National Aeronautics and Space Administration
SYSTEM FAILURE CASE STUDIES
J
anuary 2011 Volume 5 Issue 1
Fire in the Sky
Trans World Airlines (TWA) ight 800 was only twelve minutes into
a July 19, 1996 trip from New York to Paris when an in-ight explo-
sion destroyed the passenger jet, plunging it into the Atlantic with
230 people on board. The aircraft was climbing south of the Long
Island coast near East Moriches, New York when suddenly, portions
of the Boeing 747-131 fuselage beneath the center wing fuel tank
began to separate from the rest of the aircraft. This led to the loss of
the entire forward fuselage. Investigators labored over 15 months to
recover more than 300 tons of debris and to separate material of the
Boeing from earlier boat and aircraft accidents; the subsequent Na-
tional Transportation Safety Board (NTSB) investigation required
over four years. Eventually, NTSB concluded that an explosion in
the center wing fuel tank separated the fuselage (Figure 1), causing
the passenger jet to crash into the ocean.
What happened
In-Flight Breakup
O
n July 17, 1996, a Boeing 747-131 arrived at John F. Ken-
nedy International Airport from Athens, Greece. When it
taxied to the gate at approximately 4:30 pm EST, it was
hot. Temperatures on the ground exceeded 80°F. The airplane’s next
ight as TWA 800 was not scheduled to depart until 7:00 pm, so to
keep the cabin interior cool, aircraft operators left two of the three
air-conditioning packs running for about 2 ½ hours.
Flight 800 was destined for Paris, France, and because the distance
from New York to Paris did not require additional fuel, the center
wing fuel tank (CWT) only contained a relatively small amount of
fuel that remained from the inbound ight. After the 230 passengers
and crewmembers boarded, they waited through an hour-long delay
when a disabled ground service vehicle blocked the airplane at the
gate. At 8:19 pm, TWA 800 departed JFK.
The aircraft reached its assigned altitude of 13,000 feet without in-
cident, but at 8:29 pm, the cockpit voice recorder (CVR) recorded
the captain saying, “look at that crazy fuel ow indicator there on
number four…see that?” Immediately following this comment, the
pilots received air trafc control instructions to climb to 15,000 feet.
At 8:30, the CVR recorded the captain ordering, “Climb thrust.” The
ight engineer replied, “Power’s set.” Then at 8:31, as the 747 ap-
proached 14,000 feet, the CVR recorded interruptions in the back-
ground electrical noise, a “very loud sound,” and an unintelligible
word. The CVR and ight data recordings then terminated abruptly.
At the time, the aircraft had been ying in clear weather over the
ocean near East Moriches, New York. Witnesses near the area re-
ported seeing an explosion in the sky and a reball over the ocean.
Debris rained into the water and spread across a four-mile radius.
Figure 1: The reconstructed fuselage of TWA 800
The widespread distribution of wreckage and eyewitness observa-
tions were the rst indications that TWA 800 had experienced a sud-
den and catastrophic in-ight structural failure. It had been airborne
for only 12 minutes.
Search and salvage
Following a fruitless search for survivors, a ten-month recovery ef-
fort by multiple agencies and companies found three debris elds,
called red, yellow, and green (Figure 2). Within the rst weeks, in-
vestigators found initial evidence of an explosive event in a fuel
tank. Aircraft, re, and explosive experts from the NTSB, DoD, FBI,
ATF, FAA, and other parties associated with the investigation exam-
ined each recovered piece (over 95% of the aircraft) for evidence of
bomb, missile or high-order explosive characteristics. They found
no such evidence, and 18 months after the crash, the FBI ofcially
terminated its criminal investigation. The safety investigation con-
tinued for nearly three more years.
Trans World Airlines Flight 800
Crashes, Killing 230.
Proximate Causes:
• Short circuit in wiring external to fuel tank allows
excess charge to enter center fuel tank.
• Latent fault inside center fuel tank allows electric
arc to ignite vapors inside fuel tank.
