Someone Somewhere
July 01, 2025, 10:19:00 GMT
permalink Post: 11914164

Quote:

Originally Posted by adfad

We know (from the 248-day bug) that full AC power failure is possible and we see from the RAT and landing gear orientation that full AC power failure was likely within ~10 seconds of leaving the ground.

I believe that particular bug is fixed, though it's always possible there's other issues causing a total AC loss.

Not really relevant to what you quoted though, as the scenario in question requires:

Engines running on centre tank fuel during takeoff while the aircraft is operating normally
- We don't know for certain if this is the case. It seems to be but it's not something that happens on other families.
Then, total AC failure stopping fuel boost pumps.
Engines suction feed from contaminated/full-of-water wing tanks.

Quote:

I also don't see any evidence that engine driven fuel pumps alone must be able to handle this scenario: provide enough fuel flow for takeoff and climb, even while the pitch is rotating, even in a hot environment with significant weight, even while the gear is stuck down.

I know that the engine driven pumps have documented limitations and that the regulations allow for some limitations. I know that at least one of these limitation is high altitude and I _suspect_ that the design intends for this unlikely scenario (engine driven fuel pumps alone with no AC pumps) to guarantee enough fuel flow to get to an airport and land. I also suspect that the APU is expected to solve loss of all AC generators - and as we know, there wasn't enough time for it to start in this scenario.

The aircraft has two engines and should be able to climb out on one, plus it dropped like a rock . 'Significantly degraded' thrust isn't really compatible with what we saw. You'd also expect the engines to recover pretty quickly as it leveled off.

The limitations at high altitude are primarily air/volatiles degassing out of the fuel. That's not going to be much of an issue at sea level, even if the engines are a bit higher up during rotation.
APU is a nice-to-have; it's on the MEL. If you lose all four generators, it's because of some major carnage in the electrical software/hardware and chances of putting the APU on line even if it's operating are very slim.

adfad
July 01, 2025, 12:55:00 GMT
permalink Post: 11914255

Quote:

Originally Posted by Someone Somewhere

I believe that particular bug is fixed, though it's always possible there's other issues causing a total AC loss.

Not really relevant to what you quoted though, as the scenario in question requires:

Engines running on centre tank fuel during takeoff while the aircraft is operating normally
- We don't know for certain if this is the case. It seems to be but it's not something that happens on other families.
Then, total AC failure stopping fuel boost pumps.
Engines suction feed from contaminated/full-of-water wing tanks.

As an electronics and software engineer who has read the AD and related materials on the 248 day bug my understanding is that:

The specific 248-day integer overflow was patched, and before the fix was rolled out, the AD required this system to by power cycled every 120 days to prevent overflow
The PCU software still has the functional requirement to be able to command all AC GCUs to enter failsafe mode, this means that while the initial bug was fixed, the ability for this particular software system to command the same result is still a functional part of the architecture - presumably for safety management of the AC system
This was not the first or last "software overflow error" issue in Boeing or even in the 787

Although I'm not qualified in aviation engineering I do believe from an engineering safety standpoint that this architecture creates a rare but entirely feasible scenario in which the aircraft would be without AC power for at least 30 seconds until the APU could restore it.

I do agree that the engine driven pumps should be able to provide fuel alone, the whole point of these pumps is to keep the plane flying within some limitations, high altitude is one of those limitations, I propose that there may be others based on the following:

Some more knowledgable people here have proposed or countered vapour lock, fuel contamination and automatic fuel cut-off theories to various degrees - even if these are not enough on their own, loss of electrical during rotation at high temperature could combine with these in a way we have not yet considered
Thrust is nonlinear, and while I'm not qualified to say how much loss of fuel flow or loss of thrust would be critical in this scenario we do know that it was a hot takeoff with significant weight and gear remaining down - I know others here have run sims but I don't think anyone has focused on specific thrust / fuel flow params
While electric fuel pumps might not be physically necessary for takeoff, my final point is: why are they required for takeoff? Is it not to mitigate cavitation, fuel sloshing at rotation, or any other kind of problem that might be relevant here?

