View Full Version : Reports of A400 Crash, Saville, Spain


atakacs
6th Jun 2015, 07:25
Well I must confess the whole narrative is perplexing.

I have admittedly no experience with this specific power plant but I really fail to see how its engine control software can be erroneously installed, be functional to the point of passing all static tests yet fail in such an extreme way to crash the aircraft.

I can understand that it was mis-configured, was getting erroneous inputs from sensors or - most likely - was simply buggy - all explanations apparently not applying here. An installation error that goes undetected until flight time ? On 3 out of 4 engines ? Wow... :uhoh:

glad rag
6th Jun 2015, 12:25
I think when they said a quality failing you have to take a metaphorical step back and look at the "whole" picture.

A software install can be 100% correctly completed and still be "wrong" ie the installers have been issued a wrong version of the correct software; configuration control, process control-it may well be not the fault of the techs doing the actual upload if the information they were supplied with was wrong in the first place...

VinRouge
6th Jun 2015, 15:50
Roulis,

Have a good look at DAL. It's not a case of rewrite the code, upload, off you go. Safety critical software has to demonstrate an appropriate level of verification and assurance in manufacture and testing before it goes anywhere near an aircraft.

Something went wrong, speculation over such a complex failure will not solve anything. We will get the investigation findings in due course.

tucumseh
7th Jun 2015, 03:12
Safety critical software has to demonstrate an appropriate level of verification and assurance in manufacture and testing before it goes anywhere near an aircraft.

A cornerstone of the ZD576 case! It is depressing reading many of the excellent comments here as you could substitute tail numbers and be talking about any number of accidents.

Bigpants
7th Jun 2015, 08:46
Why don't Airbus introduce a suitable series of levers and rods from the thrust levers on the flight deck directly to the fuel control units on the engines.

Then they could have a third chap sit on the flight deck to help manage these levers and when not doing that could carry out walk rounds, a bit of down route engineering and seek out "interesting" places to take the crew to for refreshments...

Ditch FADEC and software and bring back flight engineers?

TheChitterneFlyer
7th Jun 2015, 09:10
Bigpants, if only it were that simple!

Rhino power
8th Jun 2015, 15:08
UK yet to decide on A400M safety - 6/5/2015 - Flight Global (http://www.flightglobal.com/news/articles/uk-yet-to-decide-on-a400m-safety-413141/)

BEagle
8th Jun 2015, 20:29
Bigpants wrote:
Ditch FADEC and software and bring back flight engineers?

Yes, if you want to turn the clock back about 30 years. But at least that would mean the presence of a moose-trapper amongst the aircrew....:yuk:

"You haven't seen ugly until you've seen something rejected by an air engineer!"

TheChitterneFlyer
8th Jun 2015, 22:05
I'm not quite sure what you mean by that statement Beags?

TheiC
8th Jun 2015, 22:16
Well, I'm not a military airman, but I'm absolutely certain I know what Beags was referring to!

SAMPUBLIUS
10th Jun 2015, 04:52
https://www.yahoo.com/tech/s/exclusive-a400m-probe-focuses-impact-accidental-data-wipe-194900525--finance.html
Exclusive: A400M probe focuses on impact of accidental data wipe

...Yet as the pilots took off, another safety feature came into play only to turn against the crew, industry experts said.

Without the vital data parameters, information from the engines is effectively meaningless to the computers controlling them. The automatic response is to hunker down and prevent what would usually be a single engine problem causing more damage.

This is what the computers apparently did on the doomed flight, just as they were designed to do.

"Nobody imagined a problem like this could happen to three engines," a person familiar with the 12-year-old project said.

basically some torque calibration data got wiped during software installation/checkout. Missing that data, computers decided engines were maybe harmed and to prevent further damage- simply shut down- Three out of four engines..

HAL wins again !! :ugh:

So much for ' fail safe' modes due to garbaged data...:sad:

fgrieu
10th Jun 2015, 04:54
Exclusive: A400M probe focuses on impact of accidental data wipe | Reuters (http://www.reuters.com/article/2015/06/09/us-airbus-a400m-idUSKBN0OP2AS20150609)

(..) the key scenario being examined is that the data -- known as "torque calibration parameters" -- was accidentally wiped on three engines as the engine software was being installed at Airbus facilities. (..) European NATO buyers have now been instructed not to use the Airbus computer system that was used to conduct the software installation on the A400M, people familiar with the order said. (..) the first warning pilots would receive of the engine data problem would be when the plane was 400 feet (120 meters) in the air, according to a safety document seen by Reuters.

I can't understand why a very possible failure mode (lack or erasure of parameters) is not self-detected (e.g. by a checksum/hash mechanism), and reported in pre-flight checks. Note: I'm an engineer designing security-critical software (though not safety-critical as in aviation).

Can737
10th Jun 2015, 05:16
Computers are smart :E

Keep it simple folks.

Check Airman
10th Jun 2015, 05:20
I've long been skeptical of FADEC systems that decide that an engine should go to idle, or shut down absent pilot input. In many cases (eg uncommanded reverser deployment), it's easy to see the logic, but I've always thought that it's best to have some sort of override built in, just in case of corrupt data.

MatrixMan
10th Jun 2015, 05:28
an override of the override?

melmothtw
11th Jun 2015, 06:24
The latest twist in the tale - Airbus is now running out of ramp space to park its grounded A400Ms

Airbus running out of room to park grounded A400Ms - IHS Jane's 360 (http://www.janes.com/article/52145/airbus-running-out-of-room-to-park-grounded-a400ms)

sycamore
11th Jun 2015, 10:12
Park them on the `grass`...they are `tactical `aircraft after all...

Mickj3
11th Jun 2015, 11:07
Sycamore

I had to chuckle at your "park em on the grass". I put this down to how we sometimes miss the glaringly obvious. It reminded me of a story from the space race in the 60s. Apparently the Americans spent $10 million trying to develop a biro type pen that would perform in zero gravity. The soviets used a pencil.

Hempy
11th Jun 2015, 11:46
It reminded me of a story from the space race in the 60s. Apparently the Americans spent $10 million trying to develop a biro type pen that would perform in zero gravity. The soviets used a pencil.

Ah that old chestnut.

A common urban legend states that NASA spent a large amount of money to develop a pen that would write in space (the result purportedly being the Fisher Space Pen), while the Soviets just used pencils. There is a grain of truth: NASA began to develop a space pen, but when development costs skyrocketed the project was abandoned and astronauts went back to using pencils, along with the Soviets. However, the claim that NASA spent millions on the Space Pen is incorrect, as the Fisher pen was developed using private capital, not government funding. NASA – and the Soviets - eventually began purchasing such pens.

You can buy one too!

Fisher Space Pen Co. (http://www.spacepen.com/)

BossEyed
11th Jun 2015, 12:03
I suspect that lots of graphite dust floating around electronics in zero g isn't the most fabulous idea, either. :E

NutLoose
11th Jun 2015, 12:12
If I was going to buy a pen then it wood be one of these, pun intended...

Caithness Pens (http://www.caithnesspens.com/for-sale-spitfire.php)

Mil-26Man
11th Jun 2015, 12:22
Park them on the `grass`...they are `tactical `aircraft after all...

Having visited Airbus at Seville on numerous occasions, I can vouch for there being very little in the way of spare grass on which to park grounded A400Ms. Not only is the Airbus side of the facility pretty much completely paved (and I assume it is this area that is rapidly filling up), but the facility abuts onto the international airport which would again limit room for overspill.

KenV
11th Jun 2015, 12:33
I had to chuckle at your "park em on the grass". I put this down to how we sometimes miss the glaringly obvious. It reminded me of a story from the space race in the 60s. Apparently the Americans spent $10 million trying to develop a biro type pen that would perform in zero gravity. The soviets used a pencil.

False story.

1. NASA used pencils all through the Mercury and Gemini programs. It was not until Apollo that they used pens.

2. The "space pen" was developed commercially by the Fisher company at zero cost to NASA or the government. (And it cost $2M to develop, not $10M) It did not sell well commercially because it was pricey. Not until they sold their pens to NASA did Fisher call it the "Space Pen", but they made a bundle from that point on. Indeed Fisher claimed that their space pen saved the astronauts on the moon on Apollo 11. The toggle for the switch that armed the launch engine for the lander broke off. Buzz Aldrin used a pen to reach inside the switch to close the circuit and launch the lander. Fisher still markets the space pen and still claims it saved Apollo 11. But in his book Buzz revealed that he did not use a Fisher space pen to do the job.

3. Russia used (and continues to use) Fisher space pens on all its Soyuz flights as well as Mir and ISS flights. It's still the only pen that works in zero G.

Courtney Mil
11th Jun 2015, 13:04
Opinion is divided on that one, Ken.

Ballpoints don't feed by gravity, they feed by capillary action. Most won't work if held upside down for any length of time because the -1g tends to pull the ink away from the ball and, once separated from it, the ink loses its capillary action. Zero g is a different matter. There is no force to pull the ink either way so the surface tension can do its work.

One of the astronauts on ISS (or was it Space Lab?) tried it with a ball point he nicked from NASA and reported in his blog that it was working fine.

That said, if the 50c biro stopped working they wouldn't be able to do their homework any more so the space pen is certainly a safer option!

lomapaseo
11th Jun 2015, 13:11
I've long been skeptical of FADEC systems that decide that an engine should go to idle, or shut down absent pilot input. In many cases (eg uncommanded reverser deployment), it's easy to see the logic, but I've always thought that it's best to have some sort of override built in, just in case of corrupt data.

But it wasn't a FADEC system. FADEC systems are certified under engine rules and have their own backup, fail-safe protocols. If a FADEC system had its data wiped beforehand you wouldn't even have been able to take off.

KenV
11th Jun 2015, 14:20
I stand corrected.

It's still the only pen that works reliably in zero G.

glad rag
11th Jun 2015, 14:31
Nice post Nutty! now that is enterprising :D:D:D

KenV
11th Jun 2015, 14:35
Wait........the Spitfire used wooden propellers? I never knew.

tdracer
11th Jun 2015, 14:51
But it wasn't a FADEC system. FADEC systems are certified under engine rules and have their own backup, fail-safe protocols. If a FADEC system had its data wiped beforehand you wouldn't even have been able to take off.

I keep thinking there is still more to this than is being reported. It is a "FADEC" control. For those of you who may not know, on a turboprop, the FADEC will adjust the prop to hold a constant speed, then adjust the turbine to hold the desired output torque (and the FADEC measures the torque on the output shaft directly - at least on the turboprop I worked on many moons ago it measured the shaft twist to determine the output torque).

The linked articles suggest that they have the ability to input engine specific torque calibrations - but as a long time engine guy it's inconceivable to me that the FADEC would not have a 'default' torque calibration, and/or set some sort of no-dispatch message (or even prevent the engine from starting) if the engine specific torque calibration was corrupted or "wiped".

We're still not getting the full story.

I've long been skeptical of FADEC systems that decide that an engine should go to idle, or shut down absent pilot input.
At least on the FADEC systems I've worked, the only reason the FADEC will go to idle or shutdown absent pilot input is for:
a sensed unsafe condition (e.g. rotor overspeed), or
failures have made the FADEC incapable of safely controlling the engine.

I know there is still a certain skepticism of FADEC, but the fact is that engine control caused shutdowns and "loss of thrust control" events are roughly an order of magnitude better with FADEC than with the old hydromechanical systems.

atakacs
11th Jun 2015, 16:12
I keep thinking there is still more to this than is being reported. It is a "FADEC" control. For those of you who may not know, on a turboprop, the FADEC will adjust the prop to hold a constant speed, then adjust the turbine to hold the desired output torque (and the FADEC measures the torque on the output shaft directly - at least on the turboprop I worked on many moons ago it measured the shaft twist to determine the output torque).

The linked articles suggest that they have the ability to input engine specific torque calibrations - but as a long time engine guy it's inconceivable to me that the FADEC would not have a 'default' torque calibration, and/or set some sort of no-dispatch message (or even prevent the engine from starting) if the engine specific torque calibration was corrupted or "wiped".

I would certainly agree.

And I can't imagine that if it wasn't the case (ie no "fallback / safe mode") this would not raise some alerts during the static tests that have (hopefully ?) been undertaken before this flight !?

Another question: given that the aircraft was most likely nowhere near MTOW wouldn't this situation allow some measure of controlled flight / managed emergency landing ? Or were they extremely unlucky not being able to walk out of this one ?

towerview
11th Jun 2015, 16:42
Wait........the Spitfire used wooden propellers? I never knew



Internet is wonderful................


"LONDON, May 23. The Royal Commission on inventions last night announced it had awarded £.15,000 to Mr. Bruno Jablonsky for his laminated wood aeroplane propellers which helped to win the Battle of Britain.

"Mr. Jablonsky, a Polish Jew, came to Britain in 1930, and founded the firm of Jablo Propellers Ltd. He did much of his experimentation on the propeller at a laboratory at the bottom of his Croydon home's garden. Finally, he perfected a plastic wood which replaced metal propellers and enabled the Government to divert much needed metal to other purposes.

"Previously it had been found impossible to produce wooden propellers which would stand the strain of such modern high-speed aircraft as the Spitfire. 'Almost all Spitfires and Hurricanes in the Battle of Britain were fitted with my laminated wood propeller,' Mr. Jablonsky said to-day."

KenV
11th Jun 2015, 19:28
So Spitfires and Hurricanes did not have controllable pitch/constant speed propellers. Fascinating. I had no idea.

KenV
11th Jun 2015, 19:40
I keep thinking there is still more to this than is being reported. It is a "FADEC" control. For those of you who may not know, on a turboprop, the FADEC will adjust the prop to hold a constant speed, then adjust the turbine to hold the desired output torque (and the FADEC measures the torque on the output shaft directly - at least on the turboprop I worked on many moons ago it measured the shaft twist to determine the output torque).

The turboprop I'm most familiar with did not maintain constant torque, it maintained constant TIT. Trying to maintain constant torque at a constant prop RPM while in a climb resulted in overtemps, so the TIT became the controlled parameter.

Innominate
11th Jun 2015, 19:58
KenV

Individual wooden blades fitted into hubs which allowed variable pitch/constant speed. And nowadays the blades tend to come from Germany...

NutLoose
11th Jun 2015, 20:13
Ken, the original Watts props fitted to the Spit and Hurricane were indeed fixed pitch props. Later props were wobbly ones, ie variable pitch

This shows the various props

http://spitfirespares.co.uk/propellors.html


I have "spoken" via email In the past with the chap that produces the pens ( nothing to do with me ) and he told me he only uses props that are fit for nothing else, ie well past the possible display standard.

Sorry for the thread drift.

..

roulishollandais
12th Jun 2015, 07:52
I'm still using my Fisher pen or 5B pencil when I'm writing in my bed or on the wall board !
KISS !

BEagle
16th Jun 2015, 15:19
Good to see an A400M flying again today in the local area. I presume it was a Brize-based Atlas?

No further information yet on the AD&S website, but I would assume that the cause of the MSN23 accident has now been positively identified and adequate provision made to prevent anything similar happening again?

Trumpet_trousers
16th Jun 2015, 15:28
UK clears A400M for training flight resumption - 6/16/2015 - Flight Global (http://www.flightglobal.com/news/articles/uk-clears-a400m-for-training-flight-resumption-413705/)

Courtney Mil
16th Jun 2015, 15:48
Good news.

sandiego89
16th Jun 2015, 15:54
The article states "to immediate effect"- guess Beagle saw it as the release was coming off the presses...

Germany to follow in a few weeks article states. No word on other customers or those still operating with the manufacturer. Paris show next week.

So like Beagle says, must be high confidence between proper software/loading process and suspect software/process. Will be interesting to learn how that was sorted.

RequestPidgeons
2nd Jul 2015, 08:47
FWIW, a relatively new design with a similar problem?
Deadly Osprey crash spurred safety changes, heroics | SanDiegoUnionTribune.com (http://www.sandiegouniontribune.com/news/2015/jun/30/osprey-crash-at-sea-command-investigation/)

VX275
2nd Jul 2015, 14:48
There's a salutary lesson about AEA integration in that article.

sandiego89
2nd Jul 2015, 15:32
RequestPidgeons FWIW, a relatively new design with a similar problem?


I say no. Sounds like the crew of the MV-22 started up and took off while in maintenance mode, robbing the engines of ~20% power- so human factors primary cause, design (allowing flight in that mode and no warning/indicators) contributory.

atakacs
2nd Jul 2015, 20:51
Any news about the investigation? Or tagging it as military voided any reporting obligations?

airsound
7th Jul 2015, 14:12
Kevan Jones, MP, has formally asked the Secretary of State for Defence what outstanding safety issues there are relating to the A400m Atlas aircraft.

In his reply, Philip Dunne takes a while to say not very much, but he ends with this:

the Ministry of Defence is satisfied that there are no safety issues, and that the risks associated with operating A400M are fully consistent with its certified safety requirements – for the basic airframe and engine these are consistent with a civilian airliner – and that the platform is not subject to intolerable or unmanaged safety issues.
If you want to see more, I'm indebted to Think Defence at 4554 - Future Large Aircraft (Answered) - Think Defence (http://www.thinkdefence.co.uk/2015/07/4554-future-large-aircraft-answered/)
but if you want it from the horse's mouth, then Hansard is probably your best bet.

airsound

atakacs
16th Nov 2016, 18:26
Is this still being investigated? Or just a "nothing to see here" incident?!


Well little bit more than 2 years now and seems this has just never happened

ORAC
9th Nov 2017, 07:15
Airbus knew of software vulnerability before A400M crash (http://www.reuters.com/article/us-airbus-a400m/airbus-knew-of-software-vulnerability-before-a400m-crash-idUSKBN1D819P)

PARIS/SEVILLE (Reuters) - Airbus and European safety authorities were warned in late 2014 of a software vulnerability in the A400M military plane that was similar to a weakness that contributed to a fatal crash seven months later, Spanish investigators have found.

The Airbus-built cargo and troop carrier crashed near Seville during a test flight in May 2015, killing four of the six crew, after three out of four engines froze minutes after take-off. Data needed to run the engines had been accidentally erased when Airbus workers installed software on the ground, and pilots had no warning there was a problem until the engines failed, Reuters reported weeks after the disaster, citing several sources with knowledge of the matter.

A confidential report by Spanish military investigators into the crash, completed this summer, sheds new light on poor coordination and misjudgments that have dogged Europe’s biggest military project. The findings confirmed the engines were compromised by data being wiped, according to extracts of the report seen by Reuters and three people familiar with the inquiry.

The report also said the engine-makers had warned Airbus and the European Aviation Safety Agency (EASA) in October 2014 that software installation errors could lead to a loss of engine data, and that technicians may not receive any warning before take-off that a problem had occurred.

When contacted by Reuters, Airbus said the crash was the result of “multiple, different factors and contributory causes”, but declined detailed comment about the investigators’ findings because they are not public. The planemaker has since reviewed all systems and acted to “ensure the chain of identified causes could not happen ever again”, a spokesman added.

EASA declined to comment.

The engine-makers Europrop International (EPI), a pan-European consortium owned by Britain’s Rolls-Royce (RR.L), Germany’s MTU (MTXGn.DE) and France’s Safran (SAF.PA), declined to comment.

Spain’s defense ministry, whose air accident agency conducted the investigation, also declined to comment......

switch_on_lofty
9th Nov 2017, 10:28
No comment all round... Not a surprise if it was known within the organisation that engine software could be wiped and no-one would know.

Just This Once...
9th Nov 2017, 11:01
Not exactly an open, transparent and safety-led investigation process is it?

atakacs
9th Nov 2017, 18:17
Well they requalified what was in my view a civilian test flight into a military one and decided to completely bury the investigation.

Apparently there seems to be a huge case of negligence here and some people are leaking the findings.
All in all I'd say that this reflects extremely poorly on CASA / EADS.

atakacs
12th Nov 2017, 11:05
Hmm surprised this doesn't generate more noise. It is quite a big deal in my book.
Errors happen but in this line of business avoidable mistakes are not acceptable.

jimjim1
13th Nov 2017, 01:57
Quote: (from a while back in this thread)
A bigger software issue these days is 'supposed' redundancy that actually isn't. Like the Boeing 787 that has 4 generators fail at the same time, because their software has a flaw.
Let's put this "flaw" in perspective.

1. It has NEVER happened operationally, only in the test lab.
2. It will ONLY happen if the system runs continuously for 248 days.
3. The "workaround" to prevent this from happening is to shut down the system before 248 days have elapsed.
4. No one anywhere has ever or will ever run a 787 continuously for 248 days. Conclusion: not a problem in any meaningful sense, but Boeing still notified its users of this "flaw", which was eliminated in the next software revision.

Ah! The old (2^31) - 1 hundredths of a second signed 32 bit integer problem.

I first saw this in about 1997 in production kit that was expected to work for years without a reboot.

In that case the code came from some old Unix(y) stuff that was re-purposed. The thing simply stopped working after 248 days until turned off and on again.

248 days = 2,142,720,000 hundredths of a second
(2^31) -1 = 2,147,483,647
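The 248-day limit discussed in the post above, worked through as an added example (constructed for illustration, not code from any aircraft system or from the equipment the poster mentions). It shows two ways a timeout check on a signed 32-bit centisecond counter misbehaves at the wrap, next to a wrap-safe comparison; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TICKS_PER_DAY (24u * 60u * 60u * 100u)  /* hundredths of a second per day */
#define NEVER UINT32_MAX

/* Whole days of uptime before a signed 32-bit centisecond counter reaches INT32_MAX. */
uint32_t full_days_before_overflow(void)
{
    return (uint32_t)INT32_MAX / TICKS_PER_DAY;
}

/* Reinterpret the free-running tick value the way code storing it in an int32_t sees it. */
static int32_t as_signed(uint32_t t)
{
    int32_t s;
    memcpy(&s, &t, sizeof s);
    return s;
}

/* Naive check: assumes the tick value only ever grows. */
int expired_naive(int32_t now, int32_t deadline)
{
    return now >= deadline;
}

/* Wrap-safe check: modular distance from deadline to now, valid for intervals < 2^31 ticks. */
int expired_wrapsafe(uint32_t now, uint32_t deadline)
{
    return (uint32_t)(now - deadline) < 0x80000000u;
}

/* Poll a timeout armed at tick `start`; return the first offset (in ticks after
 * start) at which the chosen check reports expiry, or NEVER within max_offset. */
uint32_t first_expiry_offset(int use_naive, uint32_t start, uint32_t timeout,
                             uint32_t poll, uint32_t max_offset)
{
    if (poll == 0)
        return NEVER;
    uint32_t deadline = start + timeout;        /* unsigned add wraps, by definition */
    for (uint32_t off = 0; off <= max_offset; off += poll) {
        uint32_t now = start + off;
        int hit = use_naive ? expired_naive(as_signed(now), as_signed(deadline))
                            : expired_wrapsafe(now, deadline);
        if (hit)
            return off;
    }
    return NEVER;
}

int main(void)
{
    /* Case A: 30 s timeout armed 50 s before the wrap, polled every 60 s. */
    uint32_t a = (uint32_t)INT32_MAX - 5000u;
    /* Case B: 30 s timeout armed 10 s before the wrap, polled every 10 s. */
    uint32_t b = (uint32_t)INT32_MAX - 999u;

    printf("counter lasts %u full days\n", (unsigned)full_days_before_overflow());
    printf("A naive: %u  wrap-safe: %u\n",
           (unsigned)first_expiry_offset(1, a, 3000, 6000, 60000),
           (unsigned)first_expiry_offset(0, a, 3000, 6000, 60000));
    printf("B naive: %u  wrap-safe: %u\n",
           (unsigned)first_expiry_offset(1, b, 3000, 1000, 60000),
           (unsigned)first_expiry_offset(0, b, 3000, 1000, 60000));
    return 0;
}
```

In case A the naive check never fires once the counter has gone negative, and in case B it fires the instant the timer is armed; the wrap-safe form reports expiry at the first poll at or after the deadline in both.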

PFR
8th Sep 2018, 14:50
Some truly awful photos have appeared today on twitter through from the Spanish media. I won't put them up out of respect. But do we have a final report published yet for this accident?

H Peacock
8th Sep 2018, 15:03
Not sure we'll ever get to see much in the way of a report.

It's well known that the aircraft suffered a dramatic loss of thrust, but probably also an accident that would have had a somewhat better outcome had they conceded a forced landing off-base was inevitable and concentrated more on a wings-level arrival while they still had limited control (i.e. enough airspeed) of the aircraft.

PFR
8th Sep 2018, 19:29
Thanks for the reply H Peacock.
Having read further back on the thread I can understand to what you refer. All very sad.

gr4techie
9th Sep 2018, 10:58
Ah! The old (2^31) - 1 hundredths of a second signed 32 bit integer problem.

I first saw this in about 1997 in production kit that was expected to work for years without a reboot.

In that case the code came from some old Unix(y) stuff that was re-purposed. The thing simply stopped working after 248 days until turned off and on again.

248 days = 2,142,720,000 hundredths of a second
(2^31) -1 = 2,147,483,647

I think there was an unmanned Ariane 5 space rocket carrying four satellites that was lost on launch due to a software integer problem. They used older software from Ariane 4 and it ran out of numbers when Ariane 5's flightpath was different. It's quoted as the most expensive software bug in history.

ORAC
9th Sep 2018, 11:58
I think there was an unmanned Ariane 5 space rocket carrying four satellites that was lost on launch due to a software integer problem. They used older software from Ariane 4 and it ran out of numbers when Ariane 5's flightpath was different. It's quoted as the most expensive software bug in history.

I think the Mars Climate Orbiter ended up costing a fair bit more overall....

https://sma.nasa.gov/docs/default-source/safety-messages/safetymessage-2009-08-01-themarsclimateorbitermishap.pdf?sfvrsn=eaa1ef8_4

tdracer
10th Sep 2018, 04:17
Although it no longer directly affects me since I'm retired, shortly after the crash multiple commercial operators and the FAA came to us and wanted to know if this issue with the engine control software could possibly affect any of the Boeing commercial aircraft. I drafted up a stock response that basically said 'We can't answer that question because Airbus/EASA haven't provided sufficient information for us to understand the cause. Please come back when an accident report with the root cause is released'. Sounds like that's not going to happen - fortunately for my co-workers most people have pretty much forgotten about this one and are no longer asking the question.

I worked engine controls and FADEC software for the majority of my career. I was also an engine controls DER or the delegated equivalent of a DER for 28 years. I know a lot about engine controls and FADEC software.
If I put on my conspiracy hat for a minute, I suspect the root cause is clearly known and so embarrassing to Rolls, Airbus, and EASA that they are covering it up and it'll never be publicly released. A very basic requirement for 'modifiable' critical software is that it has to have failsafe protections incorporated. If the necessary data hasn't been loaded (or is invalid), you either prevent operation (i.e. the engine won't start, or if it starts won't go above idle), or you program default values that will allow safe (although not optimal) engine operation. Oh, and you put up a bunch of fault messages. FADEC software is level A flight critical, it's certified to the same level as FBW flight control s/w.
If I assume that the limited public information on the cause is remotely correct - basically that torque curves were not correctly loaded in the FADEC s/w on multiple engines - and the most basic protections to prevent unsafe operation were not in place - it means that NONE of the people responsible for certifying the FADEC software did their job (again, Rolls, Airbus, and EASA). Further, there was a catastrophic breakdown in Airbus QC to allow an aircraft to be released for first flight without the appropriate s/w loaded.
Approving FADEC software without the most basic of safety protections is unforgivable - those responsible should lose their jobs. IF that's what happened and it's being covered up, that's criminal - people responsible should go to jail...
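The kind of protection asked for in this post, and in fgrieu's earlier checksum suggestion, sketched as an added example: it is not the A400M's software or any vendor's code. The record layout, tag, serial numbers and function names are all hypothetical; the point is that an erased, corrupted or misassigned calibration record is detected on the ground and blocks dispatch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAL_MAGIC  0x43414C31u  /* hypothetical record tag ("CAL1") */
#define CAL_POINTS 4
#define N_ENGINES  4

/* Hypothetical per-engine calibration record held in non-volatile memory. */
typedef struct {
    uint32_t magic;
    uint32_t engine_serial;
    int32_t  torque_gain_ppm[CAL_POINTS];
    uint32_t crc32;             /* CRC-32 of every byte before this field */
} cal_block_t;

typedef enum { CAL_OK, CAL_ERASED, CAL_BAD_MAGIC, CAL_BAD_CRC, CAL_WRONG_ENGINE } cal_status_t;

/* Bitwise CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320). */
uint32_t crc32_ieee(const void *data, size_t len)
{
    const uint8_t *p = data;
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= p[i];
        for (int bit = 0; bit < 8; bit++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Loader side: stamp the tag and checksum after writing the parameters. */
void cal_seal(cal_block_t *b)
{
    b->magic = CAL_MAGIC;
    b->crc32 = crc32_ieee(b, offsetof(cal_block_t, crc32));
}

/* True when every byte equals v: 0xFF is erased flash, 0x00 a zero-filled region. */
static int is_uniform(const void *data, size_t len, uint8_t v)
{
    const uint8_t *p = data;
    for (size_t i = 0; i < len; i++)
        if (p[i] != v)
            return 0;
    return 1;
}

/* Controller side: a record is usable only if it passes every check. */
cal_status_t cal_validate(const cal_block_t *b, uint32_t expected_serial)
{
    if (is_uniform(b, sizeof *b, 0xFF) || is_uniform(b, sizeof *b, 0x00))
        return CAL_ERASED;
    if (b->magic != CAL_MAGIC)
        return CAL_BAD_MAGIC;
    if (b->crc32 != crc32_ieee(b, offsetof(cal_block_t, crc32)))
        return CAL_BAD_CRC;
    if (b->engine_serial != expected_serial)
        return CAL_WRONG_ENGINE;
    return CAL_OK;
}

/* Pre-flight gate: bit i set means engine i+1 has unusable calibration.
 * Dispatch (or engine start) is permitted only when the mask is zero. */
uint32_t preflight_fault_mask(const cal_block_t blocks[], const uint32_t serials[],
                              size_t n, cal_status_t status_out[])
{
    uint32_t mask = 0;
    for (size_t i = 0; i < n; i++) {
        status_out[i] = cal_validate(&blocks[i], serials[i]);
        if (status_out[i] != CAL_OK)
            mask |= (uint32_t)1 << i;
    }
    return mask;
}

/* Constructed scenario: engine 1 intact, 2 erased, 3 bit-flipped, 4 holds engine 1's record. */
uint32_t demo_preflight(cal_status_t status_out[N_ENGINES])
{
    const uint32_t serials[N_ENGINES] = { 1001, 1002, 1003, 1004 };  /* made-up serials */
    cal_block_t blocks[N_ENGINES];
    for (size_t i = 0; i < N_ENGINES; i++) {
        memset(&blocks[i], 0, sizeof blocks[i]);
        blocks[i].engine_serial = serials[i];
        for (int k = 0; k < CAL_POINTS; k++)
            blocks[i].torque_gain_ppm[k] = 1000000 + (int32_t)(i * 100) + k;
        cal_seal(&blocks[i]);
    }
    memset(&blocks[1], 0xFF, sizeof blocks[1]);  /* wiped during a software load */
    blocks[2].torque_gain_ppm[0] ^= 0x10;        /* single corrupted bit */
    blocks[3] = blocks[0];                       /* valid record, wrong engine */
    return preflight_fault_mask(blocks, serials, N_ENGINES, status_out);
}

int main(void)
{
    static const char *names[] = { "OK", "ERASED", "BAD_MAGIC", "BAD_CRC", "WRONG_ENGINE" };
    cal_status_t st[N_ENGINES];
    uint32_t mask = demo_preflight(st);
    for (int i = 0; i < N_ENGINES; i++)
        printf("ENG %d CAL %s\n", i + 1, names[st[i]]);
    printf("%s (fault mask 0x%02X)\n", mask ? "NO DISPATCH" : "dispatch permitted", (unsigned)mask);
    return 0;
}
```

A CRC detects accidental erasure and corruption only; a loader that must also resist deliberate tampering would authenticate the record with a keyed MAC or signature instead.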

KenV
10th Sep 2018, 13:15
For me, the really puzzling part of this accident is that the engines initially produced enough thrust to get safely airborne, and do so without any warning or caution indications, but then suddenly stopped producing enough thrust to stay airborne. That is one heck of a troubling failure mode for incorrectly loaded software. That such a failure mode was not identified and positively prevented as tdracer noted above is indeed very very disturbing. And if it is being covered up, would indeed seemingly be criminal. I'm not saying there is or has been a cover up, but everyone involved sure appears to be very tight lipped with the facts concerning this fatal accident. What assurance do the current and future operators of this aircraft have that the problem is fully understood and has been thoroughly designed out to prevent a recurrence?

H Peacock
10th Sep 2018, 16:41
I'm not so sure there is any cover-up, although disappointing that a detailed report hasn't been published for all to see.

Astonishingly, I believe the first cockpit indications of a problem were probably inhibited by the EICAS (or Airbus equivalent) until the aircraft was above the usual 400ft agl, then the default high thrust setting rapidly became a steady 'flight idle' when the thrust levers were retarded to try to contain the issue. With only one engine operating normally, and 3 at a very low power, a forced landing was the only option.

KenV
10th Sep 2018, 17:48
I'm not so sure there is any cover-up, although disappointing that a detailed report hasn't been published for all to see.

And absent such a report I repeat my question: "What assurance do the current and future operators of this aircraft have that the problem is fully understood and has been thoroughly designed out to prevent a recurrence?"

tdracer
10th Sep 2018, 18:26
Astonishingly, I believe the first cockpit indications of a problem were probably inhibited by the EICAS (or Airbus equivalent) until the aircraft was above the usual 400ft agl,
No idea how the Airbus logic works, but on Boeing EICAS the takeoff inhibit doesn't kick in until 80 knots, so if there is something wrong you can do a low speed abort.
On Boeing, if the FADEC detects a serious fault, EICAS message "ENG X CONTROL" (L/R ENG CONTROL on twins) is displayed - the procedure is No Dispatch. ENG CONTROL is inhibited above 80 knots and in flight - the logic being there is no procedure once airborne, and if the engine is still running we don't want the crew to shut it down because of the message.

atakacs
10th Sep 2018, 19:06
I am still not convinced this was not a civil flight (as far as I understand the pilots were civilian employees of Airbus and the plane was not yet handed over to its intended customer) and the total lack of a public investigation report (even a somewhat censored one) is really a shame. I really hope that the heads that needed to roll did so.

tubby linton
10th Sep 2018, 19:36
I am still not convinced this was not a civil flight (as far as I understand the pilots were civilian employees of Airbus and the plane was not yet handed over to its intended customer) and the total lack of a public investigation report (even a somewhat censored one) is really a shame. I really hope that the heads that needed to roll did so.
Similar accidents in the early years of the A320 gave Airbus a reputation that they were not being wholly honest about the aircraft.

Fortissimo
11th Sep 2018, 12:56
"What assurance do the current and future operators of this aircraft have that the problem is fully understood and has been thoroughly designed out to prevent a recurrence?"

Given that France, Germany, Spain and UK all released their aircraft for flight following the initial investigation, these operators must have received suitable assurances from Airbus Mil or the aircraft would have remained grounded. As an example, Boeing assured the UK that Rivet Joint was fully airworthy at point of delivery but the MAA was not convinced; the aircraft stayed on the ground (for many months) until the UK had enough information, beyond that provided by the manufacturer, to satisfy the assurance requirements of the post Haddon-Cave airworthiness environment. The fact that any assurance in this case has not been made public does not mean that none has been offered to customers.

As for whether it was a civil or military flight (question from atakacs), most nations treat the operation of aircraft designed for military purposes as being military in nature, regardless of the status of the crew, because the aircraft are not designed or built to the standards that would apply to a civilian aircraft. It would be for Spain to decide on publication of the investigation report for a military accident that happened on its turf, not Airbus.

Lynxman
11th Sep 2018, 15:55
A400M was built to EASA civil certification standards.

KenV
11th Sep 2018, 15:57
As for whether it was a civil or military flight (question from atakacs), most nations treat the operation of aircraft designed for military purposes as being military in nature, regardless of the status of the crew, because the aircraft are not designed or built to the standards that would apply to a civilian aircraft. It would be for Spain to decide on publication of the investigation report for a military accident that happened on its turf, not Airbus.
In the US, military transports not yet delivered to the military customer (via DD250) are assigned a temporary FAA "N" registration and operated under FAA "Experimental" rules. Every KC-46 and C-17 that has flown was so registered prior to DD250. Indeed there are four KC-46 tankers and one C-17 stored here in San Antonio awaiting delivery to the military customer. Each has a temporary "N" number on the tail.

Separately, both the A400 and KC-46 are initially civilly certified. On the KC-46 many mods have a civil STC (Supplemental Type Certificate) and some mods have an MTC (Military Type Certificate.) But the basic airframe is civilly certified.

KenV
11th Sep 2018, 16:07
Given that France, Germany, Spain and UK all released their aircraft for flight following the initial investigation, these operators must have received suitable assurances from Airbus Mil or the aircraft would have remained grounded.
I get that. But it's one thing to say: "Your aircraft did not get the latest software load and are therefore safe to fly," and an entirely different thing to say: "Any and all new software loads we give you in the future are guaranteed not to result in a similar failure." Absent a detailed accident report, what assurances do the current and future operators have that the guarantee is worth anything?

tdracer
11th Sep 2018, 19:10
As for whether it was a civil or military flight (question from atakacs), most nations treat the operation of aircraft designed for military purposes as being military in nature, regardless of the status of the crew, because the aircraft are not designed or built to the standards that would apply to a civilian aircraft. It would be for Spain to decide on publication of the investigation report for a military accident that happened on its turf, not Airbus.
The impressive safety record of modern aircraft is due to the incorporation of countless lessons learned from previous aircraft accidents.
To put it quite bluntly, if they never release the cause of this A400M accident, and any other aircraft crashes due to a similar problem, those responsible for not releasing the accident cause are guilty of murder.

atakacs
11th Sep 2018, 21:04
As for whether it was a civil or military flight (question from atakacs), most nations treat the operation of aircraft designed for military purposes as being military in nature, regardless of the status of the crew, because the aircraft are not designed or built to the standards that would apply to a civilian aircraft. It would be for Spain to decide on publication of the investigation report for a military accident that happened on its turf, not Airbus.
My understanding is that the A-400 was always built as a dual use (military and civilian) aircraft, with all relevant EASA certifications.
Although this bird was (if memory serves) to be delivered to the Turkish air force it was still registered / operated by Airbus.
I guess (and hope) the families have been generously compensated and the lessons learned.

EAP86
12th Sep 2018, 07:50
The only question which matters is whether the aircraft was military or civil registered. If civil, an Annex 13 investigation is a given and report publication would follow. If military, the Spanish military process would be followed and, on previous experience, publication unlikely. I don't know the answer on registration but I'm willing to guess.

EAP

atakacs
12th Sep 2018, 09:39
The only question which matters is whether the aircraft was military or civil registered. If civil, an Annex 13 investigation is a given and report publication would follow. If military, the Spanish military process would be followed and, on previous experience, publication unlikely. I don't know the answer on registration but I'm willing to guess.

EAP
My understanding is that it was registered to CASA (Airbus). But can't find any more details about this.

To be honest it is a pretty gray area

KenV
12th Sep 2018, 13:28
The only question which matters is whether the aircraft was military or civil registered. If civil, an Annex 13 investigation is a given and report publication would follow. If military, the Spanish military process would be followed and, on previous experience, publication unlikely. I don't know the answer on registration but I'm willing to guess.

EAP
Why would the Spanish military be involved in this accident at all? The Spanish military has no design or engineering authority for this aircraft. It was never signed over to them so they don't have operating authority for this aircraft. No Spanish military personnel were at the controls, so there was not even peripheral Spanish military involvement in the flight. So why no Annex 13 investigation report?

safetypee
12th Sep 2018, 13:58
The link https://en.m.wikipedia.org/wiki/2015_Seville_Airbus_A400M_crash provides a plausible explanation of the cause and of the differing views of which agency would investigate.
The aircraft was still on test and destined as a military version, thus an ‘in house’ investigation might be appropriate (no public report), which may be a similar procedure to that under U.K. ‘B’ conditions (civil cert) [US ‘Experimental’?], but with military interest, and thence civilian EASA interest because of the dual certification, and some local infighting, no clear EASA policy, etc, etc...

The software explanation is also plausible (Ref 32, 33); preflight test calibrations / checks could reset systems or dump critical data so that the FADEC could not control the engine (other than on the ground / takeoff power), and being ‘Full Authority’ this might result in a frozen engine or auto shutdown in the air. The latter appears most likely.

Has the type actually achieved civilian certification, or a civilian aircraft formally registered ?

sedburgh
12th Sep 2018, 14:20
Has the type actually achieved civilian certification, or a civilian aircraft formally registered ?
The EASA Type certificate is here: EASA TYPE - CERTIFICATE DATA SHEET No. EASA.A.169 for AIRBUS A400M (https://www.easa.europa.eu/sites/default/files/dfu/TCDS_EASA%20A%20169_%20Airbus_A400M_%20Iss_06.pdf)

KenV
12th Sep 2018, 14:38
The link https://en.m.wikipedia.org/wiki/2015_Seville_Airbus_A400M_crash provides a plausible explanation of the cause and of the differing views of which agency would investigate.....The software explanation is also plausible (Ref 32, 33)
Plausible explanations? Kind of my point, no? The point of an investigation is to positively determine cause, not "what is plausible." And the point of a report afterward is to assure all current and future operators that the cause is known and that the fix is certain. It's damn tough to operate a fleet of aircraft based on "what's plausible." Especially when those aircraft may have to go into combat.

tdracer
12th Sep 2018, 18:19
Further to what Ken wrote, pretty much every new aircraft - civil or military - has FADEC engine controls. The only way to prevent a future occurrence on another aircraft - civilian or military - is to publish a report pointing to root cause, so that everyone can make sure they don't make the same mistake - not just Airbus.
Like I said before, if the cause is known but not made public, and another aircraft crashes for the same cause - it's murder (manslaughter in US parlance).

EAP86
13th Sep 2018, 09:19
Why would the Spanish military be involved in this accident at all? The Spanish military has no design or engineering authority for this aircraft. It was never signed over to them so they don't have operating authority for this aircraft. No Spanish military personnel were at the controls, so there was not even peripheral Spanish military involvement in the flight. So why no Annex 13 investigation report?

The aircraft wasn't being developed by Airbus as a standalone PV project, rather it was developed in response to a contract agreed with OCCAR (with Spain as one of the end customers), and the contract would detail the qual and cert procedures to be followed. NB the procedures used to be available on OCCAR's website but I can't find them. The procedures could have agreed to use Airbus' standard EASA civil approval to fly development aircraft or they could've opted for flight certification under Sp military processes (which could also rely on the civil Type Certification of the Design issued by EASA although this may not have been available for early development flying). Whichever organisation was regulating the development flying would determine which accident investigation procedures to be adopted, hence my point about the registration number, military or civil.

Complex multinational military aircraft procurement programmes tend to breed complex qual and cert procedures. A friend was a senior airworthiness person in Airbus and in the early days of A400M he said that Airbus would cover the whole project under civil processes, none of these silly military processes. I patted him on the shoulder and suggested he tell me that in 10 years' time and we'd see whose vision of the future was correct.

EAP

EAP86
13th Sep 2018, 09:28
The EASA Type certificate is here: EASA TYPE - CERTIFICATE DATA SHEET No. EASA.A.169 for AIRBUS A400M (https://www.easa.europa.eu/sites/default/files/dfu/TCDS_EASA%20A%20169_%20Airbus_A400M_%20Iss_06.pdf)

A minor quibble, that's the TCDS not the TC but it does refer to the TC. I wonder whether a civil operator could procure an A400 against this TC in isolation as I suspect some additional military kit might be needed to create a flyable aircraft (radios?). I don't suppose Airbus would have any difficulty supplementing the TC to make it workable in a true civil context.

EAP

unmanned_droid
13th Sep 2018, 09:58
EAP - I think that it is potentially possible to buy an A400 for civil use only, however I imagine it wouldn't be allowed by OCCAR for some time. Obviously the mil spec kit would have to be replaced for civ and I guess the biggest impact will be in the avionics.

It was certified as a civil aircraft first before clearance of military specific roles and equipment. Possibly, the test aircraft had mil kit to make the MEL such as radios and transponder under exemption if necessary, rather than civil only equipment to be replaced by the customer specific equipment later on.

I just did some structures calcs on the wing so am not in the actual knowledge here...just what was talked about in the office at the time.

atakacs
14th Sep 2018, 03:55
My understanding is that it was registered to CASA (Airbus). But can't find any more details about this.

To be honest it is a pretty gray area

Just as a point of reference EC-001 to EC-999 is, as far as I understand, civilian registry for Spain under "Test and delivery". The registrant is listed "Airbus Military", which was dissolved in 2014 to become Airbus Defence and Space SAS (https://en.wikipedia.org/wiki/Airbus_Defence_and_Space) (so it's a bit unclear how it could still be used in 2015). As far as I can tell no military personnel work there and the people on board were civilians. As mentioned in a previous post the Spanish AF was not in any shape or form concerned.
I guess there is no point insisting there - although there would be many objective reasons to have an Annex 13 investigation it will not happen.

EAP86
14th Sep 2018, 08:09
The registrant is listed "Airbus Military", which was dissolved in 2014 to become Airbus Defence and Space SAS (https://en.wikipedia.org/wiki/Airbus_Defence_and_Space) (so it's a bit unclear how it could still be used in 2015).

I have no particular knowledge on the Airbus specifics but businesses often contract under a name of the legal entity which is quite different to the name used for business organisation or marketing. The latter names can change quite often but businesses hate the costs and complications of changing the name of the legal entity.

Edit. Is it possible that due to the OCCAR contract, EASA regard the A400M as a State Aircraft which isn't subject to Annex 13? Just a thought...

EAP

KenV
14th Sep 2018, 15:19
Regardless of the registry (civil, military, state, whatever) what is the reason the investigation is being done in secret and the resulting report not published? It makes no sense unless someone is trying to hide something nefarious, or someone is trying to protect someone who is guilty of at best malfeasance and at worst of murder.

The truly amazing part? They seem to be getting away with it.

safetypee
14th Sep 2018, 16:41
Ken, #332; it depends on who ‘they’ are.

ICAO, the State(s) of manufacturer / operation / location; regulator, civil / military, manufacturer(s), airframe, engine, FADEC, software, validation, …
There’s probably a link to NTSB in there somewhere: whose ball, whose playing field.
What requirements apply to flight test - see all of the above.

Off thread, who investigated the Nov 9, 2010, Boeing 787, ZA002 battery fire ?

fallmonk
15th Sep 2018, 06:24
Can I ask an ignorant question,
why does no transport aircraft (that I know of) have ejection seats?
We are constantly being told the years of training and expense of getting a pilot to a good standard is the most important thing on an aircraft (rightly so).
But yet no transport aircraft have them; on fighters, bombers and trainers it's a standard. I can understand if you have a full load of troops and it's crashing it might not be looked on with favour if the crew eject, and the troops perish, but if it's just equipment surely it's better for the crew to get out?

EAP86
15th Sep 2018, 07:33
An absolutely safe aircraft does not exist and, for good engineering reasons, aircraft are designed to be safe enough (roughly 1 in a million per fh likelihood of fatality). Transport aircraft are generally safe enough without ejection systems whereas most fast jets need ejection systems to make them safe enough. Note that 'safety' in this context is purely associated with the risk to life.

EAP

EAP86
15th Sep 2018, 07:51
Regardless of the registry (civil, military, state, whatever) what is the reason the investigation is being done in secret and the resulting report not published? It makes no sense unless someone is trying to hide something nefarious, or someone is trying to protect someone who is guilty of at best malfeasance and at worst of murder.

I believe it's the case that the investigation is not open because there is no overriding mandate for it to be otherwise. ICAO aircraft accidents fall under Annex 13 and most Airworthiness Authorities extend the principle to all civil types. Investigations of State Aircraft accidents require the relevant government to make a positive decision about openness. It could be argued that there's an ethical or moral imperative to publish, and while I would agree with this, it isn't a mandate. There may be legitimate sensitivities involved rather than something nefarious. FWIW I have no idea why there is secrecy in this case.

EAP

glad rag
15th Sep 2018, 07:53
Regardless of the registry (civil, military, state, whatever) what is the reason the investigation is being done in secret and the resulting report not published? It makes no sense unless someone is trying to hide something nefarious, or someone is trying to protect someone who is guilty of at best malfeasance and at worst of murder.

The truly amazing part? They seem to be getting away with it.

Post #188 refers.

Forrest Black
3rd Jan 2019, 02:59
Some of the questions asked here in September 2018 have actually been answered in the full version of the Reuters report partially quoted in Post #296 in November 2017 ("Airbus knew of software vulnerability before A400M crash")

I get that. But it's one thing to say: "Your aircraft did not get the latest software load and are therefore safe to fly," and an entirely different thing to say: "Any and all new software loads we give you in the future are guaranteed not to result in a similar failure." Absent a detailed accident report, what assurances do the current and future operators have that the guarantee is worth anything?
According to Reuters, there is a report, and they saw an extract of it. I'd guess that current and future operators will get access to the report, while you and me don't.


A400M was built to EASA civil certification standards.

That's only the first step of the process. Based on the civil certification alone, the A400M isn't even allowed to carry any cargo or passengers. Actually, according to the Reuters report, one of the reasons for the accident was that Airbus and the engine manufacturer didn't agree on whether the engines were to be treated by civil or military standards.

Why would the Spanish military be involved in this accident at all? The Spanish military has no design or engineering authority for this aircraft. It was never signed over to them so they don't have operating authority for this aircraft. No Spanish military personnel were at the controls, so there was not even peripheral Spanish military involvement in the flight. So why no Annex 13 investigation report?
The Spanish Dirección General de Armamento y Material (DGAM), a military authority, is responsible for the quality control at the final assembly line and issues export certificates, based on which the aircraft obtain their Airworthiness Certificates.

According to the Reuters report, Spanish officials say the A400M assembly line is a defense facility and not subject to civil rules.