What is a causal model?
    3.8. Conclusions for this section
Chapter 4. User needs
    4.1. A brief history of aviation safety
    4.2. Who are the users?
    4.3. Perspectives on aviation safety
        4.3.1. Airlines
        4.3.2. Repair stations
        4.3.3. Aircraft manufacturer
        4.3.4. Air navigation service provider
        4.3.5. Airports
        4.3.6. Policy makers and regulatory bodies
        4.3.7. Passengers
        4.3.8. People living or working in the vicinity of airports
    4.4. Summary of user requirements and discussion on consistency
    4.5. User expectations: lessons from CATS
    4.6. Conclusions for this section
Chapter 5. Examples of aviation safety analyses
    5.1. Safety of mixed VFR/IFR air traffic at Geneva Airport
    5.2. Safety assessment of parallel approaches at Helsinki-Vantaa Airport
    5.3. Safety assessment of offset steep approaches at Lugano Airport
    5.4. Reduced vertical separation minimum in Europe
    5.5. VEMER ATM System increment 2002
    5.6. Conclusions for this section
Chapter 6. Risk models in other industries
    6.1. Nuclear power
    6.2. Manned spaceflight
    6.3. Offshore industry
    6.4. Process industry
    6.5. Rail transport
    6.6. Health care
    6.7. Conclusions for this section
Chapter 7. Modelling
    7.1. Model representation
    7.2. Modelling techniques
        7.2.1 Boolean Trees
        7.2.2 Bayesian Belief Nets
        7.2.3 Petri nets
    7.3. Size, depth, complexity and uncertainty
    7.4. Time dependency
    7.5. Conclusions for this section
Chapter 8. Quantification
    8.1. Measurements, quantities, units and values
    8.2. The need for ratio scales
    8.3. Uncertainty
    8.4. Model assumptions
    8.5. Data sources
        8.5.1 Accident or incident data?
        8.5.2 Accident investigation
        8.5.3 Incident reporting
        8.5.4 In-flight recorded data
        8.5.5 Expert judgement
        8.5.6 Empirical studies
        8.5.7 Safety audits
    8.6. Denominator data
    8.7. Using the data
    8.8. Conclusions for this section
Chapter 9. Modelling challenges
    9.1. Modelling human operators
    9.2. Modelling safety management
    9.3. Complexity, completeness and dependencies
    9.4. Conclusions for this section
Chapter 10. Model validation
    10.1. Introduction
    10.2. Validation of the generic accident scenarios
        10.2.1. Validation of take-off and landing overrun probability estimates
        10.2.2. Completeness of the accident scenarios
    10.3. Validation of a model for missed approaches: case validity
        10.3.1. Qualitative description of the model
        10.3.2. Quantification of the model variables (the parent nodes)
        10.3.3. Dependencies
        10.3.4. Comparison of model results with observations in practice
    10.4. Face validity and peer review
    10.5. Assumption analysis
    10.6. Conclusions for this section
Chapter 11. Summary, discussion and conclusions
References
Summary
Samenvatting (Dutch summary)
Appendix A: The history of third party risk regulation at Schiphol
    Background
    Stand still for Schiphol risk
    New law for Schiphol
    Causal model as a solution?
Appendix B: The aviation system
    A typical flight
    Subsidiary processes
    Flight crew training
    Air Traffic Control
    Aircraft design and certification
    Aircraft maintenance
    Airport processes
    Safety regulation and oversight
Appendix C: Causal Model for Air Transport Safety (CATS)
Curriculum Vitae

List of abbreviations

AC        Advisory Circular
ACC       Area Control Centre
AD        Airworthiness Directive
ADREP     Accident/Incident Reporting System
ALARA     As Low As Reasonably Achievable
ALARP     As Low As Reasonably Practicable
ANS       Air Navigation System
ANSP      Air Navigation Service Provider
AOC       Air Operator Certificate
ATC       Air Traffic Control
ATCo      Air Traffic Controller
ATHEANA   A Technique for Human Event Analysis
ATIS      Automatic Terminal Information System
ATL       Aircraft Technical Log
ATM       Air Traffic Management
BBN       Bayesian Belief Net
BFU       Büro für Flugunfalluntersuchungen
CAA       Civil Aviation Authority
CATS      Causal Model for Air Transport System
CFIT      Controlled Flight Into Terrain
CIL       Critical Item List
CREAM     Cognitive Reliability and Analysis Method
CRM       Crew Resource Management
CS        Certification Specification
CTR       Control Zone
CVR       Cockpit Voice Recorder
DME       Distance Measuring Equipment
EASA      European Aviation Safety Agency
EC        European Commission
ECCAIRS   European Co-ordination Centre for Aviation Incident Reporting Systems
EMF       Electric and Magnetic Field
EPC       Error Producing Condition
ESARR     Eurocontrol Safety Regulatory Requirement
ESD       Event Sequence Diagram
EU        European Union
FAA       Federal Aviation Administration
FANOMOS   Flight Track and Aircraft Noise Monitoring System
FAR       Federal Aviation Regulation
FAS       Final Approach Speed
FDR       Flight Data Recorder
FHA       Functional Hazard Assessment
FMECA     Failure Modes Effects and Criticality Analysis
FMS       Flight Management System
FOCA      Federal Office for Civil Aviation
FSF       Flight Safety Foundation
GGR       Gesommeerd Gewogen Risico (summed weighted risk)
GPS       Global Positioning System