Airbus A380 Under Fire
jose parinas writes "The security of the Airbus A380 jetliner is questioned by a U.S. Engineer that faces arrest and bankruptcy in Austria. A year ago, Mangan told European aviation authorities that he believed there were problems with a computer chip on the Airbus A380, the biggest and costliest commercial airliner ever built."
The airline industry... (Score:2, Informative)
Re:easy (Score:5, Informative)
In effect, the article states it has already been modified and there was some sentiment that it really should be re-certified yet once again.
Re:WTF? (Score:3, Informative)
Maybe he was thinking that the Airbus was built and designed in Europe? And that he'd need to move there in order to work on it?
http://www.airliners.net/info/stats.main?id=29
Re:WTF? (Score:4, Informative)
Try reading stuff, it usually helps.
the answer is in the article silly (Score:4, Informative)
Yet his employer ignored his concerns, he alleges, because fixing the glitches would be costly, could take up to a year and would further delay the A380's launch. (A year behind already.)
Re:easy (Score:2, Informative)
Very strange reporting (Score:5, Informative)
Re:Under fire? (Score:1, Informative)
Re:But are the problems only limited to the one ch (Score:5, Informative)
Joseph Mangan's Blog (Score:2, Informative)
His blog (Score:4, Informative)
http://www.eaawatch.net/index.html [eaawatch.net]
Re:Oddities in the article. (Score:4, Informative)
Re:Pure propaganda, or whatever... (Score:5, Informative)
Re:Oddities in the article. (Score:5, Informative)
In addition, a slow 'leak' gives the pilots plenty of time for an emergency descent. Give me a slow leak over a fast one any day.
No, it was an Airbus (Score:2, Informative)
Re:Autopilot (Score:3, Informative)
And, of course, the UAVs (as used in Iraq and elsewhere) can as well.
Re:Autopilot (Score:5, Informative)
Sorry, that's incorrect.
What you're talking about here is Air France Flight 296 [ncl.ac.uk]. There's a full description on the link, but the short version is that the pilot tried to throttle up because the plane was too low, and the fly-by-wire system overrode him due to a fault. Nothing to do with the autopilot at all --- autopilot landings are quite common these days.
(There's also been a lot of controversy about that accident, because there are a number of irregularities with the investigation indicating that the evidence has been tampered with. Check out this link [airdisaster.com] for more information.)
(Oh, yes; only three people died, although about 50 were injured.)
Re:Oddities in the article. (Score:3, Informative)
Re:Autopilot (Score:5, Informative)
Re:Autopilot (Score:1, Informative)
Re:Autopilot (Score:3, Informative)
What happens if it is on a trans pacific flight and there is no good place to land?
What if there is more than one airport in range? How does it know where to land?
What if you do include a datalink so remote control of the plane is possible? How do you secure it?
Frankly the rapid and total loss of pressure is very rare.
Re:Autopilot (Score:5, Informative)
1. There are already multiple possible failures that could cause a depressurization (cabin window failure, door failure, engine rotor burst, crew error, etc). The design requirements call for systems to alert the crew if the cabin altitude exceeds normal values, and there must be oxygen masks that they can don within 5 seconds. The operational requirements call for the crews to be properly trained in the use of these masks, etc. So even if this chip has a problem, it doesn't necessarily create a new safety issue. Of course, the problem, if it exists, should be corrected.
2. Some business jet aircraft do have an autopilot mode that will automatically descend the aircraft if the cabin altitude exceeds a certain value (several Cessna Citation models, some Gulfstream models, latest Bombardier Global Express, etc). These aircraft often cruise at altitudes up to 51,000 ft, which is quite a bit higher than the maximum altitude for the A380 (apparently 43,000 ft, but typical cruise altitudes will be lower than that). The smaller cabin volume of the business jets mean the cabin depressurizes much quicker, given a similar failure.
Re:Par for this particular course (Score:1, Informative)
RTFA and note it's about TTTech and their chip & software which could become approved for use in ANY aeroplanes including those manufactured by Boeing.
Certainly there is also criticism of the way Airbus have designed the cabin-pressure valves redundancy, but this can be tested and fixed.
Re:Autopilot (Score:5, Informative)
If there was a fault anywhere it was in the engine. The pilot claims it didn't spool up fast enough; it may have suffered a stall. The official accident report concluded he simply applied throttle way too late (some conspiracy theories say the FDR was hacked by 3s to make it look like he left it too late). That said, even if that claim of the captain's was true he still furked in several other ways, which led him to be flying 30ft off a runway, when he had intended to be at 100ft (and he would never have hit those trees then..).
