Posts about: "Fuel (All)" [Posts: 1005 Pages: 51]

OK, I promised some informed speculation when I got back, so here goes:
Disclaimer: never worked the 787, so my detailed knowledge is a bit lacking.

First off, this is perplexing - especially if the RAT was deployed. There is no 'simple' explanation that I can come up with.

GEnx-1B engines have been exceptionally reliable, and the GE carbon composite fan blades are very robust and resistant to bird strike damage (about 15 years after the GE90 entry into service, I remember a GE boast that no GE90 (carbon composite) fan blades had needed to be scrapped due to damage (birdstrike, FOD, etc. - now that was roughly another 15 years ago, so is probably no longer true, but it shows just how robust the carbon composite blades are - far better than the more conventional titanium fan blades).

Not saying it wasn't somehow birdstrike related, just that is very unlikely (then again, all the other explanations I can come up with are also very unlikely ).

Using improper temp when calculating TO performance - after some near misses, Boeing added logic that cross-compares multiple total temp probes - aircraft TAT (I think the 787 uses a single, dual element probe for aircraft TAT, but stand to be corrected) and the temp measured by the engine inlet probes - and puts up a message if they disagree by more than a few degree tolerance - so very, very unlikely.

N1 power setting is somewhat less prone to measurement and power setting errors than EPR (N1 is a much simpler measurement than Rolls EPR) - although even with EPR, problems on both engines at the same time is almost unheard of.

The Auto Thrust (autothrottle) function 'falls asleep' at 60 knots - and doesn't unlock until one of several things happens - 250 knots, a set altitude AGL is exceeded (I'm thinking 3,000 ft. but the memory is fuzzy), thrust levers are moved more than a couple of degrees, or the mode select is changed (memory says that last one is inhibited below 400 ft. AGL). So an Auto Thrust malfunction is also extremely unlikely. Further, a premature thrust lever retard would not explain a RAT deployment.

TO does seem to be very late in the takeoff role - even with a big derate, you still must accelerate fast enough to reach V1 with enough runway to stop - so there is still considerable margin if both engines are operating normally. That makes me wonder if they had the correct TO power setting - but I'm at a loss to explain how they could have fouled that up with all the protections that the 787 puts on that.

If one engine did fail after V1, it's conceivable that they shut down the wrong engine - but since this happened literally seconds after takeoff, it begs the question why they would be in a big hurry to shut down the engine. Short of an engine fire, there is nothing about an engine failure that requires quick action to shut it down - no evidence of an engine fire, and even with an engine fire, you normally have minutes to take action - not seconds.

The one thing I keep thinking about is someone placing both fuel switches to cutoff immediately after TO. Yes, it's happened before (twice - 767s in the early 1980s), but the root causes of that mistake are understood and have been corrected. Hard to explain how it could happen (unless, God forbid, it was intentional).

Not 757 - it was a 767. Second time it happened in about 12 months.

Determined to be an ergonomics problem with the switch layout in the flightdeck.

Early 767s (JT9D and CF6-80A) had a supervisory "EEC" (Electronic Engine Control - Boeing still uses "EEC" to identify what most people call the FADEC on modern engines). The procedure if an EEC 'failed' was to switch both EECs off (to prevent excessive throttle stagger - unlike FADEC, the engine could operate just fine with a supervisory EEC failed).

Problem was that the EEC ON/OFF switch was located on the aisle stand - right above the fuel cutoff switches. Turned out 'muscle memory' was when the pilot reached down there, it was usually to turn the fuel ON or OFF - which is what they did. Fortunately realizing what he'd done wrong, the pilot quickly restored the switches to RUN and both engines recovered. And yes, they continued on to their destination (RAT was still deployed since there is no way to retract it in-flight).

Previous event was with JT9D engines (United IIRC). In that case, only one engine recovered (second engine went into an unrecoverable stall), they simply came back around and did a single engine landing.

Realizing the ergonomic issue, the EECs were relocated to the pilot's overhead (retrofit by AD).

To the best of my knowledge, there hasn't been a repeat of an inadvertent dual engine shutdown since the EEC switches were relocated. It's also very difficult to 'accidentally' move the switches as there is a locking detent - the switch must be pulled out slightly before it can be moved to CUTOFF.

Another hour spent sifting through the stuff since last night (my sympathies to the mods ). A few more comments:

"Real time engine monitoring" is typically not 'real time' - it's recorded and sent in periodic bursts. Very unlikely anything was sent from the event aircraft on this flight.

