Posts about: "Fuel Cutoff" [Posts: 181 Pages: 10]

It\x92s a possibility (as is virtually anything that doesn\x92t break the laws of physics) but all the training, practicing and checking would have been to emphasise SOPs, which are to leave all the engine controls where they are until you have done a proper interactive diagnosis at a safe height with the flightpath assured.

Where the meme has come from that jet pilots have to shut down engines as quickly as possible I don\x92t know but it is incorrect. If you left a failed engine without securing it for 5 minutes, little to no harm would come of it. Even if it was on fire (which is not necessarily flames, just higher than normal temperatures inside the nacelle) they are certified to be in this condition for some considerable time before it becomes a problem. Yes, I think the phrase \x93without undue delay\x94 could be used for a fire indication but that\x92s a minimum of 400\x92AGL in Boeings and does not absolve you of all the cross-checking and CRM that should happen with an engine shutdown. This is practiced/checked at the least every 6 months in EASA land and any attempt to rush a shutdown at low level would lead to a debrief and more training/checking.

To put it this way, control of the aeroplane and lateral/vertical navigation is far more important than doing stuff with a failed power plant. Something like an ET should be absolutely prioritised over engine drills.

Agreed, my brevity in reply doesn't tell the whole story.
What I mean is that with engines running, fuel shut off valve(S) open, if there is a loss of electrical power the valves will remain open.
This is standard design on all the gas turbine engines I have worked on.

I don\x92t really know what you are talking about. I\x92m current 787 and have flown many types including airbus prior to this. EFATO is normally an SOP handling exercise, not a memory item in itself. Memory items on nearly all types cover the specific drill for the engine only in all regimes of flight\x85ie severe damage/separation, engine limit exceedance/surge, engine fire. ie you\x92d never say \x93I\x92ll take the memory items for an engine failure after takeoff\x94.

EFATO handling is similar on most types too\x85in essence, contain any yaw, rotate, get the gear up and either trim it out or (787) let the aircraft trim it out\x85.AP in and once safely climbing away at a defined altitude diagnose followed by memory items if applicable. 787 you don\x92t action any drills until above 400ft so it would be extremely unlikely this crew actually got the stage of touching a fuel control switch.

I am only asking about an engine failure memory item. Fire, separation or severe damage being a different beast.

Are you confirming that there is no specific engine failure memory item? When safe run the QRH?

​​​​​​​I completely agree.

Without going round the hamsterwheel again does anyone have an actual reference for this? Because I've gone back through each of tdracer's very informative posts about this see here and there is a discrepancy in the two points he makes below in adjacent posts. Is tdracer talking about the same HPSOV valves? Can anyone confirm that with both AC power loss and and a temporary DC power loss there are no critical engine related shutoff valves that will fail safe (unpowered) in a closed position?

Further to the (logical in my view) points you make in response to AAKEE's ostensibly logical conclusion that the commencement of undercarriage retraction (if it did commence) is conclusive of the aircraft being 'in the air' for aircraft systems purposes, including TCMA purposes, I make the following points:

First, whilst it may be that every system that monitors and makes decisions about whether the aircraft is 'in the air' does so on the basis of exactly the same sensor inputs, that may not be true and I'd appreciate someone with the expert knowledge on the 78 to confirm or refute the correctness of the assumption, particularly in relation to, for example, FADEC functions compared with undercarriage control functions.

Secondly and probably more importantly, what happens if one of the sensors being used to determine 'in air' versus 'on ground' gives an erroneous 'on ground' signal after - maybe just seconds after - every one of those sensors has given the 'in air' signal?

Reference was made earlier in this thread to a 'latched' in air FADEC condition that resulted in engine shut downs after the aircraft involved landed and was therefore actually on the ground. But what if some sensor failure had resulted in the aircraft systems believing that the aircraft was now on the ground when it was not? I also note that after the 2009 B737-800 incident at Schiphol – actually 1.5 kms away, where the aircraft crashed in a field during approach - the investigation ascertained that a RADALT system suddenly sent an erroneous minus 8’ height reading to the automatic throttle control system.

