Reversal of Fortune: The crash of Lauda Air flight 004
Note: this accident was previously featured in episode 25 of the plane crash series on February 24th, 2018, prior to the series’ arrival on Medium. This article is written without reference to and supersedes the original.
On the 26th of May 1991, an Austrian airliner on its way from Bangkok to Vienna suddenly spiraled out of the sky and broke apart in midair, sending flaming wreckage streaking across the heavens in a remote part of western Thailand. By the time rescuers and investigators reached the widely spread remains of the Boeing 767, 223 people were dead, and the fate of an airline hung in the balance. Founded by champion racing driver Niki Lauda, the holiday charter airline Lauda Air carried its owner’s reputation as well as his financial future, and a crash could be devastating for both. For Lauda, everything depended on one question: what caused the crash, and was he responsible?
At first, experts suspected that the plane had been brought down by an act of sabotage, and the Los Angeles Times went so far as to report that “all evidence points to a bomb.” And yet, as investigators pored over the wreckage and the cockpit voice recording, the evidence started to point toward something altogether much stranger: in fact, by some horrific chain of events, the left engine on the ill-fated 767 had abruptly gone into reverse at 24,000 feet, tearing the plane from the sky in a matter of seconds. How and why this failure occurred, and why the pilots could not recover, became matters of intense debate, some of which would never be fully settled, as questions about whether Lauda Air could have prevented the crash linger to this day. But in the end, one thing was clear: that fatal assumptions had been made about the thrust reversers on many modern passenger jets, and that manufacturers around the world needed to take action before more lives were lost.
The story of Lauda Air ought not be told without first telling the story of its founder, the three-time Formula One world champion Andreas Nikolaus “Niki” Lauda. Born in 1949 to a family of wealthy Austrian industrialists, Lauda decided early in life to take up motor racing, despite his parents’ opposition. His persistence, sometimes in the face of reason, became apparent early in his career, as he took out risky loans to buy his way into Formula Two, and nearly went bankrupt before his natural talent for motorsport was recognized by Enzo Ferrari. With Ferrari and later McLaren, he went on to race in Formula One, ultimately winning three world championships. Two of these came despite a devastating crash at the 1976 German Grand Prix, in which Lauda’s Ferrari suddenly veered into a wall and caught fire. Other drivers quickly pulled him from the inferno, but in the process he suffered severe burns to his face and lungs, and he nearly died in hospital, surviving only at the price of permanent disfigurement. And yet, despite his injuries, he was back in the driver’s seat six weeks later, and continued racing until 1985.
In addition to motorsports, Niki Lauda was also an airplane enthusiast and licensed pilot, and in 1979 he founded a charter airline which he christened Lauda Air, capitalizing on his celebrity status. From a financial standpoint, the company was not particularly successful, and it barely survived the early 1980s before expanding into the scheduled airline business in 1987. At the time, the state-owned Austrian Airlines had a virtual monopoly over Austria’s air travel industry, a situation which arose primarily because the country was too small to support a well-developed domestic market. Nevertheless, Lauda Air was able to support a modest existence by providing quality service on routes to holiday destinations in both Europe and Asia, for which it used a mixed fleet of several short- to medium-range Boeing 737s and (initially) two long range Boeing 767s. Niki Lauda himself acquired a commercial pilot’s license and sometimes flew as captain on the 767s.
It was one of these 767s, registered as OE-LAV, which departed Hong Kong on the 26th of May 1991, bound for Vienna, Austria with a scheduled stop in Bangkok, Thailand. Designated Lauda Air flight 004, the two-leg trip would be split between two sets of pilots, the first of which flew that afternoon from Hong Kong before disembarking in Bangkok. Stepping into their place were 48-year-old Captain Thomas Welch, an American, and 41-year-old First Officer Josef Thurner, who was from Austria. Joining them on the 10-hour flight to Vienna were eight flight attendants and 213 passengers, totaling 223 people on board.
Night was already falling when the pilots pushed the thrust levers forward, sending flight 004 rumbling away down the runway in Bangkok. Seconds later, it took to the air, climbing out over the city and the countryside beyond.
