Autopsy of an airplane crash: a transactional approach to forensic cognitive science

In considerations of cognition in complex, technologically enhanced work environments, the question often concerns the boundaries of the phenomena to be researched. In classical cognitive science, the boundary of cognition is the brain case. More recent approaches, including distributed cognition and joint cognitive systems, draw the boundaries so that human operators and aspects of their environment are included; and the foci of the inquiries are interactions and representations that are passed around between players. This study makes a case for a transactional approach, which acknowledges a unity/identity of agent and environment. To understand the effect of agent characteristics in performance requires knowing the environment characteristics; and to understand the effect of the environment characteristics on performance requires knowing the agent characteristics. The approach is exemplified in the analysis of key instants of the spectacular and widely publicized crash of TransAsia Flight GE235 in which 43 lives were lost. The transactional analysis exhibits the internal cognitive dynamic in the cockpit that actually explains why agents acted as they did (rather than what they did not do because situation awareness lacked). It is better suited as a foundation of forensic cognitive science than the classical view on human error.     

Human factors in requirements engineering:: A survey of human sciences literature relevant to the improvement of dependable systems development processes

Requirements engineering (RE) is an inherently social process, involving the contribution of individuals working in an organizational context. Further, failures in the RE process will potentially lead to systematic failures in the products that are produced as a result. Consequently, the RE process for dependable systems development should itself be considered as a dependable process, and therefore subject to greater scrutiny for vulnerabilities to error. Research on human error has typically focused on the work of individual actors from a cognitive perspective. This paper presents a survey which broadens the view on what contributes to human error by also examining work from the social and organizational literature. This review was conducted to inform efforts to improve the systems development process for dependable systems, and in particular their requirements engineering process     

The ergonomics of flight management systems: fixing holes in the cockpit certification net

Recent air traffic control regulations mandate the installation of computer-based flight management systems in airliners across Europe. Integrating and certifying add-on cockpit systems is a long and costly process, which in its current form cannot meaningfully address ergonomics aspects. Two levels of problems occur: add-on systems carry many "classic" HCI failures, which could easily be addressed with modified certification requirements. Further, adding new technology changes practice, creates new skill and knowledge demands and produces new forms of error, which are more difficult to assess in advance. However, one innovative certification approach for add-on cockpit systems, based on the use of a representative population of user pilots, was found to be promising. This method minimizes the subjective bias of individual pilots in addition to defining pass/fail criteria in an operational environment.     

A socio-technical analysis of functional properties in a joint cognitive system: a case study in an aircraft cockpit

Abstract

In a socio-technical work domain, humans, device interfaces and artefacts all affect transformations of information flow. Such transformations, which may involve a change of auditory to visual information & vice versa or alter semantic approximations into spatial proximities from instruments readings, are generally not restricted to solely human cognition. This paper applies a joint cognitive system approach to explore a socio-technical system. A systems ergonomics perspective is achieved by applying a multi-layered division to transformations of information between, and within, human and technical agents. The approach uses the Functional Resonance Analysis Method (FRAM), but abandons the traditional boundary between medium and agent in favour of accepting aircraft systems and artefacts as agents, with their own functional properties and relationships. The joint cognitive system perspective in developing the FRAM model allows an understanding of the effects of task and information propagation, and eventual distributed criticalities, taking advantage of the functional properties of the system, as described in a case study related to the cockpit environment of a DC-9 aircraft.

Practitioner Summary: This research presents the application of one systemic method to understand work systems and performance variability in relation to the transformation of information within a flight deck for a specific phase of flight. By using a joint cognitive systems approach both retrospective and prospective investigation of cockpit challenges will be better understood.

