2025-06-20T13:49:00
permalink Post: 11906988
Hi
This got me thinking, looking at the engine mounted shutoff valve (HPSOV) in ATA 76, I see that its operated by three sources
Looking at ATA26 the engine fire control panel is energized by the hot battery bus (HOT BB). Is it credible that a failure of the hot battery bus (for example due to damage or liquid ingress in the P300 panel ) could lead to this situation?
- FADEC, as discussed in a number of posts above
- RUN / CUTOFF switch
- engine fire control panel
- engine fuel spar and high-pressure valves would be cutoff (obviously)
- hydraulics pump would be depressurized and shutoff from the circuit
- electrical generators would be disconnected
Looking at ATA26 the engine fire control panel is energized by the hot battery bus (HOT BB). Is it credible that a failure of the hot battery bus (for example due to damage or liquid ingress in the P300 panel ) could lead to this situation?
Last edited by oyaji-fr; 20th Jun 2025 at 14:07 .
2025-06-21T23:11:00
permalink Post: 11908143
I read the whole threads, keeping my hands on the mousewheel so far since I'm not a pilot, just a EE / safety / systems engineer.
The hamsterwheel ist spinning a lot here, and of course it could be anything including some VHDL FPGA code line or a broken RAM cell in a cheap memory bar within the computer it was compiled with. Anything is possible, but to be honest: development processes, if followed, are usually pushing the probability to a level where it becomes pure theory. BOSCH uses FPGA+\xb5C on the brake control box of cars. They sold 100 millions of those, used 4000h each (car lifetime) without error, with less strict development process. Most errors are made on requirement level, not code.
Also, so far there is no evidence I've seen regarding the 'chicken-egg' problem, did the engines fall below idle (fuel, stall...) and this caused an electrical blackout (-> battery, RAT...) or did an EE problem cause the engines to reduce thrust (FADEC, SW bug...). And where is the common cause in all this?
There has to be a systematic error common to both engines, an external failure affecting both or a dependent fault with one affecting the other within seconds. This is the only thing I think everyone agrees here. And I refuse to beleave the external failure or dependent fault was sitting in the cockpit.
I think it is something not common to every aircraft type for the last 50 years.
So I started searching and found a candidate.
I read myself into the EE architecture of this unique 'bleed-less' design and it's megawatt powergrid since this is the part where I may be able to contribute (and I'm most curious about). Generators on the 787 are >250kW instead of <100kW each and there are two per engine instead of just one. In fact, they can go up to 516 kW and shear off the gearbox at >2200Nm (equal to >2 MW, per generator).
https://www.easa.europa.eu/en/downloads/7641/en (page 11)
So while on any other aircraft the generator is more like the dynamo on your bicycle, those generators are massive (x10).
The gearbox is connected to the HP shaft (N2) on the GEnx. I learned from Wikipedia that RR moved this gearbox to the IP shaft on the Trend 1000. And RR is happy that the A330neo Trend 7000 uses bleed air and less load on the gearbox, since this maintains stability on the HP shaft at light load (also Wikipedia).
Those generators are not in phase and frequency sync, or in other words: If you parallel them, they fight each other, it's like a short. They will almost block if this is not handled by the control box if possible (or some melting fuse blows at some point).
787 electrical system - variable frequency generators?
Somehow I find it hard to believe that they are not able to disturb the engines despite that everyone here so far is claiming that there is no way an electrical problem could influence them because FADEC has it's own supply. I read that one is sufficent to start the engine, usually both are used.
In my mind I find lot's of ways this could influence both engines simultanously. If just the BTBs on the 230V grid got some humidity (hot, no AC, water cooling...) and went up in one big arc (I think they made them semiconductor relays, too).
Could those gearboxes and engines handle 4500Nm / almost 5 MW on each HP shaft, applied within a fraction of a second without any problem?
Or if the engines were in a condition not far from compressor stall, one was stalling and 400kW load jumped from one engines generators to the other...
I did some rough estimation and one of the generators could push N2 below idle in a second or less without fuel just with its normal 250kW load (just inertia).
This is one point which is unique to this airplane model, so maybe worth a closer look.
