Fuel Flammability, Flight Path Coercion and Technical Security Analysis

Peter B. Ladkin with Frank Taylor

Report RVS-J-01-01

In German, the words for safety and security are the same. I used to think this was a conflation of two different things, but then came to realise that they both speak of failures with disastrous consequences. In system safety engineering, the word "accident" as it is defined does not distinguish between intentional and unintentional failures, because the notion of intention does not enter.

An accident is defined as an "unwanted" event or occurrence (or even process); some specify "unwanted" as meaning loss of life, or of money, or environmental harm, or other specific modes of loss. But logically it is a simple choice what counts as "unwanted". It is some specified event, state, or chain of either, which it is desired to avoid during operation.

Safety is defined as "lack of accidents", but this cannot distinguish the common meaning of safety from that of security, if the notion of accident does not. The distinction must come in the process which leads to the accident: are there elements of human intention towards the accident occurrence, or not?

The word to characterise things with a purpose is "teleological". Most artificially engineered systems are teleological; they may be said to have a purpose. Airplanes certainly do. But the process that leads to an accident may or may not have teleological components. Whether the process has purposeful components affects significantly the way in which we much think about prophylactic measures in logical terms. If an accident process does not purposefully aim towards the goal (the accident) then all one must do to avoid a repeat is to break one link in one of the causal chains leading to the accident. If one succeeds, such an accident cannot occur. This is the approach used by investigative body recommendations arising from accident investigations, although of course one tries to do better. One tries to be as general as possible, to "cover" the most potential future incidents; one tries to be complete, "breaking" as many links as reasonable; and recommendations may also arise from any observations which do not relate directly to the accident.

If there is purpose involved, that is, if one is dealing with what philosophers and cognitive scientists call an "intentional agent", then things are a little more difficult. Break one causal chain, and the intentional agent may find a substitute with the same outcome. So one has to look at, not just links, but paths in the causal graph, with endpoints, and ask not just how to break one link, but how to break all physically possible paths with the same endpoints. This is a much harder technical problem. But it has the same nature, nonetheless.

Technical safety and security analyses are thus logically similar.The same (adequate set of) concepts used for safety analysis would suffice in principle for technical security analysis (as I should like to call it) but the analytical problem becomes much, much harder.

Common security analysis tries to control the existence of intentional agents and the access of such agents to system processes. One could surmise that this is because controlling the agents is regarded as easier than solving the logical-analytic problem above, for the most part.

In the aftermath of the horrendous events of September 11, 2001, we might well like to think again about technical security analyses. There is at least one major component of that deliberate "accident" which has been looked at technically for a while, without resounding success. So far.

The buildings collapsed because of the fire, estimated at some 800 degrees Celsius. It weakens, even melts, the metal support structure through the concrete, and at some point the upper part of the building can no longer be supported. There was an estimated 100,000-150,000 tonnes of building above the impact points and fire, and when that collapses, it acts as a pile driver and inevitably brings the rest down. A structural engineer, Chris Wise, who has worked on the Commerzbank building in Frankfurt, said to be Europe's largest, said it on BBC World on Tuesday, September 11. The BBC also talked to Prof. John Knapton of Newcastle U. The story is on their WWW site. Smith said he was surprised that the buildings withstood the fire for so long (1 hour plus), and said it was a help to people trying to get out that it lasted even that long. He is surely right. He also said that the impact forces alone (that is, the kinetic energy delivered on impact) could likely not destroy the buildings, and they would likely have withstood, were it not for the fire.

Commercial aircraft are the largest incendiary devices, and probably the devices with the highest kinetic energy, in the public domain. Widebody fuel loads are of the order of 100 tonnes at departure; a full fuel load on a B747-400 is upwards of 170 tonnes. A full B747-400 weighs upwards of 400 tonnes and flies at roughly 300 to 800 kph in various phases of flight. Aircraft are also highly mobile and can go virtually anywhere.

