Posts about: "TCMA (All)" [Posts: 279 Pages: 14]

Repeating myself (again), but ALL the TCMA logic is resident in the FADEC. It takes aircraft inputs of air/ground (again, not familiar with the specifics of the air/ground logic used on the 787/GEnx-1B, so don't ask), thrust lever position, and what the engine is actually doing (mainly N1) to determine if the engine is 'out of control'.
The thrust lever inputs are hardwired (resolvers connected to the thrust levers, powered by the FADEC), other aircraft communications on the 787 are on an ethernet based network. Default mode for the FADEC if aircraft inputs are lost or invalid is "Air", as that is generally considered to be the 'safe' choice.
But even assuming some aircraft fault caused the FADECs to falsely believe the aircraft was 'on-ground', it would still take a pretty major error in the TCMA logic for it to actually trigger and shutdown the engine (especially lacking an associated thrust lever movement to idle). Never say never, but we're getting pretty far out on the probability tree for all these things to happen.

And most of all, the SISO principle (#### in #### out) applies with regard to data from other systems, which are obviously processed in TCMA. Multiple transient faults may not be considered comprehensively e.g. in input processing and filtering.

Don't quote me but I think it closes the firewall shut off valves (wing root) not the high pressure shutoff valves (engine) and it sources it's information from the EEC

Yes. Thank you tdracer. All those postulating TCMA / FADEC faults please read and understand this clear explanation.

Then, ask yourselves which extraordinarily low probability bundle of previously unrevealed faults could spontaneously manifest themselves on both engines simultaneously.

Also ask yourselves why these faults manifested at that critical phase of flight and not during taxiing or take-off roll when some of the TCMA sensors would have been primed.

After reading tdracers informative post this morning, I too was musing: Why is all this attention being given to TCMA.

Of course, when the probable cause is profoundly unclear, our continuing distrust of latent technical systems comes to the fore .... as sadly, the shadow of MCAS still looms large in our imaginations

I was not aware that we have granular ADS-B data from the a/c itself showing airspeed post rotation (rather than speed interpolated from GPS). Apologies if I have missed it. If it does show acceleration after takeoff I tend to agree with you.

In no particular order, here are some more thoughts on TCMA having caught up on the thread:

If you cut the fuel from two big engines at take-off power, there must be some delay before n2 decays below the threshold for generation (below idle n2), the generators disconnect and RAT deploys. GEnx have relatively long spool up/down times as the fan is so large (and would be exposed to 170+kts of ram air). Perhaps someone has a view on how long this would be, but I imagine it could easily be 10s or more between fuel cut off and RAT deployment. On AI171 the RAT appears to be already deployed at the beginning of the bystander video. That starts c. 13s before impact and around 17s after rotation. This does not prove anything except that the supposed shut down must have happened very close to rotation and could have happened just before rotation while the a/c was on the ground.

As a thought experiment, imagine if ANA985 in 2019 had decided to go around. The a/c rotates and is ~50 ft above the runway, suddenly both engines spooling down, very little runway left to land on and no reverse thrust available. I am struck by how similar this scenario is to AI171. This theory would require there to have been unexpected thrust lever movement in the moments before rotation - but plausibly one pilot moving to reject, followed by an overrule or change of heart - or even a simple human error such as the recent BA incident at LGW - could achieve this. This is perhaps more likely that any sensor fault that you would expect to only impact a single engine given the redundancy of systems.

Tdracer writes that a key requirement of TCMA is to identify an engine runaway in the event of an RTO, in order to allow the a/c to stop on the runway. This will have been tested extensively - it is a big leap to imagine a false activation could be triggered. It did happen on ANA985 but through a very unusual set of inputs including application of reverse (albeit this latter point may not be relevant if TCMA logic does not distinguish between the reverser being deployed or not).

Incidentally there is an assumption the TCMA software version in place on the ANA flight had already been patched and fixed on AI171. That probably is the case but I am not sure it is a known fact.

In summary I remain baffled by this tragic accident. I have not yet read anything that explicitly rules out TCMA activation and it remains a possibility due to the vanishingly small number of factors that could shut down two engines at apparently the exact same moment when they have fully redundant systems. Fuel contamination, for example, has typically impacted each engine a few minutes (at least) apart. I am also cautious (as others have pointed out) of a form of confirmation bias about Boeing software systems with four-letter acronyms.

In my mind the cause could equally well be something completely different to anything suggested on this thread, that will only become clear with more evidence. All of the above also incorporates a number of theories, i.e. that there was an engine shutdown - that are not conclusively known.

Thank you to the mods for an excellent job.

Thank you td for a detailed explanation. Buy may I ask again, please:
- only about the condition "N1 too big" (forget for a moment about the other condition, a/c on ground)
- how major would be "pretty major"
- I would assume, and expect, that for such a powerful component (TCMA which has the ability to shut off an engine) there must be a continuous monitoring in place, to be able to, offline, examine how often the "N1 too big" condition was close to be triggered. Like, a distribution/histogram showing normal operation, and the shut-off threshold so many standard deviations away, with a very clean "empty zone". Can you confirm that this is indeed the case? Have you seen such data?

