Falcon 7X LOC-I Due To Solder Defect
On 25 May 2011, a Dassault Falcon 7X business jet, HB-JFN, operated by Jet-Link, suffered a pitch trim runaway that caused a 40° pitch up, a rapid climb and a temporary Loss of Control Inflight (LOC-I) over Malaysia.
First flown in 2005 and certified in April 2007, after a test programme of 590 flights and 1600 flying hours, the 7X features a fly-by-wire (FBW) control system. This Digital Flight Control System (DFCS) and the Falcon family’s EASY (Enhanced Avionics SYstem) flight deck design draw on Dassault’s 30 years of military fighter experience, especially with the Rafale and Mirage 2000. The type had accumulated 75000 flying hours at the time of the incident.
The French Bureau d’Enquêtes et d’Analyses (BEA), to whom the investigation was delegated, has now reported (in French) on this serious incident (commenting that the long duration was necessary to examine the organisational factors).
The Incident Flight
While descending through 13000 feet at the end of a positioning flight to Kuala Lumpur, the elevator pitch trim moved, over 15 seconds, from neutral to the full nose-up position.
The First Officer (Pilot Flying), a former military pilot with experience on the Mirage IV and Mirage 2000, put the aircraft into a steep right-hand bank to aid recovery, partially replicating the ‘palier-ressource’ military manoeuvre (which involves approaching a target in level flight before pulling up at 30° pitch to release the weapon, and then banking to 90° to reduce pitch and escape).
At two points (for 9 and 12 seconds respectively) both the Commander (Pilot Non-Flying) and the First Officer were simultaneously using their side sticks. The First Officer used the priority button to override the Commander’s inputs and asked him to stop. The pitch subsequently decreased, as did the load factor (from a maximum of 4.6 g to less than 1.5 g). After about 2.5 minutes the crew regained control and landed safely. The aircraft had, however, climbed to 22500 feet.
The incident prompted such concern that the next day the European Aviation Safety Agency (EASA) published an Emergency Airworthiness Directive (EAD) prohibiting further flights by the Falcon 7X fleet until further notice. A further Airworthiness Directive (AD), in two stages, permitted operations to resume with modifications and operational limitations. A third AD with modifications and operational tests followed.
The Safety Investigation
The BEA found that a defective ‘cold’ solder joint at a pin of a component of the Horizontal Stabilizer Electronic Control Unit (HSECU) led this computer to send an erroneous signal to the actuator driving the horizontal stabiliser trim (HRT), with simultaneous failures of the monitoring channel that went undetected.
The solder had not reached an adequate temperature because the board had acted as a heat sink, resulting in micro-cracking. The BEA highlight a similar, but unconnected, case in 2007 (Airbus A321 I-BIXK, which suffered a braking failure after similar solder defects in its Brakes and Steering Control Unit).
A number of contributory factors are identified by the BEA. One is the non-detection of the production fault. They also comment that the HSECU supplier’s Failure Modes and Effects Analysis (FMEA) was not suitably comprehensive, and note that this FMEA was not subject to detailed review by the aircraft Type Certificate (TC) Holder. The TC Holder’s System Safety Assessment (SSA), conducted in accordance with 25.1309 and partly based on that FMEA, was therefore incomplete.
The BEA also reference safety assessment lessons from an Australian Transport Safety Bureau (ATSB) report into an upset involving an A330, VH-QPA, in 2008 (in that case, not fully considering the potential effects of frequent spikes in the data from an air data inertial reference unit). They go on to comment that little attention is paid to human factors affecting designers and to latent errors that can creep into documentation.
The BEA note that the crew were only able to recover the aircraft by the prompt application of techniques the First Officer had learnt and practiced flying military fast jets.
Safety Recommendations & Safety Actions
The BEA make recommendations on:
- Using methods to supplement FMEAs (particularly for critical electronic systems)
- Ensuring independence between the control and monitoring channels
- The Operational Suitability Data (OSD) framework should include initial and recurrent training relating to taking over control of aeroplanes equipped with non-coupled control sticks (a recommendation previously also made in relation to an accident to A321 SX-BHS, which we have previously discussed)
Following the serious incident, in addition to the aircraft design changes by Dassault as part of the series of ADs, HSECU manufacturer Rockwell Collins has:
- Updated their FMEA. The BEA report it now contains more detailed descriptions of the effects of failures of each component or HSECU function.
- Changed the layout of the electronic cards and added an insulating wafer to ensure that the solder reaches the necessary temperature.
- Added X-ray examination of the electronic cards to the production process to detect any cold solder joints.
- Added HSECU voltage monitoring to detect any possible latent failures.
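The BEA’s recommendation on independence between control and monitoring channels, and the report’s finding that the erroneous HSECU signal was accompanied by an undetected monitoring failure, are easier to grasp with a small model. The simulation below is an added illustration written for this post; it is not code from the BEA, Dassault or Rockwell Collins, and it is not a representation of the real HSECU. The 15 second neutral-to-full-nose-up runaway and the 11° stabiliser deflection are taken from the text above; the step size, control gain, tolerance, trip count and the actuator and monitor designs are assumptions chosen for clarity. It contrasts a monitor that only checks the command path’s own output against a fixed range (no second source of truth, so the wrong value is judged valid and plausible) with a monitor that recomputes the expected trim rate itself and compares it with actuator position feedback.

```python
"""Toy model of a trim command path with two monitor designs.

Added illustration for this article, not code from the BEA, Dassault or
Rockwell Collins. Every number here (step size, gain, tolerance, trip count)
is an assumption; the 15 s runaway and 11 degree travel follow the narrative.
"""
from dataclasses import dataclass
from typing import Optional

DT = 0.1                            # simulation step in seconds (assumed)
FULL_NOSE_UP = 11.0                 # stabiliser travel limit, degrees (from the article's 11 deg)
RUNAWAY_RATE = FULL_NOSE_UP / 15.0  # neutral to the stop in ~15 s, as in the incident narrative
TRIP_SAMPLES = 3                    # consecutive disagreeing samples before the monitor latches (assumed)
RATE_TOLERANCE = 0.05               # allowed mismatch between expected and measured rate, deg/s (assumed)


def intended_rate(stick: float) -> float:
    """Simplified control law: trim rate requested for a stick deflection in -1..1 (assumed gain)."""
    return 0.5 * stick


def control_channel(stick: float, faulted: bool) -> float:
    """Command path output. When faulted it emits a steady full nose-up rate
    regardless of the stick, standing in for the erroneous HSECU signal."""
    return RUNAWAY_RATE if faulted else intended_rate(stick)


class SharedMonitor:
    """Monitor that only checks the command path's own output against a static
    range. With no independent observation, an in-range wrong value passes as
    'valid and plausible' on every cycle."""

    def check(self, stick: float, command: float, measured_rate: float) -> bool:
        return abs(command) <= RUNAWAY_RATE   # the erroneous value sits exactly inside the range


class IndependentMonitor:
    """Monitor with its own computation of the expected rate and its own
    observation (actuator position feedback). It never trusts the command
    path's output; persistent disagreement latches a fault."""

    def __init__(self) -> None:
        self.disagreeing = 0
        self.latched = False

    def check(self, stick: float, command: float, measured_rate: float) -> bool:
        if self.latched:
            return False
        if abs(measured_rate - intended_rate(stick)) > RATE_TOLERANCE:
            self.disagreeing += 1
        else:
            self.disagreeing = 0
        if self.disagreeing >= TRIP_SAMPLES:
            self.latched = True
        return not self.latched


@dataclass
class Result:
    tripped_at: Optional[float]   # time (s) at which the monitor inhibited the actuator, if ever
    final_position: float         # stabiliser position at the end of the run, degrees nose-up


def simulate(monitor, fault_at: float = 2.0, duration: float = 20.0, stick: float = 0.0) -> Result:
    """Loop: command -> actuator -> position feedback -> monitor. Once the monitor
    declares a fault the actuator is inhibited (held) for the rest of the run."""
    position = 0.0
    inhibited = False
    tripped_at = None
    fault_step = int(round(fault_at / DT))
    for i in range(int(round(duration / DT))):
        command = control_channel(stick, faulted=i >= fault_step)
        rate = 0.0 if inhibited else command   # actuator tracks the command exactly (assumed)
        position = max(-FULL_NOSE_UP, min(FULL_NOSE_UP, position + rate * DT))
        if not inhibited and not monitor.check(stick, command, rate):
            inhibited = True
            tripped_at = i * DT
    return Result(tripped_at, position)


def compare(fault_at: float = 2.0) -> dict:
    """Same fault, two monitor designs, plus a no-fault run with normal stick
    input to show the independent monitor does not trip on ordinary trimming."""
    return {
        "shared": simulate(SharedMonitor(), fault_at),
        "independent": simulate(IndependentMonitor(), fault_at),
        "independent_no_fault": simulate(IndependentMonitor(), fault_at=1e9, stick=0.4),
    }


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:22s} tripped_at={r.tripped_at} final_position={r.final_position:.2f} deg")
```

With the fault injected at 2.0 s and the stick neutral, the shared monitor never trips and the stabiliser runs to the 11° stop; the independent monitor latches after three disagreeing samples (0.3 s) and stops the runaway at roughly 0.2°. The toy only shows the logical side of independence: in a real design the monitor also needs its own hardware, power and input sources, which is what the Common Mode Analysis referred to in EASA’s response is there to check.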
UPDATE 6 May 2016: AINonline give more detail on the operational and training aspects: Falcon 7X Incident Prompts Training Changes
…the DFCS did “see” the problem but lacked the authority to counter it. With the stick in the neutral position, the leading edge of the horizontal stabilizer was deflected down 11 degrees… The DFCS tried to counteract with elevator. However, although the elevator…has much less surface area than the horizontal stabilizer ahead of it. The best efforts of the DFCS were therefore insufficient to restore equilibrium.
On a Falcon with conventional controls, an emergency control can disconnect the trim’s normal actuator (thus switching to the backup actuator) in the event of a problem. On a fly-by-wire Falcon 7X, the DFCS may decide which actuator to use. “Digital controls do things the pilot cannot see,” said Jean-Louis Montel, Dassault’s senior v-p of engineering….“It is better and quicker [than a human pilot]…. During the incident, the DFCS received erroneous information, which was all the more hazardous because the system deemed it to be valid (no sensor failure was detected) and plausible.
On the matter of the dual inputs:
The handling of conflicting dual inputs has since become part of the recurrent training curriculum on Falcons.
UPDATE 10 May 2017: EASA have made the following responses (catalogued in their Annual Safety Recommendations Review 2016):
System Safety Assessments (SSA), including Failure Modes & Effects Analyses (FMEA) and Common Mode Analyses (CMA), are considered adequate methods when applied in accordance with the recommended practices laid down in industry standard SAE ARP4761. This industry standard is currently being revised for other reasons under the responsibility of the Working Groups (WG) EUROCAE WG63 and SAE S18. EASA, together with FAA, are involved in these groups. EASA will use this opportunity to discuss the need for alternative or additional methods to the FMEA for electronic equipment and software.
Since JAR 25 change 16, the JAR/CS 25.1309 requires explicitly that catastrophic failure conditions must not result from a single failure. A system architecture with independent control and monitoring is only one of the available means to comply with this requirement. The AMC 25.1309 clarifies that a single failure includes any set of failures which cannot be shown to be independent from each other. The AMC then drives the applicant to the different existing types of common cause analyses to be conducted in order to ensure that independence is maintained. The ARP4761, as referenced in AMC 25.1309, details how to perform these common cause analyses (Particular Risk Analysis, Common Mode Analysis, and Zonal Safety Analysis). Note that the ARP4761, Appendix K “Common Mode Analysis”, indicates that consideration should be given to the independence of functions and their respective monitors. The Common Mode Analysis is actually the method to check that the necessary independence between system control and monitoring of that said system is correctly implemented. The means and methods are thus considered already in place.
EASA acknowledges the need to emphasise procedures for taking over control of aeroplanes equipped with non-coupled control sticks during initial and recurrent training. Existing Air Operations and Flight Crew Licensing (OPS/FCL) Operational Evaluation Board (OEB) reports and recently approved OSD-FC (Operational Suitability Data – Flight Crew) for aeroplanes equipped with non-coupled control sticks, already include relevant dedicated Training Areas of Special Emphasis (TASE). In cooperation with manufacturers of aeroplanes equipped with such control sticks, EASA will continue to ensure that the specific TASE is included in the OSD-FC. Furthermore, EASA published, on 16 October 2015, Safety Information Bulletin (SIB) 2015-17R1 on unreliable airspeed indication at high altitude/manual handling at high altitude, which recommends, amongst other things, that the initial and recurrent training includes procedures for taking over and transfer of manual control of the aircraft, especially for fly-by-wire aeroplanes with independent side-sticks.