I know that those engines are burning at >100MW at full power, but how fragile in the balance between compressor load and this one turbine stage on the HP shaft / N2, without the inertia of a 2.8 meter fan? This is just out of my background, any thermodynamic expert here?
Of course I also have no insight in SW and communication within the control boxes, how much they are talking to each other, delaying/ramping load redistribution etc. If FADEC recognizes a flameout, could it instantly command the generators to cut the load, even above idle rpm?
I would assume that some fuel contamination, valve blockade, even compressor stall would pop up slower. But such a generator could kick in within milliseconds.
As a safety guy I learned that one tends to look first at things one is familiar with (SW, HW, mechanics, pilot behaviour, maintainance, depending on one's profession) and in the end it's often the interface and dependent faults within which are not carefully considered (e.g. takeoff situation vs. thermodynamics vs. mechanics vs. power generation vs. humidity vs. generator control...) together with transient behaviour. It was the same with MCAS (safety culture vs. pilot training vs. SW design (repeated action) vs. single AOA input vs. bird strike probability close to ground vs. trim loading/blockade vs. stickshaker noise/distraction).
In fact, I was trying to find information on all those systems and directly found slides on how the engines and generators could be simulated and the power grid tested in a HIL (hardware in the loop) environment. My experience from automotive is that such simulated environments are often far from reality and HIL environment programming finished after the product is already at the customer. But of course its far easier and cheaper to apply and test faults there. But then, some programmer programms what he thinks the reaction of the engine would be.
This 'bleed-less' design was some massive change in airplane EE architecture with hugh consequences on the whole airplane design and extremely hard to fully analyze.
I'm just asking questions and hope that we all learn a lot and this was fully considered or just not an issue. It's just an aspect I found worth mentioning and not only spinning the wheel.
PS: I doubt it was TCMA. The air/ground decision is done in a different box, evaluating 5 inputs in a 1/3 and 1/2 decision according to this discussion. This is then safely sent to the FADEC (as one input) and combined with the thrust lever position and N2. But if the thrust lever position is sensed (redundant and direct) close to idle, you do not need TCMA or ground mode to expect reduced thrust.
The hamsterwheel ist spinning a lot here, and of course it could be anything including some VHDL FPGA code line or a broken RAM cell in a cheap memory bar within the computer it was compiled with. Anything is possible, but to be honest: development processes, if followed, are usually pushing the probability to a level where it becomes pure theory. BOSCH uses FPGA+\xb5C on the brake control box of cars. They sold 100 millions of those, used 4000h each (car lifetime) without error, with less strict development process. Most errors are made on requirement level, not code.
Also, so far there is no evidence I've seen regarding the 'chicken-egg' problem, did the engines fall below idle (fuel, stall...) and this caused an electrical blackout (-> battery, RAT...) or did an EE problem cause the engines to reduce thrust (FADEC, SW bug...). And where is the common cause in all this?
There has to be a systematic error common to both engines, an external failure affecting both or a dependent fault with one affecting the other within seconds. This is the only thing I think everyone agrees here. And I refuse to beleave the external failure or dependent fault was sitting in the cockpit.
I think it is something not common to every aircraft type for the last 50 years.
So I started searching and found a candidate.
I read myself into the EE architecture of this unique 'bleed-less' design and it's megawatt powergrid since this is the part where I may be able to contribute (and I'm most curious about). Generators on the 787 are >250kW instead of <100kW each and there are two per engine instead of just one. In fact, they can go up to 516 kW and shear off the gearbox at >2200Nm (equal to >2 MW, per generator).
https://www.easa.europa.eu/en/downloads/7641/en (page 11)
So while on any other aircraft the generator is more like the dynamo on your bicycle, those generators are massive (x10).
The gearbox is connected to the HP shaft (N2) on the GEnx. I learned from Wikipedia that RR moved this gearbox to the IP shaft on the Trend 1000. And RR is happy that the A330neo Trend 7000 uses bleed air and less load on the gearbox, since this maintains stability on the HP shaft at light load (also Wikipedia).
