June 14, 2025, 20:48:00 GMT
permalink Post: 11901821
Another hour spent sifting through the stuff since last night (my sympathies to the mods
). A few more comments:
"Real time engine monitoring" is typically not 'real time' - it's recorded and sent in periodic bursts. Very unlikely anything was sent from the event aircraft on this flight.
Commanded engine cutoff - the aisle stand fuel switch sends electrical signals to the spar valve and the "High Pressure Shutoff Valve" (HPSOV) in the Fuel Metering Unit, commanding them to open/close using aircraft power. The HPSOV is solenoid controlled, and near instantaneous. The solenoid is of a 'locking' type that needs to be powered both ways (for obvious reasons, you wouldn't want a loss of electrical power to shut down the engine). The fire handle does the same thing, via different electrical paths (i.e. separate wiring).
As I've noted previously, a complete loss of aircraft electrical power would not cause the engines to flameout (or even lose meaningful thrust) during takeoff. In the takeoff altitude envelope, 'suction feed' (I think Airbus calls it 'gravity feed') is more than sufficient to supply the engine driven fuel pumps. It's only when you get up to ~20k ft. that suction feed can become an issue - and this event happened near sea level.
Not matter what's happening on the aircraft side - pushing the thrust levers to the forward stop will give you (at least) rated takeoff power since the only thing required from the aircraft is fuel and thrust lever position (and the thrust lever position resolver is powered by the FADEC).
The TCMA logic is designed and scrubbed so as to be quite robust - flight test data of the engine response to throttle slams is reviewed to insure there is adequate margin between the TCMA limits and the actual engine responses to prevent improper TCMA activation. Again, never say never, but a whole lot would have had to go wrong in the TCMA logic for it to have activated on this flight.
Now, if I assume the speculation that the RAT deployed is correct, I keep coming up with two potential scenarios that could explain what's known regarding this accident:
1) TCMA activation shutdown the engines
or
2) The fuel cutoff switches were activated.
I literally can come up with no other plausible scenarios.
In all due respect to all the pilots on this forum, I really hope it wasn't TCMA. It wouldn't be the first time a mandated 'safety system' has caused an accident (it wouldn't just be Boeing and GE - TCMA was forced by the FAA and EASA to prevent a scenario that had never caused a fatal accident) - and there would be a lot embarrassing questions for all involved. But I personally know many of the people who created, validated, and certified the GEnx-1B TCMA logic - and can't imagine what they would be going through if they missed something (coincidentally, one of them was at my birthday party last weekend and inevitably we ended up talking about what we used to do at Boeing (he's also retired)). Worse, similar TCMA logic is on the GEnx-2B (747-8) - which I was personally responsible for certifying - as well as the GE90-115B and the 737 MAX Leap engine - the consequences of that logic causing this accident would be massive.
). A few more comments:
"Real time engine monitoring" is typically not 'real time' - it's recorded and sent in periodic bursts. Very unlikely anything was sent from the event aircraft on this flight.
Commanded engine cutoff - the aisle stand fuel switch sends electrical signals to the spar valve and the "High Pressure Shutoff Valve" (HPSOV) in the Fuel Metering Unit, commanding them to open/close using aircraft power. The HPSOV is solenoid controlled, and near instantaneous. The solenoid is of a 'locking' type that needs to be powered both ways (for obvious reasons, you wouldn't want a loss of electrical power to shut down the engine). The fire handle does the same thing, via different electrical paths (i.e. separate wiring).
As I've noted previously, a complete loss of aircraft electrical power would not cause the engines to flameout (or even lose meaningful thrust) during takeoff. In the takeoff altitude envelope, 'suction feed' (I think Airbus calls it 'gravity feed') is more than sufficient to supply the engine driven fuel pumps. It's only when you get up to ~20k ft. that suction feed can become an issue - and this event happened near sea level.
Not matter what's happening on the aircraft side - pushing the thrust levers to the forward stop will give you (at least) rated takeoff power since the only thing required from the aircraft is fuel and thrust lever position (and the thrust lever position resolver is powered by the FADEC).
The TCMA logic is designed and scrubbed so as to be quite robust - flight test data of the engine response to throttle slams is reviewed to insure there is adequate margin between the TCMA limits and the actual engine responses to prevent improper TCMA activation. Again, never say never, but a whole lot would have had to go wrong in the TCMA logic for it to have activated on this flight.
Now, if I assume the speculation that the RAT deployed is correct, I keep coming up with two potential scenarios that could explain what's known regarding this accident:
1) TCMA activation shutdown the engines
or
2) The fuel cutoff switches were activated.
I literally can come up with no other plausible scenarios.
In all due respect to all the pilots on this forum, I really hope it wasn't TCMA. It wouldn't be the first time a mandated 'safety system' has caused an accident (it wouldn't just be Boeing and GE - TCMA was forced by the FAA and EASA to prevent a scenario that had never caused a fatal accident) - and there would be a lot embarrassing questions for all involved. But I personally know many of the people who created, validated, and certified the GEnx-1B TCMA logic - and can't imagine what they would be going through if they missed something (coincidentally, one of them was at my birthday party last weekend and inevitably we ended up talking about what we used to do at Boeing (he's also retired)). Worse, similar TCMA logic is on the GEnx-2B (747-8) - which I was personally responsible for certifying - as well as the GE90-115B and the 737 MAX Leap engine - the consequences of that logic causing this accident would be massive.
June 14, 2025, 21:27:00 GMT
permalink Post: 11901855
Another hour spent sifting through the stuff since last night (my sympathies to the mods
). A few more comments:
"Real time engine monitoring" is typically not 'real time' - it's recorded and sent in periodic bursts. Very unlikely anything was sent from the event aircraft on this flight.
Commanded engine cutoff - the aisle stand fuel switch sends electrical signals to the spar valve and the "High Pressure Shutoff Valve" (HPSOV) in the Fuel Metering Unit, commanding them to open/close using aircraft power. The HPSOV is solenoid controlled, and near instantaneous. The solenoid is of a 'locking' type that needs to be powered both ways (for obvious reasons, you wouldn't want a loss of electrical power to shut down the engine). The fire handle does the same thing, via different electrical paths (i.e. separate wiring).
