Michael Höhl and Peter Ladkin

Article RVS-Occ-97-09

8 September 1997


Abstract: We analyse the final report of the 1993 Lufthansa A320 accident in Warsaw using the WB-Graph method, and conclude that some fundamental causal factors are missing from the report's conclusions, although mentioned in the body of the report.


The Background

On 14 September 1993, a Lufthansa Airbus A320 landed at Warsaw airport in a thunderstorm. Upon landing, none of the braking systems (air brakes, thrust reverse, wheel brakes) functioned for about nine seconds: the wheel brakes only started to function after about thirteen seconds. The aircraft ran off the end of the runway, collided with an earth bank and started to burn. Primarily because of the superb behavior of the crew, only two people died: one pilot, who died when the aircraft hit the bank, and one passenger, who was unconscious in the front corner and unnoticed in the evacuation as the cabin filled with smoke, and was asphyxiated. It became clear that the logic of the braking systems was indeed a reason why the braking systems hadn't functioned as expected. However, many commentators focused upon this factor as the main cause of the accident, which is probably incorrect. There were many other necessary causal factors (1). The final report itself ascribed pilot decisions and behavior as `probable cause'. But what criteria are being used to determine this? The final report and commentary may be found in (LadCOMP, The A320 Accident in Warsaw) , We analyse this report here using the WB-Method.

The Narrative

The first author analysed the text of the report to pick out the relevant states and events concerning the accident. The report yielded the following, which we call the narrative. The report pages on which the assertions are to be found are included:

Analysis of the Narrative

It should be clear that some assertions in the narrative are conjunctions of many events and states, and also causal assertions. We separated the events and states, and also considered the causal assertions, to obtain the textual form of the WB-Graph below.

The WB-Graph of the Accident from the Report

We have found (GeLa97) that two steps are helpful in constructing the WB-Graph: The decisions to be made to turn the narrative of events and states into a WB-graph (textual form) are simply the decisions as to which events and states are causal factors for which other events and states. We make these decisions using the Lewis semantics for causal factors (see the Appendix ) and proceeding via a backwards-chronological lazy search (to use big words). Accordingly, we start with the accident event (defined standardly as significant damage to the aircraft, or serious injury or loss of life) and ask which events and states were causal factors.

The Textual Form of the WB-Graph

The textual form of the graph was prepared as in our previous application to the Cali accident (GeLa97). We refer the reader to this paper also for an explanation and discussion of the WB-Method in more detail.

The textual form is as follows:

WHY     BECAUSE          DESCRIPTION

[0]                      accident
    /\ [1]               death of 1st person
    /\ [2]               death of 2nd person
    /\ [3]               damage to AC

[1] [3.1]                (AC hits earth bank)

[2] [-.1]                asphyxiation

  [2.1] /\ <-.1>         smoke in cabin
        /\ [-.2]         remained in cabin

    <2.1.1> [3.2]        (AC burns)
    [2.1.2] /\ <-.1>     unconsciousness
            /\ [<-.2>]   unnoticed during evacuation

      <2.1.2.1> [3.1]    (AC hits earth bank)
      [<2.1.2.2>] [<-.1>] motionless, noiseless, postion, smoke in cabin,
                          time pressure, etc. 

[3] /\ [-.1]             AC hits earth bank
    /\ <-.2>             AC burns

  [3.1] /\ [-.1]         AC overruns RWY
        /\ <-.2>         earth bank in overrun path

    [3.1.1] /\ [<-.1>]   certain cause: excessive speed on landing
            /\ <-.2>     certain cause: unstabilised approach
            /\ [<-.3>]   certain cause: braking delayed

      [<3.1.1.1>] [<-.1>]  CRW's actions in expectation of windshear

        [<3.1.1.1.1>] /\ <-.1>   CRW's decisions in expectation of windshear
                      /\ [<-.2>] CRW's conformance with recommended
                                 procedures in case of windshear

          <3.1.1.1.1.1> /\ <-.1> prevailing weather conditions
                        /\ [-.2] report of windshear from preceding AC
                        /\ [-.3] wind report from tower
                        /\ <-.4> CRW's belief that report was current
                        /\ [-.5] CRW's comparison of tower's wind report
                                 with their measured groundspeed on approach

