Posts about: "Fuel Cut Off Switches" [Posts: 33 Pages: 2]

Ok, thanks for clarifying. Of course, an overload will simply cause the hydraulic pressure relief valves to activate. There will be a moderate increase in motor current when bypassing, but the electrical side should be fully able to cope with that. Should be! I'm suggesting here that there was a fault somewhere in the electrical supplies that effectively derated some part of it, and that maybe the GearUp load was too much for it on this occasion.

Thanks for confirming the 4 gens. So there's probably quite a bit of switching required. Not sure how that's done, but I guess robust contactors are required. And even these can fail. Systems usually cannot tell that a contactor has failed on the open side until it's switched. So, a switchover may have been done, but a failed contact meant the backup generator wasn't connected. Who knows, so many possibilities.

Sure, I agree, absolutely shouldn't. Yeah, the A380... Possibly (I suggest likely), the A380 uses different logic from the B787. In the Airbus case, maybe they prioritised keeping the fuel on over shutting it off in emergency. So, severing the Airbus Cutoff signal leaves the fuel on. Boeing may use the opposite priority, that Emergency Shutdown takes precedence over Engine Running, so cutting the signal turns the engine off. I don't know, but don't think the Airbus incident necessarily applies here.

I don't think either of us was debating that. I accept it as a fact.

Okay! Many thanks for that! Of course, it very much complicates the picture, and I'm very puzzled as to how the Fuel Cutoff Switches and Valves operate. Apparently, the TCAM system shuts off an errant engine on the ground at least, but my concern is not with the software but the hardware. It obviously has an Output going into the Fuel Shutoff system. If the TCAM unit loses power, can that output cause the Cutoff process (powered by the engine-dedicated generator) to be activated? I guess that's the $64 billion question, but if MCAS is any example, then: Probably!

I hate to disappoint you, but the people (like me) who design, test, and certify aircraft are not idiots. We design for failures. Yes, on rare occasion, something gets missed (e.g. MCAS), but we know that aircraft power systems sometimes fail (or suffer short term interuptions) and we design for that. EVERY VALVE IN THE FUEL SYSTEM MUST BE POWERED TO CHANGE STATE!!!! If electrical power is lost, they just stay where they are. The engine fuel valve must be powered open, and it must be powered closed. Same with the spar valve. The pilot moves a switch, that provides electrical signals to the spar valve and the engine fuel valve to open or close. It's not complicated and has been in use for decades.
TCMA (not TCAM) - Thrust Control Malfunction Accommodation - is a FADEC based system. It's resident in the engine FADEC (aka EEC) - the ONLY inputs from the aircraft that go into the TCMA is air/ground (to enable) and thrust lever position (to determine if the engine is doing what it's being commanded to do. The FADEC has the ability to shutdown the engine via the N2 overspeed protection system - this is separate from the aircraft run/cutoff signal, although it uses the same HPSOV to effect the shutdown. That same system is used by TCMA to shutoff fuel if it determines the engine is 'running away'.

Hint, you might try going back a few pages and reading where all this has been posted previously.

This is a constant-pressure hydraulic system, not a little hydraulic ram on a logsplitter. While I assume there are some overpressure relief valves, they're not relevant here.

It uses a variable displacement pump to maintain 5000PSI constant pressure. The swashplate angle is varied to adjust pump output flow: more devices consuming fluid, more flow to keep the pressure up. If the pumps cannot deliver enough fluid, the swashplate reaches the full flow position and the output pressure decreases until flow consumed equals flow produced. Very much like a constant-current constant-voltage power supply.

Running in that area of maximum flow is 100% expected under some conditions, especially if an engine or EDP fails and the electric demand pump is supplying a whole hydraulic system sized for the larger EDP (although I think this would be less of an issue on the 787 as the L/R systems don't do much, but the same variable-displacement pump design has been around for a LONG time including on the 737).

