Posts about: "Fuel Cutoff Switches" [Posts: 802 Pages: 41]

Another hour spent sifting through the stuff since last night (my sympathies to the mods ). A few more comments:

"Real time engine monitoring" is typically not 'real time' - it's recorded and sent in periodic bursts. Very unlikely anything was sent from the event aircraft on this flight.

Commanded engine cutoff - the aisle stand fuel switch sends electrical signals to the spar valve and the "High Pressure Shutoff Valve" (HPSOV) in the Fuel Metering Unit, commanding them to open/close using aircraft power. The HPSOV is solenoid controlled, and near instantaneous. The solenoid is of a 'locking' type that needs to be powered both ways (for obvious reasons, you wouldn't want a loss of electrical power to shut down the engine). The fire handle does the same thing, via different electrical paths (i.e. separate wiring).

As I've noted previously, a complete loss of aircraft electrical power would not cause the engines to flameout (or even lose meaningful thrust) during takeoff. In the takeoff altitude envelope, 'suction feed' (I think Airbus calls it 'gravity feed') is more than sufficient to supply the engine driven fuel pumps. It's only when you get up to ~20k ft. that suction feed can become an issue - and this event happened near sea level.

Not matter what's happening on the aircraft side - pushing the thrust levers to the forward stop will give you (at least) rated takeoff power since the only thing required from the aircraft is fuel and thrust lever position (and the thrust lever position resolver is powered by the FADEC).

The TCMA logic is designed and scrubbed so as to be quite robust - flight test data of the engine response to throttle slams is reviewed to insure there is adequate margin between the TCMA limits and the actual engine responses to prevent improper TCMA activation. Again, never say never, but a whole lot would have had to go wrong in the TCMA logic for it to have activated on this flight.

Now, if I assume the speculation that the RAT deployed is correct, I keep coming up with two potential scenarios that could explain what's known regarding this accident:
1) TCMA activation shutdown the engines
or
2) The fuel cutoff switches were activated.
I literally can come up with no other plausible scenarios.

In all due respect to all the pilots on this forum, I really hope it wasn't TCMA. It wouldn't be the first time a mandated 'safety system' has caused an accident (it wouldn't just be Boeing and GE - TCMA was forced by the FAA and EASA to prevent a scenario that had never caused a fatal accident) - and there would be a lot embarrassing questions for all involved. But I personally know many of the people who created, validated, and certified the GEnx-1B TCMA logic - and can't imagine what they would be going through if they missed something (coincidentally, one of them was at my birthday party last weekend and inevitably we ended up talking about what we used to do at Boeing (he's also retired)). Worse, similar TCMA logic is on the GEnx-2B (747-8) - which I was personally responsible for certifying - as well as the GE90-115B and the 737 MAX Leap engine - the consequences of that logic causing this accident would be massive.

I hate to disappoint you, but the people (like me) who design, test, and certify aircraft are not idiots. We design for failures. Yes, on rare occasion, something gets missed (e.g. MCAS), but we know that aircraft power systems sometimes fail (or suffer short term interuptions) and we design for that. EVERY VALVE IN THE FUEL SYSTEM MUST BE POWERED TO CHANGE STATE!!!! If electrical power is lost, they just stay where they are. The engine fuel valve must be powered open, and it must be powered closed. Same with the spar valve. The pilot moves a switch, that provides electrical signals to the spar valve and the engine fuel valve to open or close. It's not complicated and has been in use for decades.
TCMA (not TCAM) - Thrust Control Malfunction Accommodation - is a FADEC based system. It's resident in the engine FADEC (aka EEC) - the ONLY inputs from the aircraft that go into the TCMA is air/ground (to enable) and thrust lever position (to determine if the engine is doing what it's being commanded to do. The FADEC has the ability to shutdown the engine via the N2 overspeed protection system - this is separate from the aircraft run/cutoff signal, although it uses the same HPSOV to effect the shutdown. That same system is used by TCMA to shutoff fuel if it determines the engine is 'running away'.

