this presentation - Cognitive Engineering Center
advertisement
Testing the Effects of Violating Component Axioms in Validation of Complex Aircraft Systems Aparna Kansal November 26, 2014 Committee Members Dr. Amy Pritchett (Chair) Dr. Brian German Curt Hanson This work is sponsored by NASA Curt Hanson, Technical Monitor Study of Aircraft Accidents Rudder USAir Flight 427 , Boeing 737-300 (September 8,Airlines 1994) DescentReversal below Visual Glidepath and Impact with Seawall Asiana Erroneous Airspeed Data Crash into Atlantic Ocean Air France Flight 447, Airbus Flight 214,(June Boeing 777-200ER (July 6, 2013) A330-203 1, 2009) Integration of Components of a Pilot sets pedal/yaw autoflight Ram Pressure Input Rudder Complex System Violation of Axiomatic Conditions Pilot disablesAirspeed autopilot, Indicated Hydraulic Power commands idle thrust fromUnit ADIRU Control Input rod Design Assumption/Axiom: Design Assumption/Axiom: •Design ServoAssumption/Axiom: valve cannot jam/only • jam Pilots know effects of setting temporarily • any Redundancy in pressure flight modes probes and ADIRU ensures • Rudder application in • opposite Pilots areairspeed aware of aircraft reliable data from direction will cause state to react appropriately ADIRU to move towards rudder neutral position modes for landing from Pitot Tubes damper input Pilot commands IAS for Relayed toValve Pilotsslide and Servo autothrottle Autoflight Systems movement PilotRudder attempts goMaintain Commanded Panel around Values movement Aparna Kansal | MS Thesis Defense Emergence of Unexpected Unfavorable Weather Autothrottle on HOLD Behavior Wake Turbulence Conditions mode at idle power Sudden yaw damper IAS command not Pitot tubes blocked input rod movement effective Erroneous Aircraft Airspeed slows Servo valve slides jam data from ADIRU excessively, unstable Pilots up to LeftAircraft rudderpitch movement too low to maintain airspeed, stall with right recover, hitsinput sea wall 2 Complex Systems and Emergence Common Goal Emergence of Adverse Behavior Integration of Complex Systems Aparna Kansal | MS Thesis Defense 3 Axiomatic Conditions Underlying assumptions of a component defined during its development. Conditions required for the functioning of a component. “Logical operations on the internal states and external conditions of a of a complex system that identifythe whether the component component If these conditions areaircraft violated or not applied, component cannot is its intended functions as expected.” perform guaranteed its functiontoasperform intended. Violation of axiomatic conditions of a component may lead to the emergence of adverse behavior in the system, even if all components perform their functions as intended. Aparna Kansal | MS Thesis Defense 4 Validation and Verification Safety Assessment Process Guidelines & Methods (ARP 4761) Intended Aircraft Function Safety Assessment of Aircraft in Commercial Service (DO-178C/ ED-12C) Functional Hazard Assessment Identify, classify failure Function, System conditions and their effects Failure & Design Safety Information based on functions Information Functional Aircraft & System Validation methodsSystem can beOperation streamlined by directing testing around the Development Processes Assign safety objectives (ARP 4754/ ED-79) construct of axioms, i.e., FTA, FMEA, CCA to identify safety • Assumptions and design considerations, and concerns • Guidelines System-level interactions due to the violation of these axioms for Integrated Modular Avionics (DO-297/ ED-124) Electronic Hardware Development LifeCycle (DO-254/ ED-80) Hardware-in-the-loop simulations Software Development LifeCycle (DO-178C/ ED-12C) Development Phase Human-in-the-loop studies In-Service/Operational Phase Guidelines