2025-06-15T22:59:00
permalink Post: 11902936
TCMA Logic
Retired RAF avionics technician, PPL / Glider pilot with ~ 700 hrs. VC10 double EFATO survivor.
The TCMA system should be inhibited when Air / Ground logic is in Air mode.
I understand that it has Inputs from RadAlt, Weight on Wheels, etc.
This airframe was reported to have had a history of significant electrical / electronic problems, including on the prior inbound flight.
There may have been water ingress in the E&E bay, likely causing corrosion or other damage.
Chafed or damaged wiring / cable insulation within looms is possible. Including the landing gear microswitches.
The landing gear may have been interrupted in the cycle.
BOTH engines are reported to have shut down, so whatever happened is a system common to both engines.
TCMA failing at the moment of gear retraction appears to fit with the available evidence.
The TCMA system should be inhibited when Air / Ground logic is in Air mode.
I understand that it has Inputs from RadAlt, Weight on Wheels, etc.
This airframe was reported to have had a history of significant electrical / electronic problems, including on the prior inbound flight.
There may have been water ingress in the E&E bay, likely causing corrosion or other damage.
Chafed or damaged wiring / cable insulation within looms is possible. Including the landing gear microswitches.
The landing gear may have been interrupted in the cycle.
BOTH engines are reported to have shut down, so whatever happened is a system common to both engines.
TCMA failing at the moment of gear retraction appears to fit with the available evidence.
Last edited by kit344; 15th Jun 2025 at 23:03 . Reason: they there replacement
3 users liked this post.
2025-06-15T23:04:00
permalink Post: 11902942
I fully understand how that is coded, thanks to Tdracer for going in detail of DAL -A certified. However IMHO considering the unusual event, a bug on that piece of code should not be discounted.
2025-06-15T23:16:00
permalink Post: 11902947
What happens if the inputs are erroneous because of a mechanical or maintenance failure?
2025-06-15T23:28:00
permalink Post: 11902958
2025-06-15T23:33:00
permalink Post: 11902963
What tdracer told us was how TCMA works on a 747 and I believe he specifically stated that he wasn't aware how it worked on a 787.
2 users liked this post.
2025-06-15T23:45:00
permalink Post: 11902976
FrequentSLF: I would be more suspicious of the hardware that feeds TCMA. Rad Alt sensing could be in error, but possibly more likely is the hardware that senses weight on wheels. May be position sensing microswitches, or perhaps gear oil pressure, but would assume redundancy, eg: two sensors per leg, then some sort of voting logic on the sensor set to find faulty hardware.and make a decision. Doubt if the software is at fault, but is there a delay between sensor output, and command to shutdown the engines ?. Alluded to doubts upthread, but I think the post was deleted. Question: Should TCMA really have the absolute power to auto shutdown engines at all, without some sort of confirmation ?.
3 users liked this post.
2025-06-15T23:48:00
permalink Post: 11902978
unfamiliar with the 787/GEnx TCMA air/ground logic - on the 747-8 we used 5 sources of air/ground ....
2025-06-15T23:50:00
permalink Post: 11902982
DO-178 unless propulsion systems are for some reason different from displays and flight controls.
I have been on the fringes of dissimilar hardware and dissimilar software designs (MD-11 flight controls). Sometimes it is necessary but there is a huge overhead in both development and test.
Edit to add - Even with dissimilar processor and software the requirements for both will trace up to some common high level system requirements specification. There is a non zero probability that those top level requirement were inadequate or included an error.
I have been on the fringes of dissimilar hardware and dissimilar software designs (MD-11 flight controls). Sometimes it is necessary but there is a huge overhead in both development and test.
Edit to add - Even with dissimilar processor and software the requirements for both will trace up to some common high level system requirements specification. There is a non zero probability that those top level requirement were inadequate or included an error.
I doubt the issue would be in top level requirements - those are pretty simple and straightforward. It's the devil of the details where an error might have occurred.
