Vulnerability of digital engine control can be a common mode failure

The crash of a British Airways B777 on 17 January 2008 ended approximately 13 accident-free years since the high-technology fly-by-wire airplane first entered revenue service in 1995. From what can be surmised at this point, the crash could potentially be a black eye for automation. Details remain sketchy, but the flight BA038 accident occurred in the last moments before landing at London’s Heathrow Airport after a trans-polar flight from Beijing. Up until that point, the flight had been like thousands the B777 has made routinely over intercontinental distances.
In this case, however, there was a last-minute power loss in which Captain Peter Burkill and First Officer John Coward (the pilot flying) were able to sustain a maximum glide profile leading to an incipient last-minute stall that, in turn, led to a heavy impact. They just cleared the perimeter road and a boundary fence, slamming down well short of the runway proper. The force of the rapid descent and landing gear sinking into the unreinforced underrun rammed the left main gear oleo through the wing, tore up much of the wing structure and twisted the fuselage. (See Figure A) Fortunately, it appears that most, if not all, emergency evacuation slides functioned properly, and the 151 passengers and crew evacuated, albeit some with minor injuries. One passenger suffered a compound fracture to the leg. (See Figure B) Even though the wings were badly damaged, there was no post-crash fire, probably due to the low fuel state following the long flight from China. There was a brief flame under the left wing at impact, but it was quickly gone.
Figure A: Foam applied to the crash site, although no fire erupted, probably due to the minimal fuel remaining in the tanks after the long flight from Shanghai.
Figure B: The moment of touchdown, indicating the extent of damage to the left wing root. Note also the closeness of the airport perimeter and the adjacent road. This photo of the aircraft at the moment of impact shows a small flash of flame at the joint of the left engine and the wing, which probably fortuitously extinguished itself.
The ground at the time of the accident had been softened by weeks of rain, which helped cushion the force of impact. The airplane stopped in the length of just more than one section of approach lights.
It was apparently a very close call. Touchdown was a mere 50 feet inside the airport perimeter fence. Another 600 feet shorter, and the crash would have occurred on a major road (the A30 highway), recalling the fatal accident in 1989 at Kegworth, UK, when a British Midland B737 crashed short of the airport against a steep highway embankment, killing 47 of the 126 passengers and crew aboard.
As it was, the B777 shed its landing gear, ploughed through the grass and came to a rest almost exactly on the runway threshold, slewing 45 degrees to the right as it did so.
Passengers reported no advance warning of any emergency and thought it was a bumpy landing until the oxygen masks came down and pieces of the cabin ceiling liner and sections of some overhead bins came off.
It is estimated the pilots only had some 45 seconds before impact to troubleshoot and then attempt to compensate for the momentary loss of power. Captain Burkill’s decision to allow First Officer Coward to continue flying the aircraft was probably the correct decision. The First Officer had the feel of the aircraft on the approach, and Captain Burkill was simultaneously freed up for troubleshooting, analysis and decision making. It is believed that he rapidly retracted the flaps to a lesser stage, thus killing some drag and critically extending the glide ratio.
As it was, options were limited. There was almost nothing else to do other than optimize the aircraft’s pitch attitude (i.e., angle of attack) and speed for the residual thrust. Gear retraction? Probably unwise. Experience has always shown that when an airplane impacts the ground, the landing gear and the structure to which it is attached (wing rear spar) absorb so much energy that leaving the gear down could only increase the chances of survival for all occupants.
What were the circumstances that were different on this particular journey that led, not to a routine landing, but to an accident? From what is known, it is possible to postulate a theory as to what happened.
