In yesterday’s post I argued that the reboot of MH370’s satellite communications system at 18:25 is a key piece of evidence about what happened to the missing plane. In fact, I would go so far as to say that we should discount any scenario which cannot explain the reboot.
That being the case, I thought it would be a good idea to clarify what we do know about rebooting the satcom and discuss the implications. Right up front I’d like to emphasize that I am by no means an electronics expert and I welcome any corrections or clarifications.
First, some basic background for those who might be new to the discussion. Flight MH370 took off from Kuala Lumpur International airport at 16:42 UTC on 3/7/14 bound for Beijing. At 17:07:29, the plane sent an ACARS report via its satcom. At 17:20:36, five seconds after passing waypoint IGARI and a minute after the last radio transmission, the transponder shut off. For the next hour, MH370 was electronically dark. The next ACARS transmission, scheduled for 17:37, did not take place. At 18:03 Inmarsat attempted to forward an ACARS text message and received no response, suggesting that the satcom system was turned off or otherwise out of service. At 18:22, MH370 vanished from primary radar coverage over the Malacca Strait. Three minutes later—about the amount of time it takes the Satellite Data Unit (SDU) to reboot—the satcom system connected with Inmarsat satellite 3F-1 over the Indian Ocean and inititated a logon at 18:25:27.
The question is, by what mechanisms could MH370’s satcom have become inactive, then active again?
Logging on and off the satcom is not something airline pilots are trained to do. A pilot can deselect the satcom as a mode of transmission for ACARS messages so that they go out over the radio instead, but this is not what seems to have happened in the case of MH370. According to the ATSB report issued in June of 2014,
A log-on request in the middle of a flight is not common and can occur for only a few reasons. These include a power interruption to the aircraft satellite data unit (SDU), a software failure, loss of critical systems providing input to the SDU or a loss of the link due to aircraft attitude. An analysis was performed which determined that the characteristics and timing of the logon requests were best matched as resulting from power interruption to the SDU.
Satellite communications expert Mike Exner addressed the issue specifically in a guest post here and likewise concluded that in all likelihood the SDU was powered down, and then powered up again.
There is no on/off switch for the SDU in the cockpit. A person wanting to turn the SDU off has two options. The first is to descend into the electronics and equipment bay (E/E bay) through a hatch at the front of the first-class cabin and flip three circuit breakers located there. The second method, which can be accomplished directly from the cockpit, is to isolate the portion of the plane’s electrical system which feeds the SDU, the left AC bus. According to IG member Barry Martin, the left main AC bus can receive its electrical power from any one of four sources:
- left main engine IDG via a left generator circuit breaker
- right main AC bus via both left and right bus tie breakers
- auxiliary power unit generator via an auxiliary power breaker and the
left bus tie breaker
- backup generator converter which connects to the left transfer bus via a
left converter circuit breaker, and the left transfer bus connects to the left
main AC via a left transfer bus breaker.
In order to prevent any of these from supplying electrical power, Martin writes, a multi-step process is required:
The left IDG can be disconnected in a couple of ways via the flight deck electrical power system control panel. The preferred method would be via the left generator control switch. The second method is by use of the guarded drive disconnect switch, which permanently disconnects the IDG and the connection can only be remade on the ground. The L GEN CONT switch will open
the left generator circuit breaker, but the left bus tie breaker would then automatically close to re-energise the left main bus so the left BTB must be switched to ISLN on the electrical control panel before attempting to disconnect the IDG.
The left main bus can still be powered from the left transfer bus which picks up power from a solid-state variable-speed constant-frequency backup generator converter. The easiest method of preventing this is by simply opening the left transfer bus breaker, which allows the left transfer bus to remain energised to ensure the left transformer rectifier unit stays powered. However, I don’t see an option on the flight deck control panel to manually open the left transfer bus breaker. A second option would be opening the left converter circuit breaker, connecting the left transfer bus to the backup generator. Again, there’s no L CCB switch on the panel. Therefore the third option is to switch both backup generators off, which is possible via the panel.
This explanation is somewhat above my paygrade but my takeaway is that isolating the left AC bus requires some technical savvy. Indeed, when Mike Exner went to visit a professional flight-sim facility last November, the instructors there had never heard of this method of de-powering the SDU. (These are pilots whose job it is to train other airline pilots in every aspect of aircraft operation, so if it were common knowledge one would expect them to know about it.)
This is why I feel the reboot of MH370’s satcom suggests that whoever took the plane was technically sophisticated.
Some people have resisted this interpretation and instead raised the possibility that the SDU was power-cycled because someone wanted to turn something else off and back on again. The crucial question then becomes: What else is powered by the left AC bus? It wasn’t easy to find out, but after some careful digging, IG members were able to determine that the other systems fed by the AC bus are:
- TCAS (Traffic Collision Avoidance System)
- Cockpit door lock
- The centre tank override and jettison pumps
- Some galley equipment
- IFE (in-flight entertainment system)
- One of the high-frequency radios
- The main passenger cabin lighting system (the night, cabin and cross-aisle lights remain powered)
Looking at this list, it’s hard to imagine that a hijacker or suicidal pilot would feel a pressing need to depower an entire portion of the electrical system in order to turn any of these things on and off. (Also, given how hard the IG had to work to compile this list, how would they know?) I can imagine wanting to prevent passengers from seeing the moving map feature in the IFE, but it’s possible to turn this off from the cockpit without isolating parts of the electrical system.
To my mind, the only plausible explanation for the satcom reboot is the simplest one: somebody aboard the plane wanted to reboot it. But why? Again I am only able to think of one plausible answer: that they took it offline in order to tamper with it in order to effect a spoof. The fact that the reboot was apparently initiated less than a minute after MH370 left primary radar coverage would tend to support this hypothesis.
In the course of yesterday’s discussion, it was suggested that the SDU may have shut off due to fire. I don’t find this very plausible, given the evidence that MH370 went electronically dark just five seconds after passing the last waypoint in Malaysian airspace. This seems to me a clear indication of deliberate purpose. And if someone isolated the left AC bus in an attempt to fight an electrical fire, why on earth would they turn it on again an hour later without attempting to make an emergency landing or even radio for help?
Another suggestion that came forward yesterday was that hijackers might have wanted to distract the passengers and cabin crew by turning off the IFE and galley equipment. But it seems to me that doing so would have had the opposite effect—it would have alerted them to the fact that something was wrong, if they weren’t aware already.
Can anyone come up with an alternative explanation for the mysterious satcom reboot?
- After receiving input from Don Thompson, who is perhaps the most knowledgeable independent experts in the world on this topic, I’ve change the wording of the third paragraph to clarify that it was the failed transmission of an ACARS text message at 18:03 that provides the first clear-cut evidence that the SDU was inoperative.
- On the advice of Gysbreght and LG Hamilton, I’ve removed “ACARS (VHF 3)” from the list of systems on the left AC bus and added “cockpit door lock.”