The conceptual description of the TCMA says that the channels monitor the “position of thrust lever” – no surprises there – “engine power level” – no surprises there – and “several other digital inputs via digital ARINC data buses”.

WoW should of course be one of those "digital inputs" and be a 1 or 0. But I haven't seen any authoritative post about whether the change in state on the 78 requires only one sensor to signal WoW or if, as is more likely, there are (at least) two sensors – one on each MLG leg – both of which have to be ‘weight off’ before a weight off wheels state signal is sent. Maybe a sensor on each leg sends inputs to the ARINC data and the systems reading the data decide what to do about the different WoW signals, as between 00, 01, 10 and 11.

There is authoritative information to the effect that RADALT is also one of the “digital inputs” to the TCMA. The RADALTs presumably output height data (that is of course variable with height) and I don’t know whether the RADALT hardware involved has a separate 1 or 0 output that says that, so far as the RADALT is concerned, the aircraft to which it is strapped is, in fact, ‘in the air’ at ‘some’ height, with the actual height being so high as to be irrelevant to the systems using that input (if that input is in fact generated and there are, in fact, systems that use that 1 or 0).

If we now consider the ‘worst case scenario will be preferred’ concept that apparently applies to the TCMA design so as to achieve redundancy, the number of sensor inputs it’s monitoring to decide whether, and can change its decision whether, the aircraft is on the ground, becomes a very important matter. The TCMA is only supposed to save the day on the ground, if the pilots select idle thrust on a rejected take off but one or both of the engines fail to respond. In the ‘worst case’ (in my view) scenario, both TCMA channels on both engines will be monitoring/affected by every WoW sensor output and every RADALT output data and, if any one of them says ‘on ground’, that will result in both engines’ TCMAs being enabled to command fuel shut off, even though the aircraft may, in fact, be in the air.

Of course it’s true that the TCMA’s being enabled is not, of itself, sufficient to cause fuel cut off to an engine. That depends on a further glitch or failure in the system or software monitoring engine power and thrust lever position, or an actual ‘too much thrust compared to thrust lever position’ situation. But I can’t see why, on balance, it’s prudent to increase the albeit extraordinarily remote risk of an ‘in air’ TCMA commanded engine or double engine shut down due to multiple sensor failure – just one in-air / on-ground sensor and one of either the thrust lever sensor/s or engine power sensor/s – or, in the case of an actual in air ‘too much thrust compared to thrust lever position situation’, why that ‘problem’ could not be handled by the crew shutting down the engine when the crew decides it’s necessary. Once in the air, too much thrust than desired is a much better problem to have than no thrust. The latter is precisely what would happen if all ‘on ground / in air’ sensors were functioning properly and some ‘too much thrust’ condition occurred.

Hopefully the design processes, and particularly the DO-178B/C software design processes done by people with much bigger brains than mine, have built in enough sanity checking and error checking into the system, followed by exhaustive testing, so as to render my thoughts on the subject academic.

Is this something that you train for in your airline? Am I correct that to do this requires making the needed switch selections on the overhead panel?

Further up the thread one of the posters mentions that it is very unlikely that any crew action (checklist, QRH) would have got anywhere near to changing a fuel pump switch position.

I would take that post by Crossky with a grain of salt. No part of his post made sense and I can only assume he is not a 787 pilot despite claiming to be. "Fuel starvation if pumps aren't turned off, not in my manual but I read about a procedure on the Internet", it's loony stuff.

Your comment:
Is correct. As commented by Sailvi767, only after the jet is cleaned-up, away from the ground and ATC sorted out would any "normal" defect that didn't require a Memory/Recall item be attended-to. Now, if both engines stopped 7 seconds after liftoff, that's different; there is no published procedure for that.

My understanding of the 78 fuel system is it\x92s very similar to the 777; assuming center tank fuel all pumps are turned on for takeoff (the center tank override pumps are at higher pressure than wings so it feeds first). If all electrical power is lost at lower altitudes engines suction feed just fine (probably from the wing tanks).

I don't think ‘worst case scenario will be preferred’ is the philosophy they use. The way tdracer explained it, there can't be any single failure that leads to uncommanded high thrust on the ground. Presumably, each FADEC channel is treated as a single 'fault isolation area.' That's why the inactive channel has to be able to effect a shutdown in case the active channel causes a runaway.