The weather was extremely cold that day, from China to the UK. Some pilots reported they had to descend to lower altitude to keep their fuel from freezing. A South African Airways pilot reported:
“I was flying a B747 that morning across Russia and Germany, landing at [Heathrow] at 5 a.m. from the Far East. I have never had to descend to a lower flight level [FL] in order to increase my fuel temperature in 25 years of jet flying. But on that particular morning, I had to go down the last hour of cruise to FL250 before my fuel temperature began to warm up. Every other jet in my vicinity that day also descended for the same reasons … There was an unusually cold air mass over southern Russia and Germany that day …”
And this comment from a Qantas pilot flying the same height as BA038:
“I was out of Singapore that night … across Russia. EICAS [Engine Indication & Crew Alerting System] complained at -37˚ C fuel temperature. Crossing into Germany, we descended to FL340 with a TAT [Total Air Temperature] of -37˚ C. Fuel temp continued to drop. At -40˚ C I descended to FL3000 and temp carried on down to -41˚ despite a TAT of -34˚. Then I decided it was time to stop messing around and I descended to FL 250 for the last hour in the cruise to [Heathrow]. Fuel began to warm up slowly at FL250. All other flights in our vicinity from the Far East were descending that morning … for the same reason. The BA 777 would have been on a more northerly flight plan out of Shanghai and would have been in the cold air mass longer than us. Undoubtedly, he would have had to descend with low fuel temps as well, but if the temp gauge/system was malfunctioning, he may not have had a ‘low fuel temp’ EICAS message. All speculation, of course, but the cold air mass that morning was giving everyone problems.” (See Figure C)
Figure C: Fuel temperature on the B777 is displayed in the lower right corner. If the fuel temperature reaches the established minimum, the indication turns from white to amber in color. Note the amber ‘Fuel Temp Low’ message in the upper right, as well. Source: Boeing
Another pilot commented that “the air temp over the UK at the time [of the accident] was some of the coldest I’ve ever experienced with OAT [outside air temperature] at higher levels down to -70 degrees Celsius.”
There is an unconfirmed report that the BA038 pilots did not descend during cruise to lower altitude.
At very low temperatures, wax crystals form in the fuel and “flowability” may be impeded (akin to the way a blood clot or embolus can cause a stroke). The cold fuel approaches a semi-rigid state. Jet fuel also contains some amount of water, and at very low temperatures it will freeze. Icing may not have been an immediate issue here, but rather a contributory one, like paraffin waxing, to the clogging of sensor points/connections. This is particularly relevant to the Full Authority Digital Engine Control (FADEC), which metered fuel to the airplane’s Rolls Royce Trent engines. FADECs use reference air and fuel pressures to perform their function; loss of those due to ice obstruction or clogging from waxing can lead to the FADEC’s logic becoming confused or unresponsive. Indeed, both FADECs could be affected almost simultaneously by dint of exposure to an identical environment.
Add in a second factor: Heathrow has adopted a new air traffic control procedure known as the Continuous Descent Approach (CDA). The procedure is more fuel efficient than the traditional step-down approach, and basically the engines are at idle power. During aircraft operation, fuel is withdrawn from the fuel tanks and passed to a filter at the inlet to the engine fuel system. To prevent blocking of the filter due to formation of wax or ice in the fuel, a heat exchanger warms the fuel upstream of the filter. Such heat exchangers use hot air bleed from the engine compressor or heat from engine or hydraulic oil. Of note, the times when the greatest heating is required are often those times when the engine is not operating at maximum, for example, during a lengthy descent at idle from high altitude.
With ultra-cold en route temperatures inducing clumps of paraffin or ice, and a cool engine during descent at flight idle, perhaps the stage was set. Any blockages occurring at different times during the descent, and the simultaneity of the thrust loss, would have been seen only when (and because) the auto-throttle called for a thrust increment on finals after gear and flap extension. There is an account that the aircraft did not hold during the approach, which would tend to support the low-power, low-temperature scenario.
In a preliminary report of 23 January, Britain’s Air Accidents Investigation Branch (AAIB), which is conducting an inquiry into the accident, reported as follows:
“Whilst the aircraft was stabilized on an ILS approach with the autopilot engaged, the auto thrust system commanded an increase in thrust from both engines. The engines both initially responded but after about three seconds the thrust of the right engine reduced. Some eight seconds later the thrust reduced on the left engine to a similar level. The engines did not shut down and both engines continued to produce thrust at an engine speed above flight idle, but less than the commanded thrust.”
As Captain Burkill reportedly told an AAIB investigator, there wasn’t power when he needed it. With landing gear and flaps down, an increase in engine thrust was needed to counter the extra drag. Given the super-cold temperatures in the dead of winter, and the prolonged CDA glidepath, the first time after the beginning of descent that a significant amount of fuel flow was called for may have been at or below 1,000 feet. One suspects also that it was only when symmetrical power was demanded by the autothrottle that the “frozen” thrust became apparent. (See Figures D & E)
Figure D: The left engine of the B777. Damage to blades indicates that the engine was producing some rotation when it hit the dirt short of runway 27L at Heathrow.
Figure E: The right engine of the B777. The fan blades appear relatively undamaged, supporting the theory of some that the engine flamed out due to a starboard fuel tank port being uncovered due to low fuel state as the airplane made the turn onto finals for runway 27L. However, the AAIB reports, “Recorded data indicates that an adequate fuel quantity was on board the aircraft.”
As contributing editor John Sampson remarked, “It’s shades of the previous GE90 ‘rollback’ and in-flight shutdowns from earlier days. The only difference was in those cases it was in cruise and was caused by entrained moisture freezing in the air reference lines to the FADEC. However, it was allegedly resolved by increasing the tubing diameters.”