Abbreviations: ATC: air traffic control; ATCO: air traffic controller; ATM: air traffic management; CSE: cognitive systems engineering; DSA: distributed situation awareness; FMS: flight management system; FMV: FRAM model visualize; FRAM: functional resonance analysis method; GF: generalised function; GW: gross weight; HFACS: human factors analysis and classification system; JCS: joint cognitive systems; PF: pilot flying; PNF: pilot not flying; SA: situation awareness; SME: subject matter expert; STAMP: systems theoretic accident model and processes; VBA: visual basic for applications; WAD: work-as-done; WAI: work-as-imagined; ZFW: zero fuel weight     

HELIX: A helicopter diagnostic system based on qualitative physics

Future helicopter requirements, including expanded missions and single-pilot operation, will greatly increase the demands placed on the pilot. To meet these requirements without overwhelming the pilot, novel approaches to cockpit automation must be devloped. To assess the feasibility of applying Artificial Intelligence technology to helicopter cockpit automation, an expert system for status monitoring and diagnosis designated HELIX (HELicopter Integrated eXpert) has been developed.At the heart of the HELIX program is a Qualitative Reasoning System (QRS). The QRS is a general mechanism to support the creation of hierarchical device models and reasoning about device behaviour using Qualitative Physics. The HELIX qualitative model is represented as a set of constraints that define the normal behaviour of the engines, transmission, flight controls, and rotors of the helicopter. Aircraft health is assessed by determining whether observations (sensor readings and pilot control inputs) are consistent with the constraints of the model. If an inconsistency is detected, a process of systematic constraint suspension is used to test various failure hypotheses.Critical to the efficient operation of the HELIX program is the hierarchical model representation, which enables reasoning at various levels of abstraction. Using a top-down approach, the diagnostic process exploits the hierarchy by beginning fault isolation with the most reduced form of the model. To refine the diagnosis, a branch of the hierarchy may be expanded until a component-level diagnosis is made. The hierarchy also greatly reduces the complexity of multiple failure diagnosis. Rather than considering combinations of failures in all leaf components, the diagnosis can be restricted to combinations of branches in the hierarchy.HELIX has been successfully tested on a variety of simulated failures. By representing only the normal behaviour of the helicopter and testing hypotheses by constraint suspension, HELIX has been able to diagnose single or multiple failures without prior knowledge of failure modes. The approach represents a promising technique for automating the qualitative reasoning required to diagnose novel failures and may form the basis for extensive automation both in airborne and ground-based diagnostic systems.     

Advanced concepts flight simulation facility

The cockpit environment is changing rapidly. New technology allows airborne computerised information, flight automation and data transfer with the ground. By 1995, not only will the pilot's task have changed, but also the tools for doing that task. To provide knowledge and direction for these changes, the National Aeronautics and Space Administration (NASA) and the Lockheed-Georgia Company have completed three identical Advanced Concepts Flight Simulation Facilities.

Many advanced features have been incorporated into the simulators — e g, cathode ray tube (CRT) displays of flight and systems information operated via touch-screen or voice, print-outs of clearances, cockpit traffic displays, current databases containing navigational charts, weather and flight plan information, and fuel-efficient autopilot control from take-off to touchdown. More importantly, this cockpit is a versatile test bed for studying displays, controls, procedures and crew management in a full-mission context. The facility also has an air traffic control simulation, with radio and data communications, and an outside visual scene with variable weather conditions. These provide a veridical flight environment to evaluate accurately advanced concepts in flight stations.     

A systems-theoretic approach to safety in software-intensive systems

Traditional accident models were devised to explain losses caused by failures of physical devices in relatively simple systems. They are less useful for explaining accidents in software-intensive systems and for nontechnical aspects of safety such as organizational culture and human decision-making. This paper describes how systems theory can be used to form new accident models that better explain system accidents (accidents arising from the interactions among components rather than individual component failure), software-related accidents, and the role of human decision-making. Such models consider the social and technical aspects of systems as one integrated process and may be useful for other emergent system properties such as security. The loss of a Milstar satellite being launched by a Titan/Centaur launch vehicle is used as an illustration of the approach.     

