Incident: Software Vulnerability Leads to Fatal A400M Military Plane Crash

Published Date: 2017-11-08

Postmortem Analysis
Timeline 1. October 2014: engine-makers Europrop International (EPI) warned Airbus and the European Aviation Safety Agency (EASA) that software installation errors could wipe engine data, and that technicians might get no warning of it before take-off [65037]. 2. May 2015: the A400M crashed near Seville during a test flight after three of its four engines froze minutes after take-off [65037]. 3. The findings of the Spanish military investigators' report on the crash are covered in Article 65037.
System 1. The engine control software and the engine data it depends on (the data needed to run the engines) on the Airbus A400M military transport aircraft, as installed on the ground by Airbus [65037].
Responsible Organization 1. Airbus, whose workers accidentally erased the data needed to run the engines while installing software on the ground [65037]. 2. Contributing: Airbus and EPI disagreed over who was responsible for installing the engine software, and jurisdiction between civil and military regulators over the aircraft was confused [65037].
Impacted Organization 1. Airbus 2. European Aviation Safety Agency (EASA) 3. Engine-makers Europrop International (EPI) 4. Spain's defense ministry (air accident agency) 5. Military pilots and crew of the A400M aircraft [65037]
Software Causes 1. Data needed to run the engines was accidentally erased during a software installation on the ground, and the wiped files were never restored by the subsequent upload; three of the four engines therefore froze minutes after take-off [65037]. 2. EPI had warned Airbus and EASA in October 2014 that software installation errors could lead to a loss of engine data and that technicians might receive no warning of the problem before take-off [65037]. 3. The installation process was open to human error, the response to the 2014 warning was inadequate, and no risk analysis of the installation process was carried out [65037].
Non-software Causes 1. Poor coordination and misjudgments in Europe's biggest military project [65037] 2. Regulatory confusion about civil and military jurisdiction over the aircraft [65037] 3. Disagreement between Airbus and its engine suppliers on responsibility for installing the engine software [65037] 4. Inadequate response to warnings from engine-makers about the installation process [65037] 5. Lack of training for pilots to handle the scenario and ineffective troubleshooting system [65037]
Impacts 1. The A400M crashed during a test flight in May 2015, killing four of the six crew members [65037]. 2. Three of the four engines froze minutes after take-off because the data needed to run them had been erased during ground software installation, and the pilots had no warning of the problem until the engines failed [65037]. 3. The crash exposed poor coordination and misjudgments in Europe's biggest military project [65037]. 4. It showed how several minor weaknesses in a complex aircraft system can align to create a serious risk [65037]. 5. It opened a rift between Airbus and its engine suppliers over responsibility for installing the engine software [65037]. 6. The A400M was placed under flight restrictions after the crash, limiting its operational use [65037]. 7. The project came under further scrutiny, with Airbus negotiating a new delivery schedule with European governments and expecting additional writedowns [65037].
Preventions 1. A proper risk analysis of the software installation process in response to the engine-makers' October 2014 warning, including a check that the engine data is present and intact before the aircraft is released for flight, would have addressed the exact failure mode the warning described [65037]. 2. Clear agreement between Airbus and EPI on who installs the engine software, and with which systems, would have removed the ambiguity that surrounded the installation [65037]. 3. Training pilots for a missing-engine-data scenario and a troubleshooting system that actually helped the crew diagnose the engine failure could have limited the consequences once the engines froze [65037].
Fixes 1. Improved coordination and communication between Airbus, the engine-makers, and regulatory authorities to ensure proper installation and maintenance of software [65037]. 2. Enhanced training for pilots to handle unexpected scenarios and failures in aircraft systems [65037]. 3. Conducting a comprehensive risk analysis of the software installation process to identify and address potential vulnerabilities [65037].
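The check that Preventions item 1 and Fixes item 3 imply was missing, as an added illustration (not Airbus, EPI or EASA code, and not from the article): a post-installation verifier that compares every engine's installed software and data against a manifest approved at release and refuses release to service if anything is missing or altered. It models the failure mode the report describes, where a ground load wipes the data for three engines and the subsequent upload never restores it, with no warning to the crew. All item names, hashes and the manifest format are hypothetical assumptions; the sample load is constructed inline.

```python
"""Post-installation verification of engine data loads.

Added illustration, not Airbus/EPI code. Models the A400M failure mode
(engine data wiped during a ground software load and never restored by
the following upload) and the fail-closed check that would surface it
before take-off. Item names, hashes and structure are hypothetical.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


@dataclass
class Finding:
    engine: int
    item: str
    problem: str  # "missing" or "mismatch"


@dataclass
class VerificationResult:
    releasable: bool
    findings: list[Finding] = field(default_factory=list)
    engines_ok: list[int] = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(approved_load: dict[int, dict[str, bytes]]) -> dict[int, dict[str, str]]:
    """Hypothetical release step: record the expected hash of every data
    item for every engine from the approved load before it goes to the line."""
    return {eng: {item: sha256_hex(blob) for item, blob in items.items()}
            for eng, items in approved_load.items()}


def verify_installation(manifest: dict[int, dict[str, str]],
                        installed: dict[int, dict[str, bytes]]) -> VerificationResult:
    """Compare what is actually on each engine against the manifest.

    Fails closed: any missing or mismatched item makes the aircraft
    non-releasable. Every engine is still checked after the first finding so
    maintenance sees the full picture (here: three engines, not one)."""
    result = VerificationResult(releasable=True)
    for engine, expected in sorted(manifest.items()):
        present = installed.get(engine, {})
        engine_ok = True
        for item, expected_hash in expected.items():
            if item not in present:
                result.findings.append(Finding(engine, item, "missing"))
                engine_ok = False
            elif sha256_hex(present[item]) != expected_hash:
                result.findings.append(Finding(engine, item, "mismatch"))
                engine_ok = False
        if engine_ok:
            result.engines_ok.append(engine)
        else:
            result.releasable = False
    return result


def simulate_wiped_load() -> VerificationResult:
    """Constructed scenario mirroring the report: the upload puts control
    software on all four engines, but the engine data for engines 1-3 was
    wiped earlier on the ground and is never re-installed."""
    approved = {
        eng: {"control_sw": b"ENGINE_SW_v1", "engine_data": f"DATA-{eng}".encode()}
        for eng in (1, 2, 3, 4)
    }
    manifest = build_manifest(approved)
    installed = {eng: dict(items) for eng, items in approved.items()}
    for eng in (1, 2, 3):
        del installed[eng]["engine_data"]  # wiped on the ground, never restored
    return verify_installation(manifest, installed)


if __name__ == "__main__":
    result = simulate_wiped_load()
    print("release to service:", "NO" if not result.releasable else "yes")
    for f in result.findings:
        print(f"engine {f.engine}: {f.item} {f.problem}")
```

The design point is that the check runs against an independently recorded manifest rather than against whatever the installation tool believes it wrote, so a load that silently skips files is caught by the absence of data, not by an error the tool may never raise.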
References 1. Spanish military investigators 2. Airbus 3. European Aviation Safety Agency (EASA) 4. Engine-makers Europrop International (EPI) 5. Spain's defense ministry 6. Safety experts 7. France's air force 8. European governments 9. Spanish officials

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization (a) The software failure incident having happened again at one_organization: The incident involving a software vulnerability in the A400M military plane occurred in 2015, where data needed to run the engines was accidentally erased during software installation by Airbus workers, leading to a fatal crash [65037]. (b) The software failure incident having happened again at multiple_organization: There is no specific mention in the provided article about a similar incident happening at other organizations or with their products and services.
Phase (Design/Operation) design, operation (a) Design: the ground software installation process was designed in a way that allowed data needed to run the engines to be erased and not restored by the subsequent upload, and the aircraft gave technicians and pilots no warning before take-off that the data was missing. EPI had warned Airbus and EASA of precisely this in October 2014, and the response was inadequate [65037]. (b) Operation: during the test flight the pilots were only alerted when three engines froze minutes after take-off; they could not run the engines without the missing data, had not been trained for the scenario, and the aircraft's troubleshooting system did not help them address the failure [65037].
Boundary (Internal/External) within_system (a) within_system: The software failure incident involving the Airbus A400M military plane was primarily due to contributing factors that originated from within the system. The incident was caused by data needed to run the engines being accidentally erased during software installation on the ground by Airbus workers. This led to the engines freezing minutes after take-off, resulting in a fatal crash [65037]. Additionally, the article mentions that the engine-makers had warned Airbus and the European Aviation Safety Agency (EASA) in October 2014 about software installation errors that could lead to a loss of engine data, indicating an internal system issue [65037].
Nature (Human/Non-human) non-human_actions, human_actions (a) Non-human: once the engine data was missing, the engines locked at idle minutes after take-off and the aircraft raised no warning of the problem beforehand, so the system itself gave the crew no chance to catch the fault on the ground [65037]. (b) Human: the data was erased by Airbus workers during a ground software installation; the engine-makers' October 2014 warning that exactly this could happen received an inadequate response; and Airbus and EPI disagreed over who should install the engine software [65037].
Dimension (Hardware/Software) software (a) Hardware: the article attributes no hardware fault to the crash. The engines themselves were compromised only because the data they needed had been wiped, with three locking at idle and one still working [65037]. (b) Software: the failure lay in the software installation process, which erased the engine data and did not restore it on the subsequent upload, and in the absence of any warning of the lost data before take-off, a risk EPI had flagged to Airbus and EASA in October 2014 [65037].
Objective (Malicious/Non-malicious) non-malicious (a) The software failure incident related to the A400M military plane crash was non-malicious. The incident was attributed to a software vulnerability that led to data being accidentally erased during software installation on the ground, causing the engines to fail during a test flight [65037]. The report highlighted poor coordination, misjudgments, and regulatory confusion surrounding the installation of the engine software, indicating that the failure was not due to malicious intent but rather a combination of technical errors and inadequate risk analysis.
Intent (Poor/Accidental Decisions) poor_decisions, accidental_decisions (a) Poor decisions: the Spanish military investigators' report cites poor coordination and misjudgments throughout the project, an inadequate response to the engine-makers' October 2014 warning, no risk analysis of the installation process, and an unresolved dispute between Airbus and EPI over who should install the engine software [65037]. (b) Accidental decisions: the erasure itself was a mistake made by Airbus workers during the ground installation, not a deliberate choice [65037].
Capability (Incompetence/Accidental) development_incompetence, accidental (a) Development incompetence: the installation process was left open to human error even after EPI had warned Airbus and EASA in October 2014 that installation errors could wipe engine data without any warning before take-off; the failure to act on that warning with a risk analysis reflects a lack of professional diligence [65037]. (b) Accidental: the deletion of the engine data during installation was unintentional, and the files were simply never restored in the subsequent upload [65037].
Duration temporary The failure was temporary: it was triggered by a specific ground installation that wiped the data for three engines and did not restore it, rather than being present in every operation of the aircraft. An aircraft whose engine data was intact would not exhibit the fault; the fleet-wide flight restrictions that followed were a precaution, not a sign of a permanent defect in every airframe [65037].
Behaviour crash, omission, timing, value, other (a) Crash: three of the four engines froze minutes after take-off near Seville in May 2015 and the aircraft crashed, killing four crew members [65037]. (b) Omission: the system gave no warning, on the ground or in flight, that the data needed to run the engines was missing; the pilots learned of the problem only when the engines failed [65037]. (c) Timing: the data for three engines was wiped during the installation and never restored by the subsequent upload, so the fault lay dormant through start-up and take-off and manifested only minutes into the flight [65037]. (d) Value: with the data gone, the engines did not perform their intended function and locked at idle, leaving only one working [65037]. (e) Byzantine: no byzantine behaviour is described in the article. (f) Other: responsibility for installing the engine software was disputed. EPI argued the software should have been loaded by its own staff using EPI systems; Airbus argued it had the authority under military rules to install it, and jurisdiction between civil and military regulators over the aircraft was confused [65037].

IoT System Layer

Layer Option Rationale
Perception embedded_software (a) Sensor: no sensor fault is attributed in the article; the pilots had no warning because the data was missing, not because a sensor misread it [65037]. (b) Actuator: no actuator fault is attributed; the engines locked at idle because the data needed to run them had been wiped, which is a data and software problem upstream of the engines themselves [65037]. (c) Processing unit: the failure is not attributed to a processing error in the article. (d) Network communication: the failure is not attributed to a network communication error in the article. (e) Embedded software: the failure originated in the software installation on the engines, which erased the engine data and left it unrestored, so the embedded engine software could not run the engines after take-off [65037].
Communication unknown The software failure incident related to the Airbus A400M crash was not directly related to the communication layer of the cyber-physical system that failed. The incident was primarily attributed to a software vulnerability that led to data being accidentally erased during software installation on the ground, compromising the engines and ultimately resulting in the crash [65037]. The failure was more related to the software installation process and the subsequent loss of critical engine data rather than issues at the communication layer of the system.
Application FALSE The software failure incident related to the A400M military plane crash was not specifically attributed to the application layer of the cyber physical system. The incident was primarily linked to a software vulnerability that led to data being accidentally erased during software installation, compromising the engines and ultimately resulting in the crash. The failure was more related to the data loss and technical issues rather than bugs, operating system errors, unhandled exceptions, or incorrect usage typically associated with the application layer of a system [65037].

Other Details

Category Option Rationale
Consequence death, harm, non-human (a) Death: four of the six crew members on board died when the A400M crashed during a test flight in May 2015, after three of its four engines froze minutes after take-off because the data needed to run them had been erased during a ground software installation [65037]. (b) Harm: the remaining two crew members survived the crash [65037]. (c) Non-human: the aircraft was lost, the A400M fleet was placed under flight restrictions, and the project faced a renegotiated delivery schedule with European governments and further writedowns [65037].
Domain transportation, government (a) Transportation: the A400M is a military transport aircraft, and the failed system was the software and data that run its engines [65037]. (b) Government: the aircraft was developed for European governments under Europe's biggest military project, with Spain's defense ministry, France's air force and other European governments among the affected parties [65037].
