Posts about: "FADEC" [Posts: 231 Pages: 12]

Firstly, I've read through this whole thread - thank you Admin & Mods for your considerable efforts to clean things up.

Secondly, as a (now ex) glider pilot who remains extremely interested in aviation in most of its forms, this discussion has been an education and thought-provoking, as it so frequently is whenever I lurk here (usually without logging in). Thank you all for sharing your knowledge, expertise and thoughts.

To my mind the above post (especially the sentence I highlighted) is amongst the best (and most succinct) summary of what the pilots likely faced, with little to no time to resolve the situation. I cannot imagine those last few seconds and my heart goes out to them, the passengers and the many loved ones left behind. If there is any good that can come of this, it is that the cause is found quickly, with no bias, and steps are taken to ensure the same holes in the cheese cannot happen again.

2008, a Spanair MD-82 crashed in a similar way after liftoff in Madrid. Final report Spanair .Main cause: The pilots did not configure the airplane according to checklist and took of with zero flaps and slats. Contributing: previous maintance was disabling RAT heating (MEL if not flying into icing conditions) which somehow inhibited electrically the takeoff configuration warning. I am not implying in the least that such a thing happended to this Air India crash. I just mention it as a proof that some *minor* quirks can contribute to an accident (i.e. disturb FADEC, TCMA logic, you name it) . Modern aircraft software logic is even more complex than the wired logic of an MD-82. But still: all "IF so and so THEN so and so " code can produce weird results if the conditions are corrupted or delayed by data communication lags. And according to a witness, there were some electrical quirks on the previous flight and possibly some maintenance thereafter. Again not implying any wrongdoing.

There are at least two whatsapp chain messages doing the rounds (one about the seat theory and one about water on electrics causing FADEC failure). Both are very detailed but clearly fake news with incorrect dates, ECAM instead of EICAS and lots of other things which are clearly inaccurate. They\x92ve probably seen this and reporting it as news

Why is that required for certification? Slamming the brakes and cutting fuel should do and has always sufficed in pre FADEC era. Going full power when the throttle cable brakes has been considered the safe state.
Where does that piece of software reside by the way?

It was assumed for decades that in the event of uncontrollable high thrust (UHT) that the pilot would cut the fuel. Until there was a UHT event (1999?) on the takeoff roll and the crew - in an RTO - rode it all the way down and off the runway without cutting fuel. TCMA is primarily about the RTO scenario (throttle back to idle), and after that fleet event it became a requirement for FAA Part 25 certification.

FADEC = Full-Authority Digital Engine Control

Isolation comment still applies, but 'completely' may be debatable when there are still physical connections.

Well even when I think I know something I get it wrong. Thanks for the correction. Back to reader mode.

Keeping track of this thread is tiring - again, my sympathies to the mods, as tiring as I find it, it must be far worse for them )
Apologies for a few terse posts last night, but a couple of inane posts (by a usual suspect) really set me off. I've never used the 'ignore' function, but I may need to revisit that.

I posted this previously, but it was about 70 pages ago, so I understand not going back that far, or forgetting that tidbit amongst all the noise.
In short, I'm not familiar with the specific air/ground logic on the 787/GEnx-1B - the logic I posted (3 radio altimeters, 2 Weight on Wheels, at least one of each must indicate 'on-ground) is for the 747-8 (which I'm intimately familiar with). I have a vague recollection of a discussion with my GEnx-1B counterpart 10 or more years ago that suggested that the 787 was not as complex as the 747-8, but I don't recall any details. Basic FADEC logic (BTW, as someone else noted - it's "Full Authority", not "Autonomous") is to default to 'air' if in doubt, as it's considered to be 'safer'.
The only real hardware in the TCMA system is the N2 overspeed shutdown system - which goes through a BITE style functional test on every engine start. Everything else is in software - with the only aircraft inputs being Air/Ground and thrust lever position.

As I've posted previously, the FADEC is powered by a dedicated Permanant Magnet Alternator (PMA) - aircraft power is used only as a backup for starting or if the PMA fails. If the FADEC determines it is running on aircraft power with engine running (i.e. the PMA has failed), it sets a 'No Dispatch" fault message.

The electrical failure is rather a chicken-egg question.

Not knowing the 787, I\xb4d find it extremely hard to believe that a massive electrical failure would kill the engines. I gather from this thread that the landing gear retraction is driven by the electrically-powered Center hydraulic system. Retracting the gear is hard work for the system and it will put a strain on the two pumps and their supplying electric circuits, and the time of the alleged total power loss would seem to be in the vicinity of the suitable time to retract the gear.

But if there was some freak epidemic failure this inflicted upon the aircraft electrics, it is hard to imagine that this would affect both engines. There are still the autonomous FADEC governing them that run on their own internal generators (with a small external power source from the main systems, should the permanent magnet alternators fail) and do everything they can to keep the engine alive. As long as there is fuel flowing into the feed pipes, the engine should be kept running by the FADECs, and that this does not require the large tank pumps at low altitudes has been established in this thread.

Consequently, I\xb4d deem it plausible that the alleged power failure must have been a consequence of whatever happened to the engines. After all, the engines drive the available generators at this stage of flight, the APU with its additional generators is apparently not run for takeoff on the 787. I find it logically much easier to wrap my head around a situation in which an engine failure takes along the generators than one in which a massive, epidemic electric breakdown kills the engines.