Commanded engine cutoff - the aisle stand fuel switch sends electrical signals to the spar valve and the "High Pressure Shutoff Valve" (HPSOV) in the Fuel Metering Unit, commanding them to open/close using aircraft power. The HPSOV is solenoid controlled, and near instantaneous. The solenoid is of a 'locking' type that needs to be powered both ways (for obvious reasons, you wouldn't want a loss of electrical power to shut down the engine). The fire handle does the same thing, via different electrical paths (i.e. separate wiring).

As I've noted previously, a complete loss of aircraft electrical power would not cause the engines to flameout (or even lose meaningful thrust) during takeoff. In the takeoff altitude envelope, 'suction feed' (I think Airbus calls it 'gravity feed') is more than sufficient to supply the engine driven fuel pumps. It's only when you get up to ~20k ft. that suction feed can become an issue - and this event happened near sea level.

Not matter what's happening on the aircraft side - pushing the thrust levers to the forward stop will give you (at least) rated takeoff power since the only thing required from the aircraft is fuel and thrust lever position (and the thrust lever position resolver is powered by the FADEC).

The TCMA logic is designed and scrubbed so as to be quite robust - flight test data of the engine response to throttle slams is reviewed to insure there is adequate margin between the TCMA limits and the actual engine responses to prevent improper TCMA activation. Again, never say never, but a whole lot would have had to go wrong in the TCMA logic for it to have activated on this flight.

Now, if I assume the speculation that the RAT deployed is correct, I keep coming up with two potential scenarios that could explain what's known regarding this accident:
1) TCMA activation shutdown the engines
or
2) The fuel cutoff switches were activated.
I literally can come up with no other plausible scenarios.

In all due respect to all the pilots on this forum, I really hope it wasn't TCMA. It wouldn't be the first time a mandated 'safety system' has caused an accident (it wouldn't just be Boeing and GE - TCMA was forced by the FAA and EASA to prevent a scenario that had never caused a fatal accident) - and there would be a lot embarrassing questions for all involved. But I personally know many of the people who created, validated, and certified the GEnx-1B TCMA logic - and can't imagine what they would be going through if they missed something (coincidentally, one of them was at my birthday party last weekend and inevitably we ended up talking about what we used to do at Boeing (he's also retired)). Worse, similar TCMA logic is on the GEnx-2B (747-8) - which I was personally responsible for certifying - as well as the GE90-115B and the 737 MAX Leap engine - the consequences of that logic causing this accident would be massive.

The engine driven fuel pump is literally driven off the engine gearbox (driven by a mechanical connection to the N2 shaft) - if the engine's running, the gearbox is turning (baring a major mechanical fault). The engine driven fuel pump is a two-stage pump - a centrifugal pump that draws the fuel into the pump (i.e. 'suction feed'), and a gear pump which provides the high-pressure fuel to the engine and as muscle pressure to drive things like the Stator Vane and Bleed Valve actuators. It takes a minimum of ~300 PSI to run the engine - the HPSOV is spring loaded closed and it takes approximately 300 psi to overcome that spring.
Engine driven fuel pump failures are very rare, but have happened (usually with some 'precursor' symptoms that were ignored or mis-diagnosed by maintenance). It would be unheard of for engine driven fuel pumps to fail on both engines on the same flight.

As I've repeatedly posted, even a 100% aircraft power failure would not explain both engines quitting, at least without several other existing faults. Again, never say never, but you can only combine so many 10-9 events before it becomes ridiculous...

TCMA doesn't know what V1 is - it's active whenever the air/ground logic says the aircraft is on-ground.

A flight test (at least one - it's often duplicated) is performed as a basic part of aircraft/engine certification. One engine with all boost pumps off and on 'suction' feed - the other engine with normal aircraft boost pump operation (for what should be obvious reasons). Start, taxi, takeoff, and climb in that configuration until the test engine quits due to fuel starvation as a result of the engine fuel pump cavitation (done using "unweathered" fuel - once fuel has been at altitude for a period of time (hours or more - i.e. 'weathered'), most of the dissolved gases in the fuel have vented off, and suction feed works far better - often up to cruise altitudes).
I don't think this test is ever done during normal operations or maintenance (at least not on purpose) as it is very abusive to the engine driven fuel pump - the sort of cavitation that this causes rapidly erodes the pumping surfaces (it's SOP to replace the engine driven fuel pump after such a test).

