2025-06-14T22:33:00
permalink Post: 11901909
2025-06-14T22:34:00
permalink Post: 11901910
Now, if I assume the speculation that the RAT deployed is correct, I keep coming up with two potential scenarios that could explain what's known regarding this accident:
1) TCMA activation shutdown the engines
or
2) The fuel cutoff switches were activated.
I literally can come up with no other plausible scenarios.
1) TCMA activation shutdown the engines
or
2) The fuel cutoff switches were activated.
I literally can come up with no other plausible scenarios.
Am I right in saying, from a mathmatical perspective, that dual engine flame out due biocide overdose would be more likely than a TCMA activation shutting down the engines? Considering we have examples of engines reducing to idle within seconds of each other in the past, but we have no examples of airborne TCMA issues I would have thought this to be the case. Likewise, nefarious intent also appears more likely statistically than a TCMA issue.
I have high-school level statistics under my belt so I pose that as a question for people much smarter than myself.
2025-06-14T22:43:00
permalink Post: 11901915
I've seen nothing to confirm if or when the engines stopped providing thrust, but if you assume that it happened and that it came after the wheels left the ground then you'd also have to assume there was a pretty serious design flaw in the WOW system for it to falsely indicate weight on the wheels just because there was an issue raising the gear. It feels like kinda the same thing as assuming a serious flaw in the overall TCMA system.
1 user liked this post.
2025-06-14T22:46:00
permalink Post: 11901919
I’d like to give you another option to consider in what must be a worrying time;
Am I right in saying, from a mathmatical perspective, that dual engine flame out due biocide overdose would be more likely than a TCMA activation shutting down the engines? Considering we have examples of engines reducing to idle within seconds of each other in the past, but we have no examples of airborne TCMA issues I would have thought this to be the case. Likewise, nefarious intent also appears more likely statistically than a TCMA issue.
I have high-school level statistics under my belt so I pose that as a question for people much smarter than myself.
Am I right in saying, from a mathmatical perspective, that dual engine flame out due biocide overdose would be more likely than a TCMA activation shutting down the engines? Considering we have examples of engines reducing to idle within seconds of each other in the past, but we have no examples of airborne TCMA issues I would have thought this to be the case. Likewise, nefarious intent also appears more likely statistically than a TCMA issue.
I have high-school level statistics under my belt so I pose that as a question for people much smarter than myself.
Entirely valid to opine on the relative probability of different causes of course, just to note that by definition we are looking at an incredibly unlikely sequence of events.
7 users liked this post.
2025-06-14T23:05:00
permalink Post: 11901941
I am curious to learn what power source drives the high-pressure fuel pumps in the engine. If there is such a thing, I suppose there would.
Gearbox? This is at odds with a possible cascading electric failure that (might have) caused a loss of engine fuel feed.
To my understanding on my ancient plane and engine design, the HP pumps that feed the nozzles are driven mechanically, which enables gravity feeding among other scenarios, but also assures the fuel supply is independent of whatever happens upstream of the nacelle. Except for LP/fire shut-off cocks.
Gearbox? This is at odds with a possible cascading electric failure that (might have) caused a loss of engine fuel feed.
To my understanding on my ancient plane and engine design, the HP pumps that feed the nozzles are driven mechanically, which enables gravity feeding among other scenarios, but also assures the fuel supply is independent of whatever happens upstream of the nacelle. Except for LP/fire shut-off cocks.
Engine driven fuel pump failures are very rare, but have happened (usually with some 'precursor' symptoms that were ignored or mis-diagnosed by maintenance). It would be unheard of for engine driven fuel pumps to fail on both engines on the same flight.
As I've repeatedly posted, even a 100% aircraft power failure would not explain both engines quitting, at least without several other existing faults. Again, never say never, but you can only combine so many 10-9 events before it becomes ridiculous...
TCMA doesn't know what V1 is - it's active whenever the air/ground logic says the aircraft is on-ground.
