A New Accident Analysis Method Based on Complex Network and Cascading Failure

Anew accident causationmodel is proposed for accident analysis based on the complex network theory. By employing the cascading failure scheme, a new accident investigation method is performed on the associated new model, by which we can reveal key causation factors and key causation factor chains that lead to the final accident. The efficiency of a network is introduced for evaluating the severity of the damage of the whole network and hence the severity of the accident if it happens. All these can provide the government or associations with recommendations for accident prediction and prevention.


Introduction
Accident causation models are tools to describe scenarios for accident occurrences, explain possible causation mechanisms of accidents, provide conceptual or theoretical basis for accident investigation methods, and hence give evidence to formulate specific recommendations for accident prevention.As a fundamental but essential task of accident analysis, the modelling of accident causation mechanisms has concentrated great interests of researchers and engineers in many fields, especially in those high-risk industries such as aviation, nuclear plants, and railway system.As Svenson [1] has stated that "an accident can be explained in different ways depending on the accident analysis model that is used, " different models focus of different aspects on the accident occurrences and provide different recommendations for improving measurements.
To get a clear understanding of the accidents, a number of different accident causation models have been proposed, which can be roughly divided into three major groups according to Hollnagel's classification [2].The first group, also the earliest one, is termed as the "sequential accident model" [3], with the well-known Domino theory [4] as a typical example.In this group of models, accidents are regarded as a one-dimensional sequence of events that happened in a specific order.The second group is called the "epidemiological accident model" [5], in which accidents are regarded as analog to the spreading of epidemiological diseases, with the Swiss Cheese model [6,7] as a major contribution to this group.The third group, also known as the most modern one, is the "systemic accident model" (e.g., see [8][9][10][11]), in which accident processes are described as a complex and interconnected network of events rather than a simple causeeffect chain of events as in the first two groups.Rasmussen's [11] risk management model and Leveson's [10] STAMP (Systems-Theoretic Accident Model and Processes) model are two notable examples in the third group which endeavored to model the dynamics of complex sociotechnical systems of accidents.
With the rapid development in technology and automation, the underlying sociotechnical systems are becoming more and more complex and of high risk.This motivates us to tailor more powerful accident causation models to capture the complexity of the highly technological systems from a broad systemic view for understanding characteristics of accidents.
Mentioning that causation factors and their relationships for accidents are always complex in terms of uncertainty, randomness, abstractness, fuzziness, and other properties, it would be a nice try to employ the complex network theory [26][27][28] to reveal the involved complexity in accidents causation analysis.The primary purpose of this paper is to construct an accident causation network for causality analysis based on the complex theory.With the influence or relation between accident causation models and accident investigation methods as mentioned above, we apply the cascading failure scheme to characterize the process of the accident occurrence performed on the proposed model as an investigation approach.Together with the help of the network efficiency of the underlying accident causation network, we can evaluate the injury severity of the whole system with unexpected disturbances from technical, human, social, organizational, and environmental aspects of the whole system.
This paper is organized as follows.Some selected fundamental concepts in complex network are recalled in Section 2. The new accident causation network model is constructed in Section 3, and the cascading failure scheme is applied to characterize the evolution of the proposed causation network in Section 4. Simulation based on our proposed accident causation analysis method is described in Section 5. Conclusions are drawn in Section 6.

Basic Concepts in Complex Network
The complex network is a graph with complex topological features that may not occur in simple networks such as lattices or random graphs but often occur in real graphs.The study of complex networks has attracted great interest inspired largely by the empirical study of real-world networks such as computer networks and social networks.In mathematical terms, a network is represented by a graph.A graph is a pair of sets (, ), where  is a set of  nodes (or vertices) V 1 , V 2 , . . ., V  and  is a set of edges (or links) that connect two elements of .Graphs are usually represented as a set of dots, each corresponding to a node, two of these dots being joined by a line if the corresponding nodes are connected.Usually, we use (V  ) to denote the set of all nodes in  that are connected to node V  .A path in a graph is a sequence of edges which connect a sequence of vertices.The shortest path length of two nodes is defined as the smallest number of edges that connect these two nodes.
The shortest path length of nodes V 1 and V 2 is 1. Figure 2: Illustration for the random network with probability  = 0.15 for every pair of nodes being connected: Figure 1 shows an illustration of a graph with  = 5 nodes and 6 edges.With the complexity of real networks, the edge sets are sometimes not determined, which means there are some pairs of nodes with a random or uncertain link, such as the random network shown in Figure 2 with probability  = 0.15 for every pair of nodes being connected [29].To distinguish the adjacent nodes with deterministic connections and those with probability less than 1, we use Ñ() to denote the set of all nodes in  that are connected to node V  with probability less than 1.

