• Reassessment of the Ueberlingen Accident (full report in pdf)
  
  
• Reassessment of the Linate Accident (companion study)

This project reviews the Uberlingen Accident. The analysis will concentrate on the BFU report and investigation. However, additional references are made to EUROCONTROL and other external recommendations, especially in the area of Safety Management Systems. The aims of this work are to:

1. show how the existing recommendations relate to the root causes identified in the existing report.
2. use recognised accident analysis techniques to identify additional recommendations that might be derived from this accident.
3. review the existing BFU report and the Swiss government investigation into the associated safety management systems to extend the scope of objective (2).

The final report brings together two different documents.

Technical Report A: The existing BFU report focuses on issues surrounding the coordination of aircrew responses to TCAS advisories in the face of possibly conflicting instructions from Air Traffic Service personnel. It also provides a thorough account of safety management issues surrounding the staffing and operation of the Zurich ACC during major maintenance and upgrade operations. In contrast, the analysis in this report looks beyond the operating environment in the Zurich control room on the night of the accident. Greater emphasis is placed on adequate preparation for what was extensive technical procedures that deprived the controllers of necessary support and created an 'error inducing' environment. In particular, the BFU report provides few insights into the risk assessment procedures that should be used before any similar upgrades should be attempted in the future.

Technical Report B: This second part of the final report builds on the findings mentioned above. In particular, it goes on to look at the role that Safety Management Systems played in the accident. We concur with the BFU that the Swiss authorities had well-documented procedures and principles that would encourage the development of a sound Safety Management System. These principles were in accordance with ICAO and EUROCONTROL guidelines. However, the Swiss ATM organisations lacked the experience and the personnel to implement those procedures. Partly as a result of this opportunities were missed to learn from two AIRPROX incidents that had similarities to the events before the Ueberlingen accident. A number of additional recommendations are presented in this report that build on those recommendations already provided in Technical Report A. The report closes by analysing the insights that the accident provides for the recent guidance published on Safety Management Systems in ATM operations by EUROCONTROL, Transport Canada and the US FAA.

We identified the following additional recommendations based on the lessons learned from this accident:

• Additional Recommendation 1: Controllers should be made more aware of the role of STCA in the Ueberlingen accident as a reminder of the strengths and weaknesses of this tool. Our analysis and that of the BFU reinforces the role of STCA as a 'safety net' and not as an absolute defense against adverse events.
  
  
• Additional Recommendation 2: Additional emphasis should be paid to a risk-based approach to the identification and dissemination of information about the impact of necessary upgrades on the ATM infrastructure.
  
  
• Additional Recommendation 3: Additional emphasis should be paid not simply to minimum staffing levels as recommended in the BFU report but also to a risk-based approach to the identification of situations that require additional staffing and to the need to inform staff when those additional resources are available.
  
  
• Additional Recommendation 4: Additional emphasis should be placed not simply on minimum staffing levels (Recommendation 18/2004) but to appropriate staffing levels that match the maximum plausible task loading on controllers that might be anticipated from their operational and technical environment, considering the dangers of complacency and fatigue from idle operators during quiescence.
  
  
• Additional Recommendation 5: Additional emphasis should be placed on the concrete safety management techniques that might have identified the specific hazards in this accident well before the incident took place. These techniques include maintenance risk assessment according to the principles laid down in the ESSAR publications.
  
  
• Additional Recommendation 6: Any risk based assessment of the impact of large scale maintenance and upgrade activities should consider a range of plausible worst case scenarios especially where there may be common causes of 'failure'. In this case it was important to consider the combined effects of the loss of telecommunications as well as radar and flight plan correlation facilities rather than considering the consequences of each system loss in isolation.
  
  
• Additional Recommendation 7: A subsequent analysis of the accident should be conducted to identify the cognitive and perceptual cues that helped the controller to identify the potential conflict. It may have been through the Controller's direct observations of their radar displays, alternatively they may have been alerted to the conflict by indirect observations of the TCAS advisories that were issued in both cockpits at almost the same time the controller began to issue the initial descent instructions to the TU154M. Similarly, further attention to be paid to the protocols and procedures governing the transmission of location information such as the '2 o'clock' warning at 21:35:03. The BFU claim that this may have seriously disoriented the crew of the TU154M as they sought to resolve the TCAS alarm and yet nothing is stated about this in the existing recommendations.
  
  
• Additional Recommendation 8: Further thought should be given to the verbal protocols governing the exchange of information between controllers and the crews of all aircraft involved in a TCAS incident. Whenever possible channels of communication should be kept clear until all the parties involved have confirmed their immediate response to the warnings. The BFU recommendation 08/2004 that RA's be downlinked to ATC does not remove the need for such a verbal protocol given that even the revised ICAO guidelines offer crews discretion in the response to an advisory if they feel that to follow the TCAS alert would endanger safety. The remaining sections of this report go on to review the role that Safety Management Systems played in the Ueberlingen accident. The results of this analysis are then placed in the context of existing guidance and recommendations both within Europe and the United States
  
  
• Additional Recommendation 9: The Ueberlingen accident was caused by failures in the safety management systems that did not ensure the use of appropriate risk assessment techniques prior to the SYCO upgrade. Appropriate procedures and principles were in place within Swiss Air Traffic Management and it seems clear that had these been followed then the controllers might not have been exposed to such demanding operating conditions. It follows that EUROCONTROL and the ICAO might, therefore, usefully provide additional services in helping organisations implement these good practices and where appropriate might assist national regulators in monitoring their implementation.
  
