Maintenance and Reliability

Many lives and aircrafts have been lost due to human errors associated with mental work-load overload (MWLOL). Human errors are successfully considered in existing Fault Tree Analysis (FTA) methods. However, MWLOL is considered through Performance Shaping Factors indirectly and its information is hidden in FT construction, which is not conducive to analyze the root causes of human errors and risks. To overcome this difficulty, we develop a risk analysis method where Multiple Resources Model (MRM) is incorporated into FTA methods. MRM analyzes mental workload by estimating the resources used during performing concurrent tasks, probably including abnormal situation handling tasks introduced by basic events in FT. Such basic events may cause MWLOL and then trigger corresponding human error events. A MWLOL gate is proposed to describe MWLOL explicitly and add these new relationships to traditional FT. This new method extends previous FTA methods and provides a more in-depth risk analysis. An accident, a helicopter crash in Maryland, is analyzed by the proposed method. Highlights Abstract A fault tree-based risk analysis method consider-• ing MWLOL is developed. A MWLOL gate is proposed based on Multiple • Resources Model. New logic relationships due to MWLOL are add-• ed to traditional FT through MWLOL gate. The new analysis method obtains more rational • results validated by Accident Report.

Many lives and aircrafts have been lost due to human errors associated with mental workload overload (MWLOL). Human errors are successfully considered in existing Fault Tree Analysis (FTA) methods. However, MWLOL is considered through Performance Shaping Factors indirectly and its information is hidden in FT construction, which is not conducive to analyze the root causes of human errors and risks. To overcome this difficulty, we develop a risk analysis method where Multiple Resources Model (MRM) is incorporated into FTA methods. MRM analyzes mental workload by estimating the resources used during performing concurrent tasks, probably including abnormal situation handling tasks introduced by basic events in FT. Such basic events may cause MWLOL and then trigger corresponding human error events. A MWLOL gate is proposed to describe MWLOL explicitly and add these new relationships to traditional FT. This new method extends previous FTA methods and provides a more in-depth risk analysis. An accident, a helicopter crash in Maryland, is analyzed by the proposed method.

Introduction
Human errors (HEs), defined as that a human diverges from a normative plan or task [12], are regularly cited as the main causes of the majority of accidents in complex systems [3,12,25,31]. Their pivotal role in aviation accident occurrence has been quantitatively pointed out in many studies: roughly 70% of all accidents in commercial aviation and 80% in general aviation [30]; more than 80% of helicopter accidents [4]. Pervasiveness of the HEs in accidents guarantees a requirement to investigate the causes of HEs to prevent future similar accidents [49].
In aviation, multitasking is prevalent in aviation [40], especially in abnormal situations [21]. HEs contribute to more than 70% of aviation accidents, and many of HEs can be attributed to workload [10]. During multitasks, a large number of cognitive resources such as attention, processing capacity, and multi-task performance [16] are required to complete assigned tasks, but the human has insufficient resources available to dedicate to the tasks [5]. Then, a high level of mental workload, or mental workload overload (MWLOL, i.e. the excessive levels of mental workload), occurs.
Due to the multi-dimensional characteristic of mental workload, Multiple Resources Model (MRM) [41] and Visual, Auditory, Cogni-tive, and Psychomotor method (VACP) [19] are well known for workload prediction in aviation (e.g. [29,42,44,52]). Wang et al. [38] propose a colored Petri net model based on MRM and VACP to predict mental workload. MRM and VACP claim that MWLOL occurs when the total demand for cognitive resources is beyond a threshold and pilot performance degrades [48]. Gore and Jarvis [9] suggest that when the cumulative demands of cognitive resources exceed an arbitrary threshold of 7, the operator will be at great risk of MWLOL.
With the development of technology in today's aircraft, pilots have to process a considerable amount of complex information [23]. Their attention often requires to be split between multiple information and the risk of MWLOL has increased [11].The MWLOL can cause errors or delay information processing [5], and may reduce the vigilance and alertness of pilots with catastrophic effects [33]. Therefore, the MW-LOL constitutes a key element in safety and reliability of complex man-machine systems. In aviation area, most of the accidents, especially those fatal ones, occurred due to high levels of mental workload of pilots [35,51]. Many lives and aircraft of the United States Air Force have been lost due to errors made during periods of flight associated with MWLOL and task saturation [23]. This makes prediction and assessment of pilot mental workload a major issue in aviation safety. Effective accident prevention should incorporate mental workload into risk analysis models.
Probabilistic safety assessment (PSA) is a comprehensive, structured methodology to identify and understand the risks associated with hazardous activities in complex systems [39]. It can identify potential accident scenarios, assess their likelihoods and consequences, and improve system safety and operation [20]. There are many PSA techniques, among which fault tree analysis (FTA) is one of the most prominent techniques [28] and is the most recognized and widely used [15]. The aim of FTA is to find the primary causes of accident causation utilizing a top-to-down method. The basic events of FT can be HEs, software or hardware failures, or environment events [6]. To analyze HEs and study human behavior in accident occurrence, many studies propose an analysis concept that combines FTA, Task analysis (TA) and human reliability analysis (HRA) methods [6,53,55]. FTA identifies the root causes of an accident, while TA analyses the way human perform tasks and how they interact with machines or other colleagues. These analysis methods are complemented by using one of HRA methods, such as ATHEANA (A Technique for Human Error Analysis), THERP (Technique for Human Error Rate Prediction), HEART (Human Error Analysis and Reduction Technique), CREAM (Cognitive Reliability and Error Analysis Method), and HEIST (Human Error Identification in System Tools). Doytchev et al. [6] combine FTA and TA to analyze an accident of Bulgarian Hydro power plant. In their analysis, HEs are analyzed by the combination method of TA and HEIST, through which details about HEs in a realistic situation are revealed. Zhou et al. [55] incorporate CREAM into FTA to analyze Liquefied Natural Gas carrier spill accidents, and estimate likelihoods of risks using Monte Carlo Simulation. Zhou et al. [53] propose a hybrid HEART method and incorporate it and TA to FT construction for risk analysis.
Although previous FTA methods successfully consider HEs based on the combination of TA and HRA, they ignore human mental workload or describe MWLOL through Performance Shaping Factors (PSF) indirectly, such as "number of simultaneous goals" and "available time". In doing so, the MWLOL information is effectively hidden in the logical structure of the FT, and task scenarios causing high mental workload cannot be identified. Therefore, it is unable to play a role in qualitative analysis. In addition, HEs should be best viewed as a joint product of the interactions of humans with other aspects of the system (software, hardware, etc.) in a particular external context [22]. These FTA methods cannot describe the logic relationships among human error events and other basic events due to MWLOL in the process of man-machine interaction: basic events such as equipment failures may cause the system in an abnormal situation, then introduce a new abnormal situation handling task which is time-shared with current tasks, and finally MWLOL occurs and triggers the corresponding human error events. Therefore, to deeply analyze the root causes of human errors and accidents, the MWLOL should be considered and described explicitly in FT construction.
In this paper, we focus more on MWLOL and it is incorporated into FTA. A modified FTA method is developed based on aforementioned FTA methods combined with TA and HRA [6,53,55]. This new method also makes use of TA describing and analyzing how and when the human interacts with the system or colleagues in the system. TA can create a detailed picture of human involvement, including the concrete operations and plans. Plans determine which operations should be perform simultaneously. Based on TA, human error identification, analysis, and quantification can be implemented with HRA methods. Then a traditional FT can be constructed. To overcome the difficulty of considering and describing MWLOL explicitly in traditional FTA, we introduce MRM to build a MWLOL mechanism model and develop a new logic gate (i.e. MWLOL gate) to incorporate MWLOL into previous FTA methods. Such gate can represent how MWLOL occurs and what its effects are, and it may add the logic relationships among basic events due to MWLOL to traditional FT construction. The proposed method represents a major extension from previous FTA methods and provides a more in-depth risk analysis. A case study of helicopter crash in Maryland On January 10, 2005 is used to illustrate the effectiveness of the proposed risk analysis method. This paper is organized as follows. In Section 2, we introduce the MWLOL and its contributions to aviation accidents. Section 3 presents the background and basic concepts of risk analysis. In Section 4, the proposed methodology is presented, while in Sections 5 and 6 application of the methodology with results and discussions are provided. Finally, the conclusions of this paper is presented in Section 7.

