Originally Posted by
kenparry
The A400M crash was caused by incorrect software installation. That airframe was a trials aircraft, so a rather different scenario than a certificated in-service civil airliner.
After the A400M crash, we got some urgent inquiries from the FAA and a few operators as to how we make sure the same thing didn't happen on a Boeing FADEC airliner.
I basically responded that - until/unless Airbus and Rolls release details - it was impossible to answer the question since we don't know what they did wrong. I then included a brief outline of the steps that Boeing takes to validate that software is 'airworthy'. **
At least at the time I'd retired, Rolls/Airbus had not released anything public indicating how the FADEC s/w error occurred (my suspicion was that it was a silly QA type error, and they were too embarrassed to make it public - not unlike the Alaska 737MAX Door incident).
Does anyone know if a proper accident report was ever released?
** Boeing has specific procedures for FADEC software before it's used for flight. First off, the new software is checked in our Propulsion Integration Lab (aka "PIL") using a standard battery of tests - plus specific conditions intended to test whatever new logic or functionality is included in the new s/w. Assuming it checks out in the PIL, it's installed on one engine for an actual aircraft flight test. After a normal flight cycle has been successful completed, it can be installed 'cross wing' for subsequent flights.
There is also the capability to 'trim' software for specific flight test purposes - for example to raise the max N1 limits to allow testing at power settings above the normal max ratings, or in the specific case of TCMA, it's routinely disabled during the initial flight testing of a new engine type until we have adequate 'real world' data to validate the TCMA limits. Software trims are treated the same as new software loads - tested in the PIL, then installed on a single engine for a flight, before it can be installed cross-wing.
Note that FADEC s/w is also certified Part 33 - which includes all the DO-178 testing and validations - normally before we install it on an aircraft. During a flight test program, sometimes we get FADEC s/w that hasn't been formally Part 33 certified, but has gone through all the necessary validations and testing for Part 33, it just hasn't been signed off (there are some other specific steps when that happens). FADEC software should never, ever appear on a revenue passenger flight until it has both Part 33 and Part 25 certifications.
BTW, a number of 'checksum' checks are performed during the FADEC software (or trim) loading to ensure the s/w load isn't somehow corrupted.