Posts about: "Fuel Pumps" [Posts: 151 Pages: 8]

The engine driven fuel pumps are regularly removed and overhauled - usually when the engines go through overhaul (somewhere in the 10-20,000 hour range). The results of these overhauls are monitored, and if there is evidence of unusual deterioration, etc., that will be reflected in the recommended maintenance/overhaul intervals (BTW, this is SOP for virtually every system on the aircraft, regardless of Boeing, Airbus, etc.).
The portion of the engine driven fuel pump that is subject to wear is the high-pressure gear pump - and excessive deterioration will become apparent in the inability to reach max TO thrust. The centrifugal pump (that part responsible for the suction feed) is relatively lightly loaded and seldom experiences excessive wear or deterioration - even when exposed to severe suction feed events.
As I've posted several times, in this business you 'never say never' - but the chances that both engines fuel pumps were deteriorated to the point where they could not adequately provide suction feed fuel to keep the engines running is very, very remote.

I was not aware that we have granular ADS-B data from the a/c itself showing airspeed post rotation (rather than speed interpolated from GPS). Apologies if I have missed it. If it does show acceleration after takeoff I tend to agree with you.

In no particular order, here are some more thoughts on TCMA having caught up on the thread:

If you cut the fuel from two big engines at take-off power, there must be some delay before n2 decays below the threshold for generation (below idle n2), the generators disconnect and RAT deploys. GEnx have relatively long spool up/down times as the fan is so large (and would be exposed to 170+kts of ram air). Perhaps someone has a view on how long this would be, but I imagine it could easily be 10s or more between fuel cut off and RAT deployment. On AI171 the RAT appears to be already deployed at the beginning of the bystander video. That starts c. 13s before impact and around 17s after rotation. This does not prove anything except that the supposed shut down must have happened very close to rotation and could have happened just before rotation while the a/c was on the ground.

As a thought experiment, imagine if ANA985 in 2019 had decided to go around. The a/c rotates and is ~50 ft above the runway, suddenly both engines spooling down, very little runway left to land on and no reverse thrust available. I am struck by how similar this scenario is to AI171. This theory would require there to have been unexpected thrust lever movement in the moments before rotation - but plausibly one pilot moving to reject, followed by an overrule or change of heart - or even a simple human error such as the recent BA incident at LGW - could achieve this. This is perhaps more likely that any sensor fault that you would expect to only impact a single engine given the redundancy of systems.

Tdracer writes that a key requirement of TCMA is to identify an engine runaway in the event of an RTO, in order to allow the a/c to stop on the runway. This will have been tested extensively - it is a big leap to imagine a false activation could be triggered. It did happen on ANA985 but through a very unusual set of inputs including application of reverse (albeit this latter point may not be relevant if TCMA logic does not distinguish between the reverser being deployed or not).

Incidentally there is an assumption the TCMA software version in place on the ANA flight had already been patched and fixed on AI171. That probably is the case but I am not sure it is a known fact.

In summary I remain baffled by this tragic accident. I have not yet read anything that explicitly rules out TCMA activation and it remains a possibility due to the vanishingly small number of factors that could shut down two engines at apparently the exact same moment when they have fully redundant systems. Fuel contamination, for example, has typically impacted each engine a few minutes (at least) apart. I am also cautious (as others have pointed out) of a form of confirmation bias about Boeing software systems with four-letter acronyms.

In my mind the cause could equally well be something completely different to anything suggested on this thread, that will only become clear with more evidence. All of the above also incorporates a number of theories, i.e. that there was an engine shutdown - that are not conclusively known.

Thank you to the mods for an excellent job.

