2025-06-14T16:02:00
permalink Post: 11901606
Once the fuel LP and HP Shutoff valves are open, they stay there until commanded otherwise so an AC power failure will have no affect. They will remain in the last position at the time of the loss. They will then be on suction feed which, by design, should enable the engines to maintain their selected thrust level. They ‘should’ not suffer any loss of thrust.
Edit note: the engines have their own engine driven fuel pumps which can deliver anywhere up to and above 1,100 psi.
1 user liked this post.
2025-06-14T20:48:00
permalink Post: 11901821
Another hour spent sifting through the stuff since last night (my sympathies to the mods
). A few more comments:
"Real time engine monitoring" is typically not 'real time' - it's recorded and sent in periodic bursts. Very unlikely anything was sent from the event aircraft on this flight.
Commanded engine cutoff - the aisle stand fuel switch sends electrical signals to the spar valve and the "High Pressure Shutoff Valve" (HPSOV) in the Fuel Metering Unit, commanding them to open/close using aircraft power. The HPSOV is solenoid controlled, and near instantaneous. The solenoid is of a 'locking' type that needs to be powered both ways (for obvious reasons, you wouldn't want a loss of electrical power to shut down the engine). The fire handle does the same thing, via different electrical paths (i.e. separate wiring).
As I've noted previously, a complete loss of aircraft electrical power would not cause the engines to flameout (or even lose meaningful thrust) during takeoff. In the takeoff altitude envelope, 'suction feed' (I think Airbus calls it 'gravity feed') is more than sufficient to supply the engine driven fuel pumps. It's only when you get up to ~20k ft. that suction feed can become an issue - and this event happened near sea level.
Not matter what's happening on the aircraft side - pushing the thrust levers to the forward stop will give you (at least) rated takeoff power since the only thing required from the aircraft is fuel and thrust lever position (and the thrust lever position resolver is powered by the FADEC).
The TCMA logic is designed and scrubbed so as to be quite robust - flight test data of the engine response to throttle slams is reviewed to insure there is adequate margin between the TCMA limits and the actual engine responses to prevent improper TCMA activation. Again, never say never, but a whole lot would have had to go wrong in the TCMA logic for it to have activated on this flight.
Now, if I assume the speculation that the RAT deployed is correct, I keep coming up with two potential scenarios that could explain what's known regarding this accident:
1) TCMA activation shutdown the engines
or
2) The fuel cutoff switches were activated.
I literally can come up with no other plausible scenarios.
In all due respect to all the pilots on this forum, I really hope it wasn't TCMA. It wouldn't be the first time a mandated 'safety system' has caused an accident (it wouldn't just be Boeing and GE - TCMA was forced by the FAA and EASA to prevent a scenario that had never caused a fatal accident) - and there would be a lot embarrassing questions for all involved. But I personally know many of the people who created, validated, and certified the GEnx-1B TCMA logic - and can't imagine what they would be going through if they missed something (coincidentally, one of them was at my birthday party last weekend and inevitably we ended up talking about what we used to do at Boeing (he's also retired)). Worse, similar TCMA logic is on the GEnx-2B (747-8) - which I was personally responsible for certifying - as well as the GE90-115B and the 737 MAX Leap engine - the consequences of that logic causing this accident would be massive.
). A few more comments:
"Real time engine monitoring" is typically not 'real time' - it's recorded and sent in periodic bursts. Very unlikely anything was sent from the event aircraft on this flight.
Commanded engine cutoff - the aisle stand fuel switch sends electrical signals to the spar valve and the "High Pressure Shutoff Valve" (HPSOV) in the Fuel Metering Unit, commanding them to open/close using aircraft power. The HPSOV is solenoid controlled, and near instantaneous. The solenoid is of a 'locking' type that needs to be powered both ways (for obvious reasons, you wouldn't want a loss of electrical power to shut down the engine). The fire handle does the same thing, via different electrical paths (i.e. separate wiring).
As I've noted previously, a complete loss of aircraft electrical power would not cause the engines to flameout (or even lose meaningful thrust) during takeoff. In the takeoff altitude envelope, 'suction feed' (I think Airbus calls it 'gravity feed') is more than sufficient to supply the engine driven fuel pumps. It's only when you get up to ~20k ft. that suction feed can become an issue - and this event happened near sea level.
Not matter what's happening on the aircraft side - pushing the thrust levers to the forward stop will give you (at least) rated takeoff power since the only thing required from the aircraft is fuel and thrust lever position (and the thrust lever position resolver is powered by the FADEC).
The TCMA logic is designed and scrubbed so as to be quite robust - flight test data of the engine response to throttle slams is reviewed to insure there is adequate margin between the TCMA limits and the actual engine responses to prevent improper TCMA activation. Again, never say never, but a whole lot would have had to go wrong in the TCMA logic for it to have activated on this flight.
