Normal people working in normal organizations with normal equipment: System safety and cognition in a mid-air collision

Normal people working in normal organizations with normal equipment:

System safety and cognition in a mid-air collision

Paulo Victor Rodrigues de Carvalhoa,b,*, Jose´ Orlando Gomesb, Gilbert Jacob Huberb, Mario Cesar Vidalc

a Comissa˜o Nacional de Energia Nuclear, Instituto de Engenharia Nuclear, Cidade Univerisitária, Ilha do Funda˜o, CEP 21945-970 Rio de Janeiro, RJ, Brazil

b Graduate Program in Informatics-NCE&IM, Cidade Universitária, Rio de Janeiro, RJ, Brazil

c Luis Alberto Coimbra Research Institute, COPPE, Federal University of Rio de Janeiro, Rio de Janeiro, RJ, Brazil

a r t i c l e i n f o

Article history:

Received 1 February 2008

Accepted 28 November 2008

Keywords:

Mid-air collision

System safety

Cognitive strategies

Air traffic management system

a b s t r a c t

A fundamental challenge in improving the safety of complex systems is to understand how accidents

emerge in normal working situations, with equipment functioning normally in normally structured

organizations. We present a field study of the en route mid-air collision between a commercial carrier

and an executive jet, in the clear afternoon Amazon sky in which 154 people lost their lives, that illus-

trates one response to this challenge. Our focus was on how and why the several safety barriers of a well

structured air traffic system melted down enabling the occurrence of this tragedy, without any cata-

strophic component failure, and in a situation where everything was functioning normally. We identify

strong consistencies and feedbacks regarding factors of system day-to-day functioning that made

monitoring and awareness difficult, and the cognitive strategies that operators have developed to deal

with overall system behavior. These findings emphasize the active problem-solving behavior needed in

air traffic control work, and highlight how the day-to-day functioning of the system can jeopardize such

behavior. An immediate consequence is that safety managers and engineers should review their tradi-

tional safety approach and accident models based on equipment failure probability, linear combinations

of failures, rules and procedures, and human errors, to deal with complex patterns of coincidence

possibilities, unexpected links, resonance among system functions and activities, and system cognition.

.if there is no seed, if the bramble of cause, agency, and

procedure does not issue from a fault nucleus, but is rather

unstably perched between scales, between human and non-

human, and between protocol and judgment, then the world is

a more disordered and dangerous place

Galison (2000), p. 32

1. Introduction

Mid-air collisions of en route aircraft are extremely rare events. A

review of air traffic management (ATM) related accidents world-

wide, from 1980 to 2001, (Van Es, 2003) showed that ATM-related

accidents account for 8% of all accidents (the ATM-related accident

rate is 0.44 per million flights). This review also showed that most

the fatalities are caused by mid-air collisions (63%), and the major

causal factors (classified according to the ICAO taxonomy – Flight

Crew, Air Traffic Controller (ATC), Environmental, and Aircraft

System) that contributed to the mid-air collisions were: 1) ATC –

Failure to provide separation – air, and 2) Flight Crew – Lack of

positional awareness – in air.

In this paper, we use a systemic framework to analyze the

functioning of the ATM cognitive system during the mid-air

collision between flight GLO1907 (a commercial aircraft Boeing

737-800) and flight N600XL (an EMBRAER E-145 Legacy jet) to

understand how and why this tragedy happened. This ATM-related

accident occurred at 16:56 Brazilian time on September 29, 2006, in

the clear afternoon Amazon sky. Our aim is to understand how

a mid-air collision can still happen, despite the various defense

layers that exist in the ATM system to prevent just such an event.

Based on our findings we develop some insights about the cognitive

functioning of the Brazilian Air Traffic Controllers and its safety

implications to the ATM system operation.

Accidents and incidents by themselves cannot be considered

absolute and direct indicators of the safety of any system (Woods

and Cook, 2006). However, the analysis of the dynamic interplay of

loosely and tightly coupled subsystems during the emergence of

incidents and accidents can reveal patterns of behavior in the

* Corresponding author. Comissa˜o Nacional de Energia Nuclear, Instituto de

Engenharia Nuclear, Cidade Univerisitária, Ilha do Funda˜o, CEP 21945-970 Rio de

Janeiro, RJ, Brazil. Tel.: þ55 21 21733835.

E-mail address: [email protected] (P.V. Rodrigues de Carvalho).

Contents lists available at ScienceDirect

Applied Ergonomics

journal homepage: www.elsevier.com/locate/apergo

doi:10.1016/j.apergo.2008.11.013

Applied Ergonomics 40 (2009) 325–340

functioning of the whole system that may indicate a drift to unsafe

states (Snook, 2000). The basic safety goal of the ATM system

during en route commercial flights is to avoid mid-air collisions.

Therefore, an analysis of the system operation during a mid-air

collision can provide insights about system weaknesses and safety.

1.1. A systemic framework for accident analysis

Modern organizations are complex sociotechnical systems

comprised of many nested levels: government, regulators,

company, management, staff, and activities/work/processes/tech-

nical systems. According to Rasmussen and Svedung (2000), safety

can be viewed as a control problem involving all these levels and

must be managed by a control structure embedded in an adaptive

sociotechnical system. From this perspective, accidents are emer-

gent properties of complex systems that are more prone to occur

when the control systems (safety barriers included) do not

adequately handle the day-to-day system failures/disturbances in

a broad sense (external disturbances, component failures, human

failures, or dysfunctional interactions among system components),

throughout the system’s life cycle (Hollnagel, 2004). The outcome

of a controlled system – the result of reasonably foreseen input

changes – is directly influenced by the system’s control mecha-

nisms in place. Hazardous situations occur when flaws in the

control mechanisms (technical, human, organizational) enable the

emergence of unexpected outcomes that generate negative

consequences. Accidents in safety-critical systems, like ATM, with

many layers of control (defense-in-depth concept) can happen only

when there are simultaneous failures in various control mecha-

nisms in different system layers (Hollnagel, 2006).

