Posts about: "FAA" [Posts: 108 Pages: 6]

Has this been discussed already?

https://ad.easa.europa.eu/blob/NM-18...SIB_NM-18-33_1

I\x92m sure this is wrong; was looking for confirmation. I read somewhere that the 787 keeps the fuel valve open by an electric driven actuator, and closes it by spring force.

I seem to remember Fred Dibner talking about how railway cars brake by draining the piston not by pressurising it, so trains will stop when supply lines break.

The electrical system updates to 787s for ADs and SBs - do any of these include software updates? For example the integer overflow causing GCU failsafe rectified under AD 2018-20-15. If so, who is writing and implementing these software updates? The original engineers? Their apprentices who had years long handovers? Or have they been outsourced and offshored? When these updates occur, does the entire system get tested and ratified or just the bit the bug fix is meant to fix? Because I\x92ve seen new bugs introduced by bug fixes in areas seemingly nothing to do with the original problem.

Dual engine failures? Or uncommanded dual engine shutdowns?

ANA NH-985, a 787-8, suffered dual uncommanded engine shutdown just after air-ground transition. That was a TCMS "feature."

Baltic BT-139 likewise, resulted in an FAA AD to upgrade FADEC software on a whole bunch of P&W engines.

It isn't unheard of. It may not have been seen at rotation before.

Does anyone have a link to a document (Boeing / FAA) that attests / mandates to the solenoid being a locking type?

There is no inter-engine interaction. But if both FADECs are running the same software then they will potentially behave identically to some bug or external input / condition. That's why software redundancy isn't always redundancy.

I agree.

Thank you. So saying "TCMA would only trigger if WoW and RA have failed somehow" is incorrect? Those are simply inputs to software, which might itself fail badly for other reasons. See the FAA AD to replace FADEC software on certain P&W engines following a previous uncommanded dual engine shutdown.

On this matter, your numbers fall within the range I earlier calculated from doppler shift on the rooftop video's audio, so yes the numbers make sense and, given the circumstances, are reasonably close together.

I also placed the relevant positional data (last ADSB, video source, resting site) into a GIS application and used this along with the audio stream duration to calculate average speed. Obviously it is necessary to correct the speed of sound for environmental conditions but even with this I wasn't happy with the early results I got. At about this time I came to a view that this information wasn't really going to help anyone much so didn't go any further.

From detail that may be retrieved here the FAA noted that Boeing made the following 'Request for correction' (my bolding to highlight why I quote this):

"Boeing explained that the RAT will remain operational as the airplane decelerates through the minimum RAT design speed of 120 knots, not 130 knots. Boeing expressed that the performance of the RAT was shown to meet the Boeing Model 787 requirement that specifies 120 knots as the minimum RAT design speed. We agree that the RAT will remain operational as the airplane decelerates through the minimum RAT design speed of 120 knots, not 130 knots..."

Again I'm not sure this is of any particular utility now, but is included here in the interests of ensuring as much factual data is available as possible.

FP.

Whilst you\x92re right to highlight the type of software in a FADEC, it should also be recalled that after the dual uncommanded engine shutdown event on the Baltic CS300, the FAA mandated updated FADEC software for all of a family of P&W engines. FADEC s/w can contain what we\x92d call bugs (whether they\x92re mistakes of coding or mistakes of logic in the design assumptions).

Sadly I'm unable to post links or I would have done so in my original post.

First off I should note that what I wrote is a massive oversimplification. I'd expect that neat metal box with the nice rugged connectors that Safran shows on their homepage to contain an ungodly mess of microcontrollers, ICs for signal conditioning, the FPGAs I mentioned and components that are well beyond my understanding of electronics. But from personal experience with a certain aircraft related company operating in Munich I can tell you that marketing level slides like you showed are so far removed from the technical reality that they might as well be fan-fic.