We have two donks individual fuel supply cut simultaneous in split seconds. There is no rudder activity visible for any thrust asymmetry during this timeframe. TCMA is implemented via the FADECs which are independent for each engine with their own power source from each engine. TCMA is designed to shut down its engine if its power lever is in retard position and the engine is still powering with too much thrust. In addition the airplanes ground sensors must indicate that it is on the ground. For each thrust leaver there are two independent position sensors. It is similar redundant designed as in modern car acceleration pedals. A dual redundancy in each thrust leaver. For TCMA to shut down two fuel supplies within split seconds we have to assume that 4 thrust leaver sensors malfunctioned and the ground sensing logic failed at the same time. The probability that this happens is nil (may be 1 in every 10exp15 hours) which would be about 10 times the age of our universe.
Unless there is a software error in the FADEC TCMA system which only came to light on this flight. But there seem to be nothing special on this flight until rotation. If there is a software error I expect, that we get false single engine shut downs first. And that would already made the news if it happened during rotation.

Actually the engines are fed by all tanks during take off. (L engine: L wing tank + Center tank (if filled) / R engine: R wing tank + Center tank (if filled)).

Due to the fuel pressures of the feed pumps (that are all running) the center tank fuel is used first. In case the pump in the center tank fails or the center tank is empty the fuel from the wing will be used w/o any switch over taking place as the wing feed pumps are already running.

Thanks for the clarification.

Surely that's not quite right? If the center tank has fuel, both engines will be fed from the center tank. Only once/if the center tank doesn't have fuel, will the engines be fed from their respective wing tanks.

I think you may be inferring something that isn't actually true. It certainly isn't true in my case. Wanting to explore the details of a function known to be designed to shut down engines, in a case where unexplained shutdown of engines appears to be a likely cause or contributing factor, doesn't suggest that we are assuming TCMA is involved. It's just exploring the details of a a function that is designed to do that and doesn't put on a light, smoke and sound show, or produce obvious debris and residue, when it does.

I think those of us who are persistently trying to learn the details of the sensor inputs to and logic of TCMA (I prefer that characterization to "obsessed with") understand quite well the points you make here — at least those of us whose interest survives in this new thread. However, I at least, and I believe others as well, have also come to the tentative conclusions that (a) the accident aircraft had engines providing little to no useful thrust from nearly the first moments after rotation, and (b) the only possible reasons for that which have been considered here so far involve the sudden and approximately simultaneous shutdown of those engines, most likely by interruption of fuel flow (because that's one of the very few things we know that can do that without producing big bangs, flames and smoke, etc.).

I don't agree that it's more logical to posit that something we don't know about has shut down the engines rather than something that we do know about that is intended to shut down engines. Do you know of other routines/subroutines in the FADEC that shut down fuel supply?

I certainly don't assume that and I haven't seen posts from others (that I consider serious and reasonably well-informed) that "seem to assume" that.

Yes, we know that.

Right, and you won't see a serious attempt to do that until we know, at least, what specific sensor inputs the TCMA function uses to determine the air/ground state of the aircraft and the logic that uses those to make the determination.

Many years ago I maintained a Hawker 1000 business jet equipped with PW305 engines with FADEC. The fuel control did not have a separate switch to control fuel flow to shut down the engines. Shutdown was accomplished by pressing a release on the power levers allowing the lever to be pulled past the idle stop all the way to the cutoff position.

One day upon returning from a flight, the crew pulled both power levers to cutoff. The right engine shutdown immediately as expected, but the left engine kept running. By the time we in maintenance got out to the airplane, the engine finally shutdown by itself.

Troubleshooting found the cause of the problem. The cutoff position of the power lever closed a micro switch that sent a ground to the FADEC. That ground went through two discrete wires. One went directly to one input on the FADEC. The other went through a squat switch on the main gear leg to a second input on the FADEC. The engine would only shutdown immediately if both inputs went to ground simultaneously. If only one input went to ground, the FADEC would delay shutdown for 30 seconds. This was to protect against an inadvertent movement of the power lever to the cutoff position in flight causing an immediate shutdown.

The squat switch on the left gear leg had failed in the open position, causing the problem.

