Missing Files Blamed For Deadly A400M Crash

An anonymous reader writes: Think you had a bad day when your software drivers go missing? Rejoice, you get to live! A fatal A400M crash was linked to data-wipe mistake during an engine software update. A military plane crash in Spain was probably caused by computer files being accidentally wiped from three of its engines, according to investigators. Plane-maker Airbus discovered anomalies in the A400M's data logs after the crash, suggesting a software fault. And it has now emerged that Spanish investigators suspect files needed to interpret its engine readings had been deleted by mistake.This would have caused the affected propellers to spin too slowly causing loss of power and eventually, a crash.

STUXNET

Done did it.

Good god.

Is it so hard to have a integrity check and diagnostic set run as part of the preflight checks? If you can place hundreds of miles of wire and know what's what, surely they have computer engineers competent enough to make something like this to catch such glaring errors.

Re:Good god.

We've lost that kind of 'slow down and make sure it's right' attitude that engineers really need to have. In this fast-paced road of cutting costs and letting the marketing group run the show, the pressure to get product out the door as quickly as possible no matter what is unstoppable for software in particular, but really almost anything that is able to be 'patched' later. Making consumers into your beta testers is douche-y enough, but doing it when lives are at stake should be punished as criminal and in an extremely harsh and public way.

Re:Good god.

[fuzzyfuzzyfungus]

What's surprising to me is not merely that; but if the calibration data are so important that the engine shuts down without them, how did the aircraft take off?

If the calibration data are nice, good for fuel economy, improve reliability, etc. you'd expect things to continue working without them, albeit possibly not as well as the manual specifies.

If the calibration data are Absolutely Vital Lest The Engine Throw A Propellor Right Through The Cockpit, or something of that nature, how did the aircraft allow you to take off with 75% of the data missing? An actual error handling arrrangement would, of course, be in good taste; but even without one I would have (naively, apparently) expected the situation to take one of two courses: if the data are semi-optional, things would work, if perhaps not well. If they are Vital, attempting to get off the ground would have failed. Successful takeoff, followed by shutdown and fiery death, though, seems weird.

Re:Good god.

[ChumpusRex2003]

My guess is that rather than "files" per se, these are look-up tables which were statically linked into the binary.

On this type of safety critical application, it's a key design aim to avoid code which might fail or throw an exception at runtime. So, rather than load data from a file, which could fail due to a memory allocation failure, a file system failure, etc. the relevant data is static linked, so if the executable successfully launches, it cannot fail to have the data available.

I don't know what these tables might have been mapping, but conceivably if they torque tuning parameters, the engine might still have run if the data was all NULLs, but delivered the incorrect torque in response to control inputs. Of course, if the missing data was things like fueling data, then the engine may have failed to start.

Re:Good god.

[Spy+Handler]

if the calibration data are so important that the engine shuts down without them, how did the aircraft take off?

One engine delivering full power and 3 engines running at low RPM would be enough to take off, since the plane was empty and probably had a small fuel load as well.

Wiki has an article on the crash: http://en.wikipedia.org/wiki/2...

Looks like they took off, but noticed a problem with the engines, turned around to do an emergency landing, but hit an electrical pylon and crashed. So it's not like they lost all power and fell out of the sky, they had some power and were doing an emergency landing when they hit an object on the ground just before touchdown. 2 of the 6 people on the plane survived.

Re:Good god.

[danomatika]

My 2001 Jeep has a base "go home mode" if there is a problem to where the normal engine parameter look up tables can't be used. This way you can still drive the thing to a shop even if some sensors, etc are shot. I know this is a pretty primitive comparison but, at the very least, you'd think the A400M engine software would have a *baked in* "go home without crashing" dataset.

Re:Good god.

[TWX]

Case in point, the Toyota vehicle acceleration problem.

Re:Good god.

[tomhath]

As I read it, the files weren't used until the plane was 400 feet off the ground. So takeoff wasn't a problem.

Re:Good god.

[TWX]

It's referred to as "limp mode" and it limits you to 2nd gear for forward and reverse. It's a transmission control feature, not an engine feature. It's designed to keep a transmission fault from stranding you but to also attempt to mitigate damage; by limiting to second gear the hope is that most owners will seek to get it fixed rather than continuing to drive it that way.

Re:Good god.

Read the article... the warning was not designed to kick in until the aircraft was at an altitude of 400ft (120m).

Not only do you not know you have a problem until are in the air. You don't know you have a catastrophic problem until you are at an unsurvivable altitude. Too low to effectively use a parachute. Too high to just 'jump out' or belly-land it.

The worst thing is... a committee signed off that this was an 'acceptable risk'. Members of that committee should be brought of up on criminal negligence and manslaughter charges.

Not a Luddite, but give me my bicycle back...

Re:Good god.

[grimmjeeper]

Absolutely this. Any kind of software on any airplane has to go through layers upon layers of specification, design, validation and acceptance before it ships. This was a deliberate choice by bureaucrats who have no idea what they are doing as much as it's a failure by the software engineers to ensure integrity of the system at all times. They should all be brought up on charges.

Re:Good god.

[ArcadeMan]

I heard the first patch recommendation came from the marketing department, but management refused their idea of cutting one leg of each Toyota owner.

Re:Good god.

[joh]

We've lost that kind of 'slow down and make sure it's right' attitude that engineers really need to have. In this fast-paced road of cutting costs and letting the marketing group run the show, the pressure to get product out the door as quickly as possible no matter what is unstoppable for software in particular, but really almost anything that is able to be 'patched' later. Making consumers into your beta testers is douche-y enough, but doing it when lives are at stake should be punished as criminal and in an extremely harsh and public way.

As far as I know aerospace software is far away from what you describe. Of course you're right if you say that these things are a reason for problems, but THIS is very well understood and usually software for planes is nothing like a consumer product.

They screwed up, yes, but if they would be "punished as criminal and in an extremely harsh and public way" nobody would ever do anything useful anymore. The problems leading to this crash have to be analyzed and understood and then they have to make sure that the same thing can't happen again.

But of course: If this was due to someone not following procedures or messing around with maintenance this can (and will) have consequences. I'm also pretty sure that one or more people will lose their job over that.

But if you really think you can make shit never happen and things working 100% all the time by "hard punishment" you're just wrong.

Re:Good god.

The engine control system often has a limp mode as well. When you get a check engine light there is a good chance that the ECU has determined that a sensors readings are incorrect and it is using fail safe parameters.

Re:Good god.

limp mode also governs engine RPM to a rather low threshold (sometimes it will simply force the vehicle to a high idle and ignore the throttle entirely if it's drive-by-wire). It is activated if the ECU detects significant engine issues, most especially extreme knocking. It is not limited to the transmission. I've had that mode happen to me on the highway when I only half-way plugged in a MAF sensor and the ECU received significantly faulty data causing wildly incorrect fuel-air mixture ratios. Rather frustrating and a bit dangerous to be honest. :( But better than the engine grenading.

Re:Good god.

[TWX]

If I remember right, Toyota got into trouble in court when the firmware provided to the investigators did not match the firmware in the vehicles. Toyota never did provide the real code if memory serves.

Re:Good god.

[Casper0082]

As others have mentioned, limp mode is not just a transmission control feature. It is a fail safe built into the Engine Control Unit. When all sensors are operating correctly, the car has a map to determine the appropriate air/fuel mixture taking into consideration temperature, pressure, exhaust etc to ensure your car runs optimally. When in limp mode, the ECU cannot trust the sensors to determine the optimal air/fuel ratio. There is a base map that will allow your car to run with a rich fuel mixture (safer than lean) to prevent damage to the motor. Besides being worse for emissions and fuel economy, you can drive the car normally until you can get the issue repaired.

Re:Good god.

[Thelasko]

... you'd think the A400M engine software would have a *baked in* "go home without crashing" dataset.

From how I read the article, it does have a default dataset that it switches to when it detects a problem. From TFA:

The automatic response is to hunker down and prevent what would usually be a single engine problem causing more damage.

Limiting the speed of a ground vehicle is safe. However, limiting the speed of an aircraft causes a crash. It sounds like they need to reevaluate their "limp home" calibration, as we call it in the industry.

Re:Good god.

[0123456]

You mean, people accidentally mashing both pedals at the same time?

Possibly. But there was a published third-party analysis of Toyota's ECU software which made me reluctant to buy one:

http://embeddedgurus.com/barr-...

I was glad to see that my new SUV automatically cuts the gas if it detects you pressing both pedals at the same time, even if due to a bad sensor or crashed throttle-monitoring process (yeah, I know, that means no left-foot braking, but if you're doing that in an SUV, you're probably doing it wrong).

Re:Good god.

No one who knows anything about the A400M program would ever accuse it of being "fast paced".

Re:Good god.

>(yeah, I know, that means no left-foot braking, but if you're doing that in an SUV, you're probably doing it wrong).

Sooooooo... no offroading for your SUV?

Re:Good god.

They are _all_ Mall Utility Vehicles.

Re:Good god.

[0123456]

Sooooooo... no offroading for your SUV?

It's not designed for serious offroading like a Jeep, and the stability control automatically brakes individual wheels when you put it in off-road mode.

Re:Good god.

What? Get it muddy?

Re:Good god.

[CanadianMacFan]

I'm thinking that if they build these decisions into the software then they should also build a couple of test scenarios into the flight simulator and have a pilot fly them a bunch of times to see what happens. Especially the ones where you decide to have them kick in at 120m.

Re:Good god.

But if you really think you can make shit never happen and things working 100% all the time by "hard punishment" you're just wrong.

Or a communist. Hate to play the "commie" card, but that's exactly the shit that was pulled during Stalin's reign, as well as Mao's: if stuff broke, people were executed. Didn't stop stuff from breaking, and decreased the number of trained people.

Re:Good god.

[ChumpusRex2003]

Except in an aircraft you have multiple redundant engines, so the idea of dropping a faulty engine to idle is not that unreasonable.

The problem here was 3 faulty engines, for which there was insufficient redundancy - in this case a "common cause" failure that's a much more difficult problem to deal with.

Re:Good god.

[tlhIngan]

They screwed up, yes, but if they would be "punished as criminal and in an extremely harsh and public way" nobody would ever do anything useful anymore. The problems leading to this crash have to be analyzed and understood and then they have to make sure that the same thing can't happen again.

You know, when an accident happens, the safety board (NTSB, TSB, BEA, etc) interviews are actually privileged information. As in, if you're being interviewed by the safety board, anything you say cannot be used as evidence against you.

It's a privilege that the safety boards all fight for.

