Investigation Report May 2004
Kind of occurrence: Accident
Date: 1 July 2002
Location: (near) Ueberlingen/Lake of Constance/Germany
Type of aircraft: Transport Aircraft
Manufacturer/Model:
1. Boeing B757-200
2. Tupolev TU154M
Injuries to persons: 71 fatals
Damage to aircraft: Both aircraft destroyed

http://www.bfu-web.de/berichte/02_ax001efr.pdf


With the greatest of respect to the victims of the tragic accident at Ueberlingen on the 1st of July 2002, we offer the following extracts as an abject lesson in the folly of relying on TCAS, or see-and-avoid – as air traffic management design tools. See-and-avoid is ineffective for high energy aircraft, and TCAS is a last line of defence. The following extracts are from the accident report, available at the web-site noted above. They are made by investigators from one of the most respected accident investigative bodies in Europe.

We counsel anyone engaged in airspace – either as a pilot, controller, maintenance personnel, training staff or management – to read this sobering report. 71 people died as a result of the failure of the ATC system.

We counsel especially the architects of your NAS proposal to read and comprehend the consequences of flawed beliefs and political expediency.


Extracts from the final report:


“……Fundamental Purpose of ACAS/TCAS
ACAS/TCAS was developed as a collision protection system to be rated as the “last line of defence“. Similar to the stall warning system, the stick pusher and the ground proximity warning system (GPWS), ACAS/TCAS is to interrupt a possible chain of occurrences resulting from human errors or technical malfunctions and which may lead to an accident.

As TCAS II, Version 7 is an airborne device and issues resolution advisories to the crew only as visual and aural commands, obligatory procedural instructions for the utilization of and the reaction to TCAS advisories are indispensable. The TA alerts the crew in case of a potential conflict situation and requests their attention for a possibly succeeding RA.

The RA has the highest priority, because it will only be issued if other collision avoidance mechanisms, such as vertical separation by a controller, are not sufficiently effective or are incorrect. The manual intervention in the control of the airplane by the pilot must then take place without delay.

A coordination with the controller or a clarification of the situation by means of other airborne devices following an RA would question the purpose of TCAS. The time left in such a case could be too short for an avoidance manoeuvre and would increase the collision risk. According to general conviction, TCAS only makes sense if worldwide all crews rely on the system and comply with the advisories.

Thus it is the opinion of the BFU that with the system conception of TCAS II, Version 7 only one procedure can be permitted in case of an RA. The crew must comply with the RA without delay and report the initiated TCAS manoeuvre to the controller. Any other procedure which does not sufficiently take into account the priority of an RA would be contradictory to the purpose of TCAS……”


“…..Legal basis, procedures and procedural instructions
As TCAS II, Version 7 is designed as a semiautomatic system which shall serve as a “last line of defence“ in collision avoidance, clear and unambiguous procedural instructions for the crews are an essential prerequisite. This prerequisite is so important, because the system philosophy of TCAS II, Version 7 provides only one procedure after the issuance of an RA and that is to follow the generated RA.

The decision to follow an RA without reservation could mean that up to the resolution of the conflict the crew has to divert from other obligatory standards for instance, from instructions for vertical separation issued by ATC and from other general right-of-way rules……”


“…..TCAS 2000/TCAS II Traffic Collision and Avoidance System Pilots Guide
The specifications of the TCAS manufacturer's „Pilots Guide“ regarding the TCAS system philosophy and the necessary procedures which ensure a safe function were not described distinct enough. The wording „TCAS 2000 is a backup to the ATC (Air Traffic Control) system and the „see and avoid“ concept.“ could be interpreted that ATC takes priority to TCAS and that TCAS is designated to be implemental or a substitute. It was not made clear in the description of the system philosophy that TCAS is exclusively meant as a „last line of defence“ for the avoidance of a collision and that in this stage TCAS advisories must be disconnected from instructions given by ATC controllers.