I.e., it was definitely compound pilot error (as is often the case), and possibly a (what should have been) problem with an engine. "Computer overrides pilot and flies into trees!" is catchier though, but simply not true - no matter how many times people repeat it.
Re:Autopilot (Score:5, Informative)
Cockpit masks don't "drop down" - They're a far more robust (and bulky) construction than the el-cheapo plastic cup+bag things the passenger cabin has, and anyway the space above the pilots tends to be occupied by switch gear and breakers. They're stowed within easy reach of each pilot (to the side, under the seat).
- the cockpit pressure sensor is pegged at a higher level, so that if there is a slow leak, the pilots can don their masks early and do a more controlled descent.
Lower level surely you mean (be it in terms of altitude or barometric pressure). I'll have to ask to find out if this is true, it doesn't ring true at all with me though.
modern aircraft are fitted with ground avoidance radar (what causes the 'whoop-whoop, pull up!' scenario).
The radio altimeter you mean? The one which provides highly accurate relative readings, but only when you're reasonably close to the ground (i.e. within 1 or 2k feet)? I've never heard it called "ground avoidance radar"...
But, as for the plane landing itself... well, we're still a fair way off with that one. Airports have to be equipped with differential GPS beacons that allow the plane to determine its position down to about half a metre.
Ok, now I know you're definitely not a pilot but a troll. If you were a pilot you would know that ILS and auto-land systems have existed since at least the 1960s which can guide an aeroplane to within 50ft or so of the runway and that more recent ILS (since the 80s or so? I don't quite know, maybe before then) can bring the aeroplane to 0ft. You'd also know that ILS uses two polarised planes of radio waves - GPS doesn't come into it at all.
You, sir, are a troll. Mods: please undo parent's "interesting" moderation.
(FWIW, my father *really* is a retired commercial aviation pilot).
Re:Very strange reporting (Score:4, Informative)
Actually, that part of the article is spot on. EADS is multinational but incorporated in the Netherlands [wikipedia.org].
Re:Autopilot (Score:3, Informative)
But to put it bluntly, you're adding a lot of complexity, reducing reliability and introducing even more permutations of different failure modes than they already have, with VERY little gain.
Not to mention the safety-critical decisions you have now entrusted to the system: maintaining safe terrain clearance, announcing its unplanned departure from its allocated flight level to warn other traffic to avoid collision, not to mention the complexities involved if there are other problems apart from depressurisation (for instance, many autopilots disconnect and depend on manual control if there is an engine failure - is your decompression going to override that behaviour?).
There is a way of looking at this that might shed some light on why this hasn't been done: the simple fact that decompression resulting in flight crew incapacitation is extremely rare.
Therefore, we have to look at the benefits (would the proposed idea have helped these rare cases?) and the disadvantages (will failures of this system reduce overall safety more than it improves it?).
If the pilot has the presence of mind to read, understand and respond appropriately to the y/n question, they might as well dial 10,000 feet on the altitude-hold autopilot controls or just click off the autopilot completely and do the descent themselves, the way they are continuously trained every year in their ATP simulator checkrides.
The people designing these things are incredibly smart and I'm not sure people out there really appreciate the level of detail and thoroughness any new feature must be considered with in aerospace engineering... even the simple fact that most aircraft are designed with 25 year life-cycles makes the engineering effort totally unrecognisable to most other industries.
The moral of the story is, automated aircraft systems make day-to-day operations much smoother, more efficient, and less tiring for the human pilot. When it comes to emergency scenarios, it really does take a human to make the best decisions - autopilots don't have situational awareness of the surrounding scenario, and are unable to correctly prioritise aspects of the flight and consider everything in the full context of the emergency which requires human reasoning.
Not Quite (Score:4, Informative)
BTW, if you wish to argue with me over this (and some idiot will), I currently do the coding of the test for the data AND APIs of an American unit that will be in the cockpit of the A-380 (and other aircraft). I have found out that getting this level C cert. has been very sporting.
Re:Poor engineering journalism (Score:2, Informative)
Re:Autopilot (Score:3, Informative)
Most depressurizations are survived entirely.