Aviation accidents due to MWLOL
With the improvement of intelligence and automation during flight, the role of the pilot has changed fundamentally, from the operator and controller of the system to the supervisor and decision-maker [24]. The applications of advanced technologies has greatly reduced the pilot's physical workload in modern aviation. However, in some cases, advanced equipment actually increases the overall mental workload. Objectively, the cockpit has become a workplace with a high incidence of MWLOL because of the highly intensive information. Pilots need to collect more than 30 pieces of information within 10s before and after the takeoff of a Boeing 747. In another case, 675 special abbreviations and hundreds of warning signals are contained in three displays under the windshield of the F/A-18 Hornet Fighter cockpit alone [50]. Pilots need process the increasing information and the allowable time for decision decreases. Therefore, flying a plane is often a heavy mental workload task, especially in abnormal situations. The pilots must constantly acquire and process much information from their eyes, ears and other sensory organs to avoid accidents.
It has become a universal phenomenon that multiple tasks cause mental workload to exceed the mental ability of pilots, which is called MWLOL. The pilots' capacities of information processing are stretched with increased task demands. The occurrence of MWLOL has affected the performance of pilots seriously, which reduces the efficiency and safety of the system. For example, when a pilot performs dual tasks with MWLOL, s/he will become involved in her/his current situation of the primary task while forget to perform the secondary task [23]. Consequently, the information of the secondary task is not perceived, which usually lead to perception errors, informationprocessing errors and slow decision-making. These HEs due to MW-LOL are frequently identified as a major cause of accidents [23].
Consequently, it is a major issue to analyze pilot mental workload in aviation risk analysis. Evaluating and improving the pilot's mental workload can be helpful in improving pilot performance and reducing the likelihoods of accidents.

Background of research methods
In the previous section, the importance and contributions of MW-LOL to accident are demonstrated. This section covers the necessary background for understanding the proposed method of aviation risk analysis considering MWLOL. An overview of MRM, FTA, TA, and HRA is illustrated below.