and Recommended Practices Aparna Kansal | MS Thesis Defense 5 Objectives • Defining a method to capture and describe the axiomatic set of conditions of the components within a distributed aircraft system • Establishing a simulation framework for validation that can: • incorporate models of component functions, interactions between components and dynamic model of the aircraft • monitor the key axioms of the components • Demonstrating the ability to examine the system-wide implications of: • violating axiomatic conditions of the components of the integrated system in the aircraft model • actions seeking to repair any adverse conditions, if detected Aparna Kansal | MS Thesis Defense 6 Approach Identify Axiomatic Set of Conditions Identifying axiomatic set of conditions of a component requires: Parameters Example Inputs and Outputs Component Operational Parameters Operational Parameter Limits External Design Considerations Ram Pressure Input from Pitot Tube Indicated Airspeed Maximum Operating IAS Severity of Icing Conditions Rudder Control Input, Rudder Movement Output Yaw Angle Maximum Yaw Angle Wake Turbulence Aparna Kansal | MS Thesis Defense 8 Establish Simulation Framework Simulation-based model to identify emergent behavior arising due to interactions between aircraft components in an integrated system, through the violation of their key axiomatic conditions System Components Simulation Framework Elements Aircraft Fault Aparna Kansal | MS Thesis Defense • Component functions • Axiomatic set of Conditions • Communication Channels • Aircraft dynamics • Aircraft state variables • Violate axiom • Introduce disturbance 9 Identify Fault Detection and Recovery Functions Definitions: Fault: A condition in which a component is unable to perform its function as intended. Fault Detection: Recognizing that a fault has occurred. Fault Management: Managing the fault after it is detected by notifying the relevant components about its occurrence, which in turn would apply necessary corrective actions to recover the aircraft state. SIMULATION FAULT! Complex System Axiomatic Condition Component 1 Component 2 FAULT REPAIRED Aircraft Model Aircraft State Fault Management Aparna Kansal | MS Thesis Defense 10 Case Studies Faults due to violation of component axioms may be observed when: • A component is placed outside of its allowable environmental condition and it does not respond properly for that condition, • All components act as desired, but the system as a whole fails in a given condition, or • One of the components fails to perform its intended function. Case Study 1: Elevator Reversal A component is placed outside of its allowable environmental condition and does not respond properly for that condition 12 Elevator Control Reversal: Background Adaptive Control system requires that the sign of the relationship between target state and control input is always known A control reversal occurs when the sign becomes opposite of what the adaptive control system knows Elevator Reversal Pitch up Aparna Kansal | MS Thesis Defense Elevator Down 13 Elevator Control Reversal: Simulation Configuration Components Adaptive Control Axiomatic Condition: Input: • Direction of pitchinput Elevator control for givenbased • known Pitch direction elevator on input control input Output: • Pitch based on control input/Reverse if fault detected • Aircraft stability Aparna Kansal | MS Thesis Defense Fault Management Input: Axiomatic Condition: • Pitch Any fault control in input and behavior: outputtimely direction Output: recovery action • Compare actual and commanded values • Fault: Notify adaptive control to correct fault 14 Elevator Control Reversal: Scenario Initial State ( 6DOF model of a generic large transport aircraft) 