Now, if I assume the speculation that the RAT deployed is correct, I keep coming up with two potential scenarios that could explain what's known regarding this accident:
1) TCMA activation shutdown the engines
or
2) The fuel cutoff switches were activated.
I literally can come up with no other plausible scenarios.
In all due respect to all the pilots on this forum, I really hope it wasn't TCMA. It wouldn't be the first time a mandated 'safety system' has caused an accident (it wouldn't just be Boeing and GE - TCMA was forced by the FAA and EASA to prevent a scenario that had never caused a fatal accident) - and there would be a lot embarrassing questions for all involved. But I personally know many of the people who created, validated, and certified the GEnx-1B TCMA logic - and can't imagine what they would be going through if they missed something (coincidentally, one of them was at my birthday party last weekend and inevitably we ended up talking about what we used to do at Boeing (he's also retired)). Worse, similar TCMA logic is on the GEnx-2B (747-8) - which I was personally responsible for certifying - as well as the GE90-115B and the 737 MAX Leap engine - the consequences of that logic causing this accident would be massive.
67 users liked this post.
2025-06-14T21:27:00
permalink Post: 11901855
Another hour spent sifting through the stuff since last night (my sympathies to the mods
). A few more comments:
"Real time engine monitoring" is typically not 'real time' - it's recorded and sent in periodic bursts. Very unlikely anything was sent from the event aircraft on this flight.
Commanded engine cutoff - the aisle stand fuel switch sends electrical signals to the spar valve and the "High Pressure Shutoff Valve" (HPSOV) in the Fuel Metering Unit, commanding them to open/close using aircraft power. The HPSOV is solenoid controlled, and near instantaneous. The solenoid is of a 'locking' type that needs to be powered both ways (for obvious reasons, you wouldn't want a loss of electrical power to shut down the engine). The fire handle does the same thing, via different electrical paths (i.e. separate wiring).
As I've noted previously, a complete loss of aircraft electrical power would not cause the engines to flameout (or even lose meaningful thrust) during takeoff. In the takeoff altitude envelope, 'suction feed' (I think Airbus calls it 'gravity feed') is more than sufficient to supply the engine driven fuel pumps. It's only when you get up to ~20k ft. that suction feed can become an issue - and this event happened near sea level.
Not matter what's happening on the aircraft side - pushing the thrust levers to the forward stop will give you (at least) rated takeoff power since the only thing required from the aircraft is fuel and thrust lever position (and the thrust lever position resolver is powered by the FADEC).
The TCMA logic is designed and scrubbed so as to be quite robust - flight test data of the engine response to throttle slams is reviewed to insure there is adequate margin between the TCMA limits and the actual engine responses to prevent improper TCMA activation. Again, never say never, but a whole lot would have had to go wrong in the TCMA logic for it to have activated on this flight.
Now, if I assume the speculation that the RAT deployed is correct, I keep coming up with two potential scenarios that could explain what's known regarding this accident:
1) TCMA activation shutdown the engines
or
2) The fuel cutoff switches were activated.
I literally can come up with no other plausible scenarios.
In all due respect to all the pilots on this forum, I really hope it wasn't TCMA. It wouldn't be the first time a mandated 'safety system' has caused an accident (it wouldn't just be Boeing and GE - TCMA was forced by the FAA and EASA to prevent a scenario that had never caused a fatal accident) - and there would be a lot embarrassing questions for all involved. But I personally know many of the people who created, validated, and certified the GEnx-1B TCMA logic - and can't imagine what they would be going through if they missed something (coincidentally, one of them was at my birthday party last weekend and inevitably we ended up talking about what we used to do at Boeing (he's also retired)). Worse, similar TCMA logic is on the GEnx-2B (747-8) - which I was personally responsible for certifying - as well as the GE90-115B and the 737 MAX Leap engine - the consequences of that logic causing this accident would be massive.
). A few more comments:
"Real time engine monitoring" is typically not 'real time' - it's recorded and sent in periodic bursts. Very unlikely anything was sent from the event aircraft on this flight.
Commanded engine cutoff - the aisle stand fuel switch sends electrical signals to the spar valve and the "High Pressure Shutoff Valve" (HPSOV) in the Fuel Metering Unit, commanding them to open/close using aircraft power. The HPSOV is solenoid controlled, and near instantaneous. The solenoid is of a 'locking' type that needs to be powered both ways (for obvious reasons, you wouldn't want a loss of electrical power to shut down the engine). The fire handle does the same thing, via different electrical paths (i.e. separate wiring).
As I've noted previously, a complete loss of aircraft electrical power would not cause the engines to flameout (or even lose meaningful thrust) during takeoff. In the takeoff altitude envelope, 'suction feed' (I think Airbus calls it 'gravity feed') is more than sufficient to supply the engine driven fuel pumps. It's only when you get up to ~20k ft. that suction feed can become an issue - and this event happened near sea level.