„TCAS 2000 Pilots Guide“ does not state clearly enough that the safe separation accomplished through ATC and the tasks of TCAS are two different functions. It is not clear that TCAS is not part of the conceptual design of ATC……”



“……Defences

ACAS/TCAS

As an independent, onboard collision avoidance system, TCAS is designed as a last resort system to assist flight crews in avoiding a mid-air collision. The B757-200 VSI/TRA used for displaying TCAS information had a maximum display capability of 16 NM and holds a prevalent position within the pilots’ scan. TCAS is an onboard system which normally works in the background and becomes active once a collision risk appears.

The interface "TCAS - crew" becomes active with the generation of a TA. In this phase TCAS contributes to the situation awareness of the crew. An input into the control of the aircraft is not intended in this phase. After the generation of an RA the flight crew must take over control of the aircraft. Thereby is essential:

• Even in consideration of the pilot's final responsibility the TCAS RA must be followed. In this situation the crew has no better basis for a decision.
• Deviations from ATC instructions must be reported as soon as possible…..”



“…..Visual acquisition of aircraft
There is much literature about the physiological limitations of the human visual system within the aviation environment and particularly in the context of the “see and avoid” principle, often dealing with the difficulty in acquiring visual contact with other aircraft. This event exposes the human weakness even further, in that even with a visual contact with the opposing aircraft, neither crew successfully utilised the sensory information to recognise the high risk of a collision in time to successfully take avoiding action.

Having detected another aircraft a process of evaluation starts to assess the likelihood of a collision and to consider the need for evasive action. The first step of this evaluation requires that the relative position and relative motion be determined in all dimensions and then the rate of change evaluated.

At night and high altitude humans are extremely unsuited to this task.

At high altitude, and particularly at night, relative height it is almost impossible to judge visually with certainty, but change in the relative vertical bearing gives an indication of potentially conflicting traffic crossing above or below.

The lack of vertical change indicates no height difference at crossing, but does not allow determination as to whether a contact is above or below one’s own aircraft.

With high closure rates it may remain impossible to assess with certainty the relative height of intruder traffic until just a few seconds prior to the closest point of approach. Change of relative (horizontal) bearing is an indication as to whether a contact is passing ahead or behind one’s own aircraft, but in most environments the task of determining the intruder traffic’s heading still remains extremely difficult. In a potential collision situation the bearing does not change.

The third dimension involves the distance between the aircraft, and is assessed based on the apparent size of the contact. The relationship between distance and size is not a linear one, however: size increases exponentially with decreasing distance. At night and high level it is almost impossible to judge the distance between two aircraft based on visual information alone as there is no optical reference.

This makes it impossible to assess the closure rate until a contact is at a range that a change in size becomes perceivable. With a low closure rate the point at which a pilot can discern the size of another aircraft, and recognise the separation distance, may allow time to assess the flight trajectory and react to the situation prior to the closest point of approach. However, at high closure rates, by the time a pilot can detect a change in the apparent size of another aircraft, it will already be rapidly expanding in his view.

And although he instinctively recognises the high closure rate, even an immediate control input may not give enough time to effectively initiate an avoidance manoeuvre. The visual sensation created by a clear change of relative bearing, vertically or horizontally, conveys a sense that a collision threat is reducing, or does not exist. This perception is strengthened as the rate of change is increased. However, if the rate of change of relative bearing is reduced or is constant the pilot does not sense an increased threat of collision.

In this situation the pilot experiences an alarming visual sensation only if distance to the conflict traffic decreases significantly and the object size increases rapidly. The flight paths of the accident flights had the two aircraft at an almost constant relative height and horizontal bearing, but with a closure rate of about 710 knots (about 365 m/s).

This closure rate would not have allowed the crew of either aircraft to recognise the shortness of distance between them or their relative velocity till only several seconds before the collision. The remaining time was insufficient to decide on a course of action and affect a change in the aircraft flight path…..”.



“…..With ACAS/TCAS an additional safety system was introduced into aviation. It works independently of ground equipment and is installed in airplanes. ACAS/TCAS is a system of last resort and works independently of ATC units. Collision avoidance is one of the common tasks of the two systems. The instructions of both systems may command opposite directions. Yet, in case of an RA ACAS/TCAS takes priority, there is no contradiction….”