500 10000 52 10000 Altitude (ft) Altitude(Knots) (ft) Airspeeds Elevator Angle (deg) Airspeeds (Knots) Elevator Angle (deg) Altitude: 10,000 feet Vertical Speed: 700 fpm Commanded Airspeed (Indicated): 230 knots TAS IAS 450 0 8000 0300 8000 TAS IAS 400 -5280 -2 6000 6000 350 -10260 4000 -4 4000 300 -15240 2000 2000 -6 250 -20 0220 0 -8 200 00 0 20 20 100 100 200 200 40 40 300 300 400 60 500 80 80 600 600 100800 700 100 800 700 120 120 900 900 600 700 900 Time (s) Time (s) Time(s) Adaptive Control: 44 4 x 10 x 10 10 Fault Introduced after 100 seconds: Elevator control direction reversed Theta (deg) Thrust, Elevator Angle, Pitch Angle set for descent Vertical Speed (fpm) Theta (deg) Vertical Speed Thrust (lbf)(fpm) Thrust (lbf) 0.5 50 070 8 6 -1 6 -200 05 0 -2 4 4 -400 -3 2 -50 3 -0.5 -600 -42 0 -100 -51-1 -800 000 Aparna Kansal | MS Thesis Defense 0 100 20 100 20 200 200 300 40 40 300 400 500 Time (s) 60 500 400 60 80 80 600 800 100 800 700 100 120 120 900 Time Time Time(s) (s) (s) 15 Elevator Control Reversal: Impact of Fault Recovery Comparison of aircraft behavior varying fault duration 4 5 10000 0 x 10 0 Altitude (ft) Vertical Theta (deg) ElevatorSpeed Angle (fpm) (deg) 9000 -0.5 -20 0 8000 -40 -1 7000 -60 -1.5 -80 -5 6000 -2 -100 500090 No Fault 1 Sec No Fault 2 Sec 15Sec Sec 210 Sec Sec 511 Sec Sec 10 Sec No Recovery 11 Sec No Recovery 95 100 10 -3 3000 -3.55 -15 2000 -40 1000 -5 -20 -4.5 0 90 -10 90 105 110 115 120 110 115 120 110 115 120 Time (s) -2.5 -10 4000 Thetadot (deg/s) Altitude needed time to recover after fault recovery was initiated Increase in descent rate with fault duration Elevator at maximum downward deflection for the fault duration Increasing downward pitch angle No Fault Fault No Sec 1 Sec Sec 2 Sec 5 Sec Sec 10 Sec Sec 10 11 Sec Sec 11 No Recovery Recovery No 95 100 105 Time (s) 95 100 105 Time (s) Aparna Kansal | MS Thesis Defense 16 Elevator Control Reversal: Result Requirement for fault management function: Recovery from fault depends on fault duration 4 10000 0 9000 -0.5 8000 -1 Vertical Speed (fpm) 6000 5000 4000 2000 1000 0 90 No Fault 1 Sec 2 Sec 5 Sec 10 Sec 11 Sec No Recovery 95 -1.5 -2 -2.5 -3 -3.5 -4 100 105 110 115 -4.5 90 120 No Fault 1 Sec 2 Sec 5 Sec 10 Sec 11 Sec No Recovery 95 100 105 110 115 120 110 115 120 110 115 120 Time (s) Time (s) 5 0 No Fault 1 Sec 2 Sec 5 Sec 10 Sec 11 Sec No Recovery -20 Theta (deg) 0 -40 -60 -80 -5 -100 90 No Fault 1 Sec 2 Sec 5 Sec 10 Sec 11 Sec No Recovery 95 100 105 Time (s) 10 -10 Thetadot (deg/s) Elevator Angle (deg) Altitude (ft) 7000 3000 x 10 -15 -20 90 95 100 105 110 115 120 5 0 -5 -10 90 Time (s) Aparna Kansal | MS Thesis Defense 95 100 105 Time (s) 17 Case Study 2: Erroneous Airspeed Data All components act as desired, but the system as a whole fails in a given condition 18 Erroneous Airspeed Data: Background Air Data Inertial Reference Unit (ADIRU) ADIRU Static Pressure, Ps Pitot Pressure, Pt Indicated Airspeed: 𝑉𝑖𝑛𝑑 = 2 (𝑃𝑡 − 𝑃𝑠 ) 𝜌0 𝑉𝑡𝑟𝑢𝑒 = 𝑉𝑖𝑛𝑑 Aparna Kansal | MS Thesis Defense 𝜌0 𝜌 19 Erroneous Airspeed Data: Simulation Configuration Components ADIRU Autopilot Autothrottle Fault Management Input: Axiomatic Condition: • Total Pressure: Redundant Pitotpitot tubes • Static Pressure: Eliminates any static pressure erroneous input ports Output: • Indicated Airspeed Input: • Selected Pitch Mode: V/S, FLCH • Commanded Value: VSpeed/Airspeed/ θ Output: • Pitch to maintain commanded value Input: • Indicated Airspeed: ADIRU • Thrust: Commanded Output: • Power to maintain airspeed: SPD Mode • Maintain commanded thrust: THR Mode Input: Axiomatic Condition: Aircraft • Any faultState: in altitude/airspeed behavior: timely • recovery Commanded Value action Output: • Compare actual and commanded values • Fault: disregard