As I've noted previously, a complete loss of aircraft electrical power would not cause the engines to flameout (or even lose meaningful thrust) during takeoff. In the takeoff altitude envelope, 'suction feed' (I think Airbus calls it 'gravity feed') is more than sufficient to supply the engine driven fuel pumps. It's only when you get up to ~20k ft. that suction feed can become an issue - and this event happened near sea level.
Not matter what's happening on the aircraft side - pushing the thrust levers to the forward stop will give you (at least) rated takeoff power since the only thing required from the aircraft is fuel and thrust lever position (and the thrust lever position resolver is powered by the FADEC).
The TCMA logic is designed and scrubbed so as to be quite robust - flight test data of the engine response to throttle slams is reviewed to insure there is adequate margin between the TCMA limits and the actual engine responses to prevent improper TCMA activation. Again, never say never, but a whole lot would have had to go wrong in the TCMA logic for it to have activated on this flight.
Now, if I assume the speculation that the RAT deployed is correct, I keep coming up with two potential scenarios that could explain what's known regarding this accident:
1) TCMA activation shutdown the engines
or
2) The fuel cutoff switches were activated.
I literally can come up with no other plausible scenarios.
In all due respect to all the pilots on this forum, I really hope it wasn't TCMA. It wouldn't be the first time a mandated 'safety system' has caused an accident (it wouldn't just be Boeing and GE - TCMA was forced by the FAA and EASA to prevent a scenario that had never caused a fatal accident) - and there would be a lot embarrassing questions for all involved. But I personally know many of the people who created, validated, and certified the GEnx-1B TCMA logic - and can't imagine what they would be going through if they missed something (coincidentally, one of them was at my birthday party last weekend and inevitably we ended up talking about what we used to do at Boeing (he's also retired)). Worse, similar TCMA logic is on the GEnx-2B (747-8) - which I was personally responsible for certifying - as well as the GE90-115B and the 737 MAX Leap engine - the consequences of that logic causing this accident would be massive.
). A few more comments:
"Real time engine monitoring" is typically not 'real time' - it's recorded and sent in periodic bursts. Very unlikely anything was sent from the event aircraft on this flight.
Commanded engine cutoff - the aisle stand fuel switch sends electrical signals to the spar valve and the "High Pressure Shutoff Valve" (HPSOV) in the Fuel Metering Unit, commanding them to open/close using aircraft power. The HPSOV is solenoid controlled, and near instantaneous. The solenoid is of a 'locking' type that needs to be powered both ways (for obvious reasons, you wouldn't want a loss of electrical power to shut down the engine). The fire handle does the same thing, via different electrical paths (i.e. separate wiring).
As I've noted previously, a complete loss of aircraft electrical power would not cause the engines to flameout (or even lose meaningful thrust) during takeoff. In the takeoff altitude envelope, 'suction feed' (I think Airbus calls it 'gravity feed') is more than sufficient to supply the engine driven fuel pumps. It's only when you get up to ~20k ft. that suction feed can become an issue - and this event happened near sea level.
Not matter what's happening on the aircraft side - pushing the thrust levers to the forward stop will give you (at least) rated takeoff power since the only thing required from the aircraft is fuel and thrust lever position (and the thrust lever position resolver is powered by the FADEC).
The TCMA logic is designed and scrubbed so as to be quite robust - flight test data of the engine response to throttle slams is reviewed to insure there is adequate margin between the TCMA limits and the actual engine responses to prevent improper TCMA activation. Again, never say never, but a whole lot would have had to go wrong in the TCMA logic for it to have activated on this flight.
Now, if I assume the speculation that the RAT deployed is correct, I keep coming up with two potential scenarios that could explain what's known regarding this accident:
1) TCMA activation shutdown the engines
or
2) The fuel cutoff switches were activated.
I literally can come up with no other plausible scenarios.
In all due respect to all the pilots on this forum, I really hope it wasn't TCMA. It wouldn't be the first time a mandated 'safety system' has caused an accident (it wouldn't just be Boeing and GE - TCMA was forced by the FAA and EASA to prevent a scenario that had never caused a fatal accident) - and there would be a lot embarrassing questions for all involved. But I personally know many of the people who created, validated, and certified the GEnx-1B TCMA logic - and can't imagine what they would be going through if they missed something (coincidentally, one of them was at my birthday party last weekend and inevitably we ended up talking about what we used to do at Boeing (he's also retired)). Worse, similar TCMA logic is on the GEnx-2B (747-8) - which I was personally responsible for certifying - as well as the GE90-115B and the 737 MAX Leap engine - the consequences of that logic causing this accident would be massive.
June 15, 2025, 02:36:00 GMT
permalink Post: 11902060
Difficult!? Maybe not. If very late the flaps were tagged stowed, and there was a simultaneous gear up command, with FlapDown command, the overload could have failed a GCS. Then it becomes a switching exercise. (Automatics).
Alarms Warnings Impacted EICAS, ETC. it happened long ago, but we know what happens when an engine driven generator quits ..first it bangs for awhile, then it burns itself up, then ...
Alarms Warnings Impacted EICAS, ETC. it happened long ago, but we know what happens when an engine driven generator quits ..first it bangs for awhile, then it burns itself up, then ...
Thanks for answering the question I hadn't yet asked but wanted to confirm!
I'm still sticking with "Major Electrical Fault" as my most likely cause, and this adds to my suspicions.
As I understand it, the landing gear is raised / retracted by electric motor-driven hydraulic pump (pumps?). This/these would create a significant electrical load.
If the plane's multi-redundant electrical system has a fault which is intermittent (the worst kind of electrical issue to diagnose), and which causes the redundancy controls to go haywire (as there are, of course, electronic controls to detect failures and drive the switching over of primary and backup electrical supplies), then this fault could to triggered by a large load coming on-line. It could even be as simple as a high current cable lug not having been tightened when a part was being replaced at some stage. The relevant bolt might be only finger-tight. Enough to work 99.99% of the time between then and now... But a little bit more oxidation, and particularly, a bit more heat (it was a hot day), and suddenly, a fault.
Having worked in electronics for years, I know that semi-conductors (and lots of other components, especially capacitors [and batteries]) can also degrade instead of failing completely. Electro-static discharges are great for causing computer chips to die, or go meta-stable - meaning they can get all knotted up and cease working correctly - until they are powered off for a while. They can also degrade in a way that means they work normally a low temperatures, but don't above a certain temperature.