Re:easy (Score:3, Informative)
Re: proving a negative (Score:1, Informative)
you assume the circuit to be stateless. Then indeed you have 2^N states to test. The GP questioned this - if the circuit is somehow stateful, so there is a slight dependence on input history, you're stuck with an infinite set of possible histories. All you can do then is make an assumption about the chip's useful lifetime and estimate an upper cut-off for the length of the history chain. Then test all chains of at most said length.
Wait, but there is more. You need to test for various conditions under which the chips might operate. And allow for production differences between chips. And failure modes of associated non-digital components. And so on. Plenty of parameter space to test. When all is said and done, 100% certainty is in fact impossible. But that's not the point - you don't want 100%, you want a reasonably close value. After all, quite a few of the possible failure conditions would probably have killed the passengers even if the chip operated correctly.
Comment removed (Score:3, Informative)
Ethics & Technology - Mangan's blog is (Score:3, Informative)
Mangan's blog [eaawatch.net] has significant details. It makes quite a bit of sense if this guy has more integrity than your average person. He's a super smart guy apparently, and he's probably right; firing him was probably not a good idea. Who wouldn't be miffed, and want to restore their good name? For the Austrian company, I'm betting they don't have the time to improve the design, or fix it properly.
I've read the various articles in the LA Times and WSJ, and his blog, and my take is he is an engineer, and he's not going to let politics and bureaucrats cover this flawed design. Any whistleblower faces this - it's what sets them apart from the average person.
The articles are very interesting, he was testing the system and found flaws not only in the functionality but the system design (not redundant). Seems there's politics and big money involved.
I sat in on an ethics class, directed towards engineers, at Stanford once, forgot the name of the class, but the professor posed the question - if you, as an engineer on a major project (whether it be designing a new drug or a spaceship), and discovered an issue, what would you do? Now perhaps the dishonest person, rushing to finish the project and look good, would move on. The average person would write an e-mail perhaps, and then if nothing was done, perhaps at most quit their job. And if you're fired? Anyway, interesting class.
Re:Poor engineering journalism (Score:1, Informative)
There has been an accident with the root cause of a pressurization failure with the loss of all aboard. It was a recent one, too (August 14). Helios 522 was a Boeing 737 which suffered a pressurization failure and crashed. Investigation is still underway. Those with long memories will also remember the 1999 crash of Payne Stewart's Learjet 35. http://www.ntsb.gov/ntsb/brief.asp?ev_id=20001212
Re:NEWFLASH (Score:3, Informative)
I agree it could be deadly.
US Federal Aviation Regulations, if followed, might prevent the deaths, though. At altitude, either the pilot or copilot is supposed to be on oxygen full time. In the event of a rapid decompression, that person would be able to descend the plane to an altitude where the pressure is great enough for all to regain consciousness.
Unfortunately, at the lower altitude, the fuel flow would be a lot greater for a given distance, and if the plane is on an extended overwater flight, the plane may not make it to a safe destination, especially since the four-engine design exempts it from ETOPS.
If anyone who has their ATP license sees anything incorrect, please correct me.
Re:But are the problems only limited to the one ch (Score:4, Informative)
Airbus didn't forge his signature, that would be the company who makes the $50 part.
Re:Autopilot (Score:3, Informative)
It's been done! For years!
Read the other comments in this thread, or something about autopilots. For instance, the Wikipedia entry, which states that "Modern autopilots generally divide a flight into taxi, take-off, ascent, level, descent, approach, landing, and taxi phases. Autopilots exist that automate all of these flight phases except the taxiing, and some incorporate automated collision-avoidance, as well."
(Oh, and BTW, your "several hundred MPH" is greatly overstating. For instance, the typical landing speed of an A340 is 140 knots, or 160 MPH. This [google.com] says the landing speed of a 747-400 with full flaps is about 120 mph. (Another site said 160.) The 767 lands at 150 mph.)
Re:But are the problems only limited to the one ch (Score:3, Informative)
we're not talking about Airbus forging someones signature so they don't have to spend a few extra bucks on a plane worth millions... we're talking about a manufacturer who forged someones signature so they wouldn't lose out on sales of their $50 part.
Re:Autopilot (Score:1, Informative)
Working in aerospace simulation I have learned a great deal about the design concerns going behind the software used in these aircraft. Yes, the autopilot and flight management system (FMGC on the A380) could potentially be programmed in very few lines of code to do exactly what you propose; however, it is always the preference in design that the pilot has actual control over where the airplane goes. 2001 must have been popular with the FAA and other certification authorities.
If an emergency landing is needed, the pilot is expected to be capable of selecting the airport to land at.
