June 20, 2025, 13:49:00 GMT
permalink Post: 11906988
Hi
This got me thinking, looking at the engine mounted shutoff valve (HPSOV) in ATA 76, I see that its operated by three sources
Looking at ATA26 the engine fire control panel is energized by the hot battery bus (HOT BB). Is it credible that a failure of the hot battery bus (for example due to damage or liquid ingress in the P300 panel ) could lead to this situation?
- FADEC, as discussed in a number of posts above
- RUN / CUTOFF switch
- engine fire control panel
- engine fuel spar and high-pressure valves would be cutoff (obviously)
- hydraulics pump would be depressurized and shutoff from the circuit
- electrical generators would be disconnected
Looking at ATA26 the engine fire control panel is energized by the hot battery bus (HOT BB). Is it credible that a failure of the hot battery bus (for example due to damage or liquid ingress in the P300 panel ) could lead to this situation?
Last edited by oyaji-fr; 20th June 2025 at 14:07 .
June 20, 2025, 17:12:00 GMT
permalink Post: 11907144
tdracer posted - "
Commanded engine cutoff - the aisle stand fuel switch sends electrical signals to the spar valve and the "High Pressure Shutoff Valve" (HPSOV) in the Fuel Metering Unit, commanding them to open/close using aircraft power. The HPSOV is solenoid controlled, and near instantaneous. The solenoid is of a 'locking' type that needs to be powered both ways (for obvious reasons, you wouldn't want a loss of electrical power to shut down the engine). The fire handle does the same thing, via different electrical paths (i.e. separate wiring)."
Search this thread for "HPSOV" if you need confirmation of the quote.
Note there are two shut off fuel valves per engine - the HPSOV and the Spar valve. Both stay where they are if power is lost.
Search this thread for "HPSOV" if you need confirmation of the quote.
Note there are two shut off fuel valves per engine - the HPSOV and the Spar valve. Both stay where they are if power is lost.
June 20, 2025, 17:18:00 GMT
permalink Post: 11907146
tdracer posted - "
Commanded engine cutoff - the aisle stand fuel switch sends electrical signals to the spar valve and the "High Pressure Shutoff Valve" (HPSOV) in the Fuel Metering Unit, commanding them to open/close using aircraft power. The HPSOV is solenoid controlled, and near instantaneous. The solenoid is of a 'locking' type that needs to be powered both ways (for obvious reasons, you wouldn't want a loss of electrical power to shut down the engine). The fire handle does the same thing, via different electrical paths (i.e. separate wiring)."
Search this thread for "HPSOV" if you need confirmation of the quote.
Note there are two shut off fuel valves per engine - the HPSOV and the Spar valve. Both stay where they are if power is lost.
Search this thread for "HPSOV" if you need confirmation of the quote.
Note there are two shut off fuel valves per engine - the HPSOV and the Spar valve. Both stay where they are if power is lost.
June 20, 2025, 23:51:00 GMT
permalink Post: 11907396
Wouldn't "fail safe open" imply that the valves would open on loss of control signals or power. They don't. They stay just where they were before loss of power or control signal. If I understood tdracer's description of the HPSOV it can only be open or closed. That's not true of the spar valves which are motor driven and can stop in any intermediate position if power is lost.
The only way this is relevant to the accident is if the shut off valves had been commanded closed and then power had been lost. The valves would not open.
The only way this is relevant to the accident is if the shut off valves had been commanded closed and then power had been lost. The valves would not open.
June 21, 2025, 08:13:00 GMT
permalink Post: 11907564
Wouldn't "fail safe open" imply that the valves would open on loss of control signals or power. They don't. They stay just where they were before loss of power or control signal. If I understood tdracer's description of the HPSOV it can only be open or closed. That's not true of the spar valves which are motor driven and can stop in any intermediate position if power is lost.
The only way this is relevant to the accident is if the shut off valves had been commanded closed and then power had been lost. The valves would not open.
The only way this is relevant to the accident is if the shut off valves had been commanded closed and then power had been lost. The valves would not open.