Those generators are not in phase and frequency sync, or in other words: If you parallel them, they fight each other, it's like a short. They will almost block if this is not handled by the control box if possible (or some melting fuse blows at some point).
787 electrical system - variable frequency generators?
Somehow I find it hard to believe that they are not able to disturb the engines despite that everyone here so far is claiming that there is no way an electrical problem could influence them because FADEC has it's own supply. I read that one is sufficent to start the engine, usually both are used.
In my mind I find lot's of ways this could influence both engines simultanously. If just the BTBs on the 230V grid got some humidity (hot, no AC, water cooling...) and went up in one big arc (I think they made them semiconductor relays, too).
Could those gearboxes and engines handle 4500Nm / almost 5 MW on each HP shaft, applied within a fraction of a second without any problem?
Or if the engines were in a condition not far from compressor stall, one was stalling and 400kW load jumped from one engines generators to the other...
I did some rough estimation and one of the generators could push N2 below idle in a second or less without fuel just with its normal 250kW load (just inertia).
This is one point which is unique to this airplane model, so maybe worth a closer look.
I know that those engines are burning at >100MW at full power, but how fragile in the balance between compressor load and this one turbine stage on the HP shaft / N2, without the inertia of a 2.8 meter fan? This is just out of my background, any thermodynamic expert here?
Of course I also have no insight in SW and communication within the control boxes, how much they are talking to each other, delaying/ramping load redistribution etc. If FADEC recognizes a flameout, could it instantly command the generators to cut the load, even above idle rpm?
I would assume that some fuel contamination, valve blockade, even compressor stall would pop up slower. But such a generator could kick in within milliseconds.
As a safety guy I learned that one tends to look first at things one is familiar with (SW, HW, mechanics, pilot behaviour, maintainance, depending on one's profession) and in the end it's often the interface and dependent faults within which are not carefully considered (e.g. takeoff situation vs. thermodynamics vs. mechanics vs. power generation vs. humidity vs. generator control...) together with transient behaviour. It was the same with MCAS (safety culture vs. pilot training vs. SW design (repeated action) vs. single AOA input vs. bird strike probability close to ground vs. trim loading/blockade vs. stickshaker noise/distraction).
In fact, I was trying to find information on all those systems and directly found slides on how the engines and generators could be simulated and the power grid tested in a HIL (hardware in the loop) environment. My experience from automotive is that such simulated environments are often far from reality and HIL environment programming finished after the product is already at the customer. But of course its far easier and cheaper to apply and test faults there. But then, some programmer programms what he thinks the reaction of the engine would be.
This 'bleed-less' design was some massive change in airplane EE architecture with hugh consequences on the whole airplane design and extremely hard to fully analyze.
I'm just asking questions and hope that we all learn a lot and this was fully considered or just not an issue. It's just an aspect I found worth mentioning and not only spinning the wheel.
PS: I doubt it was TCMA. The air/ground decision is done in a different box, evaluating 5 inputs in a 1/3 and 1/2 decision according to this discussion. This is then safely sent to the FADEC (as one input) and combined with the thrust lever position and N2. But if the thrust lever position is sensed (redundant and direct) close to idle, you do not need TCMA or ground mode to expect reduced thrust.
4 users liked this post.
2025-06-21T23:39:00
permalink Post: 11908153
Re the
SAFRAN FADEC Gen 3
: It was used on the CFM56-5B and -7B and some CF6s amongst others. Unless those engines were re-FADECed later (seems unlikely), the FADEC dates to at least the early 90s.
Safran has some pictures that looks suitably early-90s high tech:
(I wouldn't be too certain that the second image shown is this generation FADEC, as it's also shown on the Gen 4 (LEAP) FADEC page).
(I recognise that soldering iron... Metcal makes good stuff).
There is some limited detail on the air/ground system here . It shows two truck tilt and two strut compression sensors on each of the two MLGs, 8 sensors total. Truck tilt sensors give 'fast' A/G detection; truck tilt + struts gives 'slow' A/G detection. Two systems but no mention of exactly how voting works. No mention of radalt but that could be handled separately before being provided to the FADECs.
I am also now thoroughly satisfied that the FADECs have their own alternators, and that these are separate to the flight control alternators integrated into each VFSG.
