tdracer
2025-06-15T21:35:00 permalink Post: 11902865 |
It was assumed for decades that in the event of uncontrollable high thrust (UHT) that the pilot would cut the fuel. Until there was a UHT event (1999?) on the takeoff roll and the crew - in an RTO - rode it all the way down and off the runway without cutting fuel. TCMA is primarily about the RTO scenario (throttle back to idle), and after that fleet event it became a requirement for FAA Part 25 certification.
The FAA pointed to this accident and said we couldn't depend on crew action to shutdown a runaway engine, and therefore any single failure that could result in uncontrollable high thrust was not compliant with 25.901(c) (basically says no single fault can result in an unsafe condition). This basically made every commercial airliner flying non-compliant as every turbine engine control system at that time had single faults that could cause UHT. I've never been 100% comfortable with TCMA (for reasons that should be all too obvious right now), but the regulators gave us few options. BTW, during the early development of the 747-8, we didn't have a robust way of providing air/ground to the FADECs - which the FAA immediately found objectionable since they never wanted the risk of TCMA being active in-flight. I eventually came up with a design change that would provide a robust air/ground indication (it solved several issues we were confronting at the time), so that concern went away - which made the FAA very happy. 23 users liked this post. |
FrequentSLF
2025-06-15T22:08:00 permalink Post: 11902892 |
What Alty posted is correct. There have always been single faults in the engine control systems that could cause uncommanded high thrust (UHT) - and such failures were considered in the safety analysis (e.g. FMEA) with the note that it wasn't unsafe as the pilot would shutdown the affected engine. Then there was a 737-200 event (JT8D engines) (1999 sounds about right - I'm thinking it was either an Egyptian operator or it happened in Egypt, but don't hold me to that) - the JT8D had an issue with excessive wear of the splined shaft that provided the N2 input into the hydromechanical fuel control. In this event, that splined shaft started slipping - causing the fuel control to think the N2 was below idle, and it kept adding fuel to try to get the N2 back above idle. This caused the engine to accelerate uncontrollably - the pilots pulled back the throttle and performed an RTO, but the engine didn't respond, and they went off the runway at low speed. Everyone evacuated safely, but the aircraft was destroyed by fire.
The FAA pointed to this accident and said we couldn't depend on crew action to shutdown a runaway engine, and therefore any single failure that could result in uncontrollable high thrust was not compliant with 25.901(c) (basically says no single fault can result in an unsafe condition). This basically made every commercial airliner flying non-compliant as every turbine engine control system at that time had single faults that could cause UHT. I've never been 100% comfortable with TCMA (for reasons that should be all too obvious right now), but the regulators gave us few options. BTW, during the early development of the 747-8, we didn't have a robust way of providing air/ground to the FADECs - which the FAA immediately found objectionable since they never wanted the risk of TCMA being active in-flight. I eventually came up with a design change that would provide a robust air/ground indication (it solved several issues we were confronting at the time), so that concern went away - which made the FAA very happy. 2 users liked this post. |
DIBO
2025-06-15T23:48:00 permalink Post: 11902978 |
unfamiliar with the 787/GEnx TCMA air/ground logic - on the 747-8 we used 5 sources of air/ground ....
|
tdracer
2025-06-15T23:50:00 permalink Post: 11902982 |
DO-178 unless propulsion systems are for some reason different from displays and flight controls.
I have been on the fringes of dissimilar hardware and dissimilar software designs (MD-11 flight controls). Sometimes it is necessary but there is a huge overhead in both development and test. Edit to add - Even with dissimilar processor and software the requirements for both will trace up to some common high level system requirements specification. There is a non-zero probability that those top level requirements were inadequate or included an error. I doubt the issue would be in top level requirements - those are pretty simple and straightforward. It's the devil of the details where an error might have occurred. All that being said, I have a hard time with the idea that TCMA activated without a big thrust lever movement (even if you assume an issue with the air/ground indication) - and there is absolutely no reason why the thrust levers would be moved right after rotation.
tdracer has let us know that TCMA relies on inputs from three radio altimeters and two WoW switches and that at least one from each set must report on-ground.
1 user liked this post. |
OldnGrounded
2025-06-16T00:52:00 permalink Post: 11903015 |
Petition for Time Limited Exemption to 14 CFR 25.901(c) at Amendment level 25-46 and 25-126 and 25.1309(b) at Amendment Level 25-41 and 25-123 for General Electric GEnx-1 B Thrust Control Malfunction Accommodation - 787 787-8, 787-9
https://downloads.regulations.gov/FA...tachment_1.pdf Grant of exemption: https://downloads.regulations.gov/FA...tachment_1.pdf I'll keep looking to find out what they actually did. 1 user liked this post. |
tdracer
2025-06-16T06:21:00 permalink Post: 11903132 |
Where does the logic block that takes the WoW and other inputs to generate the single air/ground indication live? Is it somewhere that would be affected by the aircraft power systems? Could a failure in the aircraft power cause a false ground indication to be sent to the FADECs?
The thrust lever inputs are hardwired (resolvers connected to the thrust levers, powered by the FADEC), other aircraft communications on the 787 are on an ethernet based network. Default mode for the FADEC if aircraft inputs are lost or invalid is "Air", as that is generally considered to be the 'safe' choice. But even assuming some aircraft fault caused the FADECs to falsely believe the aircraft was 'on-ground', it would still take a pretty major error in the TCMA logic for it to actually trigger and shutdown the engine (especially lacking an associated thrust lever movement to idle). Never say never, but we're getting pretty far out on the probability tree for all these things to happen. 15 users liked this post. |
Europa01
2025-06-16T08:03:00 permalink Post: 11903225 |
TCMA / FADEC
Repeating myself (again), but ALL the TCMA logic is resident in the FADEC. It takes aircraft inputs of air/ground (again, not familiar with the specifics of the air/ground logic used on the 787/GEnx-1B, so don't ask), thrust lever position, and what the engine is actually doing (mainly N1) to determine if the engine is 'out of control'.
The thrust lever inputs are hardwired (resolvers connected to the thrust levers, powered by the FADEC), other aircraft communications on the 787 are on an ethernet based network. Default mode for the FADEC if aircraft inputs are lost or invalid is "Air", as that is generally considered to be the 'safe' choice. But even assuming some aircraft fault caused the FADECs to falsely believe the aircraft was 'on-ground', it would still take a pretty major error in the TCMA logic for it to actually trigger and shutdown the engine (especially lacking an associated thrust lever movement to idle). Never say never, but we're getting pretty far out on the probability tree for all these things to happen. Then, ask yourselves which extraordinarily low probability bundle of previously unrevealed faults could spontaneously manifest themselves on both engines simultaneously. Also ask yourselves why these faults manifested at that critical phase of flight and not during taxiing or take-off roll when some of the TCMA sensors would have been primed. 2 users liked this post. |
tdracer
2025-06-13T18:41:00 permalink Post: 11903417 |
OK, another hour spent going through all the posts since I was on last night...
I won't quote the relevant posts as they go back ~15 pages, but a few more comments:
TAT errors affecting N1 power set: The FADEC logic (BTW, this is pretty much common on all Boeing FADEC) will use aircraft TAT if it agrees with the dedicated engine inlet temp probe - but if they differ it will use the engine probe. The GE inlet temp probe is relatively simple and unheated, so (unlike a heated probe) a blocked or contaminated probe will still read accurately - just with greater 'lag' to actual temperature changes.
TCMA - first off, I have to admit that this does look rather like an improper TCMA activation, but that is very, very unlikely. For those who don't know, TCMA is a system to shutdown a runaway engine that's not responding to the thrust lever - basic logic is an engine at high power with the thrust lever at/near idle, and the engine not decelerating. However, TCMA is only active on the ground (unfamiliar with the 787/GEnx TCMA air/ground logic - on the 747-8 we used 5 sources of air/ground - three Radio Altimeters and two Weight on Wheels - at least one of each had to indicate ground to enable TCMA). TCMA will shutdown the engine via the N2 overspeed protection - nearly instantaneous. For this to be TCMA, it would require at least two major failures - improper air ground indication or logic, and improper TCMA activation logic (completely separate software paths in the FADEC). Like I said, very, very unlikely.
Fuel contamination/filter blockage: The fuel filters have a bypass - if the delta P across the filter becomes excessive, the filter bypasses and provides the contaminated fuel to the engine. Now this contaminated fuel could easily foul up the fuel metering unit causing a flameout, but to happen to two engines at virtually the same time would be tremendously unlikely.
Auto Thrust thrust lever retard - the TO lockup in the logic makes this very unlikely (it won't unlock below (IIRC) 400 ft., and even that requires a separate pilot action such as a mode select change or thrust lever movement). And if it did somehow happen, all the pilot needs to do is push the levers back up.
Engine parameters on the FDR: I don't know what exactly is on the 787 FDR with regards to engine parameters, but rest assured that there is plenty of engine data that gets recorded - most at one/second. Getting the FDR readout from a modern FDR is almost an embarrassment of riches. Assuming the data is intact, we'll soon have a very good idea of what the engines were doing.
3 users liked this post. |
fdr
2025-06-13T22:13:00 permalink Post: 11903712 |
At this stage, at least two scenarios seem highly plausible:
1. Technical issue Airliners rely on air/ground logic, which is fundamental to how systems operate. There have been numerous crashes and serious incidents linked to this logic functioning incorrectly. Some engineering tests require the air/ground switch to be set in a particular mode. If it's inadvertently left in engineering mode—or if the system misinterprets the mode—this can cause significant problems.
2. Pilot misselection of fuel control switches to cutoff This is still a very real possibility. If it occurred, the pilot responsible may not have done it consciously—his mindset could have been in a different mode. There’s precedent: an A320 pilot once inadvertently shut down both engines over Paris. Fortunately, the crew managed to restart them. Afterward, the pilot reportedly couldn’t explain his actions. If something similar happened here, then when the pilots realized the engines had stopped producing thrust, pushing the levers forward would have had no effect. It’s easy to overlook that the fuel switches are in the wrong position—they're far from the normal scan pattern. And with the ground rushing up, the view outside would’ve been far more commanding. Speaking personally, when I shut down engines at the end of a flight, I consciously force myself to operate each fuel switch independently and with full attention. I avoid building muscle memory that might lead to switching off both engines in a fast, well-practiced habit. If this is a technical issue, I assume we’ll know soon enough. On item 2, the video shows no asymmetry at any time, so there is only a symmetric failure of the engines possible. Back on a B747 classic, you could chop all 4 engines at the same time with one hand, on a B737, also, not so much on a B777 or B787. I would doubt that anyone used two hands to cut the fuel at screen height. Note, there was a B744 that lost one engine in cruise when a clip board fell off the coaming. Didn't happen twice, and it only happened to one engine.
Yes indeed, the moment they pulled the gear lever, as we see the gear begin the retraction process, and then suddenly stop. Almost as if they suddenly lost power.
We can see the landing gear retraction process begin. We see the bogies tilted in the second video. We can hear the RAT. We can see the RAT. We can see the flaps extended in the video and at the crash site. There isn't actually a single piece of evidence the flaps were raised, it's just a conclusion people jumped to before evidence began to emerge. The crazy thing is, when the report comes out and there is no mention of flaps none of the people who have been pushing the flap theory will self reflect or learn anything. They'll think those of us who didn't buy into it were just lucky, rather than it being down to use of fairly simple critical thinking. Neila83 is correct, the gear tilt pre retraction is rear wheels low, and at the commencement of the selection of the retraction cycle (generally), There is enough in the way of anomalies here to end up with regulatory action, and airlines themselves should/will be starting to pore over their systems and decide if they are comfortable with the airworthiness of the aircraft at this moment. A latent single point of failure is not a comfortable place to be. Inhibiting TCMA might be a good interim option, that system could have been negated by having the ATR ARM switches....(Both)... ARM deferred to the before takeoff checks. The EAFR recovery should result in action within the next 24-48 hours. Boeing needs to be getting their tiger teams warmed up, they can ill afford to have a latent system fault discovered that is not immediately responded to, and the general corporate response of "blame the pilots" is not likely to win any future orders. I think we are about to have some really busy days for the OEM. Not sure that Neila83 is that far off the mark at all. |
tdracer
2025-06-14T23:05:00 permalink Post: 11903421 |
I am curious to learn what power source drives the high-pressure fuel pumps in the engine. If there is such a thing, I suppose there would.
Gearbox? This is at odds with a possible cascading electric failure that (might have) caused a loss of engine fuel feed. To my understanding on my ancient plane and engine design, the HP pumps that feed the nozzles are driven mechanically, which enables gravity feeding among other scenarios, but also assures the fuel supply is independent of whatever happens upstream of the nacelle. Except for LP/fire shut-off cocks. Engine driven fuel pump failures are very rare, but have happened (usually with some 'precursor' symptoms that were ignored or mis-diagnosed by maintenance). It would be unheard of for engine driven fuel pumps to fail on both engines on the same flight. As I've repeatedly posted, even a 100% aircraft power failure would not explain both engines quitting, at least without several other existing faults. Again, never say never, but you can only combine so many 10^-9 events before it becomes ridiculous... TCMA doesn't know what V1 is - it's active whenever the air/ground logic says the aircraft is on-ground. 4 users liked this post. |
tdracer
2025-06-15T00:30:00 permalink Post: 11903422 |
The 'good' news is that even a cursory check of the FDR will indicate if TCMA activated, so we'll soon know. 3 users liked this post. |
tdracer
2025-06-15T04:19:00 permalink Post: 11903424 |
Okay! Many thanks for that! Of course, it very much complicates the picture, and I'm very puzzled as to how the Fuel Cutoff Switches and Valves operate. Apparently, the TCAM system shuts off an errant engine on the ground at least, but my concern is not with the software but the hardware. It obviously has an Output going into the Fuel Shutoff system. If the TCAM unit loses power, can that output cause the Cutoff process (powered by the engine-dedicated generator) to be activated? I guess that's the $64 billion question, but if MCAS is any example, then: Probably! TCMA (not TCAM) - Thrust Control Malfunction Accommodation - is a FADEC based system. It's resident in the engine FADEC (aka EEC) - the ONLY inputs from the aircraft that go into the TCMA is air/ground (to enable) and thrust lever position (to determine if the engine is doing what it's being commanded to do). The FADEC has the ability to shutdown the engine via the N2 overspeed protection system - this is separate from the aircraft run/cutoff signal, although it uses the same HPSOV to effect the shutdown. That same system is used by TCMA to shutoff fuel if it determines the engine is 'running away'. Hint, you might try going back a few pages and reading where all this has been posted previously. 1 user liked this post. |
tdracer
2025-06-15T21:03:00 permalink Post: 11903426 |
Would be interesting to understand more about the exact definition of TCMA’s “on the ground“ and some more detailed insight into its implementation (only one or more WoW’s or multiple sensing?… is there a switch on the gear added? …is there an ALT/AGL check?.. how is implementation split over HW/FW/SW? … ).
Also, how could external factors impact that sequence to run. Appreciating your previous answers (as usual). Apologies for a few terse posts last night, but a couple of inane posts (by a usual suspect) really set me off. I've never used the 'ignore' function, but I may need to revisit that. I posted this previously, but it was about 70 pages ago, so I understand not going back that far, or forgetting that tidbit amongst all the noise. In short, I'm not familiar with the specific air/ground logic on the 787/GEnx-1B - the logic I posted (3 radio altimeters, 2 Weight on Wheels, at least one of each must indicate 'on-ground') is for the 747-8 (which I'm intimately familiar with). I have a vague recollection of a discussion with my GEnx-1B counterpart 10 or more years ago that suggested that the 787 was not as complex as the 747-8, but I don't recall any details. Basic FADEC logic (BTW, as someone else noted - it's "Full Authority", not "Autonomous") is to default to 'air' if in doubt, as it's considered to be 'safer'. The only real hardware in the TCMA system is the N2 overspeed shutdown system - which goes through a BITE style functional test on every engine start. Everything else is in software - with the only aircraft inputs being Air/Ground and thrust lever position. As I've posted previously, the FADEC is powered by a dedicated Permanent Magnet Alternator (PMA) - aircraft power is used only as a backup for starting or if the PMA fails. If the FADEC determines it is running on aircraft power with engine running (i.e. the PMA has failed), it sets a 'No Dispatch' fault message. 2 users liked this post. |
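The air/ground vote and the TCMA trip condition described in the post above and in the 13 June post, written out as an added C example; it is not Boeing, GE or any poster's code. The 3 radio altimeter / 2 WoW counts and the default to 'air' come from the posts (747-8 figures); the thresholds and all type and function names are placeholders assumed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define N_RA  3   /* radio altimeters (747-8 figure quoted in the posts) */
#define N_WOW 2   /* weight-on-wheels sources */

/* Placeholder thresholds: assumptions for this example, not real values. */
#define LEVER_NEAR_IDLE_PCT  5.0   /* lever travel at or below this is "at/near idle" */
#define N1_HIGH_POWER_PCT   80.0   /* N1 at or above this is "high power" */
#define N1_DECEL_PCT_PER_S  -2.0   /* N1 rate at or below this is "decelerating" */

typedef enum { AG_AIR = 0, AG_GROUND = 1 } ag_state_t;
typedef struct { bool valid; bool on_ground; } discrete_t;

/* True only if some source is both valid and reporting ground. */
static bool any_valid_ground(const discrete_t *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (s[i].valid && s[i].on_ground)
            return true;
    return false;
}

/* Ground needs at least one RA AND at least one WoW. Lost or invalid
 * inputs can never contribute to "ground", so the result falls to AIR. */
ag_state_t air_ground(const discrete_t *ra, const discrete_t *wow)
{
    return (any_valid_ground(ra, N_RA) && any_valid_ground(wow, N_WOW))
               ? AG_GROUND : AG_AIR;
}

/* Trip condition: enabled on ground only, lever at/near idle,
 * engine at high power, and engine not decelerating. */
bool trips(ag_state_t ag, double lever_pct, double n1_pct, double n1_rate)
{
    if (ag != AG_GROUND)
        return false;
    return lever_pct <= LEVER_NEAR_IDLE_PCT
        && n1_pct >= N1_HIGH_POWER_PCT
        && n1_rate > N1_DECEL_PCT_PER_S;
}

/* Helper for constructed scenarios: bit i of each mask describes source i. */
static void unpack(discrete_t *s, size_t n, unsigned valid, unsigned gnd)
{
    for (size_t i = 0; i < n; i++) {
        s[i].valid = (valid >> i) & 1u;
        s[i].on_ground = (gnd >> i) & 1u;
    }
}

ag_state_t vote(unsigned ra_valid, unsigned ra_gnd,
                unsigned wow_valid, unsigned wow_gnd)
{
    discrete_t ra[N_RA], wow[N_WOW];
    unpack(ra, N_RA, ra_valid, ra_gnd);
    unpack(wow, N_WOW, wow_valid, wow_gnd);
    return air_ground(ra, wow);
}

int main(void)
{
    /* Constructed sample values, not recorded data. */
    printf("RTO, runaway engine:          %d\n", trips(vote(7, 7, 3, 3), 0.0, 95.0, 0.5));
    printf("airborne, takeoff thrust:     %d\n", trips(vote(7, 0, 3, 0), 100.0, 95.0, 0.5));
    printf("all aircraft inputs invalid:  %d\n", trips(vote(0, 7, 0, 3), 0.0, 95.0, 0.5));
    printf("one WoW falsely on ground:    %d\n", trips(vote(7, 0, 3, 1), 0.0, 95.0, 0.5));
    printf("false ground, lever at TO:    %d\n", trips(vote(7, 1, 3, 1), 100.0, 95.0, 0.5));
    printf("ground, normal spool-down:    %d\n", trips(vote(7, 7, 3, 3), 0.0, 90.0, -8.0));
    return 0;
}
```

Only the first scenario trips: a false 'ground' from one sensor family is outvoted, and a false 'ground' from both families still needs the lever/N1 disagreement, which is the two-failure argument made in the posts.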
OldnGrounded
2025-06-17T03:34:00 permalink Post: 11903943 |
Thanks. Do we know that these are monitored by TCMA for air/ground state and if so, do we know the logic used to make a determination based on those inputs? Alternatively, do you know where we should be looking for those answers?
2 users liked this post. |
dragon6172
2025-06-17T03:57:00 permalink Post: 11903950 |
Most pundits have identified the gear-tilt as evidence that only the centre electrically-driven pump can do the gear-tilt if the engines' other two hyd systems are suddenly both in QUIT mode (which accords also with the instant RAT deployment and loud noise heard by the sole survivor) - and an ensuing transition from climb-out to a deadly sinking and commensurate attitude change for speed maint.
No idea. I only got that info from the Master MEL on the FAA website. According to the MMEL the aircraft can be dispatched as long as there is one of each type sensor working on each main gear. (AI's MEL could be more restrictive) |