Posts about: "Fuel (All)" [Posts: 345 Pages: 18]

And that\x92s the only way it makes any sense.

Hello, this is my first post on pprune; as a 787 pilot I’m also puzzled by this accident. All seem to agree that for some reason there was a complete electrical failure and RAT deployment. With a complete electrical failure all six main fuel pumps fail. Each engine also has two mechanically driven fuel pumps. On takeoff, if there is fuel in the center tank, it will be used first, pumped by the two center tank pumps.
My airline’s manuals don’t go into much detail, but I read on another site that if both the center tank pumps fail, the engine driven pumps aren’t able to suction feed well enough from the center tanks to sustain engine operation. If there was fuel in the center tanks, a complete electrical failure would soon lead to center tank fuel pumps failure (all fuel pumps failure as stated previously) and fuel starvation of both engines. A rescue from this situation would be an immediate selection of both center tank fuel pumps OFF (not if my airline’s non-normal checklists) and waiting for successful suction feed from the L and R main tanks to occur, this would take a number of seconds.

Yours is very good logic, as far as it goes.

But I'd posit these points (without making any assertions about the probabilities of the scenarios).

There is a flaw in the logic arising from the categorical assertion that the 'aircraft on ground' signal 'would have been correct' during the take off roll: "Regardless of whether the ‘aircraft on ground’ signal was incorrect after rotation it would have been correct during the takeoff roll. IF there was an unrevealed fault in a thrust lever position signal THEN why didn’t TCMA activate during taxiing or the takeoff roll?"

What IF the 'aircraft on ground' signal into the TCMA systems was INcorrect during taxi and the take off roll, thus disabling the TCMA functionality during that phase of the flight, making no difference in any event because the engines were operating normally in accordance with the thrust lever settings? In that case, any error in, for example, the thrust lever signals and engine signals to the TCMAs would not have had any consequence. Maybe the signal reversed and stayed INcorrect after take-off. Of course, that's why we are all craving to find out from what source/s the TCMAs get the 'on ground/in air' input/s and what other systems use the same source/s.

And I reiterate the point that the TCMA is "just software". I haven't seen anyone dispute the suggestion that the thing 'common' to all 4 channels of the TCMA is 4 copies of software.

In the earlier thread there was a statement about the 'obsession' of some with TCMA. I'm not 'obsessed' with it, but confess a prejudice towards trying to find a cause that is not a result of crew error. I therefore also have an attraction towards fuel contamination, but have difficulty in believing that fuel contamination would result in such a 'clean', immediate and simultaneous reduction in thrust from both engines after they'd operated normally during the take off roll.

Great first post (IMMHO!) If this is correct, then I think you are onto something very significant. No expert, just an outside the box thinker who has been trying to see what ordinary (non-pilot-blaming) explanations there could be for a near simultaneous dual engine failure. I imagine a complete electrical failure leading to fuel starvation from lack of pump feed pressure from the centre tank would not result in apparently near simultaneous engine failure, but who knows? (Aren't there (suction) bypass valves here, but maybe they get stuck after long non-opening - instead long subject to closing pressures?) This could have been the case here as my experience suggests the probabilities aren't small.

FWIW, according to earlier posts, the fuel load was about 50T, leaving about 18T in the centre tank, so (I think) about 25-30% full. A full centre tank might allow engine pump suction to work fine, but this might not? (Contrary to what some have said.)

Anyway, FWIW, not everyone agrees with RAT Deployment - see recent post by shep69. Would love to know why he doesn't go with RAT deployment...

Sorry but that doesn't really make sense. Once the power failed and all pumps are off where is the point of switching of the center fuel pumps off? Without power they aren't running anyways.
Furthermore the preference of the center tank while it's filled is just by the higher fuel pressure those center pumps deliver. There is no valve that controls that, which might be triggered by switching off pumps.

Just for me to understand: How would you shut off the engine driven pumps if there is no electrical connection whatsoever? If there is a "powered" valve, wouldn't this (also) cut fuel suppy in case of a complete electrical failure?

The fuel shut off valves are fail safe open.
This has been mentioned several times.

Wouldn't "fail safe open" imply that the valves would open on loss of control signals or power. They don't. They stay just where they were before loss of power or control signal. If I understood tdracer's description of the HPSOV it can only be open or closed. That's not true of the spar valves which are motor driven and can stop in any intermediate position if power is lost.

The only way this is relevant to the accident is if the shut off valves had been commanded closed and then power had been lost. The valves would not open.

I am not a Boeing pilot, but a Bus pilot. I believe that what you're describing is prevented by the certification regs for transport category airplanes.

On the 320 (equipped with the old system (fuel pumps), not the newer system (transfer valves)) the center tank pumps are inhibited when the airplane is airborne with the slats extended.

Check these certification rules:

https://www.ecfr.gov/current/title-14/section-25.953
and
https://www.ecfr.gov/current/title-1...-25#p-25.903(b )

Crossky, welcome to this hamster wheel.

