What is WBA?

Why-Because Analysis (WBA) is a rigorous technique for causally analysing the behaviour of complex technical and socio-technical systems. Its primary application is in the analysis of accidents, mainly to transportation systems (air, rail and sea). It is also used in the Ontological Hazard Analysis (OHA) method for safety requirements analysis during system development.

WBA is based on a rigorous notion of causal factor. Whether one event or state is a causal factor in the occurrence of another is determined by applying the Counterfactual Test. The Counterfactual Test was proposed by the philosophical logician David Lewis in 1973, who credited David Hume (1770's) and has withstood detailed philosophical criticism since. During analysis, a Why-Because Graph (WB-Graph or WBG) is built showing the causal connections between all events and states of the behaviour being analysed. The completed WB-Graph is the main output of WBA.

The WB-Graph provides a rigorous causal explanation of the behaviour being analysed. However, mistakes may be made in constructing the WB-Graph, as with any human activity. To detect such mistakes, WBA provides a formal proof method which can be used to check whether the WB-Graph is correct and relatively complete. The formal proof method is based on the logic EL, a multi-modal logic based inter alia on Lamport's TLA and Lewis's Causal Logic. Most users of WBA do not feel the need to check their WB-Graphs using the formal proof procedures, but for those who do, it is there. WBA is the only accident analysis method with such a formal consistency/completeness check.

Introductions to WBA

• One Page Introduction to WBA [PDF], also available in German [PDF]
• Causalis on the Friendly Fire Incident [PDF]
• Chapter 4 of Digital System Safety book from Peter Ladkin [HTML]
• Causal Analysis of Aircraft Accidents [PS], a Keynote Paper in SAFECOMP 2000
• A short explanation of WBA (in German) [PDF] by Causalis

Self study material

We have the WBA workbook with example cases for students of WBA. The book was co-authored by Peter Bernard Ladkin, Jan Sanders and Thilo Paul-Stueve.