All that being said, I have a hard time with the idea that TCMA activated without a big thrust lever movement (even if you assume an issue with the air/ground indication) - and there is absolutely no reason why the thrust levers would be moved right after rotation.
tdracer has let us know that TCMA relies on inputs from three radio altimeters and two WoW switches and that at least one from each set must report on-ground.
1 user liked this post.
2025-06-16T00:01:00
permalink Post: 11902989
FrequentSLF: I would be more suspicious of the hardware that feeds TCMA. Rad Alt sensing could be in error, but possibly more likely is the hardware that senses weight on wheels. May be position sensing microswitches, or perhaps gear oil pressure, but would assume redundancy, eg: two sensors per leg, then some sort of voting logic on the sensor set to find faulty hardware.and make a decision. Doubt if the software is at fault, but is there a delay between sensor output, and command to shutdown the enigines ?. Alluded to doubts upthread, but I think the post was deleted. Question: Should TCMA really have the absolute power to auto shutdown engines at all, without some sort of confirmation ?.
The reason we used both Radio Alt and WoW is that both can give erroneous indications on certain conditions - RA can be 'fooled' by dense rain or even really dense fog (the signals bounce off the water and falsely indicate on-ground), the prox sensor system can subject to HIRF/Lightning interference.
TCMA acts quickly, but it does require some persistence, so an input glitch won't activate it (mainly N1, which is measured every 15 milliseconds).
What sort of 'confirmation' do you have in mind - the regulator mandate that resulted in TCMA basically says we can't take credit for the flight crew.
2 users liked this post.
2025-06-16T00:11:00
permalink Post: 11902996
Can any 787 drivers confirm if TCMA would/could activate if a pilot were to inadvertently cause unusual and/or asymmetric thrust with the levers after V1 and through VR (before being airborne)?
I.e. if there was some hesitation in aborting TO, could a few seconds at high power with somewhat asymmetric levers have caused TCMA to activate?
I.e. if there was some hesitation in aborting TO, could a few seconds at high power with somewhat asymmetric levers have caused TCMA to activate?
2025-06-16T00:52:00
permalink Post: 11903015
Petition for Time Limited Exemption to 14 CFR 25.901(c) at Amendment level 25-46 and 25-126 and 25.1309{b) at Amendment Level 25-41 and 25-123 for General Electric GEnx-1 B Thrust Control Malfunction Accommodation - 787 787-8, 787-9
https://downloads.regulations.gov/FA...tachment_1.pdf
Grant of exemption:
https://downloads.regulations.gov/FA...tachment_1.pdf
I'll keep looking to find out what they actually did.
1 user liked this post.
2025-06-16T00:53:00
permalink Post: 11903016
The TCMA patent application is at:
https://patents.google.com/patent/US6704630B2/en
Quite a simple system (not)
What gets your attention is the fact that you can continue to operate the aircraft without an MMEL entry when one of the two systems (per EEC) that shadow each other... is unserviceable.
As it says: "Typically the aircraft is allowed to operate for a limited period of time with just a single operative processing subsystem."
That 787 was not long out of maintenance.
Quite a simple system (not)
What gets your attention is the fact that you can continue to operate the aircraft without an MMEL entry when one of the two systems (per EEC) that shadow each other... is unserviceable.
As it says: "Typically the aircraft is allowed to operate for a limited period of time with just a single operative processing subsystem."
That 787 was not long out of maintenance.
1 user liked this post.
2025-06-16T00:57:00
permalink Post: 11903018
Inlet compliance is tested at max takeoff power settings, at AOA up to stall. This is done by performing something called a 'wind-up turn' - with the engine at max TO power and constant altitude, they keep pulling the turn tighter until the wing stalls and the aircraft falls out of the turn.
If the engine doesn't continue normal operation, that's considered a 'fail'. Plus, the engine reaction of an over-rotated inlet (inlet separation) is a surge - accompanied by big bang and a ball of flame out the back.
Nothing we know about this accident supports an over-rotation and related engine stall/surge.
