- 注册时间
- 2009-12-25
- 最后登录
- 2021-7-10
- 在线时间
- 3302 小时
- 阅读权限
- 200
- 积分
- 10
- 帖子
- 13416
- 精华
- 1
- UID
- 2036
 
|
Aviation Research Lab
Institute of Aviation
University of Illinois
at Urbana-Champaign
1 Airport Road
Savoy, Illinois 61874
Human Error and Accident
Causation Theories, Frameworks
and Analytical Techniques:
An Annotated Bibliography
Douglas A. Wiegmann and Aaron M. Rich
Aviation Research Lab
and Scott A. Shappell
Civil Aeromedical Institute
Technical Report ARL-00-12/FAA-00-7
September 2000
Prepared for
Federal Aviation Administration
Oklahoma City, OK
Contract DTFA 99-G-006
ARL
1
ABSTRACT
Over the last several decades, humans have played a progressively more important causal
role in aviation accidents as aircraft have become more. Consequently, a growing number of
aviation organizations are tasking their safety personnel with developing safety programs to
address the highly complex and often nebulous issue of human error. However, there is generally
no “off-the-shelf” or standard approach for addressing human error in aviation. Indeed, recent
years have seen a proliferation of human error frameworks and accident investigation schemes to
the point where there now appears to be as many human error models as there are people
interested in the topic. The purpose of the present document is to summarize research and
technical articles that either directly present a specific human error or accident analysis system,
or use error frameworks in analyzing human performance data within a specific context or task.
The hope is that this review of the literature will provide practitioners with a starting point for
identifying error analysis and accident investigation schemes that will best suit their individual or
organizational needs.
2
Adams, E. E. (1976, October). Accident causation and the management system.
Professional Safety, 26-29.
The paper explores accident causation in the context of management philosophy and support for
the safety professional. An underlying theme is that management’s thoughts and actions
influence work conditions and worker behavior. Accident prevention is then discussed as a two
level task. The first level consists of technical problem solving for correcting tactical errors. The
second level consists of management analysis and strategic planning for the correction of
operational errors. Heinrich’s domino philosophy of accident prevention is also analyzed in
regards to its relevance to management behavior.
Air Force Safety Center: Life Sciences Report (LSR) and USAF HF Taxonomy. (1998).
(NASA Aviation Data Sources Resource Handbook).
The Life Sciences Report and USAF human factors taxonomy are described. The human factors
category of the Life Science Report Investigations was designed to allow for a broader secondary
analysis of human factors issues. The data is limited to aircraft accidents only. The report relies
on the use of a logic tree. The human factors category is broken down into two main categories
with multiple subcategories within each. The first is the environmental category that incorporates
operations, institutions and management, logistics and maintenance, facilities services, and
egress/survival. The second is the individual category that is comprised of
physiological/biodynamic, psychological, and psychosocial subcategories.
AIRS Aircrew Incident Reporting System. (1998). (NASA Aviation Data Sources Resource
Notebook).
The AIRS is a reporting system developed by Airbus Industrie to assess how their aircraft are
operated in the real world, to gather human factor information, learn what role human factors
play in accidents, and inform other operators of the lessons learned from these events. A
taxonomy was designed for the database that is based on five categories of factors. The first
category is crew actions. There are three main components of this category.
(1) Activities of handling the aircraft and its systems
(2) Error types (based on Reason’s model of human error)
(3) Crew resource management teamskills
The other categories include personal influences (emotion, stress, motivation, etc),
environmental influences (ATC services, technical failure, other aircraft, etc.), organizational
influences (training, commercial pressure, etc.), and informational influences (checklists,
navigational charts, etc.). A keyword system to access the database has also been designed. This
keyword system is separated into two categories, crew behavior and contributory factors. An
advantage of the AIRS as a reporting system is that it allows for plots of error chains which
represent active and latent failures instrumental to an incident occurrence. It also supports trend
analysis.
3
Alkov, R. A. (1997). Human error. In Aviation safety- The human factor (pp. 75-87).
Casper, WY: Endeavor Books.
This paper makes the argument that much is known about what causes errors, but systems cannot
be error-free and eventually errors will occur. Three factors must be considered when studying
human error.
(1) Identical types of error can have fundamentally different causes.
(2) Anyone is capable of making errors, regardless of experience level, proficiency, maturity,
and motivation.
(3) Outcomes of similar errors can be different.
Errors are classified as design-induced. These errors can be random, systematic or sporadic.
Other types of error classifications include errors of omission, commission, substitution,
reversible, and irreversible. The paper goes on to describe three things that a model of human
error should do. It needs to be able to predict the error, take into account data input, account for
cognitive processes, and examine actions of individuals to determine what kind of error behavior
occurred. Three taxonomies for errors are also discussed. The first taxonomy simply describes
what happened. The second taxonomy lumps together errors according to the underlying
cognitive mechanism that cause it. The third taxonomy classifies errors according to human
biases or tendencies. The slips, lapses, mistakes paradigm of error is then examined within these
taxonomies. Errors, which are unintended, are contrasted to violations, which are usually
deliberate. The authors also take a look at intentional violations performed by operators. The
decision to perform a violation is shaped by three interrelated factors. These factors are attitudes
to behavior, subjective norms, and perceived behavioral control. The role of latent failures versus
active failures is discussed. Latent failures are consequences of human actions or decisions that
take a long time to reveal themselves. Active failures have almost immediate negative outcomes.
Finally, local versus organizational factors are stressed as being important. Local factors refer to
the immediate workplace whereas organizational factors refer to those that occur outside of the
immediate workplace.
Amendola, A. (1990). The DYLAM approach to systems safety analysis. In A. G. Colombo
& A. S. De Bustamante (Eds.), Systems reliability assessment (pp. 159-251). The
Netherlands: Kluwer Academic Publishers.
The DYLAM (Dynamic Logical Analytical Methodology) is described and analyzed. DYLAM is
a methodology created to address the problem of the inability of event trees to adequately
account for dynamic processes interacting with systems’ states. DYLAM is especially useful for
developing stochastic models of dynamic systems which provide a powerful aid in the design of
protection and decision support systems to assist operators in the control of hazardous processes
in addition to systems safety assessment. The method differs from other techniques in its ability
to account for process simulations and components of reliability performance in a unified
procedure. The method uses heuristical bottom-up procedures that lead to the identification of
event sequences that cause undesired conditions. It is also able to consider changes of the system
structure due to control logic and to random events.
4
Baron, S., Feehrer, C., Muralidharan, R., Pew, R., & Horwitz, P. (1982). An approach to
modeling supervisory control of a nuclear power plant (NUREG/CR-2988). Oak Ridge,
TN: Oak Ridge National Laboratory.
The purpose of this report is to determine the feasibility of applying a supervisory control
modeling technology to the study of critical operator-machine problems in the operation of a
nuclear power plant. A conceptual model is formed that incorporates the major elements of the
operator and of the plant to be controlled. The supervisory control modeling framework is
essentially a top-down, closed-loop simulation approach to supervisory control that provides for
the incorporation of discrete tasks and procedurally based activities.
Barriere, M. T., Ramey-Smith, A., & Parry, G. W. (1996). An improved HRA process for
use in PRAs. Probabilistic Safety Assessment and Management ’96 (pp. 132-137). New
York, NY: Springer.
A summary of the human reliability analysis called ATHEANA (a technique for human error
analysis) is given. ATHEANA is an analytical process for performing a human reliability
analysis in the context of probabilistic risk assessment. ATHEANA is based on an understanding
of why human-system interaction failures occur as opposed to behavioral and phenomenological
description of operator responses.
Benner, L., Jr. (1975). Accident investigations: Multilinear events sequencing methods.
Journal of Safety Research, 7(2), 67-73.
The paper tries to call attention to the need to develop generally acceptable approaches and
analysis methods that will result in complete, reproducible, conceptually consistent, and easily
communicated explanations of accidents. The first step for accident investigation should be to
answer the question, “what happened?” This involves a delineation of the beginning and end of
the accident phenomenon. It is extremely important that a convention for defining precisely the
beginning and end of an accident is decided on and used. The second question to answer is,
“Why did it happen as it did?” This means a recognition of the role of conditions leading to the
accident is necessary. A general explanation of the accident phenomenon is needed. This can be
done using the P-theory of accidents. The theory states that the accident can be seen to begin
with a perturbation and end with the last injurious or damaging event in the continuing accidental
events sequence. Accident event sequences should be displayed to aid accident investigation. An
events charting method is one way to do this. It is a chronological array of events and helps
structure the search for relevant factors and events involved in the accident. A method for
presenting the accident events and enabling conditions is suggested. This method stays tuned into
the time order and logical flow of events present in an accident. The author believes that the
adoption of the P-theory and the charting methods would improve the public’s grasp of accident
phenomenon.
5
Benner, L., Jr. (1982). 5 accident perceptions: Their implications for accident
investigations. Professional Safety, 27(2), 21-27.
The author is interested in investigating what the standards of accident investigation should be. A
common problem is that investigators may each have different ideas as to the purpose of the
investigation in relation to what their own needs and wants may be. Five distinct perceptions of
the nature of accident phenomenon are suggested to exist and the strengths of each are discussed.
These perceptions each seem to lead to a theoretical base for accident investigation. The first
perception is the single event perception, where accidents are treated as a single event. The only
strength of this perception is its tendency to concentrate attention on a single corrective measure.
A major weakness is that it provides an overly simplified explanation of accidents. The second
perception is the chain of events perception which treats accidents as a chain of sequential
events. The main focus is placed on unsafe conditions and acts. The major strength of this
perception is that the reconstruction technique provides some disciplining of the data search by
doing sequential ordering. A weakness is that the criteria for the selection of data used are
imprecise and very unlikely to lead to reproducible results. The third perception is the
determinant variable or factorial perception. This perception tries to discern common factors in
accidents by statistical manipulation of accident data. An important strength here is its ability to
discover previously undefined relationships. A major weakness is the total dependency on data
obtained by accident investigators. The fourth perception is the logic tree perception. This
presumes that converging chains of events lead to an undesired event. The major strength of this
perception is that it provides an approach to organize speculations about accidental courses of
events and allows an operator to watch for initiation events. A weakness is that the beginning
and end of an accident phenomenon are left to be decided by the individual investigators. The
fifth and final perception is the multilinear events sequence perception. This perception treats
accidents as a segment of a continuum of activities. The major strength is the way it facilitates
discovery by structuring data into logical arrays. A weakness is the perceived complexity of the
methodologies which discourages use. Three areas are addressed as problem areas that need to
be improved for accident investigators. Each investigator develops a personalized investigative
methodology instead of having a common methodology used by all investigators. Investigators
have difficulty linking investigations to predicted safety performance of an activity. Finally,
there are no standardized qualifications for investigators.
6
Berninger, D. J. <unknown date>. Understanding the role of human error in aircraft
accidents. Transportation Research Record, 1298, 33-42.
There are two main strategies used to address human error. The first is the introduction of
technology that is intended to assist and reduce the roles of humans. The second is training and
changes to the system that are suggested by human factors. One way of looking at human error is
as human malfunction. The author argues against using this point of view stating that there is no
malfunction on the human’s part because the human is responding appropriately to experience or
the circumstance. A second way of looking at human error is as a system malfunction. A system
that fails has both animate and inanimate components, and humans cause errors with the animate
components. But human performance is not independent of the inanimate components and
environment. A distinction is made between soft deficiencies and hard-system deficiencies. Soft
deficiencies are system characteristics that work against human performance and cause humans
to fail. Hard-system deficiencies are things such as insufficient durability and cause hardware to
fail. A mechanism for system design causing aircraft accidents is presented. It states that soft
deficiencies result from vigilance, which affects effectiveness along with skill and experience.
The effectiveness is compared to flight conditions. If the effectiveness level is too low compared
to flight conditions, the safety margin decreases until an accident occurs. Human factors
specialists, engineers, and others must pursue soft deficiencies jointly. By breaking down the soft
deficiencies, accidents can be understood better and made more preventable.
Besco, R. O. (1988). Modelling system design components of pilot error. Human Error
Avoidance Techniques Conference Proceedings (pp. 53-57). Warrendale, PA: Society of
Automotive Engineers.
A five factored model based on the assumption that errors have a cause and can be prevented by
removing error-inducing elements is developed and reviewed in the context of civilian aircraft
accidents. The five factors are obstacles, knowledge, systems, skill, and attitude. The model
consists of a sequential analysis of inducing elements and the associated reducers. A detailed
step-by-step graphic model is presented in the paper.
7
Besco, R. O. (1998). Analyzing and preventing knowledge deficiencies in flight crew
proficiency and skilled team performance. Dallas, TX: Professional Performance
Improvement.
A five-factor model called the Professional Performance Analysis System (PPAS) is developed
and described which has a main purpose of providing remedies to minimize pilot error and
optimize pilot performance. The model has been successful for use in accident investigation. The
model attempts to deal with knowledge deficiencies and attitudinal problems with a combination
of techniques and methodologies from organizational psychology, flight operations, business
leadership and management sciences. The five interactive factors of the model include
knowledge, skills, attitudes, systems environment, and obstacles. The first step in the analysis is
describing the process, function, task, error, or low performance. At this stage an investigator is
looking to see if the pilot was aware of risks, threats and consequences of their actions and if
there was stimulus that degraded this awareness. The second step is to assess the impact of the
error on this particular accident or incident by determining whether removal would have
prevented the accident. The third step is to assess the visibility of the error to the crewmembers.