In the cockpit, the pilots ran through routine checklists as they ascended toward their cruising altitude of 31,000 feet. But the sense of normality lasted a mere five minutes and forty-five seconds, for it was then that a yellow caution light illuminated on the center pedestal, and an amber message appeared on the screen of the Engine Indicating and Crew Alerting System (EICAS). “L REV ISLN VAL,” it read.
“Scheisse,” First Officer Thurner said.
“That keeps — that’s come on,” said Captain Welch.
Silently, First Officer Thurner pulled out the Quick Reference Handbook, or QRH, and began flipping through it in search of an applicable procedure.
The caution message was in fact shorthand for “left thrust reverser hydraulic isolation valve” — more specifically, that the valve was not in the position it was supposed to be in. That could potentially be a problem, because the thrust reversers, which redirect engine thrust forward to assist with braking while on the ground, should never be deployed in the air, and in fact a complex system of check valves ensures that they physically cannot open in flight, even if the pilot tries to deploy them.
To understand the significance of this particular caution message, a brief overview of the Boeing 767’s thrust reverser system is necessary. The 767 uses what is known as a “cascade-type” reverser. Unlike earlier thrust reversers, which used bucket doors to redirect exhaust at the back of the engine, a cascade reverser intercepts and redirects the bypass airstream which flows around the central turbofan section, rather than blocking the exhaust directly. Made possible by the advent of high-bypass turbofan engines, most cascade reversers feature a “translating sleeve,” made up of the aft portion of the engine cowl, which slides backwards in order to close blocking doors within the bypass airstream and redirect it through forward-facing “cascades.” While it sounds complicated, the above diagram should greatly simplify comprehension.
In order to open the thrust reversers on the Pratt & Whitney 4000 engines installed on the Lauda Air Boeing 767, four things must happen. First, both of the plane’s air/ground sensors (also called “weight-on-wheels” sensors) must detect that the plane is on the ground. Second, the reverse thrust levers in the cockpit must be moved at least 10 degrees away from the stowed position. If all of these things occur, a circuit will complete, electrically opening the hydraulic isolation valve, or HIV, which allows hydraulic fluid into the thrust reverser system. Finally, if both air/ground sensors read “ground” and the reverse thrust levers are moved at least 29 degrees toward the reverse position, the electrically-driven directional control valve, or DCV, will also open, directing hydraulic pressure to the actuators which move the translating reverser sleeve.
This redundant system ensures that two separate valves must fail simultaneously for a thrust reverser to deploy in the air. However, the yellow “REV ISLN” caution light which had illuminated aboard Lauda Air flight 004 indicated that the HIV was open when it should not have been, removing one of these layers of redundancy.
Because the improper position of the HIV could not lead to a reverser deployment without additional failures, it was considered a cautionary message rather than a warning, and this is in fact what the QRH stated. Therefore, when Captain Welch asked, “What’s it say in there about that,” First Officer Thurner read back, “Additional system failures may cause in-flight deployment. Expect normal reverse operation after landing.”
“Okay,” said Welch. “Just uh, let’s see. Okay.”
“Shall I ask the ground staff?” Thurner suggested.
“What’s that?”
“Shall I ask the technical men?”
“Oh, you can tell ’em about it,” said Welch, “it’s just, uh, no — uh, it’s probably, uh, moisture or something, ’cause it’s not just on, it’s coming on and off.” It seemed that the light would periodically extinguish, only to come back again a few seconds later.
“Yeah,” said Thurner.
“But oh, you know, it’s a — it doesn’t really — it’s just an advisory thing,” said Welch. “Could be some moisture in there or something.”
And that was where the conversation ended. The QRH indicated that no further action was needed, only that the crew should be aware of the possibility, however remote, that a reverser might deploy. Captain Welch clearly was not very concerned, believing that there was probably some moisture in the engine electronic control (EEC) system causing a switch to make contact when it shouldn’t. If the pilots thought about what they would do in the event of an uncommanded reverser deployment, they didn’t verbalize it.
As flight 004 continued climbing, the pilots returned to routine tasks. Captain Welch adjusted the position of the rudder trim, and First Officer Thurner began adding numbers out loud in German; the official transcript doesn’t say what for. Several minutes passed in relative silence.