TURIN
July 13, 2025, 17:02:00 GMT
permalink Post: 11921451

Quote:

Originally Posted by flyingchanges

If the guards to the stab trim switches were left open by maintenance, I could see a situation in which muscle memory might lead to closing the adjacent fuel control switches. This would also explain the "I didn't do it response", as he believed he was merely closing the guards instead.

That status message is quite common.
When trouble shooting, it normally resets through a BITE test. I don't remember ever having to touch the stab cut off switches as part of line trouble shooting. The aircraft is on a turnaround, if the test doesn't clear the message further trouble shooting may be lengthy, most airlines would want the aircraft dispatched in accordance with the MEL.
Deactivating the relevant transducer involves entering the stab bay, disconnecting a plug and writing up the deferral.
If it's true, as someone above suggested, that the aircraft was signed off an hour before departure, that is not last minute by the way, then I would guess that the BITE test cleared the message.

nrunning24
July 14, 2025, 19:59:00 GMT
permalink Post: 11922466

Quote:

Originally Posted by Dani

If you think everything is said...

Breaking News:
On Jul 14th 2025 India's DGCA instructed airlines to check the fuel switches on the Boeing 787 and Boeing 737 aircraft as used by Air India Group, Indigo and Spicejet for possible disengagement of the fuel control switch locking feature according to the SAIB released by the FAA on Dec 17th 2018. The checks have to be completed by Jul 21st 2025.

Source: Avherald.com

This also could be in the sake of thoroughness from the governing body, and frankly its low intrusiveness to the operation and can at least rule out random theorized possibilities. I would probably advise the same.

Realize this is a pilots forum, and its always easier to blame the engineers (me), but I'm surprised at the amount of people grasping at (at least what I think) straws to try and make this not a case of pilot error (either intentional or unintentional). I get lots of parts frequently break and pilots do frequently see things on MEL etc. I know our partner airline engineering teams would love to see increased reliability of certain components, but the certification scrutiny of flight critical items is very intense including isolation from each other.

The likelihood of two flight critical components which are isolated from each other failing instantaneously is so small its basically impossible. Especially when you consider they also turn back on 10 secs later.

Last edited by T28B; 14th July 2025 at 20:57 . Reason: pulled out the bottom line with formatting

D Bru
July 15, 2025, 17:41:00 GMT
permalink Post: 11923115

Hamster wheel diversification (at least an attempt): 787 core system hacking

Inspired by the mention in the PR about a MEL on the \x91core network\x92, I came across the polemics between Boeing and IOActive a few years ago about the alleged vulnerability of 787 core systems to outside interference (hacker attack from within a/c and/or ground), including the highly sensitive CDN module, from where also the fuel cut-off module can be accessed. It\x92s definitely not my specialty, but I thought to flag it in case someone has more informed ideas about this. To my mind it could potentially \x93outshine\x94 intentional crew action. Boeing at the time denied such options, of course. Obviously also in good faith, moreover it seems to be Honeywell &GE code anyhow, but who knows where we are 6 years on.

https://www.wired.com/story/boeing-7...ecurity-flaws/

Last edited by D Bru; 15th July 2025 at 18:10 .

Engineless
July 15, 2025, 17:56:00 GMT
permalink Post: 11923129

Quote:

Originally Posted by D Bru

Googling, inspired by the mention in the PR about a MEL on the \x91core network\x92, I came across the polemics between Boeing and IOActive a few years ago about the vulnerability of 787 core systems to outside interference (hacker attack), including the FCO module. It\x92s definitely not my specialty, but I thought to flag it in case someone has more informed ideas about this. To my mind it could potentially \x93outshine\x94 intentional crew action. Boeing at the time denied such options, of course. Obviously also in good faith, but who knows where we are 6 years on.

https://www.wired.com/story/boeing-7...ecurity-flaws/

Interesting.
From the article:

Quote:

Now, nearly a year later, Santamarta claims that leaked code has led him to something unprecedented: security flaws in one of the 787 Dreamliner's components, deep in the plane's multi-tiered network. He suggests that for a hacker, exploiting those bugs could represent one step in a multi!stage attack that starts in the plane\x92s in-flight entertainment system and extends to highly protected, safety-critical systems like flight controls and sensors.

