Posts about: "Fuel (All)" [Posts: 1005 Pages: 51]

sorry if it was not clear : when you move the switches to cutoff and the thrust levers are above idle imho the engines would NOT cutoff , the command would be ignored .

Ok, thanks. I wanted to be sure what you intended before I told you it was nonsense.

Im pretty certain in those conditions the engines will shutdown. Haven\x92t flown the 787, but every other plane would and for good reason\x97how do you deal with an uncontrollable engine?

*On the ground* you get into a latched state, once TCMA deploys: after activation the relays stay latched to prevent a re-runaway. A full power reset of the affected EEC channel(s) and relay logic - normally done only at the gate - is required before fuel can flow again. So you can\x92t easily relight.

I rather think of more than one failure. For example (and I don't think that is what happened!): Some 11 year old contactor fails fatally in the central electrical equipment bay. This failure leads to a total electrical blackout. The engine driven fuel pumps, being older as well, don't do gravity feed anymore as they should.
ONCE AGAIN: I don't think that is what happened - it's just an example of a chain of events triggered by worn out and/or older equipment. Both failures would never happen on a new aircraft.

Thanks, makes sense.

Technically, then, if TCMA deployed erroneously during takeoff, there would be no way for the pilots to restart the engines?

It would surely be nice to get clarified. Does the FADEC control the fuel cut-off valves? Isn't that messing up the hierarcy somewhat? And wouldn't/shouldn't these be separate from everything else?
If so , the likelyhood of this having anything to do with the switches, their harness, or connectors drops way down. (although most theories are dealing with statistical "impossibilities", what better time than after decades for such to occur.)

The switches are double on's or 4 pole, that means they are (can be) connected to 2 different systems individually. Anyone know how that system looks? Why 2 signals?

DISCLAIMER: Poster (a) is one of the (apparently quite numerous) lawyers following this thread; (b) a long-time forum lurker and aviation enthusiast who loves studying FCOMs for fun (to each his own, I guess); (c) has followed and read this thread from the start.

What I cannot do is add new theories or uncover any new facts the actual experts have not already thought of. However, since summarizing and structuring information is one thing lawyers tend to regularly do (and sometimes even do well), here is my attempt at a useful contribution to this thread: an attempt to summarize the main theories discussed here since day one (which I think hasn't been done for quite some time) in the hope that a birds-eye view will be helpful to those who have not read everything since the beginning or might even trigger some new flash of inspiration for someone more knowledgable than me. I have focused on the cons since there does not seem to be enough evidence to come to any positive conclusion.

I shall try to be concise and to refrain from personal evaluations of my own. Of course, no disrespect whatsoever is intended towards all those who have contributed to this thread and to the individual theories, one or combinations of which may turn out to have led to this tragic outcome. That arguments can be made against every single theory that has been propagated seems to be the result of the highly improbable and unusual nature of this deplorable event and certainly not due to any lack of knowledge or reasoning skills in this forum.

DEAR MODS: If I have distorted anything or if, meaning well, should have achieved the opposite \x96 I guess you know where the delete button is\x85

Anyway, here goes:

A. Misconfiguration or wrong takeoff data
Widely refuted, since

• rotation, takeoff and initial climb seem normal;
• likely extreme errors would have been required to have such tragic effect (the fuel tanks should have been only about half full, so not close to MTOW);
• there is strong evidence that at least some flaps were extended for takeoff (post-crash photo, perhaps also visible in video from behind)

B. Flaps retracted post-takeoff instead of gear
Still brought up from time to time. However, widely disregarded due to

• the fact that with two working engines an inadvertent flap retraction should easily be recoverable, even with gear down;
• strong indications that hydraulic and electric power were lost (audible/visible indications of RAT extension, survivor statement, lack of engine noise, position of MLG bogies).

For a while, the forward tilt of the bogies as first part of the retraction cycle was seen as additional evidence that the gear had been selected up. However, it has been pointed out that the forward tilt and the opening of the gear doors occur almost simultaneously so that it seems unlikely that hydraulic power was lost in the split second between bogie tilt and gear door actuation. It is now assumed the forward tilt of the bogies was merely a consequence of the hydraulic power loss.
It should be pointed out that the question of "RAT in or out" was for a while the most contentious in this thread.

