Risk-Analysis in Aerospace Human-Factor-Related Tasks: Review and Extension

The focus of the review part, whose contents was partially presented as a plenary lecture at the 2019 Human Systems Integration (HSI) Conference in Biarritz, France, Sept. 11-13, is on the incentive for applying analytical (“mathematical”) probabilistic risk analysis (PRA) methods and approaches in aerospace human factor (HF), HSI and human-in-the-loop (HITL) related tasks and problems. Three PRA models are addressed in this review. The convolution model is employed to provide quantitative aftermath to the successful outcome of the famous “miracle-on-the-Hudson” event with an objective to show that the actual “miracle” was that an outstanding individual like Captain “Sully”, with his extraordinarily high human capacity factor (HCF), was behind the wheel in this emergency situation, and ditching an aircraft on Hudson-river was for an individual of this caliber just a more or less trivial operation. The model was applied also in the concept of anticipation in aviation. This concept was analyzed also by using double-exponential-probability-distribution-function (DEPDF) model, which enables assessing, using a single equation, the roles of the HF by considering the relative level of his/hers HCF vs. the more or less objective mental workload (MWL), as well as the roles of some additional factors (time, shortand long-term state-of-health) that affect these ergonomics characteristics. The segmentation model (SM) is employed to establish the risk of failure of an aircraft mission. This is done by breaking down the anticipated route on segments, within which the instrumentation reliability, human performance and the likely environmental conditions could be considered as more or less constant. The extension part of the analysis addresses the use of the multi-parametric Boltzmann-Arrhenius-Zhurkov (BAZ) equation, which is an extension of the constitutive BAZ equation used in thermodynamics, physical chemistry, solid state physics and experimental fracture mechanics. This extension was suggested by the author about a decade ago as part of the probabilistic-design-for-reliability (PDfR) concept in electronics and photonics materials science and engineering. It is shown that such an extension can be effectively employed also in ergonomics, including aerospace ergonomics, when there is a need to quantify the outcome of a HITL/HIS related event or a mission. The model is geared to the highly focused and highly cost-effective failure-oriented accelerated testing (FOAT) needed to generate trustworthy experimental data to predict the outcome of the anticipated actual mission or an off-normal situation. The BAZ equation is, actually, also a DEPDF model, but, unlike the “purely mathematical” DEPDF model, has a strong and well established physical background. The use and the attributes of the addressed models are illustrated by numerical examples.


Introduction
Mission success and safety in the air and in the outer space could be improved dramatically by developing and employing quantifiable assessments of the roles and significances of various critical and typically inevitable uncertainties. To do that is always a challenge, especially when the HF plays a role. HITL is an essential, often the most crucial part, of a complex man-instrumentation-vehicle-environment system. The probability of failure (PoF) is never zero and should be assessed beforehand and, to an extent possible, made adequate, and, ultimately, even specified, for a particular equipment, mission and application. The suggested PRA/PDfR concept [1][2][3][4][5] in reliability engineering can be expanded and modified to consider, when necessary, the role of the HF as well. This will put the art of producing reliable electronic and photonic products and systems, and assuring adequate human performance on a "reliable" applied-probability based foundation. FOAT [6], a crucial part of the PRA/PDfR concept, is aimed, first of all, at understanding the underlying physics of failure. Such testing, as far as instrumentation's performance is concerned, should be conducted for the most vulnerable material(s) and structural element(s) of the design, and geared to a simple and flexible predictive model, such as, e.g., BAZ equation [7][8][9][10][11][12]. It has been recently shown [13,14] that FOAT could be applied in some ergonomics problems as well, and that flight simulator could be used as an appropriate accelerated test vehicle for assessing the HCF [15] required for a successful fulfillment of the planned mission. In the review below several suitable quantitative models are indicated for avionic missions and situations, when the performances of both the instrumentation and the human(s) involved contribute jointly to the outcome of a mission or of an off-normal situation. It is shown how the recently suggested multi-parametric BAZ equation can be employed to assess the relative roles of the MWL and the HCF by using the kinetic BAZ model. This is, in a way, also a DEPDF model, but of a clear physical nature.