Multiple resources model
MRM is developed by [40,41], which are the main references used here. MRM can well interpret the occurrence of MWLOL and decrement of human performance caused by the interference between several concurrent tasks [40]. It has been widely used in workload prediction and assessment in aviation (e.g., commercial aviation [2] and helicopter [8,19]).
MRM holds the idea that humans have several separate limited and allocable mental resources. It provides a computational model to predict total interference between a time-shared pair of tasks, which is the sum of two components, a 4-dimensional demand component (i.e., resource demand) and a multiple resource conflict component (i.e., degree to which overlapping resources are required). The four dimensions, shown schematically in Fig.1, consist of (1) Information processing stages, referring to perception, cognition and response progress, (2) Processing codes, representing the spatial and verbal working memory codes, (3) Input modalities, containing the visual and auditory channels to allocate attention, and (4) Visual processing, dividing visual modality into focal and ambient vision [41]. MRM evaluates task interference through the following three critical processes: (1) demand vector determination, (2) conflict matrix construction, and (3) total interference calculation [41].
(1) Basic mental resources demand reflects the mental workload to complete a single task. In MRM, the determination of resource demand value in certain dimension depends on the characteristic and difficulty of task. Each demand is specified as being automated ( d = 0), easy ( d = 1), or difficult ( d = 2). According to the computational model, the demand vector of a certain task can be represented as: i {Vf , Va , As, Av, Cs, = d Cv, Rs, Rv} , where i d denotes the demand vector of task i ; V is visual; A is auditory; C is cognition; R is response; f represents focal vision; a represents ambient vision; s is spatial code; and v is verbal code. For the convenience of subsequent expression, the demand vector is simplified as: , where c ij corresponds the jth ( j 1, 2, , 8 =  ) elements in i d , and respectively represents the value of Vf, Va, As, Av, Cs, Cv, Rs, Rv. (2) Based on plenty of studies, Wickens [41] proposed a conflict matrix to reflect the conflict value for different resource competitions intuitively, as shown in Table 1. If dual tasks use the same resources, the conflict extent will be the highest. Hence the dual tasks may be time-shared more easily when using different type of resources (e.g., perception vs. response, auditory vs. visual). The dual-task resource conflict score is determined by the summation of conflict values: where 1 2 r( , ) dd denotes the resource conflict score between dual tasks 1 T and 1 T , and 1, 2 , cc i j ⊗ is the conflict value of two resources, determined by Table 1.
(3) The total interference value is represented by the sum of total resource demand value and 1 2 r( , ) dd : where TI denotes the total interference of dual tasks.

Fault tree analysis
FTA is a well-established and well-understood technique, widely used to determine the causes of accidents and dig deep into the factors leading to these causes [14]. The analysis results allow practitioners to identify weaknesses in the system and take prevention methods. In this paper, the proposed risk analysis method considering MWLOL is implemented through FTA.
FTA is a top-down and graphical method that analyzes accidents deductively and structurally [55]. FTA starts with an undesired event as a top event usually representing the accident, and constructs downwards to dissect the system for further detail until the basic events leading to the top event are known [16]. The basic events are in the bottom of the tree, including human errors, mechanical failure, environmental factors and any other events that can caused accidents [6]. Their relationships are described by logic gates, such as AND-gate and OR-gate.
Once a FT is modeled, it can be analyzed in qualitative and quantitative ways [14,46]. Qualitative analysis aims to find the minimal cut sets (MCS), which show how minimum basic events can combine together to cause the accident. In quantitative analysis, the probability of the accident occurrence and other quantitative indexes such as importance measures are mathematically calculated. The importance measures can determine which basic event in the cut sets are more critical to prevent the top event from occurring.
To capture the dynamic behavior of system failure mechanisms, the concept of dynamic FTA is proposed through adding the priority AND, standby or spare, and functional dependency gates to the traditional FTA [7,47]. With the development of technology, many scholars have expanded the FTA to make them suitable for advanced and complex systems. Simultaneous-AND gate [37], AND-THEN gate [45], and SEQ-OR gate [18] are proposed to improve the modeling power of dynamic FTs.

Task analysis
Task analysis (TA) involves the study of the way operators perform the tasks in their work environment and how to refine these tasks into a sequence of subtasks [6]. TA is the process of describing and analyzing how the operators interact with the system and other operators in order to achieve a system goal. TA can capture factors related to the cognitive activities of the human involved and psychological context of the tasks [1]. TA has experienced continuous improvement, and numerous TA methods have been developed, such as hierarchical task analysis (HTA), Goals Operations Methods (GOMS), Tabular Task Analysis, Timeline analysis, and cognitive task analysis [17]. Among the TA methods above, HTA is the ''best known task analysis technique'' [17], and has a very generic form that can almost be applied in any field. HTA focuses on the identification of the overall goal and the decomposition of the goal into subordinate goals and sub-tasks, which allows it to analyze complex tasks [1]. In HTA, the subordinate goals should be further decomposed into more detailed goals or tasks. Hence the decomposition needs to continue, until the sub-tasks in the bottom of HTA structure are all concrete operations. The goals and sub-goals are organized through plans, and the work processes are well structured based on its hierarchical approach [6]. The details and framework for conducting HTA can be seen in [32].
HTA has been extensively used in interface design and evaluation, allocation of function, job aid design, error prediction, and workload assessment [32]. In this paper, we focus on its application in the workload assessment and error prediction. These two parts deal with the question of how operators become MWLOL and human error occurs respectively. HTA is recognized as the pre-analysis before workload and human error analysis.

Human error analysis
As mentioned before, HEs are the main reasons for accidents in highly complex systems and the accidents caused by HEs has continuously increased [6]. Therefore, drilling down the causes of HEs is significant for accidents analysis. Human reliability analysis (HRA) is a series of techniques for human error analysis. The present HRA methods are almost based on the human factors engineering, mental science and probability statistics [55]. They aim at eliminating accidents attributed to HEs. To consider the impact of human errors, HRA methods usually include several stages i.e., decomposing human act, identifying error modes, calculating human error probability, determining effects and analyzing the reasons for HEs [53].
After decades of development, some classic HRA methods are gradually promoted, e.g., THERP (Technique for Human Error Rate Prediction), HEART (Human Error Assessment and Reduction Technique), CREAM (Cognitive Reliability and Error Analysis Method) [13], and etc. Among them, CREAM focuses more on cognitive error and holds the concept that the performance is mainly influenced by the context. Based on this concept, nine Common Performance Conditions (CPCs) are defined to represent how context, including environment, equipment, organization, and etc., influences the performance of operators in system. The influence level is divided into three categories, i.e. improved, reduced and insignificant levels.
CREAM classifies cognitive functions into four categories: observation, interpretation, planning, and implementation. Each category contains several failure modes, and each failure mode has its corresponding failure probability named Cognitive Failure Probability (CFP). CPCs can be utilized to calculate the CFPs and determine the causes of them. On the one hand, CPCs combine with basic probability to determine the fixed CFPs [55]. On the other hand, CREAM defines the causal relationship between CPCs. According to the causal chain, the causes of human errors can be traced. In this way, the contribution of MWLOL can be indirectly analyzed with CPCs like "number of simultaneous goals" and "available time" [13].

