Incident: Critical Software Bug Causes Fatal Airbus A400M Crash in Spain

Published Date: 2015-05-20

Postmortem Analysis
Timeline
1. The article [36029] places the software failure incident involving the Airbus A400M aircraft earlier in May 2015, so the estimated timeline for the incident is May 2015.

System
1. Electronic Control Units (ECU) on the aircraft's engines [36029]

Responsible Organization
1. Airbus [36029]

Impacted Organization
1. Airbus [36029]

Software Causes
1. The software bug identified in the Airbus A400M aircraft caused a fault in the control units of three of the four engines, leading to their power-off shortly after takeoff [36029].

Non-software Causes
1. The software problem caused a fault in the control units of three of the aircraft's four engines, leading to a power-off shortly after takeoff [36029].

Impacts
1. The fatal crash in Spain killed four Spanish air force crew members and injured two others [36029].
2. The fleet of A400M military transport planes was grounded by the UK, Germany, and Turkey following the crash, reducing the operational capabilities of those countries' air forces [36029].
3. The software bug caused a fault in the control units of three of the four engines, which powered off shortly after takeoff; this is a critical safety issue that affects the operational reliability of the aircraft [36029].
4. Delays in delivering the Airbus A400M, caused by technical issues with the software and other operations, have disrupted the planned deployment and operational readiness of the aircraft, affecting the overall efficiency of the defense project and potentially military capabilities [36029].

Preventions
1. Implementing thorough software testing procedures during the development phase to identify and rectify potential bugs or faults [36029].
2. Conducting comprehensive risk assessments that specifically focus on software-related issues, so that vulnerabilities are addressed proactively [36029].
3. Ensuring robust quality assurance processes for software components, especially for critical systems such as the engine control units, to minimize the chance of failure [36029].
4. Regularly updating and maintaining the software to address emerging issues or vulnerabilities that could lead to failures [36029].

Fixes
1. Conducting immediate checks on all A400M aircraft to identify and rectify the software bug that caused the fatal crash in Spain [36029].
2. Performing a one-time specific check of the Electronic Control Units (ECU) on each of the aircraft's engines before the next flight, and introducing additional detailed checks in the event of any subsequent engine or ECU replacement, as part of the Alert Operator Transmission [36029].

References
1. Der Spiegel [36029]

Software Taxonomy of Faults

Category: Recurring
Option: one_organization, multiple_organization
Rationale: (a) The software failure incident having happened again at one_organization: The article reports that Airbus issued a critical alert for immediate checks on all its A400M aircraft after a fatal crash in Spain was found to have been caused by a software bug [36029]. The incident involved a software problem causing a fault in the control units of the aircraft's engines, leading to a power-off shortly after takeoff. Airbus had previously faced technical issues with the complex software needed to run the A400M's four engines, indicating a recurring challenge within the organization. (b) The software failure incident having happened again at multiple_organization: The article mentions that the Airbus A400M, developed by European Nato governments, has faced problems related to software and other technical issues, causing delays in delivering the aircraft [36029]. This suggests that software failures and technical challenges are not unique to Airbus but have also been experienced by other organizations involved in the development and operation of military transport planes.

Category: Phase (Design/Operation)
Option: design
Rationale: (a) The software failure incident related to the design phase is evident in the article. Airbus issued a critical alert for immediate checks on all its A400M aircraft after a software bug was identified as the cause of a fatal crash in Spain. The report states that the software problem caused a fault in the control units of three of the aircraft's four engines, leading to a power-off shortly after takeoff. This indicates a failure introduced during the system development phase [36029]. (b) The software failure incident related to the operation phase is not explicitly mentioned in the article, so there is no specific information about contributing factors introduced by the operation or misuse of the system.

Category: Boundary (Internal/External)
Option: within_system
Rationale: (a) The software failure incident related to the Airbus A400M crash in Spain was within the system. Airbus issued a critical alert for immediate checks on all A400M aircraft after identifying a software bug as the cause of the fatal crash. The software problem caused a fault in the control units of three of the aircraft's four engines, leading to them powering off shortly after takeoff [36029]. The incident was attributed to an internal software issue within the aircraft's own systems.

Category: Nature (Human/Non-human)
Option: non-human_actions
Rationale: (a) The software failure incident in the Airbus A400M crash was attributed to a software bug that caused a fatal crash in Spain. The report identified a software problem that caused a fault in the control units of three of the aircraft's four engines, leading to them powering off shortly after takeoff. This indicates a failure due to contributing factors introduced without human participation [36029]. (b) The article does not provide specific information about human actions contributing to the software failure incident.

Category: Dimension (Hardware/Software)
Option: hardware, software
Rationale: (a) Related to hardware: The article mentions that a software bug caused a fatal crash of an Airbus A400M aircraft during a test flight in Spain. The software problem caused a fault in the control units of three of the aircraft's four engines, leading to them powering off shortly after takeoff [36029]. (b) Related to software: The same article identifies a software bug as the cause of the fatal crash. The software problem affected the control units of the engines, indicating a software-related issue [36029].