16 users liked this post.
2025-06-14T23:20:00
permalink Post: 11901949
... The TCMA logic is designed and scrubbed so as to be quite robust - flight test data of the engine response to throttle slams is reviewed to insure there is adequate margin between the TCMA limits and the actual engine responses to prevent improper TCMA activation. Again, never say never, but a whole lot would have had to go wrong in the TCMA logic for it to have activated on this flight.
Now, if I assume the speculation that the RAT deployed is correct, I keep coming up with two potential scenarios that could explain what's known regarding this accident:
1) TCMA activation shutdown the engines
or
2) The fuel cutoff switches were activated.
I literally can come up with no other plausible scenarios.
In all due respect to all the pilots on this forum, I really hope it wasn't TCMA. It wouldn't be the first time a mandated 'safety system' has caused an accident (it wouldn't just be Boeing and GE - TCMA was forced by the FAA and EASA to prevent a scenario that had never caused a fatal accident) ...
5 users liked this post.
2025-06-14T23:54:00
permalink Post: 11901974
From tdracer
However, TCMA is only active on the ground (unfamiliar with the 787/GEnx TCMA air/ground logic - on the 747-8 we used 5 sources of air/ground - three Radio Altimeters and two Weight on Wheels - at least one of each had to indicate ground to enable TCMA). TCMA will shutdown the engine via the N2 overspeed protection - nearly instantaneous. For this to be TCMA, it would require at least two major failures - improper air ground indication or logic, and improper TCMA activation logic (completely separate software paths in the FADEC). Like I said, very, very unlikely.
However, TCMA is only active on the ground (unfamiliar with the 787/GEnx TCMA air/ground logic - on the 747-8 we used 5 sources of air/ground - three Radio Altimeters and two Weight on Wheels - at least one of each had to indicate ground to enable TCMA). TCMA will shutdown the engine via the N2 overspeed protection - nearly instantaneous. For this to be TCMA, it would require at least two major failures - improper air ground indication or logic, and improper TCMA activation logic (completely separate software paths in the FADEC). Like I said, very, very unlikely.
Of course you can have two or three systems that are coded by different teams, using different languages, running in different hardware, even if they are fed from the same sensors, as long as you have many sensors (as tdracer has indicated, 5 inputs on the 747 for instance - although only needing 2 to be true does seem to reduce that margin for error somewhat).
If these two or three systems all have to send independent signals to the downstream hardware (the engine in this case) and the engine requires more than one signal to take the dangerous action like shutdown, then you're more protected, but that doesn't seem to be how the 787 works from the descriptions here by the experts like td and fdr. But please correct me if I'm wrong on that.
Its hard to imagine how else you could simultaneously cut both engines any other way, as tdracer said, other than human action or by software command. And software command means software failure. So information and discussion about exactly how redundant the software that takes this decision is would seem a good direction to move this discussion in. Is it truly only redundant 'internally' to itself, the module that sends this message to the engines? We heard about the 32 bit overflow bug that can shutdown engines - is it really that hard to believe that it has no other similar bugs when that one slipped through the testing?
2025-06-15T00:08:00
permalink Post: 11901978
Lull
Consider losing one engine on the Dream. If it is a generator that's failed let's say #2 . Do the electric fuel pumps lose power? Only in #2? Does the mechanical pump start feeding right away? If so, is there a lull? Are both engines fuel pumps supplied off one Gen?
See I think there was no simultaneous loss of both 1, 2.
The odds give me a migraine. I still wonder if TCMA knows the difference between parked, rolling, rotated brakes and stowed. Only parenthetically, it didn't do this
See I think there was no simultaneous loss of both 1, 2.
The odds give me a migraine. I still wonder if TCMA knows the difference between parked, rolling, rotated brakes and stowed. Only parenthetically, it didn't do this
2025-06-15T00:30:00
permalink Post: 11901992
The 'good' news is that even a cursory check of the FDR will indicate if TCMA activated, so we'll soon know.