Not matter what's happening on the aircraft side - pushing the thrust levers to the forward stop will give you (at least) rated takeoff power since the only thing required from the aircraft is fuel and thrust lever position (and the thrust lever position resolver is powered by the FADEC).
The TCMA logic is designed and scrubbed so as to be quite robust - flight test data of the engine response to throttle slams is reviewed to insure there is adequate margin between the TCMA limits and the actual engine responses to prevent improper TCMA activation. Again, never say never, but a whole lot would have had to go wrong in the TCMA logic for it to have activated on this flight.
Now, if I assume the speculation that the RAT deployed is correct, I keep coming up with two potential scenarios that could explain what's known regarding this accident:
1) TCMA activation shutdown the engines
or
2) The fuel cutoff switches were activated.
I literally can come up with no other plausible scenarios.
In all due respect to all the pilots on this forum, I really hope it wasn't TCMA. It wouldn't be the first time a mandated 'safety system' has caused an accident (it wouldn't just be Boeing and GE - TCMA was forced by the FAA and EASA to prevent a scenario that had never caused a fatal accident) - and there would be a lot embarrassing questions for all involved. But I personally know many of the people who created, validated, and certified the GEnx-1B TCMA logic - and can't imagine what they would be going through if they missed something (coincidentally, one of them was at my birthday party last weekend and inevitably we ended up talking about what we used to do at Boeing (he's also retired)). Worse, similar TCMA logic is on the GEnx-2B (747-8) - which I was personally responsible for certifying - as well as the GE90-115B and the 737 MAX Leap engine - the consequences of that logic causing this accident would be massive.
5 users liked this post.
2025-06-14T23:05:00
permalink Post: 11901941
I am curious to learn what power source drives the high-pressure fuel pumps in the engine. If there is such a thing, I suppose there would.
Gearbox? This is at odds with a possible cascading electric failure that (might have) caused a loss of engine fuel feed.
To my understanding on my ancient plane and engine design, the HP pumps that feed the nozzles are driven mechanically, which enables gravity feeding among other scenarios, but also assures the fuel supply is independent of whatever happens upstream of the nacelle. Except for LP/fire shut-off cocks.
Gearbox? This is at odds with a possible cascading electric failure that (might have) caused a loss of engine fuel feed.
To my understanding on my ancient plane and engine design, the HP pumps that feed the nozzles are driven mechanically, which enables gravity feeding among other scenarios, but also assures the fuel supply is independent of whatever happens upstream of the nacelle. Except for LP/fire shut-off cocks.
Engine driven fuel pump failures are very rare, but have happened (usually with some 'precursor' symptoms that were ignored or mis-diagnosed by maintenance). It would be unheard of for engine driven fuel pumps to fail on both engines on the same flight.
As I've repeatedly posted, even a 100% aircraft power failure would not explain both engines quitting, at least without several other existing faults. Again, never say never, but you can only combine so many 10-9 events before it becomes ridiculous...
TCMA doesn't know what V1 is - it's active whenever the air/ground logic says the aircraft is on-ground.
16 users liked this post.
2025-06-15T04:04:00
permalink Post: 11902089
I don't think this test is ever done during normal operations or maintenance (at least not on purpose) as it is very abusive to the engine driven fuel pump - the sort of cavitation that this causes rapidly erodes the pumping surfaces (it's SOP to replace the engine driven fuel pump after such a test).
12 users liked this post.
2025-06-15T04:56:00
permalink Post: 11902104
I don't think this test is ever done during normal operations or maintenance (at least not on purpose) as it is
very
abusive to the engine driven fuel pump - the sort of cavitation that this causes rapidly erodes the pumping surfaces (it's SOP to replace the engine driven fuel pump after such a test).
2025-06-15T05:35:00
permalink Post: 11902117
In that case, I would think that it is not beyond the realm of remote possibility that for whatever reason there might be at least some of these in the field that will not actually function in the suction mode. And if we are talking about simultaneous dual-flameouts then we're already in the "realm of remote possibility", so they should be looking at these unlikely causes. If they're never tested, it's simply an unknown. Discussions so far just assume that this feature works. From what you say it would not be simple to test all of the in-service engines since the test itself is destructive. Perhaps there is some way to test without grinding up the pumps.
The portion of the engine driven fuel pump that is subject to wear is the high-pressure gear pump - and excessive deterioration will become apparent in the inability to reach max TO thrust. The centrifugal pump (that part responsible for the suction feed) is relatively lightly loaded and seldom experiences excessive wear or deterioration - even when exposed to severe suction feed events.
As I've posted several times, in this business you 'never say never' - but the chances that both engines fuel pumps were deteriorated to the point where they could not adequately provide suction feed fuel to keep the engines running is very, very remote.
11 users liked this post.
2025-06-15T06:13:00
permalink Post: 11902137
The engine driven fuel pumps are regularly removed and overhauled - usually when the engines go through overhaul (somewhere in the 10-20,000 hour range). The results of these overhauls are monitored, and if there is evidence of unusual deterioration, etc., that will be reflected in the recommended maintenance/overhaul intervals (BTW, this is SOP for virtually every system on the aircraft, regardless of Boeing, Airbus, etc.).
