Auxiliary Power Unit Battery Fire
Japan Airlines Boeing 787-8, JA829J
Boston, Massachusetts
January 7, 2013
Incident Report
NTSB/AIR-14/01
PB2014-108867
National
Transportation
Safety Board
NTSB/AIR-14/01
PB2014-108867
Notation 8604
Adopted November 21, 2014
Aircraft Incident Report
Auxiliary Power Unit Battery Fire
Japan Airlines Boeing 787-8, JA829J
Boston, Massachusetts
January 7, 2013
National
Transportation
Safety Board
490 L’Enfant Plaza, S.W.
Washington, D.C. 20594
National Transportation Safety Board. 2014. Auxiliary Power Unit Battery Fire, Japan Airlines
Boeing 787-8, JA829J, Boston, Massachusetts, January 7, 2013. NTSB/AIR-14/01. Washington, DC.
Abstract: This report discusses the January 7, 2013, incident involving a Japan Airlines Boeing 787-8,
JA8297, which was parked at a gate at General Edward Lawrence Logan International Airport,
Boston, Massachusetts, when maintenance personnel observed smoke coming from the lid of the auxiliary
power unit battery case, as well as a fire with two distinct flames at the electrical connector on the front of
the case. No passengers or crewmembers were aboard the airplane at the time, and none of the
maintenance or cleaning personnel aboard the airplane was injured. Safety issues relate to cell internal
short circuiting and the potential for thermal runaway of one or more battery cells, fire, explosion, and
flammable electrolyte release; cell manufacturing defects and oversight of cell manufacturing processes;
thermal management of large-format lithium-ion batteries; insufficient guidance for manufacturers to use
in determining and justifying key assumptions in safety assessments; insufficient guidance for
Federal Aviation Administration (FAA) certification engineers to use during the type certification process
to ensure compliance with applicable requirements; and stale flight data and poor-quality audio recording
of the 787 enhanced airborne flight recorder. Safety recommendations are addressed to the FAA,
The Boeing Company, and GS Yuasa Corporation.
The National Transportation Safety Board (NTSB) is an independent federal agency dedicated to promoting
aviation, railroad, highway, marine, and pipeline safety. Established in 1967, the agency is mandated by Congress
through the Independent Safety Board Act of 1974 to investigate transportation accidents, determine the probable
causes of the accidents, issue safety recommendations, study transportation safety issues, and evaluate the safety
effectiveness of government agencies involved in transportation. The NTSB makes public its actions and decisions
through accident reports, safety studies, special investigation reports, safety recommendations, and statistical
reviews.
The NTSB does not assign fault or blame for an accident or incident; rather, as specified by NTSB regulation,
“accident/incident investigations are fact-finding proceedings with no formal issues and no adverse parties and
are not conducted for the purpose of determining the rights or liabilities of any person.” 49 C.F.R. § 831.4.
Assignment of fault or legal liability is not relevant to the NTSB’s statutory mission to improve transportation safety
by investigating accidents and incidents and issuing safety recommendations. In addition, statutory language
prohibits the admission into evidence or use of any part of an NTSB report related to an accident in a civil action for
damages resulting from a matter mentioned in the report. 49 U.S.C. § 1154(b).
For more detailed background information on this report, visit http://www.ntsb.gov/investigations/dms.html and
search for NTSB accident ID DCA13IA037. Recent publications are available in their entirety on the Internet at
http://www.ntsb.gov. Other information about available publications also may be obtained from the website or by
contacting:
National Transportation Safety Board
Records Management Division, CIO-40
490 L’Enfant Plaza, SW
Washington, DC 20594
(800) 877-6799 or (202) 314-6551
NTSB publications may be purchased from the National Technical Information Service. To purchase this
publication, order product number PB2014-108867 from:
National Technical Information Service
5301 Shawnee Rd.
Alexandria, VA 22312
(800) 553-6847 or (703) 605-6000
http://www.ntis.gov/
NTSB Aircraft Incident Report
i
Contents
Figures ........................................................................................................................................... iii
Tables ............................................................................................................................................ iv
Abbreviations .................................................................................................................................v
Executive Summary .................................................................................................................... vii
1. Factual Information ...................................................................................................................1
1.1 Event History .............................................................................................................................1
1.2 Airplane Information .................................................................................................................4
1.2.1 Battery Information .........................................................................................................4
1.2.2 Battery and Related Component Information ................................................................10
1.2.3 Postincident Airplane Examination ...............................................................................11
1.2.4 Additional Airplane-Related Information ......................................................................12
1.3 Flight Recorders .......................................................................................................................13
1.4 Incident Battery Examinations .................................................................................................15
1.4.1 External Observations ....................................................................................................15
1.4.2 Radiographic Examinations of Incident Battery and Cells ............................................17
1.4.3 Disassembly of Incident Battery ....................................................................................20
1.4.4 Battery Case Protrusion and Corresponding Cell Case Damage ...................................23
1.4.5 Disassembly of Incident Battery Cells ..........................................................................24
1.5 Exemplar Battery Examinations and Testing ..........................................................................30
1.5.1 Radiographic Examinations of Exemplar Battery Cells ................................................30
1.5.2 Cell Soft-Short Tests......................................................................................................31
1.5.3 Examinations of Cells From the Incident Airplane Main Battery .................................32
1.5.4 Cell-Level Abuse Tests ..................................................................................................34
1.5.5 Rivet Observations During Cell- and Battery-Level Testing ........................................37
1.5.6 Cold Temperature Cell- and Battery-Level Testing ......................................................39
1.5.7 Battery-Level Nail Penetration Tests.............................................................................40
1.5.8 Additional Testing .........................................................................................................41
1.6 Battery Manufacturing Information .........................................................................................42
1.6.1 Main and Auxiliary Power Unit Battery Development .................................................42
1.6.2 Cell Manufacturing Process ...........................................................................................45
1.7 System Safety and Certification...............................................................................................47
1.7.1 Type Certification Overview and Battery Special Conditions ......................................47
1.7.2 Certification Plan ...........................................................................................................48
1.7.3 System Safety Assessment ............................................................................................49
1.8 Additional Information ............................................................................................................52
1.8.1 Federal Aviation Administration Actions After Battery Incidents ................................52
1.8.2 Previously Issued Safety Recommendations .................................................................54
NTSB Aircraft Incident Report
ii
2. Analysis .....................................................................................................................................56
2.1 Failure Sequence ......................................................................................................................56
2.2 Emergency Response ...............................................................................................................58
2.3 Cell Manufacturing Concerns ..................................................................................................58
2.4 Thermal Management of Large-Format Lithium-Ion Batteries ...............................................62
2.4.1 Battery Internal Heating During High-Current Discharge ............................................62
2.4.2 Cell-Level Temperature and Voltage Monitoring .........................................................65
2.4.3 Thermal Safety Limits for Cells ....................................................................................66
2.5 Certification Process ................................................................................................................67
2.5.1 Validation of Assumptions and Data Used in Safety Assessments
Involving New Technology ....................................................................................................68
2.5.2 Validating Methods of Compliance for Designs Involving New Technology ..............72
2.5.3 Certification of Lithium-ion Batteries and Certification of New Technology ..............74
2.6 Flight Recorder Issues..............................................................................................................75
2.6.1 Stale Flight Data ............................................................................................................75
2.6.2 Poor-Quality Cockpit Voice Recording .........................................................................76
3. Conclusions ...............................................................................................................................78
3.1 Findings....................................................................................................................................78
3.2 Probable Cause.........................................................................................................................79
4. Recommendations ....................................................................................................................80
4.1 New Recommendations ...........................................................................................................80
4.2 Previously Issued Safety Recommendations Classified in This Report ..................................82
5. Appendixes................................................................................................................................84
Appendix A: Investigation and Hearing ........................................................................................84
Appendix B: Boeing 787 Type Certification Special Conditions 25-359-SC ...............................86
Appendix C: Comments From the Bureau d’Enquêtes et d’Analyses pour la Sécurité
de l’Aviation Civile........................................................................................................................88
References .....................................................................................................................................95
NTSB Aircraft Incident Report
iii
Figures
Figure 1. Photograph of smoke emanating from the incident airplane’s aft E/E bay. ................... 3
Figure 2. Main and APU exemplar battery. ................................................................................... 6
Figure 3. Electrode winding layout. ............................................................................................... 7
Figure 4. Exploded-view diagram of LVP65 lithium-ion cell construction. ................................. 8
Figure 5. Riveted header assembly. ............................................................................................... 9
Figure 6. Right aft corner of the battery lid and side 4 of the battery case. ................................. 16
Figure 7. Cross-sectional view of the APU battery. .................................................................... 18
Figure 8. Cross-sectional view of cell 5 aluminum current collectors......................................... 19
Figure 9. Cross-sectional view of cell 6 aluminum current collectors......................................... 20
Figure 10. Thermal damage to battery. ........................................................................................ 22
Figure 11. Lower and upper fixation trays. .................................................................................. 23
Figure 12. Protrusion on the lower left of battery case side 3. .................................................... 24
Figure 13. Cell 5 winding closest to cell 6. .................................................................................. 27
Figure 14. Cell 6 winding closest to cell 5. .................................................................................. 28
Figure 15. Results of cell-level internal short circuit abuse test. ................................................. 36
Figure 16. Winding flattening process. ........................................................................................ 46
NTSB Aircraft Incident Report
iv
Tables
Table 1. Specifications for the main and APU battery and cells. ................................................... 5
Table 2. Events surrounding APU shutdown. .............................................................................. 14
NTSB Aircraft Incident Report
v
Abbreviations
AC
ACO
AD
APSIF
APU
ARAC
ARC
ARFF
ARP
ATP
BCU
BEA
BMU
BOS
CFR
CT
CVR
DPA
EAFR
EASA
ECS
EDS
E/E bay
NTSB Aircraft Incident Report
vi
EICAS
EPS
EUROCAE
FAA
FAI
FDR
FHA
FMEA
FOD
JAL
JTSB
KAI
NASA
NRT
NTSB
ODA
SAE
SCD
SEI
SEM
SPU
TAK
TSO
UL
NTSB Aircraft Incident Report
vii
Executive Summary
On January 7, 2013, about 1021 eastern standard time, smoke was discovered by cleaning
personnel in the aft cabin of a Japan Airlines (JAL) Boeing 787-8, JA829J, which was parked at
a gate at General Edward Lawrence Logan International Airport (BOS), Boston, Massachusetts.
About the same time, a maintenance manager in the cockpit observed that the auxiliary power
unit (APU) had automatically shut down. Shortly afterward, a mechanic opened the aft electronic
equipment bay and found heavy smoke coming from the lid of the APU battery case and a fire
with two distinct flames at the electrical connector on the front of the case. None of the
183 passengers and 11 crewmembers were aboard the airplane at the time, and none of the
maintenance or cleaning personnel aboard the airplane was injured. Aircraft rescue and
firefighting personnel responded, and one firefighter received minor injuries. The airplane had
arrived from Narita International Airport, Narita, Japan, as a regularly scheduled passenger flight
operated as JAL flight 008 and conducted under the provisions of 14 Code of Federal
Regulations (CFR) Part 129.
The APU battery model is the same model used for the 787 main battery. On
January 16, 2013, an incident involving the main battery occurred aboard a 787 airplane operated
by All Nippon Airways during a flight from Yamaguchi to Tokyo, Japan. The airplane made an
emergency landing at Takamatsu Airport (TAK), Takamatsu, Japan, shortly after takeoff. The
Japan Transport Safety Board investigated this incident with support from the National
Transportation Safety Board (NTSB).
Boeing was responsible for the overall integration and certification of the equipment in
the 787’s electrical power conversion subsystem, which is part of the airplane’s electrical power
system (EPS). Boeing contracted with Thales Avionics Electrical Systems to design the 787
electrical power conversion subsystem, which includes the main and APU batteries. Thales then
subcontracted with various manufacturers for the main and APU battery system components,
including GS Yuasa Corporation, which developed, designed, and manufactured the main and
APU batteries.
Boeing was required to demonstrate that the 787’s design complied with the Federal
Aviation Administration’s (FAA) Special Conditions 25-359-SC, “Boeing Model 787-8
Airplane; Lithium-Ion Battery Installation,” which detailed nine specific requirements regarding
the use of these batteries on the airplane. As part of the compliance demonstration with these
requirements and 14 CFR Part 25 airworthiness standards, Boeing performed a safety assessment
to determine the potential hazards that various failure conditions of EPS components could
introduce to the airplane and its occupants. Boeing determined that the rate of occurrence of cell
venting for the 787 battery would be about 1 in 10 million flight hours. However, at the time of
the BOS and TAK incidents (both of which involved cell venting), the in-service 787 fleet had
accumulated less than 52,000 flight hours.
After the BOS and TAK events and the FAAs subsequent grounding of the US 787 fleet,
Boeing modified the 787 main and APU battery design and its installation configuration to
include, among other things, a stainless steel enclosure for the battery case and a duct that vents
NTSB Aircraft Incident Report
viii
from the interior of the enclosure to the exterior of the airplane to prevent smoke from entering
the occupiable space of the airplane. In April 2013, the FAA issued an airworthiness directive
mandating the installation of the modified battery aboard US 787 airplanes before they could
return to service.
The 787 main and APU battery design was also modified to mitigate the most severe
effects of an internal short circuit (that is, cascading, cell-to-cell thermal runaway of other cells
within the battery; excessive heat; flammable electrolyte release; and fire). The recommendations
resulting from the safety issues identified during this investigation could help prevent such
effects from occurring in future battery designs.
The NTSB identified the following safety issues as a result of this incident investigation:
Cell internal short circuiting and the potential for thermal runaway of one or
more battery cells, fire, explosion, and flammable electrolyte release. This
incident involved an uncontrollable increase in temperature and pressure (thermal
runaway) of a single APU battery cell as a result of an internal short circuit and the
cascading thermal runaway of the other seven cells within the battery. This type of
failure was not expected based on the testing and analysis of the main and APU
battery that Boeing performed as part of the 787 certification program. However,
GS Yuasa did not test the battery under the most severe conditions possible in
service, and the test battery was different than the final battery design certified for
installation on the airplane. Also, Boeing’s analysis of the main and APU battery did
not consider the possibility that cascading thermal runaway of the battery could occur
as a result of a cell internal short circuit.
Cell manufacturing defects and oversight of cell manufacturing processes. After
the incident, the NTSB visited GS Yuasa’s production facility to observe the cell
manufacturing process. During the visit, the NTSB identified several concerns,
including foreign object debris (FOD) generation during cell welding operations and
a postassembly inspection process that could not reliably detect manufacturing
defects, such as FOD and perturbations (wrinkles) in the cell windings, which could
lead to internal short circuiting. In addition, the FAA’s oversight of Boeing, Boeing’s
oversight of Thales, and Thales’ oversight of GS Yuasa did not ensure that the cell
manufacturing process was consistent with established industry practices.
Thermal management of large-format lithium-ion batteries. Testing performed
during the investigation showed that localized heat generated inside a 787 main and
APU battery during maximum current discharging exposed a cell to high-temperature
conditions. Such conditions could lead to an internal short circuit and cell thermal
runaway. As a result, thermal protections incorporated in large-format lithium-ion
battery designs need to account for all sources of heating in the battery during the
most extreme charge and discharge current conditions. Thermal protections include
(1) recording and monitoring cell-level temperatures and voltages to ensure that
exceedances resulting from localized or other sources of heating can be detected and
addressed before cell damage occurs and (2) establishing thermal safety limits for
NTSB Aircraft Incident Report
ix
cells to ensure that self-heating does not occur at a temperature that is less than the
battery’s maximum operating temperature.
Insufficient guidance for manufacturers to use in determining and justifying key
assumptions in safety assessments. Boeing’s EPS safety assessment for the 787
main and APU battery included an underlying assumption that the effect of an
internal short circuit within a cell would be limited to venting of only that cell without
fire. However, the assessment did not explicitly discuss this key assumption or
provide the engineering rationale and justifications to support the assumption. Also,
as demonstrated by the circumstances of this incident, Boeing’s assumption was
incorrect, and Boeing’s assessment did not consider the consequences if the
assumption were incorrect or incorporate design mitigations to limit the safety effects
that could result in such a case. Boeing indicated in certification documents that it
used a version of FAA Advisory Circular (AC) 25.1309, “System Design and
Analysis” (referred to as the Arsenal draft), as guidance during the 787 certification
program. However, the analysis that Boeing presented in its EPS safety assessment
did not appear to be consistent with the guidance in the AC. In addition, Boeing and
FAA reviews of the EPS safety assessment did not reveal that the assessment had not
(1) considered the most severe effects of a cell internal short circuit and (2) included
requirements to mitigate related risks.
Insufficient guidance for FAA certification engineers to use during the type
certification process to ensure compliance with applicable requirements. During
the 787 certification process, the FAA did not recognize that cascading thermal
runaway of the battery could occur as a result of a cell internal short circuit. As a
result, FAA certification engineers did not require a thermal runaway test as part of
the compliance demonstration (with applicable airworthiness regulations and
lithium-ion battery special conditions) for certification of the main and APU battery.
Guidance to FAA certification staff at the time that Boeing submitted its application
for the 787 type certificate, including FAA Order 8110.4, “Type Certification,” did
not clearly indicate how individual special conditions should be traced to compliance
deliverables (such as test procedures, test reports, and safety assessments) in a
certification plan.
Stale flight data and poor-quality audio recording of the 787 enhanced airborne
flight recorder (EAFR). The incident airplane was equipped with forward and aft
EAFRs, which recorded cockpit audio data and flight parametric data. The EAFRs
recorded stale flight data for some parameters (that is, data that appeared to be valid
and continued to be recorded after a parameter source stopped providing valid data),
which delayed the NTSB’s complete understanding of the recorded data. In addition,
the audio recordings from both EAFRs during the airborne portion of the flight were
poor quality. The signal levels of the three radio/hot microphone channels were very
low, and the recording from the cockpit area microphone channel was completely
obscured by the ambient cockpit noise. These issues did not impact the NTSB’s
investigation because the conversations and sounds related to the circumstances of the
NTSB Aircraft Incident Report
x
incident occurred after the airplane arrived at the gate and the engines were shut
down, at which point the quality of the audio recordings was excellent.
The NTSB determines that the probable cause of this incident was an internal short
circuit within a cell of the APU lithium-ion battery, which led to thermal runaway that cascaded
to adjacent cells, resulting in the release of smoke and fire. The incident resulted from Boeing’s
failure to incorporate design requirements to mitigate the most severe effects of an internal short
circuit within an APU battery cell and the FAA’s failure to identify this design deficiency during
the type design certification process.
As a result of this investigation, the NTSB makes safety recommendations to the FAA,
Boeing, and GS Yuasa. The NTSB previously issued safety recommendations to the FAA
regarding (1) insufficient testing methods and guidance for addressing the safety risks of internal
short circuits and thermal runaway and (2) the need for outside technical knowledge and
expertise to help the FAA ensure the safe introduction of new technology into aircraft designs.
NTSB Aircraft Incident Report
1
1. Factual Information
1.1 Event History
On January 7, 2013, about 1021 eastern standard time,
1
smoke was discovered by
cleaning personnel in the aft cabin of a Japan Airlines (JAL) Boeing 787-8, JA829J, which was
parked at a gate at General Edward Lawrence Logan International Airport (BOS), Boston,
Massachusetts. About the same time, a maintenance manager in the cockpit observed that the
auxiliary power unit (APU) had automatically shut down.
2
Shortly afterward, a mechanic opened
the aft electronic equipment bay (E/E bay) and found heavy smoke coming from the lid of the
APU battery case and a fire with two distinct flames at the electrical connector on the front of the
case.
3
None of the 183 passengers and 11 crewmembers were aboard the airplane at the time, and
none of the maintenance or cleaning personnel aboard the airplane was injured. Aircraft rescue
and firefighting (ARFF) personnel responded, and one firefighter received minor injuries. The
airplane had arrived from Narita International Airport (NRT), Narita, Japan, as a regularly
scheduled passenger flight operated as JAL flight 008 and conducted under the provisions of
14 Code of Federal Regulations (CFR) Part 129.
The captain of JAL flight 008 reported that the APU was turned on about 30 to 40 min
before the airplane left the gate at NRT (about 0247Z) and was shut down after the engines
started.
4
He stated that the flight, which departed NRT about 0304Z, was uneventful except for
occasional moderate turbulence about 6.5 to 7 hours into the flight. Flight data recorder (FDR)
data showed that the airplane touched down at BOS at 1000:24 and that the APU was started at
1004:10 while the airplane was taxied to the gate. The captain indicated that the APU operated
normally. FDR data also showed that the airplane was parked at the gate with the parking brake
set and both engines shut down by 1006:54.
The maintenance manager (the JAL director of aircraft maintenance and engineering at
BOS) reported that the passengers had deplaned by 1015 and that the flight and cabin
crewmembers had deplaned by 1020, at which time he and the cabin cleaning crew had entered
1
All times in this report are eastern standard time unless otherwise noted.
2
The APU battery provides power to start the APU during ground and flight operations. The APU controller
monitors the parameters that are needed to operate the APU. The APU controller is powered by the APU battery
bus, which receives its power from the APU battery. If the APU battery were to fail, then the APU battery bus
would no longer receive power, and the APU would shut down.
3
The mechanic provided a written statement to the National Transportation Safety Board (NTSB) describing
his observations. The mechanic’s statement indicated that, after he checked the aft E/E bay, he saw “heavy smoke in
the compartment.” He reported that he “saw [a] small flame around [the] APU batt[ery].” He added that he “decided
[to] discharge [the hand-held dry chemical fire] extinguisher” but could not “discharge continuously” because he
believed that there was a “dangerous environment in the compartment.” Further, he stated that he “tried fire
extinguishing, but [the] smoke and flame (flame size about 3 inch[es]) did not stop.” In addition, the mechanic gave
the NTSB a drawing that showed two 3-in flames at the electrical connector on the front of the battery case. (The
front of the battery case is oriented toward the front of the airplane.) The maintenance manager also provided a
written statement to the NTSB, which indicated that the mechanic had seen “flames around the APU battery.”
4
Eastern standard time is 5 hours behind coordinated universal time (also referred to as UTC or Zulu time).
NTSB Aircraft Incident Report
2
the airplane. Shortly afterward, a member of the cleaning crew told the maintenance manager,
who was in the cockpit, about an electrical burning smell and smoke in the aft cabin.” The
maintenance manager then observed a loss of power to systems powered by the APU and
realized that the APU had automatically shut down. After confirming that the airplane’s
electrical power systems were off, the maintenance manager turned the main and APU battery
switches to the “off” position. FDR data showed that the APU battery failed at 1021:15 and that
the APU shut down at 1021:37, which was also when the APU controller lost power.
A JAL mechanic in the aft cabin at the time reported that, when the airplane lost power,
he went to the cockpit and learned that the APU had shut down. The mechanic then went back to
the aft cabin and saw and smelled smoke. A JAL station manager arrived at the airplane and
reported that, when he went into the cabin (through the door where the passenger boarding
bridge is attached), he saw “intense” smoke that was concentrated 10 ft aft of the door. The
turnaround coordinator for JAL flights 008 and 007,
5
who had also entered the aft cabin and
observed the smoke, described the smoke as “caustic smelling.” The mechanic notified the
maintenance manager about the smoke, and the maintenance manager asked the mechanic to
check the aft E/E bay. The mechanic found heavy smoke and flames in the compartment coming
from the lid of the APU battery case. The mechanic reported that he used a dry chemical fire
extinguisher (located at the base of the passenger boarding bridge) to attempt to put out the fire
but that the smoke and flames did not stop.
About 1037, ARFF personnel at BOS were notified about smoke in the cabin of a JAL
airplane.
6
Review of a time-stamped airport security camera video showed that the first of five
ARFF trucks arrived on scene within 1 min (at 1037:50).
7
The other four ARFF trucks arrived on
scene about 2.5 min after initial notification. A ladder truck, a rescue truck, an airstair truck, a
hazardous materials truck, and a fire command vehicle also responded to the incident.
The JAL mechanic advised ARFF personnel that the fire was in the aft E/E bay and led a
firefighter to the aft E/E bay door.
8
The firefighter reported that, after entering the compartment,
he could see “a white glow about the size of a softball” on a hand-held thermal imaging camera.
9
The firefighter also reported that he applied “a shot” of Halotron (a clean fire-extinguishing
agent) to knock down the fire.
10
The thermal imaging camera showed that the white glow was
5
JAL flight 007 had been scheduled to depart BOS later that morning using the incident airplane.
6
The JAL station manager stated that he asked a gate agent to call ARFF. The gate agent then called her
supervisor, who called ARFF from a telephone at the passenger check-in counter.
7
The airplane was located at gate 8A in terminal E. The first ARFF truck to reach the scene (after incident
notification) was already in terminal E for terminal familiarization training. The airport security camera recording
times were correlated to the FDR times (within 3 seconds).
8
The term “fire” is commonly used by ARFF personnel in reference to an ARFF response or event. Although
the JAL mechanic reported that flames were coming from the front of the APU battery case, none of the ARFF
personnel who responded to this incident reported seeing flames.
9
The hand-held thermal imaging cameras that ARFF personnel at BOS used had a heat-density scale portrayed
as brightness and/or coloring of an object (that is, the whiter and brighter the object, the higher the heat intensity).
10
According to the Halotron website, “Halotron is a rapidly evaporating liquidthat leaves no residue, thereby
minimizing or eliminating potential agent-related damage toassets like electronic equipment, machinery, motors
NTSB Aircraft Incident Report
3
still present but was less intense than before. The airport security camera video showed smoke
coming out of the airplane, as shown in figure 1, at 1040:26.
Source: Boston Herald.
Figure 1. Photograph of smoke emanating from the incident airplane’s aft E/E bay.
An ARFF captain went into the aft E/E bay with the thermal imaging camera, which
showed a heat signature near the APU battery. After he exited the E/E bay, another firefighter
entered it. This firefighter reported no visibility because of the smoke. He did not know where
the battery was located within the E/E bay, but he knew of a “hot spot” about 6 to 8 in ahead of
him, so he discharged a “quick burst” of Halotron for 10 to 20 seconds. The firefighter exited
and reentered the E/E bay with the thermal imaging camera. He reported that the battery case
was visible and that he saw “a white glow with radiant heat waves” but no flames. An ARFF
lieutenant who entered the aft E/E bay reported that the battery appeared to be rekindling.
The ARFF captain reentered the E/E bay and saw heavy white smoke (which he had seen
earlier billowing through the floor of the aft cabin) but no flames. The captain applied shots of
Halotron to the fire for 5 min, which he believed had knocked down the fire. He reported that the
battery was emitting white smoke, creating heavy smoke conditions. The ARFF captain also
reported that the battery was hissing loudly and that liquid was flowing down the sides of the
battery case. A firefighter (outside the airplane) reported that he heard a “pop” sound and saw
and construction materials.” Halotron is dispersed at a rate of 5 lbs per second. A “shot” of Halotron was estimated
to last between 15 and 20 seconds, corresponding to between 75 and 100 lbs of the fire-extinguishing agent
dispersed. ARFF personnel are trained to use a clean agent, such as Halotron, in electrical and avionics
compartments because water would ruin electrical and avionics components.
NTSB Aircraft Incident Report
4
smoke “pouring out of” the aft E/E bay. The ARFF captain received a minor burn on his neck
when the battery, in his words, “exploded.”
After additional firefighting efforts and the placement of a ventilation fan by the E/E bay
door to clear smoke, the incident commander decided to remove the APU battery.
11
(The airport
security camera video showed that, at 1105:58, smoke was no longer visible from the exterior of
the airplane.) Firefighters reported that removing the battery was difficult because a metal kick
shield installed in front of the battery prevented them from accessing the battery’s quarter-turn
quick disconnect knob. Also, the quick disconnect knob could not be turned because it was
charred and had melted away. The airport security camera video showed that the battery was
removed from the aft E/E bay at 1157:20, about 80 min after the initial notification of the
event.
12
The ARFF incident report showed that the event was “controlled about 1219 (about
1 hour 40 min after the initial notification).
1.2 Airplane Information
The Boeing 787 “Dreamliner” is a twin-engine, wide-body commercial airplane. The 787
program began in April 2004, with the 787’s first flight in December 2009, certification in
August 2011, and first delivery in September 2011. The incident airplane, JA829J, was delivered
new to JAL on December 20, 2012. At the time of the incident, the airplane had logged
169 flight hours and 22 flight cycles. There were no abnormal indications or maintenance
messages related to issues with the incident battery between the date of delivery and the date of
the incident.
Boeing was responsible for the overall integration and certification of the equipment in
the 787’s electrical power conversion subsystem, which is part of the airplane’s electrical power
system. Boeing contracted with Thales Avionics Electrical Systems of Neuilly-sur-Seine, France,
to design the 787 electrical power conversion subsystem, which includes the main and APU
batteries. Thales subcontracted with various manufacturers for the main and APU battery system
components.
1.2.1 Battery Information
The APU battery, part number LVP65-8-402, was developed, designed, and
manufactured by GS Yuasa Corporation of Kyoto, Japan.
13
The battery had eight individual
lithium-ion cells, all of which were from the same manufacturing lot that GS Yuasa produced in
July 2012. The APU battery installed on the incident airplane, serial number 394, was
manufactured in September 2012 and was delivered new to Boeing. The battery was installed in
11
In addition, the incident commander asked a JAL mechanic and a firefighter to disconnect the main battery as
a precaution in case it was feeding the APU battery fire.
12
ARFF personnel had to cut the kick shield installed in front of the battery case to access the battery and then
cut the connectors to the battery to remove it.
13
GS Yuasa assigned this part number to the battery model at the time of the incident. Boeing’s part number for
the battery model at the time of the incident was B3856-901.
NTSB Aircraft Incident Report
5
the incident airplane on October 15, 2012, and was initially charged by the airplane on or about
October 19, 2012. Boeing records showed no installation issues associated with the APU battery.
