Ueberlingen Final Report

7/30/2019 Ueberlingen Final Report

1/46

Final Report:

Review of the BFU berlingen Accident Report

(Version 1: 17/12/2004)

Contract C/1.369/HQ/SS/04

Overview of the Project

This project reviews the BFU report into the berlingen Accident. The analysis concentrates on the BFU report andinvestigation. However, additional references are made to EUROCONTROL and other external recommendations, especiallyin the area of safety Management Systems. The aims of this work are to: 1. to show how the existing recommendations relateto the root causes identified in the existing report. 2. to use recognised accident analysis techniques to identify additional

recommendations that might be derived from this accident. 3. to review the existing BFU report and the Swiss governmentinvestigation into the associated safety management systems to extend the scope of objective (2).

Executive Summary of the Final Report

Technical Report A: The existing BFU report focuses on issues surrounding the coordination of aircrew responses to TCASadvisories in the face of possibly conflicting instructions from Air Traffic Service personnel. It also provides a thoroughaccount of safety management issues surrounding the staffing and operation of the Zurich ACC during major maintenance andupgrade operations. In contrast, the analysis in this report looks beyond the operating environment in the Zurich control roomon the night of the accident. Greater emphasis is placed on adequate preparation for what was extensive technical proceduresthat deprived the controllers of necessary support and created an error inducing environment. In particular, the BFU report

provides few insights into the risk assessment procedures that should be used before any similar upgrades should be attemptedin the future.

Technical Report B: This second part of this document builds on the findings mentioned above. In particular, it goes on tolook at the role that Safety Management Systems played in the accident. We concur with the BFU that the Swiss authoritieshad well-documented procedures and principles that would encourage the development of a sound Safety ManagementSystem. These principles were in accordance with ICAO and EUROCONTROL guidelines. However, the Swiss ATMorganisations lacked the experience and the personnel to implement those procedures. Partly as a result of this opportunitieswere missed to learn from two AIRPROX incidents that had similarities to the events before the berlingen accident. Anumber of additional recommendations are presented in this report that build on those recommendations already provided inTechnical Report A. The report closes by analysing the insights that the accident provides for the recent guidance published onSafety Management Systems in ATM operations by EUROCONTROL, Transport Canada and the US FAA.

Prepared by:

Prof. Chris Johnson217, Wilton Street, North Kelvinside, Glasgow, G20 6DE, Scotland, [email protected] (Email), +44 141 330 6053 (Tel.), +44 141 330 4913 (Fax)


2/46

C.W. Johnson, Final Report: RFQ/137/04 Review of the BFUs berlingen Accident Report

- 2 -

Technical Report A:

Incorporating Deliverables 1 and 2

(Version 1: 15/12/2004)


Executive Summary of Technical Report A

The following pages provide the first deliverable from this project. They document the output from an initial analysis of theBFU report. The investigation began by first constructing a more detailed timeline of the events leading to the collision, fromthe perspective of both crews and the Radar Controller who was operating the position in Zurich ACC. This involved thecompilation of additional details beyond the high-level summary that is provided in Appendix 2 of the BFU report. Once thistimeline had been compiled, it was used to generate more complex Events and Causal Factors charts. These focussed on theinfluences that helped to shape the controllers interaction with the aircrews and with neighbouring centres during the crucialminutes before the collision. Our analysis identified a number of minor ambiguities and inconsistencies in the Englishlanguage version of the report. It also extended the scope of the BFU investigation. The existing report focuses on issuessurrounding the coordination of aircrew responses to TCAS advisories in the face of possibly conflicting instructions from AirTraffic Service personnel. It also provides a thorough account of safety management issues surrounding the staffing andoperation of the Zurich center during major maintenance and upgrade operations. In contrast, the analysis in this report looksbeyond the operating environment in the Zurich control room on the night of the accident. Greater emphasis is placed onadequate preparation for what was extensive technical procedures that deprived the controllers of necessary support andcreated an error inducing environment. In particular, the BFU report provides few insights into the risk assessmentprocedures that should be used before any similar upgrades should be attempted in the future.

Prepared by:Prof. Chris Johnson217, Wilton Street, North Kelvinside, Glasgow, G20 6DE, Scotland, [email protected] (Email), +44 141 330 6053 (Tel.), +44 141 330 4913 (Fax)


3/46


- 3 -

Introduction

In the EUROCONTROL Strategic Safety Action Plan (SSAP) framework, informal and more formalreviews of the BFU berlingen Accident Report have been carried out in order to identify safetyimprovement that might not have emerged from the initial investigation. So far, few additional

recommendations have been identified. This report, therefore, represents the first set of deliverables froma detailed review of the BFU report by an independent team of accident investigators. The key objectivesfor this study are:

1. to show how existing recommendations relate to root causes identified in the existing report. The mainfocus will be to use Events and Causal Factors diagrams to draw out the root causes from the report and thento relate them to the recommendations. This choice of this method is justified because it provides relativelyaccessible diagrams that can readily be inspected to trace the information in the report back to particularrecommendations. EUROCONTROL has used similar diagrams to model human error and systems failure inATM incidents, for example in HUM.ET1.ST13.3000-REP-02 Human Factors in the Investigation ofAccidents and Incidents.

2. to use recognised accident analysis techniques to identify further recommendations from this accident. The ECF model developed in the previous stage of analysis can also be used to help identify additionalrecommendations. This will be done using the associated reasoning techniques that are part of this method.Additional root causes can be identified by examining each element of the diagram and asking whether or notthe accident could have been avoided if that event had not occurred. If the answer is yes then the event orcondition becomes a candidate for further inspection.

3. to review the existing BFU report and other reports into this accident dealing with the associated safetymanagement systems to extend the scope of objective (2). This final stage of the project will look moreclosely at the findings from the second stage of analysis. Rather than focussing on the BFU report alone,this stage will look at the wider investigatory process in the context of SMS development and will refer toinvestigatory practices in other countries. In particular, comparisons will be drawn with the FAA andCanadian TSBs guidelines on SMS development.

There are three deliverables associated with this project. Each represents the output of one of the stages identifiedin the previous section. The first is to deliver an analysis of the mapping from recommendations to root causes inthe BFU report. The second is to identify appropriate additional recommendations. The final deliverable is areport documenting each of the previous two subtasks and linking the information described in (1 and 2) toassociated work on safety management system guidance within ATM. As mentioned, this document providesthe first two of these three deliverables.

The BFU report into the berlingen collision identified a number of immediate causes for the accident.These can be summarised as follows, all page numbers in the remainder of this report refer to the officialBFU English language translation of the original German report:

(Immediate Cause 1) The imminent separation infringement was not noticed by ATC in time. Theinstruction for the TU154M to descend was given at a time when the prescribed separation to theB757-200 could not be ensured anymore. (BFU page 112)

(Immediate Cause 2) The TU154M crew followed the ATC instruction to descend and continuedto do so even after TCAS advised them to climb. This manoeuvre was performed contrary to thegenerated TCAS RA. (BFU page 112)

In addition, the BFU also identified a number of less immediate systemic causes:


4/46


- 4 -

(Systemic Cause 1) The integration of ACAS/TCAS II into the system aviation was insufficientand did not correspond in all points with the system philosophy. The regulations concerningACAS/TCAS published by ICAO and as a result the regulations of national aviation authorities,operational and procedural instructions of the TCAS manufacturer and the operators were notstandardised, incomplete and partially contradictory. (BFU, page 112)

(Systemic Cause 2) Management and quality assurance of the air navigation service company did

not ensure that during the night all open workstations were continuously staffed by controllers.(BFU, page 112)

(Systemic Cause 3) Management and quality assurance of the air navigation service companytolerated for years that during times of low traffic flow at night only one controller worked and theother one retired to rest. (BFU, page 112)

The first stage of our analysis was intended to determine the relationship between this causal analysis and the 19recommendations that were presented in the BFU report. Table 1 provides an overview of the results from aninitial analysis. It also documents the organisations that each recommendation was directed at. Most of therecommendations are directly related to the immediate and systemic causes identified in the BFU report. Forinstance, the recommendation 18/2002 made to the ICAO on 1 st October 2002 relates to changes in therequirements of Annex 2 and 6 and the PANS-OPS documentation to ensure that pilots follow TCAS advisorieseven in the face of conflicting information from ATM officers. This clearly addresses immediate cause 2 in whichthe crew of the TU154M descended contrary to the TCAS RA. It can also be argued that this recommendationstems from systemic cause 1 that the integration of ACAS/TCASII into the system aviation was insufficient.