I agree with your observation that current microcontrollers are more than capable enough of dealing with these types of real time computation, but keep in mind that the Boeing 787, and thus its FADEC, had its first flight in 2009. Back then I would be rather more careful with that statement. Mostly because I would have just started my Computer Science Degree at the time XD

But maybe I should explain how I've arrived at the post above. I've basically spent the past few days on and off scavenging anything I could find on the 787 FADEC specifically. It was mentioned in this thread or the old one that the 787 uses the Safran FADEC 3, so my primary jumping off point was the Safran website and the information available on it. That plus a couple of press releases namely by Actel about their flash-based ProASIC3 and ProASICPLUS FPGAs was the evidence I used to arrive at my conclusions above. I can't for the life of me find the quote about the dual signal conditioning FPGAs anymore, but they are in there as far as I can tell.
Overall information on the actual inner workings of these things are so sparse that outside of a few patents (keyword: configurable CPU) I was hard pressed to find anything at all to be honest. This all not being helped by me now finding references to my own post, thus having created my very own Woozle. Hooray.

I have only looked into the Safran FADEC 3 used on the 787 with the GEnx-1B engine. The system was very innovative for its time and uses technology not previously used on FADECs to my knowledge. Even saying that, this could be one of those "technically true" kind of statements. My intention was to highlight that due to the totality of the processes and architectural style of these types of computational device the typical kind of "software error" or "bug" was basically impossible and that we'd be looking at something way further back with implications for the base requirements. I merely want to correct the implied misconceptions about the "software" being used here. As I said, FPGAs are just very different kinds of beasts.

I half agree and half disagree. Obviously I shouldn't have stated an absolute because, yes, it is possible despite multiple layers of engineering coordination that an error occurs at one step or another and is not caught by the multiple layers of checking. My point is that even in normal development FPGAs are well known to be bug resistant due to the way they are programmed. In general we create the logic condition tables using software which then translates our table into an actual FPGA configuration. This process is obviously not immune to faults but highly resistant and most importantly: Can easily be simulated.
Now, in normal "everyday" usecases I'd fully agree with you, but in case of the FADEC we're talking about an FPGA with logic condition tables where every line is likely to have its own separate binder of engineering notes, discussions and recommendations. It is there where any "error" or "bug" is most likely to reside by a considerable margin.

They were, and continue to be, a valid and reliable technology for this type of application especially before the extreme proliferation of consumer microelectronics in the last 20 years. The Safran FADEC 3 was designed at basically the same time as the first iPhone. And boy do I feel old now.

I realize that my post is a massive simplification of the topic, considering the intricate details that are simply unknown to the general public in a system as complex as a FADEC I certainly agree that things can go wrong. What I wanted to point out is the reliability of the last steps versus the design and requirements engineering phase. In general software development bugs will happen at any stage with basically equal likelihood. Given the way the standard processes around FPGA development alone would influence this probability towards the design and requirements engineering stage and then combining it with how it is handled in the Aerospace Sector I felt it was justifiable to state the extreme mismatch in probabilities of error the way I did. With the system being in operation for this length of time I do still feel comfortable with my original statement although I would now decorate it with a little * for the reasons mentioned by you and others.

In the end I hope it was useful for understanding where the reluctance of apportioning blame to these systems originates and ​​​​at the same time talk about some pretty nifty tech that I know few Software Engineers will ever deal with in their entire career. I do still find the idea of a fault (with the understanding above of where that fault originates) in the FADEC a convincing possibility, it's merely the nature and location of that fault that I felt could benefit from some more specifics in regards to the nature of how they were most likely to actually happen. I would love to actually hear more about how the FADEC 3 is structured internally and which components it uses, but I suspect that those who know are under NDA.

Regards,
Justus

MCAS wasn't "under the radar". The designers thought:
* all MCAS can do is affect the trim
* if something goes wrong with the trim, the crew works the "runaway trim" checklist
* this cuts MCAS off from the trim
* therefore, MCAS failure of any sort is going to be contained

It just turned out that if a crew is stuck, shortly after takeoff, in an aircraft that wants to go down, and they have no clue why because "AOA disagree" indicators are considered a luxury item for Boeing and Boeing also did not want to train crews for this, the crew may not be in the right mindset to prioritise that checklist.
Today, everyone is aware, so it's no longer an issue.