Boeing records also showed that, on December 6, 2012, the battery electrical connector was
removed (to facilitate a routine inspection of a nearby power panel) and reinstalled the same day.
As previously stated, the APU battery (installed in the aft E/E bay) provides power to
start the APU (installed in the tail of the airplane) during ground and flight operations. The aft
E/E bay is an electrical equipment compartment located aft of the main landing gear and beneath
approximately the third set of cabin doors (L3 and R3). The compartment is only accessible from
the ground by a door in the aft cargo compartment and a set of doors in the airplane belly. The
APU battery is located at floor level within the aft E/E bay.
Unique to the 787, the LVP65-8-402 battery model is also used for the 787 main battery,
which is located in the forward E/E bay. The main battery, which also has eight individual
lithium-ion cells, provides power to selected electrical/electronic equipment during ground and
flight operations for normal and failure conditions. Table 1 shows the specifications for the
LVP65-8-402 battery and LVP65 cells.
Table 1. Specifications for the main and APU battery and cells.
Specification
Battery
Cell
Nominal capacity (ampere-hours)
75
75
Nominal voltage (volts)
29.6
3.7
Operational voltage range (volts)
20 to 32.2
2.5 to 4.025
Weight (lbs)
61.8
6
Dimensions (in)
Width
10.9
5.2
Depth
14.2
2.0
Height
8.5
7.7
Note: Battery specification information was based on information from a Thales document. Cell specification
information was provided by GS Yuasa.
The 787 main and APU lithium-ion battery has primarily nonflammable components, but
the electrolyte in the battery cells is flammable. The eight cells are connected in series and
assembled in two rows of four cells, as shown in figure 2. Thermoplastic insulation sheets
provide electrical isolation and physical separation between each cell and between the cells and
the aluminum battery case, which is electrically grounded. Plastic upper and lower fixation trays
secure the position and orientation of the cells in the battery case, and forward and center brace
bars hold the fixation trays in place.
NTSB Aircraft Incident Report
6
Figure 2. Main and APU exemplar battery.
In addition to the eight individual battery cells, the battery case includes two circuit
boards that comprise the battery monitoring unit (BMU); cell voltage sensing wires between
battery internal components and the BMU; a Hall effect current sensor for current monitoring; a
contactor; bus bars for the main current pathways between the cells and to the J3 connector,
which connects to the outside of the battery case; and the J1 connector, which leads outside of
the battery case.
14
Each cell has three internal electrode winding assemblies. Each winding assembly is
about 30 ft long and is configured with an electrode, then a separator, then another electrode, and
then another separator. One electrodethe anodeis a copper foil coated in a carbon active
material; the other electrodethe cathodeis an aluminum foil coated in a lithium-cobalt-oxide
compound active material. The separator material is made of polyolefin.
The three internal cell windings have been described as flattened “jelly rolls.” The
innermost (last) wrap of the sandwiched electrode layers is the coated copper anode layer
wrapped around a thermoplastic mandrel core. The coated aluminum cathode layer begins on the
14
A Hall effect current sensor detects and measures electrical current in a wire and generates a signal
proportional to the current measured. The plastic J3 connector provides battery power to the airplane, and the
aluminum J1 connector provides signal information used by the BMU and the battery charger unit.
NTSB Aircraft Incident Report
7
second-to-last wrap and ends on the second wrap. The outermost wrap, the first wrap, is an extra
layer of anode and separator. The separator extends beyond the outermost wrap of anode and
winds several more times around the exterior of the winding. Figure 3 shows the electrode
winding layout. Two layers of thermoplastic electrical insulation surround the electrode winding
assemblies. Sheets of thermoplastic insulation (held together with thermoplastic tape) electrically
isolate the stainless steel cell cases (which are not grounded) from the windings.
Figure 3. Electrode winding layout.
Two sets of current collectorsone set for the anode and one set for the cathodeare
attached on their respective side of each winding assembly to conduct electrical current to and
from the positive (cathode) and the negative (anode) terminal assemblies, which are connected to
adjacent cells by bus bars. (The electrode edges, where the current collectors attach, are not
coated with an active material.) Current collector “fingers” provide the electrical path between
NTSB Aircraft Incident Report
8
the windings and the terminal plates on the exterior of each cell. According to GS Yuasa, the
aluminum current collector fingers were designed to melt open under high current conditions,
thereby functioning as an electrical fuse. Three pairs of copper current collector fingers are used
for the anode, and three pairs of aluminum current collector fingers are used for the cathode. The
fingers extend about one-half of the way down the left (anode) and right (cathode) sides of the
cell. At the top of the cell’s interior, the current collector fingers connect together into either
copper (anode) or aluminum (cathode) bars, which connect with their respective terminal plates
on the cell’s exterior. Thermoplastic electrical insulating material is used between the cell case
and the current collector bars and terminal plates. Figure 4 shows a diagram of the cell
construction. Section 1.4 discusses the postincident examination of the APU battery and cells
involved in the BOS event.
Figure 4. Exploded-view diagram of LVP65 lithium-ion cell construction.
Note: Figures 4a and 4b show the cell construction with the insulation (held together with thermoplastic tape) as
installed in the cell. Figure 4c shows the cell construction without the insulation.
Each current collector attaches to two rivets that connect a collector plate with the
respective terminal plate on a cell’s exterior. Two aluminum rivets are installed at the positive
terminal, and two copper rivets are installed at the negative terminal. The rivets provide electrical
NTSB Aircraft Incident Report
9
continuity between the cell’s exterior and interior. Figure 5 shows a photograph of a riveted
header assembly. Section 1.5.5 discusses the postincident examination of riveted assemblies.
Source: Underwriters Laboratories.
Figure 5. Riveted header assembly.
Boeing’s requirements for the battery, as specified in a proprietary Thales/GS Yuasa
report, included the following:
a 5-year service life under any combination of operating conditions specified within
the Thales/GS Yuasa report,
an operating temperature range of -0.4ºF to 158ºF,
a specific charge acceptance capability with an internal temperature between -0.4ºF to
32ºF,
NTSB Aircraft Incident Report
10
a specific current capacity from a fully discharged state within 75 min at an ambient
temperature of 77ºF ± 18ºF for 30,000 flight hours, and
a specific current end-of-life rated capacity or greater.
15
1.2.2 Battery and Related Component Information
The BMU is mounted inside the battery case (see figure 2). The BMU includes a main
circuit card and a subcircuit card, each of which contains two independent monitoring systems:
BMU1 and BMU2 (main circuit card) and BMU3 and BMU4 (subcircuit card). Each of the four
BMU systems has an initiated built-in test function. BMU1 monitors for cell overcharge,
overdischarge, overheating, and imbalance; controls the cell balancing function when any cell
reaches a predetermined threshold; and provides voltage measurement to the battery charger unit
(BCU). BMU2 provides redundant monitoring for cell overcharge. BMU3 controls the contactor
and provides additional monitoring for battery and cell overcharge. BMU4 monitors for cell
overdischarge and high current charge. The BMU was designed to send a signal to the BCU to
discontinue charging if any of the battery monitoring thresholds were exceeded. The incident
main circuit card and subcircuit card were manufactured by Kanto Aircraft Instrument
Company (KAI) Ltd. The main circuit card and subcircuit card do not contain nonvolatile
memory, and none of the BMU data were recorded on the FDR. Examination and testing of the
BMU components, which were thermally damaged, revealed no pre-failure anomalies.
16
The contactor is a device that can electrically isolate the battery cells from the BCU and
battery bus. The contactor, which is mounted in the bottom of the battery case near the BMU (see
figure 2), is normally closed during battery operations. The contactor can only be commanded to
open by BMU3 if a cell overvoltage or high battery voltage is detected. The incident contactor
was manufactured by Zodiac Aerospace. The damage to the contactor precluded a full functional
test from being performed. X-rays and disassembly of the contactor revealed no pre-failure
anomalies.
The BCU includes an electric connector for communication (among the BCU, battery,
and airplane), a ground wire stud, and power terminals for the two large battery cables. The BCU
of the incident APU battery was manufactured by Securaplane Technologies. At Securaplane, the
National Transportation Safety Board (NTSB) performed visual examinations, preliminary
electrical tests, and acceptance test procedure (ATP) functional testing of the BCU. The ATP
testing revealed a previously unknown electrical oscillation in the output charge voltage, which
was later determined (through additional testing at Boeing and Underwriters Laboratories [UL])
not to be related to the circumstances of the incident, as discussed in section 1.5.8.
17
15
The actual charge acceptance capability, current capacity, and current end-of-life rated capacity are
proprietary.
16
The damage to the BMU was too extensive to perform testing as a complete assembly; as a result, the testing
was conducted at the component level.
17
The NTSB contracted with UL to perform testing as part of this incident investigation. UL performed testing
in its laboratories in Northbrook, Illinois; Melville, New York; and Taipei, Taiwan.
NTSB Aircraft Incident Report
11
The APU controller operates the valves, motors, and sensors that control the operation of
the APU and contains nonvolatile memory to record various APU parameters, including battery
voltage. The APU controller in the 787 airplane is located near the bulk cargo door on the right
side of the aft fuselage (where it is separated from the APU battery and the BCU). The incident
APU controller was manufactured by Hamilton Sundstrand.
18
Examination and testing (as part of
obtaining the nonvolatile memory) showed that the APU controller operated normally and that
the APU’s function did not affect the battery’s operation at the time of the failure.
The start power unit (SPU) converts DC battery power to AC power for starting the APU
and provides excitation power for the APU during startup. The SPU of the incident airplane was
manufactured by Securaplane Technologies. ATP testing of the SPU found no anomalies, and the
SPU’s function did not affect the battery’s operation at the time of the failure.
1.2.3 Postincident Airplane Examination
The aft E/E bay (the APU battery installation location) showed damage consistent with
heat generated from the APU battery and smoke, hot gases, and electrolyte discharged from the
battery. Evidence of material expelled from the battery (in the form of residue and thermal
damage) was observed in an area that extended about 20 in from the battery installation. No
primary structures (that is, those associated with airplane flight loads) exhibited damage;
secondary structuresspecifically, the avionics rack and the floor panelexhibited thermal
damage near the APU battery’s installation location.
19
The wires that connected to the battery case had been thermally damaged, and the front of
the battery case showed thermal damage near the J1 and J3 connectors, where the mechanic’s
drawing indicated two small flames. The shielded bundle of signal wires, which were the circuits
between the BMU and BCU, had burned away from the J1 connector. The copper conductors
and shield braiding were melted, which was consistent with resistive heating due to high levels
of electrical current (beyond the level that the wires were capable of carrying). The single wire
designed to be the battery case ground wire (an intended electrical ground path) remained
connected at each end, with the wire insulation partially melted and slightly blackened on the
interior surface, which was also consistent with resistive heating due to high levels of electrical
current.
The aft E/E bay contains electrical cabinets (referred to as panels) that house components
used to distribute electrical power from each engine and the APU. The panel labeled P49 is the
source of electrical power distribution for the APU battery bus. No physical damage was noted to
the P49 panel. When the circuit breakers on the P49 panel were disengaged, continuity checks of
the circuit breakers, contactors, and battery cables to the BCU and battery bus revealed no faults.
The environmental control system (ECS) on the incident airplane was designed to
provide pressurized and heated or cooled air to the 787 passenger cabin and E/E bays. The ECS
18
Hamilton Sundstrand later merged with Goodrich Corporation to form UTC Aerospace Systems.
19
The avionics rack separated the APU battery from the BCU.
NTSB Aircraft Incident Report
12
avionics cooling function was designed to remove smoke overboard through fans in the cooling
ducts by changing supply valve positions (and using differential pressure when the airplane is in
flight).
20
During this incident, the supply valves (which were electrically driven) lost electrical
power after the APU shut down because the APU was the only source of electrical power being
used at the time. As a result, smoke generated by the APU battery could not be effectively
directed outside the cabin and aft E/E bay.
1.2.4 Additional Airplane-Related Information
According to the Japan Transport Safety Board (JTSB), on January 16, 2013, a “serious
incident” involving the main battery occurred aboard a 787 airplane operated by All Nippon
Airways during a flight from Yamaguchi to Tokyo, Japan.
21
The pilots received a smoke warning
in the cockpit after the airplane climbed above an altitude of 32,000 ft. The airplane made an
emergency landing at Takamatsu Airport (TAK), Takamatsu, Japan. Of the 137 airplane
occupants, 4 passengers received minor injuries during evacuation via the emergency slides. The
JTSB investigated this incident with the NTSB’s support and issued its final report on the
incident in September 2014 (JTSB 2014).
22
Boeing reported that, as of the date of the TAK battery event (which occurred 9 days
after the BOS battery event), the 787 fleet comprised 50 in-service airplanes that had
accumulated 51,662 flight hours and 18,665 cycles.
23
After the BOS and TAK events, Boeing
modified the 787 battery design and its installation configuration to include (1) additional
insulation between the battery cells, (2) vents in the side of the battery case, (3) a stainless steel
enclosure for the battery case, and (4) an ECS duct that vents from the interior of the stainless
steel enclosure to the exterior of the airplane to prevent smoke from entering the occupiable
space of the airplane. Section 1.8.1 discusses the Federal Aviation Administration (FAA)
airworthiness directive (AD) mandating the installation of the new battery (part number
LVP65-8-403) aboard US airplanes.
24
20
The aft E/E bay contains two smoke detectors.
21
Chapter 1 of Annex 13, Aircraft Accident and Incident Investigation,” to the Convention on International
Civil Aviation defines a serious incident as “an incident involving circumstances indicating that there was a high
probability of an accident and associated with the operation of an aircraft which, in the case of a manned aircraft,
takes place between the time any person boards the aircraft with the intention of flight until such time as all such
persons have disembarked.”
22
The JTSB’s report on the TAK incident stated that heat generation in a single cell “was probably caused by
[an] internal short circuit” which developed into “thermal propagation to other cells, [which] consequently damaged
the whole battery.” The report also stated that possible contributing factors to the thermal propagation were that “the
test conducted during the developmental phase did not appropriately simulate the on-board [battery] configuration,
and the effects of internal short circuit were underestimated.”
23
One cycle comprises a complete engine startup and shutdown. The number of 787 flight hours indicated does
not include about 6,000 flight test hours.
24
GS Yuasa assigned this part number to the redesigned battery. The Boeing part number for the redesigned
battery is B3856-902.
NTSB Aircraft Incident Report
13
On January 14, 2014, an LVP65-8-403 main battery failed on a JAL 787 airplane that
was parked at a gate at NRT. (The airplane was being prepared for scheduled flight.) The Japan
Civil Aviation Bureau is investigating this incident with assistance from the JTSB and the
NTSB. Maintenance personnel reported seeing smoke outside the cockpit window. Preliminary
information indicated that one cell had overheated and vented electrolyte and that the enclosure
for the battery case contained the vented electrolyte.
1.3 Flight Recorders
The BOS incident airplane was equipped with forward and aft General Electric model
EAFR 2100 enhanced airborne flight recorders (EAFR), which recorded cockpit voice recorder
(CVR) audio data and FDR parametric data.
25
The forward and aft recorders, which were
powered by the left and right 28-volt DC buses, respectively, recorded the same set of flight data
independently of each other. The forward recorder had an independent power supply to provide
backup power to the recorder for about 10 min if the left 28-volt DC bus lost power.
26
(The aft
recorder had no backup power supply.)
The CVR portion of the EAFR recorded 2 hours of audio data from the cockpit area
microphone, the captain’s audio selector panel/hot microphone, the first officer’s audio selector
panel/hot microphone, and the jumpseat/observer’s position. The audio information from the
forward recorder was used to produce a transcription summary for this incident. The summary
began at 0828:21, when the airplane was level in cruise flight at 39,000 ft, and ended at 1031:35,
when the forward EAFR stopped recording.
According to the transcription summary, at 1021:41, the CVR recorded sounds associated
with the APU shutting down. Conversations among maintenance personnel and the turnaround
coordinator about the APU shutdown began about 9 seconds later. At 1024:10, the turnaround
coordinator reported smoke in the cabin. No voices were heard on the CVR from 1024:22 to the
end of the recording (1031:35).
FDR data before 1021:01 showed no abnormal voltage or current indications. At
1021:01, the voltage of the APU battery decreased from 32 to 31 volts. Three seconds later, the
data showed a change in current flow from 3 amperes out of the battery to between 44 and
45 amperes into the battery.
27
The current flow into the battery occurred for about 4 seconds; the
remainder of the recording showed either no current flow or current flow out of the battery.
Between 1021:07 and 1021:09, the battery voltage continued to decrease. At 1021:10, the battery
voltage returned to 31 volts. At 1021:27, the battery voltage began decreasing again, reaching
25
Specifically, the EAFR is a multifunction recorder that records flight (FDR) data; audio (CVR) data; and
communication, navigation, and surveillance air traffic management messages. The EAFR is a new recording
system with a new flight data recording format that allows multiple predefined frames of data that can vary in length
and structure. This format provides more flexibility for storing data than older formats that use a single fixed-frame
length and structure. The EAFR is currently installed only on 787 airplanes.
26
A lithium-ion battery was used for the recorder independent power supply.
27
This behavior was consistent with the BCU attempting to charge the battery.
NTSB Aircraft Incident Report
14
28 volts at 1021:30, and the APU shut down 7 seconds later.
28
Table 2 shows selected events
recorded before and after the APU shutdown. The FDR did not record any data indicating that
the APU battery voltage had exceeded 32 volts.
Table 2. Events surrounding APU shutdown.
Time
Event
1000:24
Airplane touched down.
1004:10
APU started.
1006:15
Airplane completed turn into parking location.
1006:48
Parking brake set.
1006:52
Engine 1 shut down.
1006:54
Engine 2 shut down.
1021:01
APU battery bus voltage decreased from 32 to 31 volts.
1021:04
APU battery current increased from 3 amperes out of the battery to between 44 and 45 amperes
into the battery.
1021:07
APU battery bus voltage decreased to 30 volts.
1021:08
APU battery current flow returned to 3 amperes out of the battery.
1021:09
APU battery bus voltage decreased to 29 volts.
1021:10
APU battery bus voltage increased to 31 volts.
1021:15
Engine indicating and crew alerting system (EICAS) message discrete indicated that the APU
battery failed.
1021:27
APU battery bus voltage began decreasing 1 volt per second during the next 3 seconds.
1021:30
APU battery bus voltage reached 28 volts.
1021:37
APU battery bus voltage decreased to zero volts and returned to 28 volts three times, and APU
battery current began to move between zero and 4 to 5 amperes out of the battery.
1021:37
APU controller went offline, and APU had shut down.
1021:37
Aft EAFR stopped recording. Forward EAFR continued recording for about 9 min 58 seconds.
1021:40
EICAS message discretes indicated that the left and right 1 and 2 AC buses became unpowered.
1021:41
EICAS message discrete showed that the APU battery failure was no longer indicated.
1022:00
EICAS message discrete indicated that the main battery was discharging.
1022:10
APU controller went back online.
1022:53
EICAS message discrete indicated that the main battery power switch was off.
1023:16
Airplane systems providing data to the EAFR had shut down.
1031:35
Forward EAFR stopped recording.
Note: The APU controller is the source of 32 recorded parameters, including APU shaft speed and APU battery bus
voltage.
The EAFR has an integral flight data acquisition function, which receives data from
various sources and then transmits those data to the FDR function according to a predetermined
schedule for storage into crash-protected memory. If no new value has been received since the
last time that a parameter’s value was sent to the FDR function, the flight data acquisition
function continues to transmit the last value received from the source. These data are referred to
as “stale data.”
For some parameters, the flight data acquisition function has multiple prioritized data
sources from which it receives parameter values. For these parameters, a separate source index
28
Key parameters that showed the APU battery failure and APU shutdown are presented in figure 2 of the FDR
Group Chairman’s Factual Report, which is available at www.ntsb.gov in the public docket for this incident
(DCA13IA037). The EAFR records two parameters that indicate the APU battery voltage. Details about the sources
of these parameters (APU_Batt_VDC_A and DCBus_APU_Battery_Volts) are included in addendum 1 of the
FDR Group Chairman’s Factual Report.
NTSB Aircraft Incident Report
15
parameter that indicates the source being used is generated by the flight data acquisition function
and then recorded.
29
For parameters with a source index, stale data are indicated by the source
index being set to “no source available.” Parameters that have only a single source do not have a
source index parameter and thus do not have a recorded indication that the data could be stale.
30
This recording methodology can lead to cases in which apparently valid data continue to be
recorded after a parameter source stops providing valid data. This problem delayed the NTSB’s
complete understanding of the recorded data during the initial stages of this investigation.
Section 2.6.1 discusses issues associated with stale data in analyzing accidents, incidents, and
maintenance events.
1.4 Incident Battery Examinations
1.4.1 External Observations
The APU battery was examined at the NTSB’s materials laboratory in Washington, DC.
Observations were documented using a numbering system designating the front of the battery
(facing the external power connectors) as side 1, the left side as side 2, the back of the battery
(facing the back wall of the aft E/E bay) as side 3, and the right side as side 4.
31
Side 1 (forward face) of the battery case exhibited black residue and white powdery
material on the exterior surface, which were consistent with thermal damage from the flames
reported at the front of the case and the application of a dry chemical fire-extinguishing agent by
the JAL mechanic, respectively. Side 2 (left side) of the battery case appeared to have the least
visible damage of the four battery sides, with some soot residue and an area of buckling
observed.
Side 3 (aft face) of the battery case appeared to be more damaged near side 4 than near
side 2. Vertical black streaks, which were consistent with residue from dripping liquid, were
observed toward side 4 in a location that corresponded to the right aft corner of the battery lid. A
roughly oval deposit of black residue appeared on the side 3 upper portion near the side 4 edge.
Side 3 had a mostly circular distortion near the lower corner adjoining sides 3 and 4. This
distortion was a paint discoloration with about a 1-in diameter and a 0.25-in-wide nodular
protrusion in the middle. The protrusion, which is discussed in more detail in section 1.4.4, was
located about 1.5 in from the bottom and left edge of the battery case.
Side 4 (right side) of the battery case appeared to have the most extensive damage of the
four battery sides. The exterior was heavily coated with black residue that was concentrated near
side 3. Thicker black deposits were visible on the right side near the battery lid. Large, mostly
29
In many cases, a source index parameter defines the source of a group of parameters that are transmitted to
the EAFR from the same group of sources.
30
Left and right radio altitude are among the mandatory parameters that do not have a recorded indication that
the data could be stale.
31
When facing aft in the airplane, the left and right sides of the battery correspond with the left and right sides
of the airplane.
NTSB Aircraft Incident Report
16
circular areas of thermal damage to the paint were located at the same elevation as the battery
cell vent discs (as viewed from the exterior).
32
An area of thermal damage to the paint was
adjacent to and opposite from the cell 6 vent disc. A distortion and an area of missing paint and
soot were adjacent to and opposite from the cell 7 vent disc. Paint discolorations were visible at
the cell 5 and 8 vent locations.
The lid on the battery case was bulged and creased. The right aft lid corner (as viewed
from the front of the battery case) exhibited more soot, charring, and residue than the rest of the
lid and the most damage to the lid fastening points.
33
Figure 6 shows the bulged battery case lid
and side 4 of the battery case.
Figure 6. Right aft corner of the battery lid and side 4 of the battery case.
In addition, the NTSB’s examination of the battery found no external fire or heat source
that would have caused the battery to overheat (thermal abuse), no impact or other forces
imposed on the battery from external sources (mechanical abuse), and no external shorting of
wires (electrical abuse) associated with the battery system.
32
A vent disc is a scored plate that ruptures when the internal pressure in a cell reaches a predetermined level.
The battery was configured with the vent disc for each cell oriented toward the exterior of the battery.
33
Eight mounting tabs were used to attach the battery lid to the battery case, and screws were used to fasten the
mounting tabs. The two mounting tabs on side 1 remained engaged with the screws. The mounting tabs on sides 2
through 4 had torn from the screws by gross deformation and overstress. The torn mounting tabs and their fracture
surfaces exhibited deposits consistent with breakage during the battery failure.
NTSB Aircraft Incident Report
17
1.4.2 Radiographic Examinations of Incident Battery and Cells
The NTSB conducted radiographic examinations at Chesapeake Testing in Belcamp,
Maryland, to examine and document the internal configuration of the incident airplane’s main
and APU batteries before disassembly and six of the eight APU battery cells after removal from
the battery.
34
The batteries were documented using x-ray computed tomography (CT) scans and
digital radiography, and the battery cells were documented using CT scans. The images of the
components were examined for signs of missing or damaged parts, contamination, or other
anomalies.
The CT scans of the main battery showed no anomalies outside the cells. (The main
battery cells were subsequently examined for internal anomalies, as discussed in section 1.5.1.)
The CT scans of the APU battery showed a breach of the battery case that corresponded with a
breach of the cell 5 wall. The CT scans of the APU battery also showed that several cells were
distorted with an expanded or a contracted profile, as shown in figure 7; several current
collectors inside the cells had separated from their header assemblies; and some current collector
fingers were out of their designed parallel alignment.
34
Cells 2 and 8 were not included in the radiographic examinations because those cells were used to validate
the cutting procedure that would be employed during the NTSB’s internal examinations of all of the cells (see
section 1.4.5). Cell 2 was chosen for the procedure because the cell exhibited relatively less thermal damage and cell
case deformation than other cells in the battery. Cell 8 was also chosen for the procedure because, on the basis of
available external cell evidence, that cell was the least likely of the more heavily damaged cells on the right side of
the battery (cells 5 through 8) to have been the origination point for the event. In addition to the radiographic
examinations of the batteries and cells, neutron computed tomography studies were conducted at the National
Institute of Standards and Technology in Gaithersburg, Maryland, to examine and document the material
distribution on the header assembly of each cell in the incident battery.
NTSB Aircraft Incident Report
18
Figure 7. Cross-sectional view of the APU battery.
Note: This image was taken at the approximate midpoint of the cells. Due to the orientation of the incident APU
battery during CT scanning, the resulting images appeared as mirror images of the battery. Thus, the orientation of
the cells in this figure is different than the orientation of cells in other figures showing the APU battery.
The six individual APU battery cells that were examined were cells 1 and 3 through 7.
The CT scans for cells 1 and 3 showed that the cells’ current collectors were intact and that the
windings were not uniform in some areas due to ripples and separations. The CT scans for cell 4
showed that the cell had no separations within the winding layers and that the current collectors
were intact. Findings from the CT scans for cells 5, 6, and 7 included the following:
Cell 5: Two cell wall breaches in separate locations were identified. The larger of the
two breaches appeared to consist of separate smaller holes. The smaller breach
appeared to consist of a single hole with some material missing from the outer cell
wall around the hole. The areas inside the cell near the breaches differed from the
general appearance of the cell. Also, two of the six aluminum (cathode) current
collector fingers had breaks with rounded material on the ends. These breaks, as
shown in figure 8, appeared as complete separations through the fingers. The current
collector finger breaks occurred in the center winding. The other four aluminum
current collectors and all of the copper (anode) current collectors were intact.
NTSB Aircraft Incident Report
19
Cell 6: Four of the six aluminum current collector fingers had breaks, as shown in
figure 9, including one with breaks at multiple locations and another that was missing
more material at the breakage location than the other current collector fingers with
breaks. The current collector finger breaks occurred in the winding closest to cell 5
and the center winding. The other two aluminum current collectors and all of the
copper current collectors were intact.
Cell 7: Four of the six aluminum current collector fingers had breaks, including one
with multiple breaks. All six current collector fingers appeared to be displaced from
their original positions. The current collector finger breaks occurred in the winding
closest to cell 6 and the center winding. The other two aluminum current collectors
and all of the copper current collectors were intact.
Figure 8. Cross-sectional view of cell 5 aluminum current collectors.
NTSB Aircraft Incident Report
20
Figure 9. Cross-sectional view of cell 6 aluminum current collectors.
1.4.3 Disassembly of Incident Battery
After charred debris from the top of the battery case was removed, the physical condition
of the BMU’s sensing wiring harness was examined and was found to have damage consistent
with exposure to a high-temperature environment. The damage to the wire insulation degraded
progressively from the left side of the battery (cells 1 through 4), where the insulation was
thermally discolored, to the right side of the battery (cells 5 through 8), where the insulation was
missing for cells 5 and 6 (mostly in the position of cell 5), charred for cell 7, and thermally
discolored for cell 8. Also, the wires above cells 5 and 6 were bare, indicating that the area of the
most severe thermal damage to the wiring harness was located above cells 5 and 6.
Side 2 of the battery case was folded down to reveal cells 1 through 4. The insulation
sheet adjacent to the battery cells remained in place. Behind this insulation sheet, a portion of the
other insulation sheet was visible but was missing some sections. Although the insulation
NTSB Aircraft Incident Report
21
between cells 1 through 4 was damaged, the material could be distinguished from other
thermally damaged material in the battery case. The interior surface of side 2 had a clean area
with a similar outline to that of an insulation sheet. The rest of the interior surface of side 2 was
coated with residue.
Battery case side 4 was folded down to reveal cells 5 through 8. The cells exhibited a
darkened, charred appearance. The insulation sheets were completely charred and could not be
distinguished from each other and other thermally damaged material in the battery case, and
portions of the charred insulation adhered to the cells. The interior surface of side 4 had portions
of the charred insulation adhering to areas where the insulation sheets contacted the interior
surface. The rest of the interior surface of side 4 was coated with residue.
Side 3 of the battery case was folded down to reveal the sides of cells 4 and 5. The side of
cell 4 had staining that resembled a flowing residue. The side of cell 5 had similar staining but
also had a cleaner area on the cell case without staining, combustion products, and
fire-extinguishing residue. The corresponding area on the interior surface of side 3 was similarly
clean and had large portions of insulation that had adhered to the case. The insulation on side 3
was thermally degraded and fragmented, and the portions of the insulation adhering to the
battery case directly behind cell 5 exhibited some thinning.
