Reports of A400 Crash, Seville, Spain
Hmm surprised this doesn't generate more noise. It is quite a big deal in my book.
Errors happen but in this line of business avoidable mistakes are not acceptable.
Fun facts
Quote: (from a while back in this thread)
A bigger software issue these days is 'supposed' redundancy that actually isn't. Like the Boeing 787 that has 4 generators fail at the same time, because their software has a flaw.
Let's put this "flaw" in perspective.
1. It has NEVER happened operationally, only in the test lab.
2. It will ONLY happen if the system runs continuously for 248 days.
3. The "workaround" to prevent this from happening is to shut down the system before 248 days have elapsed.
4. No one anywhere has ever or will ever run a 787 continuously for 248 days. Conclusion: not a problem in any meaningful sense, but Boeing still notified its users of this "flaw", which was eliminated in the next software revision.
Some truly awful photos have appeared today on Twitter through from the Spanish media. I won't put them up out of respect. But do we have a final report published yet for this accident?
Not sure we'll ever get to see much in the way of a report.
It's well known that the aircraft suffered a dramatic loss of thrust, but probably also an accident that would have had a somewhat better outcome had they conceded a forced landing off-base was inevitable and concentrated more on a wings-level arrival while they still had limited control (i.e. enough airspeed) of the aircraft.
Ah! The old (2^31) - 1 hundredths of a second signed 32-bit integer problem.
I first saw this in about 1997 in production kit that was expected to work for years without a reboot.
In that case the code came from some old Unix(y) stuff that was re-purposed. The thing simply stopped working after 248 days until turned off and on again.
248 days = 2,142,720,000 hundredths of a second
(2^31) -1 = 2,147,483,647
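Added example (not part of the thread and not any poster's or vendor's code): the arithmetic above carried through in C, showing how a signed 32-bit hundredths-of-a-second counter breaks timer logic at the wrap and how a wrap-safe comparison avoids it. The function names and the two timer scenarios are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hundredths of a second in one day. */
#define TICKS_PER_DAY (100LL * 60 * 60 * 24)

/* Whole days a signed 32-bit centisecond counter lasts before overflowing. */
static int days_until_overflow(void) {
    return (int)(INT32_MAX / TICKS_PER_DAY);
}

/* Advance the counter by n ticks with two's-complement wraparound. The sum
 * is formed in unsigned arithmetic because signed overflow is undefined in C;
 * the conversion back wraps on mainstream compilers (GCC, Clang, MSVC). */
static int32_t tick_add(int32_t t, uint32_t n) {
    return (int32_t)((uint32_t)t + n);
}

/* Naive timer: compares absolute signed tick values. */
static int expired_naive(int32_t now, int32_t deadline) {
    return now >= deadline;
}

/* Wrap-safe timer: compares the elapsed interval modulo 2^32. */
static int expired_wrapsafe(uint32_t now, uint32_t start, uint32_t timeout) {
    return (uint32_t)(now - start) >= timeout;
}

int main(void) {
    printf("overflow after %d full days\n", days_until_overflow());
    printf("tick after INT32_MAX: %d\n", (int)tick_add(INT32_MAX, 1));

    /* Constructed case 1: a 1 s timer armed 0.5 s before the overflow. */
    int32_t start = INT32_MAX - 50;
    int32_t deadline = tick_add(start, 100);   /* wraps negative */
    printf("just armed, naive expired: %d, wrap-safe expired: %d\n",
           expired_naive(start, deadline),
           expired_wrapsafe((uint32_t)start, (uint32_t)start, 100));

    /* Constructed case 2: the deadline falls just before the overflow, but
     * the periodic check runs just after it. */
    start = INT32_MAX - 105;
    deadline = tick_add(start, 100);
    int32_t now = tick_add(INT32_MAX - 8, 10);
    printf("107 ticks later, naive expired: %d, wrap-safe expired: %d\n",
           expired_naive(now, deadline),
           expired_wrapsafe((uint32_t)now, (uint32_t)start, 100));
    return 0;
}
```

In case 1 the naive timer fires the moment it is armed; in case 2 it never fires, which matches a device that simply stops responding until it is power-cycled.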
I think there was an unmanned Ariane 5 space rocket carrying four satellites that was lost on launch due to a software integer problem. They used older software from Ariane 4 and it ran out of numbers when Ariane 5's flightpath was different. It's quoted as the most expensive software bug in history.
https://sma.nasa.gov/docs/default-so...vrsn=eaa1ef8_4
Although it no longer directly affects me since I'm retired, shortly after the crash multiple commercial operators and the FAA came to us and wanted to know if this issue with the engine control software could possibly affect any of the Boeing commercial aircraft. I drafted up a stock response that basically said 'We can't answer that question because Airbus/EASA haven't provided sufficient information for us to understand the cause. Please come back when an accident report with the root cause is released'. Sounds like that's not going to happen - fortunately for my co-workers most people have pretty much forgotten about this one and are no longer asking the question.
I worked engine controls and FADEC software for the majority of my career. I was also an engine controls DER or the delegated equivalent of a DER for 28 years. I know a lot about engine controls and FADEC software.
If I put on my conspiracy hat for a minute, I suspect the root cause is clearly known and so embarrassing to Rolls, Airbus, and EASA that they are covering it up and it'll never be publicly released. A very basic requirement for 'modifiable' critical software is that it has to have failsafe protections incorporated. If the necessary data hasn't been loaded (or is invalid), you either prevent operation (i.e. the engine won't start, or if it starts won't go above idle), or you program default values that will allow safe (although not optimal) engine operation. Oh, and you put up a bunch of fault messages. FADEC software is level A flight critical, it's certified to the same level as FBW flight control s/w.
If I assume that the limited public information on the cause is remotely correct - basically that torque curves were not correctly loaded in the FADEC s/w on multiple engines - and the most basic protections to prevent unsafe operation were not in place - it means that NONE of the people responsible for certifying the FADEC software did their job (again, Rolls, Airbus, and EASA). Further, there was a catastrophic breakdown in Airbus QC to allow an aircraft to be released for first flight without the appropriate s/w loaded.
Approving FADEC software without the most basic of safety protections is unforgivable - those responsible should lose their jobs. IF that's what happened and it's being covered up, that's criminal - people responsible should go to jail...
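Added example (not from the thread and not taken from any real engine controller): a minimal C sketch of the fail-safe pattern described in the post above, where loadable data that is missing or invalid raises fault flags and holds the power limit at idle. The block layout, marker value, fault names and idle limit are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CAL_MAGIC  0x43414C31u  /* hypothetical "load complete" marker */
#define CAL_POINTS 4
#define IDLE_PCT   5            /* hypothetical idle power limit, percent */
enum { FAULT_NOT_LOADED = 1, FAULT_CRC = 2, FAULT_RANGE = 4 };

/* Hypothetical calibration block; the layout is an assumption. */
typedef struct {
    uint32_t magic;               /* CAL_MAGIC once a load has completed */
    uint16_t torque[CAL_POINTS];  /* curve points, must strictly increase */
    uint32_t crc;                 /* CRC-32 of every byte before this field */
} cal_block;

static uint32_t cal_crc32(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Loader side: stamp the marker and checksum after writing the data. */
static void cal_seal(cal_block *b) {
    b->magic = CAL_MAGIC;
    b->crc = cal_crc32((const uint8_t *)b, offsetof(cal_block, crc));
}

/* Controller side: return a bitmask of faults, 0 if the block is usable. */
static unsigned cal_check(const cal_block *b) {
    unsigned faults = 0;
    if (b->magic != CAL_MAGIC) return FAULT_NOT_LOADED;
    if (cal_crc32((const uint8_t *)b, offsetof(cal_block, crc)) != b->crc)
        faults |= FAULT_CRC;
    for (int i = 1; i < CAL_POINTS; i++)
        if (b->torque[i] <= b->torque[i - 1]) faults |= FAULT_RANGE;
    return faults;
}

/* Fail-safe policy: any fault holds the power limit at idle. */
static int max_power_pct(unsigned faults) { return faults ? IDLE_PCT : 100; }

int main(void) {  /* constructed input: memory that was never programmed */
    cal_block erased = { 0xFFFFFFFFu, { 0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF }, 0xFFFFFFFFu };
    printf("limit=%d%%\n", max_power_pct(cal_check(&erased)));
    return 0;
}
```

The range check is separate from the checksum because a block can be intact in transit and still carry values the controller should refuse to use.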
For me, the really puzzling part of this accident is that the engines initially produced enough thrust to get safely airborne, and do so without any warning or caution indications, but then suddenly stopped producing enough thrust to stay airborne. That is one heck of a troubling failure mode for incorrectly loaded software. That such a failure mode was not identified and positively prevented as tdracer noted above is indeed very very disturbing. And if it is being covered up, would indeed seemingly be criminal. I'm not saying there is or has been a cover up, but everyone involved sure appears to be very tight lipped with the facts concerning this fatal accident. What assurance do the current and future operators of this aircraft have that the problem is fully understood and has been thoroughly designed out to prevent a recurrence?
I'm not so sure there is any cover-up, although disappointing that a detailed report hasn't been published for all to see.
Astonishingly, I believe the first cockpit indications of a problem were probably inhibited by the EICAS (or Airbus equivalent) until the aircraft was above the usual 400ft agl, then the default high thrust setting rapidly became a steady 'flight idle' when the thrust levers were retarded to try to contain the issue. With only one engine operating normally, and 3 at a very low power, a forced landing was the only option.
And absent such a report I repeat my question: "What assurance do the current and future operators of this aircraft have that the problem is fully understood and has been thoroughly designed out to prevent a recurrence?"
Astonishingly, I believe the first cockpit indications of a problem were probably inhibited by the EICAS (or Airbus equivalent) until the aircraft was above the usual 400ft agl,
On Boeing, if the FADEC detects a serious fault, EICAS message "ENG X CONTROL" (L/R ENG CONTROL on twins) is displayed - the procedure is No Dispatch. ENG CONTROL is inhibited above 80 knots and in flight - the logic being there is no procedure once airborne, and if the engine is still running we don't want the crew to shut it down because of the message.
I am still not convinced this was not a civil flight (as far as I understand the pilots were civilian employees of Airbus and the plane was not yet handed over to its intended customer) and the total lack of a public investigation report (even a somewhat censored one) is really a shame. I really hope that the heads that needed to roll did so.
"What assurance do the current and future operators of this aircraft have that the problem is fully understood and has been thoroughly designed out to prevent a recurrence?"
As for whether it was a civil or military flight (question from atakacs), most nations treat the operation of aircraft designed for military purposes as being military in nature, regardless of the status of the crew, because the aircraft are not designed or built to the standards that would apply to a civilian aircraft. It would be for Spain to decide on publication of the investigation report for a military accident that happened on its turf, not Airbus.
Separately, both the A400 and KC-46 are initially civilly certified. On the KC-46 many mods have a civil STC (Supplemental Type Certificate) and some mods have an MTC (Military Type Certificate.) But the basic airframe is civilly certified.
I get that. But it's one thing to say: "Your aircraft did not get the latest software load and are therefore safe to fly," and an entirely different thing to say: "Any and all new software loads we give you in the future are guaranteed not to result in a similar failure." Absent a detailed accident report, what assurances do the current and future operators have that the guarantee is worth anything?
To put it quite bluntly, if they never release the cause of this A400M accident, and any other aircraft crashes due to a similar problem, those responsible for not releasing the accident cause are guilty of murder.
Although this bird was (if memory serves) to be delivered to the Turkish air force it was still registered / operated by Airbus.
I guess (and hope) the families have been generously compensated and the lessons learned.