Underlying Issues:
• Flawed Assumptions
• Aging Equipment
• Preexisting Failures
Figure 2: Red, Yellow, and Green Debris Fields
Fuel System
The Boeing 747-100 series uses Jet-A fuel from seven fuel tanks.
Each wing contains three tanks. The lower fuselage holds a sev-
enth tank, known as the center wing fuel tank (Figure 4). The CWT
has a fuel capacity of 86,363 pounds, but whenever the six wing
tanks hold sufcient fuel for a ight, the CWT only contains fuel
remaining from the last ight, providing optimal spanwise wing
load distribution. Ground crew personnel measured approximately
300 (about 50 gallons) pounds of fuel in the CWT prior to Flight
800’s nal takeoff. Under such conditions, the CWT ullage – the
unlled portion of the tank above the surface of the fuel – contains
a mixture of fuel molecules and air whose combustibility depends
upon its fuel-air ratio, temperature, and pressure. The aircraft’s three
air-conditioning packs, which could radiate heat at up to 350 de-
grees F, rested in an uninsulated, unvented compartment just inches
beneath the CWT’s aluminum oor. The tank and ullage absorbed
heat from the packs for 2 ½ hours on the ground. Testing found that a
near-empty center tank heats quickly, speeding fuel evaporation and
increasing the ammability of the ullage. Additionally, increasing
altitude as the airplane climbed lowered the air pressure, reducing
the temperature needed to ignite the fuel/air mixture. (Figure 3 il-
lustrates the ammability envelope for Jet-A fuel.)
Fuel System Wiring
The Fuel Quantity Indication System (FQIS) includes probes and
compensators connected in series inside each fuel tank. The system
measures capacitance values inside each tank and uses those values
to calculate the total amount of fuel on the aircraft. Wiring within the
fuel tanks is silver-plated copper that is insulated with Teon. Wires
routed between the tank entrance and the ight deck were insulated
with an aromatic polyimide, known as Poly-X (BMS13-42A). The
CWT also contained a junction block for wiring routed to each of
the other fuel tanks.
The minimum ignition energy for hydrocarbon fuels is 0.25 mil-
lijoules
(mJ). To keep the vapor in the tank from igniting, the power
supplied to FQIS wiring was intended to have a limit of 0.02 mJ,
which would be extremely low when compared to other B-747 sys-
tems. The FQIS wiring runs from the fuel tanks to the ight deck
along raceways shared with wiring from other systems such as the
cockpit voice recorder (CVR), fuel ow meter, and cabin lights.
Such circuits carry much higher voltages and energies than allowed
in the FQIS. For example, some cabin lights operate at up to 350
VAC at 400 hertz. FQIS wires co-routed with these other wires in
large bundles were found tightly bound together, so that a chafe or
cut could affect more than one wire (see Figure 4).
probable Cause
After an exhaustive investigation, the NTSB determined that “the
probable cause of the TWA ight 800 accident was an explosion
of the center wing fuel tank, resulting from ignition of the am-
mable fuel/air mixture in the tank.” The source of ignition energy
for the explosion could not be determined with certainty, but, of the
sources evaluated by the investigation, the most likely was a short
circuit outside of the CWT that allowed excessive voltage to enter
it through electrical wiring associated with the fuel quantity indica-
tion system. Contributing to the accident was a design and certi-
cation concept that fuel tank explosions could be prevented solely
by precluding all ignition sources. The design and certication of
the Boeing 747 with heat sources located beneath the CWT without
means to reduce the heat transferred into the CWT or to render the
fuel vapor in the tank nonammable also contributed to the accident.
Because FQIS wires are the only wires to enter the CWT and be-
cause they are co-routed within wire bundles containing circuitry
from higher-voltage systems, investigators theorized that a high-
voltage circuit contacted FQIS wires due to chafed, frayed, or other-
wise damaged conditions. Once this higher voltage passed through
FQIS wires to the FQIS probes inside the CWT, a latent fault on the
probes, such as silver sulde deposits, may have caused an electrical
arc and subsequent tank explosion.