I hate to disappoint you, but the people (like me) who design, test, and certify aircraft are not idiots. We design for failures. Yes, on rare occasion, something gets missed (e.g. MCAS), but we know that aircraft power systems sometimes fail (or suffer short term interuptions) and we design for that. EVERY VALVE IN THE FUEL SYSTEM MUST BE POWERED TO CHANGE STATE!!!! If electrical power is lost, they just stay where they are. The engine fuel valve must be powered open, and it must be powered closed. Same with the spar valve. The pilot moves a switch, that provides electrical signals to the spar valve and the engine fuel valve to open or close. It's not complicated and has been in use for decades.
TCMA (not TCAM) - Thrust Control Malfunction Accommodation - is a FADEC based system. It's resident in the engine FADEC (aka EEC) - the ONLY inputs from the aircraft that go into the TCMA is air/ground (to enable) and thrust lever position (to determine if the engine is doing what it's being commanded to do. The FADEC has the ability to shutdown the engine via the N2 overspeed protection system - this is separate from the aircraft run/cutoff signal, although it uses the same HPSOV to effect the shutdown. That same system is used by TCMA to shutoff fuel if it determines the engine is 'running away'.

Hint, you might try going back a few pages and reading where all this has been posted previously.

The engine driven fuel pumps are regularly removed and overhauled - usually when the engines go through overhaul (somewhere in the 10-20,000 hour range). The results of these overhauls are monitored, and if there is evidence of unusual deterioration, etc., that will be reflected in the recommended maintenance/overhaul intervals (BTW, this is SOP for virtually every system on the aircraft, regardless of Boeing, Airbus, etc.).
The portion of the engine driven fuel pump that is subject to wear is the high-pressure gear pump - and excessive deterioration will become apparent in the inability to reach max TO thrust. The centrifugal pump (that part responsible for the suction feed) is relatively lightly loaded and seldom experiences excessive wear or deterioration - even when exposed to severe suction feed events.
As I've posted several times, in this business you 'never say never' - but the chances that both engines fuel pumps were deteriorated to the point where they could not adequately provide suction feed fuel to keep the engines running is very, very remote.

I have seen your previous posts about this, and I happen to agree. Visually, as a lay man non visuals expert, I am in your \xabcamp.\xbb

However, the rat is small, and the artifacts are plentiful. Small sensor, compressed video, compressed upload, zoom, it is in short an awful source.

However, the RAT is a much better noisemaker, and the audio signature is much more obvious than it’s visual appearance in this case, and though the recording isn’t fantastic quality, there was more than enough information there to objectively conclude the RAT is out. And that is my professional, on the weekend, opinion.

I want to ask a pretty frank question for all of you, and I hope it is ok, from an audio specialist non-pilot:
Provided the engines spooled down. Provided the RAT is out. (There are no explosions, no bird strikes.)
Isn’t software and previous electrical failures a red herring too?Would anything but a complete fuel shut off lead to this result? That still leaves everything from the Fate is the Hunter plot, to Airbus A350 center consoles and Alaska 2059 open as root causes.

Correct. That was the original purpose of the calculation. In addition to the sound itself having the measurable harmonic signature from other rat videos.
What this plot also does however is tell you the speed if you know the height or height if you know the speed.

The iphone used to film this were pictured somewhere, knowing the iphone model, and thus the characteristics of the camera, and the dimensions of the airplane it wouldn't be impossible to calculate height from the video imo.

Just throwing it out there if anyone sees the use and feels the call.

My personal amateur speculation still centers around the cut off switches.
I have spilled coffee and sweet tea over complex electro/mechanical switches/panels before(large format audio consoles with 8000 buttons) and seen unexpected things happen.

I am sure the switches are spectacularly well built, but they are in close proximity and thus prone to the same external factors.
Does anyone know if these two cut-off switches in such close proximity has the exact same installation, or they differentiated in some way that makes a freak failure mode in one not neccesarily affect the other the same way?

I don't believe I owe you anything, I believe this is done adequately previously and has already taken up enough time on this thread. I am of the opinion that we have shown the RAT being deployed satisfactory enough to be of use for speculation in this thread. I find repeated comments about the bad video being the only evidence a bit disrespectful, though. Even from a mere physicist. It is based on a spectrogram over time. The source file shows audio up to about 16 kHz, it is unknown whether this limitation is in the file format (ie. 32kHz sampling rate) or microphone. Doesn't matter much. The frequencies above 16kHz is not important in this context as it is not where the sound energy is anyway. The audio will have been lossy data compressed, but it does not affect these prominent properties of the audio. It does make me hesitant to draw conclusions from the parts of the spectrum with more broadband noise and several intersecting sounds. Noise floor suggests 16 bit sampling depth. Spectral resolution? N/A All samples are included. The spectrogram covers the entire frequency range recorded, It shows comparatively the same overtones of the fundamental expected from the technical specifications of the 2 bladed RAT running at it's intended RPM, the doppler characteristics fits completely with a reasonable range of passing speeds and distance to the passing source plotted out. Compareatively, All the harmonics are identical both in pitch and seperation to a recording of a known B787 landing with RAT deployed, while the Doppler fall shows a longer time frame in the landing video taken from a further distance. As expected. The overtones easily discernable in this recording falls in the 220-2700Hz range. Below that, there is other noise centered around 150Hz, which gradually fades towards the end of the recording. This, as far as I can find in available information, fits with an idling or even windmilling B787 engine, but this is not conclusive. This falls in a range of the spectrum where there are other noise sources and the signal/noise is low and of a broader band characteristic, these masking frequencies is where the lossy data compression might play tricks, so I do not weigh that heavily. Recordings of landing B787 without the RAT, shows none off the same characteristics, and completely lack the tonal components and exact overtones shown with the RAT deployed. More importantly, compared to videos of B787s taking off with normal take off thrust, the latter shows distinct tonal elements, but with very different overtones,, both in separation and composition, again possible to relate to known quantities of the rotational speed and elements of the engine at high power. The AI recording shows none of this.