Passengers on the previous flight complained that the cabin aircondiioning was not working and neither were the seet-back screens. On the previous sector the pilots reported the STAB POS XDCR message in the tech log, which was troubleshooted with no problem found immediately prior to the fateful flight. On the one hand this doesn't bare thinking about but on the other hand I'm surprised it's not already happened.

EXDAC
July 15, 2025, 18:07:00 GMT
permalink Post: 11923145

Quote:

Originally Posted by D Bru

Inspired by the mention in the PR about a MEL on the \x91core network\x92, I came across the polemics between Boeing and IOActive a few years ago about the alleged vulnerability of 787 core systems to outside interference (hacker attack from within a/c and/or ground), including the highly sensitive CDN module, from where also the fuel cut-off module can be accessed. It\x92s definitely not my specialty, but I thought to flag it in case someone has more informed ideas about this. To my mind it could potentially \x93outshine\x94 intentional crew action. Boeing at the time denied such options, of course. Obviously also in good faith, but who knows where we are 6 years on.

https://www.wired.com/story/boeing-7...ecurity-flaws/

I cannot read the linked article. Would you please describe what you mean by "the fuel cut-off module", preferably with reference to the related aircraft schematics showing the signal paths between the fuel switches, spar valves, and engine HPSOV.

TURIN
July 15, 2025, 19:54:00 GMT
permalink Post: 11923218

Quote:

Originally Posted by MikeSnow

SLF here, but I did read all 3 threads. To me, this doesn't seem likely. But it got me thinking, what about the fuel switches being partially cross-connected left to right and right to left? If each of the 8 channels (4 for each switch) has its own connector, it could be possible. From what I understood from earlier posts, from the 4 channels of each switch, there are 2 can shut down an engine. If that's the case, assuming some cross-connection, a single switch movement might be able to affect both engines.

But, even if this were possible, there are problems with this hypothesis too. The problem would most likely be discovered during engine startup, if the engines are started one by one, not at the same time, as they probably wouldn't start unless both switches are set to RUN. And not sure how this would fit the various delays recorded on the FDR. And you still need something/somebody to move at least one of the switches after rotation to trigger the issue. Both switches being moved by the pilots still seems much more likely to me than some technical issue.

"Software faults" do not usually come out of the blue, for no particular reason. Just because it's recorded by software it doesn't mean that it's not something hardware related that triggers it. In a previous reply, not sure if in this thread, it was mentioned that the message meant that there was implausible data coming from those STAB cutoff switches, if I remember correctly. Something like a channel showing both on and off at the same time, or the other way around, or some other inconsistency. That could have been an intermittent issue, that might indeed not be reproducible with a BITE test, and just be cleared. But if the STAB cutoff switches did indeed have a problem, or one was suspected due to recurring reports, is it really so unlikely that they might try to look for some hardware issues, such as a loose connector? For the Lion Air accident involving MCAS, after repeated issues during previous flights, they did exactly that: disconnected and reconnected some connectors to check for issues, among other things.

Software faults, or non correlated maintenance messages can be induced by other factors other than a hardware fault.
EG. GPS faults are common among aircraft that fly around Turkey and other troublesome areas of the world due to GPS 'spoofing' or jamming. The problem is known and a procedure to reset the fault and verify that there is no 'hard' fault hidden in the hardware is used every day.

As I posted earlier in this thread, the Stab Trim (Posn) XDCR status message can be deferred under the MEL with a maintenance procedure that does not involve touching those switches.