The battery case contained no foreign object debris (FOD). There was no evidence of
cell-to-battery case shorting before the thermal event, bus bar shorting, or resistive heating of the
bus bars (including those leading to the J1 connector through the contactor and Hall effect
current sensor) within the battery case. There were no loose electrical connections at terminals or
on BMU wires. There was also no visible evidence of water (resulting from condensation) within
the battery case or external surfaces of the battery cells.
Cells 1 through 4 exhibited the least thermal and mechanical damage. Of these cells,
cell 3 appeared to be the most thermally damaged. Cells 1 through 3 had vented (with their vent
discs opened slightly), and the cell 4 vent disc remained intact.
35
Even though the cell 4 vent disc
did not rupture, weight measurements for the cell were lower than specifications.
Cells 5 through 8 exhibited the most thermal and mechanical damage, as shown by the
thermal decomposition and degradation of the materials in contact with these cells. These
materials included bisphenol A thermoplastic polyester and crystalline thermoplastic; the lowest
decomposition temperature of these materials is 550ºF. Thermal damage was the most severe
near cells 5 and 6, as shown in figure 10. The vent discs on cells 5 through 8 had ruptured in a
manner indicative of a rapid pressure release.
36
Cells 5 through 8 sustained gross mechanical
plastic deformation with cells pressing into adjacent cells.
35
The vent discs are scored with an “x” pattern, which enables preferential tearing when the disc ruptures,
creating four independent petals. For the vent discs on cells 1 through 3, the four petals had parted slightly but
remained in the same plane.
36
For the vent discs on cells 5 through 8, the four petals were generally splayed out and positioned out of plane
with each disc’s original position, which was indicative of a more forceful opening than that for the vent discs for
cells 1 through 4. For cell 5, the petal closest to side 1 of the cell was completely missing.
NTSB Aircraft Incident Report
22
Figure 10. Thermal damage to battery.
The bus bars were removed from the cell terminal assemblies to allow extraction of the
battery cells. The electrical contact surfaces of the bus bars showed no indications of localized
resistive heating or arcing.
Debris and discoloration consistent with thermal damage were present on the cell 1
through 4 footprints on the lower fixation tray. The footprints of cells 5 through 8 were thermally
decomposed, as shown in figure 11. Portions of the lower fixation tray under cells 5 and 6 could
not be readily distinguished from other thermally damaged materials in the battery case. The
portions of the upper fixation tray that contacted cells 1 through 4 sustained less damage than the
portions that contacted cells 5 through 8. The cell 4 upper fixation tray imprint remained mostly
intact, but the imprints for cells 1 through 3 showed progressively more damage. Minimal
material remained from the portions of the upper fixation tray that contacted cells 5 through 8,
which is also shown in figure 11.
NTSB Aircraft Incident Report
23
Figure 11. Lower and upper fixation trays.
The J3 connector and receptacle were also examined. The J3 connector had dark deposits
on one of the blades on the positive terminal. Analysis of the dark deposits revealed the presence
of a hydrocarbon. The other blades on the positive terminal and the blades on the negative
terminal of the connector appeared clean with no deposits, stains, or discoloration. The
J3 receptacle had thermally induced deformation in one corner. The terminals on the receptacle
showed no indications of deposits, stains, or discoloration.
1.4.4 Battery Case Protrusion and Corresponding Cell Case Damage
As stated in section 1.4.1, the battery case exhibited a 0.25-in-wide nodular protrusion on
the lower left of side 3, as shown in figure 12. The protrusion extended about 0.12 in from the
case. The protrusion appeared metallic and had no paint. Two concentric rings surrounding the
protrusion corresponded with the discoloration of exterior paint. Deposits consistent with
thermally degraded materials were observed on and near the protrusion. Three holes on the
periphery of the protrusion were identified. The largest of these holes was elliptical in shape,
with its longest dimension measuring 0.080 in. The two other holes, which were similar in size,
measured about 0.004 in. Most of the interior side of the protrusion contained dull gray flaky
material consistent with spatter, as well as shiny black material consistent with charred plastics
and tars.
NTSB Aircraft Incident Report
24
Figure 12. Protrusion on the lower left of battery case side 3.
The side of the cell 5 case that faced side 3 of the battery case had been heavily damaged,
especially toward its edges and corners. Four holes were identified on the lower portions of this
side of the cell case, all of which exhibited large amounts of dark, rough-appearing features
consistent with decomposition products. The largest hole (in terms of size and amount of
decomposition products) was about 0.2 in; this hole corresponded with the location of the
protrusion on the battery case.
The battery case protrusion was examined using a scanning electron microscope (SEM)
and energy dispersive x-ray spectroscopy (EDS). The examinations found that the observed
damage was consistent with electrical arcing and contact between the cell 5 case and the battery
case.
37
(Before contact, the cell 5 case was located about 0.2 in from the battery case with a
plastic insulator in the space.) Specifically, evidence of material transfer between the cases was
found on the interior surface of the battery case and the exterior surface of the cell case. Also, the
battery case exhibited no inward deformation at the protrusion, but the cell case exhibited
outward expansion. SEM and EDS examinations further showed that all the holes on the cell 5
case contained various compounds and alloys that were not consistent with the cell case material
(a stainless steel) but were instead consistent with the battery case material (an aluminum alloy).
1.4.5 Disassembly of Incident Battery Cells
The NTSB conducted a teardown of each individual battery cell to determine whether the
cells contained any anomalies.
38
The teardown, which was conducted in the NTSB’s materials
37
The other seven cells did not exhibit any evidence of electrical arcing on the exterior of the cell cases.
38
Cell observations were documented using a numbering system that was similar to that for the battery. The
front of the cell (facing the J1 and J3 power connectors) was designated as side 1, the left side was designated as
side 2, the back of the cell (facing the back wall of the aft E/E bay) was designated as side 3, and the right side was
designated as side 4.
NTSB Aircraft Incident Report
25
laboratory, consisted of disassembling the cell cases, removing the electrode windings,
separating the individual windings from the header assembly and current collectors, and
unrolling the individual windings. Internal evaluations of each cell consisted of visual, chemical,
electrical, and other observations about the overall condition of the internal cell components, the
internal surface of the cell case, the current collectors, the header assembly, and the windings.
The windings had been heavily damaged as a result of the incident. The internal
evaluations of the cells found no evidence of preexisting defects in, or internal damage to, the
copper anode, aluminum cathode, or polyolefin separator. There was also no evidence of
preexisting current collector separation, FOD of sufficient size within the cells to cause an
internal failure that could lead to thermal runaway, and lithium deposits within the cell windings.
As stated in section 1.4.3, external observations of the cells showed that cells 5 through 8
were more thermally damaged than cells 1 through 4. In particular, the thermal damage to the
materials near cells 5 through 8 and the opened vent discs of those cells (with the vent disc petals
either missing or peeled outward from the cell cases) were consistent with a higher pressure,
more energetic event in cells 5 through 8 compared with cells 1 through 4. The internal
examination of the cells showed differences in the degradation of materials that were also
consistent with higher temperature exposure in cells 5 through 8.
Cells 1 through 4, when opened, were generally wet and had a smell consistent with
liquid electrolyte. The components of cells 1 through 4, including the anode, separator, and
cathode, were found intact with most damage limited to a change in opacity in portions of the
separator, which was consistent with the activation of the shutdown properties of the separator.
39
Damage patterns in cells 1 through 4 were consistent with greater external thermal exposure on
battery side 4, which was closest to cells 5 through 8. The damage patterns were also consistent
with less external thermal exposure on side 2, which faced the exterior of the battery case. In
general, the windings for cells 1 through 4 exhibited damage consistent with greater thermal
exposure on the exterior of the cells and the sides that were closer to other cells compared with
the interior of the cells and the sides that were exposed to open areas within the battery case.
There was no visual evidence of electrical short circuits found in the windings of
cells 1 through 4.
Cells 5 through 8, when opened, were dry and did not have a smell consistent with liquid
electrolyte. The components of cells 5 through 8 exhibited evidence of damage consistent with
high heat exposure and localized high current, including several aluminum current collector
fingers that had separated from their header assemblies. For each cell, the aluminum cathode was
heavily damaged and was missing large sections of the foil. The copper anode was generally
intact but contained pinholes and discolorations with areas of missing active coating material.
The separator was missing, which was consistent with thermal exposure above the melting
39
The separator is opaque but becomes more transparent as it thermally degrades. When this degradation
occurs, the pores in the separator close, shutting down the lithium-ion transport between the anode and cathode. The
shutdown properties of the separator activate just before melting begins.
NTSB Aircraft Incident Report
26
temperature of the separator material. Sections 1.4.5.1 through 1.4.5.4 provide additional details
about the teardown of cells 5 through 8, respectively.
40
1.4.5.1 Cell 5
The cell 5 examination found evidence of arcing damage on the cell case interior and
relatively minor damage to the winding adjacent to the protrusion in the battery case. The cell
case was mostly intact. The lower half of the winding closest to battery case side 3 and adjacent
to the protrusion in the battery case had adhered to the cell case. The appearance of the cell case
and the adherence of the electrodes were consistent with localized heating, melting, separation,
and solidification from electrical arcing. No visible portion of the thermoplastic insulation in the
cell case remained. Black residue was present on the interior surfaces of the cell case and the
exterior of the windings. SEM/EDS analysis found that the chemical composition of the residue
was consistent with that of the thermoplastic insulation.
The condition of the aluminum cathode and the copper anode in each winding was
consistent with high heat exposure. Most of the cathode material was present but was brittle.
Most of the uncoated aluminum foil (at the edges of the windings) remained intact, but portions
were missing. The coated aluminum foil was discolored and fractured with areas of the foil
missing generally near the header (top) or footer (bottom) fold. Most of the missing aluminum
foil had melted and solidified into oblong-shaped globules. The copper foil was intact but had
discolorations and small pinholes that propagated through several wraps. The coating on the
copper foil had mostly flaked off. The separator was not found during the examination.
For the winding that was closest to battery case side 3, the copper foil was discolored at
the header fold with small ripples. The copper foil also exhibited a band of darker color adjacent
to the nodular protrusion, which was consistent with high heat exposure. This band of color
propagated from the exterior to interior wraps of the winding. The center winding copper foil had
ripples along the header fold. This winding appeared to have more overall damage than the other
two windings. The winding closest to cell 6 showed the most fragmentation of the aluminum foil
and the coated material. The first and second wraps of the winding had thermally adhered to the
interior of the cell case, and portions of the first wrap had also thermally adhered to subsequent
wraps of the winding. One of the innermost wraps showed folds in the copper foil on the side
facing cell 6, which were present through several layers of the winding, as shown in figure 13.
Other notable features found during the winding examination were the lack of any sizeable
repeating rifts in the windings and the greater amount of damage to the exterior wraps of the
windings compared with the interior wraps.
40
For additional information about the teardown of cells 1 through 4, see Materials Laboratory Factual
Report 13-060, which is available at www.ntsb.gov in the public docket for this incident. Also, during the teardown
of the eight cells, numerous specimens were excised to examine, using SEM and EDS, the physical and chemical
characteristics of various internal components. Materials Laboratory Factual Report 13-060 also includes
information from these examinations.
NTSB Aircraft Incident Report
27
Figure 13. Cell 5 winding closest to cell 6.
The pair of aluminum current collectors for the center winding (which in this cell were
adjacent to the vent disc) were no longer connected to the header assembly. The detachment of
the current collectors occurred at the top of the current collector fingers where the collectors
were designed to act as a fusible link. SEM examinations found that the breaks were consistent
with thermal fracture associated with high current, as shown by the CT scans of the rounded
features at the fracture surfaces (see figure 8). The two other pairs of aluminum current collectors
and the three pairs of copper current collectors were intact.
1.4.5.2 Cell 6
The interior of the cell 6 case exhibited a blackened appearance. Portions of the windings
and other charred materials were stuck to the bottom of the case on sides 1 and 3. There was no
evidence of electrical arcing or short circuits between the windings and the cell case.
The windings exhibited varying degrees of thermal damage based on the amount of
aluminum cathode material remaining and the thermal discoloration of the copper anode foil.
The winding closest to cell 5 had the least cathode material remaining, and the winding closest to
cell 7 had the most cathode material remaining, which was consistent with higher temperatures
on side 3 of the cell that tapered off toward side 1. The separator material had melted and could
not be identified in all three windings.
For the winding closest to cell 5 and the center winding, the aluminum foil was mostly
missing, with the active material coating remaining. Remnants of the aluminum foil were visible
as specks or small blobs of solidified aluminum. For the winding closest to cell 7, the aluminum
foil was intact but was brittle. The second wrap included an area where the aluminum foil had
fused to the copper foil.
NTSB Aircraft Incident Report
28
For all three windings, large portions of the active material coating for the copper foil had
delaminated, exposing large areas of the foil. Pinholes and localized areas of thermal
discoloration, which were consistent with localized hot spots, were observed near the edges of
the copper foil. The winding closest to cell 5 showed areas of concentrated thermal discoloration
that appeared in a repeating pattern on the copper foil, as shown in figure 14. One area of thermal
discoloration began on multiple exterior wraps and became lighter toward the interior wraps.
Another area of thermal discoloration began about midway through the wraps and continued all
of the way to the interior wraps. This pattern of thermal discoloration, which was concentrated
on the side of the foil closest to the copper current collectors, exhibited a radiating pattern of
wrinkles. The center winding showed an area of thermal discoloration that began at one of the
outermost wraps and continued into the winding. The winding closest to cell 7 showed a
repeating area of thermal discoloration at one of the outermost wraps.
Figure 14. Cell 6 winding closest to cell 5.
The current collector sides of the winding assemblies (cell sides 2 and 4) appeared
blackened and charred and had no remaining insulation material. The copper current collectors
were intact and attached to the windings. The aluminum current collectors exhibited fractures
with areas of missing material, and two of the three pairs of aluminum current collectors (those
in the winding closest to cell 5 and the center winding) had fused and were disconnected from
the header assembly. The other pair of aluminum current collectors were intact.
1.4.5.3 Cell 7
The condition of the cell 7 electrodes was consistent with high heat exposure. The three
windings had varying amounts of the aluminum cathode foil remaining. The winding closest to
cell 8 had more aluminum foil and active material remaining than the two windings that were
closer to cell 6. In each of the windings, the coated aluminum was discolored and fractured with
areas of aluminum missing generally near the header or footer fold.
The copper anode foil in the winding closest to cell 6 was discolored at the header fold
and had small ripples. The copper foil in the center winding was missing a section adjacent to the
vent disc, which was consistent with high thermal exposure. The missing section propagated
through the winding, with the most material missing from the exterior of an outermost wrap. The
NTSB Aircraft Incident Report
29
copper foil in the winding closest to cell 8 was discolored at the header fold and contained small
ripples in a radiating pattern. The separator was not found.
The pair of aluminum current collectors for the center winding and the pair for the
winding closest to cell 6 were no longer connected to the header assembly. The separation in
these current collectors occurred at the top of the current collector fingers where the collectors
were designed to act as a fusible link. The center winding current collector fingers were
separated in one location, and the current collector fingers closest to cell 6 were separated in
several locations. The other pair of aluminum current collectors and the three pairs of copper
current collectors were intact.
1.4.5.4 Cell 8
For cell 8, there was no discernible difference in the amount of thermal damage between
the cathode and anode sides of the winding assemblies. All of the current collectors were intact
and showed no readily identifiable abnormalities.
Portions of copper anode windings adhered to the side 1 and side 3 surfaces of the cell
case and exhibited hues of purple and blue, consistent with exposure to high temperatures in an
oxidizing environment. The cell case surfaces did not reveal any evidence of electrical arcing.
The side 2 and side 4 surfaces exhibited a blackened appearance, and charred thermoplastic
insulation had adhered to the surfaces. The bottom of the cell case also exhibited a blackened
appearance with pieces of charred material adhering to the bottom surface.
The aluminum cathode foil in all three windings was found melted and discontinuous, but
the winding closest to cell 7 appeared to be exposed to the highest temperatures because the
aluminum foil in the center winding and the winding closest to the BMU had more intact
aluminum remaining. (More aluminum remained on the winding closest to the BMU than on the
center winding.) For each winding, the copper anode foil could be seen in the areas where the
aluminum foil was missing. Small globules of solidified aluminum were interspersed throughout
the remaining carbon active material. The separator material had completely melted and could
not be identified.
For the winding closest to cell 7, most of the copper foil exhibited discoloration
consistent with severe thermal exposure, particularly along the edge where the electrode attached
to the current collector near the header fold of the winding. This discoloration continued
throughout the winding. The center winding and the winding closest to the BMU showed
concentrated thermal discoloration along the edge of the copper foils where they had been
attached to the current collector near the header fold of the windings. This discoloration also
continued throughout the windings. Areas speckled with small holes appeared throughout the
copper foils, some of which continued through several wraps of the windings.
1.4.5.5 TIAX Examination of Cell Teardown Samples
The NTSB contracted with TIAX LLC of Lexington, Massachusetts, to independently
examine and analyze cell 6 samples (which included remnants from all three cell windings) to
determine if any internal short circuit indicators were present. TIAX’s examination of the cell 6
NTSB Aircraft Incident Report
30
evidence confirmed the findings of the NTSB’s cell 6 examination (TIAX Review 2013). For
example, TIAX determined that the winding closest to cell 5 was more thermally and physically
damaged than the other two windings, with almost no aluminum cathode foil remaining; the
winding closest to cell 7 had the least damage. TIAX found that most of the aluminum current
collectors and all of the separators had melted and that a major portion of the copper (anode)
current collectors remained.
41
TIAX also found that most of the copper current collectors had
small holes, especially near wrinkled and folded areas of the copper foil. TIAX found no
evidence of foreign metal.
TIAX’s examination of the winding closest to cell 5 showed regions of thermal
discoloration on the copper current collector. TIAX indicated that such areas could be consistent
with the presence of an internal short but that it was not possible to determine whether a short
could have occurred locally or developed from an external source.
TIAX’s examination of the remaining copper current collectors showed that, in the
winding closest to cell 7 and the center winding (which, as previously stated, were less damaged
than the winding closest to cell 5), the windings outer regions appeared more damaged
thermally than the inner regions. TIAX indicated that this observation was consistent with “an
origin of thermal stress” outside these windings with elevated temperatures that decreased
toward the windings’ inner regions.
Some abnormalities were observed in multiple regions of the windings. For example, a
significant amount of beaded metal was observed around the edge of an irregularly shaped hole
in a copper current collector in the winding closest to cell 5. TIAX noted that this type of
formation could indicate the highest temperatures reached during the incident. The NTSB
analyzed the ridges using EDS and found that the beads at the edge of the irregularly shaped hole
were copper, which indicated that the hole had resulted from the melting of copper.
1.5 Exemplar Battery Examinations and Testing
1.5.1 Radiographic Examinations of Exemplar Battery Cells
Additional radiographic studies were conducted to examine and document the internal
configuration of individual battery cells from five batteries. One of the batteries was the main
battery installed on the incident airplane (referred to as battery 412); the other four batteries
(referred to as batteries 149, 305, 344, and 376) were provided by Boeing.
42
These batteries had
been installed on 787 airplanes being assembled at Boeing but were removed before any flight
41
TIAX referred to the current collector fingers and the foils of the electrode winding assemblies as current
collectors.
42
The battery numbers reflect the battery serial numbers.
NTSB Aircraft Incident Report
31
time because the batteries overdischarged and latched.
43
The CT scans of these cells were
examined for indications of missing or damaged parts, contamination, or other anomalies.
44
The CT scans showed that all of the cells from all five batteries contained areas of
wrinkled and/or separated windings. Three batteries (149, 376, and 412) showed an anomaly
(specifically, a small protrusion from the insulator) in the aluminum terminal plate for one cell;
one battery (305) showed this anomaly for two cells. Battery 305 showed a measureable angle
between the aluminum current collectors and the cell header in one cell; battery 149 showed this
condition for two cells. (The measured angles ranged from about 1.0º to 1.7º.) Battery 149 also
showed a localized bulge in one cell’s wall. In addition, battery 305 showed copper current
collectors that had out-of-alignment clips in two cells.
1.5.2 Cell Soft-Short Tests
A soft short can occur when the electrical isolation between the positive and negative
electrodes of a cell is compromised. TIAX indicated that features creating soft shorts could
reside undetected within a cell and develop slowly over time. TIAX further indicated that some
soft shorts could dissipate over time, whereas others could become severe enough to result in the
early failure of a battery (a loss of capacity and failure to hold a charge) or progress to “a more
serious, higher-magnitude short” that could cause “catastrophic failure of the cell”
(TIAX Report 2013).
The Naval Surface Warfare Center, Carderock Division, and TIAX performed two
different types of nondestructive soft-short testing. A total of 40 cells from the incident airplane
main battery and the four batteries that Boeing provided were used for the soft-short testing. The
test results were used along with the radiographic examination results (discussed in section 1.5.1)
to identify possible cells for TIAX’s destructive physical analysis (DPA) of an exemplar battery
cell, as discussed in section 1.5.3.
The Carderock soft-short testing involved a procedure that monitored cell self-discharge
rate decays, which, for lithium-ion cells, occur from current leakage across the separator.
45
The
test procedure discharged cells to a low state of charge, removed the discharge load, and
observed the cells during a 1- to 2-week period to determine whether any anomalous decays in
cell voltage occurred.
46
(Voltage decay is an indicator of a potential soft-short formation within
43
Overdischarging of the battery occurs when the battery or any cell is below a predetermined voltage. If a
cell’s voltage drops below the predetermined level, the BMU latches a fault and prevents the battery from
recharging.
44
Before CT scanning began, the five exemplar batteries were disassembled at the Naval Surface Warfare
Center, Carderock Division, US Department of the Navy. During disassembly, the batteries were evaluated for
construction consistency and the presence of FOD. No anomalies were found.
45
The Carderock soft-short testing was based on the Darcy test method, which was developed by the battery
group lead for projects and integration at the National Aeronautics and Space Administration’s (NASA) Johnson
Space Center in Houston, Texas.
46
State of charge is the percent of electrical potential between the designed minimum and maximum voltage
potentials.
NTSB Aircraft Incident Report
32
the cell.) None of the eight cells from the five batteries exhibited anomalous decays in cell
voltage during the observation period.
The TIAX soft-short testing involved (1) charging each cell individually to the nominal
voltage of 3.7 volts, (2) placing each cell test group in a pre-test configuration for 12 hours to
equalize any variations in the state of charge, and (3) connecting each cell group to soft-short test
instrumentation and monitoring the response of each cell for 24 hours to measure the level of
self-discharge of each battery cell.
47
(According to TIAX, an internal short could have “an
anomalously higher level of self-discharge” compared with other cells in the test group.) TIAX’s
report on the testing indicated that “all [40] cells showed normal (short-free) response
characteristics.”
UL conducted additional soft-short-related tests, referred to as aging sorting tests. UL
conducted these tests to identify cells with possible internal anomalies because, according to UL,
cells with such anomalies could exhibit higher self-discharging rates than cells without internal
anomalies (Tabaddor and others 2014). The testing, which was conducted at temperatures of
77ºF, 32ºF, and -0.4ºF, produced generally consistent results among the cells in each battery. The
testing found all but one cell to be within acceptable limits. (At -0.4ºF, a cell in one battery
displayed a performance change in the discharge rate that differed from the other cells; this
characteristic had not been displayed at other temperatures, and the specific cause of the
difference was not determined.)
1.5.3 Examinations of Cells From the Incident Airplane Main Battery
TIAX and UL performed separate DPAs of cells from battery 412 to note any
abnormalities in the cells. The laboratories used different methods to conduct the DPAs, but both
laboratories’ DPAs found areas in the cell windings that were susceptible to lithium deposits.
TIAX conducted coin cell tests before its DPA to determine the anode-to-cathode ratio in
the cells and the tolerance of the electrodes to the specific charging conditions likely to lead to
lithium deposits.
48
The coin cells were built from samples of electrodes and electrolyte harvested
from cell 4 in battery 344. According to TIAX, the tests showed that (1) the anode-to-cathode
ratio had “a large anode capacity excess,” which would be consistent with a cell designed to
avoid lithium deposits on the anode, and (2) voltage, charging current, and temperature extremes
(within allowed operational ranges for the cell) did not produce visual evidence of lithium
deposits (TIAX 2014).
49
Thus, according to the results of the coin cell tests, the LVP65 cell
chemistry was not susceptible to lithium deposits under high-current or low-temperature
conditions.
47
The TIAX soft-short testing, which was based on a proprietary test method, was quicker and more sensitive
than the Carderock soft-short testing.
48
Coin cells are small specimens extracted from battery cells that are used to examine the electrochemical
properties of the anode and cathode, excluding cell- and battery-level effects.
49
According to GS Yuasa, the 787 battery cells were designed so that the capacity of the anode was greater
than that in previous cell designs.
NTSB Aircraft Incident Report
33
Before TIAX’s DPA, cell 1 in battery 412 was charged to the maximum voltage allowed
by the BMU (4.2 volts) at the maximum normal charging current (46 amperes) at 32ºF to
simulate the worst-case conditions for potential lithium deposits (within the airplane’s specified
operating envelope).
50
A fully charged cell, in which the anode appears bright gold in color,
facilitated the identification of potential abnormalities. This process was repeated 20 times (with
rest periods in between each charging cycle) before the DPA was performed. According to
TIAX’s report, the following abnormalities were observed during the DPA:
More than 100 areas of “ingressed under-lithiation” of the anode (that is, areas of the
anode that were incompletely charged) were found in each winding.
More than 90 full creases spanning the width of the electrodes and several hundred partial
creases (that is, those that did not run from one side of an electrode to its other side) were
found in all three windings.
51
The full creases in the anodes were located generally where
the connection to the current collectors (along the edges) ended. Many of the full and
partial creases showed features consistent with underlithiation of the anode.
A total of 61 clusters of silver-colored deposits were located in the outer two windings,
with fewer clusters located in the center winding.
52
These deposits were generally
adjacent to underlithiated areas on the anode. According to TIAX, these areas indicated
that mechanical abnormalities in the windings resulted in uneven charging of the anode,
which might have caused lithium to deposit adjacent to underlithiated areas.
Samples of the silver-colored deposits observed during TIAX’s DPA were analyzed at the
Naval Surface Warfare Center, Carderock Division, using x-ray photoelectron spectroscopy. The
analysis showed that the deposits contained lithium along with the constituents of the electrolyte
(Mansour and others 2014). No metallic elements besides lithium were found.
The DPAs that UL performed were conducted as part of testing to determine whether
potential risks of cell degradation, failure, or loss of performance under specific applications,
such as low temperature, existed for LVP65 cells. The DPAs involved three cells from
battery 412 (cells 3, 5, and 6). All of the test cells were at 100% state of charge (4.025 volts).
Cell 3 was subjected to pulse charging at -0.4ºF, cell 5 was subjected to normal constant-current
constant-voltage charging at 32ºF, and cell 6 was subjected to pulse charging at 77ºF.
53
The pulse
50
The DPA could not be performed at the battery’s minimum operating temperature (-0.4ºF) because, upon
charging at this temperature, the voltage reached 4.025 volts rapidly, causing the current to spike and drop. Thus,
high current could not be sustained long enough to produce lithium deposits.
51
The normal folds at the top and bottom of the windings were not considered to be creases.
52
Each cluster represented an entire feature area and not the number of individual deposits.
53
Pulse charging involves applying current in rapid short repetitive intervals. During the UL tests, the intervals
ranged from about 0.25 to 0.50 second.
NTSB Aircraft Incident Report
34
charging tests revealed no lithium deposits in the cell tested at 77ºF and a progressive decrease in
charge transfer (cell capacity) as the temperature decreased to -0.4ºF.
54
Visual examinations of the windings from cells 5 and 6 revealed features consistent with
lithium deposits. (UL referred to these deposits as lithium dendrites).
55
No features consistent
with lithium deposits were observed in the cell 3 windings. All observed features were found
adjacent to wrinkled regions of the windings. According to UL, wrinkles can form dendrites by
creating “non-uniform current density distributions” within the windings due to the “uneven
contact between the electrodes and separator in a wrinkled region” (Tabaddor and others 2014).
A normal electrode assembly with consistent uniform spacing between the anode and
cathode allows uniform lithium-ion transport via the shortest pathway. Thus, an assembly with
wrinkled or creased regions could result in non-uniform lithium-ion transport. According to UL,
non-uniform lithium-ion transport could also occur from following causes:
localized deformations of the windings during manufacturing, such as those that
occur when flattening the assemblies to the “jelly roll” shape or by stresses resulting
from welding the current collectors to the electrodes;
poor quality control of the coating and winding processes during manufacturing; and
cell swelling during charge and contracting during discharge, which creates
movement of the current collector fingers attached to the windings.
1.5.4 Cell-Level Abuse Tests
UL conducted testing to understand and compare the energy level of a thermal runaway
in response to three different methods of simulating an internal short circuit within a single cell
from exemplar battery assemblies.
56
The internal short circuits were initiated in a single cell
winding using the indentation, nail penetration, or hot pad methods.
57
The tests were conducted
at temperatures of 77ºF and 158ºF. Cell temperatures were measured by thermocouples at
54
In its submission to the NTSB for this investigation, GS Yuasa stated that, after the incident, it conducted
more than 100 cold charge cycle tests, all of which revealed a loss of capacity when charging repeatedly at -9.4ºF.
55
A lithium dendrite is a lithium metal deposit that can form on a coated anode surface. Lithium dendrites can
grow over time and cause internal short circuiting. The lithium metal can react exothermically with electrolyte. In
addition, lithium dendrites can cause the electrodes to become unstable and thus result in an exothermic reaction.
Such reactions at both the anode and cathode, as well internal short circuits from lithium dendrite formation, can
result in a thermal runaway (Belov and Yang 2008, 885-894).