I am wondering if more modern FADEC engines have similar protections against immediate shutdown in the air? I can see why the designers of the Hawker implemented the system the way they did, because the shutdown command was integral to the power lever, and it potentially could be pulled to the cutoff position in flight by an inadvertent release of the locking mechanism that would normally prevent it from going past the idle stop, whereas modern FADEC engines like found on the 787 have a discrete locking switch.

But, if a similar protection against immediate shutdown does exist in the 787, would the engines keep running for a period of time (in the air) even if the fuel control switch was accidentally or deliberately moved to \x93off\x94?

Having gone through every possible way the aircraft (or those in it) can shut down both engines, thought it would be helpful to look at what investigators have looked at/for in a somewhat similar case. Perhaps it will move the discussion to more unplowed ground.

Going through AAIB Bulletin10/2008 from the British AAIB in the BA 38 case. Before finding the exact cause, they had investigated the following with findings in quotes:

1. General aircraft examination - "no pre‑existing defects with the electrical systems, hydraulics, autoflight systems, navigation systems or the flying controls."
2. Spar valves - "Extensive testing to induce an uncommanded movement, that remained unrecorded, could not identify any such failure modes."
3. High Intensity Radiated Field (HIRF) and Electro- Magnetic Interference(EMI) - "There is therefore no evidence to suggest that HIRF or EMI played any part in this accident."
4. Fuel System - "The examination and testing found no faults in the aircraft fuel system that could have restricted the fuel flow to the engines."
5. Engines - "No pre‑existing defects or evidence of abnormal operation were found with the exception of signs of abnormal cavitation erosion on the delivery side of both HP pumps. Some small debris was recovered from the left FOHE inlet chamber but this would not have restricted the fuel flow."
6. Fuel Loading/Fuel Testing - "No evidence of contamination was found." "The properties of the sampled fuel were also consistent with the parameters recorded in the quality assurance certificate for the bulk fuel loaded onto G‑YMMM at Beijing."
7. Water in Fuel - "It is estimated that the fuel loaded at Beijing would have contained up to 3 ltr (40 parts per million (ppm)) of dissolved water and a maximum of 2 ltr (30 ppm) of undissolved water (entrained or free). These quantities of water are considered normal for aviation turbine fuel."

Knowing the history of this flight, the previous flights and the climate that day, I left out all the discussion in the report of fuel waxing/ice. That seems as irrelevant as 'vapor lock'.

I too am beginning to think this will be, as an earlier poster termed it, a "unicorn" event.

Source: Bulletin_10-2008.pdf

Spot on, there's so much fuel being sucked at that power setting, it would be super quick and presumably at near enough to the exact same time.

I assume (rightly so) that you're focused on what could cause them to fail at what appears to be the exact same time given the absence of yaw and any correcting rudder input.

One the face of it, it could only be throttle or fuel supply, with fuel supply only being able to be cut off by valves so abruptly. Any kind of blockage or similar wouldn't give such a result, even if there was a low fuel condition, short of the pickups being exactly right next to each other, presumably that wouldn't give the outcome we've seen.

I am a software engineer, I find it alarming that the power control unit had the ability to command all AC generator control units to effectively shut down - regardless of that being the side-effect of a bug, or an ability of the system to call on in appropriate scenarios.

Integer overflow is a specific type of issue common to many systems, but like you said - it is something that should be found with robust QA and analysis. The ability to shut down all generators at once from a single source seems like a risky design decision to me and I agree with your point about different software on 2 or more redundant sub systems.

My theory is that this was an accepted risk because the engine-driven fuel pumps would be more than enough in most phases of flight to keep the engines running, and you would still have 2 engines for redundancy. The APU would also restore AC power in lets say 30 seconds and you would then have electric fuel pumps as well.

I think there are several factors that could explain how loss of all AC power during takeoff could lead to a crash:

• The crash happened within 30 seconds - possibly too short for the APU to start, and the RAT doesn't power the AC electric fuel pumps
• The engine driven fuel pumps even if sufficient in level flight may have struggled during rotation - has Boeing tested an actual takeoff with only EDP feeding the engine while the fuel tanks are rotating and in extreme environments, or, have they only tested this statically?
• The takeoff was hot and heavy - combined with the landing gear stuck down and reduced thrust from loss of electric fuel pumps could this be enough?