The fourth step involves analyzing a detailed flow chart to see if the crew had adequate
knowledge to cope with the errors and anomalies that occurred. There are four levels of learning
that are examined. These include unconsciously incompetent (crew is unaware that they don’t
know something), consciously incompetent (the crew is aware that they don’t know something),
consciously competent (the crew has knowledge and skill but must apply great effort to
accomplish it), and unconsciously competent (the crew has over learned the knowledge or skill
and can apply it without conscious thought). Other questions are explored to determine
deficiencies. Recommendations are given for each of the situations where a problem was
perceived.
(1) Did the crew ever have the knowledge?
(2) Was the knowledge used often?
(3) Was there feedback on the knowledge level?
(4) Was there operationally meaningful curriculum?
(5) Did personal interaction with learning occur?
(6) Is the knowledge compatible with an organization?
(7) Was the individual’s capacity to absorb and apply information lacking?
8
Bieder, C., Le-Bot, P., Desmares, E., Bonnet, J. L., & Cara, F. (1998). MERMOS: EDF’s
new advanced HRA method. Probabilistic Safety Assessment and Management: PSAM 4
(pp. 129-134). New York, NY: Springer.
MERMOS is a HRA method that deals with important underlying concepts of HRAs that were
developed and examined in this paper. The basic theoretical object of the MERMOS method is
what is termed Human Factor Missions. The Human Factor Missions refer to a set of macroactions
the crew has to carry out in order to maintain or restore safety functions. Four major steps
are involved in the MERMOS method. The first is to identify the safety functions that are
affected, the possible functional responses, the associated operation objectives, and to determine
whether specific means are to be used. The second is to break down the safety requirement
corresponding to the HF mission . The third is to bridge the gap between theoretical concepts and
real data by creating as many failure scenarios as possible. The final one is to ensure the
consistency of the results and integrate them into PSA event trees.
Bisseret, A. (1981). Application of signal detection theory to decision making in supervisory
control: The effect of the operator’s experience. Ergonomics, 24(2), 81-94.
The role of signal detection theory was looked at in the air-traffic controller environment. A
general model of perceptive judgments on a radar screen for ATC controllers is proposed for
judging the future separation at the point of convergence for two aircraft. An experiment was
conducted that looked at air-traffic controllers (trainees vs. experienced) ability to detect loss of
separation of aircraft at present and in the future. The results showed that experienced controllers
use a ‘doubt’ response (a part of the model of perceptive judgments proposed) while trainees do
not. Trainees look for a sure and accurate response while experienced controllers create a
momentary class of indetermination.
Braddock, R. (1958). An extension of the “Lasswell formula”. Journal of Communication,
8, 88-93.
Seven aspects of the communicative process are offered as an extension to the “Lasswell
Formula”. These aspects are WHO says WHAT to WHOM under WHAT CIRCUMSTANCES
through WHAT MEDIUM for WHAT PURPOSE with WHAT EFFECT. This formula (model)
can address errors in terms of dealing with aspects of a message, its medium, and the
expectations of the sender or receiver.
9
Broadbent, D. E. (1958). Perception and communication. Pergamon Press, Oxford.
Broadbent explains in detail an information flow diagram of an organism. There are five
important principles underlying his diagram. The nervous system acts as a single communication
channel that has a limited capacity. A selective operation is performed upon the input to the
channel. Selection is not random and depends on the probability of certain events and states
being present in an organism. Incoming information can be held in a temporary store for the
maximum time in the order of seconds. And finally, information can return to the temporary
store after passing through a limited capacity channel.
CAATE Civil Aviation Authority Taxonomy Expanded. (1998). (NASA Aviation Data
Sources Resource Handbook).
The CAATE was developed from analyses of controlled flight into terrain that led to ‘problem
statements’. These problem statements were adapted into a taxonomy. A brief version of the
taxonomy outline is presented here. Factors are divided into two main categories, causal and
circumstantial. Causal factors include the airplane, ATC/ground aids, environmental, the crew,
the engine, fire, maintenance/ground handling, the aircraft structure, infrastructure, design,
performance and an ‘other’ factor. Circumstantial factors include aircraft systems, ATC/ground
aids, environmental, the crew, infrastructure, and an ‘other’ factor.
Cacciabue, P. C., Carpignano, A., & Vivalda, C. (1993). A dynamic reliability technique for
error assessment in man-machine systems. International Journal of Man-Machine Studies,
38, 403-428.
The paper presents a methodology for the analysis of human errors called DREAMS (Dynamic
Reliability technique for Error Assessment in Man-Machine Systems). DREAMS is meant to
identify the origin of human errors in the dynamic interaction of the operator and the plant
control system. It accommodates different models of several levels of complexity such as simple
behaviouristic models of operators and more complex cognitive models of operator behaviour.
10
Cacciabue, P. C., Cojazzi, G., & Parisi, P. (1996). A dynamic HRA method based on a
taxonomy and a cognitive simulation model. Probabilistic Safety Assessment and
Management ‘96 (pp. 138-145). New York: Springer.
A human factors methodology called HERMES (human error reliability methods for event
sequences) is presented and compared to the “classical” THERP method. The classification
scheme is based on the model of cognition and guides field studies, the development of
questionnaires and interviews, the extraction of expert judgment, and the examination of
accidents/incidents. The overall aim is to estimate data and parameters that are included in the
analyses. The HERMES methodology is derived from four sources. The first is a cognitive
simulation model built on the theories of human error and contextual control of Hollnagel and
Reason. The second is a classification scheme of erroneous behavior. The third source is a model
of the functional response of the plan. The fourth source is a method for structuring the
interaction of the models of cognition and of plants that control the dynamic evolution of events.
Cinq-Demi Methodology and Analysis Grids. (1998). (NASA Aviation Data Sources
Resource Notebook).
This methodology was developed as a tool to analyze the error factors and operational system
faults that underlie a group of incidents or accidents. Three types of events are identified that can
influence the status of an aircraft. This status floats between the Authorized Flight Envelope
where the probability of an accident is low (10-7) to a Peripheral Flight Envelope where the
probability of an accident is higher (10-3). The three events are maneuverability, sensitivity to
disturbances, and pilotability. Maneuverability refers to maneuvers that are either imposed by the
mission or are required to accommodate environmental events. Sensitivity to disturbances
addresses internal and external events that influence aircraft status and movement. Pilotability
deals with pilots’ performance of elementary operations and tasks, and the conditions leading to
error. Five factors are proposed that are conditions leading to error. These include high
workload, lack of information, misrepresentation (mental) due to the wrong use of information
and cues, misrepresentation (mental) due to ‘diabolic error’, and physical clumsiness. The
accidents and incidents are divided into key sub-events. These sub-events are then analyzed by
five grids. The first three grids represent events that can change the Status Point of the aircraft.
The fourth identifies the human environment at the time. The fifth is a matrix of operational
system faults and elementary operations.
(1) GAME (grid of aircraft maneuvers events)
(2) GASP (grid of aircraft sensitivity to perturbations
(3) GOOF (grid of operator failures)
(4) GARE (grid of amplifiers of risk of errors)
(5) RAFT (rapid analysis fault table)
11
Cojazzi, G., & Cacciabue, P. C. (1992). The DYLAM approach for the reliability analysis
of dynamic systems. In T. Aldemir, N. O. Siu, A. Mosleh, P. C. Cacciabue, & B. G. Göktepe
(Eds.), Proceedings of the NATO Advanced Research Workshop on Reliability and Safety
Assessment of Dynamic Process Systems (pp. 8-23). Germany: Springer-Verlag Berlin
Heidelberg.
A review of the third generation DYLAM approach to reliability analysis is performed. DYLAM
is a powerful tool for integrating deterministic and failure events and it is based on the systematic
simulation of the physical process under study. The DYLAM framework takes into account
different types of probabilistic behaviours such as constant probabilities for initial events and
component states, stochastic transitions between the states of the component, functional
dependent transitions for failure on demand and physical dependencies, stochastic and functional
dependent transitions, conditional probabilities for dependencies between states of different
components, and stochastic transitions with variable transition rates. The DYLAM method is
defined as a type of fault-tree/event-tree method.
Cooper, S. E., Ramey-Smith, A. M., Wreathall, J., Parry, G. W., Bley, D. C., Luckas, W. J.,
Taylor, J. H., & Barriere, M. T. (1996). A technique for human error analysis (ATHEANA)
(NUREG/CR-6350). Brookhaven National Laboratory.
ATHEANA has been designed to address deficiencies in current human reliability analysis
(HRA) approaches. These deficiencies to be corrected include addressing errors of commission
and dependencies, representing more realistically the human-system interactions that have
played important roles in accident response, and integrating recent advances in psychology with
engineering, human factors, and probability risk analysis disciplines. ATHEANA is a
multidisciplinary HRA framework that has been designed to fuse behavioral science,
engineering, and human factors together. The framework elements are error forcing contexts,
performance shaping factors, plant conditions, human error, error mechanisms, unsafe actions,
probability risk assessment models, human failure events, and scenario definitions. The
ATHEANA method was demonstrated in a trial application and provided a “proof of concept”
for both the method itself and the principles underlying it.
Danaher, J. W. (1980). Human error in ATC system operations. Human Factors, 22(5),
535-545.
Errors in air traffic control systems are occurring more often as air traffic increases. The author
reviews the FAA’s program that sought to identify and correct causes of system errors which
occur as a result of basic weaknesses inherent in the composite man-machine interface. A system
error was defined as the occurrence of a penetration in the buffer zone that surrounds an aircraft.
A database called the System Effectiveness Information System (SEIS) has been kept to be able
to make summaries of system error data in desired categories. A system error is allowed only one
direct cause, but may have many contributing causes. There are nine cause categories. These are
attention, judgment, communications, stress, equipment, operations management, environment,
procedures, and external factors.
12
De Keyser, V., & Woods, D. D. (1990). Fixation errors: failures to revise situation
assessment in dynamic and risky systems. In A. G. Colombo and A. Saiz de Bustamante
(Eds.), Systems reliability assessment (pp. 231-252). Dordrechts, The Netherlands: Kluwer
Academic Publishers.
The paper identifies a major source of human error as being a failure to revise situation
assessment as new evidence becomes available. These errors are called fixation errors and are
identified by their main descriptive patterns. The paper explores ways to build new systems to
reduce this type of error. Fixation occurs when a person does not revise their situation
assessment or course of action in response to one of two things. Either the situation assessment
or course of action has become inappropriate given the actual situation, or the inappropriate
judgment or action persists in the face of opportunities to revise. Three main patterns of behavior
occur during fixation. There is the “Everything but that” pattern, the “This and nothing else”
pattern, and the “Everything is OK” pattern. The authors go on to describe a fixation incident
analysis. The analysis is broken into categories. These are initial judgment and background, the
error, opportunities to revise, neutral observer tests, incident evolution, and revision and
correction.
Diehl, A. E. (1989). Human performance aspects of aircraft accidents. In R. S. Jensen (Ed.),
Aviation psychology (pp. 378-403). Brookfield, VT: Gower Technical.
There is an important relationship between the phenomena of accident generation with the
following investigation process, and the measures that are eventually performed to prevent more
similar accidents from occurring. With this in mind, the author describes three important
elements in accident generation. First, hazards occur when a dangerous situation is detected and
adjusted for. Hazards are common. Second, incidents occur when a dangerous situation isn’t
detected until it almost occurs and an evasive action of some sort is needed. These are infrequent.
Third, accidents occur when a dangerous situation isn’t detected and does occur. These are rare.
Aircraft accident investigation consists of several discrete functions that occur in the following
sequence: fact finding, information analysis, and authority review. It is also important to examine
comparative data sources and mishap data bases. There are also important accident prevention
elements which are to establish procedural safeguards, provide warning devices, incorporate
safety features, and eliminate hazards and risks.
13
Dougherty, E. M., Jr., & Fragola, J. R. (1988). Human reliability analysis. New York: John
Wiley & Sons.
A human error taxonomy is discussed that draws heavily from the Rasmussen taxonomy. This is
then used to formulate a conceptual framework of technological risks. The human error
taxonomy is broken down into behavior types (mistakes, slips) and the different parts to error
(modes, mechanisms, causes). The parts of errors are expanded below:
Modes
Misdetection
Misdiagnosis
Faulty decision
Faulty planning
Faulty actions
Mechanisms
False sensations
Attentional failures
Memory lapses
Inaccurate recall
Misperceptions
Faulty judgments
Faulty inferences
Unintended actions
Causes
Misleading
Indicator
Lack of knowledge
Uncertainty
Time stress
Distraction
Physical incapacitation
Excessive force
Human variability
The framework shows that the human being consists of many modules that carry out selected
activities. There are mechanisms that control action. There are mechanisms that interpret, plan,
and choose actions. An executive monitor exists to control these processes. A conscious module
exists. In the framework, the human relates to the world through the senses and acts through the
motor apparatus. Skill loops are shorter and presumably faster whereas knowledge loops may
pass through all categories of the modules. Influences on human behavior may increase the
effectiveness of certain modules.
Drury, C. G., & Brill, M. (1983). Human factors in consumer product accident
investigation. Human Factors, 25(3), 329-342.
The role of accident investigation in product-liability cases is discussed. A job aid is developed
using task analysis as a basis which is intended to obtain better human factors data.