Safran has some pictures that looks suitably early-90s high tech:
(I wouldn't be too certain that the second image shown is this generation FADEC, as it's also shown on the Gen 4 (LEAP) FADEC page).
(I recognise that soldering iron... Metcal makes good stuff).
There is some limited detail on the air/ground system here . It shows two truck tilt and two strut compression sensors on each of the two MLGs, 8 sensors total. Truck tilt sensors give 'fast' A/G detection; truck tilt + struts gives 'slow' A/G detection. Two systems but no mention of exactly how voting works. No mention of radalt but that could be handled separately before being provided to the FADECs.
I am also now thoroughly satisfied that the FADECs have their own alternators, and that these are separate to the flight control alternators integrated into each VFSG.
3 users liked this post.
2025-06-22T01:41:00
permalink Post: 11908217
That wouldn't happen. Loads are preemptively shed before the busses are paralleled.
5 users liked this post.
2025-06-22T01:56:00
permalink Post: 11908221
Originally Posted by
JustusW
if ( happy == true ) {
print("I'm happy!"
}
if ( happy == true ) {
print("I'm happy!"
}
Over on reddit in /r/FPGA there are numerous complaints of tools producing incorrect outputs for FPGA and the observation that one cannot examine the state of an FPGA while it is operating; simulators are OK, but cannot reproduce slight timing variation related problems. At least with C one can, relatively easily, match 1:1 non-optimized compiled assembler output to the original input to see if the compiler is translating things correctly.
I expect FPGA if used are used for initial signal processing rather than logic. One can check that the processing is stable with signal generators and noise injection. The decision part is much more readable in C or Ada for people to decide if the logic is right and the test cases available can be used to verify that the compiler/linker is working OK, plus the aforementioned direct examination of the intermediate results, plus active debuggers to examine the state of the more conventional microprocessor.
4 users liked this post.
2025-06-22T06:28:00
permalink Post: 11908303
Thanks for those two quotes. I had only used the first one in my previous reference to HPSOV operation. I have only been involved with Boeing spar valves and not any HPSOV. However, I do not see that spring shutoff when less than 300 psi is in conflict with staying open if electrical power is lost.
Hopefully tdracer will provide more detail if/when he re-joins the discussion.
Hopefully tdracer will provide more detail if/when he re-joins the discussion.
LPSOVs are motor driven sliding gate valves 28V DC from a hot battery bus.
1 user liked this post.
2025-06-22T11:09:00
permalink Post: 11908450
2 MW break on the HP shaft
I like the theory introduced by
TryingToLearn
where a short in the BTB in a few milliseconds puts so much load on the HP rotor that it reduces its rpm until it suffocates. However, isn\x92t it that even with the BTB welded into a solid piece of copper that each generator can still shed all load through its own GCU/GPC almost instantly on sensing the short? Wouldn\x92t this scenario then also require at least one GCU per engine to fail as well?
Last edited by MatthiasC172; 22nd Jun 2025 at 11:20 . Reason: Typo: sending -> sensing
2 users liked this post.
2025-06-22T11:27:00
permalink Post: 11908463
I like the theory introduced by
TryingToLearn
where a short in the BTB in a few milliseconds puts so much load on the HP rotor that it reduces its rpm until it suffocates. However, isn\x92t it that even with the BTB welded into a solid piece of copper that each generator can still shed all load through its own GCU/GPC almost instantly on sensing the short? Wouldn\x92t this scenario then also require at least one GCU per engine to fail as well?
Also generator drive shafts are designed to shear under heavy load to stop them damaging the gearbox and 'stopping' the engine core shaft from running.
https://www.amtechinternational.com/...t/quill-shaft/
5 users liked this post.
2025-06-22T13:40:00
permalink Post: 11908547
So the main information gain would probably be: Did it stop after N2 falling below idle (generator disconnect) or before (electric failure). This single second would help in the investigation and indicate what came first.
The front recorder with it's own battery would track the status / data transmission capability of all control devices over time + recording some desperate voices in the cockpit.
