The Munich Incident Agnar Darri Sverrisson

SYST 660

Summary

• An airplane (B777) is coming in for landing using automatic approach and Autoland • CAT I in operation

• When at 50 ft AGL, the airplane starts to bank (3.5° to the left)

• Left landing gear touches the runway • Deactivating the go-around button (TO/GA)

• The airplane touchdowns with all landing gear and veers left off the runway

• Pilots apply rudder pedal force, deactivating the autopilot

• The airplane crosses the runway from left to right

• Comes to a full stop parallel to the runway

• No fatalities, injuries, or damages on the airplane

List of Systems

• 1. Runway • Distance, width, orientation, altitude ASL, location.

• 2. Localizer Antenna • Range, location, signal strength, error declaration time.

• 3. Departing traffic • Departure time, weight, take-off starting point, location, SOP‘s, crew, communication links,

human operators, human intervention, TO/GA.

• 4. Arriving traffic • Arriving time, weight, Autoland, Autopilot, SOP‘s, human operators, communication links,

human intervention, TO/GA.

• 5. Air Traffic Control • SOP‘s, communication links, human operators, human intervention.

• 6. Weather • Humidity, temperature, dewpoint, ceiling, visibility, wind conditions.

Every subsystem that is bolded, did have an effect on the Munich

incident

Operational Concept Diagram

Scenario – Operation Context (Arriving Airplane)

• Flight had been going well • 147 Pax, 13 Flight Attendants, 2 Pilots

• The co-pilot was the pilot flying until they hear the latest weather report from Munich • Visibility 2000 m and cloud base 300 feet (CAT 1)

• PIC decided to assume the role of pilot flying as the SOP of the operator required • The co-pilot became Pilot Monitoring

• The PIC decided to conduct an automatic approach and Autoland • To practice their approach and landings when CAT III is in operation

• Pilots must be ready to initiate a go-around procedure when attempting this if anything goes wrong • Depends on (follows) signal from the localizer antenna

• Crew receives latest wind information and is clear to land on runway 08R

Scenario – Operation Context (Munich Airport)

• There had been some renovations at Munich Airport • The position of the localizer antenna for landing direction 08R was moved from

350 m beyond the runway threshold 26L to 1,000 m • Allowing bigger airplanes to take off and land at that runway

Scenario – Operation Context (ATC)

• Air Traffic Controllers under a high workload • Due to CAT II/III the same morning

• Delays resulted in an increased departure rate in combination with approaches on runway 08R

• ATC forced to work on the edge of the seperation minimum • One runway length (minimum)

• To get the traffic situataion back to its norm

Scenario – Triggering Event

• The ATC cleares a heavy aircraft for departure coming on to runway 08R from taxiway B4 • To save time

• At this time the B777 is 3.4 NM from runway 08R.

Event Sequence #1

• Effect on Automation • Autopilot Localizer mode remained engaged

• Even though the localizer signal was disrupted • The Localizer farfield monitor and the earfield monitor did not indicate a failed

Localizer signal.

• Inappropriate Automation Command • Autopilot followed the localizer signal that was disrupted and showed the runway

center-line to the left of the runway

• Inappropriate “Plant” (e.g. aircraft) Trajectory/Energy • When the B 777 was about 50 feet above runway 08R in the flare phase the airplane

slowly started to bank left up to 3.5°.

Event Sequence #2

• Effect on Automation • When about 420 m beyond the runway threshold the airplane touched down

with the left main landing gear at 132 kt (at that time the Auto Flight System switched to rollout mode)

• Rollout mode disables the status of the TO/GA switches located on the Throttle Levers • The switches no longer work

• Inappropriate Automation Command • Autopilot continues to veer to the left

• Inappropriate “Plant” (e.g. aircraft) Trajectory/Energy • Airplane rolls out to the left of the runway.

Event Sequence #3

• Sensor Discrepancy and/or Pilot Entries • When the pilot in command notices that the airplane is banking to the left he

tried to initiate a go-around procedure by pushing the TO/GA buttons • The autopilot did not respond.