I think that should be 72 fatals.

Directly from the report:

B757-200: 2 crew 0 passengers - Total 2
TU154M: 9 crew 60 passengers - Total 69

Total: 71 fatal injuries

We are well aware of the unfortunate after-event to which you refer.

Please read the report - which - whilst not in any way justifying the latter action - might just separate the two incidents. We will allow you to judge who was really responsible for that unforgiveable action. Look wider than the individuals involved.

This was not the purpose or thrust of our post. The purpose was to highlight the latent system failures - some of which are being deliberately built into your airspace design. To design a system - or allow the defensive layers to decay to the point where passengers are put in a situation where the only line of defence between them and the ultimate sanction is TCAS - coupled with see and avoid - is close to criminally negligent.

Great to see you back, Voices! Keep up the great work, one day reason will prevail.

Voices. I had the opportunity to speak to one of the investigators of that accident in Sydney last year at the AAVPA conference. The accident was more attributable to the Russian culture that the controller, (human) told the aircraft to descend, and the TCAS, (Computer) told the pilot to climb. Given the choice of compying with someone in authority or an onboard computer, the pilot chose the person in authority.

Forgive me if I"m wrong, but after spending a few hours with this gentleman (I can't remember his name, however I have it written down somewhere) that is what he told me.

BM

Apart from totally missing the point, Baldrick's mum, what's your point? Are you saying that Dick Smith should now re-write the TCAS procedures? After all, they are now a cornerstone of NAS viability. And the pilots in the VB Bris incident were described by him as being "criminally negligent" for abiding by their TCAS RA and climbing to avoid their VFR intruder (see Dick's thread on this forum).

Are you even slightly embarrassed by your ignorance, or are you just not aware of it?

VoR is saying that see-and-avoid doesn't work for jet aircraft.
VoR is saying that TCAS is not a design tool for airspace management.
VoR is using the accident report as a source to back those assertions.

Dick Smith has given you a worse airspace system that relies on see-and-avoid, in fact unalerted see-and-avoid, of jet aircraft, and appears to have designed into it reliance on TCAS. His reasoning is 'that "I believe" it will work'.
Is that clear enough for you?

VOR, don't forget the one on the ground... It did come later but it did happen

And of course the most ironic observation of all...if there were no TCAS there would be no accident! Not to be interpreted as an anti-TCAS stance..just an observation:( :confused:

****zu,
It always has seemed a bit odd to me that we have two pilots, TCAS, lookout (onya Dick, you twit) and radio to maintain a grip on what is going on, but you ATCs can operate "single-pilot". It's got to be a classic case of affordable safety, right up until the midair. I wonder how long it'll take for this report to sink into the beancounters in AsA CBR?

Dick et al: if you think safety (ie Class C) is expensive: you wait 'til there's an accident.

Ferris,
Well said!

SM4 Pirate

We answered your statement in our second post to this thread.

****su Tonka

You made a statement that the second controller was " taking a break". This would seem to infer a 1/2 hour meal break, or a one hour rest etc.

In fact, if you read the investigation report that we have tagged in the first post, you will note that the second controller left the operations room at 9.15pm, and was not expected to return until early morning - i.e., the second controller was sleeping at the time of the accident - AND Skyguide management were aware of the practice, even though a safety management process was underway to stop such practices.

Skyguide, as with other European service providers, has explicitly banned the previously tolerated practice of sleeping on night shifts.


Baldricks Mum

Perhaps if you read the investigation report, you will find the correct references to why the Russian crew felt it necessary to follow control instructions and disregard TCAS. The crew was very experienced - but had NOT been trained on the reaction protocols associated with TCAS - no simulator capability existed to train pilots on reaction to TCAS alerts.

Further, the operating procedures for the flight crew specifically required compliance with ATC at all times. It was NOT Russian "culture" - it was poor, incorrect or absent training.


