accident scenarios for an integrated aviation safety model

Accident scenarios for an integrated aviation safety model

Alfred Roelen ([email protected])

Rombout Wever

National Aerospace Laboratory

Flight Safety and Aircraft Operations Department

September 2006accident scenarios for an integrated aviation safety model 2

Outline

Objective

Accident types and scenarios

Modelling approach

Scenario development process

Example loss of control accident scenario development

Results


Objective

Development of the top layer of an Integrated Safety Model.

Provide an initial framework for staged development and integrating work by the different organisations


Integrated Safety Model (Framework)

S System 1

Human Action System 2 Initiating event

2 PROXIMATE

CAUSES

1&2

ROOT CAUSES

RISK METRICS

S

F

F DIRECT OR INDIRECT PHYSICAL / ORGANIZATIONAL / REGULATORY / ENVIRONMENTAL CAUSES

SET OF POSSIBLE SCENARIOS

Likelihood L

H M H

H M L

Severity

3

System 1 System 2

1

Human Action

3


Scenario clustering

Collision with ground Collision with object General disintegration


Accident types

Accident

Collision withground

Collision withobject

Generaldisintegration

Loss ofcontrol

(unrecovered)

Controlledflight into

terrain

Collision onground

Collision inmid-air

Explosion

Majorstructural

failure

Personal injury

Abruptmaneuver

(recovered)

Securityrelated event


Flight phases

Take-off

Climb

En-route

Descent

ApproachLanding


Fatal accidents and flight phases

Take off33%

En route11%

Landing56%


Proposed scenario matrix

Taxi Take-off Climb En-route Approach Landing

Abrupt maneuver X X X X

Uninhabitable cabin environment X X X X X X

Loss of control (unrecovered) X X X X X

Controlled flight into terrain X X X

Forced landing X

Mid-air collision X X X

Collision on ground X X X

Structural accident X X X X X

Fire/Explosion X X X X X X


Accident scenario representation

To ...

From ...


Event Sequence Diagram

Pivotal Event

Initiating Event

Comment End StatePivotal Event


Event Sequence Diagram

Initiating Event

Pivotal Event

Pivotal Event

Pivotal Event

Comment End State

End State

End State

End State


Modelling Approach: selection of Initiating event and pivotal event

Initiating Event

– Deviation from normal operation

– Active failures (triggering events)

– No latent failures (softer/deeper)

Pivotal Event

– Event with possible intervention

– Different causal pathway

– Active failures

– No latent failures (softer/deeper)


Modelling Approach: Level of detail

Transparency.

Limited complexity at the top layer of the model.

ESD need further detail by means of Fault Trees and Bayesian Belief Nets.

Minimise inter-dependencies of Fault Trees.

ESDs can be quantified with available accident- incident- and flight data.


ESD development steps

1) Individual accidents are analyzed and represented as a sequence of events.

2) Accident scenarios are generalized per type of accident, initiating event and flight phase.

3) Generalised scenarios are combined into one generic ESD so that this ESD covers a class of accidents.

Selection of accidents/incidents: ~ past 15 years, commercial air transport, ‘Western built’ aircraft, accident investigation report available


Example : Loss of control accident

Accident type: loss of control

Flight phase: en-route/approach

Multiple ways to loose control over the aircraft:different loss of control accident scenarios


Loss of control accident scenario initiators

System• e.g. flight control system failure, propulsion system failure

Environment• e.g. wind shear, turbulence, ice

Flight Crew• e.g. spatial disorientation


Accident type: Loss of control

Flight phase: En-route/approach

Initiating event: Propulsion system failure

Example


Step 1From accident report to

accident scenario


British Midlands, 737-4Y0, G-OBME, East Midlands, January 8, 1989


ESD British Midland 737 G-OBME

Crew detects failure

Powerplant failure

Total power loss

Collision with ground

Crew throttles back No 2 engine

Crew attempts to restart no 2

engine

Crew perceives inherent cues as prove of correct

diagnossis

Loss of control (loss of speed)

Crew fails to regain control

Crew shutdown no 2 engine

Crew increases power on no 1

which fails again

No 1 engine failed, causing engine surge. severe vibration. As soon as No 2 was throttled back, No 1 surging and vibration ceased and No 1 seemed to be operating normally


Atlantic Southeast Airlines, EMB 120RT,N256AS, Carrollton, Georgia, August 21, 1995


ESD ASA EMB 120RT N256AS

Damage to engine and wing (severely degraded aircraft

performance)

Crew unable to maintain altitude

Loss of control

Collision with ground

Powerplant failure


Step 2Generalising the accident

scenarios


ESD British Midland 737 G-OBME

Crew shutdown wrong engine

Powerplant failure

Crew fails to maintain control

Total power loss

Collision with groundgeneralising

added branch throughsystematic analysis andgeneralising, combining

Aircraft lands off

runway (1)

Safe landing

Aircraft able to reach airport

Crew carries out powerless approach


Step 3 From generalised specific accident scenarios to one

generic scenario


Generic ESD ‘loss of control’Flight phases: climb-cruise, landingInitiating event: propulsion system failure


Crew shutdown wrong engine

Single engine failure

Total power loss

Safe landing

Collision with

ground

Scenario type: Loss of control Phase: Initial climb - landing Initiating Event: Propulsion system failure

(1) Asymmetric thrust due to an engine shutdown, feathered propeller or engine in idle thrust(2) This event incorporates control of speed, altitude, pitch and roll. Flight crew skills related to powerless flight(3) This event incorporates control of speed, altitude, pitch and roll, and power management. Flight crew skills related to one engine inoperative flight(4) ‘Off runway’ means a forced landing in field or ditching

Asymmetric thrust

Crew fails to maintain

control (3)

Aircraft lands off

runway (4)

Safe landing

Collision with

ground

Crew fails to maintain

control (2)

Loss of control

Aircraft able to reach airport

Crew carries out powerless approach

Crew fails to restore engine

power

Aircraft continues

flight

Dual engine failure

Loss of control


Results

35 different generic accident scenarios covering all accident types and all flight phases.

Fully quantified

All integrated into a single ‘Master Logic Diagram’

accident scenarios for an integrated aviation safety model

Documents

generalised scenarios

type of accident

available accident incident

flight data

sheet1000fatal accidents

class of accidents

selection of initiating

staged development