ATM systems are composed of many nested layers resulting in

complex interactions. Interactions occur between human operators

(controllers and pilots), between human operators and procedures

(flight plans, rules to define the controlled air space, the air space

sectors that must be handled by some specific controller team,

general safety rules for the control of traffic, and so forth), and

between operators and hardware/software technical systems

(radar systems, computer processing of radar and flight data,

aircraft navigation systems, traffic alert and collision avoidance

system – TCAS, communication systems between controllers and

pilots, flight progress strips).

Brooker (2006) simplified the ATM system description into

three structural system layers acting as the system controls: Plan-

ning (pre-operational), Operation (the flight in progress), and Alert

(the ground and air protection enabled by conflict alert systems, on

which the controller/pilot will act). Humans in the several ATM

system layers participate in control of the system, acting to operate

the system in a safe manner. Failure of system control occurs when

the mechanisms used to keep system stability fail and make the

situation worse against reasonably foreseen threats. The funda-

mental issue here is how to identify reasonably foreseen threats in

dynamic real-life situations. To do so, we must understand how

people address the overall constraints of the control system during

their daily work. The most important question regarding human

control performance in safety-critical systems is to understand how

and why normal work done by normal people enables the emer-

gence of accidents (Dekker, 2006).

2. Method

The research methodology to investigate the functioning and

safety of the ATM system based on the analysis of a single case

study – the GLO1907/N600XL collision – can be justified by Yin’s

(1994) rationale. According to Yin case studies can be used when

how and why questions are being posed, and when the focus is on

a contemporary phenomenon within some real-life context.

Understanding HOW two airplanes collided in the clear afternoon

Amazon sky satisfies Yin’s HOW criterion. The concurrence of

organizational and cognitive factors that enable the emergence of

this tragedy – directly related to the ATM system’s safety – satisfies

Yin’s WHY criterion.

Catastrophic accidents in the domain of ultra-safe systems –

such as commercial fixed wing scheduled flight, with risk lower

than 10À6 – provide a unique opportunity to study the safety of

complex systems. This condition also justifies the use of a single

case study according to Yin’s rationale: an extreme and unique case

or a revelatory one (Yin, 1994). The mid-air collision satisfies these

two criteria. It is unique and extreme in the sense that mid-air

collisions are the least frequent ATM-related accidents, and it is

revelatory due to the generation of a considerable amount of data

that become available to the public and researchers through

secondary sources. The availability of these data is especially

important in the case of the Brazilian ATM system as it is operated

under military administration and the data about its functioning

(e.g. danger reports, near misses) are not usually available to the

public and social scientists.

In our research method, we search for the mid-air collision

antecedents traced through the concurrence of performances of the

several actors (pilots and controllers) and their interaction with the

contextual conditions of the several ATM subsystems. Our aim is to

understand how and why this accident happened based on the rich

data set that, because the occurrence of this tragedy is now available

to the public. Data and evidences, antecedents and consequences

from this mid-air collision come from a wide range of publicly

available sources. These sources include official government docu-

ments, congressional hearings, including controllers’, pilots’, and air

traffic management authorities’ testimonies, video tapes, audio

tapes of many media centers, press releases, newspaper clippings,

flight plans, regulations, maps, directives and so forth.

3. The air traffic management system – ATM

To understand the control functions of the ATM system, we use

the systems layers concepts as defined by Brooker (2006). The ATM

system layers are formed by human, technological (hardware and

software), and organizational components. Some of them, impor-

tant to avoid mid-air collisions, are briefly described:

– Controllers and pilots, sharp-end operators at the bottom layer

of the system;

– Prescribed safety rules for the control of traffic, including the

minimum separation to be permitted between aircraft, flight

plans;

– Communications equipment between controllers and pilots

(special radio communications frequencies);

– Airways to structure aircraft traffic in the controlled air space

and provide references for traffic separation;

– Air space sectors to allow the division of air traffic control

among different controller teams;

– Many other software rules to discipline where and how the

different types of aircraft must fly;

– Flight progress strips based on the flight plan data used by

controllers to quickly recall the order (in time) and the details

of the flights they have to handle; recommendations regarding

the maximum number of flights that can be managed by the

controller;

– Radar systems:

B Primary Surveillance Radar (PSR), that works by passively

bouncing a radio signal off the skin of the aircraft and whose

advantage is that it operates totally independently of the

P.V. Rodrigues de Carvalho et al. / Applied Ergonomics 40 (2009) 325–340

326

target aircraft – that is, no action from the aircraft is

required for it to provide a radar return – but that does not

positively identify the aircraft, generates imprecise altitude

information, and has a range limited by distance, altitude,

terrain and rain or snow;

B Secondary Surveillance Radar (SSR) that overcomes these

limitations but depends on a transponder in the aircraft to

respond to interrogations from the ground station to make

the plane more visible and to report the aircraft’s altitude.