airspeed, command θ and thrust Aparna Kansal | MS Thesis Defense 20 Erroneous Airspeed Data: Scenario V/S Mode Descent V/S Mode Climb 4 10000 2 x 10 9000 1.8 8000 1.6 6000 Altitude (ft) Altitude (ft) 7000 5000 4000 1.4 1.2 3000 2000 1 1000 0 0 100 200 300 400 500 600 700 800 0.8 900 0 100 200 300 Time (s) 400 500 600 700 800 900 800 900 Time (s) FLCH Mode Descent FLCH Mode Climb 4 12000 3 10000 x 10 2.5 Altitude (ft) Altitude (ft) 8000 6000 2 1.5 4000 1 2000 0 0 100 200 300 400 500 600 700 Time (s) 0.5 0 100 200 300 400 500 600 700 Time (s) Aparna Kansal | MS Thesis Defense 21 Erroneous Airspeed Data: Impact of Fault V/S V/S Mode FLCH Descent: V/SDescent: Mode Fault Descent: Climb: introduced Fault Fault introduced introduced at 100 sec, atat at recovery 100 200 sec sec at 700 FLCH Mode Climb: Fault introduced 200 sec Mode Fault introduced at 100 sec, no recovery 250 sec 44 10 x 10 360 500 800 450 300 No NoFault Fault Fault Fault No Fault Fault No Fault Fault 1.6 8000 6000 2 5000 1.4 6000 1.5 4000 1.2 4000 No Fault Fault 2000 1 2000 1 0 0 0.8 0.5 0 0 100 100 50 200 200 100 300 500 500 300 600 300 200400 400 250 500 600350 150 500 700 700 400 800 800 800 450 No Fault No NoFault Fault Fault Fault Fault Fault 340 450 700 400 TAS TAS (Knots) TAS (Knots) (Knots) 1.8 10000 2.5 8000 Altitude (ft) Altitude (ft) Altitude (ft) Altitude (ft) Altitude (ft) 2 3 10000 10000 12000 10000 280 320 400 600 350 260 300 350 500 240 280 400 300 250 220 250 260 300 200 200 240 200 150 900 900 500 No Fault Fault 00 50 100 100 100 100 100 200 200 150300 400 250 500 500 300 600 600350 300 200 400 400 700 700 700 450 800 800 800 500 900 900 700 400 700 700 800 450 800 800 500 900 900 Time (s) Time (s) Time (s) Time Time (s) (s) 6.015 2.5 87 1000 1000 6 2 6.01 6 5 1.5 6.005 4 1 3 6 2 0.5 2 -2000 Thrust (lbf) 0 500 -400 -1000 -1000 0 -2000 -600 -2000 -500 -3000 -800 -1000 -3000 -4000 xx 10 10 Thrust (lbf) Thrust (lbf) Thrust (lbf) Thrust (lbf) Vertical Speed (fpm) (fpm) Vertical Speed (fpm) Vertical Speed Speed (fpm) Vertical (fpm) 4 55 4 2000 1000 1500 0 0 0 100 100 100 50 200 100 200 300 500 300 200400 500 300 600 300 400 250 500 500 600350 150 600 700 700 400 700 800 800 450 800 900 900 500 900 010 5.995 00 100 50 100 100 100 200 100 200 500 300 600 150300 600350 300 200 400 400 250 500 Time (s) Time (s) Time Time (s) Time (s) Time (s) THETA AutopilotMode: Mode:FLCH V/S Recovery: Autopilot -0.5 Commanded Airspeed: 230 knots Pitch:700 -1.5 deg Commanded V/S: fpm 300 Aparna Kansal | MS Thesis Defense Autothrottle Mode: THR SPD Commanded Thrust: 23000 lbf Commanded Airspeed: 300 Commanded Thrust: Maximum 230 Commanded Thrust: Idleknots 22 Erroneous Airspeed Data: Result Requirement for fault management: Recovery from fault depends on Parameter to consider for fault detection function Fault duration Flight path and initial aircraft state 4 No Fault Fault 2000 0 6000 V/S Descent 200 300 400 500 600 700 800 Altitude (ft) 500 0 200-500 300 400 500 600 700 800 900 Time (s) 0 100 200 300 400 0 500 600 700 800 0 -3000 3 0 Altitude (ft) 4000 0 0 0 50 100 150 200 250 300 350 400 450 100 2002000 300 1000 400 500 600 700 800 900 Time (s) 0 -1000 -2000 TAS wentafter below Recovery 150IAS sec -3000 -4000 700 800 900 V/S Climb 0 100 200 300 400 500 600 700 600 700 800 900 100 200 300 400 500 600 700 800 900 600 700 800 900 Time (s) 4 x 10 2 1.5 0.5 500 Time (s) Vertical Speed (fpm) FLCH Descent 600 1000No Fault Fault 500 0 1 2000 -600 500 Time (s) 1500 2.5 6000 400 Time (s) Vertical Speed (fpm) Altitude (ft) -400 300 2000 -2000 900 8000 200 4000 0 No Fault Fault 10000 100 6000 -1000 12000 -200 -800 8000 Time (s) 0 No Fault Fault 1.2 1000 Vertical Speed (fpm) Vertical Speed (fpm) 100 10000 1.4 0.8 900 1000 -1000 Vertical Speed (fpm) 100 