The CVR had recorded dropouts in the background electrical noise
immediately preceding the explosion, which were indications that a
short circuit had been affecting the energy in the electrical system
intermittently. Further, the captain’s comment concerning unusual
behavior of the #4 engine fuel ow meter led investigators to focus
on the wire routes used for the fuel ow meter system. Since wires
for the fuel ow meters share a bundle with FQIS wires, NTSB
theorized the captain’s “crazy fuel ow” observation might actually
have been a short circuit from the fuel ow meter wire to the FQIS
The red and green lines superimposed upon the graph represent hypothetical ight
proles of an essentially empty CWT (red) and 6 full wing tanks (green). Because
the temperature of the wing tanks is dictated by the temperature of the fuel, the
wing tanks spend most of a typical ight outside the ammability zone since the
fuel is relatively cool. The CWT, on the other hand, spends a substantial portion
of the ight within the ammability zone. This is due in part to its proximity to air-
conditioning packs, which thermally inuence the CWT.
Figure 3: Flammability envelope for Jet A
fuel. To the left of the blue line, the vapor
is too lean to support combustion. To the
right of the pink line, the vapor is too rich to
support combustion.
January 2011
System Failure Case Studies - Fire in the Sky
2|Page
A
B
Figure 4: Wiring conguration on the Boeing 747. Investigators suspect that high voltage from
the fuel ow meter (A) passed to the FQIS system (B) because of a short in the wire bundle.
wire. The
same wire routes were then found to contain other poten-
tial electrical energy sources, such as the cabin lights that had been
beneath the cockpit. The cabin lights had required maintenance on
multiple occasions in the month before the accident. Any of these
potential sources could have passed excessive energy to the FQIS
system within the CWT (See Figure 4).
underlying issues
FlaWed assumptions
Fuel tank explosions require both an ignition source and a com-
bustible fuel/air mixture. Because of the pressure and temperature
variations that can occur during an airplane’s ight, it is difcult
to predict the times at which the fuel/air mixture in a tank’s ullage
is combustible. Prevailing industry practice assumes the mixture is
combustible at all times. When designing the 747, engineers relied
solely upon eliminating ignition sources to prevent fuel tank explo-
sions. According to the FAA, “it was generally believed that design
practices were capable of completely eliminating in-tank ignition
sources.” This capability depended upon several assumptions: an
“explosion-proof” FQIS system, appropriate wire conguration,
and sufciently sensitive circuit breakers. After the accident, in-
vestigators realized that a history of fuel tank explosions proved
these assumptions invalid. Even after reviewing the designs of all
transport airplane fuel systems to the tougher standards that were
developed after the accident involving TWA ight 800, known as
Special Federal Airworthiness Rule (SFAR) 88, the FAA and indus-
try continued to nd that the post SFAR88 review did not identify
all potential hazards.
Aging FQIS Components
During qualication testing in the 1960’s, FAA examiners found
FQIS probes free of arcing up to 2,000 volts and deemed the FQIS
system “explosion-proof.” After the accident, NTSB investigators
tested FQIS components in aircraft that had been in service for more
than 30 years - the same length of time the accident airplane had
been operating. These examiners observed that silver sulde depos-
its had accumulated on the probes – presumably because of their
long exposure to jet fuel contaminants. NTSB concluded the semi-
conductive nature of this deposit was probably enough to induce an
electrical arc inside the CWT at minimal voltage, igniting the fuel
vapor and resulting in the subsequent tank explosion.
Investigators also found other conditions from routine service that
could lead to potential ignition hazards. For example, drilling con-
ducted as routine maintenance could leave shavings that bridged
between the fuel probes and aluminum structure, acting as potential
heating laments when subjected to excessive energy from a short
circuit elsewhere in the system.
Although the FQIS system displayed explosion-proof capability at
the time of aircraft certication, designers did not account for the
effects of aging upon the system. Certied as explosion-proof, the
probes were never retested.