As to comments made by another respondent regarding whether the lack of a TCAS alert might have in fact prevented the accident - we would again ask that you read the report.

The two aircraft were assigned FL360 - even though the Tupolev was to be recleared to FL350 at or around the accident time. The two aircraft were tracling via separate VORs such that a common point on ATC strips was not evident. The visual STCA was not active due the maintenance. When the single controller on duty DID notice that the aircraft were in conflict, separation had ALREADY been infringed.

The fact remains that TCAS or not, accident or near miss, the ATC system failed. System design was faulty.


That is the point that we are trying to make in regard to your NAS system. Design is faulty.

VOR,
Thanks for clarifying the conversation I had with the investigator. I thought I might have been mistaken by what the investigator actually told me compared to what he and the others in the team wrote in the report.

BM

Baldricks Mum,

It is entirely possible that one of the investigators did make the comments to you regarding Russian culture. It is also possible to believe that statement given other examples - both in the aviation and other industries - of absolute compliance with authority.

What the report indicates, however, is that the crew actually complied (exactly and with little question) with training and company doctrine. Had the crew been trained in the response requirements related to TCAS Resolution Advisory as the vast majority of other operators at the time of the accident, that accident may never have occurred.

We did not mean to imply that your recollections were incorrect - perhaps the investigator had not had the advantage of the assembled inputs.

All of that said, we hold to our original reason for making the post.

The crews of the concerned aircraft should NEVER have been placed in a situation of relying on TCAS - the LAST LINE OF DEFENCE - to resolve this conflict.

Over US$25 billion is spent each year around the globe on the provision of air traffic services. Many hundreds of TCAS Resolution Advisories occur around the world each year - more than one a day.

We would have thought that that amount of money might deliver a better outcome. We would also have thought that building a system that relies on the use of TCAS as a design feature, rather than the last line of defense, would be anathema.

The senior management of Skyguide was severely criticised for the systemic issues associated with the accident. Criminal investigations are still underway. Skyguide management might be able to plead partial ignorance.

Senior aviation management in Australia cannot make similar claims - and had better be very sure that they understand the potential consequences of their actions - to the public and themselves - before accepting a NAS design that so highly features reliance on TCAS and see-and-avoid.

left the operations room at 9.15pm

VoR,

9.15pm UTC that is, which makes it 11.15pm local time.

It was pleasing to see that your airspace change architect, Mr. Dick Smith, took note of a previous post that we submitted regarding TCAS, and provided selected quotes from that reference on his aviation web-site. It was disappointing, however, to see that he has selectively quoted the references, to paint a picture that TCAS might actually be regarded as a design tool.

We have transposed the entire reference below. You might note that it does NOT quite say what Mr. Smith is trying to infer.



……………The Traffic Alert and Collision Avoidance System, or TCAS, is an instrument integrated into other systems in an aircraft cockpit. It consists of hardware and software that together provide a set of electronic eyes so the pilot can "see" the traffic situation in the vicinity of the aircraft. Part of the TCAS capability is a display showing the pilot the relative positions and velocities of aircraft up to 40 miles away. The instrument sounds an alarm when it determines that another aircraft will pass too closely to the subject aircraft. TCAS provides a backup to the air traffic control system’s regular separation processes.

The MITRE Corporation conducted early research into collision avoidance technologies under the sponsorship of the Federal Aviation Administration (FAA). TCAS is a direct descendant of those invented at MITRE and elsewhere. To learn more about TCAS, and the people who invented it, read further.

Background

Since the early 1960s, MITRE's Center for Advanced Aviation System Development (CAASD) has provided the FAA with Air Traffic Control (ATC) system engineering support. As part of this longstanding partnership, CAASD helped the FAA implement a collision avoidance system for aircraft. The resulting Traffic Alert and Collision Avoidance System, or TCAS, has become a standard for safety in the United States and abroad. Its value is clear: no airline mid-air collisions have occurred in the United States since 1990, when the airlines began equipping their planes with TCAS.

