PARIS/SEVILLE (Reuters) - Airbus and European safety authorities were warned in late 2014 of a software vulnerability in the A400M military plane that was similar to a weakness that contributed to a fatal crash seven months later, Spanish investigators have found.
The Airbus-built cargo and troop carrier crashed near Seville during a test flight in May 2015, killing four of the six crew, after three out of four engines froze minutes after take-off.
Data needed to run the engines had been accidentally erased when Airbus workers installed software on the ground, and pilots had no warning there was a problem until the engines failed, Reuters reported weeks after the disaster, citing several sources with knowledge of the matter.
A confidential report by Spanish military investigators into the crash, completed this summer, sheds new light on poor coordination and misjudgments that have dogged Europe’s biggest military project.
The findings confirmed the engines were compromised by data being wiped, according to extracts of the report seen by Reuters and three people familiar with the inquiry.
The report also said the engine-makers had warned Airbus and the European Aviation Safety Agency (EASA) in October 2014 that software installation errors could lead to a loss of engine data, and that technicians may not receive any warning before take-off that a problem had occurred.
When contacted by Reuters, Airbus said the crash was the result of “multiple, different factors and contributory causes”, but declined detailed comment about the investigators’ findings because they are not public.
The planemaker has since reviewed all systems and acted to “ensure the chain of identified causes could not happen ever again”, a spokesman added.
EASA declined to comment.
The engine-makers Europrop International (EPI), a pan-European consortium owned by Britain’s Rolls-Royce, Germany’s MTU and France’s Safran, declined to comment.
Spain’s defence ministry, whose air accident agency conducted the investigation, also declined to comment.
The crash is seen by some safety experts as an example of how failures - though rare - can occur in increasingly complex aircraft systems when several apparently minor weaknesses line up together to produce a serious risk.
The A400M was developed for Spain, Belgium, Britain, France, Germany, Luxembourg and Turkey and has been beset by delays and cost overruns which have taken it well beyond the original budget of 20 billion euros ($23 billion).
The A400M faced flight restrictions immediately following the crash but France’s air force has since praised its performance in operations against Islamist militants in Africa’s Sahel region, and it has also been used by France, Germany and Britain in hurricane relief efforts in the Caribbean.
The findings of the investigators show a rift between Airbus and its engine suppliers, at a time when the planemaker is negotiating a new delivery schedule with European governments and expects further writedowns on the A400M project this year.
Airbus and EPI disagree on who was responsible for installing the engine software, according to the investigators.
The software was installed by Airbus workers using the planemaker’s systems, but EPI says it should have been loaded by its own staff and using EPI systems, the report said.
EPI argued that it had authority over the software installation under civil rules, according to the report, which sheds light on regulatory confusion at the time of the accident about civil and military jurisdiction over the aircraft.
The A400M is a rare hybrid: a military plane with European civil certification.
Airbus argues it was right to install the software itself because it had authority under military rules, but says the design did not meet its specifications - a claim denied by EPI, according to the three people familiar with the inquiry, who declined to be named due to the sensitivity of the matter.
Spanish officials have backed Airbus, saying the assembly line is a defence facility and not subject to civil rules.
The potential problems flagged to Airbus by the engine-makers in October 2014 involved the possibility of human error in the installation process, according to the investigators.
The problem that actually occurred before the crash was of a technical nature, they added. The data for three engines was wiped when the software installation initially failed, and those files were never restored in the subsequent uploading process.
The investigators said the response to the 2014 warning from the engine-makers was inadequate. “The mitigation measures derived from that (problem) report were not sufficient,” they said in their findings. The warning should have led to a fuller risk analysis of the installation process, they added.
Once the plane was airborne, the fatal chain of events accelerated.
Unable to understand how to run the engines because of missing data, the plane froze the power at maximum, priming the huge transporter to go higher and faster, according to the three sources familiar with the inquiry.
But controllers ordered the crew to stay at 1,500 feet. Trying to obey, the crew reduced thrust, unaware that the faulty engines could only offer all or nothing, the sources said. The engines were then locked at idle, leaving only one working.
Seconds later, the plane plunged into a field.
Even though technical odds were against them, some experts have questioned how the pilots responded, saying that when an engine problem occurred they could have ignored controllers and climbed to safer levels before adjusting power.
Investigators found the pilots had not been trained to expect this scenario and that the A400M’s troubleshooting system did not help them. Airbus said the pilots were qualified and highly experienced.
($1 = 0.8649 euros)
Reporting by Tim Hepher in Paris and by Seville newsroom; Additional reporting by Sarah White in Paris; Editing by Pravin Char