PRA/PDfR/HF concept
The ability to predict and to quantify the most likely outcome of a critical aeronautic mission or a possible emergency situation can make, of course, a significant difference. The probability of a successful and safe outcome of such a mission or an off-normal situation is never 100%, but can be predicted (quantified) and made adequate for the available instrumentation and anticipated human performance. Such quantification should start at the planning stage and, if appropriate and possible, monitored and managed during the mission fulfillment using an appropriate modification of the PRA/ PDfR/HF concept. While the traditional statistical-and-posterior HF-oriented psychological approaches are based on experimentations followed by statistical analyses, or vice versa, the PRA/PDfR/HF concept and effort starts with an "educated guess" of what might cause a particular failure, and typically uses FOAT as an appropriate accelerated test vehicle to predict the probability of failure and the corresponding lifetime of a product or the MTTF for a human operator. Underlying physics/ergonomics of a possible instrumentation/human failure is critical and can usually be anticipated for a particular effort or a mission. E.g., for electronic or photonic instrumentation, it is the solder material experiencing temperature cycling and/or low or high temperature conditions and/or random vibrations; for a human it is one of the pertinent HCFs vs. most likely, for the given mission, MWL. If the underlying physics and/or the psychology of failure are critical, ability to quantify the role of the anticipated stressors is paramount, and, in our PDfR concept should be confirmed and measured by appropriate highly focused and highly cost-effective FOAT. FOAT should be geared to a chosen simple, easy-to-use and physically meaningful predictive model to predict the probability of failure and the corresponding useful lifetime of a mission or an anticipated off-normal situation. If the obtained safety level does not look acceptable, then sensitivity analyses based on the already developed methodologies and available algorithms could be employed to improve the situation. In the maritime engineering, e.g., it has been determined that the probability that the ship's hull, when sailing for twenty years in a row in Northern Atlantic, which is the most severe region of the world ocean, might break in half, is on the order of 10 -7 -10 -8 (the author of this article moved "from ships to chips" [16], when arriving to the US forty years ago, but is still interested in this branch of engineering). In aerospace engineering the initially acceptable risk might be considerably higher, perhaps, on the order of 10 -4 -10 -5 , because many possible human or equipment-and-instrumentation related failures might be reversible, and that effective reliability means (like redundancy, PHM equipment and algorithms, and medical equipment are successfully implemented and continuously mastered. Tversky and Kahneman [17] were, perhaps, the first ones, who considered, in connection with various decision making problems in economics, the role of critical uncertainties in cognitive "heuristics and biases". As traditional, although topnotch, psychologists, they addressed, however, such tasks and problems from the qualitative, not from the quantitative, even deterministic, viewpoint, while it is the importance of a quantitative approach that is addressed in this review and that is necessary, when there is an objective to make an aerospace mission successful and safe by quantifying what might seem to be unquantifiable, but is necessary to avoid a failure. Various aspects of MWL were considered and addressed in numerous publications (see, e.g., [18][19][20][21][22][23][24][25][26][27][28][29][30][31][32]). As has been indicated, the first attempt to quantify, on the probabilistic basis, MWL vs. HCF was undertaken in application to the helicopter-landing-ship effort [33], with an intent to assess the importance of the times of decision making by the officer on ship board and the helicopter pilot, and the time of actually "landing" the helicopter vs. the time in the expected lull in the sea condition. Clearly, if the random time of the two decision making and the time of actual landing are below the expected duration of the sea lull, then a safe landing is likely. Then the PRA was applied to several other aerospace safety related tasks [34][35][36][37][38][39]: Probabilistic assessment of the likelihood of a casualty, if one of the two navigators becomes incapacitated; when assessing and optimizing the route of an aircraft, considering that at every segment of this route either the equipment could fail, or the pilot could make an error, or both mishaps could take place; the details of the famous MoH event and the infamous "UN shuttle" disaster; and the roles of short-and long-term anticipations in aeronautics.
Some of the developed PRA predictive models are addressed and briefly discussed here: convolution model [36][37][38][39] that could be used, when the appropriate probability distributions are considered; route segmentation model with an objective to consider the roles of the instrumentation reliable performance and the HF [35]; DEPDF model that considers, in a single double-exponential physically meaningful expression, the roles of the MWL and the HCF and possibly, when necessary, also the state of human health (SoH) as part of his/hers MWL and the possibility of human error (HE) as part of the navigator's HCF [40][41][42]; and BAZ model [7][8][9][10][11][12]43], which is a special physically meaningful type of a DEPDF model.