– Computer processing complementing the information coming

from the radar and flight data;

– High quality aircraft navigation systems using Inertial Naviga-

tion Systems through to satellite-based aids such GPS;

– Short Term Conflict Alert (STCA) and Separation Monitoring

Function (SMF) that are the computer processing systems for

analyzing the radar tracks to predict if aircraft might come into

proximity soon and, if they might, warn the controller by

flashing a message on his radar screen;

– Traffic Alert and Collision Avoidance System (TCAS), the on

board collision avoidance systems based on detection of other

aircraft in the vicinity through their SSR transponders. These

inform the pilot of nearby traffic – TA (Traffic Advisory) – and

aircraft coming into conflict – RA (Resolution Advisory). RAs

inform the pilot to climb or descend as appropriate to take the

flight out of risk.

In an ATM control system functioning as described above, the

safety control barriers to avoid a mid-air collision can be summa-

rized as:

– Controlled air space with straight route, with two traffic lanes,

– Opposite traffic flows along each lane,

– Distance between the two lanes of 1000 ft (vertical separation),

– Well defined flight plans received before the flight,

– Traffic flow per lane lower than 4 aircraft/hour (longitudinal

separation),

– The two aircraft are equipped with Traffic Alert and Collision

Avoidance System (TCAS),

– The two aircraft are under surveillance of ground controllers,

with radar tracking and radio communication.

In a system with this entire set of control safety barriers, how

could an accident like this ever happen? How a could a sophisti-

cated ATM system with several safety barriers, many coordinating

mechanisms, surveillance

and

communication

equipment

providing redundant layers of cross-checking possibilities allow

this to happen? There was no emergency situation, no weather

problems in the clear afternoon Amazon sky, and no sudden

equipment failure that can be considered the cause of this tragedy.

3.1. The configuration of the Brazilian ATM system

Because the research approach attaches great significance to the

work environment as the root of variation in decision-making and

cognitive behavior, we present a brief description of the Brazilian

ATM system using the means-end hierarchy (Rasmussen et al.,

1994). In particular, we will use the Rasmussen and Svedung (2000)

framework for risk management to look at management and

organization structures. Fig. 1 presents the generic actor map for

the Brazilian ATM system. This diagram provides a view of the

whole system, including many levels ranging from governmental

structures at the top, down to the local environment of sharp-end

operators (controllers and pilots), the ultimate level related to the

collision. The lower level represents the individual operators that

are interacting with the process being controlled. The third level

describes the company managers responsible for the companies’

policy and strategies, and for the supervision of the operators’

activities. The second level describes activities of regulators and

associations responsible for monitoring the activities of the

companies in the aviation sector. The first level details activities of

the government and juridical aspects related to the same sector.

The representation of all these levels is necessary because they all

interact with each other, mutually directing and influencing each

level behavior, to control the system and provide adaptation to

environmental changes. To understand the events at any particular

level, it is therefore important to understand what has gone on at

all levels in the system. As pointed out by Rasmussen and Svedung

(2000), any sociotechnical system is subject to severe environ-

mental pressure in a dynamic society. The society pressure first

appears at the higher levels in the definition of legislation, regu-

lations, budget, and so forth, going down to the companies’ policies

and strategies, reaching the sharp-end operators’ behaviors and

actions. Adequate control strategies at all levels enable the system

to operate at low risk, in which a proper co-ordination and deci-

sion-making at all levels can be achieved. These observations are

particularly important considering the rapid growth of commercial

fixed wing flights in Brazil, which is increasing the demands on the

entire Brazilian air traffic system.

The regulation of Brazilian air traffic system complies with the

international ICAO legislation. The Brazilian constitution is

the source for the development of specific regulations governing

the functioning of the Brazilian Air Space Control System (SISCEAB),

which is also regulated by the Department of Air space Control

(DECEA), responsible for the integrated air defense and air traffic

control system. The SISCEAB encompasses all of the system’s

operational functions: communication, air traffic control, air

defense, aeronautic meteorology, cartography, aeronautic infor-

mation, search and rescue, and accident investigation.

Brazilian authorities decided to have only one ATM system, the

Integrated Air Defense and Air Traffic Control System (SISDACTA).

The SISDACTA is responsible for the co-ordination and joint opera-

tion of the air defense and air traffic control activities. The SISDACTA

acts on the entire Brazilian air space and in the international regions

under Brazilian responsibility, according to ICAO agreements. The

total area covered corresponds to 22 million square kilometers

(8 511 965 Km2 above Brazilian land). The SISDACTA comprises:

1) Tower Control Centers (TWRs) – control air traffic up to 5 km

from the airports;

2) Approach Control Centers (APPs) – control air traffic between 5

and 74 km from the airports;

3) Area Control Centers (ACCs) – known as CINDACTAs (acronym

for Integrated Air Defense and Air Traffic Control Centers)

control air traffic in the airways.

For radar surveillance and air traffic control purposes, Brazil has

been divided into 4 big regions. All radar data from each region are

processed by an area control center (ACC) or CINDACTA. Each one of

the four CINDACTAs has radar control of its region and is respon-

sible for the co-ordination of the regional air traffic. Due to its

centralized localization, CINDACTA I (Brasilia ACC), which operates

from Brasilia and was the first center installed, is responsible for

controlling most of the air traffic in Brazil. CINDACTA II operates in

the south region, CINDACTA III covers the northeast air space, and

CINDACTA IV (Amazon ACC) the north region, comprising the

Amazon forest. The CINDACTAs control traffic of en route aircraft,

when the airplane is above 19.500 feet. During the approach to

airports, air traffic is controlled by the Approach Control Centers

(APPs), and the final descent is controlled by the airport’s Tower

Control Center (TWRs).