And then, fifteen minutes after takeoff, at a height of 24,700 feet, the left thrust reverser suddenly activated, and the left engine instantly went into reverse. A massive shudder rocked the plane, which yawed and rolled hard to the left, turning on its side in the blink of an eye.
“Reverser’s deployed!” Thurner managed to shout.
An automatic safety system immediately reduced thrust on the left engine to idle to mitigate the effect of the uncommanded deployment, but the aircraft was already out of control. As the plane rolled past 90 degrees of bank, Captain Welch wrenched his control column hard to the right, and someone cut fuel flow to the left engine, shutting it down, but the plane had turned over into an inverted dive in a matter of seconds and was now accelerating downward, straight toward the ground.
“Jesus Christ!” Welch exclaimed as he fought to level his plane. Horrific shuddering sounds filled the cockpit as the airframe vibrated under the enormous stress of the dive. Somewhere in the background, something broke with a metallic snap. The overspeed alarm began to sound, producing a terrifying rapid-fire clackclackclack which warned that the plane was exceeding its maximum operating speed.
Breathing heavily, Welch shouted, “Here, wait a moment,” followed seconds later by, “Dammit!”
The pilots began to pull back on their controls, but at the speed they were going, recovery was impossible; any attempt to pull out of the dive would stress the airframe to its breaking point.
Traveling so fast that the sound of the wind could be heard clearly on the cockpit voice recording, Lauda Air flight 004 began to break apart. Twenty-nine seconds into the dive, the recorder abruptly cut out as the stress of the attempted recovery ripped the right horizontal stabilizer clean off the plane. The left horizontal stabilizer and vertical stabilizer followed almost instantaneously; then, with the loss of downforce provided by the tail, the plane pitched so steeply nose down that the wings failed downward and ripped away with a massive explosion. Engulfed in flames, the fuselage streaked across the night sky like a falling star, disintegrating as it went, burning pieces of the wings trailing behind it. Seconds later, the debris slammed to earth with a thunderous boom, echoing over the jungles and mountains of the Thailand-Burma frontier. It had been less than a minute since Lauda Air flight 004 was climbing normally toward 25,000 feet, and already it was gone.
◊◊◊
In Bangkok, controllers watched as flight 004 suddenly vanished from radar, and the pilots of a Delta Air Lines flight on approach to the city caught sight of a large explosion in the far distance, but at first no one was completely sure what had happened. It would be many hours before rescuers managed to reach the remote crash site in the highlands of what is now Thailand’s Phu Toei National Park. As Lauda Air executives on the other side of the world slowly became aware of the unfolding disaster, first responders came across a horrific scene of destruction. Pieces of the plane were scattered over several square kilometers of jungle, some of them on fire, and all around were the bodies of the victims, strewn about like autumn leaves. Despite their best efforts, there was nothing they could do to help — all 223 passengers and crew were dead, by far the worst accident in the history of both Austria and Thailand.
The investigation into the crash was led by the Aircraft Accident Investigation Committee of Thailand, with assistance from its Austrian and American counterparts. As they worked to find all the pieces of the plane, which had clearly broken apart and exploded before hitting the ground, experts openly speculated that a bomb must have been responsible. It had been less than three years since the Lockerbie bombing, and the possibility of sabotage was still at the forefront of the popular consciousness, so much so that the Los Angeles times ran an article entitled “All Evidence in Thai Air Crash Points to Bomb.” But all of that changed just a few days into the inquiry, when investigators stumbled across an incredible sight: lying on the floor of the jungle was the 767’s left engine, with its thrust reverser unambiguously deployed.
The condition of the thrust reverser showed beyond any shadow of doubt that it had deployed before the plane hit the ground, and investigators were immediately certain that this had something to do with the cause of the accident. But before they could prove it, they had to answer two questions: why did the thrust reverser deploy, and could it really tear a Boeing 767 so violently from the sky?
The second question was especially important, because if the answer was yes, it would call into question the certification basis not only for the 767’s thrust reversers, but for those on other similar airplanes as well.