Similarly, from an ATM perspective recommendation 02/2003 issued on the 21st July 2003 required the SwissFederal Office for Civil Administration ensure minimum staffing levels at Zurich ACC. This addressed immediatecause 1, that the separation infringement was not noticed by ATC in time. It also addressed systemic cause 2, themanagement and quality assurance of the air navigation service company did not ensure that during the night allopen workstations were continuously staffed by controllers. Finally, this recommendation also addressessystemic cause 3 identified in the BFU report, the management and quality assurance programmes tolerate foryears that during times of low traffic at night only one controller worked and the other retired to rest.

However, several of the recommendations do not relate directly to either the immediate or systemic causesidentified in the BFU report. This can be explained in a number of ways. For instance, Recommendation 09/2004focuses on the need to improve audio recording of a controllers workstation to support accident investigation.Similarly, 13/2004 urges the Swiss Federal Office for Civil Aviation to meet the EUROCONTROLrecommendations for data capture and the reconstruction or replay of adverse events and near miss incidents.Such recommendations cannot be directly related to the causes of the accident but are formed in response toproblems during the investigation itself.


5/46


- 5 -

Reference andDate

RecommendationTo

Summary of Recommendation CauseAddressed?

18/2002(1st Oct. 2002)

ICAO Changes to Annex 2 and 6 and PANS-OPS to requirepilots to follow TCAS advisories.

Immediate 2,Systemic 1

01/2003(21 July 2003)

Swiss Federal Officefor Civil Aviation

Dissemination of information about and planning ofmaintenance work on ATC system (NB, no explicitmention of risk assessment)

02/2003(21 July 2003)


Ensure minimum manning levels in ACC Zurich Immediate 1,Systemic 2,Systemic 3

03/2003(21 July 2003)


ATC personnel to be trained in theory and simulation ofemergency procedures.


06/2004(19 May 2004)

ICAO Annex 2, 6, PANS clarification of pilots responses toACAS resolution advisories (RAs).


07/2004(19 May 2004)

ICAO Improve pilot education and training to increaseconfidence in ACAS.


08/2004(19 May 2004)

ICAO Downlink RAs to ATC. Immediate 1

09/2004(19 May 2004)

ICAO Assist accident investigation by recording speech andnoise etc at ATC workstations similar to cockpit voicerecorders.

16/2004

(19 May 2004)

ICAO Ensure all ACAS/TCAS users should be consistent in

responses to devices.

Immediate 2,

Systemic 110/2004(19 May 2004)


Minimum requirements for provision of Short TermConflict Alert to all ATC units.

Immediate 1

11/2004(19 May 2004)


Provide backup telecommunications systems in case offailure of main system.

12/2004(19 May 2004)


Radar updates within 8 seconds or less in en-route airspace.

Immediate 1

13/2004(19 May 2004)


Meet EUROCONTROL recommendations forsurveillance and data capture so it is possible toreconstruct critical incidents.

17/2004(19 May 2004)


Meet ICAO SARPS and EUROCONTROLS ESARRsfor Safety Management Systems (NB, no explicitmention of risk assessment).

Systemic 2

18/2004

(19 May 2004)

Swiss Federal Office

for Civil Aviation

Require evaluation of minimum staffing levels. Immediate 1,

Systemic 2,Systemic 319/2004(19 May 2004)


Refresher and safety training requirements compliantwith ESARR 5.

Immediate 1

14/2004(19 May 2004)

CAA of the RussianFederation

ACAS training to include simulation, CRM and LOFTprogrammes to include ACAS scenarios.


21/2004(19 May 2004)

CAA of the RussianFederation

Advance the use of CRM training. Immediate 2

15/2004(19 May 2004)

US Federal AviationAdministration

Manufacturer rephrase TCAS 2000 manual to reflectinternational policy.

Systemic 1

Table 1: Summary of Recommendations Made in the BFU Report (pages 111-113)

Table 1 shows that the BFU have responded well in drafting recommendations that address each of theimmediate and systemic causes they identified for the accident. Previous paragraphs have argued thatmost of the BFU recommendations are well justified in terms of the immediate and systemic causes thatare identified in the report. Some of the other recommendations cannot be related back to the causes ofthe accident because they address problems in the investigation rather than the events that led to themishap. In contrast, a number of recommendations cannot be linked directly to the causes identified inthe BFU report. This raises a number of issues. For example, it might be argued that theserecommendations are poorly grounded in the evidence that was gathered in the aftermath of the accident.Alternatively, these recommendations might address important safety issues for which there had onlybeen a partial causal analysis. In other words, interventions were recommended without identifying theassociated immediate or systemic causes. These recommendations include 01/2003 looking at the


6/46


- 6 -

dissemination of information about the planning and maintenance work on ATC systems. They alsoinclude recommendation 11/2004 on the need to provide backup telecommunications systems in the eventof a main telecommunications system failure.

The following pages further analyse the evidence that supports these recommendations (01/2003 and11/2004) that appear unrelated to the immediate and systemic causes. The analysis also determineswhether any additional recommendations might be drawn from the BFU report into the berlingen

accident. In order to do this it is first necessary to develop a more detailed timeline of the events that ledto the mid-air collision.


7/46


- 7 -

The Detailed Timeline

Appendix 2 of the berlingen report contains a high level timeline of the events that led to the collision. Thissequence of events runs from 21:21:50 until 21:35:32. The timeline provides an excellent overview of the accident.It describes communications between the ACC and the crew of both the B757 and the T154M. It also describessome of the actions that were taken in the immediate run-up to the collision. For example, it includes informationabout the separation and altitude of each aircraft at key moments. As far as is possible, each event is associatedboth with the real time at which the event occurred and the elapsed time until collision. Table 2 provides an

excerpt from Appendix 2 of BFU report.

ZeitUTC

MinSek

Boeing B757-200Flug DHX 611

Tupolew TU154MFlug BTC 2937

21:21:50 13:42 Initial call to ACC Zurich on 128.050 MHz at FL 260. The crew isinstructed to switch the transponder to 7524, to climb to FL 320and is cleared direct to Tango VOR. The crew requests a climb toFL 360. ACC Zurich announces the clearance in 4 to 5 minuteslater.

21:26:36 8:56 The crew receives the instruction to climb to FL 360.21:29:50 5:42 The aircraft reaches FL 360.21:30:11 5:21 Initial call to ACC Zurich on

128.050 MHz at flight level FL 360.

The crew is instructed to witch thetransponder to 7520.21:33:03 2:29 Start of a conversation within the

cockpit about a TCAS indication,which shows another aircraft in thesame altitude.

Table 2: Except from Appendix 2 Events in Both Cockpits of the BFU report (Page 1 of Appendix file)

There are several important limitations that affect the BFU timeline. Firstly, it does not cover many of thecontributory events that created the context in which the accident occurred. In particular, it does not mention anyof the circumstances that relate to the two partially supported recommendations identified in the previous section.

Appendix 2 does not go back far enough to consider the dissemination of information about the planning andmaintenance work on ATC systems (recommendation 01/2003) nor does it address the events that led torecommendation 11/2004 on the need to provide backup telecommunications systems in the event of a maintelecommunications system failure. Secondly, the timelines in Appendix 2 is entitled Events in both Cockpitshence the focus is not on the circumstances surrounding the controllers actions. It is for these reasons that ouranalysis began by reconstructing an extended and more detailed timeline of events. The reconstructed timelinewas deliberately developed to consider the controllers perspective as well as the circumstances in both cockpits.

Appendix A of this report presents the extended timelines used in this initial stage of the analysis. Incontrast, the remainder of this section goes on to review some of the key issues highlighted from thisanalysis. Firstly, the timeline was extended back to the moment at which both controllers came on duty(17:50). This is illustrated in Figure 1. In retrospect, this was not early enough. The subsequent Events

and Causal Factors analysis of the two partially supported recommendations began to look at themanagement and planning of the SYCO flight plan processing system. For now it, however, it issufficient to observe that this earlier start point was motivated by the aim of looking at the accident morefrom the perspective of Air Traffic Management staff rather than from the occupants of the two cockpits.


8/46


- 8 -

(6) 21:21:56,B757 cleared fordirect approach to

TANGO VOR

(6) 21:21:56,B757 cleared to

climb from FL260to FL320

(6) 21:22 B757PIC requests

climb to FL360

(7) 21:26 ATMapproves climb to

FL360

(7) 21:29 B757reaches FL360 butdoes not confirm

(6) 21:21:50, B757 PICcontacts ACC Zurich

(6) 21:21:56,Transponder code7524 assigned to

B757

(8) 21:30:33, TU154M crewassign transponder code.