P.V. Rodrigues de Carvalho et al. / Applied Ergonomics 40 (2009) 325–340

327

In each CINDACTA, there are two air traffic control systems in

two different control rooms:

– Military Operations Centers (COPM) that handle flight control

of military aircraft that are in military operation, operated by

military controllers, under military rules.

– Area Control Centers (ACCs), responsible for the air traffic

control of aircraft (civilian and military) flying under the

general aviation circulation rules, operated by civilian and

military controllers, under civilian rules.

Military controllers operate both centers. The integration of air

space and air defense control in Brazil – an option that is not used in

most countries – enables the use of the same resources for

communication, detection, surveillance, control and early warning

for air traffic control and for air space defense purposes.

4. The facts – what happened?

The collision was a very brief event. About 1 hour elapsed

from the moment when flight N600XL, the Embraer E-145 Legacy

jet, entered the air space controlled by the Brasilia ACC (CIN-

DACTA I), until the collision with flight GLO1907, the Boeing 737-

800, in the surveillance intersection zone between the Amazon

and Brasilia control centers. Fig. 2 shows the collision path. Flight

N600XL, even with some damage, was able to land at a military

base airport.

Fig. 3 shows a time-line with the main events before and after

the collision. Flight N600XL, an Embraer Legacy executive jet, took

off from Sa˜o Jose dos Campos airport (in Sa˜o Paulo state) at 14:30

(Brasilia time) to Eduardo Gomes airport in Manaus (in Amazonas

state) with a crew of two (pilot and co-pilot) and 4 passengers.

Flight N600XL’s plan stipulated two level changes (see Fig. 3).

However, the flight level stipulated for the first leg (until Brasilia) of

the flight, 370 (or 37 000 ft), was reached at 15:33 and was main-

tained up to the moment of the collision.

Flight GLO1907, the Boeing 737-800, took off from Eduardo

Gomes airport in Manaus to Brasilia International Airport at 15:35.

At 15:58, it reached the 370 flight level in the UZ6 airway (a dual

lane airway with 1000 ft of vertical separation between lanes), and

maintained this level, as stipulated by its flight plan, up to the

collision moment.

The last successful bilateral contact between the N600XL and

the Brasilia ACC happened at 15:51. At 15:55, the N600XL flew over

the Brasılia VOR vertical line, and entered the UZ6 airway (the same

as flight 1907, but in the opposite direction), without requesting or

receiving any instruction from the Brasilia traffic control center and

keeping the 370 flight level. At 16:02, the Brasilia ACC lost the

secondary surveillance radar (SSR) information about the N600XL,

which presents accurate altitude information to the traffic

controller. At 16:30, there was a 2 min loss of primary radar contact

with the N600XL, which transmits the aircraft’s geographic posi-

tion to the controller. No contact was attempted between 15:51 and

16:26 by either the N600XL or the Brasilia traffic control center.

From 16:26 to 16:53the Brasilia ACC made seven unsuccessful call

attempts. At 16:38, the Brasilia center lost definitively the primary

radar contact with the N600XL (it should have been transferred to

the Amazon control center).

The N600XL, at 16:48, began a series of 12 call attempt to the

Brasilia ACC. At 16:53:39, the N600XL was able to hear the last

(unilateral) call by the Brasilia center, instructing the N600XL to call

the Amazon ACC, but the crew was not able to copy the frequencies

provided. At 16:53:57, the N600XL radioed the Brasilia center

requesting the repetition the decimals of the first frequency,

because it had not been able to copy these values. The Brasilia

center did not receive this message. After that, the N600XL made

seven more unsuccessful call attempts to the Brasilia center from

16:54 to 16:57.

National

Congress

Min. of Defense

Air Force Command

Min. of

Planing

Min. of

Finance

Min. of

Labor

Air Space Control

Dept. - DECEA

Area Control Centers (ACCs)

–CINDACTA I, II III, IV

Civil Aviation National

Agency - ANAC

Aeronautic Infrastructure,

Airports Administration -

INFRAERO

Control System of Brazilian

Air Space - SISCEAB

International Civil Aviation

Organization – ICAO

Air Defense and Traffic Control

System – SISDACTA

Civil Controllers

Workers Association

TWRs Civil

Controllers

1. Government,

Legislation &

Budgeting

3. Companies

2. Associations

4. Operators

2. Regulatory

Bodies

CINDACTA Controllers

Workers Association

Tower Control

Centers (TWRs)

Approximation

Control Centers (APPs)

APPs Civil

Controllers

ACCs Civilian and Military

Controllers

Military Operations Control

Centers (COPM) –

CINDACTA I, II III, IV

COPMs Military

Controllers

Fig. 1. Generic actor map of Brazilian ATM system.

P.V. Rodrigues de Carvalho et al. / Applied Ergonomics 40 (2009) 325–340

328

The mid-air collision occurred when both aircraft were in the

UZ6 airway, flying in opposite directions, in the same lane – FL370

or 37000 ft – at 16:56:54. With the collision, flight 1907 became

uncontrollable, immediately going into a dive until it crashed into

the ground, causing the death of all passengers and crew members

(154 people), while flight N600XL was still able to fly and suc-

ceeded in making an emergency landing at the Brigadeiro Veloso

military air base.

5. The analysis – how and why it happened

The commander of the Department of Air space Control

(DECEA), responding to a senator’s question in the senate public

hearing after the accident said: ‘‘I am as puzzled as you Sir. A thing

like this is impossible to happen.’’