8 users liked this post.
2025-06-15T00:34:00
permalink Post: 11901995
TCMA independently monitors each engine and automatically reduces engine power when it detects the failure of an aircraft engine to throttle down when idle or low thrust is selected. TCMA will only cut fuel to an engine if the aircraft is on the ground and it detects an anomaly between the high power condition of the aircraft's engine when the thrust levers are set for idle or low thrust. There is no evidence in the video of the takeoff roll for AI171 to indicate that its thrust levers were set at idle or low thrust.
2025-06-15T00:50:00
permalink Post: 11902002
777 Driver for a legacy here.
This is a 10 hr ish sector. Would there not be a 3rd crew on this? There definitely is in my outfit for that length.
I was of the belief of flap mis-selection as I have seen in the past. However, with video fly past noise, the sound spectral analysis, I am happy to be convinced that the RAT was out.
There are only a few scenarios where this happens - electrical malfunction would not cause the engine to shutdown. However the engines shutting down would cause the electric malfucntion depowering the BUS' which activates the RAT. This is a billion to one chance. Can't see it happening.
This is a 10 hr ish sector. Would there not be a 3rd crew on this? There definitely is in my outfit for that length.
I was of the belief of flap mis-selection as I have seen in the past. However, with video fly past noise, the sound spectral analysis, I am happy to be convinced that the RAT was out.
There are only a few scenarios where this happens - electrical malfunction would not cause the engine to shutdown. However the engines shutting down would cause the electric malfucntion depowering the BUS' which activates the RAT. This is a billion to one chance. Can't see it happening.
Does TCMA understand WoW prior to taxi!? Taxiing, accelerating? Rotation, Braking, Stowed? Does the software? Does the subset? Who designed it's Contours?
2025-06-15T00:54:00
permalink Post: 11902008
I think it needs to be said again that pretty much anything can happen to the aircraft systems and the engines will carry on running - this is by design as they have independent FADEC and power supplies and at sea level fuel will get through without boost pumps. You could almost saw the wing off the fuselage and the engine would still produce thrust, TCMA notwithstanding.
Anyway, the thing I'm looking at is how the fuel cutoff switch function could have been activated in some other way. To me, it seems obvious that there are wires that run between the engine fuel shutoff valves and the cockpit / flight control panel (no doubt with relays etc in between). I don't know where those shutoff valves are located, but logic says they should be located in the fuselage, not out at the engines. I also don't know how those valves operate - are they solenoid valves or electro-mechanically driven? Nor do I know where the power to activate those valves comes from, but using my logic, if those valves close when powered off, such as solenoid valves typically do, then the power cannot exclusively come from the engine-dedicated generators. If it did, you'd never be able to start the engines so they could supply their own power to hold those valves open. So, there must be some power (appropriately) fed from the main aircraft control bus to activate those valves - if the rest of what I'm assuming is correct. Anyway, like I say, I don't know enough about the details at this point, but there are many more ways to activate or deactivate a circuit than by flicking a switch. Killing the relevant power supply, for example. A screwdriver across some contacts (for example), another. Shorting a wire to Chassis, maybe. Just trying to contribute what I can.
You raise another interesting point: "TCMA notwithstanding". Could you elaborate, please? What will happen if the TCMA system, which apparently also has some degree of engine control, loses power? The problem with interlinked circuits and systems is that sometimes, unexpected things can happen when events that were not considered actually happen. If one module, reporting to another, loses power or fails, sometimes it can "tell" the surviving module something that isn't true... My concern is where does the power to the Fuel Cutoff switches come from? Are there relays or solid-state switches (or what?) between the Panel Switches and the valves? If so, is the valve power derived from a different source, and if so, where? Are the valves solenoids, open when power applied, or something else? What is the logic involved, between switch and valve?
Would you mind answering these questions so I can ponder it all further, please? If I'm wrong, I'll happily say so.