Accident Causation Network
Causation factors and their relationships for sociotechnical system accidents are always complex with uncertainty, randomness, abstractness, fuzziness, and other properties.For example, the relation between two causation factors Table 1: Causation factors of the 7.23 China Yongwen railway accident [30].

Ministry of Railways
A1: seek quick success and benefits; A2: week management and incomplete rule standards; A3: unclear job responsibilities and functions; A4: inadequate inspection and supervision for Shanghai Railway Bureau.

Department of Technologies, Foundation
Department, Science and Technology Division CRSC B1: lack of careful supervision on the bidding of the equipment in Hening-Hewu Yongwen line train control center; B2: poor management of the operation on new products; B3: not enough examination of the LKD2-T1; B4: without clear regulations on the technical review; B5: no valid or regular technical prereview on the equipment LKD2-T1 for train control center; B6: illegal approval from the Science and Technology Division approved to use the LKD2-T1; B7: inadequate inspection and supervision of the quality management by CRSC; B8: little supervision or inspection from CRSC who fully transmit the project to the local design institute; B9: cursory decision on the bidding for the Hening-Hewu line control equipment; B10: unware of the illegal change of version of the train control center equipment in Hefei station.
Shanghai Railway Bureau and the signaling design institute C1: not enough safety education and training; C2: not sufficient inspection and supervision; C3: not sensitive safety awareness; not efficient measures to avoid or alleviate the accident; C4: not appropriate accident handling; C5: unwise decision on update of the LKD2-T1; C6: lack of the technical review on the development of the equipment for train control center; C7: lack of responsibility on scientific research management and inefficient control and supervision of the local companies on the product quality.
Vehicle depot, electricity depot, engineering system and train control institute D1: poor travel management and emergency handling; D2: not efficient supervision on the safety production management and train service work; lack of supervision to Wenzhou south station; D3: poor supervision on the dispatching institute and the vehicle depot system; D4: insufficient education and training for the staff; D5: lack of job responsibilities of the electricity emergency management; D6: cursory design of the equipment LKD2-T1; D7: poor equipment research and development management in the train control center; D8: the redesign of the equipment LKD2-T1 by the train control institute.
The attendants' behaviors and process E1: failure of following further situation of red band by the dispatcher in Shanghai Railway Bureau ; E2: careless monitoring on the situation of D3115; E3: no reminder of the emergency to D301; E4: no in time contact with the D301 driver; E5: no record of the circuit failure of the 5829AG; E6: no record of the replacement of some equipments of the track circuit besides 5829AG; E7: illegal behaviors; E8: the mistake to inform D3115 to switch to the visual driving mode if the signal was red; E9: D3115 stopped by the ATP; E10: D3115 failed to drive in visual mode 3 times; E11: D3115 failed to report to the dispatcher; E12: D3115 switched to the visual driving mode but still in the 5829AG; E13: D301 left Yongjia station; E14: D301 rear-ended D3115; E15: illegal to open the protection net for work.

Equipment and environment
F1: the damage of 4 sender boxes; F2: the damage of 2 receiver boxes; F3: the damage of 1 attenuator; F4: the fuse of F2 in LKD2-T1; F5: the design flaw in PIO of LKD2-T1; F6: the activation of ATP on the D3115; F7: thunder strike; F8: failure of the ATP on D301 which did not take any action; F9: the reduction of CAN total resistance; F10: unavailable communication between 5829AG and the train control center; F11: wrong displays on the terminal; F12: abnormal track circuit signal; F13: a red band; F14: wrong signal which maintained green for the faulted track section; F15: the sending of the unoccupied signal to D301.might be related under some special circumstances which can be regarded as a dash-line edge between them in the network with some associated conditional probability.This might be a clue for us to employ the complex network to characterize this complex system.We call this model the accident causation network, which can be viewed as an undetermined graph consisting of nodes connected by edges with the nodes and edges representing those causation factors and their possible causal or relevant relationships, respectively.
In order to get a relatively comprehensive and complete extraction of causation factors and their relationships to construct this railway accident causation network, we can employ some classification approach for specific accidents.We take the 7.23 China Yongwen railway accident as an example to illustrate the proposed accident causation network.By utilizing Rasmussen's hierarchical sociotechnical framework [11], causation factors of the 7.23 China Yongwen railway accident are distributed into the following six hierarchies: the ministry of railways, the Railway Bureau, train control center, train dispatcher, train drivers, and driving environment including line environment and the natural environment, as presented in Table 1.
Evidently, the above classification approach covers causation factors with respect to human, equipment, environment, and organizational management, which form a complex system.Figure 3 shows the causation network of Yongwen railway accident which happened in July 23, 2011, in China.