• Effect on Automation • None

• Inappropriate Automation Command • Autopilot continues to veer to the left

• Inappropriate “Plant” (e.g. aircraft) Trajectory/Energy • Airplane rolls out to the left of the runway.

Event Sequence #4

• Sensor Discrepancy and/or Pilot Entries • Pilots use rudder pedals to steer aircraft back onto runway. • Pilots do not disengage the Autopilot.

• Effect on Automation • Autopilot remains engaged in Roll-out Mode

• Inappropriate Automation Command • Autopilot continues to veer to the left

• Inappropriate “Plant” (e.g. aircraft) Trajectory/Energy • Airplane rolls out to the left of the runway. • Autopilot was still engaged as the airplane moved towards the left runway edge and

veered off the runway with a speed of 123 kt about 944 m beyond the threshold in the area of taxiway B4.

• The airplane rolled through the grass north of runway 08R for about 400 meters.

Event Sequence #5

• Sensor Discrepancy and/or Pilot Entries • Pilots use rudder pedals to steer aircraft back onto runway with force greater than

XXXX lbs

• Effect on Automation • Pilot rudder pedal force causes Autopilot to disengage • Due to pilots’ inputs via the rudder pedals, the autopilot disengaged

• Inappropriate Automation Command • Aircraft now follows pilot rudder pedal commands

• Inappropriate “Plant” (e.g. aircraft) Trajectory/Energy • Resulting in a 40° right turn, re-entering the runway close to the intersection with

taxiway B6 (about 1,566 meters beyond the threshold). • The aircraft crossed the runway (120° heading at 71 kt), then veered off the runway

again (south of runway 08R) and turned left by about 40° and came to a full stop in the grass south of and parallel to runway 08R.

Human Operator Intervention Opportunities

• Event Sequence #1 (localizer signal disrupted) • Nothing that the pilots could have done

• Possibly notice sooner that the aircraft was banking and initiate the TO/GA

• Event Sequence #2 (left main landing gear touch-downs) • Pilots could possibly have disengaged the autopilot and steered the aircraft back to

the runway center line

• Event Sequence #3 (Pilots try to initiate a TO/GA procedure) • No feedback from the system that the TO/GA is inactive

• Confuses pilots • At this time the pilots could possibly have disengaged the autopilot and steered the

aircraft back to the runway center line

Human Operator Intervention Opportunities

• Event Sequence #4 (Pilots use rudder pedals to try to steer the airplane) • The Autopilot is still engaged in a Roll-out mode

• By that time the pilots should have disengaged the Autopilot and steer the airplane back onto the runway

• Event Sequence #5 (Pilots disengage the autopilot with rudder pedal force) • If the pilots would have disengaged the autopilot by pushing a button, it is much

more likely that they hadn‘t overshot the runway and steered out off it on the other side

How can we prevent/reduce risk of similar accidents • Better communication

• Put a new rule in the pilots‘ SOP • Pilots who are about to conduct an automatic approach and Autoland must report it to

the ATC before reaching a certain point, X nautical miles from the runway threshold

• Better automation system feedback • The TO/GA button was inactive when the pilots tried to push it

• They didn’t know it was inactive which made them confused

• All TO/GA buttons should have a led lighting which says whether they are active or inactive • Green light = active

• Red light = inactive

Lessons Learned - Discussion

• Things for operators to look out for (and for designers to avoid):

1. Peer systems, operating in a system-of-systems, can have incompatible SOPs

• There is typically no over-arching body (i.e. oversight) to check the compatibility of SOPs

2. Make Operators Supervisors SOP Procedures that say its OK to perform a procedure as long as the pilot monitors and intervenes when the automation does something inappropriate

• How much time does the operator have?

• How subtle is the indication?

3. Monitoring Equipment Failure Criteria (e.g. Localizer signal monitors) that have longer “monitoring time thresholds” than the dynamics of the plant/vehicle to enter an unsafe energy-state/trajectory

4. Moded Input devices (e.g. switches, knobs, levers) that change the way they behave (e.g. disabled) based on context/situation

• Is there any direct, visual indication that their “mode” has changed?

5. Startle Disengagement: Requirement for operator to disengage automation (or perform other complex tasks) when startled/surprised.

Questions ? Thoughts ?