The latest techniques let us separate such things as reverbration from the source, when superimposing the reverberation/ambience and background noise of the AI crash urban environment on the clean, dead open field recording of the known B787 w/rat, they do indeed sound exactly the same to this very skilled and experienced listener. Although this is not courtesy of the computer analysis. It is just another angle of confirmation.

All in all, i think this source audio is excellent. The source is an iphone, their mems based microphones, although noisy shows great spectral balance and is comparable to basic measurement microphones of professional application. There is plenty of information to analyse from in this sample.

And again, I can't see it in the video either, and until I put on some really expensive headphones and fired up the software I was of a different opinion. I bowed to the science.

Edit: I took an extra look, I am prepared to say the fall off at slightly above 16kHz is from the original recording, this is probably a limitation in the microphone, as it is not a hard cut-off before a 16kHz Nyquist frequency as it would be with a 32kHz sampling rate, there is dither noise from 16-20kHz fitting with the source being 16 bit.

On item 1, the TCMA issue should have been fixed, it does fit the sort of issue that occurred here. TDRACER can talk to that, and has done in 2019 and again in post 792. As to flap auto retraction, the B787 like all Boeings has a gated flap lever, and the flaps are only able to move independent of the lever by flap load relief. That would not have caused a loss of thrust, and in this case it is evident that the event is a thrust loss not a CL loss.

On item 2, the video shows no asymmetry at any time, so there is only a symmetric failure of the engines possible. Back on a B747 classic, you could chop all 4 engines at the same time with one hand, on a B737, also, not so much on a B777 or B787. I would doubt that anyone used two hands to cut the fuel at screen height. Note, there was a B744 that lost one engine in cruise when a clip board fell off the coaming. Didn't happen twice, and it only happened to one engine.


​​​​​
Neila83 is correct, the gear tilt pre retraction is rear wheels low, and at the commencement of the selection of the retraction cycle (generally), the first thing that happens is the inboard MLG doors start to open below the wheel well and then the bogie is driven to front wheels low. (There is also an option that the inboard gear doors start to open early as a result of WOW sensing to improve the SSL climb limit). [my bad, for the B788 Capt Bloggs informs us the gear door sequence is after the tilt, not before, the B789 has the before tilt, the option for the door open at rotate is separate]

The inboard doors do not appear to have opened in this case, yet, the gear is forward wheels down. This appears to be out of sequence. TD may have better knowledge on the options that exist with the B788, but this is not looking good at this time.

There is enough in the way of anomalies here to end up with regulatory action, and airlines themselves should/will be starting to pore over their systems and decide if they are comfortable with the airworthiness of the aircraft at this moment. A latent single point of failure is not a comfortable place to be. Inhibiting TCMA might be a good interim option, that system could have been negated by having the ATR ARM switches....(Both)... ARM deferred to the before takeoff checks. The EAFR recovery should result in action within the next 24-48 hours. Boeing needs to be getting their tiger teams warmed up, they can ill afford to have a latent system fault discovered that is not immediately responded to, and the general corporate response of "blame the pilots" is not likely to win any future orders.

I think we are about to have some really busy days for the OEM.


Not sure that Neila83 is that far off the mark at all.

Sometimes complex sequences can have very simple causalities. A lot of complex speculation in this thread so far focused on highly technical things. Yet the basic fundamentals of powered flight have not changed (despite our attempts to do so) over the past 100 years.

1. As a general rule it is a bad idea to run out of either altitude or airspeed or both.
2. If you try to maintain altitude without sufficient thrust you will eventually run out of airspeed.
3. If you have sufficient thrust you can maintain your altitude at a given airspeed, and if you have excess thrust you can maintain your airspeed and increase your altitude. If you have lots of excess thrust you can increase your altitude and increase your airspeed.
4. If you try to increase your altitude by pitching the nose up, and without sufficient excess thrust, your speed will decay quickly, up to the point of stall, at which point you will lose any small amount of altitude you have gained and begin descending.