What I mean is that with engines running, fuel shut off valve(S) open, if there is a loss of electrical power the valves will remain open.
This is standard design on all the gas turbine engines I have worked on.
June 21, 2025, 12:15:00 GMT
permalink Post: 11907698
Commanded engine cutoff - the aisle stand fuel switch sends electrical signals to the spar valve and the "High Pressure Shutoff Valve" (HPSOV) in the Fuel Metering Unit, commanding them to open/close using aircraft power.
The HPSOV is solenoid controlled, and near instantaneous. The solenoid is of a 'locking' type that needs to be powered both ways (for obvious reasons, you wouldn't want a loss of electrical power to shut down the engine)
. The fire handle does the same thing, via different electrical paths (i.e. separate wiring).
.
.
The engine driven fuel pump is a two-stage pump - a centrifugal pump that draws the fuel into the pump (i.e. 'suction feed'), and a gear pump which provides the high-pressure fuel to the engine and as muscle pressure to drive things like the Stator Vane and Bleed Valve actuators. It takes a minimum of ~300 PSI to run the engine -
the HPSOV is spring loaded closed and it takes approximately 300 psi to overcome that spring
.
Engine driven fuel pump failures are very rare, but have happened (usually with some 'precursor' symptoms that were ignored or mis-diagnosed by maintenance). It would be unheard of for engine driven fuel pumps to fail on both engines on the same flight.
Engine driven fuel pump failures are very rare, but have happened (usually with some 'precursor' symptoms that were ignored or mis-diagnosed by maintenance). It would be unheard of for engine driven fuel pumps to fail on both engines on the same flight.
June 21, 2025, 12:30:00 GMT
permalink Post: 11907705
Without going round the hamsterwheel again does anyone have an actual reference for this? Because I've gone back through each of tdracer's very informative posts about this
see here
and there is a discrepancy in the two points he makes below in adjacent posts. Is tdracer talking about the same HPSOV valves? Can anyone confirm that with both AC power loss and and a temporary DC power loss there are no critical engine related shutoff valves that will fail safe (unpowered) in a closed position?
However, it could easily have different modes of operation (closed, electrically actuated), activated (electrically actuated), open (transition from activated + fuel pressure > 300psi).
June 21, 2025, 13:01:00 GMT
permalink Post: 11907727
Without going round the hamsterwheel again does anyone have an actual reference for this? Because I've gone back through each of tdracer's very informative posts about this
see here
and there is a discrepancy in the two points he makes below in adjacent posts. Is tdracer talking about the same HPSOV valves? Can anyone confirm that with both AC power loss and and a temporary DC power loss there are no critical engine related shutoff valves that will fail safe (unpowered) in a closed position?
Hopefully tdracer will provide more detail if/when he re-joins the discussion.
June 21, 2025, 20:40:00 GMT
permalink Post: 11908039
Without going round the hamsterwheel again does anyone have an actual reference for this? Because I've gone back through each of tdracer's very informative posts about this
see here
and there is a discrepancy in the two points he makes below in adjacent posts. Is tdracer talking about the same HPSOV valves? Can anyone confirm that with both AC power loss and and a temporary DC power loss there are no critical engine related shutoff valves that will fail safe (unpowered) in a closed position?
The HPSOV is made up of 2 parts which I'll call the main valve and the pilot valve. The pilot valve is actuated by a solenoid and supplied with fuel from the high-pressure side. The main valve is held shut by a spring. As long as the pilot valve is open and the high-pressure fuel pump is operating, fuel flows through the pilot valve, then pushes and holds the main valve open. The pilot valve and solenoid are 'latching,' i.e. they maintain their position until electrical power is applied. However, a certain pressure still has to be provided by the pump in order to hold the main valve open. Note that when I say 'high-pressure fuel pump,' I'm referring to the one that's mechanically driven by the engine's high-pressure shaft, not any of the electric pumps.
Note: The HPSOV is mistakenly labeled as 'PSOV' in this diagram.
