App 4a NLR 13 2008 646

UNCLASSIFIED Nationaal Lucht- en Ruimtevaartlaboratorium
National Aerospace Laboratory NLR
Executive summary
Quantification of Event Sequence Diagrams for a causal risk

model of commercial air transport
Report no.
NLR-CR-2008-646
Problem area different end states. Each path
The Netherlands Ministry of through the flowchart is a scenario. Author(s)
Transport has initiated a research Along each path, pivotal events are A.L.C. Roelen
effort to develop a causal model for identified as either occurring or not B.A. van Doorn
aviation safety. The objective of the occurring. The event sequence starts J.W. Smeltink
model is to represent the causes of with an initiating event such as a M.J. Verbeek
air transport accidents and the perturbation that requires some kind R. Wever
safeguards that are in place to of response from operators or pilots
Report classification
prevent them. The proposed risk or one or more systems. UNCLASSIFIED
model architecture introduces a Intentionally, the building blocks of
hybrid causal model of event the scenarios are kept broad and Date
sequence diagrams, fault trees and generic to cover many ‘similar’ October 2008
Bayesian belief networks. In a situations. The event sequence
previous study, generic accident diagram provides a qualitative Knowledge area(s)
scenarios that form the upper layer description of the scenarios. It is Safety & Security
of the two integrated risk models quantified by assessing the Flight Operations
have been developed. Event probability of occurrence of each of
Descriptor(s)
sequence diagrams are used to the different pathways. Probabilities
safety
represent these accident scenarios. of occurrence initiating events, risk modelling
The combined set of accident pivotal events and end states are air transport
scenarios provides a similar estimated from historical data. The
‘backbone’ for the model data sample was limited to
development efforts. The current commercial air transport with
study is aimed at quantifying these ‘western built’ aircraft heavier than
previously developed event 5,700 kg maximum take-off weight.
sequence diagrams by expressing Only fixed wing aircraft are
the probability of occurrence of the considered. The NLR Air Safety
various accident scenarios as a Database was used as a primary
function of the probability of source of data, details of the data
occurrence of the initiating events. sources are provided in the
appendix. The general approach
Description of work was to quantify the probability of
An event sequence diagram is a occurrence of the end states from
flowchart with paths leading to accident data, where the probability
UNCLASSIFIED
UNCLASSIFIED Quantification of Event Sequence Diagrams for a causal risk model of
commercial air transport
of occurrence of the initiating presented in this report is an

events was determined from extension of the work described in
‘occurrence data’ such as an [Roelen et al 2006].
airline’s occurrence reporting
system. Conditional probabilities of Applicability
pivotal events where then calculated The causal models of which the
from the initiating event and end event sequence diagrams are the
state probabilities. backbone are intended to be used
for improving understanding of the
Results and conclusions causes of air transport accidents,
For each event sequence diagram, identifying areas where
this report provides a definition of improvements could be made to the
the initiating events, pivotal event technical and managerial safeguards
and end states as well as an against accidents, and quantifying
estimation of their (conditional) the risk implications of alternative
probability of occurrence. Pivotal technical and managerial changes,
event probabilities are presented as allowing evaluation of their cost-
conditional probabilities, whereas effectiveness. In this respect it is
initiating events and end state important that the numerical
probabilities are described as estimates derived in this report
absolute probabilities, i.e. apply to ‘average’ world-wide
probability of occurrence per flight. commercial air transport. For
All probabilities are provided as particular applications of the model,
point estimates. During the it may be necessary to derive
qualitative and quantitative probability estimates that take into
development of the event sequence account local effects.
diagrams several assumptions have
been adopted. These are explicitly
stated in the report. The work
Nationaal Lucht- en Ruimtevaartlaboratorium, National Aerospace Laboratory NLR
Anthony Fokkerweg 2, 1059 CM Amsterdam,

P.O. Box 90502, 1006 BM Amsterdam, The Netherlands
UNCLASSIFIED Telephone +31 20 511 31 13, Fax +31 20 511 32 10, Web site: www.nlr.nl
Nationaal Lucht- en Ruimtevaartlaboratorium
National Aerospace Laboratory NLR
NLR-CR-2008-646
Quantification of Event Sequence Diagrams for a

causal risk model of commercial air transport
A.L.C. Roelen, B.A. van Doorn, J.W. Smeltink, M.J. Verbeek and
R. Wever
No part of this report may be reproduced and/or disclosed, in any form or by any means without the prior
written permission of the owner.
Customer Minitry of Transport

Contract number Ra-05.041/DGL 5.50.2.4019
Owner Ministry of Transport
Division NLR Air Transport
Distribution Limited
Classification of title Unclassified
October 2008
Approved by:
Author Reviewer Managing department
NLR-CR-2008-646
Contents
1 Introduction 11
1.1 Background 11
1.2 Objective 11
1.3 Research approach 11
1.4 Acknowledgements 12
1.5 Contents of this report 12
2 Event Sequence Diagrams 13

2.1 General theory 13
2.2 Quantification 15
2.3 Numerical accuracy 17
2.4 Changes relative to initial set of ESDs 18
2.5 Assumptions 19
3 ESD1 - Aircraft system failure 21

3.1 Definitions 21
4 ESD 2 – ATC event 25

4.1 Definitions 25
5 ESD 3 – Aircraft handling by flight crew inappropriate 31

5.1 Definitions 31
6 ESD4 - Aircraft directional control related system failure 36

6.1 Definitions 36
7 ESD5 – Incorrect configuration 41

7.1 Definitions 41
7.2.1 Data sources 45
7.2.2 Results 45
4
NLR-CR-2008-646
7.3 Summary of results 47
8 ESD6 - Aircraft takes off with contaminated wing 50

8.1 Definitions 50
8.2.2 Discussion 54
8.2.3 Quantification results 54
9 ESD 7 – Aircraft weight and balance outside limits during take-off 56

9.1 Definitions 56
10 ESD 8 – Aircraft encounters a performance decreasing wind shear after rotation 61

10.1 Definitions 61
11 ESD9 - Single engine failure during take-off 67

11.1 Definitions 67
12 ESD10 - Pitch control problems 71

12.1 Definitions 71
13 ESD11 - Fire onboard aircraft 78

13.1 Definitions 78
14 ESD12 - Flight crew spatially disoriented 82

14.1 Definitions 82
14.2.2 Summary 87
15 ESD13 - Flight control system failure 89

15.1 Definitions 89
5
NLR-CR-2008-646
16 ESD14 - Flight crew incapacitation 92

16.1 Definitions 92
16.2.2 Results 93
17 ESD15 - Anti-ice/de-ice system not operating 99

17.1 Definitions 99
17.3 Results 103
18 ESD16 - Flight instrument failure 104

18.1 Definitions 104
19 ESD17 - Aircraft encounters adverse weather 107

20 ESD18 - Single engine failure in flight 110

21 ESD19 - Unstable approach 113

22 ESD 21 – Aircraft weight and balance outside limits during approach 118
23 ESD23 - Aircraft encounters wind shear during approach 121

23.2.2 Results 124
23.2.3 Discussion 128
23.3 Summary of results 128
6
NLR-CR-2008-646
24 ESD25 – Aircraft handling by flight crew during flare inappropriate 132

25 ESD26 - Aircraft handling by flight crew during landing roll inappropriate 136
26 ESD27 - Aircraft directional control related system failure during landing 139
27 ESD28 - Single engine failure during landing 141

28 ESD29 - Thrust reverser failure 144

29 ESD30 - Aircraft encounters unexpected wind 148

30 ESD31 - Aircraft are positioned on collision course 151

31 ESD32 - Incorrect presence on runway in use 156

32 ESD 33 – Cracks in aircraft pressure cabin 161

33 ESD35 - Flight crew decision error/operation of equipment error (CFIT) 164

7
NLR-CR-2008-646
34 ESD 36 Collision on taxiway/apron 170

35 ESD 37 Wake vortex encounter 174

References 179
Appendix A Description of data sources 183
8
NLR-CR-2008-646
Abbreviations
ACAS Airborne Collision Avoidance System

AIDS Accident and Incident Database System
ASAP Aviation safety Action Program
ASR Air Safety Report
ASRS Aviation Safety Reporting System
ATA Air Transport Association of America
ATC Air Traffic Control
CAA Civil Aviation Authority
CFIT Controlled Flight Into Terrain
CRM Crew Resource Management
ECAC European Civil Aviation Conference
EGPWS Enhanced Ground Proximity Warning System
ESD Event Sequence Diagram
FAA Federal Aviation Administration
GPWS Ground Proximity Warning System
IATA International Air Transport Association
ICAO International Civil Aviation Organization
ILS Instrument Landing System
MOR Mandatory Occurrence Report
MTOW Maximum Take-Off Weight
NTSB National Transportation Safety Board
P Probability
RTO Rejected Take-Off
SDR Service Difficulty Report
SOP Standard Operating Procedure
STCA Short Term Conflict Alerting System
TAWS Terrain Avoidance Warning System
TCAS Traffic Collision Avoidance System
V1 Take-off decision speed
Vref Reference speed
9
NLR-CR-2008-646
This page is internationally left blank.
10
NLR-CR-2008-646
1 Introduction
1.1 Background
The Netherlands Ministry of Transport has initiated a research effort to develop a causal model
for aviation safety [Ale et al 2005]. The purpose of the model is to describe the air traffic system
and its safety functions in such a way that it is possible to analyze risk reduction alternatives and
that it will serve as a means of communication between experts and managers within the
industry. The model being developed in the Netherlands combines Event Sequence Diagrams,
Fault Trees and Bayesian Belief Nets into a single structure.
The causal model uses a backbone structure of generic accident scenarios. In a previous study
[Roelen and Wever 2005] those generic accident scenarios that form the upper layer of the
integrated risk model have been developed. Main accident types have been defined based on the
ICAO definition of an accident, in order to systematically develop accident scenarios: abrupt
manoeuvre, cabin environment, uncontrolled collision with ground, controlled flight into
terrain, forced landing, mid-air collision, collision on ground, structure overload and
fire/explosion. The accident scenarios are grouped by accident type and different flight phases.
The Event Sequence Diagram (ESD) methodology is used for representing accident scenarios.
In [Roelen and Wever 2005] 35 generic accident scenarios have been developed based on a
combination of retrospective analyses and prospective analyses. These scenarios describe
qualitatively the sequence of events at a high level of abstraction. The high level of abstraction
is required to make the scenarios easy to understand for users and to keep the model transparent
and simple at the top layer of the integrated risk model.
The work presented in this report is an extension of the work described in [Roelen et al 2006].
Event Sequence Diagrams for ‘collision on taxiway/ apron’ and ‘wake vortex encounter’ were
added.
1.2 Objective
The current study is aimed at quantification of the set of Event Sequence Diagrams that were
developed and described in [Roelen and Wever 2005].
1.3 Research approach

The scope was limited to commercial air transport with ‘western-built’ aircraft heavier than
5,700 kg. There are no geographical restrictions. Only fixed wing aircraft are considered. The
NLR Air Safety database was used as a primary source of data. Appendix A provides an
overview of the types of data collected in this database. The general approach was to quantify
the probability of occurrence of the end states from accident data, where the probability of
11
NLR-CR-2008-646
occurrence of the initiating events was determined from ‘occurrence data’ such as an airline’s
occurrence reporting system. Some of this occurrence data is confidential. Conditional
probabilities of pivotal events where then calculated from the initial event and end state
probabilities.
Airclaims and ADREP were the primary accident data sources. The time period considered was
1990-2003. This period provided a dataset that is large enough for quantification and is
considered representative for ‘current’ air transport. When only Airclaims was used the time
period was slightly expanded to 1985 - 2005 to provide a larger data sample. Because of the size
of most databases involved, much of the initial analysis was done by running queries, e.g.
looking for particular key words. Each incident in the resulting dataset was then individually
analyzed to verify whether it ‘fitted’ the particular ESD under consideration.
The primary source of data for quantification of the probability of occurrence of the initiating
event are the databases of Service Difficulty Reports and Air Safety Reports (see App. A) but
sometimes other sources of data were used if these were considered to be more accurate.
1.4 Acknowledgements
The authors are indebted to jennelle Derrickson (FAA – William J. Hughes Technical Centre)
and Rob van der Boom (Netherlands Ministry of Transport) for overall monitoring and co-
ordination. Many thanks also to Ali Mosleh (University of Maryland) and Linda Bellamy
(White Queen) who provided comments and ideas for this research. Fred Leonelli, Tommy
McFall, Richard C. Berg and Harold Donner (all of FJLeonelli Group) provided a much
appreciated review of the first set of ESDs.
1.5 Contents of this report

Chapter 2 of this report provides a general description of Event Sequence Diagrams. In the next
chapter, each Event Sequence Diagram is individually described and quantified. Definitions of
each of the initiating events, pivotal events and end states are provided, and the (conditional)
probabilities are derived. A description of the data sources is provided in appendix A.
12
NLR-CR-2008-646
2 Event Sequence Diagrams
2.1 General theory

An Event Sequence Diagram (Fig. 1) is a flowchart with paths leading to different end states.
Each path through the flowchart is a scenario. Along each path, pivotal events are identified as
either occurring or not occurring. The event sequence starts with an initiating event such as a
perturbation that requires some kind of response from operators or pilots or one or more systems
[Stamatelatos et al. 2002].
Initiating Pivotal YES Pivotal YES End

event event event state
NO NO
End
state
End
state
Fig. 1 Event Sequence Diagram
Conditional operators can be included to represent different outcomes depending on whether the
condition is met or not. Figure 2 and figure 3 show types of events and conditions in an ESD
and their iconic representation.
Intentionally, the building blocks of the scenarios are kept broad and generic to cover many
‘similar’ situations. The detailed specific or possible causes or contributing factors of these
events are not directly of interest at the scenario level. They are added, when such details are
necessary, through other layers of the model, such as Fault Trees of Bayesian Belief Nets. Event
Sequence Diagrams are often combined with fault trees. In practice, Event Sequence Diagrams
are typically used to portray progression of events over time, while fault trees best represent the
logic corresponding to failure of complex systems [Stamatelatos et al. 2002]. Fault trees are
used to model initial and pivotal events in Event Sequence Diagrams in sufficient detail. The
initiating and pivotal events in the Event Sequence Diagram are the top events in the fault trees.
13
NLR-CR-2008-646
Only active events are put in the accident sequence. Latent events are dealt with in the Fault
Trees and Bayesian Belief Nets. This is done to limit the size of the accident scenarios and to
make them easier to understand. Furthermore, latent failures are often ‘common mode’ and/or
‘soft’ causal relations, which can be better expressed in influence diagrams rather than ESDs.
Initiating event: The first event in an

ESD which initiates a sequence of
events terminating in an end state
Pivotal event: An event which has

YES two outcomes, typically ‘yes’ and
‘no’, corresponding to event
occurrence and non-occurrence.
NO
End state: It is the terminating point

of an ESD scenario. An ESD can
have multiple end states.
Comment box: Used for providing

information regarding the
development of the accident
sequence.
Fig. 2 Types of events in an ESD and their iconic representation
Time condition: Represents a

YES condition of the form a < t < b. Leads
to two outcomes depending on
whether the condition is met or not.
NO
Physical variable condition:
YES Represents a condition of the form
a < p < b. Leads to two outcomes
depending on whether the condition
NO is met or not.
Fig. 3 Types of conditions in an ESD and their iconic representation
14
NLR-CR-2008-646
2.2 Quantification
The objectives of the risk model require that the model can be used for probabilistic risk
assessments. The probability of occurrence of the various accident scenarios must be expressed
as a function of the initiating events. The event sequence diagram provides the qualitative
description of the scenarios. It is quantified by assessing the probability of occurrence of each of
the different pathways.
An event sequence diagram is comparable to a river that starts big and then braches off into
smaller arms, eventually ending up in the sea. The total amount of water that passes through at
the beginning is equal to the amount that eventually flows into the sea. The difference between
the ESD and the river is that instead of water, probabilities flow through the ESD.
There are basically three different ways of describing how big the river and its individual
branches are.
1) We can describe the total amount of water in absolute terms for each part of the river. In the
ESD this means that all probabilities are expressed as absolute probabilities (see Fig. 4).
2) We can normalize each branch of the river by the size of the river at the beginning. The
quantities at the end all add up to one (see Fig. 5).
3) For each individual branch point, we can describe the relative distribution of the flow among
the different braches. The quantities at each individual pivotal point add up to one. In the ESD
this means that all probabilities are expressed as probability of occurrence conditional to the
preceding pivotal event (see Fig. 6).
From the point of view of accuracy and completeness, the three different ways are equal. There
are practical reasons why it could be more appropriate to use one way instead of another. Three
different criteria are important for determining the most practical representation:
• Communication with experts and non- experts
• Retrieving numbers from existing datasets
• Configuration control of the ESD
Option 1 is a good option if the numbers in itself make sense. It provides an immediate picture
on the overall size of the ‘river’ (or ESD) and can be compared to other ‘rivers’ (ESDs), for
instance for comparing probabilities of end states. Option 2 is suitable to assess the individual
ESD at a glance. Because all numbers are normalised to the size of the river (or the probability
of the initiating event) the probabilities will usually not be very small, and this way of
15
NLR-CR-2008-646
expressing provides a good overall picture and allows easy comparison of the sizes of the
different branches. Absolute probabilities can be calculated by multiplying with the probability
of occurrence of the initiating event. Option 3 has big advantages for configuration control of
the ESDs. If changes are made upstream or downstream, the relative distribution for each
branch point is unaffected. Calculation is also straightforward; the probability of occurrence is
calculated by multiplying the probability of occurrence of the initiation events with the
conditional probabilities along its respective branch points.
In retrieving numbers from datasets, in practice we often use combinations of options 1, 2 and 3,
so from that point of view there is no real preference. Absolute probabilities are calculated by
multiplying with the probability of the initiating event and all relative probabilities of all
preceding branches.
In this report, all probabilities are calculated according to the system in figure 6. The numbers at
the pivotal events represent conditional probabilities. Numbers at the initiating event and the
end states are absolute probabilities. The sum of the probabilities of the end states is equal to the
probability of the initiating event. At each pivotal event, the conditional probabilities add up to
1.
Fig. 4 ESD quantification, absolute probabilities
16
NLR-CR-2008-646
Fig. 5 ESD quantification, normalised probabilities
2.20·10-4
8.80·10-5
0.8 0.5
A B C E
0.2 8.80·10-5
yes
0.5
no F
4.18·10-5
0.95
D G
2.20·10-6
0.05
H
Fig. 6 ESD quantification, conditional probabilities
2.3 Numerical accuracy

All quantitative data in this report are provided as point estimates. The authors are keenly aware
of the fact that many calculations are based on relatively small datasets, and some numbers will
have large bands of uncertainty. For reasons of consistency, all probabilities in this report are
displayed as numbers with two decimal places. This may create an illusion of numerical
accuracy.
17
NLR-CR-2008-646
2.4 Changes relative to initial set of ESDs

After the first ESD report [Roelen and Wever 2005] was released, several changes have been
made to the original set of ESDs. Most of these changes were made as a result of an effort to
integrate all ESDs in a single master logic diagram [Bellamy and Roelen 2006].
In comparison with the set of ESDs described in [Roelen and Wever 2005] the following
changes have been made:
ESD 11 - Fire onboard aircraft

The original ESD ‘fire onboard aircraft’ had 3 possible pathways out of the pivotal events
‘flight crew fails to detect smoke/fire’ and ‘flight crew fails to extinguish fire’. These 3 possible
pathways are ‘flight control system failure’, ‘aircraft structural failure’ and ‘flight crew
incapacitation’. In the current version of the ESD this distinction has been abandoned. The
investigation after fatal fire accidents (such as the Swissair 111 accident and the Concorde
accident) often fails to determine the exact reason of the loss of control. Quantification of the
relative frequency of occurrence of the three possible pathways is therefore speculative.
Because in the original ESD the sequence following the three pivotal events ‘flight control
system failure’, ‘aircraft structural failure’ and ‘flight crew incapacitation’ was similar in all
three cases, the distinction was considered less relevant. An added advantage of the new ESD is
that it is consistent with common practice of Event Sequence Diagram logic. The original ESD
had 3 possible ‘yes’ pathways out of the pivotal events ‘flight crew fails to detect smoke/fire’
and ‘flight crew fails to extinguish fire’. It is more conventional to have only two possible
pathways, one for ‘yes’ and one for ‘no’.
ESD 13 and 22 Flight control system failure.

In the original set of ESDs there were two similar ESDs related to the initiating event flight
control system failure. The only difference between the two ESDs was the flight phase they
represented. Because most other ESDs represent event sequences that can occur in more than
one flight phase, it was deemed unnecessary to have two separate ESDs only for this specific
initiating event. ESD 13 and ESD 22 were integrated into a single ESD 13. ESD 22 has been
deleted.
ESD 15 Anti-ice/de-ice system not operating

The initiating event of this ESD has been replaced by ‘ice accretion on the aircraft’, which was
the first pivotal event in the original ESD 15. The original initiating event ignores the fact that
ice build-up may occur even when the anti-ice / de-ice system is operational. It is also slightly
confusing because even if the anti-ice / de-ice system is not operational, ice accretion will only
occur if the aircraft flies in icing conditions. By replacing it with the new pivotal event ‘ice
18
NLR-CR-2008-646
accretion on aircraft’ these problems were solved. The remainder of the ESD is similar to the
original ESD.
ESD 17 Aircraft encounters adverse weather, ESD 34 Aircraft encounters unexpected wind and
ESD 36 Aircraft encounters turbulence.
These three ESDs have been integrated into a single ESD 17 ‘aircraft encounters adverse
weather’. The reason for integration is that the original three ESDs describe occurrences that are
very similar and are easily represented in a single ESD. By folding the three ESDs into a single
Event Sequence Diagram, a lot of potential confusion on which occurrence should be classified
to which ESD has been removed. The logic has not been changed.
ESD 19 Unstable approach, ESD 20 Flight crew fails to execute missed approach according to
missed approach procedures, and ESD 24 Unstable approach.
These ESDs have been integrated into a single new ESD 19 ‘Unstable approach’. Although the
three separate ESDs describe distinctly different scenarios, these are easily combined into a
single ESD. The single ESD is more compact and easier to understand than the 3 original ESDs.
The logic has not been changed.
ESD 25 Aircraft handling by flight crew during flare inappropriate.

The original ESD 25 had a pivotal event ‘failure to achieve maximum braking’ following the
pivotal event ‘aircraft touchdown fast or long’. In the new ESD 25 the pivotal event failure to
achieve maximum braking has been deleted. A long or fast touchdown by definition is
considered to result in a runway overrun, even if maximum braking is achieved.
ESD 33 Cracks in aircraft pressure cabin

The pivotal event ‘failure of maintenance to detect and repair cracks’ has been deleted from the
original ESD. It was the only pivotal event in the entire set of ESDs that described an
occurrence which takes place before the aircraft is pushed back from the gate. All other events
happen somewhere between the gate-to-gate cycle.
2.5 Assumptions
During the qualitative and quantitative development of the event sequence diagrams several
assumptions have been adopted. These assumptions are necessary in order to restrict the
complexity of the model or because of limitations on available data. It is important to recognise
these assumptions and to determine the impact of the assumptions on the model results.
19
NLR-CR-2008-646
The following general assumptions have been made:

• It is assumed that the data samples which are being used for quantification are
representative for the type of air transport at which the risk model is aimed.
• It is assumed that during analysis of the data sample no mistakes have been made by the
analysts, i.e. that all relevant cases in the data sample have been included in the
analysis.
• It is assumed that each occurrence in the data samples can be uniquely and
unambiguously assigned to a particular ESD.
• It is assumed that the data bases which are being used in the analysis are complete, i.e.
that there is no over reporting, underreporting or any other bias in the data bases.
• In cases where no examples of specific accident scenarios are found in the data sample,
it is assumed that the probability of occurrence of that scenario is 0.
• It is assumed that there are no dependencies between the different ESDs.
• It is assumed that events in the ESDs cannot occur ‘partially’, i.e. initiating events and
pivotal events have only ‘yes’ or ‘no’ output pathways.
20
NLR-CR-2008-646
3 ESD1 - Aircraft system failure
3.1 Definitions
Aircraft system failure

The initiating event ‘aircraft system failure’ includes all system failures that could lead to an
aborted take-off, with the exception of engine failures and system failures that can result in
directional control problems. Engine failures and directional control system failures are
addressed in ESD 9 and ESD 4 respectively. Pitch control problems during the take-off roll are
addressed in ESD10.
Flight crew rejects take-off

A rejected take-off is defined as “failure to complete a take-off manoeuvre after take-off power
has been applied”. If, during the take-off run, a situation arises that potentially compromises a
safe take-off and climb, the flight crew may elect to reject the take off. The decision whether or
not to reject the take-off depends on the speed of the aircraft and the amount of runway
remaining. At a certain point, the amount of runway available may not be sufficient to bring the
aircraft to a complete stop. For this reason a decision speed V1 is calculated before each take-
off. The decision speed V1 is the maximum speed at which the take-off can be safely aborted
and the aircraft can be brought to a complete stop at the remaining runway. At a speed below V1
the take-off can be safely rejected, at speeds above V1 the take-off should be continued. Typical
V1 values for large commercial jet aircraft vary from 125 to 160 knots. The actual V1 depends
on aircraft type, aircraft weight, wind, air density, temperature, and runway gradient. Some
21
NLR-CR-2008-646
operators and aircraft manufactures have defined a speed up to which a take-off should be
rejected for all observed failures. At speeds between this speed and the take-off decision speed
V1, the take-off should be rejected only in case of an engine failure and conditions affecting the
safe handling of the aircraft. Different policies exist among the operators regarding these take-
off rejection criteria. The speed up to which a take-off should be rejected for all observed
failures varies between 70-100 knots with a typical value in the order of 80 knots.
V > V1
The event V > V1 describes a situation where the rejected take-off is initiated at a speed higher
than the decision speed V1. The decision speed V1 is the maximum speed at which the take-off
can be safely aborted and the aircraft can be brought to a complete stop at the remaining
runway. At a speed below V1 the take-off can be safely rejected, at speeds above V1 the take-off
should be continued. Typical V1 values for large commercial jet aircraft vary from 125 to 160
knots. The actual V1 depends on aircraft type, aircraft weight, wind, air density, temperature,
and runway gradient.
Failure to achieve maximum braking

Immediately following the decision to reject a take-off, the flight crew must start reducing the
speed of the aircraft. Particularly in the case of a high speed rejected take-off, braking must start
immediately using maximum braking power and all available deceleration devices: the lift-
dumpers (if available) are raised (manually or automatically), the brakes are applied (manually
or automatically), and reverse thrust or propeller reverse is selected (if available). These actions
must be conducted without delay and according to the standard operating procedures (SOP).
Braking performance is strongly influenced by the runway conditions, if the runway is wet or
flooded, or if it is covered with snow, slush or ice, tyre-to-ground friction is significantly
reduced resulting in longer stopping distances.
3.2 Quantification
A data sample of Service Difficulty Reports (see App. A for a description of this sample) was
used to determine the probability of a system failure during take-off and the likelihood of a
rejected take-off in the event of a system failure. The analysis was limited to air carrier
operations from 1985 through 2003. Overall exposure is 216 million flights. Failures of systems
with ATA codes 2710-2722 (aileron and rudder), 3244-3245 (tyre) and 3250-3251 (nose wheel
steering) are not included here, these are dealt with in ESD 4. The results are presented in table
1.
22
NLR-CR-2008-646
Table 1 Conditional probability of rejected take-off given a system failure.

Likelihood of RTO in
Number
System ATA code the event of a system
of SDRs
failure
Flap 2750 – 2752 320 0.5
Drag control 2760 – 2761 255 0.9
3100 – 3110, 3160 – 3197,
Instrument 3412 – 3414, 3416 – 3417, 430 0.8
3420 – 3425
3200 – 3243, 3246, 3252 –
Landing gear 664 0.2
3297
Stall warning 3418 310 0.7
Pneumatic 3600 – 3697 186 0.4
Doors 5200 – 5297 1083 0.7
All 1 ATA codes between
2100 and 6199 or between
Other 7100 and 8097 that are not 2977 0.6
taken into account in the
items listed above.
Total 6225 0.59
The table lists both the number of occurrences of the initial event as well as the conditional
probability of the pivotal event ‘flight crew rejects take-off’ for the various aircraft systems that
are considered. Based on these results, the probability of a system failure during the take-off roll
is estimated at 6225 / 216 milli8on = 2.92·10-5 per flight. Obviously, the conditional probability
of a rejected take-off in the event of a system failure depends on which system fails and ranges
from 0.2 up to 0.9. The average value, taken across all system failures, is 0.59.
To estimate the frequency of occurrence of the end states, a data sample of accidents and
incidents from the Airclaims database was analysed. The sample was restricted to accidents and
incidents involving western-built aircraft heavier than 5,700 kg MTOW in commercial
operations. Data from 1985 through 2005 was used, representing a total of 399 million flights
The data sample contains 4 take-off overrun accidents resulting from system failures and
subsequent take-off rejection. In 3 cases the take-off was aborted at a speed above V1, in 1 case
the take-off was aborted at a speed below V1. There were no veer-off accidents in the data
sample. Based on this data, the probability of an overrun after a system failure and a take-off
abort above V1 is estimated to be 7.50·10-9. The probability of an overrun after a system failure
and a take-off abort below V1 is estimated to be 2.50·10-9.
1
Engine related failures, as well as directional control and pitch control failures are not taken into account. For associated
ATA chapters, see the description of ESD 4 and ESD 9.
23
NLR-CR-2008-646
The conditional probability that the speed is above V1 when a take-off is rejected because of a
system failure is 7.50·10-9 / (2.92·10-5 × 0.59) = 4.35·10-4.
The conditional probability of ‘failure to achieve maximum braking’ in the event of a system
failure and take-off rejection at a speed below V1 is 2.50·10-9 / (2.92·10-5 × 0.59 ×
(1 - 4.35·10-5)) = 1.45·10-4.
24
NLR-CR-2008-646
4 ESD 2 – ATC event
Accident type: uncontrolled collision with ground.

Flight phase: take-off.
Initiating event: Air traffic related event.
Air traffic related Flight crew rejects Runway

event take-off V > V1 overrun
yes Failure to
achieve Runway
no
maximum overrun
braking
Aircraft
stops on
runway
Aircraft
continues
take-off
4.1 Definitions
ATC event
For the purpose of this ESD, an ATC event is defined as any ATC related occurrence which
could result in a decision to reject a take-off, with the exception of runway incursions. Possible
separation infringements with other traffic on the departure runway (runway incursions) are
excluded from this ATC event and are treated separately in ESD 32. Examples of ‘ATC events’
are possible separation infringements with another departure or with a missed approach on
another runway. The problem situation could be caused by the aircraft in take-off (it did not
have a take-off clearance yet) or by ATC (a take-off clearance is given while other traffic
nearby). ATC can give an instruction to abort the take-off or the crew can independently decide
to perform a rejected take-off (RTO). An instruction by ATC to abort the take-off because of the
presence of birds in the vicinity of the runway is also included in this initiating event.