WBA examples

• from RVS:
  • Aviation:
    • 1979 Chicago O'Hare: Loss of control. A DC-10 aircraft physically lost an engine on takeoff, rolled inverted and hit the ground. A partial WBA may be found in the paper Formalism Helps in Describing Accidents [PDF], Peter Ladkin and Karsten Loer in Proceedings of the 18th Digital Avionics Systems Conference, IEEE Press, 1999.
    • 1988 Habsheim, France: CFIT. An A320 aircraft performing a low, slow pass at an air show hit trees at the end of the runway, settled to the ground, and burned. The accident sequence was captured on two amateur videos. A high-level WBA of the accident is discussed in the paper Causal Analysis of Aircraft Accidents [PDF], an invited paper in Computer Safety, Reliability and Security, Proceedings of the 19th International Conference, SAFECOMP2000, Lecture Notes in Computer Science No. 1943, Springer-Verlag, Heidelberg and London, 2000.
    • 1993 Warsaw: Runway overrun and fire. A A320 aircraft landing in a thunderstorm was unable to break adequately, overrun the runway and caught fire. The accident report and its partially misleading conclusions is WB-analysed in Causal Analysis of Aircraft Accidents [PDF], an invited paper in Computer Safety, Reliability and Security, Proceedings of the 19th International Conference, SAFECOMP2000, Lecture Notes in Computer Science No. 1943, Springer-Verlag, Heidelberg and London, 2000. The original WBA by Peter Ladkin and Michael Höhl is in Analysing the 1993 Warsaw Accident with a WB-Graph [HTML]. The WB-Graph of this accident may be found at http://www.rvs-bi.de/research/WBA/WBG/.
    • 1994 Nagoya: Loss of control. An Airbus A300 aircraft about to land suddenly climbed steeply, stalled and impacted the ground tail first inside the airport boundary. The WB-Graph of this accident may be found at http://www.rvs-bi.de/research/WBA/WBG/.
    • 1994 Operation Provide Comfort, Northern Iraq: Two U.S. Army Black Hawk helicopters were shot down by two U.S. Air Force F-15 interceptor aircraft in one of the worst fratricide incidents of recent years. The sociological analysis of Col. Scott Snook of the Harvard Business School has been reproduced as a series of WB-Graphs to demonstrate a rigorous application of WBA to an incident with largely sociological causes, contrary to what Snook suggests, that a causal analysis of the incident is possible. This was presented as a talk at the 3rd Bieleschweig Workshop on System Engineering, Bielefeld, 2004. Slides [PDF], handout [PDF] are available. The invited paper Two Causal Analyses of the Black Hawk Shootdown During Operation Provide Comfort appeared in the Proceedings of the 8th Australian Workshop on Safety-Critical Software and Systems, volume 33 of Conferences in Research and Practice in Information Technology, ed. Peter Lindsay and Tony Cant, 2004.
    • 1995 Cali, Columbia: CFIT. A B757 aircraft impacted a mountain on descent at night into Cali airport. This was the first fatal accident for the B757 type. The paper Analysing the Cali Accident With a WB-Graph [HTML] was presented at the first Human Error and Systems Development Workshop (HESSD 97) in Glasgow, March 1997.
    • 1996 Puerto Plata, Dominican Republic: Loss of control. A B757 displayed confusing air data on takeoff and the pilots eventually lost control of the aircraft. The WB-Graph of the Puerto Plata accident (in German) [PDF] is available, as is a formal proof of explanatory adequacy (also in German) [PDF].
    • 2000 Donaueschingen (Blumberg): CFIT. At the end of a flight to certify the accuracy of a new instrument approach to the airport at Donaueschingen, a contractor pilot attempted to fly the approach, which was not yet approved, from memory in bad weather. His memory was not adequate, and the airplane impacted a hillside. A WB-Graph [PDF] of the accident has been prepared by Peter Ladkin.
    • 2000 Paris: Fire and loss of control. A Concorde aircraft started to burn in the vicinity of the left engines on takeoff from Paris Charles de Gaulle airport. Control was lost and the aircraft crashed. A Why-Because Analysis of the accident was prepared by Bernd Sieker for his Diploma Thesis Visualisation Concepts and Improved Software Tools for Causal System Analysis [PDF]. There are also slides available from Sieker's talk WBA and the Concorde Accident [PDF] at the first Bieleschweig Workshop on Systems Engineering, 2002.
    • 2002 Überlingen, Lake Constance: Mid-air collision. A TU-154M and a B757 freighter collided at between FL350 and FL360 on a clear night with a little traffic despite both being equipped with TCAS. The slides from the talk Why-Because Analysis of the 2002 Lake Constance Midair Collision [PDF], the Why-Because Graph [PDF], List of Facts [PDF], and a timeline [PDF] of the accident were prepared from the final report by Jörn Stuphorn and Jan Sanders and presented at the 5.5th Bieleschweig Workshop of the WBA and CausalML User Group in Bielefeld, 2005.
    • 2011, Reno, Nevada: Galloping Ghost.
      Full Bachelor Thesis from Rico Magnuci available on the publications Page.
      The Why-Because Graph [PDF,de] is available separately.
    • 2011, Bern, Switzerland: Airprox in Swiss Airspace.
      The Why-Because Graph [PDF,en] from the Bachelor Thesis of Benjamin Eichert is available.
  • Rail:
    • The rear-end collision of an interurban and an interstate train near Glenbrook, NSW, Australia, in December 1999. The paper Why-Because Analysis of the Glenbrook, NSW Rail Accident and Comparison with Hopkins's Accimap [PDF] by Peter Ladkin presents an explicit method for comparison of two WB-Graphs in course of a comparison of the Glenbrook collision. To aid the reader in following the comparison, the various graphs are reproduced in The Glenbrook Why-Because Graphs, Causal Graphs, and Accimap [PDF].
    • Derailment of the Cairns Tilt Train near Berajondo, Australia, 15 November 2004. The final report on the accident was published in October 2005 by Queensland Transport and the Australian Transport Safety Bureau. The talk The Cairns Tilt-Train Derailment in Queensland [PDF] by Peter Ladkin, given at the Bieleschweig 6.5 CausalML and WBA User Group Workshop in Dresden, November 2005, presents a Why-Because Graph of the Tilt-Train derailment [PDF] derived from the report, and makes observations on both the possible causes considered in the report and the protection systems on the line and against what they can be taken to protect.
  • Marine:
