Posts about: "Fuel Cutoff" [Posts: 302 Pages: 16]

Spot on, there's so much fuel being sucked at that power setting, it would be super quick and presumably at near enough to the exact same time.

I assume (rightly so) that you're focused on what could cause them to fail at what appears to be the exact same time given the absence of yaw and any correcting rudder input.

One the face of it, it could only be throttle or fuel supply, with fuel supply only being able to be cut off by valves so abruptly. Any kind of blockage or similar wouldn't give such a result, even if there was a low fuel condition, short of the pickups being exactly right next to each other, presumably that wouldn't give the outcome we've seen.

tdracer explained that earlier: T/O power to sub idle on fuel shutoff only takes 1s, at most 2s.

Slamming the throttles back is a lot slower as the FCU (on a traditional engine)/FADEC spins down the engine slowly - I suppose to make sure that the airflow through the engine remains stable.

Regarding the momentum: As the first few seconds of the climb were normal compared to previous T/Os of the same flight (speed & altitude, confirmed by comparison of the RAW ADS-B data) I don't believe the engine failure happened before or on lift-off.

@syseng68k
Consensus here is, that both engines where stopped by a closing fuel cut off valve, wich yields a fast loss of N2. The generators then shut down very quick as does the thrust in a few seconds. This is supported by the quick RAT extension which allowed the crew to control the flight. The APU did autostart too. A thrust changed with the thrust leaver to idle is much slower and would not result in the dramatic change in performance. Thrust set to idle will not engage the RAT since the electric generators would still work. So a thrust leaver changed to idle or any intervention by Autothrust (AT) would not yield to the RAT extension. Something or someone activated a fuel cut off. How and why that happened is the big question, the investigators have to answer.

A naive glider pilot question: if fuel cut off was (inconceivably) selected, would both fuel control levers have been flipped downwards from Run to Cutoff? And if they were then immediately flipped back to the Run position, how much time would have been needed to achieve enough thrust to maintain altitude?

The fuel cutoff switches can't be "flipped" in either direction; they have to be lifted over a detent and then moved, a very positive action.

The simplest answer: Lo Lvl Alt Cap; Thrust to Idle; Startle Factor; Inappropriate Memory Items : ( RAT deployed; insufficient time for Eng relight.

The 787-8 landing gear retraction is primarily hydraulic, using the center hydraulic system for the main operation. However, the alternate gear extension system utilizes a dedicated electric pump to pressurize fluid from the center hydraulic system for gear extension. Obviously due its size and weight and staged retraction, the effort required to raise and stow the gear greatly exceeds that required for extension.

The main gear retraction/extension is controlled by the center hydraulic system.

It is apparent that the hydraulics failed when the engines shut down after breaking the down-locks and leaving the Main Landing gear bogeys in the tilt position, ready for a next step internal stowage and door closure (that was now never to happen). It is therefore apparent that the dual engine failure and consequent automated RAT extension was precipitated by this gear selection or retraction cycle and thus likely to be either WoW micro-switch or 5G Radar altimeter-effect associated. Due to accumulator depletion, the electric pump load would have spiked to replenish it. This may have precipitated the dual engine shutdown due to an unfiltered electrical surge affecting the Ground/Air microswitches (or a local 5G transmission affecting the RADALT) and resetting the TCMA.

The RADALT? Another plausibility? Because of the furore over a spasticated frequency allocation by the US FCC, the US FAA had finally “bought in” and declared that individual nations and their airline operators were responsible for their own 5G frequency spectrum allocations and for taking essential steps to ensure mitigation of the interference effects upon aircraft automated landings and other critical systems caused by their own national approved 5G spectrum decisions. It was admittedly a situation calling for extensive modifications to (and shielding for) the three radar altimeters fitted for redundancy considerations to all modern airliners... for Category 3 ILS approach and landing in zero/zero visibility conditions. The RADALT also features in many air-ground sensing applications. (eg the 747-8).

