Posts about: "Fuel Cutoff Switches" [Posts: 802 Pages: 41]

I don't have any direct knowledge, but yes, that's my understanding based primarily on tdracer's comments. It also just makes sense. I'm pretty confident that all the necessary hardware already existed because of the need for N2 overspeed protection. A failure in one FADEC channel could drive the FMV fully open, leading to an overspeed and uncontained engine failure. For regulatory purposes, it would be unacceptable to have a single point of failure with catastrophic consequences, so it would be necessary to make the inactive FADEC channel capable of cutting off fuel in that case.

The air/ground signal would've already been present as well. It would be needed for switching between ground idle, flight idle, and approach idle. Tdracer has discussed that as well, in past threads.

Yes. I simplified. The point stands that the throttle needs to be pulled back, as it was in the ANA event, because that was a landing and not a take-off.

First, you posted a good summary. I'd have added "unanticipated hardware fault" and "unanticipated software fault" as generic causes.

Note that the thrust lever actuators are wired to the FADECs, and that the TCMA gets the T/L position from that. For TCMA to trigger, it has to determine that its FADEC (on that engine) failed to achieve a commanded reduction in thrust. So we're either looking at a weird, unprecedented edge case, or a FADEC failure, or both.

It has been mentioned before that this capability existed as part of the N2 overspeed protection: the FADEC would shut down a runaway engine by cutting its fuel before it disintegrates.
The thrust lever sensors are wired directly to the FADEC (and hence the TCMA). No data bus is involved with this item.

With a MCAS crash, it required a hardware problem with an AOA sensor, used as input to a correctly working MCAS, to cause the aircraft to behave erratically. With a correctly working TCMA, I believe it'd require two hardware problems to get TCMA to shut down the engine, as there'd have to be an implausible thrust lever reading, and a FADEC/engine failure to process it within the TCMA allowed range ("contour"?). On both engines, separately and simultaneously.

That leaves a software problem; it's not hard to imagine. The issue is, at this point it's just that: imagination. I could detail a possible software failure chain, but without examining the actual code, it's impossible to verify. We simply don't have the evidence.
I could just as well imagine a microwave gun frying the electronics on both engines. An escaped hamster under the floor peeing on important contacts. A timed device installed by a psychopathic mechanic. There's no evidence for that, either.

This process is a way to psychologically cope with the unexplained accident, but because it lacks evidence, it's not likely to identify the actual cause. We've run the evidence down to "most likely both engines failed or shut off close to rotation, and the cause for that is inside the aircraft". Since the take-off looked normal until that failure, we have no clues as to the cause hidden inside the aircraft. We need to rely on the official investigation to discover and analyse sufficient evidence. The post-crash fire is going to make that difficult.

"Both engines failed or shut off close to rotation" explains all of the evidence : it explains an unremarkable take-off roll, loss of lift, absence of pronounced yaw, loss of electrical power, loss of the ADS-B transponder, RAT deployment, the noise of the RAT banging into place and revving up, emergency signs lighting up, a possible mayday call reporting loss of thrust/power/lift, and a physically plausible glide from a little over 200 ft AAL to the crash site 50 feet (?) below aerodrome elevation .
It explains what we saw on the videos, what the witness reported, where the aircraft ended up, and the ensuing sudden catastrophe.

I don't believe we have evidence for anything else right now—I'd be happily corrected on that.

-----
Edit: the evidence of the crash photo with the open APU inlet door, and the main gear bogeys tilted forward, are also explained by the dual engine failure/shut off.

Engineer not a pilot. Experience in analog front ends, A2D and R2D conversion and embedded systems generally but no specific knowledge of the 787 or GEnx.

I like everyone else have no evidence that TMCA played a role but given that it is one of the few systems with the ability to cut fuel to the engines, here are some thoughts on how signal processing could have extended the window of when TMCA could bite. In particular, I'm looking at the time immediately after the nose lifts up when something may have physically shifted onboard.
I'll phrase it as a number of questions but realise that the few people who can answer may not be able to for now.