Since this damaged front recorder is the one thing which could solve the miracle of this crash, I would think twice before I would like to give it to a new lab as the first thing to play with.
2 users liked this post.
2025-06-22T17:50:00
permalink Post: 11908714
SLF here. Mods - please delete summarily if this does not contribute to the discussion, I have no wish to waste anyones time. No 'AI' was used in the preparation of this post.
My understanding is that, as you say, the CAM has a preamp. That preamp can be powered by the RIPS that accompanies the forward EAFR.
In addition, I believe there is a single analogue connection from the CAM+preamp to the aft EAFR in addition to the analogue connection from the CAM+preamp to the forward EAFR. I believe, but am not sure,that the other flight-deck audio (headsets) is carried digitally over the fibre-optic network to the aft EAFR. The network may or may not be in operation in the event of an electrical failure: I simply don't know.
The publicly available information I can find is not stunningly clear about this.
AEROSAFETY WORLD, January 2008 - https://flightsafety.org/asw/jan08/a...47-48.pdf?dl=1
GE Aviation: Consolidate and increase recording power with the 3254F EAFR. - https://www.geaerospace.com/sites/de...rder-3254F.pdf
As for power, this NTSB document describes the power set-up for the EAFRs
https://data.ntsb.gov/Docket/Documen...ort-Master.PDF
So the forward EAFR is powered from the left 28V DC bus with the possibility of being powered by the RIPS, and the aft EAFR is powered from the right 28 V DC bus.
What I have been unable to determine is whether the right and/or left 28 V DC buses are powered from the main battery in case of failure of the AC power supply. To my untrained eye, it looks like the Captain's flight displays are powered from the main battery in extremis (28 V DC - C1), but that there are various circuit breakers, that could be automated, that may or may not allow or prevent other loads (such as the F/O's flight displays (28 V DC - C2), or the aft EAFR, being supplied by the main battery, (See link to diagram). There could well be very drastic automated load shedding.
https://kb.skyhightex.com/wp-content...l-1024x640.png
If the right 28 V DC bus was unpowered for any period, it follows that the aft EAFR was not recording for that period. This would make the forward EAFR important in case of a power failure that prevented the right 28 V DC bus from providing power.
All the information that is unclear to me will be transparently clear to the crash investigators. But it seems to me that the aft EAFR will not hold data for any period that the right 28 V DC bus is not operating. Whether that applies to this incident is an open question.
My understanding is that, as you say, the CAM has a preamp. That preamp can be powered by the RIPS that accompanies the forward EAFR.
In addition, I believe there is a single analogue connection from the CAM+preamp to the aft EAFR in addition to the analogue connection from the CAM+preamp to the forward EAFR. I believe, but am not sure,that the other flight-deck audio (headsets) is carried digitally over the fibre-optic network to the aft EAFR. The network may or may not be in operation in the event of an electrical failure: I simply don't know.
The publicly available information I can find is not stunningly clear about this.
AEROSAFETY WORLD, January 2008 - https://flightsafety.org/asw/jan08/a...47-48.pdf?dl=1
GE Aviation: Consolidate and increase recording power with the 3254F EAFR. - https://www.geaerospace.com/sites/de...rder-3254F.pdf
As for power, this NTSB document describes the power set-up for the EAFRs
https://data.ntsb.gov/Docket/Documen...ort-Master.PDF
So the forward EAFR is powered from the left 28V DC bus with the possibility of being powered by the RIPS, and the aft EAFR is powered from the right 28 V DC bus.
What I have been unable to determine is whether the right and/or left 28 V DC buses are powered from the main battery in case of failure of the AC power supply. To my untrained eye, it looks like the Captain's flight displays are powered from the main battery in extremis (28 V DC - C1), but that there are various circuit breakers, that could be automated, that may or may not allow or prevent other loads (such as the F/O's flight displays (28 V DC - C2), or the aft EAFR, being supplied by the main battery, (See link to diagram). There could well be very drastic automated load shedding.
https://kb.skyhightex.com/wp-content...l-1024x640.png
If the right 28 V DC bus was unpowered for any period, it follows that the aft EAFR was not recording for that period. This would make the forward EAFR important in case of a power failure that prevented the right 28 V DC bus from providing power.