C. Low-altitude capture
Still argued, even if refuted by many since

• inconsistent with apparent loss of hydraulic/electric power;
• PF would have been flying manually (however, A/T reaction would have been unexpected for the PF);
• should have been recoverable (unless one assumes that the crew (a) remained unaware of the changed FMA annunciations although alerted by the unexpected FD commands; and (b) was so startled that an A/T thrust reduction was not noticed and corrected, even though the PF was apparently sufficiently alert not to follow the FD commands).

D. Loss of both engines at or shortly after rotation
Various possible reasons for this have been discussed:

I. Bird strike/FOD

• Would have to have occurred simultaneously due to lack of rudder/aileron input indicating symmetric thrust.
• No remains/traces on runway, no visual indications (flocks of birds, flames, structural engine damage).

II. Fuel-related III. Improper maintenance
Unclear which maintenance measures could possibly have been performed that would have resulted in simultaneous loss of both engines. No apparent relationships between malfunctions reported by previous passengers and essential systems.

IV. Large-scale electrical fault (e.g. due to water in E&E bay)
The engines will continue to run if electrical power is lost. FADECs are powered independently.

V. Shutdown of engines by TCMA
A parallel is drawn to the ANA incident. However, this would require not only a fault in the air/ground logic but also a sensed discrepancy between T/L position (not necessarily idle) and thrust output on both engines simultaneously.

VI. (Inadvertent) shutdown by flight crew VII. Malfunction/mishandling of the fuel cutoff switches (most recent)

The TCMAs will not 'activate' - trigger fuel shut off - on a rejected take off if the engines do what they are told when the thrust levers are set to idle. The software monitoring the engine parameters v throttle position is quite sophisticated, for obvious reasons.

User989 thanks for a nice summary
I am at risk of turning into one of those folks who gets their mind locked on one possibility and keeps banging on about it but here goes;
If the authorities determined that the accident aircraft had been treated by maintenance for microbial growth in the fuel tanks within the last week or so, and they suspected that that procedure was carried out in a way that could result in fuel contamination, then that would explain

1/ No other aircraft being affected
2/ No measures taken at the airport
3/ No AD’s from the regulators
4/ No grounding of 787’s
5/ Flight profile
6/ Rat deployment etc etc

I agree with your statement that dual flameout due fuel contamination is very unlikely, but we ARE dealing with something that is very unlikely. I favour the theory because an error in treating the fuel is so predictably human and simple, and a dual engine failure being related to fuel is also a simple and obvious idea, and it satisfies all we know both about the aircraft’s behaviour, and the authorities behaviour post accident.
I posted a report earlier of a 787-8 powered by the same engine type have both engines roll back sub-idle within a minute of each other while airborne due to this, so we know it can happen in theory.

Now……I want to be clear that I’m not saying I think I know what happened, I’m an average Joe with my hands full just flying the line, but I am a bit surprised that the idea of ‘fuel contamination specific to that airframe’ doesn’t get discussed more on this thread.
Thanks again for the clear summary of discussion thus far.

Fuel guy here. I've been "sitting on my hands" as requested by the mods but I will bite on that. Because dual engine failure is a "common mode fault" contamination is one of simplest explanations. Forget wax, think sediment, water or misfuelling. The only reason this has been discounted in favour of an electromechanical/software fault is that there is no yaw, i.e. both engines ran down at the same time at more or less the same rate, and would have to have been fed from the same tank (so the contaminated fuel reaches the engines at EXACTLY the same time on each side - is that even possible?). Its a stretch but I suppose it is possible, however the retention samples should have been tested by now. I would be interested in confirmation that they were taken and tested. I would also want to know if there is a "hot hydrant" system at AMD or if there are bowsers and if any maintenance had been done (think Cathay at Surabaya). But honestly, the fuel supply chain is usually rigorous...[edit: I have just seen a Reddit post pointing to a major construction project involving the fuelling facilities at Ahmedabad...will try to find out more...]

Does anyone have a link to a document (Boeing / FAA) that attests / mandates to the solenoid being a locking type?

Just so I have this clear, are you saying that the implementation of the TCMA functionality involved no new components being added to the pre-existing FADEC? Are you saying, in effect, that the two switch relays described in the TCMA patent application, which relays and their configuration achieves the described two channel redundancy, were already there as components or are mere depictions of what the software does itself?