The portion of the engine driven fuel pump that is subject to wear is the high-pressure gear pump - and excessive deterioration will become apparent in the inability to reach max TO thrust. The centrifugal pump (that part responsible for the suction feed) is relatively lightly loaded and seldom experiences excessive wear or deterioration - even when exposed to severe suction feed events.
As I've posted several times, in this business you 'never say never' - but the chances that both engines fuel pumps were deteriorated to the point where they could not adequately provide suction feed fuel to keep the engines running is very, very remote.
The portion of the engine driven fuel pump that is subject to wear is the high-pressure gear pump - and excessive deterioration will become apparent in the inability to reach max TO thrust. The centrifugal pump (that part responsible for the suction feed) is relatively lightly loaded and seldom experiences excessive wear or deterioration - even when exposed to severe suction feed events.
As I've posted several times, in this business you 'never say never' - but the chances that both engines fuel pumps were deteriorated to the point where they could not adequately provide suction feed fuel to keep the engines running is very, very remote.
Of course, those should be trivial to bench test.
1 user liked this post.
2025-06-15T13:09:00
permalink Post: 11902451
A flight test (at least one - it's often duplicated) is performed as a basic part of aircraft/engine certification. One engine with all boost pumps off and on 'suction' feed - the other engine with normal aircraft boost pump operation (for what should be obvious reasons). Start, taxi, takeoff, and climb in that configuration until the test engine quits due to fuel starvation as a result of the engine fuel pump cavitation (done using "unweathered" fuel - once fuel has been at altitude for a period of time (hours or more - i.e. 'weathered'), most of the dissolved gases in the fuel have vented off, and suction feed works far better - often up to cruise altitudes).
I don't think this test is ever done during normal operations or maintenance (at least not on purpose) as it is very abusive to the engine driven fuel pump - the sort of cavitation that this causes rapidly erodes the pumping surfaces (it's SOP to replace the engine driven fuel pump after such a test).
I don't think this test is ever done during normal operations or maintenance (at least not on purpose) as it is very abusive to the engine driven fuel pump - the sort of cavitation that this causes rapidly erodes the pumping surfaces (it's SOP to replace the engine driven fuel pump after such a test).
Carried out as part of a 12k check.
Fuel level in the wing tanks made to be between 3100 kg & 3400kg. Engines are started, APU shut down and boost pumps are selected off.
As long as the engines keep running, it\x92s test passed. (Just have to remember to fire the APU back up before shutting the engines down!)
4 users liked this post.
2025-06-15T20:06:00
permalink Post: 11902782
As I've noted previously, a complete loss of aircraft electrical power would not cause the engines to flameout (or even lose meaningful thrust) during takeoff. In the takeoff altitude envelope, 'suction feed' (I think Airbus calls it 'gravity feed') is more than sufficient to supply the engine driven fuel pumps. It's only when you get up to ~20k ft. that suction feed can become an issue - and this event happened near sea level.
So I wouldn't vouch for the FADECs if there was catastrophic problem with the power distribution in the aircraft.
1 user liked this post.
2025-06-14T20:48:00
permalink Post: 11903420
Another hour spent sifting through the stuff since last night (my sympathies to the mods
). A few more comments:
"Real time engine monitoring" is typically not 'real time' - it's recorded and sent in periodic bursts. Very unlikely anything was sent from the event aircraft on this flight.
Commanded engine cutoff - the aisle stand fuel switch sends electrical signals to the spar valve and the "High Pressure Shutoff Valve" (HPSOV) in the Fuel Metering Unit, commanding them to open/close using aircraft power. The HPSOV is solenoid controlled, and near instantaneous. The solenoid is of a 'locking' type that needs to be powered both ways (for obvious reasons, you wouldn't want a loss of electrical power to shut down the engine). The fire handle does the same thing, via different electrical paths (i.e. separate wiring).
As I've noted previously, a complete loss of aircraft electrical power would not cause the engines to flameout (or even lose meaningful thrust) during takeoff. In the takeoff altitude envelope, 'suction feed' (I think Airbus calls it 'gravity feed') is more than sufficient to supply the engine driven fuel pumps. It's only when you get up to ~20k ft. that suction feed can become an issue - and this event happened near sea level.
Not matter what's happening on the aircraft side - pushing the thrust levers to the forward stop will give you (at least) rated takeoff power since the only thing required from the aircraft is fuel and thrust lever position (and the thrust lever position resolver is powered by the FADEC).
The TCMA logic is designed and scrubbed so as to be quite robust - flight test data of the engine response to throttle slams is reviewed to insure there is adequate margin between the TCMA limits and the actual engine responses to prevent improper TCMA activation. Again, never say never, but a whole lot would have had to go wrong in the TCMA logic for it to have activated on this flight.