56
Cells 1 through 8 from batteries 149 and 241 were used for the indentation, nail penetration, and hot pad
tests; cell 8 from battery 171 was also used for a hot pad test. (Boeing provided batteries 241 and 171, in addition to
the previously provided battery 149, for the cell-level abuse tests). A total of 17 cells were tested.
57
The indentation method, which UL developed, creates a localized, small-scale internal short circuit condition
by stressing the electrodes without breaching the cell case. The nail penetration method involves inserting a nail
through a cell case to penetrate the electrodes and induce an internal short circuit condition within the cell. The hot
pad method involves placing a small electric heating pad on a cell to heat the cell to a desired temperature to induce
an internal short circuit condition.
NTSB Aircraft Incident Report
35
various locations on the cell cases, and cell voltage responses were measured by probes attached
to the cell terminals.
During all tests, when the internal short circuit was induced in a single winding of a cell,
the cell voltage decreased immediately.
58
The cell voltage then recovered but, within 30 seconds,
decreased again and remained at a level consistent with the failure of all three windings
(Wang and Wu 2014). The most significant effects observed from the tests included the
temperature increase and venting as the cell entered thermal runaway, the decrease and recovery
in cell voltage that occurred immediately after the induced internal short circuit, and the fused
aluminum current collectors in response to the internal short circuit.
59
Figure 15 shows the cell voltage output measured during an internal short circuit test. The
test was conducted at 77ºF, and the internal short circuit was induced using the indentation
method. Region A in the figure shows the fully charged cell before the introduction of the
simulated internal short circuit in a single winding of the cell. Region B shows the cell voltage
output immediately after the initiation of the internal short circuit but before the failed winding’s
current collector fused open. The cell’s temperature reached about 150ºF at this point in the test
(about 5 seconds after the initiation of the internal short circuit). Region C shows the voltage
output after the failed winding’s current collector fused open and the subsequent recovery of the
cell with the voltage output from the two remaining windings. Region D shows the decreasing
cell voltage output as the remaining two windings fail due to the heat generated by the first failed
winding.
60
The cell’s temperature reached about 500ºF at that point in the test (about 27 seconds
after the initiation of the internal short circuit). The cell’s maximum temperature, about 610ºF,
occurred about 90 seconds after the initiation of the internal short circuit.
58
For the 158ºF tests, the voltage drop was between 0.50 to 0.75 VDC; for the 77ºF tests, the voltage drop was
between 1.00 and 1.25 VDC.
59
Excessive current flow through the current collector finger causes the fuse portion of the finger to heat to the
point of melting and open the electrical circuit between the winding and the other windings in a cell. Postincident
discussions with GS Yuasa revealed that the current collector fingers were sized to allow for required power loads
that the cell would encounter in service without fusing open.
60
The three electrode windings in the 787 main and APU battery cell design are electrically connected in
parallel. When the voltage of a single winding arranged in parallel with other windings drops below that of the
adjacent windings, the remaining windings will attempt to charge the lower voltage winding to equalize the voltage
across the parallel circuit. The charging currents that result could discharge the remaining windings, causing an
overall drop in cell voltage or a rupture of the cell assembly. (Reddy and Linden, 2011).
NTSB Aircraft Incident Report
36
Figure 15. Results of cell-level internal short circuit abuse test.
Note: The preceding paragraph describes each region depicted in this figure. The thermocouples used to measure
cell temperature were typically placed at the cell’s copper (negative) rivet (thermocouple 1), the aluminum (positive)
rivet (thermocouple 2), 0.2 in from the internal short circuit initiation point (thermocouple 3), and 0.1 in from the vent
disc (thermocouple 4).
During all indentation and nail penetration tests conducted at 77ºF and 158ºF, the current
collector fingers in the initiating outer winding fused open. During some of the indentation and
nail penetration testing at 158ºF, the current collector fingers in the center winding also fused
open. During all hot pad testing conducted at 77ºF and 158ºF, only the current collector fingers
in the initiating outer winding directly adjacent to the hot pad fused open. None of the center or
far outer windings had fused current collectors.
When nail penetration testing was conducted at 158ºF on two separate cells with a nail
that entered the top of the cells (rather than the side of the cells) and shorted only the center
winding, the center winding current collector fingers fused open, and the current collector fingers
in the outer windings remained intact.
61
Data recorded during these tests showed that, after the
internal short circuit was induced, the cell voltage dropped immediately, abruptly recovered, and
then dropped to zero volts. For the tests in which the current collector fingers fused open in the
61
A similar behavior involving only the center current collector fingers fusing open in the initiating cell was
observed during the 158ºF full-scale battery nail penetration test described in section 1.5.7. Also, as stated in
section 1.4.2, CT scans of the incident battery showed that, for cell 5, the current collector fingers in only the center
winding fused open as a result of the battery thermal event.
NTSB Aircraft Incident Report
37
outer winding and the center winding, the recorded data showed two separate voltage decreases
with two recoveries.
UL’s testing showed that, with a significant internal short circuit, the current flow
through a winding could reach a level sufficient to open the winding’s fusible link. In addition,
the testing showed that conduction of the heat generated by an internal short circuit in one
winding of a parallel arrangement to adjacent windings could cause thermal damage in those
windings and lead to thermal runaway of the entire cell.
Thermal abuse testing performed using accelerating rate calorimetry (ARC) showed that
the cells, at zero and 100% state of charge, started to generate internal heat at temperatures as
low as 144ºF, which is below the maximum operational temperature of the battery
(158ºF).
62
When the ambient condition of a fully charged cell was increased beyond 176ºF, the
self-heating rate exceeded 0.04ºF per minute. When the temperature of the cell was raised to
about 266ºF, the separator melted, and the cell entered thermal runaway and vented. None of the
current collectors fused during the abuse testing using ARC.
1.5.5 Rivet Observations During Cell- and Battery-Level Testing
The aluminum and copper rivets on 787 main and APU battery cells clamp together the
electrical components at the top of each cell, including a copper top plate, external and internal
thermoplastic seals, and a current collector, to conduct current flow into and out of the cells.
63
The rivets also provide a hermetic seal intended to prevent leakage of electrolyte from the cell
case and protect the electrolyte from external moisture. Evidence of rivet seal leakage was found
in cell 4 of the incident APU battery, which had melted seals and weighed less than
specifications despite the vent disc remaining intact.
During tests to determine the effects of simulated APU starts on individual cells and a
complete battery assembly, UL made observations about the aluminum rivets (Wang, Chiang,
and Wu 2014).
64
The APU start simulations on a full battery were performed using battery 459 at
temperatures of 77ºF and 32ºF after the individual battery cells underwent the same levels of
charge and discharge.
65
After a normal battery-level first charge/discharge cycle at 77ºF, the
62
The cells were slowly heated in an ARC chamber so that an adiabatic condition existed (that is, no heat was
transferred between the cells and the surrounding environment) until the cells began to self-heat to the point that
they eventually failed.
63
The aluminum rivets conduct energy from the aluminum current collector, and the copper rivets conduct
energy from the copper current collector.
64
UL disassembled the battery before the battery-level tests to examine and test the individual cells and
reassembled the battery afterward using GS Yuasa documentation provided to UL by the NTSB. (The battery could
be disassembled and reassembled outside of GS Yuasa.)
65
The APU start profile is similar to two failed starts followed by a successful start during a short time period
using the APU battery as the only starting power source. An APU start discharge attempt at -0.4ºF was not
completed because the battery voltage dropped and the test was stopped to prevent battery damage. As shown in
UL’s test plan (which was distributed to the parties to the investigation before testing began), the discharge rate used
during UL’s testing was based on the design requirement at the time of certification, and a post-test review found
that this discharge rate was not exceeded.
NTSB Aircraft Incident Report
38
temperature of the aluminum rivets on the positive terminal of cell 5 increased progressively
through 14 cycles to a maximum temperature of 315ºF, which exceeded the melting temperature
of the separator and the temperature at which the thermoplastic seals begin to soften.
66
An infrared thermal image taken at 32ºF during the last of the 14 battery-level test cycles
showed that the aluminum rivets on cell 5 were sources of heat in addition to heat from the
electrode windings. The image also showed that heat was conducted from the cell 5 aluminum
rivets through the copper bus bar to the copper rivets on cell 6. Further, strain gauges placed on
the sides and tops of the cell cases showed that the stresses in the cells increased during
discharge, with cell 5 exhibiting the highest strain during a test at 32ºF. In addition, the
efficiency of the cells decreased as temperatures decreased such that 30% of the discharge
energy heated the cell when the temperature was reduced to 0ºF.
UL performed subsequent examinations and testing on cell 5 from battery 459, including
CT scans; DC resistance measurements; cell leakage tests; and a cell DPA, which included visual
inspection of the separator and compositional analysis of the electrolyte. The testing showed that
the aluminum rivet seals leaked and that the DC resistance between the aluminum current
collectors and the riveted joint was significantly higher (three orders of magnitude) than that of
the same joint in other cells. The CT scans revealed visible gaps between the rivet and the
current collector (internally) and the rivet and the copper top plate (externally). During the DPA
examination, plastic seals were found deformed, and the separator material showed localized
melting between the anode and cathode adjacent to the aluminum center winding current
collector finger. Separator melting was not observed elsewhere in the windings.
The 787 battery was designed to measure temperature only on two cell bus bars and not
at or within each cell. Infrared thermal images and thermocouple data from the UL battery-level
testing showed that (1) temperatures were not even across the surfaces of individual cells, (2) the
cell temperatures differed from each other, and (3) the bus bar temperatures were lower than the
cell temperatures and substantially lower than the temperature at the rivets, and (4) the changes
in bus bar temperatures lagged behind the changes in cell temperatures. As a result, UL
conducted heat flow tests on a header assembly that had been removed from a cell to determine
the internal temperatures of a cell. The interior portion of one of the aluminum rivets was heated
until the exterior of the rivet reached the 315ºF maximum temperature measured during the APU
start simulations. At that temperature, the interior portion of the rivet measured 332ºF, and the
top of the internal aluminum current collector measured 277ºF, which was higher than the
melting temperature of the separator.
67
The NTSB’s CT scans of the rivet assemblies in cells from the main battery on the
incident airplane (battery 412) revealed gaps and voids between the rivets and assembly
components. After the rivet assembly in cell 5 was cross-sectioned, rinsed, and dried, water
66
During the testing, the temperature of both aluminum rivets was measured using an infrared camera. A
thermocouple was also placed on one of the rivets to further measure temperature.
67
The interior portion of the rivet and the current collector had been within the cell before it was disassembled
for the heat flow test.
NTSB Aircraft Incident Report
39
seeped out of gaps at the edges of the plastic seals in the assembly. The water revealed gaps that
were not initially seen under magnification.
Further examination of cell 5 in battery 412 revealed brown deposits that were consistent
with dried electrolyte. These deposits were found around a rivet hole of the internal current
collector, which had been in contact with an aluminum rivet. Closer examination of the current
collector’s surface showed evidence of material consistent with oxidation products under the
rivet head. The current collector was bent and skewed out from the rivets, and the exterior plastic
seal was deformed, diminishing the sealing surface. The deformation caused the plastic sealing
surfaces to separate from the top of the stainless steel cell case. Multiple gaps between the
contact surfaces were found between the rivet and copper top plate and between the rivet and
current collector. The copper plate had a nickel finish, and the shoulder of the rivet had an
impressed circular pattern (consistent with machining ridges) that had not been transferred into
the nickel plating, which was consistent with a lack of compressive force in this area. The rest of
the plating around the rivet hole showed no indications of contact with the rivet.
1.5.6 Cold Temperature Cell- and Battery-Level Testing
The airplanes involved in the BOS, TAK, and NRT events were based in Tokyo and were
exposed to below-freezing temperatures during the winter months. At the time of the NRT event,
the 787s based in Japan represented less than one-third of the worldwide 787 fleet. Even though
other 787 airplanes had occasionally been exposed to below-freezing temperatures while at their
base location, the winter temperatures in Tokyo were the coldest of the cities where 787
airplanes were based. The NTSB was concerned that cold weather exposure could be a
significant risk factor for the 787 main and APU lithium-ion battery.
68
As a result, UL conducted
cold temperature testing at the cell and battery levels to determine the effect that cold
temperature charging could have on the battery’s performance. During the cell-level testing, the
cells heated significantly more when discharged at temperatures between 0ºF and 32ºF than at
temperatures above 32ºF.
As previously stated, during battery-level testing at 32ºF, the aluminum rivets on a cell
increased in temperature to a maximum of 315ºF, which exceeded the melting temperature of the
separator material. Cell disassembly found melting at the edges of the separator layers that had
been adjacent to the aluminum current collector fingers. (Such melting was not found during the
cell-level tests.) Measurement of the electrical resistance across rivet-to-collector joints after cell
disassembly showed that the resistance in a cell that heated (cell 5 of battery 459) was
74.5 milliohms; the resistance of other cells was typically 0.03 milliohm. In its submission for
this investigation, Boeing stated that it was revising the low temperature charging limit for the
main and APU battery and BCU to “reduce the likelihood of an internal short circuit and
improve cell and battery reliability.”
68
In its report on the TAK incident, the JTSB noted the cold temperatures that existed at the time of the three
battery events and indicated that cold temperature could be related to the cause of the failures.
NTSB Aircraft Incident Report
40
1.5.7 Battery-Level Nail Penetration Tests
UL conducted nail penetration tests on LVP65-8-402 batteries to determine the effects of
a simulated short circuit within a single cell. The nail penetration tests were conducted with
battery numbers 436 and 445, which Boeing provided in addition to the other 787 exemplar
batteries.
69
A specially designed nail with an embedded thermocouple (which provided a single
temperature within the nail-penetrated cell) was used during the tests.
In one test, the battery was electrically grounded using a single ground wire that was
representative of the ground wire installed on the 787 airplane (Chapin and others, NTSB Battery
Tests [Asset 445], 2014).
70
The battery temperature at the start of this test was between 52ºF and
57ºF, which was consistent with temperatures in the E/E bay during a typical flight, as measured
by Boeing.
71
In another test, the battery was not electrically grounded (similar to the test setup
used by GS Yuasa in a 2006 battery development test, as described in section 1.7.3), and the test
was conducted at the battery’s maximum operating temperature of 158ºF (Chapin and others,
NTSB Battery Tests [Asset 436], 2014).
72
The test with the electrically grounded battery showed that thermal runaway occurred
when a short circuit was induced into a single cell inside the battery, resulting in cell swelling
and venting of the nail-penetrated cell. None of the other cells in the battery underwent thermal
runaway or vented. This test also showed that the initiating cell and other cells within the battery
case began to electrically discharge at an uncontrolled rate, causing a high electrical current to
discharge through the ground wire circuit.
73
Within 30 seconds of the initiation of cell venting of
the nail-penetrated cell, the ground wire fused open, and the current flow through the grounding
path ceased. The post-test examination of the battery found evidence of arcing between the
nail-penetrated cell (cell 6) and the battery case, including welding of the cell case and the center
brace bar of the battery case.
The test with the ungrounded battery showed that thermal runaway of a single cell
propagated to all other cells inside the battery case. This result (propagation to and venting of all
cells) differed from the results of GS Yuasa’s battery development test (venting of the
69
Before the testing, the batteries were disassembled so that nondestructive tests could be performed. Cells 1
and 2 from battery 445 were damaged during disassembly, so they were replaced with identical cells from
battery 271, which Boeing also provided.
70
The battery case, when installed in the airplane, is grounded via the 787 common return network. The battery
test setup did not include all electrical ground paths to the battery case as installed on the airplane (that is, the
ground wire, shielded signal wires, and a physical connection between the battery case mounting rails and ground).
71
APU battery temperature was not recorded on the incident EAFR. After the incident, Boeing monitored E/E
bay temperatures during several flights and reported average values of 50ºF to 59ºF during a typical flight.
72
UL’s reports on these tests included detailed information about the test facility, test fixture, instrumentation,
data acquisition, test procedures, and results.
73
As previously stated, the incident battery ground wire was found intact with the wire insulation exhibiting an
undamaged exterior surface but a slightly blackened interior surface, which was consistent with resistive heating
associated with the flow of high levels of electrical current. Also, the shielded signal wires exhibited signs of
internal heating that were consistent with resistive heating by high levels of electrical current.
NTSB Aircraft Incident Report
41
nail-penetrated cell and no propagation to and venting of other cells), but the NTSB notes that
GS Yuasa performed its battery test at a temperature that did not represent the battery’s
maximum operating temperature under normal conditions (158ºF). The post-test examination of
the ungrounded battery used for the UL test found no evidence of arcing between the
nail-penetrated cell (or other vented cells) and the battery case.
The findings of these tests were part of the basis for Safety Recommendations A-14-32
through -36, which were issued in May 2014 (see section 1.8.2).
1.5.8 Additional Testing
Early in the investigation of the BOS incident, the NTSB performed ATP functional
testing of the BCU of the incident airplane’s APU battery at Securaplane’s facility. At the request
of the JTSB, the NTSB also performed ATP testing on both BCUs from the airplane involved in
the TAK incident. As stated in section 1.2.2, the ATP testing revealed a previously unknown
electrical oscillation in the output charge voltage of each BCU. Boeing and UL conducted
separate detailed examinations of the BCU from the APU battery that had been installed on the
BOS airplane and integrated system testing of a battery, the BCU, and battery-related
components. The testing at Boeing and UL found that the oscillation could slightly diminish the
battery’s life but was unrelated to thermal runaway.
74
As a result of its testing, Boeing changed
the BCU design to minimize the oscillation. GS Yuasa conducted testing as part of the JTSB’s
investigation of the TAK incident and similarly found that the BCU oscillation could shorten a
cell’s life.
During the investigation of the BOS and TAK incidents, Boeing developed and
conducted (along with its contractors) more than 40 different laboratory and airplane tests to
understand various battery failure modes. Boeing also performed tests to learn information that
would support the redesign of the main and APU battery systems.
75
Boeing performed a laboratory test to understand the effects of moisture condensing on
the battery. This test subjected the battery case and internal battery components to simulated
flight cycles in an environmental chamber with varying temperature, pressure, and humidity
conditions.
76
After the testing was completed, small amounts of condensation were noted on the
top of the cells. The condensation created an electrical short path between the cell case and the
battery case. Boeing performed a subsequent laboratory test in which a single cell was placed in
a container with saline solution and voltage was provided to represent the other cells of a battery.
74
One of the reports that UL developed as part of this investigation refers to the BCU oscillation testing as part
of the “Noisy Test Procedure” (Tabaddor and others 2014). “Noisy” electrical power refers to the lack of continuous
voltage; current; and, if AC power, frequency. UL’s report includes specific details about the frequency and current
characteristics used for the testing.
75
For additional information about the testing that Boeing performed, see the testing addendum to the
Airworthiness Group Chairman’s Factual Report, which is available at www.ntsb.gov in the public docket for this
incident.
76
The battery assembly used during this test did not use actual cells; thermally equivalent representative cells
were instead used for the testing.
NTSB Aircraft Incident Report
42
The single cell vented, and post-test examination revealed damage internal to the cell header,
including evidence of arcing, shorting, and heat damage.
Another laboratory test examined the vibration environment of the battery. This test
subjected the battery to vibration levels in the pitch, roll, and yaw axes in excess of the levels
occurring during in-service operations. The battery’s performance was monitored, and the battery
was examined, before and after each vibration series. Slight changes in cell case voltages were
noted, but no changes in the battery’s performance were observed. Post-test examinations of the
battery revealed areas of slight abrasions to battery components and one failed BMU sensing
wire.
77
In addition to the previously mentioned integrated battery/BCU system component
testing, Boeing conducted flight and ground tests with an instrumented 787 airplane to determine
the atmospheric and electrical environment of the system installation. During the flight and
ground tests, the battery and charger performed with no anomalies, and no thermal or vibration
data exceeded the design requirements. Temperatures for the main and APU battery and the
forward and aft E/E bays during the flight tests were comparable with in-service temperatures.
Examination of the flight test data showed oscillations during the constant-voltage charging
cycle at low-current loading, which were similar to the oscillations observed during the BCU
testing at Securaplane. No other abnormal electrical transients were observed in the flight and
ground test data.
1.6 Battery Manufacturing Information
1.6.1 Main and Auxiliary Power Unit Battery Development
In 2003, Boeing created a statement of work to outsource the design and manufacture of
the 787 power conversion subsystem and awarded this contract to Thales in May 2004. Thales
then subcontracted (with concurrence from Boeing) the design and manufacture of the 787 main
and APU battery to GS Yuasa and the design and manufacture of the 787 battery charging
system to Securaplane Technologies.
78
Boeing, with participation from Thales, created the specification control drawing (SCD)
and interface control drawing to be used during the development and manufacture of the 787
battery and battery charging system.
79
Thales was responsible for providing these specifications
to GS Yuasa and Securaplane, managing these subtier suppliers, and meeting all of the
77
The LVP65-8-403 battery design incorporated improvements to the BMU sensing wiring installation.
78
Outsourcing is an industry practice that can be practical and effective when all aspects of the design,
manufacture, and certification of a component or system have been verified to ensure an airplane’s safety of flight.
Postincident interviews revealed that all of the companies involved with the design and manufacture of the 787
power conversion subsystem agreed that each would retain ownership of their associated intellectual properties.
79
According to Boeing, the SCD depicts the performance and design requirements, functional and physical
interfaces, and quality assurance requirements for the development, procurement, and configuration control of an
item or assembly. The interface control drawing is a formal engineering document that defines, among other things,
the interface between mating parts, connections, and signals.
NTSB Aircraft Incident Report
43
specification requirements for the battery and battery charger system. Thales, along with its
subtier suppliers, was also responsible for providing Boeing with required testing and analysis
results.
The basic design of the battery began in 2005. As part of the design, GS Yuasa contracted
with KAI to design and manufacture the BMU. As the battery design matured, preliminary
design reviews and critical design reviews were conducted by Boeing along with Thales and
GS Yuasa. Qualification testing was witnessed by delegated representatives from Boeing.
80
In early 2007, GS Yuasa and Thales redesigned the battery (with Boeing’s approval) after
a November 2006 fire at Securaplane during the development of the BCU.
81
The redesigned
battery included a contactor and a BMU subcircuit card to interrupt charging in an abnormal
situation. Qualification testing of this redesigned battery was completed in June 2007. In
October 2009, GS Yuasa and Thales redesigned the battery again (with Boeing’s approval) after
a July 2009 cell venting event at UTC Aerospace Systems’ Airplane Power Systems Integration
Facility (APSIF), where 787 power conversion subsystem components were tested as an
integrated electrical system.
82
The redesigned battery included a modified BMU4 subcircuit card
to avoid the subsequent recharging of the battery after overdischarge and a battery diode module
(added to the electrical system) so that the main battery could be charged only by the dedicated
charger and not be inadvertently charged by the airplane’s electrical system. The critical design
review for this battery redesign was completed in January 2010, and qualification testing was
completed in June 2010.
83
(The FAA was aware of both battery events.)
Boeing required its suppliers and subtier suppliers to perform first article inspections
(FAI), according to industry standards, on first production runs of any component. The FAI was
the primary method for inspecting and testing vendor components and was considered to be an
essential step in approving an order or a contract. The intent of the FAI was to determine if a
vendor’s product met acceptance and quality control requirements to ensure that all engineering,
design, and specification requirements were correctly understood, accounted for, verified, and
80
Qualification tests are performed to demonstrate that a design conforms to a set of requirements, such as the
requirements defined in Boeing’s main and APU battery SCD.
81
On November 6, 2006, a fire occurred at the main Securaplane building when a 787 development battery was
being charged for a test. The battery had been in use for about 14 months. Investigation of the incident found that
thermal runaway of the battery occurred and that the BMU was not connected directly to the BCU. The cause of
battery failure was unknown but was surmised to be a cell internal short circuit followed by overcharge of at least
one other cell.
82
On July 7, 2009, an APU battery experienced a loss of voltage and vented electrolyte during integrated
system testing at UTC Aerospace Systems’ APSIF. An investigation of the incident by Boeing, Thales, and
GS Yuasa determined that the failure of the battery most likely resulted from thermal runaway of a single cell due to
an internal short circuit created by repetitive overdischarge and subsequent high-rate charging operations. During the
NTSB’s April 2013 investigative hearing on the BOS incident, Boeing representatives testified that integrated
system testing was conducted on the entire electrical system, including the APU and its grounding system, and that a
number of protective (non-abuse) tests were conducted to ensure that the APU system would meet its design
requirements.
83
The changes to the battery that were made after the BOS and TAK incidents are discussed in sections 1.2.4
and 1.8.1.
NTSB Aircraft Incident Report
44
recorded. GS Yuasa accomplished the FAI for the main and APU battery in November 2008, and
Thales approved the FAI results in January 2009. GS Yuasa performed another FAI of the
battery after its redesign resulting from the APSIF event. Further, in November 2010, Boeing
performed an FAI on an LVP65-8-402 battery at GS Yuasa and found that the battery complied
with acceptance and quality control requirements.
Boeing’s surveillance of Thales was conducted in accordance with contractual
specifications and requirements. Boeing also relied on the Bureau Veritas Certification to
perform surveillance assessments of Thales twice a year.
84
Thales conducted two audits of GS Yuasa between the time that battery production began
and the incident. These audits, which were conducted in June 2011 and September 2012, found
11 discrepancies, all of which were subsequently closed. None of the discrepancies were directly
related to battery or cell manufacturing. Thales reported the results of these audits to Boeing.
Boeing did not conduct any audits of GS Yuasa before the incident and relied on Thales
to audit its subtier suppliers.
85
After the incident, Boeing sent an audit team to Thales and GS
Yuasa (and KAI) to review the management of subtier suppliers, quality of manufacturing and
business processes, and adherence to Boeing standards. The audit found 17 items of
noncompliance with Boeing requirements. Most of the noncompliance items at GS Yuasa
involved adherence to written procedures and communication with Thales and Boeing regarding
authorization for proposed procedural and testing changes for the battery. The noncompliance
items at Thales involved adherence to contractual requirements for Boeing’s approval on
drawing or procedural changes. Corrective actions for all of the noncompliance items have been
completed by Thales and verified by Boeing.
The FAA did not conduct any audits of GS Yuasa before the incident.
86
In late
January 2013, the FAA conducted an audit of GS Yuasa (and KAI) and found several items of
noncompliance, including (1) noncompliance with component/assembly part markings and no
traceability to assembly drawings and instructions and (2) noncompliance with assembly and
installation instructions of battery components.
87
Corrective actions for these and other items of
noncompliance have been completed by GS Yuasa and verified by the FAA.
84
The Bureau Veritas Certification is an international certification organization that Boeing used to help ensure
that its suppliers had an accredited quality management system in place.
85
Boeing had a source inspector at GS Yuasa, but the inspector was contractually limited to determining
whether specific inspection and checklist items, as detailed in agreements among Boeing, Thales, and GS Yuasa,
met minimum quality standards. Any issues that the inspector found had to be routed to a US Boeing representative
to coordinate through Thales.
86
The FAA did not consider the 787 battery to be a critical component because the Seattle Aircraft
Certification Office (which was responsible for the airplane’s certification) regarded the battery as a redundant
system. As a result, the FAA’s automated supplier selection process, which identifies suppliers for evaluation, did
not select GS Yuasa.
87
Other items of noncompliance involved storage procedures for returned batteries and the root cause and
analysis for returned batteries.
NTSB Aircraft Incident Report
45
1.6.2 Cell Manufacturing Process
After the BOS incident, the NTSB visited GS Yuasa’s production facility for the 787
main and APU battery to observe the LVP65 cell manufacturing process, including the electrode
coating, winding, flattening, assembly, and postassembly inspection stages.
88
The coating
process involved placing a foil roll on a reel in an enclosed case, unrolling the foil, and coating
the foil (except its edges) with anode or cathode active material.
89
The machine operator checked
the thickness of the coating periodically using a hand-held micrometer. The uncoated area on the
edge of the foil material was monitored visually and measured periodically by the operator.
90
During operations in which the foils were unwound, the machine operator also monitored the foil
roll for defects such as wrinkles.
91
After one side of the foil roll was coated, dried, and rewound,
the roll was inverted, unwound, coated on the opposite side, dried, and rewound. Winding
sensors in the machinery were in place to prevent misalignment of the foil roll. The machine
operator visually inspected the winding edges for burrs. If defects were found during the coating
process, an engineering-level review board would be convened to determine the disposition of
the foil material.
Another machine used a cylindrical winding mandrel to wind the cathode and anode foils
together with the separator sheets to create the cell windings. Afterward, the machine operator
measured the alignment and weight of each winding. The machine operator then partially
flattened each winding by hand compression, as shown in figure 16a, and positioned the three
windings for final flattening. The final flattening process was accomplished using a compression
jig with two flat plates facing the three windings. After final flattening, the machine operator
attached heat-resistant plastic tape to the ends of the cell where the curves of the windings were
located, as shown in figure 16b. Figures 16a and 16b also show perturbations of the electrode foil
that were created during the flattening process.
92
88
At the time of the NTSB’s visit, GS Yuasa was manufacturing LVP65-8-403 batteries.
89
As previously stated, the current collectors are attached to the uncoated edges of the electrode winding
assembly.
90
At the time of the NTSB’s visit, operators involved with cell manufacturing were working either 0800 to
2000 or 2000 to 0800 (local time) Monday through Friday unless production demands required more work hours.
Operators involved in the postassembly CT inspection process received two 15-min breaks and one 45-min meal
break during each shift.
91
GS Yuasa defined wrinkles as visible longitudinal or diagonal surface creases in the electrode coating on
the foil that occur before the winding and flattening processes.
92
In this report, a perturbation is defined as a change in the electrode foil nominal form due to compressive
buckling.
NTSB Aircraft Incident Report
46
Figure 16. Winding flattening process.
Note: Figure 16a shows an electrode being hand flattened after winding and removal from the mandrel, and
figure 16b shows the three-electrode assembly after final flattening and taping.