MWL vs. HCF
Should be considered and compared, when the PRA/ PDfR/HF concept is used in various HF tasks [13,15,[18][19][20][21][22][23][24][25][26][27][28][29][30][31][32]. As is known, the concepts of the situation awareness and MWL have been for many years and still are critical to the aerospace human psychology. The MWL factor is widely accepted as a significant cause of HE. There is an extensive research and hundreds of publications on possible ways of measuring the MWL in aerospace engineering and ergonomics. We argue, however, that the MWL and the HCF are as critical in human psychology to the same extent as the relative levels and interactions of the stress (loading) and strength (bearing capacity) are important in structural and other areas of hardware engineering [42]. It is also important to take into account, when possible and critical, that these two criteria are not completely independent in ergonomics tasks and problems: The effective/actual level of the MWL can be lower for individuals with higher HCF. It is also noteworthy that although MWL and HCF can be characterized by different means and different measures, both factors have to be quantified using the same units to be able to meaningfully establish their roles in a particular problem of interest, and avoiding comparing "apples with oranges".
It is well known what is typically included in what is called MWL. As to the HCF, the tentative list of human qualities should include, depending on the particular problem of im-portance, but might not be limited to, age (it has been recently established in a research on driver drowsiness in automated and manual driving [44] that 20-25 and 65-70 age groups are more prone to "driver drowsiness" than the 26-64 group); psychological/personality type; general IQ level; psychological suitability for a particular task and relevant capabilities and skills; professional experience and qualifications; level of education, both special and general; level, quality and timeliness of training; performance sustainability/consistency/predictability); independent thinking and acting, when necessary (Captain Sullenberger is a good example of a person possessing this quality); ability to concentrate; ability to anticipate; self-control and ability to act in cold blood in hazardous situations; mature/realistic thinking; ability to operate effectively under time pressure; "tolerance to stress", i.e., ability to operate effectively, in a tireless fashion, for a long period of time); team-player attitude, when necessary (Captain Sullenberger's crew is a good example of such an attitude); swiftness in reaction, when necessary (in emergency situations); trust in technologies, other humans, and himself/ herself. These qualities are certainly of different importance in different tasks and situations, and different individuals possess these qualities in different degrees.

Convolution model
Is based on the convolution of two or more physically and logically meaningful probability distribution functions for the particular HF problem [33,42]. The developed helicopter-landing-ship model can be used particularly when developing guidelines for personnel training, and can be of help when establishing the times to be met by the two decision making individuals. If, e.g., the expected duration of the lull is 30 sec, and the required (specified) probability of exceeding this time is, say, P = 10 -3 , then the times for decision making and actual landing should not exceed, in the carried out example, 5.04 sec. The calculated data sheds light on whether it is possible at all to train a human to swiftly react (say, to make his/hers timely decision) to keep the probability of safe landing acceptable, i.e., sufficiently high. If not, then an application of more sophisticated, more powerful and, most likely, more expensive equipment to do the job. If such an effort is considered, then probabilistic sensitivity analyses based on the developed model will be needed to determine the most promising ways to pursue for particular ships, flying machines and sea conditions. The same formalism was applied in the famous MoH situation [41] and in the concept of anticipation in aeronautics [37]. The "subjective"/decision-making time in the MoH event was compared to the "objective"/available landing (ditching) time for the aircraft, which suddenly became a glider, to stay in the air. The outstanding individual like Captain Sullenberger, with his extraordinarily high HCF, anticipated, of course, the "objective available time" subconsciously. A similar comparison has been made in the concept of anticipation-in-aviation effort, whose success can be expected if the probability that a safe and effective maneuver takes place during the objective/available time is sufficiently high.
DEPDF and route segmentation models (RSM) could be is ratio of the HnF ( ) h i i P t at the i-th segment to the initial level 0 P of this probability, 2 2 0 i G G is the ratio squared of the elevated MWL to the ordinary one, and 2 2 0 i F F is the HCF, which is in this case the ratio squared of the HCF of the human of higher-than-ordinary capacity to the HCF of a human of the ordinary capacity level. The probability of the mission failure can be found as The calculated data in Table 1 can be used particularly to choose, if necessary, an alternative route in such a way that the set of the probabilities i q of the encountering harsh environments brings the overall probability of mission failure to an acceptable level.
The likelihood i q of encountering at the i-th segment, during the fulfillment of the mission, a certain level of the pertinent environmental condition of the anticipated severity (such as, e.g., the expected level of winds or gusts for an aircraft, or radiation for a spacecraft) should be based on the available forecast of such a likelihood. The example in Table 1 is just a tentative illustration of how the likelihood i q could be considered.
The DEPDF model, unlike the convolution model, considers the roles of the MWL and HCF in a single (double-exponential) expression. The simplest DEPDF model was used in the previous section. The important roles of the HE and his/hers stateof-health (SoH) were considered in this model indirectly, as parts of the general HCF and MWL information. Because HE and SoH are important MWL and HCF characteristics, they could be accounted in DEPDF model for the probability of the human Here 0 P is the probability of the non-failure at the initial moment of time (t = 0) and at the normal level ( ) 0 G G = , of the MWL; S γ is the threshold (acceptable level) of the continuously monitored indicative SoH characteristic (symptom) for the pilot; S γ is the sensitivity parameter for the symptom * ; is the actual MWL (that could be, particularly, as has been indicated, time dependent); 0 G is the MWL in normal operation conditions; * T is the mean time to error (MTTF), which is a characteristic of the probability of a HE; T γ is the sensitivity factor for the MTTF * 0 ; T F F ≥ is the off-normal exhibited or required HCF, while 0 F is the normal HCF. Thus, the suggested DEPDF model considers the roles of the "objective" (MWL related) factor and the "subjective" (HCF related) factor The rationale behind these additional terms in the DEPDF model is that the MWL level could be affected by the human's SoH (the same person might experience a higher MWL, which is not only different for different humans, but might be quite different for the same individual depending on his/hers type of personality, degree of fatigue, propensity to drowsiness, or his/ hers current SoH), while the HCF, although could also be affected by the navigator's fatigue or his/her SoH, has its direct and better substantiated measure if considered as the likelihood that the navigator is prone to making an error. There is a certain overlap, of course, between the levels of the HCF * T and the propensity of the navigator to make an error that is reflected by the * T value, which has also to do with the HF and even with his/hers IQ. The difference is, however, that the * T value is a short-term characteristic of the human performance and might be affected, first of all, by his/hers personal qualities and the state of fatigue or health, while the HCF is a long-term, more or less permanent, characteristic that has to do with the human type, education, age, experience, ability to think and act independently, etc., and, as such, is applicable to a group of individuals as well. The MTTF * T can be determined during testing on a flight simulator. The factor F , however, cannot be evaluated using such testing, and should be established based on tests and modeling of different types. Possible ways for doing that are considered as future work.