(74) 17:50 ATC controllersreport for duty

(75) One controller retires tolounge for rest

(75) Remaining ATC Radarcontroller assumes

responsibilities for Radar

Planning, Radar executiveand Supervisor.

(App A) 21:21:50 Radarcontroller instructs B757

crew to switch transponder to7524, climb to FL320,cleared to Tango VOR

(App A) 21:30:11, TU154Mcrew contact Zurich ACC

(App A) 21:22+ B757Crew ask ATC forclearance to FL360

(App A) 21:26:36 ATCconfirms clearance

(App A) 21:30:11 Radarcontroller instructs

TU154M crew to settransponder to 7520

Figure 1: Except from the Revised Timeline of Events

In Figure 1, events are denoted by each rectangle. Time flows from the top to the bottom of the diagram. The leftcolumn is used to group events that relate to the B757. The middle column shows events associated with the AirTraffic Managers. The right column denotes events associated with the crew of the TU154M. The figures inbrackets refer to pages in the BFU report that provide evidence for these events. For instance, (8) 21:30:33TU154M crew assigns transponder code denotes that the BFU discusses the assignment of the transponder onpage 8. A reference to (App A) relates to Appendix A of the BFU report.

Figure 1 illustrates some of the limitations of using timelines. For instance, this diagram denotes the B757 Pilot inCharges request to climb to FL360. There is nothing here to indicate the implications or consequences of this

request. The TU154M was already at FL360 and approaching the Zurich ACC centre. Nor does the timelineillustrate the factors that might have persuaded the controller to grant the request. As we shall see, paper basedflight strips were used to replace some aspects of the SYCO flight plan processing system that was beingupgraded and these paper strips did not show any potential conflict in the flight plans. The key point is thatthese timelines provide an entry point for any analysis and must be supplemented by additional techniques if theyare to yield more detailed insights, for example about the partially supported recommendations that were identifiedin previous sections.

Having raised these caveats, it is important to stress that the process of developing these timelines can also help toidentify potential conflicts, ambiguities and inconsistencies in accident reports. In particular, this analysis raised a


9/46


- 9 -

number of concerns about the precise time when the controllers might have been alerted to the audible STCAwarning. On page 44 of the BFU report it is stated that:

At 21:35:00 hrs the MV computer of ACC Zurich generated an acoustic STCA message which wasaddressed to the workstation RE SUED. It was not heard by any of the staff members present in thecontrol room (BFU, page 44)

Page 77 extends this analysis by revealing that the several seconds before the STCA the controller wasalready aware of the potential conflict and was taking action, which he believed would resolve thesituation. At 21:34:49 and again at 21:35:03 he issued instructions for the TU154M to expedite adescent. It is important to note that this excerpt does not mention the STCA audible alarm even thoughthe controllers preoccupation with issuing descent instructions provide a cogent explanation for thefailure to hear this alarm:

When the controller instructed the TU154M crew at 21:34:49 hrs for the first time to expeditedescent to FL 350 the horizontal separation was practically already below 7 NM (exactly at21:34:56, when the controllers radio message ended). The TU154M should have descended to FL350 by 21:34:56 hrs to ensure a vertical separation of 1 000 ft in the RVSM airspace. To achievethis it would have been necessary to give the instruction to descend to FL 350 at 21:33:49 hrs at the

latest - i.e. one minute before this instruction was actually given. This time is based on a normal rateof descent of approximately 1 000 ft per minute. When the TU154M crew did not verbally respondto the first instruction to descend to FL 350, the controller repeated this instruction at 21:35:03 hrsmore emphatically. (BFU, page 77)

Again on page 91, a similar set of observations is made. The aural STCA alert was issued at 21:35:00, itwas not heard by anyone. This paragraph does mention that the Controller had reacted to resolve theconflict when the alarm was issued. It also stressed that by the time that the alert was issued thecontroller lacked both the information and time necessary to avert the collision:

The MV9800 computers released an aural STCA at 21:35:00 hrs, but this was not heard by anyonein the CIR. The aural alert was released 32 seconds before the collision. At the time the two aircrafthad a distance of 6.5 NM to each other. As the ATCO had already reacted to resolve the conflict theaural STCA would just have pointed out the urgency of the situation. Even with the aural alert theATCO would not have been able to recognize the situation was not evolving as he expected untilfurther information was available. The TU154M was already complying with the descent instructionand the ATCO did not know the B757-200 had initiated an RA related descent. He would not havebeen able to recognise the B757-200 was descending until the screen update at 21:35:12 hrs or if hehad heard the crews TCAS descent call a few seconds later. By this time it was unlikely that hecould have formulated an instruction that would have averted the collision with sufficient safety.(BFU, page 91)

The construction of the more detailed timeline helped to identify the importance of the STCA and the

timing of the controllers initial response to the conflict. It raises a number of questions that are not fullyanalyzed in the BFU report. For instance, it is unclear when precisely the controller became aware of thepotential conflict. Similarly, it is difficult to determine what might have made him aware of the potentialconflict. For instance, Appendix 2 of the BFU report indicates that the TCAS alerts were generated inthe two planes at 21:34:42. It does not record any communications that alerted the controller to theconflict and that might then have triggered his instruction to the TU154M to expedite the descent at21:34:49. It seems too much of a coincidence that the controller responded within seven seconds of theTCAS warning and so he may have been alerted by overhearing radio communications. However, this isnot explicitly stated in the BFU report. If he had been alerted by other systems or observations then thismight add further insight to the report.


10/46


- 10 -

Irrespective of the mechanisms by which the Controller was alerted to the conflict, our analysis hasclearly shown the importance of the STCA system in this accident. The importance of this safety net isnot reflected in the existing BFU recommendations. The previous quote from paragraph 91 of the reportclearly shows that even if the STCA warning had been heard and acted upon then it is unlikely that thecollision would have been avoided. It should be recalled that Recommendations 07/2004, 16/2004,14/2004 all deal with informing pilots about the operational strengths and weaknesses of TCAS/ACAS.Our analysis has shown that similar recommendations ought to be made so that controllers are aware of

the role that STCA played in this accident. It is also important to emphasize the diverse ways in whichthe STCA was undermined by circumstance. An STCA alert was generated at the Karlsuhe center at21:33:24 but could not be communicated because of problems with the SWI-02 telecommunicationssystem. The visual STCA alert at ACC Zurich that would have been presented some two minutes beforethe aural alert was disabled as a result of the upgrade activities. One insight into the berlingen collisionis that current STCA systems provide a final safety net. They do not guarantee that controllers will beable to respond in time to avert an accident and hence, any use other than as a safety net of last resortshould be avoided.

Additional Recommendation 1:Controllers should be made more aware of the role of STCA in the berlingen accident as areminder of the strengths and weaknesses of this tool. Our analysis and that of the BFU reinforces

the role of STCA as a safety net and not as an absolute defense against adverse events.


11/46


- 11 -

Background to the Upgrade of the SYCO Flight Plan Processing System

The initial analysis of the BFU report centred on the development a more detailed timeline that alsoconsidered the controllers perspective on the events leading to the collision. As mentioned, this analysispushed back the initial timeline in Appendix 2 of the BFU report from 21:21:50 to 17:50 in the extendedtimelines of Appendix A in this report. However, subsequent analysis identified that the analysis would

have to go further back to consider the events and conditions that created the context for this incident. Inparticular, such an extended analysis was necessary to consider the causal arguments that might back therecommendations that had not been fully supported in the BFU report; 01/2003 looking at thedissemination of information about the planning and maintenance work on ATC systems andrecommendation 11/2004 on the need to provide backup telecommunications systems in the event of amain telecommunications system failure.

(38) ACC Zurich upperairspace was divided into

4 sectors and aboveFL235 into 2-3 sector

operation.

(Ass) Lack of riskassessment for

sectorization work?

(38) Partially verticalseparation causes

particular problems forRVSM operation.

(38) Six hour plan tomodify flight planprocessing system.

(38) Z-2002-022 and 024

official instructions areissued describing the

upgrade work.

(38) impactsADAPT radardata system.

(38) impactsMultiradar

computer system

(38) impactsflight plan data

processing systemfor tower and

approach control

(38) impactslanding sequence

computer

(38) impactsdepartures andarrivals trafficmanagement

system

(38) impactsATS ground-ground

phone system toother centers

(38) Additional

memorandum explainscontroller must work infallback mode withoutvisual but with aural

STCA alerts.

(38) Additionalmemorandum does notexplicitly explain that

controllers must performmanual flight plan to

radar correlation

(38) Documentationdoes not describe impacton telecommunications

system with othercenters.

