Serious incident to a Dassault Falcon 7X, registered HB-JFN, on 05/24/2011 at Subang (Malaysia)
Uncommanded runaway of the horizontal stabilizer in normal law during descent
ORGANISATION OF THE INVESTIGATION
The serious incident occurred in Malaysian airspace. The BEA informed the Malaysian civil aviation authorities who delegated the investigation to the BEA.
In accordance with the provisions of ICAO Annex 13, Accredited Representatives and advisers from Switzerland (State of Registry and of Operation of the aeroplane), the United States (State of Manufacture of the HSECU), and Malaysia (State of Occurrence) participated in the investigation.
The investigation lasted over four years during which the exact determination of the circumstances and the retrieval of information from equipment manufacturer Rockwell-Collins proved to be difficult. Specifically, receiving replies could take several months. This was justified by the fact that the BEA’s investigation into the organisational factors that led to the serious incident was unprecedented and the various elements required for replies took time to retrieve.
4 - SAFETY RECOMMENDATIONS
4.1 Additional Methods for FMEA
The investigation tends to show that the means required to detect errors that may be present in Failure Mode, Effects and Criticality Analyses (FMEA) are inadequate, specifically when the analysis relates to equipment that is considered critical. This finding is also based on other accidents. It also shows the limits of FMEA which, though well adapted to simple systems and to the material malfunctions for which it was designed some decades ago, seems to be less effective for electronic equipment or software.
This is why the BEA recommends that:
- EASA, in coordination with FAA, SAE and EUROCAE(1), evaluate and propose alternative or additional methods to the FMEA for electronic equipment and software. [Recommendation 2016-002]
- FAA, in coordination with EASA, SAE and EUROCAE, evaluate and propose alternative or additional methods to the FMEA for electronic equipment and software. [Recommendation 2016-003]
4.2 Independence between control and monitoring systems
Independence between control and monitoring systems, as well as checks on this independence, constitute key elements in the safety of a system. They are not explicitly required by certification specifications. Some errors that may exist in safety analyses are difficult or even impossible to detect based on the available technical standards, whether during checking and validation by the design organisation or during approval by the authorities responsible for certification. In the case of this serious incident, a simple brazing error led to undetected failures on both of the systems and thus to the runaway of a primary flight control surface to an undesirable position.
This is why the BEA recommends that:
- EASA, in coordination with FAA, SAE and EUROCAE, develop means or methods that make it possible to consolidate, during safety analyses, checks on the independence of system control and the monitoring of said system. [Recommendation 2016-004]
- FAA, in coordination with EASA, SAE and EUROCAE, develop means or methods that make it possible to consolidate, during safety analyses, checks on the independence of system control and the monitoring of said system. [Recommendation 2016-005]
(1) Acronym of the EURopean Organisation for Civil Aviation Equipment, a European organisation that defines rules for the standardisation of systems used in civil aviation.
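The common-cause mechanism described in 4.2, as an added illustration that is not part of the BEA report: a monitor lane that shares a conditioning stage with the control lane cannot see a fault in that stage, whereas an independent lane trips on the first cycle. The stage, the stuck-output fault model, the threshold and the simulation are all hypothetical constructs for this example.

```python
"""Control/monitor independence versus a shared latent fault (hypothetical model)."""
from dataclasses import dataclass
from typing import Optional, Tuple

RUNAWAY_THRESHOLD_DEG = 0.5  # hypothetical trip threshold for command/feedback disagreement


@dataclass
class ConditioningStage:
    """Command conditioning stage (hypothetical). A latent hardware fault, such as
    the brazing error in the report, is modelled as a stuck output: the stage
    emits a constant drive regardless of what the pilot commands."""
    stuck_output: Optional[float] = None  # None means the stage is healthy

    def condition(self, pilot_cmd_deg: float) -> float:
        return pilot_cmd_deg if self.stuck_output is None else self.stuck_output


def run_cycle(pilot_cmd_deg: float, control: ConditioningStage,
              monitor: ConditioningStage, position_deg: float) -> Tuple[float, bool]:
    """One control cycle: returns (new stabilizer position, monitor tripped)."""
    drive = control.condition(pilot_cmd_deg)      # what the control lane applies
    expected = monitor.condition(pilot_cmd_deg)   # what the monitor lane expects
    if abs(drive - expected) > RUNAWAY_THRESHOLD_DEG:
        return position_deg, True                 # disagreement: inhibit the actuator
    return position_deg + drive, False            # agreement: let the command through


def simulate(shared_monitor: bool, cycles: int = 5) -> Tuple[float, bool]:
    """Inject one stuck-output fault into the control stage and run with a monitor
    that either reuses that stage (shared) or has its own healthy stage (independent).
    The pilot commands no trim throughout, so any movement is a runaway."""
    faulty = ConditioningStage(stuck_output=1.0)
    monitor = faulty if shared_monitor else ConditioningStage()
    pos, tripped = 0.0, False
    for _ in range(cycles):
        pos, tripped = run_cycle(0.0, faulty, monitor, pos)
        if tripped:
            break
    return pos, tripped


if __name__ == "__main__":
    print("shared monitor     :", simulate(True))   # runaway continues undetected
    print("independent monitor:", simulate(False))  # trips on the first cycle
```

The shared design reports no fault while the stabilizer runs away, which is the detection gap the recommendation asks certification methods to expose.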