Pilot ability to anticipate the consequences of flight actions as a function of expertise

The study offers insights into pilot ability to anticipate consequences of actions and how this ability changes with experience. Novice and expert pilots completed trials in which 3 screens depicted a control movement (or control movements), a cockpit flight situation, or a change in flight situation. Changes depicted in the 3rd screen of each trial were consistent, inconsistent with the mental model of the effect of the control movement or movements, or inconsistent with the application of the control movement(s) to the current flight situation. Pilots indicated whether the depicted change was inconsistent or consistent with their expectations, and accuracy of consistency judgments was greater for mental-model than for situation-model inconsistent statements. Experts are more accurate than novices, particularly for trials that involve multiple, meaningfully related control movements. Expert ability to organize information into meaningful units appears to facilitate future flight state projections, and projection failures appear to result from situation- rather than mental-model failures. Actual or potential applications of this research include analysis of flight situation awareness and flight performance errors.     

基于可靠性理论的分布式系统脆弱性模型

对现有的脆弱性分析方法进行分析和比较,提出基于可靠性理论的分布式系统脆弱性模型.针对影响分布式系统安全性的各项因素进行脆弱性建模,利用模型检验方法构造系统的脆弱性状态图,描述系统脆弱性的完整利用过程,引入可靠性理论对分布式系统的脆弱性进行分析和量化评估,从而为增强分布式系统的安全性提供理论依据.     

MULTI-AGENT INFRASTRUCTURES FOR OBJECTIVE AND SUBJECTIVE COORDINATION

Coordination in multi-agented systems (MAS) can be conceived as either an agent activity (the subjective viewpoint) or an activity over agents (the objective viewpoint). The two viewpoints have generated two diverging and often contrasting lines of research, as well as different and noncompatible technologies, however, their integration is mandatory for modeling and engineering complex MAS. In this paper, we explore the issue of integration at both the model and the technology levels.

First, by taking FIPA agents and coordination artifacts as reference notions for subjective and objective approaches, respectively, we sketch a framework where agent interactions with coordination artifacts are modeled as physical acts, deliberated and executed by agents analogously to communicative actions. Then, we show how the JADE infrastructure for FIPA-compliant agents, and the TuCSoN infrastructure providing agents with coordination artifacts can be integrated at the technology level, allowing JADE agents to access TuCSoN tuple centers through JADE services.     

Secure—I*: Engineering Secure Software Systems through Social Analysis

Engineering secure software systems requires a thorough understanding of the social setting within which the system-to-be will eventually operate. To obtain such an understanding, one needs to identify the players involved in the system's operation, and to recognize their personal preferences, agendas and powers in relation to other players. The analysis also needs to identify assets that need to be protected, as well as vulnerabilities leads to system failures when attacked. Equally important, the analyst needs to take rational steps to predict most likely attackers, knowing their possible motivations, and capabilities enabled by latest technologies and available resources. Only an integrated social analysis of both sides (attackers/protectors) can reveal the full space of tradeoffs among which the analyst must choose. Unfortunately, current system development practices treat design decisions on security in an ad-hoc way, often as an afterthought. This paper introduces a methodological framework based on i^*, for dealing with security and privacy requirements, namely, Secure-i^*. The framework supports a set of analysis techniques. In particular, attacker analysis helps identify potential system abusers and their malicious intents. Dependency vulnerability analysis helps detect vulnerabilities in terms of organizational relationships among stakeholders. Countermeasure analysis supports the dynamic decision-making process of defensive system players in addressing vulnerabilities and threats. Finally, access control analysis bridges the gap between security requirement models and security implementation models. The framework is illustrated with an example involving security and privacy concerns in the design of electronic health information systems.In addition, we discuss model evaluation techniques, including qualitative goal model analysis and property verification techniques based on model checking.     