25
NLR-CR-2008-646
V > V1

Runway overrun
A runway overrun is a situation where the aircraft is not able to come to a full stop before
reaching the end of the runway. Occurrences where the aircraft cannot be brought to a halt
before reaching the end of the runway but where flight crew deliberately steer the aircraft off the
side of the runway in order to prevent a collision with obstacles located in line with the runway
26
NLR-CR-2008-646
are also considered to be ‘runway overruns’. The degree of damage is determined by the speed
at which the aircraft leaves the runway and the possible presence of obstacles such as ditches,
fences, approach lights, buildings, etc.
Aircraft continues take-off

There are two situations leading to this end state:
• ATC instructs the crew to reject the take-off but the crew does not comply, e.g. because
they decide that it is not possible any more or because of communication problems;
• During take-off roll, an ATC event occurs but neither ATC nor the crew detects it or reacts
to it..
4.2 Quantification
Air Safety Database

The NLR Air Safety Database contains several sources for RTO related incidents and accidents.
One source is an airline occurrence reporting system with occurrence reports from several
airlines. Only commercial operations with large (>5700 kg MTOW) Western built aircraft are
considered. A search on incidents in the take-off flight phase from 1993 to 2004 (corresponding
with 10.5 million flights) resulted in 416 RTOs in which ATC was a key factor, including
runway incursions. Further study of the first 195 incidents resulted in the following causes for
the RTOs:
• 58 ATC event related;
• 58 runway incursion related;
• 60 of which it is not clear whether it is an ATC event or a runway incursion;
• 19 which are outside the scope (e.g. ATC detects smoke coming out of the engines during
take-off).
Given the fact that there are as many ATC events as runway incursions, it is assumed that the 60
unclear causes can be equally divided over the ATC events and the runway incursions. This
means that for the incidents that are in scope of the “air traffic situation” definition, 50% can be
related to an ATC event and 50% to runway incursions.
Based on this sample, the probability of a RTO, given an ATC event according to the definition
of ESD 2 is 45% of 416 incidents in 10.5 million flights is 1.78·10-5 per flight.
A second sample of the airlines reported incidents focused on those situations during take-off
where no RTO had taken place but the incident was ATC related. Analysis of the first 300
incidents out of a set of 627 showed one incident in which ATC requested a RTO because of a
27
NLR-CR-2008-646
runway incursion but the crew decided not to abort because of the high take-off speed at that
time. Many of the 627 incidents were related to separation infringements in mixed mode 2
runway operations and wake turbulence problems with a preceding take-off. Again, the set
represented 10.5 million flights.
This data suggests that a small percentage (0.5 %) of the ATC events will not result in a rejected
take-off. Therefore it is assumed that the probability of the ATC event equals
1.78·10-5 / 9.95·10-1 = 1.79·10-5 per take-off.
RTO with V>V1 and runway overruns

In [Roelen & Wever, 2004] the take-off overrun probability is given based on historical data. A
distinction is made between different aircraft generations:
Table 2 Probability of a take-off overrun per flight for the different aircraft generations
Take-off overrun
Aircraft generation Probability per flight
1 3.77·10-7
2 1.09·10-7
3 6.20·10-8
The traffic mix for 2001 at Amsterdam Airport Schiphol is considered: 6% generation 2 and
94% generation 3 aircraft [Roelen & Wever, 2004]. This leads to a probability of a runway
overrun of 6.48·10-8 per flight, considering all possible causes for an RTO.
An analysis of the RTO overrun accidents/incidents [FAA, 1992] showed that in 58% of the
cases the RTO initiation speed was greater than V1. In 23% of the cases it was less than V1. For
the other 19% the initiation speed was unknown. Hence, in 72% of the overruns in which the
initiation speed was known, the initiation speed was greater than V1. According to this
information the probability of an overrun with an RTO initiation speed greater than V1 is
0.72×6.48·10-8 = 4.67·10-8 per flight and the probability of an overrun with an RTO initiation
speed smaller than V1 is 0.28×6.48·10-8 = 1.81·10-8.
The generic probability of an overrun given an RTO speed above V1 considers all possible
causes of a RTO. According to [Roelen & Wever, 2004], the distribution of RTO causes for
different speeds is as follows:
2
Mixed mode means that a runway is simultaneously used for take-offs as well as landings
28
NLR-CR-2008-646
Table 3 Distribution of the RTO speed for the different causes of the RTO
Cause VRTO ≤ 80 kts 80 kts < VRTO ≤ 120 kts VRTO > 120 kts
Aircraft configuration 26 % 15 % 10 %
Engine 20 % 25 % 30 %
Aircraft system 29 % 25 % 20 %
Air traffic situation 15 % 10 % 5%
Wheel/tyre 2% 10 % 12 %
Bird strike 3% 10 % 15 %
Flight crew 5% 5% 8%
According to the table, the air traffic situation causes 5 % of all RTO at speeds above 120 kts. It
is assumed here that the distribution for speeds above 120 knots is similar to the distribution for
speeds greater than V1. Assuming that 58.8% of the air traffic situations are the ATC events that
are considered in ESD 2, this means that 2.9% of the RTOs given a speed larger than V1 are
related to an ATC event. With this, the probabilities of the end states “runway overrun” can be
determined:
• Probability of runway overrun, given an ATC event and a RTO with a speed larger than V1
is 2.9% × 4.67·10-8 = 1.35·10-9 per flight; and
• Probability of runway overrun, given an ATC event and a RTO with a speed smaller than
V1 is 2.9% × 1.81·10-8 = 5.25·10-10 per flight.
Using these probabilities of a runway overrun and the probability that a flight crew rejects the
take-off given an ATC event, the conditional probability of ‘V > V1’ at the time of rejection is
1.35·10-9 / 1.78·10-5 = 7.58·10-5.
Pivotal event “Failure to achieve maximum braking” and end state “Aircraft stops on runway”
The probabilities of this pivotal event and end state can be determined by using the probabilities
that are estimated so far.
The probability of the flight crew rejecting a take-off because of an ATC event with a speed
lower than V1 is (1-7.58·10-5) × 1.78·10-5 = 1.78·10-5 per flight. This is input to the event “failure
to achieve maximum braking”. The conditional probability of ‘failure to achieve maximum
braking’ in the event of a take-off rejection below V1 is 5.25·10-10 / 1.78·10-5 = 2.95·10-5.
End state “aircraft continues take-off”

According to the definition of this end state, there are two situations leading to it:
• ATC instructs the crew to reject the take-off but the crew does not comply, either because
they decide that it is not possible any more or because of communication problems;
• During take-off roll, an ATC event occurs but neither ATC nor the crew detects it.
29
NLR-CR-2008-646
It appears to be very difficult to quantify this end state. Of the first situation (crew does not
reject the take-off after receiving an instruction from ATC to do so) no incidents have been
found in the NLR Air Safety Database. The second situation is related to separation
infringements. In the NLR Air Safety Database no clear incidents of this type have been found
although there are a few cases where TCAS alerts were received during climb or ATC
instructions are received soon after take-off to make a turn because of other traffic. Also there
are a few cases where the flight crews decide not to start the take-off roll because of conflicting
traffic without ATC noticing it.
To get an idea of the order of magnitude of this event, the focus is on the first situation: the crew
does not reject the take-off although they have received an instruction from ATC to abort.
Reasons for this could be that the aircraft already has a speed close to V1 or that the
communication is down. When looking at the data in [Roelen & Wever, 2004], the probability
of a RTO because of an air traffic situation with a speed lower than 120 knots is more than 200
times higher than the probability of a RTO with a speed more than 120 knots. This means that
RTO instructions because of an ATC event are given mainly during low speeds, so that it is not
likely that the crew does not follow this instruction. In fact, in the analysed set of incidents from
NLR Air Safety Database only one incident was reported where the crew did not follow a RTO
instruction (in this case because of a runway incursion). Considering that only half of the set has
been analysed and that 50% of the air traffic situations are assumed to relate to the ATC event
of ESD 2, we assume that only one incident in 10.5 million flights relates to this particular end
state, which would result in a frequency of 9.52·10-8 per flight.

Initiating event: Air traffic related event.
1.79·10-5 9.99·10-1
7.58·10-5 1.35·10-9
Air traffic related Flight crew rejects Runway
event take-off V > V1 overrun
yes Failure to
achieve
2.95·10-5 Runway
5.25·10-10
no
maximum overrun
braking
Aircraft 1.78·10-5
stops on
runway
Aircraft
continues 9.52·10-8
take-off
30
NLR-CR-2008-646
5 ESD 3 – Aircraft handling by flight crew inappropriate
5.1 Definitions
Aircraft handling by flight crew inappropriate

This event refers to aircraft handling errors than can result in loss of directional control of the
aircraft. Examples are improper use of the steering tiller, improper directional braking, improper
rudder input, and asymmetric engine thrust settings, etc. External conditions, including cross
wind and runway surface condition may play a role. Directional control problems due to
technical failures, such as a failure of the nose wheel steering system, are out of scope of this
ESD but are covered in ESD 4. A momentary configuration warning following the application
of take-off thrust, due to the main gear steering (if available) not being correctly aligned is not
considered within the scope of this initiating event.

31
NLR-CR-2008-646
V > V1
Flight crew fails to maintain control

Either after a rejected take-off with a speed lower than V1 or during take-off with a loss of
traction and steering capability, the crew may not be able to maintain control of the aircraft.
This event describes a situation where the flight crew has lost control of the aircraft, i.e. the
aircraft’s lateral movements are not in accordance with the flight crew’s intentions.
Runway overrun
32
NLR-CR-2008-646
Runway veer-off
A runway veer-off is a situation where the flight crew is not able to maintain directional control
and the aircraft deviates to the side of the runway and veers off it. Occurrences where the
aircraft cannot be brought to a halt before reaching the end of the runway but where flight crew
deliberately steer the aircraft off the side of the runway in order to prevent a collision with
obstacles located in line with the runway are considered to be ‘runway overruns’. The degree of
damage is determined by the speed at which the aircraft leaves the runway, the veer-off angle,
and the possible presence of obstacles such as ditches, fences, approach lights, buildings, etc.
5.2 Quantification
Initiating event
Safety reports from several airlines were examined to determine the frequency of occurrence of
the initiating event of this ESD. The safety reports are from Western airlines and cover mainly
flights in the period of 1993 to 2004. The occurrences relate to a total of 10.5 million flights
Using keywords as directional control, veer off, steering, flight control and flight phase take-off,
a set of 617 safety reports has been retrieved. Of these 617, 48 occurrences were considered
applicable to the initiating event of ESD 3. Sometimes the narratives of the occurrences
provided very little information. In case of doubt, an occurrence is considered applicable to keep
the estimate on the conservative side. In 36 of these 48 occurrences, the crew decided to reject
the take-off. Based on these results the estimated probability of the initiating event is 4.57·10-6
per flight.
End states
Analysis of the Airclaims database showed 26 accidents or incidents that were initiated as a
result of inappropriate aircraft handling by the flight crew during the take-off roll. The data
sample was limited to Western-built aircraft heavier than 5,700 kg MTOW in commercial
operations between 1990 and 2005. These occurrences are divided as follows:
• Veer-off without RTO: 17
• Veer-off after RTO: 7
• Overrun after RTO: 2 (in both cases take-off was rejected at a speed > V1)
A search in the ADREP database for the same period and flights in scope (Western-built aircraft
heavier than 5,700 kg in commercial operations) showed some additional occurrences to those
already identified:
• Veer-off without RTO: 4
• Veer-off after RTO: 2.
33
NLR-CR-2008-646
Overall exposure for the data sample is 453 million flights (1990-2005). This results in the
following probabilities:
• Veer-off without RTO: 4.64·10-8 per flight
• Veer-off after RTO: 1.99·10-8 per flight
• Overrun after RTO: 4.42·10-9 per flight
Pivotal event ‘flight crew rejects take-off’

Analysis of airline safety reports in the NLR Air Safety Database, shows that the flight crew
rejects the take-off in 75% of the directional control problems (36 of the 48 occurrences). The
conditional probability of ‘flight crew rejects take-off’ in the event of inappropriate aircraft
handling by the flight crew is 7.50·10-1.
Pivotal event ‘V > V1’

The conditional probability that V > V1 if the take-off is rejected after ‘inappropriate aircraft
handling by the flight crew’ is 4.42·10-9 / (4.57·10-6 × 7.50·10-1) = 1.23·10-3.
Pivotal event ‘flight crew fails to maintain control’ (take-off rejected)

The conditional probability that the ‘flight crew fails to maintain control’ if the take-off is
rejected after ‘inappropriate aircraft handling by the flight crew’ is 1.99·10-8 / (4.57·10-6 ×
7.50·10-1 × (1-1.23·10-3)) = 5.81·10-3.
Pivotal event ‘failure to achieve maximum braking’

Because the analysis failed to identify occurrences where the aircraft overran the runway after a
take-off was rejected below V1 due to inappropriate aircraft handling by the flight crew, the
conditional probability of ‘failure to achieve maximum braking’ is 0.
Pivotal event ‘flight crew fails to maintain control’ (take-off not rejected)
The conditional probability that the ’flight crew fails to maintain control’ if the take-off is not
rejected and the aircraft handling by the flight crew is inappropriate is 4.64·10-8 / (4.57·10-6 ×
(1-7.50·10-1)) = 4.06·10-2.
34
NLR-CR-2008-646

Initiating event: Aircraft handling by flight crew inappropriate.
4.57·10-6 7.50·10-1 1.23·10-3

Aircraft handling
Loss of 4.42·10-9
traction and Flight crew Runway
by flight crew V > V1
steering rejects take-off overrun
inappropriate
capability
5.81·10-3
1.99·10-8
Flight crew fails
Unrecovered Runway
yes to maintain
loss of control veer-off
control
no
Failure to 0 0
achieve Runway
maximum overrun
braking
3.41·10-6
Aircraft
stops on
runway
4.06·10-2 4.64·10-8
Flight crew fails
Unrecovered Runway
to maintain
control
Aircraft
1.10·10-6
continues
take-off
35
NLR-CR-2008-646
6 ESD4 - Aircraft directional control related system failure

Initiating event: aircraft directional control related system failure
Loss of
Aircraft directional
traction and Flight crew Runway
control related V > V1
steering rejects take-off overrun
system failure
capability
yes Flight crew fails

Unrecovered Runway
to maintain
no control
Failure to
achieve Runway
maximum overrun
braking
Aircraft
stops on
runway
Flight crew fails

Unrecovered Runway
to maintain
control
Aircraft
continues
take-off
6.1 Definitions
Aircraft directional control related system failure

An aircraft directional control system failure is a failure of any of the aircraft’s systems that
severely affects the directional controllability of the aircraft during the take-off roll. Included
are failures of the aileron and aileron controls, rudder and rudder controls, tyres, and nose wheel
steering. Directional control problems as a result of asymmetric thrust due to an engine failure
are covered in ESD 9.

36
NLR-CR-2008-646
V > V1


Either after a rejected take-off with a speed lower than V1 or during take-off with a loss of
traction and steering capability, the crew may not be able to maintain control of the aircraft.
This event describes a situation where the flight crew has lost control of the aircraft, i.e. the
aircraft’s lateral movements are not in accordance with the flight crew’s intentions.
37
NLR-CR-2008-646
Runway overrun
Runway veer-off
6.2 Quantification
According to the definition used for this ESD, directional control related systems are those
reported under ATA codes 2710-2722 (aileron and rudder), 3244-3245 (tyre) and 3250-3251
(nose wheel steering). A data sample of Service Difficulty Reports (see App. A for a description
of this sample) was used to determine the probability of a directional control related system
failure during take-off and the likelihood of a rejected take-off in the event of a system failure.
The analysis was limited to air carrier operations from 1985 through 2003. Overall exposure is
216 million flights.
According to the SDR database, there were 14,254 directional control related system failures,
i.e. a frequency of 6.60·10-5 per flight. In 7,475 cases this resulted in a rejected take-off. The
conditional probability of a rejected take-off in the event of a directional control related system
failure is 0.52.
To estimate the frequency of occurrence of the end states, a data sample of accidents and
incidents from the Airclaims database was analysed. The sample was restricted to accidents and
incidents involving western-built aircraft heavier than 5,700 kg MTOW in commercial
operations. Data from 1985 through 2005 was used, representing a total of 399 million flights.
38
NLR-CR-2008-646
The data sample contains 9 take-off overrun accidents resulting from directional control system
failures and subsequent take-off rejection. In 2 cases the take-off was aborted at a speed below
V1, in 7 cases the take off was aborted at a speed above V1. The data sample contains 4 veer-off
accidents resulting from directional control system failures during the take-off roll. For these
veer-off accidents the available data was insufficient to determine whether the decision to reject
the take-off was taken before or after the aircraft ran off the side of the runway. For the purpose
of this ESD, it is assumed that all veer-offs occurred after the crew had decided to reject the
take-off. The estimated probabilities for the end states are the following:
• Runway overrun (V > V1): 1.75·10-8
• Runway veer-off: 1.00·10-8
• Runway overrun (V < V1): 5.01·10-9.
The conditional probability of V > V1 in the event of a directional control related system failure
and decision to reject the take-off is 1.75·10-8 / (6.60·10-5 × 0.52) = 5.10·10-4.
The conditional probability of ‘flight crew fails to maintain control’ in the event of a directional
control related system failure and the decision to reject the take-off at a speed below V1 is
1.00·10-8 / (6.60·10-5 × 0.52 × (1-5.10·10-4)) = 2.92·10-4.
The conditional probability of ‘failure to achieve maximum braking’ in the event of a

directional control related system failure and the decision to reject the take-off at a speed below
V1 is 5.01·10-9 / (6.60·10-5 × 0.52 × (1-5.10·10-4) × (1-2.92·10-4)) = 1.46·10-4.
The conditional probability of ‘aircraft stops on runway’ in the event of a directional control
related system failure and the decision to reject the take-off at a speed below V1 is 6.60·10-5 ×
0.52 × (1-5.10·10-4) × (1-2.92·10-4) × (1-1.46·10-4) = 3.43·10-5.
The conditional probability of ‘aircraft continues take-off’ in the event of a directional control
related system failure and a decision to continue the take-off is 6.60·10-5 × (1-0.52) = 3.17·10-5.
39
NLR-CR-2008-646
40
NLR-CR-2008-646
7 ESD5 – Incorrect configuration

Initiating event: Incorrect configuration.
Take-off
Incorrect Flight crew Runway
configuration V > V1
configuration rejects take-off overrun
warning
yes Failure to
achieve Runway
no maximum overrun
braking
Aircraft
stops on
runway
Aircraft
continues
take-off
Flight crew fails

Aircraft stalls Unrecovered Collision
to regain
after rotation loss of control with ground
control
Aircraft
continues
flight
Aircraft
continues
flight
7.1 Definitions
Incorrect configuration
The initiating event is defined as an occurrence where the flight crew commences the take-off
while the aircraft is not properly configured for take-off. The cause of an incorrect configuration
can be either a system failure or the crew has not set the correct configuration. Setting the
required aircraft configuration for take-off includes several systems. An incorrect setting of
either one of those systems will generate a take-off configuration warning, unless the warning is
inhibited. Aircraft manufacturers sometimes choose to inhibit take-off configuration warnings at
speeds above 80 kts (typically) in order to avoid the risk of high speed rejected take-offs.
Incorrect configuration includes the following:
• Thrust not set to take-off thrust
• Thrust reverser not stowed
• Parking brake not released
• Flaps not in take-off position
41
NLR-CR-2008-646
• Spoilers/speed brakes not stowed

• Stabiliser trim not within green band
• Main landing gear not aligned
• Rudder trim not centred
• Flight control system not properly set (e.g. yaw damper not switched on)
Take-off configuration warning

Modern aircraft are equipped with a take off configuration warning system. This system warns
the flight crew of an inappropriate aircraft configuration as soon as the throttles are advanced to
take-off thrust. Examples of inappropriate aircraft configurations are: speed brakes not properly
stowed, stabiliser trim out of range, and incorrect flap setting. Absence of a take-off
configuration warning if the aircraft is not properly configured for take-off can be caused by a
failure of the take-off configuration warning system, inhibition of the take-off configuration
warning, or absence of a take-off configuration warning system.

V > V1
42
NLR-CR-2008-646


This event describes whether or not the flight crew rejects the take-off after receiving a take-off
configuration warning.
From the database of air safety reports (see App. A) it appears that flight crews sometimes do
not reject the take-off if they receive a take-off configuration warning. If a warning occurs after
V1, the standard operating procedures require the flight crew to continue the take-off. A
momentary warning is sometimes considered irrelevant by the flight crew. Sometimes warnings
are considered nuisance, e.g. warning related to centring of the main landing gear when the
aircraft is lined-up with too much engine power. There are also cases where the flight crew
corrects the situation on the spot without rejecting the take-off, e.g. if the parking brake is still
set.
We assume for modelling purpose that the events in which the flight crew continues take-off
with incorrect configuration (flaps) is covered by the sequence through pivotal event ‘aircraft
stalls after rotation’. We assume that the sequence of events, following a ‘no’-outcome of the
pivotal event ‘flight crew rejects take-off’ is covering situations where the crew continues take-
off after having corrected the configuration problem or if the warning occurs after V1 or
momentarily. As a result of this assumption, the end state ‘aircraft continues take-off’ represents
the situation that the aircraft is able to safely complete the take-off phase and climb out (i.e.
incorrect configuration does not result in loss of control).
43
NLR-CR-2008-646
Runway overrun
Aircraft stops on runway

This represents a situation where the take-off is aborted and the aircraft comes to a full stop
before reaching the end of the runway.

Based on the definitions above, the end state ‘aircraft continues take-off’ represents the situation
that the aircraft is able to safely complete the take-off phase and climb out. Thus either the
incorrect configuration does not result in loss of control or the incorrect configuration has been
corrected by the flight crew ‘on the roll’.
Aircraft stalls after rotation

An aircraft is stalled if the maximum lift which can be developed by the wing is not sufficient to
support the weight of the aircraft. If the aircraft’s flaps are not properly configured for take-off,
or if the stabiliser trim is not properly set, a stall may develop after rotation.
Flight crew fails to regain control

This pivotal event refers to the ability of the flight crew to regain control of the aircraft after
stall onset. This pivotal event does not necessarily imply a failure or error by the flight crew.
The ability of the flight crew to maintain control of the aircraft is in general affected by human
factors (fatigue etc), training, aircraft system failures, weather conditions, available altitude for
recovery manoeuvre etc.
Collision with ground

This end state refers to a possible outcome of an aircraft taking off with incorrect configuration.
The aircraft impacts terrain (ground, water) or obstacles, which results in injuries, fatalities or
(substantial) damage to the aircraft.
44
NLR-CR-2008-646
Aircraft continues flight

This end state refers to the possible outcome of a take-off with incorrect configuration: the flight
crew continues the flight to destination airport, returns to the departure airport or diverts the
aircraft to another airport.
7.2 Quantification
7.2.1 Data sources

The following data sources have been used to quantify events in this ESD:
• ADREP and Airclaims database of accidents and incidents;
• ASR databases (various airlines, European and non-European).
7.2.2 Results
ADREP and Airclaims data

A query was run in the ADREP and Airclaims databases to identify accidents and incidents
related to take-off with incorrect configuration. The time span was set to 1990-2005. Aircraft
types include jet, turbofan and turboprop aircraft with a Maximum Take-off Weight of more
than 5700 kg, operated in commercial operations (passenger and cargo flights). Aircraft
manufacturers include ‘Western’ airframe manufacturers such as Airbus, Boeing, McDonnell
Douglas, Lockheed, Fokker, Embraer. Airframe manufacturers from former USSR or Eastern-
block countries (e.g. Tupolev, Let, Antonov) are excluded from the query. All operators of
aforementioned aircraft types, irrespective of country of origin, are included. Military operators,
and accidents/incidents during test flights and training flights are excluded. The number of
flights associated with this query is 452 million flights. (1990-2005).
According to ADREP and Airclaims, there have been 24 accidents and incidents that are related
to loss of control after take-off with incorrect configuration.
• In 16 of these 24 occurrences the flight crew rejected the take-off. In 6 occurrences this
happened at a late stage in the take-off and resulted in a runway overrun. In 10 occurrences
the flight crew rejected the take-off and stopped on the runway.
• In 3 events the flight crew did not receive a take-off configuration warning and were
subsequently unable to rotate or lift-off at rotation speed. In all 3 cases the crew then failed
to maintain control and collided with the ground (crash landed at the end of the runway).
• In 3 events the flight crew did not respond to the take-off configuration warning, and were
subsequently unable to rotate or lift-off at rotation speed. In all 3 events the crew then failed
to maintain control and collided with the ground (crash landed at the end of the runway).
45
NLR-CR-2008-646
• In 2 occurrences the crew took off with an incorrect take-off configuration, but were able to
continue flight tot destination.
ASR database of various airlines

We have analysed Air Safety Report (ASR) databases for events involving a take-off with
incorrect configuration and/or take-off configuration warnings. The ASR databases come from
different airlines and cover 9 million flights between 1998 and 2004. All data concerns
commercial operations with ‘western’ aircraft of more than 5700 kg maximum take-off weight.
We have analysed the databases for occurrences involving a take-off configuration warning
and/or incorrect take-off configuration in the years 2000 and 2001. The corresponding number
of flights for these two years is 2.44 million. A total of 550 occurrences were identified. Table 4
shows the number of occurrences of a take-off configuration warning per associated system, the
percentage of take-off configuration warnings across the different systems that were incorrectly
configured, and the corresponding frequency of occurrence per flight.
Table 4 Take-off configuration warning generated by incorrect take-off configuration

of various systems
Number of occurrences Rate per flight
2000 2001 Total %
Propulsion system 34 16 50 9.1 2.05·10-5
Thrust reverser 1 2 3 0.5 1.23·10-6
Parking brake 10 12 22 4.0 9.02·10-6
Flap system 38 37 75 13.6 3.07·10-5
Spoiler 22 16 38 6.9 1.56·10-5
Stabilizer trim 40 34 74 13.5 3.03·10-5
Speed brakes 21 32 53 9.6 2.17·10-5
Landing gear 25 44 69 12.5 2.83·10-5
Flight control system 2 2 4 0.7 1.64·10-6
Rudder 0 1 1 0.2 4.10·10-7
Unknown system 69 85 154 28.0 6.31·10-5
Take-off warning system 7 0 7 1.3 2.87·10-6
Total 269 281 550 2.25·10-4
Total flights: 2.44·106
In 494 of the 550 reported take-off configuration warnings (89.82 %), the take-off was rejected.
This corresponds to a frequency of 2.02·10-4 per flight.
46
NLR-CR-2008-646
7.3 Summary of results
Incorrect configuration
According to table 4, the frequency of occurrence of incorrect aircraft configuration during the
take-off roll is 2.25·10-4 per flight.
Take-off configuration warning

According to ADREP and Airclaims data, out of a total sample of 452 million flights, there
have been 6 events where the flight crew did not receive a take-off warning or the take-off
warning was ignored without further action by the flight crew. The corresponding probability of
occurrence of ‘take off warning not effective’ is 1.33·10-8 per flight, or a conditional probability
of 1.33·10-8 / 2.25·10-4 = 5.90·10-5. All these cases ended as a ‘collision with ground’.

According to ASR data, in 494 of the 500 reported take-off configuration warnings the take-off
was rejected. The conditional probability of a rejected take-off in the event of an effective
configuration warning is 0.898.
V > V1
According to ADREP and Airclaims data, in a total sample of 452 million flights there have
been 6 high speed (V > V1) rejected take-offs as a result of a take-off configuration warning. All
these occurrences led to a runway overrun. The probability of a runway overrun after a high-
speed rejected take-off after is configuration warning is 1.33·10-8 per flight. The conditional
probability of V>V1 in the event of a rejected take off is 1.33·10-8 / (2.25·10-4 × (1- 5.90·10-5) ×
0.898) = 6.57·10-5.
Runway overrun after rejected take-off above V1.

been 6 high speed (V > V1) rejected take-offs as a result of a take-off configuration warning. All
these occurrences led to a runway overrun. The probability of a runway overrun after a high-
speed rejected take-off following a configuration warning is 1.33·10-8 per flight
Runway overrun after rejected take-off below V1.

According to ADREP and Airclaims, out of a total sample of 452 million flights there have been
no occurrences of a runway overrun following an aborted take-off at speed below V1 if the
reason for the abort was a take-off configuration warning. The probability of occurrence is
estimated to be 0.
47
NLR-CR-2008-646
Failure to achieve maximum braking.

Because the probability of a runway overrun following an aborted take-off at speed below V1 is
estimated to be 0 (see previous section), the conditional probability of ‘failure to achieve
maximum braking’ in the event of a rejected take-off at speeds below V1 is also estimated to be
0.
Aircraft stops on runway.

The frequency of occurrence of the end state ‘aircraft stops on the runway’ can be calculated
from the previous events. The probability is estimated to be 2.25·10-4 × (1-5.90·10-5) × 0.898 ×
(1-6.57·10-5) × 1 = 2.02·10-4 per flight.

The frequency of occurrence of the end state ‘aircraft continues take-off’ can be calculated from
the previous events. The probability is estimated to be 2.25·10-4 × (1-5.90·10-5) × 0.102 =
2.29·10-5 per flight.
Aircraft stalls after rotation.

warning was ignored without further action by the flight crew. All these events resulted in a loss
of control and collision with the ground. The corresponding conditional probability of
occurrence of ‘aircraft stall after rotation’ is assumed to be 1.
Flight crew fails to regain control.

of control and collision with the ground. The conditional probability of ‘flight crew fails to
regain control’ in the event of ‘aircraft stalls after rotation’ is assumed to be 1.
Collision with ground.

of control and collision with the ground. The corresponding probability of occurrence of
‘collision with ground’ is 1.33·10-8 per flight.
48
NLR-CR-2008-646

Initiating event: Incorrect configuration.
1 - 5.90·10-5 8.98·10-1
2.25·10-4
6.57·10-5 1.33·10-8
Take-off
Incorrect Flight crew Runway
configuration V > V1
configuration rejects take-off overrun
warning
yes Failure to 0 0
achieve Runway
no maximum overrun
braking
2.02·10-4
Aircraft
stops on
runway
2.29·10-5
Aircraft
continues
take-off
1.33·10-8
1
Aircraft stalls 1 Flight crew fails
Unrecovered Collision
to regain
after rotation loss of control with ground
control
0
Aircraft
continues
flight
0
Aircraft
continues
flight
49
NLR-CR-2008-646
8 ESD6 - Aircraft takes off with contaminated wing
8.1 Definitions
Take-off is defined as: from the application of take-off power, through rotation and to an
altitude of 35 ft above the runway elevation.
In the ESD the initiating event, pivotal events and end states are defined as follows.
Aircraft takes off with contaminated wing

Aircraft wing, horizontal stabiliser, tail and/or flight control surfaces (i.e. ailerons, elevator,
trim, rudder) are contaminated with frost, ice, slush or snow, as the aircraft commences take-off.
An event in which the contaminated wing results for instance in engine problems due to
ice/snow ingestion, is considered in the scope of this ESD. Occurrences in which ice, snow or
slush from the runway or landing gear enters the engine(s) and causes problems are excluded
from this initiating event but are included in ESD 9.

An aircraft is stalled if the maximum lift which can be developed by the wing is not sufficient to
support the weight of the aircraft. The lift which is developed by a wing depends on the angle of
attack (the relative angle of the impinging air to the wing chord) and the airspeed. The higher
the angle of attack and the higher the speed, the greater the amount of lift developed so long as
the airflow over the wing is smooth and adheres to its contour surface. If the airflow separates
from the surface, the lift produced by the wing diminishes. The airflow starts to separate from
any wing if its angle of attack reaches a critical value, typically 15 - 18 degrees. As the angle of
attack is increased further, it will reach a value at which maximum lift is developed, after which
50
NLR-CR-2008-646
higher angles of attack will produce a rapid decay in lift. Even a small amount of snow or ice on
the wing surface influences the smooth flow of air over the surface contour. Changes in the
contour shape and roughness of the surface will cause the airflow to begin to separate from the
wing at a lower angle of attack than normal and cause a reduction in the lift which will normally
be developed by a wing at a given angle of attack and a given airspeed. Both the maximum lift
which can be developed and the angle of attack at which it will be developed will be reduced
significantly. The extent and way that performance will be affected depends on the position of
the contaminant on the wing as well as on the nature of the contaminant.

This pivotal event refers to the ability of the flight crew to regain control of the aircraft after
stall onset. This pivotal event does not necessarily imply a failure or error by the flight crew.
The ability of the flight crew to maintain control of the aircraft is in general affected by human
factors (fatigue etc), training, aircraft system failures, weather conditions, available altitude for
recovery manoeuvre etc.