This was an unusual FAA “passing of the buck” to manufacturers such as Honeywell etc. (to sort out with client operators). But then again, it was not the US FCC’s right to dictate the specific 5G frequencies internationally. These spectrum allocations now vary over the wide selection of 5G phones available (and also nationally). 5G Radar Altimeters constitute a part of the ground/Air sensing that changes the TCMA from ground mode (able to fuel-chop engines) to the air mode (inhibited from doing so)... Ground activation is acceptable ...where fuel chopping of uncommanded thrust can prevent runway sideways excursions or runway length overruns. The question now becomes: “Is it more (or less) safe having an automated fuel-chopping capability on BOTH your left and right, rather than leaving it to the pilot to react via his center console fuel cut-off switches... in the unlikely event of a runaway engine after landing (or during an abandoned take-off)?

5G Frequency Variations

The frequencies of 5G phones vary nationally based on the frequency bands allocated and used by different carriers in each country. In the United States, for example, carriers such as AT&T, Verizon, T-Mobile, and others use a combination of low-band, mid-band, and high-band 5G frequencies. Low-band 5G frequencies typically range from 600 MHz to 1 GHz, mid-band 5G frequencies range from 1.7 GHz to 2.5 GHz, and high-band 5G (mmWave) frequencies start at 24 GHz and go up to 40 GHz . These frequencies are allocated by regulatory bodies such as the Federal Communications Commission (FCC) and can vary between countries based on spectrum availability and regulatory decisions. In other countries, the specific frequency bands used for 5G may differ, leading to variations in the frequencies supported by 5G phones. Additionally, the deployment of 5G networks can also influence the frequencies used, with some countries focusing more on sub-6 GHz bands while others prioritize mmWave technology.

5G interference? It may be an avenue worth exploring?

I\x92m sure this is wrong; was looking for confirmation. I read somewhere that the 787 keeps the fuel valve open by an electric driven actuator, and closes it by spring force.

I seem to remember Fred Dibner talking about how railway cars brake by draining the piston not by pressurising it, so trains will stop when supply lines break.

The electrical system updates to 787s for ADs and SBs - do any of these include software updates? For example the integer overflow causing GCU failsafe rectified under AD 2018-20-15. If so, who is writing and implementing these software updates? The original engineers? Their apprentices who had years long handovers? Or have they been outsourced and offshored? When these updates occur, does the entire system get tested and ratified or just the bit the bug fix is meant to fix? Because I\x92ve seen new bugs introduced by bug fixes in areas seemingly nothing to do with the original problem.

There were simultaneous engine failures, but those were due to massive birdstrikes ( US1549 ) or due to epidemic engine failures on Il-62s of various versions (like LOT 007 or LOT 5055 ).

Fuel related total engine failures like Aeroflot 366 or Air Transat 236 at least had the decency to have the engines starve one after another as the fuel in the individual tanks depleted.

But all those are probably highly irrelevant when considering the Air India accident. An engine disintegration or a heavy birdstrike would have been visible on the videos, a sizeable bird would have left some remains. And gradual fuel starvation would have shown some yaw.

As much as I despise the thought, the issue that got AI171 must have come from within the aircraft, although this most decidedly does not infer any wrongdoing by any crewmember.

Shutting down the wrong engine is not extremely rare:

1. GoAir320 at Delhi
2. Transasia AT72 at Taipei
3. Alitalia A332 at Seoul
4. SA Airlink JS41 at Durban

Not saying it happened here!

It would surely be nice to get clarified. Does the FADEC control the fuel cut-off valves? Isn't that messing up the hierarcy somewhat? And wouldn't/shouldn't these be separate from everything else?
If so , the likelyhood of this having anything to do with the switches, their harness, or connectors drops way down. (although most theories are dealing with statistical "impossibilities", what better time than after decades for such to occur.)

The switches are double on's or 4 pole, that means they are (can be) connected to 2 different systems individually. Anyone know how that system looks? Why 2 signals?