According to Federal Aviation Administration rules, a transport category aircraft seeking certification must meet the following standards: first, if a reverser were to deploy in flight, it must generate no greater than idle reverse thrust; and second, it must either be possible to return the engine to forward thrust after an uncommanded reverser deployment, or it must be possible to continue to a safe landing with the reverser in any possible position. The FAA and Boeing both agreed that the 767 met these standards — in fact, Boeing had demonstrated compliance by deploying a reverser in midair during a test flight, proving that it was a controllable emergency. Niki Lauda, who had by this point attached himself to the investigation in an informal capacity, publicly stated to the press that in light of this information, the reverser deployment alone could not have caused the crash. But he also made a bold declaration: that if Lauda Air or its pilots were found at fault, he would resign and the airline would cease operations.
The proof, one way or another, would lie in the black boxes. But investigators were disappointed to discover that because the wreckage had burned for a long period before anyone reached the site, the flight data recorder was completely destroyed and no information could be retrieved. Fortunately, the cockpit voice recorder survived and offered several critical clues. Most importantly, it showed that the pilots immediately recognized a thrust reverser deployment as the cause of their sudden upset, but were not able to recover. Simultaneously, data extracted from a memory chip in the left Engine Electronic Control (EEC) system provided some basic data, such as airspeed and engine power. These data showed that an automatic system reduced power on the left engine to idle as designed, and that a pilot cut off fuel flow altogether several seconds later. But by the time they had done so, the recorded airspeed and Mach number proved that the plane was already in an irrecoverable dive. There was only one reasonable conclusion: that the pilots had reacted correctly to the failure, but lost control anyway. That forced investigators to take a second look at the tests Boeing had performed during certification of the 767.
The history of regulations surrounding in-flight thrust reverser deployments began with tests which were performed during certification of the Boeing 747 in the 1960s. At that time, some four-engine planes, such as the Douglas DC-8 and the Soviet-built Ilyushin Il-62, were capable of using reverse thrust on their inboard engines as an air brake while in flight, but Boeing and Airbus aircraft do not have this capability. In the case of the 747, and other planes developed simultaneously, it was believed that a reverser deployment would be most critical during approach and landing, when the speed of the plane is low. This is because an airplane’s flight controls are less effective at lower speeds, and in theory this means that a pilot will find it more difficult to counter the yaw and roll effects of a reversed engine. This is the case for almost every type of major failure that could affect controllability, and as a standard its use in the aviation industry is widespread. Consequently, Boeing always demonstrated compliance by deploying a thrust reverser at a relatively low speed of about 200 knots and a low Mach number, beginning from the 747 and continuing through the 767. The test pilots on the 767 reverser demonstration experienced some alarming buffeting and a partial loss of lift on the affected wing, but they were easily able to recover control using the rudder, ailerons, and throttles. The 767 passed the test with flying colors and its thrust reverser system was approved by the FAA, with help from a simulation which showed that greater control authority at higher speeds would make a deployment in cruise or climb even more easily manageable.
Investigators noted, however, that this simulation had not been backed up, nor was it required to be backed up, by any high-speed wind tunnel tests to prove some of its basic mathematical assumptions. One of these assumptions was that loss of lift during a reverser deployment did not change substantially with airspeed, a belief which had proved basically correct during a handful of uncommanded reverser deployments which occurred in service on the Boeing 747.
But the CVR and EEC data from Lauda flight 004 indicated that the deployment of the reverser led to an immediate and catastrophic loss of control. That prompted the investigators and Boeing to conduct wind tunnel tests to determine the actual behavior of a 767’s wing with a reverser deployed at the altitude and speed at which flight 004 was actually flying (24,700 feet and Mach 0.78).
The most dangerous aspect of such an event is not the asymmetric thrust per se, but rather the existence of a plume of disturbed air which flows from the reverser and across the leading edge of the wing, disrupting the smooth airflow which is required to generate lift. The automatic system that reduces engine power to idle in the event of an uncommanded reverser deployment, which worked normally on the accident flight, eliminates any danger of a reversed engine overpowering the other engine and putting the plane into a spin. Instead, the asymmetric loss of lift from the reverser plume causes most of the control difficulties. And when the conditions of the accident flight were simulated in Boeing’s advanced wind tunnel, the result was astonishing: the loss of lift suffered by the left wing of flight 004 was actually about 25%, not the 10% measured at lower speeds during the certification test.