The reason for this is the safety board's goal is to not find fault, but to find solutions to preventing it from happening again. Doesn't matter if someone hit a button that said "Crash this plane" and pushed it on purpose. They know that if the interviews were not privileged communications, no one would speak to them for fear of self-incrimination. And when that happens, everyone clams up, and you can't figure out why an accident happened or make recommendations to prevent the issue the next time it happens.

This is especially more so when most complex accidents are a chain of events - this happened, then that happened, then this next thing, plus X, Y and Z and if any of them didn't occur, the accident wouldn't have happened. Almost never is it the result of one definitive action.

Re:Good god.

You clearly have not done the SAAB slide to get around a corner faster. You do not press the clutch or change gears during the maneuver as the whole point is to apply power during the turn. Although heel-toe, or fat-footing works to apply both throttle and brake, it is not as controllable.

Sadly many use the left foot for braking under normal circumstances as they are unfamiliar with a manual transmission.

Re:Good god.

That was toyota's excuse. In reality it actually *was* a software error (actually several)

Re:Good god.

Oh, the marketing department will quickly state that "we had nothing to do with this", and then they will yell harsh words at the people who were following marketing's directions previously. That's the way these things work: marketing makes bad decisions, yells at those implementing the decisions if they are not done fast enough, yell "We go now!" even if the job isn't complete, then yell at those who were doing the work when things go badly. They don't understand all that they need to know to make sound decisions, but are in charge anyway "because we want to be in charge".

Re:Good god.

One engine delivering full power and 3 engines running at low RPM would be enough to take off

No pilot would continue a takeoff under these circumstances. You watch the engine gauges like a hawk during the takeoff roll.

Re:Good god.

that is simply not true, there is a point in time during take off where it is simply too late to abort without actually crashing, depending on the failure and gauges it is not uncommon to proceed with take off and take the chance of an emergency landing rather than a certain crash because it is too late to abort the take off before the end of the runway.

Re:Good god.

[khb]

#!/bin/ksh

if [[ ! -r $config_file ]] ; then
      abort "Cannot find engine configuration files"
fi

Re:Good god.

[demonlapin]

"Jump out"? This thing has a rotation speed around 120 knots... good luck surviving a jump like that even if you managed to get the rear cargo door open in time. What kind of fixed-wing aircraft other than a glider has a stall speed low enough for you to survive jumping?

Re:Good god.

[bobbied]

This is pretty bad bit of piloting then. There are at least two ways they should have known something was wrong if the engines where not producing enough power.

1. The engine gauges should be abundantly clear between the RPM and pressure ratio. Both are an excellent indicator of how much power you are getting and if either was incorrect or unsteady after throttle up from flight idle, in ANY of the engines you DON'T proceed but abort your takeoff. You NEVER take an airplane airborne with an engine problem which should have been obvious well before V1. Wasn't somebody watching the gauges?

2. The rate of acceleration will be less if the engines are not putting out what they should. This means you will reach the V1 point of the runway BEFORE you have the V1 speed and you again ABORT takeoff. Somebody in that cockpit wasn't watching the runway markers go by.

If they really took off w/o full engine power, multiple somebodies messed up on the flight deck. Then they proceeded to make additional mistakes when they attempted the reset of the engines. They obviously had a positive rate of climb and should have used that to put some distance between them and the ground before trying to turn back, apparently they didn't take advantage of that long enough and ended up landing short.

Re:Good god.

[serbanp]

It is possible though that the engine uses two sets of tweak parameters, a "default" one during take-off and the "optimized" one when altitude hits 400ft. Everything went downhill (bad pun) when the empty LUT was switched in (at 400ft) and only then the 3 engines lost their thrust.

Re:Good god.

[mjwx]

>(yeah, I know, that means no left-foot braking, but if you're doing that in an SUV, you're probably doing it wrong).

Sooooooo... no offroading for your SUV?

SUV's arent built to go off road.

They dont have locking diffs, a low range gearbox and often, not even underside protection. Most SUV's dont even have full time AWD as they dont have a centre diff, they use systems like the Haldex Traction to transfer power from a latitudinally mounted engine (transverse mounted, AKA: east-west) that drives the front wheels 99% of the time.

Most SUV's are no more suited to going off road than your average Camry and get stumped by the first slightly damp grassy slope they come across.

And yes, if you're left foot braking you're doing things horribly, horribly wrong. Doubly so for heel-toe. There are very few times when you need to left foot brake or heel-toe and none of them are on the road. Keep the fancy foot work for the track and dance floor, drive properly on the road.

Re:Good god.

[bobbied]

If that's true, this this is an incredibly bad design flaw by Airbus, something on par with forgetting to connect the emergency break handle to the devices designed to stop the wheels from turning.

Re:Good god.

[mjwx]

But of course: If this was due to someone not following procedures or messing around with maintenance this can (and will) have consequences. I'm also pretty sure that one or more people will lose their job over that.

If someone was deliberately messing around with the files when they weren't meant to, that would be grounds for criminal negligence. They could end up in front of a court, not just out of work. But I agree with your point, harsh punishments dont work as much as people pretend they do. But this incident will be investigated with the attention to detail that only an aviation security board can bring. There's no point in pre-judging anyone until they've completed their investigation, it could be negligence on part of the worker, company or just an event which no-one could have foreseen. The A400 has been in service since 2009 and flying since 2007, this is the first incident.

Re:Good god.

every bug is obvious in hindsight - 'how hard could it have been to check xxx'. Easy to say when you know xxx

Re:Good god.

Well, it's normally safe on the A400M as well - the loss of a single engine (or a single dropping to 'limp home mode') would not really be news. The other three can easily support the plane and keep everything running, with the pilot on near-instinct increasing the throttle and computer assisted compensation for the torque due to the now-uneven thrust distribution.

The problem is the loss of THREE of the engines at a mere 400 feet just after take-off.

"Under the A400M's design, the first warning pilots would receive of the engine data problem would be when the plane was 400 feet (120 meters) in the air, according to a safety document seen by Reuters. On the ground, there is no cockpit alert."

Re:Good god.

[DieByWire]

This is pretty bad bit of piloting then...

Do us all a favor. When the full accident report comes out and you find out you had your head in your ass, please try to learn from it. Then apologize to the families of those you've slandered.

I wouldn't fault your ignorance of how transport category aircraft are operated if you didn't try to pass judgement on men who are/were far more accomplished than you will ever be.

Re:Good god.

One of the key reasons Qantas had such a great safety record was their approach to engineering. Staff knew they could report it when they screwed up, without recriminations. I'm not sure if that is still Qantas's approach, or the approach of the companies they have outsourced maintenance to.

Re:Good god.

ALL of the Toyotas involved in these incidents were automatic transmission. You evidently haven't bought a car in America these days. It is almost impossible to get a manual transmission. Mainly only available to base model work trucks and even then it's iffy that the option exists. Oh but wait, you just wanted to make a dick joke right, well then, yeah my dick IS long enough to work a clutch...

Re: Good god.

On /. When engineers fuck up it is marketing's fault

Re:Good god.

[ne0n]

Hmm your comment got me thinking.. perhaps the extra weight of all those integrity checks and redundant storage modules was too much for the A400 to handle...

maybe those engineers did their job too well...

It's hard to think with all the tinfoil i gotta wear these days.

Re:Good god.

[Jack+Griffin]

And yes, if you're left foot braking you're doing things horribly, horribly wrong.

Says you. Left foot braking has been proven to be quicker, therefore improves stopping distance and reduces chances of a crash. It's just not taught as standard technique because there's too much risk of a numpty getting in wrong and making things worse. But if you do know what you are doing, left foot braking is the better choice.

Re:Good god.

>SUV's arent built to go off road.
>They dont have locking diffs, a low range gearbox and often, not even underside protection

Tell me you're trolling, or that you've never driven a Jeep (Not the craptastic cheap ones, a properly factory kitted wrangler or anything with Cherokee in the name--not that other companies aren't making proper offroad capable SUVs). I had all those, straight from the factory, though I admit they could have better armoured certain portions of the vehicle better, and one can greatly improve the offroad performance with added modifications (at the significant expense of onroad capability--they do have to offer both uses from the factory or they're a bit tough to sell).

>Most SUV's are no more suited to going off road than your average Camry and get stumped by the first slightly damp grassy slope they come across.

I believe you're talking about CUVs and very low end cheap SUVs. Based on your faulty reasoning, cars aren't intended to go on the highway. After all, they have 4-cylinder engines that lack the power to perform safe passes, have gearboxes that run the engine like a hummingbird in top gear at 60+ mph, and get bowled over by the slightest breeze from an 18-wheeler. Not to mention the poor drum brakes that will never stop a speeding vehicle safely.

>And yes, if you're left foot braking you're doing things horribly, horribly wrong.

If you're left foot braking and you're offroading, you're using a perfectly valid technique.

>drive properly on the road.

Did you even read the comment you replied to at all? Tell me you're just a professional troll and not an idiot.

Re:Good god.

Perhaps you should clarify which SUV you're driving then, as there are a wide range of vehicles that take that designation, and if one does offroad, the typical vehicle used is an SUV and, occasionally, a truck.

Re:Good god.

[mjwx]

And yes, if you're left foot braking you're doing things horribly, horribly wrong.

Says you. Left foot braking has been proven to be quicker, therefore improves stopping distance and reduces chances of a crash.

Citation.

Here are the reasons you dont use left foot braking, especially in an emergency situation.

1. In an emergency, you use the left foot to brace yourself against the body of the car to prevent injury (for those of us who can drive properly, this means dont clutch in when you're going to crash for the same reason).
2. You're less likely to mistake the brake for the accelerator.
3. You're less likely to press the brake as you're accelerating. In the olden days, this only meant that the brake lights would come on as you rode the pedal. In modern cars this cuts the accelerator and increasing the risk of a collision with the person behind you.

Further more, in an emergency situation it doesn't help you stop faster as your reaction speed is still the same (this is the time it takes your brain to realise something is wrong and send a message to do something) and you are more likely to continue pressing the accelerator at the same time as the brake, in many cars this means you'll be accelerating and braking at the same time, which will increase the braking distance.

Further more, left foot braking under power (which is why you do it in racing cars) can induce oversteer in FWD cars (I personally have drifted a Honda Integra using this method) meaning the driver loses control over the rear wheels.

So I re-iterate, if you're left foot braking, you're doing it wrong.

Re:Good god.

doing it when lives are at stake should be punished as criminal and in an extremely harsh and public way.

Fine, as long as it's the company and not the employees you are holding to account. The actual developers are probably simply following orders from management on what to do and how much time to spend on each task.

Re:Good god.

You missed the point of the statement you quoted. They went on to ask, how did the aircraft ALLOW you to take off with 75% of the data missing? The fact that the plane doesn't have even a minimal diagnostic to check that it's working even to be able to start the engines is borderline criminal.

