Incident: Communication Error Leads to Incorrect Passenger Seating Configuration on Aircraft

Published Date: 2020-10-09

Postmortem Analysis
Timeline
1. The software failure incident happened on 16 January [106473].

System
1. Communication system between the Operational Control Centre (OCC) in Budapest and the Operational Handling Department (OHD) and Passenger Services Department (PSD) at Luton [106473]
2. Software responsible for updating the passenger seating plan according to the aircraft change [106473]

Responsible Organization
1. Operational Control Centre (OCC) in Budapest, Hungary [106473]
2. Operational Handling Department (OHD) at Luton [106473]
3. Passenger Services Department (PSD) at Luton [106473]

Impacted Organization
1. Passengers at the front of the plane [106473]

Software Causes
1. The software cause of the failure incident was a communication error that led to the automated message about the aircraft change not being received due to a "technical issue" [106473].

Non-software Causes
1. Communication error leading to the failure to pass on an email about the aircraft change [106473]
2. Technical issue causing the automated message about the aircraft change not to be received [106473]
3. Failure to inform the Passenger Services Department (PSD) about the aircraft change, resulting in passengers being seated in the old configuration [106473]

Impacts
1. The software failure incident led to a communication error where too many passengers were seated at the front of the plane, causing take-off issues for the pilot [106473].
2. The incorrect passenger seating plan due to the software failure resulted in the aircraft not responding to the pilot's normal take-off commands, requiring extra thrust for a safe departure [106473].
3. The incident highlighted the importance of improving the flow of information between operational departments when there is a change of aircraft type to reduce the risk of similar events occurring in the future [106473].

Preventions
1. Proper communication protocols and procedures between the Operational Control Centre (OCC), Operational Handling Department (OHD), and Passenger Services Department (PSD) could have prevented the software failure incident. Ensuring that messages about aircraft changes are effectively received and acted upon is crucial to avoid discrepancies in passenger seating configurations [106473].
2. Implementation of automated alerts or notifications within the relevant software systems could have helped in promptly informing all relevant departments about any changes in aircraft type. This would have ensured that necessary adjustments, such as updating passenger seating plans, are made in a timely manner to prevent operational issues during take-off [106473].

Fixes
1. Implement a robust communication system to ensure that important messages, such as aircraft changes, are effectively relayed between departments and personnel [106473].
2. Enhance the software used for managing passenger seating plans to automatically update configurations when there is a change in aircraft type to prevent discrepancies [106473].

References
1. Operational Control Centre (OCC) in Budapest, Hungary
2. Operational Handling Department (OHD)
3. Passenger Services Department (PSD) at Luton
4. Air Accident Investigations Branch (AAIB) [106473]