5.1. Preliminary investigation questions

The preliminary report elaborated by CENIPA (Ferreira, 2006)

indicated the following important things that did not happen in this

accident

There was no loss of radar surveillance between the Amazon

ACC (CINDACTA IV) and flight 1907, until its transference to the

Brasilia ACC;

There is no evidence in the communication records of any

N600XL request to the air traffic control centers to change its

flight level, after having reached the 370 flight level.

There is no registered evidence regarding any instruction for

the N600XL to change its flight level coming from air traffic

control, after the last successful bilateral contact (15:51)

between this aircraft and Brasilia center.

There is no registered evidence of any traffic alert alarm or

instruction for evasive action to the respective crews to avoid

collision in the TCAS systems, existing in both aircraft.

There is no registered evidence of any manifestation in either

crew related to any possible visual perception of the

approaching aircraft.

There is no attempt for action or evasive maneuver, according

to the data existing in flight recorders.

Looking through the list it seems that the entire system

(including

man-pilots and

controllers –

technology

and

TERES

NABOL

UZ6

MANAUS

BRASÍLIA

Surveillance

intersection zone

between Amazon

and Brasilia control

centers

Legacy

Boeing

Fig. 2. The mid-air collision occurred approximately 20 Km northwest from Nabol, flight level 370 (37 000 ft), geographic coordinates 10 440 S/053 310 W, at 16:56:54 Brazilian

time. Both aircraft were flying in the UZ6 airway in opposite directions at the same altitude when the left wing of the Legacy, flight N600XL to Manaus, collided with left wing of the

Boeing 737, flight GLO1907 to Brasilia. (source Ferreira, 2006).

N600XL

1907

NABOL

TERES

BRASÍLIA

1555

SÃO JOSÉ

1451

Requested N600XL levels

MANAUS

1535

position &

time

Flight level

1533

360

370

380

1551

Last bilateral

contact

370

1657

Lost SSR

information

1602

From 1626 until collision many contact attempts

UZ6 airway

Lost of primary

radar contact

1638

1654

Unilateral contact:

change freq.

Fig. 3. Time-line with the main events before and after the collision.

P.V. Rodrigues de Carvalho et al. / Applied Ergonomics 40 (2009) 325–340

329

organization) was not aware that two aircraft were flying in the

same lane and in opposite directions.

5.2. Some official explanations

Charles Perrow pointed out that conventional explanations for

accidents are ‘‘operator error, faulty design or equipment, lack of

attention to safety features, lack of operating experience, inadequately

trained personnel, failure to use the most advanced technology, and

systems that are too big, under financed, or poorly run’’ (Perrow, 1984,

pp 63). The conclusions from the Senate Public Hearing report

confirm Perrow’s view and leans toward faulting the operators:

‘‘(.) it is possible to learn that several factors contributed to the

accident: possible technical failures, pilot failures and air traffic

controller failures. However, analyzing the event, I conclude that the

human factor is the main cause. Eliminating the human errors from

the causal chain, the accident would never have happened (.)’’

(Senado Federal, 2007, pp 61).

We want to go beyond these obvious explanations to consider

the complexity of the events, understanding the details of each

situation (how and why things happened). Our aim is to uncover

the underlying cognitive and organizational dynamics that enabled

the emergence of the tragedy, using the rich set of data that was

made available by the accident investigations as a window to grasp

a more fundamental understanding about the ATC system’s normal

functioning. To do so, in the following sections, we will discuss

HOW and WHY the safety barriers against mid-air collisions

described in Section 4 eroded enough to allow the emergence of

this accident.

5.3. The controlled air space

The controlled air space – the first safety barrier – is an abstract

construction, which aims to create ‘‘airways’’ in the space by

prescribing routes, altitudes, and directions to be followed by air

traffic. These airways are represented on aeronautical navigation

charts and should be followed by pilots and controllers. The flight

plan is the artifact that enables pilots and controllers to virtually

construct a flight, allocate a portion of the controlled air space to it,

and then discipline the flights and air traffic control.

In this accident, the flight levels prescribed in flight N600XL’s

flight plan were not followed. How could this happen? We will use

the investigation findings and human decision-making theories to

explain how normal pilots’ and controllers’ cognitive behaviors lead

to this unwanted system outcome.

5.3.1. Pilots’ behavior

Fig. 3 includes a representation of the prescribed altitudes of

flight N600XL’s approved flight plan. Starting in Sa˜o José dos

Campos, it passed through Poços de Caldas, in the UW2 airway at

flight level 370 (37000 ft) until Brasilia, where it would drop to

flight level 360 (36 000 ft) and enter the UZ6 airway. The flight plan

called for another altitude change at the Teres (virtual) notification

point, after which the aircraft would continue in the UZ6 airway,

but at FL380 (38 000 ft). The UZ6 is a dual lane airway with 1000 ft

vertical separation distances, in which the odd flight levels (370,

390, 410) are used for north-south navigation (Manaus to Brasılia),

and the even flight levels (360, 380, 420) are used for south-north

navigation (Brasılia to Manaus). According to the CPI final report

(Câmara dos Deputados, 2007), the submitted flight plan was

approved without modification by the Brasilia ACC.