Thanks to tdracer's explanation on TMCA (albeit 747 not 787), we know that TMCA is a logic block within the FADEC whose only external inputs are a logic signal fron the aircraft that indicates whether it is on the ground or not and throttle position as determined by two independent resolvers per throttle side.

The logic would seem to be something of the form
If (G AND (N2>A OR N2>B)) Then CutOffFuel()
where G is true when the aircraft is on the ground,
A is an envelope defined by throttle resolver channel A and
B is an envelope defined by throttle resolver channel B

Q1: Am I correct in that assumption that when on the ground, overspeed with respect to EITHER resolver A OR resolver B can trigger TMCA?

We have been told that the logic (ie true or false) signal G is determined from the Weight-on-wheels sensors and the RadALT. It is reasonable to suppose that the designers still wanted TMCA to function after a hard landing where some landing gear components had failed.

Q2: When the nosewheel lifts off but the MLG is still on the ground and RadALT is close to ground, will G still be true?

Next, it is common when data fusing multiple inputs that there is a desire to clean up a signal before it is sampled digitally. This can remove effects such as switch bounce. The inclusion of low pass filters or hysteresis will generally add a propogation delay.

Q3: Is there a slow filter (Tc>=1s) in the ground/air logic which could have caused a slight delay before G became false after takeoff further extending the opportunity of TMCA to activate?

Q4: Does TMCA act almost instantly or does it wait for the fault condition to stay asserted for a period of time before acting?

At that point, the total energy of the system would have comprised of the kinetic energy of the aircraft travelling at Vr, the rotational inertia of the engines and the potential energy of whatever fuel is beyond the cutoff valves.

Q5: Would this total energy have been sufficient to get the aircraft 100ft into the air?

It would still need a mechanism for at least one throttle input to each FADEC to misbehave at the same time. Resolvers are fed with an excitation signal to the rotor and take back two orthogonal signals (Cos and Sin) from stator windings. Usually, the excitation comes directly from the resolver-to-digital (R2D) circuit but sometimes an external signal source is used. I would hope that in an aircraft system, each channel would be kept independent of everything else.

Q6: Does the excitation signal for the 4 throttle resolvers (2 per side) come from 4 independent (internal) sources?

My last thought for a single point of failure between both throttles would be a short between two wires or connection points carrying resolver signals, one from each side. Whether this could be caused by swarf wearing within a wiring loom, a foreign object moving about, crushed wires or even stretching of adjacent wires, I have absolutely no idea.

Q7: Do resolver signals from left or right, either channel A or B, run next to each other in a loom at any point?

Assume an object travels at 200 knots and its speed decays to 120 knots (100m/s to 60m/s). The kinetic energy lost thereby suffices to elevate that object by ~1000 ft. (320m) in a vacuum, i.e. disregarding drag. In other words, if 75% of the kinetic energy was lost through air resistance (drag), the aircraft could still climb more than 200 feet.

Ahah! Logic raises the questions.

What happens when the 2 disparate processes that form TCMA disagree?

Let me try to answer the questions about which I have some knowledge, as an aerospace engineer:
(I am not sufficiently informed to answer Q4,6 and 7, at the moment)

Yes, overspeed on either resolver channel A or B alone will trip the TMCA fuel-cut logic


G is a single Boolean that FADEC derives from Weight-On-Wheels (MLG and NW) and radio-altimeter. Iit stays \x93ground\x94 until all WOW sensors go inactive (i.e. every wheel is off the runway) and the RadALT exceeds its airborne threshold.


That's very unlikely. Ground/air logic uses small hysteresis (tens to a few hundred ms), but not in the multi-second range



Let's do the math very quickly:
Kinetic energy with a weight of 200,000kg, at Vr = 150kn = 77m/s: E_kin = 600MJ
Rotational energy of a GEnX engine is hard to calculate as I don't find reliable values for the rotary inertia. I found some for a GE90 and could roughly estimate 100MJ of rotational energy for each engine. However, I seriously doubt that this energy could be effectively used to gain thrust, as the thrust will drop very quicjkly after the fuel is cut off.
the required potential energy for a 100ft climb of a 200,000kg 787 is around 70MJ.