Hint, you might try going back a few pages and reading where all this has been posted previously.

Correct. That was the original purpose of the calculation. In addition to the sound itself having the measurable harmonic signature from other rat videos.
What this plot also does however is tell you the speed if you know the height or height if you know the speed.

The iphone used to film this were pictured somewhere, knowing the iphone model, and thus the characteristics of the camera, and the dimensions of the airplane it wouldn't be impossible to calculate height from the video imo.

Just throwing it out there if anyone sees the use and feels the call.

My personal amateur speculation still centers around the cut off switches.
I have spilled coffee and sweet tea over complex electro/mechanical switches/panels before(large format audio consoles with 8000 buttons) and seen unexpected things happen.

I am sure the switches are spectacularly well built, but they are in close proximity and thus prone to the same external factors.
Does anyone know if these two cut-off switches in such close proximity has the exact same installation, or they differentiated in some way that makes a freak failure mode in one not neccesarily affect the other the same way?

I don't believe I owe you anything, I believe this is done adequately previously and has already taken up enough time on this thread. I am of the opinion that we have shown the RAT being deployed satisfactory enough to be of use for speculation in this thread. I find repeated comments about the bad video being the only evidence a bit disrespectful, though. Even from a mere physicist. It is based on a spectrogram over time. The source file shows audio up to about 16 kHz, it is unknown whether this limitation is in the file format (ie. 32kHz sampling rate) or microphone. Doesn't matter much. The frequencies above 16kHz is not important in this context as it is not where the sound energy is anyway. The audio will have been lossy data compressed, but it does not affect these prominent properties of the audio. It does make me hesitant to draw conclusions from the parts of the spectrum with more broadband noise and several intersecting sounds. Noise floor suggests 16 bit sampling depth. Spectral resolution? N/A All samples are included. The spectrogram covers the entire frequency range recorded, It shows comparatively the same overtones of the fundamental expected from the technical specifications of the 2 bladed RAT running at it's intended RPM, the doppler characteristics fits completely with a reasonable range of passing speeds and distance to the passing source plotted out. Compareatively, All the harmonics are identical both in pitch and seperation to a recording of a known B787 landing with RAT deployed, while the Doppler fall shows a longer time frame in the landing video taken from a further distance. As expected. The overtones easily discernable in this recording falls in the 220-2700Hz range. Below that, there is other noise centered around 150Hz, which gradually fades towards the end of the recording. This, as far as I can find in available information, fits with an idling or even windmilling B787 engine, but this is not conclusive. This falls in a range of the spectrum where there are other noise sources and the signal/noise is low and of a broader band characteristic, these masking frequencies is where the lossy data compression might play tricks, so I do not weigh that heavily. Recordings of landing B787 without the RAT, shows none off the same characteristics, and completely lack the tonal components and exact overtones shown with the RAT deployed. More importantly, compared to videos of B787s taking off with normal take off thrust, the latter shows distinct tonal elements, but with very different overtones,, both in separation and composition, again possible to relate to known quantities of the rotational speed and elements of the engine at high power. The AI recording shows none of this.

The latest techniques let us separate such things as reverbration from the source, when superimposing the reverberation/ambience and background noise of the AI crash urban environment on the clean, dead open field recording of the known B787 w/rat, they do indeed sound exactly the same to this very skilled and experienced listener. Although this is not courtesy of the computer analysis. It is just another angle of confirmation.

All in all, i think this source audio is excellent. The source is an iphone, their mems based microphones, although noisy shows great spectral balance and is comparable to basic measurement microphones of professional application. There is plenty of information to analyse from in this sample.

And again, I can't see it in the video either, and until I put on some really expensive headphones and fired up the software I was of a different opinion. I bowed to the science.

Edit: I took an extra look, I am prepared to say the fall off at slightly above 16kHz is from the original recording, this is probably a limitation in the microphone, as it is not a hard cut-off before a 16kHz Nyquist frequency as it would be with a 32kHz sampling rate, there is dither noise from 16-20kHz fitting with the source being 16 bit.