So…

Fact 1: The airplane stopped going up because it lacked excess thrust necessary to sustain the climb, and;

Fact 2: The airplane’s airspeed decreased constantly because they were trying to maintain either altitude or the climb, but lacked the thrust to do so, and;

Fact 3: If they had prematurely raised the flaps, the climb rate would have decreased/possibly turned negative, but the airplane would have continued to accelerate.

So where did the thrust go?

Fact 4: There is no adverse yaw seen in any of the videos, so wherever it went the loss of thrust occurred (nearly) simultaneously in both engines.

Fact 5: The only way to stop a jet engine from thrusting (sorry) is by either blowing it up or removing the fuel supply. If it blows up- like from birds trying to become a fuel source, there will be evidence. (See Jeju Air for a good example.)

Fact 6: There is (so far) no evidence of either engine blowing up. (I’m deliberately using highly technical terms here…)

Fact 7: There is unmistakably clear audible evidence of the RAT being deployed on the raw video from the right rear quarter of the airplane. Near supersonic propellor blades are an unmistakable sound- the RAT was definitively deployed no matter how much people want to argue to the contrary.

Fact 8: In the same video there is silence from the engines when they should be thundering at full (or nearly full) power. (Yes, I know that isn’t a thing- I am a simple man alas.)

Thus the only possible conclusions are (cringes as he waits for fdr to rip him a new ah):

1. The engines stopped burning, at nearly the same moment in time.
2. As a result, the airplane stopped climbing and also began to lose airspeed in an attempt to maintain altitude.
3. The RAT being deployed so quickly means that the ‘puters believed both engines were dead donks. (They were.)
4. If both engines ceased burning it meant the fuel supply was interrupted. We aren’t talking flight idle here- it was lights out for both.
5. (I am quoting someone else here) There is enough suction for the fuel to feed even if the fuel pumps are inop.
6. The engines stopped being provided with fuel. Because something physical was placed between the tanks and the burners. And they flamed out.

The $64,000 question here (remember when that was a lot of money??!!) is simply: What stopped both engines from getting fuel?

There are a very finite number of possibilities to that answer- and I do have my suspicions, but I lack the qualification to opine on that one.

I’ll leave the rest to the more experienced folk here.

Warm regards-

dce

I’m not a 787 driver so for fear of looking dumb in front of those that are this still confuses me. Even IF they’ve mis-selected the flap setting (I still don’t think it’s been cemented on here that there is in fact a FMS/flap setting disagreement warning but i believe there is), had the wrong de-rated take off settings, selected flaps instead of gear up the 787 with massive high bypass engines, FBW and full envelope protections surely cannot let itself be put in such a low energy/high alpha regime as we saw in the videos IF it has both fans functioning normally, surely?

the pilots may have messed up royally and numerous times so those holes lined up but the plane is the final block in the chain and a 21st century all digital entirely clean sheet design was sold as being immune to such catastrophic outcomes from a few minor (consequential yes) and fairly common errors- aren’t all the protections and our procedures designed after decades of mistakes?

im having a hard time squaring how a fully functioning modern bird like this could allow for this outcome and almost whatever the pilots did outside of unbelievable inputs and the pilots are are a bit of a red herring IMO

I agree with your analysis about RAT. The source is usable, although far from the original quality.

The cut-off at 16 kHz is typically caused by lossy audio compressions (AAC), not the microphone. In this case, the audio was compressed two times (first the iPhone, then the Twitter). A microphone does not simply cut all frequencies above the certain point.

Also, this audio content is Mono (the same signal on both channels) - an additional loss of information, if the original recording was Stereo.

I was not aware that we have granular ADS-B data from the a/c itself showing airspeed post rotation (rather than speed interpolated from GPS). Apologies if I have missed it. If it does show acceleration after takeoff I tend to agree with you.

In no particular order, here are some more thoughts on TCMA having caught up on the thread:

If you cut the fuel from two big engines at take-off power, there must be some delay before n2 decays below the threshold for generation (below idle n2), the generators disconnect and RAT deploys. GEnx have relatively long spool up/down times as the fan is so large (and would be exposed to 170+kts of ram air). Perhaps someone has a view on how long this would be, but I imagine it could easily be 10s or more between fuel cut off and RAT deployment. On AI171 the RAT appears to be already deployed at the beginning of the bystander video. That starts c. 13s before impact and around 17s after rotation. This does not prove anything except that the supposed shut down must have happened very close to rotation and could have happened just before rotation while the a/c was on the ground.