The flattened three-winding assembly was then manually attached to a prefabricated cell
header assembly, which consisted of the cell header cover, two sets of current collectors attached
to the cover with insulators in between, and two threaded terminals. Metallic tweezers were used
to align the windings with the cell header assembly before manual ultrasonic welding.
93
A
vacuum and vacuum brush on the ultrasonic welding machine (operated by a foot pedal) were in
place to remove FOD generated from welding. Afterward, the cell was wrapped with an
insulating polymer film and heat-resistant tape and placed inside a prismatic
(rectangular-shaped) stainless steel cell case.
The next process involved manual tungsten inert gas welding of the header cover to the
cell case. During this process, the welded cell was examined visually by an inspector using a
magnifying glass to identify potential weld deposit defects. If a defect was identified, the cell
case header cover would be welded again. The cell was also inspected for potential damage to
the insulating film, excessive heat, and other defects. If such damage was found, an
engineering-level review board would determine the disposition of the cell. A prefabricated
small hole in the side of the cell case was used to manually fill the battery cell with liquid
electrolyte. The electrolyte filling process was performed using three separate steps to prevent
overflow, and the cell was precharged to low voltages in between each filling step.
94
The postassembly inspection process involved examining a cell’s interior using CT scans.
An inspector viewed the CT image to identify any potential ultrasonic weld defects on the
current collectors and any enclosed FOD. (The CT resolution settings were unknown because
93
Metallic tweezers were used for processes in which precision was needed to assemble parts.
94
The NTSB did not observe the electrolyte filling process during its visit to GS Yuasa.
NTSB Aircraft Incident Report
47
they were not supplied to the NTSB.) If a defect was identified, the cell would be subject to
further assessment.
95
GS Yuasa stated that less than 1% of manufactured cells were rejected.
1.7 System Safety and Certification
As part of its investigation of this incident, the NTSB reviewed the Federal Aviation
Regulations and special conditions applicable to the 787 main and APU battery and battery
charger system. The NTSB also reviewed the corresponding certification plan, which Boeing
developed and the FAA approved. The plan defined the agreed-upon methods to be used to
demonstrate that the battery and its charger system met applicable FAA and European Aviation
Safety Agency (EASA) requirements.
96
In addition, the NTSB reviewed sections of
Boeing’s 787-8 electrical power system (EPS) safety assessment that pertained to the main and
APU battery, which Boeing developed to evaluate the EPS design for compliance with safety
requirements defined by the FAA and EASA.
1.7.1 Type Certification Overview and Battery Special Conditions
On March 28, 2003, Boeing applied for a type certificate for the 787-8 airplane. The
FAA’s aircraft certification office (ACO) in Seattle, Washington, conducted the certification
oversight process. In September 2004, Boeing met with representatives from the ACO to indicate
the company’s intent to use lithium-ion technology for the main and APU battery on the
787 airplane.
97
At that time, the 787 was expected to be the first transport-category airplane to
have permanently installed, rechargeable lithium-ion batteries.
98
In response, the FAA reviewed
the adequacy of the existing regulations governing the installation of batteries in large
transport-category airplanes and determined that the regulations did not sufficiently address
several failure, operational, and maintenance characteristics of lithium-ion batteries that could
affect the safety of the battery installations.
99
Title 14 CFR 21.16, “Special Conditions,” states that, if the FAA finds that airworthiness
regulations do not contain adequate or appropriate safety standards for an aircraft because of a
“novel” or an “unusual” design feature, special conditions should be issued to prescribe safety
standards that establish a level of safety equivalent to that established in the regulations. Special
conditions are developed by the appropriate ACO with the applicant’s full participation. The
ACOs use issue papers to review the adequacy of existing regulations; determine the special
95
Information about other steps in the cell assembly process (and information about the battery assembly
process) is detailed in the Manufacturing Data and Manufacturing Cell Group Factual Report, which is available at
www.ntsb.gov in the public docket for this incident.
96
The 787-8 FAA certification was also validated by EASA.
97
Boeing also intended to use lithium-ion batteries in the 787’s flight control electronics, emergency lighting
system, and recorder independent power supply.
98
After the incident, the FAA stated that the Cessna Citation CJ4 was the first civil airplane certificated with a
lithium-ion main battery. The Citation CJ4 is not a transport-category airplane.
99
The battery regulations that existed at the time were in 14 CFR 25.1353, “Electrical Equipment and
Installations,” paragraphs (c)(1) through (4).
NTSB Aircraft Incident Report
48
conditions that would be proposed to address any inadequacies; and track the relevant technical,
regulatory, and administrative issues that could arise in certifying the new technology.
In a March 31, 2006, issue paper, “Special Condition: Lithium-Ion Battery Installations”
(referred to as Issue Paper SE-9), the FAA stated that, despite limited experience with the use of
lithium-ion batteries in commercial aviation applications, other users of lithium-ion batteries,
including wireless telephone manufacturers and electric vehicle manufacturers, had experienced
safety problems with this technology. These problems included overcharging; overdischarging;
and flammability of cell components as a result of the liquid electrolyte, which could serve as a
source of fuel for an external fire if the battery case were breached. The FAA also noted that, in
general, lithium-ion batteries are “significantly more susceptible to internal failures that can
result in self-sustaining increases in temperature and pressure (thermal runaway)” than
nickel-cadmium or lead-acid batteries.
On April 23, 2007, the FAA issued a notice of proposed special conditions
(Federal Register 2007, 21162), which proposed nine safety requirements regarding the use of
lithium-ion batteries for the 787 to ensure that these battery installations would not be
“hazardous or unreliable.” On September 28, 2007, the FAA issued Final Special
Conditions 25-359-SC, “Boeing Model 787-8 Airplane; Lithium-Ion Battery Installation”
(Federal Register 2007, 57842), which became effective on November 13, 2007. The intent of
the final special conditions, which are shown in appendix B, was to establish additional safety
standards that the FAA considered necessary to provide a level of safety equivalent to the
existing standards for aircraft batteries.
According to the 787-8 type certificate data sheet, the airplane received
transport-category approval on August 26, 2011. The type certification basis included the
14 CFR Part 25 airworthiness standards and the special conditions for the lithium-ion battery
installation.
100
1.7.2 Certification Plan
FAA Order 8110.4, “Type Certification,” described the responsibilities and procedures
for the FAA and the type certificate applicant to follow when evaluating and approving design
data for new civil aircraft, such as the 787-8.
101
In accordance with paragraph 2-11d(1)(d) of the
order, Boeing’s 787 EPS certification plan presented a high-level system description of the EPS,
which included the main and APU battery and battery charger system; defined the methods (for
example, tests and analyses) to show compliance with applicable FAA and EASA requirements;
100
The applicable regulations were 14 CFR Part 25 through amendment 25-119 and amendments 25-120,
25-124, 25-125, and 25-128 (with exceptions). Other applicable regulations were 14 CFR Part 26, Continued
Airworthiness and Safety Improvements for Transport Category Airplanes”; 14 CFR Part 34, Fuel Venting and
Exhaust Emission Requirements for Turbine Engine Powered Airplanes”; 14 CFR Part 36, Noise Standards:
Aircraft Type and Airworthiness Certification; equivalent level of safety references; and special conditions for
13 other subjects.
101
When Boeing submitted its application for the 787-8 type certificate, revision B of FAA Order 8110.4, dated
April 24, 2000, was in effect. Revision C of the order was issued on October 12, 2005.
NTSB Aircraft Incident Report
49
and defined the compliance submittals (that is, certification deliverables) to be provided to the
agencies. The FAA approved the initial certification plan on December 22, 2005. Boeing was
required to ensure that the certification plan was kept current throughout the 787’s design,
development, and certification phases, and any revisions to the certification plan were required to
be approved by the FAA.
According to Boeing, on January 8, 2007, the FAA approved revision C of the
certification plan and indicated that Boeing could proceed with the implementation of the
proposed certification activities. Boeing conducted tests and analyses to demonstrate, among
other things, that the main and APU battery and battery charger system complied with relevant
14 CFR Part 25 requirements, including sections 25.863, Flammable Fluid Fire Protection,”
paragraphs (a) and (b)(3); 25.1309, “Equipment, Systems, and Installations,” paragraphs (a),
(b)(1), (b)(2), and (c) through (g); and Special Conditions 25-359-SC.
1.7.3 System Safety Assessment
Safety assessments are a primary means of compliance for systems that are critical to safe
flight and operation. These assessments are performed by the manufacturer and its suppliers and
are reviewed and accepted by the FAA. Safety assessments proceed in a stepwise, data-driven
manner to ensure that all significant single-failure conditions have been identified and all
combinations of failures that could lead to hazardous or catastrophic airplane-level effects have
been considered and appropriately mitigated. The safety assessment process, which is outlined in
FAA Advisory Circular (AC) 25.1309-1A, “System Design and Analysis,” is not mandatory, but
manufacturers that do not conduct safety assessments must demonstrate compliance in another
manner, such as ground or flight tests. Boeing indicated in certification documents that it used a
version of AC 25.1309 (referred to as the Arsenal draft) as guidance during the 787 type design
certification program.
102
Overall compliance with the applicable 787-8 main and APU lithium-ion battery safety
requirements was shown through formal analyses and qualification tests. Thales and GS Yuasa
performed these analyses and tests, and Boeing reviewed and approved the results.
Boeing’s 787-8 EPS safety assessment, dated September 16, 2009, presented the overall
safety analysis of the EPS. This analysis evaluated the design of the EPS for compliance with
safety requirements derived from 14 CFR Part 25, EASA certification specifications, Special
Conditions 25-359-SC, and accompanying advisory material. For the main and APU lithium-ion
battery and battery charger systems, the safety assessment included a failure modes and effects
analysis (FMEA) to provide a bottom-up qualitative and quantitative way to identify the effects
102
In 1996, an FAA aviation rulemaking advisory committee (ARAC) was chartered to harmonize the FAA’s
practices related to 14 CFR 25.1309 with those of Europe and Canada. The committee released its final report to the
FAA in August 2002, but the revised AC 25.1309, referred to as the Arsenal draft, has not yet been issued. On
April 29, 2003, the FAA published a notice of availability of the ARAC-recommended proposed changes to the
airworthiness standards for transport-category airplanes regarding equipment, systems, and installations as well as
the current AC 25.1309 (version 1A). This notice of availability indicated that the ARAC-recommended proposed
changes could be used for airplane certification programs through a request for an equivalent level of safety finding.
NTSB Aircraft Incident Report
50
of a failure at the next (higher) level of a system; a functional hazard assessment (FHA) to
determine the potential hazards that various failures of electrical system components could
introduce to the airplane and its occupants; and a fault tree analysis for the hazards identified in
the FHA.
103
The FHA identified and classified two hazards associated with the main and APU
lithium-ion battery: “battery vents smoke/fire,” which was classified as catastrophic, and “battery
vent and/or smoke (without fire),” which was classified as hazardous.
104
On the basis of the
FHA’s results, Boeing defined failure detection and mitigation requirements for the main and
APU battery, including the following three requirements related to smoke, gas, and electrolyte
release:
The battery shall have a probability of less than 1 x 10
-7
for gas emission.
The battery shall have a probability of less than 1 x 10
-7
for smoke emission.
The battery shall be designed to prevent spilling flammable fluid, a hazardous event
with a probability of less than 1 x 10
-9
.
This analysis determined that overcharging was the only known failure mode that could
result in cell venting with smoke and fire. As a result, Boeing established additional design
requirements to ensure that the likelihood of occurrence of an overcharge event would be
extremely improbable (one in 1 billion flight hours or a probability of 1 x 10
-9
).
105
Boeing further
determined that cell venting without fire could be initiated by several different failure modes,
including external overheating, external short circuiting, internal short circuiting, recharging a
battery that has been overdischarged, a high rate of charging, or charging at cold temperatures.
103
A FMEA is an analytical process that postulates all known and reasonable failure modes. The FMEA
assesses the effects of those failures and documents the effects that the failures could have at the airplane level. The
FMEA also supports the development of fault tree basic events. An FHA examines a system’s functions and
purpose, identifies failure conditions that could occur with a loss or malfunction of the system, and classifies those
conditions by severity (at the airplane and system levels). After the hazard classification for a system is established,
the manufacturer conducts system-specific safety analyses to identify ways to mitigate the adverse effects of a
failure condition. A fault tree analysis is a structured, deductive, top-down qualitative and quantitative analysis that
depicts the relationship(s) between each failure condition and its primary cause(s).
104
The harmonized requirements for 14 CFR 25.1309 define a catastrophic event as one that normally involves
a hull loss with multiple fatalities. This event is assigned an allowable qualitative probability of being extremely
improbable and an average quantitative probability of less than 1 x 10
-9
per flight hour. The harmonized
requirements for section 25.1309 define a hazardous event as one that normally involves a large reduction in
functional capability or safety margins of the airplane with serious or fatal injury to a small number of passengers or
cabin crew along with physical distress or excessive workload impairing the flight crew’s ability. This event is
assigned an allowable qualitative probability of being extremely remote and an average quantitative probability of
less than 1 x 10
-7
per flight hour.
105
The risk of fire was addressed through overcharge protections. For example, Boeing required that “the
battery monitoring unit when combined with the overall battery protection subsystem shall prevent undetected
over-charge (over-voltage).”
NTSB Aircraft Incident Report
51
One of the objectives of a FMEA is to support safety analyses by documenting that there
are no known single-point failures that would result in catastrophic failure conditions. Boeing’s
787 EPS safety assessment identified no single-point-failure catastrophic effects for the main and
APU lithium-ion battery.
Boeing’s FMEA was based on information contained within GS Yuasa’s FMEA, which
GS Yuasa developed with assistance from Boeing and Thales. GS Yuasa’s FMEA included a
calculation of a representative failure rate for the LVP65 cell. This calculation was based on
in-service data from about 14,000 existing large-scale industrial lithium-ion cells manufactured
by GS Yuasa, which had a similar design and manufacturing process as the LVP65 cell.
106
GS Yuasa’s FMEA indicated that none of the industrial cells had experienced any failures,
including venting, electrolyte release, or rupture of a vent disc. (GS Yuasa’s FMEA did not
include an analysis of usage and environmental similarities between the industrial cells and the
LVP65 cells or a discussion of the hazardous effects of a lithium-ion cell failure, including
overheating or venting.) On the basis of this information, Boeing determined that the rate of
occurrence of cell venting for the 787 battery would be about 1 in 10 million flight hours.
Boeing’s 787 EPS safety assessment also included Boeing’s analysis of the results of a
single development (noncertification) nail penetration test that GS Yuasa performed in
November 2006.
107
This test involved driving a steel nail through a cell case to penetrate the
electrodes of a fully charged single cell within a fully charged, nongrounded, preproduction
battery to induce an internal short circuit within the cell. The purpose of the test, which was
conducted at a temperature representative of the E/E bay operating temperature during a typical
flight, was to observe the behavior of the cells near the nail-penetrated cell, observe any release
of smoke or initiation of fire, and document any damage to the battery case.
108
The nail penetration test results showed that the surface temperature of the
nail-penetrated cell increased, smoke vented from the cell and the battery case, and the surface
temperature of the adjacent cells increased with no venting.
109
On the basis of this development
test and the in-service data of the industrial cell that GS Yuasa designed and manufactured,
Boeing determined that the effects of a cell internal short circuit would be limited to (1) the
106
According to GS Yuasa, failure rate data from industrial cells were used because, at that time, there were no
available in-service failure history data for the LVP65 cells. According to GS Yuasa, a cell’s failure rate was related
more to the cells manufacturing process and mechanical design rather than the materials used in the construction of
the cell. GS Yuasa noted that some variation in chemistry existed between the LVP65 cell and the industrial cell but
indicated that the difference in chemistry could impact the effect of the failure and not the probability of occurrence.
107
Boeing collaborated with GS Yuasa and Thales about the development tests to be performed on cells and
batteries. Results from this testing helped Boeing determine what types of abuse (thermal, physical, and/or
electrical) certification testing and/or safety analyses needed to be performed to show compliance with the
applicable battery regulations, including the special conditions. The development tests were not required by the
FAA.
108
As previously stated, Boeing reported that E/E bay temperatures during a typical flight ranged from 50ºF to
59ºF.
109
Tests and analyses that GS Yuasa performed were reviewed by Boeing project engineers, safety reliability
and maintainability engineers, and authorized representatives (who acted on behalf of the FAA during certification
tasks).
NTSB Aircraft Incident Report
52
release of smoke from the battery, which could be effectively handled by the airplane’s
ventilation system, and (2) an increase in surface temperature of the short-circuited cell with no
propagation of thermal runaway to adjacent cells, damage to the battery case, fire, or explosion.
At the conclusion of the 787 testing and safety assessment process, Boeing prepared
documentation for the FAA showing Boeing’s proposed methods for demonstrating compliance
with 14 CFR 25.1309 and each of the nine special conditions in 25-359-SC. The FAA used this
information to make findings of compliance. Title 49 CFR 44702(d) allows the FAA to delegate
to a qualified individual a matter related to issuing a certificate or a matter related to the
examination, testing, and inspection necessary to issue a certificate. In October 2005, the FAA
established the organization designation authorization (ODA) program to address delegations to
organizations and standardize its oversight of organizational designees.
110
With an ODA,
FAA-approved engineering designees in various technical areas act on behalf of the FAA during
certification tasks. Boeing, which received ODA approval in August 2009, refers to its
engineering designees as authorized representatives. They can make findings, as authorized by
the FAA, for certain reports or tests in support of type certification programs, but only the FAA
can issue a type certificate. Boeing’s and the FAA’s roles in the certification of the 787 main and
APU battery are further discussed in section 2.5.
1.8 Additional Information
1.8.1 Federal Aviation Administration Actions After Battery Incidents
On January 11, 2013, 4 days after the BOS incident, the FAA announced that it would
undertake a comprehensive review of the 787’s critical systems with the possibility of further
action pending new data and information. The FAA stated that, in addition to a review of the
787’s design, manufacture, and assembly, it would verify that the 787 battery system complied
with the special conditions that were part of the 787’s certification (as discussed in section 1.7
and appendix B).
On January 16, 2013, after the TAK incident, the FAA issued emergency AD 2013-02-51
to address a potential battery fire risk in the 787.
111
The emergency AD “was prompted by recent
incidents involving lithium-ion battery failures that resulted in release of flammable electrolytes,
heat damage, and smoke on two Model 787-8 airplanes.” The emergency AD indicated that these
conditions “could result in damage to critical systems and structures, and the potential for fire in
the electrical compartment.” The emergency AD instructed owners and operators of
Boeing 787-8 airplanes to, “before further flight, modify the battery system, or take other
110
Before that time, designated engineering representatives performed certification activities that the FAA
delegated.
111
Earlier that day, JAL and All Nippon Airways had voluntarily decided to stop 787 operations as a result of
the TAK battery event. On January 17, 2013, the Japan Civil Aviation Bureau issued a directive with the same
content as FAA emergency AD 2013-02-51. Civil aviation authorities in other countries also required operators of
787 airplanes to temporarily cease operations.
NTSB Aircraft Incident Report
53
actions, in accordance with a method approved by the Manager, Seattle Aircraft Certification
Office.
112
On March 12, 2013, the FAA announced that it had approved Boeing’s certification plan
for a redesigned 787 battery system. The FAA stated that the certification plan required Boeing
to conduct “extensive testing and analysis” to demonstrate compliance with the applicable safety
regulations and special conditions. Also, the FAA stated that the improvements to the battery
system included “a redesign of the internal battery components to minimize initiation of a short
circuit within the battery, better insulation of the cells and the addition of a new containment and
venting system.”
On April 19, 2013, the FAA announced that it had approved Boeing’s modifications to
the 787 battery system, which were designed “to address risks at the battery cell level, the battery
level and the aircraft level.” The FAA stated that a team of agency certification specialists
observed “rigorous tests” that Boeing was required to perform and reviewed a “detailed analysis”
of the design changes. The FAA also stated that it would monitor the modifications of the
affected airplanes in the US fleet to ensure proper installation of the new design.
On April 22, 2013, the FAA superseded AD 2013-02-51 with AD 2013-08-12, which
became effective on April 26, 2013 (Federal Register 2013, 24673). AD 2013-08-12 required
787 operators to (1) install main and APU battery enclosures and ECS ducts; (2) replace the main
battery, the APU battery, and their respective battery chargers; and (3) revise the maintenance
program to include a requirement for replacement of the main and APU battery enclosure vent
burst discs.
113
The AD was intended to allow the aircraft to return to service as soon as possible
by mandating a modification that will address the unsafe condition.” The AD noted that, for all
future 787 airplanes, the replacement batteries, their respective chargers and enclosures, and duct
installations would be incorporated before delivery.
AD-2013-08-12 detailed Boeing’s measures to improve the reliability of the battery and
prevent any hazardous effects on the airplane from a battery failure. According to the AD, those
measures are as follows:
Minimize the Probability of a Single Battery Cell FailureEach main and
APU battery consists of a set of individual cells within a battery case. Each
battery cell will be encapsulated to isolate the cell electrically. Locking nuts
with specific torque values will be used on every cell terminal to prevent
overheating of the terminal due to a loose electrical connection. Drainage
within the battery case will be improved to remove any condensation within
the battery. The battery monitoring and charging unit will be changed to
112
One US operator had six 787s in service when the emergency AD was issued. On February 1, 2013, the
FAA issued AD 2013-02-51, which stated that emergency AD 2013-02-51 had previously been sent to all known
US owners and operators of 787-8 airplanes but that “this AD is effective February 22, 2013 to all persons except
those persons to whom it was made immediately effective by Emergency AD 2013-02-51” (Federal Register 2013,
12231).
113
The vent burst discs are frangible discs on the battery enclosures.
NTSB Aircraft Incident Report
54
reduce the operational voltage range to lessen electrical stress on the battery
cell and to enhance overdischarge protection. Boeing has also made
mandatory changes to the battery manufacturing and acceptance testing
processes to improve the overall quality of the battery.
Minimize the Probability of Multiple Cell Failure PropagationAdditional
insulation will be provided between each battery cell and between each cell
and the battery case to thermally and electrically isolate the individual battery
cells. High temperature sleeving will also be added to the battery internal
wiring harness to protect against short circuits. In addition, cell venting will be
added to the battery case to allow any cell [gases], including electrolytes, to
escape into the battery enclosure to minimize heat build-up within the battery
case.
Preclude Hazardous Airplane-Level Safety Effects of a Battery Failure That
Might OccurAs stated previously, each main and APU battery consists of a
set of individual cells within a battery case. The case containing the cells will
be secured within a stainless steel, sealed enclosure. This enclosure will be
connected to a titanium ECS duct that vents to the outside of the airplane.
Should a battery failure occur, and generate significant heat, pressure, and
[gases], a metallic frangible disc (also referred to as a vent burst disc) at the
interface of the enclosure and vent duct will open and allow the heat, pressure,
and [gases] to safely vent overboard through the ECS duct. This will prevent
the introduction of any heat, pressure, or [gases] in the electronics equipment
bays or any occupied area of the airplane.
On March 19, 2014, the FAA announced the findings of a joint FAA-Boeing team that
was formed in January 2013 to review the Boeing 787’s design, manufacture, and assembly
processes. The team found that the 787 “was soundly designed” and “met its intended safety
level” and that Boeing and the FAA had “effective processes in place to identify and correct
issues that emerged before and after certification.”
In the team’s report on its findings, the team made recommendations to further improve
Boeing processes and FAA oversight (FAA 2014). The team recommended that Boeing
(1) continue to implement gated design and production processes, (2) ensure that suppliers are
fully aware of their responsibilities, (3) ensure that suppliers identify realistic program risks, and
(4) require suppliers to follow industry standards for personnel performing Boeing-required
inspections. The team recommended that the FAA revise its orders on (1) certificate management
of manufacturers to recognize new aircraft manufacturing business models; (2) production
approval procedures to better address complex, large-scale manufacturers with extended supply
chains; and (3) engineering conformity inspections to ensure that they are based on risk. The
FAA indicated that it was taking actions to address these three recommendations.
1.8.2 Previously Issued Safety Recommendations
In response to the circumstances leading to this incident, on May 22, 2014, the NTSB
issued Safety Recommendations A-14-32 through -36 to the FAA. In its letter to the FAA, the
NTSB Aircraft Incident Report
55
NTSB stated that the type of failure that occurred during this incidentthermal runaway of a
single cell as a result of an internal short circuit and the cascading thermal runaway of other cells
within the batterywas not expected based on the testing and analysis of the APU battery
system that Boeing performed as part of the 787 certification program (see section 1.7.3). The
recommendations asked the FAA to take the following actions to (1) account for internal short
circuits and thermal runaway during lithium-ion battery certification tests and (2) ensure the safe
introduction of new technology into aircraft designs:
Develop abuse tests that subject a single cell within a permanently installed,
rechargeable lithium-ion battery to thermal runaway and demonstrate that the
battery installation mitigates all hazardous effects of propagation to other cells
and the release of electrolyte, fire, or explosive debris outside the battery case.
The tests should replicate the battery installation on the aircraft and be conducted
under conditions that produce the most severe outcome. (A-14-32)
After Safety Recommendation A-14-32 has been completed, require aircraft
manufacturers to perform the tests and demonstrate acceptable performance as
part of the certification of any new aircraft design that incorporates a permanently
installed, rechargeable lithium-ion battery. (A-14-33)
Work with lithium-ion battery technology experts from government and test
standards organizations, including US national laboratories, to develop guidance
on acceptable methods to induce thermal runaway that most reliably simulate cell
internal short-circuiting hazards at the cell, battery, and aircraft levels. (A-14-34)
Review the methods of compliance used to certify permanently installed,
rechargeable lithium-ion batteries on in-service aircraft and require additional
testing, if needed, to ensure that the battery design and installation adequately
protects against all adverse effects of a cell thermal runaway. (A-14-35)
Develop a policy to establish, when practicable, a panel of independent technical
experts to advise on methods of compliance and best practices for certifying the
safety of new technology to be used on new or existing aircraft. The panel should
be established as early as possible in the certification program to ensure that the
most current research and information related to the technology could be
incorporated during the program. (A-14-36)
Boeing’s description of the certification testing performed on the redesigned battery
model (LVP-8-403) before the 787 returned to service was consistent with the NTSB’s
certification recommendations. On August 19, 2014, the FAA responded to Safety
Recommendations A-14-32 through -36. Section 2.5.3 discusses the FAA’s response and the
NTSB’s classifications of the recommendations.
NTSB Aircraft Incident Report
56
2. Analysis
2.1 Failure Sequence
According to the available evidence from this incident investigation, the NTSB concludes
that the battery failure did not result from overcharging, overdischarging, external short
circuiting, external heating, installation factors, or environmental conditions of the airplane.
Specifically, EAFR data before the event did not show any evidence of the battery being charged
to a level above the designed operating voltage, the battery being discharged to a level below the
overdischarge threshold, or any high-current discharges that could be associated with an external
short circuit. The EAFR data showed no preexisting battery failure messages indicating that the
overdischarge protection circuit had activated. In addition, examination of the aft E/E bay (where
the APU battery was installed) showed no evidence of external short circuits, such as chafing on
the battery cables, or external sources of heat, mechanical damage, or electrical abuse that could
have initiated the battery failure.
Individual component tests (including those for the BCU, SPU, and APU controller) and
integrated system tests, which included a BCU and other battery-related components, found no
evidence indicating that external components were related to the battery failure. Vibration testing
was performed at levels that exceeded in-service levels without damage that could lead to battery
failure. A battery-level test showed that condensation could occur within the battery and result in
a shorting path between the cell and battery cases, and a cell-level test with moisture showed that
a cell failure could occur and result in arcing, shorting, and heat damage internal to the cell
header. However, the damage observed during the cell-level test was not found in the cell header
from the incident APU battery. In addition, airplane flight test data did not show any abnormal
electrical transients that could lead to battery failure.
External observations of the battery case showed more thermal damage on the right side
of the case than the left side. The right aft corner of the battery case showed the most thermal
damage and the most damage to the case lid and its fastening points. The right aft area
corresponded to the positions of cells 5 and 6.
The inside of the battery case, the BMU sensing wiring harness, and the lower and upper
fixation trays showed the most thermal damage in the areas near cells 5, 6, and 7. The insulating
material between the cells was the most damaged in the areas adjacent to cells 5 through 8.
Further, cells 5 through 8 vented, and the petals of their vent discs were splayed out, indicating
that the cells vented under high pressure. Cells 1 through 3 also had ruptured vent discs, but they
remained mostly in the same plane as the vent opening, indicating that the venting occurred with
less force than the venting for cells 5 through 8. This evidence showed that the initiating thermal
event and subsequent thermal runaway of additional cells began on the right side of the battery
where cells 5 through 8 were located.
CT scans of the battery showed that the aft side of cell 8 had expanded into cell 7 and that
cell 7 appeared to have expanded into cell 6, indicating that cell 8 vented after cell 7 and that
cell 7 vented after cell 6. CT scans and examinations showed that side 3 of cell 6 (which was
closest to cell 5) was slightly convex with a flat area in the middle of the cell. CT scans and
NTSB Aircraft Incident Report
57
examinations also showed that side 1 of cell 5 (which was closest to cell 6) was convex with a
concave-to-flat area in approximately the middle of the cell. Although the sequence of whether
cell 5 or cell 6 expanded first could not be determined due to the complexity of these features,
the NTSB was able to determine that the thermal event initiated in a single cell.
Cells 5 and 6 exhibited comparable internal thermal damage, including the melting of the
aluminum cathode, no remaining separator or other insulating materials, and fused current
collector fingers. Cells 5 and 6 also showed evidence of internal short circuiting, including
pinholes, radiating patterns, and thermal discoloration. The lower and upper fixation trays were
more thermally damaged in the position of cell 6, and cell 3 (across from cell 6) exhibited the
most thermal damage of the cells on the left side of the battery. Cell 7 also sustained internal
thermal damage similar to cells 5 and 6, including two pairs of fused current collector fingers.