Characteristic accident patterns were found among the data and these were labeled hazard
patterns or scenarios. It is stressed that etiological data is more important to obtain than
epidemiological data. Hazard patterns are developed and discussed. The intention of hazard
patterns is to create a way to predict the behavior of a product just by looking at its
characteristics. Hazard patterns are considered useful if at least six scenarios can account for
90% or more of the in-depth investigations, each scenario leads to at least one usable
intervention strategy that works for that pattern, each scenario is mutually exclusive from all the
others, and each scenario has human factors as a parameter in its description. A generic hazard
pattern is assigned to the remaining small percentage of scenarios that are not product specific.
Hazard patterns are broken down into four parts that correspond to the task, the operator, the
machine, and the environment.
14
Edwards, M. (1981). The design of an accident investigation procedure. Applied
Ergonomics, 12(2), 111-115.
The author points out that ergonomics has come under attack because models of application are
inappropriate and partly because ergonomists tend to be laboratory-centered rather than problemcentered.
The SHEL system is reviewed and suggested as a good solution to the problems
mentioned. The basis of the SHEL system is the premise that what people do in a work situation
is determined not only by their capabilities and limitations but also by the machines they work
with, the rules and procedures governing their activities and the total environment within which
the activity takes place. The model states that Hardware, Software, and Liveware (human
elements) all are system resources that interact together and with their Environment. Accidents
are described as symptomatic of a failure in the system. In order for the SHEL system to be
adopted, a change in orientation is needed so that accidents will not be regarded as isolated
events of a relatively arbitrary nature, due mostly to carelessness.
Embrey, D. E., Humphreys, P., Rosa, E. A., Kirwan, B., & Rea, K. (1984). SLIM-MAUD:
An approach to assessing human error probabilities using structured expert judgment
(NUREG/CR-3518). Brookhaven National Laboratory.
Procedures and analyses are performed to develop an approach for structuring expert judgments
to estimate human error probabilities. The approach is called SLIM-MAUD (success likelihood
index methodology, implemented through the use of an interactive computer program called
MAUD-multi attribute utility decomposition). The approach was shown to be viable in the
evaluation of human reliability.
Feggetter, A. J. (1982). A method for investigating human factor aspects of aircraft
accidents and incidents. Ergonomics, 25(11), 1065-1075.
This paper describes a comprehensive procedure for determining the human behaviour that
occurs in aircraft accidents and incidents. A recommendation is made to use interviews and
check lists in order to assess behavioral data that is involved with accidents and incidents. It is
stressed that a trained human factors specialist should interview the personnel involved in these
accidents and incidents as soon as possible. The author goes on to describe a checklist for
accident and incident investigation that has been developed. It is based on a systems approach to
understanding human error. The framework for the check list proposed considers three systems.
These three systems are the cognitive system, the social system and the situational system.
15
Ferry, T. S. (1988). Modern accident investigation and analysis (2nd ed.), New York: John
Wiley & Sons.
The book takes a thorough, detailed look at modern accident investigation and analysis. Its
purpose is to give an investigator the necessary basics to perform an investigation. It is pointed
out that a much more detailed version would be needed to truly train an expert in accident
investigation. The book is divided into four parts. The first part investigates the who, what, why
and when aspect of accident investigation. The second part examines the roles and interactions of
man, environment, and systems. The third part reviews specific analytical techniques such as
fault trees, failure mode and effect analysis (FMEA), the technique for human error rate
prediction (THERP), the management oversight and risk tree (MORT), and the technic or
operations review (TOR). The fourth part covers related topics to accident investigation. Some
examples of these are mishap reports, management overview and mishap investigation, legal
aspects of investigation, and the future of accident investigation. Fifteen general types of
methodological approaches are identified in the accident investigation domain. These are
epidemiological, clinical, trend forecasting, statistical inference, accident reconstruction,
simulation, behavioral modeling, systems approach, heuristic, adversary, scientific, Kipling
method (investigates who, what, when, where, why, and how), Sherlock Holmes method (events
sequencing integrated in the investigator’s mind), and traditional engineering safety.
Firenze, R. J. (1971, August). Hazard control: Safety, security, and fire management.
National Safety News, 39-42.
Error is looked at in the context of three integrated groups. The first group is physical equipment
(the machine) which examines poorly designed or poorly maintained equipment that leads to
accidents. The second group is man. In this group, faulty or bad information causes poor
decisions. The third group is environment. Here failures in the environment (toxic atmospheres,
glare, etc.) affect man, machine, or both. It is also noted that stressors that appear during a
decision making process cloud a person’s ability to make sound, rational decisions.
Fitts, P. M. (1954). The information capacity of the human motor system in controlling the
amplitude of movement. Journal of Experimental Psychology, 47(6), 381-391.
Fitts found that the rate of performance in a given type of task is approximately constant over a
considerable range of movement amplitudes and tolerance limits, but falls off outside this
optimum range. It was also found that the performance capacity of the human motor system plus
its associated visual and proprioceptive feedback mechanisms, when measured in information
units, is relatively constant over a considerable range of task conditions. This paper came as a
result of information theory and applied its concepts.
16
Fussell, J. B. (1976). Fault tree analysis – Concepts and techniques. In E. J. Henley & J. W.
Lynn (Eds.), Proceedings of the NATO Advanced Study Institute on Generic Techniques in
Systems Reliability Assessment (pp. 133-162). Leyden, The Netherlands: Noordhoff
International Publishing.
Fault tree analysis is a technique of reliability analysis that can be applied to complex dynamic
systems. The fault tree is a graphical representation of Boolean logic associated with the
development of a particular system failure to basic failures. Fault tree analysis has numerous
benefits. It allows the analyst to determine failures deductively. It points out important aspects of
the system in regards to the failure of interest. It provides a graphical aid giving clarification to
systems management people. It provides options for qualitative or quantitative system reliability
analysis. It allows the analyst to focus on one particular system failure at a time. Finally, it
provides the analyst with genuine insight into system behavior. Three disadvantages of fault tree
analysis include the high cost of development, the fact that few people are skilled in its
techniques, and the possibility of two different people developing two different trees for the
same system. The fault tree has 5 basic parts to it. The first parts, components, are the basic
system constituents for which failures are considered primary failures during fault tree
construction. The second parts, fault events, are failure situations resulting from the logical
interaction of primary failures. The third parts, branches, are the development of any fault event
on a fault tree. The fourth parts, base events, are the events being developed. The fifth and final
parts, gates, are Boolean logic symbols that relate the inputs of the gates to the output events.
Gerbert, K. & Kemmler, R. (1986). The causes of causes: Determinants and background
variables of human factor incidents and accidents. Ergonomics, 29(11), 1439-1453.
An investigation was done with German Air Force pilots to examine critical flight incidents. The
authors are interested in examining whether a possible cause of a failure can be traced to
permanent personality characteristics of an operator or to a situational disturbance by psychophysiological
or external events. Data analysis revealed human errors that can be interpreted as a
four-dimensional error structure. Vigilance errors encompass one dimension. These are missing
or fragmentary uptake of objectively present information due to inattention, or
channellized/shifted attention. Perception errors are another dimension. These errors are
comprised of erroneous judgment, miscalculations, wrong decisions, and faulty action plans. The
third dimension is information processing errors. These are defined as false utilization of
probabilistic information. The fourth dimension is sensorimotor errors. These are deficiencies in
timing and adjustments of simple-discrete and or complex-continuous motor activities and also
perceptual-motor confusion. The study shows that there is an entanglement and interaction of
specific causal conditions.
17
Gertman, D. I. (1993). Representing cognitive activities and errors in HRA trees.
Reliability Engineering and System Safety, 39, 25-34.
COGENT (cognitive event tree system) is an enriched HRA event tree method that is presented
in this paper that integrates three potential means of representing human activity. These include
an HRA event-tree approach, the skill-rule-knowledge paradigm, and the slips-lapses-mistakes
paradigm. COGENT attempts to combine the classical THERP technique with more cognitively
oriented approaches to bridge the existing gap between the modeling needs of HRA practitioners
and the classification schemes of cognitive theoreticians. The paper provides a detailed
description of the method and an application to an example scenario is performed.
Gertman, D. I., & Blackman, H. S. (1994). Human reliability and safety analysis data
handbook. New York: John Wiley and Sons.
The authors provide a comprehensive review and explanation of human reliability and safety
analysis. The background and “how to” aspects of conducting human reliability analysis are
discussed. Various methods of estimating and examining human reliability are reviewed. Some
of these include human cognitive reliability, maintenance personnel performance simulation,
techniques for human error rate prediction, and fault/event trees. It is stressed that existing data
sources and data banks are useful and important for performing human reliability and safety
analyses.
Gertman, D. I., Blackman, H. S., Haney, L. N., Seidler, K. S., & Hahn, H. A. (1992).
INTENT: A method for estimating human error probabilities for decision based errors.
Reliability Engineering and System Safety, 35, 127-136.
INTENT is a method that is used to estimate probabilities associated with decision based errors
that are not normally incorporated into probabilistic risk assessments. A hypothetical example is
created that uses a preliminary data set for 20 errors of intention that were tailored to represent
the influence of 11 commonly referenced performance shaping factors. The methodological flow
for INTENT involves six stages: Compiling errors of intention, quantifying errors of intention,
determining human error probabilities (HEP) upper and lower bounds, determining performance
shaping factors (PSF) and associated weights, determining composite PSF, and determining site
specific HEP’s for intention. The preliminary results show that the method provides an interim
mechanism to provide data which can serve to remedy a major deficiency of not accounting for
high consequence failures due to errors of intention.
18
Gore, B. R., Dukelow, J. S., Mitts, T. M., & Nicholson, W. L. (1995). A limited assessment
of the ASEP human reliability analysis procedure using simulator examination results.
(NUREG/CR-6355). Pacific Northwest Laboratory.
The procedures and requirements for the ASEP analysis are explained. This volume does not
contain any of the background or theory involved in developing the approach.
Hahn, H. A., Blackman, H. S., & Gertman, D. I. (1991). Applying sneak analysis to the
identification of human errors of commission. Reliability Engineering and System Safety,
33, 289-300.
SNEAK is a method designed to identify human errors of commission. It is especially powerful
as an aid to discovering latent errors. The analysis performed in this paper is in the context of
electrical circuits, although a software SNEAK analysis has also been designed. Data acquisition
and encoding is the first major consideration of the method to determine that the data being used
adequately represents the true system. Network trees are also used to represent a simplified
version of the system. The network trees are examined for topological patterns. These patterns
lead to clues that help identify SNEAK conditions.
Hansen, C. P. (1989). A causal model of the relationship among accidents, biodata,
personality, and cognitive factors. Journal of Applied Psychology, 74(1), 81-90.
Data from chemical industry workers were gathered to construct and test a causal model of the
accident process. The authors believe that social maladjustment traits, some characteristics of
neurosis, cognitive ability, employee age, and job experience would have an effect on accident
causation. An accident model path diagram is presented that considers variables from numerous
tests, scales and traits. These include the Bennett mechanical comprehension test, the Wonderlic
personnel test, an employee’s age, general social maladjustment scale, the distractibility scale,
job experience, involvement in counseling, accident risk, and accident consistency. The model
can be used to predict with some degree of accuracy the likelihood an employee has of getting
into an accident. This is accomplished through tests on the employee and employee data.
19
Harle, P. G. (1994). Investigation of human factors: The link to accident prevention. In N.
McDonald & R. Fuller (Eds.), Aviation psychology in practice (pp.127-148). Brookfield,
VT: Ashgate.
A general theme the author presents is that humans are the source of accidents, but they are also
the key to accident prevention. James Reason’s model of accident causation is examined as a
systems approach to accident causation. A step by step description of how investigations of
incidents should occur is given. It is first stressed that an investigator does not need to be a
specialist in the domain of the accident. A generalist investigator is usually well-suited.
Information needs to be collected that helps determine what happened and why it happened. The
SHEL model is useful for this type of data collection task. The SHEL model examines liveware,
software, hardware and environment of systems. Information is considered relevant and
necessary to obtain if it helps to explain why an accident or incident occurred. Two sources for
information are from primary sources and secondary sources. Primary sources include physical
equipment, documentation, audio/flight recorder tapes, etc. Secondary sources include
occurrence databases, technical literature and human factors professionals/specialists. A
framework for analyzing the occurrence data should then be used that leads to safety action as
the principal output. A human factors report of the incident/accident then needs to be written that
identifies the hazards uncovered and give safety recommendations. Finally, follow-up actions to
prevent the identified hazards needs to be taken.
Hawkins, F.H. (1997). Human error. In Human Factors in Flight, (pp. 27-56). Brookfield,
VT: Avebury Aviation.
Human error is examined in the context of aviation. Three basic tenets of human error are
developed and discussed. The first is that the origins of errors can be fundamentally different.
The second is that anyone can and will make errors. The third is that consequences of similar
errors can be quite different. From here, four different categories are used to make a
classification system for errors.
(1) Design-induced versus operator-induced
(2) Errors are either random, systematic, or sporadic
(3) Errors can be an omission, a commission, or a substitution
(4) Errors can be reversible or irreversible
20
Heinrich, H. W., Petersen, D., & Roos, N. (1980). Industrial accident prevention: A safety
management approach (5th ed.). New York: McGraw-Hill.
A basic philosophy of safety management and techniques of accident prevention are examined.