            <3.1.1.1.1.1.1> <-.1> front was passing through
            [3.1.1.1.1.1.3] [<-.1>] weather reporting system
            <3.1.1.1.1.1.4> /\ <-.1> CRW's assumption
                            /\ <-.2> no ATC advice given on currency of report

              <3.1.1.1.1.1.4.1> /\ <-.1> usual arrangement at European airport
                                /\ ???<-.2>??? expectation of advice if
                                               procedure not usual

            [3.1.1.1.1.1.5] [<3.1.1.1.1.2>] (CRW's conformance)

      <3.1.1.2> <-.1>    CRW's actions                        (Action Failure)
      [<3.1.1.3>] /\ [<-.1>] potential cause: wheel braking delayed
                  /\ [<-.2>] potential cause: speed brakes and thrust reverser
                                              deployment delayed

        [<3.1.1.3.1>] [<-.1>] aquaplaning

          [<3.1.1.3.1.1>] /\ <-.1> RWY very wet
                          /\ [<3.1.1.1>] (speed of AC)
                          /\ <-.3> low weight on each main gear wheel

            <3.1.1.3.1.1.1> /\ <-.1> weather conditions
                            /\ <-.2> amount of water on RWY surface
                            /\ <-.3> condition of RWY surface

              <3.1.1.3.1.1.3> [<3.1.1.1>] (speed of AC)

        [<3.1.1.3.2>] /\ <3.1.1.3.1.1.3> (low weight on main gear wheel)
                      /\ <-.2> braking system's logical design
                      /\ <-.3> divergence between consequences of design and
                               behaviour expected by CRW
                      /\ [-.4] actual landing

          <3.1.1.3.2.3> <-.1> behavior expected by CRW

            <3.1.1.3.2.3.1> /\ <-.1> `normal' behavior expected by CRW
                            /\ ???<-.2>??? CRW's training at Lufthansa
                            /\ ???<-.3>??? Lufthansa procedures

          [3.1.1.3.2.4] [<3.1.1.1.1>] (CRW's actions)

    <3.1.2> [<-.1>]   built by airport authority for radio equipment

  <3.2> [3.1]

Glossary: AC  Aircraft
          CRW Crew
          RWY Runway

The WB-Graph and its Semi-Components

We call a part of a graph a semi-component if its `connection' to the rest of the graph passes only through `narrow' connections. This is a visual judgement rather than a mathematical definition. We anticipate that the reader will be able to see from the whole graph and our division into three semi-components exactly how we use the concept.

The first author used the dot graph-drawing tool to produce the WB-Graphs. The tool enabled us easily to divide the complete graph into three readable semi-components, and color the `connecting nodes' of these semi-components to make them easily identifiable across semi-component diagrams.

The overall structure of the WB-graph for this accident is Figure 1 (gzipped Postscript, 7K).

We observe that this graph can be broken down into three main sections along the `bottlenecks'. The `top' section is Figure 2 (gzipped Postscript, 3.5K). (The other two components are Figure 3 (gzipped Postscript, 4K) and Figure 4 (gzipped Postscript, 3.5K): the nodes that `join' two of these almost-components are included in both relevant figures.)

One can immediately observe from Figure 2 that node 3.1.2: earth bank in overrun path is a causally-necessary node: hitting the bank was a cause of the damage and fire; the hit directly killed one person and rendered the other unconscious and therefore unable to participate in the evacuation. The node is caused only by node 3.1.2.1: built by airport authority for radio equipment. This node in turn is not caused by any other event or state in the sequence. It is therefore to be counted amongst the `original causes' of the accident, according to the WB-graph method. However, it does not appear amongst the `probable causes' or `contributing factors' of the final report. We have therefore found a reasoning mistake in the report. It is not the only such node of which this is true.