Methods
A brief overview of methods and techniques for risk analysis were introduced in section 3. The FTA, TA, and HRA methods focus either on the failure of machine or human, and their combinations are uti-lized to analyze the causes of human errors and accidents. However, the main cause of pilots' errors, MWLOL, was ignored or considered indirectly through CPCs. To better analyze the MWLOL and its effects, MRM is introduced and combined with TA as a means to identify time-shared tasks and their resource demands that prompt MW-LOL. In addition, to analyze the way MWLOL leads to accidents, the proposed methods are complemented with the utilization of FTA and a new logic gate i.e. MWLOL gate. Through this gate, a new dependence among basic events due to MWLOL can be analyzed.

Procedure
The analysis flow is shown in Fig. 2 and consists of 8 steps. Traditional FT is first constructed with HTA and CREAM in steps 1-4. Then it is modified by a MWLOL gate to analyze MWLOL and corresponding effects. Accordingly, main steps are explained as follows.

Fig. 2 Flowchart of the analysis approach
Step 1-Task selection and Situation determination: The tasks referring to flight handbook are the definition of steps that pilot must complete during a flying process. The purpose of the Situation determination is defining a variety of instant conditions according to the tasks assessed, such as working environment, task status, time availability and so on.
Step 2-Task analysis: In accordance with the situation, task analysis is carried out through HTA, and a list of subtasks is obtained. Multitasking is prevalent in aviation [40], and the majority of MWLOL occurs by performing Multiple tasks concurrently. Therefore, in this step, it is essential to determine the plans of these subtasks to identify which are time-shared.
Step 3-Human error analysis: CREAM is introduced to identify and analyze human errors in flying operations based on the results of TA. According to the historical data collected by National Transportation Safety Board (NTSB) or expert judgments, the cognitive function, CPCs and their weights can be obtained. Finally, the probabilities of human errors in pilots' flying tasks can be calculated through CREAM [13].
Step 4-Perform a traditional FTA of the accident: There are many causes that can lead to the accident, such as equipment/mechanical failure, human errors, and environmental factors. Each of such causes is connected by logic gates and lower events until all its branches are terminated with basic events. Various logical combinations that lead to the accident can be displayed. Then FT is constructed and FTA is implemented to identify the root causes of the accident.
Steps 1-4 are the procedures to perform a traditional FTA, which is widely studied in many literatures [6,53,55]. To consider MWLOL, Steps 5-8 are proposed to modify traditional FTA in this paper, and we present them in sections 4.2-4.5 in detail.

Abnormal situation handling tasks caused by basic events (Step 5)
As the basic events including equipment/mechanical failure, human errors, and environmental factors occur, the aircraft may be in an abnormal situation. Pilots need deal with the abnormal situation based on the emergency procedure in flight handbook to prevent the accident [36]. Therefore, a new abnormal situation handling task is introduced, which will increase mental workload significantly. Then the performance of pilots will be affected seriously and the efficiency and safety of the system may be reduced. For example, single engine fire will introduce the engine fire extinguishing task. Pilots need perform at least dual tasks (i.e. flying task and extinguishing engine fire task) simultaneously. On such condition, the MWLOL may occur during manmachine interaction and lead to human errors and aircraft crash with high probability. Many aviation accidents have occurred when pilots perform multiple tasks besides an abnormal situation handling task.
In step 5, the abnormal situation handling tasks introduced by the occurrence of basic events are determined. Whether current tasks lead to MWLOL and what their effects are will be analyzed in steps 6 and 7 respectively.

Mental workload analysis with extension of MRM (Step 6)
Based on the results of HTA of normal tasks in step 2 and abnormal situation handling tasks in step 5, the tasks that should be performed concurrently are determined first in this step. Then mental workload analysis of these concurrent tasks is conducted with the extension of MRM.
In literature, MRM is proposed to predict the time-shared task interference, which is the sum of resource demands and conflicts. It is a convenient way to calculate mental workload caused by dual tasks. However, for the calculation of resource conflicts, it cannot be applied directly to the task scenario which contains three or more concurrent tasks. In aviation, especially under abnormal conditions, it is a common phenomenon that pilots perform multiple concurrent tasks [40]. To calculate multi-task interference, the above basic MRM is extended based on the following principles that the resource conflict is calculated according to task priority. For example, to calculate the resource conflict of three time-shared tasks, the resource conflict between the first and second highest priority tasks is first calculated, and then we calculate the resource conflict between the first two tasks and the third highest priority tasks. The detail steps are as follows: First, tasks are ranked in descending order of priority based on TA. Let i T denote the task with prioritization i . The prioritization of i T is higher than that of Second, let D p denote the sum of demand vector of 12 ,..., p T ,T T . It can be obtained through: where n is the number of concurrent tasks, and n>1.
Third, the resource conflict value between p T and other tasks whose prioritization higher than p T can be calculated with: where 1, 1 c pi p −− ∈ D , , c pj p ∈ d . Then, the resource conflict score of multiple time-shared tasks can be represented as: Finally, the total interference value of these tasks can be calculated as: In summary, if the pilot need perform dual tasks concurrently, the mental workload analysis can be conducted by the basic MRM introduced in section 3.4, while if the pilot need perform three or more tasks concurrently, the mental workload analysis can be conducted by the extension of MRM proposed in this section.