This ignores aerodynamic drag, still, 100 ft of climb remains energetically feasible.
However, it as been pointed out several times that the actual climb was higher than 100ft. Already for 200ft I would doubt the validity of my statement above.

I'd agree, without expert knowledge there would have to be big assumptions, but I expect that Aircraft Flight Engineers could do it. Probably already have.

Sure, actual data is usually more accurate than eyeballed stuff. But not always. In fact, it's often the eye that determines that something measured or calculated is "Off". How accurate is ADS-B data? I've seen FR24 tracks go way off course then suddenly get corrected / interpolated, frequently. The erroneous data seems to be "removed" by their algorithm, but where are the errors arising? Why this inaccuracy, and therefore, how accurate are the datagrams referred to? I know there were no datagrams received during the backtrack that I accept actually occurred, but that's completely different from receiving erroneous ADS-B data.

Sure, the CCTV footage I've seen is very poor, a video, moved about and zoomed, of the CCTV screen. Not easy to judge, but still useful and could be analysed frame-by-frame to compensate for all the extraneous input. Anyway, it's obvious to me that the rate of climb dropped abruptly just before the flight attained its apex, as if thrust was suddenly cut off. Knowing the momentum to altitude conversion, it might be possible to estimate whether that's true or not. The evident RAT deployment supports engine shutdown, not just engines to Idle, doesn't it? In that case, it would be useful to know at what altitude the engine shutdown took place.

Okay, didn't know that, I guess suggests means it's uncertain? Can you tell me from what height to what height it suggests this?

And why all the wrong figures for the height attained, quoted in previous thread? Can't all be the atmospheric conditions.

Haha! Even a stone (the right shape) can do that, and I'm not disputing that kinetic energy can be converted to altitude. Wings are useful for that... Just curious to get an idea of how much in this case.

To be honest, i believe that taking a lot of the evidence into consideration, it is possible to arrive at a limited number of scenarios for what is most likely to have happened.

One fact that alters things substantially is whether the survivor's impression is correct that possibly the engines started to spool up again just before impact. If that's the case then what does that do to the possibility or otherwise that the TMCA system caused a dual engine shutdown?

To me, since the world seems to be watching this forum, and we are getting no feedback from the authorities, what is posted here might be useful in helping the investigators look at things they might not have considered. Besides, as Icarus2001 has kindof suggested, it's probably a very good thing that there are clearly lots of keen eyes on this.

Thank you for your reply! There's a lot we agree on; unfortunately, I'll be cutting that from my response here.
Right. ADS-B is transmitted via radio, so reception can be patchy, or obstructed by someone else transmitting on the same frequency (e.g. other aircraft), so not every datagram that the aircraft sends gets received. When that happens, the live display of FR24 assumes the aircraft kept doing what it did, and when another datagram eventually comes in, it corrects the position. It also connects the locations of these datagrams, regardless of whether the aircraft actually went there. For example, in the AI171 there's a 4-minute gap between a datagram sent on the taxiway, and the next datagram sent when the aircraft was off the ground towards the departure end of the taxiway. FR24 then connected these points via the shortest route; but we know that the aircraft actually used the intervening 4 minutes to taxi to the approach end of the runway, where it then started its take-off run. So that was false. (Another source of errors is when different FR24 receivers don't have synchronised clocks, so a mixture of data from these can have weird artifacts as a result.)
However, the datagrams that FR24 actually received were correct. They contain the GPS position of AI171 and its unadjusted barometric altitude, as determined by its onboard instruments. This data is as reliable as the instruments themselves are. (An example here is that the NTSB wasn't sure that the altimeter on the Blackhawk that crashed at Washington-Reagan was accurate; if that is the case, the ADS-B data would also be affected.)

On their blog post at https://www.flightradar24.com/blog/f...rom-ahmedabad/ , FR24 have published the data that they actually received.

Have you ever seen a parabolic trajectory from "the short end"?
Yes.

It's uncertain because the 787 rounds all altitudes it sends to the nearest multiple of 25. The altitudes sent were from 575 ft to 625 ft., but that's MSL and not adjusted for the weather: low air pressure makes that number higher than the actual altitude. FR24 adjusted this to 21ft climbing to 71 ft, but it could've been 30 to 60 or maybe 10 to 80, as it's rounded. I think it's fairly close to 50 feet of climb, though.

