1. Field of the Invention
The invention described herein is directed to methods and systems for processing an integrated collection of facts in a system of interconnected models so as to infer measures of risk under selected circumstances in a system so modeled. Specifically, the invention provides a hybrid model from causal models, such as is characterized by fault trees and event sequence diagrams, and probabilistic models, such as is characterized by Bayesian belief networks, and determines probabilities of events in the causal models from conditions set in the probabilistic model.
2. Description of the Prior Art
Hazard analysis is a focal strategy for assessing safety in many industries, including chemical process, power generation, and aviation and other transportation systems. A variety of assessment methods are used in practice, including simple experience-based checklists, system or process “walk-throughs”, Failure Mode and Effects Analysis (FMECA), and, more recently, fault tree analysis. Typically, a list of unsafe acts, conditions, failures or abnormal states of various elements of a system or process is developed, and some degree of likelihood and severity is subjectively assigned to each item on the list. It is common to express the likelihood on relative quantitative scales (e.g., 1, 2, 3, ...) or qualitative scales (e.g., Frequent, Probable, Occasional, Remote, Improbable, Incredible). Similarly, the severity or consequence of a hazard is often measured in relative terms (e.g., Catastrophic, Hazardous, and Insignificant). The combination of severity and likelihood indicates the level of risk for each hazard, as compared with other hazards on the list. Hazards on the list may then be grouped based on a combined risk index (e.g., Unacceptable, Undesirable and Acceptable).
A more sophisticated method of hazard identification is through hierarchical functional/physical/organizational decomposition of the system and/or process elements. As recently proposed for aviation hazard classification, the hierarchy is based on five main categories: Production, Mechanical (Ground Systems and Aircraft), Operational, Environmental and Regulatory. Further subcategories are defined for each of the main categories. The category Aircraft, for example, is divided into 35 categories of hazard sources. These include, at the same level in the hierarchy, Electric Power, Hydraulic Power, Oil, Air Conditioning, Water/Waste, Fuselage, Fuel Systems, Lights, Navigation, Engine, Landing Gear, and Doors. Below this level in the hierarchy are, of course, other levels of hazard sources.
Such hierarchical decompositions, while meaningful as a way of organizing and presenting the list of potential hazards, are of limited value in the identification of hazards and are virtually useless in assessing their safety significance. Obviously, the level of an item in the hierarchy (its proximity to the top) cannot be taken as an indication of its associated degree of importance. In other words, an important dimension of the problem, namely the complexity of the system and the relations between causes, is essentially absent from such “flat” models. Natural questions arise, such as why any given item in the hierarchy is listed as a hazard; what are the single, multiple or common causes of the identified hazards and, if and how are they interrelated; and, at what level does one stop further detailing the hierarchy?
While modifications to the above approach have been postulated, significant limitations remain in the determination of the role of possible hazard prevention or mitigation methods. For example, an event or condition may be a hazard in one context and under a specific set of circumstances, but not be a hazard in another context. This is certainly not reflected in the hazard identification and classification procedure described above. An even more significant limitation is the fact that the interrelationships among causal factors in a system as complex as an aviation system are often complicated, nonlinear and non-modular. Root causes may form the source of deep and overarching dependencies, while conditions or states of the system play the role of convergence points linking multiple causal pathways to multiple system impacts and consequences. The significance of context within which events and conditions could be viewed as a hazard has called into question the adequacy of the simple hierarchical approach to hazard identification. Additionally, it has become apparent that a more comprehensive set of analysis tools could be provided by a hybrid model framework that combines assets of multiple hazard assessment methodologies.
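The following is an added illustration, not code from the patent, of the hybrid arrangement described in the Field of the Invention: a fault tree (causal model) whose basic events are nodes of a small Bayesian belief network (probabilistic model), so that the top-event probability is obtained from conditions set as evidence in the network. Because the top event is computed by summing the network's joint distribution rather than by multiplying gate inputs as if they were independent, a common cause shared by several branches (the dependency problem noted above) is accounted for exactly. The network, its node names, its conditional probabilities and the fault tree are all constructed, hypothetical values.

```python
from itertools import product

# Constructed toy Bayesian belief network (hypothetical; not the patent's model).
# Each node: (parent names, CPT mapping a tuple of parent values to P(node=True)).
BN = {
    "bad_weather":  ((), {(): 0.20}),
    "icing":        (("bad_weather",), {(True,): 0.60, (False,): 0.05}),
    "sensor_fault": (("icing",), {(True,): 0.30, (False,): 0.02}),
    "crew_fatigue": ((), {(): 0.10}),
}

def joint(assignment):
    """Probability of one full assignment {node: bool} under the network."""
    p = 1.0
    for node, (parents, cpt) in BN.items():
        p_true = cpt[tuple(assignment[q] for q in parents)]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p

# Constructed fault tree (hypothetical): gates are ("AND"|"OR", children...);
# a leaf names a basic event that is also a node of the belief network.
FAULT_TREE = ("AND", ("OR", "icing", "sensor_fault"), "crew_fatigue")

def evaluate(tree, assignment):
    """Boolean value of the fault tree under one full network assignment."""
    if isinstance(tree, str):                      # basic event
        return assignment[tree]
    gate, *children = tree
    if gate not in ("AND", "OR"):
        raise ValueError(f"unknown gate {gate!r}")
    values = [evaluate(c, assignment) for c in children]
    return all(values) if gate == "AND" else any(values)

def top_event_probability(tree, evidence):
    """P(top event | evidence): sum the network's joint over every assignment
    consistent with the evidence, so shared (common-cause) ancestors of
    several basic events are honoured instead of being assumed independent."""
    nodes = list(BN)
    num = den = 0.0
    for values in product((True, False), repeat=len(nodes)):
        a = dict(zip(nodes, values))
        if any(a[k] != v for k, v in evidence.items()):
            continue
        p = joint(a)
        den += p
        if evaluate(tree, a):
            num += p
    if den == 0.0:
        raise ValueError("evidence has zero probability under the network")
    return num / den
```

Passing a bare event name as the tree returns that basic event's own conditional probability, which is how the probabilistic model supplies probabilities to the causal model under a given set of circumstances.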