Engine Shutdown Results in Revised SOV Rigging Instructions (Dassault Falcon 2000EX HB-IAU)
On 4 October 2018 Dassault Falcon 2000EX HB-IAU suffered a rare Pratt & Whitney Canada (PWC) PW308C turbofan engine failure mode when an emergency fuel shut-off valve (SOV) “activated because of its incorrect rigging” say investigators. Rather than simply dismiss this as a “Failure to Follow Procedures” following the investigation the manufacturer is enhancing its maintenance instructions.
The Incident Flight
The business jet took off from Zurich for Paris at 06:43 UTC, with two flight crew, a cabin attendant and two passengers. The commander was the pilot flying (PF), the copilot the pilot monitoring (PM). The Swiss Safety Investigation Board (SUST) explain in their safety investigation report, issued on 19 January 2021, that:
As the aircraft was climbing through Flight Level (FL) 70 about two minutes after take-off, the flight crew heard a dull bang and noticed the failure of the right [No. 2] engine.
The copilot tried to inform the air traffic controller about the engine failure and realised that radio No. 2 was inoperative. Using radio No. 1, he repeated the transmission, this time successfully, and requested immediate radar guidance for a return to Zurich…
The flight crew realised that the autopilot and the elevator trim had also failed. At the suggestion of the copilot, the right bus-tie (rotary switch) was closed and both systems worked again.
In addition, because of the bang, the commander decided not to attempt an engine restart. The copilot repeatedly advised the commander to declare an emergency, which he did at 06:52 UTC…
The aircraft made a safe landing at 06:59 UTC, however only after difficulties with interception of the localiser for runway 14.
The SUST Safety Investigation and Conclusions
The SUST say that the electronic engine control unit data “did not give any indication of a malfunction of the engine”. However, when the engine was examined the emergency fuel shut-off valve was found to be closed. This valve is only intended to stop fuel supply if the event of a low-pressure turbine shaft failure.
It is permanently open and can be closed rapidly and irreversibly only once by moving its actuating lever beyond a trigger point. This happens automatically and cannot be influenced from the cockpit. The control lever has an adjustable connection to a Bowden cable.
The No 2 engine had been installed on 2 October 2018 after repairs.
The rigging of the emergency fuel shut-off valve was checked. The next day, training flights were carried out with the HB-IAU without complaint.
[O]n 4 October 2018…it was determined that the rigging was outside the tolerance range.
The valve was readjusted in accordance with the applicable maintenance data.
A follow-up check carried out after four further flights on 16 October 2018 showed that the rigging had shifted again by 0.050 inches. The subsequent adjustment had to be repeated three times until a stable result was obtained.
SUST comment that:
The description of the adjustment procedure in the current documentation is very complicated.
An in-depth investigation finally revealed, when pulled by hand, the Bowden cable leading to the valve was stiff, difficult to move and jerky, and that the restoring force of a spring installed inside the valve was reduced.
[PWC] stated that the reason for the closure of the emergency fuel shut-off valve could not be determined with certainty and that the valve and the Bowden cable had no defects.
No malfunction had occurred in 2.5 million flight hours on valves of the same type, and only on 4 occasions in 16 million flight hours on comparable valves, each time after a reinstallation of the engine. In 3 of these cases, the malfunction could be attributed to an incorrect rigging.
As a precautionary safety action the maintenance data…
…was revised to enhance its comprehension; a supplemental revision containing instructions for checking the cable for freedom of movement in the emergency fuel shut-off valve reset procedure is planned for June 2021.
In relation to electrical power:
The electrical system of the aircraft contains the distribution busbars left main bus and right main bus, which in normal operation are fed by the generator of the corresponding engine. After the shutdown of the right generator, the right main bus is de-energized and can be replaced by the left generator by manual operation of the right bus-tie rotary switch.
The three systems (radio, autopilot and elevator trim) which in this case failed as a result of the engine shutting down are supplied via the right main bus.
By operating the right bus-tie rotary switch according to the engine failure checklist, the crew was able to recover these systems.
SUST examined the Flight Data Recorder (FDR) and identified that:
…the crew had programmed the autopilot according to the instructions of the air traffic controller, i.e. to intercept the instrument approach with the heading mode engaged (170°) and the approach mode armed. Consequently, the autopilot, which was following a heading of 210°, then initiated a left turn. During the left turn, there was a disturbance in the signal of the localiser which caused a change in the autopilot programming to roll mode engaged and approach mode disarmed.
The crew corrected this at 16:54:53 UTC after the aircraft had turned to an easterly heading.
If this missrigging had been discovered on the ground and not been subject to an independent safety investigation then it would most likely been investigated internally.
Sometimes investigators tend to assume procedure are perfect and any deviations are either a choice or a sign of a lack of competence. This is often because the airlines and maintenance organisation in question still have safety investigation processes that are orientated around feeding information into ‘review panels’. These panels are tasked with determining individual ‘culpability’ i.e. blame (sometimes rebranded as ‘accountability’) rather than focusing on safety improvement. They are usually expected to determine what action is to be directed at the individuals involved using flowcharts that are paradoxically both simplistic (as in unnuanced) and so complicated that their advocates recommend extensive training (which they of course happen to sell). Bizarrely the advocates of this approach confuse the existence of these procedures with the organisation having an actual ‘Just Culture’. In fact they simply have a ‘just culpability’ process to judge their employees and one that discourages the oneness a Just Culture is meant to foster.
You may also find these Aerossurance articles of interest:
- Airworthiness Matters: Next Generation Maintenance Human Factors
- Rockets Sleds, Steamships and Human Factors: Murphy’s Law or Holt’s Law?
- Professor James Reason’s 12 Principles of Error Management
- Back to the Future: Error Management
- King Air 100 Uncontained TPE331-6 Failure – Inappropriate Repair Scheme
- NDI Process Failures Preceded B777 PW4077 Engine FBO
- Maintenance Human Factors in Finnish F406 Landing Gear Collapse
- Inadvertent Fire Bottle Discharge During Maintenance
- Lost in Translation: Misrigged Main Landing Gear
- Falcon 7X LOC-I Due To Solder Defect
- Cessna Citation Excel Controls Freeze
- UPDATE 19 February 2021: Flybe Fume Event (Part 1): Compressor Wash Maintenance Human Factors Case Study