This end state refers to a possible outcome of an aircraft taking off with a contaminated wing.
The aircraft impacts terrain (ground, water) or obstacles, which results in injuries, fatalities or
(substantial) damage to the aircraft. The degree of damage is determined by the impact angle,
impact speed, and the characteristics of the terrain.

This end state refers to the possible outcome of a take-off with contaminated wing: the flight
crew continues the flight to destination airport, returns to the airport of departure or diverts the
aircraft to another airport. While in flight, the aircraft may encounter difficulties associated with
the contaminated wing, such as the ingestion of snow or ice by the engines, or controllability
problems. An example is the accident of a Scandinavian Airlines MD-81 in 1991, which
experienced ice ingestion in both engines from contaminated wings, resulting in a dual engine
failure and a forced landing. Such a situation is described in the integrated ESD model by a
transition from one ESD (e.g. ESD 6) to another (e.g. ESD 18).
8.2 Quantification
8.2.1 Data sources

• NLR Air Safety Database (ADREP, Airclaims, ECCAIRS)
• NTSB database
• ASR databases (various airlines)
51
NLR-CR-2008-646
NLR Air Safety Database

A query was run in the NLR Air Safety Database to search for accidents and incidents related to
take-off with contaminated wing. The time span was set to 1990-2003. Aircraft types include
jet, turbofan and turboprop aircraft with a Maximum Take-off Weight of more than 5700 kg,
operated in commercial operations (passenger and cargo flights). Aircraft manufacturers include
‘Western’ airframe manufacturers such as Airbus, Boeing, McDonnell Douglas, Lockheed,
Fokker, Embraer. Airframe manufacturers from former USSR or Eastern-block countries (e.g.
Tupolev, Let, Antonov) are excluded from the query. All operators of aforementioned aircraft
types, irrespective of country of origin, are included. Military operators and accidents/incidents
during test flights and training flights are excluded. The number of flights associated with this
query is 387 million flights.
The NLR Air Safety Database contains 5 accidents and 3 incidents related to a take-off with
contaminated wing. In 3 occurrences engine problems occurred in take-off or during initial
climb as a result of ice or snow ingestion from the contaminated wing. In all events de-icing
was not effective: in 3 cases de-icing was not done, in 4 cases de-icing was not properly done
(e.g. missing parts of aircraft surface), and in one occurrence the hold-over time was exceeded.
As a result of the take-off with contaminated wing 4 flights ended in a collision with terrain, in
one occurrence a rejected take-off was initiated above rotation speed (Vr), in one event a forced
landing was made after a double engine flame-out. Two of the 8 flights continued and landed
safely (they returned to the airport).
This data cannot be used for quantification of the initiating event because it does not include
occurrences where a take-off was made with a contaminated wing but without further
consequences.
Table 5 summarises the results of the accident and incident data analysis.
Table 5 Results of accident/incident analysis of take-off with contaminated

wing (NLR Air Safety Database, 1990-2003)
Consequences Number of events
Rejected take-off 1
Stall and collision with ground 4
Double engine failure and forced landing 1
Continue flight (return to airport) 2
Total 8
Source: NLR Air Safety Database, 1990-2003; 387 million flights
52
NLR-CR-2008-646
ASR database of various airlines

Air Safety Reports (ASR) databases from different airlines, covering 9 million flights between
1998 and 2004, were analysed for events involving a take-off with contaminated wing and de-
icing problems. Only commercial flights with fixed-wing Western-built aircraft heavier than
5,700 kg MTOW are considered. Reported problems with de-icing range from communication
problems between cockpit crew and de-ice crew, collision between aircraft and de-icing vehicle,
incorrect de-icing (e.g. incomplete de-icing or incorrect de-icing fluid used) and take-off with
contaminated wing.
Nine occurrences of aircraft taking off with contaminated wing were found in the ASR
databases. In one of these occurrences the hold-over time was exceeded, in 3 events the aircraft
was not de-iced and in 5 events the de-icing of the aircraft was not done properly, i.e. parts of
the aircraft remained covered with snow or ice. As a consequence one of the 9 flights
experienced engine problems in take-off due to snow ingestion, after which the crew aborted the
take-off. In one event the crew experienced pitch control problems in flight and diverted. In one
event the aircraft was damaged by ice from the wing that struck the tail structure. In the other 6
occurrences the flight crew did not report any effects of the contaminated wing. In all 9 events
the flight crew maintained control of the aircraft and landed safely. Table 6 shows the results of
the ASR databases analysis of take-offs with contaminated wing.
Table 6 Take-off with contaminated wing (ASR database 1998-2004)

Consequences Number of events Probability per
flight
Rejected take-off 1
Continue flight or return to airport 8
Total 9 1.00·10-6
Source: ASR database 1998-2004, 9 million flights
The ASR database was queried for reports on de-icing problems. Many reported problems with
respect to de-icing were not relevant for ESD 6 because it concerned for instance
communication problems with the de-icing crew or collision between the de-icing vehicle and
the aircraft. We found 108 reports about events in which de-icing was not performed or in
which it was detected that ice or snow was still present on the aircraft structure after de-icing
was performed and aircraft was cleared for flight. In 98 of these cases the flight crew reported
that they requested a new de-icing to remove the remaining snow or ice deposits, while in 11
cases no further information was available. In the ASR databases we found 5 occurrences in
which the hold-over time was exceeded. In 3 cases the aircraft returned to the gate for de-icing,
while in 2 cases the aircraft took off, although it was not reported whether the aircraft structure
53
NLR-CR-2008-646
or wings were actually contaminated with snow/ice. It is assumed that in these cases the
aircraft’s wing was not contaminated.
Table 7 De-icing problems (ASR database 1998-2004)

Aircraft de-icing Number of events Probability per
flight
Hold over time exceeded 61 6.67·10-7
Aircraft not de-iced 62 6.67·10-7
Aircraft not properly de-iced 118 3 1.31·10-5
Source: ASR database 1998-2004, 9 million flights
8.2.2 Discussion
Accident databases do not contain a representative sample of incidents to reliably estimate the
frequency of a take-off with contaminated wing, which did not result in a loss of control. On the
other hand, the database contains a representative sample of loss of control accidents as a result
of a contaminated wing. The probability of an unrecoverable loss of control and collision with
ground after take-off with contaminated wing can therefore be reliably estimated with accident
databases. For the frequency estimation of the Initiating Event we will use the ASR database,
because these data are a more representative collection of incidents than accident databases. The
ASR databases represent a selection of airlines, which means that the ASR database does not
present the whole picture of de-icing problems and take-offs with contaminated wing. We
assume that all events in which the flight crew reported incorrect or improper de-icing were
followed up by a second de-icing as is mentioned in the vast majority of the reports.
8.2.3 Quantification results
Aircraft takes off with contaminated wing

The frequency of the Initiating Event “aircraft takes off with contaminated wing” is estimated
from table 6 as 1.00·10-6 per flight.

The frequency of a stall with contaminated wing is 1.03·10-8 per flight (Tab. 5). Dividing this
number by the frequency of the initiating event (1.00·10-6 per flight), yields the conditional
probability that an aircraft stall after rotation, given a take-off with contaminated wing. This
conditional probability is 1.03·10-2. The probability that aircraft does not stall after take-off with
contaminated wing is (1-1.03·10-2).
54
NLR-CR-2008-646

Given a take-off with contaminated wing and subsequent stall the conditional probability that
the flight crew fails to regain control is 1. Although the conditional probability of a failure to
regain control after stall is based on a few flights only, it is regarded to be a reliable estimate
because those stalls will occur just after take-off and at low altitude which makes recovery
impossible.

The probability of an aircraft colliding with terrain as a result of a take off with contaminated
wing and subsequent loss of control is estimated from table 1 as 1.03·10-8 per flight.

The probability that an aircraft takes off with contaminated wing, does not stall and continues
flight safely is estimated as 1.00·10-6 × (1-1.03·10-2) = 9.90·10-7 per flight.
55
NLR-CR-2008-646
9 ESD 7 – Aircraft weight and balance outside limits during take-off
9.1 Definitions
Aircraft weight and balance outside limits

This pivotal event describes situation where the aircraft’s centre of gravity or the aircraft’s
weight differ from the flight crew’s expectations to such an extent that the flight crew has to
take additional action to try to maintain control of the aircraft, such as the application of
significantly different trim settings or large pitch control inputs. This can be due to:
• Cargo loose or shifted
• Wrong number of passengers
• Load sheet incorrect
• Incorrect loading
• Weight limits incorrect/exceeded
The initiating event does not include situations in which the aircraft is ‘extremely nose heavy on
rotation’ or where ‘extra nose up trim is required on take-off’ because these are not likely to
result in an aircraft stall. These events are included in the initiating event of ESD 10.

One of the possible consequences of weight and balance problems is that the aircraft stalls after
rotation. An aircraft is stalled if the airflow separates from the wing surface resulting in a drastic
reduction in lift. The maximum lift which can be developed by the stalled wing is not sufficient
to support the weight of the aircraft.
56
NLR-CR-2008-646

After the aircraft stalls after rotation, the crew might be able to regain control. If not, the result
is an unrecovered loss of control and a collision with the ground.
9.2 Quantification
Initiating event
Air Safety Report Database

Air safety report (ARS) databases from different airlines covering 9.5 million flights between
1997 and 2004 were analysed. The data sample included air safety reports from Western-built
aircraft, heavier than 5700 kg MTOW in commercial operations.. Initial search in the database
resulted in 1179 occurrences related to the initiating event “aircraft weight and balance outside
limits” in 9.5 million flights. This search included keywords like load, load sheet, weight,
gravity, balance, and considered all flight phases other than parked or cruise.
Using the classification of the source data it appears that 390 of the 1179 occurrences are related
to the take-off flight phase. Analysis of these 390 occurrences shows that 285 are possibly
relevant for ESD 7. These 285 can be classified as follows:
• 89 in which it is explicitly mentioned that the aircraft felt nose heavy on rotation;
• 45 in which it is explicitly mentioned that the aircraft felt tail heavy on rotation;
• 20 with an overweight take-off;
• 93 with incorrect load sheet information;
• 22 load shifts; and
• 16 of which the context is not exactly clear.
To quantify the initiating event, the following is assumed:

• Occurrences with nose-heavy and overweight aircraft behaviour cannot lead to an aircraft
stall. It is more likely that these result in e.g. a runway overrun. These occurrences are
considered not applicable to ESD 7;
• Obviously, occurrences with a tail-heavy aircraft behaviour are relevant for this ESD;
• Load shifts during take-off means that loads are shifting in aft direction. Therefore, these
occurrences are considered relevant for ESD 7;
• The occurrences with incorrect load sheet information and with the unknown context could
apply both to nose heavy and tail heavy aircraft behaviour but this is not explicitly stated.
Therefore, these occurrences are divided 2:1 (using the 89:45 division of nose heavy and tail
heavy occurrences) over not applicable and applicable to ESD 7.
57
NLR-CR-2008-646
With this, 45+22+109/3 = 103 occurrences are applicable. With 9.5 million flights this leads to
a probability of the initiating event of 1.08·10-5 per flight.
CAP 701
In the first 11 months in 1998, CAA-UK’s Safety Data Department received 52 aircraft loading
error Mandatory Occurrence Reports (MORs) [CAA, 2000]. Analysis indicated the following
five main causal factors as follows:
Table 8 Number of occurrences per causal factor (CAP 701)

Main causal factor Number of occurrences
Load sheet incorrect 29
Centre of gravity incorrect / outside limits 17
Cargo loose or shifted 10
Passenger load involved 8
Weight limits incorrect / exceeded 6
Total 70
Note that the total of 70 factors exceeds the 52 MORs. This means that some of the MORs
included more that one causal factor.
The number of flights in this period related to the MORs is determined as follows:
Table 9 Number of flights in this period related to the MORs

Type Number of occurrences in
1998
UK Airline (Passenger) Aeroplanes >5700kg MTOW 877,100
UK Airline (Cargo) Aeroplanes >5700kg MTOW 37,800
UK Airline Aeroplanes <5700kg MTOW 31,000
Total 945,900
From the total for 1998 it is estimated that the number of flights in the period January-
November 1998 amounts to 867,075.
For the 52 occurrences in the period January – November 1998, this corresponds with a
frequency of 5.99·10-5 per flight for the initiating event. [CAA, 2000] does not specify the flight
phase during which the events occurred.
STEADES
IATA STEADES data shows that from July 2004 to June 2005, there were 118 High-Medium
Risk Air Safety Reports (ASRs) relating to hold loading [IATA, 2005] and 293 Low-Minimal
58
NLR-CR-2008-646
Risk ASRs Of the 118 high-medium risk occurrences, 52% was related to incorrect loading and
27% to unrestrained items in the hold. The incorrect loading occurrences are divided as follows:
incorrect positioning of cargo (50%), excess loading (24%) and other (26%).
The corresponding exposure for the STEADES data totals 2.7·106 flights, resulting in a
frequency of 4.37·10-5 per flight when considering the 118 high/medium risk ASRs and 1.7·10-4
when considering all 457 ASRs.
Note that in [IATA, 2005] it is not explicitly mentioned if the ASRs were encountered during
take-off or during approach.
Combining information
Further analysis of load and balance events shows a fair consistency between CAP 701,
STEADES and Air Safety Database data:
Table 10 Comparison of the different estimates of load and balance events

CAA-UK MORS STEADES Air Safety Database
Load and balance events 5.99·10-5 4.37·10-5 1.08·10-5
Unrestrained cargo 1.15·10-5 1.18·10-5
Excess loading 6.91·10-6 5.5·10-6
CG incorrect 1.96·10-5 1.1·10-5
Although the CAA data and STEADES do not specify the flight phase, it is expected that the
majority of weight and balance problems will manifest itself during or immediately after take-
off.
For the purpose of this model, a frequency of 1.08·10-5 will be assumed for the initiating event
‘aircraft weight and balance outside limits’.
Accidents
In the Air Safety Database, 10 weight and balance related take-off accidents have been found on
387 million flights. Scope of the search is as follows:
• Western built aircraft;
• Maximum Take-Off Weight above 5,700 kg;
• Jets and turbo prop aircraft (excluding piston engines);
• Commercial operations;
• 1990-2003.
59
NLR-CR-2008-646
In the Air Safety Database, 10 accidents have been found caused by weight and balance
problems during take-off. In 5 of these accidents, the aircraft crashed because it was too heavy
or because the centre of gravity was too far aft. The other 5 accidents resulted in an overrun off
the runway because of a forward centre of gravity or because of too much weight. These latter 5
accidents are subject of ESD 10. Given that the 5 applicable accidents relate to 387 million
flights this means an accident frequency of 1.29·10-8 per flight.
Pivotal events
No occurrences have been found of stalling aircraft during take-off (because of weight and
balance problems) that could be controlled by the crew such that continuation of the flight was
possible. Because of the close proximity to the ground, it is highly unlikely that such a recovery
is possible. Therefore it is assumed that if an aircraft stalls, the flight crew is not able to regain
control. The pivotal event “flight crew fails to regain control” is estimated to be 1.
Given the result of the pivotal event “flight crew fails to regain control”, quantification of the
pivotal event “aircraft stalls after rotation” can be achieved by dividing the accident frequency
by the frequency of the initiating event. The result is 1.19·10-3.
60
NLR-CR-2008-646
10 ESD 8 – Aircraft encounters a performance decreasing wind

shear after rotation
Scenario type: loss of control.

Phases: take-off.
Initiating event: aircraft encounters a performance decreasing windshear after rotation.
Aircraft encounters a
Flight crew fails Flight crew fails
performance decreasing Unrecovered Collision
to detect wind- to maintain
windshear after rotation loss of control with ground
shear control
(1)
yes
Aircraft
no Flight crew fails continues
to perform flight
windshear
escape
manoeuvre
Aircraft
continues
flight
(1) Windshear is an abrupt change in wind direction and velocity. This ESD represents a
situation where the aircraft encounters a performance decreasing windshear (decreasing
headwind, increasing tailwind or a downdraft), e.g. as a result of a microburst.
10.1 Definitions
Aircraft encounters a performance decreasing wind shear after rotation

Wind shear is an abrupt change in wind direction and velocity. A type of wind shear that is
particularly dangerous for air transport is a downburst or microburst. The aircraft may encounter
performance increasing and decreasing effects. Wind shear poses the greatest danger to aircraft
during takeoff and landing, if the aircraft is close to the ground and has little time or room to
manoeuvre. During takeoff, an aircraft is near stall speed and thus is very vulnerable to wind
shear [NASA, 1992].
This event includes situations where the aircraft encounters an increase in tailwind or a decrease
in headwind after rotation (performance decreasing wind shear), but turbulence, e.g. due to
wake vortex is not included. The qualification “after rotation” is taken in a wide sense - it
includes also the (initial) climb.
Flight crew fails to detect wind shear

There are various possibilities for the flight crew to detect wind shear during take-off. Already
before take-off the crew can detect thunderstorms ahead and they may decide not to take-off yet
or request a different departure route. In other situations, during take-off and climb, the crew
monitors indicated airspeed and rates of climb. Rapid changes can be an indication of a wind
61
NLR-CR-2008-646
shear encounter. With autopilot and auto thrust engaged pitch deviations and unusual thrust
settings are the primary cues for early wind shear onset as airspeed deviations are effectively
compensated for. Alternative detection means can be other pilots’ reports, ground-based wind
shear alert systems using ground-based radar or lidar, and on-board wind shear detection
systems. Most, but not all, large commercial aircraft are equipped with an on-board wind-shear
detection system. In the case of ground-based systems the crew will be alerted by ATC. For the
purpose of this ESD, flight crew fails to detect wind shear is defined as a situation where the
aircraft encounters wind shear but this goes undetected by the flight crew.
Flight crew fails to perform wind shear escape manoeuvre

Details of the wind-shear escape manoeuvre may vary among different aircraft types and
different operators. A typical wind shear escape manoeuvre in take-off will include the
following:
On ground:
• When the decision is made to continue the take-off:
• Set emergency thrust (disregard engine over limit alerts).
At VR,
• Rotate initially to 15 degrees nose-up.
• Increase pitch attitude to lift off within the remaining distance, if necessary even to an
attitude at which a tail strike will occur.
• When airborne, do not change aircraft configuration.
• If the resulting flight path is still unacceptable, increase pitch until speed is just above the
stick shaker actuation.
Airborne:
• Pull take-off/go-around (TOGA) triggers
• Disengage autopilot and auto thrust
• Set emergency thrust
• Increase pitch to 15 degrees nose up (immediately after take-off it is not necessary to
decrease pitch to 15 degrees unless the stick shaker becomes active)
• Maintain wings level unless absolutely required for obstacle clearance
For the purpose of this ESD, ‘flight crew fails to perform wind shear escape manoeuvre’ is
defined as a failure of the flight crew to perform the prescribed escape manoeuvre, either by
mistake or on purpose when the crew decides that it is not necessary because control can be
maintained without following the procedure.
62
NLR-CR-2008-646
Pivotal Event Flight crew fails to maintain control

This pivotal even refers to the ability of the flight crew to maintain control of the aircraft. This
pivotal event does not necessarily imply a failure or error by the flight crew. The ability of the
flight crew to maintain control of the aircraft is affected by human factors (fatigue, training etc),
aircraft system failures, weather conditions etc.
10.2 Quantification
Airclaims and ADREP data are used to quantify the end states of this ESD, whereas airlines
safety reports are used to quantify the initiating event.
A query was run to search for accidents and incidents related to wind shear during take-off. The
time span was set to 1990-2005. Aircraft types include jet, turbofan and turboprop aircraft with
a Maximum Take-off Weight of more than 5700 kg, operated in commercial operations
(passenger and cargo flights). Aircraft manufacturers include ‘Western’ airframe manufacturers
such as Airbus, Boeing, McDonnell Douglas, Lockheed, Fokker, and Embraer. Aircraft
manufacturers from former USSR or Eastern-block countries (e.g. Tupolev, Let, Antonov) are
excluded from the query. All operators of aforementioned aircraft types, irrespective of country
of origin, are included. Military operators and accidents/incidents during test flights and training
flights were excluded. The number of flights associated with this query is 452 million flights for
the ADREP and Airclaims databases and 9 million flights for the airlines safety reports.
Airclaims and ADREP data

Airclaims and ADREP data only show one accident in which an aircraft encountered wind shear
immediately after rotation, forcing the aircraft into the ground. Two other incidents are reported
in which the aircraft had a tail strike after rotation. In one of those incidents the cause was
dedicated to wind shear and in the other there was a lot of crosswind, but this was not explicitly
indicated as the cause of the tail strike. In both situations, the aircraft continued the flight. In
these 3 accidents/incidents, no mention has been made regarding detection of wind shear or an
attempt to avoid it.
Airlines safety reports

Air safety report (ARS) databases from different airlines covering 9.5 million flights between
1997 and 2004 were analysed. The data sample included air safety reports from Western-built
aircraft, heavier than 5700 kg MTOW in commercial operations.. A query was performed on
keywords like wind shear, downdraft, microburst, and updraft and for the flight phases take-off
and (initial) climb. This query resulted in 514 occurrences, all of which were analysed with the
objective to quantify the frequencies of the events:
• Aircraft encounters a performance decreasing wind shear after rotation;
63
NLR-CR-2008-646
• Flight crew fails to detect wind shear and

• Flight crew fails to perform wind shear escape manoeuvre.
Analysis is sometimes difficult because the narratives of the occurrences do not always provide
sufficient information to draw any conclusions, and sometimes no additional information is
given at all. For this analysis, the following is considered:
• If the wind shear warning was false, the occurrence is considered to be “not applicable”;
• In some occurrences, wind shear was detected before take-off, leading to a rejected take-off
or to no take-off roll at all. These occurrences are also “not applicable”.
• The analysis distinguishes between cases with and without explicit wind shear warning. If
there is no wind shear warning, a wind shear encounter can be detected as rapid changes in
airspeed or rate of climb.
• The crew can react on wind shear (warnings) in various ways. The analysis identifies wind
shear encounters in which the crew performs any recovery action and occurrences in which
it is explicitly stated that standard operating procedures are followed, including e.g.
applying maximum or firewall thrust and pushing the TO/GA switch, which is a subset of
“any recovery action”.
These considerations lead to the following results:
Table 11 Number of wind shear occurrences per flight phase

Take-off (Initial) climb Take-off + (initial)
climb
Applicable to ESD 8 114 204 318
Sufficient information 108 187 295
Wind shear is detected 106 of 108 182 of 187 288 of 295
Wind shear warning 72 of 106 118 of 182 190 of 288
Crew avoidance/control actions 72 of 108 114 of 187 186 of 295
Wind shear escape manoeuvre 50 of 72 74 of 118 124 of 190
Initiating event
Using the results of the analysis of airlines safety reports, the frequency of the initiating event
can be determined as follows:
• 318 applicable occurrences;
• With an exposure of 9 million flights, this leads to a frequency of 3.53·10-5 per take-off.
64
NLR-CR-2008-646

The results show that the wind shear was detected in 288 out of 295 occurrences. The
conditional probability of ‘flight crew fails to detect wind shear’ in the event of a wind shear
encounter after rotations is 7/297 = 2.37·10-2.
Flight crew fails to perform wind shear escape manoeuvre

According to the definition of this pivotal event, we consider cases where the flight crew fails to
perform the full wind shear escape manoeuvre. According to the results, in 143 of 288
occurrences, the flight crew did not perform the wind shear escape manoeuvre, an estimated
probability of 4.97·10-1.
Collision with the ground

Airclaims and ADREP data showed only one accident in 452 million flights, resulting in a
probability of a collision with the ground given that the aircraft encounters wind shear after
rotation of 2.21·10-9 per take-off.

There are two situations that lead to the pivotal event “flight crew fails to maintain control:
• Flight crew fails to detect wind shear – this is estimated to happen with a probability of
2.37·10-2 × 3.53·10-5 = 8.37·10-7 per take-off; and
• Flight crew fails to perform wind shear escape manoeuvre – this is estimated to happen with
a probability of 4.97·10-1 × (1-2.37·10-2) × 3.53·10-5 = 1.71·10-5 per take-off.
In total, the probability that the crew gets into a situation in which they have to maintain control
is 1.79·10-5 per take-off.
The outcome is either a collision with the ground or the aircraft continues flight. The probability
that the crew indeed fails to maintain control resulting in a collision with the ground already is
estimated as 2.21·10-9 per take-off. This means that the conditional probability that the crew
fails to maintain control in the event of a wind shear encounter after rotation is 2.21·10-9 /
1.79·10-5 = 1.23·10-4.

There are two end states “aircraft continues flight”. The probability of ‘aircraft continues flight’
if the crew succeeds in maintaining control after an undetected wind shear or without
performing a wind shear escape manoeuvre is (1-1.23·10-4) × 1.79·10-5 = 1.79·10-5. The
probability of ‘aircraft continues flight’ after successfully performing a wind shear escape
manoeuvre is (1-4.97·10-1) × (1-2.37·10-2) × 3.53·10-5 = 1.73·10-5.
65
NLR-CR-2008-646
Scenario type: loss of control.

Phases: take-off.
Initiating event: aircraft encounters a performance decreasing windshear after rotation.
3.53·10-5
1.23·10-4
-2
2.21·10-9
Aircraft encounters a Flight crew fails 2.37·10 Flight crew fails
Unrecovered Collision
performance decreasing to detect wind- to maintain
loss of control with ground
windshear after rotation shear control
yes
1.79·10-5
Aircraft
no Flight crew fails continues
to perform flight
windshear
escape 4.97·10-1
manoeuvre 1.73·10-5
Aircraft
continues
flight
66
NLR-CR-2008-646
11 ESD9 - Single engine failure during take-off
11.1 Definitions
Single engine failure

For the purpose of this ESD, a single engine failure is defined as any failures of one of the
systems that correspond with the ATA codes between 6100 and 6197 or between 7100 and
8097.
Flight crew rejects take off

67
NLR-CR-2008-646

This pivotal event refers to the ability of the flight crew to maintain control of the aircraft, in
particular with respect to the aircraft’s flight- or ground path. This pivotal event does not
necessarily imply a failure or error by the flight crew. The ability of the flight crew to maintain
control of the aircraft is affected by human factors (fatigue, training etc), aircraft system
failures, weather conditions etc.

11.2 Quantification
Initiating event
The database of Service Difficulty Report (SDR) (see App. A) was used to estimate the
probability of occurrence of the initiating event. It is assumed that an engine failure can consist
of failures that correspond with the ATA codes between 6100 and 6197 or between 7100 and
8097. According to the data sample there were 8,745 engine related failures during take-off on a
total of 216 million flights. The estimated probability of occurrence is 4.05·10-5 per flight.
Pivotal event flight crew rejects take-off

Of the 8,745 engine failures during take-off that were reported in the SDR database, 6,999
resulted in a rejected take-off and 1,746 resulted in continuation of the take-off. Based on these
results, the conditional probability of ‘flight crew rejects take-off’ in the event of an engine
failure is estimated to be 8.00·10-1.
68
NLR-CR-2008-646
End states
To estimate the probability of runway overruns and veer-offs that are caused by engine failures
during take-off, the Airclaims accident and incident database was analysed. Only large Western-
built jets and turboprops in commercial operations between 1985 and 2005 were considered.
Business jets were excluded from the data sample. In the time frame under consideration, this
group conducted a total of 399 million flights. Results of the analysis are presented in table 12.
Table 12 Probability per flight for the different end states

Type of Abort Number of Frequency
occurrence speed occurrences per flight
Overrun V > V1 15 3.76·10-8
Veer-off V < V1 3 7.52·10-9
Overrun V < V1 4 1.00·10-8
Veer-off V > V1 2 5.01·10-9
Pivotal events
The conditional probability of an abort speed above V1 in the event of an engine failure during
take off is estimated to be 3.76·10-8 / (4.05·10-5 × 8.00·10-1) = 1.16·10-3.
The conditional probability of failure to maintain control in the event of a rejected take-off due
to an engine failure is 7.52·10-9 / (4.05·10-5 × 8.00·10-1 × (1-1.16·10-3)) = 2.32·10-4.
The conditional probability of ‘failure to achieve maximum braking’ in case of a rejected take-
off below V1 as a result of an engine failure is 1.00·10-8 / (4.05·10-5 × 8.00·10-1 × (1-1.16·10-3) ×
(1- 2.32·10-4) = 3.09·10-4.
The conditional probability of ‘flight crew fails to maintain control’ in case the take-off is
continued with an engine failure is 5.01·10-9 / (4.05·10-5 × (1-8.00·10-1)) = 6.19·10-4.
69
NLR-CR-2008-646
70
NLR-CR-2008-646
12 ESD10 - Pitch control problems
12.1 Definitions
Pitch control problem

For the purpose of this ESD, a pitch control problem can arise from a pitch control system
malfunction or difficulties related to the aircraft’s weight and balance. Only weight and balance
problems that may lead to a failure to rotate the aircraft are considered here. Weight and balance
problems that lead to over rotation and a subsequent risk of a wing stall are considered in ESD
7.

