A400m New strategic and tactical airlifter for the RAF
Discussion
Scuffers said:
exactly..
in reality, this is not so much a software flaw as a catastrophic design flaw - ie, the one that allows the engines to even start without a basic SW verification/checksum or the like.
Yep, the 787 for example checks not only that the software configuration of the FADEC is valid for flight, but also, if the two engines have different software revisions, that the combination is certified for flight. I'd be amazed if the A3xx family don't do the same.
Scuffers said:
eccles said:
The pre delivery flight should be about sorting out little problems, just like you get after any big servicing or build. Finding software flaws should have been picked up during the prototype flight trials, not on a production aircraft.
exactly.. in reality, this is not so much a software flaw as a catastrophic design flaw -
If it's a "catastrophic design flaw" how come they all didn't fall out of the sky
Somewhere along the line there has either been a process error [then again see above], a procedural error or a Human Error particular to this airframe, IMO.
Mojocvh said:
Scuffers said:
eccles said:
The pre delivery flight should be about sorting out little problems, just like you get after any big servicing or build. Finding software flaws should have been picked up during the prototype flight trials, not on a production aircraft.
exactly.. in reality, this is not so much a software flaw as a catastrophic design flaw -
Somewhere along the line there has either been a process error [then again see above], a procedural error or a Human Error particular to this airframe, IMO.
a "catastrophic design flaw" is one where it's possible for human error to make the plane fall out of the sky.
As has been said before, accidents like this are never the result of a single failure, they usually are the result of a series of poor decisions/design all lining up.
Back to this one, it's a "catastrophic design flaw" that the engines could be started and the plane take off with the FADEC(s) loaded with a non-valid firmware etc.
No, I don't think that is correct.
As I understand the situation at present...
...the software that was in the fadec was engine test software used to set and store engine parameters..
..it was then replaced with operational software.
..that operation was not verified or gave a false verification on this airframe...
Mojocvh said:
No, I don't think that is correct.
As I understand the situation at present...
...the software that was in the fadec was engine test software used to set and store engine parameters..
..it was then replaced with operational software.
..that operation was not verified or gave a false verification on this airframe...
ie, "catastrophic design flaw" in the lack of verification/false verification.
how hard does this have to be?
Aside this, we then get the SW design that once the engines were cut back to idle, they then locked out in idle, whilst the plane is in the air!
If you map out the logic of all this, it's a disaster waiting to happen, and surprise surprise, that's what happened.
Scuffers said:
Mojocvh said:
No, I don't think that is correct.
As I understand the situation at present...
...the software that was in the fadec was engine test software used to set and store engine parameters..
..it was then replaced with operational software.
..that operation was not verified or gave a false verification on this airframe...
ie, "catastrophic design flaw" in the lack of verification/false verification.
how hard does this have to be?
Aside this, we then get the SW design that once the engines were cut back to idle, they then locked out in idle, whilst the plane is in the air!
If you map out the logic of all this, it's a disaster waiting to happen, and surprise surprise, that's what happened.
Not by Design
Do you know what the output of this engine actually is? The effect on the aircraft's handling if an engine or propeller ran away would be one reason that the fadec could have a flight idle auto fall back to reduce crew workload and retain control...and the aircraft remained under control whilst carrying out a forced landing.
Mojocvh said:
Yes, because it appears the operational software upload was not verified, either due to a process or other omission.
Not by Design
Do you know what the output of this engine actually is? The effect on the aircraft's handling if an engine or propeller ran away would be one reason that the fadec could have a flight idle auto fall back to reduce crew workload and retain control...and the aircraft remained under control whilst carrying out a forced landing.
yes, by design - ie, the flight control software clearly does not have enough firmware/software verification checking before engine start.
that's a design issue, one that you're only ever going to spot when something like this happens, it, in itself, did not cause the crash, BUT would have prevented it.
Output of the engine? yes, 8,250 kW (according to Wiki), although how that's at all relevant to this you're going to have to explain?
Scuffers said:
a "catastrophic design flaw" is one where it's possible for human error to make the plane fall out of the sky.
It seems common knowledge that the vast majority of fatal aircraft crashes are caused by human (not just "pilot") error, so are you therefore saying that all the aircraft that crash due to human error have "catastrophic design flaws"? I'd say it's almost the exact opposite.
Mojocvh said:
The effect on the aircraft's handling if an engine or propeller ran away would be one reason that the fadec could have a flight idle auto fall back to reduce crew workload and retain control...and the aircraft remained under control whilst carrying out a forced landing.
Personally I like to control what my engine is doing. If I want Flight Idle I'll tell it, you know, by retarding the throttle. I don't want some IT dweeb deciding what's best for me - especially when they are safe sitting on the ground!
Ginetta G15 Girl said:
Personally I like to control what my engine is doing. If I want Flight Idle I'll tell it, you know, by retarding the throttle. I don't want some IT dweeb deciding what's best for me - especially when they are safe sitting on the ground!
Yes but you can't always have it both ways: there are times when failures in flight require much faster remedial action than can be delivered by the crew. It is those 'IT dweebs' that will subsequently help to get you back on the ground in one piece.
Red555 said:
Yes but you can't always have it both ways: there are times when failures in flight require much faster remedial action than can be delivered by the crew. It is those 'IT dweebs' that will subsequently help to get you back on the ground in one piece.
yes and no..
for the IT dweebs to write software/firmware that allows an engine to be started, taxied, brought up to take-off power all without a 'vital' torque table, and only realise this when the pilots are unable to throttle the engines back, select flight idle, then have the engines lock-out in flight idle is nothing short of catastrophic logic failure in the design.
Put simply, the engines should never have been able to start in the first place.
Having started and got the plane in the air, to then have a condition where they lock into flight idle is also catastrophically stupid, at the very least they should be able to default to a 'working' set of parameters, even if the engine performance is degraded (to keep the engine away from any perceived limits).
using the logic that it's a 4 engined plane so losing one is not a problem is a bit of a stupid philosophy when the same fault can affect all 4.
I simply cannot believe that this situation could have come about, seriously, what the hell were they thinking when they spec'ed all this? did nobody do the 'what if?' scenarios?
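The two checks argued for in this thread, written out as an added example that is not the thread's code nor Airbus, Boeing or any FADEC vendor's: a pre-start gate that refuses to start unless every engine carries a certified flight build with its required parameter tables and the revision mix across engines is certified (the 787-style check mentioned earlier), plus an in-flight torque limiter that falls back to conservative degraded limits when the torque table is absent instead of locking the engine at idle. Every image, revision name, table and limit value is a constructed placeholder.

```python
import hashlib
# Added illustration, not Airbus, Boeing or any FADEC vendor's code. Every
# image, revision, table and limit below is a constructed placeholder.

def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

OP_IMAGE = b"fadec-operational-build"    # constructed operational image
TEST_IMAGE = b"fadec-engine-test-build"  # constructed ground-test image
# Builds certified for flight; the test build has no entry, so it never passes.
CERTIFIED_BUILDS = {"op-2.1": digest(OP_IMAGE)}
# Revision mixes certified to fly together (the cross-engine check from above).
CERTIFIED_MIXES = {frozenset({"op-2.1"})}
REQUIRED_TABLES = {"torque", "fuel_schedule"}
# Conservative limits (percent torque) used when the real table is absent.
DEGRADED_TORQUE = {"idle": 10.0, "max": 70.0}

def engine_faults(eng: dict) -> list:
    """Reasons one engine's loaded software is not valid for flight."""
    faults = []
    if CERTIFIED_BUILDS.get(eng["revision"]) != digest(eng["image"]):
        faults.append(f"{eng['id']}: {eng['revision']} is not a certified flight build")
    missing = REQUIRED_TABLES - set(eng["tables"])
    if missing:
        faults.append(f"{eng['id']}: missing parameter tables {sorted(missing)}")
    return faults

def prestart_gate(engines: list) -> tuple:
    """Refuse engine start unless every engine is valid and the mix is certified."""
    faults = [f for e in engines for f in engine_faults(e)]
    mix = frozenset(e["revision"] for e in engines)
    if mix not in CERTIFIED_MIXES:
        faults.append(f"revision mix {sorted(mix)} is not certified to fly together")
    return (not faults, faults)

def torque_limit(eng: dict, demand_pct: float) -> tuple:
    """Clamp a demand to the engine's torque table; if the table is missing, use
    the degraded limits rather than locking at idle. Returns (pct, degraded)."""
    table = eng["tables"].get("torque")
    degraded = table is None
    if degraded:
        table = DEGRADED_TORQUE
    return (max(table["idle"], min(demand_pct, table["max"])), degraded)

# Constructed sample: one correctly loaded engine, one still on test software.
GOOD_ENGINE = {"id": "eng1", "revision": "op-2.1", "image": OP_IMAGE,
               "tables": {"torque": {"idle": 10.0, "max": 100.0}, "fuel_schedule": {}}}
BAD_ENGINE = {"id": "eng2", "revision": "test-0.9", "image": TEST_IMAGE,
              "tables": {"fuel_schedule": {}}}
```

Running `prestart_gate([GOOD_ENGINE, BAD_ENGINE])` reports three faults (uncertified build, missing torque table, uncertified mix) and refuses the start, which is the point at which the thread argues the fault should have been caught.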
Scuffers said:
yes and no..
for the IT dweebs to write software/firmware that allows an engine to be started, taxied, brought up to take-off power all without a 'vital' torque table, and only realise this when the pilots are unable to throttle the engines back, select flight idle, then have the engines lock-out in flight idle is nothing short of catastrophic logic failure in the design.
Put simply, the engines should never have been able to start in the first place.
Having started and got the plane in the air, to then have a condition where they lock into flight idle is also catastrophically stupid, at the very least they should be able to default to a 'working' set of parameters, even if the engine performance is degraded (to keep the engine away from any perceived limits).
using the logic that it's a 4 engined plane so losing one is not a problem is a bit of a stupid philosophy when the same fault can affect all 4.
I simply cannot believe that this situation could have come about, seriously, what the hell were they thinking when they spec'ed all this? did nobody do the 'what if?' scenarios?
Can't disagree when considering the specifics of the A400M accident. My point was in reply to GG's generic preference of being exclusively responsible for the operation of the engines.
Ginetta G15 Girl said:
Mojocvh said:
The effect on the aircraft’s handling if an engine or propeller ran away would be one reason that the fadec could have a flight idle auto fall back to reduce crew workload and retain control...and the aircraft remained under control whilst carrying out a forced landing.
Personally I like to control what my engine is doing. If I want Flight Idle I'll tell it, you know, by retarding the throttle. I don't want some IT dweeb deciding what's best for me - especially when they are safe sitting on the ground!
It got really, really boring doing countless over torque checks on the C130K where the crew couldn't manage between three of them to keep it below 19,600! I'm sure as aircrew you appreciate engine developments that allow slam accelerations/decelerations etc, auto throttle that allows more time to concentrate at low level etc, or auto feather when slow & low meaning you don't need the reactions of a cat to prevent the huge drag of a dead donk putting you uncomfortably close or below Vmca, or ending up massively asymmetric.
I do agree however that there should be a fast & easy override for situations like Seville.... Airbus seem to like pilots fighting the technology rather than working with them!
Red555 said:
there are times when failures in flight require much faster remedial action than can be delivered by the crew.
Really? What are those then, pray tell? I have some 6000+ Military Flying hrs and not once in all that time have I ever had a situation where I would have needed an engine cut back/shut down faster than I or my Co-Pilot could do ourselves. In fact shutting engines down rapidly has killed more aircrew than not; indeed, as a QFI I taught my students to 'sit on their hands' until they were absolutely sure that they needed to shut an engine down.
Ginetta G15 Girl said:
Red555 said:
there are times when failures in flight require much faster remedial action than can be delivered by the crew.
Really? What are those then, pray tell? I have some 6000+ Military Flying hrs and not once in all that time have I ever had a situation where I would have needed an engine cut back/shut down faster than I or my Co-Pilot could do ourselves. In fact shutting engines down rapidly has killed more aircrew than not; indeed, as a QFI I taught my students to 'sit on their hands' until they were absolutely sure that they needed to shut an engine down.
Mojocvh said:
If it's a "catastrophic design flaw" how come they all didn't fall out of the sky
Which bit are you actually disagreeing with?
"catastrophic" - in which case what number of deaths per flying hour is your threshold for "catastrophic"?
Or "design" as in "specification for a solution to a requirement"
Or "flaw" as in something isn't quite right.