Re:Good god.

Wikipedia, not wiki... dagnabbit!

Re:Good god.

[dgatwood]

2. You're less likely to mistake the brake for the accelerator.

No, it really is the other way around. In an emergency situation, the action that requires the least thought is always least likely to fail. Consider the difference:

• With right-foot braking, you have to consider the horizontal position of your foot and adjust it prior to stomping.
• With left-foot braking, you just have to remember the difference between left and right and stomp the correct foot, which if you've been doing it for years, becomes a purely instinctive reaction..

You're less likely to press the brake as you're accelerating. In the olden days, this only meant that the brake lights would come on as you rode the pedal. In modern cars this cuts the accelerator and increasing the risk of a collision with the person behind you.

I've never encountered this in any car, thankfully. I would argue that this is an inherent design defect that makes it harder to safely get started while your car is on an uphill slope....

Further more, in an emergency situation it doesn't help you stop faster as your reaction speed is still the same....

Yes and no. The amount of time it takes you to start reacting is the same. The amount of time it takes you to stomp one foot is considerably less than the amount of time it takes you to lift one foot, move it sideways, and then stomp, because three motions always takes less time than one. No matter how you look at it, unless you're driving with cruise control turned on and your right foot hovering over the brake pedal, you'll stop significantly faster when driving with two feet than with one.

Re:Good god.

[AmiMoJo]

Incorrect. They provided the requested firmware and it proved to be robust. The only way the investigators could make it fail was to use the debugger to very carefully manipulate data in RAM in a very specific way. The probability of that happening in real life is vanishingly smaller. Your car is more likely to be hit by a falling meteorite.

There were some other vague claims, but the investigators were hampered by the fact that the source code was in Japanese and they couldn't read it, only copy/paste it into a translation web site a comment at a time. Of course, the machine translation was pretty poor...

The unwanted acceleration was caused by people getting their car mats caught between the brake and the accelerator.

Re:Good god.

[Luckyo]

Wait, are you here suggesting that you can use one foot to brace your body against a car to prevent injury?

Do you at all comprehend the forces involved? Your entire musculature in this kind of situation is utterly miniscule and irrelevant.

Re:Good god.

Indeed. In the US NASA operates ASRS, the scheme whereby a pilot, traffic controller etc. can report things that weren't even accidents, but could have been. Single errors, mistakes, confusions, faults, that never came close to anybody being injured but, if something else had gone wrong, if nobody had noticed in time, or whatever, they could have. It will anonymise the report, collate it and use that to influence future safety decisions and feed it into the industry. In fact if you're busted for an unsafe incident, and you've got the paperwork to show you voluntarily submitted to the anonymous NASA program before you got busted, you're immune in most cases.

This encourages people not to stay quiet about things that seem a bit "off" but not so awful that they're willing to lose their job or get pilloried for reporting. That controller who said "Climb" but meant "Descend" and then acted like he did nothing wrong? You don't want him fired, but he does need someone to firmly tell him he fucked up and to get it correct. Why does this altimeter have a mode where it just stays at the same value even though you're ascending or descending? If it needs such a mode, why is it identified by the word "Auto" in white and not, say, "IGNORE ME I AM WRONG" in red ?

Re:Good god.

[Hognoxious]

What kind of fixed-wing aircraft other than a glider has a stall speed low enough for you to survive jumping?

A DC3, a C130, a Short Stirling...

Re:Good god.

http://www.safetyresearch.net/blog/articles/toyota-unintended-acceleration-and-big-bowl-%E2%80%9Cspaghetti%E2%80%9D-code

"robust" isn't the word I would use to describe the code.

Re:Good god.

"investigators were hampered by the fact that the source code was in Japanese "

are you high?? So Michael Barr is Japanese? (google him)

"The unwanted acceleration was caused by people getting their car mats caught between the brake and the accelerator."

Holy shit! Mr. Toyota, is that you??

Re:Good god.

[drerwk]

Many a Super Cub. https://www.youtube.com/watch?... https://www.youtube.com/watch?...

Re:Good god.

In fact, we've taken my wife's stupid Chrysler minivan places that have defeated luxury SUVs. I'm still super-paranoid about the tranny cooler that's just hanging behind a cross-member, but your average modern SUV is sprung so grandmaishly that it's less suitable for a washed out dirt road than your average mommymobile.

Re:Good god.

I sent this comment a co-worker. I've never commented here before, but I couldn't possibly agree more.

Re:Good god.

[GTRacer]

And yes, if you're left foot braking you're doing things horribly, horribly wrong. Doubly so for heel-toe. [...] Keep the fancy foot work for the track and dance floor, drive properly on the road.

OK, I've read some of the following discussion and you're all making interesting points. But in the world of "Everyone has an anecdote" I have an anecdote: My current car, a Mazda RX-8 was bought used, and the synchros in second and third gear were knackered. Second was essentially unsynchronized and third was a 50/50 proposition. The only way to drive with any fluidity was to heel-toe. And heel-toe saves wear and tear on the remaining synchros - drove that beastly gearbox for 6 years before finally replacing the box.

Re:Good god.

Not true.

Re:Good god.

[matfud]

From what I have read, the engines were working Ok ish but in flight the crew noticed some glitches. They switched to cruse idle mode to see if that would resolve the issue. The engines refused to come out of that state. By the way the ECU which is thought to be a fault is part of the engine https://en.wikipedia.org/wiki/...
Not technically Airbus (but probably their responsibility 2 years into flight testing)

Re:Good god.

[cyn1c77]

We've lost that kind of 'slow down and make sure it's right' attitude that engineers really need to have.

Do you really think that the engineers lost it, or do you their that their profit-driven overlords are just ignoring their calls for concern?

Re:Good god.

[deadweight]

My Toyota had the unintended acceleration issue. I made my way to the dealership with a lot of early upshifts to 5th, shutting off the engine, and banging the pedal with my foot. After about 15 minutes the mechanic and the manager came in to the waiting room trying very hard not to laugh. They held up my floor mat and pointed out how the frayed edge of it was tangling up in the gas pedal. One new floor mat and I was on my way :)

Re:Good god.

The car industry has the luxury of "self-regulation". Basically they can ship a product which will kill scores of people and simply pay them off without changing ANYTHING. And certianly there are zero government inspectors during the design phase.

At least that is true for software.

The "idea" is that lawsuits will "regulate" this shitty practice.

Compare that to the medical industry with a shitload of oversight and government inspector looking at every single bit of the software R&D process, if they desire. And shut down a medical product plant if they like. Happend to Siemens.

Re:Good god.

You can buy a military grade Mercedes G class car. You just cannot export it to Iran, then. Also, don't try speeding on the autobahn, that is very dangerous because a true Geländewagen needs a soft suspension to climb over obstacles.

Also, many G class cars are fucked up to become Autobahn class cars.

Re:Good god.

The poor spainiards probably did this job for the first time of their life and just got out of uni five months ago. How often in your life do you learn about the details of a new aircraft model, with a somewhat exotic prop tech ?

Also, the folks got the job out of a pool of 4 million unemployeds for political reasons, can be assumed. Spain is a shithole of socialism combined with banksterism and rampant speculation.

They are propped up because America says so and some idiots want a Euro Imperium so that they can feel important when meeting Obama and the Chinese boss. In reality Spain is a third world economy like Greece and Portugal.

Re:Good god.

In reality, no amount of brutality can completely eliminate technical issues. Brutality can just remove the stops in organizations, but you will still have plenty of mishaps. Von braun and the Russkies had lots of mishaps. But they also had more resources than they needed, some of it forced labour. So they could blow up and learn from the blow up. Just build a new copy. Again and Again.

One Russkie rocket general blew himself up by being too stubborn and too pushy.

Having said that, marketing in capitalism does indeed fuck up lots of stuff. That's why America needed the SS man von Braun.

Re:Good god.

[nickweller]

"Is it so hard to have a integrity check and diagnostic set run as part of the preflight checks? If you can place hundreds of miles of wire and know what's what, surely they have computer engineers competent enough to make something like this to catch such glaring errors."

Even the simplest PC app would know enough to re-create a missing config file. Amd this software is designed to keep an airplane in the air. I don't believe it.

Re:Good god.

[KGIII]

Any new car that I have purchased has had a manual transmission. You must, I have found, be willing to order it and wait for it. I have not found one on the lot that met my needs in many years.

Re:Good god.

[Jack+Griffin]

And yes, if you're left foot braking you're doing things horribly, horribly wrong.

Says you. Left foot braking has been proven to be quicker, therefore improves stopping distance and reduces chances of a crash.

Citation.

Er every professional racing car driver that needs to stop in a hurry...
Oh but if you need a link to some website then try this: http://jalopnik.com/why-you-sh...
If you can't do it properly that's fine, but it doesn't make to wrong for those of us that can.

Re:Good god.

[hsu]

My experience on Lexus GS300, 1994 model:

I took the car from service center after regular service. It was still wet from wash. This was wintertime and I think the weather was freezing.

After driving some hundred meters, I noticed that the car anti-skid light started blinking and the car started accelerating.

After fraction of second thinking that I was pressing brakes and accelerator at the same time or something, I put the car on neutral, after which the engine immediately revved up to limited and revs then started going back and forth close to the limiter.

Put the car in Park, turned it off, checked the floor mats, as this was after the big headlines, nothing stuck there.

Turned on again, immediately it revved up.

Stopped the car, and called service. They come in a minute as I was close, we looked under the hood, and service center guy fiddled with things under there. We started it again, now it worked normally.

They took the car back to service center and investigated. No results, no obvious reason.

This did not repeat. It could have something to do with freezing weather and wet car, or the car's age (more than 300 000km in it) but it was a bit scary...

I have since left internal combustion engines behind me, with no regrets. ICEs have too many parts causing too many failure modes :)

Re:Good god.

Did you miss this?
http://embeddedgurus.com/state-space/2014/02/are-we-shooting-ourselves-in-the-foot-with-stack-overflow/

Re:Good god.

[toddestan]

Bracing yourself like that is about the worst thing you can do. Ideally you'd try and go as limp as possible to avoid injury, and if at all possible let go of the steering wheel before crashing. Which is of course counter to what your brain and body wants to do, as your reflex is to tense up. Not tensing up is one of the reasons that drunks tend to better survive the accidents they get themselves into.

Re:Good god.

[X0563511]

What is "heel-toe?"

Re:Good god.

[X0563511]

The kind of car I drive doesn't even "shift."

Well, so it has engaged, engaged-reverse, and disengaged. Doesn't count.

Re:Good god.