1500 2000 0 0 1.6 1 Time (s) 4000 0 No Fault Fault 0 50 100 150 200 250 300 350 400 450 500 0 -500 100 200 300 400 500 Time (s) -1000 2000 Vertical Speed (fpm) Altitude (ft) 8000 6000 4000 No Fault Fault 1.8 Altitude (ft) Altitude (ft) 8000 10000 x 10 2 10000 0 100 200 300 400 1000 500 FLCH Climb 800 900 Time (s) 0 -1000 -2000 -3000 -4000 0 100 Time (s) Aparna Kansal | MS Thesis Defense Altitude started Recovery afterincreasing 600 sec 200 300 400 500 600 700 800 900 Time (s) 23 Case Study 3: Human-Automation Interface Failure One of the components fails to perform its intended function 24 Human-Automation Interface Failure: Background Autopilot V/S Mode: Commanded Vertical Speed FLCH Mode: Commanded Indicated Airspeed Autothrottle SPD Mode: Power to Maintain Commanded Indicated Airspeed THR Mode: Power to Maintain Commanded Thrust Mode Control Panel Aparna Kansal | MS Thesis Defense 25 Human-Automation Interface Failure: Simulation Configuration Components Pilot Input: Axiomatic Condition: • Aircraft Aware ofState outcomes Output: of selecting any • autoflight Enable/Disable modes Flight Modes • Continuously • Command Values in monitors aircraft MCP state to take timely action in case of abnormal aircraft behavior Autopilot Input: • Selected Pitch Mode • Commanded Values Output: • Pitch to maintain commanded value Aparna Kansal | MS Thesis Defense Autothrottle Input: • Commanded Indicated Airspeed • Commanded Thrust Output: • Power to maintain airspeed: SPD Mode • Maintain commanded thrust: THR Mode 26 Human-Automation Interface Failure: Scenario 4000 FLCH Mode (150 - 240 sec) Altitude: 2,000 feet Commanded Indicated Airspeed: 150 knots Mode Changed to Descend Faster, but Climb Initiated Autopilot Disabled (240 - 300 sec) Idle Thrust Commanded Pitch Angle: -3.0 degrees Flight Path Angle Altitude (ft) 2000 0 50 100 FPA 150 200 250 300 350 400 250 300 350 400 Time (s) 1000 500 0 -500 -1000 -1500 0 50 100 150 200 Time (s) 190 TAS IAS 180 170 160 150 140 Commanded FPA: -3.0 degrees Commanded Indicated Airspeed: 150 knots Fault: Autothrottle Remains in IDLE/HOLD THRUST, THETA AIRSPEED, VSPEED 1000 0 Vertical Speed (fpm) Altitude: 4,000 feet Vertical Speed: 1,000 fpm Commanded Indicated Airspeed: 160 knots FLCH 0 50 100 150 200 250 300 350 400 250 300 350 400 Time (s) 4 6 x 10 5 Thrust 3000 Airspeeds V/S Mode (0 - 150 sec) 4 3 2 1 0 50 100 150 200 Time (s) Aparna Kansal | MS Thesis Defense 27 Human-Automation Interface Failure: Impact of Fault Recovery Fault (at 300 sec) Fault NoFault No Fault No Airspeeds IAS (Knots) Theta (deg) Theta (deg) 4000 1000 2004 0 160 800 2 3000 180 600 -2 150 0 2000 160 No Recovery Recovery NoRecovery TAS IAS 400 -2 -4 140 200 1000 140 -4 130 0 -6 0280 120 -6 0 0 Fault Recovery 290 50 50 300 100 100 340 330 320 310 250 200 150 250 200 250 200 150 Time (s) (s) 350 300 300 300 360 350 350 290 50 50 300 100 100 310150 150 320 200 250 200 250 340 200 330 250 300 300 350 300 350 350360 4 Time (s) Time (s) (s) Time 500 2 x 104 8 FlightPath Path Angle (deg) Flight Angle (deg) Thrust Thrust (lbf) Vertical VerticalSpeed Speed (fpm) (fpm) x 10 Commanded thrust: 80,000 lbf Attempt go-around Repair 41s Repair41s Repair 20s Repair 20s Repair 1200 2 170 Altitude (ft)(ft) Altitude Airspeed Commanded but Autothrottle on HOLD, not changed to SPD Thrust on idle Altitude: < 500 feet 1000 64 20 0 56 00 -2 4 -500 4 -2 -4 3 -1000 -4 2 -1000 -6 2 -6 -2000 -8 -1500 10 -8 280 0 0 Time (s) (s) Time(s) Time (s) Aparna Kansal | MS Thesis Defense 28 Human-Automation Interface Failure: Result Requirement for fault management: Recovery from fault depends on 4000 4000 3000 3000 Altitude (ft) Altitude (ft) Fault duration Parameter considered for fault detection 2000 1000 0 0 50 100 150 200 250 300 350 