The Accident Cascading Failure Process
From the systemic theory perspective, any accident can be regarded as a result of a series of unsatisfied constraints or factors which are out of control.These failures or incidents can be spread and might eventually lead to an accident.In this  regard, the failure cascading scheme might be applicable to characterize the evolution process on our proposed accident causation network.With some unexpected disturbances in the system, this network will be evolved to a determined network or graph, which might lead to an accident.The cascading scheme for accident analysis based on the proposed accident causation network is elaborated as follows.Let () be the graph of the underlying accident causation network at time ,  = 0, 1 . .., and  is the number of nodes (i.e., the number of possible causation factors) of the network.For any  = 1, . . ., ,   () is the load of node  at time  and   :=     (0) is the tolerance of node .For any distinct  and ,   () denotes the efficiency between nodes  and  at time  with   (0) = 1.When the load of node  exceeds its capacity, that is,   () >   , that is, the constraint at this node fails to hold, then the associated efficiency between node  and any other node  will be reduced.Assume that it evolves in the following simple manner: Define the efficiency of the whole network at time  as It is trivial that if any failure or incident happens in some nodes, this efficiency will be reduced.Therefore, this quantity can, to some extent, indicate how badly the underlying accident causation network is damaged at any time .Moreover, it could provide an index for defining the severity level of the accident if it finally happens.There are some basic assumptions involved.Assumption 1.Let node  be defined as the accident indicator with the meaning that the accident happens at time  if   <   ().The evolution stops once the accident happens.
Assumption 2. Each node has its shortest path length to node  as its capacity, and the load evolves in the following manner with equal spreading loads: with   () = { ∈ Ñ () :   <   ()}, Ñ () being the set of all adjacent nodes which are connected to node  with dashed line at time .
Assumption 3.Each node  with   <   () will have solid lines to its adjacent nodes after time .
See Figure 4 as a simple illustration for the evolution of an accident causation network.
From the previous assumptions, we can find that if node  is out of control at time , that is,   <   (), then it will affect all its adjacent nodes at time  + 1 since the corresponding conditional probabilities increase.These growing loads will add the burden of its adjacent nodes and might lead to cascading failures or even accident in the future.For example, in Figure 4, if node 9 is the accident indicator, then the accident happens at time  = 5 with an original attack on node 2.
Assumption 1 provides a direct way to predict an accident by calculating the load   ().In this case, we can analyze key causation factors for accidents by testing each failure node in terms of the occurrence of accidents.Specifically, if only node  fails at the beginning and it leads to the failure of node  according to the above revolution rules, then it is reasonable to say it is a key causation factor for the final accident.Those paths formed by failure nodes to the accident node during the whole cascading process are called the key causation chains.In Figure 4, node 2 is a key causation factor and the corresponding key causation chains are 2-1-3-8-9

2-5-9
Denote  be the  ×  matrix with all entries 1 and   be the  ×  matrix with its th and th entries 1 and 0 elsewhere.For any  ∈ {1, . . ., } and any time , define , if   <   () for some  ≤ , 0, otherwise. ( By direct calculation, we can obtain the evolution formulas for the efficiency of the network at each time period as follows: where sgn(⋅) is the sign function, tr(⋅) is the trace operator of matrix,   () is defined as in ( 4), and  is the identity matrix.This could provide a way to quantify the accident severity level in terms of the corresponding efficiency matrix which can be calculated as in (5).