OK, another hour spent going through all the posts since I was on last night...
I won't quote the relevant posts as they go back ~15 pages, but a few more comments:

TAT errors affecting N1 power set: The FADEC logic (BTW, this is pretty much common on all Boeing FADEC) will use aircraft TAT if it agrees with the dedicated engine inlet temp probe - but if they differ it will use the engine probe . The GE inlet temp probe is relatively simple and unheated, so (unlike a heated probe) a blocked or contaminated probe will still read accurately - just with greater 'lag' to actual temperature changes.

TCMA - first off, I have to admit that this does look rather like an improper TCMA activation, but that is very, very unlikely. For those who don't know, TCMA is a system to shutdown a runaway engine that's not responding to the thrust lever - basic logic is an engine at high power with the thrust lever at/near idle, and the engine not decelerating. However, TCMA is only active on the ground (unfamiliar with the 787/GEnx TCMA air/ground logic - on the 747-8 we used 5 sources of air/ground - three Radio Altimeters and two Weight on Wheels - at least one of each had to indicate ground to enable TCMA). TCMA will shutdown the engine via the N2 overspeed protection - nearly instantaneous. For this to be TCMA, it would require at least two major failures - improper air ground indication or logic, and improper TCMA activation logic (completely separate software paths in the FADEC). Like I said, very, very unlikely.

Fuel contamination/filter blockage: The fuel filters have a bypass - if the delta P across the filter becomes excessive, the filter bypasses and provides the contaminated fuel to the engine. Now this contaminated fuel could easy foul up the fuel metering unit causing a flameout, but to happen to two engines at virtually the same time would be tremendous unlikely.

Auto Thrust thrust lever retard - the TO lockup in the logic makes this very unlikely (it won't unlock below (IIRC) 400 ft., and even that requires a separate pilot action such as a mode select change or thrust lever movement). And if it did somehow happen, all the pilot needs to do is push the levers back up.

Engine parameters on the FDR: I don't know what exactly is on the 787 FDR with regards to engine parameters, but rest assured that there is plenty of engine data that gets recorded - most at one/second. Getting the FDR readout from a modern FDR is almost an embarrassment of riches. Assuming the data is intact, we'll soon have a very good idea of what the engines were doing

On item 1, the TCMA issue should have been fixed, it does fit the sort of issue that occurred here. TDRACER can talk to that, and has done in 2019 and again in post 792. As to flap auto retraction, the B787 like all Boeings has a gated flap lever, and the flaps are only able to move independent of the lever by flap load relief. That would not have caused a loss of thrust, and in this case it is evident that the event is a thrust loss not a CL loss.

On item 2, the video shows no asymmetry at any time, so there is only a symmetric failure of the engines possible. Back on a B747 classic, you could chop all 4 engines at the same time with one hand, on a B737, also, not so much on a B777 or B787. I would doubt that anyone used two hands to cut the fuel at screen height. Note, there was a B744 that lost one engine in cruise when a clip board fell off the coaming. Didn't happen twice, and it only happened to one engine.


​​​​​
Neila83 is correct, the gear tilt pre retraction is rear wheels low, and at the commencement of the selection of the retraction cycle (generally), the first thing that happens is the inboard MLG doors start to open below the wheel well and then the bogie is driven to front wheels low. (There is also an option that the inboard gear doors start to open early as a result of WOW sensing to improve the SSL climb limit). [my bad, for the B788 Capt Bloggs informs us the gear door sequence is after the tilt, not before, the B789 has the before tilt, the option for the door open at rotate is separate]

The inboard doors do not appear to have opened in this case, yet, the gear is forward wheels down. This appears to be out of sequence. TD may have better knowledge on the options that exist with the B788, but this is not looking good at this time.

There is enough in the way of anomalies here to end up with regulatory action, and airlines themselves should/will be starting to pore over their systems and decide if they are comfortable with the airworthiness of the aircraft at this moment. A latent single point of failure is not a comfortable place to be. Inhibiting TCMA might be a good interim option, that system could have been negated by having the ATR ARM switches....(Both)... ARM deferred to the before takeoff checks. The EAFR recovery should result in action within the next 24-48 hours. Boeing needs to be getting their tiger teams warmed up, they can ill afford to have a latent system fault discovered that is not immediately responded to, and the general corporate response of "blame the pilots" is not likely to win any future orders.

I think we are about to have some really busy days for the OEM.


Not sure that Neila83 is that far off the mark at all.

Since TCMA keeps getting discussed, let me add a bit more of what I know:

There were two on-ground events - as noted one each Rolls and GE. My understanding is that both events involved rapid thrust lever movements into/out-of reverse selection (i.e. reverse - forward - reverse in rapid succession). This rapid thrust lever movement - combined with the engine trying it's best to react to those movements - tricked the TCMA logic into thinking the engine was accelerating uncontrollably. There are two key points here - on-ground, and rapid thrust lever movements. There is absolutely no reason why the thrust levers should be moving at all during this event, and it doesn't appear to have occurred while the aircraft was still on the ground.