[dgatwood]

Err... because three motions always take more time than one. (Too many edits. *sigh*)

Well...

[nospam007]

Tuesday is crash-day, oops I meant patch-day.

FMEA

[EMG+at+MU]

The engineers probably did one but obviously it wasn't good enough. Software fails, but you can design it to fail in safe ways.

Re: FMEA

They apparently accounted for this in their FMEA and, because of checks that were supposed to be implemented, it was considered to be so unlikely an occurrence that it was not put on the list of items that needed addressing.

Re: FMEA

[EMG+at+MU]

I expect every engineer to assume human error is guaranteed to happen.

Re:FMEA

[tomhath]

That was kind of the problem. They designed it to shutdown the engine if something appeared drastically wrong. Normally a single engine shutdown wouldn't be a problem, but three engines all detected the same problem at the same instant and all shut themselves off.

Re: FMEA

[TWX]

You would be sadly mistaken.

I've seen software writers follow RFC and ONLY RFC for communications protocols, to the point that anything not explicitly expected per the newest standard of RFC will cause the daemon to crash hard. Doesn't matter if it's garbage on accident, garbage on purpose to try to cause a buffer overflow, or even deprecated commands from previous RFCs, the daemon should handle unexpected input gracefully even if it throws a 500 and closes the connection. To do otherwise (as was done) is irresponsible, but all too common.

Re: FMEA

[grimmjeeper]

If you make your system idiot proof, the world will send you bigger idiots. But it appears in this case that everyone from management on down didn't perform their due diligence. They didn't even bother to try to make it idiot proof. And in the avionics software business, means that people are going to die.

Re: FMEA

[Registered+Coward+v2]

I expect every engineer to assume human error is guaranteed to happen.

We do\/P>

Except we hide the real problem

.by deeply bring it in bulleted text that is so dense

and full of DOPO between the JIC and JAC

that is so obfuscated and lost in the dense text in 8 point type that things are

fu

bar

Re:FMEA

[viperidaenz]

The article said 3 of the engines "hunkered down" not shut themselves off. They stopped responding to input and stayed at their current power.
They did turn around and attempt to land the plane, but hit a pylon in the process.

Re: FMEA

[confused+one]

No. If the probability is low enough, no resources will be allocated to creating a solution.

Re: FMEA

Anyone who doesn't accept the "Treat all inputs as hostile" paradigm should be barred from writing software.

Re:FMEA

[Moof123]

The FMEA's I was party to were basically to give cover. "We had an FMEA, and it still managed to fail." When usually it was actually managed into failure despite engineers asking for more time and less feature creep, and specification uncertainty.

Re: FMEA

So then the problem lies in the RFC. It should treat all inputs as hostile.

Re: FMEA

> I've seen software writers follow RFC and ONLY RFC for communications protocols [...] anything not explicitly expected per the newest standard of RFC will cause the daemon to crash hard.

Then they aren't really following the RFCs, especially not the robustness principle, stated in RFC1122, a.k.a. Postel's Law.

Throw the book at them. All of the RFCs. Hardbound.

Re: FMEA

[TWX]

Dude, their boss was pissed off enough with them when I threw the deprecated POP3 command "TOP" at them. He didn't realize that they were written so poorly.

Can you say squirrel

I think Facebook and cellphones have caused our attention span to fall so short that people can't even finish a line of code ;)

Let's all sue facebook and cellphone companies for the reduction in IQ they are responsible for and the related disasters they are now causing do to this ever worsening trend of brain lapses. This can only get worse as more students with lower IQs and more aptitude to be distracted causes them to be unable to comprehend the consequences of their coding/actions/thoughts/etc.

Squirrel!

Re:Can you say squirrel

[serbanp]

I hate squirrels!

So, how did ...

[PPH]

... the engines even start. Or throttle up to take-off power?

Come on, folks. Turn the power on to the engine controllers at the flight line and the status display should have been flashing warnings. Nobody should have even started this thing.

Re:So, how did ...

Yeah, you would think that a missing data file should have at least thrown an error message, let alone be ignored altogether.

Re:So, how did ...

[Spazmania]

It was written in Java. The program caught the exception and moved on.

Re:So, how did ...

The story seems to massively simplify how the ECUs work. Each engine needs to be calibrated after production so that the sensor data it hands to each ECU is actually meaningful due to the way it's actually acquired in the engine. The parameter set isn't stored in the engine, but in the associated ECU. To prevent them from getting out of sync, the engine itself contains a little register with the checksum of the parameter set. If that checksum doesn't match, the ECU shouldn't power up the engine. However, the register and the ECU are initially loaded with a default parameter set used in testing scenarios. Looks like that one might have been untouched for the engines on that flight. Now, this is bad because the ECU now misreads the true engine status in various ways and can even think that an engine which is otherwise running fine is seemingly in some critical condition - e.g. power output too high, which causes an immediate shutdown to prevent engine damage. A jet engine that fails by disintegration has a high chance of slicing other airplane parts with ripped off fan blades. This is why hard engine shutdowns do make sense. But when putting the pieces of this puzzle together, this is starting to look similar to how Murphy's law came to be: an exceptionally unlikely chain of human errors ruining everyone's day.

Re:So, how did ...

[Rinikusu]

I dunno, the asshole in me thinks this sounds like one of those Microsoft Validation things.. Free Engine Software for 500 miles, then activation required!

Re:So, how did ...

An accident is a series of small mistakes.

Rarely do major accidents occur without such a chain of events. The trick becomes to recognize the start of that chain and halt your behavior.

Re:So, how did ...

[JackieBrown]

You forget where you are posting..

Every accident in the private market is always the fault of the free market and money hungry CEOs.

Re:So, how did ...

[Todd+Palin]

But then the Ask Toolbar tried to find a solution to the problem.

Re:So, how did ...

Every accident in the private market is always the fault of the government and overbearing regulation.

I'm a Republican you insensitive clod!

Re:So, how did ...

[TubeSteak]

A jet engine that fails by disintegration has a high chance of slicing other airplane parts with ripped off fan blades.

It's actually exceedingly rare for there to be an uncontained failure.

That engine shroud is intended to handle catastrophic failures at full throttle.
This video is a test of the Rolls-Royce Trent 900 engine that went into the Airbus A380. The test starts ~3:25 in.
https://www.youtube.com/watch?v=j973645y5AA

Then again, this is the same engine after an oil leak led to an internal engine fire
https://www.atsb.gov.au/media/2891294/vh-oqa-fig7.jpg
https://www.atsb.gov.au/media/4173628/ao-2010-089_vh-oqa.jpg

The Australian Transport Safety Bureau (ATSB) found that a number of oil feed stub pipes within the High Pressure / Intermediate pressure (HP/IP) hub assembly were manufactured with thin wall sections that did not conform to the design specifications. These non-conforming pipes were fitted to Trent 900 engines, including the No. 2 engine on VH-OQA. The thin wall section significantly reduced the life of the oil feed stub pipe on the No. 2 engine so that a fatigue crack developed, ultimately releasing oil during the flight that resulted in an internal oil fire. That fire led to the separation of the intermediate pressure turbine disc from the drive shaft. The disc accelerated and burst with sufficient force that the engine structure could not contain it, releasing high-energy debris.

Most of the shroud's strength is focused around the main fan blades instead of the turbine blades that are much deeper in the engine.

Re:So, how did ...

C'mon guy, you've been making excuses in this whole thread. If you have a base cal program loaded then it should return the message "Base Cal Program Loaded" and refuse to do anything else. There is no application not inside a test cell that requires a base program. Even the Limp Home table should be marked as such even if it is programmatically identical to the cal program. But what do I know? I'm just sitting here babysitting a P&W F135 engine....

Re:So, how did ...

On something as critical as a plane engine, a test firmware should probably light up the fault lamp continuously (or have it blinking a special test pattern or whatever). It's not like the fault lamp is important when you have the diagnostics cable plugged in.

Re:So, how did ...

[lloydchristmas759]

Actually, the engine case is designed to withstand blade failures, including fan blades, compressor blades and turbine blades, but not disc failures. Usually, discs fail when the engine is overspeed, when the centrifugal forces are higher than what the disc was designed to withstand. This is why the ECU/FADEC/EEC will shut the engine down immediately when it detects an overspeed condition on any of the shafts.

The case of QF32 you cite was indeed a disc failure. You can see a section of the failed disc here. The turbine blades were mounted in the notches you can see on the outer diameter of the disc. The disc punctured through the wing (including the fuel tank), as you can see here and here.

Re:So, how did ...

It's a turboprop. A blade departing, while rare, is much more likely than an uncontained failure in a modern fan. Going into fuel topping for a prop governor problem is a whole hell of a lot better than the worst cases, which include a prop through the passengers and the ungodly vibration that occurs when one of those fuckers lets go. Image of this Q400 in Canada courtesy of .

Re:So, how did ...

[PPH]

Air/ground logic can handle this.

Prior to the take-off roll, any anomalies should result in flashing lights, alarms and possibly a refusal to even start the engines. Once the airplane becomes airborne, the system logic should switch to warn the pilots but keep the engines running under most conditions.

This comes down to a failure in the engineering/manufacturing/QA processes. We design airplanes with an assumption of critical system seperation and redundancy. Single systems failures are accounted for in the design. But systemic failures, particularly of the manufacturing and QA process are rarely accounted for. Some enginers sat down and figured that, for a loss of one engine's configuration file, it can shut down because the airplane can be flown on three. But they never looked for a process failure that would affect multiple engines.

Back when I was at Boeing, engineering poking their nose into, or even implying that, manufacturing might screw up at this level would result in a major inter-organizational poo-flinging battle. And possibly a shortened career as well. The two processes (and organizations) were designed such that once engineering was done, we would have no visibility or responsibility for downstream manufacturing processes. Because these might very well be completed in China.

Old timers rejoice!

[stoned_ritual]

Remember when you could start your car with the turn of a key and not have to worry about a software update refuckulating your engine timing system? Adding computers to EVERYTHING is a really bad idea, especially because PEOPLE are required to write the code that runs the software that controls X Y and Z systems on the engine, chassis, and security systems.

Re:Old timers rejoice!

Yep.

Yesterday it was a chain that connected A to B.

Today it's a modified ethernet cable running a custom protocol designed in Korea connecting software component A that was designed and built in Germany, tested in Sweden and validated by Japan. Software component B was reverse engineered and written by Joe in a shed.

The chain was probably easier to work with.

Re:Old timers rejoice!

I don't worry about that, but I drive a 20 year old car. (Still has a computer in it, though, for fuel injection.)

People design the engine, chassis, and security systems too.

Re: Old timers rejoice!

