|University of Bielefeld - Faculty of technology|
Networks and distributed Systems
Research group of Prof. Peter B. Ladkin, Ph.D.
|Back to Abstracts of References and Incidents||Back to Root|
8 September 1997
The textual form is as follows:
WHY BECAUSE DESCRIPTION  accident /\  death of 1st person /\  death of 2nd person /\  damage to AC  [3.1] (AC hits earth bank)  [-.1] asphyxiation [2.1] /\ <-.1> smoke in cabin /\ [-.2] remained in cabin <2.1.1> [3.2] (AC burns) [2.1.2] /\ <-.1> unconsciousness /\ [<-.2>] unnoticed during evacuation <126.96.36.199> [3.1] (AC hits earth bank) [<188.8.131.52>] [<-.1>] motionless, noiseless, postion, smoke in cabin, time pressure, etc.  /\ [-.1] AC hits earth bank /\ <-.2> AC burns [3.1] /\ [-.1] AC overruns RWY /\ <-.2> earth bank in overrun path [3.1.1] /\ [<-.1>] certain cause: excessive speed on landing /\ <-.2> certain cause: unstabilised approach /\ [<-.3>] certain cause: braking delayed [<184.108.40.206>] [<-.1>] CRW's actions in expectation of windshear [<220.127.116.11.1>] /\ <-.1> CRW's decisions in expectation of windshear /\ [<-.2>] CRW's conformance with recommended procedures in case of windshear <18.104.22.168.1.1> /\ <-.1> prevailing weather conditions /\ [-.2] report of windshear from preceding AC /\ [-.3] wind report from tower /\ <-.4> CRW's belief that report was current /\ [-.5] CRW's comparison of tower's wind report with their measured groundspeed on approach <22.214.171.124.1.1.1> <-.1> front was passing through [126.96.36.199.1.1.3] [<-.1>] weather reporting system <188.8.131.52.1.1.4> /\ <-.1> CRW's assumption /\ <-.2> no ATC advice given on currency of report <184.108.40.206.220.127.116.11> /\ <-.1> usual arrangement at European airport /\ ???<-.2>??? expectation of advice if procedure not usual [18.104.22.168.1.1.5] [<22.214.171.124.1.2>] (CRW's conformance) <126.96.36.199> <-.1> CRW's actions (Action Failure) [<188.8.131.52>] /\ [<-.1>] potential cause: wheel braking delayed /\ [<-.2>] potential cause: speed brakes and thrust reverser deployment delayed [<184.108.40.206.1>] [<-.1>] aquaplaning [<220.127.116.11.1.1>] /\ <-.1> RWY very wet /\ [<18.104.22.168>] (speed of AC) /\ <-.3> low weight on each main gear wheel <22.214.171.124.1.1.1> /\ <-.1> weather conditions /\ <-.2> amount of water on RWY surface /\ <-.3> condition of RWY surface <126.96.36.199.1.1.3> [<188.8.131.52>] (speed of AC) [<184.108.40.206.2>] /\ <220.127.116.11.1.1.3> (low weight on main gear wheel) /\ <-.2> braking system's logical design /\ <-.3> divergence between consequences of design and behaviour expected by CRW /\ [-.4] actual landing <18.104.22.168.2.3> <-.1> behavior expected by CRW <22.214.171.124.2.3.1> /\ <-.1> `normal' behavior expected by CRW /\ ???<-.2>??? CRW's training at Lufthansa /\ ???<-.3>??? Lufthansa procedures [126.96.36.199.2.4] [<188.8.131.52.1>] (CRW's actions) <3.1.2> [<-.1>] built by airport authority for radio equipment <3.2> [3.1] Glossary: AC Aircraft CRW Crew RWY Runway
We call a part of a graph a semi-component if its `connection' to the rest of the graph passes only through `narrow' connections. This is a visual judgement rather than a mathematical definition. We anticipate that the reader will be able to see from the whole graph and our division into three semi-components exactly how we use the concept.
The first author used the dot graph-drawing tool to produce the WB-Graphs. The tool enabled us easily to divide the complete graph into three readable semi-components, and color the `connecting nodes' of these semi-components to make them easily identifiable across semi-component diagrams.
The overall structure of the WB-graph for this accident is Figure 1 (gzipped Postscript, 7K).
We observe that this graph can be broken down into three main sections along the `bottlenecks'. The `top' section is Figure 2 (gzipped Postscript, 3.5K). (The other two components are Figure 3 (gzipped Postscript, 4K) and Figure 4 (gzipped Postscript, 3.5K): the nodes that `join' two of these almost-components are included in both relevant figures.)