Flight N600XL’s pilots had never flown in Brazil before

September 29, when they came to Sa˜o Paulo to fly the brand new

Embraer Legacy aircraft just acquired by American Excelaire. The

flight plan they were using was both prepared and submitted by

Embraer to the air traffic control center for approval. This flight plan

preparation procedure (a normal way to prepare flight plans), did not

require the pilots to look at Brazilian airways on the local aero-

nautical charts to configure their flight. As a consequence, some of

the details of the plan, and in particular, the situation regarding the

UZ6 airway, may not have come to the pilots’ attention.

The dialog in Table 1 shows the communications between flight

N600XL’s pilot and the TWR controller in Sa˜o Jose (SP) just before

departure.

The dialog above seems to be a normal departure communica-

tion between a tower controller and a pilot. In fact, we note that,

according to the basic verbal protocol rules, there are communi-

cation feedbacks and redundancies when flight N600XL’s pilot did

repeat the authorizations received. However, when the air traffic

controller did not communicate the complete flight plan (level

changes at Brasilia to 360 and at Teres to 380), (. ATC clearance to

Eduardo Gomes, flight level three seven zero .), the pilot did not

challenge the ATC’s clearance communication asking for the

clearance limits - until where he would fly at level 370 – implying

that he would fly at FL370 all the way to Eduardo Gomes airport, in

Manaus (against the flight plan information).

Table 1

Dialog between TWR controller and Legacy N600XL pilots – dialog in English.

Time

Operator

Communications

14:26:40 Legacy

Pilot

Sa˜o José ground november six zero zero x-ray lima.

14:26:47 TWR

controller

November six zero zero x-ray lima go ahead.

14:26:51 Legacy

pilot

Yes sir (.) start engines.

14:26:59 TWR

controller

Er, did you request, er, about weather?

14:27:02 Legacy

pilot

Yes sir, weather and runway.

14:27:05 TWR

controller

Roger. Er, Sa˜o José operating under visual conditions, ceiling

five thousand feet, visibility one zero kilometers, runway in

use one five, wind two two zero degrees, eight knots, quiu

eneiti one zero one nine, temperature two zero, time check

two five.

14:27:37 Legacy

pilot

Thank you.

14:31:46 Legacy

pilot

Ground, november six zero zero x-ray lima like to have push

back for taxi.

14:32:02 Legacy

pilot

Ground, november six zero zero lima, x-ray lima, like to give

ready, clear to push for taxi.

14:32:10 TWR

controller

Ah, november six zero zero x-ray lima, er, clear to start up,

temperature two zero. Er, are you ready to taxi?

14:32:24 Legacy

pilot

Yes sir, we’ll be in turn right now (.) to the taxi back.

14:32:31 TWR

controller

Er, report ready for taxi.

14:32:34 Legacy

pilot

Report ready to taxi, six hundred x-ray lima.

14:40:31 Legacy

pilot

Sa˜o José ground, november six zero zero x-ray lima ready to

taxi.

14:40:38 TWR

controller

Er, roger. Er, maintain position, november six zero zero x-ray

lima.

14:40:44 Legacy

pilot

November six zero zero x-ray lima maintaining position.

14:41:50 TWR

controller

Are you ready to copy the clearance?

14:41:53 Legacy

Ah, affirmative, yes.

14:41:57 TWR

controller

November six zero zero x-ray lima, ATC clearance to Eduardo

Gomes, flight level three seven zero, direct Poços de Caldas,

squawk transponder code four five seven four. After take-off

perform OREN departure.

14:42:26 Legacy

Pilot

Okay sir, I get the runway one five to so. ah SBEG, flight level

three seven zero, I didn’t get the first fix, I get squawk four

five seven four, OREN departure.

Source: CPI final report (Câmara dos Deputados, 2007).

P.V. Rodrigues de Carvalho et al. / Applied Ergonomics 40 (2009) 325–340

330

From this dialog, we conclude that the N600XL pilots had two

conflicting sets of information at the moment of departure: 1) the

flight plan with many level changes, and 2) the ATC’s communi-

cation clearance that mentioned only FL370. Based on the con-

flicting information (inputs) they had, why did the pilots not

evaluate and compare the inputs and query the controller?

Traditional research in decision-making has developed norma-

tive models for human decisions that involve: first, generate a range

of options, then generate a set of criteria for evaluating these

options, assign weights for the evaluation criteria, rate each option

on each evaluation criterion, perform calculations, and finally,

compare the options determining the best choice (Doherty, 1993). If

people during their normal work made decisions according to this

model, we could imagine that the pilots’ actual behavior was

completely unusual or abnormal (and probably very unlikely to

happen again with other pilots), because their decision process did

not agree with any of the normative steps described.

However, situated or naturalistic based human decision-making

models, identifying deviations from the norms, e.g. Prospect Theory

(Tversky and Kahneman, 1974) suggest that decision-makers

generally apply a wide range of heuristics, even when these result

in sub-optimal performance. Heuristic-based theories have been

superseded by descriptive models emphasizing the phenomena

themselves, without reference to abstract norms, such as Ras-

mussen’s model of Cognitive Control (Rasmussen, 1983) and Klein’s

Recognition-Primed Decision-Making - RPD model (Klein, 1993)

and more recently the efficiency-thoroughness trade-off, the ETTO

principle (Hollnagel, 2004). In such models, rather than making

a concurrent evaluation of the relative advantages and disadvan-

tages of several courses of action (the normative approach), the

decision-makers in actual situations select a course of action, which

is generated through heuristics and recognition. A situation similar

to a previous experience, a familiar situation, is evaluated for its

adequacy in the particular set of circumstances of the present

situation. There are many empirical findings that even in safety-

critical systems, for instance, nuclear systems (Carvalho, 2005;

Carvalho et al., 2005; Carvalho et al., 2006), experienced operators

use pattern recognition and simple heuristics to make decisions

during their daily work in operating the system.