If the engine doesn't continue normal operation, that's considered a 'fail'. Plus, the engine reaction of an over-rotated inlet (inlet separation) is a surge - accompanied by big bang and a ball of flame out the back.
Nothing we know about this accident supports an over-rotation and related engine stall/surge.
Going back to your prior comments on FADEC and TCMA; these are independent systems to each engine, however the event indicates a symmetric loss, and the potential of water ingress from a failed E/E sealing from the main cabin services remains a single causation that could result in multiple failures at the same moment. The last time I assessed issues in the E/E bay related to unauthorised inflight access to the fwd E/E of a B777 it was sobering how many irreversible conditions could arise. The B744 water inundation cases I was involved in were both on TO, the QF event was during deceleration. We are looking at vectors that come from outside of the normal assumptions in the SSA's, water fits that bill.
6 users liked this post.
2025-06-16T01:07:00
permalink Post: 11903022
Adding to your response TD, there is no time in this event where a high AOA arose prior to the final moments, around 13 seconds after the problem has occurred. AOA, intake separation is not a factor.
Going back to your prior comments on FADEC and TCMA; these are independent systems to each engine, however the event indicates a symmetric loss, and the potential of water ingress from a failed E/E sealing from the main cabin services remains a single causation that could result in multiple failures at the same moment. The last time I assessed issues in the E/E bay related to unauthorised inflight access to the fwd E/E of a B777 it was sobering how many irreversible conditions could arise. The B744 water inundation cases I was involved in were both on TO, the QF event was during deceleration. We are looking at vectors that come from outside of the normal assumptions in the SSA's, water fits that bill.
Going back to your prior comments on FADEC and TCMA; these are independent systems to each engine, however the event indicates a symmetric loss, and the potential of water ingress from a failed E/E sealing from the main cabin services remains a single causation that could result in multiple failures at the same moment. The last time I assessed issues in the E/E bay related to unauthorised inflight access to the fwd E/E of a B777 it was sobering how many irreversible conditions could arise. The B744 water inundation cases I was involved in were both on TO, the QF event was during deceleration. We are looking at vectors that come from outside of the normal assumptions in the SSA's, water fits that bill.
2025-06-16T01:15:00
permalink Post: 11903025
FrequentSLF: I would be more suspicious of the hardware that feeds TCMA. Rad Alt sensing could be in error, but possibly more likely is the hardware that senses weight on wheels. May be position sensing microswitches, or perhaps gear oil pressure, but would assume redundancy, eg: two sensors per leg, then some sort of voting logic on the sensor set to find faulty hardware.and make a decision. Doubt if the software is at fault, but is there a delay between sensor output, and command to shutdown the engines ?. Alluded to doubts upthread, but I think the post was deleted. Question: Should TCMA really have the absolute power to auto shutdown engines at all, without some sort of confirmation ?.
2025-06-16T01:19:00
permalink Post: 11903028
The TCMA patent application is at:
https://patents.google.com/patent/US6704630B2/en
Quite a simple system (not)
What gets your attention is the fact that you can continue to operate the aircraft without an MMEL entry when one of the two systems (per EEC) that shadow each other... is unserviceable.
As it says: "Typically the aircraft is allowed to operate for a limited period of time with just a single operative processing subsystem."
That 787 was not long out of maintenance.
Quite a simple system (not)
What gets your attention is the fact that you can continue to operate the aircraft without an MMEL entry when one of the two systems (per EEC) that shadow each other... is unserviceable.
As it says: "Typically the aircraft is allowed to operate for a limited period of time with just a single operative processing subsystem."
That 787 was not long out of maintenance.
I note that, unless I missed it, the patent application doesn't address a mechanism for determining whether an aircraft is actually on the ground. I suppose that will depend on some of those "several other digital inputs."
Via the execution of software package
130
, each of the processing subsystems
20
a
and
20
b
monitors the position of thrust lever
36
, engine power level,
and several other digital inputs provided from the aircraft
via digital ARINC data buses
46
.