(Ass+91) Problems insafety culture

(Ass+91) Problems insafety management

(38) Z-2002-022 and 024do not describe impact

on nightshift operations.

Figure 2: Contextual Factors Influencing the Technical Systems Environment in the Zurich ACC

Figure 2 presents the next stage in our analysis. It represents a simplified form of Events and CausalFactors analysis, initially pioneered by the US Department of Energy. Previous EUROCONTROL projects

have used similar diagrams to model human error and systems failure in ATM incidents, for example inHUM.ET1.ST13.3000-REP-02 Human Factors in the Investigation of Accidents and Incidents. Ellipses are used todenote contributory factors that combine to make events more likely. Events, as before, are denoted by rectangles.The figures in parentheses refer to the page numbers in the BFU report that contain information about thesecontributory factors. This diagram sets the background for the more detailed causal modeling of the accident. Ascan be seen, Figure 1 starts with the observation that ACC Zurich upper airspace was divided both vertically andhorizontally. The particular vertical division about FL235 into 2 or 3 sector operation created particular problemsfor the operation of RVSM and so page 38 of the BFU report outlines a six hour plan to modify the flight planprocessing system to simplify the upper airspace and support the implementation of RVSM. This plan effected anumber of different systems: the ADAPT radar data application; the multi-radar computer system; the flight plandata processing system for tower and approach control; the landing sequence computer; the departures and arrivalstraffic management system and the ATS ground to ground phone system with neighboring centers. A further


12/46


- 12 -

consequence of these effects was that management began to prepare for the upgrade by issuing official instructionsZ-2002-022 and 024 to describe the work. An additional memorandum also documented the impact that the workwould have in requiring controllers to work in fallback mode without a visual STCA. The right-half of thediagram shows how ECF analysis can encourage investigators to look beyond the information that is presented inan official accident report. In particular, it denotes that problems in the safety culture and safety management mayhave prevented an effective risk assessment for the work that was to be undertaken. The evidence for problems insafety culture and safety management is provided on page 91 of the BFU report but it never explicitly considers thefailure to perform a risk assessment, hence these contributory factors are annotated with Ass for assumption.

Technical report B will provide more detailed evidence from the BFU report and other sources to support thisargument. The key point is, however, that the ECF analysis helps to identify an apparent explanation, such as thelack of any adequate risk assessment, for the failure to document the impact of the upgrade on thetelecommunications facilities with other neighboring centers. Similarly, this failure can be used toexplain the lack of documentation about the impact of the upgrade on night shift operations and on theneed to perform manual correlations of radar targets against flight plan information.

Recommendation 2:Additional emphasis should be paid to a risk-based approach to the identification anddissemination of information about the impact of necessary upgrades on the ATM infrastructure.

(39) ACC Zurichcentralised into one

sector for nightoperation

(40) Normal

configuration is two controllersand two assistants..

(41) Normally one controller onsecond night shift retires to

lounge when traffic decreases.

(41) Lounge is out of callingdistance from the control room.

(41) Implicitmanagement

approval for thispractice.


sectorization work?

(41) Chief controllerbriefs them about

the scheduled workbut not of the

written instructionsnor about additional

staff.

(41) One of thecontrollers leavescontrol room.

(40) Normally onecontroller performsduties of systems

manager and supervisorafter 21:00.

(41) Remainingcontroller has oneassistant to help.

(43) Possible problemwith safety culture

Safety Policy Sect 2.2on staff responsibility.

(75) Radarcontroller now assumes

tasks of radar planning andradar executive and

supervisor also believes hehas tasks of systems

manager

(41) There is aSystems Manager available

during the upgrades.

(38) Six hourplan to modify flight

plan processingsystem.

(41) There is an ACCmanager to coordinate

between Controllers andtechnicians.

(41) SystemsManager stays at SYMA

workstations.

(41) Controller

not informed aboutextra staff.

(Ass+91) Problems insafety culture

(Ass+91) Problems insafety management

Figure 3: Contextual Factors Influencing the Human Systems Environment in the Zurich ACC

Figure 2 used a simplified ECF diagram to analyse the technical background to the berlingen accident.In contrast, Figure 3 focuses more on personnel and staffing issues. As can be seen, ACC Zurich used aform of centralised operation during night operations. The normal configuration was for two controllersto be supported by two assistants. It was also usual for one of the controllers to leave the control room assoon as the traffic died down so that he or she could rest in the lounge. During the accident, one of thecontrollers left the control room. This practice was known to management and there was no apparent


13/46


- 13 -

pressure to stop it hence there was an assumption of at least implicit acceptance, documented on page 41of the BFU report. This may itself also be due to problems in safety-culture mentioned in the previousparagraphs. The consequences of this practice were that the additional controller was now out of earshotfrom their remaining colleague and the remaining controller believed they only had one assistant to callon for help. It is difficult to determine what the other assistant was doing, as mentioned, two assistantsshould normally have supported the controllers. Meanwhile, the six hour upgrade plan was also havingan impact on the personnel and staffing of ACC Zurich just as it had effected the technical environment.

In this case, there was a systems manager (SYMA) who was available for support duties during theupgrade. However, they stayed at their SYMA workstation and controllers were unaware that thisresource was available. Under normal circumstances, the remaining controllers had to accept SYMAresponsibilities after their shift ended around 21:00. Similarly, there was an additional manager tocoordinate work between the technicians and the controllers. The Chief controller briefed his twocolleagues about the work at the start of the shift but did not tell them of the written instructions,mentioned above, nor about the additional staff. In consequence, a single controller was placed in asituation where they believed they were responsible for the tasks associated with radar planning, radarexecution, shift supervisor and systems manager at a time when profound changes were being made to thetechnical infrastructure. The BFU argue that the safety culture and safety management practices of theATM service provide should have ensured minimum manning levels. However, it can be argued thatoverstaffing of control room environments can lead to complacency, boredom and fatigue that are

themselves error inducing factors during quiet intervals in safety-critical tasks. Hence, the ECF analysisin Figure 3 again reinforces the observation that it is not the under-manning itself that is the root cause ofthe problem. The accident was caused by a combination of the under-manning and a failure to recognisethe risks associated with the profound system changes and lack of normal system support as aconsequence of the SYCO flight plan processing systemupgrade.

Recommendation 3:

Additional emphasis should be paid not simply to minimum staffing levels as recommended in theBFU report but also to a risk-based approach to the identification of situations that requireadditional staffing and to the need to inform staff when those additional resources are available.

Recommendation 4:

Additional emphasis should be placed not simply on minimum staffing levels (Recommendation18/2004) but to appropriate staffing levels that match the maximum plausible task loading oncontrollers that might be anticipated from their operational and technical environment, consideringthe dangers of complacency and fatigue from idle operators during quiescence.


14/46


- 14 -

The Radar Controllers Role in the Accident

Figures 2 and 3 presented an overview of the technical and human resources that were available on thenight of the accident and that were documented in the BFU report. In contrast, Figure 4 does on to lookin more detail at the more immediate conditions and events that led to the accident.

(74) 17:50 ATCcontrollers report

for duty

(38, 74) Six hour

plan to modify flightplan processing

system

(38) Chief controller briefs themabout the scheduled work but not

of the written instructions norabout the additional staff

(74) Briefingdocuments on planned

work are available (75,39) 21:10Sectorisationwork begins

(74) Schedule andcontract allows for

time to read briefingdocuments

(38, 74) Z-2002-022 and024 do not describe the

impact on night operations

(75) XX:XXWorkloaddecreases

(75) One of thecontrollers leaves

the room

(75) Remaining Radar controllerassumes responsibilities for Radar

Planning, Radar Executive,Supervisor and Systems Manager.

(41,75) Implicit

management approvalfor this practice

(75) Remainingcontroller cannot nowtake prescribed breaks

(App A) 21:21:50 B757ATC instructs crew toswitch transponder to7524, climb to FL320,cleared to Tango VOR

(App A) 21:21:50+ B757Crew ask ATC forclearance to FL360


(App A) 21:30:11 TU154call ACC Zurich.


sectorization work?

(74) XX:XXControllers do not

brief themselves onsectorization work



TU154M crew to set

transponder to 7520

(75) TU154Malready at

FL360

(75) Controlstrips do not show

a conflict

(75) TU154Mcleared to

TrasadingenVOR

(75) B757cleared to

Tango VOR

(75) Control stripsdo not correspond

with actualsituation.

