Ever since Malaysia Airlines MH370 disappeared there has been much speculation in the media and across the web about what may have happened. Unfortunately, the somewhat spasmodic release of official information, together with too many reports citing anonymous sources, has blurred the true picture.
Malaysian sources were saying early on that MH370 had likely crashed at the point where ADS-B (automatic dependent surveillance-broadcast) had last broadcast the plane's position. Based on the available information, I assumed that a catastrophic event had occurred, with the most likely candidate being a failed wing repair. I was wrong.
Based on reports that MH370 was last seen by radar heading west, I closely examined several contemporaneous satellite images for contrails. I found one in the right place and in the right time-slot. Later official announcements prove that, yet again, I was wrong.
I have held off writing about the lost plane again until I had a better chance to distinguish fact from fiction in the various reports and theories cropping up across the planet.
Accident or malice?
No investigating agency has reported any 'red flag' information. Despite a complete lack of evidence to show that the plane was diverted out of malice, rumors abound blaming the crew. Most commonly it is said that either the pilot/s deliberately flew the best course to avoid radar or else they programmed such a course into the automatic navigation system. The idea of that course being set for a non-malicious motive seems never to have been addressed.
I present here a plausible explanation for why a pilot would carry out such a seemingly bizarre series of actions. The theory is strongly grounded in physics and in the evidence of an official accident investigation report1 on electrical fires in various Boeing 777s. The theory is easy to understand: the crew were not seeking to avoid radar - they were seeking to avoid as far as is humanly possible the prospect of their aircraft - which they believed to be on fire - crashing into a populated area or another plane while they attempted to sort out the problem and perhaps dump fuel over the sea.
Before I go into the safety and engineering aspects of those electrical failures and fires it may help my readers to know something about the physics of fire. Knowledge of the physics is essential to the understanding of a self-extinguishing electrical fire, as against the far more common self-sustaining fire. A fire of the latter type will usually be catastrophic on a plane, whereas a self-extinguishing fire is highly likely to leave a 777 capable of being flown under control.
The fire triangle
A fire can only happen if three conditions are fulfilled: there must be a fuel, sufficient heat to raise the fuel to its ignition temperature and oxygen. Absent any one of those essentials and there can be no fire or such fire as exists will be extinguished. The three essential components of fire are commonly known as the fire triangle.
The fire triangle.
For a fire to be self-sustaining, three conditions must be met. The rate of heat input must be equal to or greater than the heat loss. The rate of oxygen input must be greater than or equal to the rate of oxidation. There must be adequate unburned combustible material or a sustained fuel source. Cooling, smothering or fuel starvation or some combination of those three will extinguish the fire. It is common in the event of an electrical fire that - if the fire does not spread to combustible materials - the fire will self-extinguish. The primary factors leading to self-extinguishing are loss of electric power which removes the heat source, and natural cooling by air convection. Use of materials which self-extinguish or which are not readily pyrolized increases the chance that any fire which results from an electrical fault will rapidly self-extinguish once power is removed.
The fire on N786UA at London Heathrow Airport self-extinguished. There were electrical faults and smoke just after engine start and the plane was evacuated without incident but when fire services checked the plane there was no fire. Other similar 777 electrical faults occurred both before and after the N786UA incident. None has caused a self-sustaining fire. Images below, from the N786UA incident report, show damage to 777 power systems components typical of a major electrical fault.
May 2006 aircraft PH-BQD and August 2006 aircraft A6-EBF
December 2004 aircraft 9V-SVO, a Boeing 777-200ER
Aviate, Navigate, Communicate.
Let's jump ahead a little way. Assume for now that there was an electrical fire on MH370 with multiple fault indications. There is a widely-known (and followed) rule of aviation which prioritizes tasks in an emergency for the best possible outcome - aviate, navigate, communicate. There is a lesser-known rule which takes priority over those rules - sterilize.
Aviate
A sterile cockpit is one in which the aircrew can aviate without being distracted and are not in danger of being distracted by cabin staff. A sterile cockpit is normal during take-off and landing. It is also highly desirable when the flight crew are dealing with an emergency. It is achieved at the flick of a switch as the cockpit door is locked against entry even by the cabin crew. The flight crew's deadbolt over-rides the key or keypad entry which is normally available to cabin crew.
Flight deck door
What would a very experienced and conscientious 777 pilot do in the event of fire? At the first notice of smoke or fire he would start a procedure intended to take him safely to an airport. He starts his turn. He may want to dump fuel. Fuel dumping is best done over water, but his plane is already lined up to cross land.
Navigate
The pilot leaves the flying to the autopilot so that he can focus on checklists which will help determine what best to do about the fire. In order to best leave control to the autopilot he 'navigates' only by entering into a keypad some few waypoints which will keep the plane over water with a view to dumping fuel, having crossed the land at a fairly high speed. The entry of waypoints can be done very swiftly by a pilot who knows his plane and his home area of operations. He is also concerned not to add to the potential loss of life if his plane - which he believes to be on fire - should crash into a populated area. This is another reason he would want to stay over water. In the particular circumstances it makes perfect sense to set waypoints which will keep him over water but roughly parallel to land. As a last resort, a really serious fire might be more survivable by ditching near land.