Wire Conguration and Maintenance
Like all large aircraft of its era, B-747 design allows circuits from
multiple systems to be co-bundled along shared raceways in the
fuselage. Designers may have assumed such a layout would not
impose mechanical wear on insulation leading to failure, but when
NTSB looked at wiring inside both old and new transport aircraft,
their ndings conclusively proved otherwise. The Board observed
wiring whose insulation had been cut, degraded, chafed, or other-
wise compromised. They also discovered metal shavings on and be-
tween wires bundled together. Fluid that had leaked from the cabin
and galleys had accumulated in the wire bays, creating what inves-
tigators described as “syrup” that could serve as an electrical con-
ductor. In some cases, the wire bundles were found “adhered into
solid, stiff masses.” Board-sponsored tests showed uids that have
migrated between wires with cracked or damaged insulation could
contact copper conductors and act as mechanisms through which
short energy bursts could intermittently transfer. Metal shavings ly-
ing on and between wires in bundles could easily cut through insula-
tion and act as bridges to form short circuits between the wires. Per
the NTSB, such conditions would allow high voltage to enter FQIS
components.
FAA maintenance policy classied aircraft wiring as “on-condi-
tion,” meaning wiring components were not maintained according
to a set schedule, but addressed only when a malfunction or a failure
occurred. Maintenance personnel visually inspected wiring only in
concurrence with zonal inspections or fuel tank structural inspec-
tions. But without extensive, dedicated, and intrusive inspections,
problems such as worn wiring or degrading internal FQIS compo-
nents, corrosion, or debris in wire raceways would go undetected.
Because such inspections were not a part of the 747’s maintenance
schedule, technicians did not identify the latent failures that led to
the accident.
Unreliable Circuit Breakers
TWA 800 was equipped with thermally activated circuit breakers.
Post-accident testing showed that currents of 2 to 4 joules could
transfer between wires for as long as 25 minutes without heating
a wire to the level required to trip such a circuit breaker. Based on
these tests, NTSB concluded that thermally activated circuit break-
January 2011
System Failure Case Studies - Fire in the Sky
3|Page
ers, such as those used on TWA 800, do not function fast enough
to reliably prevent excessive energy from entering FQIS wires, as
previously assumed. Later, NTSB recommended installing arc-fault
circuit breakers and other current limiting devices, instead of simple
thermal-mechanical circuit breakers to prevent energy transfers.
aFtermath
In 2001, the FAA issued Special Federal Aviation Regulation (SFAR)
88 which required re-examination of all airplanes with regard to ig-
nition prevention. These reviews utilized the newest standards and
knowledge gained through the fuel tank investigation, rather than
the earlier standards that existed when airplanes had been certi-
cated. The SFAR also required safety enhancements, such as regular
cleansing of silver sulde deposits from FQIS probes. In 2007, the
FAA issued a requirement for aircraft wiring to undergo targeted
maintenance. The FAA also recommended improved training for air-
craft maintenance personnel since some of the hazards NTSB inves-
tigators found when inspecting airplanes similar to TWA 800, such
as metal shavings in the wire bays, could be viewed as common-
place and not considered a hazard. Because potential hazards con-
tinue to be found, even after the SFAR 88 review, the FAA continues
to monitor fuel tank designs and modications, which continues to
result in additional airworthiness directives.
During the course of the NTSB investigation, it became clear that
sole reliance upon ignition preventive design was an inadequate
means of avoiding a CWT explosion; somehow, the CWT itself had
to be rendered incombustible as an additional layer of protection.
The military had accomplished this in combat aircraft by using sys-
tems to inject inert gas such as nitrogen to displace oxygen in fuel
tanks from 21% down to 9%. Such systems had been considered
unnecessary in cost and weight by the commercial transport aircraft
industry. However, by recognition that commercial airplanes did not
need the level of inerting used by the military, the FAA developed
a relatively lightweight and simple ammability reduction system
(FRS) from advanced inerting system technologies. These develop-
ments made retrotting of commercial aircraft feasible. In 2008, the
FAA issued a fuel tank ammability rule requiring airlines to retrot
(within 10 years) a means to reduce the ammability of heated fuel
tanks in all Boeing and Airbus aircraft manufactured before 2009.