Your car analogy is poorly chosen. Ignition timing is an example of a parameter where digital controls has dramatically improved engine performance.

Re:Old timers rejoice!

[geekmux]

Yep.

Yesterday it was a chain that connected A to B.

Today it's a modified ethernet cable running a custom protocol designed in Korea connecting software component A that was designed and built in Germany, tested in Sweden and validated by Japan. Software component B was reverse engineered and written by Joe in a shed.

The chain was probably easier to work with.

Correction: The chain did not create jobs.

All of this other bullshit did.

Re:Old timers rejoice!

People design everything.

The difference between a software system and a mechanical system is that a software system can have an infinite degrees of freedom, and thus an infinite number of ways to fsck up. Mechanical systems, not so much**. Electrical systems are sort of in-between.

It's not about whether people are designing it. It's whether the system has sufficient built-in constraints (mimicking external, environmental constraints in the real world) that channel development in such a way as to minimize the number of failure modes. The problem with software engineers is that too many hate constraints--they value freedom and "abstraction" above all else. Yet, ironically and somewhat hypocritically, these same people tend to stick to just one or a few languages, rather than learning how to use or implement domain specific languages. Which provide unparalleled freedom of expression _and_ the ability to bake-in meaningful constraints. Or when they use an additional language or similar tool, it's just yet another all-purpose solution which adds expressive power but not much constraint.

** Of course, there are technically an infinite number of ways for mechanical systems to fail, given time and enough quantum mechanics.

Re:Old timers rejoice!

[sims+2]

so we are supposed to buy more stuff that's more complex that doesn't work instead of stuff that actually works and has been tested all so we can keep a bunch of people in india employed?

just so when we call and say my car won't start and instead of a error code it has a picture of a cat looking at you in sunglasses they can tell you i am being so verry sorry sir but we are not having that code in our system you will have to call the dodge support line who will then redirect you to back to the indian call center and then this continues until you give up

no real support

no help

no repair

couldn't we pay them to do something useful how about we build a road from one side of the pacific to the other just right through the middle we would get much more benefit from that the satisfaction of knowing our great great grandchildren will see it and wonder wth we built it and never be able to come up with any plausible reason

while i'm at it do we really need to keep making the tax code more complex just to keep the people at h&r block employed? pretty much no american now is certain that they have their taxes correct i'm not saying tax less but i am saying it should be simple enough that after consulting with h&r block and 3 tax lawyers you should be able to be reasonably sure you have your taxes right

Re:Old timers rejoice!

Don't worry, the tax code will continue to grow until "not even" H&R Block are capable of preparing your taxes. You'll still be liable when they're wrong though.

At that point everyone will be a criminal but we won't be able to explain why. Win.

Re:Old timers rejoice!

[Jumunquo]

I hear ya. Even the oven timer is now a digital unit, and that broke on us (thankfully under warranty). They do it because a computer chip is a lot cheaper than a bunch of gears. The problem is that it's a lot easier to cut corners with computer components and software. Also, the first thing cost-cutting measure is to not test the UI, so the UI usually sucks. Like my Cisco phone at work - I still don't understand why I can't program speed dial from the phone.

Re:Old timers rejoice!

[matfud]

Remember when you could not start your car cos the choke was not in the correct position and the distributor had twisted or rotted?

Re:Old timers rejoice!

[matfud]

Easier to fix I suppose but then I do have a 12 year old car with an ECU which just keeps running and tells me when the catalytic converter is fucked. And when the Ox burn is out of whack, and when the COx and sulfur emissions are getting weird. All are indications that the engine is not good.

And it is a tiny 1.8 liter 4 cylinder 20 valve little car by american standards ;)

Re:This is what happens when you use Luddite softw

[fuzzyfuzzyfungus]

Depressingly, that might actually be true.

Not because of 'apps' of course; but because no self-respecting consumer OS would fail to cryptographically verify the execution environment(lest some precious 'premium content' be absconded with by pirates) and an entire missing file probably would have caused the aircraft to refuse to move until taken back to Airbus HQ for re-blessing by the vender.

They don't succeed against motivated pirates, of course; but this is one area where consumer software vendors do actually give a fuck. If people believed that a sabotaged voting machine or a defective ECU could pirate Blu-rays, we'd live in a safer world.

Strange...

[The+Grim+Reefer]

You'd think there would be some kind of checks in place that wouldn't allow the plane to operate when critical files are missing. Or that the files couldn't be deleted.

Stories like these are the reason I can't believe auto manufacturers are even considering being able to push updates to cars. The checks in place for aircraft hardware is extremely rigorous. Pretty much every nut and bolt has a complete history log. If this kind of thing can happen on an aircraft, what happens when some weird conditions occur that cause brakes to fail in an automotive update? That's a a rhetorical question. The answer is the manufacturer will deny everything and make counter accusations, and hope they can fix the problem before anyone finds out.

I'm all for moving forward with technology, but sometimes it seems we're creating more dangerous problems with our solutions.

Re:Strange...

[MarioXXX]

Might using EPROM's be a good compromise?

Re:Strange...

There might be on a production model, but on a test model, well, they may have been changing the software so much they didn't have good CRC values for it, so they fudged things and took out a lot of the checks and tests to it.

Yay for expediency?

Re:Strange...

erasable
programmable
read
only
memory

Those first two are the gotcha.

Means that you still need to check to make sure all the files necessary to run safely are present.

Re:Strange...

[Cochonou]

This was a production model. The test models have had no problems so far.

Re:Strange...

Hermetic testing.

Problem solved.

Re:Strange...

checks are in place, the problem appears to be rather than just missing data they had incorrect data resulting in incorrect reading from the engine, no data would have actually been a far better scenario.

Re:Strange...

[matfud]

Depends on how you put it, this was a test flight for a production model. The craft had not flown before. The aircraft (general model) have been flying for 2 years at this point. An Aircraft testing in Italy for delivery to Turkey I think.

Crash-by-wire

The most advanced crashing in history.

BIST - Built In Self Test

[presidenteloco]

My printer at home does it every time it starts up.

Too bad the airplane doesn't.

I guess production delays are more expensive than debugging-by-crash. Sad.

Re:BIST - Built In Self Test

[NatasRevol]

More expensive to mgmt.'s bonuses, for sure.

Re:BIST - Built In Self Test

The aircraft DID perform a power-on self test and integrity check. The ECUs on this aircraft are matched to the engine's serial number. The engine has a PROM containing its serial number and a checksum of the calibration data. The ECU interrogates this PROM on boot, and if the engine serial number and checksum don't match, it will not start the engine.

The issue in this case appears to be that a default calibration is loaded onto the ECUs for bench testing. After bench testing, a new firmware is supposed to be compiled with the engine's operational parameters burned in and loaded onto the ECUs. It appears that the flight firmware wasn't loaded onto the engines, and differences in operational performance caused the ECU to drop into safe mode.

Re:BIST - Built In Self Test

that's silly, planes don't have the range of noises to demonstrate

Re:BIST - Built In Self Test

[Jack+Griffin]

My printer at home does it every time it starts up.

Because your $50 printer has the same complexity a $200M aircraft...

Re:BIST - Built In Self Test

Fucking idiot - of course the COMPONENTS have B.I.T.E. or B.I.S.T. modes, the FAA and RTCA and who knows who else make sure of all that, but the plane as an entire entity? Does not exist. Can not exist. And you're tagged insightful instead of ignorant... :(

Re:This is what happens when you use Luddite softw

Don't feed the trolls.

Extreme Euphemism

"Reduced control of an airplane" is such an extreme euphemism for "Engines quit abruptly after take-off and kill most of the crew."

Rather than try to run in some fail-safe manner, the control system was DESIGNED to shut down the misconfigured engines. The article suggests that while this could have been reasonable for shutting down one engine, it's not to automatically shut down three of four engines. What's crazy is that the engines start and run at high speed for take-off, but then shut down at 400ft - that's not the usual behavior from a "safety system."

Manual shutdown of failing engines can lead to problems too, as in the Kegworth Air Disaster. http://en.wikipedia.org/wiki/K...

Re:Extreme Euphemism

[tomhath]

Reminds me of the term that airlines' use when they collect the insurance on a crashed plane - "Involuntary Conversion of an Asset"

Re:Extreme Euphemism

[viperidaenz]

Engines did not quit abruptly or kill any crew.
3 out of 4 engines stopped responding to changes in power level and continued to run as they were.
The pilot noticed this, talked to air traffic control and requested to make an emergency landing.
They plan was turned around and headed back to the airport.
The plane crashed into a pylon while attempting the emergency landing.

Re:Extreme Euphemism

Engines did not quit abruptly or kill any crew.
3 out of 4 engines stopped responding to changes in power level and continued to run as they were.
The pilot noticed this, talked to air traffic control and requested to make an emergency landing.
They plan was turned around and headed back to the airport.
The plane crashed into a pylon while attempting the emergency landing.

Yes, but unfortunately "as they were" was idle, as the pilots had dropped the power to idle and then (attempted) to bring them back up to the required power.

Re:Extreme Euphemism

[matfud]

I think the term is "hull loss" by insurance companies

Re:Extreme Euphemism

[matfud]

Just for fun ships are have been termed "bottoms" before and after they sink.

Re:Extreme Euphemism

[matfud]

https://en.wikipedia.org/wiki/...

I want to see a list of catastrophes

[gTsiros]

Separated by cause: Software bug vs Hardware bug.

Re:I want to see a list of catastrophes

[TheNastyInThePasty]

That would depend who you ask. If you ask the hardware guys, it's always a software problem and vice versa. At least that's the way it is with the hardware guys I work with ;)

Re:I want to see a list of catastrophes

[Jack+Griffin]

Software vs Hardware vs Meatbag.
After watching a few seasons of Air Crash Investigations, cause seems to favour the latter.

Re:I want to see a list of catastrophes

[matfud]

You missed the meatware. Most seems to be blamed on the dead.

Big fail from the software engineering standpoint.

[Frosty+Piss]

Just my take as a software engineer and current DoD employee that works with C17...

There should have been some process on firing up the jet / avionics / computers that ran checks to see that even if software was not latest, was it CONSISTENT?

Big fail from the software engineering standpoint.

Return codes?

[cfalcon]

This is a tragedy, but since we're on a tech site, lets talk tech.

Return values are handled oddly in pretty much every major language. Many API calls want to return something simple- int or bool- and if anything is more complex than that, generally require an actual data structure to be returned, often as a reference. This means that the "I didn't do this" action has a variety of ways to be be passed back- none of them even close to standard.