I'm not familiar with the details of how the FADEC s/w is coded (it's the responsibility of the engine manufacturer - in this case GE). Boeing provides specific requirements as to the aircraft/engine interface (documented in an "Interface Control Document" - ICD).
My understanding is that GE uses an automated coding system that takes logic diagrams of what we want the s/w to do and turns that into the s/w code - again don't know details (my expertise is engine control and engine/aircraft interface - not s/w development).
The FADEC is a dual channel device (most of the sensors are also duplicated between channels), but both channels use the same s/w (Rolls did a thing many years ago where the channels used different s/w - it was mess and caused all sort of problems - I don't think anyone else has tried that since).

FADEC software is classified as "Design Assurance Level A" (aka DAL 'A') - flight critical - same thing as FBW software. There are specific requirements for the creation, testing, and certification of DAL A software and it's quite exhaustive (those requirements are documented in an FAA/EASA approved s/w requirements document (DO-160 IIRC). Yes, it is possible for something designed and certified to DAL A to have 'bugs' (and yes it has happened), although those 'bugs' have nearly always been traced to requirements errors - not the actual incorporation of those requirements.
It's also worth noting that the GEnx-1B has millions of hours of operation. Nothing is 'impossible' - even a 10-9 event will happen given enough opportunities - but the odds are very low of it happening.
Then again, all of the plausible explanations for dual engine power loss that would explain this accident are of a very low probability.

DO-178 unless propulsion systems are for some reason different from displays and flight controls.

I have been on the fringes of dissimilar hardware and dissimilar software designs (MD-11 flight controls). Sometimes it is necessary but there is a huge overhead in both development and test.

Edit to add - Even with dissimilar processor and software the requirements for both will trace up to some common high level system requirements specification. There is a non zero probability that those top level requirement were inadequate or included an error.

FADEC issue I suspect.

With both engines?

Adding to your response TD, there is no time in this event where a high AOA arose prior to the final moments, around 13 seconds after the problem has occurred. AOA, intake separation is not a factor.

Going back to your prior comments on FADEC and TCMA; these are independent systems to each engine, however the event indicates a symmetric loss, and the potential of water ingress from a failed E/E sealing from the main cabin services remains a single causation that could result in multiple failures at the same moment. The last time I assessed issues in the E/E bay related to unauthorised inflight access to the fwd E/E of a B777 it was sobering how many irreversible conditions could arise. The B744 water inundation cases I was involved in were both on TO, the QF event was during deceleration. We are looking at vectors that come from outside of the normal assumptions in the SSA's, water fits that bill.

One related question: since it was reported that the packs were not functional on the previous flight and were (presumably?) fixed before the accident flight, could condensation of excess humidity in the E/E bay be a relevant mechanism?

As I noted previously, the FADEC is a dual channel device. It's long been the case that dispatch is allowed with a single FADEC channel failed (this goes back to the original PW4000/CF6-80C2 as installed on the 747-400 and 767.
The MMEL says something like "4 installed, 3 required" (referring to individual FADEC channels) - so you can dispatch for a short time with one FADEC channel failed. Yes, if the remaining channel of faulted FADEC fails, the engine will fail - but the FADEC reliability is such that the probability of losing the remaining channel (and hence the engine) is sufficiently small as to be acceptable.

Both channels can operate TCMA, so a single channel failure has not overall effect on the system.

Again, 'channel out' dispatch is nothing new - it's been the case since 1989 (when the PW4000/767 entered service).

No, it doesn't.
There are already 'dual-path power redundancy for FADEC' - dedicated engine driven FADEC power supply, and aircraft supplied 'backup' power. Again, there is no known way that an aircraft issue could cause the FADEC to lose power.

I'd rack this up to more AI generated nonsense.

Edited to add - others have beat me to the punch...

Have to admit, that made me chuckle

There have been many speculations about latent threats in systems\x92 design. If you can easiliy come up with some possible latent threat, what are the changes that not a one professional person designing, testing and certifying it couldn\x92t figure it out? Or it was ignore if recognised?

Without any 787 knowledge, I would assume two discreet signals from respective Engine Fuel Switch to each FADEC channel, possibly with other redundancies. Or other solution that is at least as robust.

Repeating myself (again), but ALL the TCMA logic is resident in the FADEC. It takes aircraft inputs of air/ground (again, not familiar with the specifics of the air/ground logic used on the 787/GEnx-1B, so don't ask), thrust lever position, and what the engine is actually doing (mainly N1) to determine if the engine is 'out of control'.
The thrust lever inputs are hardwired (resolvers connected to the thrust levers, powered by the FADEC), other aircraft communications on the 787 are on an ethernet based network. Default mode for the FADEC if aircraft inputs are lost or invalid is "Air", as that is generally considered to be the 'safe' choice.
But even assuming some aircraft fault caused the FADECs to falsely believe the aircraft was 'on-ground', it would still take a pretty major error in the TCMA logic for it to actually trigger and shutdown the engine (especially lacking an associated thrust lever movement to idle). Never say never, but we're getting pretty far out on the probability tree for all these things to happen.

And most of all, the SISO principle (#### in #### out) applies with regard to data from other systems, which are obviously processed in TCMA. Multiple transient faults may not be considered comprehensively e.g. in input processing and filtering.