71
NLR-CR-2008-646
Aircraft fails to rotate and lift-off

This describes the situation where, when the aircraft reaches rotation speed VR, the aircraft
cannot be rotated and fails to lift off. This pivotal event describes a situation where the flight
crew does not abort the take-off, but continues the take-off attempt (i.e. engine remain at high
power) until the aircraft overruns the runway.
V> V1

This pivotal event refers to the ability of the flight crew to maintain control of the aircraft. This

72
NLR-CR-2008-646
Runway overrun
Runway veer-off
12.2 Quantification
Initiating event
The Service Difficulty Report (SDR) database (see App. A) has been used to determine the
contribution of pitch control system failures to the initiating event. According to the SDR
database, there have been 389 failures of ATA series 2730 (elevator) and 2740 (stabilizer)
during take-off, in a total of 216 million flights. This results in a frequency of 1.80·10-6 per
flight.
To determine the contribution of weight and balance problems to the initiating event, the Air
safety database was analysed. See also ESD 7. Initial search in the database resulted in 1179
occurrences related to the initiating event “aircraft weight and balance outside limits” in 9.5
million flights. This search included keywords like load, load sheet, weight, gravity, balance,
and considered all flight phases other than parked or cruise.
73
NLR-CR-2008-646
Using the classification of the source data it appears that 390 of the 1179 occurrences are related
to the take-off flight phase. Analysis of these 390 occurrences shows that 285 are possibly
applicable to ESD 10. These 285 can be classified as follows:
• 89 in which it is explicitly mentioned that the aircraft felt nose heavy on rotation;
• 45 in which it is explicitly mentioned that the aircraft felt tail heavy on rotation;
• 20 with an overweight take-off;
• 93 with incorrect load sheet information;
• 22 load shifts; and
• 16 of which the context is not exactly clear.
To quantify the initiating event, the following is assumed:

• Only occurrences with nose-heavy and overweight aircraft behaviour are relevant for this
initiating event.
• The occurrences with incorrect load sheet information and with the unknown context could
apply both to nose heavy and tail heavy aircraft behaviour but this is not explicitly stated.
Therefore, these occurrences are divided 2:1 (using the 89:45 division of nose heavy and tail
heavy occurrences) over applicable and not applicable to ESD 10.
With this, 89 +20+109×2/3 = 182 occurrences are applicable. With 9.5 million flights this leads
to a contribution to the probability of the initiating event of 1.91·10-5 per flight.
The total probability of the initiation event is estimated to be 1.80·10-6 + 1.91·10-5 = 2.09·10-5
per flight.
Pivotal event ‘flight crew rejects take off’

Analysis of the 389 pitch control system failures that are reported in the SDR database shows
that 313 pitch control system failures resulted in a rejected take-off, while 76 pitch control
system failures resulted in a continuation of the take-off.
Analysis of all 182 weight and balance related pitch control problems that are reported in the
Air Safety Database shows that none of those resulted in a rejected take-off.
The conditional probability of a rejected take-off in the event of a pitch control problem can
now be calculated. In one million flights, there will be an expected number of 1.80 pitch control
related system failures, which will result in 1.80 × (313/389) = 1.45 rejected take offs. In those
same one million flights, there will be an expected number of 19.1 weight and balance related
pitch control problems, resulting in no rejected take off.
74
NLR-CR-2008-646
In total, for the one million flights under consideration, there are 20.90 pitch control problems
and 0.869 rejected take-offs. The conditional probability of a rejected take-off in the event of a
pitch control problem is 1.45/20.90 = 6.93·10-2 per flight.
Runway overruns
A query in the ADREP and Airclaims databases has been performed to find runway overruns
that are caused by weight and balance problems (centre of gravity too much forward) or by pitch
control system failure (stabilizer or elevator). The scope of the query was flights from 1990 to
2005, Western-built aircraft with a MTOW of over 5700 kg in commercial operations. This set
has an exposure of 452 million flights. The following accidents could be identified:
Table 13 Number of occurrences per accident type

Accident type Number of
occurrences
Overrun with RTO, VRTO > V1 3
Overrun with RTO, VRTO < V1 1
Overrun with RTO, VRTO unknown 3
Overrun without RTO 1
Most of these accidents are related to weight and balance problems, either too much weight or a
centre of gravity that is more forward than calculated. In one additional accident, the aircraft
had pitch control problems (overweight), lifted off, and hit a building at the extended runway
centreline. This is considered outside the scope of this ESD.
Pitch control problems are often only discovered if the aircraft is already at rotation speed, i.e. at
a late stage of the take-off. If the crew decides to reject the take-off, this will be with a speed
close to V1. In the narratives of 3 accidents it is not explicitly stated whether the RTO speed is
above or below V1. Considering the division of the accidents with known RTO speeds (3 higher
and 1 lower than V1) it is decided to divide the 3 accidents as follows: 2 with an RTO speed
higher than V1 and 1 lower than V1. With 452 million flights, this gives the following results:
Table 14 Probability per flight for each end state

End state Number of Probability of
occurrences occurrence
Overrun with RTO, VRTO > V1 5 1.11·10-8 per flight
Overrun with RTO, VRTO < V1 2 4.42·10-9 per flight
Aircraft fails to rotate and lift-off 1 2.21·10-9 per flight
75
NLR-CR-2008-646
Runway veer-off
One of the possible outcomes of pitch control problems is a runway veer-off, which is the result
of the crew not maintaining control after a rejected take-off. In the list of accidents that has been
analysed, two runway veer-offs are found. However, in these 2 situations, the crew did maintain
control and steered the aircraft after the RTO on purpose to the side of the runway. Therefore,
these two situations are counted as runway overruns, not as runway veer-offs (see also the
definition of a runway overrun). Considering also that pitch control problems are not necessarily
leading to directional control problems, it is assumed here that the probability of a runway veer-
off after pitch control problems and a RTO is 0. With this, the conditional probability of the
pivotal event ‘flight crew fails to maintain control’ is 0.
V>V1
The conditional probability that V>V1 in the event of pitch control problems and a continued
take off is 1.11·10-8 / (2.09·10-5 × 6.93·10-2) = 7.66·10-3 per flight.

The conditional probability of a failure to achieve maximum braking in the event of pitch
control problems and a rejected take-off below V1 = 4.42·10-9 / (2.09·10-5 × 6.93·10-2 ×
(1- 7.66 ·10-3)) = 3.08·10-3 per flight.
Aircraft fails to rotate and lift-off

The conditional probability that the aircraft fails to rotate and lift off in the event of a continued
take-off with pitch control problems is 2.21·10-9 / (2.09·10-5 × (1 - 6.93·10-2)) = 1.14·10-4.
Aircraft stops on runway

The conditional probability that the aircraft stops on the runway is 2.09·10-5 × 6.93·10-2 ×
(1- 7.66·10-3) × (1- 3.08·10-3) = 1.43·10-6.

The conditional probability that the aircraft continues flight after pitch control problems during
take-off is 2.09·10-5 × (1 - 6.93·10-2) × (1 - 1.14·10-4) = 1.94·10-5.
76
NLR-CR-2008-646

Initiating event: pitch control problem.
2.09·10-5
6.93·10-2 7.66·10-3 1.11·10-8
Pitch control Flight crew Runway
V > V1
problem rejects take-off overrun
yes 3.08·10-3 4.42·10-9

Failure to
no achieve Runway
maximum overrun
braking
1.43·10-6
Aircraft
stops on
runway
1.14·10-4 2.21·10-9
Aircraft fails to
Runway
rotate and lift-
overrun
off
1.94·10-5
Aircraft
continues
flight
77
NLR-CR-2008-646
13 ESD11 - Fire onboard aircraft
Accident type: fire/explosion.

Flight phase: take-off, initial climb, en route, approach, landing.
Initiating Event: fire onboard aircraft.
Flight crew fails Flight crew fails Collision

Fire onboard Fire Unrecovered
to detect to maintain with
aircraft propagates loss of control
smoke/fire control ground
yes
Flight crew Aircraft
no
fails to continues
extinguish fire flight
damaged
Aircraft
continues
flight
damaged
Aircraft
continues
flight
damaged
13.1 Definitions
Fire onboard aircraft

This initiating event describes a situation where a combustible substance on-board the aircraft is
burning. The combustible material can be part of the aircraft’s payload, (e.g. cargo), systems
e.g. (fuel, oil, hydraulics) or interior (plastics etc). Indicators of a fire are (visible) flames, but
also visible smoke and a burning smell. Smoke and a burning smell may be generated even
before there is a real fire (e.g. smouldering plastics may generate smoke), but the difference
between smouldering and burning is often quite ambiguous. Cases where meals were
overheated causing a burning smell in the cabin were not considered to be cases of ‘fire on-
board aircraft’.
Flight crew fails to detect smoke/fire

Possible indicators of a fire are visible flames, visible smoke, burning smell, or an alert by fire
detection system. Most aircraft types are equipped with fire detection systems for the engines
and cargo areas. Modern aircraft also may display messages indicating that systems are
overheating. Detection capabilities are limited however, and fire detection systems are notorious
for the number of false warnings they generate. Small fires that die-out automatically may go
unnoticed, only to be detected after the flight during maintenance inspection.
Flight crew fails to extinguish fire

In most commercial transport aircraft there are three types of fire extinguishers:
• Engine fire extinguishers, remotely controlled from the cockpit
78
NLR-CR-2008-646
• Cargo bay fire extinguishers, remotely controlled from the cockpit

• Portable fire extinguishers, to be used for battling fire in the cockpit or the aircraft cabin.
Apart from these extinguishers there may be indirect ways in which the flight crew can
extinguish fires, such as shutting off the fuel lines to a burning engine.
This pivotal event refers to any situation where the fire is extinguished, either directly or
indirectly, through actions of the flight crew.
Fire propagates
The pivot event “Fire propagates” is defined as the situation in which the fire propagates to such
an extent that the flight is hampered by the fire. This could either be a failure of the flight
control system, a structural failure of the aircraft, or incapacitation of the crew.

In case of a flight control system failure, aircraft structural failure or flight crew incapacitation,
the flight crew may still be able maintain control and safely land the aircraft. This pivotal event
refers to the ability of the flight crew to maintain control of the aircraft. This pivotal event does
not necessarily imply a failure or error by the flight crew. The ability of the flight crew to
maintain control of the aircraft is affected by human factors (fatigue, training etc), aircraft
system failures, weather conditions etc.
13.2 Quantification
For quantification of this Event Sequence Diagram the Accident and Incident Database System
(AIDS) of the FAA was used. For this ESD, incidents and accidents from Part 121 flights in the
period 1990 to 2000 are selected. This selection corresponds to 100,860,778 departures.
Initiating event
The data sample from the FAA AIDS database contains 370 cases of genuine fires, which
corresponds with a frequency of 3.67·10-6 fires per flight. Details are presented in table 15. Only
‘genuine’ fires were considered, cases where meals were overheated causing a burning smell in
the cabin were not considered to be ‘genuine’ fires.
The most frequent type of fire is an engine fire: about 50 % of the occurrences are engine fires.
Electrical fires are the next most frequent type of fire. Other types of fire are less frequent. In
only 3 cases (0.81 %) the fire was not detected during the flight. In 216 (58.4 %) cases in the
data sample, the crew were able to extinguish the fire.
79
NLR-CR-2008-646
Table 15 Fire on-board aircraft

Location Number of Frequency
occurrences per flight
Engine 184 1.82·10-6
Electrical fires 106 1.05·10-6
APU 20 1.98·10-7
Cargo 9 8.92·10-8
Lavatory 9 8.92·10-8
Air conditioning 18 1.78·10-7
Cabin fire 23 2.28·10-7
Fuel tank 1 9.91·10-9
Accidents
Table 16 and table 17 provide an overview of all fatal loss of control accidents that were caused
by fire on-board the aircraft. Only ‘western-built’ aircraft heavier than 5,700 kg MTOW in
commercial operations between 1985 and 2005 were considered. A distinction is made between
large jet aircraft (more than 19 passengers) and small jet aircraft and turboprops. There have
been 7 cases of loss of control accidents due to fire for large jet aircraft. In the time-frame under
consideration, this group conducted a total of 309 million flights. The corresponding accident
frequency is 2.26·10-8 per flight. There have been 4 cases of loss of control for small jet aircraft
and turboprops. In the time frame under consideration this group conducted a total of 107
million flights. The corresponding accident frequency is 3.74·10-8 per flight. If no distinction is
made between large jet aircraft and small jet aircraft and turboprops, the accident frequency is
2.64·10-8.
Table 16 Fatal accidents of western-built jet aircraft in commercial operations in the period
1985-2003, more than 19 seats, loss of control caused by fire
Date Aircraft type Operator Location Cause of loss of control
31/03/86 Boeing 727 Mexicana Mexico Structural failure
28/11/87 Boeing 747 SAA Mauritius Exact cause unknown
11/07/91 DC-8 Nationair Jeddah, Saudi-Arabia Structural failure
11/05/96 DC-9 Valujet Miami. USA Flight control system
17/07/96 Boeing 747 TWA New York, USA Structural failure
02/09/98 MD-11 Swissair Nova Scotia, Canada Crew incapacitation
25/07/00 Concorde Air France Paris, France Structural failure
80
NLR-CR-2008-646
Table 17 Fatal accidents of western-built jet- and turboprop aircraft in commercial operations in
the period 1985-2003, 19 seats or less, loss of control caused by fire
Date Aircraft type Operator Location Cause of loss of control
10/06/85 Learjet 24 Euralair France (en route) Flight crew incapacitation
International
20/01/95 Dassault Unijet Paris, France Structural failure
Falcon 20
12/07/95 DHC-6 Twin Airlines of PNG Papua New Exact cause unknown
Otter Guinea
18/06/96 Fairchild Propair Montreal, Canada Structural failure
Metro II
Analysis of FAA’s AIDS database failed to find any cases of structural failure, flight control
system failure or flight crew incapacitation where the flight crew managed to maintain control.
It is therefore assumed that in the event of a fire which causes a structural failure, a flight
control system failure or flight crew incapacitation, the probability for the flight crew to
maintain control of the aircraft is 0.
81
NLR-CR-2008-646
14 ESD12 - Flight crew spatially disoriented

Flight phase: initial climb, en route, approach and landing.
Initiating Event: flight crew member spatially disoriented.
Flight crew member Flight crew fails

Unrecovered Collision with
spatially disoriented to maintain
loss of control ground
(1) control
yes Aircraft
continues
no flight
(1) Factors such as recognition of spatial disorentiation, hand over of control to

other crew member come under this event.
14.1 Definitions
Spatial orientation refers to a person’s ability to perceive motion, position and attitude in
relation to the surrounding environment. This capability depends upon the reception, integration
and interpretation of sensory inputs from visual, vestibular, muscular and skin receptors.
[Antuñano & Mohler, 1992].
Spatial disorientation occurs when a pilot has inadequate visual information or fails to attend to
or properly interpret available information regarding the airplane’s pitch and bank. Instead, a
disoriented pilot relies on cues that are often misleading. The most hazardous illusions that lead
to spatial disorientation result from ambiguous information received from motion sensing
organs located in each inner ear. The sensory organs of the inner ear detect angular accelerations
in the pitch, yaw, and roll axes and gravity and linear accelerations. During flight, the inner ear
organs may be stimulated by motion of the aircraft alone or along with head and body
movement [NTSB, 2003].
Quantification of ESD 12 is based on the assumption that spatial disorientation refers to

disorientation with respect to the attitude (pitch, roll and yaw) of the aircraft only.
Disorientation with respect to aircraft’s position and altitude are excluded. ESD 12 describes a
loss of control accident as a result of spatial disorientation. In this type of accident the pilot’s
perception of aircraft attitude relative to the surface of the earth and the gravitational vertical
plays a role, not his perception of position with respect to the surface of the earth. Situational
82
NLR-CR-2008-646
awareness regarding the aircraft position and altitude are relevant in the context of a potential
collision with terrain and are covered in ESD 35. Events where the flight crew lost situational
awareness and landed on a wrong runway, taxied along the wrong route, lined-up the wrong
runway etc., are covered by ESD 32.
It is often difficult to prove with certainty that spatial disorientation affected the pilot. However,
in many accidents, weather conditions in combination with the aircraft trajectory (e.g.
‘graveyard spin’) are strong indications that the flight crew was spatially disoriented.
Flight crew member spatially disoriented

The Initiating Event is defined as the situation that a flight crew member suffers spatial
disorientation, i.e. has inadequate visual information or fails to attend to or properly interpret
available information regarding the airplane’s pitch, roll or yaw angle or rate of rotation.

aircraft system failures, weather conditions etc. In this ESD the failure of the flight crew to
maintain control refers to a situation where a flight crew spatial disorientation event occurs. It is
then pivotal in the sequence of events whether any member of the flight crew detects the
disorientation and gives over or takes-over control in time to maintain control of the aircraft.

This end state refers to a possible outcome of a flight crew spatial disorientation event and
includes any sort of collision with terrain (ground, water) or obstacles that results in injuries or
fatalities or substantial damage to the aircraft.

This end state refers to the possible outcome of a flight crew spatial disorientation event when
the flight crew continues the flight to the destination airport or diverts the aircraft to another
airport. This includes occurrences where the non-affected pilot takes over control and
occurrences where the pilot(s) succeed(s) in overcoming the disorientation.
83
NLR-CR-2008-646
14.2 Quantification
14.2.1 Data sources

The following data sources have been used for quantifying the events in this ESD:
• NLR Air Safety Database;
• ASRS database;
• NTSB database.

A query was run in the NLR Air Safety Database to search for accidents and incidents related to
spatial disorientation. The time span was set to 1970 to 2003. Aircraft types include jet and
turboprop aircraft with a maximum take-off mass of more than 5700 kg in commercial
operations. Only ‘Western-built aircraft’ are considered, i.e. aircraft from manufacturers such as
Airbus, Boeing, McDonnell-Douglas, Lockheed, Fokker, Embraer etc. Aircraft from
manufacturers located in Eastern Europe (such as Let, Antonov, Tupolev and Ilyushin) and
China are excluded. The corresponding number of flights for this data sample is 750 million.
The query resulted in 28 accidents.
The data sample was further analysed to determine causal factors. The data sample was not
suitable to estimate the frequency of occurrence of spatial disorientation events as it includes
only accidents. Minor occurrences and incidents involving spatial disorientation without further
consequences are not captured in the data sample.
Results of the accident data analysis are summarised in table 18. In 24 of 28 accidents the
aircraft collided with the ground, in 4 cases the aircraft made a hard landing. 23 accidents were
fatal. In all 28 accidents the flight crew failed to maintain control, although in at least three
cases it is known or suspected that the crew detected the condition of spatial disorientation, but
failed to correct the situation or take-over control from the disoriented pilot.
The weather conditions at the time of the accident are often not detailed. About a third of the
accidents occurred at night. In 7 occurrences visual reference with the horizon and terrain was
obscured or lost due to (heavy) rain showers. In 8 occurrences visual reference was not available
because aircraft was flying in(to) clouds at the time of spatial disorientation. In 2 cases fog was
present during the accident.
Table 18 also shows the distribution of spatial disorientation accidents across different flight
phases. About 90% of the spatial disorientation accidents occur in the approach, landing, missed
approach and climb flight phase, which is understandable given that these flight phases are
84
NLR-CR-2008-646
typically the flight phases during which pilots manually fly the aircraft part of the flight. These
flight phases include also manoeuvring, which means accelerations, turns, descents, climbs)
which can be conducive to spatial disorientation.
Table 18 Results from data analysis of spatial disorientation related accidents

Number of Percentage of Accidents per
occurrence occurrences flight
Total accident sample 28 100% 3.73·10-8
Fatal accidents 23 82 % 3.07·10-8
Non-fatal accidents 5 18 % 6.67·10-9
Flight crew response

Detect spatial disorientation 3
Take over control 0
Maintain control 0
Consequence
Collision with ground 24 86 % 3.20·10-8
Hard landing 4 14 % 5.3310-9
Weather conditions
Rain 7
Night 10
Clouds 8
Fog 2
Aircraft system failure

ADI failure 5
Flight phase
Climb 8 28 %
En route 3 11 %
Missed approach 5 18 %
Approach 9 32 %
Landing 3 11 %
Source: NLR Air Safety Database
ASRS and NTSB database

The ASRS database was queried for incidents on spatial disorientation, illusion or vertigo. The
data sample was restricted to commercial Part 121 operations. Aircraft types include jet, and
turboprop aircraft with a maximum take-off weight of more than 5700 kg, operated in
commercial operations. Only ‘Western-built aircraft’ are considered, i.e. aircraft from
manufacturers such as Airbus, Boeing, McDonnell-Douglas, Lockheed, Fokker, Embraer etc.
85
NLR-CR-2008-646
Aircraft from manufacturers located in Eastern Europe (such as Let, Antonov, Tupolev and
Ilyushin) and China are excluded. The time span was selected as 1990 to 2004. The number of
flights corresponding to this time span and Part 121 operations is 143.5 million [NTSB, 2005].
The ASRS query resulted in 12 pilot reports of in-flight spatial disorientation. All occurrences
were classified as incidents and none of them resulted in a collision with terrain. Table 19 shows
the results of the analysis of these occurrences. In 9 of the 12 events the flight crew reported that
they were manually flying the aircraft, in 3 cases information on whether the crew was manually
flying or flying on autopilot was not available. In the majority of the occurrences the pilot(s)
recognised the spatial disorientation, but did not hand over control. In all cases the flight crew
was able to maintain control, relaying on their instruments. In one case the aircraft developed a
high bank angle before the flight crew recognised the spatial disorientation and unusual attitude,
after which they regained control. The consequences of the loss of spatial orientation are listed
in table 19. Most events of spatial disorientation occurred in the approach phase (7), followed
by climb phase (3). This result matches the distribution across flight phases that we found in the
NLR Air Safety Database query.
In addition to the NLR Air Safety Database and ASRS database a query was run in the NTSB
database to search for incidents related to spatial disorientation, vertigo or illusions. The query
was limited to Part 121 commercial operations between 1990 and 2004. Of the data sample
returned by the NTSB database query one incident was relevant for this study and has been
included in the results in table 19.
86
NLR-CR-2008-646
Table 19 ASRS incident data on spatial disorientation occurrences

Number of Probability
Spatial disorientation event 3 (all classified as incidents) 12 4 8.36·10-8
Flight crew response

Detect spatial disorientation 8
Takeover control 0
Maintain control 11
Momentary loss of control 1
Flight crew manual flying 9

Manual flying or autopilot status unknown 3
Consequence (end state) Rate

Continue flight 12
Hard landing 1 6.97·10-9
Altitude bust 4 2.79·10-8
Weather conditions
Rain 1
Night 7
Clouds 5
Fog 0
Aircraft systems
Instrument failure 1
Flight phase Percentage

Climb 3 25%
En route 2 17%
Missed approach 1 8%
Approach 6 50%
Landing 0
Source: NTSB and ASRS database.
14.2.2 Summary
Quantification Initiating Event
The best estimate that we currently can derive from accident and incident data yields a
frequency of in-flight spatial disorientation of 8.36·10-8 per flight. This number is based on
ASRS data, which is a voluntary reporting system. The data reliability is poor and a degree of
underreporting is suspected.
3
All events were classified as incidents
4
The small sample size does not allow conclusions that are statistically significant.
87
NLR-CR-2008-646
Quantification Pivotal Event ‘Flight crew fails to maintain control’

Given spatial disorientation the conditional probability of a flight crew failing to maintain
control is 3.83·10-1. This number is derived from the frequency of spatial disorientation
occurrences and the frequency of spatial disorientation events resulting in a collision with
ground. The frequency of spatial disorientation was determined using ASRS data which has
limited reliability.
End state ‘collision with ground’

The probability of a ground collision as result of spatial disorientation is 3.20·10-8.
End state ‘aircraft continues flight’

The probability of a continued flight after a spatial disorientation event is estimated as 8.36·10-8
× (1- 3.83·10-1) = 5.16·10-8 per flight.

Initiating Event: flight crew member spatially disoriented.
8.36·10-8 3.83·10-1
3.20·10-8
Flight crew fails
Flight crew member Unrecovered Collision with
to maintain
spatially disoriented loss of control ground
control
5.16·10-8
yes Aircraft
continues
no flight
88
NLR-CR-2008-646
15 ESD13 - Flight control system failure

Initiating Event: flight control system failure.
Flight crew fails

Flight control Controllability Unrecovered Collision with
to maintain
system failure problems loss of control ground
control (1)
yes Aircraft
continues
no flight
(1) Maintaining control is influenced by factors such as type of failure, crew

response to the system failure, training, aircraft handling by crew etc
15.1 Definitions
Flight control system failure

For the purpose of this ESD, a flight control system failure is defined as a failure of any of the
following systems:
• Aileron system ATA 2710-2719
• Rudder system ATA 2720-2729
• Elevator system ATA 2730-2739
• Stabilizer system ATA 2740-2749
• Other ATA 2700-2709 & ATA 2750-2797

15.2 Quantification
The database of Service Difficulty Reports (SDR) (see App. A) has been used to determine the
number of flight control system failures. A failure of any of the following systems was
considered to be a ‘flight control system’ failure:
89
NLR-CR-2008-646
ATA 2710-2719 Aileron system

ATA 2720-2729 Rudder system
ATA 2730-2739 Elevator system
ATA 2740-2749 Stabilizer system
ATA 2700-2709 & ATA 2750-2797 Other
The data sample contained a total number of 7,789 flight control system failures during the
flight phases (initial) climb, en-route, descent, approach and landing. The corresponding number
of flights is 215,800,000. The results are presented in table 20. The estimated probability of a
flight control system failure is 3.61·10-5 per flight.
Table 20 Flight control system failure ATA codes, SDRs and failure rates
Number of Number of failures
System ATA code
SDRs per flight
Aileron 2710 – 2719 454 2.10·10-6
Rudder 2720 – 2729 512 2.37·10-6
Elevator 2730 – 2739 545 2.53·10-6
Stabilizer 2740 – 2749 510 2.36·10-6
Other 2700 – 2709 & 2750 – 2797 5768 2.67·10-5
Total 2700 – 2797 7789 3.61·10-5
Airclaims database
The number of collisions with the ground due to flight control system failures has been
determined from the Airclaims database. The time span was set to 1985-2005. Aircraft types
include jet, turbofan and turboprop aircraft with a Maximum Take-off Weight of more than
5700 kg, operated in commercial operations (passenger and cargo flights). Aircraft
and accidents/incidents during test flights and training flights were excluded. The number of
flights associated with this query is 309 million flights. (1985-2005).
The analysis identified 11 loss-of-control accidents that were initiated by flight control system
failures. The estimated frequency of occurrence is 3.56·10-8 per flight.
The estimated conditional probability of occurrence of a failure of the flight crew to maintain
control in the event of a flight control system failure is 3.56·10-8 / 3.61·10-5 = 9.86·10-4 .
90
NLR-CR-2008-646
91
NLR-CR-2008-646
16 ESD14 - Flight crew incapacitation
16.1 Definitions
Initiating Event Flight crew incapacitation

Incapacitation is the inability of any required flight crew member (i.e. captain, first officer or
flight engineer) to perform prescribed flight duties as a result of reduced medical fitness. In
medical literature distinction is made between impairment and incapacitation, but in this study it
is assumed that flight crew incapacitation covers both incapacitation and impairment of a flight
crew member. Incapacitation or impairment events related to cabin crew are excluded.
In general, flight crew incapacitation can be health related, hypoxia or caused by asphyxiation.
ESD 14 covers flight crew incapacitation due to a health related factor or hypoxia. Flight crew
incapacitation due to asphyxiation is covered in ESD 11 (in-flight fire). Accordingly, the
frequency of occurrence of flight crew incapacitation in this ESD pertains to flight crew
incapacitations as a result of health related problems or hypoxia.
Pivotal Event Flight crew fails to maintain control

aircraft system failures, weather conditions etc. In this ESD the failure of the flight crew to
maintain control refers to a situation where a flight crew incapacitation event occurs. It is then
pivotal in the sequence of events whether the affected or unaffected flight crew member detects
the incapacitation, gives over or takes over control in time to maintain control of the aircraft.
92
NLR-CR-2008-646
End State Collision with ground

This end state refers to a possible outcome of a flight crew incapacitation event: the aircraft
impacts terrain (ground, water) or obstacles, which results in injuries, fatalities or (substantial)
damage to the aircraft.
End State Aircraft continues flight

This end state refers to the possible outcome of a flight crew incapacitation: the flight crew
continues the flight to destination airport or diverts the aircraft to another airport due to medical
emergency (flight crew incapacitation).
In some occurrences in which a flight crew member became incapacitated or impaired the other
pilot took over control of the aircraft or the incapacitated/impaired pilot was replaced by a relief
pilot. This situation is classified as ‘aircraft continues flight’.
16.2 Quantification
16.2.1 Data sources

To quantify the events in the ESD multiple data sources have been used:
• NLR Air Safety Database;
• Occurrence data from an airline;
• Medical research (see references).
16.2.2 Results
There have been relatively few recent studies on-flight crew incapacitation. Some studies in this
area are relatively old (1970s and 1980s), which may not represent the situation today with
respect to current medical knowledge, medical examinations, medical regulations etc. A
relevant data source providing quantitative data is a study conducted into in-flight medical
incapacitation of U.S. airline pilots (1993-1998) [DeJohn, et al., 2004]. The study deals with
medical related incapacitation and impairments, including incapacitation as a result of hypoxia,
and excludes incapacitation as a result of asphyxiation. For quantification of the frequency of
flight crew incapacitation events, operator data is the most reliable source. Other sources,
including [DeJohn et al, 2004] and [Martin-Saint-Laurent et al., 1990] admittedly suffer from
underreporting and therefore cannot be used for quantification of the initiating and pivotal
event.
93
NLR-CR-2008-646
European operator data

Airline occurrence data from a European operator 5 contains five flight crew incapacitation
events in the time span 1997 to 1998. The corresponding number of flights in this period is
107,000, which yields a frequency of an incapacitation event of 4.67·10-5 per flight.
Literature
Two important studies on flight crew incapacitation are [DeJohn et al., 2004] and [Martin-Saint-
Laurent et al., 1990]. [DeJohn et al., 2004] estimates the probability of an accident related to
flight crew incapacitation. Two of 217 accidents in the study’s data sample are related to
medical incapacitation, which yields 3.7·10-8 as probability of an accident per flight as result of
medical incapacitation. No passenger fatality occurred in the accidents as a result of flight crew
incapacitation in the data sample, however there were some occurrences with passenger injuries
as a result. An in-flight crew incapacitation was considered an accident when the affected pilot
died in-flight. In 5 of 7 cases where flight safety was considered severely impaired, the
unaffected pilot took over the controls. In 2 cases the affected pilot remained in control, which
resulted in an accident.
Different categories of medical incapacitation are distinguished (see Tab. 21). Loss of
consciousness, gastrointestinal, neurological, cardiac and urological are the most frequent
categories. Consequences of in-flight incapacitations are listed in table 22. Continuation of
flight and diversion were the most frequently observed ‘consequence’ of a flight crew
incapacitation event in [DeJohn et al., 2004].
Table 21 Categories of health related flight crew incapacitation [DeJohn et al., 2004]
Number of events in Percentage of events in
data sample data sample
Loss of consciousness 9 23 %
Gastrointestinal 6 15 %
Neurological 6 15 %
Cardiac 5 13 %
Urological 3 8%
Hypoxia 2 5%
Miscellaneous 8 21 %
Total health related 39 100 %
incapacitations
5
The data itself is confidential. The airline conducts world wide commercial operations with large (> 5,700 kg MTOW )
Western-built jet aircraft.
94
NLR-CR-2008-646
Table 22 Consequences of flight crew incapacitation [DeJohn et al., 2004]

Consequence given flight crew Number of events in Rate per incapacitation
incapacitation data sample event 1) 2)
Collision with ground 2 0.04
Diversion 22 0.44
Continue flight 26 0.52
Fatal passenger 0 0.0
Fatal crew 4 0.08
1) more than one medical event per flight is possible (e.g. hypoxia)
2) total of 50 incapacitation/impairment events
According to [Martin-Saint-Laurent et al., 1990], seven out of ten incapacitations occurred in

cruise flight, two in approach, and one on ground. The data sample of this study ranges from
1968 to 1988.
According to [James, 1991], 58% of incapacitation incidents are related to gastrointestinal

problems. This information is based on a survey among airline pilots.