I am not suggesting you are wrong and, as I've said before, the descriptions and schematic in the patent application are just 'big hands / small maps' concepts. However, if TCMA functionality "is simply a bit of software in the FADECs", merely sending a 1 or 0 or other signal into a point in the pre-existing FADEC that already had control over fuel cutoff (with the TCMA software merely monitoring data busses, rather than direct sensor outputs, to work out thrust lever position and whether or not the aircraft is 'on the ground' for TCMA purposes) I for one would really like to know that for sure and get my head around the implications.

That is the implication I have heard all along, particularly from tdracer's posts.

It uses existing thrust-lever-angle inputs, existing N1 inputs, and (presumably) existing WoW inputs, does software stuff inside the ECU, and if necessary uses the existing overspeed cutout outputs to stop the engine.

Before this accident occurred, Boeing whistleblowers were in fact reporting that planes were leaving the line, entering service with defects (including swarf) that would cause accidents many years later.

The TWA 800 airframe was 25 years old at the time of the accident, where arced wiring was implicated in that crash. In the aftermath, industry-wide sampling of aircraft found cracked insulation on wiring, non-factory swarf added by follow-on maintenance, instances where wiring had been re-routed or manipulated in a manner that placed increased strain on looms, etc. Of course the problem with wiring-related problems is that they can produce faults that no engineer could have foreseen or have developed countermeasures for.

Not to be an alarmist, but much has been written about wiring issues on the aging fleet. I tend to believe that maintenance people in earlier generations were more conscientious about their work, where now more than ever corners are cut (beginning at the factory).

I don't have any direct knowledge, but yes, that's my understanding based primarily on tdracer's comments. It also just makes sense. I'm pretty confident that all the necessary hardware already existed because of the need for N2 overspeed protection. A failure in one FADEC channel could drive the FMV fully open, leading to an overspeed and uncontained engine failure. For regulatory purposes, it would be unacceptable to have a single point of failure with catastrophic consequences, so it would be necessary to make the inactive FADEC channel capable of cutting off fuel in that case.

The air/ground signal would've already been present as well. It would be needed for switching between ground idle, flight idle, and approach idle. Tdracer has discussed that as well, in past threads.

Yes. I simplified. The point stands that the throttle needs to be pulled back, as it was in the ANA event, because that was a landing and not a take-off.

First, you posted a good summary. I'd have added "unanticipated hardware fault" and "unanticipated software fault" as generic causes.

Note that the thrust lever actuators are wired to the FADECs, and that the TCMA gets the T/L position from that. For TCMA to trigger, it has to determine that its FADEC (on that engine) failed to achieve a commanded reduction in thrust. So we're either looking at a weird, unprecedented edge case, or a FADEC failure, or both.

It has been mentioned before that this capability existed as part of the N2 overspeed protection: the FADEC would shut down a runaway engine by cutting its fuel before it disintegrates.
The thrust lever sensors are wired directly to the FADEC (and hence the TCMA). No data bus is involved with this item.

With a MCAS crash, it required a hardware problem with an AOA sensor, used as input to a correctly working MCAS, to cause the aircraft to behave erratically. With a correctly working TCMA, I believe it'd require two hardware problems to get TCMA to shut down the engine, as there'd have to be an implausible thrust lever reading, and a FADEC/engine failure to process it within the TCMA allowed range ("contour"?). On both engines, separately and simultaneously.

That leaves a software problem; it's not hard to imagine. The issue is, at this point it's just that: imagination. I could detail a possible software failure chain, but without examining the actual code, it's impossible to verify. We simply don't have the evidence.
I could just as well imagine a microwave gun frying the electronics on both engines. An escaped hamster under the floor peeing on important contacts. A timed device installed by a psychopathic mechanic. There's no evidence for that, either.

This process is a way to psychologically cope with the unexplained accident, but because it lacks evidence, it's not likely to identify the actual cause. We've run the evidence down to "most likely both engines failed or shut off close to rotation, and the cause for that is inside the aircraft". Since the take-off looked normal until that failure, we have no clues as to the cause hidden inside the aircraft. We need to rely on the official investigation to discover and analyse sufficient evidence. The post-crash fire is going to make that difficult.