DISCLAIMER: Poster (a) is one of the (apparently quite numerous) lawyers following this thread; (b) a long-time forum lurker and aviation enthusiast who loves studying FCOMs for fun (to each his own, I guess); (c) has followed and read this thread from the start.

What I cannot do is add new theories or uncover any new facts the actual experts have not already thought of. However, since summarizing and structuring information is one thing lawyers tend to regularly do (and sometimes even do well), here is my attempt at a useful contribution to this thread: an attempt to summarize the main theories discussed here since day one (which I think hasn't been done for quite some time) in the hope that a birds-eye view will be helpful to those who have not read everything since the beginning or might even trigger some new flash of inspiration for someone more knowledgable than me. I have focused on the cons since there does not seem to be enough evidence to come to any positive conclusion.

I shall try to be concise and to refrain from personal evaluations of my own. Of course, no disrespect whatsoever is intended towards all those who have contributed to this thread and to the individual theories, one or combinations of which may turn out to have led to this tragic outcome. That arguments can be made against every single theory that has been propagated seems to be the result of the highly improbable and unusual nature of this deplorable event and certainly not due to any lack of knowledge or reasoning skills in this forum.

DEAR MODS: If I have distorted anything or if, meaning well, should have achieved the opposite \x96 I guess you know where the delete button is\x85

Anyway, here goes:

A. Misconfiguration or wrong takeoff data
Widely refuted, since

• rotation, takeoff and initial climb seem normal;
• likely extreme errors would have been required to have such tragic effect (the fuel tanks should have been only about half full, so not close to MTOW);
• there is strong evidence that at least some flaps were extended for takeoff (post-crash photo, perhaps also visible in video from behind)

B. Flaps retracted post-takeoff instead of gear
Still brought up from time to time. However, widely disregarded due to

• the fact that with two working engines an inadvertent flap retraction should easily be recoverable, even with gear down;
• strong indications that hydraulic and electric power were lost (audible/visible indications of RAT extension, survivor statement, lack of engine noise, position of MLG bogies).

For a while, the forward tilt of the bogies as first part of the retraction cycle was seen as additional evidence that the gear had been selected up. However, it has been pointed out that the forward tilt and the opening of the gear doors occur almost simultaneously so that it seems unlikely that hydraulic power was lost in the split second between bogie tilt and gear door actuation. It is now assumed the forward tilt of the bogies was merely a consequence of the hydraulic power loss.
It should be pointed out that the question of "RAT in or out" was for a while the most contentious in this thread.

C. Low-altitude capture
Still argued, even if refuted by many since

• inconsistent with apparent loss of hydraulic/electric power;
• PF would have been flying manually (however, A/T reaction would have been unexpected for the PF);
• should have been recoverable (unless one assumes that the crew (a) remained unaware of the changed FMA annunciations although alerted by the unexpected FD commands; and (b) was so startled that an A/T thrust reduction was not noticed and corrected, even though the PF was apparently sufficiently alert not to follow the FD commands).

D. Loss of both engines at or shortly after rotation
Various possible reasons for this have been discussed:

I. Bird strike/FOD

• Would have to have occurred simultaneously due to lack of rudder/aileron input indicating symmetric thrust.
• No remains/traces on runway, no visual indications (flocks of birds, flames, structural engine damage).

II. Fuel-related III. Improper maintenance
Unclear which maintenance measures could possibly have been performed that would have resulted in simultaneous loss of both engines. No apparent relationships between malfunctions reported by previous passengers and essential systems.

IV. Large-scale electrical fault (e.g. due to water in E&E bay)
The engines will continue to run if electrical power is lost. FADECs are powered independently.

V. Shutdown of engines by TCMA
A parallel is drawn to the ANA incident. However, this would require not only a fault in the air/ground logic but also a sensed discrepancy between T/L position (not necessarily idle) and thrust output on both engines simultaneously.

