Ueberlingen resources
This project reviews the Ueberlingen accident.
The analysis will concentrate on the BFU report and investigation.
However, additional references are made to EUROCONTROL and other external recommendations, especially in the area of Safety Management Systems.
The aims of this work are to:
- show how the existing recommendations relate to the root causes identified in the existing report.
- use recognised accident analysis techniques to identify additional recommendations that might be derived from this accident.
- review the existing BFU report and the Swiss government investigation into the associated safety management systems to extend the scope of objective (2).
The final report brings together two different documents.
Technical Report A: The existing BFU report focuses on issues surrounding the coordination of aircrew responses to TCAS advisories in the face of possibly conflicting instructions from Air Traffic Service personnel.
It also provides a thorough account of safety management issues surrounding the staffing and operation of the Zurich ACC during major maintenance and upgrade operations.
In contrast, the analysis in this report looks beyond the operating environment in the Zurich control room on the night of the accident.
Greater emphasis is placed on adequate preparation for what were extensive technical procedures that deprived the controllers of necessary support and created an 'error inducing' environment.
In particular, the BFU report provides few insights into the risk assessment procedures that should be used before any similar upgrades should be attempted in the future.
Technical Report B:
This second part of the final report builds on the findings mentioned above.
In particular, it goes on to look at the role that Safety Management Systems played in the accident.
We concur with the BFU that the Swiss authorities had well-documented procedures and principles that would encourage the development of a sound Safety Management System.
These principles were in accordance with ICAO and EUROCONTROL guidelines.
However, the Swiss ATM organisations lacked the experience and the personnel to implement those procedures.
Partly as a result of this, opportunities were missed to learn from two AIRPROX incidents that had similarities to the events before the Ueberlingen accident.
A number of additional recommendations are presented in this report that build on those recommendations already provided in Technical Report A.
The report closes by analysing the insights that the accident provides for the recent guidance published on Safety Management Systems in ATM operations by EUROCONTROL, Transport Canada and the US FAA.
We identified the following additional recommendations based on the lessons learned from this accident:
- Additional Recommendation 1: Controllers should be made more aware of the role
of STCA in the Ueberlingen accident as a reminder of the strengths and weaknesses of
this tool. Our analysis and that of the BFU reinforce the role of STCA as a 'safety
net' and not as an absolute defense against adverse events.
- Additional Recommendation 2: Additional emphasis should be paid to a risk-based
approach to the identification and dissemination of information about the impact of
necessary upgrades on the ATM infrastructure.
- Additional Recommendation 3: Additional emphasis should be paid not simply to
minimum staffing levels as recommended in the BFU report but also to a risk-based
approach to the identification of situations that require additional staffing and to the
need to inform staff when those additional resources are available.
- Additional Recommendation 4: Additional emphasis should be placed not simply
on minimum staffing levels (Recommendation 18/2004) but on appropriate staffing
levels that match the maximum plausible task loading on controllers that might be
anticipated from their operational and technical environment, considering the dangers
of complacency and fatigue from idle operators during quiescence.
- Additional Recommendation 5: Additional emphasis should be placed on the
concrete safety management techniques that might have identified the specific
hazards in this accident well before the incident took place. These techniques
include maintenance risk assessment according to the principles laid down in
the ESARR publications.
- Additional Recommendation 6: Any risk-based assessment of the impact of large-scale
maintenance and upgrade activities should consider a range of plausible worst-case
scenarios, especially where there may be common causes of 'failure'. In this
case it was important to consider the combined effects of the loss of
telecommunications as well as radar and flight plan correlation facilities rather than
considering the consequences of each system loss in isolation.
- Additional Recommendation 7: A subsequent analysis of the accident should be
conducted to identify the cognitive and perceptual cues that helped the controller to
identify the potential conflict. It may have been through the controller's direct
observations of their radar displays; alternatively, they may have been alerted to the
conflict by indirect observations of the TCAS advisories that were issued in both
cockpits at almost the same time the controller began to issue the initial descent
instructions to the TU154M. Similarly, further attention should be paid to the protocols
and procedures governing the transmission of location information such as the '2
o'clock' warning at 21:35:03. The BFU claim that this may have seriously
disoriented the crew of the TU154M as they sought to resolve the TCAS alarm and
yet nothing is stated about this in the existing recommendations.
- Additional Recommendation 8: Further thought should be given to the verbal
protocols governing the exchange of information between controllers and the crews of
all aircraft involved in a TCAS incident. Whenever possible, channels of
communication should be kept clear until all the parties involved have confirmed their
immediate response to the warnings. The BFU recommendation 08/2004 that RAs
be downlinked to ATC does not remove the need for such a verbal protocol given that
even the revised ICAO guidelines offer crews discretion in the response to an
advisory if they feel that to follow the TCAS alert would endanger safety.
The remaining sections of this report go on to review the role that Safety Management
Systems played in the Ueberlingen accident. The results of this analysis are then
placed in the context of existing guidance and recommendations both within Europe
and the United States.