Anyway, there MUST be ways that the redundant power supplies can be brought down, simply because, to have a critical bus powered from a number of independent sources, there must be "controls" of some sort. I don't know how it's done in the 787, but that's where I'd be looking.
As there is a lot of discussion already about how the bogies are hanging the wrong way suggesting a started but failed retraction operation, and it's now confirmed that the retraction would normally have taken place at about the point where the flight went "pear shaped", I'm going to suggest that the two things are connected. More than that: I'll suggest that the Gear Up command triggered the fault that caused both engines to shut down in very short succession. Nothing the pilots did wrong, and no way they could have known and prevented it.
It's going to be difficult to prove though.
I'm still sticking with "Major Electrical Fault" as my most likely cause, and this adds to my suspicions.
As I understand it, the landing gear is raised / retracted by electric motor-driven hydraulic pump (pumps?). This/these would create a significant electrical load.
If the plane's multi-redundant electrical system has a fault which is intermittent (the worst kind of electrical issue to diagnose), and which causes the redundancy controls to go haywire (as there are, of course, electronic controls to detect failures and drive the switching over of primary and backup electrical supplies), then this fault could to triggered by a large load coming on-line. It could even be as simple as a high current cable lug not having been tightened when a part was being replaced at some stage. The relevant bolt might be only finger-tight. Enough to work 99.99% of the time between then and now... But a little bit more oxidation, and particularly, a bit more heat (it was a hot day), and suddenly, a fault.
Having worked in electronics for years, I know that semi-conductors (and lots of other components, especially capacitors [and batteries]) can also degrade instead of failing completely. Electro-static discharges are great for causing computer chips to die, or go meta-stable - meaning they can get all knotted up and cease working correctly - until they are powered off for a while. They can also degrade in a way that means they work normally a low temperatures, but don't above a certain temperature.
Anyway, there MUST be ways that the redundant power supplies can be brought down, simply because, to have a critical bus powered from a number of independent sources, there must be "controls" of some sort. I don't know how it's done in the 787, but that's where I'd be looking.
As there is a lot of discussion already about how the bogies are hanging the wrong way suggesting a started but failed retraction operation, and it's now confirmed that the retraction would normally have taken place at about the point where the flight went "pear shaped", I'm going to suggest that the two things are connected. More than that: I'll suggest that the Gear Up command triggered the fault that caused both engines to shut down in very short succession. Nothing the pilots did wrong, and no way they could have known and prevented it.
It's going to be difficult to prove though.
In addition, the 787 has four main generators and I believe the switching is segregated into at least two controllers, on top of the four separate generator control units.
And again, electrical failure should not cause engine failure - consider QF32 where the wiring to the engine was mostly severed and they had to drown it with a fire truck.
Best post until now in my view. We will find out very soon I think. Gear up command triggered the instant lack of fuel to both engines. I'm not sure on how the fuel flow is dependant on the power supplies on the 787 but I genuinely believe you are very very close to what might have happened here.
Yes, thanks, I've seen a few comments to this effect, and I have to accept most of what you say. I understand that they have their own dedicated generators and local independent FADECs (or EECs), but I'm trying to use what I do know to attempt to figure this out. I know that there are Fuel Cutoff switches in the cockpit. Somehow, if switched to Off, these will cut off the fuel to the engines, "no matter what". Of course, even that's not true, as the Qantas A380 engine burst apparently (comment in this thread) showed.
Anyway, the thing I'm looking at is how the fuel cutoff switch function could have been activated in some other way. To me, it seems obvious that there are wires that run between the engine fuel shutoff valves and the cockpit / flight control panel (no doubt with relays etc in between). I don't know where those shutoff valves are located, but logic says they should be located in the fuselage, not out at the engines. I also don't know how those valves operate - are they solenoid valves or electro-mechanically driven? Nor do I know where the power to activate those valves comes from, but using my logic, if those valves close when powered off, such as solenoid valves typically do, then the power cannot exclusively come from the engine-dedicated generators. If it did, you'd never be able to start the engines so they could supply their own power to hold those valves open. So, there must be some power (appropriately) fed from the main aircraft control bus to activate those valves - if the rest of what I'm assuming is correct. Anyway, like I say, I don't know enough about the details at this point, but there are many more ways to activate or deactivate a circuit than by flicking a switch. Killing the relevant power supply, for example. A screwdriver across some contacts (for example), another. Shorting a wire to Chassis, maybe. Just trying to contribute what I can.
You raise another interesting point: "TCMA notwithstanding". Could you elaborate, please? What will happen if the TCMA system, which apparently also has some degree of engine control, loses power? The problem with interlinked circuits and systems is that sometimes, unexpected things can happen when events that were not considered actually happen. If one module, reporting to another, loses power or fails, sometimes it can "tell" the surviving module something that isn't true... My concern is where does the power to the Fuel Cutoff switches come from? Are there relays or solid-state switches (or what?) between the Panel Switches and the valves? If so, is the valve power derived from a different source, and if so, where? Are the valves solenoids, open when power applied, or something else? What is the logic involved, between switch and valve?
Would you mind answering these questions so I can ponder it all further, please? If I'm wrong, I'll happily say so.
Anyway, the thing I'm looking at is how the fuel cutoff switch function could have been activated in some other way. To me, it seems obvious that there are wires that run between the engine fuel shutoff valves and the cockpit / flight control panel (no doubt with relays etc in between). I don't know where those shutoff valves are located, but logic says they should be located in the fuselage, not out at the engines. I also don't know how those valves operate - are they solenoid valves or electro-mechanically driven? Nor do I know where the power to activate those valves comes from, but using my logic, if those valves close when powered off, such as solenoid valves typically do, then the power cannot exclusively come from the engine-dedicated generators. If it did, you'd never be able to start the engines so they could supply their own power to hold those valves open. So, there must be some power (appropriately) fed from the main aircraft control bus to activate those valves - if the rest of what I'm assuming is correct. Anyway, like I say, I don't know enough about the details at this point, but there are many more ways to activate or deactivate a circuit than by flicking a switch. Killing the relevant power supply, for example. A screwdriver across some contacts (for example), another. Shorting a wire to Chassis, maybe. Just trying to contribute what I can.