June 22, 2025, 06:28:00 GMT
permalink Post: 11908303
Thanks for those two quotes. I had only used the first one in my previous reference to HPSOV operation. I have only been involved with Boeing spar valves and not any HPSOV. However, I do not see that spring shutoff when less than 300 psi is in conflict with staying open if electrical power is lost.
Hopefully tdracer will provide more detail if/when he re-joins the discussion.
Hopefully tdracer will provide more detail if/when he re-joins the discussion.
LPSOVs are motor driven sliding gate valves 28V DC from a hot battery bus.
June 30, 2025, 13:59:00 GMT
permalink Post: 11913644
There are several ways that the HPSOV can close:
An EEC (engine ECU) can close the upstream Fuel Metering Valve (FMV) electronically, so the HPSOV will lose its opening pressure.
The HPSOV can be acted on by a Shutoff Solenoid Valve (which directs fuel pressure in an opposite manner to the pressure coming from the Fuel Metering Valve).
Unfortunately, the diagram I am using is truncated, and I can't see if the Shutoff Solenoid Valve is magnetically latched in its last commanded position like typical fuel shutoff valves. Nor can I see what controls it. I suspect things like the respective cockpit fire handle and fuel cutoff lever, but also EEC commands.
There is probably a copyright on the diagram, so I won't post it here. Perhaps someone can fill in the gaps for me?
July 11, 2025, 00:34:00 GMT
permalink Post: 11919310
This has all been answered in previous posts, but I'll repeat it for those you don't want to look back through something like 150 pages:
Thrust Lever Angle (TLA) is measured directly by the FADEC, using a resolver hardwired to and excited by the FADEC. Both FADEC channels have their own resolver input - on most Boeing aircraft it's a common resolver with two sets of electrically isolated windings, however on the 787 it actually uses two mechanically separate resolvers. The resolver is basically read as "sine" and "cosine" which is converted in the angle. This also makes error detection easy, using the sine squared + cosine squared relationship. Any other aircraft systems that use TLA use the TLA signal relayed back to the aircraft by the FADEC.
The fuel control switch is a two-position multiple pole 'latching' switch - you have to pull it out slightly over detent to move it between the RUN and CUTOFF positions (on other aircraft there is an interposing relay for some of the functions. not sure about the implementation on the 787). Moving the switch to cutoff sends a DC signal to both the High Pressure ShutOff Valve (HPSOV) in the fuel control and the spar valve commanding them to close. HPSOV is solenoid actuated and is near instantaneous, Spar Valve takes ~one second to change positions (yes, this is different than some other airframers that only send the signal to one valve or the other, but it's been standard Boeing design practice since the early 1970s). Both the HPSOV solenoid and the Spar Valve are designed to stay in their last commanded position if airframe power is lost. Moving the switch to CUTOFF also sends a 'reset' signal to the FADEC - meaning the FADEC will be offline for roughly one second. On the 787 (and 777 and 747-8), there is a brief pause (~0.25 seconds) before the shutdown signal is sent to the engine to allow the electrical system to reconfigure to prevent a brief interrupt of electrical power to the rest of the aircraft.
Pulling the Fire Handle does the same thing as the fuel condition switch - via separate wiring (physically isolated from the fuel switch wiring to help protect from things like rotor burst damage), with the exception of the FADEC reset (since there is no requirement to be able to restart the engine after a Fire Handle shutdown).
There is absolutely no TLA input into either the fuel conditions switch or the Fire Handle - you can shutdown the engine via either regardless of Thrust Lever Angle.
All this is standard Boeing design practice (and except for the no-break electrical power transfer) has been for at least 50 years. This is enforced by the Boeing "Design Requirements and Objectives" - DR&O - compliance with is demonstrated by an audit after the final design freeze.