Now, if I assume the speculation that the RAT deployed is correct, I keep coming up with two potential scenarios that could explain what's known regarding this accident:
1) TCMA activation shutdown the engines
or
2) The fuel cutoff switches were activated.
I literally can come up with no other plausible scenarios.
In all due respect to all the pilots on this forum, I really hope it wasn't TCMA. It wouldn't be the first time a mandated 'safety system' has caused an accident (it wouldn't just be Boeing and GE - TCMA was forced by the FAA and EASA to prevent a scenario that had never caused a fatal accident) - and there would be a lot embarrassing questions for all involved. But I personally know many of the people who created, validated, and certified the GEnx-1B TCMA logic - and can't imagine what they would be going through if they missed something (coincidentally, one of them was at my birthday party last weekend and inevitably we ended up talking about what we used to do at Boeing (he's also retired)). Worse, similar TCMA logic is on the GEnx-2B (747-8) - which I was personally responsible for certifying - as well as the GE90-115B and the 737 MAX Leap engine - the consequences of that logic causing this accident would be massive.
). A few more comments:
"Real time engine monitoring" is typically not 'real time' - it's recorded and sent in periodic bursts. Very unlikely anything was sent from the event aircraft on this flight.
Commanded engine cutoff - the aisle stand fuel switch sends electrical signals to the spar valve and the "High Pressure Shutoff Valve" (HPSOV) in the Fuel Metering Unit, commanding them to open/close using aircraft power. The HPSOV is solenoid controlled, and near instantaneous. The solenoid is of a 'locking' type that needs to be powered both ways (for obvious reasons, you wouldn't want a loss of electrical power to shut down the engine). The fire handle does the same thing, via different electrical paths (i.e. separate wiring).
As I've noted previously, a complete loss of aircraft electrical power would not cause the engines to flameout (or even lose meaningful thrust) during takeoff. In the takeoff altitude envelope, 'suction feed' (I think Airbus calls it 'gravity feed') is more than sufficient to supply the engine driven fuel pumps. It's only when you get up to ~20k ft. that suction feed can become an issue - and this event happened near sea level.
Not matter what's happening on the aircraft side - pushing the thrust levers to the forward stop will give you (at least) rated takeoff power since the only thing required from the aircraft is fuel and thrust lever position (and the thrust lever position resolver is powered by the FADEC).
The TCMA logic is designed and scrubbed so as to be quite robust - flight test data of the engine response to throttle slams is reviewed to insure there is adequate margin between the TCMA limits and the actual engine responses to prevent improper TCMA activation. Again, never say never, but a whole lot would have had to go wrong in the TCMA logic for it to have activated on this flight.
Now, if I assume the speculation that the RAT deployed is correct, I keep coming up with two potential scenarios that could explain what's known regarding this accident:
1) TCMA activation shutdown the engines
or
2) The fuel cutoff switches were activated.
I literally can come up with no other plausible scenarios.
In all due respect to all the pilots on this forum, I really hope it wasn't TCMA. It wouldn't be the first time a mandated 'safety system' has caused an accident (it wouldn't just be Boeing and GE - TCMA was forced by the FAA and EASA to prevent a scenario that had never caused a fatal accident) - and there would be a lot embarrassing questions for all involved. But I personally know many of the people who created, validated, and certified the GEnx-1B TCMA logic - and can't imagine what they would be going through if they missed something (coincidentally, one of them was at my birthday party last weekend and inevitably we ended up talking about what we used to do at Boeing (he's also retired)). Worse, similar TCMA logic is on the GEnx-2B (747-8) - which I was personally responsible for certifying - as well as the GE90-115B and the 737 MAX Leap engine - the consequences of that logic causing this accident would be massive.
7 users liked this post.
2025-06-14T23:05:00
permalink Post: 11903421
I am curious to learn what power source drives the high-pressure fuel pumps in the engine. If there is such a thing, I suppose there would.
Gearbox? This is at odds with a possible cascading electric failure that (might have) caused a loss of engine fuel feed.
To my understanding on my ancient plane and engine design, the HP pumps that feed the nozzles are driven mechanically, which enables gravity feeding among other scenarios, but also assures the fuel supply is independent of whatever happens upstream of the nacelle. Except for LP/fire shut-off cocks.
Gearbox? This is at odds with a possible cascading electric failure that (might have) caused a loss of engine fuel feed.
To my understanding on my ancient plane and engine design, the HP pumps that feed the nozzles are driven mechanically, which enables gravity feeding among other scenarios, but also assures the fuel supply is independent of whatever happens upstream of the nacelle. Except for LP/fire shut-off cocks.
Engine driven fuel pump failures are very rare, but have happened (usually with some 'precursor' symptoms that were ignored or mis-diagnosed by maintenance). It would be unheard of for engine driven fuel pumps to fail on both engines on the same flight.