MWLOL gate (Step 7)
For the contribution of MWLOL to aviation accidents, considering it into FTA model is beneficial to analysis the causes of accidents. The functions of FTA are reflected in various logic gates which represent how failures in subsystems can combine to cause a system failure. Therefore, it is a feasible method to construct a new logic gate (i.e. MWLOL gate) to model the fault logic of MWLOL. Based on the task management theory [43], tasks are abandoned in the order of priority when concurrent tasks lead to MWLOL.

Fault logic of MWLOL
"Mental workload describes the relation between the (quantitative) demand for resources imposed by a task and the ability to supply those resources by the operator" [41]. To investigate the fault logic of MW-LOL, it is important to understand the strategy of task management that operators adapt when the supply is less than the demand. At a most general level, there are four possible types of adaptation when the MWLOL occurs [43].
Operators may allow tasks' performance to degrade, for example, • a vehicle driver may allow lane position to wander when the workload of dealing with an in-vehicle automation system increases.
Operators may perform the tasks through a less resource consum-• ing and more efficient way, as they may shift from optimal algorithms to satisfactory heuristics in decision making. Operators may shed tasks altogether, in an "optimal" fashion, • eliminating performance of those of lower priority. For example, the air traffic controllers with mental workload overload may cease to offer pilots weather information unless requested, while turning their full attention to traffic separation. Operators may shed tasks altogether, in an "non-optimal" fash-• ion, abandoning those that should be performed. For example, a vehicle driver abandons safe driving in favor of a cell phone conversation.
Unfortunately, beyond the studies and literatures on task management and resource allocation, very little is known about general principles that can account for when people adopt one strategy or the other [43]. However, training can certainly help operators to adopt an "optimal" strategy [43].
In this paper, the pilots are assumed to be well-trained, and they may shed tasks altogether in an "optimal" fashion, i.e., pilots under high workload will focus on the critical tasks with higher priority and eliminate performance of tasks of lower priority. Therefore, some of the operations for tasks of low priority will be abandoned.
MRM assumes that humans have several separate allocable mental resources but limited. Gore and Jarvis [31] suggest an arbitrary threshold of 7, i.e., the maximum cumulative demands of cognitive resources people can provide is 7. Then whether the MWLOL occurs can be determined based on the value of total interference of time-shared tasks. Therefore, when the total interference of concurrent tasks exceeds 7, MWLOL is assumed to occur and the operator tends to eliminate performance of lower priority tasks.

Establish MWLOL Gate
As discussed above, the fault logic of MWLOL is obtained. We describe this fault logic by introducing a MWLOL gate, as shown in fig. 3. MWLOL Gate has multiple inputs and outputs. The inputs are concurrent multiple tasks (i.e. T 1 , T 2 , …, T n ), while the outputs (t 1 , t 2 , …, t n ) are the abandonment of tasks of low priority which triggers the corresponding human errors whose modes are omissions, such as perception omissions due to the abandonment. All inputs are basic events. Each output event t i represents the abandonment of input event T i . When all inputs occur simultaneously and the task interference exceeds 7 (i.e., the MWLOL occurs), the output events (t n , t n-1 , …, t 2 ) will occur in turn until the interference of performing tasks is less than 7.
The MWLOL occurs only when multiple tasks need to be handled at the same time. Therefore, the output events occur only when all input events occurs simultaneously. However, whether the input events of the AND gate occur at the same time or not, is not clear from its definition. The AND gate has no time parameters. To consider the temporal relations among input events, many logic gates have been developed to extend the description and analysis of fault trees, such as Priority-AND gate [7], AND-THEN gate [45], and Simultaneous-AND gate [37]. A Simultaneous-AND gate represents the input event X and Y occur at the same time. MWLOL Gate is proposed based on Simultaneous-AND. In this paper, the temporal relation that all input events occurs simultaneously is ensured by TA. The occurrence of output events depends on the MWLOL judged by MRM.
According to the MRM and task prioritization strategies, the following rules of MWLOL GATE are made: MWLOL GATE will not be triggered if only one input event 1) occurs; All output events will not occur if no MWLOL occurs; 2) All input events must be time-shared; 3) Output event 4) t i occurs later to t i+1 .

Modelling FTA with MWLOL gate (Step 8)
Based on Steps 1-3, task selection and situation determination, task analysis, and human error identification and analysis have been conducted. A combination of TA and HRA is utilized to determine the human error modes and their probabilities. Then, in step 4, a traditional FT can be established as shown in Fig. 4, and the detailed procedure can be seen in [6,53]. The traditional FT considers human errors, ma-chine failures, and environment factors. The top event (i.e. accident or incident) will occur when the MCS of basic events occur.