On item 1, the TCMA issue should have been fixed, it does fit the sort of issue that occurred here. TDRACER can talk to that, and has done in 2019 and again in post 792. As to flap auto retraction, the B787 like all Boeings has a gated flap lever, and the flaps are only able to move independent of the lever by flap load relief. That would not have caused a loss of thrust, and in this case it is evident that the event is a thrust loss not a CL loss.

On item 2, the video shows no asymmetry at any time, so there is only a symmetric failure of the engines possible. Back on a B747 classic, you could chop all 4 engines at the same time with one hand, on a B737, also, not so much on a B777 or B787. I would doubt that anyone used two hands to cut the fuel at screen height. Note, there was a B744 that lost one engine in cruise when a clip board fell off the coaming. Didn't happen twice, and it only happened to one engine.


​​​​​
Neila83 is correct, the gear tilt pre retraction is rear wheels low, and at the commencement of the selection of the retraction cycle (generally), the first thing that happens is the inboard MLG doors start to open below the wheel well and then the bogie is driven to front wheels low. (There is also an option that the inboard gear doors start to open early as a result of WOW sensing to improve the SSL climb limit). [my bad, for the B788 Capt Bloggs informs us the gear door sequence is after the tilt, not before, the B789 has the before tilt, the option for the door open at rotate is separate]

The inboard doors do not appear to have opened in this case, yet, the gear is forward wheels down. This appears to be out of sequence. TD may have better knowledge on the options that exist with the B788, but this is not looking good at this time.

There is enough in the way of anomalies here to end up with regulatory action, and airlines themselves should/will be starting to pore over their systems and decide if they are comfortable with the airworthiness of the aircraft at this moment. A latent single point of failure is not a comfortable place to be. Inhibiting TCMA might be a good interim option, that system could have been negated by having the ATR ARM switches....(Both)... ARM deferred to the before takeoff checks. The EAFR recovery should result in action within the next 24-48 hours. Boeing needs to be getting their tiger teams warmed up, they can ill afford to have a latent system fault discovered that is not immediately responded to, and the general corporate response of "blame the pilots" is not likely to win any future orders.

I think we are about to have some really busy days for the OEM.


Not sure that Neila83 is that far off the mark at all.

I agree with your analysis about RAT. The source is usable, although far from the original quality.

The cut-off at 16 kHz is typically caused by lossy audio compressions (AAC), not the microphone. In this case, the audio was compressed two times (first the iPhone, then the Twitter). A microphone does not simply cut all frequencies above the certain point.

Also, this audio content is Mono (the same signal on both channels) - an additional loss of information, if the original recording was Stereo.

I was not aware that we have granular ADS-B data from the a/c itself showing airspeed post rotation (rather than speed interpolated from GPS). Apologies if I have missed it. If it does show acceleration after takeoff I tend to agree with you.

In no particular order, here are some more thoughts on TCMA having caught up on the thread:

If you cut the fuel from two big engines at take-off power, there must be some delay before n2 decays below the threshold for generation (below idle n2), the generators disconnect and RAT deploys. GEnx have relatively long spool up/down times as the fan is so large (and would be exposed to 170+kts of ram air). Perhaps someone has a view on how long this would be, but I imagine it could easily be 10s or more between fuel cut off and RAT deployment. On AI171 the RAT appears to be already deployed at the beginning of the bystander video. That starts c. 13s before impact and around 17s after rotation. This does not prove anything except that the supposed shut down must have happened very close to rotation and could have happened just before rotation while the a/c was on the ground.

As a thought experiment, imagine if ANA985 in 2019 had decided to go around. The a/c rotates and is ~50 ft above the runway, suddenly both engines spooling down, very little runway left to land on and no reverse thrust available. I am struck by how similar this scenario is to AI171. This theory would require there to have been unexpected thrust lever movement in the moments before rotation - but plausibly one pilot moving to reject, followed by an overrule or change of heart - or even a simple human error such as the recent BA incident at LGW - could achieve this. This is perhaps more likely that any sensor fault that you would expect to only impact a single engine given the redundancy of systems.

