Why-Because Analysis (WBA) is a rigorous technique for causally analysing the behaviour of complex technical and socio-technical systems. Its primary application is in the analysis of accidents, mainly to transportation systems (air, rail and sea). It is also used in the Ontological Analysis method for safety requirements analysis during system development.WBA is based on a rigorous notion of causal factor. Whether one event or state is a causal factor in the occurrence of another is determined by applying the Counterfactual Test. The Counterfactual Test was proposed by the philosophical logician David Lewis in 1975, who credited David Hume (1770's) and has withstood detailed philosophical criticism since. During analysis, a Why-Because Graph (WB-Graph or WBG) is built showing the causal connections between all events and states of the behaviour being analysed. The completed WB-Graph is the main output of WBA.
The WB-Graph provides a rigorous causal explanation of the behaviour being analysed. However, mistakes may be made in constructing the WB-Graph, as with any human activity. To detect such mistakes, WBA provides a formal proof method which allows one to check whether the WB-Graph is correct and relatively complete. The formal proof method is based on the logic EL, a multi-modal logic based inter alia on Lamport's TLA and Lewis's Causal Logic. Most users of WBA do not feel the need to check their WB-Graphs using the formal proof procedures, but for those who do, it is there. WBA is the only accident analysis method with such a formal consistency/completeness check.
There is one-page description of WBA in German, and a short history (PDF) of WBA.
A two-day WBA training course is available. It consists of a WBA Tutorial, and participant hands-on exercises using the SERAS toolkit. The WBA Tutorial is one day, without participant exercises. The Tutorial has been given inter alia at the Safety@Siemens 2000 conference in Munich, and at Siemens Transportation Systems in Braunschweig. The WBA training course in its present form has been given three times in Australia in 2004 under the auspices of the Australian Safety-Critical Systems Club and twice in 2005 under the auspices of the Australian Aviation Psychology Association and the Civil Aviation Safety Authority, as well as to industrial clients in the transportation industry in Europe. Contact Peter Ladkin.
The output of a Why-Because Analysis is a Why-Because Graph. If the method is objective, it should be the case that different WB-Graphs prepared by different groups for the same incident should be very similar. The question arises how one can formally assess similarity of WB-Graphs.
Examples of Why-Because Analyses are available from RVS and other sources. We list some publically available examples:
The material below consists of scientific work on WBA performed in the RVS group before 2005.
A very detailed description of the WBA process was prepared by Thilo Paul-Stüve, based on his hierarchical task analysis (HTA) of WBA, which appeared in his Diplom (former equivalent to Master's) thesis in the RVS Group. Our experience is that this is too detailed to use as an introduction. It includes
We have a suite of software tools, based extensively on open source software, which aid in the construction and display of WB-Graphs. The suite is known as the WB-Toolset. The WB-Toolset currently comprises
YBEdit is a layout and display software written in Tcl/Tk which uses the Graphviz layout engine and graph manipulation software from AT&T Labs. It incorporates a point-and-click-based GUI which displays the WB-Graph being built in real-time.
VDAS is a lightweight archiving software written in Java. It is used to archive and store the WB-Graphs built with YB-Edit, and supplies version control and common-access control for cooperative work on a WB-Graph.
YBFactor is an input GUI for entering the key events and states, and information about them, which are anticipated to play a causal role in the WB-Graph. It is written in Java.
YBTimeliner converts a WB-Graph whose labels are annotated with the keywords TStmp and Actrs into a timeline showing the sequence of (punctual) events in an incident, along with the participants in each event, in an HTML format. YBTimeliner is written in PERL.
The WB-Toolset is currently implemented on a "black box", YB-CSS, a small bare-bones PC running the operating system NetBSD. YB-CSS is a server which provides the WB-Toolset to up to five individual PCs running the freely available VNC client terminal emulation software. Because the only interface to a local area network or client computers is via VNC, there are virtually no important security issues with use of YB-CSS in this architectural configuration.
Events in WB-Graphs built using the WB-Toolset may be annotated with both time of occurrence and participants, in the node label, via the keywords TStmp and Actrs, to produce a timeline of the salient events. At present, only punctual times may be included. States, which generally occur over periods and not punctually, are not yet represented. As an example, we show an annotated version of the Glenbrook Specific-Causes Why-Because Graph and Timeline produced directly from it by the YBTimeliner software.
The following literature and software appeared previously on the WBA home page in 2000. Some of it may be outdated; some of it represents research directions not taken. We can't take them all - please feel free to take this stuff and do interesting new things. And please also tell us about it!
Bernd Sieker, RVS-Soft-06, 28 June 2001 [ Service ]
This tool analyses CIDs, presented as CI-Script input files, and generates a fault tree in Postscript from the CID. Its function is described in the document RVS-Occ-01-04, How to Generate Fault Trees from Causal Influence Diagrams, by Peter B. Ladkin, Bernd Sieker and Joachim Weidner [Abstract | PDF Version (333K) | Postscript Version (705K)].
We offer this tool as a WWW service. The WW user must write the CI-Script input file. The service will prompt the user for the file name, and return the completed fault tree as a postscript file to the user.
Michael Höhl, Bernd Sieker, RVS-Soft-05, 21 June 2000, modified
1 July 2001
[ Service ]
This tool produces Postscript Causal Influence Diagrams, from input presented as CI-Script. Its function is described in the document RVS-Bk-00-01 Notes on the Foundations of System Safety and Risk, by Peter B. Ladkin [Abstract | PDF Version (1.65Mb) | PS Version (7.83MB)]
We offer this tool as a WWW service. The WW user must write the CI-Script input file. The service will prompt the user for the file name, and return the completed fault tree as a postscript file to the user.
