Causal Analysis of the ACAS/TCAS Sociotechnical System
Abstract
Sociotechnical systems are those which rely not only on technology but on humans and social organisation for their adequate functioning. The analysis of sociotechnical systems poses the particular challenge of synthesising methods appropriate to formerly separate scientific disciplines. One result is that prominent features of the systems are often missed during analysis. This paper points to some features of the ACAS/TCAS transport aircraft collision avoidance system which I believe could do with much closer scrutiny.

Copyright (c) 2004, Australian Computer Society, Inc. This paper appeared at the 9th Australian Workshop on Safety Related Programmable Systems (SCS'04), Brisbane. Conferences in Research and Practice in Information Technology, Vol. 38, Tony Cant, Ed. Reproduction for academic, not-for-profit purposes permitted provided this text is included.

1 The Überlingen Midair Collision

Sociotechnical systems contain mechanical, electrical or electronic parts but rely for their appropriate functioning on human or social organisation and actions. Analysing them is often a complex matter, not only because the systems themselves are often complex, but because analysts must somehow apply a multitude of analysis techniques which traditionally have belonged to different scientific disciplines: computer science, physical and mechanical engineering, ergonomics, psychology and organisational theory.

On 1 July 2002, a Tupolev 154M operated by Bashkirian Airlines (BTC), a Russian airline, was flying westwards at night over Southern Germany towards a destination in Catalunya. A Boeing 757 operated by the cargo airline DHL was flying northbound over Switzerland, at the same Flight Level 360 (representing a nominal altitude of 36,000 feet in a normed atmosphere). Both were operating under Instrument Flight Rules (IFR), compulsory at this Flight Level. Skyguide, the Swiss air traffic control organisation, had control of both aircraft, and accordingly responsibility for separation of the aircraft. The controller on duty was operating two positions, some metres apart, because colleagues were on break. He was working primarily with other traffic at one position, and only noted the convergence of the two aircraft close to the point at which the separation he was required to enforce (7 nautical miles lateral and/or 1,000 ft vertical separation) was to be broken. Another air traffic control facility at Karlsruhe had noticed the convergence, but was unable to contact Zürich through the dedicated communication channel, which was undergoing maintenance. Similarly, an automatic "early warning" system installed at the Zürich facility was undergoing maintenance and did not trigger.

The controller issued an avoidance manoeuvre to BTC to descend immediately. However, both aircraft received a Resolution Advisory from their on-board Airborne Collision Avoidance System (ACAS) devices, both TCAS II Version 7.0 from the company ACSS, virtually simultaneously with this instruction. TCAS advised BTC to climb immediately, and DHL to descend immediately (the manoeuvres expected are also normed: a smooth 1/4 g acceleration to a climb, respectively descent, rate of 1,500 feet per minute (fpm)). DHL descended. The BTC commander also instructed his Pilot Flying (PF) to descend. 7 seconds later, the air traffic controller repeated his descend instruction to BTC with a note to "expedite", for traffic which he mistakenly described as at the "two o'clock" relative position. BTC was at "two o'clock" to DHL; DHL was at "ten o'clock" to BTC. Such cognitive slips are not uncommon, and normally not consequential. In this case, however, it caused the BTC commander to believe he was in a three-aircraft conflict: with DHL, whose lights the crew could see and had identified at their ten o'clock, and with an unknown aircraft, which his TCAS display was not "painting", at his two o'clock [Bun04]. (I had already speculated that this might have been so in [Lad02a].)

7 seconds later, DHL received an "iterated advisory" to "increase descent" (to a normed rate of 2,500 fpm). 9 seconds after that, DHL informed air traffic control that he was in a "TCAS descent". Air traffic control procedures are that controllers are no longer responsible for separating traffic responding to TCAS Resolution Advisories until the participants report to them that they are "Clear of Conflict". However, they may continue to provide information to participants during the manoeuvres. The air traffic controller conformed with this procedure. 11 seconds after DHL informed the controller of the TCAS descent, the two aircraft collided.

A more extensive discussion of the TCAS kit (the avionics that provides crew with information on nearby participating aircraft, as well as manoeuvring advisories), as well as the precise minute-by-minute details of the accident, may be found in my presentation slides [Lad04] and the official accident report [Bun04].

Immediately after the accident, attention focused on BTC's descent contrary to its TCAS Resolution Advisory, as well as the various apparent procedural deficiencies at Skyguide. In a particularly sad and inappropriate incident, the controller involved, who was reported to be, understandably, personally very affected by what had happened, was murdered by what was presumed to be a distraught relative of an accident victim. The responsible investigating authority, the German BFU, issued its final report in May 2004 [Bun04]. It contains a thorough discussion of the sociotechnical system consisting of the Skyguide air traffic control facility at Zürich, in my view an excellent example of this analytical art. Many factors contributing to the accident concern the operation of this system. In addition, BTC's decision to descend was cited as a factor. The TCAS avionics was found to have operated as designed and intended. Also cited as a factor were the many, often contradictory, procedural instructions or pieces of advice to pilots on appropriate procedures on reception of a TCAS Resolution Advisory. The report enumerates all these pieces of advice and contains a thorough discussion. The BFU recommends that it should be made mandatory for pilots to follow TCAS Resolution Advisories.

2 A Brief Description of the ACAS/TCAS System

First, some terminology. The name ACAS refers to an international standard, normed by the International Civil Aviation Organisation (ICAO), a subsidiary organisation of the United Nations. The specification comes from the U.S. TCAS system, developed over some thirty years, and mandated for commercial air transport in the U.S. by the U.S. Congress after a collision between an Aeromexico transport and a civil light aircraft in the Los Angeles area. I use the term TCAS here to refer to the avionics.

The TCAS avionics senses other similarly-equipped aircraft in its vicinity through use of the radar transponders with which all aircraft flying at these flight levels are equipped. A transponder is a radio device which receives signals at the standard air traffic control radar frequency and automatically transmits information in return. So-called Mode C transponders transmit the aircraft ID, the aircraft's pressure altitude (an internationally-normed altitude which is a fixed function of the sensed outside air pressure, also used to define the Flight Levels), and a four-octal-digit code, called a "squawk", which is set by the pilots during the flight according to air traffic control instructions. Mode S transponders, used by TCAS, have in addition to the Mode C functions also space in the return signal for sending a message. The TCAS avionics uses Mode S for detecting other aircraft, for reckoning relative closing speed and altitude, and for negotiating avoidance manoeuvres (Resolution Advisories, RA) with other close aircraft. Whereas normal Mode S responds only to interrogation, in conjunction with TCAS avionics it broadcasts regularly "in the dark" as well as responding to broadcasts from other aircraft.

The time lag or latency between a broadcast and receiving a reply is used to determine range (the distance to the responding aircraft). The latency is roughly composed of the time it takes the signal to traverse the distance between the aircraft, the processing latency of the receiving aircraft, and the time it takes the responding signal to return. The processing latency of the avionics is known (it is normed as part of the kit), hence the range may be calculated. Altitude information comes directly from the Mode S altitude reports, which are discretised into (usually) 100 ft or 25 ft increments. Relative (horizontal and vertical) closing velocities are calculated by comparing successive returns. Warnings (Traffic Advisories, TA) and RAs are issued based on a time period, called Tau, τ, obtained by dividing the range R by the closing speed dR/dt:
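As an added example (not code from the paper or from any TCAS implementation), the following Python models the mechanism just described: range from round-trip latency minus the normed processing delay, closing speed from successive returns, and Tau as R divided by dR/dt, with no Tau produced when the two aircraft are not converging. The processing latency value and the sequence of replies are constructed inputs, not measurements, and the function names are my own.

```python
# Added example (not from the paper): the range, closing-speed and Tau computation
# that Section 2 describes, run over a constructed sequence of transponder replies.
C_M_PER_S = 299_792_458.0   # speed of light, metres per second
M_PER_NM = 1852.0           # metres per nautical mile

def range_from_latency_nm(latency_s, processing_latency_s):
    """Range R from the round-trip latency of a reply, after subtracting the
    normed processing latency of the replying transponder (an assumed value here)."""
    travel_s = latency_s - processing_latency_s
    if travel_s < 0:
        raise ValueError("latency shorter than the normed processing delay")
    return travel_s * C_M_PER_S / 2.0 / M_PER_NM  # signal goes out and back, so halve

def closing_speed_nm_per_s(r_prev_nm, r_now_nm, dt_s):
    """Closing speed from two successive returns: positive while the range shrinks."""
    return (r_prev_nm - r_now_nm) / dt_s

def tau_s(range_nm, closing_nm_per_s):
    """Tau = R / (dR/dt). None when the aircraft are not converging: a zero or
    negative closing speed gives no meaningful time to closest approach."""
    if closing_nm_per_s <= 0:
        return None
    return range_nm / closing_nm_per_s

def tau_track(returns, processing_latency_s):
    """returns: list of (time_s, round_trip_latency_s) for one intruder.
    Gives (time_s, range_nm, tau_s_or_None); the first return has no Tau yet."""
    out, prev = [], None
    for t, latency in returns:
        r = range_from_latency_nm(latency, processing_latency_s)
        tau = None
        if prev is not None:
            t0, r0 = prev
            tau = tau_s(r, closing_speed_nm_per_s(r0, r, t - t0))
        out.append((t, r, tau))
        prev = (t, r)
    return out

def constructed_latency_s(range_nm, processing_latency_s):
    """Build a sample reply latency for a given range (constructed input, not a measurement)."""
    return 2.0 * range_nm * M_PER_NM / C_M_PER_S + processing_latency_s

if __name__ == "__main__":
    PROC = 10e-6  # assumed normed processing latency, in seconds
    sample = [(t, constructed_latency_s(10.0 - 0.1 * t, PROC)) for t in range(4)]
    for t, r, tau in tau_track(sample, PROC):
        print(f"t={t}s range={r:.3f} NM tau={'-' if tau is None else f'{tau:.1f} s'}")
```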
Publication date: 2004