Accident prevention is accomplished through five separate steps, all built on a foundation of
basic philosophy of accident occurrence and prevention. The first step is organization. The
second step is fact finding. The third step is analysis. The fourth step is selection of a remedy.
The fifth step is the application of the remedy. The authors go on to describe and analyze an
updated model of accident prevention. Parts to the model include basic personal philosophies of
accident occurrence and prevention, fundamental approaches to accident prevention, collecting
data, analyzing data, selecting a remedy, applying the remedy, monitoring, and considering longterm
and short-term problems and safety programming. From here, a multitude of accident
sequence and causation models are examined and explained in terms of their usefulness.
Heinrich’s influential domino theory of accident causation is then proposed. An important
hypothesis put forth is that unsafe acts are the reason most accidents occur, not because of unsafe
conditions.
Helmreich, R. L., & Merritt, A. C. (1998). Error management: a cultural universal in
aviation and medicine. In Helmreich (Ed.), Culture at work in aviation and medicine.
Brookfield, VT: Ashgate.
The authors discuss how professional, national, and organizational cultures intersect within
organizations and can be engineered towards a safety culture. This is done by examining the
interplay of cultures through behaviors at the sharp end of a system. Error management is
suggested as a necessary strategy to create a safety culture. More empirical data is needed to
ascertain an organization’s health and practices. Five precepts of error management are
acknowledged: Human error is inevitable in complex systems. Human performance has
limitations. Humans make more errors when performance limits are exceeded. Safety is a
universal value across cultures. And finally, high-risk organizations have a responsibility to
develop and maintain a safety culture.
21
HFR British Airways Human Factors Reporting Programme. (1998). (NASA Aviation Data
Sources Resource Notebook).
The Human Factors Reporting Programme is a database that has four main purposes. The first is
to identify how and why a faulty plan was formulated. The second is to prevent a recurrence of
the circumstances or process. The third is to identify how well an organization supports the
activities of its flight crew. The fourth is to assure that the system does not assign blame to any
individual or agency. The database is coded into two main categories. One category is Crew
Actions. This category cover team skills (assertiveness, vigilance, workload management), errors
(action slips, memory lapses, mis-recognition), and aircraft handling (manual handling, system
handling). The other category is Influences. This category includes environmental factors
(airport facilities, ATC services, ergonomics), personal factors (complacency, distraction,
tiredness), organizational factors (commercial pressure, maintenance, training), and
informational factors (electronic checklists, information services, manuals). Each of these factors
can also be assigned in up to four ways. They can be positively/safety enhancing, negative/safety
degrading, first party or third party.
Hofmann, D. A. & Stetzer, A. (1996). A cross-level investigation of factors influencing
unsafe behaviors and accidents. Personnel Psychology, 49, 307-339.
A study was conducted to assess the role of organizational factors in the accident sequence in
chemical processing plants. Group process, safety climate, and intentions to approach other team
members engaged in unsafe acts were three group-level factors examined. Perceptions of role
overload was an individual-level factor that was also examined. Five hypotheses were made and
tested for significance. The first hypothesis was that individual-level perceptions of role overload
would be positively related to unsafe behaviors. This hypothesis was significant. The second was
that approach intentions would mediate the relationship between group process and unsafe
behaviors. This was not well supported. A third hypothesis was that group processes would be
negatively associated with actual accident rates. This was marginally supported. The fourth was
that safety climate would be negatively related to unsafe behaviors. This was significant. Finally
it was predicted that safety climate would be negatively related to actual accidents. This was
significant. A recommendation is made that safety practitioners engage in more systematic
organizational diagnosis.
22
Hollnagel, E. (1993). Human reliability analysis: Context and control. San Diego, CA:
Academic Press.
The Contextual Control Model (COCOM) is a control model of cognition that has two important
aspects. The first has to do with the conditions under which a person changes from one mode to
another. The second concerns the characteristic performance in a given mode, which relates to
determining how actions are chosen and carried out. Four control modes are associated with the
model. These are scrambled, opportunistic, tactic and strategic. Scrambled control occurs when
the choice of next action is completely unpredictable or random. Opportunistic control is the case
where the next action is chosen from the current context alone. It is mainly based on the salient
features rather than intentions or goals. Tactical control refers to situations where a person’s
performance is based on some kind of planning and following a procedure or rule. Strategic
control means that the person is considering the global context. Two main control parameters are
used to describe how a person can change from one control mode to another. They are
determination of outcome (succeed or fail), and estimation of subjectively available time
(adequate or inadequate). Four additional parameters are number of simultaneous goals,
availability of plans, the event horizon, and the mode of execution. The number of simultaneous
goals parameter refers to whether or not multiple goals are considered or just a single goal is
considered. The availability of plans parameter refers to having pre-defined or pre-existing plans
for which the next action can be chosen. The event horizon parameter is concerned with how
much of the past and future is taken into consideration when a choice of action is made.
Reference to the past is called the history size while reference to the future is called the
prediction length. The mode of execution parameter makes a distinction between subsumed and
explicit actions where a mode of execution can be ballistic/automatic or feedback controlled. The
relationships of how a person can change from one mode to another and the performance
characteristics of each control mode are discussed at length. The purpose of COCOM is to model
cognition in terms of contextual control rather than procedural prototypes.
Hollnagel, E. (1998). Cognitive reliability and error analysis method (CREAM). Alden
Group, Oxford.
Hollnagel introduces a second generation human reliability analysis method. This method has
two requirements. It must use enhanced probabilistic safety assessment event trees and it must go
beyond the categorization of success-failure and omission-commission. The purpose of CREAM
is to offer a practical approach for both performance analysis and prediction and be as simple as
possible. The model is expressed in terms of its functions as opposed to its structure. Four
aspects of the CREAM method are cited as being important. CREAM is bi-directional and
allows retrospective analysis as well as performance prediction. The method is recursive rather
than strictly sequential. There are well-defined conditions that indicate when an analysis or a
prediction is at an end. And finally, the model is based on the distinction between competence
and control which offers a way of describing how performance depends on context. CREAM
uses classification groups as opposed to a hierarchical classification scheme. This classification
scheme separates causes (genotypes) from manifestations (phenotypes). Also, CREAM relies on
the Contextual Control Model (COCOM) of cognition which is an alternative to information
processing models.
23
ICAO Circular (1993). Investigation of human factors in accidents and incidents. 240-
AN/144. Montreal, Canada: International Civil Aviation Organization.
The ADREP database records results of aviation accident investigations conducted by ICAO
member states. The information is used to create aviation accident reduction programs. Each
aviation accident or incident is recorded as a series of events. Human factors topics are structured
into the SHEL model format which covers the individual, the human-environment interface, the
person-person aspect, and the person-software aspect. The SHEL model addresses the
importance of human interaction and the use of written information and symbology while
simultaneously allowing the Reason model on accident investigation to be applied.
Jensen, R. S. & Benel, R. A. (1977). Judgment evaluation and instruction in civil pilot
training (Final Report FAA-RD-78-24). Springfield, VA: National Technical Information
Service.
A taxonomy of pilot errors is developed. Three general behavioral categories are specified. The
first category is procedural activities. Flight activity examples included under this category are
setting switches, selecting frequencies, programming a computer and making communications.
These activities are characterized as discrete events that involve cognitive processes. The second
level is perceptual-motor activities. These types of activities involve continuous control
movements in response to what a pilot sees in the environment. The third level is decisional
activities. This involves cognitive activities and judgments and is the most difficult aspect to
handle in realistic flight environments. Using this taxonomy, total percentages for fatal and nonfatal
accidents from each category were calculated for a 4 year period. Procedural activities were
responsible for 4.6% of the fatal and 8.6% of the non-fatal accidents. Perceptual-motor activities
were responsible for 43.8% of the fatal and 56.3% of the non-fatal accidents. Decisional
activities were responsible for 51.6% of the fatal and 35.1% of the non-fatal accidents.
Johnson, W. B., & Rouse, W. B. (1982). Analysis and classification of human errors in
troubleshooting live aircraft power plants. IEEE Transactions on Systems, Man, and
Cybernetics, SMC-12(3), 389-393.
Two experimental studies were used to develop and evaluate a scheme for classifying human
errors in troubleshooting tasks. The experiments focused on looking at errors in diagnosis by
advanced aviation maintenance trainees. Experimenters were able to decrease the amount of
errors with experimental changes. A modification of the classification system of van Eekhout
and Rouse (1982) was used to classify errors into five general categories in the second
experiment. These categories are observation of state errors, choice of hypotheses errors, choice
of procedure errors, execution of procedures errors, and consequence of previous error. The new
classification system led to the redesign of the training program and a decrease in the frequency
of particular types of human error.
24
Johnson, W. G. (1980). MORT: Safety assurance systems. New York: Marcel Dekker, Inc.
The MORT (management oversight and risk tree) logic diagram is a model of an ideal safety
program which is good for analyzing specific accidents, evaluating and appraising safety
programs, and indexing accident data and safety literature. MORT is useful in safety program
management for three reasons. It prevents safety related oversights, errors, and omissions. It
identifies and evaluates residual risks, and their referral to appropriate management levels for
action. Thirdly, it optimizes allocation of safety resources to programs and specific controls.
MORT is basically a diagram that presents a schematic representation of a dynamic, idealized
safety system model using fault tree analysis. Three levels of relationships exist that aid in the
detection of omissions, oversights, and defects. These are generic events, basic events, and
criteria. Furthermore, MORT explicitly states the functions that are necessary to complete a
process, the steps to fulfill a function, and the judgment criteria. A step by step outline is
provided for using the MORT system. The system is illustrated with examples. A major fault
with MORT is described as affirmation of the consequent. This is the fallacy of inferring truth of
an antecedent from the truth of the consequence.
Kahneman, D. & Tversky, A. (1984). Choices, values, and frames. American Psychologist,
39(4), 341-350.
The paper conducts a discussion of the cognitive and the psychophysical factors of choice in
risky and riskless contexts. A hypothetical value function is developed that has three important
properties. These properties are that the value function is defined on gains and losses rather than
on total wealth, it is concave in the domain of gains and convex in the domain of losses, and it is
considerably steeper for losses than for gains. This last property has been labeled loss aversion.
Three main points are made apparent. First, the psychophysics of value lead to risk aversion in
the domain of gains and risk seeking in the domain of losses. Second, risk aversion and risk
seeking decision making can be manipulated by the framing of relevant data. Third, people are
often risk seeking in dealing with improbable gains and risk averse in dealing with unlikely
losses.
Kashiwagi, S. (1976). Pattern-analytic approach to analysis of accidents due to human
error: An application of the ortho-oblique-type binary data decomposition. J. Human
Ergol., 5, 17-30.
An ortho-oblique-type binary data decomposition is proposed as a means of classifying patterns
of human error. The method is described mathematically and then applied to accidents in freightcar
classification yard work. The ortho-oblique-type of binary data decomposition is useful
because it tends to produce results that are very easily interpretable from the empirical point of
view. The main reason for adopting the method is that it allows data in the form of documents to
be made feasible for numerical classification by use of binary data matrices. The analysis of the
data showed that there are specific patterns of relevant and background conditions for most
accidents that are due to human error.
25
Kayten, P. J. (1989). Human performance factors in aircraft accident investigation. Human
Error Avoidance Techniques Conference Proceedings (pp. 49-56). Warrendale, PA: Society
of Automotive Engineers.
The author examines that evolution of human performance investigation within the National
Transportation Safety Board (NTSB). The importance of the background of the accident
investigator is explored. An argument is made that a background in the domain of the accident is
helpful, but definitely not required to be effective. Relevant facts to be collected, ignored, and to
be further thought about are discussed. It is greatly stressed that investigative techniques and
analytic methods still need to be improved to better manage human error.
Kirwan, B. (1998). Human error identification techniques for risk assessment of high risk
systems. Part 1: Review and evaluation of techniques. Applied Ergonomics, 29(3), 157-177.
This first part of a two part paper outlines thirty-eight approaches to error identification. They are
categorized by the type of error identification approach used and then they are critiqued by a
broad range of criteria. Trends and research needs are noted along with the identification of
viable and non-viable techniques. Three major components to an error are broken down. The first
component is the external error mode. This refers to the external manifestation of the error. The
second component is the performance shaping factors. These influence the likelihood of an error
occurring. The third component is the psychological error mechanism. This is the internal
manifestation of the error. The authors go on to recognize seven major error types that appear to
be of interest in current literature. These are slips and lapses, cognitive errors (diagnostic and
decision-making errors), errors of commission, rule violations, idiosyncratic errors, and software
programming errors. In order to show the general orientation of form of each error identification
technique, five broad classifications have been developed. These include taxonomies,
psychologically based tools, cognitive modeling tools, cognitive simulations, and reliabilityoriented
tools. The different approaches were also classified by their analytic method. These
methods are the checklist-based approaches, flowchart-based approaches, group-based
approaches, cognitive psychological approaches, representation techniques, cognitive
simulations, task analysis linked techniques, affordance-based techniques, error of commission
identification techniques, and crew interactions and communications. Ten important criteria to
evaluate the different techniques are laid out. The criteria are comprehensiveness of human
behavior, consistency, theoretical validity, usefulness, resources (actual usage, training time
required, requirement of an expert panel), documentability, acceptability (usage to date,
availability of technique), HEI output quantifiability, life cycle stage applicability, and primary
objective of the technique. Some main techniques are identified which could be useful for
general practice, but it is pointed out that no single technique is sufficient for all of a
practitioner’s need. It is suggested that a framework-based or toolkit-based approach would be
most beneficial.