Flight N600XL’s pilots’ behavior – not querying the ATC

controller, not searching for more information – indicates that they

decided based on the recognition that the clearance they received

from ATC is a familiar situation of changing a flight plan by ATC

authorities. Together with their non-familiarity with Brazilian air

space, the pilots did not have any doubt about the new flight plan

they got after the ATC clearance communication. The pilots

confirmed that they had no doubts in an interview for the Brazilian

newspaper Folha de Sa˜o Paulo on Feb. 19, 2007. The pilot said, ‘‘It is

common for there to be differences, it happens all the time. You have

to fly according to the authorization. The actual flight plan is the

clearance that you receive from the control center.’’, and the co-pilot,

‘‘As he said, it happens all the time, we have a flight plan to fly at one

altitude and we are authorized to fly at another one. Let me say that

this happens 99% of the time. The flight plan is just a proposal.’’

This behavior can also be explained according to the belief-bias

effect that occurs in reasoning when people make judgments based

on prior beliefs and general knowledge, rather than on the rules of

logic and the information available (Evans, 2004; Quinn and Mar-

kovits, 1998). In general, people are likely to make inadequate

choices when the logic of a reasoning problem (conflicting infor-

mation about the flight plan) is not supported by their background

knowledge (flight plan changes happen all the time) (Holyoak and

Simon, 1999).

Then, an unwanted system outcome – an aircraft flying at

a wrong level in a dual lane airway – was made possible by normal

behaviors of the pilots. Normal in Perrow’s sense, not desired or

expected, but a perfectly possible outcome of the system.

5.3.2. Air traffic controller behavior

From other side, the air traffic controller gave a flight authori-

zation where only the level of the first leg (FL370) was communi-

cated in a route that included two other level changes. The ICA

100-12 publication (DECEA, 2006) regulates the air traffic services

in Brazil. Chapter 8, Area Control Services, defines the rules to be

applied for ATC services. According to these rules, the submitted

flight plan can be different from the actual plan, and the controller

must indicate the various levels of the route, or the limit for the

route authorization he gave. In the ICA 100-12 there are the

following definitions:

Flight plan – specific Information, related to a planned flight or

part of a flight of an aircraft, supplied to the air traffic services.

Submitted flight plan – flight plan such as it is submitted by the

pilot, or his representative, to the air traffic services.

Current flight plan – actual flight plan, including the modifi-

cations (if they were necessary) made by air traffic services.

Based on theses rules and controller behavior the Congressional

Hearing Report concludes ‘‘(.) a message with partial authorization

for the flight of an aircraft is a procedure without any normative

support’’ (Câmara dos Deputados, 2007, p. 58).

The procedure used for flight plan authorization has many steps.

First, the plan is submitted in the Air Information Service Room,

located in the departure airport. In this room, a Sergeant specialized

in aeronautic information (not a flight controller) receives and

checks the submitted plan. Next, the plan is presented to another

Sergeant, specialized in communications, who inputs the flight

plan data into the computerized system and sends these data to the

regional ACC, where a flight controller in the Flight Plan Room

checks the proposed route comparing it to the other flight plans in

the region. If it is OK, he/she confirms the insertion of the flight plan

data in the system and sends the ‘‘Traffic Authorization or Clearance

Delivery’’ by an electronic message to the departure airport. Finally,

the TWR controller at the departure airport, responsible for the

‘‘traffic authorization’’, using a private telephone line (called ‘‘hot

line’’), calls the ACC controller to confirm the flight plan informa-

tion for the clearance delivery. Having received the ACC’s confir-

mation, the TWR controller radios the ‘‘Authorized Flight Plan’’ to

the flight’s pilot.

The last internal step of this procedure, the final communication

between flight controllers (Sa˜o Jose TWR controller with the Bra-

silia ACC) to confirm flight N600XL’s information is transcribed in

Table 2.

In this dialog, which happened about 10 min before the take-off

clearance communication dialog between the TWR controller and

the pilot, presented in Table 1, the controllers’ verbalizations refer

only to the level 370. In both dialogs, there are no explicit verbal-

izations regarding the complete N600XL flight plan. In all conver-

sations involving pilots, the TWR controller in Sa˜o Jose, and the ACC

controller in Brasilia, the level changes in N600XL’s flight plan were

not verbalized. Therefore, from this dialog, and the dialog between

TWR controller and the pilot, the controllers did not follow the

DECEA prescriptions.

The easiest way to address this situation is consider that we

have a human error. Doing so, the problem can be confined to those

specific controllers that behave in a completely different way than

the other controllers working in the system.

However, from a systemic point of view, this can also be viewed

as a normal behavior. On long routes, with many level changes, the

ATC controller may assume that pilots are aware of the need for

P.V. Rodrigues de Carvalho et al. / Applied Ergonomics 40 (2009) 325–340

331

level changes during the flight. They also may think that there will

be other communication opportunities later on, when the aircraft

reaches the clearance limits (in this flight the first one was over

Brasilia), at which time the pilots will receive the information

regarding the other legs of the plan.