As I've repeatedly posted, even a 100% aircraft power failure would not explain both engines quitting, at least without several other existing faults. Again, never say never, but you can only combine so many 10-9 events before it becomes ridiculous...
TCMA doesn't know what V1 is - it's active whenever the air/ground logic says the aircraft is on-ground.
4 users liked this post.
2025-06-15T04:04:00
permalink Post: 11903423
I don't think this test is ever done during normal operations or maintenance (at least not on purpose) as it is very abusive to the engine driven fuel pump - the sort of cavitation that this causes rapidly erodes the pumping surfaces (it's SOP to replace the engine driven fuel pump after such a test).
1 user liked this post.
2025-06-15T05:35:00
permalink Post: 11903425
In that case, I would think that it is not beyond the realm of remote possibility that for whatever reason there might be at least some of these in the field that will not actually function in the suction mode. And if we are talking about simultaneous dual-flameouts then we're already in the "realm of remote possibility", so they should be looking at these unlikely causes. If they're never tested, it's simply an unknown. Discussions so far just assume that this feature works. From what you say it would not be simple to test all of the in-service engines since the test itself is destructive. Perhaps there is some way to test without grinding up the pumps.
The portion of the engine driven fuel pump that is subject to wear is the high-pressure gear pump - and excessive deterioration will become apparent in the inability to reach max TO thrust. The centrifugal pump (that part responsible for the suction feed) is relatively lightly loaded and seldom experiences excessive wear or deterioration - even when exposed to severe suction feed events.
As I've posted several times, in this business you 'never say never' - but the chances that both engines fuel pumps were deteriorated to the point where they could not adequately provide suction feed fuel to keep the engines running is very, very remote.
2025-06-18T18:18:00
permalink Post: 11905444
To my mind, this points to a potential software issue. 787s have already suffered from 2 separate software issues in which the passage of time causes a major and possibly catastrophic failure - the need to reboot systems before 51 days and 248 days have elapsed, due to poorly-written software. Given that history, the probability of there being a third, previously-unidentified but broadly similar in nature software issue seems surprisingly high. They aren't independent variables.
Such a passage-of-time software issue wouldn't show up in most (or possibly any) testing scenarios. It is the sort of issue that robust QA and static code analysis are designed to catch. But in at least two separate systems on the 787 it has not been caught prior to software shipping. Meanwhile, every new technical post demonstrates the myriad ways in which non-software potential causes are mitigated by redundant design.
The odds of two (or more) redundant mechanical systems failing in precisely the same way at precisely the same moment are very, very small. The odds of identical software on two (or more) redundant systems reaching a passage-of-time bug at precisely the same moment are, by contrast, very much higher. True redundancy would require different software on each redundant sub-system.
Such a passage-of-time software issue wouldn't show up in most (or possibly any) testing scenarios. It is the sort of issue that robust QA and static code analysis are designed to catch. But in at least two separate systems on the 787 it has not been caught prior to software shipping. Meanwhile, every new technical post demonstrates the myriad ways in which non-software potential causes are mitigated by redundant design.
The odds of two (or more) redundant mechanical systems failing in precisely the same way at precisely the same moment are very, very small. The odds of identical software on two (or more) redundant systems reaching a passage-of-time bug at precisely the same moment are, by contrast, very much higher. True redundancy would require different software on each redundant sub-system.
Integer overflow is a specific type of issue common to many systems, but like you said - it is something that should be found with robust QA and analysis. The ability to shut down all generators at once from a single source seems like a risky design decision to me and I agree with your point about different software on 2 or more redundant sub systems.
My theory is that this was an accepted risk because the engine-driven fuel pumps would be more than enough in most phases of flight to keep the engines running, and you would still have 2 engines for redundancy. The APU would also restore AC power in lets say 30 seconds and you would then have electric fuel pumps as well.
I think there are several factors that could explain how loss of all AC power during takeoff could lead to a crash:
- The crash happened within 30 seconds - possibly too short for the APU to start, and the RAT doesn't power the AC electric fuel pumps
- The engine driven fuel pumps even if sufficient in level flight may have struggled during rotation - has Boeing tested an actual takeoff with only EDP feeding the engine while the fuel tanks are rotating and in extreme environments, or, have they only tested this statically?
- The takeoff was hot and heavy - combined with the landing gear stuck down and reduced thrust from loss of electric fuel pumps could this be enough?
Last edited by adfad; 18th Jun 2025 at 18:36 .
1 user liked this post.
2025-06-19T18:05:00
permalink Post: 11906239
Fuel valves and TCMA software updates?
Commanded engine cutoff - the aisle stand fuel switch sends electrical signals to the spar valve and the "High Pressure Shutoff Valve" (HPSOV) in the Fuel Metering Unit, commanding them to open/close using aircraft power. The HPSOV is solenoid controlled, and near instantaneous. The solenoid is of a 'locking' type that needs to be powered both ways (for obvious reasons, you wouldn't want a loss of electrical power to shut down the engine). The fire handle does the same thing, via different electrical paths (i.e. separate wiring).