You raise another interesting point: "TCMA notwithstanding". Could you elaborate, please? What will happen if the TCMA system, which apparently also has some degree of engine control, loses power? The problem with interlinked circuits and systems is that sometimes, unexpected things can happen when events that were not considered actually happen. If one module, reporting to another, loses power or fails, sometimes it can "tell" the surviving module something that isn't true... My concern is where does the power to the Fuel Cutoff switches come from? Are there relays or solid-state switches (or what?) between the Panel Switches and the valves? If so, is the valve power derived from a different source, and if so, where? Are the valves solenoids, open when power applied, or something else? What is the logic involved, between switch and valve?
Would you mind answering these questions so I can ponder it all further, please? If I'm wrong, I'll happily say so.
The valves are located in the spar (hence being called 'spar valves'. The fuel tank is immediately above the engine so it is a very short pipe for suction feeding. Tail mount engines are potentially a different story...
What\x92s the usual time frame for the release of preliminary data and report from the FDR and CVR? Is it around 6 months?
I guess if no directives come from Boeing or the FAA in the next 2 weeks, it can be presumed that a systems failure from which recovery was impossible was unlikely.
I guess if no directives come from Boeing or the FAA in the next 2 weeks, it can be presumed that a systems failure from which recovery was impossible was unlikely.
June 15, 2025, 04:00:00 GMT
permalink Post: 11902086
I accept it as a fact.
I believe the valves are almost all bi-stable power-open power-close. When not powered, they remain in the last commanded position.
The valves are located in the spar (hence being called 'spar valves'. The fuel tank is immediately above the engine so it is a very short pipe for suction feeding. Tail mount engines are potentially a different story...
The valves are located in the spar (hence being called 'spar valves'. The fuel tank is immediately above the engine so it is a very short pipe for suction feeding. Tail mount engines are potentially a different story...
June 15, 2025, 04:19:00 GMT
permalink Post: 11902094
Okay! Many thanks for that! Of course, it very much complicates the picture, and I'm very puzzled as to how the Fuel Cutoff Switches and Valves operate. Apparently, the TCAM system shuts off an errant engine on the ground at least, but my concern is not with the software but the hardware. It obviously has an Output going into the Fuel Shutoff system. If the TCAM unit loses power, can that output cause the Cutoff process (powered by the engine-dedicated generator) to be activated? I guess that's the $64 billion question, but if MCAS is any example, then: Probably!
TCMA (not TCAM) - Thrust Control Malfunction Accommodation - is a FADEC based system. It's resident in the engine FADEC (aka EEC) - the ONLY inputs from the aircraft that go into the TCMA is air/ground (to enable) and thrust lever position (to determine if the engine is doing what it's being commanded to do. The FADEC has the ability to shutdown the engine via the N2 overspeed protection system - this is separate from the aircraft run/cutoff signal, although it uses the same HPSOV to effect the shutdown. That same system is used by TCMA to shutoff fuel if it determines the engine is 'running away'.
Hint, you might try going back a few pages and reading where all this has been posted previously.
June 15, 2025, 06:47:00 GMT
permalink Post: 11902155
I hate to disappoint you, but the people (like me) who design, test, and certify aircraft are not idiots. We design for failures. Yes, on rare occasion, something gets missed (e.g. MCAS), but we know that aircraft power systems sometimes fail (or suffer short term interuptions) and we design for that. EVERY VALVE IN THE FUEL SYSTEM MUST BE POWERED TO CHANGE STATE!!!! If electrical power is lost, they just stay where they are. The engine fuel valve must be powered open, and it must be powered closed. Same with the spar valve. The pilot moves a switch, that provides electrical signals to the spar valve and the engine fuel valve to open or close. It's
not
complicated and has been in use for decades.
TCMA (not TCAM) - Thrust Control Malfunction Accommodation - is a FADEC based system. It's resident in the engine FADEC (aka EEC) - the ONLY inputs from the aircraft that go into the TCMA is air/ground (to enable) and thrust lever position (to determine if the engine is doing what it's being commanded to do. The FADEC has the ability to shutdown the engine via the N2 overspeed protection system - this is separate from the aircraft run/cutoff signal, although it uses the same HPSOV to effect the shutdown. That same system is used by TCMA to shutoff fuel if it determines the engine is 'running away'.
Hint, you might try going back a few pages and reading where all this has been posted previously.
TCMA (not TCAM) - Thrust Control Malfunction Accommodation - is a FADEC based system. It's resident in the engine FADEC (aka EEC) - the ONLY inputs from the aircraft that go into the TCMA is air/ground (to enable) and thrust lever position (to determine if the engine is doing what it's being commanded to do. The FADEC has the ability to shutdown the engine via the N2 overspeed protection system - this is separate from the aircraft run/cutoff signal, although it uses the same HPSOV to effect the shutdown. That same system is used by TCMA to shutoff fuel if it determines the engine is 'running away'.
Hint, you might try going back a few pages and reading where all this has been posted previously.
I hope I never suggested you guys are idiots! I very much doubt that indeed. You cannot be idiots. Planes fly, very reliably. That's evidence enough.
Maybe my analysis is simplistic, but for someone who knows as little about the nuts and bolts that are your profession, I think I'm not doing too badly.
I believe I have made a number of worthy contributions to this thread. Maybe I'm deluded. Too bad. Fact is, over the history of modern aviation, there have been a number of serious design stuff ups that "shouldn't have happened". As far as I'm concerned, the crash of AF447 is bloody good evidence of not considering a very simple, fundamental failure, and should NEVER have happened. The thing is, that would have been sooo easy to avoid. So please, don't get on too high a horse over this.
Thanks for your information about all the fuel control valves. That's cool. Yes, my cars have numerous such systems, from the radiator grilles backward.
And you misunderstand what I meant about "complicates things". Was that deliberate? What I meant was it complicates understanding how a major electrical failure could cause the Fuel Cutoff valves to close, that's all. The valves don't close if unpowered, but if the control is via the FADEC, then what could have caused them to close?