In the NLR Air Safety Database a query was run to search for accidents and incidents related to
flight crew incapacitation. The time span was set to 1970-2003. Aircraft types include jet,
turbofan and turboprop aircraft with a Maximum Take-off Weight of more than 5700 kg,
Fokker, Embraer. Airframe manufacturer from former USSR or Eastern-block countries (e.g.
types, irrespective of country of origin, are included. The number of flights associated with this
query is 750 million flights.
The NLR data sample is not representative to estimate the conditional probability of an accident
given flight crew incapacitation, because the data sample is skewed towards accidents. Operator
data provides better quality information to estimate the frequency of in-flight incapacitation.
The query in the NLR Air Safety Database yields 118 incidents and accidents related to pilot
incapacitation. In the majority of the 118 accidents and incidents no information was available
to be able to make a distinction between incapacitation and impairment. Therefore all
occurrences were classified as a flight crew incapacitation event.
95
NLR-CR-2008-646
In 14 of the 118 incidents and accidents related to pilot incapacitation only crew fatalities
occurred. In 4 of these 118 occurrences both crew and passenger fatalities occurred, while in
one occurrence only passenger fatalities occurred.
Taking into account the number of flights corresponding to the data sample, the following rates
are derived:
• Pilot incapacitation occurrence (accident or incident) is 1.6·10-7 per flight.
• Pilot incapacitation occurrence with fatalities amongst passengers or crew is 2.5·10-8 per
flight.
• Pilot incapacitation occurrence with fatalities amongst passengers is 6.7·10-9 per flight.
Table 23 and figure 7 show the distribution of the flight crew incapacitation by flight phase, as
found in the NLR Air Safety Database.
Table 23 Distribution of flight crew incapacitation across flight phases

(NLR Air Safety Database)
Flight phase of Number of Percentage of
incapacitation event events in data events in data
sample sample
Taxi 4 3%
Take-off 1 1%
Climb 13 11 %
Cruise and descent 91 77 %
Approach 6 5%
Landing 1 1%
Unknown 2 2%
Total 118 100%
96
NLR-CR-2008-646
Flight Crew Incapacitation by Flight Phase

(source: NLR Air Safety Database, 1970-2003)
Unknown
Landing
Approach
Cruise and descent
Climb
Take-off
Taxi
0 10 20 30 40 50 60 70 80 90 100
Number of events
Fig. 7 Distribution of incapacitation/impairment occurrences across flight phases
The consequences of the incapacitation occurrences found in the NLR Air Safety Database are
listed in table 24. Data in table 24 on diversion and continuation of flight are not reliable due to
the fact that the NLR Air Safety Database has a bias towards accidents. It therefore does not
contain a representative sample of incidents to estimate frequency of diversion.
Table 24 Consequences of flight crew incapacitation/impairment

(NLR Air Safety Database)
Consequence given flight Number of Rate per
crew incapacitation. events incapacitation
event 2)
Collision with ground 7 0.06
1)
Diversion 32+28 0.51
Continue flight 23+281) 0.43
Fatal passenger 5 0.04
Fatal crew 18 0.15
1) Category ‘Unknown consequence’ is equally divided between
‘diversion’ and ‘continue flight’.
2) 118 incapacitation events in total
In the NLR Air Safety database relatively more accidents than incidents involving flight crew
incapacitation are found compared to [DeJohn et al., 2004]. In the NLR data sample 18 of 118
97
NLR-CR-2008-646
occurrences involve fatalities (i.e. the event is classified as an accident), while according to
[DeJohn et al., 2004] 2 of 47 flights in which incapacitation or impairment occurred resulted in
an accident. We have calculated the accident probability as result of flight crew incapacitation
with the NLR Air Safety Database data sample, in combination with the frequency of flight
crew incapacitation from operator data.
The NLR Air Safety Database contains a representative, reliable, set of accidents with which the
probability of collision with ground given flight crew incapacitation is estimated as follows.
Seven cases of collision with ground after pilot incapacitation occurred in 750 million flights,
which is a frequency 9.33·10-9 per flight. Taking into account the probability of flight crew
incapacitation (4.67·10-5) from operator data, the probability of collision with ground given pilot
incapacitation then becomes: (9.33·10-9)/4.67·10-5 = 2.00·10-4. This result yields a probability of
1-2.00·10-4 = 0.9998 for a diversion or continuation of flight after pilot incapacitation.
Note
Simulator studies have been conducted in which a subtle incapacitation was simulated
[Chapman, 1984]. In 8 of 500 simulator flights it resulted in an accident when incapacitation
occurred in critical stage of flight, occasionally together with system failure. When subtle
incapacitation occurred without system failures 2 out of 800 simulator flights resulted in
accident. In other words one accident occurred in 400 simulated incapacitations (2.50·10-3 per
incapacitation). This result is one order of magnitude higher than our estimate, but our estimate
includes flight crew impairment and is not limited to complete incapacitation.
98
NLR-CR-2008-646
17 ESD15 - Anti-ice/de-ice system not operating
17.1 Definitions
This ESD describes a loss of control due to ice accretion on the aircraft’s outside structure
and/or control surfaces. Such ice accretion can occur if the aircraft’s anti-icing or de-icing
system is not operating while the aircraft flies in icing conditions or if the icing conditions are
so severe that they exceed the certification envelope of the aircraft. Icing of the pitot-static
system is not covered in this ESD. If the pitot-heat is for example not turned on, ice build-up
may cause erratic airspeed indications. This type of event is covered by ESD 16 ‘Flight
instrument failure’. Excluded from this ESD are control problems due to ice inside the aircraft’s
structure. This can occur if trapped water (e.g. resulting from a blocked drain) or other fluids
freezes and jams the flight control system. These types of occurrences are covered by ESD 13
‘Flight control system failure’.
In the ESD the Initiating Event, Pivotal Events and End States are defined as follows.
Ice accretion on aircraft in flight

This event refers to ice accretion on the aircraft’s outside structure, i.e. fuselage, wing, tail, and
flight control surfaces. Even if anti-ice/de-ice systems are operating ice accretion may occur.
The icing conditions may be so severe that they exceed the ‘certification envelope’ of the
aircraft. Other phenomena like ice bridging or ice accretion on parts of the aircraft that can not
be de-iced may contribute to controllability and performance problems.
Flight crew fails to respond appropriately to ice accretion

This pivotal event refers to the flight crew action following flight into icing conditions. When
ice accretion occurs, the flight crew’s awareness of icing conditions, the detection of ice
accretion on the aircraft and adequate awareness of associated risks will influence the flight
99
NLR-CR-2008-646
crew response. Appropriate response is to avoid or exit icing conditions and to operate the anti-
ice/de-ice systems.

This pivotal event refers to the ability of the flight crew to maintain control of the aircraft after
performance and controllability has degraded due to ice accretion on the aircraft. This pivotal
event does not necessarily imply a failure or error by the flight crew. The ability of the flight
crew to maintain control of the aircraft is in general affected by human factors, aircraft system
failures, weather conditions, operating procedures, available altitude for a recovery manoeuvre
etc. The flight crew may experience controllability problems or aircraft performance
degradation (e.g. reduced rate of climb, speed drop) as a result of ice accretion, which may be
overcome by descending or exiting icing conditions.
In some occurrences ice accretion causes a temporary loss of control which is then restored by
the flight crew. In this ESD such occurrences are classified ‘flight crew maintains control’
leading to end state ‘aircraft continues flight’ as opposed to an unrecovered loss of control.

This end state refers to a possible outcome of an aircraft flying in icing conditions while the
anti-ice/de-ice systems do not operate: the aircraft impacts terrain (ground, water) or obstacles,
which results in injuries, fatalities or (substantial) damage to the aircraft.

This end state refers to the situation that the flight crew continues the flight to the destination
airport, returns to the airport of departure or diverts to another airport.
If ice accretion on the aircraft structure leads to ice or snow ingestion in the engine and
subsequently causes an engine failure and potentially controllability or performance problems,
the occurrence is regarded as leading to end state ‘aircraft continues flight’. In the Master Logic
Diagram that combines all ESDs this occurrence will then link to ESD 9 which describes a
(potential) loss of control after an engine failure.
17.2 Quantification

A query was run in the NLR Air Safety Database to search for loss of control accidents and
incidents related to ice accretion on the aircraft structure. The time span was set to 1990-2003.
Aircraft types include jet, turbofan and turboprop aircraft with a Maximum Take-off Weight of
100
NLR-CR-2008-646
more than 5,700 kg in commercial operations (passenger and cargo flights). Aircraft
and accidents/incidents during test flights and training flights are excluded.
In a number of investigation reports on loss of control accidents due to in-flight ice accretion,
reference was made to previous, related, accidents and incidents. Several of these referenced
accidents and incidents complemented the NLR Air Safety Database query results. The reports
are listed in the reference section of this report.
The number of flights associated with this query is 387 million flights. The dataset contains 45
accidents and incidents related to a (temporary) loss of control in flight as result of ice accretion
on the aircraft. The distribution of occurrences across flight phases is shown in figure 8.
Accidents/incidents related to loss of control as result of ice accretion
unknown 2
climb 11
enroute 11
descent 4
approach 14
landing 3
0 2 4 6 8 10 12 14 16
Number of occurrences
Fig. 8 Distribution of accidents/incidents related loss of control as result of ice accretion on

aircraft [NLR Air Safety Database 1990-2003]
Operation of anti-ice/de-icing system while in icing conditions

The data sample of 45 accidents and incidents was analysed to determine whether the flight
crew operated the anti-ice/de-icing systems of the aircraft in icing conditions. It was found that
in 15 events the anti-ice/de-ice system was not activated and in 3 events the system was
101
NLR-CR-2008-646
inoperative. In 14 occurrences it is not known whether the crew had activated the system. In 12
occurrences the crew operated the anti-ice/de-ice system, but still a (temporary) loss of control
occurred. In 2 occurrences the ice accretion was so severe that the de-ice/anti-ice systems could
not cope with the icing conditions.
Flight crew response in case of ice accretion

In all 45 accidents and incidents some degree of ice accretion on the aircraft occurred. In 25
occurrences (56%) the flight crew failed to respond appropriately to the ice accretion on the
aircraft, while in 18 (40%) events the flight crew response was considered appropriate (e.g.
activate de-icing/anti-icing systems or exit icing conditions). In two cases (4%) the data
contains no information on the crew response. In 8 of the 25 inappropriate response cases an
unrecovered loss of control and subsequent collision with terrain occurred. In 17 of the 25
inappropriate response cases the flight crew continued flight. In all 20 events in which the flight
crew response to the ice accretion was appropriate, the flight continued.
The ability of the flight crew to maintain control of the aircraft following ice accretion is
summarised in table 25.
Table 25 Flight crew response to ice accretion

If flight crew response to ice accretion is inappropriate:
Collision with terrain 8
Aircraft continues flight 17
If flight crew response to ice accretion is appropriate:
Collision with terrain 0
Aircraft continues flight 20
45 incidents and accidents related to in-flight ice
accretion.
ASR databases of various airlines

Air Safety Report (ASR) databases from different airlines were analysed for events involving
anti-/de-icing systems and icing problems. The ASR database covers 9 million flights in a
period between 1998 and 2004. The ASR database contains 177 occurrences where either ice
accretion on the aircraft was reported or (part) of the aircraft’s anti/de-ice system failed while
the aircraft was flying in icing conditions. This corresponds to a frequency of 1.97·10-5 per
flight.
102
NLR-CR-2008-646
17.3 Results
Initiating event ‘ice accretion on aircraft in flight’
Based on the analysis of ASR data, the estimated probability of occurrence of in-flight ice
accretion is 1.97·10-5 per flight.
End states ‘collision with ground’

According to the analysis of the Air Safety Database there have 8 been loss of control and
subsequent collision with ground accidents due to ice accretion in 387 million flights. The
estimated probability of this end state is 2.07·10-8 per flight.
End state ‘aircraft continues flight’ when crew has failed to respond appropriately
According to the analysis of the Air Safety Database there have 17 occurrences in 387 million
flights where the flight crew failed to respond appropriately respond to in-flight ice accretion,
but control of the aircraft was not lost. The estimated probability of this end state is 4.39·10-8 per
flight.
Flight crew ‘fails to respond appropriately’ to ice accretion

The conditional probability that the flight crew fails to respond appropriately to ice-accretion on
the aircraft is (2.07·10-8 + 4.39·10-8) / 1.97·10-5 = 3.28·10-3.
Flight crew ‘fails to maintain control’

The conditional probability of the flight crew failing to maintain control after inappropriate
response to ice accretion is 2.07 10-8 / (1.97·10-5 × 3.28·10-3) = 3.20·10-1.
103
NLR-CR-2008-646
18 ESD16 - Flight instrument failure

Initiating Event: flight instrument failure.
Flight crew fails

Flight instrument Unrecovered Collision
to maintain
failure loss of control with ground
control
yes Aircraft
continues
no flight
18.1 Definitions
Flight instrument failure

For the purpose of this ESD, a flight instrument failure is defined as a failure of the flight
instrument(s) to correctly display airspeed, altitude or attitude of the aircraft. In the case of dual
instruments and/or if a standby instrument is available, even a failure of only one of the
instruments to correctly display is considered to be a ‘flight instrument failure’.

flight crew to maintain control is affected by human factors (fatigue, training etc), aircraft
system failures, weather conditions, etc.
18.2 Quantification
The probability of occurrence of the initiating events is estimated by analysing the Service
Difficulty Report (SDR) database (see App. A). Query 1 below has been used to count the flight
instrument failures during initial climb, en route, approach and landing. Instrument failures
during take-offs without a rejected take-off are included as well. It is assumed that flight
instrument failures can consist of failures that correspond with the ATA codes described in table
26 and Query 1. This data corresponds to a total of 216 million flights.
104
NLR-CR-2008-646
Table 26 ATA codes defining “flight instruments”

ATA Description Number of Rate per
code SDRs flight
3414 Airspeed/Mach indicator 133 6.16 10-7
3416 Altimeter, barometric / encoder 308 1.43 10-6
3417 Air Data Computer 445 2.06 10-6
3420 Attitude and direction data system 248 1.15 10-6
3421 Attitude gyro and indicator system 282 1.31 10-6
TOTAL 1416 6.56 10-6
Query 1:
c15 Year Between “1985” And “2003”
c35 Air Carrier or General Aviation “A”
c40 ATA code 3414 Or 3416 Or 3417 Or 3420 Or 3421
c314a 1st occurrence Not Like “aborted takeoff”
c330 Stage of operation code Not Like "in" And Not Like "nr" And
Not Like "tx" And Not Like "uk"
c604 Aircraft wing type code Not Like “g”
A query was run in the ADREP and Airclaims databases to search for accidents and incidents
related to flight instrument failures. The time span was set to 1990-2005. Aircraft types include
jet, turbofan and turboprop aircraft with a Maximum Take-off Weight of more than 5700 kg,
types, irrespective of country of origin, are included. Military operators, and accidents/incidents
query is 452 million flights (1990-2005). Six accidents were identified (Tab. 27) resulting in an
estimated probability of occurrence of 1.33·10-8 per flight.
105
NLR-CR-2008-646
Table 27 World-wide flight instrument failure accidents between 1990 and 2003
Date A/C type Airline Location Failure
06/06/92 B737-204 COPA Panama Attitude
02/06/96 B757-200 Birgenair Dominican Speed

Republic
02/10/96 B757-23A Aeroperu Peru Speed / Altitude
10/10/97 DC9-32 Austral Lineas Uruguay Speed

Aeras
18/03/98 SAAB 340 Formosa Airlines Taiwan Instrument failure
2212/99 B747-2B5F Korean Airlines Stansted Attitude
The conditional probability of ‘flight crew fails to maintain control’ in the event of a flight
instrument failure is estimated to be 1.33·10-8 / 6.56·10-6 = 2.02·10-3.

Initiating Event: flight instrument failure.
6.56·10-6 2.02·10-3
1.33·10-8
Flight crew fails
Flight instrument Unrecovered Collision
to maintain
failure loss of control with ground
control
6.55·10-6
yes Aircraft
continues
no flight
106
NLR-CR-2008-646
19 ESD17 - Aircraft encounters adverse weather
Accident type: structure overload

Flight phase: initial climb, en route, and approach.
Initiating Event: aircraft encounters adverse weather.
Ultimate
Aircraft encounters In flight
design load
adverse weather break-up
exceeded
yes
no Flight crew fails Collision

Unrecovered
to maintain with
loss of control
control ground
Personal
injury
19.1 Definitions
Aircraft encounters adverse weather
For the purpose of this ESD, an adverse weather encounter is defined as an encounter with
severe turbulence that results in occupant injuries, an aircraft upset or structural damage to the
aircraft as a result of overstress of the aircraft’s structure.
Ultimate design load exceeded

This event is defined as an occurrence where the ultimate design load of the aircraft is exceeded
as a direct result of the aircraft’s encounter with adverse weather. This occurrence will result in
an in-flight break-up of the aircraft.

An encounter with adverse weather may result in an unusual aircraft attitude. This pivotal event
describes whether the flight crew is able to maintain control of the aircraft in the event of an
adverse weather encounter.
Personal injury
One or more occupants receive minor, serious or fatal injuries as a direct result of the aircraft’s
encounter with adverse weather. An encounter with adverse weather may result in injuries to
passengers or crew when people fall to the ground, hit the aircraft’s ceiling or are hit by loose
objects such as service trolleys.
107
NLR-CR-2008-646
19.2 Quantification
related to adverse weather. The time span was set to 1990-2005. Aircraft types include jet,
turbofan and turboprop aircraft with a Maximum Take-off Weight of more than 5700 kg,
types, irrespective of country of origin, are included. Military operators and accidents/incidents
query is 452 million flights (1990-2005).
Initiating event
According to the dataset, there have been 324 accidents and incidents involving encounters with
adverse weather. The corresponding probability of occurrence of an adverse weather encounter
is 324 / 4.52·108 = 7.16·10-7 per flight.
End states
Table 28 shows the resulting number of occurrences for the various events and end states of the
ESD. The dataset contained no accidents in which the ultimate design load was exceeded
resulting in an in flight break-up. In 2 occurrences the flight crew failed to maintain control and
the aircraft subsequently collided with the ground. The remaining 322 adverse weather
encounters resulted in personal injury.
Table 28 Results of analysis of adverse weather related accidents

ADREP and Airclaims (1990-2005, 452 million flights)
End state Number of Probability
In flight break-up 0 0
Collision with ground 2 4.42·10-9
Personal injury 322 7.12·10-7
Pivotal event
Based on the results of this analysis, the conditional probability that the ultimate design load is
exceeded when an aircraft encounters adverse weather is 0.
Based on the results of this analysis, the conditional probability that the flight crew fails to
maintain control if adverse weather is encountered is 4.42·10-9 / 7.16·10-7 = 6.17·10-3.
108
NLR-CR-2008-646
109
NLR-CR-2008-646
20 ESD18 - Single engine failure in flight
20.1 Definitions

Single engine failure is defined as a significant loss of thrust from one of the aircraft’s
propulsion systems. Single engine failures also include cases where the engine detaches from
the aircraft. Engine fires are not included here but are incorporated in ESD11. Only engine
failures during climb, en-route or approach are considered. Engine failures during the take-off
roll are addressed in ESD 9, engine failures in the landing roll in ESD 28.
Dual engine failure

Dual engine failure is defined as a significant loss of thrust from two of the aircraft’s propulsion
systems.
Flight crew fails to restore engine power

Failure of the flight crew to restore the amount of thrust from the propulsion system to similar
values as before the occurrence of the initiating event.
Flight crew shutdown wrong engine

Event in which, after the occurrence on a single engine failure, the flight crew accidentally shut
down an engine that is performing adequately, whereas the intention of the crew is to secure the
suspected faulty engine.
110
NLR-CR-2008-646

This pivotal event refers to the ability of the flight crew to maintain control following an engine
failure. The asymmetric thrust that results from the engine failure limits the control authority
and may result, possibly in combination with other circumstances such as crosswind, in a failure
to maintain control.
Aircraft unable to reach airport

Occurrence in which the aircraft, given an absence of thrust, is not able to reach a suitable
airfield for landing and position itself correctly for a successful landing on one of the airfield’s
runways.
20.2 Quantification
To derive the probability of a single engine failure, operational data from a large western
European airline has been used. This airline operates western-built jet aircraft in worldwide
commercial operations. The data set consists of 286,753 flights from the year 2001. This set
contains 79 occurrences of an engine failure. There were no dual engine failures. The set did not
include cases where the flight crew was able to restore engine power. The corresponding engine
failure probability is estimated to be 79/286,753 = 2.75·10-4 per flight.
To estimate the frequency of accidents/incidents due to engine failures the Airclaims accident
and incident databases was analysed. The data sample included large western-built jets and
turboprops in commercial operations between 1985 and 2005, representing 399 million flights.
Business jets were excluded. The data set contains 151 relevant occurrences of engine failures.
The distribution of these events over the different end states is given in the table below.
Table 29 Engine failure related probabilities per flight for different end states
End state Number of Probability per
occurrences flight
Total power loss, collision with ground 8 2.01·10-8
Total power loss, aircraft lands off runway 27 6.77·10-8
Total power loss, aircraft continues landing 4 1.00·10-7
Single engine failure, collision with ground 69 1.73·10-7
Single engine failure, aircraft continues landing 43 1.08·10-7
Based on these results, the probability of a total power loss is 39/3.99·108 = 9.77·10-8 per flight.
The 39 occurrences of total power loss include one case in which the flight crew secured the
wrong engine. The corresponding conditional probability of a ‘dual engine failure’ given a
single engine failure is (38 / 3.99·108) / 2.75·10-4 = 3.46·10-4.
111
NLR-CR-2008-646
Since there were no cases observed in which the flight crew restored power, the conditional
probability that the flight crew fails to restore power in the event of a single engine failure is
1.00.
The conditional probability that the flight crew shuts down the wrong engine in the event of a
single engine failure is ((1/3.99·108) / (2.75·10-4 × (1-3.46·10-4)) = 9.10·10-6.
The conditional probability that the flight crew fails to maintain control given a total power loss
is 8 / 39 = 2.05·10-1.
The conditional probability that the aircraft is unable to reach an airport in the event of a total
power loss where the flight crew is able to maintain control is 27 / (39 – 8) = 8.71·10-1.
In the event of a single engine failure resulting into asymmetric thrust, the conditional
probability that the flight crew fails to maintain control is (69 / 3.99·108) / (2.75·10-4 - 9.77·10-8)
= 6.29·10-4.
112
NLR-CR-2008-646
21 ESD19 - Unstable approach

Flight phase: landing.
Initiating Event: unstable approach.
Flight crew fails

Flight crew fails
Unstable to initiate and Unrecovered Collision with
to maintain
approach execute missed loss of control ground
control
approach
yes Aircraft
Runway
touchdown fast
no overrun
or long
Aircraft
Flight crew fails
touchdown with Hard Structural Unrecovered Runway
to maintain
excessive sink landing failure loss of control veer-off
control
rate
Aircraft
continues
landing roll
damaged
Aircraft
continues
landing roll
Failure to achieve Runway

maximum braking overrun
Aircraft
continues
landing roll
Flight crew fails

Unrecovered Collision with
to maintain
loss of control ground
control
Insufficient fuel
Landing off
available for
runway
next approach
Aircraft enters
new
approach
21.1 Definitions
Unstable approach
An approach is considered unstable if any of the following criteria is not met:
• Correct glide path;
• Only small changes in heading/pitch;
• Speed between Vref and Vref +20 knots;
• Correct landing configuration;
• Sink rate is no greater than 1000 feet per minute;
• Power setting appropriate for the aircraft configuration;
• All briefings and checklists have been conducted;
• Approach type specific:
o ILS approaches: within one dot of the glide slope and localizer;
o Cat. II or III ILS approach: within the expanded localizer band;
o Circling approach: wings should be level on final at 300 feet.
113
NLR-CR-2008-646
Flight crew fails to initiate missed approach

If during the approach to the landing runway a certain situation exists or arises, which would
make the continuation of the approach and consecutive landing “unsafe”, the flight crew should
initiate a missed approach. Generally speaking, during a missed approach the flight crew
advance the throttle to go-around power, the flap setting is reduced (typically to 20 degrees) and
the aircraft is rotated to 15 degrees pitch attitude. The aircraft climbs to a predefined altitude
from where a new approach is initiated, or the aircraft diverts to an alternate airport. The
purpose of the missed approach is to reject flying into unsafe conditions or under unsafe
circumstances and to enable the flight crew to carry out a new approach and landing under safer
circumstances.
Aircraft touchdown fast or long

A long touchdown is a situation where the aircraft contacts the runway far beyond the runway
threshold. A long touchdown itself is not always hazardous. Particularly if small aircraft land on
a long runway, a long touchdown does not create a risk. However, a long touchdown is more
hazardous if the runway is relatively short and /or slippery.
A fast touchdown occurs if the aircraft lands with a speed that is significantly higher than the
reference touchdown speed. A fast touchdown itself is not always hazardous. Particularly if
small aircraft land on a long runway, a fast touchdown does not create a risk. However, a long
touchdown is more hazardous if the runway is relatively short and /or slippery.

This end states describes a situation where the aircraft collides with the ground during an
unsterilized approach. Included are runway undershoots were the aircraft collides with the
ground short of the runway. Undershoot accidents are sometimes difficult to classify because
the available information is not always sufficient to distinguish this type of accident from
approach CFIT accidents. We decided to classify undershoot accidents where the point of
impact is ‘just short’ of the runway threshold (up to several hundreds of meters), as unstable
approach & loss of control cases, and accidents where the point of impact is relatively further
from the runway threshold (more than a few hundred metres) as CFIT (ESD 35).
Runway overrun
114
NLR-CR-2008-646
Runway veer-off
Aircraft continues landing roll damaged

This end state describes a situation where the aircraft is damaged as a result of a hard landing
but remains on the runway. ‘Damage’ includes landing gear failures, damage to propellers and
airframe overstress. Tail strikes are not included because these are rarely the result of a hard
landing.

Immediately following touchdown, the flight crew must start reducing the speed of the aircraft.
On most large aircraft, a ‘positive’ touchdown is required to make sure the aircraft switches to
ground logic, which will automatically deploy lift dumpers (if available and armed) and will
ensure a proper functioning of the auto brake system. Braking must start immediately using
maximum braking power and all available deceleration devices: the lift-dumpers (if available)
are raised (manually or automatically), the brakes are applied (manually or automatically), and
reverse thrust or propeller reverse is selected (if available). These actions must be conducted
without delay and according to the standard operating procedures (SOP). Braking performance
is strongly influenced by the runway conditions, if the runway is wet or flooded, or if it is
covered with snow, slush or ice, tyre-to-ground friction is significantly reduced resulting in
longer stopping distances.

This event describes a situation where control is lost during the execution of a missed approach.
21.2 Quantification
Initiating event
To estimate the probability of occurrence of an unstable approach, an analysis was made of all
landings between 1998 and 2001 of a large European airline that operates globally. Out of a
115
NLR-CR-2008-646
total of 312,044 flights, 1642 approaches did not meet the stabilised approach criteria. The
estimated probability of the initiating event is 5.26·10-3 per flight.
End states
The probability of occurrence of the end states was estimated from the Airclaims accident and
incident database. Only large Western-built jets and turboprops in commercial operations
between 1985 and 2005 were considered. Business jets were excluded from the data sample. In
the time frame under consideration, this group conducted a total of 399 million flights.
Table 30 Probability of occurrence of the end states

End state Number of Frequency
Unstable approach, loss of control 128 3.21·10-7
Unstable approach, overrun 79 1.98·10-7
Unstable approach, hard landing, veer-off 15 3.76·10-8
Unstable approach, hard landing, damage 26 6.52·10-8
Unstable approach, hard landing, no damage 5 1.25·10-8
Loss of control during missed approach 20 5.01·10-8
Fuel exhaustion during missed approach 3 7.52·10-9
Pivotal events
According to [Roelen et al., 2002], the conditional probability of ‘failure to execute a missed
approach’ in the event of an unstable approach is 2.18·10-2. This estimate is based on expert
judgement. A total of 4 experts were interviewed. The results of the experts were averaged by
assigning equal weights to all of them. The experts were informed that all questions concerned a
“Schiphol class airport”.
The conditional probability that ‘flight crew fails to maintain control’ if the approach is unstable
and a missed approach is not executed is 3.21·10-7 / (5.26·10-3 × 2.18·10-2) = 2.80·10-3.
The conditional probability that the ‘aircraft lands long or fast’ if the approach in not stable and
a missed approach is not executed is 1.98·10-7 / (5.26·10-3 × 2.18·10-2 × (1-2.80·10-3)) =
1.73·10-3.
The conditional probability of a ‘touchdown with excessive sink rate’ if the approach is not
stable and a missed approach is not executed is (3.76·10-8+6.52·10-8+1.25·10-8) / (5.26·10-3 ×
2.18·10-2 × (1-2.80·10-3) × (1-1.73·10-3)) = 1.01·10-3.
116
NLR-CR-2008-646
The conditional probability that a hard landing after an unsterilized approach results in a
structural failure is (3.76·10-8 + 6.52·10-8) / (5.26·10-3 × 2.18·10-2 × (1-2.80·10-3) × (1-1.73·10-3)
× 1.01·10-3) = 8.91·10-1.
The conditional probability that a hard landing after an unsterilized approach results in a
structural failure and the ‘flight crew fails to maintain control’ is 3.76·10-8 / (5.26·10-3 ×
2.18·10-2 × (1-2.80·10-3) × (1-1.73·10-3) × 1.01·10-3 × 8.91·10-1) = 3.66·10-1.
The conditional probability that the ‘flight crew fails to maintain control’ if a missed approach
is executed is 5.01·10-8 / (5.26·10-3 × (1-2.18·10-2)) = 9.74·10-6.
The conditional probability that there is ‘insufficient fuel available for the next approach’ when
a missed approach is executed is 7.52·10-9 / (5.26·10-3 × (1-2.18·10-2) × (1-9.74·10-6)) =
1.46·10-6.
117
NLR-CR-2008-646
22 ESD 21 – Aircraft weight and balance outside limits during

approach
22.1 Definitions
If the aircraft’s weight and balance are outside limits, there is a possibility that, although the
aircraft was controllable during the preceding part of the flight, controllability becomes difficult
during the approach phase. The change in aircraft configuration that is required for the
approach, particularly the selecting of landing flaps, causes a redistribution of the airflow and
associated changes in the aerodynamic moment.
This event sequence diagram deals with a similar problem as ESD 7, in which also “aircraft
weight and balance outside limits” is the initiating event. However, in ESD 21, the approach
phase is considered and the “aircraft stall” pivotal event is combined with the “flight crew fails
to maintain control” pivotal event.
Aircraft weight and balance outside limits

This initiating event considers the following situations:
• Centre of gravity (CG) incorrect / outside limits
• Cargo loose or shifted
• Wrong number of passengers
• Load sheet incorrect
• Weight limits incorrect/exceeded
118
NLR-CR-2008-646
This means that also situations are accounted for where weight and balance is not strictly
“outside limits”, but it is different than the crew expected.
Not considered for this event are overweighed landings, problems with lateral fuel balance and
jettison of fuel during descent.

The crew might not be able to regain control of the aircraft if there are problems during
approach because of weight and balance problems. The result is an unrecovered loss of control
and a collision with the ground.
22.2 Quantification
Initiating event
The initiating event “Aircraft weight and balance outside limits” in ESD 21 is similar to the
initiating event of ESD 7, except for the difference in flight phase. Some occurrences that are
counted for ESD 7 are also relevant for ESD 21:
• Some weight and balance occurrences are noticed during take-off and are not corrected
during the flight, e.g. shifted cargo that cannot be corrected during flight; The flight
continues, so that the problem still exists during approach;
• Some weight and balance problems are noticed during take-off and are corrected during the
flight, e.g. new loading information is retrieved after take-off and this is accounted for in the
remaining flight phases, including approach, or overweight during take-off is solved by
means of burning fuel during the flight;
• Weight and balance occurrences did not originate during take-off but during approach, e.g.
cargo that starts shifting during descent or approach, or a centre of gravity problem that is
notified when extending the flaps during approach.
The sources [IATA, 2005] and [CAA, 2000] do not distinguish between weight and balance
problems in the various flight phases. The information in the NLR Air Safety Database includes
the flight phase in which the problem occurred. When considering the classification “approach”
used in the database, 18 occurrences can be related to relevant weight and balance problems,
like loose or shifted cargo and wrong information regarding the load of the aircraft. These 18
occurrences are assumed to be new occurrences that did not appear during take-off but only
during approach. For example, it is often explicitly mentioned that cargo shifted during
approach. Considering 9.5 million flights, these 18 occurrences result in a frequency of 1.89·10-6
per approach for the initiating event of ESD 21. This is approximately a factor 20 lower than the
frequency of the initiating event of ESD 7 (i.e. 3.70·10-5 per take-off). The reason for the
difference could be that problems that occur during take-off can be solved during the flight such
119
NLR-CR-2008-646
that there are no problems during approach anymore. For example, in often happens that new
(and better) load sheet information is received after take-off and problems with weight can be
solved by burning more fuel (or dumping it).
Accidents
In the NLR Air Safety Database, 2 accidents that were caused by weight and balance problems
in the approach phase have been found on 387 million flights. These flights include:
• Western built aircraft;
• Weight above 5700 kg; and
• Jets and turbo prop aircraft (excluding piston engines).
• Commercial operations
• Time frame 1990-2003
This means an accident frequency of 5.16·10-9 per flight.
Pivotal event
Quantification of the pivotal event “flight crew fails to regain control” can be achieved by
dividing the accident frequency (5.16·10-9 per flight) with the frequency of the initiating event
(1.89·10-6 per flight), resulting in:
• Yes: 2.73·10-3
• No: 0.99727
120
NLR-CR-2008-646
23 ESD23 - Aircraft encounters wind shear during approach
23.1 Definitions
Aircraft encounters wind shear on approach/landing

Wind shear is an abrupt change in wind direction and velocity. A type of wind shear that is
dangerous for air transport is a downburst or microburst. The aircraft may encounter
performance increasing and decreasing effects. Wind shear poses the greatest danger to aircraft
during takeoff and landing, if the aircraft is close to the ground and has little time or room to
manoeuvre. This event includes situations where the aircraft encounters an increase in tailwind
or a decrease in headwind during approach and landing (performance decreasing wind shear),
but turbulence, e.g. due to wake vortex is not included.