Investigators noted that the design of the 767, with two engines mounted below and slightly ahead of the wings, accounted for the difference between these results and the in-service experience on other aircraft types. A two-engine plane will obviously suffer greater adverse effects from a single reverser deployment than will a four-engine plane, but the particular position of the 767’s engines made matters even worse, bringing the zone of disrupted air closer to the wing leading edge where its interference with the airflow was greater.
When Boeing programmed a 767 simulator using the newly acquired data, the difference was profound. Boeing’s chief test pilot discovered that if he failed to reduce power to the opposite engine to reduce the thrust asymmetry, apply full opposite rudder, and add full opposite aileron, all within six seconds of the reverser deployment, the airplane would suffer an irrecoverable loss of control. This margin was reduced to four seconds if he made the control inputs before reducing thrust on the opposite engine. And throughout that critical period, the plane would roll toward the reversed engine at a rate of 28 degrees per second, turning fully inverted in less than five seconds, at which point it would enter a high-speed descent that exceeded the structural capabilities of the airframe. His conclusion was stark: no line pilot could be expected to recover in such a situation without superhuman awareness and reaction times.
More broadly, this discovery meant that the certification basis for the 767s thrust reverser system was fatally flawed, since continued flight to a safe landing with a reverser deployed was not ensured. The FAA was immediately notified of the findings, and within days it had issued an airworthiness directive mandating that the thrust reversers be deactivated on every Boeing 767 with Pratt & Whitney 4000 engines, until a solution could be found to bring the design into compliance with regulations.
But finding a solution first required figuring out why the thrust reverser came open in the first place. This was no easy task, because the engine had been severely damaged in the crash, and to make matters worse, a local looking for scrap metal had apparently walked off with the directional control valve (DCV). Investigators put up a monetary reward to try to get it back, but it took more than 6 months before someone finally turned it in. And even after this long wait, the result proved disappointing: someone had clearly tampered with the valve after it was taken from the crash site, and little useful information could be gleaned from it.
However, the periodic illumination of the “REV ISLN” caution light did strongly indicate that the hydraulic isolation valve (HIV) was cycling open and closed in the minutes before the crash. No mechanical fault was found with the HIV or with the hydraulic system, and a simultaneous fault in both air/ground sensors as well as the reverse thrust lever position sensor was considered extremely remote. But there was actually a way to bypass all these layers of redundancy, and it is here where investigators believe the fault must have occurred.
When a pilot closes the thrust reversers after deploying them on landing, the movement of the reverse thrust lever back to the zero degree position will disconnect the solenoid-activated HIV, which can only open if the lever is moved at least 10 degrees. Closing the HIV would cut off hydraulic pressure to the DCV and consequently to the actuators which move the translating reverser sleeve, rendering it impossible to stow the reverser. In order to ensure continued hydraulic pressure until the reverser is fully stowed, an “auto-restow” circuit kicks in, bypassing the normal circuitry, to hold the HIV open whenever the positions of the reverser and the reverse thrust lever disagree. By extension, this system could also stow the reverser if it were to deploy in the air. Furthermore, activation of the auto-restow circuit while airborne would cause the “REV ISLN” light to illuminate in the cockpit whenever it opened the HIV. Investigators therefore suspected, but could not completely prove, that a short circuit caused the auto-restow system to activate erroneously during the accident flight, bypassing the air/ground logic to open the HIV and supply hydraulic pressure to the reverser system.
However, this was only half of the puzzle, because something must also have caused the DCV to move to the “deploy” position. The investigation committee tested a number of possible short circuits which might affect the DCV, but were unable to find any which they could prove would result in an erroneous “deploy” command. However, they did discover another possibility. If debris contaminated the DCV’s hydraulic return line, which ports hydraulic fluid back out of the valve to equalize the pressure inside it, pressure could instead have built up on the “deploy” side, causing the valve to open. Therefore, with the auto-restow circuit intermittently opening the HIV and pushing hydraulic fluid into the system, any concurrent blockage of the DCV’s hydraulic return line could have led to increased pressure in the “deploy” line, causing the left thrust reverser to deploy in flight.
The possibility of contamination in the DCV was especially worrisome, as this is a latent failure which might not be detected until an uncommanded reverser deployment occurs. The possibility of such a latent failure rendered invalid the logic informing the procedure in the QRH — which was to continue normal flight — because it could not be guaranteed that the second layer of redundancy provided by the DCV in the event of an HIV failure was actually present. The probability of an uncommanded deployment therefore increased considerably, and as the Boeing tests had showed, this would be a catastrophic event almost certainly resulting in the loss of the airplane.
