Computer-Related Incidents with Commercial Aircraft

Tu154M and B757, midair collision, near Überlingen, Lake Constance, Germany, July 2002

1 July 2002

Synopsis

Two aircraft were transiting German airspace near its southern border, under control of Zürich ATC in Switzerland. Bashkirian Airlines Tu154M was flying at Flight Level 360 east to west; a DHL cargo B757 at the same Flight Level from south to north. The night was clear. They were the only aircraft in that air traffic control sector in upper-level airspace, talking to the same controller. Both were equipped with the TCAS collision-avoidance system. They even saw each other. And they hit each other. How could that happen?

The Swiss Skyguide company was faulted extensively by the Final Report (the Appendices are Appendix 1 and Appendix 2). Not only was the controller alone when he shouldn't have been, but the Short Term Conflict Alert early-warning system was not functioning, and controllers at Germany's Karlsruhe Center, who noticed the two aircraft converging, were unable to communicate with the controller via the usual telephone link. The controller was working two physically-separated positions, some meters apart, and was trying to sort out an aircraft in lower-level airspace that was having trouble finding an airport. The controller noticed the conflict before the required 7-statute-mile lateral separation between the aircraft was violated, but too late to issue instructions that would avoid loss of this separation. He instructed Bashkirian to descend, which the Tupolev did. DHL also descended, according to its TCAS Resolution Advisory (RA). The copilot was indisposed at the time, so the captain flew the RA manoeuvre alone. Bashkirian received a climb RA, but the captain had already instructed the flying pilot to descend, in conformance with the controller's instruction. The aircraft had each other in sight.

I speculated right after the accident that a misstep by the controller (whose iterated advisory to descend mentioned traffic at "2 o'clock", whereas DHL was at Bashkirian's 10 o'clock position) might have induced Bashkirian to think he was in a three-aircraft conflict, and wasn't painting the third aircraft on his TCAS display. This conjecture was confirmed by the Final Report when it was published in May 2004.

I have argued that the accident has brought to light many problems in the design and use of TCAS. My arguments have been most recently published as Causal Analysis of the ACAS/TCAS Sociotechnical System in Proceedings of the 9th Australian Workshop on Safety Related Programmable Systems, Brisbane, August 2004, volume 47 of Conferences in Research and Practice in Information Technology, ed. Tony Cant, 2005. I gave talks on this topic to the CAST Forum, Darmstadt, Germany, in May 2004 (one week after the Final Report was published), to the 9th Australian Workshop on Safety Related Programmable Systems, in Brisbane, August 2004, to the Fourth Bieleschweig Workshop on Systems Engineering, Brunswick (Braunschweig), Germany, September 2004, and to the conference on Automation, Assistance, and Embedded Real-Time Systems for Transportation (AAET), Brunswick (Braunschweig), Germany, February 2005. There is a set of slides from my talk, The Causal Analysis of Sociotechnical Systems I: The Avionics System ACAS/TCAS (PDF), Document RVS-LN-14, 24 January 2005.

For another view on TCAS, see Ed Williams's paper Airborne Collision Avoidance System, presented at the Ninth Australian Workshop on Safety-Related Programmable Systems, Brisbane, August 2004, published in CRPIT Volume 47: Safety Critical Systems and Software 2004.

Two Why-Because Analyses (WBA) of the accident have been performed. A talk was given by Jörn Stuphorn at the 5.5th Bieleschweig Workshop, the WBA and CausalML User Group meeting, in Bielefeld, June 2005, on the WBA of Stuphorn and Jan Sanders derived from the final report. Slides of the talk, Why-Because Analysis of the 2002 Lake Constance Midair Collision, are available, as are the Why-Because Graph (PDF), the List of Facts (PDF), and a Timeline (PDF) of the accident.

Christina Junge, then at the University of Applied Sciences Gelsenkirchen, presented her Diploma Thesis (in German) at the Third Bieleschweig Workshop on Systems Engineering, in Bielefeld, February 2004. She derived her information from professional contacts; the final report on the accident was not published until three months later. The analysis thus differs somewhat from that of Stuphorn and Sanders. Slides from her talk Analyse der Midair-Collision bei Überlingen (WBA) (in German) are available, as is her Why-Because Graph (Note: in Visio format!).