For the sake of argument, imagine if every air/ground sensor had to say 'ground' to enable TCMA. That should still meet the 'no single failure' requirement since you'd need at least 2 failures to get a runaway engine: the original thrust control problem, and a faulty air/ground sensor.

IIRC, he said that the 747-8 looks at weight on wheels, gear truck tilt, and radio altimeters. At least one of each has to say 'ground' for TCMA to be enabled.

SLF Engineer (electrical - not aerospace) so no special knowledge

Perceived wisdom may be applicable in normal circumstances but not when all the holes line up.

For example I've seen it quoted many times that the engine FADECs are self powered
by the engines, the TCMAs-whether part of the FADEC or a separate unit, similarly self contained
within the engine. The perceived wisdom seems to be that there is no common single fault
which can take out both engines.

And yet we're also told that the TCMA function can only function in ground mode and receives ground-air
signals from a combination of inputs from Rad Alts and WOW sensors.
There is therefore a connection from the central EE bay to the engine.

Yes I'm sure the Rad/Alt and WOW sensor processing will use different sensors for each side and powered from different
low voltage buses.
However as an analogy, in your house your toaster in the kitchen may be on a separate circuit from the water heater in
the bathroom, each protected by a fuse at the main switchboard. In normal operation a fault in one cannot affect the other.
However a lightning strike outside the house can send much higher voltages than normal operation throughout the entire
system and trash every electrical appliance not physically disconnected at the time.

Now I'm not suggesting the aircraft was hit by lightning but FDR has proposed a single event, buildup from a water leak entering
one of the EE bays at rotate. It would be possible for one or more of the HV electrical buses to short so that all the low voltage
buses go high voltage. I have no knowledge of how the FADEC / TCMA systems connect to or process the Ground-Air signals but
there is a single fault mechanism whereby high voltage could be simultaneously and inappropriately applied to both engine control systems.
It would be unfortunate if this failure mechanism did cause power to be applied to drive the fuel shut off valve closed.

Since the likelihood is that we're looking at a low probability event then perceived wisdom about normal operations and fault modes
might not be applicable.

The equipment on RAT/battery is limited:


(from the online 2010 FCOM)


(from the maintenance training )

The 787 battery fire report says the two recorders are on the left and right 28VDC buses. I don't think those get powered on RAT by the looks of it. I would wager you get whatever is on the 235VAC 'backup bus', plus the captain's and F/O's instrument buses via C1/C2 TRUs. You won't get all of that (like the F/O's screens) because the 787 energises/de-energises specific bits of equipment, not just whole buses.

Losing recorder power looks entirely expected.


400VAC/540VDC (+-270V) is not really known for blowing past input protection in the same way as actual HV or lightning. I would expect some optocouplers and/or transformers to be both present and adequate. There's definitely some big MOVs scattered around the main 235VAC buses.

Weight on wheels appears to go into data concentrators that go into the common core system (i.e. data network).

Presumably there is a set of comms buses between the FADECs and the CCS to allow all the pretty indicators and EICAS alerts in the cockpit to work. The WoW sensors might flow back via that, or via dedicated digital inputs from whatever the reverse of a data concentrator is called (surely they have need for field actuators other than big motors?). Either way, left and right engine data should come from completely different computers, that are in the fwd e/e bay (or concentrators/repeaters in the wings, maybe) rather than in with the big power stuff in the aft e/e bay.

This has also been touched upon earlier in the thread, but it rather seems the cut-off switches are in the same LRU, in close proximity, using the same connector and goes through the same wiring harness. No one was able to say whether it works purely by digital signaling, and goes through any common software, or if it is duplicated by purely direct signaling. There might be numerous failure modes of the cut-off switch design, it is obviously very, very robust and overall sound, since dual failures here have never happened, but this is alredy an outlier event.

Again, disclaimer that my direct knowledge of the 787 specifics is limited, standard Boeing design practice is that all engine wiring is segregated between engines (and were practical, between FADEC channels).
The fuel switches are located adjacent to each other; however all the wiring would be separate.

