The Munich Incident
Agnar Darri Sverrisson
SYST 660
Summary
• An airplane (B777) is coming in for landing using an automatic approach and Autoland
  • CAT I in operation
• At 50 ft AGL, the airplane starts to bank (3.5° to the left)
• The left landing gear touches the runway
  • This deactivates the go-around button (TO/GA)
• The airplane touches down on all landing gear and veers left off the runway
• The pilots apply rudder pedal force, deactivating the autopilot
• The airplane crosses the runway from left to right
• It comes to a full stop parallel to the runway
• No fatalities, injuries, or damage to the airplane
List of Systems
1. Runway
  • Distance, width, orientation, altitude ASL, location.
2. Localizer Antenna
  • Range, location, signal strength, error declaration time.
3. Departing traffic
  • Departure time, weight, take-off starting point, location, SOPs, crew, communication links, human operators, human intervention, TO/GA.
4. Arriving traffic
  • Arrival time, weight, Autoland, Autopilot, SOPs, human operators, communication links, human intervention, TO/GA.
5. Air Traffic Control
  • SOPs, communication links, human operators, human intervention.
6. Weather
  • Humidity, temperature, dewpoint, ceiling, visibility, wind conditions.
Every subsystem that is bolded had an effect on the Munich incident.
Operational Concept Diagram
Scenario – Operation Context (Arriving Airplane)
• The flight had been going well
  • 147 Pax, 13 flight attendants, 2 pilots
• The co-pilot was the pilot flying until they heard the latest weather report from Munich
  • Visibility 2000 m and cloud base 300 feet (CAT I)
• The PIC decided to assume the role of pilot flying, as the operator's SOP required
  • The co-pilot became Pilot Monitoring
• The PIC decided to conduct an automatic approach and Autoland
  • To practice their approach and landings for when CAT III is in operation
• Pilots must be ready to initiate a go-around procedure if anything goes wrong when attempting this
  • Depends on (follows) the signal from the localizer antenna
• The crew receives the latest wind information and is cleared to land on runway 08R
Scenario – Operation Context (Munich Airport)
• There had been renovations at Munich Airport
  • The localizer antenna for landing direction 08R was moved from 350 m beyond the runway threshold 26L to 1,000 m
  • This allows bigger airplanes to take off and land on that runway
Scenario – Operation Context (ATC)
• Air traffic controllers were under a high workload
  • Due to CAT II/III operations the same morning
• Delays resulted in an increased departure rate in combination with approaches on runway 08R
• ATC was forced to work at the edge of the separation minimum
  • One runway length (minimum)
  • To get the traffic situation back to normal
Scenario – Triggering Event
• ATC clears a heavy aircraft for departure, entering runway 08R from taxiway B4
  • To save time
• At this time the B777 is 3.4 NM from runway 08R.
Event Sequence #1
• Effect on Automation
  • Autopilot Localizer mode remained engaged even though the localizer signal was disrupted
  • The localizer far-field monitor and near-field monitor did not indicate a failed localizer signal.
• Inappropriate Automation Command
  • The autopilot followed the disrupted localizer signal, which showed the runway center-line to the left of the runway
• Inappropriate “Plant” (e.g. aircraft) Trajectory/Energy
  • When the B777 was about 50 feet above runway 08R in the flare phase, the airplane slowly started to bank left up to 3.5°.
Event Sequence #2
• Effect on Automation
  • About 420 m beyond the runway threshold the airplane touched down with the left main landing gear at 132 kt (at that time the Auto Flight System switched to rollout mode)
  • Rollout mode disables the TO/GA switches located on the throttle levers; the switches no longer work
• Inappropriate Automation Command
  • The autopilot continues to veer to the left
• Inappropriate “Plant” (e.g. aircraft) Trajectory/Energy
  • The airplane rolls out to the left of the runway.
Event Sequence #3
• Sensor Discrepancy and/or Pilot Entries
  • When the pilot in command noticed that the airplane was banking to the left, he tried to initiate a go-around procedure by pushing the TO/GA buttons
  • The autopilot did not respond.
• Effect on Automation
  • None
• Inappropriate Automation Command
  • The autopilot continues to veer to the left
• Inappropriate “Plant” (e.g. aircraft) Trajectory/Energy
  • The airplane rolls out to the left of the runway.
Event Sequence #4
• Sensor Discrepancy and/or Pilot Entries
  • Pilots use the rudder pedals to steer the aircraft back onto the runway.
  • Pilots do not disengage the autopilot.
• Effect on Automation
  • The autopilot remains engaged in rollout mode
• Inappropriate Automation Command
  • The autopilot continues to veer to the left
• Inappropriate “Plant” (e.g. aircraft) Trajectory/Energy
  • The airplane rolls out to the left of the runway.
  • The autopilot was still engaged as the airplane moved towards the left runway edge and veered off the runway at 123 kt about 944 m beyond the threshold, in the area of taxiway B4.
  • The airplane rolled through the grass north of runway 08R for about 400 meters.
Event Sequence #5
• Sensor Discrepancy and/or Pilot Entries
  • Pilots use the rudder pedals to steer the aircraft back onto the runway with a force greater than XXXX lbs
• Effect on Automation
  • Pilot rudder pedal force causes the autopilot to disengage
  • Due to the pilots' inputs via the rudder pedals, the autopilot disengaged
• Inappropriate Automation Command
  • The aircraft now follows the pilots' rudder pedal commands
• Inappropriate “Plant” (e.g. aircraft) Trajectory/Energy
  • Resulting in a 40° right turn, re-entering the runway close to the intersection with taxiway B6 (about 1,566 meters beyond the threshold).
  • The aircraft crossed the runway (120° heading at 71 kt), then veered off the runway again (south of runway 08R), turned left by about 40°, and came to a full stop in the grass south of and parallel to runway 08R.
Human Operator Intervention Opportunities
• Event Sequence #1 (localizer signal disrupted)
  • Nothing that the pilots could have done
  • Possibly notice sooner that the aircraft was banking and initiate the TO/GA
• Event Sequence #2 (left main landing gear touches down)
  • Pilots could possibly have disengaged the autopilot and steered the aircraft back to the runway center line
• Event Sequence #3 (pilots try to initiate a TO/GA procedure)
  • No feedback from the system that the TO/GA is inactive
  • This confuses the pilots
  • At this time the pilots could possibly have disengaged the autopilot and steered the aircraft back to the runway center line
Human Operator Intervention Opportunities
• Event Sequence #4 (pilots use rudder pedals to try to steer the airplane)
  • The autopilot is still engaged in rollout mode
  • By that time the pilots should have disengaged the autopilot and steered the airplane back onto the runway
• Event Sequence #5 (pilots disengage the autopilot with rudder pedal force)
  • If the pilots had disengaged the autopilot by pushing a button, it is much more likely that they would not have overshot the runway and run off the other side
How can we prevent/reduce the risk of similar accidents?
• Better communication
  • Put a new rule in the pilots' SOP
  • Pilots who are about to conduct an automatic approach and Autoland must report it to ATC before reaching a certain point, X nautical miles from the runway threshold
• Better automation system feedback
  • The TO/GA button was inactive when the pilots tried to push it
  • They didn't know it was inactive, which confused them
  • All TO/GA buttons should have an LED indication that shows whether they are active or inactive
    • Green light = active
    • Red light = inactive
Lessons Learned - Discussion
• Things for operators to look out for (and for designers to avoid):
1. Peer systems, operating in a system-of-systems, can have incompatible SOPs
  • There is typically no over-arching body (i.e. oversight) to check the compatibility of SOPs
2. “Make operators supervisors” SOP procedures that say it is OK to perform a procedure as long as the pilot monitors and intervenes when the automation does something inappropriate
  • How much time does the operator have?
  • How subtle is the indication?
3. Monitoring equipment failure criteria (e.g. localizer signal monitors) that have longer “monitoring time thresholds” than the time the plant/vehicle dynamics need to enter an unsafe energy state/trajectory
4. Moded input devices (e.g. switches, knobs, levers) that change the way they behave (e.g. become disabled) based on context/situation
  • Is there any direct, visual indication that their “mode” has changed?
5. Startle disengagement: requiring the operator to disengage automation (or perform other complex tasks) when startled/surprised.
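As an added illustration (not part of this deck, and not Boeing or BFU material), the following Python model replays event sequences #2 to #5 as a small mode state machine. It shows the two design points discussed above together: a moded input (lesson 4), where pressing TO/GA is silently ignored once the Auto Flight System is in rollout mode, and the green/red indication proposed on the “Better automation system feedback” slide, modelled by the `has_toga_indicator` flag. The class and mode names, the simplified go-around, and the pedal-force threshold are assumptions; the real threshold is elided on the slide as XXXX lbs, so `PEDAL_DISENGAGE_FORCE_LBS` is an obvious placeholder.

```python
from dataclasses import dataclass, field
from enum import Enum

# Hypothetical threshold. The deck elides the real figure ("XXXX lbs"),
# so this value is a placeholder used only to make the model runnable.
PEDAL_DISENGAGE_FORCE_LBS = 100.0


class AfsMode(Enum):
    """Auto Flight System modes in the order the incident narrative uses them (assumed names)."""
    APPROACH = "approach"   # autopilot tracking the localizer signal
    FLARE = "flare"         # from about 50 ft AGL down to touchdown
    ROLLOUT = "rollout"     # after main-gear touchdown; TO/GA switches disabled


class TogaIndication(Enum):
    GREEN = "active"        # proposed: pressing TO/GA will be honoured
    RED = "inactive"        # proposed: TO/GA is disabled in the current mode
    NONE = "no indication"  # as-flown: the switch gives the crew no feedback


@dataclass
class AutoFlightSystem:
    mode: AfsMode = AfsMode.APPROACH
    autopilot_engaged: bool = True
    has_toga_indicator: bool = False   # False models the design described in the deck
    log: list = field(default_factory=list)

    def toga_available(self) -> bool:
        """TO/GA is honoured only while the autopilot is engaged and not in rollout."""
        return self.autopilot_engaged and self.mode != AfsMode.ROLLOUT

    def toga_indication(self) -> TogaIndication:
        """What the crew can see on the switch before they press it."""
        if not self.has_toga_indicator:
            return TogaIndication.NONE
        return TogaIndication.GREEN if self.toga_available() else TogaIndication.RED

    def enter_flare(self) -> None:
        self.mode = AfsMode.FLARE
        self.log.append("flare mode")

    def main_gear_touchdown(self) -> None:
        # Touchdown switches the AFS to rollout mode, which silently disables TO/GA.
        self.mode = AfsMode.ROLLOUT
        self.log.append("rollout mode: TO/GA switches disabled")

    def press_toga(self) -> str:
        """Returns 'go-around' if the command was honoured, 'ignored' otherwise."""
        if self.toga_available():
            self.mode = AfsMode.APPROACH   # simplified: the climb-out is not modelled
            self.log.append("TO/GA honoured: go-around")
            return "go-around"
        self.log.append(f"TO/GA ignored ({self.toga_indication().value})")
        return "ignored"

    def apply_rudder_pedal_force(self, force_lbs: float) -> bool:
        """Pedal force above the threshold disengages the autopilot; returns engaged state."""
        if self.autopilot_engaged and force_lbs > PEDAL_DISENGAGE_FORCE_LBS:
            self.autopilot_engaged = False
            self.log.append(f"autopilot disengaged by {force_lbs:.0f} lb pedal force")
        return self.autopilot_engaged

    def press_disengage_button(self) -> None:
        """The deliberate disengagement the deck says the crew should have used."""
        self.autopilot_engaged = False
        self.log.append("autopilot disengaged by button")


def replay_incident(with_indicator: bool) -> dict:
    """Walk event sequences #1-#5 and record what the crew would have seen."""
    afs = AutoFlightSystem(has_toga_indicator=with_indicator)
    afs.enter_flare()                 # #1: ~50 ft AGL, aircraft begins to bank left
    afs.main_gear_touchdown()         # #2: left main gear touches, rollout mode
    seen = afs.toga_indication()      # #3: what the switch shows before the press
    toga = afs.press_toga()           # #3: TO/GA pressed, autopilot does not respond
    light = afs.apply_rudder_pedal_force(PEDAL_DISENGAGE_FORCE_LBS / 2)   # #4
    heavy = afs.apply_rudder_pedal_force(PEDAL_DISENGAGE_FORCE_LBS * 2)   # #5
    return {
        "indication_before_toga": seen.value,
        "toga_result": toga,
        "engaged_after_light_pedal": light,
        "engaged_after_heavy_pedal": heavy,
        "log": afs.log,
    }


def replay_with_button_disengage() -> str:
    """Alternative: the crew reads the red light at #3 and disengages by button."""
    afs = AutoFlightSystem(has_toga_indicator=True)
    afs.enter_flare()
    afs.main_gear_touchdown()
    if afs.toga_indication() is TogaIndication.RED:
        afs.press_disengage_button()
    return "manual control" if not afs.autopilot_engaged else "autopilot still engaged"


if __name__ == "__main__":
    for fitted in (False, True):
        print(f"indicator fitted: {fitted}", replay_incident(fitted))
    print(replay_with_button_disengage())
```

Running the as-flown configuration (`with_indicator=False`) reproduces the deck's sequence: the TO/GA press is ignored with no indication, light pedal force leaves the autopilot engaged, and only the heavy input disengages it. With the indicator fitted the press is still ignored, because the mode logic is unchanged, but the crew has a visible cue that the button is inactive before they press it, which is the point of the proposed fix.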
Questions ? Thoughts ?