Posts about: "Fuel (All)" [Posts: 345 Pages: 18]

tdracer
2025-06-15T04:19:00
Post: 11903424
Originally Posted by MaybeItIs

Okay! Many thanks for that! Of course, it very much complicates the picture, and I'm very puzzled as to how the Fuel Cutoff Switches and Valves operate. Apparently, the TCAM system shuts off an errant engine on the ground at least, but my concern is not with the software but the hardware. It obviously has an Output going into the Fuel Shutoff system. If the TCAM unit loses power, can that output cause the Cutoff process (powered by the engine-dedicated generator) to be activated? I guess that's the $64 billion question, but if MCAS is any example, then: Probably!
I hate to disappoint you, but the people (like me) who design, test, and certify aircraft are not idiots. We design for failures. Yes, on rare occasion, something gets missed (e.g. MCAS), but we know that aircraft power systems sometimes fail (or suffer short term interruptions) and we design for that. EVERY VALVE IN THE FUEL SYSTEM MUST BE POWERED TO CHANGE STATE!!!! If electrical power is lost, they just stay where they are. The engine fuel valve must be powered open, and it must be powered closed. Same with the spar valve. The pilot moves a switch, that provides electrical signals to the spar valve and the engine fuel valve to open or close. It's not complicated and has been in use for decades.
TCMA (not TCAM) - Thrust Control Malfunction Accommodation - is a FADEC based system. It's resident in the engine FADEC (aka EEC) - the ONLY inputs from the aircraft that go into the TCMA is air/ground (to enable) and thrust lever position (to determine if the engine is doing what it's being commanded to do). The FADEC has the ability to shutdown the engine via the N2 overspeed protection system - this is separate from the aircraft run/cutoff signal, although it uses the same HPSOV to effect the shutdown. That same system is used by TCMA to shutoff fuel if it determines the engine is 'running away'.

Hint, you might try going back a few pages and reading where all this has been posted previously.

1 user liked this post.

tdracer
2025-06-15T05:35:00
Post: 11903425
Originally Posted by BrogulT
In that case, I would think that it is not beyond the realm of remote possibility that for whatever reason there might be at least some of these in the field that will not actually function in the suction mode. And if we are talking about simultaneous dual-flameouts then we're already in the "realm of remote possibility", so they should be looking at these unlikely causes. If they're never tested, it's simply an unknown. Discussions so far just assume that this feature works. From what you say it would not be simple to test all of the in-service engines since the test itself is destructive. Perhaps there is some way to test without grinding up the pumps.
The engine driven fuel pumps are regularly removed and overhauled - usually when the engines go through overhaul (somewhere in the 10-20,000 hour range). The results of these overhauls are monitored, and if there is evidence of unusual deterioration, etc., that will be reflected in the recommended maintenance/overhaul intervals (BTW, this is SOP for virtually every system on the aircraft, regardless of Boeing, Airbus, etc.).
The portion of the engine driven fuel pump that is subject to wear is the high-pressure gear pump - and excessive deterioration will become apparent in the inability to reach max TO thrust. The centrifugal pump (that part responsible for the suction feed) is relatively lightly loaded and seldom experiences excessive wear or deterioration - even when exposed to severe suction feed events.
As I've posted several times, in this business you 'never say never' - but the chances that both engines fuel pumps were deteriorated to the point where they could not adequately provide suction feed fuel to keep the engines running is very, very remote.
Kraftstoffvondesibel
2025-06-15T11:56:00
Post: 11903681
Originally Posted by Stivo
Am I understanding that you are saying that the noise on the video identified as a RAT has a Doppler shift that matches plausible values for height and speed? That seems pretty conclusive to me that it is a RAT.
Correct. That was the original purpose of the calculation. In addition to the sound itself having the measurable harmonic signature from other rat videos.
What this plot also does however is tell you the speed if you know the height or height if you know the speed.

The iPhone used to film this was pictured somewhere; knowing the iPhone model, and thus the characteristics of the camera, and the dimensions of the airplane, it wouldn't be impossible to calculate height from the video imo.

Just throwing it out there if anyone sees the use and feels the call.

My personal amateur speculation still centers around the cut off switches.
I have spilled coffee and sweet tea over complex electro/mechanical switches/panels before (large format audio consoles with 8000 buttons) and seen unexpected things happen.

I am sure the switches are spectacularly well built, but they are in close proximity and thus prone to the same external factors.
Does anyone know if these two cut-off switches in such close proximity have the exact same installation, or are they differentiated in some way that makes a freak failure mode in one not necessarily affect the other the same way?

1 user liked this post.

lighttwin2
2025-06-16T08:51:00
Post: 11903752
Originally Posted by medod
If TCMA cut fuel flow while still on the runway the aircraft would have been decelerating from the moment it lifted off, which is not what the ADS-B data indicates. The kinetic energy in the rotating parts of the engine wouldn't add much speed to the aircraft as the engines run down with no more energy being added via fuel.
I was not aware that we have granular ADS-B data from the a/c itself showing airspeed post rotation (rather than speed interpolated from GPS). Apologies if I have missed it. If it does show acceleration after takeoff I tend to agree with you.

In no particular order, here are some more thoughts on TCMA having caught up on the thread:

If you cut the fuel from two big engines at take-off power, there must be some delay before n2 decays below the threshold for generation (below idle n2), the generators disconnect and RAT deploys. GEnx have relatively long spool up/down times as the fan is so large (and would be exposed to 170+kts of ram air). Perhaps someone has a view on how long this would be, but I imagine it could easily be 10s or more between fuel cut off and RAT deployment. On AI171 the RAT appears to be already deployed at the beginning of the bystander video. That starts c. 13s before impact and around 17s after rotation. This does not prove anything except that the supposed shut down must have happened very close to rotation and could have happened just before rotation while the a/c was on the ground.

As a thought experiment, imagine if ANA985 in 2019 had decided to go around. The a/c rotates and is ~50 ft above the runway, suddenly both engines spooling down, very little runway left to land on and no reverse thrust available. I am struck by how similar this scenario is to AI171. This theory would require there to have been unexpected thrust lever movement in the moments before rotation - but plausibly one pilot moving to reject, followed by an overrule or change of heart - or even a simple human error such as the recent BA incident at LGW - could achieve this. This is perhaps more likely than any sensor fault that you would expect to only impact a single engine given the redundancy of systems.

Tdracer writes that a key requirement of TCMA is to identify an engine runaway in the event of an RTO, in order to allow the a/c to stop on the runway. This will have been tested extensively - it is a big leap to imagine a false activation could be triggered. It did happen on ANA985 but through a very unusual set of inputs including application of reverse (albeit this latter point may not be relevant if TCMA logic does not distinguish between the reverser being deployed or not).

Incidentally there is an assumption the TCMA software version in place on the ANA flight had already been patched and fixed on AI171. That probably is the case but I am not sure it is a known fact.

In summary I remain baffled by this tragic accident. I have not yet read anything that explicitly rules out TCMA activation and it remains a possibility due to the vanishingly small number of factors that could shut down two engines at apparently the exact same moment when they have fully redundant systems. Fuel contamination, for example, has typically impacted each engine a few minutes (at least) apart. I am also cautious (as others have pointed out) of a form of confirmation bias about Boeing software systems with four-letter acronyms.

In my mind the cause could equally well be something completely different to anything suggested on this thread, that will only become clear with more evidence. All of the above also incorporates a number of theories, i.e. that there was an engine shutdown - that are not conclusively known.

Thank you to the mods for an excellent job.

1 user liked this post.

Compton3fox
2025-06-16T09:41:00
Post: 11903755
Originally Posted by FlyingUpsideDown
The PF could've been task focused flying manually, following the FD's and not expecting the sinking feeling of losing the lift. The PM has made the mistake without knowing. ie. he/she has selected the flaps all the way to UP believing that the gear was now retracting. Both pilots now think the gear is retracting, they have full thrust but are sinking into the ground. "Professional crews" like Air France for eg. have made way worse decisions. Slats are extended because they are the last to retract. I'm not convinced the RAT is deployed. If it has deployed it could've been a last ditch effort for the crew to bring the fuel control switches from RUN to CUTOFF & back to RUN believing they've had a dual engine failure. This would account for the RAT if it did deploy. The APU inlet door could've been open as well because they were carrying out an APU to Pack takeoff. Once the aircraft is airborne and the weight-on-wheels (WOW) switches indicate air mode , the main gear bogies automatically tilt to the neutral position before retraction. Also when the flaps passed the last takeoff position on the quadrant, the Landing gear configuration warning horn would've sounded further confusing the pilots.
If you read the thread, you would know:

The RAT was almost certainly deployed. 4 different sources.
The Flaps were not retracted. Visible at the accident site plus many other sources agreeing they were indeed down.
APU will autostart when all engine power is lost. Potentially explaining why the inlet door was open or partially open at the accident site. Mentioned in several previous posts
On a 787-8, the main bogies tilt as the 1st action of the gear retract sequence. As stated in previous posts. I don't think this happens unless gear is selected up. So the conclusion was, gear was selected up. One caveat, IIRC, there was some discussion around a failure could have caused the bogies to tilt without Gear up being selected but I don't recall the outcome.
As for the Air France remark, unnecessary IMHO. Let's respect the crews please.

tdracer
2025-06-16T22:01:00
Post: 11903825
Something that occurred to me after I went to bed last night: My assumption that the FDR readouts would rapidly reveal the cause may be flawed.

Let me explain.

The consensus is that both engines quit shortly after liftoff (that assumes that the RAT did in fact deploy). At least one of the data recorders has battery backup, so it should have kept functioning when all aircraft power was lost.

However...

Over the years, I've looked at lots and lots of digital flight data recorder outputs when investigating some sort of incident or other engine anomaly, so I have become rather familiar with some of the interesting characteristics of DFDR data.

On the 767 and 747-400, when you shutdown an engine and the IDG goes offline, there is a momentary 'glitch' in the electrical power system as it reconfigures for the available power source - this is why you see the flight deck displays flicker and return, and the cabin lights momentarily flicker. As a result, most of the avionics boxes 'reset' - this is quick, but it's not instantaneous. This shows up in the FDR data - sometimes as 'no valid data' for a few seconds, or as garbage readings of zero or 'full scale'. Now, looking at the FDR data, it's easy to simply disregard the data, so normally no big deal.

Starting with the 777 (and on the 787 and 747-8), this electrical power glitch was 'fixed' - there is slight delay (~quarter of a second IIRC) before the fuel cutoff signal is sent to the engine - during which the electrical system reconfiguration takes place so no more 'glitch' during a normal engine shutdown...Except whatever happened to these engines wasn't 'normal'.

If there is a fuel cut at high power, the engine spools down incredibly rapidly - a second or two from max power to sub-idle. Assuming the fuel cut wasn't commanded by the flight deck fuel switches, the electrical system won't know it's coming, so it can't reconfigure until after the engine generators drop offline - and you're going to get that power glitch. Nearly every avionics box on the aircraft will reset due to this electrical glitch, and the FDR isn't going to get useful data for a few seconds (and then, only from the stuff that's on the battery bus).

Whatever happened, happened quickly - it's quite possible that whatever initiated the high-power fuel cut didn't get recorded.

Last edited by T28B; 16th Jun 2025 at 22:16. Reason: White Space Is Your Friend

16 users liked this post.

fdr
2025-06-16T22:32:00
Post: 11903843
Originally Posted by tdracer
Something that occurred to me after I went to bed last night: My assumption that the FDR readouts would rapidly reveal the cause may be flawed.

Let me explain.

The consensus is that both engines quit shortly after liftoff (that assumes that the RAT did in fact deploy). At least one of the data recorders has battery backup, so it should have kept functioning when all aircraft power was lost.

However...

Over the years, I've looked at lots and lots of digital flight data recorder outputs when investigating some sort of incident or other engine anomaly, so I have become rather familiar with some of the interesting characteristics of DFDR data.

On the 767 and 747-400, when you shutdown an engine and the IDG goes offline, there is a momentary 'glitch' in the electrical power system as it reconfigures for the available power source - this is why you see the flight deck displays flicker and return, and the cabin lights momentarily flicker. As a result, most of the avionics boxes 'reset' - this is quick, but it's not instantaneous. This shows up in the FDR data - sometimes as 'no valid data' for a few seconds, or as garbage readings of zero or 'full scale'. Now, looking at the FDR data, it's easy to simply disregard the data, so normally no big deal.

Starting with the 777 (and on the 787 and 747-8), this electrical power glitch was 'fixed' - there is slight delay (~quarter of a second IIRC) before the fuel cutoff signal is sent to the engine - during which the electrical system reconfiguration takes place so no more 'glitch' during a normal engine shutdown...Except whatever happened to these engines wasn't 'normal'.

If there is a fuel cut at high power, the engine spools down incredibly rapidly - a second or two from max power to sub-idle. Assuming the fuel cut wasn't commanded by the flight deck fuel switches, the electrical system won't know it's coming, so it can't reconfigure until after the engine generators drop offline - and you're going to get that power glitch. Nearly every avionics box on the aircraft will reset due to this electrical glitch, and the FDR isn't going to get useful data for a few seconds (and then, only from the stuff that's on the battery bus).

Whatever happened, happened quickly - it's quite possible that whatever initiated the high-power fuel cut didn't get recorded.
True, I would bet that the voltage regulating architecture of the voice recorder at least will give useful information for a short time around the loss of power, as it did for the Lockerbie CVR using far less sophisticated recorder systems. That was sufficient to show the pressure pulse in the fuselage and to give a fairly good idea of where the explosion had emanated from. TWA was similar, a bigger bang though. Would be listening for any mechanical noises related to the fuel switches, and frankly I doubt that they existed, but they would be recorded.

If the cause is what I have suggested it will be difficult to get direct evidence of that case, as it was for the QFA072 event as well. Like icing cases, a water ingress into the avionics is going to be a tough investigation, water would have been sprayed all over the wreckage in the aftermath. Dousing the E/E bay with 20 or 30 gallons of water will be an expensive investigative exercise to do in a real plane, with engines running. Would not want to be observing up close.

1 user liked this post.

Lead Balloon
2025-06-16T23:04:00
Post: 11903859
I preface this post by acknowledging all the previous posts in this, and the now-closed thread, about the TCMA, in particular the excellent posts by tdracer. (Ditto the noise analyses by Kraftstoffvondesibel and First Principal.)

I also note that the primary source of the information on which I’m basing my post is the content of Boeing’s patent application which, of course, does not contain any of the actual wiring diagrams or modification details of the TCMA, even assuming it has been implemented. (I understand from the now-closed thread, that there is an unresolved question as to whether a petition for an exemption from the TCMA requirement had been successful.)

The point of my post is to get other’s thoughts on one of the design principles of the TCMA system proposed in the patent application.

The ostensibly simple and elegant concept is described in the schematic of the system at figure 1 of the patent application. A copy of figure 1 is below.

The TCMA is the part of the schematic inside the dotted box numbered 16, sitting with the EEC (others would call it the FADEC) in the solid box numbered 18.

The heart of the TCMA comprises two switch relays, numbered 22 and 28 in the schematic, wired in series. Each of those switch relays is controlled by its own, dedicated engine control malfunction software, identified as the blobs numbered 130. (The patent application identifies component 34 as a dedicated processor and 32 as the diode connected to the switch relays, but that is evidently a mistake. Component 34 is the diode and I can’t find a component number 32 anywhere in the schematics.)

Each relay switch and its controlling software is described as a ‘channel’, one A and one B. Both channels run continuously, monitoring throttle position (36 in the schematic) versus engine data fed from ARINC data bus lines (46 in the schematic) and “dedicated input sensors” not shown in the schematic. Those sensors presumably detect things like weight on wheels and perhaps RADALT.

This design is said to achieve redundancy, because if only one ‘channel’ detects the engine is producing excessive thrust while the throttle is set to idle, that channel will set its switch relay to CUTOFF and that is enough to change the state of the high pressure fuel shut off valve (58 in the schematic). No more motion lotion. In the words of the patent application: Both channels are “always actively monitoring engine function and independently have the capability of shutting down the engine.”

That arrangement wrinkled my crusty old avtech brow. In my mind – and this is why I’m seeking other’s thoughts – the advantage of redundancy arising from the two channels, either or both of which can shut the engine down, is not without risk. If it is possible for one of the channels to have some ‘glitch’ or hardware failure such that it does not detect an actual out of envelope condition justifying immediate shut down, with the other channel detecting the condition and shutting the engine down, it inexorably follows – does it not – that it is possible for one (or both) of the channels to have a ‘glitch’ or hardware failure that results in a shut down when there is no out of envelope condition?

Further, even if there are completely separate, duplicated sensors telling each channel things like the position of the throttle and whether or not there is weight on wheels, there remains the possibility of a combination of sensor failures/disconnects resulting in one channel being ‘convinced’ that an out of envelope condition exists, with a consequential cutoff of fuel to the engine.

I of course acknowledge the valid observations made about the remote probabilities of these kinds of glitches and failures.

I’ve heard rumours that there was much resistance to the mandating of TCMA systems. Having seen many, many strange faults caused by random shorts, open circuits, liquid ingress and other foreign objects, I can understand why there was that resistance. Every time you add something to a system and that added thing has electronic components and software and electrical connections and data inputs, you add risk of that thing malfunctioning or working perfectly but with erroneous inputs. In this case, there are effectively two added new things: two channels, each one of which has the ability to shut off the motion lotion to the engine to which they are strapped.

I make no comment on whether TCMA systems, if fitted, have anything to do with this tragedy.

My profound condolences to the families and friends of those killed or injured. My thoughts also go out to the many people who will be agonising over the potential causes and responsibility for it. And thanks to those who are working out the causes.

...

7 users liked this post.

Lord Farringdon
2025-06-17T00:36:00
Post: 11903890
Originally Posted by tdracer
Something that occurred to me after I went to bed last night: My assumption that the FDR readouts would rapidly reveal the cause may be flawed.

Let me explain.

The consensus is that both engines quit shortly after liftoff (that assumes that the RAT did in fact deploy). At least one of the data recorders has battery backup, so it should have kept functioning when all aircraft power was lost.

However...

Over the years, I've looked at lots and lots of digital flight data recorder outputs when investigating some sort of incident or other engine anomaly, so I have become rather familiar with some of the interesting characteristics of DFDR data.

On the 767 and 747-400, when you shutdown an engine and the IDG goes offline, there is a momentary 'glitch' in the electrical power system as it reconfigures for the available power source - this is why you see the flight deck displays flicker and return, and the cabin lights momentarily flicker. As a result, most of the avionics boxes 'reset' - this is quick, but it's not instantaneous. This shows up in the FDR data - sometimes as 'no valid data' for a few seconds, or as garbage readings of zero or 'full scale'. Now, looking at the FDR data, it's easy to simply disregard the data, so normally no big deal.

Starting with the 777 (and on the 787 and 747-8), this electrical power glitch was 'fixed' - there is slight delay (~quarter of a second IIRC) before the fuel cutoff signal is sent to the engine - during which the electrical system reconfiguration takes place so no more 'glitch' during a normal engine shutdown...Except whatever happened to these engines wasn't 'normal'.

If there is a fuel cut at high power, the engine spools down incredibly rapidly - a second or two from max power to sub-idle. Assuming the fuel cut wasn't commanded by the flight deck fuel switches, the electrical system won't know it's coming, so it can't reconfigure until after the engine generators drop offline - and you're going to get that power glitch. Nearly every avionics box on the aircraft will reset due to this electrical glitch, and the FDR isn't going to get useful data for a few seconds (and then, only from the stuff that's on the battery bus).

Whatever happened, happened quickly - it's quite possible that whatever initiated the high-power fuel cut didn't get recorded.
Thanks as always TDR for your excellent professional input. It is therefore so much more perplexing that even you can't logic our way out of this impasse. That is, the assumption that the aircraft experienced a double engine failure (supported by a reasonably convincing argument that the RAT deployed), and yet no plausible reason (that we can see) for such an event. So some then collectively slip into the tired and lazy theories of intentional or unintentional crew actions that 1. beggar belief (intentional), 2. defy physics (flaps instead of gear despite clear evidence to the contrary) and call into question the professionalism of a very experienced Captain and crew as well as the aircraft manufacturer (because...well it's Boeing so it must be software).

Yet, the answer must be simpler and staring us in the face since logic and experience (everything you have offered TDR), tell us that modern airliner engines generally do not just suddenly quit flying at the same time. In this regard we can recall several instances of double engine failure associated with bird strikes generally involving large birds or large flocks or both. But it seems we have discounted this theory very early in discussion. Why? Because we can't see any birds, or flocks of birds or engine flames/surges or puffs of smoke from the engines which would support this. Really?

I have read all the 100's of posts (sadly) and while some very early posters tried to analyze the imagery, I suspect the very poor quality eventually discouraged most from seeing anything of interest. However, smattered throughout this discussion from the beginning to the end there have been about four posts that describe seeing something where others have not. At least two of these were related to possible smoke but which were probably just the dust blown outwards by the wingtip vortices. Two others however have mentioned possible flames and puffs of smoke.

The video of course is very poor. There should be a special place in hell for people who subject us to looking at a video with continuous zooming in and out, inability to retain focus on the subject (it was just a CCTV monitor, not the actual aircraft they had to focus on) and constant camera shake. A video of a video, and then the resolution probably reduced for social media upload. This all results in a very unwatchable record of the aircraft's departure. The only immediate information gleaned seems to be some idea of how far down the runway the aircraft was at takeoff and the parabolic curve as it very clearly described the aircraft's flight path.




Air India Flight 171 on departure
But take a look at this frame. The right engine shows an artifact (pixelation if you like) that might represent a surge flame. I can almost see a puff of smoke just inboard of the aileron that may be associated with that too.

Am I just seeing distortion? Am I just seeing some smoke because that's where I would expect to see it?
We are all very used to seeing everything in 4K today but back in the day when everything was low res we used to join the dots. If pixels existed then something was there. If they didn't, it wasn't.
So if it's just pixels caused by distortion then they have coincidentally appeared in the tailpipe of an aircraft that crashed shortly after takeoff with a presumed double engine failure.

But surely we would see the birds? Well, not in this video. You can't even see the registration number on the side of the aircraft and that is much bigger than a bird. Haze, distortion, focus and low res, and each individual bird wouldn't even make up a pixel.

So make of this what you will, but this problem may have started on the ground. Bird strikes are very common according to some AI pilots who were interviewed for the following article, but I have no idea of the authenticity of this report:

https://www.rediff.com/news/report/a...h/20250613.htm "The Air India pilots also added that Ahmedabad airport has long been known for bird activity near the runway, which could have contributed to the incident.

"This issue (of the excessive presence of birds) has been flagged multiple times," a third Air India pilot said, asking not to be named."
Of course, a single engine failure would not have brought this aircraft down, nor would it have deployed the RAT, but we can't see what happened on the left engine when the aircraft slipped behind the radio antenna building.

While these high bypass engines are designed and certified to keep running after experiencing certain types of bird strike, the effect on two engines concerns have been voiced about the contribution of certification to the mitigation of the risk hazardous bird strike in the two engine case.

This from Sky Library:
https://skybrary.aero/articles/aircr...nue%20to%20fly .

" A number of concerns have been quite widely voiced about the contribution of certification to the mitigation of the risk of hazardous bird strikes:
  • The case of bird ingestion into more than one engine at the same time is not addressed directly and it is clearly extremely difficult to meaningfully estimate the probability of such an occurrence. However, it has been observed that, since some of the current standards only require that a damaged engine can be safely shut down, this circumstance should be more fully considered when determining the acceptable outcome of ingestion into single engines, especially for the twin engine case.
  • It has been noted that the potential effects of bird strikes on modern electronic flight control systems and flight deck instrument displays have not yet been fully assessed.

Maybe someone can do some video enhancing of this image as others have done with the audio enhancement to give strong probability of RAT deployment.

If my suggestion can be corroborated at all, then the question of what happened next becomes somewhat easier to answer. Perhaps neither engine stopped running but they did so with limited thrust? If anything from the pilots' mayday call can be believed, it wasn't engines shut down..it was no thrust. So why did the RAT deploy? Can't answer that. And, I can't imagine it would be manually deployed if both engines were still running.
However, TDR did say.

"On the 767 and 747-400, when you shutdown an engine and the IDG goes offline, there is a momentary 'glitch' in the electrical power system as it reconfigures for the available power source - this is why you see the flight deck displays flicker and return, and the cabin lights momentarily flicker."

Startle factor that electrical systems were about to fail? Manually deploy RAT?

Edit: I might add, they would have found remains on the runway if this did indeed happen. But we have heard anything from anybody?
Ngineer
2025-06-17T03:34:00
Post: 11903942
Originally Posted by C2H5OH
As discussed 40 pages earlier two possible root causes for simultaneous rollback or flameout without signatures of bird strike remain:
- Shutdown by crew
- Involuntary shutdown by aircraft's control systems
Pretty much what I was thinking. Maybe someone turned off the fuel switches, or a rare software glitch. Guys I have been working with have suggested fuel contamination which I have thought unlikely. Or maybe a structural failure upon wing loading that caused fuel lines to rupture.

Hopefully the root cause will be found, and I would not be surprised one bit if it is something totally left field that no one had considered, simple or complex.

3 users liked this post.

Lead Balloon
2025-06-17T05:22:00
permalink
Post: 11903979
Originally Posted by ignorantAndroid
I'm honestly mystified by the obsession with TCMA. The FADECs control almost every aspect of the engines, so there must be numerous ways they could cause a failure or uncommanded shutdown. So, even if we assume that the engines failed due to faults in the FADECs, why assume that TCMA would be involved? Surely it's more logical to simply posit that some unspecified bug in the FADEC software caused the failure. That bug could be related to TCMA, but it could just as easily involve any one of the dozens of other subroutines that likely exist.

Various posters seem to assume that all it takes is an incorrect air/ground signal, and the engines would shut down. But in fact it would also require the FADECs to read the thrust levers as being at or near idle... AND the engines failing to respond to closure of the fuel metering valve. I've read the entirety of both threads, and I haven't seen anyone even attempt to explain how a malfunction within the airframe could cause both of those things to occur on both engines (or even one engine!).
There is at least one thing common to the TCMA on each engine: The TCMA software.

My recollection may be inaccurate, but wasn't there something in the software for 787 generator control units that would cause generator shut down if the aircraft was 'powered up' for a continuous 248 days? Same software, so all 4 generators would shut down. Is my recollection inaccurate?

What we do know, for sure, is that the TCMAs have the same 'authority' and effect as the fuel cut-off switches. The difference is that the crew control the latter.

4 users liked this post.

EDLB
2025-06-17T05:38:00
permalink
Post: 11903988
We have two donks' individual fuel supplies cut simultaneously within split seconds. There is no rudder activity visible for any thrust asymmetry during this timeframe. TCMA is implemented via the FADECs, which are independent for each engine with their own power source from each engine. TCMA is designed to shut down its engine if its power lever is in the retard position and the engine is still powering with too much thrust. In addition, the airplane's ground sensors must indicate that it is on the ground. For each thrust lever there are two independent position sensors. It is designed with similar redundancy to modern car accelerator pedals: a dual redundancy in each thrust lever. For TCMA to shut down two fuel supplies within split seconds we have to assume that 4 thrust lever sensors malfunctioned and the ground sensing logic failed at the same time. The probability that this happens is nil (maybe 1 in every 10exp15 hours), which would be about 10 times the age of our universe.
Unless there is a software error in the FADEC TCMA system which only came to light on this flight. But there seems to be nothing special on this flight until rotation. If there is a software error, I expect that we would get false single engine shutdowns first. And that would already have made the news if it happened during rotation.

7 users liked this post.

C2H5OH
2025-06-17T06:25:00
permalink
Post: 11903999
Originally Posted by tdracer
On the 767 and 747-400, when you shutdown an engine and the IDG goes offline, there is a momentary 'glitch' in the electrical power system as it reconfigures for the available power source - this is why you see the flight deck displays flicker and return, and the cabin lights momentarily flicker. As a result, most of the avionics boxes 'reset' - this is quick, but it's not instantaneous. This shows up in the FDR data - sometimes as 'no valid data' for a few seconds, or as garbage readings of zero or 'full scale'. Now, looking at the FDR data, it's easy to simply disregard the data, so normally no big deal.
…
If there is a fuel cut at high power, the engine spools down incredibly rapidly - a second or two from max power to sub-idle. Assuming the fuel cut wasn't commanded by the flight deck fuel switches, the electrical system won't know it's coming, so it can't reconfigure until after the engine generators drop offline - and you're going to get that power glitch. Nearly every avionics box on the aircraft will reset due to this electrical glitch, and the FDR isn't going to get useful data for a few seconds (and then, only from the stuff that's on the battery bus).
Thank you for confirming.

This is not only happening to the FDR but to any receiver on the data busses. And likely not only when the engine spools down and power supply switches but also when power busses come offline and bus bar breakers activate or in any severe fault in the electrical system involving large currents, possibly arcing shorts.
Hence my comments on SISO and input filtering and verification in the closed thread.
TURIN
2025-06-17T06:28:00
permalink
Post: 11904002
Originally Posted by Lead Balloon
There is at least one thing common to the TCMA on each engine: The TCMA software.

My recollection may be inaccurate, but wasn't there something in the software for 787 generator control units that would cause generator shut down if the aircraft was 'powered up' for a continuous 248 days? Same software, so all 4 generators would shut down. Is my recollection inaccurate?

What we do know, for sure, is that the TCMAs have the same 'authority' and effect as the fuel cut-off switches. The difference is that the crew control the latter.
I'm pretty sure the software is written independently. Same as Airbus, you don't want the same software error on duplicate critical systems.
Kraftstoffvondesibel
2025-06-17T10:10:00
permalink
Post: 11904165
So, also as an outsider when it comes to cockpit engineering, there is one common "system", in the sense of the very close physical location, that the two engine systems have in common, and that is the physical cut off switches and their behind the panel connections.

It wouldn't take a kid's pool of liquid to interfere with those?
(I asked this question previously, in the middle of a long text, but the discussion had a very different direction then.)

What are possible ways of a common failure/triggering of these contact points somewhere in their physical installation in the cockpit?
Remember when the A350 had to be modified only 5 years ago to not allow coffee spill to turn off engines.
What about the same location in the B787?
What are the actual switches? Are they purely traditional electromechanical contact switches? How do they make contact, i.e. what are the actual gaps and dimensions? Are they digital in some sense? How are they protected? Are both installed the exact same way, or are they installed with different physical screening/protection/orientation so as to make the failure modes different? How are they physically kept apart, isolated from each other to avoid interaction and/or common failure? What is the physical distance involved there? What about the cables and connectors to them? Separate or bundled in the same wiring harness? Or even in Mil or D-sub connectors? I find one description of them as a common (both in one box) line replaceable unit with quick connects. Both of them in the same unit with a common connector? Sounds wild if so!
Just had to ask, and hope it doesn't disturb the great discussion too much.

Last edited by Kraftstoffvondesibel; 17th Jun 2025 at 10:34 .

1 user liked this post.

EDML
2025-06-17T11:34:00
permalink
Post: 11904225
Originally Posted by compressor stall
I'd be interested in any history or understanding as to why Boeing went with the common tank approach on takeoff?
Actually the engines are fed by all tanks during take off. (L engine: L wing tank + Center tank (if filled) / R engine: R wing tank + Center tank (if filled)).

Due to the fuel pressures of the feed pumps (that are all running) the center tank fuel is used first. In case the pump in the center tank fails or the center tank is empty the fuel from the wing will be used w/o any switch over taking place as the wing feed pumps are already running.

4 users liked this post.

compressor stall
2025-06-17T11:47:00
permalink
Post: 11904234
Originally Posted by EDML
Actually the engines are fed by all tanks during take off. (L engine: L wing tank + Center tank (if filled) / R engine: R wing tank + Center tank (if filled)).
Due to the fuel pressures of the feed pumps (that are all running) the center tank fuel is used first. In case the pump in the center tank fails or the center tank is empty the fuel from the wing will be used w/o any switch over taking place as the wing feed pumps are already running.
Thanks for the clarification.
artee
2025-06-17T11:58:00
permalink
Post: 11904239
Originally Posted by EDML
Actually the engines are fed by all tanks during take off. (L engine: L wing tank + Center tank (if filled) / R engine: R wing tank + Center tank (if filled)).

Due to the fuel pressures of the feed pumps (that are all running) the center tank fuel is used first. In case the pump in the center tank fails or the center tank is empty the fuel from the wing will be used w/o any switch over taking place as the wing feed pumps are already running.
Surely that's not quite right? If the center tank has fuel, both engines will be fed from the center tank. Only once/if the center tank doesn't have fuel, will the engines be fed from their respective wing tanks.

1 user liked this post.

OldnGrounded
2025-06-17T13:44:00
permalink
Post: 11904315
Originally Posted by ignorantAndroid
I'm honestly mystified by the obsession with TCMA. The FADECs control almost every aspect of the engines, so there must be numerous ways they could cause a failure or uncommanded shutdown. So, even if we assume that the engines failed due to faults in the FADECs, why assume that TCMA would be involved?
I think you may be inferring something that isn't actually true. It certainly isn't true in my case. Wanting to explore the details of a function known to be designed to shut down engines, in a case where unexplained shutdown of engines appears to be a likely cause or contributing factor, doesn't suggest that we are assuming TCMA is involved. It's just exploring the details of a function that is designed to do that and doesn't put on a light, smoke and sound show, or produce obvious debris and residue, when it does.

I think those of us who are persistently trying to learn the details of the sensor inputs to and logic of TCMA (I prefer that characterization to "obsessed with") understand quite well the points you make here — at least those of us whose interest survives in this new thread. However, I at least, and I believe others as well, have also come to the tentative conclusions that (a) the accident aircraft had engines providing little to no useful thrust from nearly the first moments after rotation, and (b) the only possible reasons for that which have been considered here so far involve the sudden and approximately simultaneous shutdown of those engines, most likely by interruption of fuel flow (because that's one of the very few things we know that can do that without producing big bangs, flames and smoke, etc.).

Surely it's more logical to simply posit that some unspecified bug in the FADEC software caused the failure. That bug could be related to TCMA, but it could just as easily involve any one of the dozens of other subroutines that likely exist.
I don't agree that it's more logical to posit that something we don't know about has shut down the engines rather than something that we do know about that is intended to shut down engines. Do you know of other routines/subroutines in the FADEC that shut down fuel supply?

Various posters seem to assume that all it takes is an incorrect air/ground signal, and the engines would shut down.
I certainly don't assume that and I haven't seen posts from others (that I consider serious and reasonably well-informed) that "seem to assume" that.

But in fact it would also require the FADECs to read the thrust levers as being at or near idle... AND the engines failing to respond to closure of the fuel metering valve.
Yes, we know that.

I've read the entirety of both threads, and I haven't seen anyone even attempt to explain how a malfunction within the airframe could cause both of those things to occur on both engines (or even one engine!).
Right, and you won't see a serious attempt to do that until we know, at least, what specific sensor inputs the TCMA function uses to determine the air/ground state of the aircraft and the logic that uses those to make the determination.


Last edited by OldnGrounded; 17th Jun 2025 at 13:46 . Reason: Formatting

5 users liked this post.

JRBarrett
2025-06-17T13:50:00
permalink
Post: 11904318
Originally Posted by ignorantAndroid
Various posters seem to assume that all it takes is an incorrect air/ground signal, and the engines would shut down. But in fact it would also require the FADECs to read the thrust levers as being at or near idle... AND the engines failing to respond to closure of the fuel metering valve. I've read the entirety of both threads, and I haven't seen anyone even attempt to explain how a malfunction within the airframe could cause both of those things to occur on both engines (or even one engine!).
Many years ago I maintained a Hawker 1000 business jet equipped with PW305 engines with FADEC. The fuel control did not have a separate switch to control fuel flow to shut down the engines. Shutdown was accomplished by pressing a release on the power levers allowing the lever to be pulled past the idle stop all the way to the cutoff position.

One day upon returning from a flight, the crew pulled both power levers to cutoff. The right engine shut down immediately as expected, but the left engine kept running. By the time we in maintenance got out to the airplane, the engine finally shut down by itself.

Troubleshooting found the cause of the problem. The cutoff position of the power lever closed a micro switch that sent a ground to the FADEC. That ground went through two discrete wires. One went directly to one input on the FADEC. The other went through a squat switch on the main gear leg to a second input on the FADEC. The engine would only shut down immediately if both inputs went to ground simultaneously. If only one input went to ground, the FADEC would delay shutdown for 30 seconds. This was to protect against an inadvertent movement of the power lever to the cutoff position in flight causing an immediate shutdown.

The squat switch on the left gear leg had failed in the open position, causing the problem.

I am wondering if more modern FADEC engines have similar protections against immediate shutdown in the air? I can see why the designers of the Hawker implemented the system the way they did, because the shutdown command was integral to the power lever, and it potentially could be pulled to the cutoff position in flight by an inadvertent release of the locking mechanism that would normally prevent it from going past the idle stop, whereas modern FADEC engines like those found on the 787 have a discrete locking switch.

But, if a similar protection against immediate shutdown does exist in the 787, would the engines keep running for a period of time (in the air) even if the fuel control switch was accidentally or deliberately moved to "off"?


4 users liked this post.
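The two-input cutoff interlock described in JRBarrett's post above, modelled as an added example that is not part of the original post and is not FADEC or manufacturer code. All names, the one-second sample step, and two rules the post does not state (a pending delayed shutdown is cancelled if the lever leaves cutoff, and the squat switch closing during the delay causes immediate shutdown) are assumptions.

```python
"""Constructed model of a two-input cutoff interlock with a delayed path."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

DELAY_S = 30  # delay quoted in the post when only one input is grounded


@dataclass(frozen=True)
class Sample:
    t: int               # seconds since start of the trace
    lever_cutoff: bool   # power-lever microswitch closed (lever at cutoff)
    squat_closed: bool   # main-gear squat switch closed (weight on wheels)


def fadec_inputs(s: Sample) -> Tuple[bool, bool]:
    """Return (direct input grounded, squat-routed input grounded)."""
    direct = s.lever_cutoff
    # The second wire only carries the ground if the squat switch is closed.
    via_squat = s.lever_cutoff and s.squat_closed
    return direct, via_squat


def shutdown_time(trace: Iterable[Sample]) -> Optional[int]:
    """Return the time the engine is shut down, or None if it keeps running."""
    pending_since: Optional[int] = None
    for s in trace:
        direct, via_squat = fadec_inputs(s)
        if direct and via_squat:
            return s.t                    # both inputs grounded: immediate
        if direct:                        # only one input grounded
            if pending_since is None:
                pending_since = s.t       # start the delay timer
            if s.t - pending_since >= DELAY_S:
                return s.t                # delay expired
        else:
            pending_since = None          # assumption: lever moved back cancels
    return None


def make_trace(seconds: int, lever: Callable[[int], bool],
               squat: Callable[[int], bool]) -> List[Sample]:
    """Build a constructed trace from two functions of time."""
    return [Sample(t, lever(t), squat(t)) for t in range(seconds)]


# Constructed scenarios (not recorded data).
NORMAL = make_trace(60, lambda t: t >= 5, lambda t: True)           # on ground
FAILED_SQUAT = make_trace(60, lambda t: t >= 5, lambda t: False)    # switch stuck open
INFLIGHT_SLIP = make_trace(60, lambda t: 5 <= t < 15, lambda t: False)

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL), ("failed squat", FAILED_SQUAT),
                        ("in-flight slip", INFLIGHT_SLIP)):
        print(name, shutdown_time(trace))
```

The failed-squat trace reproduces the delayed shutdown from the post; the in-flight trace shows the case the delay is meant to protect against.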