Tdracer writes that a key requirement of TCMA is to identify an engine runaway in the event of an RTO, in order to allow the a/c to stop on the runway. This will have been tested extensively - it is a big leap to imagine a false activation could be triggered. It did happen on ANA985 but through a very unusual set of inputs including application of reverse (albeit this latter point may not be relevant if TCMA logic does not distinguish between the reverser being deployed or not).

Incidentally there is an assumption the TCMA software version in place on the ANA flight had already been patched and fixed on AI171. That probably is the case but I am not sure it is a known fact.

In summary I remain baffled by this tragic accident. I have not yet read anything that explicitly rules out TCMA activation and it remains a possibility due to the vanishingly small number of factors that could shut down two engines at apparently the exact same moment when they have fully redundant systems. Fuel contamination, for example, has typically impacted each engine a few minutes (at least) apart. I am also cautious (as others have pointed out) of a form of confirmation bias about Boeing software systems with four-letter acronyms.

In my mind the cause could equally well be something completely different to anything suggested on this thread, that will only become clear with more evidence. All of the above also incorporates a number of theories, i.e. that there was an engine shutdown - that are not conclusively known.

Thank you to the mods for an excellent job.

If you read the thread, you would know:

The RAT was almost certainly deployed. 4 different sources.
The Flaps were not retracted. Visible at the accident site plus many other sources agreeing they were indeed down.
APU will autostart when all engine power is lost. Potentially explaining why the inlet door was open or partially open at the accident site. Mentioned in several previous posts
On a 787-8, the main bogies tilt as the 1st action of the gear retract sequence. As stated in previous posts. I don't think this happens unless gear is selected up. So the conclusion was, gear was selected up. One caveat, IIRC, there was some discussion around a failure could have caused the bogies to tilt without Gear up being selected but I don't recall the outcome.
As for the Air France remark, un-necessary IMHO. Let's respect the crews please.

Something that occurred to me after I went to bed last night: My assumption that the FDR readouts would rapidly reveal the cause may be flawed.

Let me explain.

The consensus is that both engines quit shortly after liftoff (that assumes that the RAT did in fact deploy). At least one of the data recorders has battery backup, so it should have kept functioning when all aircraft power was lost.

However...

Over the years, I've looked at lots and lots of digital flight data recorder outputs when investigating some sort of incident or other engine anomaly, So I have become rather familiar with some of the interesting characteristics of DFDR data.

On the 767 and 747-400, when you shutdown an engine and the IDG goes offline, there is a momentary 'glitch' in the electrical power system as it reconfigures for the available power source - this is why you see the flight deck displays flicker and return, and the cabin lights momentarily flicker. As a result, most of the avionics boxes 'reset' - this is quick, but it's not instantaneous. This shows up in the FDR data - sometimes as 'no valid data' for a few seconds, or as garbage readings of zero or 'full scale'. Now, looking at the FDR data, it's easy to simply disregard the data, so normally no big deal.

Starting with the 777 (and on the 787 and 747-8), this electrical power glitch was 'fixed' - there is slight delay (~quarter of a second IIRC) before the fuel cutoff signal is sent to the engine - during which the electrical system reconfiguration takes place so no more 'glitch' during a normal engine shutdown...Except whatever happened to these engines wasn't 'normal'.

If there is a fuel cut at high power, the engine spools down incredibly rapidly - a second or two from max power to sub-idle. Assuming the fuel cut wasn't commanded by the flight deck fuel switches, the electrical system won't know it's coming, so it can't reconfigure until after the engine generators drop offline - and you're going to get that power glitch. Nearly every avionics box on the aircraft will reset due to this electrical glitch, and the FDR isn't going to get useful data for a few seconds (and then, only from the stuff that's on the battery bus).

Whatever happened, happened quickly - it's quite possible that whatever initiated the high-power fuel cut didn't get recorded.