This thermal damage pattern, centered about the position of cell 6 and extending to cells 5, 7,
and 3, is consistent with the battery thermal event originating in cell 6.
The NTSB and UL’s postincident testing on individual cells showed that an internal short
circuit could cause current collector fingers to fuse open and lead to failure of a cell.
114
Data
recorded during these tests showed a distinctive trace in which the cell voltage initially
decreased, abruptly recovered, and then decreased to zero volts. The incident EAFR recorded a
decrease in battery voltage followed by a single recovery in voltage and then a drop in voltage to
a level consistent with one failed cell in the battery. Visual examinations and CT scans showed
that one set of cell 5 aluminum current collector fingers (in the center winding) had fused open
and that two sets of cell 6 aluminum current collector fingers (in the winding closest to cell 5 and
the center winding) had also fused open.
During the individual cell tests in which two sets of aluminum current collector fingers
fused open as a result of an internal short circuit, the recorded data showed two separate voltage
decreases with two recoveries, which were not seen in the incident EAFR data. In addition, a full
battery test that simulated an internal short circuit (via nail penetration) in cell 6 showed arcing
between cell 6 and the center brace bar, which was not found in the incident battery. The
similarity between the voltage drop behavior observed during testing for a single pair of fused
current collector fingers and the EAFR data from the incident and the lack of welding between
cell 6 and the center brace bar are consistent with an internal short circuit originating in cell 5.
The NTSB concludes that the battery failure resulted from an internal short circuit that
occurred in cell 5 or cell 6 and led to thermal runaway that propagated to adjacent cells. The
thermal damage to the battery cells precluded a determination of the cause of the internal short
circuit, and postincident laboratory testing and subsequent engineering analysis of potential
failure modes were unable to determine the precise cause of the internal short circuit.
Possible
causes for cell internal short circuits are discussed in sections 2.3 and 2.4.
114
The NTSB and UL’s testing showed that, when current collector fingers fused open only in the center
winding, that winding had to be the initiation point of the internal short circuit rather than initiation due to heat from
an adjacent cell or winding.
NTSB Aircraft Incident Report
58
2.2 Emergency Response
The response to the incident was timely. According to airport security camera video, the
five BOS ARFF vehicles that responded to the incident did not experience any delay from initial
notification to arrival at the scene. The ARFF truck that was positioned near the incident airplane
responded to the event within 1 min of initial notification, and the four other ARFF vehicles
arrived on scene within 2.5 min of initial notification. The firefighting procedures used during
the incident, including the use of Halotron, were appropriate and consistent with guidance in
effect at the time.
115
The incident commander decided to have the APU battery removed from the airplane
once the intensity of the battery fire diminished. ARFF personnel encountered difficulties in
removing the battery from its installation location, especially given that they could not readily
access the battery’s quick disconnect knob. One of Boeing’s postincident changes to the battery
and its installation involved placing the redesigned battery into a sealed stainless steel enclosure
connected to a duct that was intended to allow heat, pressure, and gases resulting from a battery
failure to vent outside of the airplane. As a result of this change, Boeing created and distributed
firefighting procedures for events involving the main and APU lithium-ion battery. These
procedures advise ARFF personnel to allow a battery undergoing thermal runaway to vent
overboard and then stand by to monitor for additional fire. Thus, during active venting of the 787
main or APU battery, it is no longer necessary for ARFF personnel to enter the E/E bay.
116
2.3 Cell Manufacturing Concerns
GS Yuasa stated that it manufactured the incident battery according to drawing
specifications provided by Thales and Boeing, and GS Yuasa’s and Boeing’s FAI processes
showed that the battery complied with Boeing’s acceptance and quality control requirements.
However, the NTSB’s observations of GS Yuasa’s cell manufacturing process identified several
concerns.
First, the manual cell winding flattening process can create perturbations (that is,
electrode foil buckling) in the windings. Such perturbations (see figure 16) were visually
consistent with the wrinkles found in the CT scans of LVP65-8-402 exemplar batteries and those
115
On June 12, 1995, the FAA issued CertAlert 95-03, which described the approved use of Halotron in airport
firefighting operations. Also, Safety Alert for Operators 09013, “Fighting Fires Caused By Lithium Type Batteries
in Portable Electronic Devices,” which was issued on June 23, 2009, stated that a Halon replacement (Halotron)
could be used to prevent the spread of such fires to other flammable materials. At commercial airports, Halotron has
been effectively used to fight fires in areas with sensitive electrical equipment, such as that in the aft E/E bay. In
January 2014, the FAA issued a report indicating that, for consumer electronic devices, water was “the most
effective” in suppressing lithium-ion battery fires and preventing thermal runaway propagation (FAA 2014). The
report did not address the use of water for suppressing fires involving large, permanently installed, rechargeable
lithium-ion batteries, such as the 787 main and APU battery.
116
According to Boeing, if the battery is not venting or when active venting is complete, firefighters should
enter the E/E bay to ensure that no visible fire source exists. If a visible flame is present, Halon (or Halotron) is the
recommended agent for suppressing the fire. Boeing procedures indicated that the battery pack should not be
disconnected from the airplane’s electrical system by using the quick disconnect knob or cutting the battery cables.
NTSB Aircraft Incident Report
59
observed during DPAs of the main battery on the incident airplane (as discussed later in this
section). The windings are predisposed to such defects because flattening a round cylindrical
object into an oval cylindrical object can cause uneven deformation and distortion due to the
non-uniform distribution of stress, which results in buckling in areas of compressive stress. Also,
subsequent swelling and contracting of the electrodes during charging and discharging can
further exacerbate perturbations within the winding layers.
Second, two of the welding operationsultrasonic welding of the current collectors to
the winding and tungsten inert gas welding of the cell header to the cell caseoccur in an area
where internal cell components are also assembled. Welding can generate FOD in the form of
weld spatter and small metallic particles that become airborne. No physical shielding was used at
the tungsten inert gas weld station to isolate this FOD-generating process from adjacent
FOD-sensitive processes, such as those involving internal components of nearby open cells.
Even though the ultrasonic welding machine incorporated a vacuum system to mitigate the
amount of FOD generated, this process was observed generating airborne FOD.
Third, some of the cell manufacturing processes were not consistent with industry
practices.
117
For example, production of wound prismatic (rectangular-shaped) battery cells is
typically performed on a flattened elliptical or rectangular mandrel, which reduces the chance for
perturbations and folds during winding, but GS Yuasa used a cylindrical mandrel during the
winding process.
The cell electrolyte filling process was also inconsistent with industry practices. The
electrolyte was filled in three iterative steps to prevent overflow followed by a precharge to low
voltages after each step. GS Yuasa stated that the cell’s solid electrolyte interphase (SEI) layer
does not form during the precharging process because the final precharge brings the battery to
20% state of charge.
118
Industry practices for electrolyte filling include one-step filling followed
by a full charging sequence to develop the SEI layer. Developing the SEI layer is important
because it allows safe cell operation during normal charging and discharging, and disruption of
the SEI layer could lead to internal short circuiting. It is unknown whether GS Yuasa’s
precharging process affects the development of the SEI layer or the chemical properties or
performance aspects of the cell. GS Yuasa representatives stated that the company has not
studied the effect of its iterative electrolyte filling process on battery safety. Thus, the safety
effect of GS Yuasa’s precharging process during the electrolyte filling process is unknown.
119
Last, GS Yuasa used CT equipment during the postassembly inspection process to ensure
that the current collectors were properly welded to the winding edges and that FOD was not
117
The industry practices discussed in this section were based on information from (1) discussions with
industry personnel, including those from the Naval Surface Warfare Center, Carderock Division; the US Department
of Energy; and TIAX; and (2) site visits to other battery manufacturer plants.
118
During the full initial charge and discharge of a cell, the surface of the anode forms the SEI layer.
119
Although the NTSB did not observe the electrolyte filling process during its visit to GS Yuasa, the NTSB
did observe dried material consistent with solid electrolyte residue on the electrolyte filling container and tube,
which was not consistent with industry practices because superfluous solid material introduced into a battery cell
could interfere with the battery charging and discharging processes.
NTSB Aircraft Incident Report
60
enclosed in a cell. However, the resolution settings of GS Yuasa’s CT equipment was such that
many internal cell features, including individual winding layers, could not be identified during
the NTSB’s visit to GS Yuasa’s facility. As a result, perturbations in the windings and
small-sized FOD and burrs might not be recognized with the CT equipment used at the time of
the NTSB’s visit. GS Yuasa stated that it was not aware that FOD might not be visible on the
company’s CT scans.
GS Yuasa’s CT scans also did not detect features that the NTSB, TIAX, and UL
identified during this investigation. For example, TIAX’s and UL’s DPAs of cells from the main
battery on the incident airplane found cell windings with numerous wrinkles, folds, and
creases.
120
Also, the NTSB’s CT scans of the eight cells in each of the five exemplar batteries
(including the main battery from the incident airplane) revealed wrinkled windings, cell-to-cell
inconsistencies in the clearances between the current collector fingers and the cell case sides, and
variances between the rivet heads of the terminals and the top of the cell windings. GS Yuasa
indicated that it did not know whether such features could result from its LVP65 cell
manufacturing process and that it did not have a process to inspect for the features.
Manufacturing defects, including FOD, burrs on component edges, and perturbations in
windings (which were visually consistent with the wrinkles found in postincident CT scans and
cell teardowns), are known to lead to local lithium deposits, perforation of the separator layer, or
shorting between electrodes (Mikolajczak and others 2011). During the UL and TIAX DPAs of
battery cells from the main battery on the incident airplane, silver-colored deposits consistent
with lithium metal were observed adjacent to wrinkles (that is, those features that were visually
consistent with perturbations). According to GS Yuasa representatives, the company has not
studied the effects of folds and wrinkles on battery safety, performance, and reliability.
GS Yuasa monitors for “wrinkles” (that is, visible longitudinal or diagonal surface
creases) in the anode and cathode foils before the winding process but does not monitor for
features such as perturbations formed during the winding, flattening, and assembly processes.
Further, although GS Yuasa stated that it had a formal process for actively monitoring for and
controlling burrs, GS Yuasa’s process for monitoring for FOD was not a formal standardized
quality control process for locating, reducing, and preventing FOD generation during the cell
assembly process.
GS Yuasa performed most of its quality control inspections after a cell was fully
manufactured and indicated that less than 1 percent of manufactured cells were rejected. This
low rejection rate could be the result of few defects to detect; however, most of the evidence
(that is, poor internal manufacturing steps along with the lack of a formal inspection for
manufactured defects) indicated that GS Yuasa’s inspection process did not adequately screen
for defects that developed during the manufacturing process. GS Yuasa’s checks during the
manufacturing process relied on visual inspection rather than formal sampling processes that
included rejection or acceptance criteria.
120
The wrinkles and folds can modify the anode-to-cathode ratio locally, resulting in lithium deposits on the
anode surface.
NTSB Aircraft Incident Report
61
Vigilance decrements might also have played a role in the inadequate inspection process.
GS Yuasa indicated that personnel involved with cell manufacturing for LVP-8-402 batteries
worked 8-hour shifts. The visual inspection tasks performed by these personnel were vigilance
tasks.
121
Human factors research on inspection indicates that, as time on task increases, defects
are more likely to be missed, especially if they seem to rarely occur (Fisher and others 2006,
997-1024).
122
Industry research on lithium-ion battery hazards showed that, about the time that the
LVP65 cells were being manufactured, cell failures in various industries had been caused by,
among other things, internal faults resulting from manufacturing defects (Mikolajczak and others
2011). However, GS Yuasa did not establish its cell manufacturing process to minimize the
potential for manufacturing defects or develop formal inspection criteria of the cells that would
reliably identify any defects that were introduced during the process.
Although GS Yuasa was responsible for manufacturing the 787 main and APU battery
and cells, Thales was responsible for providing Boeing with consistent and safe power
conversion subsystems (which included the main and APU battery systems) for 787 airplanes.
Thales audited GS Yuasa in June 2011 and September 2012, and all of the discrepancies noted in
the audits were subsequently addressed. However, none of the discrepancies were related to cell
features, such as perturbations created and FOD generated, from GS Yuasa’s cell manufacturing
process. Postincident interviews revealed that Thales did not recognize that such features could
result from the cell manufacturing process or that GS Yuasa’s quality controls were not
established to detect these features.
Boeing and FAA personnel did not conduct any audits of GS Yuasa before the incident.
(Boeing stated that it relied on Thales to audit its subtier suppliers.) Boeing, as the production
approval holder (that is, the holder of a production certificate), provided oversight to ensure that
its contracted suppliers of the 787 power conversion subsystem adhered to their approved quality
control system for the manufacturing of subsystem components. The FAA provided oversight of
Boeing to ensure that (1) its contracted suppliers followed approved procedures for the production of
products, articles, and parts that conformed to Boeing’s approved type design and (2) such products,
articles, and parts were airworthy and safe for operations. However, given the observations
discussed above about GS Yuasa’s cell manufacturing process, Boeing’s and the FAA’s
oversight of suppliers manufacturing the 787 power conversion subsystem components could
have been more effective.
The NTSB concludes that GS Yuasa’s cell manufacturing process allowed defects that
could lead to internal short circuiting, including wrinkles and FOD, to be introduced into the
121
The NTSB notes that visual inspection tasks performed during 8-hour workdays can lead to vigilance
decrements. At the time of the NTSB’s visit to GS Yuasa, personnel involved with cell manufacturing were working
12-hour shifts because of the demand for new LVP65-8-403 batteries after the 787 returned to flight.
122
The greatest performance decrements are expected within the first 30 minutes of time on task; during that
time, performance can be reduced as much as 30% but is typically reduced no more than 10% (Teichner 1974,
339-353). A 30% performance decrement is more likely for a highly detectable signal (defect) during a 3-hour
period.
NTSB Aircraft Incident Report
62
Boeing 787 main and APU battery. Therefore, the NTSB recommends that GS Yuasa (1) review
its cell manufacturing processes to minimize or prevent defects that could affect cell safety and
(2) ensure that its employees are properly trained to identify and eliminate these defects. The
NTSB also recommends that Boeing develop or revise processes to establish more effective
oversight of its suppliers (including subtier suppliers) to ensure that the product being
manufactured adheres to established industry standards. Further, the NTSB recommends that the
FAA develop or revise processes to establish more effective oversight of production approval
holders and their suppliers (including subtier suppliers) to ensure that they adhere to established
manufacturing industry standards.
2.4 Thermal Management of Large-Format Lithium-Ion Batteries
Testing performed during the investigation showed that a cell in a 787 battery assembly
generated localized high-temperature conditions during maximum current discharge. This
measured high temperature was above the allowable design maximum temperature, which could
lead to an internal short circuit and cell thermal runaway. This section describes those test results
and discusses the importance of ensuring that large-format lithium-ion battery and cells are
sufficiently designed and monitored to prevent degradation that can lead to cell thermal runaway.
2.4.1 Battery Internal Heating During High-Current Discharge
The NTSB and UL performed testing on an exemplar 787 battery to evaluate the battery’s
performance during discharge under the highest currents that the battery was rated to carry. The
testing included simulated APU starts at 77ºF and 32ºF with a high-current load. The battery cell
design used riveted joints (part of the terminal assembly in the cell headers) as part of the current
conduction path into and out of the cells. The simulated APU start tests revealed significant
localized heating near the aluminum rivets of one of the test battery’s cells. The temperature
change was the greatest during the discharge phase of repeated battery charge and discharge
cycles at lower temperatures.
123
The affected cell, located in position 5 of the test battery, began
to exhibit a more substantial temperature rise in the area of the aluminum riveted joint compared
with the temperature rise in other cells in the battery after the first full charge/discharge cycle of
the test. During the subsequent test cycles, the affected cell’s temperature increased
progressively to a maximum temperature of 315ºF near this joint.
Post-test measurement of the riveted joint of the affected cell showed a significant
increase in contact resistance (three orders of magnitude) between the aluminum rivet and the
current collector compared with the contact resistance of cells from another
787 battery.
124
Because the heating occurred during periods of maximum current draw on the
123
In this context, a cycle comprises three high-current discharges followed by one charge. The battery was
allowed to stabilize after each cycle.
124
The affected cell’s post-test contact resistance measured between the aluminum rivet and the current
collector was 74.5 milliohms, whereas the resistance in the same location for a cell from another battery was
0.030 milliohm. The Boeing battery SCD required contact resistance for new components to be less than
0.025 milliohm.
NTSB Aircraft Incident Report
63
battery and was localized to the area of the riveted joint, the NTSB and UL determined that the
source was resistive heating resulting from current through the area of high contact resistance.
125
The cell’s windings were also a source of resistive heating during the simulated APU start
testing, with the most significant heating occurring at 32ºF.
126
Although all of the battery cells
would have been affected by this heating, only cell 5 showed excessive localized heating near the
cell’s aluminum riveted joint.
This testing also showed that the heat generated inside the battery during the heaviest
current loading condition of a full APU start could expose a cell to temperatures exceeding the
maximum approved operating temperature of the battery (158ºF) without detection by the
battery’s monitoring system. Post-test disassembly and examination of the affected cell showed
thermal degradation (melting) along the edges of the cell’s separator in the location where the
aluminum current collectors attached to the cell windings, indicating that the cell’s maximum
temperature (at the aluminum riveted joint) exceeded the melting temperature of the separator.
127
The post-test examination of the affected cell also showed that the excessive temperature of the
cell caused (1) softening and deformation of the plastic insulator material positioned between the
aluminum rivet, the aluminum current collector, and the cell case to provide a hermetic seal at
each rivet and (2) electrolyte leakage through the riveted joint.
128
Moisture entering the cell and
electrolyte exiting the cell due to the softening and deformation of the seal could degrade internal
cell chemistry and lead to cell failure, including thermal runaway.
The NTSB reviewed the design of the 787 main and APU battery cells to determine
potential causes of the resistive heating observed near the aluminum rivets. The Boeing SCD for
the battery stated that “connector contacts shall be designed to carry the same or better electrical
current as the equivalent wire size.” However, the aluminum rivet used in the 787 main and APU
battery cell had a smaller cross-sectional area than would be required, according to the American
Wire Gauge standard, for a wire rated to carry an equivalent current. Further, the Boeing SCD
for the battery required terminal attachments to have “a complete metal-to-metal compression
system.” Examination of the rivet assemblies showed that the riveted joint had no springs or
125
The electrical contact resistance between mated components (such as an aluminum rivet and a current
collector) is a function of the real contact surface area between interfacing parts of a joint, contact pressure between
mating surfaces, surface topography, and the presence of an oxide on mating surfaces, among other factors. The
smaller the contact area between interfacing parts of the joint, the higher the resistance to current flow, and the more
heat generated. The heat generated when a current is passing through a conduction path is directly proportional to
the square of the current multiplied by the resistance of the conduction path.
126
Testing performed by the NTSB and UL showed that, as the 787 main and APU battery approached
temperatures below 32ºF, the battery’s efficiency decreased such that 30% of the discharge energy was released as
heat instead of usable electrical energy at 0ºF. This heat loss was the result of both electrochemical and resistive
heating losses in the cell windings, which increased at colder temperatures. (Lithium-ion cells normally heat during
discharge as a result of the electrochemical reaction that occurs within the battery cells. Heat is also produced as a
result of resistance in electrical current conduction paths within the battery and cells.)
127
Boeing’s EPS safety assessment indicated that heat-induced shrinkage of a cell separator, such as that
observed after the NTSB and UL’s testing, is a potential cause of cell internal short circuiting and could lead to
thermal runaway.
128
According to UL, the thermoplastic seals used between the rivets, the cell case, and the current collector can
permanently deform when exposed to temperatures between about 176ºF and 230ºF under load.
NTSB Aircraft Incident Report
64
other compression devices.
129
Thus, the aluminum riveted joint assembly could be a significant
source of resistive heating during maximum current discharge conditions for the 787 main and
APU battery. Proper sizing of electrical components and positive retention of pressure in a joint
are essential in preventing resistive heating, particularly during the most severe discharge current
levels for the battery (that is, those that occur during a full APU start).
Another potential cause of the resistive heating was the poor electrical connection
between the rivet and current collector components in the riveted joint. During the APU start
tests, the excessive heating in the joint became evident only after the affected cell had
successfully completed earlier cell- and battery-level simulated APU starts, indicating that the
electrical connection between the rivet and current collector components degraded with
continued usage. Proper design, manufacture, and damage tolerance of electrical connections
among the components of a joint intended to transmit current through the cells is critical to
minimize resistive heating inside the battery under the most severe operating conditions during
repeated charge and discharge cycles. Testing of large-format lithium-ion batteries designed to
carry large currents (similar to the 787 main and APU battery) for other applications showed that
heat generated by poorly formed joints can flow toward the internal battery and cell structure,
resulting in a considerable temperature increase that can lead to thermal runaway (Taheri and
others 2011, 6525-6533).
After the BOS and TAK battery incidents, Boeing modified and recertified the 787 main
and APU battery design to prevent a full battery thermal runaway resulting from a cell internal
short circuit. The redesign also included a stainless steel enclosure designed to mitigate the
effects of a full battery thermal runaway if it were to occur, even though FAA Special
Conditions 25-359-SC did not require this enhanced level of mitigation.
130
Preventing cell
thermal runaway by minimizing sources of heating is critical to the safety of future lithium-ion
battery designs. However, current industry standards for the design and qualification of
permanently installed, large-format, rechargeable lithium-ion batteries used on civil aircraft do
not include guidance on industry best practices to minimize internally generated sources of
heating, such as resistive and electrochemical heating, in the design and manufacture of these
batteries.
Identifying and minimizing all sources of heating generated within a large-format
lithium-ion battery during operation (particularly heating that can be localized to a cell as a result
of electrical current flow through components, connections, and cell windings at lower
temperatures) are important parts of the battery’s design and manufacturing processes. These
129
Without such devices, additional causes of joint degradation could include thermal shock, torque applied to
the terminal during assembly, bending of the current collectors during the manufacturing of the cell header
assembly, manufacturing errors, or the stress created within various cells when the battery is subjected to
temperature extremes. A NASA technical standard requires that clamping pressure across semipermanent joints
(such as those containing rivets) be consistent with applicable mechanical engineering assembly and installation
requirements (NASA 2013).
130
According to Boeing, the redesigned battery system included changes to prevent and isolate a fault if one
were to occur. The redesign incorporated multiple layers of protection, including the new enclosure, to ensure that
there would be no impact to the airplane and no possibility of fire if a battery failed. The enclosure was designed to
keep any amount of battery overheating from affecting the airplane.
NTSB Aircraft Incident Report
65
actions are necessary to account for the cumulative effects of electrochemical and resistive
heating within a cell or in other locations within the battery to minimize the possibility that a cell
(or cells) could be exposed to temperatures above allowed operational limits during high-current,
low-temperature discharging that could cause permanent damage to a cell and lead to thermal
runaway.
The NTSB concludes that the thermal protections incorporated in large-format
lithium-ion battery designs need to account for all sources of heating in the battery during the
most extreme charge and discharge current conditions and protect cells from damage that could
lead to thermal runaway. Therefore, the NTSB recommends that the FAA work with aviation
industry experts to develop or modify design safety standards for large-format lithium-ion
batteries to require that sources of excessive heating, including electrical contact resistance from
components and connections, be identified, minimized, and documented as part of the design.
The standards should include measures for identifying and minimizing potential sources of
heating that consider the range of operating temperatures and the most extreme electrical
currents that the battery could be expected to experience during repeated charge and discharge
cycles.
2.4.2 Cell-Level Temperature and Voltage Monitoring
FAA special condition 1 (see appendix B) required the 787 main and APU battery to
maintain safe cell temperatures during any foreseeable charging or discharging condition and any
failure of the charging or battery monitoring system not shown to be extremely remote.
Maintaining safe cell temperature is critical because, once a cell heats to the point that the SEI
layer degrades or the separator becomes thermally damaged, an internal short circuit and thermal
runaway can occur. Further, as shown by the affected cell in the NTSB and UL’s simulated APU
start tests, localized heating of the cell to excessive temperatures occurred rapidly and went
undetected by the BMU when the battery was discharged at its maximum current rating. Thus,
the thermal management protections incorporated into the battery did not detect the developing
temperature exceedance and prevent the cell from reaching an unsafe temperature.
The 787 main and APU battery was designed to measure temperature only on two cell
bus bars and not at each cell. The NTSB and UL’s simulated APU start tests showed that the
temperature sensors on the bus bars recorded a peak value that was less than the cell temperature
at the aluminum riveted joint. Thus, the temperature measured on the bus bars did not accurately
reflect actual cell temperatures. In addition, the temperatures measured on the bus bars are not
recorded by the BMU or at another location in the airplane. Accurate temperature data at the cell
level, when monitored and recorded, could allow the battery monitoring system to (1) detect a
rise in cell temperature and take actions before the temperature exceeded safe limits and caused
damage and (2) provide timely notification to the flight crew or maintenance personnel if
required.
Special condition 7 addressed voltage monitoring to prevent overcharging that could lead
to thermal runaway. During the NTSB and UL’s simulated APU start testing on individual cells,
cell voltages (in millivolts) were found to be an important indicator of battery health and could
NTSB Aircraft Incident Report
66
thus be used to mitigate failures. Also, during cell abuse testing, a drop in voltage of an
individual cell preceded thermal runaway and venting.
131
The 787 main and APU battery design
incorporated provisions to monitor each cell’s voltage and inhibit discharging of the battery
below a specified voltage to protect the cells against overdischarge. Comparing the voltage drops
of various cells during discharge could allow the BMU to inhibit subsequent charging or
electrically isolate the cell to minimize further damage to the battery. The voltages measured by
the sensors on the 787 cell bus bars were not recorded, and design standards do not require
voltage data to be recorded. These data, if recorded, could provide maintenance or engineering
personnel with trend data or other important information that could be used to determine the
cause of a cell failure.
The NTSB concludes that more accurate cell temperature measurements and enhanced
temperature and voltage monitoring and recording could help ensure that excessive cell
temperatures resulting from localized or other sources of heating could be detected and
addressed in a timely manner to minimize cell damage. Therefore, the NTSB recommends that
the FAA work with aviation industry experts to develop or modify existing safety standards
related to the design of permanently installed lithium-ion batteries to require monitoring of
individual cell temperature and voltage and recording of exceedances to prevent internal cell
damage during operations under the most extreme operating temperatures and currents. The
NTSB also recommends that, once the guidance requested in Safety Recommendation A-14-115
has been issued, the FAA require type certification applicants to demonstrate that the battery
monitoring system maintains each individual cell within safe temperature limits at the most
extreme battery operating temperatures and the heaviest electrical current loads approved for
operation. In addition, the NTSB recommends that the FAA work with lithium-ion industry
experts to (1) conduct research into battery monitoring system technologies that could improve
the recognition of conditions leading to thermal runaway, (2) develop active mitigation of such
conditions to minimize damage, and (3) update design and safety standards accordingly.
2.4.3 Thermal Safety Limits for Cells
Boeing established the 787 main and APU battery’s maximum operating temperature
(158ºF) at the same maximum operating temperature as that for nickel-cadmium batteries
installed in other airplane models. The NTSB and UL’s ARC testing on 787 main and APU
lithium-ion battery cells determined that the cell began to self-heat at 144ºF.
132
Maintaining cell
temperature at or just above a cell’s self-heating threshold for an extended period of time could
131
For example, the testing found that about 0.8 second elapsed between the time that an initial failure in a cell
(as indicated by a 20-millivolt voltage drop) was detected and the time when the cell went into thermal runaway and
vented.
132
Different types of cell-level testing are available to determine the onset of cell damage and objectively
establish limits for the battery monitoring system to provide a margin of safety. The ARC test is a well-documented
technique that slowly heats cells in adiabatic conditions to document the heat absorbed or generated by the cells.
NTSB Aircraft Incident Report
67
result in thermal runaway.
133
Thus, the upper temperature limit of the 787 battery was
inappropriate for the cell materials.
GS Yuasa did not use the self-heating threshold to determine the safe temperature limit
for the 787 battery. Instead, GS Yuasa determined the safe cell temperature by conducting a test
in which cell temperatures were elevated until cell venting occurred; in another set of tests, the
cells were exposed to reduced temperatures for varying durations, and no cell venting occurred.
These test methods were inadequate because the cells might not have been at elevated
temperatures long enough to go into thermal runaway from the breakdown of cell materials. The
temperature at which cell self-heating begins can be an objective measure for establishing a
battery’s margin of safety.
Thermal runaway due to overheating can occur either rapidly when a cell is exposed to
temperatures that are high enough to melt the separator or slowly as the cell’s SEI layer degrades
when above the self-heating temperature. Research showed that SEI layer damage is cumulative
and that the thermal degradation of some commercial cells, when maintained at their self-heating
temperature, continued for 2 days before thermal runaway occurred (Mikolajczak and others
2011).
As previously stated, FAA special condition 1 required the 787 main and APU battery to
maintain safe cell temperatures during any foreseeable charging or discharging condition and any
failure of the charging or battery monitoring system not shown to be extremely remote.
However, current aviation industry standards do not define methods to determine safe cell
temperature limits. Such standards exist for non-aviation-related applications.
134
The NTSB concludes that determining the initial point of self-heating in a lithium-ion
cell is important in establishing thermal safety limits. Therefore, the NTSB recommends that the
FAA work with industry experts to develop appropriate test methods for determining the initial
point of self-heating in a lithium-ion cell to establish objective margins of thermal safety for
future battery designs.