Your explanation of how the Fuel Valves are controlled is rather simplistic too. "The pilot moves a switch, that provides electrical signals to the spar valve and the engine fuel valve to open or close." Seriously? Am I an idiot then? Is it a single pole, single throw switch? Is the valve driven by a stepper motor, or what? A DC Motor and worm drive? Does it have an integral controller? How does the valve drive know when to stop at end of travel? Would you mind elaborating, please?
June 14, 2025, 20:48:00 GMT
permalink Post: 11903420
Another hour spent sifting through the stuff since last night (my sympathies to the mods
). A few more comments:
"Real time engine monitoring" is typically not 'real time' - it's recorded and sent in periodic bursts. Very unlikely anything was sent from the event aircraft on this flight.
Commanded engine cutoff - the aisle stand fuel switch sends electrical signals to the spar valve and the "High Pressure Shutoff Valve" (HPSOV) in the Fuel Metering Unit, commanding them to open/close using aircraft power. The HPSOV is solenoid controlled, and near instantaneous. The solenoid is of a 'locking' type that needs to be powered both ways (for obvious reasons, you wouldn't want a loss of electrical power to shut down the engine). The fire handle does the same thing, via different electrical paths (i.e. separate wiring).
As I've noted previously, a complete loss of aircraft electrical power would not cause the engines to flameout (or even lose meaningful thrust) during takeoff. In the takeoff altitude envelope, 'suction feed' (I think Airbus calls it 'gravity feed') is more than sufficient to supply the engine driven fuel pumps. It's only when you get up to ~20k ft. that suction feed can become an issue - and this event happened near sea level.
Not matter what's happening on the aircraft side - pushing the thrust levers to the forward stop will give you (at least) rated takeoff power since the only thing required from the aircraft is fuel and thrust lever position (and the thrust lever position resolver is powered by the FADEC).
The TCMA logic is designed and scrubbed so as to be quite robust - flight test data of the engine response to throttle slams is reviewed to insure there is adequate margin between the TCMA limits and the actual engine responses to prevent improper TCMA activation. Again, never say never, but a whole lot would have had to go wrong in the TCMA logic for it to have activated on this flight.
Now, if I assume the speculation that the RAT deployed is correct, I keep coming up with two potential scenarios that could explain what's known regarding this accident:
1) TCMA activation shutdown the engines
or
2) The fuel cutoff switches were activated.
I literally can come up with no other plausible scenarios.
In all due respect to all the pilots on this forum, I really hope it wasn't TCMA. It wouldn't be the first time a mandated 'safety system' has caused an accident (it wouldn't just be Boeing and GE - TCMA was forced by the FAA and EASA to prevent a scenario that had never caused a fatal accident) - and there would be a lot embarrassing questions for all involved. But I personally know many of the people who created, validated, and certified the GEnx-1B TCMA logic - and can't imagine what they would be going through if they missed something (coincidentally, one of them was at my birthday party last weekend and inevitably we ended up talking about what we used to do at Boeing (he's also retired)). Worse, similar TCMA logic is on the GEnx-2B (747-8) - which I was personally responsible for certifying - as well as the GE90-115B and the 737 MAX Leap engine - the consequences of that logic causing this accident would be massive.
). A few more comments:
"Real time engine monitoring" is typically not 'real time' - it's recorded and sent in periodic bursts. Very unlikely anything was sent from the event aircraft on this flight.
Commanded engine cutoff - the aisle stand fuel switch sends electrical signals to the spar valve and the "High Pressure Shutoff Valve" (HPSOV) in the Fuel Metering Unit, commanding them to open/close using aircraft power. The HPSOV is solenoid controlled, and near instantaneous. The solenoid is of a 'locking' type that needs to be powered both ways (for obvious reasons, you wouldn't want a loss of electrical power to shut down the engine). The fire handle does the same thing, via different electrical paths (i.e. separate wiring).
As I've noted previously, a complete loss of aircraft electrical power would not cause the engines to flameout (or even lose meaningful thrust) during takeoff. In the takeoff altitude envelope, 'suction feed' (I think Airbus calls it 'gravity feed') is more than sufficient to supply the engine driven fuel pumps. It's only when you get up to ~20k ft. that suction feed can become an issue - and this event happened near sea level.
Not matter what's happening on the aircraft side - pushing the thrust levers to the forward stop will give you (at least) rated takeoff power since the only thing required from the aircraft is fuel and thrust lever position (and the thrust lever position resolver is powered by the FADEC).
The TCMA logic is designed and scrubbed so as to be quite robust - flight test data of the engine response to throttle slams is reviewed to insure there is adequate margin between the TCMA limits and the actual engine responses to prevent improper TCMA activation. Again, never say never, but a whole lot would have had to go wrong in the TCMA logic for it to have activated on this flight.
Now, if I assume the speculation that the RAT deployed is correct, I keep coming up with two potential scenarios that could explain what's known regarding this accident:
1) TCMA activation shutdown the engines
or
2) The fuel cutoff switches were activated.
I literally can come up with no other plausible scenarios.
In all due respect to all the pilots on this forum, I really hope it wasn't TCMA. It wouldn't be the first time a mandated 'safety system' has caused an accident (it wouldn't just be Boeing and GE - TCMA was forced by the FAA and EASA to prevent a scenario that had never caused a fatal accident) - and there would be a lot embarrassing questions for all involved. But I personally know many of the people who created, validated, and certified the GEnx-1B TCMA logic - and can't imagine what they would be going through if they missed something (coincidentally, one of them was at my birthday party last weekend and inevitably we ended up talking about what we used to do at Boeing (he's also retired)). Worse, similar TCMA logic is on the GEnx-2B (747-8) - which I was personally responsible for certifying - as well as the GE90-115B and the 737 MAX Leap engine - the consequences of that logic causing this accident would be massive.
June 15, 2025, 04:19:00 GMT
permalink Post: 11903424
Okay! Many thanks for that! Of course, it very much complicates the picture, and I'm very puzzled as to how the Fuel Cutoff Switches and Valves operate. Apparently, the TCAM system shuts off an errant engine on the ground at least, but my concern is not with the software but the hardware. It obviously has an Output going into the Fuel Shutoff system. If the TCAM unit loses power, can that output cause the Cutoff process (powered by the engine-dedicated generator) to be activated? I guess that's the $64 billion question, but if MCAS is any example, then: Probably!