Engine isolation means just that. No common wire bundles, no common connectors. You can move the fuel levers at any time - there is no lockout of any kind with respect to thrust lever position (imagine dropping something into the lever linkage that jams the thrust lever at max power - then being unable to shut that engine down?)
Obviously, since the thrust levers are placed next to each other - the separation that's available in the center console is limited, but as soon as the wiring exits that constrained area, the separation increases. Furthermore, the same engine-to-engine wiring separation also applies to channel A/B FADEC channels, as well as the fuel switch/fire handle wiring.
All these requirements are documented in the Boeing DR&O (Design Requirements and Objectives) - and there is an audit done late in the design process to insure compliance.
In short, you're barking up a tree stump - there is nothing there.

If we are to take the TCMA patent at face value, the fuel cut-off switches are directly-acting, not some sort of signalling protocol.

That's a pretty big "if" but here's the patent drawing:

Searching the web, I found out that regulations concerning new FDR require parameter 35g "fuel cut-off lever position" to be recorded. I also found that for a 2003 event with a 757, this was recorded (as was fuel flow).

I expect that this is also true for the 787. Can anyone confirm this?

Have the spring loaded Fuel Shut Off Valves been examined by GE on both engines???

Why would spring loaded valves fail on both engines? The final valve in the GEnx Fuel Metering Unit (FMU) before the fuel flow meter and things like the fuel nozzles, is called the HPSOV and is spring loaded to closed, but fuel from the Fuel Metering Valve (FMV) can keep it open with minimal pressure (certainly enough presssure for engine start). Tank electric pumps and the engine-mounted, mechanically-driven two-stage pump supply fuel to the Fuel Metering Valve. During main tank pump failure, the engine mounted pump suction feeds the engine. There are altitude limitations during climb (according to the FCOM).

There are several ways that the HPSOV can close:
An EEC (engine ECU) can close the upstream Fuel Metering Valve (FMV) electronically, so the HPSOV will lose its opening pressure.
The HPSOV can be acted on by a Shutoff Solenoid Valve (which directs fuel pressure in an opposite manner to the pressure coming from the Fuel Metering Valve).

Unfortunately, the diagram I am using is truncated, and I can't see if the Shutoff Solenoid Valve is magnetically latched in its last commanded position like typical fuel shutoff valves. Nor can I see what controls it. I suspect things like the respective cockpit fire handle and fuel cutoff lever, but also EEC commands.

There is probably a copyright on the diagram, so I won't post it here. Perhaps someone can fill in the gaps for me?

As an electronics and software engineer who has read the AD and related materials on the 248 day bug my understanding is that:

1. The specific 248-day integer overflow was patched, and before the fix was rolled out, the AD required this system to by power cycled every 120 days to prevent overflow
2. The PCU software still has the functional requirement to be able to command all AC GCUs to enter failsafe mode, this means that while the initial bug was fixed, the ability for this particular software system to command the same result is still a functional part of the architecture - presumably for safety management of the AC system
3. This was not the first or last "software overflow error" issue in Boeing or even in the 787

Although I'm not qualified in aviation engineering I do believe from an engineering safety standpoint that this architecture creates a rare but entirely feasible scenario in which the aircraft would be without AC power for at least 30 seconds until the APU could restore it.

I do agree that the engine driven pumps should be able to provide fuel alone, the whole point of these pumps is to keep the plane flying within some limitations, high altitude is one of those limitations, I propose that there may be others based on the following:

• Some more knowledgable people here have proposed or countered vapour lock, fuel contamination and automatic fuel cut-off theories to various degrees - even if these are not enough on their own, loss of electrical during rotation at high temperature could combine with these in a way we have not yet considered
• Thrust is nonlinear, and while I'm not qualified to say how much loss of fuel flow or loss of thrust would be critical in this scenario we do know that it was a hot takeoff with significant weight and gear remaining down - I know others here have run sims but I don't think anyone has focused on specific thrust / fuel flow params
• While electric fuel pumps might not be physically necessary for takeoff, my final point is: why are they required for takeoff? Is it not to mitigate cavitation, fuel sloshing at rotation, or any other kind of problem that might be relevant here?