26
Kirwan, B. (1998). Human error identification techniques for risk assessment of high risk
systems. Part 2: Towards a framework approach. Applied Ergonomics, 29(5), 299-318.
This second of a series of papers describes a framework-based and a toolkit-based approach as a
human error identification approach in nuclear power and reprocessing industries. Advantages
and disadvantages are considered. Framework approaches try to deal with all human error types
in an integrative way by using a wide array of tools and taxonomies that have been found to be
effective. The Human Error and Recovery Assessment system (HERA) is a framework approach
that is outlined in this paper. The HERA system is a document and a prototype software package.
The paper only describes in detail the procedure for skill and rule based error identification. The
document is the formal system and has main modules or functional sections. One such main
module is the scope analysis and critical task identification. This module deals with factors to
consider, logistical and otherwise, along with phases of operations to look at. A second module is
task analysis. Initial task analysis and Hierarchical Task Analysis are the two major forms of task
description that are used and described. A third module is skill and rule based error
identification. For this module, nine error identification checklists are used that may have some
over-lapping. These checklists are explained in some detail and include mission analysis,
operations level analysis, goals analysis, plans analysis, error analysis, performance shaping
factor based analysis, psychological error mechanism based analysis, Human Error Identification
in Systems Tool (HEIST) analysis, and human error HAZOP. The five remaining modules that
are not explained in detail are diagnostic and decision-making error identification, error of
commission analysis, rule violation error identification, teamwork and communication error
identification, and integration issues. The toolkit framework approach seeks to ensure that all
relevant error types are discovered by using several existing techniques. It is also pointed out that
there may be a useful synergistic relationship between human error analysis and ergonomics
evaluation.
Kletz, T. (1992). Hazop and hazan: Identifying and assessing process industry hazards.
Bristol, PA: Hemisphere Publishing.
Hazard and operability study (HAZOP) is a technique for identifying hazards without waiting for
an accident to occur. It is a qualitative assessment. A series of guide words are used in HAZOP
to explore types of deviations, possible causes, consequences and actions required. Hazard
analysis (HAZAN) is a technique for estimating the probability and consequences of a hazard
and comparing them with a target or criterion. It is a quantitative assessment. HAZAN contains
three steps. The first is to estimate the likelihood of an incident. The second is to estimate
consequences to employees, the public and environment, and to the plant and profits. The third
step is to compare these results to a target or criterion to decide if action is necessary to reduce
the probability of an occurrence.
27
Kubota, R., Ikeda, K., Furuta, T., & Hasegawa, A. (1996). Development of dynamic human
reliability analysis method incorporating human-machine interaction. Probabilistic Safety
Assessment and Management ‘96 (pp. 535-540). New York: Springer.
The authors describe an updated dynamic human reliability analysis method that considers
interactions within the plant. It compares and evaluates the response time between the cases
where the safety limit of the plant is quickly reached and the cases where it is not. The proposed
cognition mechanism borrows from the Monte Carlo calculation using the probabilistic network
method and Rasmussen’s decision making model. The authors intend the new dynamic human
reliability analysis method to replace the THERP (technique for human error rate prediction) and
TRC (time reliability correlation) methods.
Lasswell, H. D. (1948). The structure and function of communication in society. In L.
Bryson (Ed.), The communication of ideas (pp. 37-51). US: Harper and Row.
The ‘Lasswell formula’ is a description of an act of communication asking these questions:
(1) Who
(2) Says what
(3) In which channel
(4) To whom
(5) With what effect
Three functions are performed while employing the communication process in society. The first
is surveillance of the environment. The second is correlation of the components of society in
making a response to the environment. The third is transmission of the social inheritance. This
formula (model) can address errors in terms of dealing with aspects of a message, its medium,
and the expectations of the sender or receiver.
Laughery, K. R., Petree, B. L., Schmidt, J. K., Schwartz, D. R., Walsh, M. T. & Imig, R. G.
(1983). Scenario analyses of industrial accidents. Sixth International System Safety
Conference (pp. 1-20).
An analytic procedure of accidents is developed that is based on two contentions. The first is that
it is necessary to answer the question, “what happened?” The second is that it is important to
recognize that all accidents, no matter how minor, represent a valuable source of data. Four
categories of variables exist within the method. The first category is demographic variables. This
includes such aspects as gender, job classification, the day, the location, etc. The second category
is labeled accident scenario code. This includes prior activity, the accident event, the resulting
event, the injury event, the agent of the accident, and the source of injury. The third category
deals with injury variables. This breaks down into the body part injured, the injury type, and the
injury severity. The final category is labeled causal factors. This is broken down further into
human causes, and equipment/environment causes. The analytic procedures consider frequency,
severity, and potential for effective interventions. The analyses used are a frequency analysis and
a scenario analysis which describes accident patterns.
28
Macwan, A., & Mosleh, A. (1994). A methodology for modeling operator errors of
commission in probabilistic risk assessment. Reliability Engineering and System Safety, 45,
139-157.
A methodology is described that incorporates operator errors of commission in nuclear power
plant probabilistic risk assessments (PRA). An initial condition set is obtained by combining
performance influencing factors with information taken from the plant PRA, operating
procedures, information on plant configuration, and physical and thermal-hydraulic information.
These initial condition sets are fed into the primary tool of the methodology called Human
Interaction TimeLINE (HITLINE). HITLINE generates sequences of human action, including
errors, in time. At each branching point of the HITLINE, mapping rules are used to relate
performance influencing factors with errors. A quantification scheme is used to assign weights at
each of the branching points. A sample exercise is performed using the methodology and is
validated in terms of the current PRA framework.
Mangold, S. J., & Eldredge, D. (1993). An approach to modeling pilot memory and
developing a taxonomy of memory errors. In R. S. Jensen & D. Neumeister (Eds.),
Proceedings of the Seventh International Symposium on Aviation Psychology (263-268).
Columbus, OH: The Ohio State University.
A review of the methodology used to develop a memory-related taxonomy of memory errors in
pilots is performed. It is based on the connectionist approach of cognitive functioning. Five
categories of memory-related key terms were developed. The key words reflect the types of
breakdowns that can occur in the memory process. The first category is information encoding
errors. These are defined as failures to encode relevant information so that it can be accessed at a
later time. The second category is meaning structure errors. These are memory errors that come
from problems with representational structures. Processing competition errors is a third category.
These errors have to do with the cognitive system being busy with one task and failing to
adequately manage a second task. A fourth category is information retrieval errors. These are
described as failures to achieve the same cognitive state at information retrieval as was present
when the information was encoded. The final category is artifact-induced errors. These errors
come as a result of the complex demands of the advanced automation cockpit.
29
Marteniuk, R. G. (1976). Information processing in motor skills. New York: Holt, Rinehart
and Winston.
This book presents an information processing model. The basic human performance model
discussed has three major mechanisms that mediate information in the environment and
movement. The perceptual mechanism is the first one described. This mechanism receives
environmental information from the senses. Perception is argued to have three general classes of
processes. These are sensory capacities, information selection and prediction, and memory. The
second mechanism is the decision mechanism. This mechanism deals with deciding on a plan of
action for the current information that is available. The third mechanism is the effector
mechanism. This mechanism organizes a response and activates the motor commands to the
muscular system. It is emphasized that feedback information is an important part of the model
which allows correction in the effector mechanism if there is enough time. Memory also plays a
crucial role in the model and has implications for and causes interactions with the perceptual,
decision, and effector mechanism. Two types of skills are identified that can be analyzed using
the model. Open skills occur in environments where the conditions under which the skill is
performed are continually changing in space. This causes increased time pressure and stress.
Closed skills occur in environments where the critical cues for the performance of that skill were
static or fixed in one position.
Maurino, D. E., Reason, J., Johnston, N. & Lee, R. B. (1995). Widening the search for
accidental causes: A theoretical framework. In Beyond aviation human factors: Safety in
high technology systems (pp. 1-30). Vermont: Ashgate.
This chapter tries to outline a theoretical framework that seeks to provide a principled basis both
for understanding the causes of organizational accidents and for creating a practical remedial
toolbag that will minimize their occurrence. The framework traces the development of an
accident sequence. It considers organizational and managerial decisions, conditions in various
workplaces, and personal and situational factors that lead to errors and violations. Active and
latent failure pathways to an event are identified. Events are defined as the breaching, absence or
bypassing of some or all of the system’s various defenses and safeguards. Within the framework,
organizational pathogens are introduced into a system where they follow two main pathways to
the workplace. In the first pathway the pathogens act upon the defenses, barriers and safeguards
to create latent failures. In the second pathway the pathogens act upon local working conditions
to promote active failures.
30
McCoy, W. E., III, & Funk, K. H., II. (1991). Taxonomy of ATC operator errors based on a
model of human information processing. Proceedings of the 6th International Symposium
on Aviation Psychology (pp. 532-537). Columbus, OH: The Ohio State University, The
Aviation Psychology Laboratory.
An analysis of accidents was run which provided a classification of ATC errors based on a
human information processing model. The errors can be further explained in terms of inherent
human limitations such as working memory capacity and duration limits. The authors conclude
that it is advisable to develop a set of systematic design strategies which consider the propensity
of human beings to make errors and to try and mitigate the adverse consequences of such errors.
McRuer, D. (1973). Development of pilot-in-the-loop analysis. AIAA Guidance and Control
Conference (pp. 515-524). Stanford, CA.
A pilots’ dynamic characteristics when operating as a controller are affected by several physical,
psychological, physiological, and experimental variables which are contained in four categories.
These are task variables, environmental variables, procedural variables, and pilot-centered
variables. Pilot-in-the-loop analysis is discussed. It is argued that pilot-in-the-loop analysis is
dependant on four different aspects of research. The first aspect is experimental determination of
human pilot dynamic characteristics for a wide variety of situations and conditions. The second
aspect is evolution of mathematical models and manipulative rules. The third aspect is
relationships between the pilot-vehicle situation and the objective and subjective pilot
assessments. The fourth and final aspect is combination of pilot dynamics and equivalent aircraft
mathematical models to treat particular problems. Two fundamental concepts of pilot-in-the-loop
analysis are guidance and control along with the pilot sets-up and closes the loop.
MEDA Maintenance Error Decision Aid. (1998). (NASA Aviation Data Sources Resource
Notebook).
The purpose of MEDA is to give maintenance organizations a better understanding of how
human performance issues contribute to error. This occurs by providing line-level maintenance
personnel with a standardized methodology to analyze maintenance errors. MEDA provides two
levels of analysis. At one level, local factors are analyzed. At another level, organizational
factors are analyzed. MEDA has many benefits. It uses a human-centered approach to
maintenance error event analysis. The local factors analysis gives maintenance ownership of
individual event analysis. MEDA uses standardized definitions and data collection processes that
are consistent across and within airlines. Data is obtained that allows for organizational trend
analysis. The maintenance investigator gains an increased awareness of human performance
investigation techniques. And a final benefit is MEDA is that a process is provided that improves
the effectiveness of corrective actions chosen.
31
Miller, G. A. (1956). The magical number seven, plus or minus two: Some limits on our
capacity for processing information. The Psychological Review, 63(2), 81-97.
The amount of information that a human can process in immediate memory is examined.
Important in regards to human error is Miller’s testing of absolute judgments of single and multidimensional
stimuli. Absolute judgment is limited by the amount of information according to
Miller. Miller also states that immediate memory is limited by the number of items to be
remembered.
Nagel, D. C. (1988). Human error in aviation operations. In E. L. Wiener & D. C. Nagel
(Eds.), Human factors in aviation (pp. 263-303). New York: Academic Press, Inc.
Nagel argues that an error model needs to meet three criteria. It needs to explain in detail why a
human error occurs so that a solution strategy can be developed. It needs to be predictive and not
just descriptive. It also needs to not ignore systematic research in the field of behavioral and life
sciences. A three stage simple error model called the information-decision-action model is
presented to illustrate the previously named criteria. The first stage of the model is the
acquisition, exchange and processing of information. Stage two is where decisions are made and
specific intents or plans to act are determined. Stage three is where decisions are implemented
and intents acted upon. Nagel points out three approaches that reduce the occurrence and severity
of human error in complex human-machine systems. One approach is to design controls,
displays, operational procedures and the like in a careful and informed way. A second approach
is to reduce errors through selection and training. A third approach is to design systems to be
error-tolerant.
NASA ASRS-Aviation Safety Reporting System Database (1998). (source NASA Data
Sources Resource Notebook).
The Aviation Safety Reporting System (ASRS) is an incident database that collects, analyzes,
and responds to voluntarily submitted aviation safety incident reports. Valuable human factors
information can be obtained from the database. ASRS analysts choose appropriate fields to code
each report for the database. Eleven general categories are suggested to the ASRS analysts for
classification.
(1) Affective or cognitive states—attitude, complacency, fatigue, etc.
(2) Capability—inadequate certification, unfamiliar with operation, etc.
(3) Circumstances affecting human performance—equipment design, noise, workload, etc.
(4) Distraction—checklist, radio communication, socializing, etc.
(5) Inadequate briefing—cockpit, preflight, etc.
(6) Inadequate planning—inflight, preflight, other
(7) Inadequate technique—air traffic control, communication, flying, etc.