Methods could include systems to displace oxygen in tanks with
inert nitrogen, or use of materials to mitigate ignition such as poly-
urethane foam ll.
For Future nasa missions
The FAA did not require airlines to schedule targeted inspections
and maintenance for the wiring network partly because of the dif-
culty such inspections would entail. A typical wide-body jet can
contain 240 kilometers of wire; accessing those wire harnesses
would mean dismantling the aircraft’s external structure. Because
of this difculty, problems resulting from aging wiring systems
are becoming prevalent in both commercial aircraft and in military
ghters. NASA faces similar challenges in its own densely wired
systems. NASA’s wire networks are equally susceptible to chang
from vibration, breakdown from moisture, or cracking from age.
While it may be impractical to dismantle and visually inspect every
inch of the wiring labyrinth winding through a spacecraft’s recesses,
knowing that arcs, shorts, and electromagnetic interference present
constant threats to product operation must lead designers to install
additional layers of safety to protect against wiring malfunctions.
Products still in the concept phase of the project life cycle should
account for the effects of age and include a means to later analyze
the wire system’s integrity.
When TWA 800 plunged into the Atlantic, certain assumptions that
aircraft designers had relied upon
for three decades vanished. When
FQIS components were new, they had qualitatively and quantitative-
ly proven to be “explosion-proof,” but, this assumption was never
reassessed, even after the aircraft logged more than 90,000 hours of
operation. At NASA, it is critical to continue questioning initial as-
sumptions about operations, equipment, and facilities. Defects that
prove to be critical may develop over time, and detecting latent fail-
ures is not always easy. Sustaining rigorous maintenance and qual-
ity checks underscores recognition that failure modes cannot always
be identied at the time of a product’s inception. Installing targeted
inspection and maintenance practices are critical to product and mis-
sion success.
Questions for Discussion
• What are some of the assumptions you made about
your project when it began?
• Have you re-evaluated those assumptions to assess
their continued validity?
•
How do your maintenance and quality procedures
protect your system from the effects of age and
wear?
• Have you considered the practicality of implementing
additional layers of safety for your system?
reFerenCes
Federal Aviation Administration. Lessons Learned from Transport Airplane
Accidents: TWA 800 at Atlantic Ocean. 11 June 2010. < http://accidents-ll.
faa.gov/ll_main.cfm?TabID=1&LLID=21&LLTypeID=2#null>.
Furse, Cynthia and Randy Haupt. “Down to the Wire.” ieee Spectrum. 1 Feb
2001. < http://spectrum.ieee.org/aerospace/aviation/down-to-the-wire/0>.
Flanner, Mark. An Analysis of the Central Fuel Tank Explosion of TWA
Flight 800. University of Wisconsin. <http://tc.engr.wisc.edu/uer/uer00/au-
thor2/printables/twa.pdf>.
“Industry Steps Forward on Fuel Tank Inerting.” Aviation Today. 4 August,
2008. <http://www.aviationtoday.com/manufacturers/boeing/Industry-
Steps-Forward-on-Fuel-Tank-Inerting_24808.html>.
National Transportation Safety Board. Aircraft Accident Report: In-ight
Breakup Over the Atlantic Ocean trans World Airlines Flight 800 Boeing
747-131, N93119 Near East Moriches, New York July 17, 1996. United
States Governement, 2000.
SYSTEM FAILURE CASE STUDIES
Executive Editor: Steve Lilley Developed by: ARES Corporation
This is an internal NASA safety awareness training document based on information
available in the public domain. The ndings, proximate causes, and contributing fac-
tors identied in this case study do not necessarily represent those of the Agency.
Sections of this case study were derived from multiple sources listed under Refer-
ences. Any misrepresentation or improper use of source material is unintentional.
Visit http://nsc.nasa.gov/SFCS to read this and other case studies online
or to subscribe to the Monthly Safety e-Message.
January 2011
System Failure Case Studies - Fire in the Sky
4|Page