Commercial aircraft can not adequately be protected by physical isolation with controlled boundaries, as with a static object such as a nuclear power station. It would make no sense to accompany every commercial flight with a couple of fighter aircraft.

Commercial aircraft have far more destructive power in their current configuration than anything a small group can construct alone. If one wants to bomb available targets in or near to civilian airspace, without using obvious military devices, hikacking one is a way to do it.

Various sectors have been planning for such an event for at least 30 years. When I worked for the UK CEGB (as it was then) in 1970-73, the pressure vessels of the nuclear reactors in the power stations were designed to withstand the impact caused by a direct hit from a commercial aircraft (whether the analysis was adequate is a different question, and I don't recall anyone working on the fire aspects). I think it likely that the World Trade Center was well designed to withstand an impact from a commercial aircraft. But not such a fire, because it seems as if that would be a structural engineering problem with no possible solution.

I hold it likely that commercial airplanes will remain targets for those wishing to construct bombs in the civilian domain, until the point at which one inerts the vaporised fuel.

The issue of vaporised fuel within a tank came to significant public attention first with the accident to TWA flight 800 in 1996. A fire requires a flammable agent (in this case, jet fuel), sufficient oxygen for the duration (provided by the air in a tank with low fuel), and a source of ignition. The US Federal Aviation Administration's (FAA) attitude to the existing fuel-tank vapor problem extends back beyond TWA 800, and consists in controlling and eliminating possible sources of ignition through design and certification of the aircraft. The US National Transportation Safety Board now recommends inerting the vapors.

The FAA's solution cannot work against purposeful on-board ignition devices, such as small explosives or incendiary devices. The idea is to control these by controlling what is brought on board. However, airports are big places with small fences; it is likely to remain possible, although to become much harder, for someone to install a small device while the aircraft is being serviced, or parked, and for a subsequent passenger to ignite it with a pager-like device. Inerting the tanks would significantly reduce this kind of threat. One would need a much larger device to destroy the structure completely, without help from a fuel conflagration, and such devices can more easily be detected on a simple walk-around and walk-through before loading.

There has been a search for some time for an anti-misting additive or something that would hinder the burning of vaporised jet fuel in all circumstances other than being ignited in a jet engine. People working on aviation accidents know that many if not most victims of most crashes die through asphyxiation or burns rather than through trauma alone. Hindering the post-crash fire caused when a commercial aircraft with significant fuel on board crashes is close to the Holy Grail of accident prevention and mitigation. No one knows how to do it yet. But one knows how to try a little bit.

NASA tried out a potential fuel inerting agent, so-called Anti-Misting Kerosene (AMK), developed by UK's ICI over about 17 years, in a controlled crash of a B720 in the Mojave Desert in 1984. The aircraft was flown remotely into what amounted to a series of large knives on a dirt runway. However, the fuel ignited and burned anyway. Not the way normal kerosene would burn, and indeed large amounts of data were collected on the fire, and on the impact, from the dummies in the passenger seats. But it did burn, destructively and hot.

Frank Taylor commented:

I believe that [AMK] would work in the majority of cases and indeed might have minimised the fires in recent events so that the structures held. However the problem remains of getting a suitable AMK into the aircraft in the correct 'mix' day in day out such that a wrong mix 'never' occurs that could stop all engines with disastrous results. I use 'never' in the 'acceptably rare' sense.

Fuel inerting in this form is about risk mitigation: the hazard remains, but the severity of the outcome is much reduced. The accident along with its severity can be considered a causal product of the flight path of the aircraft bringing it into proximity and collision with an object, the kinetic energy of the aircraft, and its potential incendiary energy. We have looked at the incendiary aspects. There is little one can reasonably do about the kinetic energy. What about the flight path? People have mulled over the flight path problem. Frank Taylor again:

On the security side I reckon an effective answer might be to ensure that [...] any threatening event caused an irreversible (or apparently so) take over by the autopilot/autoland system to send the aircraft to some designated airfield.
He pointed out that such measures might not be perfect - the airplane might still be prone to accident - but that one could avoid collisions into a major target. Such measures were also suggested to me by a well-known UK safety-critical systems expert (who suggested considering passenger UAV's) and by an avionics engineer, who suggested an enforced takeover by a ground controller.