Actually, according to tdracer , each channel of the FADEC gets just one throttle resolver input, as the two resolvers are on separate wiring looms. So, the FADEC is using the dual channel feature to handle erroneous throttle position inputs. However, according to the patent at least, each channel can trigger TCMA and cut the fuel supply independently. So now we're down to only needing only one erroneous throttle signal per engine. Or one wrong interpretation of a signal, e.g. value clipping where you shouldn't (shortcircuit -> idle), some integer overflow etc.

So, from my understanding, if there is an issue with some of the throttle position sensors, the FADECs will detect a disagreement and keep the high thrust -> assume safe is "fly", whereas one of the TCMA channels might read or misinterpret throttle position close to idle. As the thrust doesn't decrease, at some point the upper bound of the falling TCMA thrust contour will be breached and the engine will be shut down.

I have read most of the thread (old and new). As a lawyer working in forensic investigations, I am constantly involved in problem-solving. My field of work also includes complex investigations related to insolvencies, which almost always require an analysis of the causes behind a specific, established outcome. In doing so, I naturally also have to deal with probabilities. However, it often turns out that the most likely or plausible explanation does not reflect what actually happened.

Many of the considerations I’ve read fail because the simultaneous failure of both engines is extremely unlikely, leading to a constant search for higher-order causes. It was suggested that an incorrect altitude setting led to an early thrust reduction. However, this would not explain the deployment of the RAT (Ram Air Turbine), especially since the thrust could have been readjusted. FADEC and TCAM are highly redundant systems, and TCAM failure is unlikely due to WOW (Weight on Wheels) logic, making a simultaneous engine failure after VR equally improbable.

With that said, and with regard to my question concerning the AD that relates to the fuel control switches (FCS), my thought—and it was nothing more than that—was that their activation becomes more probable if it can occur accidentally. That’s how I came across SAIB: NM-18-33.

Another user then brought up an iPhone. That notion would, of course, be dramatic—but how unlikely is it really that after approximately 10,000 actuations between December 2013 and June 2025, the two FCS no longer lock perfectly? Considering all of this, I find it quite conceivable that the A/T slightly reduced thrust in the first seconds after VR (e.g., if an incorrect target altitude had been entered) and that an object lying between the thrust levers and the FCS could have pushed the FCS into the “Off” position. Due to the buttons on top of the switches, which provide some resistance, it’s even possible that the object both pulled and pushed them.

But all of this is speculation. The investigation report will bring clarity.

Even if my theory is not confirmed, I still believe that the positioning and mechanism of the FCS are suboptimal. Switches of such critical importance should be better protected, and movements in the area in front of the switches (like reducing thrust) should not follow the same direction as shutting off the fuel supply. A different switching direction alone would provide more safety—especially considering that the FCS are protected laterally by metal plates.

It is probable that the switches are becoming easier to move across the gate after 10,000 operations. Something falling on them would be a possibility to cause that. And there is certainly an argument to be had whether down=on is a safer way for them to operate.

From the EASA type-certificate data sheet for GEnx series engines, document no. IM.E.102, issue 11, dated 22/11/22:
1.3 Fuel Inlet Temperature (C):
At engine fuel pump inlet:
GEnx‐1B Engine Series
Temperatures \xb0C
Minimum ‐ 53.8
Maximum 65.5

I think the mods are right to squelch vapor-lock theories because AFAIK there's no support for the notion that it would happen under these circumstances. I can provide a brief explanation but I don't know the operating parameters of a 787 fuel system so I can't speak authoritatively on that. I can speak authoritatively on modern automotive fuel systems where vapor lock on a running system is just not a thing, even though gasoline has much higher vapor pressures and cars can be operated in temperatures much higher than 43C with fuel temperatures to match.

This explanation comes with a money-back guarantee and if I'm wrong I'll send out refunds.