As a thought experiment, imagine if ANA985 in 2019 had decided to go around. The a/c rotates and is ~50 ft above the runway, suddenly both engines spooling down, very little runway left to land on and no reverse thrust available. I am struck by how similar this scenario is to AI171. This theory would require there to have been unexpected thrust lever movement in the moments before rotation - but plausibly one pilot moving to reject, followed by an overrule or change of heart - or even a simple human error such as the recent BA incident at LGW - could achieve this. This is perhaps more likely that any sensor fault that you would expect to only impact a single engine given the redundancy of systems.

Tdracer writes that a key requirement of TCMA is to identify an engine runaway in the event of an RTO, in order to allow the a/c to stop on the runway. This will have been tested extensively - it is a big leap to imagine a false activation could be triggered. It did happen on ANA985 but through a very unusual set of inputs including application of reverse (albeit this latter point may not be relevant if TCMA logic does not distinguish between the reverser being deployed or not).

Incidentally there is an assumption the TCMA software version in place on the ANA flight had already been patched and fixed on AI171. That probably is the case but I am not sure it is a known fact.

In summary I remain baffled by this tragic accident. I have not yet read anything that explicitly rules out TCMA activation and it remains a possibility due to the vanishingly small number of factors that could shut down two engines at apparently the exact same moment when they have fully redundant systems. Fuel contamination, for example, has typically impacted each engine a few minutes (at least) apart. I am also cautious (as others have pointed out) of a form of confirmation bias about Boeing software systems with four-letter acronyms.

In my mind the cause could equally well be something completely different to anything suggested on this thread, that will only become clear with more evidence. All of the above also incorporates a number of theories, i.e. that there was an engine shutdown - that are not conclusively known.

Thank you to the mods for an excellent job.

If you read the thread, you would know:

The RAT was almost certainly deployed. 4 different sources.
The Flaps were not retracted. Visible at the accident site plus many other sources agreeing they were indeed down.
APU will autostart when all engine power is lost. Potentially explaining why the inlet door was open or partially open at the accident site. Mentioned in several previous posts
On a 787-8, the main bogies tilt as the 1st action of the gear retract sequence. As stated in previous posts. I don't think this happens unless gear is selected up. So the conclusion was, gear was selected up. One caveat, IIRC, there was some discussion around a failure could have caused the bogies to tilt without Gear up being selected but I don't recall the outcome.
As for the Air France remark, un-necessary IMHO. Let's respect the crews please.

Something that occurred to me after I went to bed last night: My assumption that the FDR readouts would rapidly reveal the cause may be flawed.

Let me explain.

The consensus is that both engines quit shortly after liftoff (that assumes that the RAT did in fact deploy). At least one of the data recorders has battery backup, so it should have kept functioning when all aircraft power was lost.

However...

Over the years, I've looked at lots and lots of digital flight data recorder outputs when investigating some sort of incident or other engine anomaly, So I have become rather familiar with some of the interesting characteristics of DFDR data.

On the 767 and 747-400, when you shutdown an engine and the IDG goes offline, there is a momentary 'glitch' in the electrical power system as it reconfigures for the available power source - this is why you see the flight deck displays flicker and return, and the cabin lights momentarily flicker. As a result, most of the avionics boxes 'reset' - this is quick, but it's not instantaneous. This shows up in the FDR data - sometimes as 'no valid data' for a few seconds, or as garbage readings of zero or 'full scale'. Now, looking at the FDR data, it's easy to simply disregard the data, so normally no big deal.

Starting with the 777 (and on the 787 and 747-8), this electrical power glitch was 'fixed' - there is slight delay (~quarter of a second IIRC) before the fuel cutoff signal is sent to the engine - during which the electrical system reconfiguration takes place so no more 'glitch' during a normal engine shutdown...Except whatever happened to these engines wasn't 'normal'.

If there is a fuel cut at high power, the engine spools down incredibly rapidly - a second or two from max power to sub-idle. Assuming the fuel cut wasn't commanded by the flight deck fuel switches, the electrical system won't know it's coming, so it can't reconfigure until after the engine generators drop offline - and you're going to get that power glitch. Nearly every avionics box on the aircraft will reset due to this electrical glitch, and the FDR isn't going to get useful data for a few seconds (and then, only from the stuff that's on the battery bus).

Whatever happened, happened quickly - it's quite possible that whatever initiated the high-power fuel cut didn't get recorded.

True, I would bet that the voltage regulating architecture of the voice recorder at least will give useful information for a short time around the loss of power, as it did for the Lockerbie CVR using far less sophisticated recorder systems. That was sufficient to show the pressure pulse in the fuselage and to give a fairly good idea of where the explosion had emanated from. TWA was similar, a bigger bang though. Would be listening for any mechanical noises related to the fuel switches, and frankly I doubt that they existed, but they would be recorded.