True, I would bet that the voltage regulating architecture of the voice recorder at least will give useful information for a short time around the loss of power, as it did for the Lockerbie CVR using far less sophisticated recorder systems. That was sufficient to show the pressure pulse in the fuselage and to give a fairly good idea of where the explosion had emanated from. TWA was similar, a bigger bang though. Would be listening for any mechanical noises related to the fuel switches, and frankly I doubt that they existed, but they would be recorded.

If the cause is what I have suggested it will dificult to get direct evidence of that case, as it was for the QFA072 event as well. Like icing cases, a water ingress into the avionics is going to be a tough investigation, water would have been sprayed all over the wreckage in the aftermath. Dousing the E/E bay with 20 or 30 gallons of water will be an expensive investigative exercise to do in a real plane, with engines running. Would not want to be observing up close.

I preface this post by acknowledging all the previous posts in this, and the now-closed thread, about the TCMA, in particular the excellent posts by tdracer. (Ditto the noise analyses by Kraftstoffvondesibel and First Principal.)

I also note that the primary source of the information on which I’m basing my post is the content of Boeing’s patent application which, of course, does not contain any of the actual wiring diagrams or modification details of the TCMA, even assuming it has been implemented. (I understand from the now-closed thread, that there is an unresolved question as to whether a petition for an exemption from the TCMA requirement had been successful.)

The point of my post is to get other’s thoughts on one of the design principles of the TCMA system proposed in the patent application.

The ostensibly simple and elegant concept is described in the schematic of the system at figure 1 of the patent application. A copy of figure 1 is below.

The TCMA is the part of the schematic inside the dotted box numbered 16 , sitting with the EEC (others would call it the FADEC) in the solid box numbered 18 .

The heart of the TCMA comprises two switch relays, numbered 22 and 28 in the schematic, wired in series. Each of those switch relays is controlled by its own, dedicated engine control malfunction software, identified as the blobs numbered 130 . (The patent application identifies component 34 as a dedicated processor and 32 as the diode connected to the switch relays, but that is evidently a mistake. Component 34 is the diode and I can’t find a component number 32 anywhere in the schematics.)

Each relay switch and its controlling software is described as a ‘channel’, one A and one B. Both channels run continuously, monitoring throttle position (36 in the schematic) versus engine data fed from ARINC data bus lines (46 in the schematic) and “dedicated input sensors” not shown in the schematic. Those sensors presumably detect things like weight on wheels and perhaps RADALT.

This design is said to achieve redundancy, because if only one ‘channel’ detects the engine is producing excessive thrust while the throttle is set to idle, that channel will set its switch relay to CUTOFF and that is enough to change the state of the high pressure fuel shut off valve (58 in the schematic). No more motion lotion. In the words of the patent application: Both channels are “always actively monitoring engine function and independently have the capability of shutting down the engine.”

That arrangement wrinkled my crusty old avtech brow. In my mind – and this is why I’m seeking other’s thoughts – the advantage of redundancy arising from the two channels, either or both of which can shut the engine down, is not without risk. If it is possible for one of the channels to have some ‘glitch’ or hardware failure such that it does not detect an actual out of envelope condition justifying immediate shut down, with the other channel detecting the condition and shutting the engine down, it inexorably follows – does it not – that it is possible for one (or both) of the channels to have a ‘glitch’ or hardware failure that results in a shut down when there is no out of envelope condition?

Further, even if there are completely separate, duplicated sensors telling each channel things like the position of the throttle and whether or not there is weight on wheels, there remains the possibility of a combination of sensor failures/disconnects resulting in one channel being ‘convinced’ that an out of envelope condition exists, with a consequential cutoff of fuel to the engine.

I of course acknowledge the valid observations made about the remote probabilities of these kinds of glitches and failures.