But two simultaneous failures in the thrust reverser system shouldn’t just appear out of the blue — there must have been warning signs. Whether Lauda Air reacted correctly to those signs would become a subject of considerable uncertainty and debate.
The Thai commission, for its part, barely looked into the history of maintenance on OE-LAV. They did discover that this plane had experienced a large number of faults related to the left thrust reverser and to the left EEC in general, resulting in at least 13 separate maintenance actions since August 14th, 1990, including 10 in the four months immediately before the accident. The Thai commission stated that Lauda Air repeatedly applied the procedures from the Boeing Fault Isolation Manual, but was unable to end the constant thrust reverser fault messages. Nevertheless, the plane was kept in service through an apparent loophole, which allowed continued flight for 500 hours with this particular fault unresolved. Although it had been more than 500 flying hours since the fault first appeared, Lauda Air was allowed to dispatch the plane because the 500 hours reset every time it completed a flight without the fault recurring. Since the problems were intermittent, this condition was easily fulfilled, and Lauda Air effectively got away with never fixing the problem.
The Thai commission did not find Lauda Air at fault, however, assigning full blame to Boeing and the 767’s fatal design flaw. That led Niki Lauda to declare his initial promise fulfilled: Lauda Air was not responsible, so its operations would continue with him at the helm.
Ever since, the common narrative has typically stuck to Niki Lauda’s side of the story. Lauda tended to portray himself as a central character in the investigation, and in an oft-repeated anecdote, he claimed that Boeing was reluctant to admit that a reverser deployment was irrecoverable at high speed and altitude. In response, Lauda claimed that he personally challenged Boeing to take him aboard a test flight which would recreate the accident conditions, at which point the company backed down and acknowledged that this would result in a crash. Evidence for this story, however, is scant. The only real source is Lauda himself, and research for this article did not turn up any reliable corroboration, so in the author’s opinion, the anecdote is probably apocryphal.
Research did however reveal that Austrian investigators wrote a secret report which was highly critical of Lauda Air. Commissioned by the Vienna Public Prosecutor’s Office, the full findings of this parallel investigation have never been released, but they were summarized by aviation magazine Austrian Wings in 2011. According to the report, Austrian investigators dived deep into Lauda Air’s maintenance records and found a large number of worrying discrepancies. From the very beginning, they alleged, Lauda Air was not as forthcoming as its owner pretended — in fact, it took ten days for the airline to hand over critical documents which are supposed to be given to the investigation immediately. Furthermore, the report stated that Thai investigators were only allowed to view Lauda Air’s maintenance records for five to eight hours, nowhere near long enough to ascertain the scope of the airline’s culpability. The Austrian investigators, on the other hand, had access to the documents for many months, and in all they counted no less than 61 thrust reverser fault messages between April 27th and May 26th, 1991 — far more than were identified by the Thai commission. Indeed, the airplane was practically screaming that something was wrong, and yet Lauda Air never once contacted Boeing for assistance, even after the procedures in the Fault Isolation Manual repeatedly failed to fix the problem.
Instead, the report claims, Lauda Air turned to unapproved procedures — namely, replacing the thrust reverser actuators, the HIV, and the DCV, actions which were not listed as applicable solutions to the type of fault messages the airplane was generating. In fact, Boeing pointed out that these components were irrelevant to the faults, which originated in the electrical system which controlled the thrust reversers, and not in the hardware itself. Nevertheless, Lauda Air continued to replace the valves every time the faults returned, including in Vienna on May 25th, the day before the accident. Mechanics did eventually begin a deeper inspection of the wiring in the left engine, but records indicated that the inspection program, initiated on March 6th, was never completed.
Furthermore, records showed that sometime between May 5th and May 15th, the outer locking mechanism on the left thrust reverser sleeve was marked inoperative, a condition which required mechanics to deactivate that reverser before the plane could be approved for further flight. However, this was not done, and while this omission did not contribute to the accident, it did mean that the plane was legally unairworthy when it took off from Bangkok on its final flight.