The Source Nodes

The source nodes (nodes that are causal factors of others, but themselves are not regarded as having significant causal factors) are:
 [<2.1.2.2>]+            unnoticed during evacuation (for many reasons)
 [<3.1.1.1.1.2>]         CRW's conformance with recommended procedures in case
                           of windshear
 [3.1.1.1.1.1.2]         report of windshear from preceding AC
 <3.1.1.1.1.1.1.1>       front was passing through
 [<3.1.1.1.1.1.3.1>]     weather reporting system
 <3.1.1.1.1.1.4.2>       no ATC advice given on currency of report
 <3.1.1.1.1.1.4.1.1>     usual (reporting) arrangement at European airport
 <3.1.1.1.1.1.4.1.2>???  expectation of advice if (weather reporting) 
                           procedure not usual
 <3.1.1.2.1>             CRW's actions (handling on approach) (Action Failure)
 <3.1.1.3.1.1.1.2>       amount of water on RWY surface
 <3.1.1.3.1.1.1.3>       condition of RWY surface
 <3.1.1.3.2.2>           braking system's logical design
 <3.1.1.3.2.3.1.1>       `normal' behavior expected by CRW
 <3.1.1.3.2.3.1.2>????   CRW's training at Lufthansa
 <3.1.1.3.2.3.1.3>????   Lufthansa procedures
 [<3.1.2.1>] earth bank  built by airport authority for radio equipment

We consider them in turn.

There are two fundamental causes which appear in our analysis that were not dealt with in depth by the report, and which were thus not subject to recommendations from the accident investigation committee. We consider that failure to include those two causes amongst the contributing factors (at least) is simply a mistake in reasoning, given that they were noted in the body of the report. We note that these two causes were two out of three fundamental causes (according to our WB-Method) that were under the administrative control of the Polish authorities, who are also responsible for the report. In other work (GeLa97), we have noted another case in which fundamental causes (according to the WB-Method) under administrative control of the government responsible for the accident investigation seem to have been omitted from the list of contributory factors. We draw no further conclusions from this feature, simply note that it seems to have occurred twice so far in our studies.

Conclusions

Considering the Warsaw report as an example has shown how the WB-method renders reasoning rigorous, and enables the true original causal factors to be identified from amongst all the causally-relevant states and events.

What is the consequence of the rigorous reasoning employed in the WB-Method? We have been able to identify two fundamental causes (source nodes in the WB-graph) which occurred in the report but were omitted as `probable cause' or `contributing factors': the position of the earth bank, and the runway surfacing. Once we have identified the position of the earth bank as an original causal factor, we know that had the bank not been where it is, the accident that happened would not have happened. (It is, of course, possible that the aircraft could have broken up and burned for some other reason - whether that was likely can be left to the experts to decide, but it's certainly not as likely as in the case where there's something there to hit!) Therefore, one could consider repositioning the bank in order to avoid a repeat. However, this was not considered or recommended in the report, we suppose because the position of the bank was not considered to be a causally-essential feature in the report. Thus, in the absence of rigorous reasoning, one runs the risk of a limited, and thus inoptimal, set of choices as to how to proceed in the future to avoid similar problems. In an ideal situation, we would think that action could be taken to compare the positioning of the bank and the condition of the runway surface with norms in Western Europe and the US, for example, where aviation is most highly developed, and to initiate supplemental advisories, procedures, or a change in conditions themselves.

So, even though press and media opinion may focus on the automated systems of the accident aircraft, or on pilot `error', it is also true that had the aircraft had a free `overrun area' at the end of the runway in which to slow down, the accident could have been a mere incident: unfortunate but not deadly. Also, had the runway surfacing been otherwise, the wheel braking systems could have functioned earlier and perhaps the collision with the bank ameliorated or avoided. In a valid account of the accident, these mundane features identified as fundamental causes by the WB-Method must be noted as causal factors along with pilot and airplane behavior.

Footnotes

(1): The observation that in causal explanation not just one `probable cause', but normally many causal factors explain the occurrence of an event, and that one cannot distinguish between `more necessary' and `less necessary' factors, is often attributed to John Stuart Mill; for example, as quoted by Steward (Ste97, p214):

It is usually between a consequent and the sum of several antecedents; the concurrence of them all being requisite to produce, that is, to be certain of being followed by the consequent. In such cases it is very common to single out only one of the antecedents under the denomination of Cause, calling the others merely Conditions....The real Cause is the whole of these antecedents; and we have, philosophically speaking, no right to give the name of causes to one of them exclusively of the others. (Mil43, p214).
Back to text

(2): This accident was particularly poignant for computer scientists because Paris Kanellakis of Brown University was killed in the crash with his family.

