
Airbus A380 Under Fire

Posted by ScuttleMonkey
from the u.s.-laws-that-aren't-so-bad dept.
jose parinas writes "The security of the Airbus A380 jetliner is questioned by a U.S. engineer who faces arrest and bankruptcy in Austria. A year ago, Mangan told European aviation authorities that he believed there were problems with a computer chip on the Airbus A380, the biggest and costliest commercial airliner ever built."

  • Re:easy (Score:5, Informative)

    by Cylix (55374) on Saturday October 01, 2005 @07:16PM (#13695513) Homepage Journal
    Except now the chip has to be recertified for aviation.

    In effect, the article states it has already been modified and there was some sentiment that it really should be re-certified yet once again.

  • Re:WTF? (Score:3, Informative)

    by biryokumaru (822262) * <biryokumaru@gmail.com> on Saturday October 01, 2005 @07:17PM (#13695521)

    Maybe he was thinking that the Airbus was built and designed in Europe? And that he'd need to move there in order to work on it?

    http://www.airliners.net/info/stats.main?id=29

  • Re:WTF? (Score:4, Informative)

    by DrSkwid (118965) on Saturday October 01, 2005 @07:19PM (#13695530) Homepage Journal
    He lived & committed the crime in Vienna, how would your US law provide any protection?

    Try reading stuff, it usually helps.

  • by guardiangod (880192) on Saturday October 01, 2005 @07:29PM (#13695565)
    If you care enough to RTFA, you will see the following line

    Yet his employer ignored his concerns, he alleges, because fixing the glitches would be costly, could take up to a year and would further delay the A380's launch. (a year behind already)

  • Re:easy (Score:2, Informative)

    by saj_s (667330) on Saturday October 01, 2005 @07:31PM (#13695572)
    And given the fact that they've only built about 3 A380's so far, it should be pretty easy to do!
  • by Anonymous Coward on Saturday October 01, 2005 @07:32PM (#13695574)
    Really strange reporting. For starters, they don't even get basic facts right, e.g. they report Airbus was "owned by Dutch and British companies", when in fact it is owned by EADS (80% share, French/German) + BAE (20%, British). They also keep calling it a problem between Airbus and Mangan, when the actual events (as per their own article) seem to only involve Mangan and his former employer, TTTech. Airbus doesn't seem to have any involvement in this.
  • Re:Under fire? (Score:1, Informative)

    by Anonymous Coward on Saturday October 01, 2005 @07:32PM (#13695576)
    To be under fire, which originates from being under artillery fire, means to be under attack.
  • by Anonymous Coward on Saturday October 01, 2005 @07:32PM (#13695577)
    Read the article again. This chip didn't "get through." According to the whistle blower, the company forged his signature on documents approving the chip. If true that means they knew about the problem and tried to cover it up.
  • Joseph Mangan's Blog (Score:2, Informative)

    by Anonymous Coward on Saturday October 01, 2005 @07:38PM (#13695606)
    Looks like his blog is here: http://www.eaawatch.net/ [eaawatch.net]
  • His blog (Score:4, Informative)

    by HotNeedleOfInquiry (598897) on Saturday October 01, 2005 @07:38PM (#13695607)
    I'm not positive this is his blog (it looks more like a static web page) but it does have a ton of information on the subject:
    http://www.eaawatch.net/index.html [eaawatch.net]
  • by Yoohoo Ladies! (919562) on Saturday October 01, 2005 @07:40PM (#13695615)
    A slow decompression is even more dangerous than an explosive one because hypoxia can sneak up on anyone without them realising it. It takes a very special person to recognise the symptoms of hypoxia when they're not looking for them specifically.
  • by niXcamiC (835033) on Saturday October 01, 2005 @07:41PM (#13695620)
    RTFA! It says that both Airbus AND Boeing are going to be using this new chip. It seems like people go out of their way to trash stories, when they have no idea what they're talking about.
  • by Chmarr (18662) on Saturday October 01, 2005 @07:43PM (#13695632)
    I agree. However, there are other systems in the aircraft that detect the low pressure, and THESE cause additional alerts, plus the oxygen systems to activate.

    In addition, a slow 'leak' gives the pilots great time for an emergency descent. Give me a slow leak over a fast one anyday.
  • No, it was an Airbus (Score:2, Informative)

    by LibertineR (591918) on Saturday October 01, 2005 @07:45PM (#13695640)
    The pilot had made a slow pass over the field, and when he tried to pull the plane up, the computer overrode his commands thinking he was trying to land, and that is why they crashed into the forest. After that, an emergency pilot override was placed in AirBus jets. The Boeing 777 can takeoff and land automatically. Hell, that airplane can do anything.
  • Re:Autopilot (Score:3, Informative)

    by jsight (8987) on Saturday October 01, 2005 @07:45PM (#13695643) Homepage
    Not true at all... some airplanes can land automatically with a full ILS.

    And, of course, the UAVs (as used in Iraq and elsewhere) can as well.
  • Re:Autopilot (Score:5, Informative)

    by david.given (6740) <dg@NOsPaM.cowlark.com> on Saturday October 01, 2005 @07:55PM (#13695681) Homepage Journal
    They were trying to take off, and the enhanced autopilot decided they were trying to land and took over, so it got about 100ft off the ground and started heading back down, off the end of the runway and into a forest. Nice large fireball too.

    Sorry, that's incorrect.

    What you're talking about here is Air France Flight 296 [ncl.ac.uk]. There's a full description on the link, but the short version is that the pilot tried to throttle up because the plane was too low, and the fly-by-wire system overrode him due to a fault. Nothing to do with the autopilot at all --- autopilot landings are quite common these days.

    (There's also been a lot of controversy about that accident, because there are a number of irregularities with the investigation indicating that the evidence has been tampered with. Check out this link [airdisaster.com] for more information.)

    (Oh, yes; only three people died, although about 50 were injured.)

  • by Bonhamme Richard (856034) on Saturday October 01, 2005 @07:58PM (#13695693)
    Navy flight surgeon http://www.vnh.org/FSManual/01/03Hypoxia.html/ [vnh.org] gives you a maximum of 45 seconds of useful consciousness at 35000 ft. assuming a rapid loss of cabin pressure. It's only 45 seconds at 40,000. This is assuming that you are sitting still. If you are performing "moderate activity" (say screaming your head off because you are scared stupid) it drops to 30 and 18 seconds (35 and 40 thousand ft, respectively.) Even 30 seconds isn't a lot of time. You need to recognize that there is a problem, identify the problem, and correct it, all in that time, with impaired cognitive abilities due to hypoxia. If you're a hot shit Navy Jet Jock who's trained for years to handle that kind of conditions, then no problem. If you are the average airline passenger (and likely the average airline pilot) that's not nearly enough time. I have no idea how violent a depressurization of this kind would be, but if it didn't rock the plane too much, the pilot's first warning that something is wrong might be when he passes out. Hypoxia = nasty
  • Re:Autopilot (Score:5, Informative)

    by Colbalt Blue (915568) on Saturday October 01, 2005 @08:01PM (#13695700)
    You are way off on what pilots use autopilot for. On most commercial flights these days the pilot rarely touches the yoke after takeoff. He enters all headings, altitudes, speed and vertical speed settings into the autopilot and the computer takes care of it for him. In my plane I can enter my entire flight plan into the computer before taking off, engage the autopilot at 500 feet off the ground and not touch anything except the radio until the computer has me lined up for a landing at the destination airport.
  • Re:Autopilot (Score:1, Informative)

    by Anonymous Coward on Saturday October 01, 2005 @08:02PM (#13695703)
    The Russian space shuttle Buran was able to do a fully automated landing, the American space shuttles are almost fully automated except for the landing gear, which are deployed manually since the astronauts felt that if the landing gear deployed too soon it could be fatal.
  • Re:Autopilot (Score:3, Informative)

    by LWATCDR (28044) on Saturday October 01, 2005 @08:05PM (#13695710) Homepage Journal
    It really is just not that easy. What happens if the sensor fails?
    What happens if it is on a trans pacific flight and there is no good place to land?
    What if there is more than one airport in range? How does it know where to land?
    What if you do include a datalink so remote control of the plane is possible? How do you secure it?
    Frankly the rapid and total loss of pressure is very rare.
  • Re:Autopilot (Score:5, Informative)

    by rv8 (661242) on Saturday October 01, 2005 @08:11PM (#13695733) Homepage

    1. There are already multiple possible failures that could cause a depressurization (cabin window failure, door failure, engine rotor burst, crew error, etc). The design requirements call for systems to alert the crew if the cabin altitude exceeds normal values, and there must be oxygen masks that they can don within 5 seconds. The operational requirements call for the crews to be properly trained in the use of these masks, etc. So even if this chip has a problem, it doesn't necessarily create a new safety issue. Of course, the problem, if it exists, should be corrected.

    2. Some business jet aircraft do have an autopilot mode that will automatically descend the aircraft if the cabin altitude exceeds a certain value (several Cessna Citation models, some Gulfstream models, latest Bombardier Global Express, etc). These aircraft often cruise at altitudes up to 51,000 ft, which is quite a bit higher than the maximum altitude for the A380 (apparently 43,000 ft, but typical cruise altitudes will be lower than that). The smaller cabin volume of the business jets mean the cabin depressurizes much quicker, given a similar failure.

  • by Anonymous Coward on Saturday October 01, 2005 @08:31PM (#13695814)
    Who is criticizing Airbus?

    RTFA and note it's about TTTech and their chip & software which could become approved for use in ANY aeroplanes including those manufactured by Boeing.

    Certainly there is also criticism of the way Airbus have designed the cabin-pressure valves redundancy, but this can be tested and fixed.
  • Re:Autopilot (Score:5, Informative)

    by Paul Jakma (2677) <paul+slashdot@jakma.org> on Saturday October 01, 2005 @08:48PM (#13695884) Homepage Journal
    but the short version is that the pilot tried to throttle up because the plane was too low, and the fly-by-wire system overrode him due to a fault.

    If there was a fault anywhere it was in the engine. The pilot claims it didn't spool up fast enough, it may have suffered a stall. The official accident report concluded he simply applied throttle way too late (some conspiracy theories say the FDR was hacked by 3s to make it look like he left it too late). That said, even if that claim of the captain's was true he still furked in several other ways, which led him to be flying 30ft off a runway, when he had intended to be at 100ft (and he would never have hit those trees then..).

    Ie, it was definitely compound pilot error (as is often the case), and possibly a (what should have been) problem with an engine. "Computer overrides pilot and flies into trees!" is catchier though, but simply not true - no matter how many times people repeat it.
  • Re:Autopilot (Score:5, Informative)

    by Paul Jakma (2677) <paul+slashdot@jakma.org> on Saturday October 01, 2005 @09:10PM (#13695987) Homepage Journal
    Also, don't forget that the cockpit oxygen masks drop down before the main cabin

    Cockpit masks don't "drop down" - They're a far more robust (and bulky) construction than the el-cheapo plastic cup+bag things the passenger cabin has, and anyway the space above the pilots tends to be occupied by switch gear and breakers. They're stowed within easy reach of each pilot (to the side, under the seat).

    - the cockpit pressure sensor is pegged at a higher level, so that if there is a slow leak, the pilots can don their masks early and do a more controlled descent.

    Lower level surely you mean (be it in terms of altitude or barometric pressure). I'll have to ask to find out if this is true, it doesn't ring true at all with me though.

    modern aircraft are fitted with ground avoidance radar (what causes the 'whoop-whoop, pull up!' scenario).

    The radio altimeter you mean? The one which provides highly accurate relative readings, but only when you're reasonably close to the ground (ie within 1 or 2k feet)? I've never heard it called "ground avoidance radar"...

    But, as for the plane landing itself... well, we're still a fair way off with that one. Airports have to be equipped with differential GPS beacons that allow the plane to determine its position down to about half a metre.

    Ok, now I know you're definitely not a pilot but a troll. If you were a pilot you would know that ILS and auto-land systems have existed since at least the 1960's which can guide an aeroplane to within 50ft or so of the runway and that more recent ILS (since the 80s or so? I don't quite know, maybe before then) can bring the aeroplane to 0ft. You'd also know that ILS uses two polarised planes of radio waves - GPS doesn't come into it at all.

    You, sir, are a troll. Mods: please undo parent's "interesting" moderation.

    (FWIW, my father *really* is a retired commercial aviation pilot).
  • by amabbi (570009) on Saturday October 01, 2005 @09:12PM (#13696003)
    For starters, they don't even get basic facts right, e.g. they report Airbus was "owned by Dutch and British companies", when in fact it is owned by EADS (80% share, French/German) + BAE (20%, British).

    Actually, that part of the article is spot on. EADS is multinational but incorporated in the Netherlands [wikipedia.org].

  • Re:Autopilot (Score:3, Informative)

    by csirac (574795) on Saturday October 01, 2005 @09:16PM (#13696038) Homepage
    There hasn't been an airliner with an "engineer's station" since the 1970s, IIRC...

    But to put it bluntly, you're adding a lot of complexity, reducing reliability and introducing even more permutations of different failure modes than they already have, with VERY little gain.

    Not to mention the safety-critical decisions you have now entrusted to the system: maintaining safe terrain clearance, announcing its unplanned departure from its allocated flight level to warn other traffic to avoid collision, not to mention the complexities involved if there are other problems apart from depressurisation (for instance, many autopilots disconnect and depend on manual control if there is an engine failure - is your decompression going to override that behaviour?).

    There is a way of looking at this that might shed some light on why this hasn't been done: the simple fact that decompression resulting in flight crew incapacitation is extremely rare.

    Therefore, we have to look at the benefits (would the proposed idea have helped these rare cases?) and the disadvantages (will failures of this system reduce overall safety more than it improves it?).

    If the pilot has the presence of mind to read, understand and respond appropriately to the y/n question, they might as well dial 10,000 feet on the altitude-hold autopilot controls or just click off the autopilot completely and do the descent themselves, the way they are continuously trained every year in their ATP simulator checkrides.

    The people designing these things are incredibly smart and I'm not sure people out there really appreciate the level of detail and thoroughness any new feature must be considered with in aerospace engineering... even the simple fact that most aircraft are designed with 25 year life-cycles makes the engineering effort totally unrecognisable to most other industries.

    The moral of the story is, automated aircraft systems make day-to-day operations much smoother, more efficient, and less tiring for the human pilot. When it comes to emergency scenarios, it really does take a human to make the best decisions - autopilots don't have situational awareness of the surrounding scenario, and are unable to correctly prioritise aspects of the flight and consider everything in the full context of the emergency which requires human reasoning.
  • Not Quite (Score:4, Informative)

    by WindBourne (631190) on Saturday October 01, 2005 @09:25PM (#13696079) Journal
    1. Finding the problem is sporting.
    2. From there, you then have the programmer(s) test it and make sure that there are no more issues.
    3. Once that has passed, then you have the test group re-design a set of new tests and test them as well.
    4. Once there, an internal auditor goes over your work.
    5. From there, an Airbus auditor goes over said work.
    6. Then an EU FAA-equivalence auditor.
    7. Then an American FAA auditor.
    Just that little bit of a fix, takes no less than 9 months (normally closer to 1.5 years). Delaying the A380 will cause serious issues right now. In fact, there are probably performance clauses penalties associated with this that would probably sink TTTech (hence the reason why they want to cheat).

    BTW, if you wish to argue with me over this (and some idiot will), I currently do the coding of the test for the data AND APIs of an American unit that will be in the cockpit of the A-380 (and other aircraft). I have found out that getting this level C cert. has been very sporting.
  • by plasmacutter (901737) on Saturday October 01, 2005 @09:43PM (#13696165)
    pardon me.. but above certain altitudes it may as well be instantly.. as in blood boiling, the bends.. sudden depressurization without warning would suck the air from your lungs.. you would have no way of knowing to hold your breath.
  • Re:Autopilot (Score:3, Informative)

    by Martin Blank (154261) on Saturday October 01, 2005 @09:45PM (#13696170) Journal
    No, it does not have a 100% mortality rate. The Aloha Air accident a number of years ago in which a section of the first class wall and roof ripped away at 24,000 feet was an example of instant decompression, but only the flight attendant that was sucked out of the plane was killed. All passengers and remaining crew survived.

    Most depressurizations are survived entirely.
  • Re:easy (Score:3, Informative)

    by iamwahoo2 (594922) on Saturday October 01, 2005 @09:59PM (#13696239)
    The problem is that there is no redundancy in the system. You can never guarantee that a system is 100% failsafe and in safety critical systems you counter this by adding redundancy into the system. Why else would Boeing put triple redundancy in cabin pressurization valves for their aircraft? They do not like spending extra money or adding weight anymore than Airbus. It will of course come back to haunt Airbus if this gets more publicity.
  • by Anonymous Coward on Saturday October 01, 2005 @10:02PM (#13696251)
    different AC here, so bear with me :)

    you assume the circuit to be stateless. Then indeed you have 2^N states to test. The GP questioned this - if the circuit is somehow stateful, so there is a slight dependence on input history, you're stuck with an infinite set of possible histories. All you can do then is make an assumption about the chip's useful lifetime and estimate an upper cut-off for the length of the history chain. Then test all chains of at most said length.

    Wait, but there is more. You need to test for various conditions under which the chips might operate. And allow for production differences between chips. And failure modes of associated non-digital components. And so on. Plenty of parameter space to test. When all is said and done, 100% certainty is in fact impossible. But that's not the point - you don't want 100%, you want a reasonably close value. After all, quite a few of the possible failure conditions would probably have killed the passengers even if the chip operated correctly.
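
The bounded-history testing described in the comment above, as an added example that is not part of the original thread: a toy Python model compares a stateless specification against an implementation with hidden state, enumerating every input history up to a chosen length. The signal names (`pressure_low`, `override`) and the latching fault are hypothetical and say nothing about the actual chip under discussion.

```python
from itertools import product

# Hypothetical toy signals, one bit each per clock cycle: (pressure_low, override).
N_INPUTS = 2
INPUTS = list(product((0, 1), repeat=N_INPUTS))  # the 2^N input vectors


def spec_output(inp):
    """Stateless reference: command the valve iff pressure is low and no override."""
    pressure_low, override = inp
    return int(pressure_low and not override)


class ToyImpl:
    """Implementation under test, with a constructed history-dependent fault:
    three consecutive override cycles latch the output to 0 permanently."""

    def __init__(self):
        self.override_run = 0
        self.latched = False

    def step(self, inp):
        pressure_low, override = inp
        self.override_run = self.override_run + 1 if override else 0
        if self.override_run >= 3:
            self.latched = True
        if self.latched:
            return 0
        return int(pressure_low and not override)


def find_divergence(max_len):
    """Replay every input history of length 1..max_len from reset.

    Returns the first (shortest) history on which the implementation's output
    differs from the spec, or None if all histories up to max_len agree.
    """
    for length in range(1, max_len + 1):
        for seq in product(INPUTS, repeat=length):
            impl = ToyImpl()
            for inp in seq:
                if impl.step(inp) != spec_output(inp):
                    return seq
    return None


def histories_to_test(max_len):
    """Number of histories replayed for a given cut-off: sum of (2^N)^L."""
    return sum(len(INPUTS) ** length for length in range(1, max_len + 1))


if __name__ == "__main__":
    # max_len=1 is the "stateless" test: each of the 2^N vectors once from reset.
    for cutoff in (1, 3, 4):
        print(cutoff, histories_to_test(cutoff), find_divergence(cutoff))
```

The single-vector test passes all 2^N inputs, and the fault only appears once the history cut-off reaches four cycles, while the number of histories to replay grows geometrically with that cut-off.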
  • by jcr (53032) <jcrNO@SPAMmac.com> on Saturday October 01, 2005 @10:02PM (#13696253) Journal
    I can prove that I am not a 20 foot nymphomaniac amazon woman.

    No, you can't. You could be a 20-foot nymphomaniac Amazon in disguise. Go ahead, prove that you're not!

    -jcr
  • by kupci (642531) on Saturday October 01, 2005 @10:19PM (#13696316)
    There seems to be something more at work here. I'll read more about this, but both parties are acting unusual to the point where I am really on neither side, whereas normally I suppose I would be on his side.

    Mangan's blog [eaawatch.net] has significant details. It makes quite a bit of sense if this guy has more integrity than your average person. He's a super smart guy apparently, and he's probably right, firing him was probably not a good idea. Who wouldn't be miffed, and want to restore their good name? For the Austrian company, I'm betting they don't have the time to improve the design, or fix it properly.

    I've read the various articles in the LA Times and WSJ, and his blog, and my take is he is an engineer, and he's not going to let politics and bureaucrats cover this flawed design. Any whistleblower faces this - it's what sets them apart from the average person.

    The articles are very interesting, he was testing the system and found flaws not only in the functionality but the system design (not redundant). Seems there's politics and big money involved.

    I sat in on an ethics class, directed towards engineers, at Stanford once, forgot the name of the class, but the professor posed the question - if you, as an engineer on a major project (whether it be designing a new drug or a spaceship), and discovered an issue, what would you do? Now perhaps the dishonest person, rushing to finish the project and look good, would move on. The average person would write an e-mail perhaps, and then if nothing was done, perhaps at most quit their job. And if you're fired? Anyway, interesting class.

  • by Anonymous Coward on Saturday October 01, 2005 @11:14PM (#13696501)
    The Aloha 243 accident was not caused by a pressurization failure. The depressurization was a secondary effect of the structural fatigue failure of the lap joints.

    There has been an accident with the root cause of a pressurization failure with the loss of all aboard. It was a recent one, too (August 14). Helios 522 was a Boeing 737 which suffered a pressurization failure and crashed. Investigation is still underway. Those with long memories will also remember the 1999 crash of Payne Stewart's Learjet 35. http://www.ntsb.gov/ntsb/brief.asp?ev_id=20001212X19931&key=1 [ntsb.gov]
  • Re:NEWFLASH (Score:3, Informative)

    by wasted (94866) on Sunday October 02, 2005 @12:01AM (#13696673)
    I definitely agree that it is stupid to use a chip with such a flaw.

    I agree it could be deadly.

    US Federal Aviation Regulations, if followed, might prevent the deaths, though. At altitude, either the pilot or copilot is supposed to be on oxygen full time. In the event of a rapid decompression, that person would be able to descend the plane to an altitude where the pressure is great enough for all to regain consciousness.

    Unfortunately, at the lower altitude, the fuel flow would be a lot greater for a given distance, and if the plane is on an extended overwater flight, the plane may not make it to a safe destination, especially since the four-engine design exempts it from ETOPS.

    If anyone who has their ATP license sees anything incorrect, please correct me.
  • by Zork the Almighty (599344) on Sunday October 02, 2005 @12:20AM (#13696735) Journal
    This is a question of a $500 vs $50 part in a plane that costs a couple hundred million. I would be quite amazed that any company in the modern litigious world would forge a signature to get a part as critical to safety as this one passed when knowing that the part was sketchy.

    Airbus didn't forge his signature, that would be the company who makes the $50 part.
  • Re:Autopilot (Score:3, Informative)

    by EvanED (569694) <evaned@@@gmail...com> on Sunday October 02, 2005 @12:26AM (#13696761)
    Good luck designing a computer system that can safely land a extremely heavy aircraft at several hundred MPH

    It's been done! For years!

    Read the other comments in this thread, or something about autopilots. For instance, the Wikipedia entry, which states that "Modern autopilots generally divide a flight into taxi, take-off, ascent, level, descent, approach, landing, and taxi phases. Autopilots exist that automate all of these flight phases except the taxiing, and some incorporate automated collision-avoidance, as well."

    (Oh, and BTW, your "several hundred MPH" is greatly overstating. For instance, the typical landing speed of an A340 is 140 knots, or 160 MPH. This [google.com] says the landing speed of a 747-400 with full flaps is about 120 mph. (Another site said 160.) The 767 lands at 150 mph.)
  • by dfjghsk (850954) on Sunday October 02, 2005 @12:57AM (#13696878)
    mod parent up.

    we're not talking about Airbus forging someones signature so they don't have to spend a few extra bucks on a plane worth millions... we're talking about a manufacturer who forged someones signature so they wouldn't lose out on sales of their $50 part.

  • Re:Autopilot (Score:1, Informative)

    by Anonymous Coward on Sunday October 02, 2005 @01:17AM (#13696944)
    Whoh, easy on the idiots.

    Working in aerospace simulation I have learned a great deal about the design concerns going behind the software used in these aircraft. Yes, the autopilot and flight management system (FMGC on the A380) could potentially be programmed in very few lines of code to do exactly what you propose, however, it is always the preference in design that the pilot has actual control over where the airplane goes. 2001 must have been popular with the FAA and other certification authorities.

    If an emergency landing is needed, the pilot is expected to be capable of selecting the airport to land at.

    In the case of cabin pressure loss on the A380 the pilot receives a warning from the onboard monitoring computer (Fault Warning Computer). When that warning is received all the pilot needs to do is select the altitude target on the FCU to 15000 (spin knob a few times) and press the expedite descent button on the FCU. This will cause the AP to fly the aircraft at the maximum descent rate in the flight envelope of the aircraft and level off when reaching 15000 ft.

    Nobody can see all ends, but calling designers of the requirements for aerospace safety systems idiots is a bit overboard.

  • by sonamchauhan (587356) <sonamc@gm a i l .com> on Sunday October 02, 2005 @01:44AM (#13697035) Journal
    This does not look like a Boeing PR move. This looks like a honest-to-goodness engineer sticking to his ethics.

    From the article [latimes.com]:

    "Unlike U.S. laws that shield whistle-blowers from corporate retaliation, Austrian laws offer no such protection. Last year an Austrian judge imposed an unusual gag order on Mangan, seeking to stop him from talking about the case.

    Mangan posted details about the case anyway in his own Internet blog. The Austrian court fined him $185,000 for violating the injunction. ...

    To help pay living expenses and legal fees, Mangan sold his house in Kansas. With only about $300 left in his bank account, Mangan missed a Sept. 8 deadline to pay his $185,000 fine and faces up to a year in jail. Next month he's likely to be called before a judge on his criminal case.

    The family expected to be evicted this month from their apartment, but their church in Vienna took up a collection to pay their rent. ...

    TTTech has offered to drop its legal action against Mangan, court records show, and pay him three months of severance, if he retracts his statements. But Mangan has refused.

    Mangan said he was looking for a new job. He has contacted dozens of aerospace firms in the U.S. and Europe, but none have returned his calls. "Nobody wants to touch me," he said."

  • by autopr0n (534291) on Sunday October 02, 2005 @01:56AM (#13697079) Homepage Journal
    You can't. It's impossible to prove a negative.

    Why do people think this? It's idiotic. When you prove a positive, you also disprove its opposite. If I prove I am a man, I also prove I am not a woman.

    I think what people mean is that they cannot prove an existentially qualified negative (i.e. there does not exist), or a universal positive (i.e. everything in the universe is blue).

    But anyway, proving and disproving those types of statements is why we have second-order logic.
  • by kcb93x (562075) <kcbnac@nOspAM.bnac.biz> on Sunday October 02, 2005 @02:27AM (#13697179) Homepage
    As my father's one of the lead software engineers designing those, and they're quad-redundant within each box, and I think he mentioned something about 2 or 3 in this specific one. Might be wrong, it's been awhile since I've talked to him about it though.
  • by prefec2 (875483) on Sunday October 02, 2005 @04:22AM (#13697454)
    Sep. 29 I read an article about the Mangan vs. TTTech thing on www.spiegel.de [spiegel.de] (in German, sorry). According to this article Mangan worked for TTTech for 6 months in 2004. The company said that he never complained about the chip until he got fired because they were unsatisfied with his performance.

    Well that's what the company says. So the real fact is that he worked there for 6 months and that this chip development started years before 2004. Because they needed these chips for the ground tests. And before that these chips have to be tested. So Mangan was too much involved in this.

    Also for me that looks like: He got that job, he screwed it up and was laid off in his probationary period.

  • Re:ha (Score:3, Informative)

    by Impy the Impiuos Imp (442658) on Sunday October 02, 2005 @05:05AM (#13697538) Journal
    If they haven't changed it since they hid it, then the cap is 50. Ironically, there is no "momentum", so you could be pegged high at 50, get a bunch of +5's in a row, which just evaporate, then get a single -1 and presto, you're down to 49.
  • by rv8 (661242) on Sunday October 02, 2005 @05:42AM (#13697619) Homepage

    The pilot had made a slow pass over the field, and when he tried to pull the plane up, the computer overrode his commands thinking he was trying to land, and that is why they crashed into the forest.

    While there are some conspiracy [airdisaster.com] theories, as with many catastrophes, the generally [aviation-safety.net] accepted [planecrashinfo.com] story [forpilots.com] differs very substantially from the above.

    The aircraft was flown at maximum angle of attack (AOA) at about 30-35 ft above the runway during an air show, with passengers on board. The pilot disconnected the autothrottle system, as its "alpha-floor" system would have automatically increased the engine thrust, preventing him from slowing the aircraft as much as he wanted. The aircraft eventually ended up at about 30-35 ft above the runway, with the engines at idle, and at the maximum allowable AOA.

    The co-pilot noted that the obstacles ahead were higher than the aircraft, alerted the pilot, who pushed the thrust levers (i.e. throttles) ahead, and pulled back on the controls. The flight control system did not allow the pilot to raise the aircraft's nose, as that would have required increasing the angle of attack, and the wing would have stalled. The only way out of the hole he dug was to get more thrust. The faster you go at a given AOA, the more lift the wing produces. The fact that lift is now greater than the weight means the flight path starts to curve upwards, and the nose rises, even at the same AOA. But, it takes about 7 seconds for a modern high-bypass ratio turbofan engine to accelerate from idle to full thrust (the regulations allow 8 seconds), and they hit the trees 5 seconds after he pushed the thrust levers forward.

    The flight control system's AOA limiting function prevented a much more serious accident, as if the wing had stalled the aircraft would have gone out of control. As it was, it hit the trees in controlled flight, and only three people died.

    After that, an emergency pilot override was placed in AirBus jets.

    There is no emergency override in the Airbus jets. The pilot can manually turn off enough flight control computers to put the flight controls in Direct Law, where there are no longer any artificial limits on what he can do, but this would not have prevented this accident. He would have crashed much earlier in the sequence if he had tried to do the same thing in Direct Law.

    The Boeing 777 can take off and land automatically.

    The Boeing 777 cannot take off automatically. It can land automatically, as can all the other modern large airliners, including Airbus A320, A330 and A340.

  • Re:a non issue (Score:2, Informative)

    by Joseph Mangan (919612) <jmangan@eaawatch.net> on Sunday October 02, 2005 @06:46AM (#13697745) Journal
    Read below about the pilots union, which violated a US federal court gag order to disclose evidence that AIRBUS failed to disclose a known defect in the rudder control system of the A300 to the FAA and NTSB which would have prevented the American Airlines Flight 587 Airbus A300 crash.

    A memo was written in June 1997 by Thomas Thurnagel, an Airbus engineer in Hamburg, Germany.

    From: Union: Airbus knew of crash risk

    "People died because this memo wasn't disclosed, in my opinion," said John David, deputy safety chairman for the Allied Pilots Association.

    http://www.slackanddavis.com/news_article.php/news_id/argval/924/argname/back_link/argval/index [slackanddavis.com]

    Again, as an engineer, the highest duty is to public safety. When a gag order prevents the proper notification and disclosure to the government authorities, and when the government authorities fail to act, the public must be informed. My actions are completely justified. I suggest you go to the web site www.onlineethics.org and further educate yourself about the other case examples where engineers have performed their duty to the public safety.

    I would rather do my duty now, than to later be blamed for the serious injuries or loss of life that can be prevented by informing the public.
  • by Hoser McMoose (202552) on Sunday October 02, 2005 @07:14AM (#13697822)

    The plane in question was on a (very) short-haul flight between two islands in Hawaii. As such, the plane never got very high up, the maximum cruising altitude was only 24,000 feet. The Airbus A380 is a BIG plane that will be used pretty much exclusively for long-haul flights where the cruising altitude will usually be a fair bit higher, typically around 35,000 feet.

    The difference in how serious a decompression is at 24,000' vs. 35,000' is quite significant. You can find some data here [vnh.org] (thanks to the person who linked the article earlier in this thread). Basically at 24,000' you've got at least a minute and a half before the lack of oxygen makes it impossible to function. At 35,000' that time could be cut down to only 15 seconds. In the article you listed it mentions that after the decompression they made an emergency descent at 4,100 feet per minute. This would bring them down to a relatively "safe" 10,000' within a few minutes. If they had been flying at 35,000' then anyone not wearing an oxygen mask would be unconscious before they made it down to 30,000'.

  • by DingerX (847589) on Sunday October 02, 2005 @07:58AM (#13697916) Journal
    *excessive* rudder inputs?

    The A300-600 had a redesign on the rudder pedals, so that, the faster the aircraft was going, the less rudder input you needed to get full deflection. (To understand this, think of power-assist steering turned on its head: at low speeds, you need to crank the wheel all the way to turn full left. At 100 mph, touching the wheel will give you full left. smart design, huh?) At the speed they were going, the force required to achieve full rudder deflection was *less* than the "breakout" force -- i.e., the force required to deflect the rudders at all. Once the pilot elected to use the rudder, it was over.

    It's not boeing vs. scarebus here, it's just dumb-ass design.
  • by Ancient_Hacker (751168) on Sunday October 02, 2005 @09:20AM (#13698201)
    Now maybe Boeing is just as bad, but Airbus seems to be particularly ATROCIOUS at systems design. Bad chips are about the least of their problems. A few examples: Airbus runs off end of runway, investigation shows:
    • Water in brake cylinder back end froze up. Cylinder lacked weep hole.
    • Brake electronics had two identical systems running in parallel.
    • If you pressed one of the brake system buttons for more than 10 msec, but less than 20 msec, one computer might see the keypress, the other might not. Never tested for.
    • Brake system uber-boss hardware checks for differences between two computers.
    • If it finds a difference, it turns off the secondary computer, WITHOUT SNOOPING AROUND to see if in fact it was the secondary computer that was getting off-track.
    • Said turning off is not signaled to the pilots in any obvious way.
    • Even if the pilot notices, by flipping to an obscure status-page, that the secondary braking system has been downed, pressing the RESET button doesn't actually reset much of anything.
    • Airbus encourages pilots to use auto-braking mode, which supposedly gives a steady 0.3G's of deceleration.
    • If auto-braking doesn't seem to give 0.3G's, some TILT lights go on, but the braking system doesn't try using the suspect bad system, even after the other system is now known to be bad.
    I could go on, but I think you see the basic drift here. Not a clue among the designers, testers, or managers.

    Similar totally foobared design blew up the $400M Ariane rocket. Similarly foobared design for the Airbus flight control computer: lessee-- Pilot is pulling very hard on the stick, should we do what he says or drill a big hole in the ground? Hmmmmmm.....

    Full report URL's I can find if anybody is interested.

  • Re:Autopilot (Score:3, Informative)

    by Paul Jakma (2677) <paul+slashdot@jakma.org> on Sunday October 02, 2005 @09:49AM (#13698307) Homepage Journal
    According to the accident report, yes there was, and it was a very basic piloting error:

    The problem with the altimeter was, again, due to pilot error. Barometric altimeters derive altitude by measuring air pressure (obviously ;) ), however this means they are highly susceptible to variance, eg due to weather (as all pilots are well aware of). They must be carefully calibrated at the beginning of each flight, and sometimes recalibrated during flight. Further, the barometric altimeter measures altitude from sea-level (ASL), not from the ground (descending to X thousand feet ASL can be fatal if the ground is higher than that ;) ). The pilot got this wrong and miscalibrated the barometric altimeter so it was off by 70 feet or so.

    However, that shouldn't have mattered, as all half-modern airliners have highly accurate radio-altimeters (which measure /relative/ altitude using radio ranging - bouncing radio signal off the ground and measuring the delay, RADAR but without the Direction). The pilot though for some unknown reason decided not to rely on the highly-accurate radio altimeter, but flew by the barometric altitude instead. He also decided to ignore the audio ground-proximity warning which was triggered by the radio-altimeter, which should have woken him up to the miscalibration of the baro-altimeter, deciding instead the radio-altimeter must have been wrong.

    So yes, altimeter problem, again the pilot's fault.
  • by Joseph Mangan (919612) <jmangan@eaawatch.net> on Sunday October 02, 2005 @10:23AM (#13698428) Journal
    Have you ever heard about the McDonnell Douglas DC-10? Known defects by Convair subcontractor for the cargo door were hidden by McDonnell Douglas and Convair from the FAA. Several fatal crashes occurred before an AD was issued to finally correct the defects.

    June 27, 1972 Daniel Applegate, Director of Product Engineering for Convair, the fuselage contractor, wrote a memo to his supervisors detailing potential problems of cargo door. The problem was first recognized in Aug 69. The same thing had also happened in a ground test in 1970.

    Recognized design flaws - floor, latch

    FAA director John Shaffer and McDonnell Douglas President Jackson McGowan reached a gentleman's agreement to voluntarily fix problem, but no further official action was taken.

    In July 1972, three inspectors at Long Beach plant certified that Ship 29 had been modified (but it was not). Two years later, after leaving Paris, its cargo door blew off at 13,000 feet, killing 346 people.

    McDonnell Douglas was in precarious financial condition - trying to beat Lockheed L1011 to market

    Convair did not push too hard, since by contract, they may have been held liable for the costs of all design changes

    Engineers pressed the matter through normal channels to the highest levels within both companies, but did not take any further action. Standard operating procedure at McDonnell Douglas and Convair was for engineers to defer to upper management, even though they were aware of serious design flaws

  • Re:Autopilot (Score:1, Informative)

    by Anonymous Coward on Sunday October 02, 2005 @04:27PM (#13700206)
    "Right - because there are autopilot programs that can land an airliner."

    Right, because there actually are.

    "Autoland" and "ILS"--look both of those up. ILS provides not only glide slope, but also a course to follow.

    Thanks for playing.
