Incident: Software Update Causing Engine Failures on Airbus A220 Aircraft

Published Date: 2020-01-15

Postmortem Analysis
Timeline
1. The software failure incident on the Airbus A220 due to engine failures and unexpected vibrations occurred last year, as mentioned in the article [94454].
2. The article was published on 2020-01-15.
3. Estimation: If the article was published in January 2020 and the incident happened last year, the software failure incident likely occurred in 2019.

System
1. GTF engine software update for the Airbus A220
2. Engine manufacturer software interpreting pilot commands on modern aircraft [94454]

Responsible Organization
1. Pratt & Whitney, a subsidiary of United Technologies Corp, was responsible for causing the software failure incident on the GTF engine of the Airbus A220 [94454].

Impacted Organization
1. Lufthansa subsidiary Swiss International Air Lines AG [94454]
2. Airbus
3. Pratt & Whitney

Software Causes
1. The software causes of the failure incident on the Airbus A220 were related to a software change that allowed unexpected vibrations, leading to engine failures and emergency landings [94454].

Non-software Causes
1. The engine failures on the Airbus A220 were linked to unexpected vibrations that tore parts and forced emergency landings, leading to checks being ordered on the GTF engine [94454].

Impacts
1. The software failure incident led to engine failures on aircraft operated by Lufthansa subsidiary Swiss International Air Lines AG, resulting in three emergency landings [94454].
2. The incident caused Airbus and Pratt & Whitney to instruct pilots not to push engines above 95% of their maximum thrust when flying above 29,000 feet, a configuration currently required only by Swiss [94454].
3. The software issue occurred at high altitude and high speeds, making it a complex and challenging problem [94454].
4. The software update to address the issue is pending regulatory approval and is expected to automate processes to reduce or eliminate the need for current inspections [94454].

Preventions
1. Implementing thorough software testing procedures to identify and address potential issues before deployment [94454].
2. Conducting comprehensive risk assessments on software updates to anticipate and mitigate unexpected consequences [94454].
3. Ensuring close collaboration between software developers, aircraft manufacturers, and regulatory bodies to validate software changes and updates [94454].

Fixes
1. Implementing a software update for the GTF engine on the Airbus A220 [94454]

References
1. United Technologies Corp's Pratt & Whitney aircraft engine division executive - Graham Webb [94454]
2. Airbus Chief Commercial Officer Christian Scherer [94454]

Software Taxonomy of Faults

Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident related to the GTF engine on the Airbus A220 has happened again within the same organization, specifically with Pratt & Whitney, a subsidiary of United Technologies Corp. The incident involved engine failures on aircraft operated by Lufthansa subsidiary Swiss International Air Lines AG, prompting checks and investigations into potential software issues [94454].
(b) The software failure incident has also occurred at multiple organizations, as the article mentions that a U.S.-led investigation was looking into a series of engine failures on the A220, indicating that similar incidents may have happened with other airlines operating the same aircraft model [94454].

Category: Phase (Design/Operation)
Option: design
Rationale:
(a) The software failure incident in the article is related to the design phase. The article mentions that checks were ordered on the GTF engine on the Airbus plane following engine failures on aircraft operated by Swiss International Air Lines AG. An investigation was studying whether a software change allowed unexpected vibrations that tore parts and forced three emergency landings. Additionally, the article discusses a software update for the GTF engine on the A220 that is expected in the spring pending regulatory approval, indicating a design-related issue that needs to be addressed through a software update [94454].
(b) The article does not provide specific information about the software failure incident being related to the operation phase.

Category: Boundary (Internal/External)
Option: within_system
Rationale:
(a) The software failure incident related to the GTF engine on the Airbus A220 involved contributing factors that originated from within the system. The incident was linked to a software change that allowed unexpected vibrations, leading to engine failures and emergency landings. Pratt & Whitney planned a software update to automate processes and reduce the need for inspections, pending regulatory approval [94454]. The problems arose following a recent update of the software controlling engine settings, indicating an internal software issue within the system.

Category: Nature (Human/Non-human)
Option: non-human_actions
Rationale:
(a) The software failure incident in this case was related to non-human actions. The incident was attributed to a software change that allowed unexpected vibrations, leading to engine failures and emergency landings on Airbus A220 aircraft operated by Swiss International Air Lines AG. The investigation was focused on whether the software change introduced these unexpected vibrations that caused parts to tear and forced the emergency landings [94454]. The article also mentions that the engine settings on modern aircraft are controlled by engine manufacturer software, indicating that the software played a critical role in the incident.
(b) The articles do not provide specific information about the software failure incident being directly caused by human actions.

Category: Dimension (Hardware/Software)
Option: software
Rationale:
(a) The software failure incident mentioned in the article is related to contributing factors originating in software. The article discusses a software update for the GTF engine on Airbus' A220, which is pending regulatory approval. The investigation into engine failures on the A220 is studying whether a software change allowed unexpected vibrations that tore parts and forced emergency landings. Additionally, the problems with the engine settings arose following a recent update of the software [94454].

Category: Objective (Malicious/Non-malicious)
Option: non-malicious
Rationale:
(a) The software failure incident mentioned in the article is non-malicious. It was related to a software update for the GTF engine on Airbus' A220 jet, which was being investigated for engine failures that led to emergency landings. The investigation was focused on whether a software change allowed unexpected vibrations that caused parts to tear and forced the emergency landings. The incident prompted checks on the GTF engine, and a software update was planned to address the issue pending regulatory approval [94454].

Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions, accidental_decisions
Rationale:
The software failure incident related to the engine failures on the Airbus A220 involved both poor decisions and accidental decisions:
(a) poor_decisions: The incident involved poor decisions related to a software change that allowed unexpected vibrations, leading to engine failures and emergency landings. The investigation was studying whether this software change contributed to the tearing of parts [94454].
(b) accidental_decisions: The incident also involved accidental decisions or unintended consequences, as the problems first arose following a recent update of the software controlling engine settings on the aircraft [94454].

Category: Capability (Incompetence/Accidental)
Option: development_incompetence, accidental
Rationale:
(a) The software failure incident related to development incompetence is evident in the article as it mentions that checks were ordered on the GTF engine on the Airbus A220 following engine failures on aircraft operated by Lufthansa subsidiary Swiss International Air Lines AG. The investigation was studying whether a software change allowed unexpected vibrations that tore parts and forced three emergency landings. Additionally, the article highlights that the Swiss problems first arose following a recent update of the software, indicating potential issues with the software development process [94454].
(b) The software failure incident related to accidental factors is also apparent in the article as it mentions that the problems with the GTF engines on the A220 and A320 NEO family planes arose following a recent update of the software. This suggests that the issues were unintentionally introduced during the software update process, leading to unexpected consequences and engine failures [94454].

Category: Duration
Option: temporary
Rationale:
The software failure incident related to the GTF engine on the Airbus A220 involved a temporary failure. The incident was attributed to unexpected vibrations that tore parts and forced three emergency landings, potentially caused by a software change that allowed these vibrations. Pratt & Whitney was working on a software update to address the issue, pending regulatory approval, which would automate processes and reduce or eliminate the need for current inspections [94454].

Category: Behaviour
Option: other
Rationale:
(a) crash: The software failure incident in the article does not involve a crash where the system loses state and does not perform any of its intended functions. The incident is related to engine failures on Airbus A220 aircraft due to unexpected vibrations that tore parts and forced emergency landings, leading to checks and software updates to address the issue [94454].
(b) omission: The software failure incident does not involve omission where the system omits to perform its intended functions at an instance(s). The focus of the incident is on addressing unexpected vibrations and engine failures on Airbus A220 aircraft through software updates and inspections [94454].
(c) timing: The software failure incident does not involve timing issues where the system performs its intended functions correctly but too late or too early. The incident primarily revolves around addressing the complex issue of unexpected vibrations at high altitude and high speeds on the Airbus A220 aircraft engines [94454].
(d) value: The software failure incident does not involve a value issue where the system performs its intended functions incorrectly. The incident is centered around addressing engine failures and unexpected vibrations on Airbus A220 aircraft through software updates and inspections [94454].
(e) byzantine: The software failure incident does not exhibit a byzantine behavior where the system behaves erroneously with inconsistent responses and interactions. The incident primarily focuses on addressing the specific issue of unexpected vibrations leading to engine failures on Airbus A220 aircraft [94454].
(f) other: The software failure incident involves addressing a complex issue related to unexpected vibrations that tore parts and led to engine failures on Airbus A220 aircraft. The incident required checks, software updates, and regulatory approval to automate processes and reduce or eliminate inspections currently being performed [94454].

IoT System Layer

Layer: Perception
Option: processing_unit, embedded_software
Rationale:
(a) sensor: The software failure incident related to the Airbus A220 engine failures was not directly attributed to sensor errors. The issues were more focused on software changes allowing unexpected vibrations that led to engine failures and emergency landings [94454].
(b) actuator: The articles did not mention any direct involvement of actuator errors in the software failure incident related to the Airbus A220 engine failures. The focus was on software changes causing unexpected vibrations and engine failures [94454].
(c) processing_unit: The software failure incident was primarily linked to processing errors introduced by software changes that allowed unexpected vibrations, leading to engine failures and emergency landings on the Airbus A220 aircraft [94454].
(d) network_communication: There was no mention of network communication errors contributing to the software failure incident related to the Airbus A220 engine failures. The focus was on software changes causing unexpected vibrations and engine failures [94454].
(e) embedded_software: The software failure incident on the Airbus A220 engine failures was directly related to embedded software errors. The incident involved a software change that allowed unexpected vibrations, leading to engine failures and emergency landings on the A220 aircraft [94454].

Layer: Communication
Option: unknown
Rationale:
Unknown

Layer: Application
Option: FALSE
Rationale:
Based on the provided article [94454], the software failure incident related to the GTF engine on Airbus' A220 jet was not explicitly attributed to the application layer of the cyber physical system. The article primarily discusses a software update for the GTF engine, inspections, unexpected vibrations, and engine failures, but it does not specifically mention bugs, operating system errors, unhandled exceptions, or incorrect usage as contributing factors to the failure. Therefore, it is unknown whether the failure was related to the application layer based on the information provided in the article.

Other Details

Category: Consequence
Option: no_consequence
Rationale:
(a) death: People lost their lives due to the software failure - There were no reports of deaths resulting from the software failure incident mentioned in the article [94454].

Category: Domain
Option: transportation
Rationale:
The software failure incident reported in the article is related to the transportation industry. Specifically, the incident involves the GTF engine on Airbus' A220 jet, which is used for air transportation [94454]. The article mentions that checks were ordered on the GTF engine following engine failures on aircraft operated by Lufthansa subsidiary Swiss International Air Lines AG, indicating a transportation-related issue [94454]. Additionally, the article discusses the impact on pilots and the operational restrictions imposed on flying the A220 above certain altitudes, further emphasizing the transportation aspect of the software failure incident [94454].

Sources