And again, there's a VFD between the aircraft electrical bus and the pump motor, because the pump is 400Hz and the aircraft is wild-frequency. VFDs are very very good at isolating faults unless you are actually looking at a sustained overload on one of four generators .


Virtually every bus will have a feed and one or more cross-ties or back-feeds. A failed contactor is 100% designed for and with possibly the sole exception of RAT-only flight, entirely designed around. Plus, of course, flight on batteries only or PMGs.

No bus is essential on a modern aircraft.

Boeing treats everything electric as a black box but the A380 has this beautifully overkill drawing - given both have 4x generators, 2x APU generators, and a RAT, it should not be entirely dissimilar levels of redundancy:

Note that the reason for some links having two contactors in series (e.g. BTC5/6 or BTC7) is because this is spread across two separate units, so that a fire and total loss of one leaves ~half the aircraft powered and totally flyable.


As per TDR, built into the FADEC logic.

Power-open power-close is very common in commercial/situations where you don't want to be wasting energy 24/7 and don't have a defined position for the valve/damper in case of power loss. Done a bunch of them in ductwork and electrically operated windows - your car likely has them, for example.

Not 757 - it was a 767. Second time it happened in about 12 months.

Determined to be an ergonomics problem with the switch layout in the flightdeck.

Early 767s (JT9D and CF6-80A) had a supervisory "EEC" (Electronic Engine Control - Boeing still uses "EEC" to identify what most people call the FADEC on modern engines). The procedure if an EEC 'failed' was to switch both EECs off (to prevent excessive throttle stagger - unlike FADEC, the engine could operate just fine with a supervisory EEC failed).

Problem was that the EEC ON/OFF switch was located on the aisle stand - right above the fuel cutoff switches. Turned out 'muscle memory' was when the pilot reached down there, it was usually to turn the fuel ON or OFF - which is what they did. Fortunately realizing what he'd done wrong, the pilot quickly restored the switches to RUN and both engines recovered. And yes, they continued on to their destination (RAT was still deployed since there is no way to retract it in-flight).

Previous event was with JT9D engines (United IIRC). In that case, only one engine recovered (second engine went into an unrecoverable stall), they simply came back around and did a single engine landing.

Realizing the ergonomic issue, the EECs were relocated to the pilot's overhead (retrofit by AD).

To the best of my knowledge, there hasn't been a repeat of an inadvertent dual engine shutdown since the EEC switches were relocated. It's also very difficult to 'accidentally' move the switches as there is a locking detent - the switch must be pulled out slightly before it can be moved to CUTOFF.

Another hour spent sifting through the stuff since last night (my sympathies to the mods ). A few more comments:

"Real time engine monitoring" is typically not 'real time' - it's recorded and sent in periodic bursts. Very unlikely anything was sent from the event aircraft on this flight.

Commanded engine cutoff - the aisle stand fuel switch sends electrical signals to the spar valve and the "High Pressure Shutoff Valve" (HPSOV) in the Fuel Metering Unit, commanding them to open/close using aircraft power. The HPSOV is solenoid controlled, and near instantaneous. The solenoid is of a 'locking' type that needs to be powered both ways (for obvious reasons, you wouldn't want a loss of electrical power to shut down the engine). The fire handle does the same thing, via different electrical paths (i.e. separate wiring).

As I've noted previously, a complete loss of aircraft electrical power would not cause the engines to flameout (or even lose meaningful thrust) during takeoff. In the takeoff altitude envelope, 'suction feed' (I think Airbus calls it 'gravity feed') is more than sufficient to supply the engine driven fuel pumps. It's only when you get up to ~20k ft. that suction feed can become an issue - and this event happened near sea level.

Not matter what's happening on the aircraft side - pushing the thrust levers to the forward stop will give you (at least) rated takeoff power since the only thing required from the aircraft is fuel and thrust lever position (and the thrust lever position resolver is powered by the FADEC).