In the case of cabin pressure loss on the A380 the pilot receives a warning from the onboard monitoring computer (Fault Warning Computer). When that warning is received all the pilot needs to do is select the altitude target on the FCU to 15000 (spin knob a few times) and press the expedite descent button on the FCU. This will cause the AP to fly the aircraft at the maximum descent rate in the flight envelope of the aircraft and level off when reaching 15000 ft.
Nobody can see all ends, but calling designers of the requirements for aerospace safety systems idiots is a bit overboard.
Not propaganda, or whatever... (Score:4, Informative)
From the article [latimes.com]:
"Unlike U.S. laws that shield whistle-blowers from corporate retaliation, Austrian laws offer no such protection. Last year an Austrian judge imposed an unusual gag order on Mangan, seeking to stop him from talking about the case.
Mangan posted details about the case anyway in his own Internet blog. The Austrian court fined him $185,000 for violating the injunction.
To help pay living expenses and legal fees, Mangan sold his house in Kansas. With only about $300 left in his bank account, Mangan missed a Sept. 8 deadline to pay his $185,000 fine and faces up to a year in jail. Next month he's likely to be called before a judge on his criminal case.
The family expected to be evicted this month from their apartment, but their church in Vienna took up a collection to pay their rent.
TTTech has offered to drop its legal action against Mangan, court records show, and pay him three months of severance, if he retracts his statements. But Mangan has refused.
Mangan said he was looking for a new job. He has contacted dozens of aerospace firms in the U.S. and Europe, but none have returned his calls. "Nobody wants to touch me," he said."
Re:But are the problems only limited to the one ch (Score:3, Informative)
Why do people think this? It's idiotic. When you prove a positive, you also disprove its opposite. If I prove I am a man, I also prove I am not a woman.
I think what people mean is that they cannot prove an existentially qualified negative (i.e. there does not exist), or a universal positive (i.e. everything in the universe is blue).
But anyway, proving and disproving those types of statements is why we have second-order logic.
Not the same for the Navigation Box (Score:3, Informative)
Some additional facts (Score:2, Informative)
Well that's what the company says. So the real fact is that he worked there for 6 months and that this chip development started years before 2004. Because they needed these chips for the ground tests. And before that these chips have to be tested. So Mangan was too much involved in this.
Also for me that looks like: He got that job, he screwed it up and was laid off in his probationary period.
Re:ha (Score:3, Informative)
Re:No, it was an Airbus (Score:3, Informative)
The pilot had made a slow pass over the field, and when he tried to pull the plane up, the computer overrode his commands thinking he was trying to land, and that is why they crashed into the forest.
While there are some conspiracy [airdisaster.com] theories, as with many catastrophes, the generally [aviation-safety.net] accepted [planecrashinfo.com] story [forpilots.com] differs very substantially from the above.
The aircraft was flown at maximum angle of attack (AOA) at about 30-35 ft above the runway during an air show, with passengers on board. The pilot disconnected the autothrottle system, as its "alpha-floor" system would have automatically increased the engine thrust, preventing him from slowing the aircraft as much as he wanted. The aircraft eventually ended up at about 30-35 ft above the runway, with the engines at idle, and at the maximum allowable AOA.
The co-pilot noted that the obstacles ahead were higher than the aircraft, alerted the pilot, who pushed the thrust levers (i.e. throttles) ahead, and pulled back on the controls. The flight control system did not allow the pilot to raise the aircraft's nose, as that would have required increasing the angle of attack, and the wing would have stalled. The only way out of the hole he dug was to get more thrust. The faster you go at a given AOA, the more lift the wing produces. The fact that lift is now greater than the weight means the flight path starts to curve upwards, and the nose rises, even at the same AOA. But, it takes about 7 seconds for a modern high-bypass ratio turbofan engine to accelerate from idle to full thrust (the regulations allow 8 seconds), and they hit the trees 5 seconds after he pushed the thrust levers forward.
The flight control system's AOA limiting function prevented a much more serious accident, as if the wing had stalled the aircraft would have gone out of control. As it was, it hit the trees in controlled flight, and only three people died.
After that, an emergency pilot override was placed in AirBus jets.
There is no emergency override in the Airbus jets. The pilot can manually turn off enough flight control computers to put the flight controls in Direct Law, where there are no longer any artificial limits on what he can do, but this would not have prevented this accident. He would have crashed much earlier in the sequence if he had tried to do the same thing in Direct Law.
The Boeing 777 can take off and land automatically.