We don\x92t know yet what actually triggered the RAT from the relatively short list but every item on it means there is a serious/critical failure(s). The flight path suggests that it was a double engine failure or shutdown (commanded or uncommanded) as anything else should have left the aeroplane in a poor state but able to climb away.
1 user liked this post.
2025-06-15T01:21:00
permalink Post: 11902026
I can buy the AC power loss, but TCMA activation as well - That\x92s a stretch. TCMA is available on the ground and on approach and will activate if the engine thrust doesn\x92t follow the Thrust Lever command. On the ground it will shut the engine down (think RTO with engine stuck at T/O). On approach it will reduce the thrust if the engine doesn\x92t respond to the Thrust Lever command ala Cathay Pacific A330 (CMB - HKG) with the fuel contamination incident.
5 users liked this post.
2025-06-15T01:43:00
permalink Post: 11902040
MELs?
From tdracer
However, TCMA is only active on the ground (unfamiliar with the 787/GEnx TCMA air/ground logic - on the 747-8 we used 5 sources of air/ground - three Radio Altimeters and two Weight on Wheels - at least one of each had to indicate ground to enable TCMA). TCMA will shutdown the engine via the N2 overspeed protection - nearly instantaneous. For this to be TCMA, it would require at least two major failures - improper air ground indication or logic, and improper TCMA activation logic (completely separate software paths in the FADEC). Like I said, very, very unlikely.
However, TCMA is only active on the ground (unfamiliar with the 787/GEnx TCMA air/ground logic - on the 747-8 we used 5 sources of air/ground - three Radio Altimeters and two Weight on Wheels - at least one of each had to indicate ground to enable TCMA). TCMA will shutdown the engine via the N2 overspeed protection - nearly instantaneous. For this to be TCMA, it would require at least two major failures - improper air ground indication or logic, and improper TCMA activation logic (completely separate software paths in the FADEC). Like I said, very, very unlikely.
2025-06-15T01:53:00
permalink Post: 11902043
Also a newcomer here, but an experienced private pilot, Software Engineer with a degree in Aerospace Computer Science and former Head of Quality for Satellites and Interplanetary Missions. We have already seen bad software solutions and the results thereof in the 737 MAX accidents, which makes me wonder, if the TCMA can reach a state, where unintended engine shutdown is possible.
There is one system implemented in the 787, that has the authority to shut down the engines, based on software subsystem decision. Interestingly - according to the description in the patent below - the same TCMA software package determines the shutdown decision, in both redundant subsystems.
Excerpt from the Patent:
"Malfunctions in aircraft power plant thrust control systems can result in uncontrollable high engine power levels that are potentially hazardous or catastrophic for aircraft operation. A particularly hazardous situation is when a thrust control system failure results in one of the aircraft's engines continuing to operate at a high power condition and not responding to a throttle command to reduce power during takeoff, approach or landing. Typically, when this failure mode occurs, the actual thrust either increases to a significantly higher than commanded thrust and/or remains at a high level when the thrust levers are set for low thrust....
In one preferred embodiment the present invention is directed to a system and method for detecting and correcting a thrust control malfunction in an aircraft engine. The system includes an electronic engine control (EEC) unit that includes a first processing subsystem and a second processing subsystem, and a thrust control malfunction accommodation (TCMA) circuit included in the first processing subsystem and the second processing subsystem. Additionally, the system includes a TCMA software package executed by the first processing subsystem and the second processing subsystem, thereby providing redundant execution of the TCMA software package.
The method of the present invention compares the engine's actual power level with a threshold contour defined by the TCMA software package. When the TCMA software package determines that a thrust control malfunction has occurred, based on the engine's power level exceeding the threshold contour, the engine is shut down by the TCMA circuit.
The present invention is still further directed to an electronic engine control (EEC) unit configured to detect and correct an aircraft engine thrust control malfunction using an active-active functionality. The EEC includes a first processing subsystem for unilaterally monitoring engine operation and shutting down the engine when a thrust control malfunction occurs, and a second processing subsystem for unilaterally monitoring engine operation and shutting down the engine when a thrust control malfunction occurs."