- Additional Recommendation 9: The Ueberlingen accident was caused by failures in
the safety management systems that did not ensure the use of appropriate risk
assessment techniques prior to the SYCO upgrade. Appropriate procedures and
principles were in place within Swiss Air Traffic Management and it seems clear that
had these been followed then the controllers might not have been exposed to such
demanding operating conditions. It follows that EUROCONTROL and the ICAO
might, therefore, usefully provide additional services in helping organisations
implement these good practices and where appropriate might assist national regulators
in monitoring their implementation.
- Additional Recommendation 10: The Ueberlingen accident was pre-dated by two
AIRPROX incidents in Zurich ACC that eloquently illustrated the dangers of Single
Man Operating Procedures even under more benign circumstances than existed on the
night of the accident. EUROCONTROL ESARR guidelines require that such incidents
should normally trigger a formal risk assessment and yet this was not done in either of
these cases. It is difficult to be certain about why the guidelines were not followed
here. The BFU report does not contain enough detail and this issue certainly merits
further investigation. These AIRPROX incidents represent valuable learning
opportunities that were missed before the Ueberlingen accident.
- Additional Recommendation 11: One of the great benefits of being supported and
encouraged in this project has been to trace in detail the mechanisms by which
national and international guidelines of Safety Culture and Safety Management
Systems have a direct impact upon safety. Very often these guidelines can be
criticised as 'too generic', 'irrelevant to current operating priorities' or not specific
enough. The analysis presented in this report has shown the direct relationship
between problems in the implementation of the company's Safety Policy and the
events leading to the accident. It is important that other Air Traffic Management
organisations in general, and Safety Managers in particular, are made aware of this
direct connection. There is a danger that this aspect of the accident will be ignored or
not given due attention given the amount of coverage that has been devoted to the
interaction between the controller, the crews and ACAS/TCAS. These issues are
important but are arguably less significant for long term safety than the lessons
Ueberlingen provides about the importance of Safety Management Systems.
- Additional Recommendation 12: It seems clear that the requirements for the
implementation of Safety Management Systems, such as those presented in ESARR 3,
are well considered and would have played an important role in either preventing or
mitigating the conditions that faced the controller during the Ueberlingen accident. It
is less clear what role national or international organisations can play to encourage the
monitoring of these requirements. The publication of European Safety Maturity
indicators seems a key tool in this process. However, it may be necessary to make the
identities of the nations in each level public, possibly through a body that is in some
way independent of EUROCONTROL to provide the necessary incentives to national
regulators.
- Additional Recommendation 13: The international requirements for a risk-based
approach to Safety Management Systems often contain accurate and perceptive
statements about the need to consider the interaction between systems (people,
technology, environmental factors) at different 'layers' of complexity. However,
there is little guidance available to Safety Managers on how to do this for a situation
that is as complex as that facing the ATM managers during the Ueberlingen accident.
- Additional Recommendation 14: An approved list of documentation techniques
should be established for reactive incident analysis. These need not be
'heavyweight'; for example, Transport Canada advocates the MEDA/PEAT tools developed
by Boeing. These are little more than mnemonics for the range of causal factors that
need to be considered during the analysis of an incident together with some guidance
on how to determine the likelihood of any future recurrence.
- Additional Recommendation 15: Consideration should be given to the development
of pathological 'what if' scenarios to support proactive risk assessment. The
Ueberlingen accident and similar ATM incidents have taught us that it can be very
difficult to anticipate the complex combinations of human 'error', technical 'failure'
and environmental conditions that lead to major loss of life. It is possible that short
descriptions of previous incidents or some similar technique might be used to
encourage Safety Managers to identify the plausible worst case before approving
changes in ATM processes.
- Additional Recommendation 16: Consideration should be given to publishing
guidance on how to use risk assessment as a tool to critically analyse competing
options rather than simply to validate a single planned procedure. The FAA are
correct in recognising the value of this comparative approach to decision making
where different risks are assessed rather. There is a danger that risk assessments will
be tailored to demonstrate the acceptability of 'single option' decisions.
- Additional Recommendation 17: The Ueberlingen accident shows that incidents,
such as the Zurich AIRPROX reports during Single Man Operating Procedures,
should act as triggers to formal risk assessment within the guidelines associated with a
Safety Management System. However, the FAA's recent focus on system-wide risk
assessment may argue against this approach. If we wait for incidents to trigger risk
assessments or if we wait for system upgrades to force new hazard analysis then there
will be large areas of our airspace systems that have no formal risk assessment. It
may, therefore, be necessary for ATM service providers to increase the scope of their
Safety Management Systems to proactively create a more coherent Safety Case
similar to the prototype arguments being produced by EUROCONTROL for the
implementation of RVSM etc.
Chris Johnson,
Dept. of Computing Science,
Univ. of Glasgow,
Glasgow,
G12 8QQ,
Scotland.
Tel: +44 141 330 6053,
Fax: +44 141 330 4913,
johnson@dcs.gla.ac.uk