Last edited by TURIN; 17th July 2025 at 11:59 .

EDML
July 15, 2025, 22:08:00 GMT
permalink Post: 11923307

Quote:

Originally Posted by Engineless

After all the analysis on PPRuNE, fuel switch failure (well, dual switch failure, at practically the same time) seems so unlikely it's no longer worthy of consideration. However, I'm still open to the idea of a failure elsewhere that may have signalled the fuel switches had transistioned from Run to Cutoff wthout physical movement of either switch. Why? Firstly, because of this (taken from the preliminary report)

There would have been multiple similar failures in different locations. The data for the EAFR is completely separated from the wiring and circuitry for the HP fuel valves. - And that on both engines.

Quote:

Originally Posted by D Bru

Inspired by the mention in the PR about a MEL on the ‘core network’, I came across the polemics between Boeing and IOActive a few years ago about the alleged vulnerability of 787 core systems to outside interference (hacker attack from within a/c and/or ground), including the highly sensitive CDN module, from where also the fuel cut-off module can be accessed. It’s definitely not my specialty, but I thought to flag it in case someone has more informed ideas about this. To my mind it could potentially “outshine” intentional crew action. Boeing at the time denied such options, of course. Obviously also in good faith, moreover it seems to be Honeywell &GE code anyhow, but who knows where we are 6 years on.

https://www.wired.com/story/boeing-7...ecurity-flaws/

That is nonsense. There is no "fuel cut-off module". The fuel cut-off HP valves are operated directly by the cut-off switches through simple latching solenoids. No computer involved, not part of any communication network of the plane. The FADECs (which itself are totally separated from the rest of the aircraft) only get information on the status of the switches; e.g. to faciliate engine restart.

