Tuesday, 18 December 2012
Degree in Air Transport Management and Operations
Universidad Politécnica de Madrid
Aviation Safety
Prepared by:
David García Luque
Francisco Arias Virseda
Ricardo A. Hernández D.
Aviation Safety - AF447 Tree Fault Analysis
Index
1. INTRODUCTION
2. FACTUAL INFORMATION
   History of Flight
   Killed and Injured
   Damage to Aircraft
   Other Damage
   Personnel information
   Aircraft information
   Meteorological situation
   Aids to Navigation
   Telecommunications
   Aerodrome Information
   Flight Recorders
   Wreckage and Impact Information
   Fire
3. FAULT TREE ANALYSIS
4. CONCLUSIONS
5. Tree Fault Analysis (general view)
6. Tree Fault Analysis (Obstruction Pitot Tubes)
7. Tree Fault Analysis (Cockpit Confusion)
8. Tree Fault Analysis (sustained stall)
9. Description of the Tree Fault Analysis applied to the accident of the AF447
   Obstruction of Pitot Tubes
   Cockpit Confusion
      Loss of reliable airspeed information
      Autopilot Disengaged
      Excessive input controls
   Sustained Stall
      Failure to identify aural warning
      Confusion with overspeed situation
      Flight Director Indications
1. INTRODUCTION
The Airbus A330 flight AF447 took off from Rio de Janeiro bound for Paris on 31 May 2009.
The sequence of events in the accident is the following:
• The Captain left the cockpit at around 2 h 02.
• The crew made a course change of 12 degrees to the left at around 2 h 08.
• Some automatic systems disconnected and the speed indications were incorrect at 2 h 10 min 05.
• The Captain rejoined the crew at 2 h 11 min 35. At that moment, the airplane was in a stall situation.
• The airplane impacted the sea at 2 h 14 min 28.
2. FACTUAL INFORMATION
History of Flight
Date of accident: 1st June 2009 at 2h 14 min 28s
Aircraft: Airbus A330-203
Site of accident: At reference 3º03’57’’ N, 30º33’42’’W, near the TASIL point, in international waters, Atlantic Ocean
Owner and Operator: Air France
Operator: Air France
Type of flight: International public transport of passengers. Scheduled flight AF 447
Persons on board: Flight crew: 3, Cabin crew: 9, Passengers: 216
Killed and Injured
Fatal injuries Crew Members: 12 Passengers: 216
Damage to Aircraft
The airplane was destroyed.
Other Damage
Not applicable.
Personnel information
The crew possessed the licenses and ratings required to undertake the flight.
Aircraft information
Air France had owned the aircraft since April 2005. It had been delivered new.
Meteorological situation
The general conditions and the position of the ITCZ over the Atlantic were normal for the
month of June. Cumulonimbus clusters were present.
Aids to Navigation
The GNSS is the only navigation aid near the TASIL point.
At the time of the event, the GPS constellation gave the required navigation precision on the
route.
Telecommunications
Flight AF 447 was under radar control from departure from Rio de Janeiro airport to the INTOL
waypoint, and under radar coverage up to the SALPU waypoint. After this point, AF
447 was under en-route control (via a flight progress strip).
Aerodrome Information
The support aerodromes for this ETOPS 120 minute flight were: Natal (Brazil) and Sal Amilcar
(Cape Verde).
Flight Recorders
The aeroplane was equipped with two flight recorders.
Wreckage and Impact Information
The French and Brazilian navies found debris belonging to the aeroplane from 6 June onwards.
About 1000 pieces of the plane were found.
Fire
There was no evidence of fire or explosion.
3. FAULT TREE ANALYSIS
Fault Tree Analysis (FTA) is a logical and probabilistic technique used in system reliability
assessment.
The Fault Tree Approach
The fault tree is a graphic model of faults that will result in the occurrence of the predefined
undesired event. It is a qualitative model that can be evaluated quantitatively.
The faults can be events that are associated with component hardware failures, human
errors, software errors, or any other events which can lead to the undesired event.
FTA doesn’t include all possible system failures or all possible causes for system failure. The
fault tree includes only those faults that contribute to the top event.
A fault tree is composed of “gates” that serve to permit or inhibit the passage of fault logic
up the tree.
The gates show the relationships of events needed for the occurrence of a “higher” event.
The “higher” event is the output of the gate; the “lower” events are the “inputs” to the gate.
The gate symbol denotes the type of relationship of the input events required for the output
event.
The probability of occurrence of the AND gate fault event is:
The probability of occurrence of the OR gate fault event is:
4. CONCLUSIONS
The ice crystals phenomenon was known but misunderstood at the time of the accident. Its
occurrence during cruise surprised the pilots of flight AF 447.
After the data inputs became inconsistent because the Pitot probes were blocked, the crew
members decided to disconnect the autopilot. They didn’t understand the situation and
cooperation between crew members was poor. That led to a total loss of cognitive control of the
situation.
They didn’t understand the airplane was in a sustained stall, although there were signs of it.
Consequently, they didn’t apply a recovery manoeuvre and the aircraft ended up crashing into the sea.
5. Tree Fault Analysis (general view):
[Figure: fault tree with top event "Accident AF447" and three branches: Obstruction of Pitot Tubes (Formation Ice Crystals); Cockpit Confusion (Loss of reliable airspeed information, Autopilot Disengaged, Excessive Control Inputs, Night and ITCZ); Sustained Stall (Failure to identify aural warning, Any Visual Information, Confusion with Overspeed Situation, Flight Director Indications).]
6. Tree Fault Analysis (Obstruction Pitot Tubes):
[Figure: Obstruction Pitot Tubes, caused by Formation Ice Crystals, which requires Freezing Cores and Temperature <40ºC.]
7. Tree Fault Analysis (Cockpit Confusion):
[Figure: Cockpit Confusion with four inputs: Loss of Reliable airspeed Information (Lack of link between indicated airspeed and procedure, Lack of training flying NIC, Lack of a clear display of airspeed inconsistencies); Autopilot Disengaged (Captain was not flying, Wrong task sharing between co-pilots [Incomprehension of the situation, Startle effect: Emotional Factor], Activation Alternate Law); Excessive Input Controls (Erroneous airspeed information, ECAM Messages, Excessive Warnings); Night and ITCZ.]
8. Tree Fault Analysis (sustained stall):
[Figure: Sustained Stall with four inputs: Failure to identify aural warning (Low Training stall phenomena, Low training stall warnings, Low training Buffet); Any Visual Information; Confusion with overspeed situation (Thrust to Idle, Nose-Up Position); Flight Director Indications (Late Identification of deviation from flight path, Insufficient correction of deviation from flight path).]
9. Likelihood
P(Accident AF447) = P(1) * P(2) * P(3)
• P(1) = P(1A) = P(1A1) * P(1A2):
  Obstruction of Pitot Tubes 1
    Formation Ice Crystals 1A
      Freezing Cores 1A1
      Temperature <40ºC 1A2
• P(2) = 1 - [1 - P(2A)] * [1 - P(2B)] * [1 - P(2C)] * [1 - P(2D)]:
  P(2A) = P(2A1) * P(2A2) * P(2A3)
  P(2B) = P(2B1) * P(2B2) * P(2B3)
  P(2B2) = P(2B2A) * P(2B2B)
  P(2C) = P(2C1) * P(2C2) * P(2C3)
  Cockpit Confusion 2
    Loss of reliable airspeed information 2A
      Lack of link between indicated airspeed and procedure 2A1
      Lack of training flying NIC 2A2
      Lack of clear display of airspeed inconsistencies 2A3
    Autopilot Disengaged 2B
      Captain was not flying 2B1
      Wrong task sharing… 2B2
        Incomprehension of the situation 2B2A
        Startle effect: Emotional Factor 2B2B
      Activation Alternate Law 2B3
    Excessive Control Inputs 2C
      Erroneous airspeed information 2C1
      ECAM Messages 2C2
      Excessive Warnings 2C3
    Night and ITCZ 2D
• P(3) = P(3A) * P(3B) * P(3C) * P(3D):
  P(3A) = P(3A1) * P(3A2) * P(3A3)
  P(3C) = P(3C1) * P(3C2)
  P(3D) = P(3D1) * P(3D2)
  Sustained Stall 3
    Failure to identify aural warning 3A
      Low Training stall phenomena 3A1
      Low training stall warnings 3A2
      Low training Buffet 3A3
    Any Visual Information 3B
    Confusion with Overspeed Situation 3C
      Thrust to Idle 3C1
      Nose-Up Position 3C2
    Flight Director Indications 3D
      Late Identification of deviation from flight path 3D1
      Insufficient correction of deviation from flight path 3D2
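The gate logic introduced in section 3 and applied to the node codes of this Likelihood section can be evaluated mechanically. The following is an added example, not part of the original report: it encodes the tree with the gate types the report describes, computes the top-event probability, and lists the cut sets. It assumes independent basic events (AND = product, OR = 1 minus the product of complements), and the 0.5 probabilities are constructed placeholders, not values from the report.

```python
from math import prod

# Gate structure transcribed from the Likelihood section above.
# Codes that are not keys of TREE are basic events.
TREE = {
    "TOP": ("AND", ["1", "2", "3"]),            # Accident AF447
    "1":   ("AND", ["1A"]),                     # Obstruction of Pitot Tubes
    "1A":  ("AND", ["1A1", "1A2"]),             # Formation Ice Crystals
    "2":   ("OR",  ["2A", "2B", "2C", "2D"]),   # Cockpit Confusion
    "2A":  ("AND", ["2A1", "2A2", "2A3"]),
    "2B":  ("AND", ["2B1", "2B2", "2B3"]),
    "2B2": ("AND", ["2B2A", "2B2B"]),
    "2C":  ("AND", ["2C1", "2C2", "2C3"]),
    "3":   ("AND", ["3A", "3B", "3C", "3D"]),   # Sustained Stall
    "3A":  ("AND", ["3A1", "3A2", "3A3"]),
    "3C":  ("AND", ["3C1", "3C2"]),
    "3D":  ("AND", ["3D1", "3D2"]),
}

def basic_events(node="TOP"):
    """Leaf codes under `node`, in tree order."""
    if node not in TREE:
        return [node]
    return [leaf for child in TREE[node][1] for leaf in basic_events(child)]

def probability(node, p):
    """Probability of `node` from basic-event probabilities `p` (independence assumed)."""
    if node not in TREE:
        return p[node]
    gate, children = TREE[node]
    probs = [probability(child, p) for child in children]
    if gate == "AND":
        return prod(probs)
    return 1.0 - prod(1.0 - q for q in probs)   # OR: at least one input occurs

def cut_sets(node="TOP"):
    """Sets of basic events that together cause `node`.
    Each basic event appears once in this tree, so the sets are already minimal."""
    if node not in TREE:
        return [frozenset([node])]
    gate, children = TREE[node]
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":
        return [s for sets in child_sets for s in sets]
    combined = [frozenset()]
    for sets in child_sets:                     # AND: one cut set from every input
        combined = [a | b for a in combined for b in sets]
    return combined

def common_events():
    """Basic events present in every cut set: removing any one blocks the top event."""
    return frozenset.intersection(*cut_sets())

if __name__ == "__main__":
    # Constructed placeholder value, NOT taken from the report.
    p = {event: 0.5 for event in basic_events()}
    print("P(TOP) =", probability("TOP", p))
    for cs in sorted(cut_sets(), key=len):
        print(len(cs), sorted(cs))
    print("in every cut set:", sorted(common_events()))
```

Because the only OR gate is Cockpit Confusion, the tree has exactly four cut sets, one per confusion branch, and every Pitot and stall basic event appears in all of them.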
10. Description of the Tree Fault Analysis applied to the accident of the AF447
In order to apply this method to the accident of the Air France 447, we decided to prioritize
the most important contributors which, from our point of view, led to the accident of this
aircraft. Firstly, we have chosen 3 main facts which trigger the fatal top event. These 3 facts
are:
• Obstruction of Pitot Tubes
• Cockpit Confusion
• Sustained Stall
Obstruction of Pitot Tubes
This is the first fact, and we considered it essential because it is supposed to be the first
cause of the rest of the consequences. The obstruction occurs because the aircraft was flying
at FL350 with an outside temperature under -40ºC, a condition which, added to freezing cores,
causes the appearance of the phenomenon of Ice Crystals. This phenomenon obstructs the Pitot
Tubes, and nowadays researchers are seeking a new invention that defrosts these Ice Crystals.
We have used the “and” gate in order to represent that it was necessary to join the two
conditions to contribute to the appearance of the Ice Crystals.
Cockpit Confusion
This time, we have used an “or” gate for the confusion produced in the cockpit because,
although the four items under the “or” gate took place in the accident, any of the items would
have induced the situation of confusion. These four items are:
• Loss of reliable airspeed information: this is one of the main reasons which drive the
crew to get involved in a critical situation.
• Autopilot Disengaged
• Excessive control inputs
• Night and ITCZ: the meteorology and the flight in this area were decisive in
provoking the accident.
Loss of reliable airspeed information
In this part of our tree, we have selected some items which could have reduced the
likelihood of the problems which the loss of reliable airspeed information induces. Amongst
others, in reference to the final report, we have chosen:
• Lack of link between indicated airspeed and procedure
• Lack of training flying NIC
• Lack of a clear display of airspeed inconsistencies
Autopilot Disengaged
Under this level, the 3 items we have chosen are:
• Captain was not flying: it was quite unusual that, if they knew that they were going to
overfly an ITCZ, the captain was not flying at that moment.
• Wrong task-sharing between co-pilots: this is one of the points where human factors
are very important. The relationship between the PF and the PNF should always be
synergistic, because if nobody takes control of the airplane, the instructions and
the decisions between the pilots can be contradictory. Beneath this level, we have
added an “and” gate including two more contributors: the incomprehension of the
situation and the startle effect. The startle effect is an emotional factor which should
always be taken into account, because it is an inherent item independent of the people
who are flying.
• Activation Alternate Law
Excessive input controls
Regarding this fact, which we have collected from the text “Sustained Stall”, we have prioritized 3
of the controls which are necessary to fly the aircraft but may have confused the crew
because they are very numerous. They are:
• Erroneous airspeed information: if the anemometer can't display a correct airspeed, it
shouldn't show an incorrect one, because the pilots are used to looking at the
IAS at any time.
• ECAM messages: the order in which the ECAM messages appeared on
the display screen may have increased the confusion.
• Excessive Warnings: this point could also increase the stressful situation.
Sustained Stall
Under this level, we have used an “and” gate with 4 more items which influenced the
sustained stall:
• Failure to identify aural warning
• Any Visual Information: it is worth noting that if they had been able to see some
external points as reference points, they would have solved the situation.
• Confusion with overspeed situation
• Flight Director Indications
Failure to identify aural warning
The failure to identify the aural warning of getting into a stall situation might have been
induced by low training. We should remark that training is essential to cope with any
flying situation. They could have had more training in fields like:
• Low training stall phenomena
• Low training stall warnings
• Low training buffet
Confusion with overspeed situation
Because of this confusion with an overspeed situation, they decided to:
• Decrease Thrust to idle
• Increase the Nose-up position
Flight Director Indications
This is the last part of our tree, in which the FDI induces the pilots to:
• Identify late the deviation from flight path
• And added to the previous one, the insufficient correction of deviation from flight
path
Bibliography
• Air France 447 – Final Report
• Aerosafety World – August 2012
• Document “Engelamiento” - Head of the Aeronautical Meteorology Department of the DGSMN.
• NASA (2002). Fault Tree Handbook with Aerospace Applications. National Aeronautics and Space Administration.