(8) Misread—chart, instrument, publication
(9) Non adherence to—clearance, instruction publication
(10) Other behaviors or non-behaviors—altitude callout omitted, perception problem, etc.
(11) Physical state—hypoxia, illness, incapacitation, etc.
32
National Transportation Safety Board. (1992). Human performance investigation
procedures (vol. III) [manual]. Washington, DC: Author.
The NTSB’s human performance investigation procedure is explained. The NTSB seeks to
examine six human performance factors within their investigations. These are behavioral factors,
medical factors, operational factors, task factors, equipment design factors, and environmental
factors. Examples of actual checklists used to examine these factors in accidents are included in
this manual.
Navarro, C. (1989). A method of studying errors in flight crew communication. Perceptual
and Motor Skills, 69, 719-722.
A method is described which uses the information processing paradigm to study errors in flight
crew communication. The taxonomy of errors proposed is based on two dimensions. In the first
dimension, an evaluation of the type of communication errors is made. These can be classified as
having to do with transmission, detection, identification, interpretation, and action linked to
communication. The second dimension evaluates the type of adjustment made. For individuals,
this concerns problem-solving by the operator. For interactive environments, this involves
problem-solving by a crew. The taxonomy specifically includes transmission of a message,
detection of a message, identification of a message, interpretation of a message, and action taken
in regards to the message.
Nawrocki, L. H., Strub, M. H., & Cecil, R. M. (1973). Error categorization and analysis in
man-computer communication systems. IEEE Transactions on Reliability, R-22(3), 135-
140.
The authors examine traditional approaches to human reliability and a new technique is
presented which permits the system designer to derive a mutually exclusive and exhaustive set of
operator error categories in a man-computer system. Error categories are defined in terms of
process failures and provide a qualitative index suitable for determining error causes and
consequences. The new index is tested on a set of data. From this, it is determined that the new
methodology offers a designer a systematic means for deriving error categories which appear to
be acceptable for systems in which the operator must transform and input data, such as in
information reduction tasks.
33
Newell, A., & Simon, H. A. (1972). Human problem solving. Englewood Cliffs, NJ:
Prentice-Hall Inc.
The authors define a human information processing system in terms of symbols. Eight important
characteristics of a human information processing system are discussed in relation to problem
solving tasks. The system contains an active processor, input and output systems, long-term
memory, short-term memory and external memory. Long-term memory has unlimited capacity
and is organized associatively, with its contents being symbols and structures of symbols. Shortterm
memory holds about 5 to 7 symbols. Sensory modalities, processes, and motor patterns are
symbolized and handled identically in short-term memory and long-term memory. Overall
processing rates are limited by read rates from long-term and extended memory. Extended
memory is defined as the immediately available visual field. The information processing
system’s program is structured as a production system, the condition for evocation of a
production being the presence of appropriate symbols in the short-term memory augmented by
the foveal extended memory. A final important characteristic of the system is that a class of
symbol structures or goal structures are used to organize problem solving.
Norman, D. A. (1981). Categorization of action slips. Psychological Review, 88(1), 1-15.
The author concentrates on action errors in regards to slips. Three major categories of slips are
addressed. One category is based on errors in the formation of the intention. A second category is
based on errors having to do with faulty activation of schemas. The third category is based on
errors dealing with faulty triggering. The author proposes a model called the activation-triggerschema
system (ATS). It contains a system of activated schemas with a triggering mechanism for
determining appropriate time for activation. This provides a satisfactory framework for the
categorization and analysis of slips. The ATS model is considered novel for five reasons. It
combines schemas, activation values, and triggering conditions. It considers the application of
motor action sequences. The role of intention is considered. There is consideration of the
operation of cognitive systems when several different action sequences are operative
simultaneously, And finally, it is novel because a specific application of this framework to the
classification of slips is employed.
Norman, D. A. (1986). Cognitive engineering. In D. A. Norman & S. W. Draper (Eds.), User
centered system design (pp. 31-62).
This selected chapter introduces a theory for action to understand what the user of a system is
doing. A discrepancy between the psychological terms of the user and the physical variables of a
system is stated as the Gulf of Execution and the Gulf of Evaluation. Bridging the gap in the
Gulf of Execution is done in four segments that deal with intention, formation, specifying the
action sequence, and executing the action. Bridging the gap in the Gulf of Evaluation consists of
comparing the interpretation of system state with the original goals and intentions.
34
OASIS: Occurrence Analysis and Safety Information Systems. (1998). (NASA Aviation
Data Sources Resource Notebook).
The OASIS system is a database that is based on the ICAO standard. The major difference is that
the OASIS manual provides definitions of the explanatory factors. OASIS is also able to
generate safety reports from data entered during an investigation. Explanatory factors are
structured into eight categories:
(1) Between people
(2) Human-environment
(3) Human-machine
(4) Human system support
(5) Physical
(6) Physiological
(7) Psychological
(8) Psychosocial
O’Connor, S. L., & Bacchi, M. (1997). A preliminary taxonomy for human error analysis
in civil aircraft maintenance operations. Ninth Biennial Symposium on Aviation
Psychology.
The authors argue that a reporting scheme for human error analysis needs to have three steps. It
needs to provide detail and structure of the error form or tool. It needs to provide a method of
data collection and a procedure of implementing such a tool. It also needs to provide a storage
and utilization mechanism. This paper describes an error taxonomy that tries to provide detail
and structure of human error in aircraft maintenance. Three broad classification of human error
are identified that are based on a task oriented classification that include maintenance and
dispatch activities. The first classification, external error modes, is based on three main activities.
These are repair, service, and inspection/checking. The second classification, performance
influencing factors, is split into six main groups. These include task factors, task support,
situational factors, environmental factors, personnel factors, and error agents. The third and final
classification, psychological error mechanisms, is based on four models. Information processing
theory, symbolic processing theory, Endsley’s model of mechanisms of situational awareness,
and Rasmussen’s skill-rule-knowledge based levels of cognitive control are the four important
models that serve as the basis of this classification.
35
O’Hare, D. (1992). The “artful” decision maker: A framework model for aeronautical
decision making. International Journal of Aviation Psychology, 2(3), 175-191.
This paper reviews the available literature on aeronautical decision making and then proposes a
new framework called ARTFUL. This framework is a goal-directed process with five
functionally separate components that deal with situational awareness (detection and diagnosis),
risk assessment, planning, response selection, and response execution. This framework
recognizes three important points. It is acknowledged that most routine decision making arises
directly from situation awareness which then maps directly to response selection. Errors may
arise in the process of response execution in predictable forms such as slips. It is also recognized
that as long as the current state is consistent with the current goal state and no other threatening
circumstances exist, the current goal will continue to be pursued. The framework can be
described and defined by key steps in the process that are linked to decision making states.
Awareness of the situation as a result of monitoring is the first step. From here, risk of current
and alternative courses of action is assessed. This leads to time assessment which is a critical
factor in decision making for dynamic environments. Finally, further options are generated.
O’Hare, D. (in press). The “wheel of misfortune”: A taxonomic approach to human factors
in accident investigation and analysis in aviation and other complex systems. Ergonomics.
The Reason model of human error has been very influential in accident investigation because of
its complexity and breadth. However, a major criticism for using this model as an accident
causation model is its linear sequence of levels instead of considering intersecting influences
from various points. A revised theoretical model and associated classification framework is
proposed to help guide the accident investigation process. It is named the Wheel of Misfortune.
There are three concentric spheres in this model. The innermost circle represents the actions of
the front line personnel. The middle circle represents local precipitating conditions. The
outermost circle represents the global conditions generated by organizations. Actions of the
individual operator are described in terms of an internal function taxonomy. This taxonomy
includes the Skill-Rule-Knowledge framework that Rasmussen developed. The local conditions
circle includes factors that may be critical in the breakdown of human performance in complex
systems. These include weather and internal states of the flightcrew among other factors. The
global conditions circle considers the context within which the task activity takes place. This
includes organizational processes. This model has three potentially valuable functions. The
concentric spheres within spheres are better than the linear sequence of factors in representing
accident causation. This provides an alternative to Reason’s Swiss Cheese model. In the wheel of
misfortune, the strength of a system is determined by the outer shell of the model. The model is
also good for directing the attention of the investigator to specific questions within the layers of
concern such as local actions, immediate realities of the operational environment, and influences
of organizational functioning. A final benefit is that the model is expressed in terms of general
processes which are independent of functioning within any specific domain. This allows
information from other models to be used in this framework. The model is similar to the
“Taxonomy of Unsafe Operations” model of Shappell and Wiegmann, but uses a representation
at a higher level of abstraction that gives greater comprehensiveness and parsimony.
36
O’Hare, D., Wiggins, M., Batt, R., & Morrison, D. (1994). Cognitive failure analysis for
aircraft accident investigation. Ergonomics, 37(11), 1855-1869.
Two studies were conducted to investigate the applicability of an information processing
approach to human failure in the aircraft cockpit. In the first study, the authors attempt to
validate Nagel’s three stage information processing model of human performance. The model
confirmed that decisional factors are extremely important in fatal accidents. It is determined that
Nagel’s model is and oversimplification. There are at least five, not three, distinct categories of
errors that can occur in the cockpit. These are perceptual, decisional, procedural, monitoring, and
handling errors. In the second study, the authors develop a more detailed analysis of cognitive
errors based on a theoretical model proposed by Rasmussen and further developed by Rouse and
Rouse. A taxonomic algorithm that was derived from Rasmussen’s work was used to classify
information processing failures. The algorithm focused on structural and mechanical errors,
information errors, diagnostic errors, goal errors, strategy errors, procedure errors, and action
errors.
Paradies, M. (1991). Root cause analysis and human factors. Human Factors Society
Bulletin, 34(8), 1-6.
Root cause analysis attempts to achieve operator excellence by establishing an aggressive
program to review the accidents, determine their root causes, and take prompt corrective action.
Event investigation systems seem to be successful when they contain certain basic
characteristics. They need to identify the event’s sequence, set a goal to find a fixable root cause,
avoid placing blame, be easy for investigators to learn and use, and be easy for managers to
understand and provide an easily understood graphic display of the event for management
review.
Pedrali, M. (1997). Root causes and cognitive processed: Can they be combined in accident
investigation? Ninth International Symposium of Aviation Psychology.
A methodological approach is proposed that relies on a model of cognition and a classification of
human errors. The intent of the approach is to reconstruct the process of cognition through which
latent failures give rise to active failures. A major concern with modern methodological
approaches is that they may stray too far from the context of the accident. A classification
scheme is devised that distinguishes three categories. The first category is person-related causes.
This deals with specific cognitive functions of people and general person-related functions. The
second category, system-related causes, focuses on training, equipment, procedure, and interface
issues. The third category is environment-related causes. These include ambient conditions,
communication, organization, and working conditions. The main principles of the HERMES
model were used to create a prototype software tool called DAVID (Dynamic Analysis of Video
in Incident studies).
37
Petersen, D., & Goodale, J. (1980). Readings in industrial accident prevention. New York:
McGraw-Hill.
This book is a forum for debate and information sharing of key issues in accident causation and
prevention. The first part of the book deals with the basis of philosophy of accident prevention.
Some issues examined are the differences between unsafe acts and unsafe conditions. Models of
accident phenomenon are discussed. The pros and cons of cost-benefit analyses are argued. The
idea of an “injury tax” to help offset some problems of a company’s unwillingness to increase
safety is presented. Important principles and factors when attempting to control accidents are
also explained. The second part of the book examines accident prevention methods in stages.
Data collection and analysis is an important stage. Issues examined are mathematical evaluations
and creating a safety program priority system. Systems approach issues are examined into
separate papers. Monitoring, motivating, and training are discussed due to their relevance in
preventing accidents. The third section of the book covers miscellaneous subjects such as the
professionalism of investigators and management, insurance issues, risk management and
looking at the effectiveness of OSHA.
Ramsey, J. D. (1985). Ergonomic factors in task analysis for consumer product safety.
Journal of Occupational Accidents, 7, 113-123.
The author proposes a model that identifies contributing factors to accidents. This is done by
following the information processing steps of an accident sequence and listing factors that affect
each stage of the process. The accident sequence model has four levels to it. If any level’s
criteria are not met, it leads to an increased chance of an accident occurring. If a level’s criteria
are met, the sequence progresses to the next level until a state of increased chance for no accident
occurs. When exposure to a hazardous product occurs, a person goes through four levels in order,
assuming the criteria for each level is met. Level one is the perception of the hazard. This
involves sensory skills, perceptual skills, and the state of alertness. Level two is cognition of the
hazard. Factors affecting this are experience and training, mental abilities, and memory abilities.
Level three is the decision to avoid the hazard. Factors affecting this are experience and training
again, attitude and motivation, risk-taking tendencies, and personality. The fourth and final level
is the ability to avoid the hazard. Relevant factors here are anthropometrical, biomechanical, and
motor capabilities.
38
Rasmussen, J. (1981). Models of mental strategies in process plant diagnosis. In J.
Rasmussen and W.B. Rouse (Eds.), Human Detection and Diagnosis of System Failures
(pp.241-258). Plenum Press, New York.