As I've noted previously, a complete loss of aircraft electrical power would not cause the engines to flameout (or even lose meaningful thrust) during takeoff. In the takeoff altitude envelope, 'suction feed' (I think Airbus calls it 'gravity feed') is more than sufficient to supply the engine driven fuel pumps. It's only when you get up to ~20k ft. that suction feed can become an issue - and this event happened near sea level.
Not matter what's happening on the aircraft side - pushing the thrust levers to the forward stop will give you (at least) rated takeoff power since the only thing required from the aircraft is fuel and thrust lever position (and the thrust lever position resolver is powered by the FADEC).
The TCMA logic is designed and scrubbed so as to be quite robust - flight test data of the engine response to throttle slams is reviewed to insure there is adequate margin between the TCMA limits and the actual engine responses to prevent improper TCMA activation. Again, never say never, but a whole lot would have had to go wrong in the TCMA logic for it to have activated on this flight.
Now, if I assume the speculation that the RAT deployed is correct, I keep coming up with two potential scenarios that could explain what's known regarding this accident:
1) TCMA activation shutdown the engines
or
2) The fuel cutoff switches were activated.
I literally can come up with no other plausible scenarios.
In all due respect to all the pilots on this forum, I really hope it wasn't TCMA. It wouldn't be the first time a mandated 'safety system' has caused an accident (it wouldn't just be Boeing and GE - TCMA was forced by the FAA and EASA to prevent a scenario that had never caused a fatal accident) - and there would be a lot embarrassing questions for all involved. But I personally know many of the people who created, validated, and certified the GEnx-1B TCMA logic - and can't imagine what they would be going through if they missed something (coincidentally, one of them was at my birthday party last weekend and inevitably we ended up talking about what we used to do at Boeing (he's also retired)). Worse, similar TCMA logic is on the GEnx-2B (747-8) - which I was personally responsible for certifying - as well as the GE90-115B and the 737 MAX Leap engine - the consequences of that logic causing this accident would be massive.
As I've noted previously, a complete loss of aircraft electrical power would not cause the engines to flameout (or even lose meaningful thrust) during takeoff. In the takeoff altitude envelope, 'suction feed' (I think Airbus calls it 'gravity feed') is more than sufficient to supply the engine driven fuel pumps. It's only when you get up to ~20k ft. that suction feed can become an issue - and this event happened near sea level.
Not matter what's happening on the aircraft side - pushing the thrust levers to the forward stop will give you (at least) rated takeoff power since the only thing required from the aircraft is fuel and thrust lever position (and the thrust lever position resolver is powered by the FADEC).
The TCMA logic is designed and scrubbed so as to be quite robust - flight test data of the engine response to throttle slams is reviewed to insure there is adequate margin between the TCMA limits and the actual engine responses to prevent improper TCMA activation. Again, never say never, but a whole lot would have had to go wrong in the TCMA logic for it to have activated on this flight.
Now, if I assume the speculation that the RAT deployed is correct, I keep coming up with two potential scenarios that could explain what's known regarding this accident:
1) TCMA activation shutdown the engines
or
2) The fuel cutoff switches were activated.
I literally can come up with no other plausible scenarios.
In all due respect to all the pilots on this forum, I really hope it wasn't TCMA. It wouldn't be the first time a mandated 'safety system' has caused an accident (it wouldn't just be Boeing and GE - TCMA was forced by the FAA and EASA to prevent a scenario that had never caused a fatal accident) - and there would be a lot embarrassing questions for all involved. But I personally know many of the people who created, validated, and certified the GEnx-1B TCMA logic - and can't imagine what they would be going through if they missed something (coincidentally, one of them was at my birthday party last weekend and inevitably we ended up talking about what we used to do at Boeing (he's also retired)). Worse, similar TCMA logic is on the GEnx-2B (747-8) - which I was personally responsible for certifying - as well as the GE90-115B and the 737 MAX Leap engine - the consequences of that logic causing this accident would be massive.
I seem to remember Fred Dibner talking about how railway cars brake by draining the piston not by pressurising it, so trains will stop when supply lines break.
The electrical system updates to 787s for ADs and SBs - do any of these include software updates? For example the integer overflow causing GCU failsafe rectified under AD 2018-20-15. If so, who is writing and implementing these software updates? The original engineers? Their apprentices who had years long handovers? Or have they been outsourced and offshored? When these updates occur, does the entire system get tested and ratified or just the bit the bug fix is meant to fix? Because I\x92ve seen new bugs introduced by bug fixes in areas seemingly nothing to do with the original problem.
2025-06-19T22:23:00
permalink Post: 11906444
ONCE AGAIN: I don't think that is what happened - it's just an example of a chain of events triggered by worn out and/or older equipment. Both failures would never happen on a new aircraft.
2 users liked this post.
