| University of Bielefeld - Faculty of technology | |
|---|---|
|
Networks and distributed Systems
Research group of Prof. Peter B. Ladkin, Ph.D. |
|
Höhl and Ladkin are with the RVS Group, Faculty of Technology,
University of Bielefeld.
Loer is with the BAe Dependable Computing Systems Center, Department of
Computer Science, University of York, U.K.
21 October 1997, extended 19 August 1998
We give the textual form and the graphical form generated by the tool wb2dot of the Why...Because... graph of the 26 April 1994 Nagoya accident to an A300B4. This graph is derived from the various events and states elaborated in the final report.
The WB-Graph presented here is derived from the information in the final report, (AAIC 96-5). This is similar to the method we used to analyse the Cali and Warsaw final reports (GeLaLo97.01), (HoLa97.09). In contrast to those cases, we did not find any obvious omissions or other logically questionable problems with the Nagoya report.
Readers who wish to read an introduction to WB-analysis and WB-Graphs may consult the Cali and Warsaw reports. The Cali report contains in particular an introduction to the construction of a WB-graph using the Lewis semantics for causality. A very brief introduction to the informal WB-Graph method may be found in (GeLaLo97.06). The complete WB-Analysis method, WBA, is briefly described and carefully illustrated in (Lo98.02), and will be fully described and illustrated in (LaLo98). WBA involves constructing a WB-Graph according to a certain procedure, and demonstrating formally that the graph contains a sufficient explanation of the incident by means of formal proofs in the logic EL.
We have not yet performed a full WBA of the Nagoya accident.
The Textual WB-Graph
We give the textual graph itself, followed by a legend and a glossary of
acronyms used in the labels.
The WB-Graph
[0] /* AC crashes into landing zone near E1 taxiway
// @T11:15'45" */
/\{1} /* AC stalls since
// @T11:15'31" */
/\{2} /* CRW unable to recover stall */
{1} {-.1} /* AOA becomes too large */
{1.1} /\<-.1> /* AC in out of trim (nose high) condition */
/\<-.2> /* AC climbing steeply */
/\{-.3} /* CAS becomes too low */
<1.1.1> /\<-.1> /* THS at -12.3 degrees (=nose-up) since: [1.1.1.1.1] */
/\<-.2> /* Elevators in nose-down position */
/\(-.3) /* CRW does not correct out of trim condition */
<1.1.1.1> /\<-.1> /* AP is engaged in CMD
// @T11:14'18" */
/\<-.2> /* AP in GA mode */
/\{-.3} /* F/O pushing on control column */
/\{-.4} /* AP stays engaged, although {1.1.1.1.3} */
/\{-.5} /* CRWs hand-tuning attempts ineffective
// #ACTION# // @T11:14'20" // @T11:14'34" // @T11:14'39" */
<1.1.1.1.1> [-.1] /* AP engaged
// #ACTION# // @T11:14'18" */
<1.1.1.1.2> /\[-.1] /* F/O (PF) triggers GA-lever
// @T11:14'05" // inf CVR */
/\(-.2) /* F/O (PF) does not disengage GA mode although
advised to do so by CAP several times:
// @T11:14'10" // @T11:14'30" // @T11:14'45" */
[1.1.1.1.2.1] /\<-.1> /* position of GA-lever
// ASSUMPTION */
/\[-.2] /* F/O moves hand on throttles
// ASSUMPTION */
<1.1.1.1.2.1.1> <-.1> /* Airbus Industry Cockpit Layout */
(1.1.1.1.2.2) /\{-.1} /* F/O (PF) tries but does not succeed in
disengaging GO-AROUND-mode
// #ACTION# */
/\<-.2> /* F/O (PF) does not realize his actions didn't
succeed
// #PERCEPTION# */
{1.1.1.1.2.2.1} /\[-.1] /* F/O (PF) tries to go direct into LAND mode
// #INTENTION# // inf CVR */
/\<-.2> /* direct access to LAND mode button cannot
disengage GO AROUND mode */
<1.1.1.1.2.2.1.1> <1.1.1.1.5.3.1>
<1.1.1.1.2.2.1.2> <1.1.1.1.4.1>
<1.1.1.1.2.2.2> /\<-.1> /* F/O (PF) overextended with situation
// ASSUMPTION */
/\<-.2> /* high workload
// #ATTENTION# */
<1.1.1.1.4> /\<-.1> /* Airbus Industry AP logic */
/\(-.2) /* modification to AP prescribed in Service Bulletin
SB A300-22-6021 had not been incorporated into
the aircraft
// 3rd party Information */
(1.1.1.1.4.2) /\(-.1) /* The aircraft manufacturer did not categorise
the SB A300-22-6021 as "Mandatory"
// 3rd party Information */
/\(-.2) /* The airworthiness authority of the nation of
design and manufacture did not issue promptly
an airworthiness directive pertaining to
implementation of the SB.
// 3rd party Information */
{1.1.1.1.3} /\{-.1} /* F/O (PF) tries to recover optimal glide path */
/\<-.2> /* F/O (PF) believes nose-down elevator commands will
achieve nose-down state
// ASSUMPTION */
{1.1.1.1.3.1} /\{-.1} /* AC left optimal glide path */
/\<-.2> /* AC should return to optimal glide path */
{1.1.1.1.3.1.1} [1.1.1.1.2.1]
// inf CVR */
<1.1.1.1.3.2> <1.1.1.1.5.3.1>
{1.1.1.1.5} /\[-.1] /* CRW attempts to hand-tune */
/\<-.2> /* when active, AP doesn't allow THS override */
/\(-.3) /* CRW doesn't realize <1.1.1.1.5.2>
// #PERCEPTION# */
/\<-.4> /* CRW lacks experience and knowledge with A300 AP
// ASSUMPTION */
[1.1.1.1.5.1] {1.1.1.1.3.1}
<1.1.1.1.5.2> <1.1.1.1.4.1>
(1.1.1.1.5.3) <1.1.1.1.5.4>
<1.1.1.2> {1.1.1.1.3}
(1.1.1.3) (-.1) /* CRW does not recognize OOT condition
// #PERCEPTION# // inf CVR */
(1.1.1.3.1) /\<-.1> /* optical systems for the purpose of THS motion
awareness do not provide effective information
at night */
/\<-.2> /* optical/acoustical warning device, capable of
_actively_ alerting THS motion inactive */
/\<-.3> /* CRW does not pay attention
// #ATTENTION# // inf CVR */
<1.1.1.3.1.1> <1.1.1.1.2.1.1.1>
<1.1.1.3.1.2> /\[-.1] /* Airbus Industry eliminated function from AP
in CMD mode design
// 3rd party information */
/\<-.2> /* Airbus Industry did not establish another
warning and recognition function
// 3rd party information */
/\<1.1.1.1.1>
<1.1.1.3.1.2.1> {-.1} /* Airbus Industry followed suggestion from UK CAA */
<1.1.2> /\<-.1> /* high engine thrust */
/\<-.2> /* F/O releases control wheel */
/\<1.1.1>
/\<1.1.1.1>
<1.1.2.1> [-.1] /* EPR increased from 1.04 to > 1.6 */
[1.1.2.1.1] /\[-.1] /* THR levers moved forward
// @T11:15'11" */
/\[-.2] /* Alpha Floor Function activated
// @T11:14'57" // @H570 */
[1.1.2.1.1.1] [-.1] /* CAP(PF) decides to initiate GO-AROUND manoeuvre
// @T11:15'03" */
<1.1.2.1.1.2> /\<-.1> /* AOA exceeded threshold AOA of 11.5 degrees */
/\<-.2> /* pitch angle increased */
/\<-.3> /* AP disengaged
// @T11:14'50" */
/\<-.4> /* Airbus Industry Logic */
<1.1.2.1.1.2.1> /\<1.1.1>
/\{1.1.3}
<1.1.2.1.1.2.2> /\<1.1.1>
/\<1.1.2.1>
// causal feedback loop !! - alpha floor //
{1.1.3} /\<-.1> /* THR not engaged continuously */
/\{-.2} /* THR decreased temporarily */
/\<1.1.2>
<1.1.3.1> /\<-.1> /* CAP(PF) uncertain about situation
// #ATTENTION# */
/\[-.2] /* CRWs actions interfere with AP operation */
<1.1.3.1.2> /\[-.1] /* F/O (PF) interrupts execution of Alpha Floor function */
/\<-.2> /* A300 AP `intended to permit pilots to apply
_small_ manual control inputs to assist the AP'
// cite from FCOM */
/\<-.3> /* CRW unaware that A300 AP does not allow
permanent manual override
// #ATTENTION# */
[1.1.3.1.2.1] {-.1} /* F/O (PF) counteracts against resulting pitch-up
movement from [1.1.2.1.1.2] */
<1.1.3.1.2.1.1> <-.1> /* F/O (PF) doesn't realize [1.1.2.1.1.2]
// #ATTENTION# */
<1.1.3.1.2.2> <1.1.1.1.4.1>
<1.1.3.1.2.3> /\<-.1> /* CRW unable to gain this information
from FCOM */
/\<-.2> /* CAP's (PF) action would be appropriate
for Boeing AP
// ASSUMPTION */
/\<1.1.1.1.5.3.1>
<1.1.3.1.2.3.1> <-.1> /* FCOM design not suited for handling
alert situations
// ASSUMPTION */
<1.1.3.1.2.3.1.1> <-.1> /* Airbus Industry FCOM layout */
{1.1.3.2} /\[-.1] /* THR levers retarded temporarily */
/\<-.2> /* surges occurred in both engines */
[1.1.3.2.1] /\[-.1] /* CAP (PNF) intends to continue approach
// inf CVR */
/\<1.1.3.1.2.1>
<1.1.3.2.2> <-.1> /* high AOA of inlets */
<1.1.3.2.2.1> /\<1.1.2>
/\{1.1.3}
{2} /\(-.1) /* CRW doesn't take appropriate action to recover stall */
/\<-.2> /* AC systems in unusual modes */
/\<-.3> /* time and altitude for recovery operations short to insufficient */
(2.1) /\<-.1> /* CRW not aware of AC systems states
// #ATTENTION# */
<2.1.1> /\<-.1> /* situation is unusual */
/\<-.2> /* no THS motion warning */
/\<-.3> /* none of the CRW is able to keep track of the
situation
// #ATTENTION# */
/\<1.1.3.1.2.1.1.1>
<2.1.1.1> /\<-.1> /* transition `GO-AROUND -> LAND' is no flight manoeuvre
according to Standard Operating Procedures */
<2.1.1.2> /\<1.1.1.3.1.1>
/\<1.1.1.3.1.2>
<2.1.1.3> /\[-.1] /* CAP (PNF) takes over controls against duty assignment
// #ACTION# // @T11:15'03" */
/\<-.2> /* CAP (PNF) doesn't grasp flight conditions
// inf CVR */
/\{-.3} /* F/O (PF) loses his autonomy, since he follows a series of
instructions given by CAP (PNF) instead of acting on his own
// @T11:14'26" to T11:15'03" */
<2.2> <-.1> /* complex control situation at stall */
<2.2.1> /\<-.1> /* trying to transit GO-AROUND -> LAND */
/\<1.1.2.1.1.2>
/\<1.1.1>
<2.3> /\<-.1> /* nose-up attitude is 43.8 degrees */
/\<-.2> /* altitude is 1,730ft */
/\<-.3> /* AS is less than 50kts */
(88 nodes)
[X.X] Event
<Y.Y> State
{Z.Z} Process
(U.U) Non-Event
/* comment on node */
additional information on comments:
// @T... T=Time (hh:mm'ss" UTC)
// @H... Predicates: H=Height (pressure altitude in ft)
// @P... P=Position (2D)
// ## where
::= perception | attention | reasoning |
decision | intention | action
is the classification of failures according to the extended
information-processing model introduced in [GLL96]
// 3rd party information
// inf CVR any information judged as required
// ...
AD : Airworthiness Directive
ADC : Air Data Computer
AFS : Automatic Flight System
ALT : Altitude
ALT SEL : Altitude Selector
AOA : Angle of Attack
AP : Auto-Pilot
APU : Auxiliary Power Unit
A/THR : Automatic Thrust
AT : Auto Throttle
ATS : Auto-Throttle System
ATT : Attitude
BEA : Bureau Enquêtes Accidents
BKN : Broken
CAP : Captain
CAS : Computed Airspeed
CGCC : Center of Gravity Control Computer
CAT : Category
CMD : Command
CN : Consigne de Navigabilite
CRW : Crew
CVR : Cockpit Voice Recorder
CWS : Control Wheel Steering
DFDR : Digital Flight Data Recorder
DGAC : Direction Générale de l'Aviation Civile
ECAM : Electronic Centralized Aircraft Monitoring
EFCU : Electronic Flight Control Unit
EFIS : Electronic Flight Instrument System
ENG : Engine
EPR : Engine Pressure Ratio
FAA : Federal Aviation Administration
FAC : Flight Augmentation Computer
FADEC : Full Authority Digital Electronic Control
FCC : Flight Control Computer
FCOM : Flight Crew Operating Manual
FCU : Flight Control Unit
FD : Flight Director
FIDC : Fault Isolation and Detection Computer
FIDS : Fault Isolation and Detection System
FL : Flight Level
FMA : Flight Mode Annunciator
FMC : Flight Management Computer
FMS : Flight Management System
F/O : First Officer
FWC : Flight Warning Computer
GA : GO AROUND
GCU : Generator Control Unit
GPWC : Ground Proximity Warning Computer
GPWS : Ground Proximity Warning System
GS : Glide Slope
HDG : Heading
HDG/SEL : Heading Selector
HPC : High Pressure Compressor
HPT : High Pressure Turbine
ICAO : International Civil Aviation Organization
IGS : Instrument Guidance System
IGV : Inlet Guide Vane
IND : Indicator
ILS : Instrument Landing System
IRS : Inertial Reference System
IRU : Inertial Reference Unit
LAND : Landing
L/D : Landing
L/G : Landing Gear
LOC : Localizer
LPC : Low Pressure Compressor
LPT : Low Pressure Turbine
LVL/CH : Level Change
MAC : Mean Aerodynamic Chord
MAN THR : Manual Thrust
MIC : Microphone
MTP : Maintenance and Test Panel
NAV : Navigation
NTSB : National Transportation Safety Board
OOT : Out Of Trim
OVC : Overcast
PCM : Pulse Code Modulation
PF : Pilot Flying
PFD : Primary Flight Display
PIC : Pilot in Command
PNF : Pilot Not Flying
QNH : Pressure Setting to Indicate Elevation above Mean Sea Level
R ALT : Radio Altitude
RET : Retract
RMI : Radio Magnetic Indicator
RWY : Runway
SB : Service Bulletin
SCT : Scattered
SGU : Symbol Generator Unit
SPD : Speed
SPD/MAC : Speed/Mach
SRS : Speed Reference System
SW : Switch
TCC : Thrust Control Computer
TCD : Ministry of Transport Civil Aviation Bureau Directive
THR : Thrust
THR L : Thrust Latch
THS : Trimmable Horizontal Stabilizer
TIPS : Technical Instruction Processing Sheet
TRP : Thrust Rating Panel
VAPP : Approach Target Speed
VOR : VHF Omnidirectional Radio Range
V/S : Vertical Speed
Vs : Stall Speed
VTG : Target Speed
W.STA : Wing Station
We used the tool wb2dot to generate graphical representations of the WB-Graph. The representations appear both as a graphic for on-line viewing below, and in a format suitable for download and printing. `Source' nodes are colored light blue, and will show as such on color printers. Black-white printers represent these nodes with gray shading.
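The following is an added example, not wb2dot and not the authors' code: a minimal Python reader for the textual notation above that resolves relative labels, records each causal factor as an edge to the node it explains, lists labels that are referenced but never described, and emits DOT. It assumes that a `-.n` label extends the label at the start of the entry, that angle brackets mark states, and that edges run from factor to explained node; the names `parse`, `undescribed` and `to_dot` are hypothetical.

```python
import re
KIND = {'[': 'Event', '<': 'State', '{': 'Process', '(': 'Non-Event'}
LABEL = r'([\[{<(])(-?[\d.]+)[\])}>]'
LINE = re.compile(rf'\s*(?:{LABEL}\s*)?(?:/\\\s*)?(?:{LABEL}\s*)?'
                  r'(?:/\*\s*(.*?)\s*\*/)?\s*$')
# Excerpt copied from the textual graph on this page (some comments shortened).
SAMPLE = r'''[0] /* AC crashes into landing zone near E1 taxiway
// @T11:15'45" */
/\{1} /* AC stalls */
/\{2} /* CRW unable to recover stall */
{1} {-.1} /* AOA becomes too large */
{1.1} /\<-.1> /* AC in out of trim (nose high) condition */
/\<-.2> /* AC climbing steeply */
<1.1.2> /\<-.1> /* high engine thrust */
/\<1.1.1>
/\<1.1.1.1>'''

def parse(text):
    """Return (nodes, edges); multi-line comments are joined onto one line first."""
    text = re.sub(r'/\*.*?\*/', lambda m: ' '.join(m.group().split()), text, flags=re.S)
    nodes, edges, head = {}, [], None
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                        # line does not fit the assumed notation
        hb, hid, fb, fid, comment = m.groups()
        if hid:                             # entry starts: the node being explained
            head = hid
            nodes.setdefault(head, {'kind': KIND[hb], 'text': ''})
        target = head
        if fid and head is not None:
            # "-.n" is relative to the head label; any other label is absolute
            target = head + fid[1:] if fid.startswith('-') else fid
            nodes.setdefault(target, {'kind': KIND[fb], 'text': ''})
            edges.append((target, head))    # (causal factor, node it explains)
        if comment and target is not None and not nodes[target]['text']:
            nodes[target]['text'] = comment
    return nodes, edges

def undescribed(nodes):
    """Labels that are referenced but never given a comment in the input."""
    return [nid for nid, n in nodes.items() if not n['text']]

def to_dot(nodes, edges):
    out = ['digraph wb {']
    for nid, n in nodes.items():
        label = f'{n["kind"]} {nid}: {n["text"]}'.replace('"', r'\"')
        out.append(f'  "{nid}" [label="{label}"];')
    return '\n'.join(out + [f'  "{a}" -> "{b}";' for a, b in edges] + ['}'])
```

On this excerpt `undescribed` reports `1.1.1.1`, which is described only further down in the full graph; run over the complete text, the same check lists any label that is cross-referenced without ever receiving a comment.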
(AAIC 96-5), Aircraft Accident Investigation Commission, Ministry of Transport, Japan, Aircraft Accident Investigation Report: China Airlines Airbus Industrie A300B4-622R, B1816, Nagoya Airport, April 26, 1994, author, available also as an on-line document, through Computer-Related Incidents with Commercial Aircraft, at http://www.rvs.uni-bielefeld.de.
(GeLaLo97.01), Thorsten Gerdsmeier, Peter Ladkin and Karsten Loer, Analysing the Cali Accident With a WB-Graph, Research Report RVS-RR-97-01, RVS Group, Faculty of Technology, University of Bielefeld. Available through http://www.rvs.uni-bielefeld.de.
(GeLaLo97.06), Thorsten Gerdsmeier, Peter Ladkin and Karsten Loer, Formalising Failure Analysis, Research Report RVS-Occ-97-06, RVS Group, Faculty of Technology, University of Bielefeld. Available through http://www.rvs.uni-bielefeld.de.
(Ho98.04), Michael Höhl, wb2dot - A Tool for Translating Textual WB-Graphs into DOT Format, Software RVS-Soft-04, RVS Group, Faculty of Technology, University of Bielefeld. Available through http://www.rvs.uni-bielefeld.de --> Publications.
(HoLa97.09), Michael Höhl and Peter Ladkin, Analysing the 1993 Warsaw Accident With a WB-Graph, Research Report RVS-Occ-97-09, RVS Group, Faculty of Technology, University of Bielefeld. Available through http://www.rvs.uni-bielefeld.de.
(LaLo98), Peter Ladkin and Karsten Loer, Why-Because Analysis: The Formal Logic of Failure (Preliminary title), in preparation, RVS Group, Faculty of Technology, University of Bielefeld.
(Lo98.02), Karsten Loer, Towards "Why...Because"-Analysis of Failures, Diplom Thesis RVS-Dip-98-02, RVS Group, Faculty of Technology, University of Bielefeld. Available through http://www.rvs.uni-bielefeld.de.
| Copyright © 1999 Peter B. Ladkin, 1999-02-08 | |
|
by Michael Blume |