Communicate
This is impossible if, due to severe electrical failure, no radio can be operated. It is possible that that all radios were soon out of action except for the satcom modem. Note that a modem and ACARS (Aircraft Communications Addressing and Reporting System) are two entirely different things. Not ACARS but the modem, powered by the 28V DC bus, would continue to 'ping' on demand or on reset as a dumb modem but due to other, remote electrical failures the modem would have no data to transmit. There is an 'ident' button which a pilot can use to make his squawk code stand out briefly on an ATC display. Unfortunately, even if it remained operational for a while, the squawk only works within radar range and it appears that the problem which triggered the turnback happened by chance after hand-off from Malaysian ATC and beyond radar range.
A self-extinguishing fire on a 777
The majority of materials likely to show flame or smoke in the event of an electrical fire on a plane are self-extinguishing. Once a hot cable or assembly ceases to pass current for whatever reason it starts to cool down. Smouldering materials are now no longer being held at a high enough temperature to burn. The fire goes out.
The fire on Boeing 777-222, registration N786UA did exactly that. By the time the firefighters accessed the equipment bay there was no fire. There were, however, smoke and fumes and the fire left quite a mess.
Electronics bay damage.
The report into the fire goes into very great detail and lists other incidents involving electrical fires on 777s.
The investigation identified the following causal factors:
1. An internal failure of the Right Generator Circuit Breaker or Right Bus Tie Breaker contactor on the P200 power panel inside the Main Equipment Centre resulted in severe internal arcing and short-circuits which melted the contactor casings. The root cause of contactor failure could not be determined.
2. The open base of the P200 power panel allowed molten metal droplets from the failed contactors to drop down onto the insulation blankets and ignite them.
3. The aircraft’s electrical protection system was not designed to detect and rapidly remove power from a contactor suffering from severe internal arcing and short-circuits.
4. The contactors had internal design features that probably contributed to the uncontained failures.
Note that although action was taken to reduce the probability of another such failure, as noted in para.1 - the root cause of contactor failure could not be determined.
We know that Captain Zaharie Ahmad Shah was extremely enthusiastic about flying. It is reasonable to expect that he knew about the contactor incidents. If there was a fire on board he would have known the need to plan to land.
Airborne toxins from an electrical fire come in 5 forms: gas, vapor, mist, fume, particulates. The survival of persons exposed to some or all of these toxins depends on toxin density, altitude - which affects partial pressures - the severity and duration of the fire, and the availability and duration of an oxygen supply.
It is possible that the aircrew of MH370, believing they faced a catastrophic fire scenario, set waypoints and left the plane to fly itself along a safe path while they did everything humanly possible to solve the problem. Unfortunately they succumbed to toxins and/or hypoxic hypoxia. Despite major electrical power losses the DC powered triple-triple redundant2 flight control computer system can still fly the plane.
The wrong test
Any breaker which is likely to combine or separate two independent sources of AC power - whether by design or by accident - must be tested as a bus breaker, not as a load switch.
Various modifications were made to the breakers and they were tested under excess loads and fault conditions. It was determined that they now complied with safety standards.
The contactors were not tested under out-of-phase bus-coupling conditions.
A power source contact pair can only be subjected to a maximum current limited by the source impedance and by the downstream short circuit path total resistance.
The heating effect in Watts at a contact pair face is given by I2R. The current I is set by the Volts across the contact resistance R according to Ohm's law. If two 110V AC power sources in antiphase are coupled by a 110V contactor then the immediate voltage across the resistance is 220V r.m.s. That is 311 Volts peak. The heat dissipated in this fault condition is significantly greater than for a simple short circuit. If a contactor rated for use on 110V is likely to be subjected to a cross-phase fault condition it must be derated.
Synchronization
In normal engineering practice a pair of generators is only linked when they are synchronized - matched in frequency and phase. Ideally the contactors should close at, or close to, the zero-crossing point of the pair of generators.
Boeing 777s use 400Hz AC. Electromechanical relays cannot operate fast enough to open or close only at or near a zero crossing. In the 777 a contactor can be subjected to a cross-phase fault for a few milliseconds.
If two AC power sources are linked without regard to phase then they will rapidly self-synchronize in the manner of a Kuramoto model. However, the contact resistance forms part of the load until synchronization is achieved.
There are over 1000 777s still flying.
I hope I am wrong about these contactors being a potential problem.
--------------------------------------------------------------------------------
I hope to find time to write more on this topic. In the meanwhile I will try my best to respond to questions.
Footnotes
1 - Report No: 2/2009. Report on the accident to Boeing 777-222, registration N786UA at London Heathrow Airport on 26 February 2007 web site aaib.gov.uk pdf document
2 - Triple-Triple Redundant 777 Primary Flight Computer
Y.C. Yeh, Boeing.
A great amount of useful data came from Boeing documents kindly made available to the public by smartcockpit.com
Comments