2025-06-21T01:04:00
permalink Post: 11907425
Hello, this is my first post on pprune; as a 787 pilot I\x92m also puzzled by this accident. All seem to agree that for some reason there was a complete electrical failure and RAT deployment. With a complete electrical failure all six main fuel pumps fail. Each engine also has two mechanically driven fuel pumps. On takeoff, if there is fuel in the center tank, it will be used first, pumped by the two center tank pumps.
My airline\x92s manuals don\x92t go into much detail, but I read on another site that if both the center tank pumps fail, the engine driven pumps aren\x92t able to suction feed well enough from the center tanks to sustain engine operation. If there was fuel in the center tanks, a complete electrical failure would soon lead to center tank fuel pumps failure (all fuel pumps failure as stated previously) and fuel starvation of both engines. A rescue from this situation would be an immediate selection of both center tank fuel pumps OFF (not if my airline\x92s non-normal checklists) and waiting for successful suction feed from the L and R main tanks to occur, this would take a number of seconds.
My airline\x92s manuals don\x92t go into much detail, but I read on another site that if both the center tank pumps fail, the engine driven pumps aren\x92t able to suction feed well enough from the center tanks to sustain engine operation. If there was fuel in the center tanks, a complete electrical failure would soon lead to center tank fuel pumps failure (all fuel pumps failure as stated previously) and fuel starvation of both engines. A rescue from this situation would be an immediate selection of both center tank fuel pumps OFF (not if my airline\x92s non-normal checklists) and waiting for successful suction feed from the L and R main tanks to occur, this would take a number of seconds.
If you go and chat to the engineers, have a look in the IPC or MM I Ch 28, you should find a good description of the fuel boost pumps. It's been a while but I recall they are Eaton designs, the general arrangement is similar to the B777. They both have a suction feed that permits fuel feed in the event of a loss of all boost pumps. The only impact of that arises at high altitude and high thrust levels, where the engine driven fuel boost pumps may capitate and reduce the available fuel feed resulting in a lower thrust level.
Refer page 12.20.02 in the TBC's B787 FCTM, or search for "SUCTION FEED".
At sea level, full thrust will be achieved without any boost pump on the aircraft. Recall that the CWT boost pumps are known as Override boost pumps, they are feeding from the CWT when there is fuel and they are running, as the output pressure is higher from these pumps than the 2 wing boost pumps. Whether there is fuel in the CWT or not, or the CWT pumps are energised, is immaterial to whether fuel will be supplied to the engine driven fuel pumps.
Note that with BA038, the fundamental problem was blockage of wax/ice formed in the piping that blocked the FOHE, and that will cause a problem with those engines that have such architecture, but is not associated with the availability of the boost pumps themselves. Even then, the engines did not technically fail, as they have both done simultaneously with the B788 of AI 171, BA's engines were running but not able to provide significant thrust due to the FOHE blockages.
4 users liked this post.
2025-06-21T12:15:00
permalink Post: 11907698
Commanded engine cutoff - the aisle stand fuel switch sends electrical signals to the spar valve and the "High Pressure Shutoff Valve" (HPSOV) in the Fuel Metering Unit, commanding them to open/close using aircraft power.
The HPSOV is solenoid controlled, and near instantaneous. The solenoid is of a 'locking' type that needs to be powered both ways (for obvious reasons, you wouldn't want a loss of electrical power to shut down the engine)
. The fire handle does the same thing, via different electrical paths (i.e. separate wiring).
.
.
The engine driven fuel pump is a two-stage pump - a centrifugal pump that draws the fuel into the pump (i.e. 'suction feed'), and a gear pump which provides the high-pressure fuel to the engine and as muscle pressure to drive things like the Stator Vane and Bleed Valve actuators. It takes a minimum of ~300 PSI to run the engine -
the HPSOV is spring loaded closed and it takes approximately 300 psi to overcome that spring
.
Engine driven fuel pump failures are very rare, but have happened (usually with some 'precursor' symptoms that were ignored or mis-diagnosed by maintenance). It would be unheard of for engine driven fuel pumps to fail on both engines on the same flight.
Engine driven fuel pump failures are very rare, but have happened (usually with some 'precursor' symptoms that were ignored or mis-diagnosed by maintenance). It would be unheard of for engine driven fuel pumps to fail on both engines on the same flight.
2025-06-21T12:30:00
permalink Post: 11907705
Without going round the hamsterwheel again does anyone have an actual reference for this? Because I've gone back through each of tdracer's very informative posts about this
see here
and there is a discrepancy in the two points he makes below in adjacent posts. Is tdracer talking about the same HPSOV valves? Can anyone confirm that with both AC power loss and and a temporary DC power loss there are no critical engine related shutoff valves that will fail safe (unpowered) in a closed position?
However, it could easily have different modes of operation (closed, electrically actuated), activated (electrically actuated), open (transition from activated + fuel pressure > 300psi).
4 users liked this post.