The TCMA logic is designed and scrubbed so as to be quite robust - flight test data of the engine response to throttle slams is reviewed to insure there is adequate margin between the TCMA limits and the actual engine responses to prevent improper TCMA activation. Again, never say never, but a whole lot would have had to go wrong in the TCMA logic for it to have activated on this flight.

Now, if I assume the speculation that the RAT deployed is correct, I keep coming up with two potential scenarios that could explain what's known regarding this accident:
1) TCMA activation shutdown the engines
or
2) The fuel cutoff switches were activated.
I literally can come up with no other plausible scenarios.

In all due respect to all the pilots on this forum, I really hope it wasn't TCMA. It wouldn't be the first time a mandated 'safety system' has caused an accident (it wouldn't just be Boeing and GE - TCMA was forced by the FAA and EASA to prevent a scenario that had never caused a fatal accident) - and there would be a lot embarrassing questions for all involved. But I personally know many of the people who created, validated, and certified the GEnx-1B TCMA logic - and can't imagine what they would be going through if they missed something (coincidentally, one of them was at my birthday party last weekend and inevitably we ended up talking about what we used to do at Boeing (he's also retired)). Worse, similar TCMA logic is on the GEnx-2B (747-8) - which I was personally responsible for certifying - as well as the GE90-115B and the 737 MAX Leap engine - the consequences of that logic causing this accident would be massive.

I hate to disappoint you, but the people (like me) who design, test, and certify aircraft are not idiots. We design for failures. Yes, on rare occasion, something gets missed (e.g. MCAS), but we know that aircraft power systems sometimes fail (or suffer short term interuptions) and we design for that. EVERY VALVE IN THE FUEL SYSTEM MUST BE POWERED TO CHANGE STATE!!!! If electrical power is lost, they just stay where they are. The engine fuel valve must be powered open, and it must be powered closed. Same with the spar valve. The pilot moves a switch, that provides electrical signals to the spar valve and the engine fuel valve to open or close. It's not complicated and has been in use for decades.
TCMA (not TCAM) - Thrust Control Malfunction Accommodation - is a FADEC based system. It's resident in the engine FADEC (aka EEC) - the ONLY inputs from the aircraft that go into the TCMA is air/ground (to enable) and thrust lever position (to determine if the engine is doing what it's being commanded to do. The FADEC has the ability to shutdown the engine via the N2 overspeed protection system - this is separate from the aircraft run/cutoff signal, although it uses the same HPSOV to effect the shutdown. That same system is used by TCMA to shutoff fuel if it determines the engine is 'running away'.

Hint, you might try going back a few pages and reading where all this has been posted previously.

There is at least one thing common to the TCMA on each engine: The TCMA software.

My recollection may be inaccurate, but wasn't there something in the software for 787 generator control units that would cause generator shut down if the aircraft was 'powered up' for a continuous 248 days? Same software, so all 4 generators would shut down. Is my recollection inaccurate?

What we do know, for sure, is that the TCMAs have the same 'authority' and effect as the fuel cut-off switches. The difference is that the crew control the latter.

I'm pretty sure the software is written independently. Same as Airbus, you don't want the same software error on duplicate critical systems.

The fuel cutoff switches can't be "flipped" in either direction; they have to be lifted over a detent and then moved, a very positive action.

The 787-8 landing gear retraction is primarily hydraulic, using the center hydraulic system for the main operation. However, the alternate gear extension system utilizes a dedicated electric pump to pressurize fluid from the center hydraulic system for gear extension. Obviously due its size and weight and staged retraction, the effort required to raise and stow the gear greatly exceeds that required for extension.

The main gear retraction/extension is controlled by the center hydraulic system.