References

(GeLa97): T. Gerdsmeier, P. B. Ladkin and K. Loer, Analysing the Cali Accident With a WB-Graph, at http://www.rvs.uni-bielefeld.de Publications, January 1997. Also to appear in the Proceedings of the Glasgow Workshop on Human Error and Systems Development, March 1997. Back

(GeLa97a): Thorsten Gerdsmeier, Michael Höhl, Peter Ladkin, Karsten Loer, How Aircraft Crash: Accident Reports and Causal Explanation, Article RVS-J-97-02, at http://www.rvs.uni-bielefeld.de Publications (Electronic Journalism), June 1997. Prepared for the Magazine Forschung an der Universität Bielefeld volume 16, University of Bielefeld, 1997 (in German). Back

(LadCOMP): Peter B. Ladkin, ed., Computer-Related Incidents with Commercial Aircraft, compendium of accident reports, commentary and discussion, at http://www.rvs.uni-bielefeld.de Back

(Lew73): David Lewis, Causation, Journal of Philosophy 70, 1973, 556-567. Also in (SoTo93), 193-204. Back

(Lew86): David Lewis, Causal Explanation, in Philosophical Papers, ii, Oxford University Press, 1986, 214-240. Also in (Rub93), 182-206. Back

(Mil43): John Stuart Mill, A System of Logic, 8th edn., 1843; London: Longmans, 1873. Quoted in (Ste97, p214). Back

(PaLa97): E. A. Palmer and P. B. Ladkin, Analysing An `Oops' Incident, in progress, will be available from http://www.rvs.uni-bielefeld.de

(Rub93): David-Hillel Ruben, ed., Explanation, Oxford Readings in Philosophy Series, Oxford University Press, 1993. Back

(SoTo93): Ernest Sosa and Michael Tooley, eds., Causation, Oxford Readings in Philosophy Series, Oxford University Press, 1993. Back

(Ste97): Helen Steward, The Ontology of Mind: Events, States and Processes, Oxford, Clarendon Press, 1997. Back

Appendix: The Logical Semantics of Causal Explanation

[This Appendix is taken verbatim from (GeLa97a)]

The WB-Graph method is based on a formal semantics for causality introduced by the philosophical logician David Lewis of Princeton University (Lew73, Lew86).

Roughly speaking, the semantics of Lewis for the assertion that A is a causal factor of B, in which A, respectively B, is either an event or state, is that in the nearest possible world in which A did not happen, neither did B. This relies on a notion from formal semantics of `possible world', best illustrated by example. Suppose my office door is open. But it could have been shut. A semanticist can now say: in another possible world, it is shut. A possible world is a way of talking about things that could happen, but didn't. But what about `near' possible worlds? The `nearest' possible world in which my door is shut is one in which my door is shut, air currents around it behave appropriately, sound through it is muffled as it should be, but broadly speaking everything else remains the same. A further-away world would be one in which someone else who is not me is sitting here typing, and an even further-away world is one in which this whole environment is situated in Ghana rather than Germany.

Now, suppose my door shuts. What caused it to shut? I was pushing it shut. The air was still, there was no draft, the only thing moving was the door and it was moving because I was pushing it shut. Intuitively, my actions caused the door to shut. How do I know this from the formal semantics? In the nearest possible world in which I didn't push the door, did the door shut? We have already supposed that nothing else was moving, no air drafts, no other person in the vicinity, so in the nearest world these would also be the case. It could be that all the molecules in the door moved the same way at the same time, so the door spontaneously shut - but this situation is so highly improbable as to be almost unthinkable, so could it be really the nearest such world? No. In the nearest world, everything behaved the same way, except that I didn't push the door. So it didn't shut. So according to my formal semantics, my action caused the door to shut.

This formal semantical test is particularly important in circumstances in which many causal factors conjoin to make something happen, which is by far the most usual case. The simple semantics asks a question of two events, or states, at a time, and by asking the question systematically of all pairs, pair by pair, a complex WB-graph may be systematically built.

Back to Text