400 450 2000 1000 0 500 0 50 100 1000 0 -1000 -2000 0 50 100 150 200 250 150 200 250 300 350 250 300 350 Time (s) 300 350 400 450 500 Vertical Speed (fpm) Vertical Speed (fpm) Time (s) 1000 0 -1000 -2000 Time (s) 0 50 100 150 200 Time (s) Fault Duration: 20 sec IAS < Commanded Aparna Kansal | MS Thesis Defense Fault Duration: 41 sec FPA < Commanded 29 Conclusion Contributions Contribution 1: Axiomatic set of conditions • • Method to enable identifying axiomatic conditions of system components, observe emergent behavior when axioms are violated Focusing validation and testing efforts on likely problems early in the system development Contribution 2: Simulation framework • • Enabled understanding important considerations to be taken to avoid or recover from a fault involving violating an axiom Simulation of component functions enables evaluation of important failure modes and emergent effects earlier in the design process Contribution 3: Simulation to identify emergent behavior • • Case studies demonstrated the ability to simulate system wide effects due to violation of component axioms early in the design Method can also be implemented later in the design process by including more detailed component models representing more detailed functions Aparna Kansal | MS Thesis Defense 31 Future Work Focus testing on more specific areas • Type of system being tested • Number of components • Detail of component functions Identify axiomatic set of conditions • More detailed implementation • Process to systematically determine entire axiomatic set of conditions • Identify different types of axioms and study the effect of violating them Aparna Kansal | MS Thesis Defense 32 Acknowledgements Thesis Committee: Dr. Amy Pritchett, Advisor Dr. Brian German Mr. Curt Hanson, NASA Armstrong Flight Research Center NASA (Sponsors) VELCRO Research Team CEC Members This work is sponsored by: The National Aeronautics and Space Administration Aparna Kansal | MS Thesis Defense 33 Thank you! References Favarò, F. M., Jackson, D. W., Saleh, J. H., and Mavris, D. N., “Software contributions to aircraft adverse events: Case studies and analyses of recurrent accident patterns and failure mechanisms,” Reliability Engineering & System Safety, vol. 113, May 2013, pp. 131–142. Aircraft Accident Report: Runway Overrun During Rejected Takeoff, Bombardier Learjet 60, N999LJ, Columbia, South Carolina: . Aircraft Accident Report: UNCONTROLLED DESCENT AND COLLISION WITH TERRAIN, Boeing 737-300 USAIR Flight 427, N513AU, Aliquippa, Pennsylvania: . Black, J., and Koopman, P., “System safety as an emergent property in composite systems,” 2009 IEEE/IFIP International Conference on Dependable Systems & Networks, 2009. Bloebaum, Christina L. McGowan, A.-M. R., “The Design of Large-Scale Complex Engineered Systems: Present Challenges and Future Promise,” AIAA, pp. 1–19. Leveson, N., SafeWare: System Safety and Computers, ADDISON WESLEY Publishing Company Incorporated, 1995. “Principles of System Safety,” FAA System Safety Handbook, 2000. “Integrated System Hazard Analysis,” FAA System Safety Handbook, 2000. “Aerospace Recommended Practice 4754 Rev. A: Guidelines for Development of Civil Aircraft and Systems,” 2010. “Erroneous Flight Instrument Information,” AERO Magazine. Interim Report: Crash into Atlantic Ocean, Airbus A330-203, Air France Flight 447, Paris: 2009. Bauer, M., Specialist’s Factual Report: Airspeed Indication Anomaly, A330-200 TAM Airlines Flight 8091, 2011. Bauer, M., Specialist’s Factual Report: Airspeed Indication Anomaly, A330-323 NorthWest Airlines Flight 008, 2011. Accident Docket: Impact with Sea Wall during Final Approach, Boeing 777-200ER, Asiana Airlines Flight 214, San Fransisco: . Aparna Kansal | MS Thesis Defense 35
