Incident: Asiana Flight 214: Auto-Throttle Software Failure Leads to Crash

Published Date: 2014-03-31

Postmortem Analysis
Timeline
1. The software failure incident involving the Asiana flight into San Francisco happened in July of the year before the article's publication, which the article refers to as "July last year" [25292].
2. The article was published on 2014-03-31.
3. Estimating the timeline:
   - The incident happened in July of the previous year.
   - The article's publication date is 2014-03-31.
   - Therefore, the incident occurred in July 2013.
System
1. Auto-throttle system on the Boeing 777 aircraft used by Asiana Airlines [25292]
Responsible Organization
1. Asiana Airlines - Asiana faulted its crew for failing to notice that the airplane was flying too slowly, but also blamed bad software design and inconsistencies in the aircraft's automation logic [25292].
2. Boeing - Boeing focused on the crew's failure to maintain proper airspeed, whereas Asiana's filing aimed to have the plane's design characteristics listed among the contributing factors [25292].
Impacted Organization
1. Asiana Airlines [25292]
Software Causes
1. Bad software design led to the unexpected disabling of airspeed protection without adequate warning to the flight crew [25292].
2. The system meant to warn the crew of low airspeed did not sound soon enough, a software-related issue [25292].
3. The auto-throttle went into sleep mode because of a quirk in the tightly linked autopilot and auto-throttle systems, which was a software-related issue [25292].
Non-software Causes
1. The crew's failure to maintain proper airspeed [25292]
2. Excessive pilot workload during the final approach [25292]
3. The crew not being trained on a characteristic of the Boeing 777 [25292]
4. Errors by the crew in maintaining a stabilized approach [25292]
Impacts
1. The software failure incident in the Asiana flight into San Francisco led to three fatalities and scores of injuries [25292].
2. The incident spread debris over a few hundred feet of the runway [25292].
3. The software failure resulted in the unexpected disabling of airspeed protection without adequate warning to the flight crew, contributing to the crash [25292].
4. The crew believed the auto-throttle system was manipulating the engines to maintain a safe airspeed, but it had gone into sleep mode, so that belief was unfounded [25292].
5. The incident highlighted inconsistencies in the aircraft's automation logic, which led to excessive pilot workload during the final approach [25292].
Preventions
1. Improved training for pilots on the characteristics and potential pitfalls of the auto-throttle system, such as the "flitch trap," could have prevented the software failure incident [25292].
2. Better communication and dissemination of information about system quirks and potential failures between aircraft manufacturers, regulatory bodies such as the Federal Aviation Administration (FAA), and airlines could have helped prevent the incident [25292].
3. More robust warning systems and alerts within the aircraft's automation logic, giving the flight crew timely and adequate notification of critical conditions such as low airspeed, could have mitigated the incident [25292].
Fixes
1. Improved training for pilots on the characteristics of the auto-throttle system, specifically the "flitch trap" issue, so that they are aware of potential pitfalls during landing approaches [25292].
2. Revision of the auto-throttle system design so that it does not go into sleep mode unexpectedly, which disables airspeed protection without adequate warning to the flight crew [25292].
3. Enhanced warning systems or alerts that notify the flight crew promptly of low airspeed conditions, giving them more time to react and take corrective action [25292].
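As an added illustration of the failure mode behind the software causes and fixes above (constructed for this page, not Boeing's, Asiana's or the article's own logic): a simplified Python model of an auto-throttle that drops into sleep mode after a manual throttle input, with a baseline low-airspeed warning that fires only near stall placed beside a hardened variant whose airspeed monitor is independent of the auto-throttle mode, warns against the selected target speed earlier, and re-engages the auto-throttle. All speeds, thresholds and timings are assumed values chosen to make the two outcomes visible.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Approach:
    """Constructed state for one landing approach (knots, seconds)."""
    airspeed: float = 137.0      # assumed selected approach speed
    target: float = 137.0
    stall: float = 103.0         # assumed speed at which the model stalls
    at_asleep: bool = False      # auto-throttle in its sleep/hold mode
    warned_at: Optional[int] = None
    events: list = field(default_factory=list)

def late_warning(ap: Approach) -> bool:
    """Baseline: the alert fires only a few knots above stall."""
    return ap.airspeed <= ap.stall + 3

def independent_monitor(ap: Approach) -> bool:
    """Hardened: compare against the selected target speed, independently
    of whatever mode the auto-throttle happens to be in."""
    return ap.airspeed <= ap.target - 10

def fly(manual_move_at: int, seconds: int,
        monitor: Callable[[Approach], bool], wake_on_warning: bool) -> dict:
    """Simulate the approach one second at a time and return what happened."""
    ap = Approach()
    min_speed = ap.airspeed
    for t in range(seconds):
        if t == manual_move_at and not ap.at_asleep:
            ap.at_asleep = True      # the quirk: manual throttle input puts AT to sleep
            ap.events.append((t, "auto-throttle asleep, airspeed protection off"))
        if ap.at_asleep:
            ap.airspeed -= 1.5       # idle thrust on approach, speed decays silently
        else:
            ap.airspeed += min(2.0, ap.target - ap.airspeed)  # AT holds target
        min_speed = min(min_speed, ap.airspeed)
        if ap.warned_at is None and monitor(ap):
            ap.warned_at = t
            ap.events.append((t, "low airspeed warning"))
            if wake_on_warning:      # hardened design re-engages the auto-throttle
                ap.at_asleep = False
                ap.events.append((t, "auto-throttle re-engaged"))
        if ap.airspeed <= ap.stall:
            ap.events.append((t, "stall"))
            return {"warned_at": ap.warned_at, "min_speed": min_speed,
                    "stalled": True, "events": ap.events}
    return {"warned_at": ap.warned_at, "min_speed": min_speed,
            "stalled": False, "events": ap.events}
```

With the assumed numbers, `fly(5, 60, late_warning, False)` warns two seconds before the modelled stall, while `fly(5, 60, independent_monitor, True)` warns 14 seconds earlier and recovers the target speed.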
References
1. Asiana Airlines - The airline itself provided information about the software failure incident in a filing with the National Transportation Safety Board [25292].
2. National Transportation Safety Board (NTSB) - The NTSB is the entity that received the filing from Asiana Airlines and is investigating the incident [25292].
3. Thomas Haueter - The former director of the office of aviation safety at the NTSB, now a consultant to the airline, provided insights into the software failure incident [25292].
4. Asiana Pilots Union - The pilots union of Asiana Airlines submitted information about the incident to the safety board [25292].
5. Federal Aviation Administration (FAA) - The FAA raised concerns about the auto-throttle system on Boeing planes, including the 777, and had interactions with Boeing about this issue [25292].

Software Taxonomy of Faults

Category Option Rationale
Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident related to the Asiana flight crash into San Francisco highlighted issues with the design of the Boeing 777's automation logic. Asiana faulted its crew for failing to notice that the airplane was flying too slowly, but also blamed "inconsistencies in the aircraft's automation logic" which led to the unexpected disabling of airspeed protection without adequate warning to the flight crew [25292].
(b) The article mentions that in 2010, when another Boeing plane with a similar auto-throttle, the 787, was being certified by the Federal Aviation Administration (F.A.A.), concerns were raised about the way the throttles went into sleep mode. Boeing declined to make a change and agreed with the F.A.A. to put a warning into the pilot manuals. After the Asiana crash, test pilots from the F.A.A. and the airline had severe difficulties flying the approach that air traffic controllers had given the Asiana flight, indicating potential issues with the software or design that could affect multiple organizations [25292].
Category: Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The software failure incident in the Asiana flight crash into San Francisco was attributed to design issues in the aircraft's automation logic. Asiana faulted the crew for failing to notice that the airplane was flying too slowly, but also blamed "inconsistencies in the aircraft's automation logic" which led to the unexpected disabling of airspeed protection without adequate warning to the flight crew [25292].
(b) The software failure incident can also be linked to operational factors. The crew believed that the auto-throttle system would manipulate the engines to maintain the plane's airspeed, but due to a quirk in the autopilot and auto-throttle systems, the auto-throttle went into sleep mode. This operational misunderstanding, combined with the crew's manual adjustments to the throttles, contributed to the failure during the landing approach [25292].
Category: Boundary (Internal/External)
Option: within_system
Rationale:
(a) within_system: The software failure incident in the Asiana flight crash into San Francisco was primarily attributed to issues within the system. Asiana faulted its crew for failing to notice that the airplane was flying too slowly, but also blamed "inconsistencies in the aircraft's automation logic" which led to the unexpected disabling of airspeed protection without adequate warning to the flight crew [25292]. The auto-throttle system, a part of the aircraft's automation logic, went into sleep mode due to a quirk in the autopilot and auto-throttle systems, contributing to the failure [25292]. The crew's lack of training on certain characteristics of the 777, such as the "flitch trap," also played a role in the software-related failure incident [25292].
Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident in the Asiana flight crash into San Francisco was attributed to non-human actions. Asiana faulted its crew for failing to notice that the airplane was flying too slowly, but also blamed "inconsistencies in the aircraft's automation logic" and bad software design that led to the unexpected disabling of airspeed protection without adequate warning to the flight crew [25292].
(b) Human actions were also identified as contributing factors in the software failure incident. The crew believed that the auto-throttle system would manipulate the engines to maintain the plane's airspeed, but due to a quirk in the autopilot and auto-throttle systems, and because the crew manually adjusted the throttles at one point, the auto-throttle went into sleep mode. Additionally, the pilots were not trained on certain characteristics of the Boeing 777, including the "flitch trap" issue, which was a setup for the unwary [25292].
Category: Dimension (Hardware/Software)
Option: hardware, software
Rationale:
(a) The hardware aspect of the software failure incident can be seen where the article mentions that bad software design led to the unexpected disabling of airspeed protection without adequate warning to the flight crew, and that the system meant to warn the crew of low airspeed did not sound soon enough [25292]. This indicates a failure originating in the software design that affected the hardware of the aircraft.
(b) The software aspect is evident where the article discusses the quirk in two tightly linked systems, the autopilot and the auto-throttle, which led to the auto-throttle going into sleep mode after a manual adjustment by the crew. This software-related issue caused a critical failure in the system, contributing to the crash [25292].
Category: Objective (Malicious/Non-malicious)
Option: non-malicious
Rationale:
(a) The software failure incident related to the Asiana flight crash into San Francisco was non-malicious. The incident was attributed to bad software design that led to the unexpected disabling of airspeed protection without adequate warning to the flight crew. Asiana faulted its crew for failing to notice that the airplane was flying far too slowly to stay in the air, and also blamed inconsistencies in the aircraft's automation logic. The crew believed that an auto-throttle would manipulate the engines to keep the plane's airspeed in the safe landing range, but due to a quirk in the autopilot and auto-throttle systems, the auto-throttle had gone into sleep mode, leading to the crash [25292].
Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions, accidental_decisions
Rationale:
(a) The software failure incident related to the Asiana flight into San Francisco was primarily due to poor decisions. Asiana faulted its crew for failing to notice that the airplane was flying too slowly, but also blamed "inconsistencies in the aircraft's automation logic" which led to the unexpected disabling of airspeed protection without adequate warning to the flight crew [25292]. Additionally, the crew believed that the auto-throttle system would manipulate the engines to maintain the plane's airspeed, but due to a quirk in the autopilot and auto-throttle systems, the auto-throttle went into sleep mode, leaving the crew with no protection against aerodynamic stall. This characteristic was known as the "flitch trap" and the crew had not been adequately trained on this aspect of the 777 aircraft [25292].
Category: Capability (Incompetence/Accidental)
Option: development_incompetence
Rationale:
(a) The software failure incident related to development incompetence is evident in the Asiana flight crash into San Francisco. Asiana faulted its crew for failing to notice that the airplane was flying too slowly, but also blamed "inconsistencies in the aircraft's automation logic" which led to the unexpected disabling of airspeed protection without adequate warning to the flight crew [25292].
(b) The software failure incident related to accidental factors is seen in the quirk in the autopilot and auto-throttle systems on the Boeing 777, which led to the auto-throttle going into sleep mode after a manual adjustment by the crew. This characteristic, known as the "flitch trap," was not adequately communicated to the pilots, leading to a situation where there was no protection against aerodynamic stall [25292].
Category: Duration
Option: temporary
Rationale:
The software failure incident related to the Asiana flight crash into San Francisco was temporary. It arose from contributing factors specific to the circumstances of that approach, such as bad software design that led to the unexpected disabling of airspeed protection without adequate warning to the flight crew once the crew had manually adjusted the throttles [25292]. The crew's misunderstanding of the auto-throttle system and the quirk in the autopilot and auto-throttle systems also contributed to this temporary failure.
Category: Behaviour
Option: crash, omission, timing, value, other
Rationale:
(a) The software failure incident in the Asiana flight crash into San Francisco was related to a crash. The incident involved the unexpected disabling of airspeed protection without adequate warning to the flight crew, leading to the crash [25292].
(b) The software failure incident also involved an omission. The system failed to provide a timely warning to the crew of low airspeed, which contributed to the crash [25292].
(c) The timing of the software failure incident was also a factor. The system did not sound the warning of low airspeed soon enough, impairing the crew's ability to react in time [25292].
(d) The software failure incident was related to a value failure. The system's design flaw led to the disabling of airspeed protection, causing the system to perform its intended function incorrectly [25292].
(e) The software failure incident did not exhibit byzantine behavior as described in the articles.
(f) The other behavior exhibited by the software failure incident concerned the system's interaction with other systems. The incident involved a quirk in the interaction between the autopilot and the auto-throttle systems, leading to the auto-throttle going into sleep mode, which the crew did not anticipate [25292].

IoT System Layer

Layer Option Rationale
Layer: Perception
Option: sensor, processing_unit, embedded_software
Rationale:
(a) sensor: The article mentions that bad software design led to the unexpected disabling of airspeed protection without adequate warning to the flight crew, which the analysis reads as a sensor-related issue [25292].
(b) actuator: The article does not specifically mention any issues related to actuators.
(c) processing_unit: The article discusses how a quirk in two tightly linked systems, the autopilot and the auto-throttle, led to the auto-throttle going into sleep mode, which could be related to a processing unit error [25292].
(d) network_communication: The article does not provide any information indicating a network communication error.
(e) embedded_software: The article highlights that the auto-throttle went into sleep mode because of a quirk in the autopilot and auto-throttle systems, and that the crew was not trained on this characteristic, which points to a potential embedded software error [25292].
Layer: Communication
Option: unknown
Rationale:
The software failure incident discussed in the article does not directly relate to a failure at the communication layer of the cyber-physical system. Instead, the incident primarily involves issues with the automation logic of the aircraft's software, particularly airspeed protection and auto-throttle functionality, which impaired the flight crew's ability to maintain proper airspeed during the landing approach. The failure concerned the design and functionality of the software systems within the aircraft rather than the communication layer of the cyber-physical system [25292].
Layer: Application
Option: FALSE
Rationale:
The software failure incident related to the Asiana flight crash in San Francisco was not specifically related to the application layer of the cyber-physical system. The failure was attributed to bad software design that led to the unexpected disabling of airspeed protection without adequate warning to the flight crew, inconsistencies in the aircraft's automation logic, and issues with the auto-throttle system's interaction with the autopilot system [25292]. These issues concerned the design and interaction of the aircraft's systems rather than the bugs, operating system errors, unhandled exceptions, or incorrect usage typically associated with the application layer of a cyber-physical system.

Other Details

Category Option Rationale
Category: Consequence
Option: death, harm
Rationale:
(a) death: The software failure incident related to the Asiana flight into San Francisco resulted in three people losing their lives, with scores injured [25292].
Category: Domain
Option: transportation
Rationale:
(a) The failed system in the incident belonged to the transportation industry. The software failure incident occurred in the context of the Asiana Airlines flight crash into San Francisco, which raised design issues and highlighted problems with the aircraft's automation logic [25292].

Sources