From its inception, TCAS has dramatically improved pilots' chances of successfully averting the threat of a mid-air collision. Pilots have come to rely on TCAS to give them the crucial data to avoid collisions. As their last line of defense, TCAS gives pilots the edge needed to ensure that their crew and passengers have the safest flight possible.

The project benefited from the cooperative efforts of the FAA, airlines, and several other companies. CAASD designed and developed the collision avoidance logic at the heart of the system. The Massachusetts Institute of Technology's Lincoln Laboratory developed air-to-air surveillance. The FAA Technical Center and a team of contractors, including The Analytical Sciences Corporation, Coleman Research Corporation, and Rannoch Corporation, were responsible for software verification and validation. The FAA Technical Center and ARINC Research handled operational evaluations.

Historical Perspective

On June 30, 1956, two planes collided over the Grand Canyon. In the wake of this and other such airborne disasters, the industry realized they needed a system that could help prevent similar incidents. Companies soon began designing collision avoidance systems, but two problems hampered their efforts. First, adoption of the proposed systems would require the airlines to equip their fleets with expensive new hardware. Second, there was still a lot of development left to do before an adequate system would be ready.

In 1974, MITRE proposed an alternative. Using the transponders already installed in many aircraft for communication with the FAA's ground-based Air Traffic Control Radar Beacon System (ATCRBS), developers took advantage of existing technologies to significantly hasten the design and implementation process. The Beacon-Based Collision Avoidance System (BCAS) was the predecessor of today's TCAS. This system sent interrogation signals to nearby aircraft similar to the FAA's radar system. The transponders then sent back response signals. The system interpreted these signals to determine the location, speed, and course of each plane and used the data to avoid a potential collision.

BCAS test results were promising. On the ground, MITRE equipped a trailer to receive transponder signals as if it were an aircraft. BCAS lived up to expectations, prompting the FAA Technical Center to test the system on one of its aircraft. On the basis of these two tests, the FAA moved forward with further development of BCAS.

A Collision Avoidance System Is Born

In 1981, the FAA chose to pursue the onboard design approach used in BCAS rather than a ground-based collision avoidance system which was also under consideration. At that point, BCAS was renamed TCAS.

There are two different versions of TCAS, for use on different classes of aircraft. The first, TCAS I, indicates the bearing and relative altitude of all aircraft within a selected range (generally 10 to 20 miles). With color-coded symbols, the display indicates which aircraft pose potential threats. This constitutes the Traffic Advisory (TA) portion of the system.

When pilots receive a TA, they must visually identify the intruding aircraft and may alter their plane's altitude by up to 300 feet. TCAS I does not offer solutions, but does supply pilots with important data so that they can determine the best course of action. An illustration of TCAS range and altitude criteria shows the horizontal and vertical distances to monitor traffic and issue advisories to maintain safe separation of aircraft.

In addition to a traffic display, the more comprehensive TCAS II also provides pilots with resolution advisories (RA’s) when needed. The system determines the course of each aircraft; climbing, descending, or flying straight and level. TCAS II then issues an RA advising the pilots to execute an evasive maneuver necessary to avoid the other aircraft, such as "Climb" or "Descend." If both planes are equipped with TCAS II, then the two computers offer deconflicting RA’s. In other words, the pilots do not receive advisories to make maneuvers that would effectively cancel each other out, resulting in a continued threat.

MITRE's key contribution to the development of TCAS was its work on the collision avoidance logic for TCAS II. The software uses the collected data on the flight patterns of other aircraft and determines if there is a potential collision threat. The system doesn't just show the other planes on a display like a radar screen, but offers warnings and solutions in the form of traffic advisories (TA’s) and resolution advisories (RA’s).

As CAASD's Dr. Andrew Zeitlin points out, "Because of the pilots' normal workload, we don't expect them to spend all of their time looking at the screen. It's there when needed, but more important, it speaks up and advises them as they need to make a maneuver to avoid a collision."