There are various possibilities for the flight crew to detect wind shear during approach and
landing. Rapid changes in indicated airspeed or rates of vertical speed can be an indication of a
wind shear encounter. With autopilot and auto thrust engaged pitch deviations and unusual
thrust settings are the primary cues for early wind shear onset as airspeed deviations are
effectively compensated for. Other detection means can be other pilots’ reports, ground-based
wind shear alert systems using ground-based radar or lidar, and on-board wind shear detection
121
NLR-CR-2008-646
systems. Most, but not all, large commercial aircraft are equipped with an on-board wind shear
detection system. In the case of ground-based systems the crew will be alerted by ATC. For the
purpose of this ESD, flight crew fails to detect wind shear is defined as a situation where the
aircraft encounters wind shear but this goes undetected by the flight crew.
Flight crew fails to execute escape manoeuvre successfully

Details of the wind shear escape manoeuvre may vary among different aircraft types and
different operators. A typical wind shear escape manoeuvre in approach and landing will
include the following:
• Pull take-off/go-around (TOGA) triggers;
• Disengage autopilot and auto thrust;
• Set emergency thrust;
• Increase pitch to 12 degrees nose up; and
• Maintain wings level unless absolutely required for obstacle clearance.
For the purpose of this ESD, ‘flight crew fails to perform wind shear escape manoeuvre’ is
defined as a failure of the flight crew to perform the prescribed escape manoeuvre, either by
mistake or on purpose if the crew decides that it is not necessary because control can be
maintained without following the procedure.
Sometimes a go-around manoeuvre is initiated by the flight crew if a wind shear is encountered
during the approach. Strictly speaking a go-around manoeuvre differs from the wind shear
escape manoeuvre. Configuration changes (such as reducing flap setting) that are normally
made during the go-around are not recommended during the wind shear escape manoeuvre and
the go-around is conducted with go-around thrust rather than emergency thrust. For the purpose
of this ESD however, a go-around manoeuvre which helps the aircraft to successfully escape
wind shear is regarded as a ‘successful escape manoeuvre’.
Depending on the strength of the wind shear/downdraft, the altitude of encounter, the response
of the flight crew and aircraft performance, the aircraft may hit the ground during the wind
shear escape manoeuvre. If the flight crew initiates a wind shear escape manoeuvre during
which they hit the ground (e.g. tree tops or the runway), but maintain control and continue safe
flight, the event is classified as a successful wind shear escape manoeuvre.
Aircraft touchdown with excessive sink rate

Whether or not the sink rate during touchdown is considered to be ‘excessive’, resulting in a
hard landing, is determined by the captain. If the captain decides that the landing was ‘hard, an
entry will be made in the aircraft’s tech log. As an indication, a touchdown during which the
122
NLR-CR-2008-646
vertical deceleration exceeds 1.9 g will usually be considered as a touchdown with excessive
sink rate.
In some accidents the wind shear caused the aircraft to develop an excessive sink rate resulting
in the aircraft touching down short of the runway. These events are also considered to be
included in this pivotal event.
Structural failure
Structural failure refers to the situation that the aircraft suffers a mechanical (overstress)
structural failure after touching down with excessive sink rate (a hard landing). A structural
failure can be any failure of the aircraft structure and components. In these circumstances a
structural failure often includes:
• failure of landing gear (collapse, torn off);
• damage to wing (tip) damage after contact with ground (runway, approach lights, trees etc);
• damage of tail section (over-rotation, if pilots try to arrest sink rate and pitch up).
Failure to maintain control

This pivotal event refers to the ability of the flight crew to maintain (directional) control on the
runway after a hard landing that results in some kind of structural failure. Particularly in the
event of landing gear failures, directional control may be difficult to maintain.
Runway veer-off
and the aircraft deviates to the side of the runway and veers off it. The degree of damage is
determined by the speed at which the aircraft leaves the runway, the veer-off angle, and the
possible presence of obstacles such as ditches, fences, approach lights, buildings, etc.
Occurrences where the aircraft cannot be brought to a halt before reaching the end of the
runway but where flight crew deliberately steer the aircraft off the side of the runway in order to
prevent a collision with obstacles located in line with the runway are considered to be ‘runway
overruns’.
Aircraft continues landing roll damaged

The aircraft suffered damage during a hard landing but stays on the runway during the landing
roll-out.
Aircraft continues landing roll

The aircraft continues the landing roll-out on the runway.
123
NLR-CR-2008-646

A long touchdown is a situation where the aircraft contacts the runway far beyond the runway
threshold. A long touchdown itself is not always hazardous. Particularly if small aircraft land on
a long runway, a long touchdown does not create a risk. However, a long touchdown is more
hazardous if the runway is relatively short and /or slippery.
A fast touchdown occurs if the aircraft lands with a speed that is significantly higher than the
reference touchdown speed. A fast touchdown itself is not always hazardous. Particularly if
small aircraft land on a long runway, a fast touchdown does not create a risk. However, a fast
touchdown is more hazardous if the runway is relatively short and /or slippery.
For the purpose of this ESD, ‘aircraft touchdown fast or long’ is defined as a situation where the
combination of touchdown speed and touchdown point is such that the aircraft cannot be
brought to a full stop before reaching the end of the runway, even when making full use of all
available deceleration devises such as wheel brakes, lift dumpers and thrust reversers.
Runway overrun
23.2 Quantification
23.2.1 Data sources

• ADER
• Airclaims;
• ASR databases (various airlines).
23.2.2 Results
ADREP and Airclaims database

related to wind shear encounters during approach and landing. The time span was set to 1990-
124
NLR-CR-2008-646
2005. Aircraft types include jet, turbofan and turboprop aircraft with a Maximum Take-off
Weight of more than 5700 kg, operated in commercial operations (passenger and cargo flights).
Aircraft manufacturers include ‘Western’ airframe manufacturers such as Airbus, Boeing,
McDonnell Douglas, Lockheed, Fokker, Embraer. Airframe manufacturers from former USSR
or Eastern-block countries (e.g. Tupolev, Let, Antonov) are excluded from the query. All
operators of aforementioned aircraft types, irrespective of country of origin, are included.
Military operators, and accidents/incidents during test flights and training flights are excluded.
The number of flights associated with this query is 452 million flights (1990-2005).
A total of 42 accidents and incidents related to wind shear encounters in the approach-landing
flight phase were found. Table 31 shows the results of the analysis of this data sample. Figure 9
shows a mapping of these 42 accidents to the different scenarios in ESD 23. The figure shows
the absolute number of occurrences observed of each pivotal event and end state, based on this
accident data sample.
In 26 of 42 occurrences the flight crew detected wind shear. In 11 of these 26 cases the flight
crew successfully executed a wind shear escape manoeuvre. In 15 occurrences the flight crew
detected wind shear but failed to execute a wind shear escape manoeuvre successfully.
In 31 of 42 occurrences the flight crew did not detect the wind shear or did not escape the wind
shear successfully: There were 15 unsuccessful wind shear escape manoeuvres, 9 events in
which the wind shear encounter was not detected and 7 events in which it was not clear whether
the crew detected wind shear. Out of those 31 events, there were 28 events in which the aircraft
touched down with excessive sink rate (i.e. a hard landing) and 3 events in which the aircraft
touched fast or long.
125
NLR-CR-2008-646
Table 31 Results of analysis of wind shear related accidents NLR Air Safety Database
(1990-2005, 452 million flights)
Event Number of Rate per
occurrences flight
Aircraft encounters wind shear during approach/landing 42 9.29·10-8
Flight crew fails to detect wind shear 16 0.386
Flight crew fails to execute wind shear escape manoeuvre 15 0.581
successfully
Aircraft touchdown excessive sink rate 28 0.901
Aircraft touchdown fast or long 3 1.001
Structural failure 21 0.751
Failure to maintain control (followed by runway veer off) 7 0.331
Failure to apply maximum braking (followed by overrun) 3 1.001
End states Number of Rate per
occurrences flight
Runway veer-off 7 1.55·10-8
Aircraft continues landing roll damaged 14 3.10·10-8
Aircraft continues landing roll 7 1.55·10-8
Runway overrun 3 6.64·10-9
Aircraft continues flight 11 2.43·10-8
In 21 of 28 hard landings a structural failure occurred. The flight crew failed to maintain control
of the aircraft and veered off the runway after a structural failure in 7 occurrences. In 14 cases
the flight crew maintained control after structural failure and the aircraft continued the landing
roll with structural damage. In 7 hard landings no structural failure occurred and the aircraft
continued the landing roll.
In the 3 occurrences where the aircraft touched down fast or long the flight crew failed to apply
maximum braking and overran the runway.
6
Conditional probability.
126
NLR-CR-2008-646

Flight phase: approach and landing.
Initiating Event: aircraft encounters windshear during approach/landing.
16+15=
31 28 21
42 28 7 7
Aircraft encounters Aircraft
Flight crew fails Flight crew fails
windshear during touchdown with Hard Structural Unrecovered Runway
to detect to maintain
approach/landing excessive sink landing failure loss of control veer-off
windshear control
(1) rate
14
yes 3 7 Aircraft 14
continues
no 26 landing roll
15 damaged
Flight crew fails 7

to execute Aircraft
windshear continues
escape landing roll
manoeuvre
succesfully 3
Aircraft 3 3
touchdown fast or
11 long
0 0 Aircraft 0
continues
taxi
Aircraft 0
continues
landing roll
Aircraft 11
continues
flight
(1) Windshear is an abrupt change in wind direction and velocity. This ESD represents a situation where the aircraft
encounters a performance decreasing windshear (decreasing headwind, increasing tailwind or a downdraft) or a
performance increasing windshear (decreasing tailwind, increasing headwind).
Fig. 9 ESD quantified with NLR Air Safety Database (accidents and incidents, 1990-2005)
ASR database
Air Safety Reports (ASR) databases were analysed for events involving a wind shear encounter
in the approach and landing flight phase. The ASR databases come from different airlines and
cover 9 million flights between 1998 and 2004. The databases were queried for occurrences
involving wind shear, a downdraft, or a microburst in the years 2000 and 2001. Only air safety
reports involving Western-built aircraft heavier than 5700 kg MTOW in commercial operations
were considered. The corresponding number of flights for these two years is 2.44 million.
Analysis of the data shows the following results:
• The data sample contains 578 occurrences of a wind shear encounter in the approach and
landing phase. This corresponds to an estimated frequency of 2.37·10-4 per flight. Because
air safety reports are filed by flight crews, obviously in all of the 578 occurrences the wind
shear encounter was detected by the flight crew.
• In 427 of 578 wind shear encounters the flight crew initiated a go-around or a wind shear
recovery manoeuvre 7.
• Some of the wind shear warnings were considered false warnings. In 25 of 578 occurrences
the wind shear warning was considered a false, spurious or nuisance alert. In 7 of these
7
In most ASRs a go-around was reported rather than a wind-shear escape manoeuvre.
127
NLR-CR-2008-646
events a go-around was initiated nevertheless. In the remaining cases the aircraft continued
the landing. This set of 7 events is part of the 427 reported occurrences involving a wind
shear encounter followed by a go-around.
• In a number of events the aircraft encountered wind shear in the approach or landing, but
the flight crew was able to maintain control and decided to continue the flight. In 151 of 578
reported wind shear encounters the flight crew decided to continue the approach. In 27 of
these cases (17.9 %) the wind shear resulted in a flap over speed warning. In 13 of 151
events (8.6 %) a hard landing was made. In one event the aircraft landed long but this did
not result in a runway overrun.
Examples of instances in which the flight crew continued the approach or landing after a wind
shear encounter, and landed uneventfully are:
• Aircraft was again stabilised before reaching 500 feet altitude (unstable approach criterion).
• Speed was adjusted by use of power and speed brakes.
• Wind shear was briefed and anticipated by the flight crew. Therefore the approach was
continued with a stable flight path or after a stable approach was regained. This mostly
refers to wind shear generated by obstacles on the ground and ‘normal’ wind shear close to
the ground rather than wind shear associated with a microburst and thunderstorm cells.
• Wind shear alert during flare manoeuvre.
• Momentary wind shear alert.
23.2.3 Discussion
The ADREP and Airclaims data do not contain a representative sample of incidents to reliably
estimate the frequency of a wind shear encounter, which did not result in a loss of control
accident. On the other hand, ADREP and Airclaims data do contain a representative sample of
loss of control accidents as a result of a wind shear encounter. The probability of the end states
and conditional probabilities of pivotal events can therefore be reliably estimated with ADREP
and Airclaims data. For the frequency estimation of the Initiating Event we will use the ASR
database. The pivotal events ‘flight crew fails to detect wind shear’ and ‘flight crew fails to
execute wind shear escape manoeuvre successfully’ will be quantified by using a combination
of ASR and ADREP and Airclaims data.
23.3 Summary of results
Aircraft encounters wind shear on approach/landing

The frequency of occurrence of a wind shear encounter in the approach landing phase is
estimated as 2.37·10-4 per flight (based on ASR data).
128
NLR-CR-2008-646
Flight crew fails to detect wind shear and Flight crew fails to execute escape manoeuvre
successfully
The conditional probabilities of these events are estimated as follows:
• In 16 of 42 (38%) wind shear encounter related accidents the flight crew did not detect the
wind shear, while in 15 of these 42 occurrences the flight crew failed to execute a wind
shear escape manoeuvre (ADREP and Airclaims data).
• It is assumed that the relative contribution to the pivotal event ‘aircraft touchdown with
excessive sink rate’ from both input events ‘flight crew fails to detect wind shear’ and
‘flight crew fails to execute wind shear escape manoeuvre successfully’ as found in
accidents and incidents (ADREP and Airclaims data) is representative for all wind shear
encounters.
• ASR data indicate that 151 of 578 (26%) wind shear encounters do not result in a successful
wind shear escape manoeuvre.
• Combining this information results in the conclusion that, in the event of a wind shear
encounter during approach and landing, the conditional probability that the flight crew fails
to detect wind shear is 0.144 whereas the conditional probability that the event ‘flight crew
fails to execute wind shear escape manoeuvre successfully’ is 0.135.
Aircraft touchdown with excessive sink rate (hard landing)

According to ASR data, in 151 of 587 (26%) of wind shear encounters the flight crew continued
the approach or the wind shear escape manoeuvre was considered unsuccessful. In 13 of these
151 events the aircraft touched down with excessive sink rate. Hence, the conditional
probability of this event is estimated as 8.60·10-2. This probability is conditional on the sum of
the yes-output of ‘flight crew fails to detect wind shear’ and ‘flight crew fails to execute wind
shear escape manoeuvre successfully’. The no-output of the pivotal event ‘aircraft touchdown
with excessive sink rate’ is 0.914.

ADREP and Airclaims data show that out of 21 structural failures due to touchdowns with
excessive sink rate that where the result of a wind shear encounter, 7 (33%) led to a runway
veer-off and 14 (67%) resulted a ‘continued landing roll damaged’. Given the event that the
aircraft has a structural failure the conditional probability of the flight crew failing to maintain
control is 0.33.
Runway veer-off
have been 7 runway veer-off accidents as result of a wind shear encounter and hard landing
129
NLR-CR-2008-646
followed by structural damage and a failure of the flight crew to maintain control. The
corresponding probability is 1.55·10-8 per approach and landing.
Structural failure
The conditional probability of a structural failure is derived from the following equation:
2.37·10-4 × 0.26 × 0.086 (excessive sink rate) × structural failure × 0.33 (failure to maintain
control) = 1.54·10-8 (veer-off). Hence, given the event that the aircraft touches down with an
excessive sink rate, the conditional probability of a structural failure is 8.81·10-3.
Aircraft continues landing roll damaged.

have been 14 cases of ‘aircraft continues landing roll’ damaged’ accidents as result of a wind
shear encounter followed by a and hard landing and structural damage. The corresponding
probability is 3.10·10-8 per approach and landing.

The estimated probability that the aircraft continues the landing roll after a hard landing
following a wind shear encounter in the landing is 5.25·10-6 per flight. This probability follows
by multiplication of the initiating event probability and the conditional probabilities of the
intermediate pivotal events.

been 3 runway overrun accidents as a result of a fast and long landing following a wind shear
encounter during approach and landing. The corresponding runway overrun probability is
6.63·10-9 per approach and landing. The conditional probability of a fast or long landing can be
calculated from previously calculated information: 2.37·10-4 × 0.26 × 0.914 × P(touchdown fast
or long) = 6.63·10-9. The conditional probability of a fast or long touchdown is 1.18·10-4.
Runway overrun
According to ADREP and Airclaims data, out of a total sample of 452 flights, there have been
three cases of a runway overrun following a long and fast touchdown after a wind shear
encounter. The estimated probability that the aircraft overruns the runway following a wind
shear encounter and subsequent long/fast touchdown is 6.63·10-9 per flight.
130
NLR-CR-2008-646

According to ASR data, there have been 137 cases in 2.44 million flights where the flight crew
continued the approach after a wind shear encounter and landed without any further incident.
Hence the estimated absolute probability of ‘aircraft continues landing roll’ 5.61·10-5 per flight.

The probability that the aircraft continues flight after encountering wind shear and a successful
escape manoeuvre is 2.37·10-4 × 0.874 × 0.866 = 1.79·10-4 per flight.

Flight phase: approach and landing.
Initiating Event: aircraft encounters windshear during approach/landing.
2.37·10-4 1.44·10-1 8.81·10-3 3.30·10-1

8.60·10-2
Aircraft
1.55·10-8
Aircraft encounters Flight crew fails Flight crew fails
windshear during touchdown with Hard Structural Unrecovered Runway
to detect to maintain
approach/landing excessive sink landing failure loss of control veer-off
windshear control
rate
3.10·10-8
yes Aircraft
continues
no landing roll
damaged
Flight crew fails

5.25·10-6
to execute Aircraft
windshear continues
escape landing roll
1.35·10-1
manoeuvre
succesfully
6.63·10-9
Aircraft 1.18·10-9 1
touchdown fast or
long
0
Aircraft
continues
taxi
5.61·10-5
Aircraft
continues
landing roll
1.79·10-4
Aircraft
continues
flight
131
NLR-CR-2008-646
24 ESD25 – Aircraft handling by flight crew during flare inappropriate

Initiating Event: Aircraft handling by crew during flare inappropriate
Aircraft handling by Aircraft

Runway
crew during flare touchdown fast or
overrun
inappropriate long
yes
no
Aircraft
touchdown with Hard Structural Aircraft
excessive sink landing failure damaged
rate
Flight crew fails

Unrecovered Runway
to maintain
control
Aircraft
continues
landing roll
Aircraft
continues
landing roll
24.1 Definitions
Aircraft handling by crew during flare inappropriate

During the flare manoeuvre the pilot reduces the rate of descent so that an excessively hard
touchdown is avoided. In the execution of the flare the pilot relies on his experience and
judgement. For the purpose of this ESD, ‘aircraft handling by crew during flare inappropriate’ is
defined as a flare that starts from a stabilised condition at the runway threshold but the
manoeuvre itself is conducted inappropriately. A stabilised condition at the runway threshold is
defined as a situation where the aircraft is not more than 10 ft above or below the prescribed
height and not more than 10 kts faster or slower than the target (or bug-) speed.

For the purpose of this ESD, a fast or long touchdown is defined as an aircraft landing more
than 2000 ft down from the runway threshold.
Aircraft touchdown with excessive sink rate

For the purpose of this ESD, a touchdown with excessive sink rate is defined as a touchdown
were the vertical acceleration exceeds 1.85 g or the vertical speed is more than 1000 ft/minute.
Structural failure
The aircraft is damaged as a direct result of the hard landing. This includes failures of the
landing gear and failures of the aircraft structure such as wing spars, fuselage frames and skin
panels.
132
NLR-CR-2008-646

flight crew to maintain control is affected by human factors (fatigue, training, etc), aircraft
Runway overrun
Runway veer-off
24.2 Quantification
To determine the frequency of inappropriate aircraft handling during the flare, a study of
landing performances during ILS approaches conducted by NLR in 2006 was used [van Es &
van der Geest, 2006]. This study analysed in-flight recorded data of 40,764 landings. The data
was limited to two types of aircraft: Boeing 737-400 and Airbus A319/A320/A321. All data was
obtained from a European airline. The flight data were obtained from the airline’s flight data
monitoring program. The recording effort lasted for more than 7 months and covered winter,
spring and summer time operations.
The point of crossing of the runway threshold is not directly captured by the flight data recorder
but needs to be calculated from other parameters. To perform this calculation it was assumed
that all approaches in the data sample were according to a 3-degree glide slope and that for all
approaches the ILS Reference Datum Height that marks the height of the intersection of the
glide slope beam with the runway threshold was 50 ft.
133
NLR-CR-2008-646
The aircraft touchdown point was calculated from the flight data by differentiation of the normal
acceleration signal. The peak value in this differentiated normal acceleration was considered to
indicate the point of touchdown. The longitudinal distance of the touchdown point relative to
the runway threshold was calculated by integrating the recorded ground speed of the aircraft
from the point of runway threshold crossing until touchdown.
The set contains 3 hard landings and 946 long landings that occurred in spite of a stabilised
condition at the runway threshold (see definitions). There were no occurrences where the
aircraft landed both hard and long after a stabilised condition at the runway threshold. The
corresponding probability of inappropriate aircraft handling during the flare is estimated to be
949 / 40,764 = 2.33·10-2 per flight.
To estimate the accident rates due to inappropriate aircraft handling during the flare, the
Airclaims accident and incident database was analysed. Only large Western-built jets and
turboprops in commercial operations between 1985 and 2005 were considered. Business jets
were excluded from the data sample. In the time frame under consideration, this group
conducted a total of 399 million flights.
The data sample contained 47 hard landings which can be contributed to inappropriate aircraft
handling during the flare and in which the aircraft remained on the runway. In 45 occurrences
the hard landing resulted in a structural failure, in 2 cases there was no damage to the aircraft.
The data sample contained 12 cases of runway veer-off accidents that were the result of a
structural failure following a hard landing that was caused by an inappropriate flare. In addition,
the database contained 13 cases where a hard landing resulting from an inappropriate flare did
not cause a structural failure but led to a loss off control and subsequent veer-off.
The data sample contained 9 overruns where the aircraft touched down long or fast due to an
inappropriate flare. The results of the analysis are summarised in table 32.
Table 32 A summary of the probabilities for the end states of ESD 25

End state Number of Probability
accidents per flight
Runway overrun 9 2.26·10-8
Aircraft damaged 45+12 1.43·10-7
Runway veer-off 13 3.26·10-8
134
NLR-CR-2008-646
The conditional probability of a fast or long touchdown given inappropriate aircraft handling
during the flare is 2.26·10-8 / 2.33·10-2 = 9.69·10-7 per flight.
The probability of a touchdown with excessive sink rate following an inappropriate flare is
3 / 40,764 = 7.36·10-5 per flight. The corresponding conditional probability that the aircraft
touches down with an excessive sink rate given an inappropriate flare is 7.36·10-5 / (2.33·10-2 ×
(1- 9.69·10-7)) = 3.16·10-3 per flight.
The conditional probability of a structural failure in the event of a touchdown with excessive
sink rate due to an inappropriate flare is 1.43·10-7 / 7.36·10-5 = 1.94·10-3.
The conditional probability that the flight crew fails to maintain control when the aircraft
touches down with an excessive sink rate as a result of an inappropriate flare is 3.26·10-8 /
(7.36·10-5 × (1 - 1.94·10-3)) = 4.44·10-4.
The probability of end state “Aircraft continues landing roll” becomes: 2.33·10-2 × (1 - 9.69·10-7)
× (1- 3.16·10-3)×1 = 2.32 10-2.
135
NLR-CR-2008-646
25 ESD26 - Aircraft handling by flight crew during landing roll

inappropriate
25.1 Definitions
Aircraft handling by flight crew during landing roll inappropriate

This ESD describes the scenario in which a touchdown is made with a correct speed and sink
rate, but due to an action by the crew during the landing roll, control of the aircraft is
(temporarily) lost or maximum braking is not achieved. Included in this initiating event are off-
centreline touchdowns. Inappropriate aircraft handling includes inappropriate use of rudder and
aileron, inappropriate use of the steering tiller, delayed operation of deceleration devices such as
lift dumpers, thrust reverser and wheel brakes and inappropriate differential braking. The
occurrence of aquaplaning is also considered to be in the scope of this initiating event.

This pivotal event refers to the ability of the flight crew to maintain (directional) control on the
runway after touchdown.

136
NLR-CR-2008-646
Runway overrun
Runway veer-off
25.2 Quantification
Initiating event
To estimate the probability of an inappropriate aircraft handling during the landing roll,
operational data from a large western European airline has been used. The data set consists of
286,753 flights from the year 2001. This set contains 61 reports of inappropriate pilot handling
during the landing phase without technical or environmental reasons. In 58 cases, the report
only reports an “exceedance” due to pilot handling. It is assumed that these 61 cases are due to
inappropriate aircraft handling during the landing roll. The corresponding probability is
estimated to be 61/286,753 = 2.13·10-4 per flight.
137
NLR-CR-2008-646
End states
The Airclaims accident and incident database was analysed to estimate the probability of
occurrence of the end states. Only large Western-built jets and turboprops in commercial
operations between 1985 and 2005 were considered. Business jets were excluded from the data
sample. In the time frame under consideration, this group conducted a total of 399 million
flights.
The data sample contains 62 veer-off accidents that are attributed to inappropriate aircraft
handling during landing or off-centreline touchdowns. The corresponding probability is
62 / 3.99 108 = 1.55·10-7 per flight.
The data sample contains 59 runway overrun accidents that are attributed to inappropriate
aircraft handling during the landing roll and/ or the occurrence of aquaplaning. The
corresponding probability is 59 / 3.99·108 = 1.48·10-7 per flight.
Pivotal events
The conditional probabilities of the pivotal events can be estimated from the probability of
occurrence of the initiating event and the end states.
The conditional probability of ‘flight crew fails to maintain control’ if aircraft handling during
the landing roll is inappropriate is 1.55·10-7 / 2.13·10-4 = 7.28·10-4 per flight.
The conditional probability of ‘failure to achieve maximum braking’ if aircraft handling during
the landing roll is inappropriate and the crew is able to maintain control is 1.48·10-7 / (2.13·10-4
× (1-7.28·10-4)) = 6.95·10-4 per flight
138
NLR-CR-2008-646
26 ESD27 - Aircraft directional control related system failure during

landing
26.1 Definitions
Aircraft directional control system failure

An aircraft directional control system failure is a failure of any of the aircraft’s systems that
affects the directional controllability of the aircraft during the landing roll. Included are failures
of the aileron and aileron controls, rudder and rudder controls, tyres, and landing gear.
Directional control problems as a result of asymmetric thrust due to an engine failure are
covered in ESD 28. Directional control problems as a result of thrust reverser failures are
covered in ESD 29.

As a result of the degraded directional control capabilities of the aircraft the crew may find it
difficult to maintain control, particularly in conditions of crosswind and a slippery runway. This
pivotal event is defined as an unrecovered loss of directional control during the landing roll.
Runway veer-off
139
NLR-CR-2008-646
26.2 Quantification
The main source of information was the database of Service Difficulty Reports (SDRs), see also
appendix A. The time period 1985-2003 was selected as representative of current aviation. The
analysis was limited to air carrier operations, thereby excluding general aviation. Only events
which resulted in precautionary procedures were included in the data sample. Finally, events
which were the result of a false warning were excluded.
Table 33 Directional control problems during landing phase
ATA ATA description Nr of Exposure Failure rate

code reports (flights) (per flight)
2710 Aileron control system 13 2.16·108 6.02·10-8
2711 Aileron tab control system 2 2.16·108 9.27·10-9
2720 Rudder control system 14 2.16·108 6.49·10-8
2722 Rudder actuator 1 2.16·108 4.63·10-9
3200 Landing gear 1437 2.16·108 6.56·10-6
Total 1467 2.16·108 6.79·10-6
The probability of a directional control related system failure is estimated as 6.79·10-6 per flight.
To estimate the probability of runway veer-offs that are caused by directional control related
system failures, the Airclaims accident and incident database was analysed. Only large Western-
built jets and turboprops in commercial operations between 1985 and 2005 were considered.
Business jets were excluded from the data sample. In the time frame under consideration, this
group conducted a total of 399 million flights. A total number of 44 veer-offs were identified.
The probability of a veer-off due to a directional control related system failure is estimated to be
The conditional probability of ‘flight crew fails to maintain control’ in the event of a directional
control related system failure is estimated to be 1.10·10-7 / 6.79·10-6 = 1.62·10-2 per flight.

Initiating Event: aircraft directional control related system failure.
6.79·10-6
1.62·10-2 1.10·10-7
Aircraft directional Loss of traction Flight crew fails
Unrecovered Runway
control related or steering to maintain
system failure capability control
yes 6.68·10-6
no Aircraft
continues
landing roll
140
NLR-CR-2008-646
27 ESD28 - Single engine failure during landing

Initiating Event: single engine failure.
Loss of traction
Flight crew fails to Unrecovered Runway
Single engine failure or steering
maintain control loss of control veer-off
capability
yes
no maximum braking overrun
Aircraft
continues
landing roll
27.1 Definitions

For the purpose of this ESD, a single engine failure is defined as any failures of one of the
systems that correspond with the ATA codes between 6100 and 6197 or between 7100 and
8097.

Because of the asymmetric thrust that is a result of the engine failure, the crew may find it
difficult to maintain control, particularly in conditions of crosswind and a slippery runway. This
pivotal event is defined as an unrecovered loss of directional control during the landing roll.
Runway veer-off

141
NLR-CR-2008-646
Runway overrun
27.2 Quantification
Initiating event
The database of service difficulty reports (see App. A) has been used to estimate the probability
of occurrence of landing roll-outs with an engine failure. All engine failures that occurred
between an take-off (not rejected) and landing roll were considered. According to the SDR
database, out of a total of 215,800,000 flights there have been 10,562 occurrences of landings
with a single engine failure. The corresponding probability of occurrence is 4.89·10-5 per flight.
End states
To estimate the probability of runway overruns and veer-offs that are caused by landings with
one-engine inoperable, the Airclaims accident and incident database was analysed. Only large
Western-built jets and turboprops in commercial operations between 1985 and 2005 were
considered. Business jets were excluded from the data sample. In the time frame under
consideration, this group conducted a total of 399 million flights.
According to the Airclaims database, there have been 3 veer-off accidents that were contributed
to landing with one engine inoperable, and 2 overrun accidents. The corresponding probabilities
are 7.52·10-9 per flight for veer-off and 5.01·10-9 for overrun.
142
NLR-CR-2008-646
Pivotal events
The probability of ‘flight crew fails to maintain control’ in the event of a landing with one
engine inoperable is 7.52·10-9 / 4.89 10-5 = 1.54·10-4.
The conditional probability of ‘failure to achieve maximum braking’ in the event of a landing
with one engine inoperable is 5.01·10-9 / (4.89·10-5 × (1-1.54·10-4)) = 1.02·10-4.
143
NLR-CR-2008-646
28 ESD29 - Thrust reverser failure
28.1 Definitions
Thrust reverser failure

A thrust reverser is a system that redirects a jet engine’s airflow such that the resulting thrust
force acts against the forward travel of the aircraft. On propeller driven aircraft reverse thrust is
obtained by changing the pitch of the propeller blades to a negative angle, thereby directing air
flow into the direction of travel. For the purpose of this ESD a thrust reverser failure is defined
as a failure of system ATA 7830 reverser for aircraft with jet propulsion and a failure of system
ATA 6120 propeller control for aircraft with propeller propulsion. Only technical malfunctions
of the thrust reverser system are considered in this initiating event. Failures of the flight crew to
correctly operate the thrust reverser system are covered in ESD 26.