I’ve heard rumours that there was much resistance to the mandating of TCMA systems. Having seen many, many strange faults caused by random shorts, open circuits, liquid ingress and other foreign objects, I can understand why there was that resistance. Every time you add something to a system and that added thing has electronic components and software and electrical connections and data inputs, you add risk of that thing malfunctioning or working perfectly but with erroneous inputs. In this case, there are effectively two added new things: two channels, each one of which has the ability to shut off the motion lotion to the engine to which they are strapped.

I make no comment on whether TCMA systems, if fitted, have anything to do with this tragedy.

My profound condolences to the families and friends of those killed or injured. My thoughts also go out to the many people who will be agonising over the potential causes and responsibility for it. And thanks to those who are working out the causes.

...

Thanks as always TDR for your excellent professional input. It is therefore so much more perplexing that even you cant logic our way out of this impasse. That is, the assumption that the aircraft experienced a double engine failure (supported by a reasonably convincing argument that the RAT deployed), and yet no plausible reason (that we can see) for such an event. So some then collectively slip into the tired and lazy theories of intentional or unintentional crew actions that 1. beggar belief (intentional), 2. defy physics (flaps instead of gear despite clear evidence to the contrary) and call into question the professionalism of a very experienced Captain and crew as well as the aircraft manufacturer (because...well its Boeing so it must be software ).

Yet, the answer must be simpler and staring us in the face since logic and experience (everything you have offered TDR), tell us that modern airliner engines generally do not just suddenly quit flying at the same time. In this regard we can recall several instances of double engine failure associated with bird strikes generally involving large birds or large flocks or both. But it seems we have discounted this theory very early in discussion. Why? Because we cant see any birds, or flocks of birds or engine flames/surges or puffs of smokes from the engines which would support this. Really?

I have read all the 100's of posts (sadly) and while some very early posters tried to analyze the imagery, I suspect the very poor quality eventually discouraged most from seeing anything of interest. However, smattered throughout this discussion from the beginning to the end there have about four posts that describe seeing something where others have not. At least two of these were related to possible smoke but which were probably just the dust blown outwards by the wingtip vortices. Two others however have mentioned possible flames and puffs of smoke.

The video of course is very poor. There should be a special place in hell for people who subject us to looking at a video with continuous zooming in and out, inability to retain focus on the subject (it was just a CCTV monitor, not the actual aircraft they had to focus on) and constant camera shake. A video of a video, and then the resolution probably reduced for social media upload. This all results in a very unwatchable record of the aircrafts departure. The only immediate information gleaned seems to be some idea of how far down the runway the aircraft was at takeoff and the parabolic curve as it very clearly described the aircrafts flight path.




Air India Flight 171 on departure
But take a look at this frame. The right engine shows an artifact (pixelation if you like) that might represent a surge flame. I can almost see a puff of smoke just inboard of the aileron that may be associated with that too.

Am I just seeing distortion? Am I just seeing some smoke because that's where I would expect to see it?
We are all very used to seeing everything in 4K today but back in the day when everything was low res we used to join the dots. If pixels existed then something was there. If they didn't, it wasn't.
So if it's just pixels caused by distortion then they have coincidentally appeared in the tailpipe of an aircraft that crashed shortly after takeoff with a presumed double engine failure.

But surely we would see the birds? Well, not in this video. You cant even see the registration number on the side of the aircraft and that is much bigger than a bird. Haze, distortion, focus and low res, and each individual bird wouldn't even make up a pixel.

So make of this what you will, but this problem may have started on the ground. Birds strikes are very common according to Some AI pilots who interviewed for this following article but I have no idea of the authenticity of this report:

https://www.rediff.com/news/report/a...h/20250613.htm "The Air India pilots also added that Ahmedabad airport has long been known for bird activity near the runway, which could have contributed to the incident.

"This issue (of the excessive presence of birds) has been flagged multiple times," a third Air India pilot said, asking not to be named."
Of course, a single engine failure would not have brought this aircraft down, nor would it have deployed the RAT, but we can't see what happened on the left engine when the aircraft slipped behind the radio antenna building.

While these high bypass engines are designed and certified to keep running after experiencing certain types of bird strike, the effect on two engines concerns have been voiced about the contribution of certification to the mitigation of the risk hazardous bird strike in the two engine case.