Extension
Zhurkov's [7] kinetic equation for the MTTF of a solid experiencing crack propagation is based on the model suggested about 130 years ago by Boltzmann in his kinetic theory of gases [10,11] and by Arrhenius, about eight years later, in the kinetic theory of chemical reactions [8,9]. In the above equation, 0 U is the activation energy that characterizes the fracture toughness of the material, T is temperature, k is Boltzmann's constant, σ is the tensile stress applied to the notched specimens, γ is the stress-sensitivity factor and 0 τ is the time constant. The term γσ was introduced by Zhurkov. The Zhurkov equation was recently generalized by the author of this article for multiple and not necessarily mechanical stressors (such as voltage, current, elevated humidity, random vibrations, light output, etc.) and applied for the prediction of the lifetime of electronic and optical materials and devices [2][3][4][5].
It has been shown [12] that the material degradation can be viewed, when BAZ model is considered, as a Markovian process, and that the BAZ model can be obtained as the steady-state solution to the Fokker-Planck equation in the theory of Markovian processes (see, e.g., [1]). A rather simple, but still useful, modification of the BAZ equation expressed as is considered here. In this equation, is the safety factor, t is time and τ is the time constant (actually, the MTTF) that characterizes the physics (the human factor) of the process/operation. As evident from the calculated data (Table 2), if the safety factor is significant, the probability of non-failure is also high. The following conclusions could be made from the Table  2 data: When the time of the mission is significant, the probability of the HnF is low, unless the human possesses a sufficiently high HCF, however, it is not the absolute values of time and the HCF that are important, but their ratios with the MTTF and the MWL, respectively: if the MTTF τ is significant, i.e., when the human is robust (strong, healthy, highly qualified, not prone to making an error because of fatigue, drowsiness or any other reason), the ratio t τ will be low, even for rather long times in operation; if the MWL G is significant, the safety ratio S F G = will be low, even if the HCF F is not small, and the probability of the HnF will be low, particularly, when the time in operation is appreciable; The governing ratios  is the entropy of the suggested distribution, explain the physics underlying this distribution: The derivative of the probability of non-failure with respect to the safety factor is equal to the entropy of this probability distribution, and its time derivative is equal to the ratio of this entropy to time.

Conclusion
The developed models could be used in aerospace engineering field when there is an intent to assess the probability of a successful outcome of an aerospace mission or an off-normal situation, and when the reliability of the equipment/instrumentation (both hard-and software), the performance of the human-in-the-loop and the most likely weather (environmental) conditions contribute jointly to the outcome of a mission or an off-normal situation of importance. The models can be used also in other fields of applied science and engineering, when a human encounters an off-normal situation, and should develop