TCMA was motivated by a similar observation: that crews can fail to shut down an engine that no longer follows command input. So the FAA requires aircraft to detect that condition and do it automatically when on the ground, where an engine running at significant thrust is a danger to people and movable objects in the vicinity. The safety consideration here is, if you're on the ground and the thrust reverser is not deployed, you're not going to need the engine that badly. (I think there are actually two more conditions that I don't remember right now.)

In safety, you kinda need to weigh the consequences of having this system (with a chance that it might malfunction) vs not having it. Also consider that the benefit of having it, all of the occasions where it correctly shuts an engine off, don't get reported in the press.

If a TCMA bug caused this accident, the investigation will find out.
But right now, we don't have any evidence that that's what happened.

\x94Designers thought\x94 = MCAS flying under the radar from Boeing themself.

Anyway, I think we agree here.

I cannot se TCMA logic flying under the Boeing radar in this case?

TCMA is a logic nuilt in the EEC/FADEC by the Engine manufacturer I guess?

Yes. and whe\x92re discussing scenarios here.

With extremely little data for us to use I think people are grabbing anything as a cause.

TCMA as a cause has been interresting, learning. But it should be designed safe. Can we find a data point that takes us away from TCMA or can\x92t we?

I do not agree at all that MCAS was \x91not debatable.\x92 It was required for certification of a stretched type and probably not something Boeing wanted to install at all (there are plenty of aircraft with less than desirable stall characteristics mitigated by staying out of that regime). The \x91regulation happy\x92 approach is often counterproductive and hangs boxes on airplanes that have hidden traps. Without necessarily mitigating risks (like those idiotic seat belt dingers on cars or auto-start stop. If my seat belt isn\x92t on there\x92s a damn good reason for it and I don\x92t want a distracting and uncancelable alarm).

I also think that saying \x91cutting corners\x92 is an unjustified indictment. They didn\x92t IMHO. What WAS wrong was not making it clear how the system operated and that it could be triggered by a single AOA probe failure. And making it clear that the crew handles it just like any other runaway trim scenario. So to me it was mostly a training issue.

IF \x97 and it\x92s a big IF \x97 this accident was caused by an FAA requirement to automatically cut engines with engine runaway due unresponsive throttle (which isn\x92t needed in the first place with FCS and fire handles available) then the primary culpability lay with the regulatory entity (FAA) requiring more silly boxes on airplanes. Without zero thought towards unintended consequences.

But at this point it\x92s wayyyyyyy too early to do any Boeing Bashing based on an accident none of us have any clue as to the cause.

One note of QAR data\x97it\x92s transmitted to provide flight data monitoring (.Flight Ops Quality Assurance, in FAA land). The QAR data might help, but it\x92s not transmitted in real time only after block in.

...by the FAA

"This AD was prompted by reports of water leakage from the potable water system due to improperly installed waterline couplings, and water leaking into the electronics equipment (EE) bays from above the floor in the main cabin, resulting in water on the equipment in the EE bays"

The FAA is saying it's a problem . Any suggestion that it's related to this incident is pure speculation. Possibly brought on by that slop 'report', which may have itself been somewhat inspired by the ADs.

The engines controllers are powered internally, and the control signals appear to be redundant wiring to the thrust lever module. Perhaps there are joints in the E/E bays (probably to be avoided) but asserting liquid intrusion would cause simultaneous loss of all four signals seems laughable.

Flight controls are primarily in the fwd E/E bay but there is a set of actuator control electronics in the aft E/E bay. So even if one bay gets a deluge, it shouldn't take out all flight controls. And the flight path isn't consistent with uncontrolled flight, much less uncommanded flight with high thrust.

Consider that there's standby instruments with independent sensors and computing and mostly independent power. Thrust and flight control is subject to greater scrutiny and requirements.