This from Sky Library:
https://skybrary.aero/articles/aircr...nue%20to%20fly .

" A number of concerns have been quite widely voiced about the contribution of certification to the mitigation of the risk of hazardous bird strikes:

• The case of bird ingestion into more than one engine at the same time is not addressed directly and it is clearly extremely difficult to meaningfully estimate the probability of such an occurrence. However, it has been observed that, since some of the current standards only require that a damaged engine can be safely shut down, this circumstance should be more fully considered when determining the acceptable outcome of ingestion into single engines, especially for the twin engine case.
• It has been noted that the potential effects of bird strikes on modern electronic flight control systems and flight deck instrument displays have not yet been fully assessed.

Maybe someone can do some video enhancing of this image as others have done with the audio enhancement to give strong probability of RAT deployment.

If my suggestion can be corroborated at all, then the question of what happened next becomes somewhat easier to answer. Perhaps neither engine stopped running but they did so with limited thrust? If anything from the pilots mayday call can believed, it wasn't engines shut down..it was no thrust. So why did the RAT deploy? Cant answer that. And, I cant imagine it would be manually deployed if both engines were still running.
However, TDR did say.

"On the 767 and 747-400, when you shutdown an engine and the IDG goes offline, there is a momentary 'glitch' in the electrical power system as it reconfigures for the available power source - this is why you see the flight deck displays flicker and return, and the cabin lights momentarily flicker."

Startle factor that electrically systems were about to fail? Manually deploy RAT?

Edit: I might add, they would have found remains on the runway if this did indeed happen. But we have heard anything from anybody?

Pretty much what I was thinking. Maybe someone turned off the fuel switches, or a rare software glitch. Guys I have been working with have suggested fuel contamination which I have thought unlikely. Or maybe a structural failure upon wing loading that caused fuel lines to rupture.

Hopefully the route cause will be found, and I would not be surprised one bit if it is something totally left field that no one had considered, simple or complex.

There is at least one thing common to the TCMA on each engine: The TCMA software.

My recollection may be inaccurate, but wasn't there something in the software for 787 generator control units that would cause generator shut down if the aircraft was 'powered up' for a continuous 248 days? Same software, so all 4 generators would shut down. Is my recollection inaccurate?

What we do know, for sure, is that the TCMAs have the same 'authority' and effect as the fuel cut-off switches. The difference is that the crew control the latter.

Thank you for confirming.

This is not only happening to the FDR but to any reciever on the data busses. And likely not only when the engine spools down and power supply switches but also when power busses come offline and bus bar breakers activate or in any severe fault in the electrical system involving large currents, possibly arching shorts.
Hence my comments on SISO and input filtering and verification in the closed thread.

I'm pretty sure the software is written independently. Same as Airbus, you don't want the same software error on duplicate critical systems.

So, also as an outsider when it comes to cockpit engineering, there is one commmon "system" in the sense of the very close physical location, the two engine systems have in common, and that is the physical cut off switches and their behind the panel connections.

It wouldn't take a kids pool of liquid to intefere with those?
(I asked this question previuously, in the middle of a long text, but the discussion had a very different direction then.)

What are possible ways of a common failure/triggering of these contact points somewhere in their physical installation in the cockpit?
Remember when the A350 had to be modified only 5 years ago to not allow coffee spill to turn off engines.
What about the same location in the B787?
What are the actual switches? Are they purely traditional electromechanical contact switches? How do they make contact, ie. what are the actual gaps and dimensions? Are they digital in some sense? How are they protected? Are both installed the exact same way, or are they installed with different physical screening/protection/orientation as so to make the failure modes different? How are they physically kept apart, isolated from each other to avoid interaction and/or common failure. What is the physical distance involved there? What about the cables and connectors to them? separate or bundled in the same wiring harness? Or even in Mil or D-sub connectors? I find one description of them as a common(both in one box) line replaceable unit with quick connects. Both of them in the same unit with a common connector? Sounds wild if so!
Just had to ask, and hope it doesn't disturb the great discussion too much.