144
NLR-CR-2008-646
Runway overrun
Runway veer-off
28.2 Quantification
Thrust reverser failure frequencies were determined from the database of Service Difficulty
Reports (SDRs), see appendix A. The time period 1985-2003 was selected as representative of
current aviation. The analysis was limited to commercial operations of large (> 5700 kg
MTOW) aircraft. Only events which resulted in precautionary procedures were included in the
data sample. Finally, events which were the result of a false warning were excluded. According
to the SDR database there have been 92 failures of the thrust reverser system (ATA 7830)
during the approach and landing phase in 2.05·108 corresponding flights. Only exposure data for
aircraft equipped with thrust reversers is taken into account. This results in a frequency of
4.49·10-7 thrust reverser failures per approach and landing for aircraft with jet engines.
According to the SDR database there have been 170 failures of the propeller control system
(ATA 6120) during the approach and landing phase in 5.52·107 corresponding flights. Only
145
NLR-CR-2008-646
exposure data for aircraft equipped with propellers is taken into account. This results in a
frequency of 3.08·10-6 propeller control system failures per approach and landing.
For the overall aircraft fleet that is represented in the SDR database, the frequency of thrust
reverser or propeller control system failures is 1.01·10-6 per approach and landing.
End states “runway veer-off” and “runway overrun”

To quantify these end states, ADREP and Airclaims data are used. The time span was set to
1990-2005. Aircraft types include jet, turbofan and turboprop aircraft with a Maximum Take-off
Weight of more than 5700 kg, operated in commercial operations (passenger and cargo flights).
Aircraft manufacturers include ‘Western’ airframe manufacturers such as Airbus, Boeing,
McDonnell Douglas, Lockheed, Fokker, and Embraer. Aircraft manufacturers from former
USSR or Eastern-block countries (e.g. Tupolev, Let, Antonov) are excluded from the query. All
operators of aforementioned aircraft types, irrespective of country of origin, are included.
Military operators and accidents/incidents during test flights and training flights are excluded.
The number of flights associated with this query is 452 million flights for the ADREP and
Airclaims databases.
When selecting on “reverse”, Airclaims data show 100 accidents. Of these accidents, the
following can be related to thrust reversers:
• 19 runway veer-offs;
• 6 runway overruns; and
• 4 veer-offs and overruns where the crew made a mistake in using the thrust reversers.
This latter category, however, is considered outside the scope of this ESD, but is considered to
be part of ESD 26.
Since the Airclaims database does not necessarily cover all accidents that have occurred in the
period 1990-2005, also ADREP data has been analysed.
As a result of a similar query, using the keyword “reverse” ADREP shows 232 occurrences.
Note that this selection partly overlaps with the Airclaims selection. Analysis of these
occurrences results in the following additional occurrences:
• 5 runway veer-offs; and
• 1 runway overrun.
This gives a total number of relevant occurrences of:

• 24 runway veer-offs; and
146
NLR-CR-2008-646
• 7 runway overruns.
This number of accidents can be related to 452 million flights. Although not all of these flights
are equipped with thrust reversers and, if available, thrust reversers are not always used, it is
assumed here that all of the 452 million flights are applicable. This leads to the following
frequencies:
• Runway veer-off, due to a thrust reverser failure: 5.31·10-8 per flight
• Runway overrun, due to a thrust reverser failure: 1.55·10-8 per flight
The conditional probability of a failure to maintain control in the event of a thrust reverser
failure is estimated to be 5.32·10-8 / 1.01·10-6 = 5.26·10-2.
The conditional probability of failure to achieve maximum braking in the event of a thrust
reverser failure and the flight crew maintains control is estimated to be 1.11·10-8 / (1.01·10-6 ×
(1-5.26·10-2)) = 1.62·10-2.
147
NLR-CR-2008-646
29 ESD30 - Aircraft encounters unexpected wind

Flight phases: landing.
Initiating event: aircraft encounters unexpected wind.
Aircraft encounters Flight crew fails to Unrecovered Runway

unexpected wind maintain control loss of control veer-off
yes
Aircraft
continues
landing roll
29.1 Definitions
Aircraft encounters unexpected wind

The initiating event is defined as significant unexpected cross wind, gusting winds and/or
turbulence. For the purpose of quantification, it is assumed that “unexpected cross wind” is
defined as a situation where the cross wind speed encountered during landing is more than 15
knots and deviates more than 10 kts from the reported cross wind speed. Wake vortex
encounters due to insufficient ATC separation are not taken into account. Wind shear is not
regarded as ‘unexpected wind’, but is treated separately in ESD 23.


148
NLR-CR-2008-646
Runway overrun
Runway veer-off
29.2 Quantification
For the purpose of quantification, it is assumed that “unexpected cross wind” is defined as a
situation where the cross wind speed encountered during landing is more than 15 knots and
deviates more than 10 kts from the reported cross wind speed. According to [van Es et al.,
2001], the probability that the encountered cross wind speed deviates more than 10 knots from
the reported crosswind speed is 0.06 per flight. According to the same reference, the probability
that the mean actual cross wind speed exceeds 15 knots is 0.02 per flight. Based on these
numbers, the probability of an unexpected cross wind is estimated at 0.06 × 0.02 = 1.20·10-3 per
flight.
To estimate the probability of encountering turbulence during the approach and landing,
operational data from a large western European airline has been used. The data set consists of
286,753 flights from the year 2001. This set contains 3 turbulence encounters during the landing
149
NLR-CR-2008-646
phase. Wake vortex encounters due to insufficient separation by ATC were not taken into
account. As a result, the probability is estimated to be 3/286753 = 1.05·10-5 per flight.
On total, the probability of encountering unexpected wind is estimated to be 1.21·10-3 per flight.
To estimate the probability of runway overruns and veeroffs that are caused by unexpected
wind, the Airclaims accident and incident database was analysed. Only large Western-built jets
and turboprops in commercial operations between 1985 and 2005 were considered. Business
jets were excluded from the data sample. In the time frame under consideration, this group
represented a total of 399 million flights. A total number of 23 veer-offs were identified, and 9
overruns. The probability of a veer-off due to unexpected wind in the landing is estimated to be
5.76·10-8 per flight. The probability of an overrun due to unexpected wind in the landing is
estimated to be 2.26·10-8 per flight.
The conditional probability of flight crew fails to maintain control in the event of a unexpected
wind encounter is estimated to be 5.76·10-8 / 1.21·10-3 = 4.76·10-5.
The conditional probability of failure to achieve maximum braking in the event of an

unexpected wind encounter is 2.26·10-8 / (1.21·10-3 × (1-4.76·10-5)) = 1.86·10-5.

Flight phases: landing.
Initiating event: aircraft encounters unexpected wind.
5.76·10-8
1.21·10-3 4.76·10-5
Aircraft encounters Flight crew fails to Unrecovered Runway
unexpected wind maintain control loss of control veer-off
2.26·10-8
yes -5
Failure to achieve 1.86·10 Runway
1.21·10-3
Aircraft
continues
landing roll
150
NLR-CR-2008-646
30 ESD31 - Aircraft are positioned on collision course
30.1 Definitions
Aircraft are positioned on collision course

This event refers to a situation where two airborne aircraft are positioned such that their
trajectories, if unaltered, will bring the aircraft closely together leading to a risk for collision.
The initiating event “Aircraft are positioned on collision course” describes an aircraft proximity
(Airprox) incident. An airprox is described by ICAO as ‘A situation in which, in the opinion of
a pilot or Air Traffic Controller, the distance between aircraft as well as their relative positions
and speeds have been such that the safety of the aircraft involved was or may have been
compromised’. [CAA, 1997]. They are classified into four different categories, A through D,
with classes A and B being “risk bearing” proximities.
ATC fails to detect and resolve conflict

This event refers to any situation where action or inaction of the air traffic controller fails to
resolve the collision risk that has been arisen due to the aircraft trajectories.
151
NLR-CR-2008-646
Flight crew fails to detect and resolve conflict

This event refers to any situation where action or inaction of the flight crew fails to resolve the
collision risk that has been arisen due to the aircraft trajectories.
30.2 Quantification
Aircraft are positioned on collision course

The initiating event “Aircraft are positioned on collision course” is considered to be an aircraft
proximity (airprox) incident. An airprox is described by ICAO as ‘A situation in which, in the
opinion of a pilot or Air Traffic Controller, the distance between aircraft as well as their relative
positions and speeds have been such that the safety of the aircraft involved was or may have
been compromised’. [CAA, 1997]. They are classified into four different categories, A through
D, with classes A and B being “risk bearing” proximities. In these cases it was assessed that the
safety was not assured or that there was a risk of collision. The initiating event “Aircraft are
positioned on collision course” is quantified by the number of risk bearing airproxes per flight.
Figure 10 below shows the risk bearing airprox frequency for the UK [CAA, 2002], the
Netherlands [LVNL, 2004], Germany [DFS, 2006] and Switzerland [Skyguide, 2004] as a
frequency per flight.
3.00E-05
2.50E-05
2.00E-05
UK
NL
1.50E-05
CH
DE
1.00E-05
5.00E-06
0.00E+00
1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004
Fig. 10 Frequency of airproxes in 4 European states
152
NLR-CR-2008-646
By taking the average over the period 2000-2004, the frequency is estimated to be 9.20·10-6
airproxes per flight. The average was taken by summation of all airproxes, summation of all
accompanying movement data and then dividing the two numbers.
Mid air collisions

From 1985 through 2004, there have been 7 mid air collisions involving western-built large jet
aircraft in commercial operations (see Tab. 34), and also 7 mid-air collisions involving western-
built turboprop aircraft in commercial operations (see Tab. 35).
Table 34 Midair collisions involving commercial jet aircraft

Date Location Aircraft 1 Type Aircraft 2 Type
31-08-1986 Los Angeles, Douglas DC9 Passenger Piper Private
USA PA28
16-06-1987 Fuzhou, Boeing 737 Passenger Jian-6 Military
China
22-12-1992 Tripoli, Boeing 727 Passenger Mig 23 Military
Libya
12-11-1996 Delhi, Boeing 747 Passenger Ilyushin Passenger
India 76
12-02-1999 Grenouillet, Airbus A320 Passenger Grob Glider
France G103
01-07-2002 Überlingen, Boeing 757 Cargo Tupolev Passenger
Germany 154
26-12-2002 Windhoek, Boeing 737 Passenger Cessna Private
Namibia 404
Table 35 Midair collisions involving turboprop aircraft

Date Location Aircraft 1 Type Aircraft 2 Type
18-06-1986 USA DHC-6 Twin Passenger Bell Jet Helicopter
Otter Ranger
15-01-1987 Salt Lake City, Swearingen Passenger Mooney Private
USA Metro II M20C
09-04-1990 Gadsen, Embraer 120 Passenger Cessna 172 Private
USA Brasilia
09-12-1993 Dakar, NAMC YS-11 Passenger DHC-6 Passenger
Senegal Twin Otter
09-12-1993 Dakar, DHC-6 Twin Passenger NAMC Passenger
Senegal Otter YS-11
01-05-1995 Sioux Lookout, Swearingen Passenger Piper PA- Passenger
Canada Metro 23 31
30-07-1998 Baie de Quiberon, Beech 1900 Passenger Cessna 177 Private
France
153
NLR-CR-2008-646
Exposure data from the period 1985-2004 gives in total 416,360,000 flights in that period. It
involves western-built aircraft, >5700 kg MTOW in commercial operations. Hence, the mid-air
collision rate is 3.36·10-8 per flight.
ATC fails to detect and resolve the conflict

In many Air Traffic Control centres the radar controllers are supported with a short-term
conflict alerting system (STCA). This computer system monitors Secondary Surveillance Radar
(SSR) data and alerts the controller if two aircraft are dangerously close to each other. Two
aircraft are dangerously close if they are (potentially) going to collide within a certain time
period that is less than the warning time. The warning time is set such that it is judged to be
sufficient to resolve the conflict from the moment the warning is given. The STCA is a last-
resort backup tool.
The UK Airprox Board (UKAB) investigates all proximities in UK airspace. To determine the
probability of occurrence of ‘ATC fails to detect and resolve the conflicts’, a set of 414 UK
Airproxes in the period 1999-2003 was analysed. The data set needed to be limited to cases
where STCA was available. For cases where STCA was not available, the information was
insufficient for quantification of the pivotal event. When we only consider class A or B
airproxes and only those situations where STCA was available, 22 incidents remain. The results
are presented in table 36.
In 2 cases the traffic controller resolved the potential conflict before an STCA alert was given.
In 35% of the remaining cases, no warning was given by the STCA. In 5% of the cases an alert
was given, but the controller did not respond properly.
Table 36 Impact of STCA on number of class A and B airproxes

Number of airproxes
STCA event description
class A and B
Acted before possible warning 2 (9%)
No STCA warning 7 (32%)
Warned and acted 12 (55%)
Inappropriate controller response 1 (5%)
Total 22 (100%)
In 8 cases (36.4 %), the controller did not resolve the conflict (with or without the help of
STCA). Hence, the conditional probability that the controller fails to resolve the conflict is
3.63·10-1. This conditional probability only represents situations where STCA is available. .
154
NLR-CR-2008-646
Flight crew fails to detect and resolve the conflict

Based on the frequencies of the Airproxes, the ATC failure to detect and resolve the conflict,
and the frequency of mid-air collision, the probability that the flight crew fails to detect and
resolve the conflict is calculated as 3.38·10-8 / (9.20·10-6 × 0.36) = 1.02·10-2.
Table 37 Summary of the probabilities for the initiating and pivotal events
Event Probability (per flight)
Aircraft are positioned on a collision course 9.20·10-6
ATC fails to detect and resolve conflict 3.63·10-1
Flight crew fails to detect and resolve conflict 1.02·10-2
Collision in mid-air 3.38·10-8
Accident type: mid-air collision.

Flight phases: initial climb, en-route and approach.
Initiating event: aircraft are positioned on collision course.
ATC fails to Flight crew 3.36·10-8

Aircraft are 9.20·10-6 detect and
0.36 fails to detect
1.02·10-2 Collision in
positioned on
resolve the and resolve mid-air
collision course
conflict the conflict
yes
3.28·10-6
Aircraft
no continues
flight
5.89·10-6
Aircraft
continues
flight
155
NLR-CR-2008-646
31 ESD32 - Incorrect presence on runway in use
Accident type: collision on ground.

Flight phases: taxi, take-off and landing.
Initiating event: incorrect presence of aircraft/vehicle on runway in use
Flight crew or
Incorrect presence of ATC fails to
Runway vehicle driver Collision on
aircraft/vehicle resolve the
incursion fails to resolve runway
on runway in use conflict
the conflict
yes
Aircraft
no continues
flight
Aircraft
continues
flight
31.1 Definitions
Incorrect presence of aircraft / vehicle on runway in use

According to a definition from ICAO, a runway incursion is any occurrence at an aerodrome
involving the incorrect presence of an aircraft, vehicle or person on the protected area of a
surface designated for the landing and take-off of aircraft. For the purpose of this ESD, only the
runway incursions are considered that could lead to a collision between two aircraft or an
aircraft and a vehicle. ICAO uses a categorisation of runway incursions to denote the severity.
For this study only class A and B incursions are taken into account, i.e. runway incursions
where there was a significant potential for a collision.
ATC fails to resolve the conflict

Failure of Air Traffic Control to successfully provide corrective instructions to flight crew or
vehicle driver in case of a runway incursion.
Flight crew or vehicle driver fails to resolve the conflict.

Failure of the flight crew or vehicle driver to successfully perform corrective actions in the
absence of corrective ATC instructions.
31.2 Quantification
According to Eurocontrol’s mandatory incident reporting scheme, there have been 350 runway
incursions reported in the ECAC area in 2002. This corresponds to 15,300,000 movements or
7,650,000 flights (one flight involves two movements) [EUROCONTROL, 2004]. Since the
156
NLR-CR-2008-646
definition of a runway incursion includes any occurrence involving the incorrect presence of an
aircraft, vehicle or person on the protected area of the runway, not all runway incursions are
taken into account for this scenario. In the mandatory reporting scheme, runway incursions are
classified A through D based on their severity. Of the above mentioned incursions, 5% were
classified as class A (“Very serious”) and 30% as class B (“Significant risk”). For this ESD only
class A and B runway incursions are taken into account denoting incursions with a significant
potential for a collision. Hence, the probability of a runway incursion with a significant
potential for a collision (class A and B) is estimated to be 1.60·10-5 per flight. Such a runway
incursion could involve two aircraft or an aircraft and a vehicle.
In 2001, the National Aerospace Laboratory NLR conducted a study to collect and analyse a
selected number of air traffic management related accidents, which occurred in the period 1980
through 1999 and involved civil transport aircraft [van Es, 2001]. The accidents involved
aircraft operated by commercial operators, including and limited to:
• Western-built aircraft,
• Freight operators and air carriers involved in public transport,
• Scheduled and non-scheduled flights,
• Freight, passenger, training and positioning flights,
• International and domestic flights,
• Turbojet, turboprop and piston-engine fixed-wing aircraft,
• Aircraft in the takeoff weight category of 5,700 kg or higher.
But excluding:
• Experimental/test flights;
• Accidents with helicopters; and
• Accidents caused by sabotage, terrorism and military actions.
According to this study, there were 25 runway incursion accidents in 70 million flights. The
corresponding accident rate is 3.57·10-7 per flight. This implies that 2.23% of all runway
incursions with significant risk lead to an accident.
To analyse the causes and effects, a set of runway incursions on airports controlled by ATC
from a western-European country in the period 1995-2001 has been studied. The set involved
259 runway incursions. From this set only incursions are considered where there was a possible
collision. For example, unauthorised entries of a runway with no other traffic were excluded
from the data sample. In total 170 runway incursion remained. It is assumed that this set is
representative for class A and B runway incursions in the ECAC area.
157
NLR-CR-2008-646
In the analysis the two parties involved in the incursion and their flight phases are determined:
landing aircraft, aircraft in take-off, taxiing aircraft (e.g. crossing the runway) or a vehicle
(including a tow truck). The take-off phase is considered to start when the aircraft enters the
runway to line-up for departure (authorised or not). The landing phase ends when the aircraft
has left the runway. If it was not clear from the incident description if an aircraft entered the
runway to take-off or to cross, it is assumed that the aircraft was crossing the runway, i.e. that
the aircraft was taxiing.
Furthermore, it was determined who resolved the conflict: ATC or the flight crew. If ATC is
notified by the crew or if ATC did not take any evasive action, but no collision occurred, the
resolution of the conflict is contributed to the flight crew or vehicle driver.
Table 38 The number of runway incursions resolved by ATC or the flight crew per conflict type
ATC resolved Flight crew (or driver)
Type of conflict Total
conflict resolved conflict
Landing - Landing 2 8 10
Landing - Take-off 39 10 49
Landing - Vehicle 30 12 42
Landing - Crossing 24 5 29
Take-off - Take-off 3 5 8
Take-off - Vehicle 13 13 26
Take-off - Crossing 1 5 6
Total 112 58 170
In this ESD, the risk is calculated from an aircraft perspective. Therefore, the above results are
transformed into the number of times (per flight phase) an aircraft was involved in a runway
incursion. In 102 cases (60%), the runway incursion involved two aircraft. In 68 (40%) runway
incursions a vehicle and an aircraft were involved. In total, 272 aircraft were involved in 170
runway incursion situations. The probability of a class A or B runway incursion for a particular
aircraft is: 272/170 × 1.60·10-5 = 2.58·10-5 per flight. Similarly, the probability of an aircraft
experiencing a collision due to a runway incursion is 272/170 × 3.57·10-7 = 5.71·10-7 per flight.
Table 39 The number of runway incursions resolved by ATC or flight crew per flight phase
Flight phase ATC resolved Flight crew (or driver) Total
conflict resolved conflict
Taxi 25 10 35
Take-off 59 38 97
Landing 97 43 140
Total 181 91 272
158
NLR-CR-2008-646
By distinguishing between the different flight phases, using the ratios as given in table 39, the
following probabilities are derived.
Table 40 Summary of runway incursion probabilities per flight phase

Flight phase Number of Probability of Probability of
occurrences runway incursion collision
Taxi 35 3.30·10-6 7.41·10-8
Take-off 97 9.14·10-6 2.05·10-7
Landing 140 1.32·10-5 2.96·10-7
Total 272 2.56·10-5 5.76·10-7
It was computed before that 97.78% of all incidents are resolved by ATC or the flight crew.
From the ratio between the number of conflicts resolved by ATC and by the flight crew as given
in table 39, the conditional probabilities are derived. For an aircraft in landing, 97/140 = 69.3%
of all conflicts are resolved by ATC. So, the probability that ATC resolves the conflict is
97.78% × 69.3% = 0.677. The corresponding probability that ATC fails to resolve the conflict is
3.23·10-1. The probability that the flight crew or the vehicle driver fails to resolve the conflict
given that ATC does not resolve the conflict becomes 0.0223 / (1-0.677) = 6.92·10-2. The other
flight phases are calculated in a similar way. The results are given in the table below.
Table 41 Summary of conditional probabilities of the pivotal events per flight phase
Flight phase Probability that ATC fails Probability that flight crew
to resolve conflict fails to resolve conflict
Taxi 3.02·10-1 7.39·10-2
Take-off 4.05·10-1 5.50·10-2
Landing 3.23·10-1 6.91·10-2

Flight phases: taxi
3.30·10-6
Flight crew or
7.41·10-8
Incorrect presence of ATC fails to 3.02·10-1 7.39·10-2
the conflict
yes
9.23·10-7
no Aircraft
continues
flight
2.30·10-6
Aircraft
continues
flight
159
NLR-CR-2008-646

Flight phases: landing
1.32·10-5
Flight crew or
2.96·10-7
Incorrect presence of ATC fails to 3.23·10-1 6.91·10-2
the conflict
yes
3.97·10-6
no Aircraft
continues
flight
8.94·10-6
Aircraft
continues
flight
160
NLR-CR-2008-646
32 ESD 33 – Cracks in aircraft pressure cabin
32.1 Definitions
The various events (initiating and pivotal) and end states are defined as follows:
Cracks in aircraft pressure boundary (initiating event)

This event covers a crack in an aircraft pressure boundary. This crack can vary in location and
size and it develops over time [Salamanca & Quiroz, 2005]. For this ESD, the focus is on those
cracks that are, or should have been, detected during maintenance or line checks.
Explosive decompression (pivotal event)

In the event of an explosive decompression, the aircraft cabin quickly decompresses, resulting
in major structural failure to the aircraft fuselage. Although there have been cases where aircraft
landed ‘safely’ following an explosive decompression, most notably Aloha Airlines flight 243
on 28 April 1988, it is assumed here that a explosive decompression results in the end-state ‘in
flight break-up’.
In-flight break-up (end state)

Severe damage to the aircraft caused by an explosive decompression. This could be a crash of
the aircraft but also damage without crashing, but which fits the ICAO Annex 13 definition of
an accident.
Aircraft damage / aircraft continues flight

This is the outcome of a crack in the aircraft pressure boundary which did not cause an
explosive decompression. This could mean that there has been decompression of the pressure
cabin but not of an explosive nature and it did not result in an accident, or nothing happened at
all such that the aircraft safely continued the flight.
161
NLR-CR-2008-646
32.2 Quantification
In [van Es & Post 2006] ‘outcome ratios’ have been calculated for a number of unsafe
conditions. These outcome ratios express the conditional probability that given the occurrence
being assessed, a particular aircraft level unsafe outcome will result. Among the unsafe
conditions studied, the following two are useful for the quantification of ESD 33:
• Cracks in the pressure boundary;
• Cabin decompression or failure to pressurize.
The frequency of occurrence of these two unsafe conditions and the unsafe outcomes of these
conditions have been assessed by means of a combination of statistical data from the NLR Air
Safety Database and background technical knowledge. The selection criteria for data analysis
that were used by [van Es & Post, 2006] are the following:
• Fixed wing aircraft with a take-off mass of 5,700 kg or higher;
• Western-built aircraft;
• No business jet aircraft;
• No occurrences due to unlawful actions; and
• Timeframe from 1980 to 2003.
Cracks in aircraft pressure boundary

An estimate of the frequency of occurrence of the initiating event “cracks in the pressure
boundary” is based on service difficulty reports (see App. A). The dataset of service difficulty
reports contains descriptions of all occurrences where ‘reportable’ cracks have been detected
during maintenance or line checks.
The dataset contains at total of 3050 occurrences of “cracks in aircraft pressure boundary” and
covers a total of 153.5 million flights. The associated frequency is 1.99·10-5 per flight.
In-flight break-up
According to the NLR Air Safety database, there have been 4 accidents that where initiated by
‘cracks in the aircraft pressure cabin’ and meeting the data inclusion criteria listed in the
previous section. The corresponding number of flights is 438.2 million, which results in a
frequency of 9.12·10-9.
Explosive decompression
The conditional probability of an explosive decompression if there are cracks in the aircraft
pressure boundary is 9.12·10-9 / 1.99·10-5 = 4.58·10-4.
162
NLR-CR-2008-646
Table 42 Summary of the probabilities for each end state

Estimated probability
Cracks in the pressure boundary 1.99·10-5
In-flight break-up 9.12·10-9
Aircraft damage 1.99·10-5
Accident type: structure overload.

Phases: take-off, initial climb, en route, approach and landing.
Initiating event: cracks in aircraft pressure boundary
9.12·10-9
1.99·10-5 -4
Cracks in aircraft Explosive 4.58·10 In-flight
pressure boundary decompression break-up
yes 1.99·10-5
Aircraft
no damage
163
NLR-CR-2008-646
33 ESD35 - Flight crew decision error/operation of equipment error

(CFIT)
33.1 Definitions
This event sequence diagram describes Controlled Flight Into Terrain (CFIT) accidents. CFIT
accidents are those in which an aircraft, under the control of the crew, is flown into terrain,
obstacles or water, with no prior awareness on the part of the crew of the impending disaster
[Khatwa and Roelen 1997].
Flight crew decision error / operation of equipment error

This initiating event describes any decision error or operation of equipment error that results in
a deviation of the aircraft’s flight path from a previously established safe route.
Flight crew CRM failure

A failure by a member of the flight crew in cross checking, monitoring or challenging the other
flight crew member(s).
Flight crew loss of situational awareness

The flight crew’s mental picture of the position of the aircraft in the horizontal or vertical plane
does not correspond with the actual aircraft position.
164
NLR-CR-2008-646
GPWS failure
This event describes an occurrence where a Ground Proximity Warning System (GPWS) or
Terrain Avoidance Warning System (TAWS) is not installed, or the GPWS/TAWS is switched
off, or he GPWS/TAWS is not functioning properly.
Flight crew fails to execute GPWS manoeuvre

If a GPWS “terrain, terrain” or “pull up, pull up” warning occurs the flight crew should
immediately and simultaneously advance the power levers to the maximum available while
disengaging the auto throttle and rotate smoothly to a target pitch attitude of 15 degrees while
disconnecting the autopilot. A wing-level pull-up should be made unless terrain being avoided
can be seen [Simmons 1998].
Relevant dates on Ground Proximity Warning Systems

• Early 1974 introduction of first GPWS.
• Since May 1994, FAR 135.153 requires GPWS installation for aircraft with more than 10
seats.
• EGWPS introduced in 1996.
• ICAO SARP Annex 6, Part I, Standard 6.15.6 requires for all aircraft a TAWS Class A
equivalent from January 2003.
• JAR-OPS 1.665(c)(2) TAWS Class A required from January 2005
33.2 Quantification
Initiating event
The initiating event has been estimated from the fourth CATS interim report [CATS, 2006].
According to that report, analysis of controlled flight towards terrain incidents recorded in the
British Airways BASIS system during 1997-2001 shows that the probability of occurrence of
‘flight towards terrain commanded’ is 6.10·10-5 per flight. The same probability is used here as
probability of the initiating event ‘flight crew decision error / operation of equipment error’.
Pivotal event flight crew loss of situational awareness

Operational data from a large western European airline has been used to estimate the probability
of the pivotal event ‘flight crew loss of situational awareness’. The data set contains information
of 286,753 flights from the year 2001. In this set, 9 ‘EGWPS terrain closure incidents’ have
been reported. None of these resulted in a CFIT accident. It is assumed that ‘EGPWS terrain
closure incidents’ are by definition similar to ‘flight crew loss of situational awareness’. This
probability can then be estimated at 3.14·10-5 per flight. This frequency is similar to that
presented in [Bateman, 2003].
165
NLR-CR-2008-646
The conditional probability of ‘CRM failure’ in the event of a ‘flight crew decision error /
operation of equipment error’ is 3.14·10-5 / 6.10·10-5 = 0.515.
GPWS failure and failure to execute GWPS manoeuvre

For quantification of the pivotal events ‘GPWS failure’ and ‘failure to execute GPWS
manoeuvre’, the accident data sample was limited to the 10 most recent years for which accurate
data was available. This was done because of the significant advances that have been made in
GPWS systems over the past decades. These changes are not only technical, but also regulatory.
The data sample was restricted to western built large commercial jet aircraft in the period 1993-
2002. In this period 40 CFIT accidents have occurred. Information from accident investigation
reports (if available) and [Bateman, 2000] and [Bateman, 2003] was combined to determine for
each of these accidents whether the aircraft involved was equipped with GPWS and whether the
GPWS (if installed) provided a timely warning. Results are summarised in table 43.
Table 43 Number of accidents for the different levels of GPWS equipment

Number of
accidents
Not GPWS equipped 2
GPWS equipped 32
Terrain warning 11
No terrain warning 12
Unknown 9
Unknown 6
Total 40
From the 11 accidents in which a terrain warning was given, 4 warnings were generated 6
seconds or less before impact. As a typical response time to a GPWS warning is 6 seconds
[Bateman 2003], these warnings are regarded as too late because the pilot did not have sufficient
time to respond. This corresponds to 36%. In the other 64% of the accidents in which a terrain
warning was given more than 6 seconds before the impact and the flight crew responded too late
or even did not respond at all.
166
NLR-CR-2008-646
18000
16000
14000
12000
Aircraft fleet size
10000 EGPWS equipped

GPWS equipped
8000 No (E)GWPS
6000
4000
2000
0
00
01
02
03
04
05
93
94
95
96
97
98
99
20
20
20
20
20
19
19
19
20
19
19
19
19
year
Fig. 11 Annual distribution of GPWS and EGPWS equipped aircraft of the western built large
commercial jet fleet Source: [Bateman 2003]
Table 44 Annual distribution of GPWS and EGPWS equipped aircraft of the

western built large commercial jet fleet Source: [Bateman 2003]
Year Number of flights Not equip GPWS EGPWS
1993 17,502,370 3% 97% 0%
1994 18,247,064 3% 97% 0%
1995 18,978,107 3% 97% 0%
1996 19,664,925 3% 97% 0%
1997 20,200,655 3% 90% 7%
1998 20,696,493 2% 78% 19%
1999 21,595,794 2% 69% 29%
2000 22,157,667 2% 67% 31%
2001 23,015,410 2% 53% 45%
2002 22,421,310 1% 45% 54%
2003 23,084,147 1% 26% 73%
Total 227,563,942 4,945,966 164,865,523 57,752,453
Table 44 and figure 11 show the number of aircraft with equipped with EGWPS and GPWS
[Bateman 2003]. On total there are 227.6 million flights in that period performed by western-
built large commercial jet aircraft. It is estimated that 4.9 million flights are performed by non-
GPWS equipped aircraft, 164.9 million flights by GPWS equipped aircraft and 57.7 million
flights by EGPWS equipped aircraft.
167
NLR-CR-2008-646
Table 45 Accident probability for non-GPWS, GPWS and EGPWS equipped aircraft
Accidents Flights Probability per flight
Non-GPWS equipped aircraft 2 4.9 million 4.04·10-7
GPWS equipped aircraft 32 164.9 million 1.94·10-7
EGPWS equipped aircraft 0 57.7 million <1.70·10-8 8
For the purpose of this model, it is assumed that all aircraft are equipped with EGPWS, i.e. the
CFIT accident probability is estimated at 1.70·10-8 per flight.
The probability of a (E)GPWS system malfunction is estimated by using the database of service
difficulty reports (SDR), see appendix A. According to the SDR database, there are 92 reported
GPWS failures (ATA 3444) for a total exposure of 2.16·108 flights, a failure frequency of
The probability that the flight crew fails to properly execute a GPWS manoeuvre can be
calculated from the probabilities for ‘flight crew loss of situational awareness’ (3.14·10-5),
‘GPWS failure’ (4.26·10-7) and ‘collision with ground’ (1.70·10-8). The probability that the
flight crew fails to successfully execute the GPWS manoeuvre becomes 5.41·10-4.
Table 46 Summary of the results for ESD 35

Event Probability (per flight)
Flight crew decision error/operation of equipment error 6.10·10-5
Flight crew CRM failure 5.15·10-1
Flight crew has lost situational awareness = YES 3.14·10-5
EGWPS failure 4.26·10-7
Flight crew fails to execute GPWS manoeuvre 5.41·10-4
8
In Bateman 2003 the probability of a CFIT accident by an EGPWS equipped aircraft is estimated at 1.1·10-8 per flight.
168
NLR-CR-2008-646
169
NLR-CR-2008-646
34 ESD 36 Collision on taxiway/apron
Ground ATC fails to Flight crew fails Ground crew

Aircraft
collision resolve the to resolve the fails to resolve
damaged
imminent conflict conflict the conflict
yes Aircraft
no continues
taxi
Aircraft
continues
taxi
Aircraft
continues
taxi
34.1 Definitions
Ground collision imminent
This initiating event refers to a situation where a taxiing aircraft moves towards an object (other
aircraft, vehicle, either stationary or moving, or a stationary object like a blast fence, lamp post,
etc) or a vehicle moves towards a taxiing aircraft (either moving or temporarily stationary) such
that a collision will result unless avoidance acting is taken by flight crew or ground crew. This
initiating event only refers to situations in which the subject aircraft is in the process of taxiing
from the gate to the runway of departure (including the pushback process) or taxiing from the
arrival runway to the gate, including the process of docking at the gate.
ATC fails to resolve the conflict

Failure of Air Traffic Control to successfully provide corrective instructions to flight crew or
ground crew in case of an imminent collision on the taxiway or apron. This is not necessarily an
ATC error.
Flight crew fails to resolve the conflict

Failure of the flight crew to successfully perform corrective actions in case of an imminent
collision on the taxiway or apron. This is not necessarily a flight crew error.
Ground crew fails to resolve the conflict.