Someone Somewhere July 01, 2025, 10:19:00 GMT permalink Post: 11914164	Quote: Originally Posted by adfad We know (from the 248-day bug) that full AC power failure is possible and we see from the RAT and landing gear orientation that full AC power failure was likely within ~10 seconds of leaving the ground. I believe that particular bug is fixed, though it's always possible there's other issues causing a total AC loss. Not really relevant to what you quoted though, as the scenario in question requires: Engines running on centre tank fuel during takeoff while the aircraft is operating normally We don't know for certain if this is the case. It seems to be but it's not something that happens on other families. Then, total AC failure stopping fuel boost pumps. Engines suction feed from contaminated/full-of-water wing tanks. Quote: I also don't see any evidence that engine driven fuel pumps alone must be able to handle this scenario: provide enough fuel flow for takeoff and climb, even while the pitch is rotating, even in a hot environment with significant weight, even while the gear is stuck down. I know that the engine driven pumps have documented limitations and that the regulations allow for some limitations. I know that at least one of these limitation is high altitude and I _suspect_ that the design intends for this unlikely scenario (engine driven fuel pumps alone with no AC pumps) to guarantee enough fuel flow to get to an airport and land. I also suspect that the APU is expected to solve loss of all AC generators - and as we know, there wasn't enough time for it to start in this scenario. The aircraft has two engines and should be able to climb out on one, plus it dropped like a rock . 'Significantly degraded' thrust isn't really compatible with what we saw. You'd also expect the engines to recover pretty quickly as it leveled off. The limitations at high altitude are primarily air/volatiles degassing out of the fuel. That's not going to be much of an issue at sea level, even if the engines are a bit higher up during rotation. APU is a nice-to-have; it's on the MEL. If you lose all four generators, it's because of some major carnage in the electrical software/hardware and chances of putting the APU on line even if it's operating are very slim.
adfad July 01, 2025, 12:55:00 GMT permalink Post: 11914255	Quote: Originally Posted by Someone Somewhere I believe that particular bug is fixed, though it's always possible there's other issues causing a total AC loss. Not really relevant to what you quoted though, as the scenario in question requires: Engines running on centre tank fuel during takeoff while the aircraft is operating normally We don't know for certain if this is the case. It seems to be but it's not something that happens on other families. Then, total AC failure stopping fuel boost pumps. Engines suction feed from contaminated/full-of-water wing tanks. The aircraft has two engines and should be able to climb out on one, plus it dropped like a rock . 'Significantly degraded' thrust isn't really compatible with what we saw. You'd also expect the engines to recover pretty quickly as it leveled off. The limitations at high altitude are primarily air/volatiles degassing out of the fuel. That's not going to be much of an issue at sea level, even if the engines are a bit higher up during rotation. APU is a nice-to-have; it's on the MEL. If you lose all four generators, it's because of some major carnage in the electrical software/hardware and chances of putting the APU on line even if it's operating are very slim. As an electronics and software engineer who has read the AD and related materials on the 248 day bug my understanding is that: The specific 248-day integer overflow was patched, and before the fix was rolled out, the AD required this system to by power cycled every 120 days to prevent overflow The PCU software still has the functional requirement to be able to command all AC GCUs to enter failsafe mode, this means that while the initial bug was fixed, the ability for this particular software system to command the same result is still a functional part of the architecture - presumably for safety management of the AC system This was not the first or last "software overflow error" issue in Boeing or even in the 787 Although I'm not qualified in aviation engineering I do believe from an engineering safety standpoint that this architecture creates a rare but entirely feasible scenario in which the aircraft would be without AC power for at least 30 seconds until the APU could restore it. I do agree that the engine driven pumps should be able to provide fuel alone, the whole point of these pumps is to keep the plane flying within some limitations, high altitude is one of those limitations, I propose that there may be others based on the following: Some more knowledgable people here have proposed or countered vapour lock, fuel contamination and automatic fuel cut-off theories to various degrees - even if these are not enough on their own, loss of electrical during rotation at high temperature could combine with these in a way we have not yet considered Thrust is nonlinear, and while I'm not qualified to say how much loss of fuel flow or loss of thrust would be critical in this scenario we do know that it was a hot takeoff with significant weight and gear remaining down - I know others here have run sims but I don't think anyone has focused on specific thrust / fuel flow params While electric fuel pumps might not be physically necessary for takeoff, my final point is: why are they required for takeoff? Is it not to mitigate cavitation, fuel sloshing at rotation, or any other kind of problem that might be relevant here?