Fig. 4. Example of traditional FT with human errors (HE), machine failures (MF), and environment factors (EF) events
Based on steps 5 and 6, concurrent tasks (i.e. normal tasks and abnormal situation handling tasks) in the risky task scenario are identified and task interference can be calculated by MRM to identify whether MWLOL occurs.
Step 7 establishes the MWLOL Gate that can determine which task will be abandoned when MWLOL occurs. Then its actual contents of output events trigger omission error events due to the abandonment of tasks. Therefore, for these omission error events, their occurrence is due to the MWLOL or omissions. Then, such omission error events in Fig. 4 will change from basic events to intermediate events, which are connected by OR gate and basic events t i and omission, such as HE2 and HE3 in Fig.5. The probability of basic event "omission" can be calculated using CREAM. MWLOL Gate represents how MWLOL occurs and what its fault logic is. By using MWLOL Gate, the MWLOL is present in the logical structure of FT, which plays a significant role in qualitative analysis of the root causes of aviation accidents. Figure. 5 shows an example of a FT with MWLOL Gate. On such situation, operator need handle three tasks (i.e. T 1 , T 2 , T 3 ) simultaneously. Among them, T 3 is assumed to be the abnormal situation handling task caused by the basic events MF2 and EF1. The task interference of these three tasks exceeds 7, and the event t 3 (i.e. abandon T 3 ) occurs. Then t 3 triggers event HE3. In addition, if the task interference of T 1 and T 2 also exceeds 7. The event t 2 (i.e. abandon T 2 ) also occurs and triggers HE2. On the contrast, if the task interference of T 1 and T 2 is less than 7, the event t 2 will not exist, and HE2 is only affected by operation omission. Through MWLOL Gate, the dependence among basic events MF2, EF1, HE2, and HE3 can be described explicitly, and the causes of HE2 and HE3 can be well explained.
As shown in Fig. 5, MWLOL Gate combined with other logic gates can describe how the basic events cause top event. The causes of HEs in the process of man-machine interaction can be well investigated through the modified FTA. Then, HEs caused by MWLOL or not, mechanical failures and environmental factors can be identified as the root causes of accidents. Moreover, quantitative analysis like the calculation of top event probability and probability importance of basic events can be used to prioritize those causes. Therefore, FTA with MWLOL Gate can be analyzed in qualitative or quantitative methods, which are the same as traditional FTA.

Case study
The proposed analysis method is implemented to an accident of helicopter crash in Maryland [27]. On January 10, 2005, about 23:11, a helicopter crashed into the Potomac River during low-altitude cruise flight near Oxon Hill, Maryland. The pilot and several crews were The helicopter originated at the Washington Hospital Center Helipad and was en route to Stafford Regional Airport. During the flight route, multiple tasks besides an abnormal situation handling task should be performed simultaneously. Researching the MWLOL is worthwhile to analyze the root causes of the accident. The risky task scenario is analyzed using the proposed risk analysis method to illustrate its effectiveness.

Task selection and Situation determination
In view of the aviation accident report, the flight mission profile is as shown in Fig. 6. Since the flight route is near Stafford Regional Airport, the helicopter need cruise with low altitude and is usually asked to avoided airbus. The helicopter flies southbound along the Potomac River toward Woodrow Wilson Bridge. When the helicopter is near the bridge, climbs and crosses over the bridge. Then the helicopter descends and cruises with low altitude. During performing the tasks above, the pilot is informed that an airbus was ten miles above the helicopter. The pilot should search for airbus visually and maintain visual separation from the airbus. Therefore, on such condition, the pilot need perform dual normal tasks concurrently, which may lead to MWLOL of the pilot. Considering the contribution of MWLOL to aviation accidents, these tasks are selected and analyzed in this section.
The situation can be determined based on a closer look at the aviation accident report. The pilot holds a commercial pilot certificate with ratings for airplane single-and multi-engine land, rotorcraft helicopter, and instrument helicopter. He is well trained and experienced. The helicopter was manufactured in 2004 and had accumulated 166.6 total flight hours at the time of the accident. The helicopter was configured one pilot, one flight paramedic, and one flight nurse.
The tasks are performed at night, about 23:11. According to the aviation accident report, a new moon was below the horizon and no illumination was provided at the time and location of the accident. Flying low-attitude North of the bridge is typically flying VFR due to the intense amount of ground lights available along the river. Once the pilot crosses the bridge he is now flying into a black void, and there is no outside visual reference. Therefore, the helicopter likes flying into actual instrument meteorological conditions, and flight instruments should be used to a greater degree to ensure altitude awareness.

Task analysis using HTA
Based on the helicopter flight handbook [36], with four raters' assistance, TA is performed using HTA method. We compile a list of subtasks and concrete operations which are helpful for analyzing the HEs that lead to the failure. HTA includes a set of hierarchical tasks that provide a systematic description of the flight mission of the helicopter. Table 2 shows the subordinate goals and all concrete operations. The subordinate goals i.e. sub-tasks are 1) climb, 2) cross over the bridge, 3) descend, and 4) search and avoid the airbus. Each subordinate goal is further divided into concrete operations.
The brainstorming session with four raters allows us to identify the tasks that should be performed at the same time and their priorities. We then determine the plans of these sub-tasks, through which the work processes are well structured based on its hierarchical approach. Such plans and task priorities is the basis of mental workload analysis.

Human error analysis using CREAM
Based on the results of TA, CREAM method is introduced to identify and quantify possible HEs. Table 2 shows the detailed operation procedure, and for each operation, we can identify its cognitive function. According to the determined situation, CPC assessment can be conducted with four raters' assistance. For example, Table 3 shows the CPCs for subtask 3. Then weighting factors for CPCs can be determined and the CFP for each operation can be calculated using the extended CREAM method [13].
The methods that combine TA and CREAM for human error identification and quantification have been widely studied in many literatures [34,54,55]. Based on such methods, the possible helicopter's errors when performing flight mission can be identified and quantified. In this paper, we focus more on the occurrence and effects of MWLOL, which will be analyzed in detail next.