If something returns a distance, magnitude, or size, "0" normally means "Error, nothing happened" which is often the same as "Sure, I wrote 0 bytes. Really."
If something needs to distinguish between success ("I did the thing 0 times as requested" and failure "I couldn't do the thing because of an error condition"), then sometimes a -1 is returned, or an exception thrown, or something else.

In this plane, something was, at some point, responsible for getting data about the engines. Likely, this happened in layers, each one having access to the results of the lower pieces. One of those pieces had the task of parsing those files.

So EITHER someone (process, program, whatever) meant to say "This is a problem" and instead said "Here's some default data", OR someone ELSE in that chain of commands (process, program, whatever) has a default for a "This is a problem" result to use as a failsafe, and it was never tested or never communicated up.

We probably won't get the technical details that go from "files missing" to "engines don't work". Certainly, several level of software or hardware could allow for any number of workarounds in this case, and I'm sure they have a complex system and this was some eventuality that was hard to test for.

Still, interesting to think about the error return methodology, and how it's so different everywhere in CS.

Re:Return codes?

Unfortunately making assumptions about return/error codes is a perfect example of what leads to broken software. There's no replacement for checking the docs and especially exhaustive (ie, full coverage for anything that can be tested) testing.

Re:Return codes?

[rdnetto]

Return values are handled oddly in pretty much every major language. Many API calls want to return something simple- int or bool- and if anything is more complex than that, generally require an actual data structure to be returned, often as a reference. This means that the "I didn't do this" action has a variety of ways to be be passed back- none of them even close to standard.

If something returns a distance, magnitude, or size, "0" normally means "Error, nothing happened" which is often the same as "Sure, I wrote 0 bytes. Really."
If something needs to distinguish between success ("I did the thing 0 times as requested" and failure "I couldn't do the thing because of an error condition"), then sometimes a -1 is returned, or an exception thrown, or something else.

This is true of mostly just C, though it does get used a little in C++ as well. (To be fair, C-family languages are the majority of popular languages.)
Most high-level languages use exceptions, and Haskell (and to a lesser extent, Rust) use the Maybe type so that the type system forces error checking to occur.

Missing calibration data, not drivers

[radtea]

The summary, as usual, is terrible. The missing files were calibration data for the engine controllers, not executables of any kind.

However, the article says some astonishingly stupid things, like: "'Nobody imagined a problem like this could happen to three engines,' a person familiar with the 12-year-old project said."

Well, duh.

Since the human imagination is known to be almost completely useless as a tool for understanding reality or predicting the future, this has to be the most obvious observation since the dawn of time.

Anything that can happen, will. Since we have finite resources, we have to guess what is most likely to happen. If we have data, we can run predictive models to inform our guesses. The one thing we know with near-certainty is that what we imagine might happen is completely irrelevant to what will actually happen.

The human imagination is no better at understanding or predicting today than it was when people were imagining bloodletting balanced the humours. It makes as much sense mentioning it in this context as saying, "Our astrologers and scriers never saw this coming!"

Re:Missing calibration data, not drivers

[tompaulco]

However, the article says some astonishingly stupid things, like: "'Nobody imagined a problem like this could happen to three engines,' a person familiar with the 12-year-old project said."

If it was a mechanical issue, then yes, I would believe it would be a billion to one chance for something to happen to all three engines. On the other hand, since it is software, I would say that it is a billion to one chance that it would NOT happen to all three engines.

Many regs trace back to accidents

[perpenso]

The checks in place for aircraft hardware is extremely rigorous.

Yes, but how many of those regulations and checks trace back to accidents versus an engineer's foresight? I'd expect that most items in a pilot's pre-flight checklist do trace back to accidents. And it seems the computer's pre-flight checklist will too.

I once heard that the expression "Navy regulations are written in blood" was used to explain to new sailors why so many tasks are to be performed exactly the way the regs say and in no other manner. The phrase was then elaborated on explaining to the sailors that when things were done otherwise sailors sometimes died, for small things like failing to properly secure a hatch (door).

Re:Many regs trace back to accidents

[matfud]

I must agree.
But thing do change slowly. Sometimes those things are no longer relevant.

Did you hear the myth of the soldiers how spend many long and painful hours painting the ground. Just because it had always been painted? It was always painted as someone spilled the paint and said nothing.

Re:Many regs trace back to accidents

[matfud]

Not that I know anything about the military. But it would not surprise me. It was related to your comment about the Navy "Navy regulations are written in blood". They can be wrong. But It is ideal if everyone believes it.

Re:Big fail from the software engineering standpoi

There was a warning. From the article:" the first warning pilots would receive of the engine data problem would be when the plane was 400 feet (120 meters) in the air". Probably a messages along the lines "you're f@#$-ed! have a nice day!"

Does the Therac-25 ring a bell for anyone?

[dav1dc]

+ http://en.wikipedia.org/wiki/T...

The first computer controlled X-ray machine.... which accidentally irradiated some people to death...
due to *gasp* software faults! (say it ain't so!)

I first heard about the Therac-25 during my "Ethics in Computer Science" class many years ago - it made an excellent case study... about problems just like this one.
Once the textbooks get updated, Therac-25 will be replaced with a case study about the a400m roll out. ^_^

Re:Does the Therac-25 ring a bell for anyone?

[viperidaenz]

Will the case study say when a risk is identified and a manual procedure put in place to mitigate the risk is specified, don't be surprised when the procedure fails?

Re:Does the Therac-25 ring a bell for anyone?

[nickweller]

@dav1dc: "I first heard about the Therac-25 during my "Ethics in Computer Science" class many years ago - it made an excellent case study... about problems just like this one."

Mainly because the software was adapted for use in a dual purpose machine and once you selected a particular mode and then changed it, the previous mode was still in and the display showed the new-and-wrong settings.

Re:Does the Therac-25 ring a bell for anyone?

Therac-25 was not the first computer-controlled imaging machine. It was the successor to several earlier models by the same manufacturer.

What's notable is the -25 was the first model in the series without hardware failsafes that had been thoughtfully included in the earlier models.
Had those dedicated failsafes been present, then they erroneous data inputs would not have resulted in significant patient harm.

One of the lessons of this incident was that a dedicated, out-of-band sanity-check (however expensive or redundant it may seem) serves an important purpose in safety-critical systems.

Can throw an exception but will anyone catch it ?

[perpenso]

EPROMS are no more immune to bad data than flash memory.

Besides, being well into the era of malware I'm surprised that files aren't delivered as a complete image. Complete with a manifest of files and version numbers and each file being digitally signed.

Or maybe some developer did have such a manifest, his/her code detected the error, reported the error, but the error/exception was handled in a way that didn't rise to the pilot's attention nor prevent engine startup.

Too much automation by computers

[Gordo_1]

FTFA: "...Without the vital data parameters, information from the engines is effectively meaningless to the computers controlling them. The automatic response is to hunker down and prevent what would usually be a single engine problem causing more damage. This is what the computers apparently did on the doomed flight, just as they were designed to do."

So, in other words, each engine did exactly what is was designed to do, which is to act independently and shut itself down. There's no executive override function that says "hmmm, maybe we shouldn't shut down 3 engines at the same time!" The crew had no chance against an obviously buggy software implementation. Pilots need more control to override complex software like this in emergencies.

Mordac did it

[goombah99]

Dilbert explains:
http://dilbert.com/strip/2000-...

Too Slowly?

[Thyamine]

They were spinning too slowly? Isn't this why the pilot has a throttle? And if they are supposed to 'correct' and 'adjust' the input from the pilot, as one article explains, then how did it ever take off in the first place? Shouldn't there be a basic check like 'if altitude != 0 { allow_engine_off("NO!") } I'm sure there are all sorts of reasons why it's better this way, but it seems like when the plane is able to just ignore the pilot, then you are simply waiting for a catastrophe to occur.

Re:Too Slowly?

[kschendel]

A throttle is of no use when the engines can't respond to it. The engines (3 out of 4) initially did not respond to the pull-back from takeoff power at around 1500 feet. The pilot then pulled back to flight idle, and the engines dropped to flight idle. Unfortunately they then did not respond to the throttle back up, and remained stuck at flight idle. You can't keep a plane in the air with 3 out of 4 engines at idle for very long at 1500 feet. (You also can't fly a plane very well with the engines stuck at TO power, they aren't going to last all that long and it's a bit hard to land that way.)

The engine controllers are called FADEC (Full Authority Digital Engine Control) for a reason. Controlling a modern turbofan or turboprop engine isn't like squirting gas into great-granddad's Hudson flathead, it's just a little more complicated and it takes a dedicated controller to keep the engine running optimally.

I don't know what "missing files" exactly means in this instance, but I bet the controller software gets updated to include a validation check on the calibration tables.

Re:Too Slowly?

[viperidaenz]

Apparently the engines did not turn off. They just didn't respond to an increase in power.

When the airflow meter in a car spits out invalid date, the engine ECU doesn't shut the engine off. It logs a check-engine code and ignores data from that sensor and runs in a safe mode, using parameters it knows will not result in catastrophic failure.

Same thing happens in automatic transmissions, they'll stick themselves in 2nd or 3rd gear and refuse to shift to any others except N or R (Park is still a mechanical selection in a modern computer controlled automatic transmission) The transmission ECU doesn't just spit the dummy and go "oh no, pressure sensor A is giving me invalid data, better open all the solenoids and switch to neutral so no transmission damage occurs". It ignores the sensor and ignores the drivers request for a specific gear and runs in 'limp home' mode.

Re:Too Slowly?

Airbus software has always overridden pilot inputs. It's the logic of save the plane from human error. There have been many instance where aircraft manufactured by airbus override pilot inputs.

Re:Too Slowly?

It is possible that the engine controller thought the engine was in some error condition, delivering way too much power for example. It may make sense to turn it off to prevent the turbine from flying appart and shredding the plane (of course the shroud around the engine should and probably would stop this, but why take chances).

Re:Too Slowly?

[matfud]

This was what I thought.

The last word...

[Unknown74]

" The more they overthink the plumbing, the easier it is to stop up the drain. " - Montgomery Scott, Star Trek III

Re:This is what happens when you use Luddite softw

[ArcadeMan]

If the plane had used apps, it would have systemD!

Something smells fishy and it's not the fish.

[Charcharodon]

I highly doubt the maintenance software is used to operate the engines during flight. If it is that is a VERY big fuck up on the part of the manufacture. None of the planes I've worked on used the maintenance software for flight ops. Sure it records during flight, but that is separate from the instruments and the throttles.

The high tech word of aviation is at least 30 years old. There is a reason for that, it works and it rarely fails. All the fancy stuff is bolted on top of the bombproof legacy gear, which usually will keep working even after a complete loss of power.