The author states that the ultimate purpose of diagnosis in process plant control is to link the
observed symptoms to the actions which will serve the current goal properly. The paper contrasts
a topographic search versus a symptomatic search to locate problems. The author refutes the
trend to design man-machine interfaces towards a presentation of measured variables on visual
display units as bar graphs and/or mimic displays while also attempting to unload the operator by
alarm analysis and reduction. An optimal computer-based design is proposed as having sharp
distinctions disappear between the functions of alarm and safety systems, of control systems, and
of operators. A key role of the computer will be as a partner of the operator in higher level
supervisory control.
Rasmussen, J. (1982). Human errors. A taxonomy for describing human malfunction in
industrial installations. Journal of Occupational Accidents, 4, 311-333.
A taxonomy for event analysis is presented. The taxonomy recognizes that error mechanisms and
failure modes depend on mental functions and knowledge which are activated by subjective
factors. They are not directly observed but are inferred. A model of human information
processing is needed to relate elements of human decision making and action to internal
information processes for which generic psychological mechanisms and limitations can be
identified. Such a model was developed that draws on a distinction between three levels of
behavior. Skill-based domain of behavior includes subconscious routines and performance that is
controlled by stored patterns of behavior in a time-space domain. Rule-based domain of behavior
includes performance in familiar situations and is controlled by stored rules for coordination of
subroutines. Knowledge-based domain of behavior occurs in unfamiliar situations where actions
must be planned from an analysis. In this domain decisions need to be based on knowledge of the
functional and physical properties of the system while also giving importance to the priority of
the various goals. It is possible for the same required mental function to be served by different
information processes, and each with their own error mechanism. A five dimension multi-facet
classification system is described for an accidental chain of events. The dimensions include
external causes, internal failure mechanisms, internal mental functions failed, external mode of
action failures, and external tasks. Categories of the taxonomy directly related to the
inappropriate human performance are listed. These are:
(1) Personnel task—identification of the task performed
(2) External mode of malfunction—immediate observable effect of human malfunction
(3) Internal human malfunction—internal mental function of a persons decision making which
was not performed as required by the task
(4) Mechanisms of human malfunction
(5) Causes of human malfunction—identifies possible external causes of inappropriate human
action
(6) Performance shaping and situational factors—general conditions that can influence error
probability but not cause errors in and of themselves
39
Reason, J. (1979). Actions not as planned: The price of automatization. In G. Underwood
(Ed.), Aspects of consciousness (pp. 67-89). London: Academic Press.
The author takes a detailed look at minor slips and lapses that humans make in everyday life, and
tries to sort out some of the conceptual confusion that exists between an act and its
consequences. A brief experiment of natural history observations was performed that asked
subjects to record unintended or absent-minded actions. Two predictions are made. First, test
failures will occur when the open-loop mode of control coincides with a critical decision point
where the strengths of the motor programs beyond that point are markedly different. The second
prediction is that when errors occur, it will involve the unintended activation of the strongest
motor program beyond the node. The discussion then switches to ‘Slips of action’. It is argued
that ‘slips of action’ have certain consistencies. They occur almost exclusively during the
automatic execution of highly practiced and ‘routinized’ activities. They often result from the
misdirection of focal attention. Finally, they usually take the form of some frequently and
recently performed behavioral sequence.
Reason, J. (1990). Human error. Cambridge, MA: Cambridge University Press.
The author presents a framework of accident causation. The framework is an expansion of a
“resident pathogen” metaphor, meaning that causal factors are present in a system before an
accident sequence actually occurs. This leads to a differentiation of active failures and latent
failures. An important premise of the framework is that accidents come from fallible decisions
that are made by designers and decision makers. Five basic elements of a system are first
identified and then related to breakdowns in a system. One element is that decision makers are
those who set goals for the system and can make fallible decisions (latent failures). Another
element is that line management implements the strategies of the decision makers and are subject
to deficiencies themselves (latent failures). A third element is that preconditions are conditions
that permit efficient and safe operations and can be precursors for unsafe acts (latent failures). A
fourth element is that productive activities are the actions performed by man and machine and
lead to unsafe acts (active failures). The final element is that defenses are safeguards against
foreseen hazards and can be inadequate (active and latent failures). Unsafe acts can be broken
down into different types. If actions are unintended, they can be slips or lapses. Slips are
attentional failures that can be caused by intrusions, omissions, reversals, misordering, or
mistiming. Lapses are memory failures that lead to omitting planned items, place-losing, and
forgetting. If actions are intended, they are classified as either mistakes or violations. Mistakes
are either rule-based where there is a misapplication of a good rule or and application of a bad
rule, or they can be knowledge-based. Violations are either routine, exceptional, or even acts of
sabotage. It is argued that accidents occur as a penetration of various levels of the framework
occurs. Latent errors combined with local triggering events lead to accidents and incidents.
40
Rockwell, T. H., & Giffin, W. C. (1987). General aviation pilot error modeling – Again?
Proceedings of the 4th International Symposium on Aviation Psychology (pp. 712-720).
Columbus, OH: The Ohio State University, The Aviation Psychology Laboratory.
Process models are created to initially explore three types of pilot error in general aviation. These
are visual flight rules (VFR) flight into instrumental meteorological conditions (IMC), pilot fuel
mismanagement, and pilot response to critical inflight events. The models are intended to explain
large percentages of accidents of a specific type, pin point specific research needs to understand
and to verify elements in the models, and to create implementable countermeasures to reduce the
probability of pilot error. The models depict decisional processes, list typical errors, contributing
factors and propose needed research.
Rouse, W. B. (1983). Models of human problem solving: Detection, diagnosis, and
compensation for system failures. Automatica (19), 613-625.
The paper looks at the role of the human operator as a problem solver in man-machine systems.
Various models of human problem solving are examined and a design for an overall model is
outlined. The overall model attempts to capture the whole of problem solving and be
operationalized within specific task domains. A basic mechanism for the proposed model
incorporates pattern recognition models. Problem solving occurs on three general levels. These
are recognition and classification, planning, and execution and monitory. The model can produce
the behavior of solving problems in a top-down and a bottom-up manner and almost
simultaneously on several levels.
41
Rouse, W. B., & Rouse, S. H. (1983). Analysis and classification of human error. IEEE
Transactions on Systems, Man, and Cybernetics, SMC-13(4), 539-549.
There are two major approaches to human error, probabilistic and causal. This paper deals with
the causal approach which focuses more on the why errors occur instead of just what occurs. It is
argued that classification schemes can generally be categorized in one of three ways. They can
be behavior-oriented, task-oriented, or system-oriented. Behavior-oriented schemes range from
those emphasizing basic human information processing to those that focus on types of behavior
occurring in particular task domains. Task-oriented schemes focus on information transfer
problems, distraction events, and discriminating among types of tasks. System-oriented schemes
apply categories of a relatively broad nature which cover a series of tasks within the domain of a
particular system. A methodology is developed and discussed with the goal of analyzing human
error in terms of causes as well as contributing factors and events. It borrows heavily from
several of the previously discussed classification schemes. There are four general classes of
contributing factors for human errors: Inherent human limitations, inherent system limitations,
contributing conditions, and contributing events. Inherent human limitations include the
knowledge and attitude of the operator. Inherent system limitations include the design of controls
and displays, design of dialogues and procedures, and level of simulator fidelity. Contributing
conditions include environmental factors such as noise, excessive workload, frustration, anger,
embarrassment, confusion and operating in degraded modes. Contributing events involve
distractions, lack of or misleading communication, sudden equipment failures, and events such
as tension release. The proposed methodology is used to reanalyze data reported by Rouse et al
having to do with the design and evaluation of computer-based methods for presenting
procedural information such as checklists for normal, abnormal, and emergency aircraft
operations. The results are finer grained and support stronger conclusions than those originally
found.
Samanta, P. K., & Mitra, S. P. (1982). Modeling of multiple sequential failures during
testing, maintenance and calibration (NUREG/CR-2211). Brookhaven National Lab.
This report looks at the nature of dependence among human failures in a multiple sequential
action and how it differs from other types of multiple failures. It is necessary to consider
dependant failures in a system because otherwise there are serious doubts as to the usefulness of
a reliability calculation that considers random events only. There are two types of dependant
failures. Common cause failures are caused by an event outside the group but common to the
components. Cascade failures are caused from within the group such as a single component
failure which results in the failure of all components concerned. A multiple sequential failure
during testing and maintenance is modeled by taking into account the processes involved in such
a failure. The data suggest that the dependence among failures increases as the number of
components in the system increases. Human error causes selective failure of components
depending on when the failure started. Since previous models of dependent failures were found
to be lacking, two models were developed. The first is very general and does not require any
dependent failure data. The second model took multiple sequential failures into account.
42
Sanders, M. S. & McCormick, E. J. (1993). Human error, accidents, and safety. In Human
factors in engineering and design (7th ed.) (pp. 655-695). New York: McGraw-Hill, Inc.
This chapter deals with human error, accidents and improving safety in the domain of human
factors. Human error is defined as an inappropriate or undesirable human decision or behavior
that reduces, or has the potential for reducing, effectiveness, safety, or system performance. A
review of three classification schemes is performed. Swain and Guttmann’s omissioncommission
model is the first reviewed. A model by Rouse and Rouse is the second model
reviewed. Rasmussen’s skill-rule-knowledge based model is the third reviewed. An argument for
three general types of accident causation theories is made. These three types are accidentproneness
theories, job demand versus worker capability theories, and psychosocial theories.
Three aspects of risk perception are examined. These are the availability heuristic, the “It can’t
happen to me” bias, and relative risk. It is noted that warnings and product liability have become
important legal issues in today’s society. As a result of this, human factors has a large role to
play in these issues. The remainder of the article discusses Sanders and Shaw’s contributing
factors in accident causation model (CFAC). This model has five important tiers. Tier one
concerns itself with management issues. Tier two focuses on the physical environment,
equipment design, the work itself, and the social/psychological environment. The third tier
involves the worker and coworker factors. Tier four is where all unsafe behaviors from the
previous tiers are grouped. The fifth tier is the level of chance that leads to an accident. Unique
features of CFAC include the emphasis on management and social-psychological factors, the
recognition of the human-machine-environment system and the model’s simplicity and easy
comprehension.
Shappell, S. A. & Wiegmann, D. A. (1995). Controlled flight into terrain: The utility of
models of information processing and human error in aviation safety. Proceedings of the
Eighth International Symposium on Aviation Psychology, 8, 1300-1306.
A study of controlled flight into terrain (CFIT) accidents in the U.S. military was conducted to
try and ascertain why pilots do this. The study looked at an 11 year period. The four stage
information processing model of Wickens and Flach was used to classify 206 of the 278 pilot
causal factors found. These four stages are short-term sensory store, pattern recognition, decision
and response selection, and response execution. Reason’s model of unsafe acts was applied to the
data and allowed for the classification of 223 of 278 pilot causal factors. It was concluded that
any intervention needs to focus on the decision process of the pilot, specifically with mistakes
and violations.
43
Shappell, S. A. & Wiegmann, D. A. (1997). A human error approach to accident
investigation: The taxonomy of unsafe operations. International Journal of Aviation
Psychology, 7(4), 269-291.
A framework is provided and discussed called the Taxonomy of Unsafe Operations. This
framework bridges the gap between classical theories and practical application by providing field
investigators with a user-friendly, common sense framework that allows accident investigations
to be conducted and human causal factors classified. Three levels of failure involving the human
component are presented. These are unsafe supervision, unsafe conditions of operators, and
unsafe acts that operators commit. The framework directly incorporates Reason’s classification
of unsafe acts. Three basic error types are incorporated. The first are slips which are
characteristic of attentional failures. The second are lapses which come from memory failures.
The third are mistakes which are defined as intentional behavior that doesn’t produce the desired
outcome. Mistakes can be further broken down as being either rule-based or knowledge-based,
as is described in Rasmussen’s model. A framework was developed to breakdown unsafe
conditions of the operator. Substandard conditions of the operator are divided into three
categories. These include adverse physiological states, adverse mental states, and physical and/or
mental limitations. Substandard practices of the operator are also broken down into three
categories. These categories are mistakes-misjudgments, crew resource mismanagement, and
readiness violations. A framework for unsafe supervision is also developed. One dimension of
this framework deals with unforeseen unsafe supervision. Examples of this are unrecognized
unsafe operations, inadequate documentation and procedures, and inadequate design. The other
dimension deals with known unsafe supervision. Examples of this include inadequate
supervision, planned inappropriate operations, failure to correct known problems, and
supervisory violations. The usefulness of this cause-oriented taxonomy was shown by a
demonstration in its application to a military aviation accident.
Shappell, S. A., & Wiegmann, D. A. (2000). The human factors analysis and classification
system (HFACS) (Report Number DOT/FAA/AM-00/7). Washington DC: Federal Aviation
Administration.
The Human Factors Analysis and Classification System (HFACS) was originally developed for
the U.S. Navy and Marine Corps as an accident investigation and data analysis tool. Since its
original development however, HFACS has been employed by other military organizations (e.g.,
U.S. Army, Air Force, and Canadian Defense Force) as an adjunct to preexisting accident
investigation and analysis systems. To date, the HFACS framework has been applied to over
1,000 military aviation accidents yielding objective, data-driven intervention strategies while
enhancing both the quantity and quality of human factors information gathered during accident
investigations. Other organizations such as the FAA and NASA have has also explored the use of
HFACS as a complement to preexisting systems within civil aviation in an attempt to capitalize
on gains realized by the military. Specifically, HFACS draws upon Reason’s (1990) concept of
latent and active failures and describes human error at each of four levels of failure: 1) unsafe
acts of operators (e.g., aircrew), 2) preconditions for unsafe acts, 3) unsafe supervision, and 4)
organizational influences. The manuscript provides a detail description and examples of each of
these categories.