I'm still looking for identification of the relevant inputs for TCMA on the GEnx-1B. If anyone has suggestions, please share.
2025-06-16T01:26:00
permalink Post: 11903031
The TCMA patent application is at:
https://patents.google.com/patent/US6704630B2/en
Quite a simple system (not)
What gets your attention is the fact that you can continue to operate the aircraft without an MMEL entry when one of the two systems (per EEC) that shadow each other... is unserviceable.
As it says: "Typically the aircraft is allowed to operate for a limited period of time with just a single operative processing subsystem."
That 787 was not long out of maintenance.
Quite a simple system (not)
What gets your attention is the fact that you can continue to operate the aircraft without an MMEL entry when one of the two systems (per EEC) that shadow each other... is unserviceable.
As it says: "Typically the aircraft is allowed to operate for a limited period of time with just a single operative processing subsystem."
That 787 was not long out of maintenance.
The MMEL says something like "4 installed, 3 required" (referring to individual FADEC channels) - so you can dispatch for a short time with one FADEC channel failed. Yes, if the remaining channel of faulted FADEC fails, the engine will fail - but the FADEC reliability is such that the probability of losing the remaining channel (and hence the engine) is sufficiently small as to be acceptable.
Both channels can operate TCMA, so a single channel failure has not overall effect on the system.
Again, 'channel out' dispatch is nothing new - it's been the case since 1989 (when the PW4000/767 entered service).
2025-06-16T01:28:00
permalink Post: 11903032
From six paragraphs down in the TCMA patent application.
" The method of the present invention compares the engine's actual power level with a threshold contour defined by the TCMA software package. When the TCMA software package determines that a thrust control malfunction has occurred, based on the engine's power level exceeding the threshold contour, the engine is shut down by the TCMA circuit."
" The method of the present invention compares the engine's actual power level with a threshold contour defined by the TCMA software package. When the TCMA software package determines that a thrust control malfunction has occurred, based on the engine's power level exceeding the threshold contour, the engine is shut down by the TCMA circuit."
2025-06-16T01:33:00
permalink Post: 11903033
From six paragraphs down in the TCMA patent application.
" The method of the present invention compares the engine's actual power level with a threshold contour defined by the TCMA software package. When the TCMA software package determines that a thrust control malfunction has occurred, based on the engine's power level exceeding the threshold contour, the engine is shut down by the TCMA circuit."
" The method of the present invention compares the engine's actual power level with a threshold contour defined by the TCMA software package. When the TCMA software package determines that a thrust control malfunction has occurred, based on the engine's power level exceeding the threshold contour, the engine is shut down by the TCMA circuit."
1 user liked this post.
2025-06-16T05:52:00
permalink Post: 11903115
On the 747, Weight on Wheels (WoW) depends on prox sensors on the landing gear (i.e. gear compression). I don't know how that's done on the 787.
The reason we used both Radio Alt and WoW is that both can give erroneous indications on certain conditions - RA can be 'fooled' by dense rain or even really dense fog (the signals bounce off the water and falsely indicate on-ground), the prox sensor system can subject to HIRF/Lightning interference.
TCMA acts quickly, but it does require some persistence, so an input glitch won't activate it (mainly N1, which is measured every 15 milliseconds).
What sort of 'confirmation' do you have in mind - the regulator mandate that resulted in TCMA basically says we can't take credit for the flight crew.
The reason we used both Radio Alt and WoW is that both can give erroneous indications on certain conditions - RA can be 'fooled' by dense rain or even really dense fog (the signals bounce off the water and falsely indicate on-ground), the prox sensor system can subject to HIRF/Lightning interference.
TCMA acts quickly, but it does require some persistence, so an input glitch won't activate it (mainly N1, which is measured every 15 milliseconds).
What sort of 'confirmation' do you have in mind - the regulator mandate that resulted in TCMA basically says we can't take credit for the flight crew.