This is a fishing trip to try to dump the blame on the manufacturer. Pilot error is in the high 90's when it comes to crashed planes. Props spinning to slowly? When all else fails look out the window and fly the goddamn plane!

Re:Something smells fishy and it's not the fish.

It was not maintenance software. It was operations software that takes readings from engine sensors to provide feedback into the fly by wire computers. Kinda of important for routine flight.

That data is massaged to account for minute physical differences between engines. The massaging is informed by a text file for each engine. These are the files that were missing.

The death blow came when the pilots, following normal troubleshooting procedures for recalcitrant engines, temporarily set the power to idle. Turns out in this particular failure mode, the engines would not come back out of idle. They did look out the window and try to fly the goddamn plane, but then the engine power won't come back up no matter what throttle setting you try....

Please try a spot of research before defaming the dead.

Re:Something smells fishy and it's not the fish.

[viperidaenz]

The maintenance software is probably used to load the software on the ECU.
It was ECU software configuration that caused the failure.
Perhaps that's why they're telling their customers not to use the maintenance software.

Re:Something smells fishy and it's not the fish.

How about these engineers try a spot of QUALITY CONTROL before killing the living? You're shilling hard, son.

It's time to regulate software

For too long a wild West attitude has prevailed over software engineering.

Only strict government regulation can prevent programmers from cutting corners.

Programming should be like any other profession. No one should be allowed to practice programming unless they've been certified by the government as capable. They should also be bonded, so that any damage they do can be paid for.

There's the EPA. There's OSHA. There should be a regulator that can oversee all software engineering. Programmers should have to justify their code and prove its correctness before it's allowed out in the wild.

Of course some programmers will complain that such regulations will hurt the industry. What they really mean is that they can't exploit their customers.

Re:It's time to regulate software

[weilawei]

Perhaps we should limit your statement to "developers who create applications intended to be used in a setting which may critically impair a human or endanger their life". You can still build all sorts of things privately (performing engineering activities) without ever selling it to anyone or placing anyone's life in jeopardy--and without being licensed. I see no reason for software to be different.

Re:It's time to regulate software

Impractical.

Suppose a developer uses GCC to compile code. Does the developer need to prove the correctness of GCC?

What about the Windows OS? Or the Linux OS?

And software moves so readily from place to place and is so easily incorporated into other projects that it's difficult to imagine a project in a safety critical environment being written completely de novo.

Had the software (and hardware, for that matter) industry been held accountable from the beginning, we wouldn't have these problems today.

It's time computer engineering grew up. Sure, regulation will slow the pace of progress and make things difficult for entrepreneurs, but programmers shouldn't make their money off the backs of those injured by their incompetence. Other industries labor under very strict regulation. There are literally thousands of regulations just for banking, and we saw what happened when things were simplified.

Only strict government oversight of the software industry can prevent injuries to the public.

Re:It's time to regulate software

Re: Banking, saying "simplified" is over-simplifying. Oversight by the CFTC was effectively removed by the Bush administration. That's what gave the banks free reign to give million dollar mortgages to Walmart greeters. Then they sliced and diced that crap with good loans, packaged it up as investable instruments on Wall St. and then sold it to the nice folks in Iceland (among many others).

Of course Iceland didn't know that the ratings agencies were also in on the scam. And not many knew about the $500T in notional value swaps that leveraged the crap at 100:1 ratios. Much of which still sits as off-balance sheet assets that will never be unwound.

That's why you regulate the piss out of the banks and Wall St. It's really not about politics, it's about keeping the cobra in a closed box and never trust him outside of it.

Re:It's time to regulate software

[lgw]

Programmers should have to justify their code and prove its correctness before it's allowed out in the wild.

"Proof of correctness" of code is a bit of nonsense. Practically it comes down to "rite the code in two languages and prove they're equivalent", which does nothing for bad design assumptions. For some components, the firmware is already developed by 2 teams isolated from one another who work in different languages, and you use components from both teams together in a failsafe way. That has at least a chance of protecting you from bad design assumptions. It's quite expensive, however.

For commercial flights, you can't have all the engines serviced by the same crew, to prevent service mistakes. But wasn't this a military flight?

Re:It's time to regulate software

[gnupun]

"Proof of correctness" of code is a bit of nonsense.

Really? Something that mathematically proves the code is correct is nonsense? I don't think so. It may be incredibly tough and difficult, incredibly expensive, but it's not nonsense. Expect the aviation software to be 10x-100x more expensive if proofs were used. With code reuse, (i.e. reusing code that has already been proved valid), the cost of "proof of correctness" code will decrease over long periods.

Practically it comes down to "rite the code in two languages and prove they're equivalent", which does nothing for bad design assumptions.

What if both implementations have the same buggy response to an input or what if both implementations have a hole and don't implement the feature (eg: both implementations don't check for data files before starting propellers)? You've reduced the bugs by multiple implementations, but not eliminated them.

Re:It's time to regulate software

[pscottdv]

All software?

I write software for a website that hires people. If it fails, people have to wait a little while to get their paperwork done.

Re:It's time to regulate software

[lgw]

Really? Something that mathematically proves the code is correct is nonsense? I don't think so

Really. There's no magic correctness fairy. You have to define "correct" - the desired behavior of the system, let's call it "B" - in some formal language. But that's what all coding is - defining the behavior of a system in some formal language. So you're proving that some code in some programming language is equivalent to B. Well, we can do better, we can prove that the object code emitted by the compiler is equivalent to B. Wait, why stop there, why not just write a compiler for the formal language of B in the first place?

Ultimately test driven development, with comprehensive testing requirements (i.e., test every error condition and corner case), is the practical equivalent of all that, and is common for automotive firmware. But it doesn't address corner cases that no one thought of during the design phase. You can't prove code correct, you can only prove it works as designed.

What if both implementations have the same buggy response to an input or what if both implementations have a hole and don't implement the feature

It's an imperfect world, but you have to understand that simple bugs - not behaving as designed - are rare in life-safety software to begin with, and the two-teams approach effectively squares the bug chance (e.g., if simple bugs occur once per million lines of code, they will overlap once per trillion lines of code), But the real issue isn't coding bugs but design oversights, and the real advantage of the two-teams approach is that you get two unrelated brainstorming sessions for corner cases, two different test suites, perhaps even test approaches, to shake out the bugs no one saw coming, and so on. It's done in the real world because it's the best approach anyone has found.

Re:It's time to regulate software

[awing0]

If software were regulated that way, it would have set the whole industry permanently back. Whatever country didn't regulate, say China, India or Russia would gain a huge competitive advantage. Realistically, how many deaths have been cause by software to warrant such a lock down?

Not to mention the coming AI systems. They are going to be pretty indeterminate by design.

Left Hand vs Right Hand

[toygeek]

Engineer 1: "Hey, I know, I'll build in a function that wipes the entire control system when it starts a firmware update so that no old software gets left behind after the update."
Engineer 2: "It'll save a ton of time on this firmware update if I leave out the engine control functions, since those aren't being updated. My bosses will love me!"

Re:Left Hand vs Right Hand

[viperidaenz]

Except it wasn't engine control functions in the firmware, it was engine-specific calibration data.

Re:Left Hand vs Right Hand

*sigh* As if that makes a difference. It was obviously critical data so it should have been checked. You just like to be pedantic don't you? I'm getting really worn out with you asshats playing your technically correct cards.

Re:Left Hand vs Right Hand

"Hey, I know, I'll build in a function that wipes the entire control system when it starts a firmware update so that no old software gets left behind after the update."

This may not be too far from the truth. I've dealt a fair bit with LRU loads for A350's and A320's. Not the same plane, obviously, but the A400 probably uses the same A615-A protocol for uploading media sets (software) to its LRUs.

One thing I found that was very surprising to me was that performing an upload of a program load not only replaces the old program load, but it wipes out any data loads (database, config files, etc.) that you may have loaded onto that LRU previously. There's probably a really good reason for that (eg: a new program load likely requires a new confg file), but in practice I've found it very error-prone. Its easy to forget to reapply all those old data loads until you get a visit from an unhappy pilot or engineer.

20 years old

[Impy+the+Impiuos+Imp]

(icon of plane) + (icon of computer) = (icon of computer)

Re:This is what happens when you use Luddite softw

[schlachter]

WTF? No automated system check to determine if all needed files are present before flying??!

they slowed down alright

[schlachter]

We've lost that kind of 'slow down and make sure it's right' attitude that engineers really need to have.

Oh, they slowed down alright, but the attitude was not right.

this would have caused the affected propellers to spin too slowly causing loss of power and eventually, a crash.

Re:they slowed down alright

[bobbied]

A "landing" is where you run out of altitude, airspeed and ideas at exactly the same time you are over the touch down zone of the runway. They ran out of altitude before they ran out of airspeed and ideas, and they did it at the wrong location.

Re:they slowed down alright

[schlachter]

because they had the wrong attitude....

Re:This is what happens when you use Luddite softw

WTF? No automated system check to determine if all needed files are present before flying??!

Sure there is.

We call it 'gravity'.

Re:This is what happens when you use Luddite softw

[viperidaenz]

Don't starve the trolls.

Re:Big fail from the software engineering standpoi

More like (after 400 feet of ascent):

Device driver file power.drv missing for engine OS.
Device driver file control.drv missing for engine OS.
Device driver file fan_sensor.drv missing for engine OS.
Engine 1 will shut down.
Engine 2 will shut down.
You may want to concider a religion with afterlife: now

Those error messages are important, y'know.
But also important to keep a sense of humour in all the seriousness..

Re:This is what happens when you use Luddite softw

[x0ra]

Boeing has an equally unimpressive architecture track record... http://www.cnn.com/2015/05/17/... So you shouldn't fly much...

Re:This is what happens when you use Luddite softw

[x0ra]

So it would probably have worked, and not crash because someone was using tr(1) to parse some output in an overly complicated shell startup system...

Doesn't sound credible...

>caused the affected propellers to spin too slowly
Propellers? On a jet?
Low credibility.

Re:Doesn't sound credible...

[nedlohs]

It's not a jet moron.

Re:Doesn't sound credible...

[ihtoit]

it's a quad turboprop, fool.

Re:Doesn't sound credible...

[petermgreen]

The A400M is a turboprop.

Re:This is what happens when you use Luddite softw

And what exactly make of plane would you fly on that is safer? Boeing has an equally bad track record. Sounds like you must walk everywhere

Rope and pulley broke a lot, too

[TigerPlish]

I like reminiscing about the rope-and-pulley days but i've been stranded with a broken clutch steel-rope cable, I've had another one snap on a bike, and points-and-condenser ignitions are inhumane and intolerant of lapses in maintenance. That peculiar smell that old cars and old planes had? incomplete combustion.