(75) Controllers haveto manually correlateradar targets to flight

plan

(75) Radar controllerdoes not notice that

two flights are now atsame flight level

(75) Control stripsshow TU154M at

FL350 afterTrasadingen VOR

(8) Vienna ACC giveTU154M receive

clearance for appraochon Trasadingen VOR at

FL360

(39) 21:13:XXADAPT radarprocessing and

presentation systemwas disabled

(Ass+91) Problems insafety culture?

(Ass+91) Problems insafety management?

Figure 4: ECF Analysis of the berlingen Accident - Clearance for B757 to Join TU154M at FL360

As can be seen, Figure 4 takes the analysis from the time at which the controllers report for duty (17:50).However, it also carries forward elements of the earlier analysis of the technical and personnelinfrastructure. For instance, it refers to the lack of documentation on the impact of the upgrades. It alsolinks back to the lack of any adequate risk assessment and the impact that this may have had on, forinstance, the Chief Controllers briefing about the upgrade work. Similarly, this diagram includeselements of Figure 3 that refer to the remaining controller assuming a considerable number of additionalresponsibilities at a time when they were left exposed by a lack of systems support. Figure 4 goes well


15/46


- 15 -

beyond the previous ECF diagrams because it begins to map out the more immediate chain of events thatled to the accident. As can be seen, the B757 contacts Zurich ACC at 21:21:50. The request is made forclearance to FL360 immediately after the initial contact and this is granted at 21:26:36. The conditionsthat make this event more likely include the fact that the paper control strips for the B757 and TU154Mdo not show any apparent conflict. They are cleared to different waypoints. The controllers difficulty inanticipating the potential conflict is compounded by the observation on page 75 of the BFU report that thestrips no longer began to reflect the true situation as the TU154M was shown at FL350 after Trasadingen

VOR. However, the controller would have had to detect this inconsistency manually given that theautomatic flight plan and radar correlation (ADAPT) support had been disabled as part of the SYCOflight plan processing system upgrade. The ECF diagram ends with the call from the TU154M to ZurichACC as it approaches their airspace.

The key insight from Figure 4 is the role that inadequate risk assessment may have played in exposing theController to an error inducing context. This builds on the previous contextual analysis that has alreadymade a similar point because it shows the more detailed causal mechanisms that lead from managerialand cultural problems to specific events in the accident itself. In this case, the lack of risk assessment ledto the controllers being poorly informed about the sectorisation work. It is possible to conjecture that ifadditional information had been available, for instance about the interruption to the SWI-02 communicationssystem with neighbouring centres then the second controller might not have departed for the lounge.

Similarly, if an adequate risk assessment had been conducted then additional consideration might havebeen paid to the possible consequences of disabling the ADAPT radar system.

It is important to emphasise that the analysis of ECF diagrams relies upon counterfactual arguments. Theprevious paragraph surmises that the accident would not have progressed in the way that it did had anadequate risk assessment been performed. We cannot, however, be sure that this would indeed have beenthe case. We cannot run an experiment or realistic simulation to show that such an assessment wouldhave uncovered the potential hazards that the controllers, aircrews and passengers faced during thisaccident. Equally, the ECF analysis does point the need to be more coherent about the particular safetymanagement techniques that might have been used to detect the potential problems before lives wereplaced at risk. As we have seen, the BFU recommendations correctly focus on staffing issues and theperformance of ACAS/TCAS. In addition, however, recommendations should be made about the role of

specific and concrete safety management techniques that are consistent with a strong safety culture. Theanalysis in this report would, therefore, suggest that a risk assessment should have identified the potentialdangers associated with the upgrade long before the two controllers set foot in the ACC Zurich.

Recommendation 5:

Additional emphasis should be placed on the concrete safety management techniques that mighthave identified the specific hazards in this accident well before the incident took place. Thesetechniques include maintenance risk assessment according to the principles laid down in theESSAR publications.


16/46


- 16 -

(App A) 21:34:49 Radarcontroller tells TU154M

crew descend flightlevel 3-5-0, expedite, Ihave crossing traffic

(App A) 21:35:03 Radarcontroller repeats

instruction to TU154Mcrew descend level 3-5-0,

expedite descent

(App A) 21:35:03+ Radarcontroller hears

acknowledgement fromTU154M crew

(App A) 21:35:03+ Radarcontroller Ja, we have

traffic at your 2 oclockposition now at 3-6-0

(42) 21:30:52 A320 flighttrack becomes visible on

ARFA sector radar

(42) 21:35:XX MVComputer generatedacoustic STCA alert

(74) Extensivesectorization workscheduled for night

shift

(39) 21:13:XXIntegratedController

Workstationsswitched to

fallback mode

(39) VisualSTCA warning is

not presented

(39) 21:13:XX

SWI-02 directtelephone lines toneighbour ACC

disabled.

(39) Neighbouringcentres not informedabout planned work


sectorisation work

(41) Radar Planningworkstation on left

displays ACCZurich airspace

(41) Radar Executiveworkstation on right

displays approach forSt. Gallen-Altenrhein

& Friedrichshaven

(42) Must changebetween workstations

to transmit to either theA320 or the TU154M

and the B757

(44) 21:33:24STCA

alarm at Karlsruhe

for B757 andTU154M.

(44) 21:33:24+Controller tries toalert Zurich usingdirect phone line.

(44) 21:33:24+Busy signal andthen a ringing

tone is heard as11 further

attempts aremade.

(44) Rules not metfor international

emergency warningdirect to planes

(75) 21:30:52+Controller tries

without success tophone Friedrichshafen

(75) 21:30:52+ Radarcontroller has to move

from RP to RE

(75) Radar controllernot told about SystemsManager who might

have helped

(75) Radarcontroller preoccupiedand misses potential

conflict.

(App A) Radarcontrollers first instruction

is not acknowledged

(8) 21:35:03, TU154MPNF acknowledges

(74) Fails toindicate

seriousness ofsituation

(74) Stress whenconflict is noted

(App A) 21:34:49Radar controllernotices conflict

(75) Controller givesincorrect position

information, shouldbe at 10 oclock

(75) Controllergives incorrect dataB757 at FL356 from

descent afteradvisor

(75) Controllercannot read newB757 flight leveluntil radar image

renewal (21:35:24)(76) Radar controller seesTU154M initiate descent

on left (RP) monitor

(75) Radar controllerbelieves he has

solved the conflict

Figure 5: ECF Analysis of the berlingen Accident Radar Controller Notices and Attempts to Resolve Conflict

Figure 5 continues the ECF analysis of the BFU report from the moment when the TU154M approaches

ACC Zurich to the point at which the BFU argue the Controller believed he had resolved the conflict.Key observations in this stage of the analysis are that at 21:33:24 there is an STCA alarm at Karlsruhe.This is one minute and eighteen seconds before the TCAS warning on the aircraft and approximately twominutes between the missed audible STCA warning at ACC Zurich. During these intervals it might havebeen possible for the Karlsruhe staff to alert the controller to the potential problem, however the SWI-02direct communications facility had been interrupted as part of the upgrade work. Similarly, the visualSTCA warning at ACC Zurich was also disabled and this might have bought an additional two minuteswarning compared to the time at which the controller began responding to the conflict. Figure 5 alsoillustrates another possible reason for the controllers failure to detect the potential conflict. An A320flight enters the controllers area and he attempts to coordinate with Friedrichshaven. As we have seen,however, neither the controller nor the neighbouring areas were informed of the potential interruption to


17/46


- 17 -

the SWI-02 communications system and so valuable time was lost as the controller distributed his finiteattention between the three aircraft and the associated tasks, including attempting to communicate withthe neighbouring centres. The demands associated with these tasks were exacerbate by the layout of thecontrollers working positions as he had to shuffle between two workstations; both were capable ofdisplaying the flight radar information but different positions had to be used to broadcast to the TU-154Mand the B757 on one frequency and the A320 on another. All of these factors may have combined withthe lack of an automatic radar and flight plan correlation system to prevent the controller form

recognising the conflict. This diagram captures the extreme situation that faced the controller. The BFUreport argues that these problems could have been resolved by adequate staffing. Equally, however, amore coherent risk assessment strategy should also have uncovered the need to fully document theconsequences of the upgrade. It also may have emphasized the importance of communicating thoseconsequences both to controllers and to other centres. Although the BFU mention the importance ofinformation dissemination in recommendation 01/2003, it does not link the recommendation to any of theimmediate or systemic causes of the accident. In contrast, Figure 5 shows how this recommendation canbe more directly tied into the events leading to the berlingen accident. In particular, the lack of anadequate risk assessment can be argued to have created the context in which the accident occurred.