Former Lauda Air employees alleged that this kind of endlessly deferred maintenance was common due to the airline’s punishing schedules. With only two 767s to operate its long-haul routes, Lauda Air had little capacity to absorb delays, and so maintenance was usually done overnight when the planes returned to Vienna. This was not enough time to search for the true cause of persistent faults, so mechanics simply followed the basic troubleshooting guidelines over and over, even though they weren’t working. One former technician even told the Austrian investigation that Niki Lauda himself would sometimes intervene to get planes back in the air, rather than holding them for additional maintenance work. Another said that he had banned his family from flying on Lauda Air because of his concern about the airworthiness of their planes. In the opinion of former employees and investigators, Lauda Air may not have been legally at fault in the crash, but there was little doubt that they could have prevented the accident if they had made even a belated attempt to get help finding the cause of the faults. Any competent airline, they felt, would have called up Boeing as soon as they had tried everything in the Fault Isolation Manual without solving the problem.
But despite these potentially explosive findings, the Vienna Public Prosecutor’s Office ordered its own report to be withheld from public release. And without access to this side of the story, the popular view of the crash is based on Niki Lauda’s account — a version of events which papers over many of the murkier elements and portrays the events as less complex than they actually were. In some ways, Lauda’s story is the one we want to be told, the one which has a hero and a villain, and in which everyone does the right thing in the end. But as time passes and grants us new vantage points, we have ever more reason to doubt that things were so simple.
There is, however, one thing we can say for certain: that the deadly flaw which brought down Lauda Air flight 004 has been fixed. Boeing completely redesigned the 767’s thrust reversers to isolate the stow and deploy functions from one another. The redesign also did away with electrically actuated valves, returning to motor-driven valves which were less susceptible to electrical faults. And just in case, Boeing introduced better shielding on the thrust reverser wiring as well. In total, these and other modifications addressed every known failure mode of the 767’s reverser systems.
But an industry-wide review by the FAA found that the basic incorrect design assumptions were not unique to the 767. Almost every large jet with two wing-mounted engines was also found to be uncontrollable in the event of a thrust reverser deployment at high speed. As a result, all of these planes, including the 767, are now required to have a third lock on the thrust reverser in addition to the HIV and DCV. This effectively eliminated any chance of an uncommanded deployment, due to a simple principle of mathematics: that each layer of redundancy is multiplicative. In other words, if two failures each have a 1 in 100 chance of occurring, then the chance that both occur independently is 1 in 10,000, but if a third similar failure is required, then the chance of all three occurring independently goes down to 1 in 1 million. In the probability zones in which aircraft components operate (typically in the 1 in 100 million to 1 in 1 billion range), this means that adding a third layer of redundancy usually makes complete failure unthinkable.
Cumulatively, these changes have made flying safer for untold millions of people. And the aviation industry learned a valuable, if harsh, lesson: that as airplane designs improve, old assumptions don’t always remain unassailable. Today, advancements in computer simulation technology mean that incorrect calculations like those which led to the 767’s design flaw are much less likely to occur, but perhaps the most important legacy of the crash is an increased understanding that those simulations indeed must be done, and that due care needs to be taken in validating them.
For Lauda Air and its founder, regardless of any culpability they may have shared, the crash was far from the end. The airline went on to have a long, accident-free run before being absorbed into Austrian Airlines in 2013. Niki Lauda passed away in 2019, having acknowledged that the loss of flight 004 was the hardest moment of his life — harder even than the crash which almost killed him. But we do not know, and may never know, to what extent his celebrity has colored the long aftermath of the disaster. In fact, had Lauda Air been owned by anyone else, the story which was told and retold would have been very different, and probably much more critical of the airline. Instead, the accident has become part of the myth of Niki Lauda, a myth which Lauda himself created, and which is too often accepted uncritically. For that reason, this article tells the story of the crash as, first and foremost, an airplane accident, and not as a classical drama pitting Lauda’s David against Boeing’s Goliath. There were no “good guys” and “bad guys” — only the cold, hard laws of physics and our flawed efforts to overcome them.
_________________________________________________________________
Join the discussion of this article on Reddit!
Visit r/admiralcloudberg to read and discuss over 220 similar articles.
You can also support me on Patreon.