The Boeing 777 cannot take off automatically. It can land automatically, as can all the other modern large airliners, including Airbus A320, A330 and A340.
Re:a non issue (Score:2, Informative)
A memo was written in June 1997 by Thomas Thurnagel, an Airbus engineer in Hamburg Germany.
From: Union: Airbus knew of crash risk
"People died because this memo wasn't disclosed, in my opinion," said John David, deputy safety chairman for the Allied Pilots Association.
http://www.slackanddavis.com/news_article.php/new
Again, as an engineer, the highest duty is to public safety. When a gag order prevents the proper notification and disclosure to the government authorities, and when the government authorities fail to act, the public must be informed. My actions are completely justified. I suggest you go to the web site www.onlineethics.org and further educate yourself about the other case examples where engineers have performed their duty to the public safety.
I would rather do my duty now, than to later be blamed for the serious injuries or loss of life that can be prevented by informing the public.
Re:Poor engineering journalism (Score:2, Informative)
The plane in question was on a (very) short-haul flight between two islands in Hawaii. As such, the plane never got very high up; the maximum cruising altitude was only 24,000 feet. The Airbus A380 is a BIG plane that will be used pretty much exclusively for long-haul flights where the cruising altitude will usually be a fair bit higher, typically around 35,000 feet.
The difference in how serious a decompression is at 24,000' vs. 35,000' is quite significant. You can find some data here [vnh.org] (thanks to the person who linked the article earlier in this thread). Basically at 24,000' you've got at least a minute and a half before the lack of oxygen makes it impossible to function. At 35,000' that time could be cut down to only 15 seconds. In the article you listed it mentions that after the decompression they made an emergency descent at 4,100 feet per minute. This would bring them down to a relatively "safe" 10,000' within a few minutes. If they had been flying at 35,000' then anyone not wearing an oxygen mask would be unconscious before they made it down to 30,000'.
Re:There are far worse problems with Scarebus... (Score:3, Informative)
The A300-600 had a redesign on the rudder pedals, so that, the faster the aircraft was going, the less rudder input you needed to get full deflection. (To understand this, think of power-assist steering turned on its head: at low speeds, you need to crank the wheel all the way to turn full left. At 100 mph, touching the wheel will give you full left. smart design, huh?) At the speed they were going, the force required to achieve full rudder deflection was *less* than the "breakout" force -- i.e., the force required to deflect the rudders at all. Once the pilot elected to use the rudder, it was over.
It's not boeing vs. scarebus here, it's just dumb-ass design.
The chip is the tip of the iceberg re Airbus (Score:4, Informative)
Similar totally foobared design blew up the $400M Ariane rocket. Similarly foobared design for the Airbus flight control computer: lessee-- Pilot is pulling very hard on the stick, should we do what he says or drill a big hole in the ground? Hmmmmmm.....
Full report URLs I can find if anybody is interested.
Re:Autopilot (Score:3, Informative)
The problem with the altimeter was, again, due to pilot error. Barometric altimeters derive altitude by measuring air pressure (obviously
However, that shouldn't have mattered, as all half-modern airliners have highly accurate radio-altimeters (which measure
So yes, altimeter problem, again the pilot's fault.
Re:Somebody should take his pills here ... (Score:2, Informative)
June 27, 1972: Daniel Applegate, Director of Product Engineering for Convair, the fuselage contractor, wrote a memo to his supervisors detailing potential problems of the cargo door. The problem was first recognized in Aug 69. The same thing had also happened in a ground test in 1970.
Recognized design flaws - floor, latch
FAA director John Shaffer and McDonnel Douglas President Jackson McGowan reached a gentleman's agreement to voluntarily fix problem, but no further official action was taken.
In July 1972, three inspectors at the Long Beach plant certified that Ship 29 had been modified (but it was not). Two years later, after leaving Paris, its cargo door blew off at 13,000 feet, killing 346 people.
McDonnel Douglas was in precarious financial condition - trying to beat Lockheed L1011 to market
Convair did not push too hard, since by contract, they may have been held liable for the costs of all design changes
Engineers pressed the matter through normal channels to the highest levels within both companies, but did not take any further action. Standard operating procedure at McDonnell Douglas and Convair was for engineers to defer to upper management, even though they were aware of serious design flaws.
Re:Autopilot (Score:1, Informative)
Right, because there actually are.
"Autoland" and "ILS"--look both of those up. ILS provides not only glide slope, but also a course to follow.
Thanks for playing.