Aside from the logic design, much of MITRE's work on TCAS involved creating and running computer simulations to test the system. "Because it's expensive to fly test encounters," says Dr. Zeitlin, "we have developed some very powerful tools where we can generate millions of encounters on the computer and evaluate the logic exhaustively. We can also play back radar data from ordinary traffic and get a feel for how the system works and how much disruption you get day to day or at different locations with ordinary traffic."

n occasion, MITRE has also assisted the FAA and other organizations in evaluating special encounters. "For example, if somebody has a near-miss and they want to know what TCAS's role was or what would TCAS have done in the encounter, we can simulate the encounter and give advice," says Zeitlin.

Taking to the Skies: The Congressional Mandate

On August 31, 1986, while TCAS was still in development, a collision occurred over Cerritos, California, involving an Aeromexico DC-9 and a small Piper aircraft carrying a family of three. The DC-9 was descending toward Los Angeles International Airport in clear skies, flying at 6,500 feet. The Piper hit the DC-9's tail, causing both aircraft to plummet from the sky.
The accident resulted in the deaths of all 67 people aboard the two planes, as well as 15 people on the ground.

In the aftermath of this accident, Congress passed a law requiring the FAA to mandate the use of TCAS. By 1993, all carrier aircraft operating within U.S. airspace with more than 30 passenger seats were equipped with TCAS II. Aircraft with 10 to 30 seats were required to employ TCAS I.

Evolving to Meet Safety Needs

Although the airlines were using the more advanced version 6.01 of the TCAS logic, some improvements still needed to be made. The system was issuing RA’s in some situations, such as final approach, when traffic may be closer but is safely under control. Many pilots saw these RA’s as a nuisance. The system was basically too sensitive, with unnecessary TA’s and RA’s even being triggered by transponders on bridges and ships.

According to Dr. Zeitlin, "There was a growing tendency among pilots to ignore the advisory, even when they didn't necessarily have full knowledge of the situation. Everyone was concerned that one day they would ignore one that was necessary."
In 1992, CAASD developed logic version 6.04 to alleviate these problems. Delta Airlines, the first carrier to voluntarily use the new logic, reported an 80 percent reduction in RA’s. The following year, CAASD developed an additional improvement to the logic, version 6.04A. Airlines began equipping their fleets with this version in 1994.

The Final Generation

In 1997, CAASD finished work on one final major change to the TCAS logic, version 7. It was approved by the RTCA standards committee and the FAA, and is the version installed on all new aircraft. It has also been adopted by the International Civil Aviation Organization (ICAO) as the international standard. Version 7 is required for aircraft serving European and some other countries. American carriers who fly to these countries have had to upgrade from 6.04A to 7 on their international planes, and can voluntarily upgrade the equipment already on their U.S. fleets. Version 7 also will be required for operation in Reduced Vertical Separation Minima (RVSM) airspace.

Version 7 logic yields at least a 20 percent reduction in RA’s over the previous version. CAASD ran simulations using radar data from Europe, where they encounter more high-altitude en route conflicts. The 7.0 software resulted in a 40 percent reduction in unnecessary RA’s. The new logic also significantly improves TCAS performance in several other important areas.

CAASD personnel conducted safety studies to evaluate the performance of each successive version of the TCAS logic. In a 1997 report on version 7, CAASD's Dr. Michael McLaughlin examined the reduced risk of collision in aircraft equipped with TCAS II versus the risk in aircraft without TCAS. Based on the likelihood of incursions into a protected zone around aircraft with a radius of 500 feet and a height of 200 feet--defined as Critical Near Mid-Air Collisions (NMACs)--McLaughlin concluded that "TCAS should reduce NMAC probability by at least 90 to 98 percent," depending on whether one or both aircraft in an encounter are equipped with TCAS.

Though NMACs, especially those involving commercial, passenger aircraft are already extremely rare, McLaughlin notes that "TCAS is intended to reduce their probability even further."
Although the FAA has said that version 7 will be the final logic for TCAS, CAASD continues to work on many different air traffic control projects, and will undoubtedly play a role in the development of any future collision avoidance systems…….




TCAS is NOT a system design tool – it is a TOOL OF LAST RESORT for pilots.