Recommendation 6:Any risk based assessment of the impact of large scale maintenance and upgrade activities should

consider a range of plausible worst case scenarios especially where there may be common causes offailure. In this case it was important to consider the combined effects of the loss oftelecommunications as well as radar and flight plan correlation facilities rather than consideringthe consequences of each system loss in isolation.

Figure 5 also shows that the controller notices the conflict between the B757 and TU154M at 21:34:49.As mentioned previously, it is difficult to determine the precise cognitive and perceptual factors thatprompted his subsequent intervention. The diagram does, however, introduce an assumption that thestress of detecting a potential conflict under such adverse working conditions may explain his apparentfailure to inform the aircrews of the seriousness of the incident, noted on page 74 of the BFU report. TheECF diagram denotes that the initial descend command was not explicitly acknowledged by the TU154Mcrew and so the instruction is reiterated. The Pilot-Non-Flying acknowledges the second request and the

controller responds by, arguably, explaining the request; Ja, we have traffic at your 2 oclock positionnow at 3-6-0. Again the stress of the situation may explain the apparent anomaly in this comment whenthe B757 should have been in the 10 oclock position relative to the TU154M. At this point thecontroller observes the descent of the TU154M as requested but cannot observe the descent of the B757in response to their TCAS advisory because the controllers radar image is not renewed until 21:35:24.Hence, the BFU argue that he believed he had resolved the conflict.

Recommendation 7:A subsequent analysis of the accident should be conducted to identify the cognitive and perceptualcues that helped the controller to identify the potential conflict. It may have been through theControllers direct observations of their radar displays, alternatively they may have been alerted tothe conflict by indirect observations of the TCAS advisories that were issued in both cockpits atalmost the same time the controller began to issue the initial descent instructions to the TU154M.Similarly, further attention to be paid to the protocols and procedures governing the transmissionof location information such as the 2 oclock warning at 21:35:03. The BFU claim that this mayhave seriously disoriented the crew of the TU154M as they sought to resolve the TCAS alarm andyet nothing is stated about this in the existing recommendations.


18/46


- 18 -

Figure 6 illustrates the immediate events before the collision. Again, the controller begins to focus hisattention on the A320 on its delayed approach to Friedrichshafen. This allocation of attention isexplained in the BFU report by the observation that the Controller now believed they had resolved theconflict once the crew of the TU154M had expedited their descent to FL350. The decision to focus onthe A320 had important consequences as the controller again had to move to the Radar Executiveworkstation to transmit to this aircraft. Any subsequent transmissions to the B757 or the TU154M wouldthen involve a further move back to the Radar Planning workstation, although all flights were visible on

both displays. The outcome of this distraction or division of attention was that the controller failed toobserve the radar trace of the B757s descent in response to the previous TCAS advisory.

(App A) 21:35:19 B757crew report to radar

controller they have beguna TCAS descent

(75) Radar controllerbelieves he has

solved the conflict

(75) A320 crew call radarcontroller on approach to

Friedrichshaven

(75) Radar controllermoves to RE workstation

to transmit to A320

(75) Radar controllernow focuses all

attention on A320

(75) Radarcontroller fails tonotice descent ofB757 on radar.

(75) Radar controllerdoes not acknowledgeTCAS descent call

from B757.

(75) Radar controllersolves A320 problem

(7,9) 21:35:32 T U154Mand B757-200 collide

(75) Radar controllerreturns attention to

conflict.

(75) Radar controllerobserved TU154M

displayed at red point onradar monitor

(75) Radar controllerB757 no longer

displayed on radarmonitor



(App A) 21:35:03+ Radarcontroller Ja, we havetraffic at your 2 oclockposition now at 3-6-0

(76) Radar controller seesTU154M initiate descent

on left (RP) monitor

(94) B757 delayTCAS decent report

as ACC Zurichchannel is busy.

Figure 6: ECF Analysis of the berlingen Accident B757 Report TCAS Descent


19/46


- 19 -

The controllers preoccupation with the A320 and the split working positions can also be argued toexplain his failure to notice the B757 crews radio signal that they had begun a TCAS descent. TheBFU report suggests that the timing of this call was particularly unfortunate. The crew of the B757 hadbeen trained to alert ATC as soon as possible after a TCAS advisory. Both the Pilot Flying and the PilotNot Flying initially tried to contact ACC Zurich:

Although the TCAS descent call was made 23 seconds after the beginning of the initial RA, and

7 seconds or more after the copilot was back on headset, it was made at the earliest opportunity.Immediately after the RA the Commander was PF and PNF, and was concentrating on the manualflying task to execute the RA manoeuvre, so that at that time the report of the TCAS descent didnot have the highest priority. A few seconds after the RA the ATC frequency became busy withcommunication between Zurich Control and TU154M. The B757-200 crew started their TCASdescent call as soon as the frequency became open. (BFU, page 94)

It seems that the Controllers descent instructions to the TU154M and the subsequent conversation aboutthe possible 2 oclock position of the other aircraft prevented the B757 crew from conveying the criticalinformation about their decent to ACC Zurich. When the radio channel eventually became available, theB757 crew transmitted their descent call. However, this in turn overlapped with the call from the A320crew on their approach to Freidrichshaven. This pathological sequence of events may, therefore, have

prevented the controller from hearing the critical information from the B757 crew. Although, it can alsobe argued that when this information was transmitted there was insufficient time available to successfullyavert the collision. Thirteen seconds provides an extremely narrow window within which to formulate aresponse, communicate that advice to one of the crews and for them then to act upon that informationespecially given that both crews had already initiated a decent to resolve the apparent conflict.

Recommendation 8:Further thought should be given to the verbal protocols governing the exchange of informationbetween controllers and the crews of all aircraft involved in a TCAS incident. Whenever possiblechannels of communication should be kept clear until all the parties involved have confirmed theirimmediate response to the warnings. The BFU recommendation 08/2004 that RAs be downlinkedto ATC does not remove the need for such a verbal protocol given that even the revised ICAO

guidelines offer crews discretion in the response to an advisory if they feel that to follow the TCASalert would endanger safety.


20/46


- 20 -

Conclusions

This report documents the output from an initial analysis of the BFU report into the berlingen mid-aircollision. The investigation constructed a more detailed timeline of the events leading to the collision,from the perspective of both crews and the Radar Controller who was operating the position in ZurichACC. This involved the compilation of additional details beyond the high-level summary that is

provided in Appendix 2 of the BFU report. Once this timeline had been compiled, it was used togenerate more complex Events and Causal Factors charts. These focussed on the influences that helpedto shape the controllers interaction with the aircrews and with neighbouring centres during the crucialminutes before the collision. Our analysis identified a number of minor ambiguities and inconsistenciesin the English language version of the report. It also extended the scope of the BFU investigation. Theexisting report focuses on issues surrounding the coordination of aircrew responses to TCAS advisories inthe face of possibly conflicting instructions from Air Traffic Service personnel. It also provides athorough account of safety management issues surrounding the staffing and operation of the Zurich centerduring major maintenance and upgrade operations. In contrast, the analysis in this report looks beyondthe operating environment in the Zurich control room on the night of the accident. Greater emphasis isplaced on adequate preparation for what was extensive technical procedures that deprived the controllersof necessary support and created an error inducing environment. In particular, the BFU report provides

few insights into the risk assessment procedures that should be used before any similar upgrades shouldbe attempted in the future. The final stages of this project will look at the specific safety managementand risk assessment techniques that might have been used to alert senior management to the dangers thatwere created by the planned upgrades at ACC Zurich.

It is important to stress that we have focussed on the controllers perspective in this report. The role ofboth crews and the impact of ACAS/TCAS have already been well covered by the BFU. It is alsoimportant to stress that this report is not intended to be a criticism of the BFU report. They conducted athorough and detailed investigation under difficult circumstances and their recommendations have clearlymade a significant contribution to aviation safety. However, our aim has been to go beyond the existingrecommendations and extract any additional lessons that might be learned from this very unfortunateincident. Our secondary aim has also been to ensure that the recommendations made by the BFU were

supported by either systemic or immediate causes.

Summary of Findings:The BFU report contains two recommendations that are not supported by their causal analysis, althoughthe evidence provided in the report supports them. There recommendations are as follows:

Safety Recommendation No. 01/2003The Federal Office for Civil Aviation (FOCA) should ensure that the air traffic control service provider issuesand implements procedure to undertake maintenance work on the ATC Systems stipulating operationaleffects and available redundancies. The procedure shall include the following aspects:

Stipulating the detailed responsibilities of the Operational Division and the Technical Division. Personnel reserve planning of the operational staff for maintenance work on the ATC Systems. Timely dissemination of procedure to the controllers, in order to prepare them to deal with the

situations. Establish and implement the checklists for the maintenance as well operational staff, when

maintenance work on the ATC Systems is undertaken, to enhance the safety net. Selection of best possible time from operational aspects for the maintenance work on the ATC

Systems.