Michael Höhl, RVS-Soft-04, 2 April 1998 [ Manual | Service ]
wb2dot is a tool for converting WB-Graphs written in textual ASCII form (in EBNF) automatically into (pictorial) graphs. There is a parser for the textual WB-Graph which feeds into the graph layout mechanism, which is the dot tool, part of the graphviz suite from Bell Labs. The Manual describes the tool.
Also available is the wb2dot Service which allows people to use wb2dot remotely. The service offers a CGI interface, which asks for the filename (pathname) of a textual-WB-graph source file on the user's machine, reads it (make sure the permissions are set!), then processes it on our WWW server here, and returns to the user's browser an HTML page containing details of the run (including any error messages) along with a link to download the postscript file containing the pictorial form of the graph which was generated.
Just what it says - this paper explains the steps in a Why-Because Analysis of a complex behavior, and illustrates the core idea, the WB-Graph Method, as well as explaining why formal verification of the WB-Graph is often important as well.
Postscript versions of Why-Because Graphs for various incidents we have analysed, generated using the tool wb2dot from analyses written in WB-Script. A postscript viewer with zoom capability is required, since the graphs are compact.
Abstract: This thesis introduces the Why...Because Analysis (WBA) method of explaining failures causally. From a brief history of an incident, WBA first aims at inquiring after and identifying the significant acts/states/events/non-events that partake in a causal explanation, and then proving rigorously in the formal logic Explanatory Logic (EL) that the explanation found is correct and relatively sufficient. WBA along with formal proof in Lamport's hierarchical style is presented by means of a small running example. (G-ZIPped PS, 501K
The main idea of WB-analysis comes from a formal semantics for causation, explained by the philosophical logician David Lewis in 1973. Ladkin used the Lewis semantics first to clarify the causal factors involved in two aircraft accidents in
He showed that application of the Lewis criterion led to a structure that could be represented as a graph, called in that essay the causal hypergraph, now know as the WB-Graph. It was observed that logical connections fulfil the Lewis causality criterion also, although a logical implication between statements is not normally regarded as having anything to do with causality. Also, some instances of causality in the behavior machines is `traditionally' analysed by using logical inference from a specification of the machine and of the various states of the machine at the time events happen, using the assumption that the machine fulfils its specification. For these reasons, the Lewis relation could be seen as involving explanatory features which did not seem to be purely causal. The name WB-Graph (Why...Because...Graph) was thus suggested by Everett Palmer of NASA Ames to be more appropriate.Two survey papers reviewed the analysis method and results as of 1998.
is informal, and was written for the biannual Research Magazine of the University of Bielefeld in early 1998. A more technical survey article isPapers describing some analyses from 1997-8 are:
The WB-analysis is primarily concerned with analysing causality. The input to the causal analysis is therefore taken to be the list of events, states and processes (short coherent sequences of actions and states that do not need to be analysed into components) stated in the accident reports. The Lewis criterion is applied to these pairwise to obtain the WB-graph in, first, a textual form and then (automatically or by hand) in graphical form. The textual and graphical form can be generated automatically from the individual judgements of causal factors, as shown in
It is important to distinguish the purely temporal factors of an accident sequence from the causal factors that are part of its explanation. Some attempts to formalise causality have conflated them, and try to formalise the causal reasoning in a pure temporal logic. We do not believe this can work. A critique of one attempt to do this may be found in an early paper
and a general critique of other attempts, and some principles on which they appear to be based, may be found in Our view of how temporal logic enters into accident histories and analysis, and how the `standard' temporal logic for reactive systems should be thereby modified, may be found inMore than just observable causal factors come into play when analysing an accident. One must be able to identify causally significant non-events, and to incorporate information about the procedural and regulatory context in which process leading to the accident developed. Palmer and Ladkin have developed a method of inferring the causal significance of non-events, based on comparing the observed events and states with standard operating procedures and observing where those procedures were not adhered to (in An Analysis of `Oops', to appear). Non-events are added to the state/event/process list to represent events that should have happened but didn't. We expect a similar technique to work for more general deontic contexts, such as regulatory matters and managerial oversight, Reason's latent error types.
Furthermore, there are occasions when deontic considerations conflict with the purely causal analysis. An example was noted in
We have observed that all accident reporting depends upon a closed-world assumption (CWA), namely that all the relevant facts are those we know plus those we know are missing. An investigation is considered to have gathered all the facts when we know what we know and we know what we don't know. An explanation based on this collection of facts and missing-facts may be incomplete (as when certain facts obviously lack a causal explanation - the causes are thus missing-facts), but it is not non-monotonic. If one is lacking part of an explanation, the explanation itself does not have to be revised when missing facts are discovered later. However, for many if not all accidents, it is in principle possible that certain events that are not considered plausible and are not easily traceable could in fact have happened, and have led to the accident. The supposition that there are no such abnormal events is equivalent to the CWA. It is a supposition, and the possibility is always there that it may be shown to be incorrect by further evidence. This plausibility criterion, the CWA, thus leads to non-monotonicity. While incompleteness is accomodated within the WB-method as it now is, non-monotonic features of the reasoning are not yet explicitly accounted for.
The paper