If the cause is what I have suggested it will dificult to get direct evidence of that case, as it was for the QFA072 event as well. Like icing cases, a water ingress into the avionics is going to be a tough investigation, water would have been sprayed all over the wreckage in the aftermath. Dousing the E/E bay with 20 or 30 gallons of water will be an expensive investigative exercise to do in a real plane, with engines running. Would not want to be observing up close.

I preface this post by acknowledging all the previous posts in this, and the now-closed thread, about the TCMA, in particular the excellent posts by tdracer. (Ditto the noise analyses by Kraftstoffvondesibel and First Principal.)

I also note that the primary source of the information on which I’m basing my post is the content of Boeing’s patent application which, of course, does not contain any of the actual wiring diagrams or modification details of the TCMA, even assuming it has been implemented. (I understand from the now-closed thread, that there is an unresolved question as to whether a petition for an exemption from the TCMA requirement had been successful.)

The point of my post is to get other’s thoughts on one of the design principles of the TCMA system proposed in the patent application.

The ostensibly simple and elegant concept is described in the schematic of the system at figure 1 of the patent application. A copy of figure 1 is below.

The TCMA is the part of the schematic inside the dotted box numbered 16 , sitting with the EEC (others would call it the FADEC) in the solid box numbered 18 .

The heart of the TCMA comprises two switch relays, numbered 22 and 28 in the schematic, wired in series. Each of those switch relays is controlled by its own, dedicated engine control malfunction software, identified as the blobs numbered 130 . (The patent application identifies component 34 as a dedicated processor and 32 as the diode connected to the switch relays, but that is evidently a mistake. Component 34 is the diode and I can’t find a component number 32 anywhere in the schematics.)

Each relay switch and its controlling software is described as a ‘channel’, one A and one B. Both channels run continuously, monitoring throttle position (36 in the schematic) versus engine data fed from ARINC data bus lines (46 in the schematic) and “dedicated input sensors” not shown in the schematic. Those sensors presumably detect things like weight on wheels and perhaps RADALT.

This design is said to achieve redundancy, because if only one ‘channel’ detects the engine is producing excessive thrust while the throttle is set to idle, that channel will set its switch relay to CUTOFF and that is enough to change the state of the high pressure fuel shut off valve (58 in the schematic). No more motion lotion. In the words of the patent application: Both channels are “always actively monitoring engine function and independently have the capability of shutting down the engine.”

That arrangement wrinkled my crusty old avtech brow. In my mind – and this is why I’m seeking other’s thoughts – the advantage of redundancy arising from the two channels, either or both of which can shut the engine down, is not without risk. If it is possible for one of the channels to have some ‘glitch’ or hardware failure such that it does not detect an actual out of envelope condition justifying immediate shut down, with the other channel detecting the condition and shutting the engine down, it inexorably follows – does it not – that it is possible for one (or both) of the channels to have a ‘glitch’ or hardware failure that results in a shut down when there is no out of envelope condition?

Further, even if there are completely separate, duplicated sensors telling each channel things like the position of the throttle and whether or not there is weight on wheels, there remains the possibility of a combination of sensor failures/disconnects resulting in one channel being ‘convinced’ that an out of envelope condition exists, with a consequential cutoff of fuel to the engine.

I of course acknowledge the valid observations made about the remote probabilities of these kinds of glitches and failures.

I’ve heard rumours that there was much resistance to the mandating of TCMA systems. Having seen many, many strange faults caused by random shorts, open circuits, liquid ingress and other foreign objects, I can understand why there was that resistance. Every time you add something to a system and that added thing has electronic components and software and electrical connections and data inputs, you add risk of that thing malfunctioning or working perfectly but with erroneous inputs. In this case, there are effectively two added new things: two channels, each one of which has the ability to shut off the motion lotion to the engine to which they are strapped.

I make no comment on whether TCMA systems, if fitted, have anything to do with this tragedy.

My profound condolences to the families and friends of those killed or injured. My thoughts also go out to the many people who will be agonising over the potential causes and responsibility for it. And thanks to those who are working out the causes.

...

Thanks as always TDR for your excellent professional input. It is therefore so much more perplexing that even you cant logic our way out of this impasse. That is, the assumption that the aircraft experienced a double engine failure (supported by a reasonably convincing argument that the RAT deployed), and yet no plausible reason (that we can see) for such an event. So some then collectively slip into the tired and lazy theories of intentional or unintentional crew actions that 1. beggar belief (intentional), 2. defy physics (flaps instead of gear despite clear evidence to the contrary) and call into question the professionalism of a very experienced Captain and crew as well as the aircraft manufacturer (because...well its Boeing so it must be software ).