TURIN July 13, 2025, 17:02:00 GMT permalink Post: 11921451	Quote: Originally Posted by flyingchanges If the guards to the stab trim switches were left open by maintenance, I could see a situation in which muscle memory might lead to closing the adjacent fuel control switches. This would also explain the "I didn't do it response", as he believed he was merely closing the guards instead. That status message is quite common. When trouble shooting, it normally resets through a BITE test. I don't remember ever having to touch the stab cut off switches as part of line trouble shooting. The aircraft is on a turnaround, if the test doesn't clear the message further trouble shooting may be lengthy, most airlines would want the aircraft dispatched in accordance with the MEL. Deactivating the relevant transducer involves entering the stab bay, disconnecting a plug and writing up the deferral. If it's true, as someone above suggested, that the aircraft was signed off an hour before departure, that is not last minute by the way, then I would guess that the BITE test cleared the message.
nrunning24 July 14, 2025, 19:59:00 GMT permalink Post: 11922466	Quote: Originally Posted by Dani If you think everything is said... Breaking News: On Jul 14th 2025 India's DGCA instructed airlines to check the fuel switches on the Boeing 787 and Boeing 737 aircraft as used by Air India Group, Indigo and Spicejet for possible disengagement of the fuel control switch locking feature according to the SAIB released by the FAA on Dec 17th 2018. The checks have to be completed by Jul 21st 2025. Source: Avherald.com This also could be in the sake of thoroughness from the governing body, and frankly its low intrusiveness to the operation and can at least rule out random theorized possibilities. I would probably advise the same. Realize this is a pilots forum, and its always easier to blame the engineers (me), but I'm surprised at the amount of people grasping at (at least what I think) straws to try and make this not a case of pilot error (either intentional or unintentional). I get lots of parts frequently break and pilots do frequently see things on MEL etc. I know our partner airline engineering teams would love to see increased reliability of certain components, but the certification scrutiny of flight critical items is very intense including isolation from each other. The likelihood of two flight critical components which are isolated from each other failing instantaneously is so small its basically impossible. Especially when you consider they also turn back on 10 secs later. Last edited by T28B; 14th July 2025 at 20:57 . Reason: pulled out the bottom line with formatting
D Bru July 15, 2025, 17:41:00 GMT permalink Post: 11923115	Hamster wheel diversification (at least an attempt): 787 core system hacking Inspired by the mention in the PR about a MEL on the \x91core network\x92, I came across the polemics between Boeing and IOActive a few years ago about the alleged vulnerability of 787 core systems to outside interference (hacker attack from within a/c and/or ground), including the highly sensitive CDN module, from where also the fuel cut-off module can be accessed. It\x92s definitely not my specialty, but I thought to flag it in case someone has more informed ideas about this. To my mind it could potentially \x93outshine\x94 intentional crew action. Boeing at the time denied such options, of course. Obviously also in good faith, moreover it seems to be Honeywell &GE code anyhow, but who knows where we are 6 years on. https://www.wired.com/story/boeing-7...ecurity-flaws/ Last edited by D Bru; 15th July 2025 at 18:10 .
Engineless July 15, 2025, 17:56:00 GMT permalink Post: 11923129	Quote: Originally Posted by D Bru Googling, inspired by the mention in the PR about a MEL on the \x91core network\x92, I came across the polemics between Boeing and IOActive a few years ago about the vulnerability of 787 core systems to outside interference (hacker attack), including the FCO module. It\x92s definitely not my specialty, but I thought to flag it in case someone has more informed ideas about this. To my mind it could potentially \x93outshine\x94 intentional crew action. Boeing at the time denied such options, of course. Obviously also in good faith, but who knows where we are 6 years on. https://www.wired.com/story/boeing-7...ecurity-flaws/ Interesting. From the article: Quote: Now, nearly a year later, Santamarta claims that leaked code has led him to something unprecedented: security flaws in one of the 787 Dreamliner's components, deep in the plane's multi-tiered network. He suggests that for a hacker, exploiting those bugs could represent one step in a multi!stage attack that starts in the plane\x92s in-flight entertainment system and extends to highly protected, safety-critical systems like flight controls and sensors. Passengers on the previous flight complained that the cabin aircondiioning was not working and neither were the seet-back screens. On the previous sector the pilots reported the STAB POS XDCR message in the tech log, which was troubleshooted with no problem found immediately prior to the fateful flight. On the one hand this doesn't bare thinking about but on the other hand I'm surprised it's not already happened.