TCMA (not TCAM) - Thrust Control Malfunction Accommodation - is a FADEC based system. It's resident in the engine FADEC (aka EEC) - the ONLY inputs from the aircraft that go into the TCMA is air/ground (to enable) and thrust lever position (to determine if the engine is doing what it's being commanded to do. The FADEC has the ability to shutdown the engine via the N2 overspeed protection system - this is separate from the aircraft run/cutoff signal, although it uses the same HPSOV to effect the shutdown. That same system is used by TCMA to shutoff fuel if it determines the engine is 'running away'.
Hint, you might try going back a few pages and reading where all this has been posted previously.
June 17, 2025, 17:17:00 GMT
permalink Post: 11904484
Having gone through every possible way the aircraft (or those in it) can shut down both engines, thought it would be helpful to look at what investigators have looked at/for in a somewhat similar case. Perhaps it will move the discussion to more unplowed ground.
Going through AAIB Bulletin10/2008 from the British AAIB in the BA 38 case. Before finding the exact cause, they had investigated the following with findings in quotes:
1. General aircraft examination - "no pre‑existing defects with the electrical systems, hydraulics, autoflight systems, navigation systems or the flying controls."
2. Spar valves - "Extensive testing to induce an uncommanded movement, that remained unrecorded, could not identify any such failure modes."
3. High Intensity Radiated Field (HIRF) and Electro- Magnetic Interference(EMI) - "There is therefore no evidence to suggest that HIRF or EMI played any part in this accident."
4. Fuel System - "The examination and testing found no faults in the aircraft fuel system that could have restricted the fuel flow to the engines."
5. Engines - "No pre‑existing defects or evidence of abnormal operation were found with the exception of signs of abnormal cavitation erosion on the delivery side of both HP pumps. Some small debris was recovered from the left FOHE inlet chamber but this would not have restricted the fuel flow."
6. Fuel Loading/Fuel Testing - "No evidence of contamination was found." "The properties of the sampled fuel were also consistent with the parameters recorded in the quality assurance certificate for the bulk fuel loaded onto G‑YMMM at Beijing."
7. Water in Fuel - "It is estimated that the fuel loaded at Beijing would have contained up to 3 ltr (40 parts per million (ppm)) of dissolved water and a maximum of 2 ltr (30 ppm) of undissolved water (entrained or free). These quantities of water are considered normal for aviation turbine fuel."
Knowing the history of this flight, the previous flights and the climate that day, I left out all the discussion in the report of fuel waxing/ice. That seems as irrelevant as 'vapor lock'.
I too am beginning to think this will be, as an earlier poster termed it, a "unicorn" event.
Source: Bulletin_10-2008.pdf
Going through AAIB Bulletin10/2008 from the British AAIB in the BA 38 case. Before finding the exact cause, they had investigated the following with findings in quotes:
1. General aircraft examination - "no pre‑existing defects with the electrical systems, hydraulics, autoflight systems, navigation systems or the flying controls."
2. Spar valves - "Extensive testing to induce an uncommanded movement, that remained unrecorded, could not identify any such failure modes."
3. High Intensity Radiated Field (HIRF) and Electro- Magnetic Interference(EMI) - "There is therefore no evidence to suggest that HIRF or EMI played any part in this accident."
4. Fuel System - "The examination and testing found no faults in the aircraft fuel system that could have restricted the fuel flow to the engines."
5. Engines - "No pre‑existing defects or evidence of abnormal operation were found with the exception of signs of abnormal cavitation erosion on the delivery side of both HP pumps. Some small debris was recovered from the left FOHE inlet chamber but this would not have restricted the fuel flow."
6. Fuel Loading/Fuel Testing - "No evidence of contamination was found." "The properties of the sampled fuel were also consistent with the parameters recorded in the quality assurance certificate for the bulk fuel loaded onto G‑YMMM at Beijing."
7. Water in Fuel - "It is estimated that the fuel loaded at Beijing would have contained up to 3 ltr (40 parts per million (ppm)) of dissolved water and a maximum of 2 ltr (30 ppm) of undissolved water (entrained or free). These quantities of water are considered normal for aviation turbine fuel."
Knowing the history of this flight, the previous flights and the climate that day, I left out all the discussion in the report of fuel waxing/ice. That seems as irrelevant as 'vapor lock'.
I too am beginning to think this will be, as an earlier poster termed it, a "unicorn" event.
Source: Bulletin_10-2008.pdf
June 19, 2025, 18:05:00 GMT
permalink Post: 11906239
Fuel valves and TCMA software updates?
Commanded engine cutoff - the aisle stand fuel switch sends electrical signals to the spar valve and the "High Pressure Shutoff Valve" (HPSOV) in the Fuel Metering Unit, commanding them to open/close using aircraft power. The HPSOV is solenoid controlled, and near instantaneous. The solenoid is of a 'locking' type that needs to be powered both ways (for obvious reasons, you wouldn't want a loss of electrical power to shut down the engine). The fire handle does the same thing, via different electrical paths (i.e. separate wiring).
As I've noted previously, a complete loss of aircraft electrical power would not cause the engines to flameout (or even lose meaningful thrust) during takeoff. In the takeoff altitude envelope, 'suction feed' (I think Airbus calls it 'gravity feed') is more than sufficient to supply the engine driven fuel pumps. It's only when you get up to ~20k ft. that suction feed can become an issue - and this event happened near sea level.
Not matter what's happening on the aircraft side - pushing the thrust levers to the forward stop will give you (at least) rated takeoff power since the only thing required from the aircraft is fuel and thrust lever position (and the thrust lever position resolver is powered by the FADEC).
The TCMA logic is designed and scrubbed so as to be quite robust - flight test data of the engine response to throttle slams is reviewed to insure there is adequate margin between the TCMA limits and the actual engine responses to prevent improper TCMA activation. Again, never say never, but a whole lot would have had to go wrong in the TCMA logic for it to have activated on this flight.
Now, if I assume the speculation that the RAT deployed is correct, I keep coming up with two potential scenarios that could explain what's known regarding this accident:
1) TCMA activation shutdown the engines
or
2) The fuel cutoff switches were activated.
I literally can come up with no other plausible scenarios.