Yet, the answer must be simpler and staring us in the face since logic and experience (everything you have offered TDR), tell us that modern airliner engines generally do not just suddenly quit flying at the same time. In this regard we can recall several instances of double engine failure associated with bird strikes generally involving large birds or large flocks or both. But it seems we have discounted this theory very early in discussion. Why? Because we cant see any birds, or flocks of birds or engine flames/surges or puffs of smokes from the engines which would support this. Really?

I have read all the 100's of posts (sadly) and while some very early posters tried to analyze the imagery, I suspect the very poor quality eventually discouraged most from seeing anything of interest. However, smattered throughout this discussion from the beginning to the end there have about four posts that describe seeing something where others have not. At least two of these were related to possible smoke but which were probably just the dust blown outwards by the wingtip vortices. Two others however have mentioned possible flames and puffs of smoke.

The video of course is very poor. There should be a special place in hell for people who subject us to looking at a video with continuous zooming in and out, inability to retain focus on the subject (it was just a CCTV monitor, not the actual aircraft they had to focus on) and constant camera shake. A video of a video, and then the resolution probably reduced for social media upload. This all results in a very unwatchable record of the aircrafts departure. The only immediate information gleaned seems to be some idea of how far down the runway the aircraft was at takeoff and the parabolic curve as it very clearly described the aircrafts flight path.




Air India Flight 171 on departure
But take a look at this frame. The right engine shows an artifact (pixelation if you like) that might represent a surge flame. I can almost see a puff of smoke just inboard of the aileron that may be associated with that too.

Am I just seeing distortion? Am I just seeing some smoke because that's where I would expect to see it?
We are all very used to seeing everything in 4K today but back in the day when everything was low res we used to join the dots. If pixels existed then something was there. If they didn't, it wasn't.
So if it's just pixels caused by distortion then they have coincidentally appeared in the tailpipe of an aircraft that crashed shortly after takeoff with a presumed double engine failure.

But surely we would see the birds? Well, not in this video. You cant even see the registration number on the side of the aircraft and that is much bigger than a bird. Haze, distortion, focus and low res, and each individual bird wouldn't even make up a pixel.

So make of this what you will, but this problem may have started on the ground. Birds strikes are very common according to Some AI pilots who interviewed for this following article but I have no idea of the authenticity of this report:

https://www.rediff.com/news/report/a...h/20250613.htm "The Air India pilots also added that Ahmedabad airport has long been known for bird activity near the runway, which could have contributed to the incident.

"This issue (of the excessive presence of birds) has been flagged multiple times," a third Air India pilot said, asking not to be named."
Of course, a single engine failure would not have brought this aircraft down, nor would it have deployed the RAT, but we can't see what happened on the left engine when the aircraft slipped behind the radio antenna building.

While these high bypass engines are designed and certified to keep running after experiencing certain types of bird strike, the effect on two engines concerns have been voiced about the contribution of certification to the mitigation of the risk hazardous bird strike in the two engine case.

This from Sky Library:
https://skybrary.aero/articles/aircr...nue%20to%20fly .

" A number of concerns have been quite widely voiced about the contribution of certification to the mitigation of the risk of hazardous bird strikes:

• The case of bird ingestion into more than one engine at the same time is not addressed directly and it is clearly extremely difficult to meaningfully estimate the probability of such an occurrence. However, it has been observed that, since some of the current standards only require that a damaged engine can be safely shut down, this circumstance should be more fully considered when determining the acceptable outcome of ingestion into single engines, especially for the twin engine case.
• It has been noted that the potential effects of bird strikes on modern electronic flight control systems and flight deck instrument displays have not yet been fully assessed.

Maybe someone can do some video enhancing of this image as others have done with the audio enhancement to give strong probability of RAT deployment.

If my suggestion can be corroborated at all, then the question of what happened next becomes somewhat easier to answer. Perhaps neither engine stopped running but they did so with limited thrust? If anything from the pilots mayday call can believed, it wasn't engines shut down..it was no thrust. So why did the RAT deploy? Cant answer that. And, I cant imagine it would be manually deployed if both engines were still running.
However, TDR did say.

"On the 767 and 747-400, when you shutdown an engine and the IDG goes offline, there is a momentary 'glitch' in the electrical power system as it reconfigures for the available power source - this is why you see the flight deck displays flicker and return, and the cabin lights momentarily flicker."

Startle factor that electrically systems were about to fail? Manually deploy RAT?

Edit: I might add, they would have found remains on the runway if this did indeed happen. But we have heard anything from anybody?