AF447 Fault Tree Analysis

Tuesday, 18 December 2012
Degree in Air Transport Management and Operations
Universidad Politécnica de Madrid
Aviation Safety
Prepared by: David García Luque, Francisco Arias Virseda, Ricardo A. Hernández D.


Aviation Safety - AF447 Tree Fault Analysis

Index

1. INTRODUCTION
2. FACTUAL INFORMATION
   History of Flight
   Killed and Injured
   Damage to Aircraft
   Other Damage
   Personnel information
   Aircraft information
   Meteorological situation
   Aids to Navigation
   Telecommunications
   Aerodrome Information
   Flight Recorders
   Wreckage and Impact Information
   Fire
3. FAULT TREE ANALYSIS
4. CONCLUSIONS
5. Tree Fault Analysis (general view)
6. Tree Fault Analysis (Obstruction Pitot Tubes)
7. Tree Fault Analysis (Cockpit Confusion)
8. Tree Fault Analysis (sustained stall)
9. Description of the Tree Fault Analysis applied to the accident of the AF447
   Obstruction of Pitot Tubes
   Cockpit Confusion
      Loss of reliable airspeed information
      Autopilot Disengaged
      Excessive input controls
   Sustained Stall
      Failure to identify aural warning
      Confusion with overspeed situation
      Flight Director Indications


1. INTRODUCTION

The Airbus A330 operating flight AF447 took off from Rio de Janeiro bound for Paris on 31 May 2009.

The sequence of events in the accident was the following:

• The Captain left the cockpit at around 2 h 02.
• The crew made a course change of 12 degrees to the left at around 2 h 08.
• Some automatic systems disconnected and the speed indications were incorrect at 2 h 10 min 05.
• The Captain rejoined the crew at 2 h 11 min 35. At that moment, the airplane was in a stall situation.
• The airplane impacted the sea at 2 h 14 min 28.

2. FACTUAL INFORMATION

History of Flight

Date of accident: 1st June 2009 at 2 h 14 min 28 s
Site of accident: At reference 3º03’57’’ N, 30º33’42’’ W, near the TASIL point, in international waters, Atlantic Ocean
Aircraft: Airbus A330-203
Owner and Operator: Air France
Type of flight: International public transport of passengers. Scheduled flight AF 447
Persons on board: Flight crew: 3; Cabin crew: 9; Passengers: 216

Killed and Injured

Fatal injuries: Crew Members: 12; Passengers: 216

Damage to Aircraft

The airplane was destroyed.

Other Damage

Not applicable.

Personnel information

The crew possessed the licenses and ratings required to undertake the flight.

Aircraft information

Air France had owned the aircraft since April 2005. It had been delivered new.

Meteorological situation

The general conditions and the position of the ITCZ over the Atlantic were normal for the month of June. Cumulonimbus clusters were present.

Aids to Navigation

The GNSS is the only navigation aid near the TASIL point.

At the time of the event, the GPS constellation gave the required navigation precision on the route.

Telecommunications

Flight AF 447 was under radar control from departure from Rio de Janeiro airport to the INTOL waypoint, and under radar coverage up to the SALPU waypoint. After this point, AF 447 was under en-route control (via a flight progress strip).

Aerodrome Information

The support aerodromes for this ETOPS 120 minute flight were: Natal (Brazil) and Sal Amilcar (Cape Verde).

Flight Recorders

The aeroplane was equipped with two flight recorders.

Wreckage and Impact Information

The French and Brazilian navies found debris belonging to the aeroplane from 6 June onwards. About 1000 pieces of the plane were found.

Fire

There was no evidence of fire or explosion.

3. FAULT TREE ANALYSIS

Fault Tree Analysis (FTA) is a logic and probabilistic technique used in system reliability assessment.

The Fault Tree Approach

The fault tree is a graphic model of faults that will result in the occurrence of the predefined undesired event. It is a qualitative model that can be evaluated quantitatively.

The faults can be events that are associated with component hardware failures, human errors, software errors, or any other events which can lead to the undesired event.

FTA doesn’t include all possible system failures or all possible causes for system failure. The fault tree includes only those faults that contribute to the top event.

A fault tree is composed of “gates” that serve to permit or inhibit the passage of fault logic up the tree.

The gates show the relationships of events needed for the occurrence of a “higher” event. The “higher” event is the output of the gate; the “lower” events are the “inputs” to the gate.

The gate symbol denotes the type of relationship of the input events required for the output event.

The probability of occurrence of the AND gate fault event is:

The probability of occurrence of the OR gate fault event is:


4. CONCLUSIONS

The ice crystals phenomenon was known but misunderstood at the time of the accident. Its occurrence during cruise surprised the pilots of flight AF 447.

After the data inputs became inconsistent because the Pitot probes were blocked, the crew members decided to disconnect the autopilot. They didn’t understand the situation and cooperation between crew members was bad. That led to a total loss of cognitive control of the situation.

They didn’t understand that the airplane was in a sustained stall, although there were signs of it.

Consequently, they didn’t apply a recovery manoeuvre and the aircraft ended up crashing into the sea.

5. Tree Fault Analysis (general view):

[Figure: fault tree, general view. Top event: Accident AF447. Branches: Obstruction of Pitot Tubes (Formation Ice Crystals); Cockpit Confusion (Loss of reliable airspeed information, Autopilot Disengaged, Excessive Control Inputs, Night and ITCZ); Sustained Stall (Failure to identify aural warning, Any Visual Information, Confusion with Overspeed Situation, Flight Director Indications).]

6. Tree Fault Analysis (Obstruction Pitot Tubes):

[Figure: fault tree for Obstruction Pitot Tubes. Formation Ice Crystals, with inputs Freezing Cores and Temperature <40ºC.]

7. Tree Fault Analysis (Cockpit Confusion):

[Figure: fault tree for Cockpit Confusion. Branches: Loss of Reliable airspeed Information (Lack of link between indicated airspeed and procedure, Lack of training flying NIC, Lack of a clear display of airspeed inconsistencies); Autopilot Disengaged (Captain was not flying, Wrong task sharing between co-pilots with inputs Incomprehension of the situation and Startle effect: Emotional Factor, Activation Alternate Law); Excessive Input Controls (Erroneous airspeed information, ECAM Messages, Excessive Warnings); Night and ITCZ.]

8. Tree Fault Analysis (sustained stall):

[Figure: fault tree for Sustained Stall. Branches: Failure to identify aural warning (Low Training stall phenomena, Low training stall warnings, Low training Buffet); Any Visual Information; Confusion with overspeed situation (Thrust to Idle, Nose-Up Position); Flight Director Indications (Late Identification of deviation from flight path, Insufficient correction of deviation from flight path).]

9. Likelihood

P(Accident AF447) = P(1) * P(2) * P(3)

• P(1) = P(1A) = P(1A1) * P(1A2)

1: Obstruction of Pitot Tubes
   1A: Formation Ice Crystals
      1A1: Freezing Cores
      1A2: Temperature <40ºC

• P(2) = [1 - P(2A)] * [1 - P(2B)] * [1 - P(2C)] * [1 - P(2D)]

P(2A) = P(2A1) * P(2A2) * P(2A3)
P(2B2) = P(2B2A) * P(2B2B)
P(2B) = P(2B1) * P(2B2) * P(2B3)
P(2C) = P(2C1) * P(2C2) * P(2C3)

2: Cockpit Confusion
   2A: Loss of reliable airspeed information
      2A1: Lack of link between indicated airspeed and procedure
      2A2: Lack of training flying NIC
      2A3: Lack of clear display of airspeed inconsistencies
   2B: Autopilot Disengaged
      2B1: Captain was not flying
      2B2: Wrong task sharing…
         2B2A: Incomprehension of the situation
         2B2B: Startle effect: Emotional Factor
      2B3: Activation Alternate Law
   2C: Excessive Control Inputs
      2C1: Erroneous airspeed information
      2C2: ECAM Messages
      2C3: Excessive Warnings
   2D: Night and ITCZ

• P(3) = P(3A) * P(3B) * P(3C) * P(3D)

P(3A) = P(3A1) * P(3A2) * P(3A3)
P(3C) = P(3C1) * P(3C2)
P(3D) = P(3D1) * P(3D2)

3: Sustained Stall
   3A: Failure to identify aural warning
      3A1: Low Training stall phenomena
      3A2: Low training stall warnings
      3A3: Low training Buffet
   3B: Any Visual Information
   3C: Confusion with Overspeed Situation
      3C1: Thrust to Idle
      3C2: Nose-Up Position
   3D: Flight Director Indications
      3D1: Late Identification of deviation from flight path
      3D2: Insufficient correction of deviation from flight path
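An added example, not part of the original report: it evaluates the tree above in Python, computing node probabilities and the minimal cut sets. The gate structure is transcribed from the formulas in this section; the names GATES, ASSUMED_P and the three functions are introduced here, the basic-event probability of 0.1 is a constructed placeholder because the report gives no values, and basic events are assumed independent. The OR gate uses the standard form 1 - Π(1 - P_i); the product of complements printed above for P(2) is the probability that none of the four inputs occurs.

```python
from itertools import product
from math import prod

# Gate structure transcribed from the "Likelihood" section.
# Any ID that is not a key of GATES is a basic event.
GATES = {
    "TOP": ("AND", ["1", "2", "3"]),
    "1":   ("AND", ["1A"]),
    "1A":  ("AND", ["1A1", "1A2"]),
    "2":   ("OR",  ["2A", "2B", "2C", "2D"]),
    "2A":  ("AND", ["2A1", "2A2", "2A3"]),
    "2B":  ("AND", ["2B1", "2B2", "2B3"]),
    "2B2": ("AND", ["2B2A", "2B2B"]),
    "2C":  ("AND", ["2C1", "2C2", "2C3"]),
    "3":   ("AND", ["3A", "3B", "3C", "3D"]),
    "3A":  ("AND", ["3A1", "3A2", "3A3"]),
    "3C":  ("AND", ["3C1", "3C2"]),
    "3D":  ("AND", ["3D1", "3D2"]),
}

# Constructed value: the report gives no basic-event probabilities.
ASSUMED_P = 0.1


def basic_events(node="TOP"):
    """Return the sorted basic-event IDs below a node."""
    if node not in GATES:
        return [node]
    return sorted(e for child in GATES[node][1] for e in basic_events(child))


def probability(node, p):
    """Probability of a node, assuming independent basic events."""
    if node not in GATES:
        return p[node]
    kind, children = GATES[node]
    values = [probability(c, p) for c in children]
    if kind == "AND":
        return prod(values)
    return 1.0 - prod(1.0 - v for v in values)  # OR gate


def minimal_cut_sets(node="TOP"):
    """Smallest sets of basic events that together cause the node."""
    if node not in GATES:
        return [frozenset([node])]
    kind, children = GATES[node]
    child_sets = [minimal_cut_sets(c) for c in children]
    if kind == "OR":
        candidates = [s for sets in child_sets for s in sets]
    else:  # AND: take one cut set from every child and merge them
        candidates = [frozenset().union(*combo) for combo in product(*child_sets)]
    unique = set(candidates)
    # Drop any set that strictly contains another one.
    return sorted((s for s in unique if not any(o < s for o in unique)),
                  key=lambda s: (len(s), sorted(s)))


if __name__ == "__main__":
    p = {e: ASSUMED_P for e in basic_events()}
    for node in ("1", "2", "3", "TOP"):
        print(f"P({node}) = {probability(node, p):.3e}")
    for cs in minimal_cut_sets():
        print(len(cs), sorted(cs))
```

The tree yields four minimal cut sets, one per input of the "or" gate under Cockpit Confusion, and the smallest still needs 11 basic events at once, so the model contains no single point of failure.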

10. Description of the Tree Fault Analysis applied to the accident of the AF447

In order to apply this method to the accident of Air France 447, we decided to prioritize the most important contributors which, from our point of view, led to the accident of this aircraft. Firstly, we chose 3 main facts which trigger the fatal top event. These 3 facts are:

• Obstruction of Pitot Tubes
• Cockpit Confusion
• Sustained Stall

Obstruction of Pitot Tubes

This is the first fact that we identified as fundamental, because it is supposed to be the first cause of the rest of the consequences. The obstruction occurred because the aircraft was flying at FL350 with an outside temperature under -40ºC, a condition which, added to freezing cores, causes the appearance of the phenomenon of Ice Crystals. This phenomenon obstructs the Pitot Tubes and, nowadays, researchers are seeking a new invention that defrosts these Ice Crystals. We have used the “and” gate in order to represent that it was necessary to join the two conditions to contribute to the appearance of the Ice Crystals.

Cockpit Confusion

Here we have used an “or” gate for the confusion produced in the cockpit because, although the four items under the “or” gate took place in the accident, any of the items would have induced the situation of confusion. These four items are:

• Loss of reliable airspeed information: this is one of the main reasons which drove the crew to get involved in a critical situation.
• Autopilot Disengaged
• Excessive control inputs
• Night and ITCZ: the meteorology and the flight in this area were determinant in provoking the accident.

Loss of reliable airspeed information

In this part of our tree, we have selected some items which could have reduced the likelihood of the problems which the loss of reliable airspeed information induces. Amongst others, in reference to the final report, we have chosen:

• Lack of link between indicated airspeed and procedure
• Lack of training flying NIC
• Lack of a clear display of airspeed inconsistencies

Autopilot Disengaged

Under this level, the 3 items we have chosen are:

• Captain was not flying: it was quite unusual that, if they knew that they were going to overfly an ITCZ, the captain was not flying at that moment.
• Wrong task-sharing between co-pilots: this is one of the points where human factors are very important. The relationship between the PF and the PNF should always be synergistic, because if nobody takes control of the airplane, the instructions and the decisions between the pilots can be contradictory. Beneath this level, we have added an “and” gate including two more contributors: the incomprehension of the situation and the startle effect. The startle effect is an emotional factor which should always be taken into account, because it is an inherent item, independent of the people who are flying.
• Activation Alternate Law

Excessive input controls

Regarding this fact, which we have collected from the text “Sustained Stall”, we have prioritized 3 of the controls which are necessary to fly the aircraft but may have confused the crew because they are very numerous. They are:

• Erroneous airspeed information: if the anemometer can’t display a correct airspeed, it shouldn’t show an incorrect one, because the pilots are used to looking at the IAS at any time.
• ECAM messages: the order in which the ECAM messages appeared on the display screen may have increased the confusion.

• Excessive Warnings: this point could also increase the stressful situation.

Sustained Stall

Under this level, we have used an “and” gate with 4 more items which influenced the sustained stall:

• Failure to identify aural warning
• Any Visual Information: it is worth noting that if they had been able to see some external points as reference points, they would have solved the situation.
• Confusion with overspeed situation
• Flight Director Indications

Failure to identify aural warning

The failure to identify the aural warning of getting into a stall situation might have been induced by a low level of training. We should remark that training is essential to cope with any flying situation. They could have had more training in fields like:

• Low training stall phenomena
• Low training stall warnings
• Low training buffet

Confusion with overspeed situation

Because of this confusion with an overspeed situation, they decided to:

• Decrease Thrust to idle
• Increase the Nose-up position

Flight Director Indications

This is the last part of our tree, in which the FDI induces the pilots to:

• Identify the deviation from flight path late
• And, added to the previous one, the insufficient correction of deviation from flight path

Bibliography

• Air France 447 – Final Report
• Aerosafety World – August 2012
• Document “Engelamiento” (Icing) - Head of the Aeronautical Meteorology Department of the DGSMN.
• NASA (2002). Fault Tree Handbook with Aerospace Applications. National Aeronautics and Space Administration.