This is an archived page and is no longer updated.
Please visit our current pages at https://rvs-bi.de

Computer-Related Incidents with Commercial Aircraft

The Lauda Air B767 Accident

26 May 1991

Synopsis A Lauda Air Boeing B767-329ER suffered an in-flight upset and breakup over Thailand while climbing out at 7000m after takeoff from Bangkok. Analysis of the accident was hindered by damage to the Flight Data Recorder (FDR), which rendered it unreadable. Airline owner Niki Lauda said on 2 June 1991 that a thrust reverser had deployed in flight. Boeing initially denied that this was possible - the thrust reverser mechanism had an electro-hydraulic interlock which prevented this. Simulator trials showed that, if a thrust reverser were actually to deploy during flight, the B767 would be incapable of controlled flight unless "full wheel and full rudder were applied within 4-6s after the thrust reverser deployed" (Reverser balmed in Lauda crash report, Flight International, 1-7 September 1993, p5). Windtunnel data determined that the aerodynamic effect of the reverser plume in flight as the engine ran down to idle was a 25 per cent loss in lift across the wing. The report further determined that "[...] recovery from the event was uncontrollable [sic] for an unexpecting flight crew".

Further testing showed that disintegration of an oil seal could physically block a valve essential for the functioning of the interlock, leading to a scenario in which the reverser could, in fact, reverse thrust in flight. It was not determined if such an event happened to the accident aircraft. Subsequent to the discovery of this potential interlock failure mode, the FAA issued in August 1991 an AD prohibiting use of thrust-reverse on late-model B767s. Similar mechanims were also to be found on other aircraft, and after a solution to the problem was developed, Boeing retrofitted B737, B757 and B767 aircraft, 2,100 of them in all, with a third, mechanical, thrust-reverser interlock (which also required a hydraulic system mod on the B767).

There was a report by Bill Richards in the Seattle Post-Intelligencer of 14 December 1991 of the view of Darrell Smith, an ex-Boeing engineer, who had reported to Boeing that faults in the `proximity switch electronics unit' (PSEU) could have resulted in actual thrust-reverser deployment. Boeing passed on the report to the software writer, Eldec Corp (Boeing contracts out much of its software), but neither company had, as the time of reporting, studied Smith's argument in detail. I do not know the resolution of this issue. Thus, one may consider this accident to remain `computer-related' until one knows the resolution of Smith's reports. synopsis as well as the final accident report from the Thai authorities has been prepared for the WWW by Hiroshi Sogame of All-Nippon Airways Safety Promotion Committee, to whom we are are very grateful.

The official report on the crash determined

" [...] the probable cause of this accident to be uncommanded in-flight deployment of the left-engine thrust reverser, which resulted in loss of flightpath control. The specific cause of the thrust-reverser deployment has not been positively identified."
(op.cit., Flight International, 1-7 September 1993, p5).

The report of The Times, 3 June 1991, was relayed to RISKS-11.78 and RISKS-11.82 by the articles
Lauda Air Crash by Paul Leyland, and
Re: Lauda Air Crash by Steve Philipson.
Hermann Kopetz reported to RISKS-11.82 what appeared in the Austrian press in the article
Lauda Air Boeing 767 Aircraft Crash.
Boeing's initial denials were reported in the Washington Post of 3 June, relayed to RISKS-11.82 in
Lauda Air plane crash by Joe Morris.
The Wall Street Journal of 3 June 1991 reported that in order to obtain certification of the B767, Boeing had had to demonstrate the effects of in-flight reversal by flight test: also conyeved to RISKS-11.82 in
Re: Lauda Air crash by Jeremy Grodberg.
Peter Neumann reported on some of the details of the FADEC design in RISKS-11.84:
Lauda 767 crash by Peter G. Neumann.
The European, a weekly newspaper, carried an article by Mark Zeller entitled Boeing skipped essential test on Lauda crash jet, which clarified the situation over certification of the reverser mechanism. According to the FAA administrator at the time, James Busey, the interlock was demonstrated by attempted in-flight deployment, but only at low airspeed and idle thrust. Boeing had argued to the certification authority that `...sophisticated flight control computers made an accidental inflight deployment of the thrust reversers impossible' (I think Zeller meant FADECs - the B767 has no flight control computers in the strict sense). The report also stated that examination of the wreckage and the CVR showed that one reverser `...failed to lock in place...' and that the pilots had been discussed what to do about the warning light when the upset took place. The European's article was relayed to RISKS-11.95 and discussed by Peter Mellor:
Lauda air crash by Peter Mellor.
An article in the Seattle Times of 23 August 1991, Flawed part in 767 may be flying on other jets by Brian Acohido, reported in detail the possible oil-seal disintegration problem and that it didn't seem to be restricted to late-model B767 aircraft. This commentary was relayed to RISKS-12.16 by Nancy Leveson:
More on the Lauda air crash by Nancy Leveson.
Nancy also relayed Bill Richards' reporting of Darrell Smith's concerns about the PSEU to RISKS-12.69 in
More on Lauda crash and computers by Nancy Leveson.

Other comment on this accident may be found in RISKS-11.78, RISKS-11.79, RISKS-11.82, RISKS-11.84, RISKS-11.95.

Subsequently, there was some discussion whether measures taken by other manufacturers in the wake of the Lauda Air crash to prevent in-flight deployment of reversers had contributed to their lack of deployment when required in the A320 Warsaw accident:
Lufthansa in Warsaw by Peter B. Ladkin, and
Re: Lufthansa Airbus Warsaw Crash 14 Sep 93 by Udo Voges.
Noted human-factors expert Erik Hollnagel cited some CVR material from the crash whilst discussing the efficacy and design of alarms in
Re: alarms and alarm-silencing risks in medical equipment by Erik Hollnagel.

up