Perform a traditional FTA of the accident
The accident report shows that the helicopter crashed during the descent stage (subtask 3.1). The pilot performed subtask 3.1, and task 4 simultaneously at that time. Based on section 5.1-5.3, we gather the HEs, mechanical failures, and environment factors which are combined to cause the accident, and perform a traditional FTA of the helicopter crash accident, as shown in Fig. 7. The helicopter crash during descent stage is due to three categories of causes: 1) helicopter's altitude is too low caused by equipment failures (G1), 2) helicopter's altitude is too low caused by extreme environment (G3), and 3) helicopter crashes due to the failure of man-machine interaction (G2). In this accident, the pilot is well trained. If he is aware of the low altitude, he will take measures to prevent helicopter crash. The flight nurse who survived the accident stated: "the pilot did not execute any evasive maneuvers or communicate any difficulties, either verbally or nonverbally" [27]. Therefore, G2 is caused by the pilot perception failure of low altitude.
The MWLOL occurs during man-machine interaction. In addition, G1 and G3 can be analyzed by traditional FTA methods. Thus we focus more on the cause G2, and it is analyzed by the connection of logic gates and lower events until all its branches are terminated with basic events.   Table. 4, where the probabilities of equipment failures (i.e. X1 and X3) are as-sumed to be 1e-4, the probabilities of HEs (i.e. X2, X4 and X5) are calculated using extended CREAM method.

Abnormal situation handling tasks caused by basic events
When traditional FT is conducted, the basic events are analyzed first to determine whether they can introduce abnormal situation handling tasks in the process of man-machine interaction. When the basic event X1 "Radar altimeter failure" occurs, the pilot should fly with VFR. In addition, if the basic events X6 "Night flight" and X7 "No outside visual reference" also occur, the pilot cannot obtain altitude from the view. Then a new abnormal situation handling task (i.e. a communication task with ATC for altitude) is introduced. At the same time, the pilot should perform another dual tasks (i.e. subtask 3.1, task 4). Therefore, the new abnormal situation handling task will increase pilot's mental workload, and may lead to MWLOL. During these concurrent tasks, the MWLOL may lead to the abandonment of communication task with ATC, and then the helicopter crashes into the river due to perception failure of low altitude.

Mental workload analysis
The pilot performs subtask 3.1, task 4, and communication task simultaneously at that time. We calculate the task interference of these three time-shared tasks based on the extension of MRM, and implement FTA with the MWLOL gate. For these three tasks, priority is given to safe helicopter control (i.e. subtask 3.1 denoted 1 T ). The secondary task is searching and avoiding the airbus (i.e. task 4 denoted 2 T ). The communication task is an important but low-priority task because it is not urgent. Thus the communication task denoted 3 T is the third priority task. Each task is coded by the extent to which it depends on separate resources defined by 4 dimensions mentioned above, as shown in Fig. 1. The pilot performs 1 T following VFR. He views outside and controls the cyclic stick, collective pitch lever, and anti-torque pedals to maintain the rate of decent, propeller speed, course, and longitudinal trim. 1 T can be coded as: Perception: Visual Ambient (=1), Response: Spatial (=2). When performing 2 T , the pilot should do a conversational task with controller and search for the airbus to maintain visual separation. Task 4 can be coded as: Perception: Auditory Verbal (=1), and Visual Ambient (=1). 3 T requires the pilot to ask the ATC for altitude. Such task can be coded as Perception: Auditory Verbal (=1). Thus each task spawns a demand vector: 1 {0, 1, 0, 0, 0, 0, 2, 0} = d , 2 {0, 1, 0, 1, 0, 0, 0, 0} = d , and 3 {1, 0, 0, 0, 0, 0, 0, 0} = d . Then by querying Table 1, the resource-conflict scores can be obtained. The conflict matrix of 1 2 TT , 1 3 TT , and 2 3 T T is constructed respectively, as shown in Table 5-7.
5.7. MWLOL gate establishing 1 2 3 TI + + exceeds the threshold of 7, i.e., this task scenario actually leads to MWLOL. Performing 1 T , 2 T , and 3 T simultaneously requires a large number of cognitive resources that the pilot is unable to all provide. Based on the mechanism of MWLOL, the pilot will abandon the low-priority tasks until the total interference is less than 7. Thus the pilot will abandon 3 T and the total interference value of 1 2 TT is 6.8. The MWLOL gate can be established. As shown in Fig.8,   3 t denote the event that abandon 3 T .