Agreed. But the FAA itself does speculate - on what basis, I have no idea. They use the word "may", see here, last sentence (and in other ADs in the sequence):

https://www.federalregister.gov/d/2022-26933/p-18

This paragraph (and one before) is/are also worth a read - they see no rush to fix, obviously. https://www.federalregister.gov/d/2025-08346/p-20

100% Agree: any suggestion that it's in any way related to 171 is pure speculation. Sounds like these ADs apply only to small numbers of 787s. Don't even know if 171 was one of them.

But installing lavatories directly above EE Bays? Who's the genius...? .

Anyway, I make a point of not going 'there' during the last half of any long flight. They are frequently "awash" and unpleasant places to be. The washbasins themselves are also prone to the ejecting of water onto the floors. Agreed, it's a ####ty problem.

The requirements I have seen indicate that RIPS is applicable only to CVR or the CVR function of an EAFD. If you are aware of any requirement for RIPS to support flight data recording would you please provide a reference.

FAA requirements and the discussion/changes that resulted from the initial NPRM here -

https://www.federalregister.gov/docu...er-regulations

Yes, possible electric failure on the eafr is of course a totally different story concerning voice recording

This could be several issues aligning to cause the loss of thrust. If the new engine was installed and the synchronisation step was omitted by maintenance staff and the engines had different CPU/software versions then there could be an emergent failure mode when maximum thrust is applied resulting in a FADEC rollback. Almost impossible to anticipate and create that in a test scenario. Don't overlook that the pilot moving thrust levers to override rollback will be ignored by the software, if the FADEC has flipped into protective mode.

That said, the continued absence of the FAA issuing an Emergency Airworthiness Directive for the Dreamliner suggests to me the fault was something like contaminated fuel which was specific to that flight.

Thanks for the whole answer, more stuff to learn.

Elmer Fudd (an alternative spelling of "PhD") by all accounts knows a thing or two about a thing or two, aerodynamics of ducks, and ballistics, at the 12-Ga, birdshot level at least. That is a step above GT.

1. There is zero reason for the engines to have to be DOA before rotate. A point of note will be a close look at the elevator deflection at rotate, and that alone would put paid to such a position.
2. The engines being lost shortly after rotate is consistent with the video from the NE met sensor camera.
3. Determining the liftoff point by ADSB without adding a correction for the flow change at the PS sensor due to AOA is going to give nonsense, and that appears to be the case. The video gives a fair, not brilliant geometry to shoot a transit sighting of the aircraft at liftoff, and that is before the point that GT states.
4. I am impressed that GT has the deceleration rates for a B787 gear down, flaps at 5, for zero thrust. I know what it is for gear up, gear down, not so much, but it will be on the prompt side of ugly.
5. Undertaking an MLE estimate of the kinematics, do add the change for AOA if assuming a deceleration rate. You can get away with a rough overall estimate, but then lets not "gild the Lilly" by assuming accuracy at the decimal point level.
6. Every sensor has measurement errors, position errors, and granularity factors when converting to an output, accuracy to multiple decimal points just looks tacky.
7. The weight of the aircraft, if it is within +/-2% of the actual is doing pretty well, we have analysed baby puppy FAA aircraft that alter their actual weight by over 6% depending on whether they are using EASA weights for PLD, or FAA, or maybe the aircraft just happen to suffer from Coriolis.
8. GT's heart is in the right place, I don't agree with much of what he says, but then my wife doesn't agree with me often either, so maybe that is inconclusive.

We remain in the same holding pattern with a curious event that was recorded in daylight, and from which the recorders are recovered. The answers will start "flowing" "short"ly I guess.

For the past 30 years, we have collectively bagged Boeing in increasing measure, for doing what all corporations are obliged to do; the board is answerable to the investors, and the investors have a "10-second Tom" event horizon when it comes to their earnings. It is little wonder that the race to the bottom is being won by Boeing, it is what Wall Street demands, and in the end, after the bones of the OEM are picked clean by those that do such things on the carcasses of once great US engineering giants, then they will bitch and moan about the losses to shareholders while they pocket the profit of their profession, fleecing the investors. L-M has been better in managing the milking of the public purse, and maybe that is the way it should be.