Thrust Lever Angle (TLA) is measured directly by the FADEC, using a resolver hardwired to and excited by the FADEC. Both FADEC channels have their own resolver input - on most Boeing aircraft it's a common resolver with two sets of electrically isolated windings, however on the 787 it actually uses two mechanically separate resolvers. The resolver is basically read as "sine" and "cosine" which is converted in the angle. This also makes error detection easy, using the sine squared + cosine squared relationship. Any other aircraft systems that use TLA use the TLA signal relayed back to the aircraft by the FADEC.
The fuel control switch is a two-position multiple pole 'latching' switch - you have to pull it out slightly over detent to move it between the RUN and CUTOFF positions (on other aircraft there is an interposing relay for some of the functions. not sure about the implementation on the 787). Moving the switch to cutoff sends a DC signal to both the High Pressure ShutOff Valve (HPSOV) in the fuel control and the spar valve commanding them to close. HPSOV is solenoid actuated and is near instantaneous, Spar Valve takes ~one second to change positions (yes, this is different than some other airframers that only send the signal to one valve or the other, but it's been standard Boeing design practice since the early 1970s). Both the HPSOV solenoid and the Spar Valve are designed to stay in their last commanded position if airframe power is lost. Moving the switch to CUTOFF also sends a 'reset' signal to the FADEC - meaning the FADEC will be offline for roughly one second. On the 787 (and 777 and 747-8), there is a brief pause (~0.25 seconds) before the shutdown signal is sent to the engine to allow the electrical system to reconfigure to prevent a brief interrupt of electrical power to the rest of the aircraft.
Pulling the Fire Handle does the same thing as the fuel condition switch - via separate wiring (physically isolated from the fuel switch wiring to help protect from things like rotor burst damage), with the exception of the FADEC reset (since there is no requirement to be able to restart the engine after a Fire Handle shutdown).
There is absolutely no TLA input into either the fuel conditions switch or the Fire Handle - you can shutdown the engine via either regardless of Thrust Lever Angle.
All this is standard Boeing design practice (and except for the no-break electrical power transfer) has been for at least 50 years. This is enforced by the Boeing "Design Requirements and Objectives" - DR&O - compliance with is demonstrated by an audit after the final design freeze.
July 12, 2025, 02:02:00 GMT
permalink Post: 11920093
Consider
this post
with a picture of the switches in question:
They must be lifted over the detent (if installed correctly) in each direction.
Far more than double pole - I think it's 4-8 ish. See the number of wires in the above picture. A previous post in one of the earlier thread indicated that it was essentially one pole per function - HPSOV, LPSOV, FADEC signal, generator etc. I'm not sure which one the EAFR reads. If it was a single contact failure, you would expect to see disagreement between the various systems controlled by the switch. I think that's very unlikely given both 'failed' in the same way near simultaneously and 'recovered' when switched.
For reference, it's pretty common for industrial emergency stop buttons to have 2-3 poles: redundant poles for the actual fault switching (legislative requirement above certain hazard levels), plus an additional pole for monitoring.
Depends on when they identified the SB and how obvious the lack of or incorrect fitting of detents is.
They must be lifted over the detent (if installed correctly) in each direction.
For reference, it's pretty common for industrial emergency stop buttons to have 2-3 poles: redundant poles for the actual fault switching (legislative requirement above certain hazard levels), plus an additional pole for monitoring.
Depends on when they identified the SB and how obvious the lack of or incorrect fitting of detents is.
July 13, 2025, 17:40:00 GMT
permalink Post: 11921477
Hi,
I have a couple of questions. Forgive me for being late into this thread if any of them is already discussed:
1) I just read this in a Boeing manual:
2) Looking at the incident timeline, one of the pilots takes corrective action to reswitch to RUN position 10 seconds after maximum air speed is reached and 5 seconds after RAT is deployed. Is this normal?
It's not clear however that whether their conversation is after or before the RAT is deployed.
(No visual or auditory cues in the cockpit for a critical fuel switch action? Not hearing the engines shutting down?)
3) The same pilot that turns on Engine 1's fuel switch, turns on Engine 2's switch 4 whole seconds later. Why not consecutively, right one after the other, just like they were turned off one second apart?
If only he had done so the second engine might have recovered in time as well.