An empirical investigation into open source web applications’ implementation vulnerabilities

Current web applications have many inherent vulnerabilities; in fact, in 2008, over 63% of all documented vulnerabilities are for web applications. While many approaches have been proposed to address various web application vulnerability issues, there has not been a study to investigate whether these vulnerabilities share any common properties. In this paper, we use an approach similar to the Goal-Question-Metric approach to empirically investigate four questions regarding open source web applications vulnerabilities: What proportion of security vulnerabilities in web applications can be considered as implementation vulnerabilities? Are these vulnerabilities the result of interactions between web applications and external systems? What is the proportion of vulnerable lines of code within a web application? Are implementation vulnerabilities caused by implicit or explicit data flows? The results from the investigation show that implementation vulnerabilities dominate. They are caused through interactions between web applications and external systems. Furthermore, these vulnerabilities only contain explicit data flows, and are limited to relatively small sections of the source code.     

Dynamic Modeling and Analysis of the Human Jumping Process

Humanoid robots have recently been the subject of many new and interesting fields both in robotics research and industry. The wide variety of their applications in civic and hostile environments demand developing approperiate theoretical models for analysis. A dynamical model was developed to study the human jumping process, and the effect of factors like joint speeds and hand motion in jumping. An experiment was designed and setup to compare the theoretical model with experimental observations. Time histories of vertical force, mass center velocity and driving torques were also obtained. Using dynamical equations, the effect of joint speeds on the maximum values of these quantities is discussed. It was shown that reducing the joint speeds of a body could lead to an unsuccessful jump in which the body would not enter the flight phase. An increase in speed reduced the take-off time (the time necessary for the body to leave the ground) and increased the body's linear velocity at take-off, as well as the maximum value of driving torques. Effect of hand motion was also investigated through suppressing motion of the shoulder and elbow. It was observed that hand motion had an improving effect on the body's linear velocity. Although speed of joints did not show to have a great influence on most joint torques, those at the shoulder and elbow were observed to be more sensitive to it.     

Artifacts in the A&;A meta-model for multi-agent systems

In this article we focus on the notion of artifact for agents in multi-agent systems (MAS) as a basis for a new meta-model promoting the modelling and engineering of agent societies and MAS environment as first-class entities. Its conceptual foundations lay upon theories and results coming from computational sciences as well as from organisational and cognitive sciences, psychology, computer supported cooperative work (CSCW), anthropology and ethology. In the resulting agents & artifacts (A&A) meta-model, agents are the (pro-)active entities in charge of the goals/tasks that altogether build up the whole MAS behaviour, whereas artifacts are the reactive entities providing the services and functions that make individual agents work together in a MAS, and that shape agent environment according to the MAS needs. After presenting the scientific background, we define the notions of artifact in the A&A meta-model, discuss how it affects the notion of intelligence in MAS, and show its application to a number of agent-related research fields.     

Cognitive failure analysis for aircraft accident investigation

Abstract

The present studies were undertaken to investigate the applicability of an information processing approach to human failure in the aircraft cockpit. Using data obtained from official aircraft accident investigation reports, a database of accidents and incidents involving New Zealand civil aircraft between 1982 and 1991 was compiled. In the first study, reports were coded into one of three error stages proposed by Nagel (1988) and for the presence of any of 61 specific errors noted by Gerbert and Kemmler (1986). The importance of decisional factors in fatal crashes was noted. Principal components analysis suggested the presence of five different varieties of human failure. In the second study, a more detailed error taxonomy derived from the work of Rasmussen (1982) was applied to the data. Goal selection errors emerged as the most frequent kind of cognitive error in fatal accidents. Aircraft accident reports can be a useful source of information about cognitive failures if probed with an appropriate, theoretically-based, analysis of information processing errors. Such an approach could provide the accident investigators with a useful tool, and lead to a more complete understanding of human error in aviation.     