It is apparent that the hydraulics failed when the engines shut down after breaking the down-locks and leaving the Main Landing gear bogeys in the tilt position, ready for a next step internal stowage and door closure (that was now never to happen). It is therefore apparent that the dual engine failure and consequent automated RAT extension was precipitated by this gear selection or retraction cycle and thus likely to be either WoW micro-switch or 5G Radar altimeter-effect associated. Due to accumulator depletion, the electric pump load would have spiked to replenish it. This may have precipitated the dual engine shutdown due to an unfiltered electrical surge affecting the Ground/Air microswitches (or a local 5G transmission affecting the RADALT) and resetting the TCMA.

The RADALT? Another plausibility? Because of the furore over a spasticated frequency allocation by the US FCC, the US FAA had finally “bought in” and declared that individual nations and their airline operators were responsible for their own 5G frequency spectrum allocations and for taking essential steps to ensure mitigation of the interference effects upon aircraft automated landings and other critical systems caused by their own national approved 5G spectrum decisions. It was admittedly a situation calling for extensive modifications to (and shielding for) the three radar altimeters fitted for redundancy considerations to all modern airliners... for Category 3 ILS approach and landing in zero/zero visibility conditions. The RADALT also features in many air-ground sensing applications. (eg the 747-8).

This was an unusual FAA “passing of the buck” to manufacturers such as Honeywell etc. (to sort out with client operators). But then again, it was not the US FCC’s right to dictate the specific 5G frequencies internationally. These spectrum allocations now vary over the wide selection of 5G phones available (and also nationally). 5G Radar Altimeters constitute a part of the ground/Air sensing that changes the TCMA from ground mode (able to fuel-chop engines) to the air mode (inhibited from doing so)... Ground activation is acceptable ...where fuel chopping of uncommanded thrust can prevent runway sideways excursions or runway length overruns. The question now becomes: “Is it more (or less) safe having an automated fuel-chopping capability on BOTH your left and right, rather than leaving it to the pilot to react via his center console fuel cut-off switches... in the unlikely event of a runaway engine after landing (or during an abandoned take-off)?

5G Frequency Variations

The frequencies of 5G phones vary nationally based on the frequency bands allocated and used by different carriers in each country. In the United States, for example, carriers such as AT&T, Verizon, T-Mobile, and others use a combination of low-band, mid-band, and high-band 5G frequencies. Low-band 5G frequencies typically range from 600 MHz to 1 GHz, mid-band 5G frequencies range from 1.7 GHz to 2.5 GHz, and high-band 5G (mmWave) frequencies start at 24 GHz and go up to 40 GHz . These frequencies are allocated by regulatory bodies such as the Federal Communications Commission (FCC) and can vary between countries based on spectrum availability and regulatory decisions. In other countries, the specific frequency bands used for 5G may differ, leading to variations in the frequencies supported by 5G phones. Additionally, the deployment of 5G networks can also influence the frequencies used, with some countries focusing more on sub-6 GHz bands while others prioritize mmWave technology.

5G interference? It may be an avenue worth exploring?

I\x92m sure this is wrong; was looking for confirmation. I read somewhere that the 787 keeps the fuel valve open by an electric driven actuator, and closes it by spring force.

I seem to remember Fred Dibner talking about how railway cars brake by draining the piston not by pressurising it, so trains will stop when supply lines break.

The electrical system updates to 787s for ADs and SBs - do any of these include software updates? For example the integer overflow causing GCU failsafe rectified under AD 2018-20-15. If so, who is writing and implementing these software updates? The original engineers? Their apprentices who had years long handovers? Or have they been outsourced and offshored? When these updates occur, does the entire system get tested and ratified or just the bit the bug fix is meant to fix? Because I\x92ve seen new bugs introduced by bug fixes in areas seemingly nothing to do with the original problem.

DISCLAIMER: Poster (a) is one of the (apparently quite numerous) lawyers following this thread; (b) a long-time forum lurker and aviation enthusiast who loves studying FCOMs for fun (to each his own, I guess); (c) has followed and read this thread from the start.