4) This aircraft's TCM has been replaced in 2019 and 2023, not related to a fuel switch issue. And there had been no fuel switch defect reports since 2023. One begs to ask if there had been a fuel switch defect report back in 2023 and what was the nature of it?
Are TCM's replaced as a whole, including the switches, twice? If so, why wouldn't they install a TCM version at least in 2023 with redesigned switches (w/ enhanced locking mechanism) mentioned in the FAA SAIB? Have they installed old/used TCM's manufactured prior to 2018 SAIB?
Please note that the RH and LH GE engines of the aircraft were only installed in March 2025 and May 2025 respectively, but they were used and dating from 2013 and 2012. Is this normal for a 12 year old Boeing aircraft to change so many mission critical components?
Electronic parts somehow, but how durable are those GE engines?
Thanks,
C.A.
I have a couple of questions. Forgive me for being late into this thread if any of them is already discussed:
1) I just read this in a Boeing manual:
The fuel control switches send signals to open or close fuel valves to operate or shutdown the engines.
- They send signals to the remote data concentrators (RDC) and the spar valve start switch relays.
- The spar valve start switch relays use these signals to control the spar valve and the high pressure shut off valve (HPSOV) in the fuel metering unit (FMU).
- The RDCs send the signals to the common data network (CDN) and then to the electronic engine control (EEC) to operate the FMU fuel valves (FMV and HPSOV).
The fuel control switches have 2 positions:
- RUN
- CUTOFF.
You must pull the switch out of a detent to select a position.
There seems to be RDC's (remote data concentrators) and CDN (common data network) between those fuel switches and the fuel valves. Is there any possibility that there may have been an electronic control module or sensor fault to generate such a signal rather than mechanical switch movements?
- They send signals to the remote data concentrators (RDC) and the spar valve start switch relays.
- The spar valve start switch relays use these signals to control the spar valve and the high pressure shut off valve (HPSOV) in the fuel metering unit (FMU).
- The RDCs send the signals to the common data network (CDN) and then to the electronic engine control (EEC) to operate the FMU fuel valves (FMV and HPSOV).
The fuel control switches have 2 positions:
- RUN
- CUTOFF.
You must pull the switch out of a detent to select a position.
2) Looking at the incident timeline, one of the pilots takes corrective action to reswitch to RUN position 10 seconds after maximum air speed is reached and 5 seconds after RAT is deployed. Is this normal?
It's not clear however that whether their conversation is after or before the RAT is deployed.
(No visual or auditory cues in the cockpit for a critical fuel switch action? Not hearing the engines shutting down?)
3) The same pilot that turns on Engine 1's fuel switch, turns on Engine 2's switch 4 whole seconds later. Why not consecutively, right one after the other, just like they were turned off one second apart?
If only he had done so the second engine might have recovered in time as well.
4) This aircraft's TCM has been replaced in 2019 and 2023, not related to a fuel switch issue. And there had been no fuel switch defect reports since 2023. One begs to ask if there had been a fuel switch defect report back in 2023 and what was the nature of it?
Are TCM's replaced as a whole, including the switches, twice? If so, why wouldn't they install a TCM version at least in 2023 with redesigned switches (w/ enhanced locking mechanism) mentioned in the FAA SAIB? Have they installed old/used TCM's manufactured prior to 2018 SAIB?
Please note that the RH and LH GE engines of the aircraft were only installed in March 2025 and May 2025 respectively, but they were used and dating from 2013 and 2012. Is this normal for a 12 year old Boeing aircraft to change so many mission critical components?
Electronic parts somehow, but how durable are those GE engines?
Thanks,
C.A.
When reading any of the data when it comes out, pay some attention to the sampling rate of the data being provided, it is quite possible to make erroneous assumptions where that is not taken into consideration. The data buses used to get data from the aircraft system to the recorder, and the recorders themselves use sequential sentences, and varyious rates.
IMHO.
July 13, 2025, 17:45:00 GMT
permalink Post: 11921482
- They send signals to the remote data concentrators (RDC) and the spar valve start switch relays.