Just my 20 cents
There is one system implemented in the 787, that has the authority to shut down the engines, based on software subsystem decision. Interestingly - according to the description in the patent below - the same TCMA software package determines the shutdown decision, in both redundant subsystems.
Excerpt from the Patent:
"Malfunctions in aircraft power plant thrust control systems can result in uncontrollable high engine power levels that are potentially hazardous or catastrophic for aircraft operation. A particularly hazardous situation is when a thrust control system failure results in one of the aircraft's engines continuing to operate at a high power condition and not responding to a throttle command to reduce power during takeoff, approach or landing. Typically, when this failure mode occurs, the actual thrust either increases to a significantly higher than commanded thrust and/or remains at a high level when the thrust levers are set for low thrust....
In one preferred embodiment the present invention is directed to a system and method for detecting and correcting a thrust control malfunction in an aircraft engine. The system includes an electronic engine control (EEC) unit that includes a first processing subsystem and a second processing subsystem, and a thrust control malfunction accommodation (TCMA) circuit included in the first processing subsystem and the second processing subsystem. Additionally, the system includes a TCMA software package executed by the first processing subsystem and the second processing subsystem, thereby providing redundant execution of the TCMA software package.
The method of the present invention compares the engine's actual power level with a threshold contour defined by the TCMA software package. When the TCMA software package determines that a thrust control malfunction has occurred, based on the engine's power level exceeding the threshold contour, the engine is shut down by the TCMA circuit.
The present invention is still further directed to an electronic engine control (EEC) unit configured to detect and correct an aircraft engine thrust control malfunction using an active-active functionality. The EEC includes a first processing subsystem for unilaterally monitoring engine operation and shutting down the engine when a thrust control malfunction occurs, and a second processing subsystem for unilaterally monitoring engine operation and shutting down the engine when a thrust control malfunction occurs."
Just my 20 cents
2 users liked this post.
2025-06-15T01:56:00
permalink Post: 11902046
I've seen nothing to confirm if or when the engines stopped providing thrust, but if you assume that it happened and that it came after the wheels left the ground then you'd also have to assume there was a pretty serious design flaw in the WOW system for it to falsely indicate weight on the wheels just because there was an issue raising the gear. It feels like kinda the same thing as assuming a serious flaw in the overall TCMA system.
The donks were dead....
3 users liked this post.
2025-06-15T02:24:00
permalink Post: 11902058
Consider losing one engine on the Dream. If it is a generator that's failed let's say #2 . Do the electric fuel pumps lose power? Only in #2? Does the mechanical pump start feeding right away? If so, is there a lull? Are both engines fuel pumps supplied off one Gen?
See I think there was no simultaneous loss of both 1, 2.
The odds give me a migraine. I still wonder if TCMA knows the difference between parked, rolling, rotated brakes and stowed. Only parenthetically, it didn't do this
See I think there was no simultaneous loss of both 1, 2.
The odds give me a migraine. I still wonder if TCMA knows the difference between parked, rolling, rotated brakes and stowed. Only parenthetically, it didn't do this
The Thrust Control Malfunction Accommodation TCMA shuts down an engine when an idle asymmetry is detected . On the ground . With thrust levers at idle . The engine in question triggers the condition when it is above idle and not decelerating normally . That is multiple failure conditions that need to have occurred in the system to allow that to occur. It is nearly as wild a circumstance as the QFA 072 suspected cosmic bit flip, except that these are supposed to be independent systems. This does have the authority when the conditions exist to turn off the noise. That is the only reason it is a subject of interest.
The Thrust Asymmetry Protection gives a limited authority to reduce thrust on the surviving engine to maintain control. It would not trigger the conditions that the engines have gone silent, and hydraulics/electrics have been mussed up. That puts a spotlight on what has to go wrong on TCMA to get it to trigger outside of the conditions that it is intended to.