If you go and chat to the engineers, have a look in the IPC or MM I Ch 28, you should find a good description of the fuel boost pumps. It's been a while but I recall they are Eaton designs, the general arrangement is similar to the B777. They both have a suction feed that permits fuel feed in the event of a loss of all boost pumps. The only impact of that arises at high altitude and high thrust levels, where the engine driven fuel boost pumps may capitate and reduce the available fuel feed resulting in a lower thrust level.

Refer page 12.20.02 in the TBC's B787 FCTM, or search for "SUCTION FEED".

At sea level, full thrust will be achieved without any boost pump on the aircraft. Recall that the CWT boost pumps are known as Override boost pumps, they are feeding from the CWT when there is fuel and they are running, as the output pressure is higher from these pumps than the 2 wing boost pumps. Whether there is fuel in the CWT or not, or the CWT pumps are energised, is immaterial to whether fuel will be supplied to the engine driven fuel pumps.

Note that with BA038, the fundamental problem was blockage of wax/ice formed in the piping that blocked the FOHE, and that will cause a problem with those engines that have such architecture, but is not associated with the availability of the boost pumps themselves. Even then, the engines did not technically fail, as they have both done simultaneously with the B788 of AI 171, BA's engines were running but not able to provide significant thrust due to the FOHE blockages.

Under a complete electrical failure all electrically powered fuel pumps will fail, but the engine driven mechanical pumps will not fail, but according to information in my manual and what I\x92ve seen online, the engine driven pumps can only suction feed the engines from the main tanks. The 787 will burn fuel from the center tanks first, because they provide a greater pressure than the main fuel tank pumps.

Hoover from the generally respected Pilot Debrief channel put up his analysis.

He analyses the point of rotation looking at the airport layout and using the video with the shack showing the aircraft rotate behind it, in that case the aircraft rotates at a reasonably normal place. That being the case what is the "cloud of particles" that appear to the left of the aircraft ?

He discounts electrical failure affecting both engines due 787 design, and fuel contamination due both engines fed from separate tanks unlikely to affect both engines at the same time.

The possibility that one engine failure occurred at a critical point in the take off and that possibly the wrong engine fuel cutoff switch was pulled.


camera angle with shack and suggested point of rotation



whats this..

All of which has been discussed and for the wing vortices and the fuel feed has been explained quite comprehensively, along with the fuel cut offs: have you not read these posts only made recently?

I repeat, do NOT post repeats of discussions already had unless there is something of value which may change or enhance previous posts. This is a prime example of a post which should be vetted and dismissed before pressing Submit Reply 🙈

It\x92s a possibility (as is virtually anything that doesn\x92t break the laws of physics) but all the training, practicing and checking would have been to emphasise SOPs, which are to leave all the engine controls where they are until you have done a proper interactive diagnosis at a safe height with the flightpath assured.

Where the meme has come from that jet pilots have to shut down engines as quickly as possible I don\x92t know but it is incorrect. If you left a failed engine without securing it for 5 minutes, little to no harm would come of it. Even if it was on fire (which is not necessarily flames, just higher than normal temperatures inside the nacelle) they are certified to be in this condition for some considerable time before it becomes a problem. Yes, I think the phrase \x93without undue delay\x94 could be used for a fire indication but that\x92s a minimum of 400\x92AGL in Boeings and does not absolve you of all the cross-checking and CRM that should happen with an engine shutdown. This is practiced/checked at the least every 6 months in EASA land and any attempt to rush a shutdown at low level would lead to a debrief and more training/checking.

To put it this way, control of the aeroplane and lateral/vertical navigation is far more important than doing stuff with a failed power plant. Something like an ET should be absolutely prioritised over engine drills.

Agreed, my brevity in reply doesn't tell the whole story.
What I mean is that with engines running, fuel shut off valve(S) open, if there is a loss of electrical power the valves will remain open.
This is standard design on all the gas turbine engines I have worked on.

I don\x92t really know what you are talking about. I\x92m current 787 and have flown many types including airbus prior to this. EFATO is normally an SOP handling exercise, not a memory item in itself. Memory items on nearly all types cover the specific drill for the engine only in all regimes of flight\x85ie severe damage/separation, engine limit exceedance/surge, engine fire. ie you\x92d never say \x93I\x92ll take the memory items for an engine failure after takeoff\x94.

EFATO handling is similar on most types too\x85in essence, contain any yaw, rotate, get the gear up and either trim it out or (787) let the aircraft trim it out\x85.AP in and once safely climbing away at a defined altitude diagnose followed by memory items if applicable. 787 you don\x92t action any drills until above 400ft so it would be extremely unlikely this crew actually got the stage of touching a fuel control switch.

I am only asking about an engine failure memory item. Fire, separation or severe damage being a different beast.

Are you confirming that there is no specific engine failure memory item? When safe run the QRH?

​​​​​​​I completely agree.

