Scavenged ice theory

Fri, Feb 29, 2008 — David Evans


What follows relates to the British Airways B777 crash 17 January 2008 at London’s Heathrow Airport (see Aviation Safety & Security Digest, ‘Crash May Stem From Sustained Exposure to Extreme Cold Weather,’ home page).

Because the B777-200ER, the model of airplane involved, has a large center wing tank with relatively flat surface areas, it should not be surprising that it can contain more water below the threshold at which that fluid can be detected. This is not the case for a standard B777-200, which has smaller center tanks near the left and right wing root only, not in the fuselage/wing center section as in the 200ER model. This design difference may be key to the accident, as water or wax from the fuel (which precipitates out under extremely cold conditions) in the larger ER tank can play all kinds of mischief, and could cause the sort of power loss seen in the accident at the last minute during the approach and descent at Heathrow. Thawed ice, suddenly pulled from the center tank to the wing tanks, could have displaced fuel and caused the power loss that triggered the aircraft’s stall and crash.

Much remains to be analyzed by investigators, but they have issued a special bulletin based on the widespread interest in the crash. Herewith, extracts from the bulletin plus three comments:

From Air Accidents Investigation Branch Special Bulletin S1/2008 of February 2008 (extracts):

“Because of the interest within the aviation industry, and amongst the traveling public, it is considered appropriate to disseminate the results of the initial investigation as soon as possible.

“At 1,000 ft the aircraft was fully configured for the landing, with the landing gear down and flap 30 selected. The total fuel on board was indicating 10,500 kg [23,149 gal], which was distributed almost equally between the left and right main fuel tanks, with a minor imbalance of about 300 kg [660 gal]. The fuel crossfeed valves indicated that they were closed and they had not been operated during the flight.

The first officer took control for the landing at a height of approximately 780 ft, in accordance with the briefed procedure, and shortly afterwards the autothrottles commanded an increase in thrust from both engine. The engines initially responded but, at a height of about 720 ft, the thrust of the right engine reduced. Some seven seconds later, the thrust reduced on the left engine to a similar level. The engines did not shut down and both engines continued to produce thrust at an engine speed above flight idle, but less than the commanded thrust.

“The engines failed to respond to further demands for increased thrust from the autothrottles, and subsequent movement of the thrust levers fully forward by the flight crew. The airspeed reduced as the autopilot attempted to maintain the ILS [instrument landing system] glide slope and by 200 ft the airspeed had reduced to about 108 kt. The autopilot disconnected at approximately 175 ft, the aircraft descended rapidly and its landing gear made contact with the ground some 1,000 ft short of the paved runway surface just inside the airfield boundary fence (see illustration below).


“During the impact and short ground roll the nose gear collapsed, the right main landing gear separated from the aircraft and the left main landing gear was pushed up through the wing.



Inside and outside view of damage caused by the compression and loss of the right main landing gear.

“The aircraft came to rest on the paved surface in the undershoot area of Runway 27L. …


“The lowest TAT [total air temperature] recorded during the flight was -45˚C [-49˚F], and the minimum recorded fuel temperature was -34˚C [-29˚F]. The fuel temperature in flight must not reduce to a temperature colder than at least 3˚C [37˚F] above the fuel freezing point of the fuel being used. The specified freezing point for Jet A-1 fuel is -47˚C [-52.6˚F]; analysis of fuel samples taken after the accident showed that the fuel onboard the aircraft had an actual freezing point of -57˚C [-70.6˚F] ….

“At the point when the right engine began to lose thrust the data indicated that the right engine EEC [electronic engine controller] responded correctly to a reduction in fuel flow to the right engine, followed by a similar response from the left EEC when fuel flow to the left engine diminished. Data also revealed that the fuel metering valves on both engines correctly moved to the fully open position to schedule an increase in fuel flow. …

“The evacuation checklist for the Boeing 777, issued by Boeing, shows operation of the fuel control switches to cut-off prior to operation of the fire handles. This sequence allows for both CLOSE paths to the spar valve to be exploited and increases the likelihood that the spar valves close before electrical power to the spar valves is isolated. However, if the fire handle is operated first, then only a single path is available.

“The operator’s evacuation checklist, for which Boeing has raised no technical objection, required the commander to operate the fuel control switches whilst the first officer operated the fire handle. This was in order to reduce the time require to action the checklist. These actions were carried out independently, with no measure in place to ensure the correct sequencing. The evacuation drill was placarded on the face of the control column, directly in front of each pilot.