All the information that is unclear to me will be transparently clear to the crash investigators. But it seems to me that the aft EAFR will not hold data for any period that the right 28 V DC bus is not operating. Whether that applies to this incident is an open question.
Having two combined recorders is already more backup than what had previously been the norm, in addition theres the independently powered area mic going analog to the front recorder.
The common models I have checked the sheets for also provides a digital output (which is probably sent to the aft recorder via normal busses.
Having a seperate analog line going to the aft recorder would be several Kg of extra weight, and probably a substantial amount of loom design and paperwork for what is then a backup to an already redundant system.
Hence, imho why this signal only goes to the forward recorder. It is already a \xabbonus\xbb.
The power for microphone and preamp is in the >1watt range range, completely insignificant.
I am still interested in reliable information as to what is expected to be on the recorder of an aircraft which has lost the generators, what about the battery powered prinary instruments? Does some systems and the aft recorder come online with the RAT or would everything be down to the one cockpit mic? Surely not?
2025-06-22T22:57:00
permalink Post: 11908879
It has 2 bugs. 3 if one expects anything to show up on a terminal, at least it used to be the case that print statements were buffered until encountering \n or \r. The first two problems would be caught by most compilers. Fortunately all three will beat up a programmer pretty good in the first day or two so they stop doing that.
Over on reddit in /r/FPGA there are numerous complaints of tools producing incorrect outputs for FPGA and the observation that one cannot examine the state of an FPGA while it is operating; simulators are OK, but cannot reproduce slight timing variation related problems. At least with C one can, relatively easily, match 1:1 non-optimized compiled assembler output to the original input to see if the compiler is translating things correctly.
I expect FPGA if used are used for initial signal processing rather than logic. One can check that the processing is stable with signal generators and noise injection. The decision part is much more readable in C or Ada for people to decide if the logic is right and the test cases available can be used to verify that the compiler/linker is working OK, plus the aforementioned direct examination of the intermediate results, plus active debuggers to examine the state of the more conventional microprocessor.
Over on reddit in /r/FPGA there are numerous complaints of tools producing incorrect outputs for FPGA and the observation that one cannot examine the state of an FPGA while it is operating; simulators are OK, but cannot reproduce slight timing variation related problems. At least with C one can, relatively easily, match 1:1 non-optimized compiled assembler output to the original input to see if the compiler is translating things correctly.
I expect FPGA if used are used for initial signal processing rather than logic. One can check that the processing is stable with signal generators and noise injection. The decision part is much more readable in C or Ada for people to decide if the logic is right and the test cases available can be used to verify that the compiler/linker is working OK, plus the aforementioned direct examination of the intermediate results, plus active debuggers to examine the state of the more conventional microprocessor.
1 user liked this post.
2025-06-28T12:21:00
permalink Post: 11912467
NYT illustrated the story, drawing the same conclusions as this thread so far:
https://www.nytimes.com/interactive/...ash-cause.html
https://www.nytimes.com/interactive/...ash-cause.html
The analysis suggests that the plane likely extended its wing flaps and slats before takeoff, used adequate runway distance, and took off from a typical point with a relatively normal initial ascent.
Within seconds of takeoff, however, the landing gear retraction process appears to have failed, and the plane’s emergency power generator was likely deployed....
“You don’t see any kind of indication of asymmetric thrust. You don’t see yawing, you don’t see rudder deflection, you don’t see smoke, or puffs of flame from either engine,” said Jeff Guzzetti, a former accident investigator for the Federal Aviation Administration. “That all adds up to me to be a symmetrical loss of power.”
Within seconds of takeoff, however, the landing gear retraction process appears to have failed, and the plane’s emergency power generator was likely deployed....
“You don’t see any kind of indication of asymmetric thrust. You don’t see yawing, you don’t see rudder deflection, you don’t see smoke, or puffs of flame from either engine,” said Jeff Guzzetti, a former accident investigator for the Federal Aviation Administration. “That all adds up to me to be a symmetrical loss of power.”