2.5 Certification Process
Type certification is a regulatory process that the FAA uses to ensure that aircraft product
designs comply with applicable Federal Aviation Regulations and, as in this case, applicable
special conditions. The 787 main and APU lithium-ion battery design was evaluated and
approved as part of the Boeing 787 type design certification program. Although the investigation
of this incident found that thermal runaway of a cell (due to an internal short circuit within a
133
According to a NASA technical memorandum, “above a threshold temperature, a ‘self-heating’ condition
could occur due to exothermic reactions occurring internally within the cell. Such reactions may include reactions
between lithium and electrolyte and the thermal decomposition of internal cell components. If the internal heat
generation is allowed to continue, a catastrophic cell ‘thermal runaway’ condition could occur, which would be a
serious safety concern for a manned application”(Baldwin and others, 2010).
134
For example, see Sandia National Laboratories’ electrical energy storage system abuse test manual for
electric and hybrid electric vehicles (Doughty and Crafts, 2006).
NTSB Aircraft Incident Report
68
single cell of the APU battery) propagated to other cells and resulted in thermal runaway of the
battery and fire, this design vulnerability was not identified during the certification of the
787 battery installation.
The NTSB’s investigation of this incident found that more effective implementation of
the certification process for designs incorporating new technology could be achieved through
improvements in several focused areas. These areas include validation of the assumptions made
and the data used in preliminary and final safety assessments developed during certification
programs and the manner in which the FAA evaluates methods of compliance with special
conditions during the certification process, as discussed in sections 2.5.1 and 2.5.2, respectively.
Improvements in these areas could help foster better interactions between type design applicants
and the FAA to ensure the completeness of data used by the applicant to demonstrate compliance
with FAA requirements.
2.5.1 Validation of Assumptions and Data Used in Safety Assessments Involving
New Technology
To effectively show compliance with FAA requirements during the certification process,
Boeing needed to identify all foreseeable ways that 787 main and APU battery failures could
cause the identified airplane-level hazards of venting with smoke and fire (classified by Boeing
as a catastrophic event) or venting with or without smoke (classified by Boeing as a hazardous
event).
Boeing recognized that the propagation of cell-to-cell thermal runaway was a failure
condition that could result from an internal short circuit in a single battery cell and evaluated this
failure condition using the results of GS Yuasa’s November 2006 development nail penetration
test.
135
As stated in section 1.7.3, the nail penetration test results showed that the surface
temperature of the nail-penetrated cell increased, smoke vented from the cell and the battery
case, and the surface temperature of the adjacent cells increased with no venting. As a result of
this test, Boeing, Thales, and GS Yuasa determined that an internal short circuit in a single cell
that resulted in thermal runaway would not propagate to other cells within the battery case or
generate a fire.
Boeing and Thales performed preliminary and final EPS safety assessments, which
included fault tree analyses, FMEAs, and failure rate data provided by GS Yuasa. These
assessments considered internal short circuit failures but were developed with the underlying
assumption that the most severe effect of an internal short circuit within a cell would be limited
to venting of only that cell without fire and propagation to other cells. Thus, the potential for an
internal short circuit to lead to multiple-cell or battery thermal runaway with venting, electrolyte
leakage, excessive heat, and fire was not analyzed in the safety assessment.
As shown by the circumstances of the BOS incident, the assumption that thermal
runaway of a cell would not propagate to other cells within the battery case was incorrect.
135
Boeing, Thales, and GS Yuasa indicated that other battery-level development nail penetration tests were
performed, but no documentation of those tests and their results was available for the NTSB’s review. For
information about these tests, see the addendum to the System Safety and Certification Group Chairman’s Factual
Report, which is available at www.ntsb.gov in the public docket for this incident.
NTSB Aircraft Incident Report
69
Validation of assumptions related to failure conditions that can impact safety is a critical step in
the development and certification of an aircraft. The validation process must employ a level of
rigor that is consistent with the potential hazard to the aircraft in case an assumption is incorrect.
Society of Automotive Engineers (SAE) Aerospace Recommended Practice (ARP) 4754
provides a structured process for managing and validating assumptions with steps that include
ensuring that assumptions are explicitly stated, appropriately disseminated, and justified by
supporting data (SAE 2010).
136
The ARP notes that validating assumptions can be accomplished
using reviews, analyses, and tests.
Development testing is often necessary to validate important design assumptions, but the
nail penetration test performed by GS Yuasa did not adequately account for a number of factors
that were relevant to propagation risk. For example, the test was not conducted at the battery’s
maximum operating temperature of 158ºF, and the test setup did not fully represent the battery
installation on the 787 airplane.
137
Also, the test did not include repeated trials of inducing
thermal runaway of a cell in multiple batteries to understand how the repeatability of these tests
could impact the validity of the test results. Further, the test was performed using a development
unit that did not incorporate the final battery design certified as part the 787 type design.
138
Other development tests were performed to evaluate various aspects of the 787 battery’s
performance, including the July 2009 integrated system test at UTC Aerospace Systems’ APSIF.
This test was not designed to evaluate internal short circuiting effects or the cell-to-cell
propagation risk. During the test, the battery was unintentionally charged at an excessive rate,
which resulted in the venting of a single cell. Although the thermal runaway of that cell did not
propagate to other cells within the battery case, the results of this test should not have been
considered to be confirmation of the results of GS Yuasa’s 2006 nail penetration test because the
APSIF test was not designed to examine engineering factors that could likely influence whether
136
SAE ARP 4754 is an industry guideline that addresses design development for civil aircraft systems with
failure modes that could affect the safety of aircraft on which the systems are installed. SAE ARP 4754 defines
validation as “the determination that the requirements for a product are correct and complete. The original version
of the ARP, “Certification Considerations for Highly-Integrated or Complex Aircraft Systems,” was issued in
November 1996 and was in use at the time of the 787 certification program. The current version of the ARP,
revision A, was issued in December 2010 and was retitled, Guidelines for Development of Civil Aircraft and
Systems. The revised guideline was expanded to include all types of aircraft certification programs and not just
those incorporating highly integrated or complex systems.
137
The NTSB and UL’s postincident nail penetration testing with an ungrounded battery at the battery’s
maximum operating temperature showed that thermal runaway of a single cell propagated to all other cells inside the
battery case. Also, the JTSB conducted a heat propagation test on three 787 main and APU batteries. During all
three tests, an internal short circuit was initiated in a single cell of each test battery using the nail penetration
method. According to the JTSB’s final report on the TAK incident, propagation of thermal runaway to multiple cells
within the battery occurred during two of the three tests. For both of these tests, the battery was connected to the
BCU, and the battery case was grounded, simulating the actual configuration as installed on the airplane. One of
these tests was conducted at 158ºF, and the other test was conducted at 86ºF. The test involving the ungrounded
battery case (during which no propagation occurred) was conducted at 86ºF.
138
According to Boeing, Thales, and GS Yuasa, electrolyte leakage was observed during two engineering
(noncertification) cell vent tests in September 2009; as a result, the battery case design was modified to incorporate
additional sealing to prevent electrolyte leakage. Also, the preproduction battery design used during GS Yuasa’s
testing had a different vent disc arrangement than the arrangement in the final battery design.
NTSB Aircraft Incident Report
70
an internal short circuit would lead to propagation. As a result, the repeatability of the test result
under all operating environments and usage conditions was not ensured.
Further, GS Yuasa’s qualification abuse tests, which were intended to demonstrate that
the battery design met the criteria established in the 787 main and APU battery SCD, did not
provide adequate evidence to discount the possibility of propagation in the event of cell thermal
runaway resulting from an internal short circuit.
139
Specifically, none of these tests drove a cell
into thermal runaway to demonstrate that propagation would not occur or that the battery case
could contain the effects of multiple-cell venting. Also, the batteries used during the tests were
not grounded as installed on the airplane. Thus, the results of these tests were not relevant or
sufficient for making assumptions about propagation with a grounded battery and for the full
range of operating conditions.
140
In addition to underestimating the most severe effects of a cell internal short circuit,
Boeing, Thales, and GS Yuasa also underestimated the rate of occurrence for this failure mode.
Boeing indicated in its EPS safety assessment that the rate of occurrence of cell venting would be
about one in 10 million flight hours. However, this predicted failure rate was significantly lower
than the actual failure rate observed for the 787’s first 52,000 hours of service, during which time
both the BOS and TAK incidents occurred.
Boeing used data from GS Yuasa to determine the rate of occurrence of cell venting.
These data were based on GS Yuasa’s experience with a lithium-ion battery with a similar
mechanical design, which GS Yuasa manufactured for use in an industrial application. Of the
more than 14,000 similarly designed lithium-ion battery cells in service at the time, GS Yuasa
found that none had experienced thermal runaway or venting. Because no failures had occurred,
GS Yuasa used probabilistic methods to estimate a failure rate for the industrial battery cells.
141
After accounting for capacity differences between the two battery applications and establishing
that the environmental and usage conditions and the manufacturing processes for the 787 and
industrial applications would be similar, GS Yuasa determined that the 787 main and APU
battery cells would have a failure rate similar to that of the industrial cells.
The method that GS Yuasa used in estimating the failure rate for 787 main and APU
battery cells was consistent with industry practices for components manufactured with controlled
processes and subjected to similar stress conditions during normal use over time. However, the
NTSB found no documented analysis comparing the duty cycle and environment expected in the
139
The qualification abuse testing included two external short circuit tests (low and high impedance shorts at
battery terminals), one overcharge test (charge battery to 36 volts for 25 hours), and one overdischarge test
(discharge battery to zero volts). These qualification tests were conducted at the battery’s maximum operating
temperature of 158ºF, and no thermal runaway occurred. A qualification test involving high-temperature storage
(185ºF for 18 hours) also resulted in no thermal runaway.
140
During the NTSB’s April 2013 investigative hearing on the BOS incident, a Boeing representative testified
that Boeing used “state of the art in testing” and that no propagation of cells occurred during qualification abuse
testing, nail penetration testing, and the venting event at APSIF.
141
Probabilistic methods model and describe the random variations in systems. Probabilistic methods
demonstrate compliance in the certification process using probabilistic risk analysis techniques.
NTSB Aircraft Incident Report
71
787 application with that experienced in the industrial application. If the 787 application had
higher mechanical and/or electrical stress levels than the industrial application due to differences
in duty cycle and environment, the onset of certain failure modes could be accelerated, or failure
modes not previously exhibited in the industrial cells, such as internal short circuiting and cell
venting, could be manifested in the 787 battery cells.
142
Given the potential safety consequences
of cell venting and the lack of historical data on cell and battery performance in an airplane
application, Boeing, Thales, and GS Yuasa should have performed a structured engineering
analysis, supplemented by testing, to compare the differences in duty cycle and environment
between the two applications and measure the impact on battery and cell features that drive
safety-related failure modes, effects, and rates. This level of rigor was needed to determine
whether the use of the industrial cell failure rate was appropriate for the 787 application.
Boeing indicated in certification documents that it used a version of AC 25.1309 (referred
to as the Arsenal draft) as guidance in preparing the EPS safety assessment for the 787 type
design certification program. The draft AC addressed the treatment of assumptions and data,
stating that the underlying assumptions, data sources, and analytical techniques used in safety
analyses should be identified and justified to ensure the validity of the conclusions made in
safety assessments. However, the analysis that Boeing presented in its EPS safety assessment did
not appear to be consistent with the guidance provided in the draft AC. Specifically, the analysis
did not (1) identify Boeing’s assumption that thermal runaway of a cell would not propagate to
other cells and (2) provide the engineering rationale needed to justify broad use of this
assumption under all operating conditions. Also, the analysis did not sufficiently evaluate and
justify the use of the industrial battery failure rate data in predicting the risk of a cell venting
occurrence for the 787 battery. Further, even if this information had been included in the EPS
safety assessment, the validity of the supporting safety analyses would have been difficult to
justify given the limited data available. For example, the assumption that propagation would not
occur was based on the result of GS Yuasa’s single 2006 nail penetration test, and the failure rate
prediction for cell venting was developed without a rigorous comparison of the most severe
environmental and usage conditions between the industrial and 787 battery applications.
AC 25.1309 (Arsenal draft) also stated, “where it is not possible to fully justify the
adequacy of the safety analysis and where data or assumptions are critical to the acceptability of
the failure condition, extra conservatism should be built into either the analysis or the design.”
The assumption that the design of the main and APU battery prevented thermal runaway of a
single cell from propagating to other cells inside the battery case was critical to accepting the risk
of an internal short circuit in a cell because, if the assumption were incorrect, thermal runaway of
the battery could occur. As a result, Boeing should have taken a more conservative approach in
its safety analyses by including the possibility that propagation of thermal runaway from cell to
cell could result from an internal short circuit and considering the potential effects if this failure
condition were to occur. If such an approach had been taken, Boeing authorized representatives
142
For example, stresses on the cells introduced by altitude changes would only be present in the 787
application, and these stresses applied over time in service could change the failure modes, the severity of failure
effects, and increase the rates of failure for the cells and the entire battery installation. Deterministic methods that
involve accelerated stress testing are commonly used to evaluate the influence of engineering factors, such as stress,
design, and environment, on item reliability (Condra 1993).
NTSB Aircraft Incident Report
72
and/or FAA certification engineers independently reviewing the EPS safety assessment would
likely have required Boeing, Thales, and GS Yuasa design engineers to (1) perform more
exhaustive test and analysis to properly validate claims about propagation and cell failure rate or
(2) incorporate design features to safely accommodate cascading thermal runaway of all cells
inside the battery case.
143
Critical assumptions and conclusions made in GS Yuasa’s and Thales’ safety analyses
and used in Boeing’s EPS safety assessment were not fully delineated and justified with
appropriate data and engineering rationale. However, multiple independent reviews of the EPS
safety assessment by Boeing authorized representatives and FAA certification engineers did not
reveal these deficiencies. The review process for safety assessments should be designed to
closely examine the data used to support conclusions and challenge assumptions, particularly
those that could result in significant safety consequences if incorrect. Also, the review process
should be designed to ensure a conservative approach when available engineering data and
experience are limited.
The NTSB concludes that Boeing’s EPS safety assessment did not consider the most
severe effects of a cell internal short circuit and include requirements to mitigate related risks
and that the review of the assessment by Boeing authorized representatives and FAA
certification engineers did not reveal this deficiency. Therefore, the NTSB recommends that
Boeing modify its process for developing safety assessments for designs incorporating new
technology to ensure that the conclusions made are validated and that any identified deficiencies
are corrected. The NTSB also recommends that the FAA provide its certification engineers with
written guidance and training to ensure that (1) assumptions, data sources, and analytical
techniques are fully identified and justified in applicants’ safety assessments for designs
incorporating new technology and (2) an appropriate level of conservatism is included in the
analysis or design, consistent with the intent of AC 25.1309 (Arsenal draft). Further, the NTSB
recommends that, during annual recurrent training for engineering designees, the FAA discuss
the need for applicants to identify, validate, and justify key assumptions and supporting
engineering rationale used in safety assessments addressing new technology.
2.5.2 Validating Methods of Compliance for Designs Involving New Technology
The FAA was responsible for approving Boeing’s methods of compliance and the data
produced from various analyses and tests. The FAA approved Boeing’s qualification test
program (which was outlined in Boeing’s EPS certification plan) and Boeing’s EPS safety
assessment as methods of demonstrating that the battery complied with the FAA’s special
conditions. Boeing’s safety assessment was an important method of compliance because it
identified the battery failure modes that could produce conditions prohibited by the FAA’s
special conditions and defined the safety requirements needed to mitigate the potential risks to a
143
Regarding the process for validating assumptions, ARP 4754 stated, “where the consequences of an
erroneous assumption appear to have significant potential to reduce safety, one possible validation strategy consists
of showing how the system design, in fact, limits or bounds the achievable consequences of an assumption error.”
NTSB Aircraft Incident Report
73
level deemed acceptable by the FAA.
144
However, because Boeing’s safety assessment did not
consider the potential for cell-to-cell propagation with fire as a result of an internal short circuit,
Boeing did not identify, in the 787 main and APU battery SCD or elsewhere, safety requirements
directly addressing battery performance with a single cell in thermal runaway. Also, because the
battery SCD did not contain a specific requirement for battery performance with a cell in thermal
runaway, the need for a thermal runaway qualification test or other related verification activity as
part of the battery’s certification would have been less visible to Boeing authorized
representatives and FAA certification engineers.
145
Although GS Yuasa’s battery design included features intended to prevent cell-to-cell
propagation, such as cell spacing and thermal insulation materials between cells, these provisions
were insufficient, as demonstrated by the BOS and the TAK incidents. These battery design
features were not fully linked to defined, measurable performance criteria in Boeing’s battery
SCD, so the effectiveness of the design features in preventing propagation was not verified
during battery qualification testing. The NTSB concludes that Boeing failed to incorporate
design requirements in the 787 main and APU battery SCD to mitigate the most severe effects of
a cell internal short circuit and that the FAA failed to uncover this design vulnerability as part of
its review and approval of Boeing’s EPS certification plan and proposed methods of compliance.
AC 25.1309 (Arsenal draft) noted that a safety assessment should trace the work leading
to conclusions (including the basis for classification of the severity of hazards, the assumptions
made, and supporting rationale for assumptions) as part of certification. However, none of the
certification deliverables to which the FAA and Boeing agreed established the relationships
among each individual special condition, related hazards and assumptions from the EPS safety
assessment, safety requirements in the main and APU battery SCD, and the resulting data used to
show compliance.
146
Thus, the FAA could not effectively use traceability principles to evaluate
the completeness of Boeing’s proposed methods of compliance, particularly for special
condition 2, which addressed battery thermal runaway.
147
As a result, the FAA approved
Boeing’s proposed EPS certification plan, including qualification tests, for the 787 main and
APU battery without the details necessary to demonstrate compliance with the individual special
conditions.
If these relationships had been fully discussed in certification documentation or through
other communications between Boeing and the FAA as part of the certification process, Boeing
authorized representatives and FAA certification engineers would have had a better
understanding of how the assumption regarding the propagation of thermal runaway as a result of
144
AC 25.1309 (Arsenal draft) provided guidance on the acceptable failure probability per flight hour of
equipment and systems installed on an airplane as a function of the severity of the resulting failure condition.
145
ARP 4754 defines verification as “the evaluation of an implementation of requirements to determine that
they have been met.”
146
Traceability is defined in revision A of ARP 4754 as the recorded relationship established between two or
more elements of the development process.”
147
Special condition 2 indicated that the “design of the lithium-ion batteries must preclude the occurrence of
self-sustaining, uncontrolled increases in temperature or pressure.”
NTSB Aircraft Incident Report
74
a cell internal short circuit related to special condition 2.
148
In addition, traceability would likely
have revealed the absence of safety requirements addressing cell thermal runaway and
propagation in the battery SCD and the need for a thermal runaway test as part of planned
qualification tests to demonstrate that the design met the requirements of special condition 2 for
the internal short circuit failure condition. However, guidance used by FAA certification staff at
the time of Boeing’s application for the 787-8 type certificate, including FAA Order 8110.4,
“Type Certification,” revision B, did not include the use of traceability principles that relate each
special condition to design data and compliance deliverables (such as test procedures, test
reports, and safety assessments) as part of certification planning to ensure that the methods of
compliance were correct and complete.
The NTSB concludes that unclear traceability among the individual special conditions,
safety assessment assumptions and rationale, requirements, and proposed methods of compliance
for the 787 main and APU battery likely contributed to the FAA’s failure to identify the need for
a thermal runaway certification test. Therefore, the NTSB recommends that the FAA develop
written guidance for its certification engineers and engineering designees about the use of
traceability principles to verify that the methods of compliance proposed by type certification
applicants for special conditions involving new technology are correct and complete. The NTSB
also recommends that, once the guidance requested in Safety Recommendation A-14-121 has
been issued, the FAA provide training to its certification engineers and engineering designees on
the subjects discussed in the guidance. The NTSB further recommends that the FAA require
applicants to discuss key assumptions related to safety-significant failure conditions, their
validation, and their traceability to requirements and proposed methods of compliance during
certification planning meetings for type designs involving special conditions.
2.5.3 Certification of Lithium-ion Batteries and Certification of New Technology
As stated in section 1.8.2, the NTSB issued Safety Recommendations A-14-32
through -36 to the FAA regarding (1) insufficient testing methods and guidance for addressing
the safety risks of internal short circuits and thermal runaway and (2) the need for outside
technical knowledge and expertise to help the FAA ensure the safe introduction of new
technology into aircraft designs. On August 19, 2014, the FAA responded to these
recommendations.
In its response letter, the FAA stated that it has been working with RTCA Special
Committee SC-211 to revise RTCA document DO-311, “Minimum Operational Performance
Standards for Rechargeable Lithium Battery Systems,” to “capture all the enhancements and
lessons learned” from the BOS incident, including the need for a test that subject a single cell
148
A review of available minutes from monthly meetings between the FAA and Boeing during the planning
and implementation phases of the 787 certification program did not reveal any communications related to Boeing’s
assumption or proposed qualification test plan for the main and APU battery as it related to the thermal runaway
propagation failure condition due to cell internal short circuiting.
NTSB Aircraft Incident Report
75
within a lithium-ion battery to thermal runaway as a result of an internal short circuit.
149
The
FAA also stated that, until these revisions are completed, it would use the issue paper process to
provide new design applicants with acceptable methods of compliance for conducting tests and
analyses to address the potential failure effects of permanently installed, rechargeable lithium-ion
batteries. The FAA further stated that it was surveying previous approvals of rechargeable
lithium battery systems to determine those existing approved designs that require additional
testing and/or analysis to ensure that they can mitigate all adverse effects of a cell thermal
runaway. In addition, the FAA stated that it was setting up meetings with internal stakeholders to
determine how best to implement Safety Recommendation A-14-36.
The NTSB is encouraged that the FAA is taking steps to enhance RTCA document
DO-311 but is concerned that aircraft installation factors might not be addressed in the document
given that DO-311 is a battery-level standard. On the basis of the FAA’s actions, the NTSB
classifies Safety Recommendations A-14-32 through -36 Open—Acceptable Response”
pending review of future updates regarding the FAA’s progress in completing the recommended
actions.
2.6 Flight Recorder Issues
2.6.1 Stale Flight Data
The EAFR is a new recording system with a new flight data recording format, and the
787 is currently the only airplane that uses the EAFR to record CVR, FDR, and other data. The
investigation of this incident found that the EAFR recorded stale data for some parameters (see
section 1.3). The recording of stale data impacted the early stages of this investigation because
significant additional effort was required to identify stale data when possible as well as those
parameters for which it was not possible to determine whether the data samples were stale. This
process delayed the NTSB’s complete understanding of the recorded data.
Stale EAFR data could impact future investigations as well. The recording of stale data
could lead to cases in which apparently valid data continued to be recorded after a parameter
source stopped providing valid data, which could result in latent faults in the recording system
for mandatory parameters.
150
These mandatory parameters would thus be unavailable because an
EAFR’s source would no longer be providing the data. In addition, the safe operation of an
aircraft could be impacted if stale EAFR data were unintentionally used by an operator to assess
and resolve maintenance issues.
149
In 2006, the FAA chartered a federal advisory committee, known as RTCA Special Committee SC-211, to
develop a standard for the design, certification, production, and use of permanently installed, rechargeable
lithium-ion battery systems. The committee included representatives from the FAA, US Air Force, US Navy,
US Army, commercial air carriers, and battery and aircraft manufacturers. Boeing, Thales, and GS Yuasa were also
members of the RTCA special committee. The resulting standard, DO-311, which was issued in 2008, is currently
considered by the FAA to be an acceptable means of compliance to the special conditions for rechargeable
lithium-ion batteries and battery systems.
150
Title 14 CFR 121.344, “Digital Flight Data Recorders for Transport Category Airplanes,” details mandatory
parameter requirements. Title 14 CFR Part 121 Appendix M provides supplemental information to 14 CFR 121.344.
NTSB Aircraft Incident Report
76
The NTSB concludes that stale EAFR data could impede future accident and incident
investigations by delaying the full understanding of the recorded data; stale data could also
impact aircraft safety if an operator’s maintenance activities were based on these data. At this
time, the NTSB is concerned with the EAFR stale data recording issue on 787 airplanes because
future EAFR installations might take greater advantage of the flexibility of the new recording
format, which could mitigate the stale data issue. Therefore, the NTSB recommends that the
FAA require Boeing 787 operators to incorporate guidance about the EAFR stale data issue in
their maintenance manuals to prevent stale data from being used for maintenance activities or
flight recorder maintenance. In addition, the NTSB recommends that the FAA (1) evaluate
whether the recording of stale data by the Boeing 787 EAFR, including whether the data are
specifically identified as stale, impacts the certification of the recording system regarding the
ranges, accuracies, and sampling intervals specified in 14 CFR Part 121 Appendix M and
(2) take appropriate measures to correct any problems found.
2.6.2 Poor-Quality Cockpit Voice Recording
The investigation of this incident found that the audio recording obtained from both
EAFRs was poor quality. The signal levels of the three radio/hot microphone channels of the
audio recording (the captain’s audio selector panel, the first officer’s audio selector panel, and
the jumpseat/observer’s position) were very low and used only about 25% of the available total
dynamic range of the recorder. Further, throughout the recording, random full-deflection noise
spikes could be heard. These random noise spikes were very short in duration but used the full
dynamic range of the radio/hot microphone channel recording.
The recording from the cockpit area microphone channel of the EAFR was also poor
quality. During the airborne portion of the flight that was captured on the recording, almost all of
the individual crew conversations were completely obscured by the ambient cockpit noise. After
the airplane landed, the cockpit noise was reduced, so the crew conversations became clearer.
Once the airplane arrived at the gate and the engines were shut down, the crew conversations
could easily be heard, and the overall quality of the recording was excellent. Thus, the issues
with the EAFR audio recording did not impact this investigation because the conversations and
sounds related to the circumstances of the incident occurred during the portion of the recording
that was excellent quality.
The EAFR was certified under FAA Technical Standard Order (TSO) C123B, “Cockpit
Voice Recorder Equipment,” which was based on the European Organization for Civil Aviation
Equipment (EUROCAE) ED-112A document, “Minimum Operational Performance
Specification for Crash Protected Airborne Recording Systems.” The installation and
performance requirements in chapter I-6 of the EUROCAE document also include guidance to
determine if a CVR installation would be acceptable. This guidance stated that the CVR should
use all available dynamic ranges of the recorder and mitigate cockpit area background noise. The
FAA took exception to this chapter of the EUROCAE ED-112A document and removed the
chapter’s requirements from the final TSO C123B language. As a result, the CVR certifier and
installer can determine what constitutes an acceptable recording without the use of any
industry-approved standard regarding specific installation guidance.
NTSB Aircraft Incident Report
77
The NTSB concludes that the poor audio recording quality of the EAFR could impede
future aircraft investigations because the recorded conversations and other cockpit sounds might
be obscured. Therefore, the NTSB recommends that the FAA require Boeing to improve the
quality of (1) the EAFR radio/hot microphone channels by using the maximum available
dynamic range of the individual channels and (2) the cockpit area microphone airborne
recordings by increasing the crew conversation signals over the ambient background noise. In
addition, the NTSB recommends that the FAA either remove the current exception to ED-112A
chapter I-6 in TSO 123B or provide installers and certifiers with specific guidance to determine
whether a CVR installation would be acceptable.
NTSB Aircraft Incident Report
78
3. Conclusions
3.1 Findings
1. The battery failure did not result from overcharging, overdischarging, external short
circuiting, external heating, installation factors, or environmental conditions of the
airplane.
2. The battery failure resulted from an internal short circuit that occurred in cell 5 or cell 6
and led to thermal runaway that propagated to adjacent cells.
3. GS Yuasa’s cell manufacturing process allowed defects that could lead to internal short
circuiting, including wrinkles and foreign object debris, to be introduced into the
Boeing 787 main and auxiliary power unit battery.
4. The thermal protections incorporated in large-format lithium-ion battery designs need to
account for all sources of heating in the battery during the most extreme charge and
discharge current conditions and protect cells from damage that could lead to thermal
runaway.
5. More accurate cell temperature measurements and enhanced temperature and voltage
monitoring and recording could help ensure that excessive cell temperatures resulting
from localized or other sources of heating could be detected and addressed in a timely
manner to minimize cell damage.
6. Determining the initial point of self-heating in a lithium-ion cell is important in
establishing thermal safety limits.
7. Boeing’s electrical power system safety assessment did not consider the most severe
effects of a cell internal short circuit and include requirements to mitigate related risks,
and the review of the assessment by Boeing authorized representatives and Federal
Aviation Administration certification engineers did not reveal this deficiency.
8. Boeing failed to incorporate design requirements in the 787 main and auxiliary power
unit battery specification control drawing to mitigate the most severe effects of a cell
internal short circuit, and the Federal Aviation Administration failed to uncover this
design vulnerability as part of its review and approval of Boeing’s electrical power
system certification plan and proposed methods of compliance.
9. Unclear traceability among the individual special conditions, safety assessment
assumptions and rationale, requirements, and proposed methods of compliance for the
787 main and auxiliary power unit battery likely contributed to the Federal Aviation
Administration’s failure to identify the need for a thermal runaway certification test.
10. Stale enhanced airborne flight recorder data could impede future accident and incident
investigations by delaying the full understanding of the recorded data; stale data could
NTSB Aircraft Incident Report
79
also impact aircraft safety if an operator’s maintenance activities were based on these
data.
11. The poor audio recording quality of the enhanced airborne flight recorder could impede
future aircraft investigations because the recorded conversations and other cockpit
sounds might be obscured.
3.2 Probable Cause
The National Transportation Safety Board determines that the probable cause of this
incident was an internal short circuit within a cell of the auxiliary power unit (APU) lithium-ion
battery, which led to thermal runaway that cascaded to adjacent cells, resulting in the release of
smoke and fire. The incident resulted from Boeing’s failure to incorporate design requirements to
mitigate the most severe effects of an internal short circuit within an APU battery cell and the
Federal Aviation Administration’s failure to identify this design deficiency during the type
design certification process.