“An evacuation checklist with the division of independent tasks between the crew leaves a possibility that the fire handles could be operated before the fuel control switches which, with fire handle to spar valve wire damage, could leave the engine fuel spar shut-off valves in an OPEN position. This occurred in this accident, and resulted in loss of fuel from the aircraft. This was not causal to the accident but could have had serious consequences in the event of a fire during the evacuation. It is therefore recommended that:

Safety Recommendation 2008-009

Boeing should notify all Boeing 777 operators of the necessity to operate the fuel control switch to cut-off prior to operation of the fire handle, for both the fire drill and the evacuation drill, and ensure that all versions of its checklists, including electronic and placarded versions of the drill, are consistent with this procedure.

“Boeing has accepted this recommendation.”

Crash cause theory #1 (from a former FAA official):

“The bulletin indicates that British airways pilots do not follow Boeing checklists – a dangerous practice. I could be wrong, but I’ll continue to stand on the theory that the aircraft’s fuel state was so low that the wing tank fuel pumps were sucking some air during the nose high attitude that’s required during final landing approaches. Air passing through the fuel pumps overheated them, causing the damage that has been found.” [Comment: the problem with this scenario is that a nose high attitude is involved in virtually every landing.]

Crash cause theory #2 (from the UK-based Private Eye Magazine, ‘A Software Triple Whammy,’ February issue, extracts):

“Why both engines should fail to respond to demands from the ‘auto throttle’ and then from the two pilots is not yet known, but investigators are looking closely at the craft’s computer systems. And so they should; aircraft and computer experts warned long ago of a potentially dangerous flaw in the software driving the [aircraft’s] three primary flight computers (PFCs).

“Until the revolutionary 777 (dubbed the ‘computer with wings’), every passenger jet had a failsafe ‘triplex’ system of PFCs – three computers from three different companies with three different teams writing the software. One computer would fly the aircraft, one would monitor and take over if a problem occurred and the third would be in reserve. A mistake in one was very unlikely to be in the second and even more unlikely in the third. …

“So it was – at first – with the 777. Boeing took its proposals for a triplex PFC to the Federal Aviation Administration (FAA) which gave approval. …According to Boeing … ‘It became apparent that the three separate teams were having to ask Boeing so many questions for clarification that the independence of the three teams was irreparably compromised.’

“So instead of hiring new teams, which would have delayed the project … the three teams became one. Triplex was forgotten.

“The result was 132,000 lines of software code, unprecedented in aviation history, which, it seems, could not be independently checked. The then chairman of the British Computer Society’s safety critical systems task force, Professor Brian Wichmann, told Computer Weekly magazine (which revealed the potential flaw back in 1995) that ‘more than 20,000 lines of code are too complex to test’ … If a bug or glitch caused a failure during a take off or landing, the plane could crash before the pilot had time to react.

“But the system was approved, not by the FAA or the British Civil Aviation Authority (CAA), but by the European Joint Airworthiness Authorities (JAA) … by just three JAA specialists.

“As the certifying authority in America, the FAA asked for more comprehensive software audits, but then accepted Boeing’s argument that the lines of code had already been tested and verified so extensively that any potential for error had been ruled out. …

“Air accident investigators say that they are focusing on a more detailed analysis of the flight recorder information and examining systems modules and equipment that could influence engine operation.” [Comment: software has not been ruled out by the AAIB, based on an FAA letter of 29 January 2008.]Reportedly, the aircraft had received a software update two days before the accident.]

Crash cause theory #3 (from a contributing editor):


Layout of the fuel tanks. The fuel in the center wing tank must be pumped first to the wing tanks in order to be used by the engines. It is a zero fuel weight consideration to utilize wing fuel last. A tank plumbing schematic for a B777-200ER center tank may be seen at

“The center wing tank holds 176,400 lbs (26,100 gals) of fuel. That fuel may occasionally be contaminated by water. Water detectors in the tank will trigger an EICAS (Engine Indication and Crew Alert System) message when there is approximately 138 gallons in the center wing tank.

“The engines are fed by pumps in the wing tanks. Fuel leaves the center wing tank via two pumps (left and right). Due to a slight nose-high attitude during cruise, these pumps become uncovered and stop feeding with roughly 900 kgs remaining in the tank (1,980 lbs, or roughly 260 gals).

“The 900 kgs remains in the center tank until the wing tanks drop below a certain figure, at which point jet pumps remove the liquid from the center fuel tank and pump it into the wing tanks. No annunciations are given on the EICAS of the commencement or completion of this operation. Many ‘maintenance’ messages are available to pilots only if they call up [electronic] pages that they wouldn’t normally consult or display in flight.

“Let us assume for a moment that the EICAS message was correct, since it was flagged up on the last two sectors flown by this aircraft. My thought is that with 138 gallons settled at the back of the center tank (cruise altitude) the water would have remained there when the center tank stopped feeding with 900 kgs still in the tank.