Category: Objective (Malicious/Non-malicious)
Option: non-malicious
Rationale: (a) The software failure incident related to the Airbus A400M crash in Spain was non-malicious. The incident was caused by a software bug in the control units of the aircraft's engines, leading to a fatal crash during a test flight. Airbus issued a critical alert for immediate checks on all A400M aircraft to address the software problem that caused the engines to power off shortly after takeoff. The alert required operators to perform specific checks on the Electronic Control Units (ECU) of each engine before the next flight, consistent with a non-malicious software failure [36029].

Category: Intent (Poor/Accidental Decisions)
Option: unknown
Rationale: (a) The software failure incident related to the Airbus A400M crash in Spain was not attributed to poor decisions but to a software bug that caused a fatal crash. The incident was attributed to a software problem that caused a fault in the control units of three of the aircraft's four engines, leading to them powering off shortly after takeoff [36029]. The alert issued by Airbus called for immediate checks on all A400M aircraft to address the software bug, indicating that the failure was a technical issue within the software system rather than the result of poor decisions.

Category: Capability (Incompetence/Accidental)
Option: development_incompetence, accidental
Rationale: (a) The software failure incident related to development incompetence is evident in the Airbus A400M crash in Spain. The article reports that a software bug caused a fatal crash, leading to the grounding of the A400M fleet by multiple countries. The software problem caused a fault in the control units of three of the aircraft's four engines, resulting in them powering off shortly after takeoff. This highlights the challenges of developing and testing the complex software needed to run the aircraft's engines, which is a collaborative effort between multiple companies [36029]. (b) The accidental aspect of the software failure incident is also apparent in the Airbus A400M crash. The report identified a software bug as the cause of the fatal crash during a test flight in Seville. The incident resulted in the death of four Spanish air force crew members and the injury of two others. The software issue was not intentional; it was a bug that led to the engines powering off unexpectedly after takeoff, indicating an accidental failure [36029].

Category: Duration
Option: temporary
Rationale: (a) The software failure incident related to the Airbus A400M crash in Spain was temporary. The incident was caused by a software bug that led to a fault in the control units of three of the aircraft's four engines, causing them to power off shortly after takeoff. This specific software problem was identified as the contributing factor to the fatal crash, leading to immediate checks being called for on all A400M aircraft [36029].

Category: Behaviour
Option: crash
Rationale: (a) The software failure incident in the Airbus A400M crash in Spain was a crash, in which the system lost state and did not perform its intended functions, leading to a fatal outcome [36029]. The software problem caused a fault in the control units of three of the aircraft's four engines, resulting in them powering off shortly after takeoff and leading to the crash [36029].

IoT System Layer

Layer: Perception
Option: sensor, processing_unit, embedded_software
Rationale: (a) sensor: The software bug in the Airbus A400M aircraft caused a fault in the control units of three of the aircraft's four engines, leading to them powering off shortly after takeoff. This indicates a failure related to the sensor layer, as the control units of the engines were affected by the software bug [36029]. (b) actuator: The article does not specifically mention any issues related to actuators in the context of the software failure incident. (c) processing_unit: The software bug identified in the A400M aircraft was related to the Electronic Control Units (ECU) on the engines, indicating a failure at the processing unit level due to the software error [36029]. (d) network_communication: The article does not mention any network communication errors contributing to the software failure incident. (e) embedded_software: The software bug identified in the A400M aircraft was within the embedded software that controlled the engines' Electronic Control Units (ECU), leading to the engines powering off shortly after takeoff. This points to a failure related to the embedded software layer [36029].

Layer: Communication
Option: unknown
Rationale: The software failure incident related to the Airbus A400M crash in Spain was not directly related to the communication layer of the cyber-physical system. The incident was attributed to a software bug causing a fault in the control units of the aircraft's engines, leading to a power-off shortly after takeoff. The issue was linked to the control units of the engines rather than to the communication layer [36029].

Layer: Application
Option: TRUE
Rationale: The software failure incident involving the Airbus A400M aircraft was related to the application layer of the cyber-physical system. The incident was caused by a software bug that led to a fault in the control units of three of the four engines, resulting in them powering off shortly after takeoff [36029]. This matches the definition of an application layer failure, which is attributed to bugs and errors in the software code.

Other Details

Category: Consequence
Option: death, harm, delay
Rationale: (a) death: People lost their lives due to the software failure. The software bug in the Airbus A400M aircraft caused a fatal crash in Spain, resulting in the death of four Spanish air force crew members [36029]. (b) harm: People were physically harmed due to the software failure. In addition to the fatalities, two Spanish air force crew members were injured in the crash caused by the software bug in the A400M aircraft [36029]. (e) delay: People had to postpone an activity due to the software failure. The fleet of A400M aircraft was grounded by the UK, Germany, and Turkey following the crash, causing delays in the delivery of the aircraft [36029].

Category: Domain
Option: transportation, government
Rationale: (a) The failed system was intended to support the transportation industry. The software bug in the Airbus A400M military transport plane caused a fatal crash during a test flight in Spain, leading to the grounding of the fleet by multiple countries [36029]. The A400M is a military transport plane developed by European Nato governments to replace ageing military transporters, which indicates its role in supporting the transportation industry.