VI. (Inadvertent) shutdown by flight crew VII. Malfunction/mishandling of the fuel cutoff switches (most recent)

The TCMAs will not 'activate' - trigger fuel shut off - on a rejected take off if the engines do what they are told when the thrust levers are set to idle. The software monitoring the engine parameters v throttle position is quite sophisticated, for obvious reasons.

Just so I have this clear, are you saying that the implementation of the TCMA functionality involved no new components being added to the pre-existing FADEC? Are you saying, in effect, that the two switch relays described in the TCMA patent application, which relays and their configuration achieves the described two channel redundancy, were already there as components or are mere depictions of what the software does itself?

I am not suggesting you are wrong and, as I've said before, the descriptions and schematic in the patent application are just 'big hands / small maps' concepts. However, if TCMA functionality "is simply a bit of software in the FADECs", merely sending a 1 or 0 or other signal into a point in the pre-existing FADEC that already had control over fuel cutoff (with the TCMA software merely monitoring data busses, rather than direct sensor outputs, to work out thrust lever position and whether or not the aircraft is 'on the ground' for TCMA purposes) I for one would really like to know that for sure and get my head around the implications.

That is the implication I have heard all along, particularly from tdracer's posts.

It uses existing thrust-lever-angle inputs, existing N1 inputs, and (presumably) existing WoW inputs, does software stuff inside the ECU, and if necessary uses the existing overspeed cutout outputs to stop the engine.

I don't have any direct knowledge, but yes, that's my understanding based primarily on tdracer's comments. It also just makes sense. I'm pretty confident that all the necessary hardware already existed because of the need for N2 overspeed protection. A failure in one FADEC channel could drive the FMV fully open, leading to an overspeed and uncontained engine failure. For regulatory purposes, it would be unacceptable to have a single point of failure with catastrophic consequences, so it would be necessary to make the inactive FADEC channel capable of cutting off fuel in that case.

The air/ground signal would've already been present as well. It would be needed for switching between ground idle, flight idle, and approach idle. Tdracer has discussed that as well, in past threads.

Yes. I simplified. The point stands that the throttle needs to be pulled back, as it was in the ANA event, because that was a landing and not a take-off.

First, you posted a good summary. I'd have added "unanticipated hardware fault" and "unanticipated software fault" as generic causes.

Note that the thrust lever actuators are wired to the FADECs, and that the TCMA gets the T/L position from that. For TCMA to trigger, it has to determine that its FADEC (on that engine) failed to achieve a commanded reduction in thrust. So we're either looking at a weird, unprecedented edge case, or a FADEC failure, or both.

It has been mentioned before that this capability existed as part of the N2 overspeed protection: the FADEC would shut down a runaway engine by cutting its fuel before it disintegrates.
The thrust lever sensors are wired directly to the FADEC (and hence the TCMA). No data bus is involved with this item.

With a MCAS crash, it required a hardware problem with an AOA sensor, used as input to a correctly working MCAS, to cause the aircraft to behave erratically. With a correctly working TCMA, I believe it'd require two hardware problems to get TCMA to shut down the engine, as there'd have to be an implausible thrust lever reading, and a FADEC/engine failure to process it within the TCMA allowed range ("contour"?). On both engines, separately and simultaneously.

That leaves a software problem; it's not hard to imagine. The issue is, at this point it's just that: imagination. I could detail a possible software failure chain, but without examining the actual code, it's impossible to verify. We simply don't have the evidence.
I could just as well imagine a microwave gun frying the electronics on both engines. An escaped hamster under the floor peeing on important contacts. A timed device installed by a psychopathic mechanic. There's no evidence for that, either.

This process is a way to psychologically cope with the unexplained accident, but because it lacks evidence, it's not likely to identify the actual cause. We've run the evidence down to "most likely both engines failed or shut off close to rotation, and the cause for that is inside the aircraft". Since the take-off looked normal until that failure, we have no clues as to the cause hidden inside the aircraft. We need to rely on the official investigation to discover and analyse sufficient evidence. The post-crash fire is going to make that difficult.