Safety Recommendation No. 11/2004The FOCA should ensure that the air traffic control service provider equips air traffic control units withtelephone systems which in case of a failure or shutdown of the main telephone system reroutes incomingtelephone calls automatically to the bypass telephone system.


21/46


- 21 -

It is difficult to be sure why these recommendations are not supported by the immediate and systemiccauses mentioned in the BFU report. However, our analysis suggests that greater attention ought to havebeen paid to the planning and management of the SYCO upgrades. In particular we could argue that amore sustained form of risk assessment might should have been used before the work was undertaken.

In addition, our analysis has identified the following additional recommendations:

Additional Recommendation 1: Controllers should be made more aware of the role of STCA in theberlingen accident as a reminder of the strengths and weaknesses of this tool. Our analysis and that ofthe BFU reinforces the role of STCA as a safety net and not as an absolute defense against adverseevents.

Additional Recommendation 2: Additional emphasis should be paid to a risk-based approach to theidentification and dissemination of information about the impact of necessary upgrades on the ATMinfrastructure.

Additional Recommendation 3: Additional emphasis should be paid not simply to minimum staffinglevels as recommended in the BFU report but also to a risk-based approach to the identification ofsituations that require additional staffing and to the need to inform staff when those additional resources

are available.

Additional Recommendation 4: Additional emphasis should be placed not simply on minimum staffinglevels (Recommendation 18/2004) but to appropriate staffing levels that match the maximum plausibletask loading on controllers that might be anticipated from their operational and technical environment,considering the dangers of complacency and fatigue from idle operators during quiescence.

Additional Recommendation 5: Additional emphasis should be placed on the concrete safetymanagement techniques that might have identified the specific hazards in this accident wellbefore the incident took place. These techniques include maintenance risk assessment accordingto the principles laid down in the ESSAR publications.

Additional Recommendation 6: Any risk based assessment of the impact of large scale maintenance andupgrade activities should consider a range of plausible worst case scenarios especially where there may becommon causes of failure. In this case it was important to consider the combined effects of the loss oftelecommunications as well as radar and flight plan correlation facilities rather than considering theconsequences of each system loss in isolation.

Additional Recommendation 7: A subsequent analysis of the accident should be conducted to identifythe cognitive and perceptual cues that helped the controller to identify the potential conflict. It may havebeen through the Controllers direct observations of their radar displays, alternatively they may have beenalerted to the conflict by indirect observations of the TCAS advisories that were issued in both cockpits atalmost the same time the controller began to issue the initial descent instructions to the TU154M.

Similarly, further attention to be paid to the protocols and procedures governing the transmission oflocation information such as the 2 oclock warning at 21:35:03. The BFU claim that this may haveseriously disoriented the crew of the TU154M as they sought to resolve the TCAS alarm and yet nothingis stated about this in the existing recommendations.

Additional Recommendation 8: Further thought should be given to the verbal protocols governing theexchange of information between controllers and the crews of all aircraft involved in a TCAS incident.Whenever possible channels of communication should be kept clear until all the parties involved haveconfirmed their immediate response to the warnings. The BFU recommendation 08/2004 that RAs bedownlinked to ATC does not remove the need for such a verbal protocol given that even the revised


22/46


- 22 -

ICAO guidelines offer crews discretion in the response to an advisory if they feel that to follow the TCASalert would endanger safety.


23/46


- 23 -

Appendix A: Detailed Timeline of the berlingen Accident

As mentioned, the berlingen report contains a high level timeline of the events that led to the collision. This ispresented in Appendix 2 of the official report and runs from 21:21:50 until 21:35:32. The timeline provides agood general overview of the events leading to the accident. However, it does not cover many of the events thatcreated the context for the collision and which occurred before the B757 and TU154M entered Zurich ACCairspace. Similarly, it focuses on the events that occurred in both cockpits and arguably neglects the controllersperspective. The following pages present an extended timeline that was then used as input for the subsequentEvent and Causal Factors analysis of the BFU report.

.

(6) 21:21:56,B757 cleared fordirect approach to

TANGO VOR

(6) 21:21:56,B757 cleared toclimb from FL260

to FL320

(6) 21:22 B757PIC requests

climb to FL360

(7) 21:26 ATMapproves climb to

FL360

(7) 21:29 B757reaches FL360 butdoes not confirm

(7) 21:34:31 copilothands over to PIC to

go to lavatory

(7) 21:34:42 TCASTraffic Advisorytraffic, traffic


(6) 21:21:56,Transponder code7524 assigned to

B757

(8) 21:30:33, TU154M crewassign transponder code.

(8) 21:33:00, Crew discussTCAS display of planeapproaching from left

(8) 21:34:36, Commander:Here it is in sight

(8) 21:34:38 Commander:Look here it indicates zero

(8) 21:34:25 TU154M beginsbanking manoeuvre

(8) 21:34:42, TCAS TrafficAdvisory traffic, traffic

(8) 21:34:44, Pilot andCoPilot traffic, traffic

(74) 17:50 ATC controllersreport for duty

(75) One controller retires tolounge for rest

(75) Remaining ATC Radarcontroller assumes

responsibilities for RadarPlanning, Radar executive

and Supervisor.

(App A) 21:21:50 Radarcontroller instructs B757

crew to switch transponder to7524, climb to FL320,

cleared to Tango VOR

(App A) 21:30:11, TU154M

crew contact Zurich ACC

(App A) 21:22+ B757Crew ask ATC forclearance to FL360



TU154M crew to settransponder to 7520

Figure A1: Extended Timeline from Start of Controllers Shift (17:50)


24/46


- 24 -

(7) 21:34:56 TCASResolution Advisorydescend, descend

(7) 21:34:58 Autopilotswitched off, control

column pushedforward, thrust

reduced

(7) 21:35:05 CVRCopilot: Traffic Right

There,

(8) 21:34:49 ACCZurich descend flightlevel 350, expedite, Ihave crossing traffic

(8) 21:34:56, Controlcolumn goes forward,

autopilot pitchswitched off, power

reduced.

(8) 21:34:56,TCAS ResolutionAdvisory Climb,

Climb

(8) 21:34:59,Copilot TCAS

says climb

(8) PIC requestsPF to descend

(8) 21:34:59, PICATC is guiding

us down

(8) 21:34:59,Copilot

descend?

(8) 21:35:02, PFpulls control

column to slowdescent.

(8) 21:35:03, enginethrottles pulled back

further

(8) 21:35:03, ACCZurich descend level

350, expedite descend

(8) 21:35:03, PNFacknowledges

(8) 21:35:03, Hear ACCZurich Jawe havetraffic at your 2 oclockposition now at 3-6-0

(8) 21:35:03, PICWhere is it?

(8) 21:35:03,Copilot Here on the

left side

(8) 21:35:04,Navigator Itsgoing to passbeneath us

(9) 21:35:04,autopilot rollswitched off

(9) 21:35:05, PFpushes column toincrease descent


TU154M crew descendflight level 3-5-0, expedite,

I have crossing traffic

(App A) 21:35:03 Radar

controller repeatsinstruction to TU154Mcrew descend level 3-5-0,

expedite descent



(App A) 21:35:03+ Radarcontroller Ja, we havetraffic at your 2 oclockposition now at 3-6-0

(7) 21:35:05 CVRPIC: Yes

Figure A2: Extended Timeline from the Controllers Initial Descent Instruction (21:34:49)


25/46


- 25 -

(7,9) 21:35:32 TU154M and B757-200 collide

(7) 21:35:10 TCASResolution Advisory

increase descent,increase descent

(7) 21:35:10Copilot: increase

(7) 21:35:10 rateof descent is

increased

(7) 21:35:14,Master CautionAural Warning

(7) 21:35:18,Crew turn offautothrottle

(7) 21:35:19,Crew report

TCAS descentto ACC Zurich

(7) 21:35:26,Copilot asksPIC to

descend

(7) 21:35:30,Copilot asks

PIC to descendhard

(7) 21:35:30,Control column

pushed fullyforward

(9) 21:35:07,change in

heading begins

(9) 21:35:24, TCASResolution Advisory

increase climb

(9) 21:35:24,Copilot it says

climb

(9) 21:35:24, slowincrease in decent as

control columnmoved forward

slightly

(9) 21:35:27, controlcolumn now pulled

back, minor increasein thrust

(9) 21:35:32, controlcolumn pulled backabruptly, thrust now

fully forward.