What I cannot do is add new theories or uncover any new facts the actual experts have not already thought of. However, since summarizing and structuring information is one thing lawyers tend to regularly do (and sometimes even do well), here is my attempt at a useful contribution to this thread: an attempt to summarize the main theories discussed here since day one (which I think hasn't been done for quite some time) in the hope that a birds-eye view will be helpful to those who have not read everything since the beginning or might even trigger some new flash of inspiration for someone more knowledgable than me. I have focused on the cons since there does not seem to be enough evidence to come to any positive conclusion.

I shall try to be concise and to refrain from personal evaluations of my own. Of course, no disrespect whatsoever is intended towards all those who have contributed to this thread and to the individual theories, one or combinations of which may turn out to have led to this tragic outcome. That arguments can be made against every single theory that has been propagated seems to be the result of the highly improbable and unusual nature of this deplorable event and certainly not due to any lack of knowledge or reasoning skills in this forum.

DEAR MODS: If I have distorted anything or if, meaning well, should have achieved the opposite \x96 I guess you know where the delete button is\x85

Anyway, here goes:

A. Misconfiguration or wrong takeoff data
Widely refuted, since

• rotation, takeoff and initial climb seem normal;
• likely extreme errors would have been required to have such tragic effect (the fuel tanks should have been only about half full, so not close to MTOW);
• there is strong evidence that at least some flaps were extended for takeoff (post-crash photo, perhaps also visible in video from behind)

B. Flaps retracted post-takeoff instead of gear
Still brought up from time to time. However, widely disregarded due to

• the fact that with two working engines an inadvertent flap retraction should easily be recoverable, even with gear down;
• strong indications that hydraulic and electric power were lost (audible/visible indications of RAT extension, survivor statement, lack of engine noise, position of MLG bogies).

For a while, the forward tilt of the bogies as first part of the retraction cycle was seen as additional evidence that the gear had been selected up. However, it has been pointed out that the forward tilt and the opening of the gear doors occur almost simultaneously so that it seems unlikely that hydraulic power was lost in the split second between bogie tilt and gear door actuation. It is now assumed the forward tilt of the bogies was merely a consequence of the hydraulic power loss.
It should be pointed out that the question of "RAT in or out" was for a while the most contentious in this thread.

C. Low-altitude capture
Still argued, even if refuted by many since

• inconsistent with apparent loss of hydraulic/electric power;
• PF would have been flying manually (however, A/T reaction would have been unexpected for the PF);
• should have been recoverable (unless one assumes that the crew (a) remained unaware of the changed FMA annunciations although alerted by the unexpected FD commands; and (b) was so startled that an A/T thrust reduction was not noticed and corrected, even though the PF was apparently sufficiently alert not to follow the FD commands).

D. Loss of both engines at or shortly after rotation
Various possible reasons for this have been discussed:

I. Bird strike/FOD

• Would have to have occurred simultaneously due to lack of rudder/aileron input indicating symmetric thrust.
• No remains/traces on runway, no visual indications (flocks of birds, flames, structural engine damage).

II. Fuel-related III. Improper maintenance
Unclear which maintenance measures could possibly have been performed that would have resulted in simultaneous loss of both engines. No apparent relationships between malfunctions reported by previous passengers and essential systems.

IV. Large-scale electrical fault (e.g. due to water in E&E bay)
The engines will continue to run if electrical power is lost. FADECs are powered independently.

V. Shutdown of engines by TCMA
A parallel is drawn to the ANA incident. However, this would require not only a fault in the air/ground logic but also a sensed discrepancy between T/L position (not necessarily idle) and thrust output on both engines simultaneously.

VI. (Inadvertent) shutdown by flight crew VII. Malfunction/mishandling of the fuel cutoff switches (most recent)

If we are to take the TCMA patent at face value, the fuel cut-off switches are directly-acting, not some sort of signalling protocol.

That's a pretty big "if" but here's the patent drawing: