Identification of aviation accident models.

## Abstract

The runway excursions are defined as the exit of an aircraft from the surface of the runway. These excursions can take place at takeoff or at landing and consist of two types of events: veer off and overrun. This last one, which occurs when the aircraft exceeds the limits at the end of the runway, is the event of interest in the current study. This chapter aims to present an accident model with a new approach in aeronautical systems, based on the tasks of the pilots related to the operational procedures necessary for the approach and landing, in order to obtain the chain of events that lead to this type of accident. Thus, the tree-network overrun model (TNO model) was proposed, unlike most traditional models, which consider only the hardware failures or which do not satisfactorily explain the interrelationship between the factors influencing the operator. The proposed model is developed in a fault tree and transformed into a Bayesian network up to the level of the basic elements. The results showed the qualitative model of the main tasks performed by the pilots and their relation to the accident. It has also been suggested how to find and estimate the probability of factors that can impact on each of the tasks.

### Keywords

- overrun
- TNO model
- fault tree
- Bayesian networks
- safety
- aviation

## 1. Introduction

Around the world, runway excursions are the most frequent type of occurrence in commercial and general aviation. The International Air Transport Association (IATA) and the International Civil Aviation Organization (ICAO), through the Runway Excursion Risk Reduction Toolkit [1], define runway excursions as the exit of an aircraft from the surface of the runway. These excursions might take place at takeoff or landing and consist of two types of events: veer off and overrun. For the landing, they can be described as:

- Veer off (LDVO): when the aircraft exceeds the lateral limits of a runway in the landing phase.
- Overrun (LDOR): when the aircraft runs past the end of the runway during the landing phase. This is the event of interest of the current study.

The latest Boeing data from a survey conducted from 2006 to 2015 show that the final phase and landing phase together account for 49% of fatal accidents in the world’s commercial jet fleet [2]. The number of onboard fatalities on the aircraft in these same phases of flight accounts for 47% of the total. The statistic was evaluated according to the aircraft exposure time for each of the mentioned phases (percentage of flight time estimated for 1.5-h flight). The phases of this study interest—descent, initial approach, final approach, and landing—correspond together to 59% of fatal accidents and 61% of fatalities on board.

### 1.1 Literature review

Most of the aviation accident statistics cited in the literature today begin with the data collected in the late 1950s and early 1960s, and it is possible to observe a marked decline in the accident rate [3]. Beginning in the 1950s, a number of research efforts were undertaken to document the precise location of aircraft accidents so that effective data for safety and security planning could be obtained for the airport and its surroundings. It is noteworthy that “the airport and its neighbors” identified the location of more than 30 military and commercial aircraft accidents that occurred outside the physical boundaries of the airport, with fatalities or injuries to people on the ground [4]. Despite limited data, this report led to the establishment of “clear zones,” which are now known as “runway protection zones.” Other works also brought important contributions to the literature: the “Air Installation Compatible Use Zone (AICUZ) Program” of the US Department of Defense served to define potential accident areas for military aircraft, known as “accident potential zones (APZs)” [5]; “location of aircraft accidents/incidents relative to runways” compiled data on the location of commercial airplane accidents on the airport runway [6]; and surveys conducted by the Airline Pilots Association indicated that 5% of accidents occur en route, 15% occur in the vicinity of airports, while the remaining 80% occur on runways, overrun areas, and clear zones [7]. However, the increasing complexity of technological systems, such as aviation systems, maritime systems, air traffic control, telecommunications, nuclear plants, and aerospace defense systems, among others, has raised points of discussion about modes of failure and new issues related to safety, such as the analysis of human factors and organizational factors in a system.

To reduce these negative effects, it has been observed that studies are being carried out with a larger number of samples (accidents or incidents). As an example, there are the accident analysis studies developed by [8, 9, 10, 11, 12, 13, 14]. As a result, it was observed that this distance differs for each type of operation, whether landing or takeoff, as well as for each type of accident, whether overrun, undershoot, or veer off. The studies previously mentioned were important to present the differences among the events on runway excursions and to report which runway conditions influence each type of the accident. They also showed that aircraft operational factors are important in the analysis of an accident. Despite the contributions mentioned, they were mainly limited to environmental factors and models based on historical data. The relationship between occurrences and human performance factors, for example, was not explained.

Many researchers have attempted to develop theories or models to describe the causes of an accident [15]. One of the earliest models of accident causes is the “Domino theory” proposed by Heinrich in the 1940s, which describes an accident as a chain of discrete events occurring in a particular temporal order [16]. This theory belongs to the class of sequential accident models, or models based on accident events, which provided the basis for most of the accident analysis models introduced later [17]. These models were known to use causality methods such as failure mode and effect analysis (FMEA), fault tree analysis (FTA), event tree analysis (ETA), and cause-consequence analysis (CCA). A large part of this approach has been strongly criticized for being based only on causal relationships among the events [18, 19, 20].

### 1.2 Concept of the study

Safety is generally understood as a state of the transportation system; therefore, it has a qualitative nature. In aviation, there are neither widely accepted safety measures, nor is there a common agreement on the limits of the indicators that can be considered acceptable [21]. In this context, interdisciplinary research and studies are necessary to understand the complexity of sociotechnical systems [18, 20]. In addition, through a broad systemic view, one can understand the multidimensional aspects of safety and later model accidents in a more global way.

Since the middle of the last century, safety models of the technical and human parts of the systems have been introduced [17]. Further studies provided important reviews of the various existing accident models [22, 23, 24, 25, 26]. The last of these presents an extensive survey describing 121 accident models and their applications. In [25], the authors develop quantitative indicators to assess the status of the flight team and the impact of these indicators on air traffic safety. In [22], the authors particularly review the models of accident analysis, and in [27], the author develops a model for the analysis of incidents using a Petri net, both for air traffic. In [28], the authors present a proposal to relate human factors, abilities, organizational factors, and environmental factors to the task being performed by the pilot. This application proposes several relationships between these factors. These authors relied on the literature and on research with pilots in flight simulators to obtain the relationships among the factors. A summary of the major accident models identified is given in Table 1 [12, 29, 30, 31, 32, 33, 34, 35, 36].

The most recent model presents the purpose of this study. The methods or techniques that were used in these analyses are shown in Table 2. The latter table was adapted according to the categories presented in [24] to classify the methods and/or techniques used. Thus, accident models can be divided into four categories: (i) causality model, (ii) collision risk model, (iii) human error models, and (iv) third-party risk model.

The TNO model is conceptually similar to [40], which uses the same tools to develop a ship collision accident model. These authors used a fault tree to obtain the main human failures related to the ship’s crew tasks, and Bayesian networks (BNs) to obtain the probability of collision and the relationships between the contributing factors. Two other models similar to the proposed model are the flight model [33] and the CATS model [35]. The first presents a model in Bayesian networks with a selection of contributing factors in order to obtain the probability of an aviation accident. Despite the contribution of human and organizational factors, this model does not represent the main operational procedures, nor all the flight phases. The second one, the CATS model [35], presents an aviation accident model developed as a fault tree, where human failure is the only element that is obtained by Bayesian networks. This implies that the top event is static in relation to the other factors, making it impossible to obtain the contribution of this element to the accident or the possible relationships between the various factors of the tree.

The objective of this chapter is to present a probabilistic accident model for the landing overrun of medium and large aircraft with the purpose of evaluating operational safety during approach and landing through the pilot-aircraft interface, considering the main operational procedures and the pilot’s tasks. From these elements, it is then possible to observe the abilities and human factors of pilots, the performance of the airline, airport infrastructure, and environmental conditions in the field of commercial aviation.

## 2. Development of the TNO model

The methodology presents the fault tree developed to represent the chain of events, which brings the consequences of human errors. Thus, this topic presents the development of FTA and its basic elements. Then, the FTA is transformed into a Bayesian network (BN). For each basic event, a BN is developed related to the task it is associated with, in which the performance factors will be aggregated. These factors, as well as the development of the model are presented throughout this chapter.

The methodology of this research presents four stages (familiarization, qualitative analysis, quantitative analysis, and incorporation) to obtain the proposed accident model. These steps were adapted from the methodology proposed by [41], which was aimed at human reliability analysis (HRA).

In the familiarization stage, besides the literature review, the technical documentation of entities related to the sector was consulted to understand the operation and to describe the approach and landing procedures of medium and large commercial aircraft and their flight stages, in addition to the current norms issued by the competent authorities. The following references were used: ALAR report [11], risk analysis report [8], ACRP 3 [10], TAM general operations manual [42], Flight Crew Training Manual for Aircraft Model A319, A320 and A321 [43], Flight Crew Operation Manual [44], and Flight Crew Training Manual for the 737NG [45]. In addition, fieldwork was carried out in an A-320 aircraft simulator; consultation with specialists (pilots and industry analysts) was an important point for the development of the model, showing the best coherence among the relationships between the operational procedures and the pilots’ activities. Finally, the accident analysis presents the NTSB database data on the causes of accidents of the LDO type, which helped the analysis of the relationships of the elements of the proposed model. Step 2 basically presents the FTA technique and the BN method used to construct the proposed model. Step 3, in summary, concerns the population of the network elements developed by the model. Step 4 presents the results and inferences.

### 2.1 Fault tree in the construction of the TNO model

The fault tree analysis (FTA) technique is widely used in aerospace, nuclear, and electronic systems [46]. FTA is a quantitative technique of the type “top-down” in which the top event refers to a single event from which the intermediate events lead to component failures as well as to human actions. Logical trees can be used both for a qualitative and quantitative evaluation of the system; they employ a deductive procedure to determine the possible causes of an event of interest located at the top of the tree that may be the fault or success in the execution of a given mission. The qualitative evaluation aims at identifying the cause-effect relationship between the events that may contribute to the occurrence of the top event (of interest) as well as its logical dependencies, while the quantitative evaluation aims to determine the probability of occurrence of the same top event from the probability of occurrence of the events that make up the tree. Moreover, the final objective of a qualitative analysis of an FTA is mainly the probability of occurrence of events, in addition to obtaining the set of minimum cuts and prioritizing them according to their order. Table 3 shows the logic gates used in the current study.

It is important to emphasize that the quantitative evaluation is deterministic and performed from the basic events, not allowing a diagnostic evaluation based on the evidence, and in both qualitative and quantitative analyses, the basic events are considered Boolean; that is, they have only two possible states. Then, the logic of the model is represented by Boolean algebra rules, where each variable may have one of the binary values corresponding to the concepts of true (1) or false (0) [47]. If the top event is the failure of a system in the execution of a given mission, the tree is called a fault tree, and if the top event is the success of the system, the tree is called a success tree. In the latter case, the probability *P* of the top event is the reliability of the system being analyzed, while in the former, the reliability of the system is *1 − P*(top event).

### 2.2 Operational procedures selected for the TNO model

The development of the proposed model followed steps in which each element was designated by a number in the FTA, symbolized in the parentheses:

The landing overrun was set as the top event (#1).

In order for an overrun to occur, it was determined that two situations must occur simultaneously: the “unwanted state in the operation of the aircraft” (#2) and the “flight crew did not go-around the aircraft” (#16). This association is warranted by the *Flight Crew Training Manual* for the A319, A320, and A321 aircraft [43] and the *Flight Crew Training Manual* for the 737NG aircraft [45], which indicate a go-around for a destabilized approach in order to avoid a runway excursion. Therefore, the connection of these factors was represented by an “AND” logic gate. It is worth noting that in the BN model, this event was assigned a 75% probability that the overrun occurs when both dangerous events occur, and a 25% probability that the accident does not occur under the same conditions, according to [48]. This condition is not represented in the FTA because of its Boolean structure.

The “unwanted state in the operation of the aircraft” event arises from two situations: “unwanted state in the descent” (#3) or “unwanted state in the landing” (#39). Either of these two situations makes the landing operation unwanted. For this reason, the logic gate “OR” was used.

For the “unwanted state in the descent” event to occur (#3), two situations were observed: “undesired state in the briefing” (#4) or “unwanted state in flight management” (#17). Either of these two dangerous events can lead to an undesired state of descent.

The “unwanted state in the briefing” (#4) was designed in consultation with experts. This yielded two dangerous events: the nonexistent briefing (#5), when the flight crew decides not to make the necessary configurations for the descent procedure, and the inadequate briefing (#8), when the flight crew performs the task but does not meet the appropriate safety conditions, classified as incomplete (#14) or incorrect (#9). For the “unwanted state in flight management” (#17), three situations were considered: “inadequate checklist” (#18), “inadequate flight control” (#25), or “inadequate final approach” (#32), all linked to a logic gate “OR.” These events and their ramifications were arranged according to the consultation of the possible dangerous events with experts and are based on the description of operational safety reports [49, 50, 51, 52]. According to the literature, the cause of the factors is linked to omission or error in action, criteria not met for a stabilized approach, and inadequate monitoring, among others. Additionally, the basic events were obtained from observations in the field and consultation with specialists. According to the pilots, once an error occurs in the procedure, it is quickly detected by the flight crew. The detection of the error in some of the activities developed in the proposed model has practically a 100% chance of occurring. However, the error correction action may be flawed, as represented in the FTA and BN (#20, #27, #34).

Finally, the event “unwanted landing state” (#39) was considered to occur when there is an “unfavorable runway” (#40) or “inadequate braking” (#41). Therefore, the connection of these factors was represented by an “OR” logic gate. Such a link was justified by the flight simulator cockpit monitoring, where an overrun event was observed in both conditions, with the approach stabilized until the moment of landing; consultation with experts also suggested the occurrence of this dangerous event. In addition, the hazardous event “inadequate braking” (#41) has the “landing gear procedure error” (#42) and the error in the reverse procedure (#43) as basic events. In the fault tree, the designated logic gate was “OR.” However, the relationship of these two events was modeled in the BN with an 80% probability of adequate braking when the landing gear procedure is adequate and the reverse procedure is inadequate, and a 20% probability of adequate braking when the landing gear procedure is inadequate and the reverse procedure is appropriate. This condition is not represented in the FTA because of its Boolean structure.

The framework of the model proposed in FTA is in Figure 1. The pilot tasks that must be analyzed in the proposed model are listed in Table 4. The model elements with negligible failure are chosen based on field research and consultation with experts.

### 2.3 Bayesian network in the construction of the TNO model

A Bayesian network (BN) is defined as a graphical structure for representing the probabilistic relationships among a large number of variables and for making probabilistic inferences with those variables [53]. Bayesian networks, also known as belief networks, causal networks, or dependency graphs, are graphic reasoning models based on uncertainty that use the concept of probability as the analyst’s degree of belief, allowing expert judgments to be used as information to support a decision-making process related to complex systems [54, 55, 56]. BNs have proven useful in studies of system reliability [40, 57] and in risk analysis studies [58, 59, 60]. They have also been applied to complex systems such as nuclear plants [61, 62] and maritime transport [63, 64], and in the last 10 years, several studies on human reliability have also been developed in aviation using BNs [24, 28, 33, 35, 65, 66, 67, 68, 69, 70, 71].

A BN is a directed acyclic graph (DAG), which is defined as *G =* (*V*,*E*), where *V* are the nodes representing either discrete or continuous variables and E is a set of ordered pairs of distinct elements of *V*, called arcs (or edges), and represents the dependencies between the nodes. The conditional probabilities associated with the variables are the quantitative components. The nodes and arcs are the qualitative components of the networks and provide a set of conditional independence assumptions, which means that each arc built from variable *X* to variable *Y* is a direct dependence, such as a cause-effect relationship and, in that case, the node representing variable *X* is said to be a parent node of node *Y* [53].

Each node within a Bayesian network is classified as “parent,” “child,” or both. These classifications relate to their respective relations to other nodes, where child nodes are those connected to antecedent nodes or influenced by other nodes; parents are those connected to descendant nodes or which have an influence on other nodes [72]. Once the topology has been specified, the conditional probability table (CPT) must be specified for each node. Each row in the table contains the conditional probability of each node value for a conditioning case. A conditioning case is just a possible combination of values for the parent nodes.

Considering a BN containing *n* nodes, *X1* to *Xn*, taken in that order, a particular value in the joint distribution is represented by *P*(*X1 = x1*, *X2 = x2*, …, *Xn = xn*), or more compactly, *P*(*x1*, *x2*, …, *xn*), and the chain rule of probability theory allows these joint probabilities to be factorized as shown in Eq. (1). Then, this process is repeated, reducing each conjunctive probability to a conditional probability and a smaller conjunction, until it forms one large product as shown in Eq. (2).

The quantitative analysis is based on the conditional independence assumption. Considering three random variables *X*, *Y*, and *Z*, *X* is said to be conditionally independent of *Y* given *Z*, if *P*(*X,Y|Z*) *= P*(*X|Z*)*P*(*Y|Z*). The joint probability distribution of a set of variables, based on conditional independence, can be factorized as shown in Eq. (3) since the constraint defined in Eq. (4) is verified. This equation allows obtaining any joint probability from values found in conditional probabilities tables, in the case of discrete variables, or from the conditional probability density function, for continuous variables. A complete example can be found in [69].

Thus, each entry in the joint is represented by the product of the appropriate elements of the conditional probability tables (CPTs) in the belief network. The CPTs therefore provide a decomposed representation of the joint. The possibility of using evidences of the system to reassess the probabilities of network events is another important feature of the BNs. Given some evidence, beliefs can be recalculated to evaluate their impact on the network nodes. The process of obtaining a posteriori probability from a priori probability is called Bayesian inference [53]. As emphasized by [73], inferences can be made using Bayesian networks in three distinct ways: causal, diagnostic, and intercausal.

### 2.4 Fault tree conversion in Bayesian networks

It is possible to combine a structured methodology as fault tree with the modeling and analytical power of the Bayesian network [74]. The authors also point out that any fault tree can be converted into a Bayesian network without losing information. It is important to note that the flexibility of Bayesian network modeling can accommodate several types of dependencies among variables that cannot be included in fault tree modeling. Studies have shown that the transformation of a problem described by a fault tree into a Bayesian network is not a complex process [74, 75]. To convert the fault tree into a Bayesian network, the basic premises of the standard FTA methodology are highlighted, as follows [74]:

- events are binary (example: appropriate/not appropriate);
- events are statistically independent;
- the relations between events and causes are represented by logic gates through Boolean logic, i.e., AND and OR gates; and
- the root of the fault tree is the unwanted event; i.e., it is the top event to be analyzed.

Thus, one node must be created for each event and for each basic element in the FTA. It is important to note that in BN, each element in the FTA must be represented only once, even if there are repetitions in the fault tree. Then, the nodes must be connected, according to the logic gates present in the FTA.
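The conversion described above, as an added example that is not part of the original chapter: a reduced version of the tree from Section 2.2 is evaluated once with Boolean gates (FTA) and once as a BN using the 75% and 80%/20% conditional probabilities quoted there. The root-event priors, the node names, the collapsing of #4 and #17 into single root nodes, and the CPT corner cases not stated in the text are assumptions made for illustration.

```python
"""Fault tree -> Bayesian network for a reduced landing-overrun model."""
from itertools import product

# Root-node priors P(event occurs). CONSTRUCTED values for illustration only;
# the chapter gives no basic-event probabilities.
PRIORS = {
    "briefing_4": 0.02,       # unwanted state in the briefing (subtree collapsed)
    "flight_mgmt_17": 0.05,   # unwanted state in flight management (collapsed)
    "runway_40": 0.10,        # unfavorable runway
    "gear_42": 0.01,          # landing gear procedure error
    "reverse_43": 0.03,       # reverse procedure error
    "no_go_around_16": 0.20,  # flight crew did not go around
}

# One BN node per fault-tree gate, in topological order: (child, parents).
STRUCTURE = [
    ("braking_41", ("gear_42", "reverse_43")),
    ("landing_39", ("runway_40", "braking_41")),
    ("descent_3", ("briefing_4", "flight_mgmt_17")),
    ("operation_2", ("descent_3", "landing_39")),
    ("overrun_1", ("operation_2", "no_go_around_16")),
]


def or_gate(*parents):
    """Deterministic CPT of an OR gate: P(child = 1 | parents)."""
    return 1.0 if any(parents) else 0.0


def and_gate(*parents):
    """Deterministic CPT of an AND gate: P(child = 1 | parents)."""
    return 1.0 if all(parents) else 0.0


def overrun_cpt(operation, no_go_around):
    """Section 2.2: 75% overrun probability when both dangerous events occur."""
    return 0.75 if operation and no_go_around else 0.0


def braking_cpt(gear_error, reverse_error):
    """P(inadequate braking | gear error, reverse error).

    Section 2.2 gives 80% adequate braking for (gear ok, reverse error) and
    20% adequate braking for (gear error, reverse ok). The (0, 0) and (1, 1)
    rows are assumed to follow the OR gate.
    """
    return {(0, 0): 0.0, (0, 1): 0.20, (1, 0): 0.80, (1, 1): 1.0}[
        (gear_error, reverse_error)]


FTA_GATES = {"braking_41": or_gate, "landing_39": or_gate, "descent_3": or_gate,
             "operation_2": or_gate, "overrun_1": and_gate}
# Same graph, but two nodes get the non-Boolean CPTs the fault tree cannot hold.
BN_CPTS = dict(FTA_GATES, braking_41=braking_cpt, overrun_1=overrun_cpt)


def probability(query, evidence=None, cpts=BN_CPTS):
    """P(query | evidence) by enumerating the full joint distribution."""
    evidence = evidence or {}
    names = list(PRIORS) + [child for child, _ in STRUCTURE]
    numerator = denominator = 0.0
    for values in product((0, 1), repeat=len(names)):
        world = dict(zip(names, values))
        if any(world[k] != v for k, v in evidence.items()):
            continue
        p = 1.0
        for name, prior in PRIORS.items():
            p *= prior if world[name] else 1.0 - prior
        for child, parents in STRUCTURE:
            p_occurs = cpts[child](*(world[q] for q in parents))
            p *= p_occurs if world[child] else 1.0 - p_occurs
        denominator += p
        if all(world[k] == v for k, v in query.items()):
            numerator += p
    if denominator == 0.0:
        raise ValueError("evidence has zero probability in this network")
    return numerator / denominator


if __name__ == "__main__":
    top = {"overrun_1": 1}
    print("FTA top event :", round(probability(top, cpts=FTA_GATES), 6))
    print("BN  top event :", round(probability(top), 6))
    # Diagnostic inference, which the Boolean fault tree does not support.
    for node in ("braking_41", "runway_40", "descent_3"):
        print(f"P({node} | overrun) =", round(probability({node: 1}, top), 4))
```

With Boolean CPTs the network reproduces the fault-tree result exactly; swapping in the two probabilistic CPTs lowers the top-event probability and makes posterior queries such as P(inadequate braking | overrun) available.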

A subsystem composed of a logical gate whose Boolean algebra is of any nature (union, intersection, exclusive union, or others) with *k* branched components, being events or subsystems, can be converted into its corresponding Bayesian network. If the logical gate is represented by a union, then only the nonoccurrence of all events avoids the occurrence of the top event, i.e., (*P* (Top|

## 3. Results

The result of the transformation of the FTA into a BN is presented, qualitatively, in Figure 3. The Bayesian network of the proposed model presents two states, negative and positive, for each node. The negative state represents the probability of occurrence of the node (characterized by the word YES). The positive state represents the probability that the node does not occur; that is, the fault does not occur (characterized by the word NO). The node in red represents the landing overrun, and its positive and negative states represent the probability of the accident occurring, given the factors of the developed network.

According to field research and expert opinion, the tasks that demand the most from pilots during approach and landing are listed below. For these tasks, a chain of dangerous events was also obtained, as described in the development of the model:

- decide if the aircraft continues to approach and/or landing (go-around);
- landing briefing;
- landing checklist;
- control of aircraft parameters;
- execution of the drag procedure on final approach; and
- execution of the braking procedure (landing gear and reverse).

It should be noted that this work is not intended to introduce the factors of each task and its probabilities in this example, but to present the accident model for the approach and landing phases related to the tasks performed by the pilots that can be visually understood. The TNO model includes the main tasks performed by the crew and the chain of dangerous events that can lead to landing overrun.

From this model, it is possible to obtain the relation between the factors that can influence the performance of the pilots, and therefore, this can indicate how this can impact in the success or failure of the tasks related to the procedures of approach and landing. For each of these tasks, it is possible to develop more focused studies and to obtain the organizational, environmental, human factors, and the main abilities around each one of them. One way to get the factors contributing to the negative state of each of these tasks was suggested in [28]. Once obtained, a way to develop the Bayesian network with these factors and to find the probability of each of the states, positive and negative, is in [71].

The main advantage of transforming the FTA model to BN is to verify the sensitivity of each of the nodes given the accident and to obtain their impact. It is also possible to obtain the probability of an accident occurring because an error occurred in some task, for example. This type of approach is only possible in BN, one of the advantages of using this method for risk analysis. Finally, the network data can be obtained by consulting specialists and/or obtained from the literature.

## 4. Conclusions

Human factors are the most important source of uncertainties of any model, though many techniques and computational tools have arisen in recent decades to deal with the complexity of sociotechnical systems. To obtain a representative analysis of the real system, a systemic view of the process is required. However, modeling the operational procedures of a system, or its main tasks, is not an easy step. So, it is first important to know the system that is intended to be modeled, and then to analyze the factors (and their relationships) that can contribute to an occurrence. For such information, a search of the literature and research with pilots and accident investigators become extremely important.

The proposed model was described and used to model the relationship between the main operational procedures performed by the flight crew and the pilots’ skills and to support the construction of a BN to quantitatively analyze the event of interest. Differently from other studies, the TNO model proposes a systematic and efficient way to organize the influence factors through an FTA and, consequently, to obtain a probabilistic analysis through a BN. The use of BN to find the most probable cause with the objective of identifying the most important factors and prioritizing the mitigation action is also an important contribution of this work. As far as we know, no other study has proposed a similar approach.

It should be noted that factors related to component failures in aircraft systems are not being considered in the general model. This is because studies of failures in aeronautical equipment are already traditionally considered and modeled, besides presenting a low probability of occurrence. Therefore, the emphasis was placed on the human actions of pilots. Thus, our intention was to model one of the main tasks of the flight team considering factors that precede team error. This model must be able to obtain a representative analysis of the real system; a systemic view of the process is also needed. In this sense, this model of accident fills this gap.

The results provide a basis for proposing mitigating actions and can contribute to the management of air transport operational safety. The best way to improve the latter is to address the most sensitive points. Thus, the factors highlighted in the analysis, once prioritized within the company, can promote the reduction of runway excursions during the landing procedure of medium and large aircraft.

## Acknowledgments

The authors are especially grateful to the pilots and engineers who participated in the consultations conducted by the research. The authors are grateful for the financial support given by CAPES and FAPESP in Brazil for this study.