Software Taxonomy of Faults

Category | Option | Rationale
Recurring | one_organization | (a) The software failure incident related to the passenger seating plan not being adjusted to the bigger aircraft due to a communication error causing take-off issues happened at one_organization. The incident led to the aircraft not responding to the pilot's normal take-off commands, requiring extra thrust for a safe departure. An internal investigation was carried out, and the operator took action to improve information flow between operational departments to reduce the risk of a similar event occurring again within the same organization [106473]. (b) The articles do not mention any similar incident happening at other organizations or with their products and services.
Phase (Design/Operation) | design, operation | (a) The software failure incident in the article can be attributed to the design phase. The incident occurred because of a communication error where an email about the change in aircraft type was not passed on, leading to the passenger seating plan not being adjusted to the bigger craft. This design flaw in the communication process between the Operational Control Centre (OCC) and the Operational Handling Department (OHD) resulted in the incorrect passenger distribution, causing take-off issues for the pilot [106473]. (b) The software failure incident can also be linked to the operation phase. The article mentions that the details were altered in the relevant software, but the Passenger Services Department (PSD) was not informed about the change in aircraft type. This lack of communication and operational oversight led to the passengers still being seated in the old configuration, contributing to the take-off issue experienced by the pilot during the flight [106473].
Boundary (Internal/External) | within_system | (a) The software failure incident in the article is primarily within_system. The failure occurred due to a communication error within the Operational Control Centre (OCC) in Budapest, Hungary, which resulted in the automated message about the aircraft change not being received by the Operational Handling Department (OHD) and Passenger Services Department (PSD) at Luton Airport. This internal communication breakdown led to the passenger seating plan not being adjusted in the software, causing the imbalance in passenger distribution on the aircraft [106473].
Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident in this case was primarily due to non-human actions. The failure occurred because of a communication error where an email about the change in aircraft from an A320 to an A321 was not passed on, leading to the passenger seating plan not being adjusted to the bigger craft. This non-human error resulted in too many passengers being seated at the front of the plane, causing take-off issues for the pilot [106473]. (b) Human actions also played a role in this software failure incident. The Operational Control Centre (OCC) in Budapest sent an automated message about the aircraft change to the Operational Handling Department (OHD) and Passenger Services Department (PSD) at Luton. However, due to a "technical issue," this message was not received. Additionally, the Passenger Services Department (PSD) was not informed about the change in aircraft type, leading to the passengers being seated in the old configuration. Improved communication and information flow between operational departments could have mitigated this human error [106473].
Dimension (Hardware/Software) | software | (a) The software failure incident in the article was not directly related to hardware issues. The incident was primarily caused by a communication error where an email about the change in aircraft type was not passed on due to a technical issue, leading to the passenger seating plan not being adjusted accordingly [106473]. (b) The software failure incident was primarily caused by a communication error in the software system, where the automated message about the change in aircraft type was not received due to a technical issue. This led to the passenger seating plan not being updated in the software, resulting in too many passengers being seated at the front of the plane, causing take-off issues for the pilot [106473].
Objective (Malicious/Non-malicious) | non-malicious | (a) The software failure incident in this case was non-malicious. The failure occurred due to a communication error where an email about the change in aircraft type was not passed on, leading to the passenger seating plan not being adjusted to the bigger craft. This resulted in too many passengers being seated at the front of the plane, causing take-off issues for the pilot [106473].
Intent (Poor/Accidental Decisions) | poor_decisions | (a) The intent of the software failure incident was poor_decisions. The failure occurred due to a communication error where an email about the change in aircraft type was not passed on, leading to the passenger seating plan not being adjusted to the bigger craft. This resulted in too many passengers being seated at the front of the plane, causing take-off issues for the pilot [106473].
Capability (Incompetence/Accidental) | accidental | (a) The software failure incident in the article was not directly attributed to development incompetence. The issue stemmed from a communication error and a technical issue that led to the passenger seating plan not being adjusted to the bigger aircraft, causing take-off issues [106473]. (b) The software failure incident in the article was more aligned with an accidental failure. The failure was a result of a communication error, where an email about the aircraft change was not passed on, and a technical issue that prevented the message from being received. These accidental factors led to the software not updating the passenger seating plan, causing the pilot to face take-off issues due to the incorrect distribution of passengers [106473].
Duration | temporary | The software failure incident in the reported article appears to be temporary. The incident was caused by a communication error where an email about the change in aircraft type was not passed on due to a technical issue, leading to the passenger seating plan not being adjusted in the software. This specific circumstance of the technical issue contributed to the temporary failure, as once the issue was noticed, corrective actions were taken to adjust the details in the relevant software and inform the Passenger Services Department (PSD) to prevent a similar event from occurring in the future [106473].
Behaviour | omission, other | (a) crash: The software failure incident in the article did not involve a crash where the system lost state and did not perform any of its intended functions. The incident was related to a communication error that led to incorrect passenger distribution on the aircraft, causing take-off issues for the pilot [106473]. (b) omission: The software failure incident can be categorized under omission, as the system omitted to perform its intended functions at an instance. Specifically, the email about the change in aircraft from A320 to A321 was not passed on, leading to the passenger seating plan not being adjusted accordingly [106473]. (c) timing: The incident did not involve a timing failure where the system performed its intended functions too late or too early. The issue was more related to the incorrect passenger distribution due to the omission of updating the seating plan for the larger aircraft [106473]. (d) value: The software failure incident did not result from the system performing its intended functions incorrectly. Instead, the issue stemmed from the incorrect passenger distribution caused by the lack of updating the seating plan for the changed aircraft type [106473]. (e) byzantine: The incident did not exhibit byzantine behavior where the system behaved erroneously with inconsistent responses and interactions. The failure was more straightforward, involving a communication error and lack of information flow between operational departments [106473]. (f) other: The software failure incident can be categorized as an omission combined with a communication breakdown between departments, leading to incorrect passenger distribution on the aircraft. The incident highlights the importance of effective communication and coordination in ensuring operational safety [106473].

IoT System Layer

Layer | Option | Rationale
Perception | None | None
Communication | None | None
Application | None | None

Other Details

Category | Option | Rationale
Consequence | delay | (a) death: People lost their lives due to the software failure (b) harm: People were physically harmed due to the software failure (c) basic: People's access to food or shelter was impacted because of the software failure (d) property: People's material goods, money, or data was impacted due to the software failure (e) delay: People had to postpone an activity due to the software failure (f) non-human: Non-human entities were impacted due to the software failure (g) no_consequence: There were no real observed consequences of the software failure (h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur (i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? The consequence of the software failure incident in this case was a delay. The software failure led to a communication error that resulted in too many passengers being seated at the front of the plane, causing take-off issues for the pilot. This delay in the take-off process was the main consequence of the software failure incident [106473].
Domain | transportation | (a) The failed system in this incident was related to the transportation industry. The software failure incident occurred in the context of an Airbus A320 being replaced with an A321 for a flight from London Luton Airport to Prague, resulting in a communication error that led to incorrect passenger seating arrangements due to the software not being updated accordingly [106473].