Failure of the flight crew to successfully perform corrective actions in case of an imminent
collision on the taxiway or apron. This is not necessarily a ground crew error.
170
NLR-CR-2008-646
Aircraft damaged
Aircraft damaged is defined as a situation where the aircraft is damaged as a direct result of a
collision with another aircraft, vehicle or stationary object.
34.2 Quantification
According to the ICAO definition, occurrences where the aircraft damage is limited to the
engine, its cowlings or accessories, or for damage limited to propellers, wing tips, antennas,
tires, brakes, fairings, small dents or puncture holes in the aircraft skin, are not considered to be
accidents. These occurrences are therefore not subject to the ICAO rules regarding accident
reporting and investigation and reliable information on the frequency of occurrence such
damage events cannot be obtained from accident and incident databases like ADREP.
Quantification of the end-state aircraft damaged

According to an older study by SAE [SAE 1980], the frequency of aircraft damage caused by
ground support equipment is 4.12x10-4 per flight (833 aircraft damage occurrences over
2,023,834 departures). Only occurrences at the gate were considered in this study.
To obtain more recent information, one year of ASR reports from a large European airline was
analysed. The time span was from 16 April 1997 to 15 April 1998. Flight phases ‘parked’,
‘push-back’, ‘taxi-in’ and ‘taxi-out’ were included in the analysis. The data file remains
confidential. The data sample included a total of 44 occurrences of aircraft damage as a result of
a collision on the taxiway or apron. 42 of those occurred while the aircraft was ‘parked’, 1
occurred while the aircraft was ‘taxiing in’ and 1 occurred while the aircraft was ‘taxiing out’.
The corresponding number of flights is 107,000, resulting in a frequency of 4.11x10-4 per flight.
Note that if we only look at damage to ‘parked’ aircraft the frequency is 3.92 x10-4 per flight,
which corresponds well with the SAE result of 4.12x10-4 per flight for aircraft at the gate.
Based on the results of the analysis of the SDR data sample, we assume a frequency of
4.11x10-4 per flight for the end state ‘aircraft damaged’.
Quantification of the initiating event ground collision imminent

Estimating the frequency of occurrence of the initiating event is hampered the absence of a
formal requirement to report these occurrences. The best source of information for
quantification of this event is probably an airline’s internal air safety reporting system. For
quantification of the initiating event ‘ground collision imminent’ we analysed one year of ASR
reports from a large European airline. The time span was from 16 April 1997 to 15 April 1998.
Flight phases ‘parked’, ‘push-back’, ‘taxi-in’ and ‘taxi-out’ were included in the analysis. The
data file remains confidential. All reported events were read by the analyst to determine whether
171
NLR-CR-2008-646
there had been a collision risk. Events such as ‘aircraft proximity’, ‘obstacles on apron’ and
‘collision risk’ were interpreted as genuine cases of ‘ground collision imminent’. The data
sample included a total of 29 of such cases in addition to the 44 collisions that are mentioned in
the previous paragraph. The corresponding number of flights is 107,000, resulting in a
frequency of 6.82x10-4 per flight. All but one of the reported near collisions occurred during
push-back and taxi.
Table 47 shows the distribution of near collisions and damage occurrences for the data sample.
Table 47 Results of one year of ASR data

on ground collisions.
Near collision Damage
Parked 1 42
Push-back 3 0
Taxi-in 21 1
Taxi-out 4 1
The ASR system is a reporting system for flight crew. Occurrences where a ground crew
member just narrowly manages to avoid a collision of his vehicle with an aircraft that is
standing at the gate will not show up in the ASR database. This is also evident from table 1. For
these cases we need an alternative way of estimating the probability of occurrence.
We therefore looked at one year of data from Schiphol’s OASIS database (1998 data). This data
sample contains occurrence reports from airlines but also ground servicing companies. The
sample included 95 occurrences of aircraft damage and 44 occurrences of near collisions
(aircraft – aircraft or vehicle – aircraft), see table 48. The data file remains confidential.
Table 48 OASIS results

Near collision Damage
Parked 8 81
Push-back 15 7
Taxi-in 19 6
Taxi-out 2 1
No exposure data is available, so this information can only be used to estimate the relative
frequency of occurrence. Based on these results we assume that of all near collisions, in 50% of
the cases the flight crew prevents a collisions (taxi-in and taxi out), and in 50% of the cases the
ground crew prevents a collision (parked and push-back). Furthermore we assume that Air
Traffic Control plays no role in the prevention of collisions on the apron or taxiway.
172
NLR-CR-2008-646
6.82x10-4 1 8.00x10-1 7.50x10-1

ATC fails to Flight crew fails Ground crew 4.11x10-4
Ground collision Aircraft
resolve the to resolve the fails to resolve
imminent damaged
conflict conflict the conflict
yes
Aircraft 1.36x10-4
no continues
taxi
Aircraft
1.36x10-4
continues
taxi
Aircraft 0
continues
taxi
173
NLR-CR-2008-646
35 ESD 37 Wake vortex encounter
Flight crew fails to

Wake vortex Collision
maintain control
encounter with
ground
Personal injury Personal

yes
injury
no
Aircraft
continues
flight
35.1 Definitions
Wake vortex encounter

The wake of an aircraft consists of two counter rotating swirling rolls of air, the wake vortices,
that trail from the wing tips of the aircraft, see figure 12. The wake vortex pair may last for
several minutes and stretch for many kilometres behind the aircraft. The strength of the wake
vortex is influenced by the wing geometry and is approximately proportional to the lift
generated by the aircraft, which is equal to the weight of the aircraft. Vortices propagate
downward, away from the flight path, initially descending at 300-500 ft/s. This descent velocity
may change in time due to ambient meteorological conditions and the decay of the vortices. The
lifetime of a vortex depends upon local meteorological conditions, circulations decay to about
one half their initial value in 60-90 s.
Fig. 12 Wake vortex pair generated by an aircraft.
An aircraft encountering the wake vortex of a preceding aircraft may undergo considerable
variations in pitching, rolling and yawing moments and lift. The effect of a wake vortex
encounter depends on:
174
NLR-CR-2008-646
• Wake characteristics (influenced by characteristics of the wake-producing aircraft and

local atmospheric conditions)
• Wake intercept route,
• Properties of the encountering aircraft.
To avoid wake vortex encounters, ATC regulations prescribe longitudinal separation minima
between aircraft, expressed as either time or distance. These minima are a function of the weight
category of the leading and following aircraft.
For the purpose of this ESD, a wake vortex encounter is defined as an occurrence where an
aircraft encounters the wake vortex of a preceding aircraft such that noticeable deviations from
the aircraft’s initially intended flight path or attitude occur.

pivotal event does not necessarily imply a failure or error of the flight crew. The ability of the
flight crew to maintain control of the aircraft is affected by human factors (training, fatigue, etc)
aircraft system performance, weather conditions, etc.
Personal injury
This pivotal event is defined as an occurrence where one or more of the aircraft’s occupants are
injured as a result of unusual aircraft attitude and/or accelerations caused by a wake vortex
encounter. Injuries may result from falls (people standing in the aisle) or people being struck by
loose objects.
American Airlines flight 587

This accident is described separately as it is illustrative of the considerations that are relevant
when individual accidents have to be assigned to a defined set of ESDs.
On November 12, 2001, American Airlines flight 587, an Airbus Industrie A300-605R, crashed
into a residential area of Belle Harbor, New York, shortly after takeoff from John F. Kennedy
International Airport, New York. All 260 people aboard the aircraft and 5 people on the ground
were killed. The NTSB concluded “that the probable cause of this accident was the in-flight
separation of the vertical stabilizer as a result of the loads beyond ultimate design that were
created by the first officer’s unnecessary and excessive rudder pedal inputs” [NTSB 2004] The
first officer’s rudder pedal inputs were a reaction to an encounter with the wake vortex of a
Japan Airlines Boeing 747 which departed immediately before flight 587. The local air traffic
controller complied with FAA wake turbulence spacing requirements when handling flight 587
175
NLR-CR-2008-646
and Japan Air Lines flight 47 9, and the wake encounter itself was considered to be “nothing
extraordinary” or mild wake turbulence. The safety board concluded that the wake encounter
did not place flight 587 in an upset condition 10, and the airplane’s response to the wake did not
indicate that an upset was imminent. The first officer had a tendency to overreact to wake
turbulence by taking unnecessary actions, including making excessive control inputs. The first
officer’s initial control wheel input in response to the wake turbulence encounter was too
aggressive, and his initial rudder pedal input response was unnecessary to control the airplane.
The wake encountered by AA flight 587 was not very strong, all separation criteria were met
and the aircraft’s change in flight path and attitude were in itself not hazardous, and formally
(i.e. according to the NTSB) the wake vortex encounter is not considered to be a cause of the
accident. Nevertheless, for the purpose of the causal risk model this accident is classified as an
‘ESD 37 occurrence’, because, regardless of discussions on the cause, the sequence of events of
this accident fits ESD 37.
35.2 Quantification
When quantifying wake vortex occurrences it must be kept in mind that neither the flight crew
nor accident/incident investigators have the means to determine incontrovertibly if a disturbance
is caused by a wake vortex or by atmospheric turbulence.
In the 1990-2003 timeframe, wake vortex encounters initiated 7 accidents involving large
commercial aircraft, Western-built (Tab. 49). The corresponding number of flights is 387
million.
Table 49 Relevant accidents, 1990-2003, western-built large commercial aircraft

Date Operator Aircraft type Location Phase Result
06/06/91 American Airlines MD-80 Bridgeport, TX, USA Cruise Injuries
08/07/92 KLM-UK Fokker F-27 London, UK Approach Injury
15/12/93 Martin Aviation IAI 1124 Santa Ana , CA USA Approach Fatal / hull loss
16/05/96 FedEx MD-11 Anchorage, AK, USA Approach Tail scrape
17/09/98 American Eagle ATR-42 Chicago, IL USA Approach Injury
07/01/01 Aer Lingus Airbus A-330 Canada Cruise Injuries
12/11/01 American Airlines Airbus A300-600 New York, NY, USA. Climb Fatal / hull loss
9
Japan Air Lines flight 47 and American Airlines flight 587 were separated at all times by at least 4.3 nautical miles (nm)
horizontally and 3,800 feet vertically, the minimum separation for a heavy airplane behind another heavy airplane is 2 minutes or
4 nm.
10
The Airbus A300-600 FCOM and the joint industry Airplane Upset Recovery Training Aid defined
upsets to include unintentional bank angles of greater than 45°.
176
NLR-CR-2008-646
Three accidents correspond with the end-‘state ‘collision with ground’, and accidents
correspond with the end-state ‘personal injury’. The associated probabilities are 7.75 x 10-9 for
collision with ground and 1.03 x 10-8 for personal injury.
Wake vortex encounter incidents occur more frequently than accidents. Most reported wake
vortex encounters occur in the approach phase, which can be explained by the fact that nearly
all approaches follow the same approach path, thereby increasing the probability of intercepting
the wake vortex of the preceding aircraft. In contrast, on take-off aircraft become airborne at
different points along the runway and climb at different angles.
An estimate of the frequency of occurrence of wake vortex encounters is available from the EU
sponsored CREDOS project [Balk 2007]. The estimate was based on a sample of Air Safety
Reports from airlines operating western built large (>5,700 kg MTOW) aircraft in commercial
operations from 1992-2005. This sample represents a total of 13,876,086 flights. The sample
represents European and non-European airlines. The data itself in confidential and resides in
NLR’s Air Safety database.
The data sample contains a total of 1906 wake-vortex encounters, distributed among flights
phases as indicated in table 50.
Table 50 Wake vortex encounters

distributed by flight phase
Phase Number of
encounters
Taxi-in 5
Take-off 180
Initial climb 246
Climb 163
Cruise 197
Descent 301
Holding 9
Approach 704
Landing 99
Taxi-in 2
Based on these result the overall (all phases of flight) frequency of occurrence of the initiating
event ‘wake vortex encounter’ is estimated at 1.30x10-4 per flight.
Combination of the probability of occurrence of the initiating event and the end states results in
the conditional probabilities of the pivotal events.
177
NLR-CR-2008-646
The conditional probability of ‘flight crew fails to maintain control’ if a wake vortex is
encountered is 7.75 x 10-9 / 1.30 x 10-4 = 5.96x10-5.
The conditional probability of ‘personal injury’ if a wake vortex is encountered and the flight
crew maintains control is 1.03 x 10-8 / (1.30x10-4 x (1-5.96x10-5)) = 7.92 x10-5.
-4 -9
1.30 x 10 Flight crew fails to 5.96x10-5 7.75 x 10
Wake vortex Collision
maintain control
encounter with
ground
-8
-5 1.03x10
Personal injury 7.92x10 Personal
yes
injury
no
-4
1.30x10
Aircraft
continues
flight
178
NLR-CR-2008-646
References
1. Ale, B.J.M., Bellamy, L.J., Cooke, R.M., Goossens, L.H.J., Hale, A.R., Kurowicka, D.,
Roelen, A.L.C., Smith, E. 2005. Development of a causal model for air transport safety,
Proceedings of IMECE2005, 2005 ASME International Mechanical Engineering
Congress and Exposition, November 5-11, 2005, Orlando, Florida USA, IMEC2005-
79374.
2. Antuñano and Mohler. 1992. In-flight Spatial Disorientation, Human Factors and
Aviation Medicine, Flight Safety Foundation (FSF), January/February 1992.
3. Balk, A. 2007. Credos report, working draft, NLR Amsterdam.
4. Bateman, D. 2000. CFIT Accident Statistics, August 31, 2000.
5. Bateman, D. 2003. How to Terrain-proof the World’s Civil Aircraft Fleet-Revisiting an
Old Problem, 56th annual IASS conference, November 2003.
6. Bellamy, L.J. Roelen, A.L.C. 2006. Integrated Event Sequence Diagrams. White Queen
report. Ref: Integrated ESD model_SB30_REV1, 13 June 2006.
7. CATS. 2006. Fourth interim report, TU Delft Risk Centre, May 2006.
8. Chapman, P.J.C. 1984. The consequences of in-flight incapacitation in civil aviation,
Aviation Space and Environmental Medicine, Vol. 55, Nr. 6, pp 497-500.
9. Civil Aviation Authority. 1997. Aviation Safety Review, CAA Publication CAP 673.
10. Civil Aviation Authority. 2000. Aviation Safety Review 1990-1999, CAA Publication
CAP 701.
11. Civil Aviation Authority. 2002. Aviation Safety Review 1992-2001, CAA Publication
CAP 735.
12. DFS Deutsche Flugsicherung. 2006. http://www.dfs.de.
13. DeJohn, C.A., Wolbrink A.M., Larcher J.G. 2004. In-Flight Medical Impairment of U.S.
Airline Pilots: 1993 to 1998. Civil Aeromedical Institute, Federal Aviation
Administration. DOT/FAA/AM-04/16.
14. Van Es, G.W.H. 2001. A review of civil aviation accidents – Air Traffic Management
related accidents: 1980-1999, NLR report NLR-CR-2001-056, NLR Amsterdam.
15. Van Es, G.W.H., Van der Geest, P.J. and Nieuwpoort, T.M.H. 2001. Safety aspects of
aircraft operations in crosswind, NLR report NLR-TP-2001-217, NLR Amsterdam.
16. Van Es, G.W.H and. Post, J.A. 2006. Risk assessment of potential unsafe conditions,
NLR report NLR-CR-2006-047, NLR Amsterdam.
17. Van Es, G.W.H. and Van der Geest, P.J. 2006. A Study of Normal Operational Landing
Performances on Subsonic Civil Narrow Body Jet Aircraft during ILS Approaches, NLR
report NLR-CR-2006-049, NLR Amsterdam.
18. EUROCONTROL. 2004. European SSAP Regional Workshop, Tallinn, 29-30 June 2004.
See also: http://www.eurocontrol.int/runwaysafety/public/standard_page/Runway.html
179
NLR-CR-2008-646
19. FAA. 1992. Takeoff safety training aid, AC 120-TO.

20. GAO (United States General Accounting Office). 1991. Changes needed in FAA’s
Service Difficulty Program, GAO/RCED-91-24, Washington DC, USA.
21. IATA. 2005. STEADES Safety Trends Analysis, Issue 4, p.12-13.
22. IVW (Civil Aviation Authority the Netherlands). 2004. Civil Aviation Safety Data, 1989-
2003, CAA-NL, Hoofddorp, the Netherlands.
23. James M., Green R. 1991. Airline pilot incapacitation survey. Aviation Space and
Environmental Medicine, Vol. 62, Nr. 11, pp 1068-72.
24. Khatwa, R., Roelen, A.L.C. 1997. Controlled Flight Into Terrain (CFIT) accidents of air
taxi, regional and major operators, NLR TP 97270 U, NLR Amsterdam.
25. LVNL Air Traffic Control the Netherlands. 2004. Annual reports 2001, 2002, 2003 and
2004.
26. Martin-Saint-Laurent A., Lavernhe J., Casano G., Simkoff A. 1990. Clinical aspects of
In-flight Incapacitations in Commercial Aviation. Aviation Space and Environmental
Medicine, Vol. 61, pp 256-60.
27. NASA. 1992, Making the Skies Safe from Wind shear, June 1992, available via:
28. http://www.nasa.gov/centers/langley/news/factsheets/Windshear.html.
29. NTSB. 2003. In-Flight Electrical System Failure and Loss of Control, Jet Express
Services, Raytheon (Beechcraft) Super King Air 200, N81PF, Near Strasburg, Colorado,
January 27, 2001, NTSB/AAR-03/01, National Transportation Safety Board, Washington
DC, USA.
30. NTSB. 2004. In-Flight Separation of Vertical Stabilizer, American Airlines Flight 587,
Airbus Industrie A300-605R, N14053, Belle Harbor, New York, November 12, 2001.
Aircraft Accident Investigation Report NTSB/AAR-04/04, National Transportation
Safety Board, Washington D.C.
31. Roelen, A.L.C., Wever, R.W., Hale, A.R., Goossens, L.H.J., Cooke, R.M., Lopuhaa, R.,
Simons, M., Valk, P.J.L. 2002. Causal modelling of air safety, Demonstration model,
NLR-CR-2002-662, NLR Amsterdam.
32. Roelen, A.L.C., Wever, R. 2004. A causal model of a rejected take-off, NLR report NLR-
CR-2004-039, NLR Amsterdam.
33. Roelen, A.L.C., Wever, R. 2005. Accident scenarios for an integrated aviation safety
model, NLR report NLR-CR-2005-560, NLR Amsterdam.
34. Roelen, A.L.C., Doorn, B.A., van, Smeltink, J.W., Verbeek, M.J., Wever, R. 2006.
Quantification of Event Sequence Diagrams for a causal risk model of commercial air
transport, NLR-CR-2006-520, NLR Amsterdam.
35. SAE. 1980 Aircraft damage caused by ground support equipment. Aerospace Information
report AIR 1589, Society of Automotive Engineers, Inc. Warrendale, PA, USA.
180
NLR-CR-2008-646
36. Salamanca, H.E., Quiroz, L.L. 2005. A simple method of estimating the maintenance cost
of airframes, Aircraft Engineering and Aerospace Technology: An International Journal,
77/2, pp 148-151.
37. Simmons, D.A. 1998. Boeing 757 CFIT accident at Cali, Colombia becomes focus of
lessons learned, Flight Safety Digest, Vol. 17, No. 5/6.
38. Skyguide. 2004. Safety Bulletin #5, Apr/May/June 2004.
39. Stamatelatos, M. et. al , 2002. Probabilistic risk assessment procedures guide for NASA
managers and practitioners, Version 1.1.
181
NLR-CR-2008-646
This page is intentionally left blank.
182
NLR-CR-2008-646
Appendix A Description of data sources
For many years NLR maintains a large database with data related to aviation safety, called the
NLR Air Safety Database. Air safety data are all data that characterise activities of the air
transport system. The NLR Air Safety Database is basically a collection of databases containing
different types of data. It contains detailed information on accidents and incidents of fixed wing
aircraft from 1960 onward. Currently, it contains information on more than 34,000 accidents
and serious incidents that occurred worldwide. The NLR Air Safety Database includes the
databases described in sections A.1 through A.7. Besides the data described here, the NLR Air
Safety Database also contains a large collection of non-accident related data. These data
include: airport databases, flight exposure data (hours and flights at the level of airlines, aircraft
type, and airports), weather data, and fleet data.
A.1 FAA Service Difficulty Reports (SDRs)

The objective of FAA's SDR program is to correct conditions adversely affecting aircraft safety.
To do this, FAA collects mechanical reliability reports of US airlines; analyzes the reports; and
disseminates trends, problems, and safety alert information to the aviation industry and FAA.
FAR §§ 121.703 and FAR 135.415 require that holders of certificates issued under part 121 (air
carriers) or part 135 (air taxi), respectively, submit reports to the FAA on certain failures,
malfunctions, or defects of specific systems and on all other failures, malfunctions, or defects
that have endangered or may endanger the safe operation of an aircraft. In addition, FAR §§
145.63 and 145.79 contain provisions for certificated US and non-US repair stations,
respectively, to report to the FAA serious defects in, or other recurring unairworthy conditions
of, an aircraft, power plant, propeller, or component. Under FAR 121.703, an airline must report
each aircraft malfunction incident within 72 hours to the FAA Flight Standards District Office
responsible for that airline. After an initial review, the district office mails reports to FAA'S
National Safety Data Branch in Oklahoma City, Oklahoma, which screens and enters them into
a national computerized data base.
The FAA SDR program has been criticised in the past [GAO, 1991]. Some of the criticism is
irrelevant for the purpose of this study. However, one of the points of criticism considers
underreporting, and this is an important issue. The number of SDRs submitted by airlines
operating similar aircraft varies significantly among airlines. Airline officials attribute reporting
differences to vague reporting requirements, leading to varying interpretations of what should
be reported and to airlines’ concerns over the public’s access to malfunction reports in
accordance with the Freedom of Information Act. Concerned about public disclosure of SDR
data, some airlines are reluctant to submit malfunction reports to FAA. Differences among
183
NLR-CR-2008-646
airlines’ reporting practices would diminish the quality of the data because they would not
reflect the actual occurrence of mechanical malfunctions.
SDR data is limited to US airlines only. Because the level of safety of US airlines is similar to
that of EASA operators [IVW, 2004], it is assumed that SDR data is also representative for
European air carriers.
Research approach
Aircraft systems were selected on ATA chapter. The main source of information was the
database of Service Difficulty Reports (SDRs). The time period 1985-2003 was selected as
representative of current aviation. This dataset was large enough to provide a statistically robust
sample, even on subsystem level. Information on the failed system and the flight phase during
which the failure took place were obtained unaltered from the SRD database.
Search criteria
The analysis was limited to air carrier operations, thereby excluding general aviation. Data from
1985 through 2003 was considered. Only events which resulted in precautionary procedures
were included in the data sample. Finally, events which were the result of a false warning were
excluded. The total data sample included 123.278 reports. The associated number of flights is
224 million.
By limiting the data sample to occurrences that resulted in precautionary procedures, the
analysis is restricted to significant occurrences. This has two advantages: a) the reliability of the
data is better, and b) only events that really have a potentially adverse effect on safety are
considered.
A.2 Air Safety Reports (ASRs)

NLR has collected several databases with Air Safety Reports (ASRs) from different European
and non-European airlines. ASRs are reports by pilots of unsafe occurrences and hazardous
situations that occurred during operations. All data concern commercial operations with
‘western’ aircraft of more than 5700 kg maximum take-off weight and cover 9 million flights
between 1998 and 2004.
A.3 Airclaims database

The Airclaims database provides brief details of all known major operational accidents to jet
and turboprop aircraft worldwide. The subset of the Airclaims database purchased by the NLR
contains data and descriptive information about all known airline accidents since 1952. The
184
NLR-CR-2008-646
accident details have been drawn from many sources both official and unofficial (including
press reports). Therefore, they may be incomplete or otherwise incorrect.
A.4 ICAO ADREP

The ICAO ADREP database is based on the accident/incident data report supplied to the ICAO
organization. ADREP is an acronym for Accident Data REPorting system. The database
includes worldwide accident/incident data of aircraft (fixed wing and helicopter) heavier than
5,700 kg since 1970.
A.5 NTSB aviation accident database

The NTSB aviation accident database contains information from 1962 and later about civil
aviation accidents and selected incidents within the United States, its territories and possessions,
and in international waters. Generally, a preliminary report is available online within a few days
of an accident. Factual information is added when available, and when the investigation is
completed, the preliminary report is replaced with a final description of the accident and its
probable cause. Full narrative descriptions may not be available for dates before 1993, cases
under revision, or where NTSB did not have primary investigative responsibility.
A.6 FAA AIDS database

The FAA Accident/Incident Data System (AIDS) database contains incident data records for all
categories of civil aviation in the US. Incidents are events that do not meet the aircraft damage
or personal injury thresholds contained in the National Transportation Safety Board (NTSB)
definition of an accident. For example, the database contains reports of collisions between
aircraft and birds while on approach to or departure from an airport. While such a collision may
not have resulted in sufficient aircraft damage to reach the damage threshold of an NTSB
accident, the fact that the collision occurred is valuable safety information that may be used in
the establishment of aircraft design standards or in programs to deter birds from nesting in areas
adjacent to airports. The FAA AIDS database contains incidents that occurred between 1978
and the present. The information contained in AIDS is gathered from several sources including
incident reports on FAA Form 8020-5. The data are presented in a report format divided into the
following categories: Location Information, Aircraft Information, Operator Information,
Narrative, Findings, Weather/Environmental Information, and Pilot Information and other data
fields.
A.7 Aviation Safety Reporting System

The Aviation Safety Reporting System (ASRS) is a confidential incident reporting system in the
Unites States. Flight crew, air traffic controllers, cabin crew, mechanics, ground personnel and
185
NLR-CR-2008-646
others involved in air traffic operations can submit reports to the ASRS if they are involved in,
or observe, an incident or a situation in which aviation safety was compromised. All
submissions are voluntary. The ASRS is operated by NASA. This ensures that the identity of
the reporter and parties involved will not be released to the authorities, and consequently
increases the willingness to report. To further stimulate the reporting process, the system is non-
punitive. ASRS information is not used against reporters in enforcement actions. Unintentional
violations of federal aviation regulations that are reported are waived of fines and penalties. The
ASRS contains reports from 1975 to present, primarily from US reporters, not restricted to a
specific class of operations or aircraft.
186

App 4a NLR 13 2008 646

Uploaded by

Copyright:

Available Formats

App 4a NLR 13 2008 646

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

App 4a NLR 13 2008 646

Uploaded by

Copyright:

Available Formats

UNCLASSIFIED Nationaal Lucht- en Ruimtevaartlaboratorium

National Aerospace Laboratory NLR

Quantification of Event Sequence Diagrams for a causal risk

of occurrence of the initiating presented in this report is an

Nationaal Lucht- en Ruimtevaartlaboratorium, National Aerospace Laboratory NLR

Anthony Fokkerweg 2, 1059 CM Amsterdam,

Quantification of Event Sequence Diagrams for a

Customer Minitry of Transport

2 Event Sequence Diagrams 13

3 ESD1 - Aircraft system failure 21

4 ESD 2 – ATC event 25

5 ESD 3 – Aircraft handling by flight crew inappropriate 31

6 ESD4 - Aircraft directional control related system failure 36

7 ESD5 – Incorrect configuration 41

7.3 Summary of results 47

8 ESD6 - Aircraft takes off with contaminated wing 50

9 ESD 7 – Aircraft weight and balance outside limits during take-off 56

10 ESD 8 – Aircraft encounters a performance decreasing wind shear after rotation 61

11 ESD9 - Single engine failure during take-off 67

12 ESD10 - Pitch control problems 71

13 ESD11 - Fire onboard aircraft 78

14 ESD12 - Flight crew spatially disoriented 82

15 ESD13 - Flight control system failure 89

16 ESD14 - Flight crew incapacitation 92

17 ESD15 - Anti-ice/de-ice system not operating 99

18 ESD16 - Flight instrument failure 104

19 ESD17 - Aircraft encounters adverse weather 107

20 ESD18 - Single engine failure in flight 110

21 ESD19 - Unstable approach 113

23 ESD23 - Aircraft encounters wind shear during approach 121

24 ESD25 – Aircraft handling by flight crew during flare inappropriate 132

27 ESD28 - Single engine failure during landing 141

28 ESD29 - Thrust reverser failure 144

29 ESD30 - Aircraft encounters unexpected wind 148

30 ESD31 - Aircraft are positioned on collision course 151

31 ESD32 - Incorrect presence on runway in use 156

32 ESD 33 – Cracks in aircraft pressure cabin 161

33 ESD35 - Flight crew decision error/operation of equipment error (CFIT) 164

33.2 Quantification 165

34 ESD 36 Collision on taxiway/apron 170

35 ESD 37 Wake vortex encounter 174

Appendix A Description of data sources 183

ACAS Airborne Collision Avoidance System

This page is internationally left blank.

1.3 Research approach

1.5 Contents of this report

2 Event Sequence Diagrams

2.1 General theory

Initiating Pivotal YES Pivotal YES End

Fig. 1 Event Sequence Diagram

Initiating event: The first event in an

Pivotal event: An event which has

End state: It is the terminating point

Comment box: Used for providing

Fig. 2 Types of events in an ESD and their iconic representation

Time condition: Represents a

Fig. 3 Types of conditions in an ESD and their iconic representation

Fig. 4 ESD quantification, absolute probabilities

Fig. 5 ESD quantification, normalised probabilities