1) people taking the MSL altitude literally (625 ft)
2) people adjusting for airport elevation (189 ft), but not for pressure: 437 ft
3) people adjusting for pressure, some adjusting for temperature, get 71 to ~100 feet for the last recorded altitude.
But while ADS-B reception was lost then (or the transmitter lost power), the aircraft continued climbing; examine the cctv video, knowing the wingspan is ~200 feet, we see that the aircraft reached 200 feet but not much more.

The survivor likened the sound to a car engine revving up. If you've listened to a good version of the phone video, you'll have noticed the "vroom" sound at the start that some likened to a motorcycle. That sound is the RAT in action, and you can imagine what that would sound like when it rapidly spins up: like a driver stepping on the throttle with their car engine in neutral. The RAT deploying is a consequence of a dual engine shutdown. It says nothing about whether the TMCA was involved.

[Now I just hope your post is still there as I post this. ]

Hi

This got me thinking, looking at the engine mounted shutoff valve (HPSOV) in ATA 76, I see that its operated by three sources

• FADEC, as discussed in a number of posts above
• RUN / CUTOFF switch
• engine fire control panel

I have a hard time believing the pilots would have touched the engine fire controls under such conditions (obviously they are highly trained for engine failure before Vr), but am I correct when I say that the behavior of the plane systems closely resembles what would happen if the engine fire signal was triggered?

• engine fuel spar and high-pressure valves would be cutoff (obviously)
• hydraulics pump would be depressurized and shutoff from the circuit
• electrical generators would be disconnected

We wouldn't be talking about this flight had this occured on a single engine, so I believe this should had happened on both at about the same time.

Looking at ATA26 the engine fire control panel is energized by the hot battery bus (HOT BB). Is it credible that a failure of the hot battery bus (for example due to damage or liquid ingress in the P300 panel ) could lead to this situation?

Disclaimer: the numbers I mention are from publicly available sources, namely Wiki (for the ZFW weight calculation) and a Boeing FCOM dated 2010, and my own estimations.

IMO, if those engines failed just after rotation, there is no way that jet would have got anywhere near 200ft, especially if the fuel was "cut off", as opposed to back to Idle.

At 420k lbs (310k lb ZFW+110k lb Fuel), the (takeoff) V2 Flap 5 is 157kts. The (landing) Vref for Flap 5 I estimate to be at least 160kts (the FCOM I have has no figures for Flap 5 landings; F20 Vref is 154; the manoeuvre speed for Flap 5 is 189). Typically, you'd probably be at V2+15 when you get established in the climb after rotation.

No. With a pitch attitude of around 15\xb0, that's quite a bit of weight being supported not only by the wings but by the engine thrust vector. Cut that and you stop going up very quickly. Note Sailvi's comment above.

ANY reduction in pitch attitude would cause the climb to cease immediately. These aircraft are going so slowly, relatively, and the drag is so high that any small change in pitch attitude will cause an increase in descent rate with very little increase in speed (or no lessening of deceleration).

Not IMO. Basically, the only reason this jet is flying is because of the whopping long thrust vector out the back. It's already almost back at minimum speed anyway for flap 5 so there is very speed to trade. In this case, I wouldn't be trading anything, because the speed reduction rate would be too fast.

My estimate is around 200ft (one wingspan) and I hypothesise the engines were producing plenty of thrust until about 7 seconds, before it stops climbing at around 12 seconds after liftoff.

@Brace , I think you're exaggerating the residual thrust effect at lower RPMs. Of course 70% would get you round the pattern but you're at a much lower drag config and you're going much faster, again less drag. And are improved-climb takeoffs in the 787-8 even a thing? I can't see a two-stage rotation.

I've made up a YT combo video:

tdracer posted - " Commanded engine cutoff - the aisle stand fuel switch sends electrical signals to the spar valve and the "High Pressure Shutoff Valve" (HPSOV) in the Fuel Metering Unit, commanding them to open/close using aircraft power. The HPSOV is solenoid controlled, and near instantaneous. The solenoid is of a 'locking' type that needs to be powered both ways (for obvious reasons, you wouldn't want a loss of electrical power to shut down the engine). The fire handle does the same thing, via different electrical paths (i.e. separate wiring)."