“Perhaps the 138 gallons of water, sitting at the back of the tank, had frozen. Normally, it would have thawed and the jet pumps would have picked it up. But (and it is a big but) the AAIB bulletin suggests the temperatures in Beijing were around -7˚C (on the ground), so there would have been no melting of any ice prior to arriving at Beijing. Hence, it may still have remained ‘detector dormant’ in the center tank in the form of a sheet of ice.

“After refueling, the maintenance message re-occurred regarding the 138 gallons of water. Even with the introduction of slightly ‘warmer’ fuel during refueling, the 138 gallons of water could have remained frozen at the tank bottom (from whence it is ‘sumped’ or drained – but only if in liquid form), and perhaps it re-froze during the return flight to London. So on its two prior sorties there were water warnings, but these reportedly ‘self-cleared.’ The cynics among us would snigger at the optimistic hypothesis of innocently accepting self-healing maladies.

“The water in the tank would have remained frozen until descending into the warmer air mass around the UK. With the attitude during the descent and initial approach being only slightly nose down (even during the brief hold prior to being cleared for its approach), the first time the jet pumps may have been able to pick up this water, some of that 138 gallons, was during gear and flap extension prior to speed reduction on assuming the ILS glide path (the perfect continuous descent) when the airplane attitude became, even momentarily, slightly more nose-down.

“Experts in the layout of the pickup points of the center tank jet pumps might enlighten us as to whether a thawed amount of water in the center tank could have been transferred to, and then picked up, by the wing booster pumps (or sucked through by each engine’s high pressure pumps) before feeding it into the associated engine before the aircraft attitude became increasingly ‘nose-up’ during the final approach.”

There are further supporting factors for this momentarily induced water-slug theory. The center tank fuel cannot gravity transfer to the wings, and supposedly the pilots manually isolate the center-section tank’s transfer pumps once they have passed its contents to the wings in cruise. But we are also informed by the AAIB that:

“The engine fuel feed line is split into two, i.e., left and right. These are connected by crossfeed valves, two in parallel, normally closed. There are two CWT [center wing tank] boost pumps. They feed into this line, one each side of the crossfeed valves. These pumps have a higher supply of pressure than the wing tank boost pumps and so are the preferred supplier of engine fuel when they are running.” [Italics added]

This system of fuel supply is normal in twin engine aircraft. The B737, B757 and B767 are basically identical. The Airbus A320 is nearly the same. Also from the AAIB bulletin: “On examination, both of the engine spar valves were found to be OPEN, allowing the fuel leak evident at the accident site.”

Perhaps this statement could help advance the theories involving water in the fuel, as it may help to explain how the fuel system was “purged” of water.

What prevents the center wing tank pumps from restarting due to the aircraft attitude change once they have shut down due to the 900 kg limit being reached? Presumably, the answer is nothing – ice melts and water covers the tank outlets during an attitude change. In which case, a “slug” of contaminated fuel could be sent down the lines, impacting both engines at a critical time, the slight time disparity being due to small differences in the left and right side installation of pickups, etc. The fuel in the center wing tank is common to both engines.

All that needs to be shown is that this fuel was contaminated by high water content. Since the water scavenge pumps presumably shut down with the boost pumps, water would have separated out and may well have been liquid due to the heat from the ambient air as the aircraft descended, heat from air conditioning packs may have played a role, too, and of course there is a much reduced volume of fuel left in the tank. Evidence of such an event may have been removed by a further attitude change, causing the center wing tank pumps to shut down again and purge “good” fuel through the lines from the wing tanks – but too late to save the day.

Looking at the center tank components that control the automatic transfer of fuel and pump inhibiting due to low pressure/contents, etc., it may be useful to explore what components in the center tank could conceivably be prevented from operating (and possibly also from supplying warnings or inhibiting transfer by switching off pumps, closing valves, and so forth) through being iced up or iced over? The thinking here is of float switches, flow switches, pressure switches or any combination of intermediate transducers or relays that could become iced – and later thaw, creating the “on approach” situation of induced water-contaminated fuel supply.

Center section tank-mounted components that are low in the tank and would be covered by sheet ice are possible candidates, but also some components may have a lower non-functioning temperature trigger threshold that has so far not shown up. Electronics can be prone to hibernation at extremely low temperatures and many components have small moving parts that can be prone to immobilization due to freezing or ice-over.

The “migrating” water in the center fuel tank theory accords with what is known about the aircraft history, its final flight, its lengthy exposure to extremely cold en route temperatures, and the dynamics of the continuous descent profile. Whether this is the cause ultimately determined by the AAIB remains to be seen, but it is fair to guess that investigators are looking at how often the “water in tank” maintenance message has occurred on other aircraft. g

Comments are closed.

Nolan Law Group