The technology is certainly there to implement some kind - many kinds - of non-pilot control in the event of a hijacking, especially if the measures are looked at as risk mitigation and not as outright avoidance. Frank Taylor:

[...] back in the early 1980s we were proposing a series of crash tests using retired BA Tridents (which were of course the first aircraft to have full all weather autoland). The CAA, AAIB, BA and the manufacturer all agreed that it could be done and to contribute. It was proposed to set the whole flight up to take-off, circuit and land towards obstructions, etc. We couldn't get the money to do it but the Americans did for their CID in 1984 using a radio controlled B720.

The ground control for the 1984 B720 crash also used video, as do controllers for some UAV's. Video may be intentionally obscured by hijackers, of course, but it is most significant only for approach and landing. These tasks could likely be accomplished well enough through telemetry and precision radar (say, augmented GCA radar at appropriate military bases). It is, after all, only an remote autoland. Even risky flight phases could be avoided by cruising the aircraft to a point in space over a suitably-equipped air force base, holding it until it runs low on fuel, and then giving control back to the aircraft occupants, whose options would then be limited to landing, inevitably, somehow and somewhere close.

Whether accomplished by on-board avionics, or by telemetry and remote control, the technology exists to implement such risk mitigation measures. The procedures to be used are another, more difficult, matter, No technical analysis can reasonably be performed until concrete proposals are put forward, because the details of such plans could vary so widely. I have likely said enough for this short essay.


Technical security analysis first involves constructing a causal graph of the accident progression, as in traditional accident analysis. It then involves selecting some part of some causal chain involved, selecting its first node ("factor") and its last node ("outcome"), and showing how all physically possible methods of proceeding from factor to outcome may be confounded.

One may think for example to mitigate, or avoid, the outcome. I have suggested one mitigation for intentional accidents similar to those of September 11, 2001, namely developing procedures for, and using, some form of anti-misting kerosene, or better performing successors. Another way of avoiding, or mitigating, the outcome consists of rigorous flight-path control, consisting in ensuring rigorously that the flight path of no commercial aircraft can come within collision range of such potential targets as population centers and sensitive military facilities, whatever the intention of the occupants. I have briefly mentioned some possibilities which could be implemented using available technology.

Such measures have benefits also for inadvertent accidents. Here, flammability reduction measures could have great impact. One thinks of Manchester, of Habsheim 1988, Warsaw 1992, TWA 800, and Bangkok 2001, as well as others. Reducing flammability could significantly reduce the number of deaths and injuries resulting from asphyxiation and burning through post-crash fires. Comparatively, accidents in which flight path coercion might have helped are much rarer. One thinks maybe of Birgen Air in Puerto Plata or Korean Air in Guam, but it very much depends on the type of coercion. Although coercion measures are on the tip of many tongues, considering fuel flammability could well have the greater impact on aviation overall.

Maybe it is time to spend a few billions of dollars on attempting again to develop a fuel combination that will burn much less fiercely, or not burn at all, when vaporised in air in the presence of ignitive devices. That would reduce or remove the possibility for using commercial airplanes as incendiary devices, and thereby any rationale for using them as such.


Peter Ladkin is Professor of Computer Networks and Distributed Systems at the University of BielefeF6d, Germany. His research is concerned with the causal analysis of complex systems and their failures. Frank Taylor is Director of the Cranfield Aviation Safety Centre in the College of Aeronautics at Cranfield University, UK. He is an expert inter alia on aviation fires and explosions.

ladkin@rvs.uni-bielefeld.de http://www.rvs.uni-bielefeld.de

A.F.Taylor@cranfield.ac.uk http://www.cranfield.ac.uk/coa/tech-atm/avsafety.htm