  
• Additional Recommendation 10: The Ueberlingen accident was pre-dated by two AIRPROX incidents in Zurich ACC that eloquently illustrated the dangers of Single Man Operating Procedures even under more benign circumstances that existed on the night of the accident. EUROCONTOL ESSAR guidelines require that such incidents should normally trigger a formal risk assessment and yet this was not done in either of these cases. It is difficult to be certain about why the guidelines were not followed here. The BFU report does not contain enough detail and this issue certainly merits further investigation. These AIRPROX incidents represent valuable learning opportunities that were missed before the Ueberlingen accident.
  
  
• Additional Recommendation 11: One of the great benefits of being supported and encouraged in this project has been to trace in detail the mechanisms by which national and international guidelines of Safety Culture and Safety Management Systems have a direct impact upon safety. Very often these guidelines can be criticised as 'too generic', 'irrelevent to current operating priorities' or not specific enough. The analysis presented in this report has shown the direct relationship between problems in the implementation of the company's Safety Policy and the events leading to the accident. It is important that other Air Traffic Management organisations in general, and Safety Managers in particular, are made aware of this direct connection. There is a danger that this aspect of the accident will be ignored or not given due attention given the amount of coverage that has been devoted to the interaction between the controller, the crews and ACAS/TCAS. These issues are important but are arguably less significant for long term safety than the lessons Ueberlingen provides about the importance of Safety Management Systems.
  
  
• Additional Recommendation 12: It seems clear that the requirements for the implementation of Safety Management Systems, such as those presented in ESARR 3, are well considered and would have played an important role in either preventing or mitigating the conditions that faced the controller during the Ueberlingen accident. It is less clear what role national or international organisations can play to encourage the monitoring of these requirements. The publication of European Safety Maturity indicators seems a key tool in this process. However, it may be necessary to make the identities of the nations in each level public possibly through a body that is in some way independent of EUROCONTROL to provide the necessary incentives to national regulators.
  
  
• Additional Recommendation 13: The international requirements for a risk-based approach to Safety Management Systems often contain accurate and perceptive statements about the need to consider the interaction between systems (people, technology, environmental factors) at different 'layers' of complexity. However, there is little guidance available to Safety Managers on how to do this for a situation that is as complex as that facing the ATM managers during the Ueberlingen accident.
  
  
• Additional Recommendation 14: An approved list of documentation techniques should be established for reactive incident analysis. These need not be 'heavy weight', for example, Transport Canada advocates the MEDA/PEAT tools developed by Boeing. These are little more than mnemonics for the range of causal factors that need to be considered during the analysis of an incident together with some guidance on how to determine the likelihood of any future recurrence.
  
  
• Additional Recommendation 15: Consideration should be given to the development of pathological 'what if' scenarios to support proactive risk assessment. The Ueberlingen accident and similar ATM incidents have taught us that it can be very difficult to anticipate the complex combinations of human 'error', technical 'failure' and environment conditions that lead to major loss of life. It is possible that short descriptions of previous incidents or some similar technique might be used to encourage Safety Managers to identify the plausible worst case before approving changes in ATM processes.
  
  
• Additional Recommendation 16: Consideration should be given to the publishing guidance on how to use risk assessment as a tool to critically analyse competing options rather than simply to validate a single planned procedure. The FAA are correct in recognising the value of this comparative approach to decision making where different risks are assessed rather. There is a danger that risk assessments will be tailored to demonstrate the acceptability of 'single option' decisions.
  
  
• Additional Recommendation 17: The Ueberlingen accident shows that incidents, such as the Zurich AIRPROX reports during Single Man Operating Procedures, should act as triggers to formal risk assessment within the guidelines associated with a Safety Management System. However, the FAA's recent focus on system-wide risk assessment may argue against this approach. If we wait for incidents to trigger risk assessments or if we wait for system upgrades to force new hazard analysis then there will be large areas of our airspace systems that have no formal risk assessment. It may, therefore, be necessary for ATM service providers to increase the scope of their Safety Management Systems to proactively create a more coherent Safety Case similar to the prototype arguments being produced by EUROCONTROL for the implementation of RVSM etc.

• The original BFU report (pdf)
• NLR Report into Aviation Safety Management in Switzerland
• EUROCONTROL ESARR3 Guidance
• Transport Canada Guidance on Safety Management in Civil Aviation
• FAA System Safety Management Programme