Aerospace101
2025-06-19T14:11:00 permalink Post: 11906054 |
It does not follow that MCAS malfunction is a software malfunction.
As far as I know, the software functioned exactly as it was specified/required to function. The problem did not lie in the quality of the software, as you suggest. It lay in the functional requirements for the function, and the hazard analysis of those requirements, and those are manufacturer tasks. In a total electrical failure, when the system switches to emergency battery power, how are input variables like rad alt and wow switches processed? (these were inputs someone mentioned on the 747-8, have the TCMA inputs been identified yet?) I speculate the gear truck forward tilt is a symptom of a C hydraulic failure caused by a total electrical failure around the time of VR. Once they got 10 deg nose up on the rotation, with a total electrical failure, could the FADEC receive erroneous rad alt or wow inputs, and how would TCMA handle these inputs in the transition from ground to air logic? What is baffling is the simultaneous nature of the suspected dual engine shutdown. There is no obvious asymmetry, with the flight path or rudder movements. If the engine fuel control switches had been manually cut one at a time, there should have been some visible flightpath change or flight control response. Something happened to both engines at exactly the same time. 2 users liked this post. |
user989
2025-06-19T23:26:00 permalink Post: 11906480 |
Summary of main theories
DISCLAIMER: Poster (a) is one of the (apparently quite numerous) lawyers following this thread; (b) a long-time forum lurker and aviation enthusiast who loves studying FCOMs for fun (to each his own, I guess); (c) has followed and read this thread from the start.
What I cannot do is add new theories or uncover any new facts the actual experts have not already thought of. However, since summarizing and structuring information is one thing lawyers tend to regularly do (and sometimes even do well), here is my attempt at a useful contribution to this thread: an attempt to summarize the main theories discussed here since day one (which I think hasn't been done for quite some time) in the hope that a bird's-eye view will be helpful to those who have not read everything since the beginning or might even trigger some new flash of inspiration for someone more knowledgeable than me. I have focused on the cons since there does not seem to be enough evidence to come to any positive conclusion. I shall try to be concise and to refrain from personal evaluations of my own. Of course, no disrespect whatsoever is intended towards all those who have contributed to this thread and to the individual theories, one or combinations of which may turn out to have led to this tragic outcome. That arguments can be made against every single theory that has been propagated seems to be the result of the highly improbable and unusual nature of this deplorable event and certainly not due to any lack of knowledge or reasoning skills in this forum.
DEAR MODS: If I have distorted anything or if, meaning well, should have achieved the opposite – I guess you know where the delete button is…
Anyway, here goes:
A. Misconfiguration or wrong takeoff data
Widely refuted, since
Still brought up from time to time. However, widely disregarded due to
It should be pointed out that the question of "RAT in or out" was for a while the most contentious in this thread.
C. Low-altitude capture
Still argued, even if refuted by many since
Various possible reasons for this have been discussed:
I. Bird strike/FOD
1. Loss of electric fuel pumps
Suction feed would have provided sufficient fuel pressure.
2. Fuel contamination
No other aircraft affected, no measures taken at airport. Simultaneous flameout due to contaminated fuel very unlikely.
3. Vapour lock
Unlikely to occur in this scenario. Even if (momentarily) no sufficient fuel pressure from the center tank, the engines would have been fed by the wing tanks.
III. Improper maintenance
Unclear which maintenance measures could possibly have been performed that would have resulted in simultaneous loss of both engines. No apparent relationships between malfunctions reported by previous passengers and essential systems.
IV. Large-scale electrical fault (e.g. due to water in E&E bay)
The engines will continue to run if electrical power is lost. FADECs are powered independently.
V. Shutdown of engines by TCMA
A parallel is drawn to the ANA incident. However, this would require not only a fault in the air/ground logic but also a sensed discrepancy between T/L position (not necessarily idle) and thrust output on both engines simultaneously.
VI. (Inadvertent) shutdown by flight crew
1. Spontaneous execution of memory items (fuel control switches OFF, then ON; deploy RAT) due to assumed engine malfunction
In contrast to mistakenly shutting down the wrong engine after having correctly diagnosed the problem as per SOP, this would require not only a simple error in execution but a counter-intuitive unilateral action immediately after takeoff against basic principles of SOP or CRM.
2. No indications whatsoever of an intentional shutdown for nefarious reasons
(Would also be inconsistent with the content of the alleged mayday call.)
VII. Malfunction/mishandling of the fuel cutoff switches (most recent)
1. Wear or improper operation of the switches, so that they do not lock but can shift back into the OFF position.
Argued to be impossible due to robust switch design, preventing switch release in any other than a locked position.
Actuation of the switches by an item placed before them which was pushed onto the switches by retarding thrust levers seems equally unlikely due to force required to pull the switches out of the locked position.
2. Spilled drink leading to short in the wiring
Hardly conceivable that before takeoff open liquid containers would be placed anywhere where they could spill onto the pedestal.
29 users liked this post. |
Aerospace101
2025-06-21T00:41:00 permalink Post: 11907411 |
10 users liked this post. |
MaybeItIs
2025-06-21T01:21:00 permalink Post: 11907432 |
For those postulating the RAT was not deployed, what counter explanations do you have for the following clues?
1 user liked this post. |
Aerospace101
2025-06-21T02:18:00 permalink Post: 11907446 |
1. During rotation all 4 main wheels on each gear truck stay on the runway, the gear acts as a pivot point for the rotation. Effectively the gear truck is in a forward tilt as it is no longer parallel to the fuselage.
2.
3. When the pilot commands gear up, the gear retraction sequence begins, specific to the 787-8, the gear trucks tilt forwards first, instantly followed by the gear doors opening.
See this post which discusses the forward tilt is either caused by process (1) or process (3). I suggest (1) is more likely than (3).
Last edited by Aerospace101; 21st Jun 2025 at 08:31. Reason: Not perpendicular, meant parallel. Updated language after feedback
6 users liked this post. |
AAKEE
2025-06-21T06:00:00 permalink Post: 11907507 |
This probably makes the theory of the TCMA halt a little? Gear up would be inhibited from not being in air. 1 user liked this post. |
Aerospace101
2025-06-21T08:56:00 permalink Post: 11907591 |
The issues with the "they shut down the wrong engine" theory:
1. No asymmetry evidence with flight path deviation. No roll, no yaw effects
2. No rudder inputs visible.
3. No crew should be doing memory items below 400ft. Boeing requires each crew member confirm together memory item switch/control selections.
4. Non-normal gear truck tilt position, a one engine failure should not affect the C hydraulics. As per (3) gear would be selected Up before any memory actions.
The evidence so far is an almost simultaneous dual engine failure, which rules out a lot of other theories.
7 users liked this post. |
Aerospace101
2025-06-21T09:08:00 permalink Post: 11907595 |
7 users liked this post. |
Lead Balloon
2025-06-21T13:25:00 permalink Post: 11907749 |
The gear tilt position is not definitive evidence crew had selected gear up. I've speculated another cause for this non-normal gear tilt is that C hydraulics failed around time of rotation. This would explain the gear remaining in the forward tilt position. There are reasons why the crew may have not selected gear up, see earlier post. Therefore we cannot determine wow or air/ground logic from an assumed gear retraction.
First, whilst it may be that every system that monitors and makes decisions about whether the aircraft is 'in the air' does so on the basis of exactly the same sensor inputs, that may not be true and I'd appreciate someone with the expert knowledge on the 78 to confirm or refute the correctness of the assumption, particularly in relation to, for example, FADEC functions compared with undercarriage control functions. Secondly and probably more importantly, what happens if one of the sensors being used to determine 'in air' versus 'on ground' gives an erroneous 'on ground' signal after - maybe just seconds after - every one of those sensors has given the 'in air' signal? Reference was made earlier in this thread to a 'latched' in air FADEC condition that resulted in engine shut downs after the aircraft involved landed and was therefore actually on the ground. But what if some sensor failure had resulted in the aircraft systems believing that the aircraft was now on the ground when it was not? I also note that after the 2009 B737-800 incident at Schiphol – actually 1.5 kms away, where the aircraft crashed in a field during approach - the investigation ascertained that a RADALT system suddenly sent an erroneous minus 8’ height reading to the automatic throttle control system. The conceptual description of the TCMA says that the channels monitor the “position of thrust lever” – no surprises there – “engine power level” – no surprises there – and “several other digital inputs via digital ARINC data buses”. WoW should of course be one of those "digital inputs" and be a 1 or 0. But I haven't seen any authoritative post about whether the change in state on the 78 requires only one sensor to signal WoW or if, as is more likely, there are (at least) two sensors – one on each MLG leg – both of which have to be ‘weight off’ before a weight off wheels state signal is sent. 
Maybe a sensor on each leg sends inputs to the ARINC data and the systems reading the data decide what to do about the different WoW signals, as between 00, 01, 10 and 11. There is authoritative information to the effect that RADALT is also one of the “digital inputs” to the TCMA. The RADALTs presumably output height data (that is of course variable with height) and I don’t know whether the RADALT hardware involved has a separate 1 or 0 output that says that, so far as the RADALT is concerned, the aircraft to which it is strapped is, in fact, ‘in the air’ at ‘some’ height, with the actual height being so high as to be irrelevant to the systems using that input (if that input is in fact generated and there are, in fact, systems that use that 1 or 0). If we now consider the ‘worst case scenario will be preferred’ concept that apparently applies to the TCMA design so as to achieve redundancy, the number of sensor inputs it’s monitoring to decide whether, and can change its decision whether, the aircraft is on the ground, becomes a very important matter. The TCMA is only supposed to save the day on the ground, if the pilots select idle thrust on a rejected take off but one or both of the engines fail to respond. In the ‘worst case’ (in my view) scenario, both TCMA channels on both engines will be monitoring/affected by every WoW sensor output and every RADALT output data and, if any one of them says ‘on ground’, that will result in both engines’ TCMAs being enabled to command fuel shut off, even though the aircraft may, in fact, be in the air. Of course it’s true that the TCMA’s being enabled is not, of itself, sufficient to cause fuel cut off to an engine. That depends on a further glitch or failure in the system or software monitoring engine power and thrust lever position, or an actual ‘too much thrust compared to thrust lever position’ situation. 
But I can’t see why, on balance, it’s prudent to increase the albeit extraordinarily remote risk of an ‘in air’ TCMA commanded engine or double engine shut down due to multiple sensor failure – just one in-air / on-ground sensor and one of either the thrust lever sensor/s or engine power sensor/s – or, in the case of an actual in air ‘too much thrust compared to thrust lever position situation’, why that ‘problem’ could not be handled by the crew shutting down the engine when the crew decides it’s necessary. Once in the air, too much thrust than desired is a much better problem to have than no thrust. The latter is precisely what would happen if all ‘on ground / in air’ sensors were functioning properly and some ‘too much thrust’ condition occurred. Hopefully the design processes, and particularly the DO-178B/C software design processes done by people with much bigger brains than mine, have built in enough sanity checking and error checking into the system, followed by exhaustive testing, so as to render my thoughts on the subject academic. Last edited by Lead Balloon; 21st Jun 2025 at 14:02 . 4 users liked this post. |
lpvapproach
2025-06-21T13:50:00 permalink Post: 11907770 |
The issues with the "they shut down the wrong engine" theory:
1. No asymmetry evidence with flight path deviation. No roll, no yaw effects
2. No rudder inputs visible.
3. No crew should be doing memory items below 400ft. Boeing requires each crew member confirm together memory item switch/control selections.
4. Non-normal gear truck tilt position, a one engine failure should not affect the C hydraulics. As per (3) gear would be selected Up before any memory actions.
The evidence so far is an almost simultaneous dual engine failure, which rules out a lot of other theories. |
ignorantAndroid
2025-06-21T19:33:00 permalink Post: 11908002 |
If we now consider the ‘worst case scenario will be preferred’ concept that apparently applies to the TCMA design so as to achieve redundancy, the number of sensor inputs it’s monitoring to decide whether, and can change its decision whether, the aircraft is on the ground, becomes a very important matter. The TCMA is only supposed to save the day on the ground, if the pilots select idle thrust on a rejected take off but one or both of the engines fail to respond. In the ‘worst case’ (in my view) scenario, both TCMA channels on both engines will be monitoring/affected by every WoW sensor output and every RADALT output data and, if any one of them says ‘on ground’, that will result in both engines’ TCMAs being enabled to command fuel shut off, even though the aircraft may, in fact, be in the air.
For the sake of argument, imagine if every air/ground sensor had to say 'ground' to enable TCMA. That should still meet the 'no single failure' requirement since you'd need at least 2 failures to get a runaway engine: the original thrust control problem, and a faulty air/ground sensor. IIRC, he said that the 747-8 looks at weight on wheels, gear truck tilt, and radio altimeters. At least one of each has to say 'ground' for TCMA to be enabled. 1 user liked this post. |
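The enabling policies argued over in this exchange (any one sensor saying 'ground', every sensor saying 'ground', and the one-of-each-kind rule recalled for the 747-8) can be compared by counting how many wrong sensor readings each needs before it gives the wrong answer. This is an added example, not part of any post and not the aircraft's actual logic; the six-sensor set and all names in it are assumptions made for illustration.

```python
from itertools import combinations

# Hypothetical sensor set, constructed for illustration: two of each kind
# named in the thread. It is NOT the 787's or 747-8's real architecture.
SENSORS = {
    "wow_left": "wow", "wow_right": "wow",
    "tilt_left": "tilt", "tilt_right": "tilt",
    "radalt_1": "radalt", "radalt_2": "radalt",
}

# In every readings dict, True means "this sensor says ground".

def any_sensor(readings):
    """Enabled if any single sensor says ground (the 'worst case' reading)."""
    return any(readings.values())

def all_sensors(readings):
    """Enabled only if every sensor says ground (the 'for the sake of argument' case)."""
    return all(readings.values())

def one_of_each_kind(readings):
    """Enabled if at least one sensor of each kind says ground."""
    kinds = set(SENSORS.values())
    return all(
        any(readings[name] for name, kind in SENSORS.items() if kind == k)
        for k in kinds
    )

POLICIES = {
    "any_sensor": any_sensor,
    "all_sensors": all_sensors,
    "one_of_each_kind": one_of_each_kind,
}

def min_wrong_readings(policy, truly_on_ground):
    """Smallest number of sensors that must report the wrong state
    before the policy's ground/air decision disagrees with reality."""
    truth = {name: truly_on_ground for name in SENSORS}
    for n in range(1, len(SENSORS) + 1):
        for faulty in combinations(SENSORS, n):
            readings = dict(truth)
            for name in faulty:
                readings[name] = not truly_on_ground
            if policy(readings) != truly_on_ground:
                return n
    return None

def fault_table():
    """Per policy: (wrong readings needed to enable in the air,
    wrong readings needed to stay disabled on the ground)."""
    return {
        name: (min_wrong_readings(p, False), min_wrong_readings(p, True))
        for name, p in POLICIES.items()
    }

if __name__ == "__main__":
    for name, (in_air, on_ground) in fault_table().items():
        print(f"{name:17s} false enable in air: {in_air}  "
              f"false disable on ground: {on_ground}")
```

The first number is the exposure to an in-air enable; the second is the exposure to the function being unavailable on the ground, which is the trade the two posts are arguing about.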
Someone Somewhere
2025-06-21T23:39:00 permalink Post: 11908153 |
Re the SAFRAN FADEC Gen 3: It was used on the CFM56-5B and -7B and some CF6s amongst others. Unless those engines were re-FADECed later (seems unlikely), the FADEC dates to at least the early 90s.
Safran has some pictures that look suitably early-90s high tech:
(I wouldn't be too certain that the second image shown is this generation FADEC, as it's also shown on the Gen 4 (LEAP) FADEC page). (I recognise that soldering iron... Metcal makes good stuff).
There is some limited detail on the air/ground system here. It shows two truck tilt and two strut compression sensors on each of the two MLGs, 8 sensors total. Truck tilt sensors give 'fast' A/G detection; truck tilt + struts gives 'slow' A/G detection. Two systems but no mention of exactly how voting works. No mention of radalt but that could be handled separately before being provided to the FADECs.
I am also now thoroughly satisfied that the FADECs have their own alternators, and that these are separate to the flight control alternators integrated into each VFSG.
3 users liked this post. |
fdr
2025-06-22T00:10:00 permalink Post: 11908171 |
On departure at these weights the aircraft would have some assumed temperature thrust reduction from max available on the GEnx-1B70. Unless they were carrying lead, they were around 30,000 or more below the limit weight for a flaps 5 TO. At that weight, around 440k lbs, they would have had a fair OEI climb gradient on one engine, certainly a positive gradient with the gear down, so they lost more than 50% of total thrust. There is no yaw or roll, or inputs to counter a yaw or roll moment so the aircraft was symmetrical at all times, that means losing absolutely no less than 50% of total available thrust at that point on each engine. At 50% reduction, the aircraft would have continued a positive gradient with the gear down and the flaps at the TO setting. It did not, it decelerated at around 1meter sec, or 0.1g deceleration for just maintaining level flight, but it also had to descend and that was worth around 0.05g as well. Instead of having any positive thrust margin, the guys were needing to descend to balance the decrement in thrust of around 0.15g, and that means it has negligible to no thrust from the engines. The full analysis takes more effort as the AOA has increased over the 15-20 seconds to impact, which is increasing the drag of the aircraft rapidly towards the end. For the first 5-10 seconds however, it is not such a great change, but it is still increasing. In level flight, the aircraft would accelerate level at around 0.3-0.4g gear down with both engines running at max chuff. Lose one, and you are back to 0.05-0.1g or so. These guys had far less than one engine remaining, gravity was all that they had going for them. To that end, there is no requirement to have the EAFR readout of the N1, N2, FF, or EGT, the video shows they had no puff going worth a darn.
That is basic back of the envelope physics and anyone who does aircraft performance testing would be able to get that answer straight from the video without using a calculator, by the time they had watched the video a couple of times in replay. I have no qualms on stating that the engines are not operating, the RAT, gear tilt are consistent with the dynamics of the aircraft. This is far simpler to determine the energy state than that of the B738W at Muan, the lack of early video required a couple of iterations of the kinetic energy of the aircraft at Muan to end up with a probable flight path, and most likely estimate of the thrust remaining for those most unfortunate souls. regards, FDR Last edited by fdr; 22nd Jun 2025 at 15:01 . 17 users liked this post. |
AAKEE
2025-06-22T07:08:00 permalink Post: 11908310 |
The gear tilt position is not definitive evidence crew had selected gear up. I've speculated another cause for this non-normal gear tilt is that C hydraulics failed around time of rotation. This would explain the gear remaining in the forward tilt position. There are reasons why the crew may have not selected gear up, see earlier post. Therefore we cannot determine wow or air/ground logic from an assumed gear retraction.
Another point pointing to that the aircraft did consider itself being "In Air" is the ADS-B data sending Altitude from the first 575 feet at 08:08:46.55 until at least 08:50.87…? I would think the sub systems like TCMA would use the same In Air / On Ground logic as the aircraft normally use? I come from an FBW aircraft with a Air/Ground logic that seems rather bullet proof and would guess the 787 wouldn’t use a less solid logic which probably, in doubt would consider it being "In Air"? It would be "logic" for the TCMA to use this logic? 5 users liked this post. |
NSEU
2025-06-30T13:14:00 permalink Post: 11913615 |
A maintenance engineer looked into the gear tilt issue. The 787 has no hydraulic sequencing valves like traditional Boeings, and the bogie tilt command is simply generated by gear lever movement. So, I suppose the doors dropping before or after the gear tilting may simply be who gets there first.
That is not to say loss of hydraulics also causes "toes down" because of bogie imbalance or aerodynamics (as previously mentioned). |
fdr
2025-06-30T23:39:00 permalink Post: 11913950 |
We know that the right-hand GEnx-1B was removed for overhaul and re-installed in March 2025 so it was at “zero time” and zero cycles, meaning a performance asymmetry that the FADEC would have to manage every time maximum thrust is selected. If the old engine was still on the pre-2021 EEC build while the fresh engine carried the post-Service Bulletin software/hardware, a dual “commanded rollback” is plausible. A latent fault on one channel with the mid-life core can prompt the other engine to match thrust to maintain symmetry, leading to dual rollback.
3 users liked this post. |