    • 1995 Rose and Crown Shoal, off Nantucket Island, USA: Grounding. The cruise ship Royal Majesty grounded in shallow water some 17 miles off course after a 30+ hour trip. Slides are available from the talk WBA of the Royal Majesty Accident [PDF], given at the Second Bieleschweig Workshop on Systems Engineering in Braunschweig, 2003. There is a paper also with the title WBA of the Royal Majesty Accident [PDF].
  • Safety of Nuclear Power Plants:
    • 1979, Three Mile Island, Pennsylvania.
      The Why-Because Graph [PDF,en] from Andrea Weber is available.
    • 1986, Chernobyl.
      The preliminary Why-Because Graph [PDF,de] from the Bachelor Thesis of Tim Schürmann is available.
    • 2011, Fukushima Daiichi.
      The Why-Because Graph [PDF,de] from the Bachelor Thesis of Hauke Kaufhold is available.
  • Computer Security:
    • 2000 Indonesia: DNS spoofing incidents. A series of incidents with the Internet Domain Name System were analysed by I Made Wiryana and Avinanta Tarigan and presented in a talk entitled Analysing DNS Incidents [PDF] at the First Bieleschweig Workshop on System Engineering, Bielefeld, 2002.
    • 2002 Bielefeld: Local area network penetration. The RVS net was penetrated by a Rumanian hacker, using a new exploit, who was observed online and attempted to delete his traces. Log files were forensically restored and the vunerability analysed, first by experience and intuition. The WB-Analysis was performed by Jan Sanders, Lars Molske and Damian Novak and presented in their talk Why-Because Analysis of a Computer Security Incident [PDF, 3.5MB] at the 5.5th Bieleschweig Workshop, the WBA and CausalML User Group meeting, Bielefeld, 2005. There is also a handout [PDF, 1.3MB) and a technical report [PDF, 3.2MB].
• from the Institute for Railway Systems Engineering and Traffic Safety (IfEV) at the Technical University of Brunswick (Braunschweig), Germany:
  • Rail:
    • 1998 Eschede, Germany: Derailment. An ICE train derailed and collided with a bridge resulting in Germany's worst rail accident ever. A WBA was performed as a student research project and is available in German. The Why-Because Graph of the Eschede Accident [PDF], by Oliver Lemke, assessing only the specific train of events after the wheel tyre detached, has 111 nodes. Contact Oliver Lemke.
    • 1999 Ladbroke Grove, England: Collision. A local train ran through a stop signal and collided with a high speed intercity train resulting in England's worst rail accident in decades. A WBA was performed by Ernesto de Stefano as a student research project. The Ladbroke Grove Why-Because Graph [PDF] has about 90 nodes, and shows clearly that up to nine different technical systems were causally involved in the accident. Contact Ernesto de Stefano at Siemens Transportation Systems.
    • 2000 Aasta, Norway: Collision. An intercity train collided head-on with another train on a signalled single track line, resulting in Norway's worst rail accident for decades. A WBA was performed as a student research project and is available in German. Contact Oliver Lemke. The WB-Graph [PDF] is available.
    • 2000 Brühl, Germany: Derailment. An intercity train derailed when passing at high speed through points at Brühl station. The maximum speed limit was less than half of the train's speed. Slides from the talk Analysis of the Brühl railway accident using Why-Because Analysis [PDF] given at the First Bieleschweig Workshop on System Engineering, Bielefeld, 2002, and a WB-Graph [PDF] of the accident are available.
    • 2003 Neufahrn, Germany: Collision. A commuter train collided with a stationary commuter train on signalled track. A paper Informeller Vergleich zweier Why-Because-Analysen (in German) [PDF] by Oliver Lemke (IfEV, T.U. Braunschweig) and Enrico Anders (Chair of Railway Signalling and Traffic Safety Systems, T.U. Dresden) compares two WB-Analyses of the Neufahrn accident in order to derive some general comparison methods for Why-Because Analyses. The example was presented at the Bieleschweig Workshop 6.5 in Dresden on 29 November, 2005. Slides from the talk Why-Because Analysis of the S-Bahn railway accident in Neufahrn [PDF] and a WB-Graph [PDF] of the accident are available.
• from the University of Applied Sciences Gelsenkirchen, Germany:
  • Air:
    • 2002 Überlingen, Germany: Mid-air collision. A TU-154M and a B757 freighter collided at between FL350 and FL360 on a clear night with a little traffic despite both being equipped with TCAS. The slides from the talk by Christina Junge Analyse der Midair-Collision bei Überlingen (WBA) (in German) [PDF] at the Third Bieleschweig Workshop on Systems Engineering, Bielefeld, 2004, the Why-Because Graph [Visio], and her Diploma Thesis (in German) [PDF] are available.
• from the Chair of Railway Signalling and Traffic Safety Systems at the Technical University of Dresden, Germany:
  • Rail:
    • 2003 Neufahrn, Germany: Collision. A commuter train collided with a stationary commuter train on signalled track. See the entry under IfEV, T.U. Braunschweig, above, for the joint Braunschweig/Dresden work on this accident.
• from Siemens Transportation Systems Rail Automation Division:
  • Marine:
    • 1986 Zeebrugge, Belgium: Capsize. The RORO ferry Herald of Free Enterprise capsized upon leaving port and entering the open sea in the worst ferry accident ever in the North Sea. Slides are available from the talk by Ernesto de Stefano Towards a hybrid approach for Incident Root Cause Analysis [PDF] at the Second Bieleschweig Workshop on Systems Engineering, Braunschweig, 2003.
• from the University of York:
  • Air:
    • 1990 Ronaldsway, Isle of Man: Landing accident. A turboprop aircraft suffered damage on landing. The 2001 Ph.D. thesis of Julia Hill, Resolving Complexity in Accident Texts Through Graphical Notations and Hypertext [PDF, 2.4MB] contains a WBA of this accident in Section 5.3, pp91-105. The history of the flight is in Appendix B, pp214-6. Appendix D, p218, shows the WB-Graph of the accident. Appendix F, p220, contains the full WB-Graph, but this does not appear to be available online.
    • n.d., RAF military incident. The same thesis of Julia Hill contains a WBA case study by a third party in Section 7.12, pp133-6.
• from members of the Australian Civil Aviation Safety Authority:
  • Air:
    • n.d., New Zealand. Turboprop landing accident. An accident to an Ansett Dash-8 aircraft was litigated in civil court and a WBA by Dmitri Zotov, now with the Australian Civil Aviation Safety Authority, helped decide the case. The WBA appears in his Ph.D. thesis submitted to Massey University, New Zealand. Contact Dmitri Zotov.