Many years ago I maintained a Hawker 1000 business jet equipped with PW305 engines with FADEC. The fuel control did not have a separate switch to control fuel flow to shut down the engines. Shutdown was accomplished by pressing a release on the power levers allowing the lever to be pulled past the idle stop all the way to the cutoff position.

One day upon returning from a flight, the crew pulled both power levers to cutoff. The right engine shutdown immediately as expected, but the left engine kept running. By the time we in maintenance got out to the airplane, the engine finally shutdown by itself.

Troubleshooting found the cause of the problem. The cutoff position of the power lever closed a micro switch that sent a ground to the FADEC. That ground went through two discrete wires. One went directly to one input on the FADEC. The other went through a squat switch on the main gear leg to a second input on the FADEC. The engine would only shutdown immediately if both inputs went to ground simultaneously. If only one input went to ground, the FADEC would delay shutdown for 30 seconds. This was to protect against an inadvertent movement of the power lever to the cutoff position in flight causing an immediate shutdown.

The squat switch on the left gear leg had failed in the open position, causing the problem.

I am wondering if more modern FADEC engines have similar protections against immediate shutdown in the air? I can see why the designers of the Hawker implemented the system the way they did, because the shutdown command was integral to the power lever, and it potentially could be pulled to the cutoff position in flight by an inadvertent release of the locking mechanism that would normally prevent it from going past the idle stop, whereas modern FADEC engines like found on the 787 have a discrete locking switch.

But, if a similar protection against immediate shutdown does exist in the 787, would the engines keep running for a period of time (in the air) even if the fuel control switch was accidentally or deliberately moved to \x93off\x94?

Given the number of times I reviewed DFDR data supplied by an operator after some sort of event/incident, I think most major operators have access to the equipment needed to download a healthy data recorder. So I'd be a bit surprised if Air India does not have this capability. OldnGrounded has also posted that the Indian AAIB also has that ability.

Usually when I hear of data recorders going back to the US NTSB or the recorder manufacturer, it's because the crash damage is such that specialized equipment is needed to download the data. The recorder in the tail would likely have little damage.
While the AAIB may have held off on downloading the recorders until all the major players are present, it's been several days - I'd expect everyone who matters is already there. So I think it is reasonable to believe that the investigators have done a download and have had at least a preliminary look at the data. If there is a smoking gun, they probably already know (and the longer we don't hear something regarding the rest of the 787 fleet, or at least the GEnx powered fleet, the less likely it is that they suspect a systemic problem with the aircraft and/or engine). However the proviso that I posted earlier about potential data loss/corruption due to a sudden shutdown still applies - so maybe the data simply isn't on the recorder.

As has already been posted, EMI is highly unlikely - the current cert requirements for HIRF are quite high, and due to the composite airframe construction of the 787, the lighting requirements are much higher than for conventional aluminum aircraft (the higher resistance of the composite airframe results is higher lightning induced currents).

FDR has suggested a large slug of water hitting critical aircraft electronics at rotation - it is possible that resultant electrical short circuits could falsely signal the engines that the switches are in cutoff. Highly unlikely that it would do that to both engines, but possible.
Then again, all the other plausible explanations are highly unlikely, so...

BTW, I do have a life outside PPRuNe - and I'm going to be traveling the next several days, with limited to non-existent internet access. So don't be surprised if I'm not responding posts or PMs.

Spot on, there's so much fuel being sucked at that power setting, it would be super quick and presumably at near enough to the exact same time.

I assume (rightly so) that you're focused on what could cause them to fail at what appears to be the exact same time given the absence of yaw and any correcting rudder input.

One the face of it, it could only be throttle or fuel supply, with fuel supply only being able to be cut off by valves so abruptly. Any kind of blockage or similar wouldn't give such a result, even if there was a low fuel condition, short of the pickups being exactly right next to each other, presumably that wouldn't give the outcome we've seen.