Both behaviors – pilots’ and controllers’ – can be explained by

the by the efficiency-thoroughness trade-off, the ETTO principle

(Hollnagel, 2004). Pilots and controllers use common and simple

heuristics such as ‘‘someone one will communicate this later’’, ‘‘there

is no need to pay attention to that now’’, ‘‘flight plans can always be

changed’’ that characterize the ETTO principle. Initially conceived to

explain coping strategies to reduce the cognitive task demands (e.g.

time pressure, information overload etc.), the ETTO principle is

currently viewed as a typical strategy to cope with complexity in

a long-term perspective (Hollnagel and Woods, 2005). Using ETTO

heuristics it is possible to reduce cognitive effort and keep spare

capacity for emergency situations, making a trade-off before it is

objectively required by the current situation. Thus, the choice of

a coping strategy not only represents a short term or temporary

adjustment but may equally well indicate a more permanent way to

do things in the system functioning. The risks inherent in these

strategies use are obvious, as can be seen from their part in this

accident explanation.

We argue that the controlled air space as a cognitive system

(a system that involves people, technology and organization) may be

a weaker safety barrier than we usually expect, enabling unwanted

system outcomes that may result in system accidents, depending on

how the system is functioning daily. Due to the limitations inherent in

analyzing only one case, we are not able do know how frequently the

ETTO based strategies are actually being used in the entire Brazilian

ATC system. However, if they are frequent we may have a serious

safety problem, since the first barrier against mid-air collisions may

be not working properly, characterizing a sociotechnical drift-

to-failure situation (Snook, 2000; Rasmussen and Svedung, 2000). In

this particular case, pilots and air traffic controllers, all acting nor-

mally (albeit in this case inadequately in hindsight), interacted with

each other in a way that to all appearances – in foresight – was

normal, but allowed a mid-air collision to occur.

5.4. The TCAS functioning

Another barrier used to avoid mid-air collisions is the Traffic

Alert and Collision Avoidance System (TCAS). Both aircraft involved

in this accident were equipped with TCAS equipment. According to

Brazilian flight regulations, before entering air space with reduced

vertical separation minimum (RVSM space, where the vertical

separation distance is 1000 ft.), the pilot must check (besides other

equipment) that the transponder is normally working in mode C or

S. In Mode C, the transponder informs its code and the aircraft’s

altitude with good accuracy. In Mode S, in addition to the Mode C

information, the transponder sends other flight parameters such as

speed, direction etc. The TCAS requires the transponder function to

operate, and goes into standby mode (effectively off) whenever the

transponder is not enabled.

One of the most puzzling notes of the accident preliminary

investigation report is that ‘‘There was no attempt for action or

evasive maneuver, according to the data existing in flight recorders’’

(Ferreira, 2006), indicating that TCAS did not give the TA (Traffic

Advisory) or RA (Resolution Advisory) alarms to the pilots.

According to the time-line presented in Fig. 3, Brasilia ACC failed to

receive any transponder replies from flight N600XL for approxi-

mately the last 50 min of the flight before the collision.

Further investigations indicated that the transponder and TCAS

of flight GLO1907 was working properly during the accident, and

the transponder of flight N600XL was not functioning (it was in the

OFF mode) at the moment of the collision. Evidence that flight

N600XL’s transponder was in the OFF mode came from many

sources:

– The lack of N600XL transponder contact with the Brasilia ACC;

– The lack of N600XL transponder contact with the Amazon ACC;

– The dialog between N600XL pilots registered in the CVR

(Cockpit Voice Recorder), just after the collision.

This dialog is presented in Table 3 below.

Clearly, the Transponder/TCAS system of the N600XL aircraft

failed. However, even after extensive tests, teardowns and simu-

lations in the aircraft manufacturer and in the transponder/TCAS

manufacturer, the reason why the transponder was set in the

STAND BY mode (turned off) remains ‘‘unexplained’’ to this day.

Three main possibilities were investigated: 1) hardware/technical

failure, 2) pilots deliberately turned off the transponder, and 3)

pilots accidentally turned it off with an unintentional slip. About

the hardware/technical failure, all post-accident information made

public up to this moment – the investigation has not finished yet –

indicates that the critical transponder components were opera-

tional. The second possibility, a professional crew willingly

switching off such an important piece of equipment in the RVSM

space would have been an act of basic procedure violation (Reason,

1997). This behavior simply could not be admitted by any profes-

sional crew and has no support in the flight data collected (Câmara

dos Deputados, 2007). The last possibility, pilots accidentally

turning off the TCAS with an unintentional slip, is also not sup-

ported by the investigation findings. The only known way to put the

transponder STAND BY mode is to press the button on the Radio

Management Unit (RMU) control screen twice, within less than

20 s, as shown in Fig. 4, which could not be attributed to a slip.

In his testimony to the Senate Congressional Hearing, the official

responsible for the Brazilian aeronautic accident investigation said,

‘‘In accordance with the description documents and its certifications,

the transponder and TCAS systems did not present design or integra-

tion errors. They functioned as they had to function. (.)We now focus

our investigation on the operational factor, or either, in the relation of

the operation of. of the human being with that system’’.

In another part of this testimony, he added some new infor-

mation related to the ‘‘operational factor’’: ‘‘The transponder stopped

functioning. We did all the tests to try to exclude the possibility of

a technical failure in the transponder. We did not find technical

Table 2

Dialog between TWR and ACC controllers – Dialog in Portuguese, translated to

English.

Time

Operator

Communications

14:33:33

Brasilia ACC

Controller

Talk Sa˜o Jose

14:33:35

Sa˜o Jose TWR

controller

Hi Brasilia. The November six zero zero x-ray lima to

Eduardo Gomes Sa˜o Jose Eduardo Gomes .

requesting level three seven zero.