A Case Study
The "7.23" Yongwen railway accident is chosen as a case study here to test the efficiency of our proposed accident causation model-method.Based on its accident causation network as constructed in Figure 3, we perform our cascading evolution process as follows.
Step 1.The capacity or tolerance of node  is chosen as the shortest path length   of node  to node E14 (the accident indicator) for simplicity, which is shown in Table 2 by direct calculation.This assumption is reasonable since the further the factor away from the accident indicator, the less impact (or more robust) of leading to the accident.
Step 2. The initial load for each node is chosen as   (0) = (1/2)  ; that is,   = 2 for each  = A1, . . ., F15.It is realistic to choose a normal and safe state as a start.
Step 3. Disturbances Case I (4 times of the capacity).( 1) Take the hub node F14 as the first attacking point with the attacking load 8 (4 times of its capacity) at time  = 1.The evolution process is performed as follows.
= 1.Attacking the hub node F14 with a load 8: = 2. Changing all dashed lines connected to F14 to solid: = 3. Changing all dashed lines connected to E12, E13, and F8 to solid: The evolution stops at time  = 3 by Assumption 1 since the accident happens.By (3), the efficiency of the whole network turns out to be ((3)) = 0.93.The load distributions of each vertex in the whole process are illustrated below.For simplicity, nodes A1 to F15 are renumbered as 1 to 59 in Figure 5 and similarly in Figures 6, 7, and 8.
(2) Take the natural environment node F7 as another attacking point with the load 40, which is also 4 times of its capacity. = 1.Attacking node F7 with a load 16: = 2. Changing all dashed lines connected to F7 to solid: The evolution stops at time  = 5 by Assumption 1 and the efficiency of the whole network turns out to ((5)) = 0.77.
The load distributions of all vertices in the whole process are illustrated in Figure 6.
Case II (10 times of the capacity).( 3) Take the hub node F14 as the attacking point as a load 20 (10 times of its capacity) at time  = 1, which largely exceeds its capacity.Similar to case I, the evolution process can be described in Figure 7.The load distributions of each vertex in the whole process are illustrated in Figure 7.
(4) Take the natural environment node F7 as another attacking point with the load 40, which is also 10 times of its capacity.Similarly, we can obtain the following load distributions of the whole evolution process.
From the analysis for case I, it indicates that F14 is a key causation factor to the accident with respect to a 4 times capacity attack, with the efficiency loss 0.07, while for the same severity of attack on F7, the accident indicator will not get a heavy load larger than its capacity, which means that the accident will not happen.This tells us that, with a 4 times attacking load, node F7 could not be a key causation factor for the occurrence of the accident.This is reasonable since the thunder strike (F7) might be a trigger and may play a role in the 7.23 Yongwen accident but is not essential, while the equipments' failure (F14) is the key causation factor.However, with the analysis of case II, it is also worth mentioning that, with bad natural disasters, such as hurricanes or earthquakes, which result in a super heavy attacking load, the environment factor would turn to a key causation factor as well.Meanwhile, from the comparison of cases I and II, it is easy to see that the heavier the attack is, the larger the efficiency loss is, and hence the higher severity the accident is.On the other hand, as we can find in cases (1), (3), and (4), the involved key causation chains contain E8, E12, and E13 which are all related to the control flaws of the train operation system.This tells us that more attention should be paid to the control flaws to prevent or encumber the spreading of cascading failure which is essential to the accident occurrence.
It is known that nodes with large degrees play an important role in the cascading failure for a network.Thus, those nodes with largest degrees in each level are chosen, and their critical loads to lead an accident by means of the proposed cascading failure scheme are calculated.To characterize their sensitivities and also for the sake of comparison, the ratio of  the critical load to the capacity of each of them is illustrated in Figure 9.
As we can see in Figure 9, E6 and F14 possess small ratios, which means that they are quite sensitive for the accident occurrence with a small attacking intensity.Thus, it is important to prevent failures made by the related staff and also the control equipment.In contrast, A1 and C5 have relatively large ratios.This tells us that the culture of seeking quick success and benefits in the ministry of railways and the unwise decision on update of the LKD2-T1 are not that sensitive, but they do have effect on the accident.With any attacking intensity larger than their corresponding ratios, it will lead to an accident in the cascading failure process.Thus, it is urgent to build a healthy, safe, and sustainable culture for the railway development in China, and the design of the equipment must enforce the safety constraints in face of an environment disturbance or other factors' failure.

Conclusions
In this paper, we have introduced an accident causation network model based on the complex network theory.By utilizing the cascading failure scheme, the evolution process of the proposed causation network has been described and key causations of accidents have been explored and analyzed.Based on some reasonable assumptions, the sensitivities of some important key causation factors for accident occurrence are characterized and compared.The severity of the accident has been characterized via the network efficiency of the evolved network quantitatively as well.It is worth pointing out that the accuracy of the method can be greatly improved by a relatively comprehensive and complete extraction of causation factors and their relationships for the causation network construction and by the expert knowledge and reliable statistical results for the cascading failure process.Approaches to improve the accuracy desire further investigation which is our future research topic.

Figure 3 :
Figure 3: The causation network of the 7.23 China Yongwen railway accident.

Figure 4 :
Figure 4: Illustration for the evolution of an accident causation network.

Figure 5 :Figure 6 :
Figure 5: Load distributions of the evolution process in Case I(1).

Figure 7 :Figure 8 :
Figure 7: Load distributions of the evolution process in Case II(3).

Figure 9 :
Figure 9: Ratios of critical loads and capacities.

Table 2 :
The shortest path length   of every node to the E14.