44
Siegel, A. I., Bartter, W. D., Wolf, J. J., Knee, H. E., & Haas, P. M. (1984). Maintenance
personnel performance simulation (MAPPS) model: Summary description (NUREG/CR-
3626). Oak Ridge, TN: Oak Ridge National Laboratory.
This report describes a human performance computer simulation model developed for the
nuclear power maintenance context. The model looks at variables such as work place,
maintenance technician, motivation, human factors, and task-orientation. Information is provided
about human performance reliability pertinent to probabilistic risk assessment, regulatory
decisions, and maintenance personnel requirements. The technique allows for the assessment of
the tasks that maintenance technicians may perform in a less than satisfactory manner and what
conditions or combination of conditions serve to contribute to or alleviate such performance.
Silverman, B. G. (1992). Critiquing human error: A knowledge based human-computer
collaboration approach. San Diego, CA: Academic Press.
A model of human error is examined that that is useful for construction of a critic system in
artificial intelligence. The model is rooted in the psychological study of expert performance. The
adapted model of human error consists of three levels. The outermost layer provides a method to
account for external manifestations of errors in human behavior. These occur as cues such as
knowledge rules, models, or touchstones, that need to be followed to reach a correct task
outcome. The middle layer determines what causes lead to the erroneous behaviors identified in
the outer layer. The inner layer investigates the innermost cognitive reasons causing the error.
This is performed by teasing apart the processes and operations that contribute to that cause. The
diagnostic graph of cognitive operations leading to human error include four categories that all
fall under the heading of cue usage error. Cognitive biases is the first category. Examples of
these are input filter biases, info acquisition biases, info processing biases, intended output
biases, and feedback biases. Accidental slips and lapses is a second category. Examples of these
include environment/feedback errors, info acquisition errors, info processing errors, and intended
output errors. A third category is cultural motivations. Errors that occur in this category are
rational actor errors, incrementalism errors, recognition primed errors, and process control errors.
The final category is the missing knowledge category. Examples of these errors are initial
training errors, knowledge decay errors, and multidisciplinary errors. This model focuses on
errors that occur prior to time pressures and stress that occur during crisis or panic times. A
framework in which errors arise is presented and described. It is a system with four entities.
(1) The person or expert making the judgments.
(2) The task-environment within which the person makes the judgments.
(3) The feedback loop consisting of actions and reactions of people.
(4) The automated critics that try to influence a person’s judgment and decision.
45
Singleton, W. T. (1973). Theoretical approaches to human error. Ergonomics, 16(6), 727-
737.
Two types of approaches to human error are discussed. The technological approach involves
coping with many problems with or without laboratory support and then attempting to generalize
the rules of the game in terms of classifications of kinds of problems with associated remedies.
The scientific approach is based on the principle that theory is the bridge between experiment
and practice. The author discusses different theoretical approaches and extracts useful elements
relevant to human error. The approaches looked at include the psychoanalytic approach, the
stimulus response approach, field theories, cybernetics, human performance and skill, Decision
Theory, the arousal/stress theories, and the social theories. The author concludes that errors and
accidents are not homogeneous, therefore it is necessary for a practitioner to match the most
relevant taxonomy and theory to the particular practical problem. It is suggested that no single
method will provide a complete answer but rather that this is where the greatest dividend is likely
to be found. From here, a comprehensive unweighted approach to problems is presented.
Stoklosa, J. H. (1983). Accident investigation of human performance factors. Proceedings
of the 2nd International Symposium on Aviation Psychology (pp. 429-436). Columbus, OH:
The Ohio State University, The Aviation Psychology Laboratory.
The paper discusses the necessary factual information for a detailed and systematic investigation
of the human performance aspects of an accident. Six profile categories are established which
include behavioral, medical, operational, task, equipment design, and environmental factors. This
concept has been successfully implemented in actual multi-modal accident investigations.
Sträter, O. (1996). A method for human reliability data collection and assessment.
Probabilistic Safety Assessment and Management ‘96 (pp. 1179-1184). New York:
Springer.
A method for evaluation of plant experience for probabilistic assessment of human actions is
described. The method is able to support root cause analysis in the evaluation of events and to
describe human failures with respect to HRA purposes. The method is applied to boiling water
reactor events and the results are compared with the data tables of the THERP handbook. The
evaluation framework was subdivided into two steps, the decomposition of an event into units
called MMS (man-machine systems), and then detailed analysis of the MMS-units. It was
concluded that it is possible to validate most of the items of the THERP handbook using the new
method. The new method is a reasonable procedure to analyze simulator data as well as to
improve Human Reliability systematically in a wide range of industries (i.e. aviation and power
plants).
46
Swain, D., & Guttmann, H. E. (1980). Handbook of human reliability analysis with
emphasis on nuclear power plant applications (NUREG/CR-1278). Albuquerque, NM:
India Laboratories.
The Technique for Human Error Rate Prediction (THERP) model is presented in this handbook.
The steps in THERP define the system failures of interest, list and analyze the related human
operations, estimate the relevant error probabilities, estimate the effects of human errors on the
system failure events, and recommend changes to the system and recalculate the system failure
probabilities. THERP is interested in evaluating task reliability, error correction, task effects, and
the importance of effects. Probability tree diagrams are the basic tools of THERP.
Tarrants, W. E. (1965, May). Applying measurement concepts to the appraisal of safety
performance. Journal of ASSE, 15-22.
The author addresses the issue of non-injurious accidents, or near misses, as an important basis
for an accident prevention program designed to remove those causes before more severe
accidents can occur. The Critical Incident Technique is presented and explained to deal with
these near misses. The Critical Incident Technique is a method that identifies errors and unsafe
conditions which contribute to accidents within a given population by means of a stratified
random sample of participant-observers selected from within this population. Interviews with
people whose jobs are being studied are performed to reveal unsafe errors, conditions and other
critical incidents. The incidents are classified into hazard categories from which accident
problem areas are defined. Accident prevention programs are then designed to deal with the
critical incidents. The technique is reapplied periodically to detect new problem areas and to
measure effectiveness of the accident prevention program that was designed. The technique of
behavior sampling is also reviewed as an accident measure. The technique is concerned with the
acts a person is engaged in at the moment of an accident.
Van Eekhout, J. M., & Rouse, W. B. (1981). Human errors in detection, diagnosis, and
compensation for failures in the engine control room of a supertanker. IEEE Transactions
on Systems, Man, and Cybernetics, SMC-11(12), 813-816.
An error classification system is presented in a marine context that is an extension of
Rasmussen’s scheme of classifying human errors in nuclear power plant operations. The general
categories of error in the classification system are observation of the system state, identification
of a fault, choice of the goal, choice of the procedure, and execution of the procedure. A study
was conducted on crews of professional engineering officers to see how they could perform the
task of coping with failures in a high-fidelity supertanker engine control room simulator. Two
important conclusions were made. First, human factors design inadequacies and fidelity
problems lead to human errors. Second, a lack of knowledge of the functioning of the basic
system as well as automatic controllers is highly correlated with errors in identifying failures.
47
Wickens, C. D. & Hollands J. G. (2000). Engineering psychology and human performance
(3rd ed.). Upper Saddle River, NJ: Prentice Hall.
The information processing model is a framework that is broken down into a series of stages and
feedback loops. Sensory processing is the first stage. Information from the environment gains
access to the brain. Sensory systems each have their own short-term sensory store. Perception is
the second stage. Raw sensory data is transmitted to the brain and is interpreted and given
meaning. Perception is automatic and occurs rapidly. It relies on both bottom-up processing and
top-down processing. Cognition and memory is another stage in the model. Working memory is
part of this stage. This stage is characterized by conscious activities which transform or retain
information and are resource limited. From here, some information is transferred to long-term
memory. The next two stages are response selection and response execution. Feedback loops are
important and necessary for monitoring progress to see if a task was completed. Attention is
another important aspect of the model. Attention is a limited resource that can be selectively
allocated to the desired channels. Attention can also be divided between different tasks and
mental operations. This model can be used to describe human error as occurring in different
stages of the model. Mistakes (knowledge and rule based) can arise from problems in perception,
memory, and cognition. Slips occur during action execution. Lapses and mode errors are related
to memory failures.
Wiegmann, D. A. & Shappell, S. A. (1997). Human factors analysis of postaccident data:
Applying theoretical taxonomies of human error. International Journal of Aviation
Psychology,7(1), 67-81.
Three conceptual models of information processing and human error are examined and used to
reorganize the human factors database associated with military aviation accidents. The first
model was the four stage information processing model of Wickens and Flach. The second
model used was O’Hare’s adapted version of Rasmussen’s taxonomic algorithm for classifying
information processing failures. The third model used was Reason’s approach to classification of
active failures. It was found that the naval aviation accident database could be reorganized with a
large degree of success into the three taxonomies of human error. It is also noted that a general
trend was found. Accidents were primarily associated with procedural and response-execution
errors as well as mistakes. The four stage information processing model accounted for slightly
less pilot-causal factors than did the other two models.
48
Wiegmann, D. A., & Shappell, S. A. (1999). A human factors approach to accident analysis
and prevention. (Workshop Manual from the 43rd Human Factors and Ergonomics Society
Conference).
This paper is an expansion of the framework given in Shappell and Wiegmann’s (1997) paper.
The only difference is that organizational factors are considered and added into the framework.
Three categories of organizational influences exist. Resource management refers to the
management, allocation, and maintenance of organizational resources. Examples of these include
human resources, monetary resources, and equipment/facility resources. Organizational climate
considers the prevailing attitudes and atmosphere in an organization. Important aspects of this
category include the structure, policies, and culture of the organization. Operational process is
the final category and is defined as the formal process by which things get done in an
organization. Parts to this category include operations, procedures and oversights in the
organization.
Williams, J. C. (1988). A data-based method for assessing and reducing human error to
improve operational performance. Conference record for 1988 IEEE Fourth Conference
on Human Factors and Power Plants (pp. 436-450). New York, NY: Institute of Electrical
and Electronics Engineers.
The HEART method (Human Error Assessment and Reduction Technique) is used to explore the
identities and magnitudes of error-producing factors and provides defensive measures to combat
their effects. The HEART method is based on three premises. First, basic human reliability is
dependent upon the generic nature of the task to be performed. Second, given “perfect”
conditions, this level of reliability will tend to be achieved consistently with a given nominal
likelihood within probabilistic limits. And finally, given that these perfect conditions do not exist
in all circumstances, the human reliability predicted may be expected to degrade as a function of
the extent to which identified error-producing conditions might apply. The HEART methodology
concentrates on the additive nature of error-producing conditions found in practice, and assumes
that factorial degradation of performance through multiple error-producing conditions is a much
more likely outcome.
Woods, D. D., Pople, H. E., & Roth, E. M. (1990). The cognitive environment simulation as
a tool for modeling human performance and reliability (NUREG/CR-5213). Pittsburgh,
PA: Westinghouse Science and Technology Center.
A tool called the Cognitive Environment Simulation (CES) was developed for simulating how
people form intentions to act in nuclear power plant personnel emergencies. A methodology
called Cognitive Reliability Assessment Technique (CREATE) was developed to describe how
CES can be used to provide input to human reliability analyses in probabilistic risk assessment
studies. CES/CREATE was evaluated in three separate workshops and was shown to work in the
tested scenarios. CES can be used to provide an objective means of distinguishing which event
scenarios are likely to be straightforward to diagnose and which scenarios are likely to be
cognitively challenging, requiring longer to diagnose and which can lead to human error.
49
Wreathall, J. (1994). Human errors in dynamic process system. In T. Aldemir (Eds.),
Reliability and safety assessment of dynamic process systems (pp. 179-189). New York:
Springer.
The author reviews the nature of human errors and the way they interact with systems in
dynamic processes. A framework of accident causation is presented that is heavily based on
Reason’s model. The important features of the model are organizational processes, errorproducing
conditions, unsafe acts, defenses against unsafe acts, latent failures, and the accident
itself. Unsafe acts can be separated into different categories. There are errors of commission and
omission. There are active and latent errors. There are also slips/lapses, mistakes, and
circumventions.
Wreathall, J., Luckas, W. J., & Thompson, C. M. (1996). Use of a multidisciplinary
framework in the analysis of human errors. Probabilistic Safety Assessment and
Management ’96 (pp. 782-787). New York, NY: Springer.
This paper describes an effort to develop and apply a framework to describe the human-system
interactions associated with several different technical applications. The fundamental elements of
the framework are the PSA model and “plant” state, human failure events, unsafe actions, error
mechanisms, performance shaping factors, and plant conditions. The framework was applied in
the analysis of several accidents (including the crash of Air Florida flight in January 1982) and
proved to be robust and insightful.
Acknowledgments and Disclaimer
This material is based upon work supported by the Federal Aviation Administration
under Award No. DTFA 99-G-006. Any opinions, findings, and conclusions or
recommendations expressed in this publication are those of the authors and do not necessarily
reflect the views of the Federal Aviation Administration. |
|
IP卡
狗仔卡
发表于 2010-5-19 08:33:03
分享
收藏
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
显身卡
发表于 2010-6-28 14:17:31
下来看看