2025-06-29T20:45:00
permalink Post: 11913220
Some thrust from idle and up would normally keep generators online.
3 users liked this post.
2025-06-29T21:33:00
permalink Post: 11913248
Its possible that the RAT was deployed for other reasons, prior to the engines losing thrust. So, leaving the RAT out of the equation for a bit, do we think there is a sound of engines TRYING to run?
1 user liked this post.
2025-06-30T13:32:00
permalink Post: 11913628
Thank you for that answer, edge cases do abound in complex systems, but would not moving the throttles forward by hand (as the thrust was beginning to reduce {for that strange reason}) overcome that and restore thrust?
(As I don't fly the 787, I may be missing something basic on how the systems work).
(As I don't fly the 787, I may be missing something basic on how the systems work).
THRUST Asymmetry PROTECTION.
"For an engine-out condition, Thrust Asymmetry Protection (TAP) reduces thrust on the operating engine to ensure there is sufficient rudder for directional control. TAP reduces thrust when the airspeed decreases below approximately V2 on a takeoff or below approximately VREF on a go-around. Once speed is increased above V2/VREF, TAP increases thrust."
From what we know so far, it does seem the engines were not producing sufficient thrust, during a period when it would also be crucial to maintain electrical output for the electro-hydraulic systems and critical electrical loads.
Reduced electrical output could explain the failure of the gear to complete retraction, maybe caused by a generator failing at the worst possible moment.
If there was an EFATO, the ability of the remaining generators to provide sufficient power might become questionable, as is highlighted with the load shedding system.
Other features which are unique to the 787 could be contributing factors in explaining the accident.
It is known the 787 will generally employ an extended take-off roll, and a relatively higher V1 and Vr, and also climb out less steeply than other aircraft. Using more of the runway would reduce the margin for aborted take offs.
With the evident lack of thrust early in the climb out, and failure to retract the gear, if V2 had not been maintained, the TAP system would have reduced thrust even further. Manually increasing thrust will be inhibited.
2025-06-30T15:49:00
permalink Post: 11913716
India's Minister of State for Civil Aviation appears to be confirming in this interview that the cause of the accident was a dual engine failure. Which is, I think, the first vaguely official confirmation of what happened that has been released? He also confirmed that all the data from the recorders has been downloaded and is being processed by the Indian AAIB, no boxes have been sent abroad.
The 30 day deadline for the preliminary report is July 12th.
The 30 day deadline for the preliminary report is July 12th.
The minister called the crash a \x93rare case\x94 and, referring to claims by veteran pilots and experts that a dual-engine failure may have led to the crash, said: \x93It has never happened that both engines have shut down together.\x94 \x93Once the report comes, we will be able to ascertain if it was an engine problem or fuel supply issue or why both engines had stopped functioning.
2025-06-30T18:57:00
permalink Post: 11913849
I found descriptions on the systems of the 787 were easily discovered online, and while I have no hands-on experience of aircraft related matters, I do have experience in wider electrical theory and maintenance.
THRUST Asymmetry PROTECTION.
"For an engine-out condition, Thrust Asymmetry Protection (TAP) reduces thrust on the operating engine to ensure there is sufficient rudder for directional control. TAP reduces thrust when the airspeed decreases below approximately V2 on a takeoff or below approximately VREF on a go-around. Once speed is increased above V2/VREF, TAP increases thrust."
From what we know so far, it does seem the engines were not producing sufficient thrust, during a period when it would also be crucial to maintain electrical output for the electro-hydraulic systems and critical electrical loads.
Reduced electrical output could explain the failure of the gear to complete retraction, maybe caused by a generator failing at the worst possible moment.
If there was an EFATO, the ability of the remaining generators to provide sufficient power might become questionable, as is highlighted with the load shedding system.
Other features which are unique to the 787 could be contributing factors in explaining the accident.
It is known the 787 will generally employ an extended take-off roll, and a relatively higher V1 and Vr, and also climb out less steeply than other aircraft. Using more of the runway would reduce the margin for aborted take offs.
With the evident lack of thrust early in the climb out, and failure to retract the gear, if V2 had not been maintained, the TAP system would have reduced thrust even further. Manually increasing thrust will be inhibited.