I like this computer-controlled world. Things work much better.

The rope-and-pulley analog here would be "Hey Bertie, did you put the cotter pin on that rod?" "Ya ya, sure sure!"

Meanwhile, as the plane reaches 400 ft:

*clink* "Hey.. what was that?" "Hey man the thrott*BLAM* (impact on ground)

With 20-20 hindsite

[presidenteloco]

The pilots should have reasoned: "Engines not responding to control. Since the engines are still at least giving us high power, we should climb to a height that gives us options, then try some things to fix the problem, or figure out how to cut the engines completely and glide in, having enough height to get the setup of the difficult approach just right."

Of course the maintenance program manager for the aircraft manufaturer should have reasoned: "All maintenance procedures should be performed by checking off, in an app, a detailed automated checklist of steps, such as restoring custom-data files. The maintenance software app should not permit maintenance to be signed off as complete until the automated checklist is all checkmarked. and it goes without saying that all such step-by-step procedures should be verified as complete and working before being included in allowed maintenance procedures of operational aircraft."

Punish all the Managers

It was simply a rush job, and extremely likely the managers were responsible. I am sure no developer worth her / his salt (avionics engineers generally dont have the temperament of 19year kids) would have liked to proceed in this manner that led to deletion of the said integral files.

Re:This is what happens when you use Luddite softw

So, one unsubstantiated claim versus hundreds of proven examples of intentional incompetence by Airbus? I'm flying Boeing.

Terrible

The engines should have never have started without the missing files. Crazy crazy.

Re: This is what happens when you use Luddite soft

[sycodon]

This is why Dr. McCoy didn't trust the transporter.

Windows Blue

[argee]

In other news, Microsoft announced today the release of Microsoft Windows Blue. This is a version of Windows to run all kinds of aerial vehicles,
from the Airbus A400M to the smallest 4-rotor drone. Contrary to rumors, the "Blue" has to do with the color of the sky, not the color of the
computer screen when ....

Re:This is what happens when you use Luddite softw

Boeing doesn't have anywhere near the horrible record that Airbus does.

I'd bet this isn't the first time

[JustAnotherOldGuy]

I'd bet a million dollars that this isn't the first crash caused by this, or something similar (damaged configuration settings file, mis-matched file versions, etc). Great- another thing to worry about when flying. :(

Re:Big fail from the software engineering standpoi

You act like it is hard to have the ECU during bootup tell itself it's at 400ft and then see if everything is OK. This was half assed shit programming and there's really no excuse.

Re: This is what happens when you use Luddite soft

And how many episodes were we treated with transporter transposition accidents that the ol' Doc then had to deal with, hmmm?

whatever happened to real controls?

[ihtoit]

having a computer between the pilot of any system and the mechanical components is just bending over and begging for it. Humans are mechanical. Engines are mechanical. Keep the fucking interfaces mechanical and the transport later the same way, the only thing that's coming of all this so-called automation and computer controlled engine management is butthurt and dead people. I come off as a bit of a luddite? Good. I'd sooner fucking walk anyway, the only thing I have to worry about is blisters. You go fly, the only thing you have to worry about is:

"NOT READY READING DRIVE A. (A)BORT, (R)ETRY, (F)AIL?>

six vertical miles away from your nearest Apple Genius.

Re:whatever happened to real controls?

But, having those computers in between the operator and the mechanicals allows you to eventually get rid of the operator when the computers are good enough.

That's good for the airlines, investors, and the economy. Surely the needs of the many outweigh the needs of the few passengers, or the one operator.

Re:whatever happened to real controls?

[matfud]

Try and run all the parameters of a modern jet engine and try to figure it out as you fly. You can not and never have been able to. Along with an airframe which a human can not control.

Way before you or I were born you could not fly an aircraft without something in the way.

Re:whatever happened to real controls?

[ihtoit]

modern jet engines are little different mechanically from that which pushed the Gloster E28 to 350mph in 1941. They were entirely manual, from the control surfaces to the fuel flow. Computers back then were the size of houses. Complications set in when you overtake the plumbing. And when all you need to do to disable a jet engine is pop a ten cent fuse, well, that twelve million Dollar Trent is just so much scrap metal, now, isn't it?

Re:This is what happens when you use Luddite softw

[ihtoit]

well, good for you. The A400m isn't generally available for civilian use anyway (unless you have 200 million Dollars cash just lying around), it's a ramp heavylifter.

negative values

The standard way to return an error is to return a negative value, as zero can very often be a normal value but a negative value is more often than not never valid (distance, weight, volume, etc...). Unfortunately that means that the program can mistake a negative value for an incredibly non signed int value...

THIS IS NO ACCIDENT !!!

THIS IS BAD SOFTWARE DESIGN !!!

It is simply INCREDIBLY STUPID to create a "workflow" by which CATASTROPHIC SYSTEM FAILURE "happens" for a stupid reason like this .... as evidently there was no backup "safety" ....

this warrants the REMOVAL of the management structure of Airbus and the FULL STOP UNTIL A COMPLETE FIX AND REPURPOSE is done to further development of a plane which was originally designed to replace the C130 but MARKETED AS A STRATEGIC AIRLIFTER like the C17 ( BUT WHICH CANNOT EVEN CARRY A MID SIZE MILITARY ASSAUT TRACK VEHICLE , AND IMPOSSIBLE TO CARRY A MBT (MEDIUM BATTLE TANK like the C17...)

This is a COLOSSAL WASTE of public money and it should be stopped JUST AS the incredibly stupid F35 flying chicken....probably THE largest MILITARY PLANNING FAILURE of the century....

Re:THIS IS NO ACCIDENT !!!

Boy, you should appreciate the Monopoly Game. It will tell you to cool down and simply accept what happens. You play, you get money, you get a wife, you have nice kids, you go to jail because you have grown into a slimy bizman. You get killed by a another slimy bizman's Hyperjet 626. Because bizman was too thrifty. Bizman pulls the free-out-of-jail card this time. They nab him later for tax evasion.

So - it's all just a GAME. RELAX.

Up, up, and *file not found*

[Mats+Svensson]

Crashing in [30] seconds. Press OK, to crash now.

Military project with multi-nation politics

[Qbertino]

A military project with multi-nation politics. Need I say more?

My cousing worked with airbus as an engineer, prepping the A380 for release, after the cableing debacle. No single responsible project lead with competence and a mandate, subcontractors 6 levels deep with the suits drawing out money at every level, nationalistic policing, etc.. A burocratic nightmare barely imaginable by the human mind.

Think Berlin Airport but with a bunch of EU nations thrown into the mix involving complex new machinery and avantgarde technology. Yeah, right.

Re:Military project with multi-nation politics

[matfud]

Well yes, It is almost as bad as the US where they spread the pork. But this was primarily France and Germany with sales to Italy and Turkey and potentially UK and Norway.

Re:This is what happens when you use Luddite softw

[TheDarkMaster]

The new breed of developers do not care about boring details. If you doubt, a few more years and we will have a joker wanting to program avionics using javascript.

Re: This is what happens when you use Luddite soft

2 if I remember correctly and 1 where it was used to fix the aging issue.

Never update all your production systems in one go

[Gunstick]

Yea, standard rule.
Maybe the plane was in test? So not production. So no need to follow that rule?
Well ok, a test plane is still running in production as far as avionics goes, even if it's still in testing!
And if you have 4 systems in your test environment, there's a reason. You *don't* update all of them, or 3/4 of them. But half!
And I guess, with 2 engines, the plane could have been saved.
I'm a sysadmin, and I blame the sysadmin as the cause of the catastrophe.

Well

Then the engine should either report a shitload of warnings to the cockpit or it should refuse to turn on.

files in the engines?

This "software" thing has gone horribly horribly wrong.

No

The engine should refuse to start when some critical files are missing.

On the other hand, there are so many ways to mess up, that the quest for perfection is elusive. Especially when a team is inexperienced, politically appointed instead of by real skills or when the relationshipt between management and employees is bad. This often comes from underfunding ANY YOU BET this program is underfunded.

"Europe" is ruled by a bunch of socialist posers who are basically clueless about modern industry, modern technology and modern military. And even the captains of industry are mostly simpletons here. We have no such thing as Google, Intel, Huawei, Samsung here.

They have huge ambitions and want a super-duper aircraft, but then proceed to piss away the necessary money for people who never worked and will never work. The typical socialist disease.

Jäger 90 was the same thing. Lots of ambition, little funding. The amazing thing is it actually does the job somehow. 15 years later than planned, of course.

The boss of Airbus already said he will never again do an underfunded program like this. And I know why, because I know the Euro Collectivists. People who want somebody else to bring them the Paradise of Laziness and Irresponsibility. They are both dumb and malicious, otherwise they would do some real, hard work. Because THAT is what generates WEALTH. Printed paper DOES NOT bring wealth is everybody is playing lazyman.

Me ? A swabian.

Re:Ah, Airbus...

We'll round up a few Jews, make them confess and then throw a big show of executing them and their families, as always. It's not possible a plane made by European Aryan ubermensch could fail unless sabotaged by Jews.

Not Good Either

Just google for "reset button Tiltrotor".

Aviation software MUST WORK. When you are in the air and errors pop up it is very often TOO LATE.

And of course there are some well-funded, well-executed projects like the A320 which absolutely depend on correct software. They had a major problem which was actually solved by "overriding", but that approach is not a panacea, rather a last-ditch measure.

Dear Mr Shitball

You apparently know nothing about Spain. General Franco was a highly capable and intelligent guy. He steered his country around both Materialism (a London Bankster invention) and Fascism. After the war he was best friend with NATO. That didnt stop liars like you to call him a "fascist", I know that.

https://en.wikipedia.org/wiki/Spain_and_World_War_II#Jews_and_other_refugees

So he GAVE JEWS ASYLUM. But yeah, the Cultural Marxists label him a "fascist" until today. What a load of wicked, devil-worshipping scumbags. I bet they have an icon of Feliks Dzhershinsky which they pray to every night.

Also, how much does Boeing pay you for this shite ?

And, why dont you drop yourself off a bridge. It's all easier then.

I don't believe it !

[nickweller]

I don't believe it!

Fail Safe?

[OklahomaRed]

Did anyone ever hear of distributed systems? One simple computer to run evey critical system all networked together. Each and everyone can keep it's device functioning with manual command if everything else fails. The only way to upgrade the system is to physically remove it an plug in a new one.

It's embedded programming 101!!

Re:This is what happens when you use Luddite softw

[Pascal+Sartoretti]

WTF? No automated system check to determine if all needed files are present before flying??!

Ironically, I would call this "preflight checks"...

Re:This is what happens when you use Luddite softw

What nonsense!