First, vapor lock is simply where a pump or other device becomes inoperative because it is designed to pump liquids but is presented with a gas (vapor) at it's inlet and thus cannot develop pressure and pump the fuel. Think of a very old car with a mechanical fuel pump on the engine block that draws fuel through a long tube from the fuel tank. If you shut the car off on a hot day, the residual heat may boil off the fuel in the lines and carburetor so that when you try to restart, there's no fuel anywhere and your pump has lost it's prime. It is key to note that even with a very crude system like this and volatile gasoline as a fuel, vapor lock usually only affects starting and not running engines. There are exceptions, of course.

The three key factors are the absolute pressure at a particular point in the fuel system, the vapor pressure of the fuel at whatever temperature it is at and system design. System design has all but eliminated vapor lock as a serious issue in the gasoline automotive world. At near sea level, the outside pressure is about 1 bar (15psi) and at 50C typical jet fuel will have a vapor pressure of perhaps 0.02 bar. So the only way to cause it to vaporize jet fuel, even at 50C+, would be to subject it to a very, very strong suction. AFAIK there are no vulnerable points where you'd have suction during normal operation because the fuel pumps are presumably (I don't actually know) immersed in fuel and the entire system has greater than 1 bar pressure all the way to the high pressure pumps. Even without the electric pumps, the inlet to the mechanical pump is below tank level. So absent some major fuel line restriction, there aren't any points where you'd have strong suction aka very low absolute pressure.

The discussions about fuel temperature also seem a big irrelevant to me--even at 60 or 70C the vapor pressure is still very low and I doubt you'd see significant vapors at all under 100C with any reasonable fuel system design and properly blended fuel . I'm assuming the fuel temperature limits are for other reasons, perhaps flash point or ignitabilty (TWA 800) or viscosity and lubricity concerns with the high pressure pump. Again, IDK, but vapor lock with Jet A seems very far fetched to me. I would note that improperly blended fuel could have a much higher vapor pressure and still work OK in most cases as long as positive pressure was maintained. So if the electrics and the pumps went offline and the fuel vapor pressure was way too high, I suppose there could be vapors formed in the suction line going to the mechanical pumps. But I don't have nearly enough knowledge to proclaim that as a possibility. I presume they've taken fuel samples at the source and tested them. Here's a paper on Jet A vapor pressure:

https://www.researchgate.net/publica...Kerosene_Jet_A

I\x92m sure this is wrong; was looking for confirmation. I read somewhere that the 787 keeps the fuel valve open by an electric driven actuator, and closes it by spring force.

I seem to remember Fred Dibner talking about how railway cars brake by draining the piston not by pressurising it, so trains will stop when supply lines break.

The electrical system updates to 787s for ADs and SBs - do any of these include software updates? For example the integer overflow causing GCU failsafe rectified under AD 2018-20-15. If so, who is writing and implementing these software updates? The original engineers? Their apprentices who had years long handovers? Or have they been outsourced and offshored? When these updates occur, does the entire system get tested and ratified or just the bit the bug fix is meant to fix? Because I\x92ve seen new bugs introduced by bug fixes in areas seemingly nothing to do with the original problem.

*On the ground* you get into a latched state, once TCMA deploys: after activation the relays stay latched to prevent a re-runaway. A full power reset of the affected EEC channel(s) and relay logic - normally done only at the gate - is required before fuel can flow again. So you can\x92t easily relight.

I rather think of more than one failure. For example (and I don't think that is what happened!): Some 11 year old contactor fails fatally in the central electrical equipment bay. This failure leads to a total electrical blackout. The engine driven fuel pumps, being older as well, don't do gravity feed anymore as they should.
ONCE AGAIN: I don't think that is what happened - it's just an example of a chain of events triggered by worn out and/or older equipment. Both failures would never happen on a new aircraft.

Thanks, makes sense.

Technically, then, if TCMA deployed erroneously during takeoff, there would be no way for the pilots to restart the engines?