Without going round the hamsterwheel again does anyone have an actual reference for this? Because I've gone back through each of tdracer's very informative posts about this see here and there is a discrepancy in the two points he makes below in adjacent posts. Is tdracer talking about the same HPSOV valves? Can anyone confirm that with both AC power loss and and a temporary DC power loss there are no critical engine related shutoff valves that will fail safe (unpowered) in a closed position?

The spring loaded valve he is talking about is surely behind (in sequence) the engine driven fuel pump. It assures that no fuel is leaking into the engine while the engine isn't running.
However, it could easily have different modes of operation (closed, electrically actuated), activated (electrically actuated), open (transition from activated + fuel pressure > 300psi).

Further to the (logical in my view) points you make in response to AAKEE's ostensibly logical conclusion that the commencement of undercarriage retraction (if it did commence) is conclusive of the aircraft being 'in the air' for aircraft systems purposes, including TCMA purposes, I make the following points:

First, whilst it may be that every system that monitors and makes decisions about whether the aircraft is 'in the air' does so on the basis of exactly the same sensor inputs, that may not be true and I'd appreciate someone with the expert knowledge on the 78 to confirm or refute the correctness of the assumption, particularly in relation to, for example, FADEC functions compared with undercarriage control functions.

Secondly and probably more importantly, what happens if one of the sensors being used to determine 'in air' versus 'on ground' gives an erroneous 'on ground' signal after - maybe just seconds after - every one of those sensors has given the 'in air' signal?

Reference was made earlier in this thread to a 'latched' in air FADEC condition that resulted in engine shut downs after the aircraft involved landed and was therefore actually on the ground. But what if some sensor failure had resulted in the aircraft systems believing that the aircraft was now on the ground when it was not? I also note that after the 2009 B737-800 incident at Schiphol – actually 1.5 kms away, where the aircraft crashed in a field during approach - the investigation ascertained that a RADALT system suddenly sent an erroneous minus 8’ height reading to the automatic throttle control system.

The conceptual description of the TCMA says that the channels monitor the “position of thrust lever” – no surprises there – “engine power level” – no surprises there – and “several other digital inputs via digital ARINC data buses”.

WoW should of course be one of those "digital inputs" and be a 1 or 0. But I haven't seen any authoritative post about whether the change in state on the 78 requires only one sensor to signal WoW or if, as is more likely, there are (at least) two sensors – one on each MLG leg – both of which have to be ‘weight off’ before a weight off wheels state signal is sent. Maybe a sensor on each leg sends inputs to the ARINC data and the systems reading the data decide what to do about the different WoW signals, as between 00, 01, 10 and 11.

There is authoritative information to the effect that RADALT is also one of the “digital inputs” to the TCMA. The RADALTs presumably output height data (that is of course variable with height) and I don’t know whether the RADALT hardware involved has a separate 1 or 0 output that says that, so far as the RADALT is concerned, the aircraft to which it is strapped is, in fact, ‘in the air’ at ‘some’ height, with the actual height being so high as to be irrelevant to the systems using that input (if that input is in fact generated and there are, in fact, systems that use that 1 or 0).

If we now consider the ‘worst case scenario will be preferred’ concept that apparently applies to the TCMA design so as to achieve redundancy, the number of sensor inputs it’s monitoring to decide whether, and can change its decision whether, the aircraft is on the ground, becomes a very important matter. The TCMA is only supposed to save the day on the ground, if the pilots select idle thrust on a rejected take off but one or both of the engines fail to respond. In the ‘worst case’ (in my view) scenario, both TCMA channels on both engines will be monitoring/affected by every WoW sensor output and every RADALT output data and, if any one of them says ‘on ground’, that will result in both engines’ TCMAs being enabled to command fuel shut off, even though the aircraft may, in fact, be in the air.

Of course it’s true that the TCMA’s being enabled is not, of itself, sufficient to cause fuel cut off to an engine. That depends on a further glitch or failure in the system or software monitoring engine power and thrust lever position, or an actual ‘too much thrust compared to thrust lever position’ situation. But I can’t see why, on balance, it’s prudent to increase the albeit extraordinarily remote risk of an ‘in air’ TCMA commanded engine or double engine shut down due to multiple sensor failure – just one in-air / on-ground sensor and one of either the thrust lever sensor/s or engine power sensor/s – or, in the case of an actual in air ‘too much thrust compared to thrust lever position situation’, why that ‘problem’ could not be handled by the crew shutting down the engine when the crew decides it’s necessary. Once in the air, too much thrust than desired is a much better problem to have than no thrust. The latter is precisely what would happen if all ‘on ground / in air’ sensors were functioning properly and some ‘too much thrust’ condition occurred.

Hopefully the design processes, and particularly the DO-178B/C software design processes done by people with much bigger brains than mine, have built in enough sanity checking and error checking into the system, followed by exhaustive testing, so as to render my thoughts on the subject academic.