"Both engines failed or shut off close to rotation" explains all of the evidence : it explains an unremarkable take-off roll, loss of lift, absence of pronounced yaw, loss of electrical power, loss of the ADS-B transponder, RAT deployment, the noise of the RAT banging into place and revving up, emergency signs lighting up, a possible mayday call reporting loss of thrust/power/lift, and a physically plausible glide from a little over 200 ft AAL to the crash site 50 feet (?) below aerodrome elevation .
It explains what we saw on the videos, what the witness reported, where the aircraft ended up, and the ensuing sudden catastrophe.

I don't believe we have evidence for anything else right now—I'd be happily corrected on that.

-----
Edit: the evidence of the crash photo with the open APU inlet door, and the main gear bogeys tilted forward, are also explained by the dual engine failure/shut off.

I'm not suggesting you are wrong wheelsright, my post to you was in response to posts I have made about potential fuel contamination, being removed. A central point of failure is more likely than the simultaneous shutdown by systems on two separate engines at the point at which the aircraft left the ground. If what is being speculated on is possible then all ETOPs approval should be removed and the engine manufacturers told to start again.

If power failed first,
What happens to TCMA sensors like Weight on Wheels? Radio altimeter? Is there one Weight on Wheels per engine? Is there one radio altimeter per engine? If not, why not? Are the TCMA sensors directly powered as part of FADEC? If not, why not?
Is it possible that there was a noticeable loss of thrust caused by loss of fuel pumps and the pilot responded by cycling thrust to zero and back, trying to clear the problem, inadvertently triggering the TCMA?

Engineer not a pilot. Experience in analog front ends, A2D and R2D conversion and embedded systems generally but no specific knowledge of the 787 or GEnx.

I like everyone else have no evidence that TMCA played a role but given that it is one of the few systems with the ability to cut fuel to the engines, here are some thoughts on how signal processing could have extended the window of when TMCA could bite. In particular, I'm looking at the time immediately after the nose lifts up when something may have physically shifted onboard.
I'll phrase it as a number of questions but realise that the few people who can answer may not be able to for now.

Thanks to tdracer's explanation on TMCA (albeit 747 not 787), we know that TMCA is a logic block within the FADEC whose only external inputs are a logic signal fron the aircraft that indicates whether it is on the ground or not and throttle position as determined by two independent resolvers per throttle side.

The logic would seem to be something of the form
If (G AND (N2>A OR N2>B)) Then CutOffFuel()
where G is true when the aircraft is on the ground,
A is an envelope defined by throttle resolver channel A and
B is an envelope defined by throttle resolver channel B

Q1: Am I correct in that assumption that when on the ground, overspeed with respect to EITHER resolver A OR resolver B can trigger TMCA?

We have been told that the logic (ie true or false) signal G is determined from the Weight-on-wheels sensors and the RadALT. It is reasonable to suppose that the designers still wanted TMCA to function after a hard landing where some landing gear components had failed.

Q2: When the nosewheel lifts off but the MLG is still on the ground and RadALT is close to ground, will G still be true?

Next, it is common when data fusing multiple inputs that there is a desire to clean up a signal before it is sampled digitally. This can remove effects such as switch bounce. The inclusion of low pass filters or hysteresis will generally add a propogation delay.

Q3: Is there a slow filter (Tc>=1s) in the ground/air logic which could have caused a slight delay before G became false after takeoff further extending the opportunity of TMCA to activate?

Q4: Does TMCA act almost instantly or does it wait for the fault condition to stay asserted for a period of time before acting?

At that point, the total energy of the system would have comprised of the kinetic energy of the aircraft travelling at Vr, the rotational inertia of the engines and the potential energy of whatever fuel is beyond the cutoff valves.

Q5: Would this total energy have been sufficient to get the aircraft 100ft into the air?

It would still need a mechanism for at least one throttle input to each FADEC to misbehave at the same time. Resolvers are fed with an excitation signal to the rotor and take back two orthogonal signals (Cos and Sin) from stator windings. Usually, the excitation comes directly from the resolver-to-digital (R2D) circuit but sometimes an external signal source is used. I would hope that in an aircraft system, each channel would be kept independent of everything else.

Q6: Does the excitation signal for the 4 throttle resolvers (2 per side) come from 4 independent (internal) sources?

My last thought for a single point of failure between both throttles would be a short between two wires or connection points carrying resolver signals, one from each side. Whether this could be caused by swarf wearing within a wiring loom, a foreign object moving about, crushed wires or even stretching of adjacent wires, I have absolutely no idea.

Q7: Do resolver signals from left or right, either channel A or B, run next to each other in a loom at any point?