Modelling FTA with MWLOL gate
Performing 1 2 3 TTT at the same time leads to the MWLOL, and then 3 T will be abandoned. Accordingly, the basic event X4 in Fig 7 i.e. "Pilot did not ask for altitude" is triggered. Therefore, X4 occurs not only due to omission, but also due to MWLOL. Then the event "Pilot did not ask for altitude" denoted as X4 becomes an intermediate event in the modified FTA, denoted as Gn. Gn can be triggered by MWLOL or operation omission, where MWLOL can be described by the MWLOL gate and the omission is basic event whose probability can be calculated by CREAM method. In addition, because the basic event "omission" is the same as the event "Pilot did not ask for altitude" in tradition FT, it is also denoted as X4 in modified FT for the purpose of comparative analysis between modified FTA and traditional FTA.
The traditional FT is modified by the MWLOL gate, and the modified FT is shown in Figure 9. X1, X6, X7, and X4 in traditional FT are independent, while X1, X6, and X7 trigger X4 when considering MWLOL. Through the MWLOL gate, such logic relationship is added explicitly to traditional FT, which is more helpful for analyzing the reasons of HEs and preventing the accident. 6. Results and discussions 6.1. Risk analysis of helicopter crash As shown in Fig.9, the FT of helicopter crash has been constructed with the MWLOL gate, whose top event is "Helicopter crash due to pilot perception failure of low altitude". The FT thus created is analyzed through evaluating MCS. The MCS are identified as follows: Based on the MCS above and the probabilities of basic events shown in Table 4, the probability of top event can be calculated by quantitative methods of traditional FT. In Fig. 9, the helicopter crash probability is 2.392e-5.
To identify the crucial basic events, we calculate and analyze their probability importance degrees as shown in Table 8. Comparing with the other basic events, X1 (Radar altimeter failure) is the most crucial event. This can be complained by the fact that the combination of X1, X6 (Night flight) and X7 (No outside visual reference) belongs to the MCS and X6 and X7 are high probability events. Therefore, the accident probability is sensitive to X1. X6 and X7 make pilot fly into actual instrument meteorological conditions. X1 combined with X6 and X7 will introduce pilot's communication task with ATC for altitude. Then the MWLOL lead to pilot's perception failure of low altitude and finally the helicopter crashes.
In addition, X3 (Communication equipment failure) and X4 (Omission) shall also attract more attention because these two events are relatively more crucial than the others apart f rom X1.

Comparison with the traditional FTA
As shown in Fig.7, the traditional FT of helicopter crash has been constructed. The MCS are identified as follows: Fig. 9 Modified FT of the helicopter crash accident

Analysis of MWLOL's contribution to helicopter crash
As discussed above, the combination of X1, X6, and X7 will introduce 3 T (pilot's communication task with ATC for altitude). 1 2 , T T , and 3 T are time-shared, which lead to MWLOL. Then 3 T is abandoned, and pilot cannot be aware of helicopter altitude information. Finally, helicopter crashes during descent stage due to pilot perception failure. The above man-machine interaction process is described through MWLOL gate. The logic relationship that X1, X6, and X7 trigger X4 is established and { } X1,X6,X7 belongs to MCS. Therefore, when considering MWLOL the helicopter crash is more likely to occur and helicopter crash probability increases from 1.897e-5 to 2.392e-5. In addition, X1 becomes more crucial, its importance degree increases from 6.84E-04 to 5.02E-02. If the helicopter flies with an inoperative radar altimeter, the top event probability in the modified FT with MWLOL gate is 0.0502. In addition, if this helicopter flies at night, the top event probability is 0.1002. Therefore, through MWLOL gate, the analysis shows that X1 is a weakness of the helicopter system especially flying at night.
If ignoring MWLOL, the importance degree of X1 is 6.84E-04, and the most crucial basic events will be regarded as X3 and X4. In addition, if the helicopter flies with an inoperative radar altimeter, the top event probability in traditional FT without MWLOL gate is 7.02e-4. Comparing with the results of modified FTA (i.e. 0.0502), such accident probability decreases significantly. The traditional FT cannot identify the true root causes of accident. Accordingly, it is impossible to take targeted measures to prevent accidents.

Validation and suggestions
For this accident, the NTSB determines that "the probable cause of this accident was the pilot's failure to identify and arrest the helicopter's descent, which resulted in controlled flight into terrain. Contrib-uting to the accident were the dark night conditions, limited outside visual references, and the lack of an operable radar altimeter in the helicopter." [27]. That is to say, the occurrence of X1, X6, and X7 leads to the pilot's perception failure and then results in helicopter crash. Such accident causes demonstrate the need to consider MWLOL and the effectiveness of the modified FTA Based on the results of modified FTA and the accident causes determined by NTSB, radar altimeter is a vulnerability of the helicopter system when flying at night because it is necessary to ensure altitude awareness when the helicopter flies into instrument meteorological conditions. Therefore, the radar altimeter should be pay more attention when performing aircraft inspection program. However, the radar altimeter is out of the FAAapproved Minimum Equipment List (MEL) and can be deferred for maintenance within 10 calendar days. In this accident, the maintenance logbook on January 10, 2005 included an entry for an inoperative radar altimeter. According to "MEL Items and Deferred Maintenance" section, the inoperative radar altimeter could be deferred for maintenance until January 20, 2005. Then the helicopter with an inoperative radar altimeter was allowed to perform flying tasks, and the inoperative radar altimeter lead to this accident. Therefore, when flying at night, the radar altimeter should be added to the MEL.

Conclusions
Effective risk analysis and accident prevention need analyze pilot mental workload to better understand human behavior in accident occurrence. In this paper, a MRM is introduced to analyze mental workload in risk analysis, and a MWLOL gate is first proposed to incorporate MWLOL into previous FTA methods combined with TA and HRA. The proposed risk analysis method modifies traditional FTA through the MWLOL gate, while it retains the analytical capability of traditional FTA. It provides a more in-depth risk analysis of manmachine system, and it can also assess the technical safety of machine system. In addition, the proposed method models the normal task and abnormal situation handling task as a whole, and analyzes all possible events to assess the risk of systems. Therefore, the risk analysis may be more comprehensive.
This modified FTA is successfully used to analyze accident for the first time. As seen from the case study, through the MWLOL gate, logic relationships among basic events due to the MWLOL in the process of handling abnormal situations are added to traditional FT. Comparing with the results of traditional FTA, the modified FTA obtains more rational MCS, important degrees of basic events, and top event probability, which are validated by a case study of helicopter crash in Maryland reported by NTSB. Last but not least, an insight of the causes of the helicopter crash accident in Maryland is gained and some suggests are given to prevent future similar accidents.