NTSB Aircraft Incident Report
80
4. Recommendations
4.1 New Recommendations
As a result of this investigation, the National Transportation Safety Board makes the
following new safety recommendations:
To the Federal Aviation Administration:
Develop or revise processes to establish more effective oversight of production
approval holders and their suppliers (including subtier suppliers) to ensure that
they adhere to established manufacturing industry standards. (A-14-113)
Work with aviation industry experts to develop or modify design safety standards
for large-format lithium-ion batteries to require that sources of excessive heating,
including electrical contact resistance from components and connections, be
identified, minimized, and documented as part of the design. The standards should
include measures for identifying and minimizing potential sources of heating that
consider the range of operating temperatures and the most extreme electrical
currents that the battery could be expected to experience during repeated charge
and discharge cycles. (A-14-114)
Work with aviation industry experts to develop or modify existing safety
standards related to the design of permanently installed lithium-ion batteries to
require monitoring of individual cell temperature and voltage and recording of
exceedances to prevent internal cell damage during operations under the most
extreme operating temperatures and currents. (A-14-115)
Once the guidance requested in Safety Recommendation A-14-115 has been
issued, require type certification applicants to demonstrate that the battery
monitoring system maintains each individual cell within safe temperature limits at
the most extreme battery operating temperatures and the heaviest electrical
current loads approved for operation. (A-14-116)
Work with lithium-ion industry experts to (1) conduct research into battery
monitoring system technologies that could improve the recognition of conditions
leading to thermal runaway, (2) develop active mitigation of such conditions to
minimize damage, and (3) update design and safety standards accordingly.
(A-14-117)
Work with industry experts to develop appropriate test methods for determining
the initial point of self-heating in a lithium-ion cell to establish objective margins
of thermal safety for future battery designs. (A-14-118)
Provide your certification engineers with written guidance and training to ensure
that (1) assumptions, data sources, and analytical techniques are fully identified
NTSB Aircraft Incident Report
81
and justified in applicants’ safety assessments for designs incorporating new
technology and (2) an appropriate level of conservatism is included in the analysis
or design, consistent with the intent of Advisory Circular 25.1309 (Arsenal draft).
(A-14-119)
During annual recurrent training for engineering designees, discuss the need for
applicants to identify, validate, and justify key assumptions and supporting
engineering rationale used in safety assessments addressing new technology.
(A-14-120)
Develop written guidance for your certification engineers and engineering
designees about the use of traceability principles to verify that the methods of
compliance proposed by type certification applicants for special conditions
involving new technology are correct and complete. (A-14-121)
Once the guidance requested in Safety Recommendation A-14-121 has been
issued, provide training to your certification engineers and engineering designees
on the subjects discussed in the guidance. (A-14-122)
Require applicants to discuss key assumptions related to safety-significant failure
conditions, their validation, and their traceability to requirements and proposed
methods of compliance during certification planning meetings for type designs
involving special conditions. (A-14-123)
Require Boeing 787 operators to incorporate guidance about the enhanced
airborne flight recorder stale data issue in their maintenance manuals to prevent
stale data from being used for maintenance activities or flight recorder
maintenance. (A-14-124)
Evaluate whether the recording of stale data by the Boeing 787 enhanced airborne
flight recorder, including whether the data are specifically identified as stale,
impacts the certification of the recording system regarding the ranges, accuracies,
and sampling intervals specified in 14 Code of Federal Regulations Part 121
Appendix M, and take appropriate measures to correct any problems found.
(A-14-125)
Require Boeing to improve the quality of (1) the enhanced airborne flight recorder
radio/hot microphone channels by using the maximum available dynamic range of
the individual channels and (2) the cockpit area microphone airborne recordings
by increasing the crew conversation signals over the ambient background noise.
(A-14-126)
Either remove the current exception to European Organization for Civil Aviation
Equipment ED-112A, “Minimum Operational Performance Specification for
Crash Protected Airborne Recording Systems,” chapter I-6 in Technical Standard
Order 123B, “Cockpit Voice Recorder Equipment,” or provide installers and
certifiers with specific guidance to determine whether a cockpit voice recorder
installation would be acceptable. (A-14-127)
NTSB Aircraft Incident Report
82
To the Boeing Company:
Develop or revise processes to establish more effective oversight of your
suppliers (including subtier suppliers) to ensure that the product being
manufactured adheres to established industry standards. (A-14-128)
Modify your process for developing safety assessments for designs incorporating
new technology to ensure that the conclusions made are validated and that any
identified deficiencies are corrected. (A-14-129)
To GS Yuasa Corporation:
Review your cell manufacturing processes to minimize or prevent defects that
could affect cell safety, and ensure that your employees are properly trained to
identify and eliminate these defects. (A-14-130)
4.2 Previously Issued Safety Recommendations Classified in This
Report
Safety Recommendations A-14-32 through -36 are classified “Open—Acceptable
Response” in section 2.5.3 of this report.
Develop abuse tests that subject a single cell within a permanently installed,
rechargeable lithium-ion battery to thermal runaway and demonstrate that the
battery installation mitigates all hazardous effects of propagation to other cells
and the release of electrolyte, fire, or explosive debris outside the battery case.
The tests should replicate the battery installation on the aircraft and be conducted
under conditions that produce the most severe outcome. (A-14-32)
After Safety Recommendation A-14-32 has been completed, require aircraft
manufacturers to perform the tests and demonstrate acceptable performance as
part of the certification of any new aircraft design that incorporates a permanently
installed, rechargeable lithium-ion battery. (A-14-33)
Work with lithium-ion battery technology experts from government and test
standards organizations, including US national laboratories, to develop guidance
on acceptable methods to induce thermal runaway that most reliably simulate cell
internal short-circuiting hazards at the cell, battery, and aircraft levels. (A-14-34)
Review the methods of compliance used to certify permanently installed,
rechargeable lithium-ion batteries on in-service aircraft and require additional
testing, if needed, to ensure that the battery design and installation adequately
protects against all adverse effects of a cell thermal runaway. (A-14-35)
Develop a policy to establish, when practicable, a panel of independent technical
experts to advise on methods of compliance and best practices for certifying the
safety of new technology to be used on new or existing aircraft. The panel should
NTSB Aircraft Incident Report
83
be established as early as possible in the certification program to ensure that the
most current research and information related to the technology could be
incorporated during the program. (A 14-36)
BY THE NATIONAL TRANSPORTATION SAFETY BOARD
CHRISTOPHER A. HART
ROBERT L. SUMWALT
Acting Chairman
Member
MARK R. ROSEKIND
Member
EARL F. WEENER
Member
Adopted: November 21, 2014
NTSB Aircraft Incident Report
84
5. Appendixes
Appendix A: Investigation and Hearing
The National Transportation Safety Board (NTSB) was notified of this incident on
January 7, 2013, and sent an investigator to the scene the same day and two investigators to the
scene the next day. The following investigative groups were formed: airworthiness, airport
emergency response, battery and fire, manufacturing, and systems safety and certification. Also,
specialists were assigned to conduct the readout of the flight data recorder and transcribe the
cockpit voice recorder at the NTSB’s laboratory in Washington, DC. In addition, a specialist was
assigned to conduct radiographic studies of 787 batteries and cells.
The following organizations provided technical assistance to the NTSB during this
investigation:
Naval Surface Warfare Center, Carderock Division, US Department of the Navy,
West Bethesda, Maryland;
TIAX LLC, Lexington, Massachusetts;
Underwriters Laboratories LLC, Northbrook, Illinois; Melville, New York; and
Taipei, Taiwan
US Department of Energy, Washington, DC;
Chesapeake Testing, Belcamp, Maryland;
National Institute of Standards and Technology, Gaithersburg, Maryland; and
Naval Research Laboratory, Washington, DC.
Parties to the investigation were the Federal Aviation Administration (FAA) and Boeing
Commercial Airplanes. In accordance with the provisions of Annex 13 to the Convention on
International Civil Aviation, the Japan Transport Safety Board (JTSB) and the Bureau
d’Enquêtes et d’Analyses pour la Sécurité de l’Aviation Civile (BEA) participated in this
investigation. Japan Airlines and GS Yuasa Corporation participated in the investigation as
technical advisors to the JTSB, and Thales Avionics Electrical Systems and the European
Aviation Safety Agency participated in the investigation as technical advisors to the BEA, as
provided for in Annex 13.
On April 23 and 24, 2013, the NTSB held an investigative hearing regarding the
Boeing 787 battery’s design and certification. The safety issues discussed were the battery
system’s (1) selection and certification requirements, (2) design and development, (3) design
verification and validation, and (4) certification and the FAA’s findings of compliance. Parties to
the investigative hearing were the FAA, Boeing
,
Thales, and GS Yuasa
.
NTSB Aircraft Incident Report
85
Between the date of the incident and the investigative hearing, the NTSB issued an
interim factual report on this incident (March 7, 2013) and held a forum on lithium-ion batteries
in transportation (April 11 and 12, 2013). The interim factual report and presentations from the
forum are available at www.ntsb.gov.
NTSB Aircraft Incident Report
86
Appendix B: Boeing 787 Type Certification Special Conditions
25-359-SC
The FAA issued the following nine special conditions, in place of the electrical
equipment and installation requirements of 14 Code of Federal Regulations (CFR) 25.1353(c)(1)
through (c)(4), for the design and installation of lithium-ion batteries as part of the type
certification basis for the Boeing 787-8:
(1) Safe cell temperatures and pressures must be maintained during any
foreseeable charging or discharging condition and during any failure of the
charging or battery monitoring system not shown to be extremely remote. The
lithium-ion battery installation must preclude explosion in the event of those
failures.
(2) Design of the lithium-ion batteries must preclude the occurrence of
self-sustaining, uncontrolled increases in temperature or pressure.
(3) No explosive or toxic gases emitted by any lithium-ion battery in normal
operation, or as the result of any failure of the battery charging system,
monitoring system, or battery installation not shown to be extremely remote, may
accumulate in hazardous quantities within the airplane.
(4) Installations of lithium-ion batteries must meet the requirements of
14 CFR 25.863(a) through (d).
(5) No corrosive fluids or gases that may escape from any lithium-ion battery may
damage surrounding structure or any adjacent systems, equipment, or electrical
wiring of the airplane in such a way as to cause a major or more severe failure
condition, in accordance with 14 CFR 25.1309(b) and applicable regulatory
guidance.
(6) Each lithium-ion battery installation must have provisions to prevent any
hazardous effect on structure or essential systems caused by the maximum
amount of heat the battery can generate during a short circuit of the battery or of
its individual cells.
(7) Lithium-ion battery installations must have a system to control the charging
rate of the battery automatically, so as to prevent battery overheating or
overcharging, and,
(i) A battery temperature sensing and over-temperature warning system
with a means for automatically disconnecting the battery from its charging source
in the event of an over-temperature condition, or,
NTSB Aircraft Incident Report
87
(ii) A battery failure sensing and warning system with a means for
automatically disconnecting the battery from its charging source in the event of
battery failure.
(8) Any lithium-ion battery installation whose function is required for safe
operation of the airplane must incorporate a monitoring and warning feature that
will provide an indication to the appropriate flight crewmembers whenever the
state-of-charge of the batteries has fallen below levels considered acceptable for
dispatch of the airplane.
(9) The Instructions for Continued Airworthiness required by 14 CFR 25.1529
must contain maintenance requirements for measurements of battery capacity at
appropriate intervals to ensure that batteries whose function is required for safe
operation of the airplane will perform their intended function as long as the
battery is installed in the airplane. The Instructions for Continued Airworthiness
must also contain procedures for the maintenance of lithium-ion batteries in
spares storage to prevent the replacement of batteries whose function is required
for safe operation of the airplane with batteries that have experienced degraded
charge retention ability or other damage due to prolonged storage at a low state of
charge.
The FAA noted that these special conditions were “not intended to replace
14 CFR 25.1353(c) in the certification basis of the Boeing 787-8 airplane” and that the special
conditions applied “only to lithium-ion batteries and their installations.” The FAA also noted that
the requirements of 14 CFR 25.1353(c) remained in effect “for batteries and battery installations
of the Boeing 787-8 airplane that do not use lithium-ion batteries.”
NTSB Aircraft Incident Report
88
Appendix C: Comments From the Bureau d’Enquêtes et d’Analyses
pour la Sécurité de l’Aviation Civile
NTSB Aircraft Incident Report
89
BEA proposed comments to append to the report.
The BEA agrees that an internal short circuit within a cell of the APU battery led to thermal runaway that
cascaded to thermo-mechanical propagation to surrounding cells.
However, the initiating phenomenon of the internal short circuit has not been identified during the
investigation and it was impossible to conclusively determine the origin of the internal short circuit.
Indeed, the internal short circuit is not a root cause by itself but a way point” in the chain of events. The
reason of the development of the short circuit inside the first cell could not be determined from post
incident laboratory testing and subsequent engineering analysis of potential failure modes.
The fact that the root cause couldn’t be determined should also be included in the section 3.1 Findings
and also in the section 3.2 Probable Causes.
In addition, the NTSB report also lists some concerns that have been observed during the investigation
(refer to sections 2.3 and 2.4), namely:
The presence of wrinkles generated by the manufacturing process or influenced by the
manufacturing process and developed during charge and discharge due to swelling/deswelling.
The report considers that “wrinkles and folds can modify anode-to-cathode ratio locally, resulting
in lithium deposits at the anode surface”. The BEA states that although wrinkles were observed
during DPA of the incident batteries, their effect on lithium deposition hasn’t been proved (no Li-
metal was found by XPS analysis). The various tests performed by GSY, on LVP 65 cells didn’t
reveal neither Li metal dendrites nor internal short with heat generation and venting.
The presence of FOD related to the manufacturing process : no FOD was identified during the
teardown of the incident battery and during post incident investigation on exemplar batteries.
The propensity of cells to generate self-heating below the upper operational specified
temperature (70°C) (section 2.4.3): Lab in charge assessed self-heating rate in cell at 100%SOC
and stated that cells self-heat at temperature as low as 60°C with a self-heating rate near
0.01°C.min-1. However the sensitivity threshold of this equipment is as high as at 0.02°C.min-1.
Values below the sensitivity threshold are not relevant. The sensitivity threshold is reached at
85°C for 100%SOC cell
1
which is consistent with the current state of the art on lithium-ion
battery.
The seal assembly and rivets integrity. Thales testing shows that when the battery is used
within its specified power and temperature ranges then no anomaly occurs
2
.
Proposed safety actions to be taken
The BEA suggests to take into account of the various reports and the Thales testings and to consider the
following safety actions to be taken :
1
UL report entitled “Multi-Level Forensic and Functional Analysis of the 787 Main/APU Lithium Ion Battery”
Doc. ref. NTSBC130004 2014, p 120-123.
2
THALES Submission to the National Transportation Safety Board For the DCA13IA037 page 17 & 18
NTSB Aircraft Incident Report
90
“As the investigation could not identify the mechanism of the internal short circuit, the aircraft
manufacturer and the equipment manufacturers should :
continue studies of internal short circuit mechanism considering the effects of internal and
external phenomenon that potentially impacts the Li-ion batteries in operational conditions, such as
the aircraft electrical environment and particularly the risk associated to potential transient current
and voltage ;
continue studies on the impact of other environmental parameters such as humidity and
vibrations ;
continue efforts to improve Li-ion batteries quality and its reliability.
BEA detailed comments on the NTSB draft report on the serious
incident to the Boeing 787-8 registered JA829J.
Page/Section:
Sentence/Comment:
§ 1.4.3 Disassembly of the incident Battery
Existing sentence:
“There was no evidence of cell-to-battery case shorting before the thermal event, bus bar
shorting or resistive heating of bus bar …”.
Comment:
APU battery has demonstrate the presence of a protrusion on side 3 facing Cell 5. At the
place of the protrusion the cell 5 exhibits a small hole. The Cell 5 windings also demonstrate
holes that are consistent with materials that had penetrated into the cell 5 and its windings.
The material found in the cell 5 and its winding were chemically analyzed and confirmed to
be Battery aluminum alloy. This was interpreted by the investigation team as resulted from
an arcing phenomenon between the cell 5 casing and Battery case. At this stage there is no
evidence to say that arcing occurs before or during the thermal event.
Modification proposal
There was evidence of cell 5-to-battery case shorting during the JAL event. The
exact time, at which the shorting between cell 5 and battery case occurs, is not
determined. In addition there is no evidence of bus bar shorting or resistive heating
of bus bar ….”
Page/Section:
Sentence/Comment:
§ 1.4.3 Disassembly of the incident Battery
Existing sentence:
There was also no visible evidence of water (resulting from condensation) within the battery
case or external surfaces of the battery cells.
Comment:
APU battery has undergone a very significant heating during the thermal runaway.
Therefore, if water, for instance from condensation, had been present, it has been vaporized
during thermal runaway. Consequently, it was impossible to find any evidence of water
inside the battery after the event. In order not to rule out this parameter, the following
wording is proposed.
NTSB Aircraft Incident Report
91
Modification proposal
“Due to high heat exposure of the APU battery during the incident event, it was
obviously not possible to conclude on water presence resulting from condensation
within the battery before or during the incident event.”
Page/Section:
Sentence/Comment:
§ 1.5.3 Examinations of main battery cells from incident airplane
Existing sentence:
“More than 100 areas of “ingressed underlithiation” of the anode (that is, areas of the anode
than are incompletely charged) were found”
Comment:
Color variations in full charge carbon anode are known to be due to underlithiation.
However, color is only a semi-quantitative and subjective measure of Li state of charge [1],
[2].
Additionally XPS analysis from Carderock don’t show any obvious difference in lithium
concentration between “blue or purple areas”, called “underlithiated” and gold areas, called
fully lithiated”
Modification proposal
More than 100 areas of ingressedunderlithiation of the anode were found (that is,
areas of the anode than are incompletely charged. However Carderock XPS analysis
doesn’t show any significant concentration difference of lithium element between
blue/purple area, called underlithiated area, and gold area, called fully lithiated area)
[1] Direct in situ measurements of Li transport in Li-ion battery negative electrodes, Harris et
al, Chemical Physics Letters 485 (2010) 265274
[2] Revisited structures of dense and dilute stage II lithium-graphite intercalation
compounds, D. Billaud et al, J. Phys. Chem. Solids 57 (1996) 775.
Page/Section:
Sentence/Comment:
§ 1.5.3 Examinations of main battery cells from incident airplane
Existing sentence:
“According to TIAX, these areas indicate that mechanical abnormalities in the windings
results in uneven charging of the anode and might have caused lithium to deposit adjacent
to underlithiated area.”
Comment:
This explanation, representing TIAX’ interpretation, is only based on a phenomenal
description and is not supported by any technical and scientific demonstration, simulation,
calculation and complete testing.
Modification proposal
“According to TIAX, these areas indicate that, in theory, mechanical abnormalities in
the windings might result in uneven charging of the anode and might have caused
lithium to depose adjacent to underlithiated area. However TIAX didn’t perform
NTSB Aircraft Incident Report
92
chemical analysis, simulation, calculation and appropriate testing to validate this
scenario. At the opposite, Carderock showed through deep chemical analysis (XPS)
that the observed silver colored deposits didn’t contain any lithium metal,
invalidating the explanation proposed by TIAX
Page/Section:
Sentence/Comment:
§ 1.5.3 Examinations of main battery cells from incident airplane
Existing sentence:
“In its submission to the NTSB for this incident, GS YUASA stated that, after the incident, it
conducted more than 100 cold charge cycle tests, and all of the tests revealed a loss of
capacity when charging repeatedly at -9.4°F.”
Comment:
The reader would surely be interested not only by the loss of capacity during
charge/discharge cycles which is normal behavior of this battery technology in these
specific test conditions, but it would be of greater interest to learn there from those tests
that no dendrite was created during those cold charge cycles. For information, the 105
cycles of tests widely cover the time period that the incident battery was exposed onboard
airplane.
Such important and relevant information needs to be provided to the reader in order to
have better understanding of potential dendrite presence or not according to the operating
conditions specified on this airplane.
Modification proposal
“In its submission to the NTSB for this incident, GS YUASA stated that, after the
incident, it conducted more than 100 cold charge cycle tests, and all of the tests
revealed a loss of capacity when charging repeatedly at -9.4°F and no lithium
plating was observed”.
Page/ Section:
Sentence/Comment:
§1.5.4 Cell-level abuse tests
Existing sentence:
“… cells started to generate internal heat at temperatures as low as 144°F, which is below
the allowable operational temperature of the battery”
comment
As written by BEA/Thales comments on the airworthiness group report, UL used an ARC
equipment to assess self-heating rate in cell at 100%SOC and 0%SOC. The sensitivity
threshold of this equipment is given at 0.02°C.min
-1
by the equipment manufacturer (cf UL
report p121 and 122).
However UL states that cells self-heat at temperature as low as 60°C (self-heating rate near
0.01°C.min
-1
, but the self-heating rate at this temperature is below the sensitivity threshold of
NTSB Aircraft Incident Report
93
the equipment. Values below the sensitivity threshold are not relevant.
The sensitivity threshold is reached at 110 °C for 0%SOC cell (cf p 121, UL report) and 85°C
for 100%SOC cell (cf UL report 122).
Modification proposal
“…cells started to generate internal heat at temperatures as low as 85°C (100%SOC)
and 110°C (0%SOC) (and remove the last part of the sentence as the battery is qualified for
temperatures comprised between -18°C and 70°C).
Page/Section:
Sentence/Comment:
§ 1.5.5 Rivet observations during cell- and battery-level testing
Existing sentence:
the aluminum rivets on the positive terminal of cell 5 increased progressively through 14
cycles to a maximum of 157°C/315°F
Comment:
Some precision need to be added:
- In some case, the UL tests were performed with an average current of 940A.
- The worst case with a battery voltage at 20Vdc corresponds to a power of 18.8KW
during the simulation of APU start.
- With a battery fully charged before the APU start simulation, the battery voltage is
between 25 and 26Vdc the power was comprise between 23.5KW and 24.4KW.
- Thales tests have demonstrated that the rivets are designed to withstand APU start
with a maximum power of 18KW in all the temperature range in compliance with
Boeing SCD.
- In the case of APU start out of Boeing SCD (> 18KW) the rivets are damaged and
this damage are irreversible.
Modification proposal
Taking into account of Thales testing and submission, this paragraph should be
amended by adding that in the operating range this phenomenon does not occur.
Page/Section:
Sentence/Comment:
§ 1.5.5 Rivet observations during cell- and battery-level testing
Existing sentence:
“”The cell leakage test showed that the seal of the cell was damaged
Comment:
Note that all the tests performed by UL and reported in the section refer to battery that was
tested outside of the power specified domain over 18 kW as mentioned in the previous
comment. Thales tests exactly showed the same results after abnormal APU start (>18KW)
BEA suggests taking into account the THALES results in this chapter or clearly
indicates that tests were performed out of power specified domain.
NTSB Aircraft Incident Report
94
Page/Section:
Sentence/Comment:
§ 2.1 Failure sequence
Existing sentence:
“A battery-level test showed that condensation could occur within the battery and result in
shorting path between the cell and the battery cases, and cell-level test with moisture
showed that a cell failure could occur and result in arcing, shorting, and heat damage
internal to cell header. However the damage observed during the cell-level test was not
found in the cell header from the incident APU battery. In addition, airplane flight test data
did not show any abnormal electrical transients that could lead to battery failure
Comment:
During the investigation, it was not possible to show that the JAL Boston Cells, and
specifically cell 5 and cell 6, had experienced or not shortings as described in the Thales
submission. In addition based on information provided by NTSB, the flight test recording
system was capable of recording signals that had frequency up to hundreds of Khz. The
Transient phenomena that are seen as a potential contributing factor by BEA and Thales are
in a range of 2 to 4 Mhz. That means that such phenomenon couldn’t be captured by the
aircraft flight test installation.
The BEA suggests taking into account the THALES results in this chapter and to
modify it as follows :
The information collected during the investigation does not allow to determine if the
damages observed during the cell-level test on the cell headers were similar to the
incident APU battery. In addition, during the airplane flight test, the system used to
collect the electrical data had limited electrical transients recording capabilities (in the
range of hundreds Kilo Hertz) and did not make it possible to capture electrical
transient phenomenon that occurs with High Frequency range (Mhz).
NTSB Aircraft Incident Report
95
References
Airworthiness Directives; The Boeing Company Airplanes. Federal Register. Vol. 78. No. 36.
February 22, 2013. 12231.
Airworthiness Directives; The Boeing Company Airplanes. Federal Register. Vol. 78. No. 81.
April 26, 2013. 24673.
Baldwin, Richard S., William R. Bennett, Eunice K. Wong, MaryBeth R. Lewton, and Megan K.
Harris. “Battery Separator Characterization and Evaluation Procedures for NASA’s
[National Aeronautics and Space Administration] Advanced Lithium-Ion Batteries.”
NASA Technical Memorandum NASA/TM-2010-216099. NASA, Washington, DC,
2010.
Belov, D. and M.H. Yang. “Failure Mechanism of Li-ion Battery at Overchage Conditions.”
Journal of Solid State Electrochemistry 12 (2008): 885-894.
Chapin, J. Thomas, Pravinray D. Gandhi, and Paul W. Brazis, Jr. “NTSB Battery TestsFinal
Report for 787 Battery (Asset 436) Tested at 70ºC, Ungrounded.”
Underwriters Laboratories LLC, Northbrook, IL, 2014.
Chapin, J. Thomas, Pravinray D. Gandhi, and Paul W. Brazis, Jr. “NTSB Battery TestsFinal
Report for 787 Battery (Asset 445) Tested at 15ºC, Grounded.”
Underwriters Laboratories LLC, Northbrook, IL, 2014.
Condra, Lloyd W. Reliability Improvement With Design of Experiments. New York, NY:
Marcel Dekker Inc., 1993.
Doughty, Daniel H. and Chris C. Crafts. FreedomCAR Electrical Energy Storage System Abuse
Test Manual for Electric and Hybrid Electric Vehicle Applications. SAND2005-3123,
Sandia National Laboratories, Albuquerque, New Mexico, 2006.
FAA (Federal Aviation Administration), Boeing 787-8 Critical Systems Review Team. Boeing
787-8 Design, Certification, and Manufacturing System Review. Washington, DC: FAA,
2014. www.faa.gov/about/plans_reports/media/787_Report_Final.pdf
FAA, William J. Hughes Technical Center. Extinguishment of Lithium-Ion and Lithium-Metal
Battery Fires. DOT/FAA/TC-13/53, Atlantic City, NJ: FAA, 2014.
Fisher, D.L., R. Schweickert, and C.G. Drury. “Mathematical Models in Engineering
Psychology: Optimizing Performance.” In Handbook of Human Factors and Ergonomics,
by ed. G. Salvendy, 997-1024. Hoboken, NJ: John Wiley and Sons, 2006.
NTSB Aircraft Incident Report
96
Japan Transport Safety Board. Emergency Evacuation Using Slides, All Nippon Airways Co.,
Ltd., Boeing 787-8, JA804A, Takamatsu Airport, At 08:49 JST, January 16, 2013.
Aircraft Serious Incident Investigation Report AI2014-4, Tokyo, Japan: JTSB, 2014.
www.mlit.go.jp/jtsb/english.html
Mansour, Azzam N., D. Fuentevilla, and Jim A. Zaykoski. XPS [x-ray photoelectron
spectroscopy] Investigation of a Carbon Anode, Separator from a Cold Charged Li-Ion
Cell and a Lithium Foil Control Sample, Factual Report. West Bethesda, MD: Naval
Surface Warfare Center, Carderock Division, 2014.
Mikolajczak, C., M. Kahn, K. White, and R.T. Long. Lithium-Ion Batteries Hazard and Use
Assessment Final Report. Quincy, MA: The Fire Protection Research Foundation, 2011.
NASA Technical Standard, Electrical Bonding for NASA Launch Vehicles, Spacecraft,
Payloads, and Flight Equipment.” NASA-STD-4003A, Washington, DC, 2013.
Reddy, Thomas B. and David Linden. Linden’s Handbook of Batteries. Fourth edition.
New York, NY: McGraw-Hill, 2011.
SAE International. “Guidelines for Development of Civil Aircraft and Systems.” SAE Aerospace
Recommended Practice 4754A. Warrendale, PA: SAE, 2010.
Special Conditions: Boeing Model 787-8 Airplane; Lithium Ion Battery Installation.
Federal Register. Vol. 72. No. 82. April 30, 2007. 21162.
Special Conditions: Boeing Model 787-8 Airplane; Lithium Ion Battery Installation.
Federal Register. Vol. 72. No. 196. October 11, 2007. 57842.
Tabaddor, Mahmood, Helena Chiang, Dennis Grzic, and Alvin Wu. Multi-Level Forensic and
Functional Analysis of the 787 Main/APU Lithium-Ion Battery. Northbrook, IL:
Underwriters Laboratories LLC, 2014.
Taheri, Peyman, Scott Hsieh, and Majid Bahrami. “Investigating Electrical Contact Resistance
Losses in Lithium-Ion Battery Assemblies for Hybrid and Electric Vehicles.” Journal of
Power Sources 196 (2011): 6525-6533.
Teichner, W.H. “The Detection of a Simple Visual Signal as a Function of Time of Watch.”
Human Factors 16 (1974): 339-353.
TIAX LLC. Report on Soft-Short Testing of Batteries 149, 305, 344, 376, and 412.
Lexington, MA: TIAX, 2013.
. Review of Cell 6 Tear Down Samples of Incident APU Battery. Lexington, MA: TIAX, 2013.
. Teardown of LVP65 Li-Ion Cell 1 from Battery 412. Lexington, MA: TIAX, 2014.
NTSB Aircraft Incident Report
97
Wang, Carl and Alvin Wu. Cell-Level IIISC [indentation-induced internal short circuit],
Nail Penetration, Hot Pad and ARC Tests for LVP65. Northbrook, IL: Underwriters
Laboratories LLC, 2014.
Wang, Carl, Helena Chiang, and Alvin Wu. Analysis of Asset 459 Cell 5. Northbrook, IL:
Underwriters Laboratories LLC, 2014.