Schneier on Security
A blog covering security and security technology.
October 1, 2005
Potential Airbus Flaw and Coverup
An engineer made public a flaw in a computer chip used in the Airbus A380 aircraft. The resultant cover-up is, sadly, predictable.
Posted on October 1, 2005 at 8:33 AM
Thanks for sharing this story, I really enjoyed reading it but it made me sad too.
In all fairness, this could also simply be a disgruntled engineer trying to get back at his former employer.
Yawn. Yet more liberal left-wing "let's hate on American companies" nonsense.
You may as well bring up your Diebold 'insider' partisan rubbish again.
Airbus is a European company. You're thinking of Boeing; if you're thinking at all.
If he was just a disgruntled employee then surely it would be cheaper and easier just to prove his allegation false? Instead they chase him through civil and criminal courts including, significantly I believe, getting a gagging order against him.
Which would vindicate them? "Look, we have nothing to hide - here are the facts that prove him wrong." OR "We need to keep him quiet."
Also he's bankrupting himself to make his version of the facts known. If he was malicious there are many ways he could do damage without also putting himself in the firing line.
On those facts and on the balance of probabilities I'd say he's innocent and they're guilty.
If you haven't got anything useful to add to the conversation be a good chap and keep quiet, eh?
I have to confess I had a similar reaction to this story as Juergen, Ian. I don't understand all of the issues Mangan has raised because the Times didn't explain them very well. I know there's a lack of redundancy in the design for the overall system, but there was never any clear explanation of what problems the TTTech chips supposedly have.
If it were as clear and straightforward as you propose, Ian, then the problem would be as easy to prove as it is to disprove. I think the problem is much murkier than you think, which is why there hasn't been a simple engineering-based test to confirm or refute the claims.
If TTTech hadn't satisfied Airbus that their chips are sound, then Airbus would be all over them to prove that they work in the A380's system. With the controversy over this issue, do you think for a moment that Airbus aren't poring over this with a fine-toothed comb to ensure that it doesn't come back to haunt them later?
Mangan's "weblog" as referenced in the LA times story seems to be http://www.eaawatch.net/ - while it looks like a conspiracy nut site from the layout and language on the front page, there's a lot of detailed information there that makes his version of the story appear rather plausible if the documents are genuine.
I doubt he's making it up - though it's still possible that his ex-employers are correct in their assessment that the risk is negligible.
Given the amount of pressure that Airbus and their component vendors are under to finish the A380 on (revised) schedule, I wouldn't find it too surprising if some kind of cover-up was attempted.
I think you need to look at it from both sides. On one side, you have a little guy who is bankrupting himself over something he thinks is wrong. On the other side, you have a big company who asserts that they have remedied any problems that this little guy brought up.
I don't think anyone bankrupts themselves over something like this unless they are absolutely convinced they are right. However, there is the thing that you can be convinced you are right, yet be wrong. The thing is you need to know the difference. Does this guy know what he is talking about? If he was one of the people involved in engineering that chip, I'd say he probably does know what he is talking about.
On the other hand, Airbus and TTTech seem to say they have dealt with the problem. They are mum about what they did. Maybe they did fix the software defect, and our little guy's complaint is old news. But being mum is what makes this all so mysterious. However, it often makes sense, given the industry trend to try to keep "innovative" ideas secret. Whether it benefits them or not is another story. But, nevertheless, when it comes to your and my safety -- do you really really want the safety system to be hidden from the public eye? Do you really want the public to be kept in dark about how this system works? This is a scary situation -- we have a company that refuses to disclose how their mission critical technology works, and expect us to just trust them. How often have you found a business that you feel you can really trust. Do you find Airbus and TTTech to be among those business that you can trust this blindly?
And to respond to Boyd's comment about whether Airbus would look into whether the chips are actually sound, well, businesses often don't work that way. Time and time again businesses have made trade offs to save money at the expense of safety. Publicity and controversy like this can help prevent this, but only to some degree. In this instance, Airbus is probably smart enough to know that when the A380 comes out, most people would have forgotten all about this safety debacle over the chips. And our little guy won't have the ability to turn up the volume of his voice at that time.
Sadly, I think lot of the times, it takes accidents, and deaths to make changes. It did for the steam engine, and I think it will for this too. But, I'm not going to live my life worrying about the A380, and might even fly on those. I'm sure Airbus is banking on lot of people making similar decisions, which might not condone their action (assuming they are lax in this area).
If Boeing is planning on using the same chips in their 787, one assumes they think it's safe.
i don't know if he's right or wrong on the chip safety issue, but mangan has a screw loose. nothing in the article explains why he had to remain in austria, what it was he had to do there that couldn't be done just as well, with much greater civil rights and safety, here in the u.s. if he were a single man his decisions wouldn't impact other people, but he has a family, and the article doesn't say his children were polled and assented to their daddy rotting in an austrian jail for a year. his actions are inconsistent with being a good husband and father.
Tim, just to be clear, I specifically meant that *after* all this publicity, Airbus can't blithely hope that the public will forget about it after a few months, or even a few years. If an A380 ever suffers from a catastrophic decompression, even if it has nothing to do with the TTTech chips, people will be going after them big time. While many companies do some stupid things sometimes in what they calculate is their own best interest, I'd think this one is pretty obviously one you have to be damned sure about, just to protect the potential viability of your company.
another_bruce, I agree with you on that call. I would have moved back to the U.S. at the advice of my attorney, at the latest.
According to the article, he didn't become a former employee until he blew the whistle, and refused to shut up.
i.e.: "This guy said stuff we don't like, so we fired him. He only said it because he's mad at us for firing him." - I'd love to know the space-time gyrations necessary to accomplish that Escheresque chain of events!
"In all fairness, this could also simply be a disgruntled engineer trying to get back at his former employer."
Certainly true. We have very few facts here.
September 21st, a Jet Blue A320, flight 292, out of Burbank for NYC got off the ground with the nose gear turned 90 degrees, a problem they could not clear.
The pilot flew around for hours to burn off most of the fuel, then landed very nicely at LAX's longest runway, using up 95% of its length. Hats off to that guy.
At first, nobody had ever heard of such a thing. Later it came out that the nosewheel problem had happened at least six times before and the cause had not been corrected.
The pilot had to burn off fuel because the A320 cannot dump fuel.
Keeping the A320 flying with that occasional nosewheel vulnerability was a business decision. So was omitting the option of dumping fuel. Airbus and its customers are gambling that in the long run these will prove to be profitable decisions. And they hope that no A320 will ever have to return to the ground immediately after takeoff because then the aircraft would exceed maximum weight for a safe landing.
And they are betting that terrorists will not take advantage of the inability to land in a hurry while heavy with fuel. It's a business decision.
"Don't you think we would look into it, and if we found it was true we would do something about it?"
Those are interesting words from the Airbus spokesman. That kind of phrasing sets my alarm bells ringing. Did they look into it, or did they not? If they did, why not just say that?
The nonresponsive reply, phrased as an accusatory question (similar to the "how could you think that of me?" of the wounded lover) is a classic way of avoiding the issue. It's like a bluff, raising the stakes of the conversation by making it difficult to pursue the subject politely. And it always makes me suspicious.
The article seems somewhat vague:
'TTTech executives insist that their product is safe. They portray Mangan as a disgruntled ex-employee seeking retribution and eager to blackmail them. "He's trying to destroy the company," Chief Executive Stefan Poledna said.'
"They portray" is an interpretation of what the CEO said, and isn't a direct quote. The journalist could've misunderstood. If the CEO did indeed explain a story that was inconsistent with the facts, the journalist writing the article should've asked why - or at _least_ commented on it directly.
The article reads more like a collection of facts to interpret rather than a professional attempt to produce a consistent narrative. It leaves me wanting to do further - something that is the job of the journalist writing it.
Airbus says that the A380 has achieved redundancy by installing the extra cabin-pressure valves, which provide a safety cushion in case a valve fails.
These four are in parallel, are they not? As in, any one of them could open causing a drop in cabin pressure? (Okay, but if one fails open then the drop in pressure will be less rapid than if all four open, but the outcome in the longer term is the same: depressurisation of the cabin).
And they all use the same components, thus there is some risk of a failure mode which causes all four to fail in the same way simultaneously? This should strike Airbus as a major potential problem...
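The redundancy argument in the comment above turns on two points: whether the four valves are in parallel (so any one failing open depressurises the cabin), and whether a shared component can make them all fail together. The following is an added illustration, not code from the original thread or from Airbus/TTTech; the failure probabilities are constructed, and the beta-factor model (a fraction `beta` of each component's failure probability is attributed to a shared cause that takes all copies down together) is an assumption chosen to show why common-mode failure dominates once components share a chip.

```python
def p_any_fails(p_fail: float, n: int) -> float:
    """Probability that at least one of n independent components fails.

    This is the 'fail-open' case for valves in parallel: one valve opening
    is enough to drop cabin pressure, so adding valves *raises* this risk.
    """
    return 1.0 - (1.0 - p_fail) ** n


def p_all_fail_independent(p_fail: float, n: int) -> float:
    """Probability that all n components fail, assuming independence.

    This is the number a redundancy argument usually quotes: with n copies
    the joint failure probability shrinks geometrically.
    """
    return p_fail ** n


def p_all_fail_common_cause(p_fail: float, n: int, beta: float) -> float:
    """Probability that all n components fail under a beta-factor model.

    Assumption (not from the page): a fraction `beta` of each component's
    failure probability is a shared cause (e.g. a chip used by every valve)
    that fails all copies at once; the rest fails copies independently.
    """
    p_common = beta * p_fail           # shared-cause failure, hits all n
    p_indep = (1.0 - beta) * p_fail    # per-copy independent failure
    # All n fail if the common cause fires, or, failing that, if every
    # copy independently fails on its own.
    return p_common + (1.0 - p_common) * p_indep ** n


def compare(p_fail: float = 1e-3, n: int = 4, beta: float = 0.1) -> dict:
    """Constructed numbers: per-valve failure 1e-3, four valves, 10% shared."""
    return {
        "any_fails_open": p_any_fails(p_fail, n),
        "all_fail_independent": p_all_fail_independent(p_fail, n),
        "all_fail_common_cause": p_all_fail_common_cause(p_fail, n, beta),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>24}: {value:.3e}")
```

With the constructed inputs, four independent valves push the joint-failure figure down to 1e-12, but a 10% shared-cause fraction brings it back to roughly 1e-4, i.e. the shared component, not the number of copies, sets the floor. The `beta` value is the quantity a certification review would have to justify for the shared chip.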
You misunderstand that the A320 "cannot land in a hurry". That model airplane is rated as safe to land with full cargo and full fuel load. Since it can land with a maximum load, there was no reason to install a fuel dump. Under normal circumstances, it can turn right around and land anytime.
But this particular A320 was not normal. It had a broken landing gear. It was not "safe" to land at _any_ weight. So they lightened the load as much as possible and then landed very carefully. The dice rolled in their favor, and it came down OK.
Also- even if that particular plane had a fuel dump, they still would have wanted to circle. Airliner fuel dumps are _not_ installed at the bottom of the fuel tank. They are partway up the side. That way, it is impossible for a plane to lose all fuel if the fuel dump is opened accidentally. The dump valve can reduce some of the plane's weight, but not all of it.
Just because Boeing are planning on using the same chip, doesn't vindicate Airbus. From the scant information the issue appears to be the way the system is designed, if the chip fails so does all the air-tight valves. Boeing could have a design that overcomes this system design flaw.
Isn't it something that a correctly organized consumer pressure can solve?
What if we, the potential consumers, say that due to concerns raised regarding the TTT chip, we will refuse to fly on any plane that relies on that chip until such time as the exact details of the proposed problem be revealed to the public, along with the steps taken to handle it?
This way, if the guy is talking nonsense, we'll know about it. It's the "open source" way of making sure such problems are resolved. You and I will not know what to do with the information, but someone will.
Also, TTT will not sell a chip that Airbus won't buy, Airbus won't buy equipment that will cause the plane not to sell, and air companies will not buy an airplane that the consumer won't fly with. It's the real way to create consumer pressure.
Another big reason the A320 in question didn't land right away is because there was the possibility of an accident during the landing. In the case of an airplane accident, it's best to have as little highly-flammable material in the vicinity as possible, so the pilot burned most of it off in a safe manner beforehand.
It would still make sense to have a dump valve installed for exceptional circumstances, but not having one doesn't strike me as a very bad idea.
Problem with "customer won't ride, airline won't buy, airbus won't use" chain of event is that for most part customers don't care all that much about the technical properties of the specific airplane. Plus, we book by flight, not by plane.
I wouldn't go as far as claiming it's a cover-up solely based on that article. As far as I know A380's aren't yet in production so there's likely going to be glitches and fixes to them. And didn't the manufacturer of the chip admit there was a glitch and that they have already fixed it? I mean, this still isn't a production plane, so like they say, they still have plenty of time to fix any problems they find. The story of the family made me a bit sad tho.
Some excellent comments above, but many seem to be in search of more data.
This reprint of the WSJ article from April 28, 2005 says the core question is whether "simple" commercial off-the-shelf (COTS) products should be trusted, or thoroughly evaluated before they are used on a commercial plane.
"a former employee of a subcontractor to Airbus...alleges that company managers misled Airbus and authorities about shortcomings in the certification paperwork for a chip and software to be used on the plane"
"A pivotal issue in the case is that TTTech's system was developed using commercial off-the-shelf, or Cots, systems that were designed for other purposes, rather than custom aviation software developed from scratch. TTTech developed its Cots equipment in the 1990s mainly for cars and trains, and more recently adapted it for aviation."
The article goes on to say "European regulators and other people familiar with the certification of TTTech's equipment supported some of Mr. Mangan's claims about documentation shortcomings. These people said TTTech and Nord-Micro initially took the position that some equipment required a low level of certification documentation because of its use in other transport applications. Regulators said documentation was insufficient and have asked the companies to meet higher certification standards. The companies are now preparing the documentation."
I think the question is really whether projects like this should be allowed to use implicit trust when evaluating security (to expedite the project and meet "productivity goals") or whether every part should be tested and validated.
So although consumers might want safe airplanes, if Airbus does not have enough quality engineers (or other resources) on the job to do the proper tests, and their project managers are driven to produce without a realistic sense of risk/accountability, then Mangan was right to raise a flag and to demand validation even for COTS. On the other hand, if Airbus could show documentation today that the device was sufficiently simple to be trusted and the risk managed through redundancy (pun not intended), then we might all rest better at night, including Mangan.
An economics professor I knew once told a story about how rigid productivity markers and incentives that ignore inputs as well as consumer values can have odd effects.
He said (and supposedly it was true) that a glass-making plant in the USSR was told that they would be measured on the weight of glass produced per day. Since they could not increase the amount of raw materials, and there was no fear of consumer backlash, they started making hugely thick panes that wouldn't fit any frame. Eventually this was found to be unacceptable and so the plant was told they would be measured by metre of glass produced. Again, without control of the raw materials or regard for the consumer, the result was many more metres of panes produced but so thin that they broke before they ever made it into the frames.
My point is that I see the markings of a similar problem here.
One last thought. Although I hate to make a brief comment on the connection, since there are clearly other factors to consider, I couldn't help but notice that one of the more "security conscious" airlines (El-Al) just ordered Boeing 777s instead of the new Airbus.
My reading of the Yahoo article cited by Davi is that El Al chose the 777 over the A340 and *not* the "new Airbus" (A380).
Well... In the case of El Al, I think politics play a major part in choosing airplanes. Would Israelis prefer to buy a plane made by mainly pro-Palestinian countries or by the USA?
You can also wonder whether the US would let Israel buy European planes:
As for technical reasons, I don't think El Al owns Airbus planes. It does make technical/business sense to standardize your fleet to save money on maintenance/training/...
Could it be economical warfare?
Against TTTech? I don't know what's so special about "time-triggered protocol", but it seems really "hot" and the primary revenue for TTTech
Against Airbus? Much of the "buzz" is aimed at A380 safety..
Anyway, public disclosure would be welcomed..
"...the core question is whether "simple" commercial off-the-shelf (COTS) products should be trusted, or thoroughly evaluated before they are used on a commercial plane."
I'm hardly an expert, but isn't the evaluation/certification process largely responsible for high reliability/safety record of commercial aircraft? That, and the redundancies built into the aircraft? These things do cost money, but would anyone argue they're not worth it?
There's clearly tension between for-profit aircraft manufacturers trying to cut costs and costly certification processes, but that's what makes the processes necessary. Without them, companies will typically choose the least costly route rather than the safest, and the "tort reform" that reduces corporate liability removes yet another force constraining the behavior of companies.
I don't know how many of y'all are trained as engineers, but I can tell you right off that while this guy should have left the country (even if only to stay in Germany) he is doing the same thing that a lot of other engineer-folk would be doing. If our signature gets attached to a life-safety device and that device fails any one of us engineer folk could be looking at really long jail terms. That is the way it is. Managers happen to usually be exempt from this, by the way. One of the complaints made is that his signature was forged--a really big deal no matter what.
That out of the way--what is being protested against, mind you, more than anything else is the requirement by his employer that he "un-blow" the whistle. This is the real problem. Even if they can fire him for blowing the whistle (which arguably, they should not be able to do--even if he would want to leave afterward anyway), the company should not be able to force him to retract statements made to officials about questionable practices and actions inside of the company. If any company can force individuals to back down on comments made to officials then the rule of law fails.
"If our signature gets attached to a life-safety device and that device fails any one of us engineer folk could be looking at really long jail terms"
That's the fear, but does it really ever play out that way?
US tort law seems to say that experts are supposed to be aware of the risks and act accordingly (e.g. the decision in T.J. Hooper v. Northern Barge Corp, which stated "There are precautions so imperative that even their universal disregard will not excuse their omission"), but the question here is quite a bit more murky especially because of the difference to EU/Austrian laws.
A system appears to have been put in place to reduce the bureaucracy and paperwork around "simple" COTS products. That transitive trust relationship takes the engineers (validators) out of the loop to large degree. It's not clear who/how a product gets defined as simple enough to not need a deep-dive review (as opposed to complex products), and if memory serves correctly even bolts, nuts and washers go through an extremely thorough review process and are classified prior to use in the airline industry. Mangan was apparently arguing that the devices were "complex" and their behavior uncertain/unpredictable enough to require more thorough testing before trust could be established.
So if a bolt fails because it was deemed too simple to bother evaluating beyond the vendor's claims, do you blame the regulators who came up with the "simple" clause, Airbus for trusting the paperwork, the vendor for producing the paperwork to be trusted, the manager for signing the paperwork to establish trust, or the engineer who signed the document that was included in the paperwork, etc.. Now, what if the engineer wasn't required to sign anything except a document that says the device is predictable in certain circumstances, and then the device is used in different circumstances?
Beyond that, in the case of most software the concepts of "thorough review" and "security classification" are almost anathema to its creation. I find very few, if any, COTS software products are actually to be trusted at face value and require extensive review, if not reverse engineering, before they can truly be trusted. The "go fever", as NASA described it after their shuttle disaster(s), is endemic to software development culture. From the buyers perspective I believe Gartner once referred to this as the 90-10/10-90 rule -- 90 percent of money spent on COTS software in the first year will be the license, etc., with only a 10 percent modification required to make it meet expectations, but then the percentages flip (the honeymoon is over) and 90 percent of the product cost will be trying to get the thing to do what was advertised, and maybe even do it reliably.
Note, I touched on the hidden risks of COTS software and didn't even mention Microsoft.
"El Al chose the 777 over the A340 and *not* the "new Airbus" (A380)"
Yes, I noted that but I also wondered if Airbus would have been able to sell El-Al an A380, even if they wanted it, given the uncertain delivery date.
When people die, someone has to pay. It eventually will boil down to the engineer that signed off on the design, no matter if there was pressure from management.
@ Fred F.
Well, don't you think circumstances matter a little? I mean if an engineer is told they have to go along with something against their protestations, then how hard would it be for the engineer to prove that they disagreed...was it not the vice president of engineering at Morton Thiokol, Bob Lund, who was in hot water for the Space Shuttle Challenger disaster?
To paraphrase loosely: The engineers were worried about the cold weather and the Shuttle so they tried to convince management to delay the launch. During that meeting Bob Lund was told by Jerry Mason, the General Manager, to "take off his engineering hat and put on his management hat".
Alas, were the engineers held accountable for the failure? It does not appear so:
Or, to put a finer point on this topic, compare the harsh review of management to the awards and recognition given to Roger Boisjoly as an engineer who tried (in vain) to avert a predictable disaster:
From a broader perspective, Edwin Layton had some interesting insights into this kind of "manager versus engineer" dilemma in his classic book "The Revolt of the Engineers : Social Responsibility and the American Engineering Profession".
FWIW, the recent news about the Concorde investigation seems to be aimed squarely at the Director of program:
So it seems to me that when an engineer values initiative, loyalty, and the team effort over quality, safety, and superior design, they have become management and must therefore assume the related accountability. On the other hand, if someone is still expected to be an engineer, then they should be expected to produce quality, safety and superior design.
I read the LA-Times link, and whether the allegations of this gentleman are true or not, I do feel that LA-Times has focused it in a very one-sided manner and on various points has led to false assumptions. For example, I do not think anyone is trying to "gag" him. Courts (at least in the European countries I know of) issue orders that people involved in a case are not allowed to talk about it to the press or in public.
The article is purely relying on the emotions of the reader and painting Mr. Mangan to be the poor victim.
Another thing to consider, and this may be far fetched, maybe not; the Airbus 380 is a big blow to Boeing and somewhere down the line, and although they are coming out with other low-cost alternatives as well as a replacement for the 747, it will be quite a while before we see any of these in the commercial arena. Mr. Mangan could eventually be reimbursed under some other identity by some competing company to Airbus. Now there's a conspiracy theory to think about :)
Did anybody actually read the second paragraph in my last post? Note what I say--I'm more worried about the rule of law than I am about this guy's scalp.
This message is from Joe Mangan, the whistleblower from the Los Angeles Times Article.
At a total cost of $80 per aircraft, AIRBUS can totally eliminate any possibility of a deadly rapid cabin depressurization from occurring. The absurdity of the Ford Pinto Cost / Benefit analysis has now come to dominate the Civil Aircraft business.
See Pinto Madness
The Commercial Aircraft Industry economic business model is seriously flawed, and is actively engaged in transferring financial risk from Corporations to threaten the lives of the passengers and crew without their informed consent.
This issue is not about AIRBUS vs BOEING, this is AIRBUS and Boeing, and FAA, and EASA, and the Aircraft system suppliers and their sub suppliers. This is about all of the elements of the system being under tremendous pressure to be overly aggressive in the use of untested, unproven, low cost technology containing high uncertainty. The use of technology of high uncertainty always results in projects taking far longer to complete and costing far more than originally planned. This is project risk, and risk is nearly always significantly underestimated in project planning of modern Aerospace Programs. In essence we have the world's biggest game of "Russian Roulette". With Boeing and Airbus gambling that the other will pull the trigger on the chamber containing the live round, thus ending the game. I believe that what we are about to see if the combatants do not "throttle back" is the story of the 3 Japanese fighting fish, where the smart fish (China, India, Japan) allows the other 2 fish to fight to the death, leaving the survivor too weak to fend off an attack from the stronger smarter fish who wins virtually unopposed.
I feel a great sympathy and compassion for those who failed the morality test, challenged with facing the agonizing decision over career and wealth, vs the cost to human lives of their choice. My Christian conscience would not allow me to look the other way, realizing that for my own comfort and security, I would have to knowingly rationalize my own selfish interest, and thereby place at risk the lives of innocent Men, Women, and Children.
I have waited an entire year (October 2004) in a tireless pursuit to work with AIRBUS, Nord Micro, TTTech, EASA, and FAA to correct these issues in private. These organizations refused to take any action. I was left with no other avenue than to pursue the issue in the public domain one year later. I had simply exhausted every opportunity available to me. I even visited the CEO of Nord Micro in his booth at the Paris Airshow, spending 40 minutes with him and his engineers in an attempt to convince them to act in the interest of public safety. Numerous failed attempts in good faith with TTTech are documented on my website. In each and every case, TTTech violated agreed to terms, and demanded in each case a retraction of my official statements to EASA and FAA, which has always been understood to be non-negotiable.
Are these people who failed the moral challenge evil? No, they must decide what is more important to them, the lives of people vs profit, comfort, and security for themselves. The laws currently favor those who choose profit over safety. Protections and safeguards, even in the United States are insufficient to motivate a whistleblower to put themselves and their families in "harm's way". One only need to look at the Corporate Crime Spree of WORLDCOM, ENRON, TYCO, ADELPHIA, HEALTHSOUTH and others.
Conscience can only motivate a whistleblower to act first in the interest of others.
When confronted by Executive Management with data showing the program is significantly over schedule and over budget, direct pressure is applied to find a way to "get back on schedule". Just as with the WORLDCOM case of Ebbers, all that must be said, is that "we have to make our numbers", providing the executive management with culpable deniability. As the message passes down the chain, ultimately to "middle management" and the engineers, fraud is committed to hit the numbers to impress the boss.
The "Honor System" of Aircraft Certification, is completely open to exploitation. No safeguards exist. No pressure relief exists for someone to "stop the process" when something is discovered to be seriously wrong. Everything continues to move forward, and the troublemakers are eliminated. The companies hope that when issues are discovered on an aircraft, they will not cause someone to be killed, and they will fix the problem later, after the Aircraft is in commercial service, over many years of incremental updates, in a system known as "fly-fix-fly".
The Aerospace industry has a name for this disease, "NASA Chicken", and it comes from the Challenger disaster. Read the minority opinion section of the Columbia NASA Return to Flight Task Force, and the comments by the Co Chair of the Task Force, former astronaut, now Boeing President, Richard Covey: "If you watch sausage being made, it's not always pretty and some people are going to find it uglier than others. I personally did not find the process, as it played out, unusual." These comments coming from systemic non-compliance with safety critical processes and procedures. Coming from a Boeing Aerospace executive, tells you the level of disdain for compliance within the Aerospace industry.
With the contracts signed with the airlines requiring the payment of penalties by Boeing and AIRBUS for each day an aircraft is delayed from the contract delivery date, on a contract signed years earlier, the pressure to meet ridiculous schedules with multimillion dollar penalties is causing the aircraft system suppliers, aircraft manufacturers, and certification authorities to look the other way, because they will be blamed for the costs and delays for the program.
I have a duty to protect public safety, which is far higher than to a "preliminary injunction" gag order, obtained by the false statements of TTTech Executives under oath, that while legal in Austria, is not legal in the European Union.
In addition, as Chief Engineer, I have personal liability for the systems which are approved under my signature authority. The Chief Engineer of the Concorde in 1969, is, this week, being charged with manslaughter in 2005, 36 years later, for the accident which ruptured the fuel tank, resulting in a crash which took the lives of 113 passengers.
The former head of the Concorde program is reported to have been put under judicial investigation for manslaughter in the case looking into the 2000 crash of the supersonic jet that killed 113 people.
Henri Perrier was the chief engineer on the plane's first test flight in 1969 for Aerospatiale
http://edition.cnn.com/2005/WORLD/europe/09/27/... nce.concorde/index.html [cnn.com]
I must remain in Austria to face both the Civil and Criminal Charges, and to receive a final report from the European Aviation Safety Agency (EASA) with the determination of my allegations, so that the responsibility is transferred from myself to the European Union Government, and to the European state of Austria. If I fail to defend myself against the charges of TTTech, by running to the United States, I will be found guilty of the charges. If the allegations are not fully investigated, and serious injuries and deaths result from a failure of the system, I will be presumed to be guilty, having failed to perform my duty to protect public safety.
As Dickens wrote in the “Tale of Two Cities”, “The needs of the many outweigh the needs of the few, or the one”. My needs, and the needs of my family, pale in comparison to the need to protect the lives of the passengers and crew of the aircraft, which will grow to be certified to a maximum of 856 persons.
Preliminary data from an internationally recognized Cabin Pressurization Expert shows that the passengers and crew will be exposed to an external pressure equivalent of 38,000 feet. At and above 33,000 feet, even with an oxygen mask on, passengers will quickly become unconscious. With 500 to 800 passengers, there is not enough time for stewardesses to get the masks on passengers who failed to get their masks on before passing out. In addition, decompression sickness can cause death for passengers, especially those over the age of 40, and the risk increases further with increased fat content, as fat stores a tremendously dense amount of nitrogen.
The data also show that the passengers will be exposed to a cabin altitude above 25,000 feet for more than 2 minutes. This violates FAA, JAA, and EASA regulation 25.841, and the amendment known as 25-87. As a result, AIRBUS has asked for, and has been given, an Exemption by the FAA to this rule, over the protests of the medical community.
http://126.96.36.199/search?... www.flightinternational.com/FALANDING_193601.htm+% 22FAA+pressed+on+altitude+limits%22&hl=en [188.8.131.52]
The Boeing 787 Cabin Pressurization System is also to be provided by Nord Micro; however, Boeing demanded that the traditional 3 motor Outflow Valve Design be used, instead of the AIRBUS A380 single motor design. The system implements the “dissimilar redundancy” required by the regulations to assure that the system is “fail safe”, and the outflow valve control is redesigned to contain 2 equally functional redundant controllers (primary and secondary).
However, Honeywell, chosen to provide the Boeing 787 Fly by Wire Flight Control System, is using the TTP/C controller as the exclusive communications element for each of the redundant channels of the system. Honeywell had demanded changes to the TTP/C controller and Protocol to eliminate safety critical defects in October 2003. TTTech Chairman of the Board, TU Vienna Professor Dr. Hermann Kopetz, grudgingly agreed to make the changes, in order to win the “exclusive contract” for the use of the TTP/C chip in the fly by wire proposal to Boeing. TTTech’s CEO and CFO failed to make the investments to comply with the agreement, and in July of 2004 Honeywell was awarded the Fly By Wire contract. In August, Honeywell asked for the new chip and protocol with the corrections as agreed. In the period between October 2003 and August 2004, the TTTech CFO and his sales staff communicated to Honeywell that work was on schedule and proceeding. In September of 2004, I informed the management at Honeywell that TTTech had not performed the work which it had promised, and that no work would be performed without a contract (with a likely cost of several million dollars). Honeywell was furious, and began a desperate attempt to configure the chip in a way to cause the safety defects to be disabled, with the end result that the behavior of the chip and the software no longer conformed to documented behavior and tests.
Boeing still intends to use the chip in the Honeywell provided Fly By Wire system.
An extensive amount of evidence is available at my website www.eaawatch.net [eaawatch.net]
I provide this information so that anyone can review the evidence and information, and reach their own conclusions.
Both EASA and FAA have failed to perform their duty to protect public safety. The reports were never fully investigated. Calls to the FAA Whistleblower Hotline resulted in no response from the FAA.
Intense questioning from the news media ultimately resulted in a call from the FAA Type Certification Manager, nearly 3 months after the report was filed with the FAA. Both the EASA and FAA type certification managers were replaced on the very day that the Wall Street Journal article was published on April 28th 2005. No further communication was allowed with their replacements. Only public affairs officials from EASA and FAA were allowed.
The government authorities FAA and EASA have failed to perform investigations, trusting the defamatory, slanderous and libel statements of the suppliers. The defects in the TTTech Chip and Operating System Software, or defects in the system design for Outflow Valve Control by Nord Micro, have not been investigated, nor corrected, according to sources within both the EASA and the FAA.
The public affairs representatives of both EASA and FAA have repeated these defamatory statements to the news media. When confronted by the media for evidence to back up the statements, EASA and FAA admitted that they had not performed an investigation.
However, evidence provided by the news media to EASA and FAA contradicts their statements, and EASA and FAA have now made commitments to the news media that they will now perform an official investigation, one year after the original reporting. The public must insist that all reports be made public, so that there is complete assurance that all allegations have been fully investigated, and any defects and non-compliance with regulations are corrected.
I have proposed to EASA and the FAA that a cost effective solution would be to order the modification of the outflow valves to incorporate a magnetic lock on the larger outflow dump door. Such a lock would prevent the outflow dump door from opening beyond 15 % in the region of flight which represents the most danger to the passengers and crew. No formal response has been received; however, FAA and EASA recognized experts in Cabin Pressurization, in consultation, agree that this would be the most effective cost and schedule solution to correct the issues. With a lock installed, a “fail safe” design, as required by the regulations, would result, as the danger of a rapid decompression would be eliminated. Defects in the TTTech TTP/C controller chip and Real Time Operating System software could no longer threaten the lives of the passengers and crew on the AIRBUS A380.
I believe that there is tremendous potential in the TTTech TTP/C Technology, when the dangerous defects have been corrected. Flawed judgment in decisions by the Supervisory Board of Directors and the Executive Management of TTTech to “cover up” the issues has damaged the reputation of the technology.
The FLEXRAY consortium was formed in 2001 by a split in the TTA Consortium, with the departure of BMW, Bosch, Daimler Chrysler, and Motorola, over the refusal of Dr Hermann Kopetz to modify TTP/C to correct serious safety defects in the technology. TTP/C was therefore determined by the world’s Automotive manufacturers not to be safe for use in Automobiles. As a result, TTP/C is now only considered for use in some Aerospace applications and special vehicles such as forklifts. TTTech surrendered the battle with FLEXRAY, having joined the FLEXRAY consortium as a member in March of 2005, agreeing to withdraw the marketing and use of its TTP/C controller for use in Automobiles, and is now only providing operating system software and consulting services in the Automotive Industry.
It remains to be seen if TTTech can recover the trust destroyed by their actions. It is highly likely that the Aerospace Companies will use Flexray, and invest substantial sums of money to qualify its use for Commercial Aircraft.
The public must bring pressure on EASA and FAA to restore the “Honor System”, and provide teeth to the regulators, and protection for whistleblowers, to assure that sufficient “checks and balances” are restored to prevent dishonorable individuals and corporations from destroying the “Honor System” which is the most efficient and cost effective environment in which to certify Commercial Aircraft.
Opportunities with existing Aerospace Companies are likely at an end at this point.
Safety and risk are often in opposition. Communication, rationalization, and acceptance of risk for a higher benefit is critical to the advancement of new technologies which are incorporated in products which greatly enhance the quality of life for consumers. We should not have to live our lives in fear that someone failed to act in our best interests, exposing us to an undisclosed risk.
By providing complete transparency to the process of the development and certification of “high risk” “high reward” technology of high uncertainty, the Aerospace Industry can be advanced with the assurance that passengers' lives are not placed at risk. This is envisaged to be a partnership with both Industry and Academia, with the express intent to accelerate the safe introduction of new technology advancements, with complete transparency, while substantially reducing and managing the economic risks.
The first step in this effort will be communicated at The Open Vehicles and Control Safety organization with a webpage at www.ovcsa.org [ovcsa.org]
I ask you to consider joining this effort in a partnership for a better future, for yourselves, and for those whose safety you care about.
A daily blog page for myself, and my wife Diana will be established in the next 2 days.
Check www.josephmangan.com, www.josephmangan.name and www.joe-mangan.com for the addresses of all related websites.
For those interested in providing financial support for our family in this difficult time, a paypal account has been established at the following web page.
If you would like your name and / or a personal statement to be added to the supporters page, please send this information to firstname.lastname@example.org
All of the donations go to an account which is controlled by my wife Diana, so that the family can be supported financially if I am arrested and sent to prison in Austria. Contact information for my Attorney is contained on the web page with email and telephone numbers to confirm the financial situation.
Thank you for your interest and support in this matter!
Yes, a very sage point. But if Mangan had twelve kids and went to church five times a week would you care about his scalp? Sorry, I couldn't resist a cheap shot at the LA Times...
Speaking of the law, software engineers beware:
"Can writing software be a crime? A recent indictment in San Diego, California indicates that the answer to that question may be yes. [...] Software developers need to be aware of potentially illegal uses of the software that they develop, market and sell. While they generally will not be held liable for such illegal uses, they may have some liability if they know or reasonably should know about the illegal or infringing use, particularly if they advertise or promote the usefulness of the software for such use."
I think that takes the cake for the longest post on Schneier's blog. Not to say I didn't find it enlightening, but I think a pointer to your site and a paragraph might have done the job. Then again I guess I was guilty of ranting a few days ago myself...
Anyway, I just wanted to note that the British "high court today imposed record penalties on companies involved in the Hatfield train crash five years ago." And while the companies themselves were heavily fined, manslaughter charges against management were dropped. There was only brief mention of the fact that engineers had reported the flaws 21 months before the disaster:
So in this case not only were the individual engineers not held accountable, but even management was deftly able to delegate blame upwards to "a systematic failure of the industry as a whole".
Having read all, I feel that the very people that are supposed to protect us from such madness, such as the FAA and EASA, have failed us. I also understand that the Herald Tribune is investigating the story that an EASA employee has been sidelined for his part in making statements based on these accusations. After being approached about the story it is alleged that this former EASA employee spilled the beans, confirming a lot of Joe Mangan's allegations. A little bird further told me that the Tribune may not run the story, due to being gunshy as a result of another unrelated court case that they lost in a big and painful way not too long ago. I just hate an Editor without courage!
In reference to Joe Mangan himself and his family, I must say that this guy is a hero and we should be careful how we treat our heroes, for there are not many in this mad and materialistic world. The man can be proud that his wife is standing by him in this through thick and thin. The children, although unwilling participants, will be very proud of their Papa once they fully understand the implications of his actions. Joe Mangan - THANK YOU!
This story reminds me of two sets of characters: the Morton Thiokol engineers who performed the reluctant (and with hindsight, lethal) signoff on Space Shuttle Challenger, and the host of kooks that came out of the woodwork after the TWA800 crash.
Every time I see documentary footage of the Morton Thiokol engineers I get a knot in my stomach - it could've been me if I was in the wrong place at the wrong time.
Unfortunately, I am none the wiser after spending a couple of hours digesting the press coverage and the eaawatch.net site, because the presentation of Joe's case is steeped in kookspeek. I don't know where to start: the use of font size, weight and color, the copious in-line inclusion of material better suited for an appendix, the use of legal lingo in a document aimed at convincing the public, the rambling: all of it looks alarmist at best. Neither the interview nor the website leave me convinced. If I were Joe, I'd get a better PR guy (or at least a copywriter), and forget about the lawyer.
I'm dead serious here. In matters of much lesser importance, I've been in situations where I had to flame my supporters to a crisp, because the way they brought forward their arguments, my case (and ultimately theirs) would not be taken seriously if I allowed myself to be associated with them. I'm open to the hypothesis that Joe unwillingly had become the prime obstacle to fixing the issue he uncovered.
On this blog, the jabs at Airbus and Boeing as side notes to the issue at hand illustrate why the companies involved, like the authorities, do not like to fight issues like this out in public, and especially not in an emotionally charged atmosphere.
There are plenty of good points raised by Joe, in particular the specifics regarding the proposed valve design of the A380, and the wisdom of declaring oddball chips "off the shelf items" to sidestep certification. But the way http://www.eaawatch.net/ is organized I couldn't draw a personal conclusion, let alone take sides in the debate.
The TWA800 kooks are too fresh on my retina for that.
"jabs at Airbus and Boeing as side notes to the issue at hand illustrate why the companies involved, like the authorities, do not like to fight issues like this out in public, and especially not in an emotionally charged atmosphere"
Avoiding an unnecessary misunderstanding is one thing, and fairly easy to empathize with.
However, failing to allow a reasonable amount of transparency into a life-threatening decision or eliminating a predictable disaster should not be excused on the premise that the exposure "might bring a few unwelcome jabs".
That makes Airbus and Boeing sound like a couple of glass-jawed rookies who need to hug the ropes in order to survive public interest.
When a company is so weak that it can not withstand a basic amount of scrutiny, then what exactly are they left to defend?
are made to prevent these problems. And a computer in test phase can have some bugs, their correction will be done after the in flight tests. Sorry for my bad English but I hope you can understand what I say.
oops a part was missing:
As certainly you know, the tests before certification by the official authorities are made to prevent these problems. And a computer in test phase can have some bugs; their correction will be done after the in flight tests. Sorry for my bad English but I hope you can understand what I say.
Although this topic was started some time ago, I want to comment on Mangan's post here.
He mentions that the FlexRay consortium was founded because of security issues in TTP/C, which was not the case. The reasons for this move were licensing issues and the fact that TTP/C didn't support event-triggered messages.
I don't really know what Mangan intends with his behaviour. Seems to me like an embittered man who tries to gain some attention. On his website he even links to a wikipedia entry about himself. Additionally he has added a donation button. It would be better to look for a job, man!
Going back to the beginning, there are some things that must be known about general aviation and commercial aviation. The airbus planes are not designed with a fuel dump valve because of environmental regulations. Boeing does not have plans for a fuel dump on its newer aircraft, and it is still only available for emergency use. I am very close to the aviation industry, and I can say with absolute fact that there is a slight flaw in the control chip and fly-by wire flight control system in the Airbus planes. Airbus planes are almost too smart to be flown by a pilot. If the plane feels as though the pilot should be doing something differently, the plane will take over. For example, if the pilot tries to lose altitude quickly in an emergency, and the plane feels as though there is no need for the emergency descent, the plane will actually pitch up. The only flaw I see in Airbus is the fact that they need an override switch so the pilot truly is the pilot in command.
To all, this is a sad story about a thoughtful engineer who everyone except Joe believes is a disgruntled employee. He didn't become disgruntled until the Austrians said go away, this isn't an issue, when the engineer had proof it was. Mark this down as when it crashes or people die because of the failure, you will all go "Huh.. How 'bout that, guess he was right. At what cost." I know Joe. If it is bad, trust me, it is bad. But no one had the strength except this American to stand up and blow a big whistle, so that all of Europe said "hey, who are you, Erin Brockovich?"... Not Yet..
This is worth marking in view of Air France 747, the lack of cabin pressurization in the Airbus plane, and the automatic system failures - the last comment on this thread by One More:
"How 'bout that, guess he (Joseph Mangan) was right. At what cost. I know Joe. If it is bad, trust me it is bad. But no one had the strength except this American to stand up and blow a big whistle that all of Europe said hey who are you Erin Brockovich... Not Yet.."
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.