The pilot of the Falcon 7X that experienced runaway nose-up pitch trim in May 2011 over Malaysia used his military experience and applied a procedure he had learned for bombing to recover from an unusual and dangerous attitude, according to the recently released final report from the BEA, France’s aviation accident investigation authority. The incident caused Dassault to ground the fleet temporarily. Although the French OEM did provide details about the cause of the problem at the time, the report highlights what the BEA regards as deficiencies at manufacturers and at certification authorities.
When the pitch angle of the 7X increased rapidly, the pilot rolled the aircraft sharply to the right, applying a 40- to 80-degree bank angle for approximately 20 seconds. This quick thinking converted the pitch angle into a turning maneuver, thus arresting the climb and stabilizing speed. “The pilot had a very good reaction,” Dassault chief test pilot Philippe Deleume told AIN. The maneuver was incorporated into Dassault’s upset recovery training program in late 2014, added Frédéric Leboeuf, v-p of Falcon operational support directorate.
The BEA expressed concern that the successful execution of this maneuver contrasts sharply with the widespread “insufficient” training that pilots undergo for unusual-attitude recovery. In such situations, “identification of the problem is key,” Leboeuf noted. The EASA is preparing a new regulation it hopes to introduce in April 2018. The BEA also deemed “unsuitable” the operational documentation that Dassault provided to pilots at the time. “Our manual was requiring that pilots push the sidestick but the digital flight control system (DFCS, see sidebar) had already done the maximum it could,” according to the company.
Dassault told AIN that the DFCS did “see” the problem but lacked the authority to counter it. With the stick in the neutral position, the leading edge of the horizontal stabilizer was deflected down 11 degrees (providing nose-up pitch). The DFCS tried to counteract with elevator. However, although the elevator can apply a greater angle of deflection in the opposite direction, it has much less surface area than the horizontal stabilizer ahead of it. The best efforts of the DFCS were therefore insufficient to restore equilibrium.
(The horizontal stabilizer of simpler airplanes is a fixed surface, and the elevators—movable for pitch control and incorporating movable tabs for trim—are attached to that fixed forward surface. On more complex aircraft such as the 7X the horizontal stabilizer can be deflected up or down to provide, respectively, nose-down or nose-up trim.)
The pitch-trim failure lasted two minutes and 36 seconds, after which the temperature of an electric motor reached a limit that transferred primary trim control to a redundant system. During the trim upset, the aircraft climbed from 13,000 to 22,000 feet and its calibrated airspeed dropped to 125 knots from 300. The nose-up pitch angle peaked at 41 degrees and the highest load factor was 4.6g.
Training Changes Recommended
The report indicates that the pilots had limited experience with sidesticks. As a result, there were dual control inputs during two periods of about 10 seconds each. One factor behind the dual inputs, the BEA noted, was the sudden mental stress of the emergency. According to the BEA’s report, the pilots were counteracting each other’s movements. The pilot not flying briefly impeded the recovery the pilot flying had started.
Conflict between control inputs causes two alerts: an aural one (“dual input”) and a vibration felt through the sidestick. This enabled the pilots to identify and manage the situation. Under a defined procedure, one pilot did take priority by pushing a button (and keeping it pushed) on his sidestick. BEA investigators asserted that at the time of the incident above Malaysia, training to cope with conflicting control inputs was rudimentary. The BEA report says that 7X type rating training included only one exercise about dual input: the student pilot has to take priority control during the simulated incapacitation of the other crewmember.
The handling of conflicting dual inputs has since become part of the recurrent training curriculum on Falcons, but Deleume suggested a possible further improvement: urge the pilot to make a decision and declare “I’ll take control.” He said, “We are going to add examples more attuned to operations.”
BEA investigators want the EASA and airframers to include such training in initial and recurrent programs for all aircraft with passive sidesticks. Active sidesticks, which move together via an electronic coupling system, are currently flying on the in-development Gulfstream G500/G600. Dassault told AIN it mulled active sidesticks for the Falcon 7X. But despite the obvious benefit for situational awareness in normal operations, Deleume sees a major downside. To cope with an incapacitated pilot falling on his sidestick, he asserted, active sidesticks need automatic disconnection in the event of strong and conflicting dual input. The controls would therefore also disconnect in the event two stressed pilots make different inputs. The sidesticks would then switch to a passive mode, which would further complicate recovery because the setup would be foreign to the crew, Deleume contended.
During the incident over Malaysia, could the pilots have pulled a pitch trim circuit breaker? Or could they have pushed the autopilot disconnect switch to shut off the electric trim? The short answer is “no.”
On a Falcon with conventional controls, an emergency control can disconnect the trim’s normal actuator (thus switching to the backup actuator) in the event of a problem. On a fly-by-wire Falcon 7X, the DFCS may decide which actuator to use. “Digital controls do things the pilot cannot see,” said Jean-Louis Montel, Dassault's senior v-p of engineering. Therefore, the system is in charge of monitoring and can draw on redundancies as it deems necessary. “It is better and quicker [than a human pilot],” Montel asserted. During the incident, the DFCS received erroneous information, which was all the more hazardous because the system deemed it to be valid (no sensor failure was detected) and plausible. “Our design was not perfect,” chief test pilot Philippe Deleume acknowledged.
As one of the first actions after the fleet’s grounding, Dassault installed an emergency control that equips the pilot to switch to the trim’s backup actuator. On the Falcon 8X, Dassault has decided that the switch is no longer needed. “We improved the design and production and could thus revert to the DFCS philosophy,” Montel said.
The root cause of the 7X’s pitch problem was a production issue: a brazing defect in an inductance pin located in the horizontal stabilizer electronic control unit (HSECU). The HSECU sent erroneous commands to the tailplane, causing the aircraft to pitch up. Simultaneously, the computer was telling the monitoring system that the control surface was applying a pitch-down force. The HSECU is made by Rockwell Collins to Dassault’s specifications.
Because a single failure almost caused a catastrophe, the consequence of one component failure in the HSECU had been underestimated, the BEA said. It studied how the failure mode and effect analysis (FMEA) had been performed and identified shortcomings in human resources.
The BEA also suggests time pressure in the development and certification process compromised the FMEA. But this kind of analysis has its own limitations, the BEA said, in that it takes into account only known failure modes and single failures rather than multiple component failures. “FMEAs were developed in the late 1940s to deal with simple mechanical and electric equipment and can be unsuited to analyze complex systems, notably those [relying on] digital computers,” the report points out. It recommends that the EASA, FAA, SAE and Eurocae assess alternative or complementary methods to FMEAs for electronic hardware and software.
On a similar note, the report highlights a lack of independence between control and monitoring. The actuator control monitoring unit relied entirely on the HSECU, and it complied with certification requirements. The architecture, however, did not guarantee that an HSECU malfunction would be detected, demonstrating to the BEA that certification authorities have weaknesses in safety analysis.
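The lack of independence described above, as an added illustration that is not taken from the BEA report or from Dassault: a constructed Python simulation in which a faulty control unit drives the stabilizer nose-up while reporting that it is following the command. The class and function names, rates and thresholds are assumptions; only the 11-degree deflection comes from the article.

```python
"""Constructed model: a trim monitor fed by the controller vs. an independent one."""
from dataclasses import dataclass

STAB_LIMIT_DEG = -11.0  # leading edge down 11 degrees = nose-up trim (from the article)
RATE_DEG_S = 2.0        # assumed runaway rate
DT = 0.125              # simulation step in seconds (assumed)
TOLERANCE_DEG = 1.0     # assumed allowed gap between command and observed position
PERSIST_S = 0.5         # assumed time the gap must persist before the monitor trips


@dataclass
class ControlUnit:
    """Hypothetical stand-in for the control unit; not the real HSECU logic."""
    faulty: bool = True
    position: float = 0.0  # true stabilizer angle in degrees

    def step(self, commanded: float) -> float:
        if self.faulty:
            # Fault: the surface runs nose-up whatever the command is...
            self.position = max(STAB_LIMIT_DEG, self.position - RATE_DEG_S * DT)
        else:
            self.position = commanded
        # ...while the unit's own report says it is tracking the command.
        return commanded


def run(monitor_source: str, faulty: bool = True, duration_s: float = 30.0):
    """Return (trip time in s, true position in deg) or None if the monitor never trips.

    monitor_source "controller": the monitor sees only what the control unit reports.
    monitor_source "independent": the monitor reads the surface through its own sensor.
    """
    unit = ControlUnit(faulty=faulty)
    commanded, bad_for = 0.0, 0.0
    for i in range(1, int(duration_s / DT) + 1):
        reported = unit.step(commanded)
        observed = reported if monitor_source == "controller" else unit.position
        # Count how long the observed position has disagreed with the command.
        bad_for = bad_for + DT if abs(observed - commanded) > TOLERANCE_DEG else 0.0
        if bad_for >= PERSIST_S:
            return (i * DT, unit.position)  # here the backup actuator would take over
    return None


if __name__ == "__main__":
    print("monitor fed by controller:", run("controller"))
    print("independent monitor:      ", run("independent"))
```

In this model the monitor fed by the control unit never trips, because the only evidence it sees comes from the failed component, while the independent monitor trips once the disagreement has persisted for the confirmation time.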
By-wire or digital?
Although the words “fly-by-wire” (FBW) have long been used in the industry, Dassault believes “digital flight control system” (DFCS) better describes the Falcon 7X’s flight controls. Early FBW systems were analog, and “fly-by-wire” does not mean wires have replaced rods, cables and so on. Digital technology allows a pilot’s control inputs to be translated into the optimum combination of control surface deflections; a roll input translates into the ailerons, spoilers and rudder moving. While such distribution of action is common on digitally controlled aircraft, only some of them (including Airbus jets, the Embraer Legacy 450 and 500 and the Falcon 7X) have autotrim, which automatically trims the aircraft in response to pilot input, thus reducing workload.
May 24, 2011: Incident happens during descent toward Kuala Lumpur, Malaysia.
May 26: At Dassault’s request, EASA grounds Falcon 7X fleet.
May 27: FAA follows suit.
June 16: Additional monitoring is introduced, independent from the horizontal stabilizer electronic control unit (HSECU). A push-button is added, enabling the pilots to manually switch to the trim’s backup actuator. These actions, combined with an inspection of the HSECU, allow operators to resume flying. The flight envelope is restricted at high speed, however, a limitation stemming from the time needed for the new monitoring function to kick in.
July 7: Potential mechanical interference between HSECU components is eliminated.
August 29: Software is modified to improve monitoring, notably the deflection speed of the tailplane. Upgraded software also accelerates the detection of runaway pitch trim, restoring the full flight envelope.
(Source: BEA report)