驾驶舱人体热舒适性建模及环境评估

建立人体热舒适性模型,通过RadTherm平台实现人体热舒适性模型和驾驶舱环境的对接。对驾驶舱环境进行数值模拟,得到驾驶舱内气流组织形式,其速度场和温度场作为人体热舒适性模型的输入。驾驶舱环境数值模拟结果与人体热舒适性评估结果相互验证,共同评价驾驶舱环境的优劣。研究结果表明,通过数值模拟得到的驾驶舱环境评估结果和通过人体热舒适性模型得到的驾驶员热舒适性评估结果准确、有效,具有较高的工程应用价值。     

推力矢量垂直短距飞机轨迹优化与控制

推力矢量垂直短距起降(V/STOL)飞机是一种兼顾巡航飞行速度和起降灵活性的新型飞机.本文首先建立了包含执行器饱和的V/STOL飞机动力学模型;然后针对V/STOL飞机在过渡过程阶段面临的强耦合、强非线性的特点,使用梯度下降法进行最优过渡过程轨迹优化并采用适应性矩估计算法(Adam)加速了优化过程;在此基础上,以最优轨迹为基础设计前馈控制器,同时通过对比真实飞行状态与所设计的最优状态给出反馈补偿量,保证了实际的过渡过程沿着最优轨迹进行.经过仿真实验可以发现,该方法具有过渡过程时间短、姿态平稳、鲁棒性强的优点.     

A logical approach to systems engineering artifacts: semantic relationships and dependencies beyond traceability—from requirements to functional and architectural views

Not only system assurance drives a need for semantically richer relationships across various artifacts, work products, and items of information than are implied in the terms “trace and traceability” as used in current standards and textbooks. This paper deals with the task of working out artifacts in software and system development, their representation, and the analysis and documentation of the relationships between their logical contents—herein referred to as tracing and traceability; this is a richer meaning of traceability than in standards like IEEE STD 830. Among others, key tasks in system development are as follows: capturing, analyzing, and documenting system-level requirements, the step to functional system specifications, the step to architectures given by the decomposition of systems into subsystems with their connections and behavioral interactions. Each of these steps produces artifacts for documenting the development, as a basis for a specification and a design rationale, for documentation, for verification, and impact analysis of change requests. Crucial questions are how to represent and formalize the content of these artifacts and how to relate their content to support, in particular, system assurance. When designing multi-functional systems, key artifacts are system-level requirements, functional specifications, and architectures in terms of their subsystem specifications. Links and traces between these artifacts are introduced to relate their contents. Traceability has the goal to relate artifacts. It is required for instance in standards for functional system safety such as the ISO 26262. An approach to specifying semantic relationships is shown, such that the activity of creating and using (navigating through) these relationships can be supported with automation.     

驾驶舱飞行员认知行为一体化仿真建模

针对国内航空领域飞行员认知行为一体化建模研究较少,运用ACT-R认知架构对民机飞行员驾驶技能获得、提取和运用的内在机制进行建模。对飞行员驾驶飞机的认知过程进行划分;以驾驶舱中出现频率最高的典型飞行任务--飞行员告警信息感知、处理与决策为对象进行实验设计和一体化仿真;对实验操作和模拟仿真进行对比,表明ACT-R认知体系能够指导推进驾驶舱人机工效一体化中飞行员仿真理论与模型研究的发展,为驾驶舱优化设计与评估提供深层次的支撑。     

面向工业控制系统全生命周期的脆弱性多维协同分析

工业互联网背景下,工业控制系统面临攻击防不住、脆弱性易暴露的安全挑战,要保障系统安全稳定运行,首先需要深入探究引发工业控制系统故障的原因,明确系统脆弱性机理.针对当前单点或局部脆弱性分析的局限性,面向工业控制系统全生命周期安全需求及特征,提出脆弱性多维协同分析框架,通过模型驱动的系统静态、动态脆弱性分析以及多域融合评估,剖析和挖掘系统脆弱点及其关联渗透过程,生成系统脆弱性知识.所提出框架首次明确脆弱性含义,同时全生命周期需求覆盖以及一体化架构特性有助于实现系统全局脆弱性机理揭示.