EXDAC July 15, 2025, 18:07:00 GMT permalink Post: 11923145	Quote: Originally Posted by D Bru Inspired by the mention in the PR about a MEL on the \x91core network\x92, I came across the polemics between Boeing and IOActive a few years ago about the alleged vulnerability of 787 core systems to outside interference (hacker attack from within a/c and/or ground), including the highly sensitive CDN module, from where also the fuel cut-off module can be accessed. It\x92s definitely not my specialty, but I thought to flag it in case someone has more informed ideas about this. To my mind it could potentially \x93outshine\x94 intentional crew action. Boeing at the time denied such options, of course. Obviously also in good faith, but who knows where we are 6 years on. https://www.wired.com/story/boeing-7...ecurity-flaws/ I cannot read the linked article. Would you please describe what you mean by "the fuel cut-off module", preferably with reference to the related aircraft schematics showing the signal paths between the fuel switches, spar valves, and engine HPSOV.
TURIN July 15, 2025, 19:54:00 GMT permalink Post: 11923218	Quote: Originally Posted by MikeSnow SLF here, but I did read all 3 threads. To me, this doesn't seem likely. But it got me thinking, what about the fuel switches being partially cross-connected left to right and right to left? If each of the 8 channels (4 for each switch) has its own connector, it could be possible. From what I understood from earlier posts, from the 4 channels of each switch, there are 2 can shut down an engine. If that's the case, assuming some cross-connection, a single switch movement might be able to affect both engines. But, even if this were possible, there are problems with this hypothesis too. The problem would most likely be discovered during engine startup, if the engines are started one by one, not at the same time, as they probably wouldn't start unless both switches are set to RUN. And not sure how this would fit the various delays recorded on the FDR. And you still need something/somebody to move at least one of the switches after rotation to trigger the issue. Both switches being moved by the pilots still seems much more likely to me than some technical issue. "Software faults" do not usually come out of the blue, for no particular reason. Just because it's recorded by software it doesn't mean that it's not something hardware related that triggers it. In a previous reply, not sure if in this thread, it was mentioned that the message meant that there was implausible data coming from those STAB cutoff switches, if I remember correctly. Something like a channel showing both on and off at the same time, or the other way around, or some other inconsistency. That could have been an intermittent issue, that might indeed not be reproducible with a BITE test, and just be cleared. But if the STAB cutoff switches did indeed have a problem, or one was suspected due to recurring reports, is it really so unlikely that they might try to look for some hardware issues, such as a loose connector? For the Lion Air accident involving MCAS, after repeated issues during previous flights, they did exactly that: disconnected and reconnected some connectors to check for issues, among other things. Software faults, or non correlated maintenance messages can be induced by other factors other than a hardware fault. EG. GPS faults are common among aircraft that fly around Turkey and other troublesome areas of the world due to GPS 'spoofing' or jamming. The problem is known and a procedure to reset the fault and verify that there is no 'hard' fault hidden in the hardware is used every day. As I posted earlier in this thread, the Stab Trim (Posn) XDCR status message can be deferred under the MEL with a maintenance procedure that does not involve touching those switches. Last edited by TURIN; 17th July 2025 at 11:59 .
EDML July 15, 2025, 22:08:00 GMT permalink Post: 11923307	Quote: Originally Posted by Engineless After all the analysis on PPRuNE, fuel switch failure (well, dual switch failure, at practically the same time) seems so unlikely it's no longer worthy of consideration. However, I'm still open to the idea of a failure elsewhere that may have signalled the fuel switches had transistioned from Run to Cutoff wthout physical movement of either switch. Why? Firstly, because of this (taken from the preliminary report) There would have been multiple similar failures in different locations. The data for the EAFR is completely separated from the wiring and circuitry for the HP fuel valves. - And that on both engines. Quote: Originally Posted by D Bru Inspired by the mention in the PR about a MEL on the ‘core network’, I came across the polemics between Boeing and IOActive a few years ago about the alleged vulnerability of 787 core systems to outside interference (hacker attack from within a/c and/or ground), including the highly sensitive CDN module, from where also the fuel cut-off module can be accessed. It’s definitely not my specialty, but I thought to flag it in case someone has more informed ideas about this. To my mind it could potentially “outshine” intentional crew action. Boeing at the time denied such options, of course. Obviously also in good faith, moreover it seems to be Honeywell &GE code anyhow, but who knows where we are 6 years on. https://www.wired.com/story/boeing-7...ecurity-flaws/ That is nonsense. There is no "fuel cut-off module". The fuel cut-off HP valves are operated directly by the cut-off switches through simple latching solenoids. No computer involved, not part of any communication network of the plane. The FADECs (which itself are totally separated from the rest of the aircraft) only get information on the status of the switches; e.g. to faciliate engine restart.

Posts about: "MEL" [Posts: 29 Pages: 2]