Sampson was referring to an airworthiness directive (AD 99-27-15) issued 6 January 2000 by the U.S. Federal Aviation Administration (FAA) on the GE90 turbofan engines that power American-registered B777s (but not the British Airways B777s, which are powered by Rolls Royce Trent engines).
Among other actions, the AD called for periodic inspection of the FADEC sensing port and fittings for nicks, burrs and scratches which could cause moisture to not be purged from the lines. From relevant sections of the AD:
“The FAA has received seven reports of loss of thrust control (LOTC) … Five LOTC events occurred in-flight and two occurred on the ground. The five in-flight LOTC events were temporary in that the engine recovered and continued to operate normally for the remainder of the flight. …
“Investigation revealed that water can accumulate in the Ps3 and P3B pressure sensing system, which can freeze in the full authority digital engine control’s (FADEC) sensing ports or pressure line. Frozen water can result in a restriction or blocked signal to the FADEC. This blocked signal can cause a corruption of the FADEC signal and result in … lack of engine response to commanded thrust levels in flight. …
“This condition, if not corrected, could result in LOTC due to blockage of the FADEC sense lines which, if it occurs in a critical phase of flight, could result in loss of aircraft control.
“The FAA is especially concerned about the possibility of simultaneous LOTC on both engines installed on the Boeing 777 series aircraft due to common mode threats, such as certain atmospheric conditions that may result in ice in the Ps3 or P3B pressure sensing system and causing corrupted signals to the FADEC in both engines.”
While the AD did not apply to the Rolls Royce Trent engines, they may be vulnerable to similar failures. The Rolls Royce engines have a FADEC and similar sensing ports. As one commentator observed, “Just because the FAA didn’t put out an all points bulletin on the Trent engine doesn’t mean they’re infallible to the same control/FADEC issues! It just meant they hadn’t dealt with them at that time.”
The other possibility meriting exploration is that a passenger sitting in the middle of the cabin switched on his unprotected, non-European Union compliant Chinese mobile phone shortly before touchdown, and the transmission from the phone interfered with both FADECs. This is not as likely as a compromised pressure sensing system, but bears consideration nonetheless.
Be that as it may, on 23 January 2008 the FAA published AD 2008-02-05 addressing the Rolls Royce RB211-Trent engine on the B777, indicating, “We are issuing this AD to prevent internal engine damage due to ice accumulation and shedding, which could cause a shutdown of both engines, and result in a forced landing of the airplane.”
This AD does not address the sensing ports of the FADEC, but rather ice accumulation and damage in the engine core, but an AD targeted at the FADEC cannot be far behind.
There are rumors circulating about a Service Bulletin having been recently issued that addresses extreme cold weather cruise operations, and another claim that the FADEC software had had an update program patch applied very recently. While these assertions cannot be validated or verified, they tend to highlight a disturbing aspect of software patching, updating or release of a new version. While great attention is paid to the failure of borescoping, or the potential for making the same error by carrying out maintenance simultaneously on both engines of an ETOPS (extended range twin-engine operations) airplane, it is believed that software patching is done to both engines’ computerized subsystems without any such caveat. It could be ironic if any such flawed patch could bring about a BA038 scenario without ever having been seen during program testing.
All this AD activity related to the icing vulnerabilities of B777 engines raises a disturbing question: why wasn’t the vulnerability to cold temperatures uncovered during certification of the B777? If not then, it also didn’t get addressed when the B777 was approved for polar routes a few years ago. Some wit will doubtless say, “That’s why you carry out ‘proving flights.’ ” But then the question becomes, “What are you proving if one day it transpires that an extended cruise within a mass of super-cold air can create a hitherto unknown problem?”
The ADs are being issued after the so-called frozen horse has escaped out the ETOPS barn door. The AAIB is some months away from issuing a final report on the BA038 accident, but standards certifying an airplane/engine combination for sustained cold-soak operations in very cold upper air transits, and crew actions in those conditions, will surely be a matter of discussion.
Figure F: One of the main landing gear bogies swung around at impact and pushed slightly into the cabin, as shown here. The other bogie reportedly punctured the empty center wing tank, leaving a 1-by-2-foot hole. A passenger with a broken leg was sitting next to the point where the right main landing gear punctured the fuselage and pushed into the cabin. Descent at impact is estimated at 30 ft/sec. Dynamic seat requirements that became effective when the B777 was introduced require seats to protect occupants for a hard landing impact up to 35 ft/sec.