Missing Files Blamed For Deadly A400M Crash
An anonymous reader writes: Think you had a bad day when your software drivers go missing? Rejoice, you get to live! A fatal A400M crash was linked to a data-wipe mistake during an engine software update. A military plane crash in Spain was probably caused by computer files being accidentally wiped from three of its engines, according to investigators. Plane-maker Airbus discovered anomalies in the A400M's data logs after the crash, suggesting a software fault. And it has now emerged that Spanish investigators suspect files needed to interpret its engine readings had been deleted by mistake. This would have caused the affected propellers to spin too slowly, causing loss of power and, eventually, a crash.
The story seems to massively simplify how the ECUs work. Each engine needs to be calibrated after production so that the sensor data it hands to each ECU is actually meaningful, due to the way it's actually acquired in the engine. The parameter set isn't stored in the engine, but in the associated ECU. To prevent them from getting out of sync, the engine itself contains a little register with the checksum of the parameter set. If that checksum doesn't match, the ECU shouldn't power up the engine. However, the register and the ECU are initially loaded with a default parameter set used in testing scenarios. Looks like that one might have been untouched for the engines on that flight. Now, this is bad because the ECU now misreads the true engine status in various ways and can even think that an engine which is otherwise running fine is seemingly in some critical condition, e.g. power output too high, which causes an immediate shutdown to prevent engine damage. A jet engine that fails by disintegration has a high chance of slicing other airplane parts with ripped-off fan blades. This is why hard engine shutdowns do make sense. But when putting the pieces of this puzzle together, this is starting to look similar to how Murphy's law came to be: an exceptionally unlikely chain of human errors ruining everyone's day.
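The scheme the comment above describes (parameter set held in the ECU, a checksum of it held in a register on the engine, start refused on mismatch, and a factory test default that both sides start out with) lends itself to a small worked model. This is an added example, not the commenter's code and not anything from Airbus or the real A400M ECU; the parameter names, the gains, the torque limit and the raw sensor value are all constructed assumptions. It also shows the second point the comment makes: the same raw reading, interpreted through the wrong parameter set, can trip a protective shutdown on an engine that is actually fine.

```python
import hashlib
import json

# Constructed, hypothetical calibration parameter sets. The names and values are
# assumptions for this example only, not real engine or ECU data.
DEFAULT_TEST_SET = {"torque_gain": 1.0, "torque_offset": 0.0, "np_gain": 1.0}
ENGINE_3_SET = {"torque_gain": 0.982, "torque_offset": -3.1, "np_gain": 1.004}

TORQUE_LIMIT = 97.0  # assumed protective limit, in the same units as the calibrated torque


def checksum(params):
    """Canonical SHA-256 over a parameter set (sorted keys, compact JSON).

    Canonicalising before hashing matters: two files with the same values but a
    different key order must produce the same checksum, or a correct set would
    be rejected.
    """
    canonical = json.dumps(params, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("ascii")).hexdigest()


# The engine's "little register" is written at calibration time and holds only the
# checksum. Straight from the factory, both ECU and register carry the test default.
DEFAULT_TEST_CHECKSUM = checksum(DEFAULT_TEST_SET)


def ecu_preflight(ecu_params, engine_register_checksum):
    """ECU-side start check. Returns (allowed, reason).

    Two independent conditions: the ECU's set must match what the engine was
    calibrated with, and it must not still be the factory test default, which
    matches itself perfectly and so would pass a bare checksum comparison.
    """
    have = checksum(ecu_params)
    if have != engine_register_checksum:
        return False, "checksum mismatch: ECU parameter set is not the one this engine was calibrated with"
    if have == DEFAULT_TEST_CHECKSUM:
        return False, "both sides still hold the factory test default; engine was never calibrated"
    return True, "calibration verified"


def torque_from_raw(raw_counts, params):
    """Convert a raw sensor reading to engineering units via the calibration set."""
    return raw_counts * params["torque_gain"] + params["torque_offset"]


def engine_would_shut_down(raw_counts, params):
    """Protective logic as the comment describes it: over the limit, hard shutdown."""
    return torque_from_raw(raw_counts, params) > TORQUE_LIMIT


if __name__ == "__main__":
    # A properly calibrated engine starts; one with wiped or default files does not.
    print(ecu_preflight(ENGINE_3_SET, checksum(ENGINE_3_SET)))
    print(ecu_preflight(DEFAULT_TEST_SET, checksum(ENGINE_3_SET)))
    print(ecu_preflight(DEFAULT_TEST_SET, DEFAULT_TEST_CHECKSUM))
    # Same raw reading (constructed value 100): fine with the real set, "too high" with the default.
    print(engine_would_shut_down(100, ENGINE_3_SET), engine_would_shut_down(100, DEFAULT_TEST_SET))
```

The third `ecu_preflight` call is the case the comment worries about: ECU and register agree with each other, so a naive "do they match" check passes, and only the explicit check against the known default catches it. The last line shows why a wrong-but-consistent set is dangerous rather than merely useless: a raw reading of 100 is 95.1 under the real calibration and 100.0 under the default, on the wrong side of an assumed 97.0 limit.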
If the calibration data are so important that the engine shuts down without them, how did the aircraft take off?
One engine delivering full power and 3 engines running at low RPM would be enough to take off, since the plane was empty and probably had a small fuel load as well.
Wiki has an article on the crash: http://en.wikipedia.org/wiki/2...
Looks like they took off, but noticed a problem with the engines, turned around to do an emergency landing, but hit an electrical pylon and crashed. So it's not like they lost all power and fell out of the sky, they had some power and were doing an emergency landing when they hit an object on the ground just before touchdown. 2 of the 6 people on the plane survived.
+ http://en.wikipedia.org/wiki/T...
The first computer controlled X-ray machine.... which accidentally irradiated some people to death...
due to *gasp* software faults! (say it ain't so!)
I first heard about the Therac-25 during my "Ethics in Computer Science" class many years ago - it made an excellent case study... about problems just like this one.
Once the textbooks get updated, Therac-25 will be replaced with a case study about the A400M roll-out. ^_^
As I read it, the files weren't used until the plane was 400 feet off the ground. So takeoff wasn't a problem.
You would be sadly mistaken.
I've seen software writers follow RFC and ONLY RFC for communications protocols, to the point that anything not explicitly expected per the newest standard of RFC will cause the daemon to crash hard. Doesn't matter if it's garbage by accident, garbage on purpose to try to cause a buffer overflow, or even deprecated commands from previous RFCs: the daemon should handle unexpected input gracefully, even if it throws a 500 and closes the connection. To do otherwise (as was done) is irresponsible, but all too common.
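The commenter's point, a fragile command handler beside a tolerant one, as an added example in Python. This is not the commenter's code and models no real daemon: the toy line protocol, its verbs (HELLO, PUT, QUIT, with HELO as a deprecated spelling), the reply codes and the line-length cap are all constructed for the illustration. The strict version raises on anything off the happy path; the hardened version maps every malformed line to an error reply and, at worst, a closed connection.

```python
MAX_LINE = 512  # assumed protocol limit; anything longer is rejected, not buffered


def cmd_hello(arg):
    if not arg:
        raise ValueError("hostname required")
    return f"250 hello {arg}"


def cmd_put(arg):
    # Expected form "key=value"; anything else is a client error, not a server crash.
    key, sep, value = arg.partition("=")
    if not sep or not key or not value:
        raise ValueError("expected key=value")
    return f"250 stored {key}"


def cmd_quit(arg):
    return "221 bye"


DISPATCH = {"HELLO": cmd_hello, "PUT": cmd_put, "QUIT": cmd_quit}
DEPRECATED = {"HELO": "HELLO"}  # older spelling from a hypothetical previous revision


def handle_line_strict(line):
    """The fragile version: assumes well-formed, current-revision input only."""
    text = line.decode("ascii")             # UnicodeDecodeError on binary garbage
    verb, arg = text.strip().split(" ", 1)  # ValueError when there is no argument
    return DISPATCH[verb](arg)              # KeyError on unknown or deprecated verbs


def handle_line(line):
    """Hardened version. Returns (reply, close_connection).

    Every failure path yields a 5xx reply; the only condition that closes the
    connection is one where the stream can no longer be trusted (too long,
    not ASCII) or the client asked to leave.
    """
    if len(line) > MAX_LINE:
        return "500 line too long", True
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        return "500 non-ASCII input", True
    parts = text.strip().split(None, 1)
    if not parts:
        return "500 empty command", False
    verb = parts[0].upper()
    arg = parts[1] if len(parts) > 1 else ""
    verb = DEPRECATED.get(verb, verb)       # accept old spellings, route to the current handler
    handler = DISPATCH.get(verb)
    if handler is None:
        return "500 unrecognised command", False
    try:
        return handler(arg), verb == "QUIT"
    except ValueError as exc:
        return f"501 bad argument: {exc}", False


def strict_handler_crashes(line):
    """True if the fragile handler raises on this input (for comparison)."""
    try:
        handle_line_strict(line)
    except Exception:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: a valid command, a deprecated spelling,
    # a bare verb, binary garbage and an oversized line.
    for sample in [b"HELLO box1", b"HELO box1", b"HELLO", b"\xff\xfe\x00", b"A" * 600]:
        print(sample[:16], "strict crashes:", strict_handler_crashes(sample), "hardened:", handle_line(sample))
```

Note that the hardened handler never lets an exception escape to the accept loop; the decision to close the connection is an explicit return value rather than a side effect of a crash, which is the difference the comment is drawing.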
Do not look into laser with remaining eye.
As others have mentioned, limp mode is not just a transmission control feature. It is a fail-safe built into the Engine Control Unit. When all sensors are operating correctly, the car has a map to determine the appropriate air/fuel mixture, taking into consideration temperature, pressure, exhaust, etc., to ensure your car runs optimally. When in limp mode, the ECU cannot trust the sensors to determine the optimal air/fuel ratio. There is a base map that will allow your car to run with a rich fuel mixture (safer than lean) to prevent damage to the motor. Besides being worse for emissions and fuel economy, you can drive the car normally until you can get the issue repaired.
... you'd think the A400M engine software would have a *baked in* "go home without crashing" dataset.
From how I read the article, it does have a default dataset that it switches to when it detects a problem. From TFA:
Limiting the speed of a ground vehicle is safe. However, limiting the speed of an aircraft causes a crash. It sounds like they need to reevaluate their "limp home" calibration, as we call it in the industry.
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
That was Toyota's excuse. In reality it actually *was* a software error (actually several).
>(yeah, I know, that means no left-foot braking, but if you're doing that in an SUV, you're probably doing it wrong).
Sooooooo... no offroading for your SUV?
SUVs aren't built to go off road.
They don't have locking diffs, a low-range gearbox and often not even underside protection. Most SUVs don't even have full-time AWD, as they don't have a centre diff; they use systems like Haldex Traction to transfer power from a transversely mounted engine (AKA east-west) that drives the front wheels 99% of the time.
Most SUVs are no more suited to going off road than your average Camry and get stumped by the first slightly damp grassy slope they come across.
And yes, if you're left foot braking you're doing things horribly, horribly wrong. Doubly so for heel-toe. There are very few times when you need to left foot brake or heel-toe and none of them are on the road. Keep the fancy foot work for the track and dance floor, drive properly on the road.
Calling someone a "hater" only means you cannot rationally rebut their argument.