No yaw input, no roll input, no asymmetry. That leaves either both engines running at normal TO thrust or both having a simultaneous bad day out. Giving car keys to HAL 9000 can have some issues, and cosmic radiation is around a lot.
9 users liked this post.
2025-06-15T02:36:00
permalink Post: 11902060
Difficult!? Maybe not. If very late the flaps were tagged stowed, and there was a simultaneous gear up command, with FlapDown command, the overload could have failed a GCS. Then it becomes a switching exercise. (Automatics).
Alarms Warnings Impacted EICAS, ETC. it happened long ago, but we know what happens when an engine driven generator quits ..first it bangs for awhile, then it burns itself up, then ...
Alarms Warnings Impacted EICAS, ETC. it happened long ago, but we know what happens when an engine driven generator quits ..first it bangs for awhile, then it burns itself up, then ...
Thanks for answering the question I hadn't yet asked but wanted to confirm!
I'm still sticking with "Major Electrical Fault" as my most likely cause, and this adds to my suspicions.
As I understand it, the landing gear is raised / retracted by electric motor-driven hydraulic pump (pumps?). This/these would create a significant electrical load.
If the plane's multi-redundant electrical system has a fault which is intermittent (the worst kind of electrical issue to diagnose), and which causes the redundancy controls to go haywire (as there are, of course, electronic controls to detect failures and drive the switching over of primary and backup electrical supplies), then this fault could to triggered by a large load coming on-line. It could even be as simple as a high current cable lug not having been tightened when a part was being replaced at some stage. The relevant bolt might be only finger-tight. Enough to work 99.99% of the time between then and now... But a little bit more oxidation, and particularly, a bit more heat (it was a hot day), and suddenly, a fault.
Having worked in electronics for years, I know that semi-conductors (and lots of other components, especially capacitors [and batteries]) can also degrade instead of failing completely. Electro-static discharges are great for causing computer chips to die, or go meta-stable - meaning they can get all knotted up and cease working correctly - until they are powered off for a while. They can also degrade in a way that means they work normally a low temperatures, but don't above a certain temperature.
Anyway, there MUST be ways that the redundant power supplies can be brought down, simply because, to have a critical bus powered from a number of independent sources, there must be "controls" of some sort. I don't know how it's done in the 787, but that's where I'd be looking.
As there is a lot of discussion already about how the bogies are hanging the wrong way suggesting a started but failed retraction operation, and it's now confirmed that the retraction would normally have taken place at about the point where the flight went "pear shaped", I'm going to suggest that the two things are connected. More than that: I'll suggest that the Gear Up command triggered the fault that caused both engines to shut down in very short succession. Nothing the pilots did wrong, and no way they could have known and prevented it.
It's going to be difficult to prove though.
I'm still sticking with "Major Electrical Fault" as my most likely cause, and this adds to my suspicions.
As I understand it, the landing gear is raised / retracted by electric motor-driven hydraulic pump (pumps?). This/these would create a significant electrical load.
If the plane's multi-redundant electrical system has a fault which is intermittent (the worst kind of electrical issue to diagnose), and which causes the redundancy controls to go haywire (as there are, of course, electronic controls to detect failures and drive the switching over of primary and backup electrical supplies), then this fault could to triggered by a large load coming on-line. It could even be as simple as a high current cable lug not having been tightened when a part was being replaced at some stage. The relevant bolt might be only finger-tight. Enough to work 99.99% of the time between then and now... But a little bit more oxidation, and particularly, a bit more heat (it was a hot day), and suddenly, a fault.
Having worked in electronics for years, I know that semi-conductors (and lots of other components, especially capacitors [and batteries]) can also degrade instead of failing completely. Electro-static discharges are great for causing computer chips to die, or go meta-stable - meaning they can get all knotted up and cease working correctly - until they are powered off for a while. They can also degrade in a way that means they work normally a low temperatures, but don't above a certain temperature.