In all due respect to all the pilots on this forum, I really hope it wasn't TCMA. It wouldn't be the first time a mandated 'safety system' has caused an accident (it wouldn't just be Boeing and GE - TCMA was forced by the FAA and EASA to prevent a scenario that had never caused a fatal accident) - and there would be a lot embarrassing questions for all involved. But I personally know many of the people who created, validated, and certified the GEnx-1B TCMA logic - and can't imagine what they would be going through if they missed something (coincidentally, one of them was at my birthday party last weekend and inevitably we ended up talking about what we used to do at Boeing (he's also retired)). Worse, similar TCMA logic is on the GEnx-2B (747-8) - which I was personally responsible for certifying - as well as the GE90-115B and the 737 MAX Leap engine - the consequences of that logic causing this accident would be massive.
As I've noted previously, a complete loss of aircraft electrical power would not cause the engines to flameout (or even lose meaningful thrust) during takeoff. In the takeoff altitude envelope, 'suction feed' (I think Airbus calls it 'gravity feed') is more than sufficient to supply the engine driven fuel pumps. It's only when you get up to ~20k ft. that suction feed can become an issue - and this event happened near sea level.
Not matter what's happening on the aircraft side - pushing the thrust levers to the forward stop will give you (at least) rated takeoff power since the only thing required from the aircraft is fuel and thrust lever position (and the thrust lever position resolver is powered by the FADEC).
The TCMA logic is designed and scrubbed so as to be quite robust - flight test data of the engine response to throttle slams is reviewed to insure there is adequate margin between the TCMA limits and the actual engine responses to prevent improper TCMA activation. Again, never say never, but a whole lot would have had to go wrong in the TCMA logic for it to have activated on this flight.
Now, if I assume the speculation that the RAT deployed is correct, I keep coming up with two potential scenarios that could explain what's known regarding this accident:
1) TCMA activation shutdown the engines
or
2) The fuel cutoff switches were activated.
I literally can come up with no other plausible scenarios.
In all due respect to all the pilots on this forum, I really hope it wasn't TCMA. It wouldn't be the first time a mandated 'safety system' has caused an accident (it wouldn't just be Boeing and GE - TCMA was forced by the FAA and EASA to prevent a scenario that had never caused a fatal accident) - and there would be a lot embarrassing questions for all involved. But I personally know many of the people who created, validated, and certified the GEnx-1B TCMA logic - and can't imagine what they would be going through if they missed something (coincidentally, one of them was at my birthday party last weekend and inevitably we ended up talking about what we used to do at Boeing (he's also retired)). Worse, similar TCMA logic is on the GEnx-2B (747-8) - which I was personally responsible for certifying - as well as the GE90-115B and the 737 MAX Leap engine - the consequences of that logic causing this accident would be massive.
I seem to remember Fred Dibner talking about how railway cars brake by draining the piston not by pressurising it, so trains will stop when supply lines break.
The electrical system updates to 787s for ADs and SBs - do any of these include software updates? For example the integer overflow causing GCU failsafe rectified under AD 2018-20-15. If so, who is writing and implementing these software updates? The original engineers? Their apprentices who had years long handovers? Or have they been outsourced and offshored? When these updates occur, does the entire system get tested and ratified or just the bit the bug fix is meant to fix? Because I\x92ve seen new bugs introduced by bug fixes in areas seemingly nothing to do with the original problem.
June 19, 2025, 18:48:00 GMT
permalink Post: 11906263
June 20, 2025, 02:46:00 GMT
permalink Post: 11906545
tdracer addressed the shutoff valve operation earlier: "the aisle stand fuel switch sends electrical signals to the spar valve and the "High Pressure Shutoff Valve" (HPSOV) in the Fuel Metering Unit, commanding them to open/close using aircraft power. The HPSOV is solenoid controlled, and near instantaneous.
The solenoid is of a 'locking' type that needs to be powered both ways (for obvious reasons, you wouldn't want a loss of electrical power to shut down the engine).
"
June 20, 2025, 11:20:00 GMT
permalink Post: 11906855
There are numerous pictures ot the outside of B787 centre tanks on the net. Does anyone one have any internal pictures, showing the tank floor and fuel pump pick ups?
We know the engines lost power in the initial climb, shortly after rotation. If there was water sitting between the tank lower skin stringers, the rotation would have been the point that the water could tumble over the stringers that were previously preventing its movement. accumulate at the back of the tank and enter both pumps more or less simultaneously.
We know the engines lost power in the initial climb, shortly after rotation. If there was water sitting between the tank lower skin stringers, the rotation would have been the point that the water could tumble over the stringers that were previously preventing its movement. accumulate at the back of the tank and enter both pumps more or less simultaneously.
In a well designed boat, you'd have each engine feeding from a different tank for the utmost in redundancy, but seemingly not so in all aircraft.
June 20, 2025, 11:29:00 GMT
permalink Post: 11906865
I had been wondering the same until I read that there is a forward and a rear pickup within the tank. Each pump in the centre tank draws from it's own pickup and is piped to the spar valves and then onto the engines.
In a well designed boat, you'd have each engine feeding from a different tank for the utmost in redundancy, but seemingly not so in all aircraft.
In a well designed boat, you'd have each engine feeding from a different tank for the utmost in redundancy, but seemingly not so in all aircraft.
June 20, 2025, 11:51:00 GMT
permalink Post: 11906889
I perfectly understand that there is much talking about TCMA here.
There is no direct evidence of what caused the crash but several indirect evidences point towards a near simultaneous shutdown of both engines without any visual clue of a catastrophic mechanical mishap. This leads to suspecting near simultaneous fuel starvation of both engines.
As the purpose of TCMA is shutting down the High Pressure Shut-Off Valve (HPSOV) and thus the fuel feed of an engine, it's normal to collect information on TCMA, on how it works, and on what data feeds it.
However, I hardly understand why there is no similar discussion about the spar valves and the systems that control their opening and closure.
I understand that the B787 spar valves are located in the MLG well, or at least are maintained from within that well.
If the engine shutdown happened when the gear retraction was commanded, that's a location commonality (although it's very unlikely that a mechanical problem happened in both wells at the same time).
Also I understand that there are several systems that command the opening or closing of the spar valves:
- opening: "Engine control panel switch" set to "START", or "Fuel control switch" set to "RUN"
- closing: "Engine fire handle" pulled out. (I wonder if "Fuel control switch" set to "CUTOFF" also closes the spar valve).