One can immediately observe from Figure 2 that node 3.1.2: earth bank in overrun path is a causally-necessary node: hitting the bank was a cause of the damage and fire; the hit directly killed one person and rendered the other unconscious and therefore unable to participate in the evacuation. The node is caused only by node 184.108.40.206: built by airport authority for radio equipment. This node in turn is not caused by any other event or state in the sequence. It is therefore to be counted amongst the `original causes' of the accident, according to the WB-graph method. However, it does not appear amongst the `probable causes' or `contributing factors' of the final report. We have therefore found a reasoning mistake in the report. It is not the only such node of which this is true.
[<220.127.116.11>]+ unnoticed during evacuation (for many reasons) [<18.104.22.168.1.2>] CRW's conformance with recommended procedures in case of windshear [22.214.171.124.1.1.2] report of windshear from preceding AC <126.96.36.199.188.8.131.52> front was passing through [<184.108.40.206.220.127.116.11>] weather reporting system <18.104.22.168.22.214.171.124> no ATC advice given on currency of report <126.96.36.199.188.8.131.52.1> usual (reporting) arrangement at European airport <184.108.40.206.220.127.116.11.2>??? expectation of advice if (weather reporting) procedure not usual <18.104.22.168.1> CRW's actions (handling on approach) (Action Failure) <22.214.171.124.126.96.36.199> amount of water on RWY surface <188.8.131.52.184.108.40.206> condition of RWY surface <220.127.116.11.2.2> braking system's logical design <18.104.22.168.22.214.171.124> `normal' behavior expected by CRW <126.96.36.199.188.8.131.52>???? CRW's training at Lufthansa <184.108.40.206.220.127.116.11>???? Lufthansa procedures [<18.104.22.168>] earth bank built by airport authority for radio equipmentWe consider them in turn.
There are two fundamental causes which appear in our analysis that were not dealt with in depth by the report, and which were thus not subject to recommendations from the accident investigation committee. We consider that failure to include those two causes amongst the contributing factors (at least) is simply a mistake in reasoning, given that they were noted in the body of the report. We note that these two causes were two out of three fundamental causes (according to our WB-Method) that were under the administrative control of the Polish authorities, who are also responsible for the report. In other work (GeLa97), we have noted another case in which fundamental causes (according to the WB-Method) under administrative control of the government responsible for the accident investigation seem to have been omitted from the list of contributory factors. We draw no further conclusions from this feature, simply note that it seems to have occurred twice so far in our studies.
Considering the Warsaw report as an example has shown how the WB-method renders reasoning rigorous, and enables the true original causal factors to be identified from amongst all the causally-relevant states and events.
What is the consequence of the rigorous reasoning employed in the WB-Method? We have been able to identify two fundamental causes (source nodes in the WB-graph) which occurred in the report but were omitted as `probable cause' or `contributing factors': the position of the earth bank, and the runway surfacing. Once we have identified the position of the earth bank as an original causal factor, we know that had the bank not been where it is, the accident that happened would not have happened. (It is, of course, possible that the aircraft could have broken up and burned for some other reason - whether that was likely can be left to the experts to decide, but it's certainly not as likely as in the case where there's something there to hit!) Therefore, one could consider repositioning the bank in order to avoid a repeat. However, this was not considered or recommended in the report, we suppose because the position of the bank was not considered to be a causally-essential feature in the report. Thus, in the absence of rigorous reasoning, one runs the risk of a limited, and thus inoptimal, set of choices as to how to proceed in the future to avoid similar problems. In an ideal situation, we would think that action could be taken to compare the positioning of the bank and the condition of the runway surface with norms in Western Europe and the US, for example, where aviation is most highly developed, and to initiate supplemental advisories, procedures, or a change in conditions themselves.
So, even though press and media opinion may focus on the automated systems of the accident aircraft, or on pilot `error', it is also true that had the aircraft had a free `overrun area' at the end of the runway in which to slow down, the accident could have been a mere incident: unfortunate but not deadly. Also, had the runway surfacing been otherwise, the wheel braking systems could have functioned earlier and perhaps the collision with the bank ameliorated or avoided. In a valid account of the accident, these mundane features identified as fundamental causes by the WB-Method must be noted as causal factors along with pilot and airplane behavior.