Anyway, there MUST be ways that the redundant power supplies can be brought down, simply because, to have a critical bus powered from a number of independent sources, there must be "controls" of some sort. I don't know how it's done in the 787, but that's where I'd be looking.
As there is a lot of discussion already about how the bogies are hanging the wrong way suggesting a started but failed retraction operation, and it's now confirmed that the retraction would normally have taken place at about the point where the flight went "pear shaped", I'm going to suggest that the two things are connected. More than that: I'll suggest that the Gear Up command triggered the fault that caused both engines to shut down in very short succession. Nothing the pilots did wrong, and no way they could have known and prevented it.
It's going to be difficult to prove though.
In addition, the 787 has four main generators and I believe the switching is segregated into at least two controllers, on top of the four separate generator control units.
And again, electrical failure should not cause engine failure - consider QF32 where the wiring to the engine was mostly severed and they had to drown it with a fire truck.
Best post until now in my view. We will find out very soon I think. Gear up command triggered the instant lack of fuel to both engines. I'm not sure on how the fuel flow is dependant on the power supplies on the 787 but I genuinely believe you are very very close to what might have happened here.
Yes, thanks, I've seen a few comments to this effect, and I have to accept most of what you say. I understand that they have their own dedicated generators and local independent FADECs (or EECs), but I'm trying to use what I do know to attempt to figure this out. I know that there are Fuel Cutoff switches in the cockpit. Somehow, if switched to Off, these will cut off the fuel to the engines, "no matter what". Of course, even that's not true, as the Qantas A380 engine burst apparently (comment in this thread) showed.
Anyway, the thing I'm looking at is how the fuel cutoff switch function could have been activated in some other way. To me, it seems obvious that there are wires that run between the engine fuel shutoff valves and the cockpit / flight control panel (no doubt with relays etc in between). I don't know where those shutoff valves are located, but logic says they should be located in the fuselage, not out at the engines. I also don't know how those valves operate - are they solenoid valves or electro-mechanically driven? Nor do I know where the power to activate those valves comes from, but using my logic, if those valves close when powered off, such as solenoid valves typically do, then the power cannot exclusively come from the engine-dedicated generators. If it did, you'd never be able to start the engines so they could supply their own power to hold those valves open. So, there must be some power (appropriately) fed from the main aircraft control bus to activate those valves - if the rest of what I'm assuming is correct. Anyway, like I say, I don't know enough about the details at this point, but there are many more ways to activate or deactivate a circuit than by flicking a switch. Killing the relevant power supply, for example. A screwdriver across some contacts (for example), another. Shorting a wire to Chassis, maybe. Just trying to contribute what I can.
You raise another interesting point: "TCMA notwithstanding". Could you elaborate, please? What will happen if the TCMA system, which apparently also has some degree of engine control, loses power? The problem with interlinked circuits and systems is that sometimes, unexpected things can happen when events that were not considered actually happen. If one module, reporting to another, loses power or fails, sometimes it can "tell" the surviving module something that isn't true... My concern is where does the power to the Fuel Cutoff switches come from? Are there relays or solid-state switches (or what?) between the Panel Switches and the valves? If so, is the valve power derived from a different source, and if so, where? Are the valves solenoids, open when power applied, or something else? What is the logic involved, between switch and valve?
Would you mind answering these questions so I can ponder it all further, please? If I'm wrong, I'll happily say so.