Are there direct wires running from these controls to the valves or is there a pair of control units receiving these signals and controlling the valve actuators?
If the latter is true, where are these control units? I guess that the likely location is the aft EE bay. Are they beside each other?
There is no direct evidence of what caused the crash but several indirect evidences point towards a near simultaneous shutdown of both engines without any visual clue of a catastrophic mechanical mishap. This leads to suspecting near simultaneous fuel starvation of both engines.
As the purpose of TCMA is shutting down the High Pressure Shut-Off Valve (HPSOV) and thus the fuel feed of an engine, it's normal to collect information on TCMA, on how it works, and on what data feeds it.
However, I hardly understand why there is no similar discussion about the spar valves and the systems that control their opening and closure.
I understand that the B787 spar valves are located in the MLG well, or at least are maintained from within that well.
If the engine shutdown happened when the gear retraction was commanded, that's a location commonality (although it's very unlikely that a mechanical problem happened in both wells at the same time).
Also I understand that there are several systems that command the opening or closing of the spar valves:
- opening: "Engine control panel switch" set to "START", or "Fuel control switch" set to "RUN"
- closing: "Engine fire handle" pulled out. (I wonder if "Fuel control switch" set to "CUTOFF" also closes the spar valve).
Are there direct wires running from these controls to the valves or is there a pair of control units receiving these signals and controlling the valve actuators?
If the latter is true, where are these control units? I guess that the likely location is the aft EE bay. Are they beside each other?
Last edited by Luc Lion; 20th June 2025 at 12:57 .
June 20, 2025, 17:12:00 GMT
permalink Post: 11907144
tdracer posted - "
Commanded engine cutoff - the aisle stand fuel switch sends electrical signals to the spar valve and the "High Pressure Shutoff Valve" (HPSOV) in the Fuel Metering Unit, commanding them to open/close using aircraft power. The HPSOV is solenoid controlled, and near instantaneous. The solenoid is of a 'locking' type that needs to be powered both ways (for obvious reasons, you wouldn't want a loss of electrical power to shut down the engine). The fire handle does the same thing, via different electrical paths (i.e. separate wiring)."
Search this thread for "HPSOV" if you need confirmation of the quote.
Note there are two shut off fuel valves per engine - the HPSOV and the Spar valve. Both stay where they are if power is lost.
Search this thread for "HPSOV" if you need confirmation of the quote.
Note there are two shut off fuel valves per engine - the HPSOV and the Spar valve. Both stay where they are if power is lost.
June 20, 2025, 17:18:00 GMT
permalink Post: 11907146
tdracer posted - "
Commanded engine cutoff - the aisle stand fuel switch sends electrical signals to the spar valve and the "High Pressure Shutoff Valve" (HPSOV) in the Fuel Metering Unit, commanding them to open/close using aircraft power. The HPSOV is solenoid controlled, and near instantaneous. The solenoid is of a 'locking' type that needs to be powered both ways (for obvious reasons, you wouldn't want a loss of electrical power to shut down the engine). The fire handle does the same thing, via different electrical paths (i.e. separate wiring)."
Search this thread for "HPSOV" if you need confirmation of the quote.
Note there are two shut off fuel valves per engine - the HPSOV and the Spar valve. Both stay where they are if power is lost.
Search this thread for "HPSOV" if you need confirmation of the quote.
Note there are two shut off fuel valves per engine - the HPSOV and the Spar valve. Both stay where they are if power is lost.
June 20, 2025, 23:51:00 GMT
permalink Post: 11907396
Wouldn't "fail safe open" imply that the valves would open on loss of control signals or power. They don't. They stay just where they were before loss of power or control signal. If I understood tdracer's description of the HPSOV it can only be open or closed. That's not true of the spar valves which are motor driven and can stop in any intermediate position if power is lost.
The only way this is relevant to the accident is if the shut off valves had been commanded closed and then power had been lost. The valves would not open.
The only way this is relevant to the accident is if the shut off valves had been commanded closed and then power had been lost. The valves would not open.
June 21, 2025, 08:13:00 GMT
permalink Post: 11907564
Wouldn't "fail safe open" imply that the valves would open on loss of control signals or power. They don't. They stay just where they were before loss of power or control signal. If I understood tdracer's description of the HPSOV it can only be open or closed. That's not true of the spar valves which are motor driven and can stop in any intermediate position if power is lost.
The only way this is relevant to the accident is if the shut off valves had been commanded closed and then power had been lost. The valves would not open.
The only way this is relevant to the accident is if the shut off valves had been commanded closed and then power had been lost. The valves would not open.
What I mean is that with engines running, fuel shut off valve(S) open, if there is a loss of electrical power the valves will remain open.
This is standard design on all the gas turbine engines I have worked on.
June 21, 2025, 12:15:00 GMT
permalink Post: 11907698
Commanded engine cutoff - the aisle stand fuel switch sends electrical signals to the spar valve and the "High Pressure Shutoff Valve" (HPSOV) in the Fuel Metering Unit, commanding them to open/close using aircraft power.
The HPSOV is solenoid controlled, and near instantaneous. The solenoid is of a 'locking' type that needs to be powered both ways (for obvious reasons, you wouldn't want a loss of electrical power to shut down the engine)
. The fire handle does the same thing, via different electrical paths (i.e. separate wiring).
.
.
The engine driven fuel pump is a two-stage pump - a centrifugal pump that draws the fuel into the pump (i.e. 'suction feed'), and a gear pump which provides the high-pressure fuel to the engine and as muscle pressure to drive things like the Stator Vane and Bleed Valve actuators. It takes a minimum of ~300 PSI to run the engine -
the HPSOV is spring loaded closed and it takes approximately 300 psi to overcome that spring
.
Engine driven fuel pump failures are very rare, but have happened (usually with some 'precursor' symptoms that were ignored or mis-diagnosed by maintenance). It would be unheard of for engine driven fuel pumps to fail on both engines on the same flight.
Engine driven fuel pump failures are very rare, but have happened (usually with some 'precursor' symptoms that were ignored or mis-diagnosed by maintenance). It would be unheard of for engine driven fuel pumps to fail on both engines on the same flight.