"Both engines failed or shut off close to rotation" explains all of the evidence : it explains an unremarkable take-off roll, loss of lift, absence of pronounced yaw, loss of electrical power, loss of the ADS-B transponder, RAT deployment, the noise of the RAT banging into place and revving up, emergency signs lighting up, a possible mayday call reporting loss of thrust/power/lift, and a physically plausible glide from a little over 200 ft AAL to the crash site 50 feet (?) below aerodrome elevation .
It explains what we saw on the videos, what the witness reported, where the aircraft ended up, and the ensuing sudden catastrophe.

I don't believe we have evidence for anything else right now—I'd be happily corrected on that.

-----
Edit: the evidence of the crash photo with the open APU inlet door, and the main gear bogeys tilted forward, are also explained by the dual engine failure/shut off.

Let me try to answer the questions about which I have some knowledge, as an aerospace engineer:
(I am not sufficiently informed to answer Q4,6 and 7, at the moment)

Yes, overspeed on either resolver channel A or B alone will trip the TMCA fuel-cut logic


G is a single Boolean that FADEC derives from Weight-On-Wheels (MLG and NW) and radio-altimeter. Iit stays \x93ground\x94 until all WOW sensors go inactive (i.e. every wheel is off the runway) and the RadALT exceeds its airborne threshold.


That's very unlikely. Ground/air logic uses small hysteresis (tens to a few hundred ms), but not in the multi-second range



Let's do the math very quickly:
Kinetic energy with a weight of 200,000kg, at Vr = 150kn = 77m/s: E_kin = 600MJ
Rotational energy of a GEnX engine is hard to calculate as I don't find reliable values for the rotary inertia. I found some for a GE90 and could roughly estimate 100MJ of rotational energy for each engine. However, I seriously doubt that this energy could be effectively used to gain thrust, as the thrust will drop very quicjkly after the fuel is cut off.
the required potential energy for a 100ft climb of a 200,000kg 787 is around 70MJ.

This ignores aerodynamic drag, still, 100 ft of climb remains energetically feasible.
However, it as been pointed out several times that the actual climb was higher than 100ft. Already for 200ft I would doubt the validity of my statement above.

We have an authoritative answer to that question, but only if the TCMA implemented in the FADEC used on the 787 engines functions in the way described in conceptual documents: If one of the two TCMA 'channels' for an engine 'thinks' the shut off criteria are satisfied but the other channel doesn't, the channel which 'thinks' the shut off criteria are satisfied 'wins' and the fuel shut off valve for that engine is therefore given a shut off signal.

I perfectly understand that there is much talking about TCMA here.
There is no direct evidence of what caused the crash but several indirect evidences point towards a near simultaneous shutdown of both engines without any visual clue of a catastrophic mechanical mishap. This leads to suspecting near simultaneous fuel starvation of both engines.
As the purpose of TCMA is shutting down the High Pressure Shut-Off Valve (HPSOV) and thus the fuel feed of an engine, it's normal to collect information on TCMA, on how it works, and on what data feeds it.

However, I hardly understand why there is no similar discussion about the spar valves and the systems that control their opening and closure.

I understand that the B787 spar valves are located in the MLG well, or at least are maintained from within that well.
If the engine shutdown happened when the gear retraction was commanded, that's a location commonality (although it's very unlikely that a mechanical problem happened in both wells at the same time).
Also I understand that there are several systems that command the opening or closing of the spar valves:
- opening: "Engine control panel switch" set to "START", or "Fuel control switch" set to "RUN"
- closing: "Engine fire handle" pulled out. (I wonder if "Fuel control switch" set to "CUTOFF" also closes the spar valve).
Are there direct wires running from these controls to the valves or is there a pair of control units receiving these signals and controlling the valve actuators?
If the latter is true, where are these control units? I guess that the likely location is the aft EE bay. Are they beside each other?