Anyway, the thing I'm looking at is how the fuel cutoff switch function could have been activated in some other way. To me, it seems obvious that there are wires that run between the engine fuel shutoff valves and the cockpit / flight control panel (no doubt with relays etc in between). I don't know where those shutoff valves are located, but logic says they should be located in the fuselage, not out at the engines. I also don't know how those valves operate - are they solenoid valves or electro-mechanically driven? Nor do I know where the power to activate those valves comes from, but using my logic, if those valves close when powered off, such as solenoid valves typically do, then the power cannot exclusively come from the engine-dedicated generators. If it did, you'd never be able to start the engines so they could supply their own power to hold those valves open. So, there must be some power (appropriately) fed from the main aircraft control bus to activate those valves - if the rest of what I'm assuming is correct. Anyway, like I say, I don't know enough about the details at this point, but there are many more ways to activate or deactivate a circuit than by flicking a switch. Killing the relevant power supply, for example. A screwdriver across some contacts (for example), another. Shorting a wire to Chassis, maybe. Just trying to contribute what I can.
You raise another interesting point: "TCMA notwithstanding". Could you elaborate, please? What will happen if the TCMA system, which apparently also has some degree of engine control, loses power? The problem with interlinked circuits and systems is that sometimes, unexpected things can happen when events that were not considered actually happen. If one module, reporting to another, loses power or fails, sometimes it can "tell" the surviving module something that isn't true... My concern is where does the power to the Fuel Cutoff switches come from? Are there relays or solid-state switches (or what?) between the Panel Switches and the valves? If so, is the valve power derived from a different source, and if so, where? Are the valves solenoids, open when power applied, or something else? What is the logic involved, between switch and valve?
Would you mind answering these questions so I can ponder it all further, please? If I'm wrong, I'll happily say so.
The valves are located in the spar (hence being called 'spar valves'. The fuel tank is immediately above the engine so it is a very short pipe for suction feeding. Tail mount engines are potentially a different story...
What\x92s the usual time frame for the release of preliminary data and report from the FDR and CVR? Is it around 6 months?
I guess if no directives come from Boeing or the FAA in the next 2 weeks, it can be presumed that a systems failure from which recovery was impossible was unlikely.
I guess if no directives come from Boeing or the FAA in the next 2 weeks, it can be presumed that a systems failure from which recovery was impossible was unlikely.
1 user liked this post.
2025-06-15T04:19:00
permalink Post: 11902094
Okay! Many thanks for that! Of course, it very much complicates the picture, and I'm very puzzled as to how the Fuel Cutoff Switches and Valves operate. Apparently, the TCAM system shuts off an errant engine on the ground at least, but my concern is not with the software but the hardware. It obviously has an Output going into the Fuel Shutoff system. If the TCAM unit loses power, can that output cause the Cutoff process (powered by the engine-dedicated generator) to be activated? I guess that's the $64 billion question, but if MCAS is any example, then: Probably!
TCMA (not TCAM) - Thrust Control Malfunction Accommodation - is a FADEC based system. It's resident in the engine FADEC (aka EEC) - the ONLY inputs from the aircraft that go into the TCMA is air/ground (to enable) and thrust lever position (to determine if the engine is doing what it's being commanded to do. The FADEC has the ability to shutdown the engine via the N2 overspeed protection system - this is separate from the aircraft run/cutoff signal, although it uses the same HPSOV to effect the shutdown. That same system is used by TCMA to shutoff fuel if it determines the engine is 'running away'.
Hint, you might try going back a few pages and reading where all this has been posted previously.
33 users liked this post.
2025-06-15T05:45:00
permalink Post: 11902127
TCMA (not TCAM) - Thrust Control Malfunction Accommodation - is a FADEC based system. It's resident in the engine FADEC (aka EEC) - the ONLY inputs from the aircraft that go into the TCMA is air/ground (to enable) and thrust lever position (to determine if the engine is doing what it's being commanded to do. The FADEC has the ability to shutdown the engine via the N2 overspeed protection system - this is separate from the aircraft run/cutoff signal, although it uses the same HPSOV to effect the shutdown. That same system is used by TCMA to shutoff fuel if it determines the engine is 'running away'.
In software development, we always have the deadlock risk when we disable a function during a system mode shift. In case an erroneous decision was made just prior to this mode shift, it cant be correctedt as the function itself got disabled after mode shift. Normally we have a monitoring function alway active to correct this.