Search this thread for "HPSOV" if you need confirmation of the quote.

Note there are two shut off fuel valves per engine - the HPSOV and the Spar valve. Both stay where they are if power is lost.

And that\x92s the only way it makes any sense.

Hoover from the generally respected Pilot Debrief channel put up his analysis.

He analyses the point of rotation looking at the airport layout and using the video with the shack showing the aircraft rotate behind it, in that case the aircraft rotates at a reasonably normal place. That being the case what is the "cloud of particles" that appear to the left of the aircraft ?

He discounts electrical failure affecting both engines due 787 design, and fuel contamination due both engines fed from separate tanks unlikely to affect both engines at the same time.

The possibility that one engine failure occurred at a critical point in the take off and that possibly the wrong engine fuel cutoff switch was pulled.


camera angle with shack and suggested point of rotation



whats this..

All of which has been discussed and for the wing vortices and the fuel feed has been explained quite comprehensively, along with the fuel cut offs: have you not read these posts only made recently?

I repeat, do NOT post repeats of discussions already had unless there is something of value which may change or enhance previous posts. This is a prime example of a post which should be vetted and dismissed before pressing Submit Reply 🙈

It\x92s a possibility (as is virtually anything that doesn\x92t break the laws of physics) but all the training, practicing and checking would have been to emphasise SOPs, which are to leave all the engine controls where they are until you have done a proper interactive diagnosis at a safe height with the flightpath assured.

Where the meme has come from that jet pilots have to shut down engines as quickly as possible I don\x92t know but it is incorrect. If you left a failed engine without securing it for 5 minutes, little to no harm would come of it. Even if it was on fire (which is not necessarily flames, just higher than normal temperatures inside the nacelle) they are certified to be in this condition for some considerable time before it becomes a problem. Yes, I think the phrase \x93without undue delay\x94 could be used for a fire indication but that\x92s a minimum of 400\x92AGL in Boeings and does not absolve you of all the cross-checking and CRM that should happen with an engine shutdown. This is practiced/checked at the least every 6 months in EASA land and any attempt to rush a shutdown at low level would lead to a debrief and more training/checking.

To put it this way, control of the aeroplane and lateral/vertical navigation is far more important than doing stuff with a failed power plant. Something like an ET should be absolutely prioritised over engine drills.

Without going round the hamsterwheel again does anyone have an actual reference for this? Because I've gone back through each of tdracer's very informative posts about this see here and there is a discrepancy in the two points he makes below in adjacent posts. Is tdracer talking about the same HPSOV valves? Can anyone confirm that with both AC power loss and and a temporary DC power loss there are no critical engine related shutoff valves that will fail safe (unpowered) in a closed position?

Further to the (logical in my view) points you make in response to AAKEE's ostensibly logical conclusion that the commencement of undercarriage retraction (if it did commence) is conclusive of the aircraft being 'in the air' for aircraft systems purposes, including TCMA purposes, I make the following points:

First, whilst it may be that every system that monitors and makes decisions about whether the aircraft is 'in the air' does so on the basis of exactly the same sensor inputs, that may not be true and I'd appreciate someone with the expert knowledge on the 78 to confirm or refute the correctness of the assumption, particularly in relation to, for example, FADEC functions compared with undercarriage control functions.

Secondly and probably more importantly, what happens if one of the sensors being used to determine 'in air' versus 'on ground' gives an erroneous 'on ground' signal after - maybe just seconds after - every one of those sensors has given the 'in air' signal?

Reference was made earlier in this thread to a 'latched' in air FADEC condition that resulted in engine shut downs after the aircraft involved landed and was therefore actually on the ground. But what if some sensor failure had resulted in the aircraft systems believing that the aircraft was now on the ground when it was not? I also note that after the 2009 B737-800 incident at Schiphol – actually 1.5 kms away, where the aircraft crashed in a field during approach - the investigation ascertained that a RADALT system suddenly sent an erroneous minus 8’ height reading to the automatic throttle control system.