(App A) 21:35:19 B757crew report to radar

controller they have beguna TCAS descent

Figure A3: Extended Timeline from the TU154Ms Change in Heading (21:35:07)


26/46

Technical Report B:

Incorporating Deliverable 3

(Version 1: 17/12/2004)


Executive Summary of Technical Report B

This is the second report of two issued under this contract. The first report identified recommendations in the BFU report that

were not fully supported by their causal analysis. The first report also used an Events and Causal Factors analysis to identifyeight additional recommendations from the BFU report. The principle insight from all of this work was that the BFU did goodwork in analysing the role of ACAS/TCAS in the two planes. However, less attention was paid to the inadequate riskassessments that exposed the controllers to extreme operational demands during the SYCO systems upgrade. This reportbuilds on the findings of the initial document. In particular, it goes on to look at the role that Safety Management Systemsplayed in the accident. We concur with the BFU that the Swiss authorities had well-documented procedures and principlesthat would encourage the development of a sound Safety Management System. These principles were in accordance withICAO and EUROCONTROL guidelines. However, the Swiss ATM organisations lacked the experience and the personnel toimplement those procedures. Partly as a result of this opportunities were missed to learn from two AIRPROX incidents thathad similarities to the events before the berlingen accident. A number of additional recommendations are presented in thisreport that build on those recommendations already provided in Technical Report A.

Prepared by:

Prof. Chris Johnson217, Wilton Street, North Kelvinside, Glasgow, G20 6DE, Scotland, [email protected] (Email), +44 141 330 6053 (Tel.), +44 141 330 4913 (Fax)


27/46


- 27 -

Introduction

The EUROCONTROL Strategic Safety Action Plan (SSAP) has initiated a number of reviews into theBFU berlingen Accident Report. The intention behind this study is to determine whether employing ateam of accident investigators to study the existing report can derive any additional findings. The key

objectives for this study are:

1. to show how existing recommendations relate to root causes identified in the existing report. The mainfocus will be to use Events and Causal Factors diagrams to draw out the root causes from the report and thento relate them to the recommendations. This choice of this method is justified because it provides relativelyaccessible diagrams that can readily be inspected to trace the information in the report back to particularrecommendations. EUROCONTROL has used similar diagrams to model human error and systems failure inATM incidents, for example in HUM.ET1.ST13.3000-REP-02 Human Factors in the Investigation ofAccidents and Incidents.

2. to use recognised accident analysis techniques to identify further recommendations from this accident. The ECF model developed in the previous stage of analysis can also be used to help identify additionalrecommendations. This will be done using the associated reasoning techniques that are part of this method.Additional root causes can be identified by examining each element of the diagram and asking whether or notthe accident could have been avoided if that event had not occurred. If the answer is yes then the event orcondition becomes a candidate for further inspection.

3. to review the existing BFU report and other reports into this accident dealing with the associated safetymanagement systems to extend the scope of objective (2). This final stage of the project will look moreclosely at the findings from the second stage of analysis. Rather than focussing on the BFU report alone,this stage will look at the wider investigatory process in the context of SMS development and will refer toinvestigatory practices in other countries. In particular, comparisons will be drawn with the FAA andCanadian TSBs guidelines on SMS development.

There are three deliverables associated with this project. Each represents the output of one of the stages identifiedin the previous section. The first is to deliver an analysis of the mapping from recommendations to root causes inthe BFU report. The second is to identify appropriate additional recommendations. Both of these deliverableswere documented in Technical Report A. For convenience, the following section provides an executive summaryof the output from this work. This report represents the final deliverable associated with this contact. It links theinformation derived from objectives 1 and 2 to associated work on safety management system guidance withinATM.


28/46


- 28 -

Summary from Technical Report ATechnical Report A first determined whether any of the recommendations from the BFU were notadequately supported by the associated causal analysis. The BFU report into the berlingen collisionidentified a number of immediate causes for the accident. These can be summarised as follows, all pagenumbers in the remainder of this report refer to the official BFU English language translation of theoriginal German report:

(Immediate Cause 1) The imminent separation infringement was not noticed by ATC in time. Theinstruction for the TU154M to descend was given at a time when the prescribed separation to theB757-200 could not be ensured anymore. (BFU page 112)

(Immediate Cause 2) The TU154M crew followed the ATC instruction to descend and continuedto do so even after TCAS advised them to climb. This manoeuvre was performed contrary to thegenerated TCAS RA. (BFU page 112)

In addition, the BFU also identified a number of less immediate systemic causes:

(Systemic Cause 1) The integration of ACAS/TCAS II into the system aviation was insufficient

and did not correspond in all points with the system philosophy. The regulations concerningACAS/TCAS published by ICAO and as a result the regulations of national aviation authorities,operational and procedural instructions of the TCAS manufacturer and the operators were notstandardised, incomplete and partially contradictory. (BFU, page 112)

(Systemic Cause 2) Management and quality assurance of the air navigation service company didnot ensure that during the night all open workstations were continuously staffed by controllers.(BFU, page 112)

(Systemic Cause 3) Management and quality assurance of the air navigation service companytolerated for years that during times of low traffic flow at night only one controller worked and theother one retired to rest. (BFU, page 112)

The BFU report contains two recommendations that are not supported by their causal analysis, althoughthe evidence provided in the report supports them. There recommendations are as follows:

Safety Recommendation No. 01/2003The Federal Office for Civil Aviation (FOCA) should ensure that the air traffic control service provider issuesand implements procedure to undertake maintenance work on the ATC Systems stipulating operationaleffects and available redundancies. The procedure shall include the following aspects:

Stipulating the detailed responsibilities of the Operational Division and the Technical Division. Personnel reserve planning of the operational staff for maintenance work on the ATC Systems. Timely dissemination of procedure to the controllers, in order to prepare them to deal with the

situations. Establish and implement the checklists for the maintenance as well operational staff, when

maintenance work on the ATC Systems is undertaken, to enhance the safety net. Selection of best possible time from operational aspects for the maintenance work on the ATC

Systems.

Safety Recommendation No. 11/2004The FOCA should ensure that the air traffic control service provider equips air traffic control units withtelephone systems which in case of a failure or shutdown of the main telephone system reroutes incomingtelephone calls automatically to the bypass telephone system.

It is difficult to be sure why these recommendations are not supported by the immediate and systemiccauses mentioned in the BFU report. However, our analysis suggests that greater attention ought to have


29/46


- 29 -

been paid to the planning and management of the SYCO upgrades. In particular we could argue that amore sustained form of risk assessment should have been used before the work was undertaken. Inaddition, our analysis identified the following recommendations:

Additional Recommendation 1: Controllers should be made more aware of the role of STCA in theberlingen accident as a reminder of the strengths and weaknesses of this tool. Our analysis and that ofthe BFU reinforces the role of STCA as a safety net and not as an absolute defense against adverse

events.

Additional Recommendation 2: Additional emphasis should be paid to a risk-based approach to theidentification and dissemination of information about the impact of necessary upgrades on the ATMinfrastructure.

Additional Recommendation 3: Additional emphasis should be paid not simply to minimum staffinglevels as recommended in the BFU report but also to a risk-based approach to the identification ofsituations that require additional staffing and to the need to inform staff when those additional resourcesare available.

Additional Recommendation 4: Additional emphasis should be placed not simply on minimum staffing

levels (Recommendation 18/2004) but to appropriate staffing levels that match the maximum plausibletask loading on controllers that might be anticipated from their operational and technical environment,considering the dangers of complacency and fatigue from idle operators during quiescence.

Additional Recommendation 5: Additional emphasis should be placed on the concrete safetymanagement techniques that might have identified the specific hazards in this accident wellbefore the incident took place. These techniques include maintenance risk assessment accordingto the principles laid down in the ESSAR publications.

Additional Recommendation 6: Any risk based assessment of the impact of large scale maintenance andupgrade activities should consider a range of plausible worst case scenarios especially where there may be

common causes of failure. In this case it was important to consider the combined effects of the loss oftelecommunications as well as radar and flight plan correlation facilities rather than considering theconsequences of each system loss in isolation.

Additional Recommendation 7: A subsequent analysis of the accident should be conducted to identifythe cognitive and perceptual cues that helped the controller to identify the potential conflict. It may havebeen through the Controllers direct observations of their radar displays, alternatively they may have beenalerted to the conflict by indirect observations of the TCAS advisorie

Ueberlingen Final Report

Documents

Transcript of Ueberlingen Final Report