- The spar valve start switch relays use these signals to control the spar valve and the high pressure shut off valve (HPSOV) in the fuel metering unit (FMU).
(snip)
There seems to be RDC's (remote data concentrators) and CDN (common data network) between those fuel switches and the fuel valves. Is there any possibility that there may have been an electronic control module or sensor fault to generate such a signal rather than mechanical switch movements?
- The spar valve start switch relays use these signals to control the spar valve and the high pressure shut off valve (HPSOV) in the fuel metering unit (FMU).
(snip)
"They send signals to the remote data concentrators (RDC) and the spar valve start switch relays."
Nothing in what you quoted says or implies that the RDC is in the fuel valve control path.
Edit to add - The RDC is in the path that feeds fuel switch position to the flight data recorder. Any error in that path could make the recorded switch position disagree with the actual switch position. It cannot change the state of the fuel valves and it cannot cause the engines to stop producing thrust.
July 15, 2025, 18:07:00 GMT
permalink Post: 11923145
Inspired by the mention in the
PR
about a MEL on the \x91core network\x92, I came across the polemics between Boeing and IOActive a few years ago about the alleged vulnerability of 787 core systems to outside interference (hacker attack from within a/c and/or ground), including the highly sensitive CDN module, from where also the fuel cut-off module can be accessed. It\x92s definitely not my specialty, but I thought to flag it in case someone has more informed ideas about this. To my mind it could potentially \x93outshine\x94 intentional crew action. Boeing at the time denied such options, of course. Obviously also in good faith, but who knows where we are 6 years on.
https://www.wired.com/story/boeing-7...ecurity-flaws/
https://www.wired.com/story/boeing-7...ecurity-flaws/
July 15, 2025, 19:51:00 GMT
permalink Post: 11923215
It's never too late for any of us to learn something new about the fuel valve control architecture and sometimes facts may be hard to separate from the hamster droppings.
July 17, 2025, 00:16:00 GMT
permalink Post: 11924069
tdracer excellently summarised. But I'll confirm.
The switch is directly connected to the coils of a latching relay. That latching relay is directly connected to the coils of the spar valve. There is no digital logic device in the way,
The position of the switch is monitored (through a different set of contacts) by the EAFR (twice). The position of the spar valve is monitored by the EAFR.
Thus the recorder sees (twice) that the switch is moved, and that the valve moved in response.
The switch is directly connected to the coils of a latching relay. That latching relay is directly connected to the coils of the spar valve. There is no digital logic device in the way,
The position of the switch is monitored (through a different set of contacts) by the EAFR (twice). The position of the spar valve is monitored by the EAFR.
Thus the recorder sees (twice) that the switch is moved, and that the valve moved in response.
July 17, 2025, 04:18:00 GMT
permalink Post: 11924121
Two more questions for
tdracer
;-)
Are the FADECs able to drive the fuel shutoff valves as well? I would guess that this might be used for N2 overspeed protection (and therefore TCMA as well). If there is an overspeed there would be a good chance, that the fuel control/metering doesn't work as it should.
I am not asking to revive the switch discussion - I am just curious.
And one more question: Are the fuel shutoff valves powered by the PMG for the FADECs? I know the valves are latching so that a power failure of any kind wouldn't change their position.
Are the FADECs able to drive the fuel shutoff valves as well? I would guess that this might be used for N2 overspeed protection (and therefore TCMA as well). If there is an overspeed there would be a good chance, that the fuel control/metering doesn't work as it should.
I am not asking to revive the switch discussion - I am just curious.
And one more question: Are the fuel shutoff valves powered by the PMG for the FADECs? I know the valves are latching so that a power failure of any kind wouldn't change their position.
The HPSOV is driven by the aircraft using 28 Vdc power from the battery bus. The FADEC isn't involved - although it does get an indication of the fuel condition switch position, but that's not used except during starting. A 'false' fuel condition switch input of Cutoff will not cause the FADEC to do anything once the engine is running.