(1): The observation that in causal explanation not just one `probable cause', but normally many causal factors explain the occurrence of an event, and that one cannot distinguish between `more necessary' and `less necessary' factors, is often attributed to John Stuart Mill; for example, as quoted by Steward (Ste97, p214):
It is usually between a consequent and the sum of several antecedents; the concurrence of them all being requisite to produce, that is, to be certain of being followed by the consequent. In such cases it is very common to single out only one of the antecedents under the denomination of Cause, calling the others merely Conditions....The real Cause is the whole of these antecedents; and we have, philosophically speaking, no right to give the name of causes to one of them exclusively of the others. (Mil43, p214).Back to text
(2): This accident was particularly poignant for computer scientists because Paris Kanellakis of Brown University was killed in the crash with his family. Back to text
(GeLa97): T. Gerdsmeier, P. B. Ladkin and K. Loer, Analysing the Cali Accident With a WB-Graph, at http://www.rvs.uni-bielefeld.de Publications, January 1997. Also to appear in the Proceedings of the Glasgow Workshop on Human Error and Systems Development, March 1997. Back
(GeLa97a): Thorsten Gerdsmeier, Michael Höhl, Peter Ladkin, Karsten Loer, How Aircraft Crash: Accident Reports and Causal Explanation, Article RVS-J-97-02, at http://www.rvs.uni-bielefeld.de Publications (Electronic Journalism), June 1997. Prepared for the Magazine Forschung an der Universität Bielefeld volume 16, University of Bielefeld, 1997 (in German). Back
(LadCOMP): Peter B. Ladkin, ed., Computer-Related Incidents with Commercial Aircraft, compendium of accident reports, commentary and discussion, at http://www.rvs.uni-bielefeld.de Back
(Lew73): David Lewis, Causation, Journal of Philosophy 70, 1973, 556-567. Also in (SoTo93), 193-204. Back
(Lew86): David Lewis, Causal Explanation, in Philosophical Papers, ii, Oxford University Press, 1986, 214-240. Also in (Rub93), 182-206. Back
(Mil43): John Stuart Mill, A System of Logic, 8th edn., 1843; London: Longmans, 1873. Quoted in (Ste97, p214). Back
(PaLa97): E. A. Palmer and P. B. Ladkin, Analysing An `Oops' Incident, in progress, will be available from http://www.rvs.uni-bielefeld.de Back
(Rub93): David-Hillel Ruben, ed., Explanation, Oxford Readings in Philosophy Series, Oxford University Press, 1993. Back
(SoTo93): Ernest Sosa and Michael Tooley, eds., Causation, Oxford Readings in Philosophy Series, Oxford University Press, 1993. Back
The Ontology of Mind: Events, States and Processes,
Oxford, Clarendon Press, 1997.
Appendix: The Logical Semantics of Causal Explanation
[This Appendix is taken verbatim from (GeLa97a)]
The WB-Graph method is based on a formal semantics for causality introduced by the philosophical logician David Lewis of Princeton University (Lew73, Lew86).
Roughly speaking, the semantics of Lewis for the assertion that A is a causal factor of B, in which A, respectively B, is either an event or state, is that in the nearest possible world in which A did not happen, neither did B. This relies on a notion from formal semantics of `possible world', best illustrated by example. Suppose my office door is open. But it could have been shut. A semanticist can now say: in another possible world, it is shut. A possible world is a way of talking about things that could happen, but didn't. But what about `near' possible worlds? The `nearest' possible world in which my door is shut is one in which my door is shut, air currents around it behave appropriately, sound through it is muffled as it should be, but broadly speaking everything else remains the same. A further-away world would be one in which someone else who is not me is sitting here typing, and an even further-away world is one in which this whole environment is situated in Ghana rather than Germany.
Now, suppose my door shuts. What caused it to shut? I was pushing it shut. The air was still, there was no draft, the only thing moving was the door and it was moving because I was pushing it shut. Intuitively, my actions caused the door to shut. How do I know this from the formal semantics? In the nearest possible world in which I didn't push the door, did the door shut? We have already supposed that nothing else was moving, no air drafts, no other person in the vicinity, so in the nearest world these would also be the case. It could be that all the molecules in the door moved the same way at the same time, so the door spontaneously shut - but this situation is so highly improbable as to be almost unthinkable, so could it be really the nearest such world? No. In the nearest world, everything behaved the same way, except that I didn't push the door. So it didn't shut. So according to my formal semantics, my action caused the door to shut.
This formal semantical test is particularly important in circumstances in which many causal factors conjoin to make something happen, which is by far the most usual case. The simple semantics asks a question of two events, or states, at a time, and by asking the question systematically of all pairs, pair by pair, a complex WB-graph may be systematically built.
Back to Text
Back to top
|Copyright © 1999 Peter B. Ladkin, 1999-02-08|
by Michael Blume