The conceptual description of the TCMA says that the channels monitor the “position of thrust lever” – no surprises there – “engine power level” – no surprises there – and “several other digital inputs via digital ARINC data buses”.

WoW should of course be one of those "digital inputs" and be a 1 or 0. But I haven't seen any authoritative post about whether the change in state on the 78 requires only one sensor to signal WoW or if, as is more likely, there are (at least) two sensors – one on each MLG leg – both of which have to be ‘weight off’ before a weight off wheels state signal is sent. Maybe a sensor on each leg sends inputs to the ARINC data and the systems reading the data decide what to do about the different WoW signals, as between 00, 01, 10 and 11.

There is authoritative information to the effect that RADALT is also one of the “digital inputs” to the TCMA. The RADALTs presumably output height data (that is of course variable with height) and I don’t know whether the RADALT hardware involved has a separate 1 or 0 output that says that, so far as the RADALT is concerned, the aircraft to which it is strapped is, in fact, ‘in the air’ at ‘some’ height, with the actual height being so high as to be irrelevant to the systems using that input (if that input is in fact generated and there are, in fact, systems that use that 1 or 0).

If we now consider the ‘worst case scenario will be preferred’ concept that apparently applies to the TCMA design so as to achieve redundancy, the number of sensor inputs it’s monitoring to decide whether, and can change its decision whether, the aircraft is on the ground, becomes a very important matter. The TCMA is only supposed to save the day on the ground, if the pilots select idle thrust on a rejected take off but one or both of the engines fail to respond. In the ‘worst case’ (in my view) scenario, both TCMA channels on both engines will be monitoring/affected by every WoW sensor output and every RADALT output data and, if any one of them says ‘on ground’, that will result in both engines’ TCMAs being enabled to command fuel shut off, even though the aircraft may, in fact, be in the air.

Of course it’s true that the TCMA’s being enabled is not, of itself, sufficient to cause fuel cut off to an engine. That depends on a further glitch or failure in the system or software monitoring engine power and thrust lever position, or an actual ‘too much thrust compared to thrust lever position’ situation. But I can’t see why, on balance, it’s prudent to increase the albeit extraordinarily remote risk of an ‘in air’ TCMA commanded engine or double engine shut down due to multiple sensor failure – just one in-air / on-ground sensor and one of either the thrust lever sensor/s or engine power sensor/s – or, in the case of an actual in air ‘too much thrust compared to thrust lever position situation’, why that ‘problem’ could not be handled by the crew shutting down the engine when the crew decides it’s necessary. Once in the air, too much thrust than desired is a much better problem to have than no thrust. The latter is precisely what would happen if all ‘on ground / in air’ sensors were functioning properly and some ‘too much thrust’ condition occurred.

Hopefully the design processes, and particularly the DO-178B/C software design processes done by people with much bigger brains than mine, have built in enough sanity checking and error checking into the system, followed by exhaustive testing, so as to render my thoughts on the subject academic.

This has also been touched upon earlier in the thread, but it rather seems the cut-off switches are in the same LRU, in close proximity, using the same connector and goes through the same wiring harness. No one was able to say whether it works purely by digital signaling, and goes through any common software, or if it is duplicated by purely direct signaling. There might be numerous failure modes of the cut-off switch design, it is obviously very, very robust and overall sound, since dual failures here have never happened, but this is alredy an outlier event.

Again, disclaimer that my direct knowledge of the 787 specifics is limited, standard Boeing design practice is that all engine wiring is segregated between engines (and were practical, between FADEC channels).
The fuel switches are located adjacent to each other; however all the wiring would be separate.

Well, to be fair, the poster who posts next after this post did explain this with good clarity earlier on in the thread.

It may be work reading back before you post, but it's more work expecting posters to repeat what they have offered before. I know that this is a very long series of posts, but all technical topics have been touched on by now, so please do search back, and assure that what you're thinking to post is actually new information. The moderator team are now deleting posts which resurrect previously dispostioned theories, without providing any new thoughts - just to keep between the guardrails on this one.