[SystemSafety] Technical information on Airbus A320 recall?

Prof. Dr. Peter Bernard Ladkin ladkin at causalis.com
Sun Nov 30 13:35:51 CET 2025 

On 2025-11-30 13:21 , David MENTRÉ wrote:
> Hello,
>
> I've heard on the news that Airbus is recalling all its A320 planes due to issue of the "control 
> software with solar radiations". Do you know where I can find more technical details of the issue 
> and Airbus' workaround(s)? Sometimes the news tell about software updates, sometimes about 
> hardware update.

https://www.flightglobal.com/safety/a320-grounding-linked-to-software-update-designed-to-protect-against-in-flight-loss-of-control/165521.article 
but watch out for some potentially misleading info.


Here is the pointer to the EAD

https://ad.easa.europa.eu/ad/2025-0268-E

>
> As typical issue with solar radiations is to flip bits randomly in the computer, I'm curious about 
> how a software update could solve the issue.

The state condition in a conditional in "new" software could theoretically be more susceptible to 
SEEs than any ancestors.

Most importantly, the EAD says "replace" or "modify" the ELAC. It doesn't say "install L103+ software".

Here is a note I just wrote to a closed list.

[begin quote]

The usual minor puzzles arise. FlightGlobal says "EASA has instructed operators, through an 
emergency directive, to uninstall the L104 software standard for the ELAC B elevator aileron 
computer hardware, and revert to the L103+ version."

That is not quite what the EAD says. It says "(1) For Group 1 aeroplanes: Before next flight after 
the effective date of this AD, replace or modify each affected ELAC with a serviceable ELAC in 
accordance with the instructions of the AOT."

It is surely clear what "replace" means. It is referring to a computer, a piece of hardware. It 
means take it out and put <something else, namely a serviceable ELAC" in. Parsing the sentence 
further, it is not clear to me what "modify each affected ELAC with a serviceable ELAC" might mean. 
It might mean that there is divergent hardware between L103+ and L104 and operators are to take out 
the divergent L104 items and install L103+ items in their place(s). (I am using the word "item" to 
mean "functional unit", as is hinted at but not explicitly defined in IEC 61508-4).

If it is just a SW uninstall/reinstall it seems odd to me that the semantic emphasis should be on 
replacing a piece of HW.

I see a couple of possibilities (some of us will know I am currently into "possibility analysis" and 
giving a short tutorial on it at the Safety-Critical Systems Symposium in York in February 2026).

One is that the L104 HW is thought for some reason to be more susceptible to SEEs than the L103+ HW.

A second is that the L104 version contains conditional actions upon certain states that the L103+ 
version does not contain. (One may first consider whether the set of L104 states could be more 
refined than the set of L103+ states, but the set of input states is ideally given by the cartesian 
product of sensor value ranges and there is no EAD requuirement for changing any sensor; it follows 
that the set of externally recognised states by both ELACs is identical.) And that this conditional 
action (resulting apparently in elevator deflection) is given by a state configuration that is 
somehow sensitive to corruption.

So I remain puzzled.

A final word about FlightGlobal's comment about "thermal neutrons." I take it with a grain of salt 
that people think they know what primarily causes SEE in the atmosphere at altitude. I looked at it 
pretty hard a couple of decades ago.

There were problems with SEEs in DRAM chips in the late1980's --early 1990's. The first occurrences 
were solved by refining the silicon substrate to get rid of thorium, which was responsible for 
emitting alpha particles and apparently causing them. But DRAMs were still suffering plenty of SEEs 
at altitude -- Concorde was flown with a few experiments on board. Concorde's cruise altitude is 
where the most cosmic-ray derivative activity is found.

Boeing Radiation Effects Lab personnel were convinced (repeatedly citing themselves) that these SEEs 
were due to neutrons. There were various publications in conferences and in the IEEE Transactions on 
(if I remember rightly) Electron Devices which claimed this had been "established". I followed the 
citation chain backwards (if you chain citations, at some point the later ones can claim something 
has been "established" and it seems not too many people will follow the chain back). It all stemmed 
from one experiment with a DRAM half-in and half-out of a beam at the Sandia Labs neutron 
accelerator in New Mexico. The part of the DRAM in the beam suffered more SEEs than the part out of 
it. But the major effect was that, amongst the bit-flips and latchings, there was high asymmetry -- 
that is, (I forget which way round) more 1's flipping to 0's than 0's flipping to 1's (or vice 
versa). Neutrons are uncharged -- if they were the proximate cause of these events you would expect 
the events to exhibit symmetry. The article reporting the experiment did not address this issue at all.

I took this article and observation to an experimental particle physicist at Bielefeld (the Uni had 
a very well-respected cohort of particle physicists, most of whom I knew because my office was on 
the same corridor as most of theirs and unlike most German academics their doors were mostly open 
and they weren't averse to someone dropping by for a short chat). His comment was that 90% of the 
publications in experimental particle physics were rubbish and IEEE Transactions were no exception. 
He wasn't at all surprised to see an article in which the major effect (asymmetry) was seemingly 
inconsistent with the claimed mechanism. There were other plausibility arguments (DRAMS in aircraft 
sit inside the fuselage, which has a thickness which can stop almost all charged particles deriving 
from cosmic rays). I talked to the theorists about these, and it was pointed out that in fact not 
much is precisely known about the exact spectrum of cosmic-ray-derived radiation at altitude, 
amongst other things because reliable detectors are huge and don't fit on airplanes. let alone 
balloons. And flying airplanes up high for lots of hours costs money which tends to gravitate more 
to the even-more-hugely-expensive terrestrial kit.

There was no "market", then as now, for getting any of my observations on this topic published. 
Since I am now just writing what I remember from then, it is also not clear how reliably I am 
remembering. Caveat lector.

[end quote]

PBL

Prof. Dr. Peter Bernard Ladkin
Causalis Limited/Causalis IngenieurGmbH, Bielefeld, Germany
Tel: +49 (0)521 3 29 31 00

More information about the systemsafety mailing list