THRUST Asymmetry PROTECTION.
"For an engine-out condition, Thrust Asymmetry Protection (TAP) reduces thrust on the operating engine to ensure there is sufficient rudder for directional control. TAP reduces thrust when the airspeed decreases below approximately V2 on a takeoff or below approximately VREF on a go-around. Once speed is increased above V2/VREF, TAP increases thrust."
From what we know so far, it does seem the engines were not producing sufficient thrust, during a period when it would also be crucial to maintain electrical output for the electro-hydraulic systems and critical electrical loads.
Reduced electrical output could explain the failure of the gear to complete retraction, maybe caused by a generator failing at the worst possible moment.
If there was an EFATO, the ability of the remaining generators to provide sufficient power might become questionable, as is highlighted with the load shedding system.
Other features which are unique to the 787 could be contributing factors in explaining the accident.
It is known the 787 will generally employ an extended take-off roll, and a relatively higher V1 and Vr, and also climb out less steeply than other aircraft. Using more of the runway would reduce the margin for aborted take offs.
With the evident lack of thrust early in the climb out, and failure to retract the gear, if V2 had not been maintained, the TAP system would have reduced thrust even further. Manually increasing thrust will be inhibited.
2 users liked this post.
2025-07-01T06:48:00
permalink Post: 11914048
Hold your horses there
Bloggs
, I didn't say they did, I said centre tanks were typically turned on at that altitude (using a certain 737 operator as a guide). As the check list that you posted shows the centre pumps will automatically turn off because of load shedding once an engine is started.
Once both engines are running and the four VFSGs are online, I would not expect any load shedding and certainly not of flight loads like fuel pumps.
The Airbus manuals imply or clearly state that centre pumps are inhibited when the flaps are extended, so both engines draw from the wing/main tanks. I haven't seen anything clearly matching in the Boeing manuals.
2025-07-01T09:32:00
permalink Post: 11914147
I know that the engine driven pumps have documented limitations and that the regulations allow for some limitations. I know that at least one of these limitation is high altitude and I _suspect_ that the design intends for this unlikely scenario (engine driven fuel pumps alone with no AC pumps) to guarantee enough fuel flow to get to an airport and land. I also suspect that the APU is expected to solve loss of all AC generators - and as we know, there wasn't enough time for it to start in this scenario.
2025-07-01T10:19:00
permalink Post: 11914164
Not really relevant to what you quoted though, as the scenario in question requires:
-
Engines running on centre tank fuel during takeoff
while the aircraft is operating normally
- We don't know for certain if this is the case. It seems to be but it's not something that happens on other families.
- Then, total AC failure stopping fuel boost pumps.
- Engines suction feed from contaminated/full-of-water wing tanks.
I also don't see any evidence that engine driven fuel pumps alone must be able to handle this scenario: provide enough fuel flow for takeoff and climb, even while the pitch is rotating, even in a hot environment with significant weight, even while the gear is stuck down.
I know that the engine driven pumps have documented limitations and that the regulations allow for some limitations. I know that at least one of these limitation is high altitude and I _suspect_ that the design intends for this unlikely scenario (engine driven fuel pumps alone with no AC pumps) to guarantee enough fuel flow to get to an airport and land. I also suspect that the APU is expected to solve loss of all AC generators - and as we know, there wasn't enough time for it to start in this scenario.
I know that the engine driven pumps have documented limitations and that the regulations allow for some limitations. I know that at least one of these limitation is high altitude and I _suspect_ that the design intends for this unlikely scenario (engine driven fuel pumps alone with no AC pumps) to guarantee enough fuel flow to get to an airport and land. I also suspect that the APU is expected to solve loss of all AC generators - and as we know, there wasn't enough time for it to start in this scenario.
The limitations at high altitude are primarily air/volatiles degassing out of the fuel. That's not going to be much of an issue at sea level, even if the engines are a bit higher up during rotation.
APU is a nice-to-have; it's on the MEL. If you lose all four generators, it's because of some major carnage in the electrical software/hardware and chances of putting the APU on line even if it's operating are very slim.
1 user liked this post.