I was in this business long enough to know that you 'never say never', it would take a pretty gross error in the TCMA logic for it to have activated without a large thrust lever movement.

TCMA is on both the Trent 1000 and GEnx-1B 'basic' - it was required for certification. There is no reason for TCMA to be listed in the MMEL as the only 'functional' portion is the via the electronic overspeed protection system (which is required for dispatch - no MEL relief) - the rest is software resident in the FADEC.

Another hour spent sifting through the stuff since last night (my sympathies to the mods ). A few more comments:

"Real time engine monitoring" is typically not 'real time' - it's recorded and sent in periodic bursts. Very unlikely anything was sent from the event aircraft on this flight.

Commanded engine cutoff - the aisle stand fuel switch sends electrical signals to the spar valve and the "High Pressure Shutoff Valve" (HPSOV) in the Fuel Metering Unit, commanding them to open/close using aircraft power. The HPSOV is solenoid controlled, and near instantaneous. The solenoid is of a 'locking' type that needs to be powered both ways (for obvious reasons, you wouldn't want a loss of electrical power to shut down the engine). The fire handle does the same thing, via different electrical paths (i.e. separate wiring).

As I've noted previously, a complete loss of aircraft electrical power would not cause the engines to flameout (or even lose meaningful thrust) during takeoff. In the takeoff altitude envelope, 'suction feed' (I think Airbus calls it 'gravity feed') is more than sufficient to supply the engine driven fuel pumps. It's only when you get up to ~20k ft. that suction feed can become an issue - and this event happened near sea level.

Not matter what's happening on the aircraft side - pushing the thrust levers to the forward stop will give you (at least) rated takeoff power since the only thing required from the aircraft is fuel and thrust lever position (and the thrust lever position resolver is powered by the FADEC).

The TCMA logic is designed and scrubbed so as to be quite robust - flight test data of the engine response to throttle slams is reviewed to insure there is adequate margin between the TCMA limits and the actual engine responses to prevent improper TCMA activation. Again, never say never, but a whole lot would have had to go wrong in the TCMA logic for it to have activated on this flight.

Now, if I assume the speculation that the RAT deployed is correct, I keep coming up with two potential scenarios that could explain what's known regarding this accident:
1) TCMA activation shutdown the engines
or
2) The fuel cutoff switches were activated.
I literally can come up with no other plausible scenarios.

In all due respect to all the pilots on this forum, I really hope it wasn't TCMA. It wouldn't be the first time a mandated 'safety system' has caused an accident (it wouldn't just be Boeing and GE - TCMA was forced by the FAA and EASA to prevent a scenario that had never caused a fatal accident) - and there would be a lot embarrassing questions for all involved. But I personally know many of the people who created, validated, and certified the GEnx-1B TCMA logic - and can't imagine what they would be going through if they missed something (coincidentally, one of them was at my birthday party last weekend and inevitably we ended up talking about what we used to do at Boeing (he's also retired)). Worse, similar TCMA logic is on the GEnx-2B (747-8) - which I was personally responsible for certifying - as well as the GE90-115B and the 737 MAX Leap engine - the consequences of that logic causing this accident would be massive.

The engine driven fuel pump is literally driven off the engine gearbox (driven by a mechanical connection to the N2 shaft) - if the engine's running, the gearbox is turning (baring a major mechanical fault). The engine driven fuel pump is a two-stage pump - a centrifugal pump that draws the fuel into the pump (i.e. 'suction feed'), and a gear pump which provides the high-pressure fuel to the engine and as muscle pressure to drive things like the Stator Vane and Bleed Valve actuators. It takes a minimum of ~300 PSI to run the engine - the HPSOV is spring loaded closed and it takes approximately 300 psi to overcome that spring.
Engine driven fuel pump failures are very rare, but have happened (usually with some 'precursor' symptoms that were ignored or mis-diagnosed by maintenance). It would be unheard of for engine driven fuel pumps to fail on both engines on the same flight.

As I've repeatedly posted, even a 100% aircraft power failure would not explain both engines quitting, at least without several other existing faults. Again, never say never, but you can only combine so many 10-9 events before it becomes ridiculous...

TCMA doesn't know what V1 is - it's active whenever the air/ground logic says the aircraft is on-ground.

The only aircraft inputs to TCMA is air/ground and thrust lever positions - everything else is the FADEC and its sensors (primarily N1). Even if air/ground was compromised somehow, it would take other issues before TCMA could possibly be activated. Possible on one engine (although remote) - but two engines at the same time - almost literally imposssible (unless of course it's software error).
The 'good' news is that even a cursory check of the FDR will indicate if TCMA activated, so we'll soon know.

I hate to disappoint you, but the people (like me) who design, test, and certify aircraft are not idiots. We design for failures. Yes, on rare occasion, something gets missed (e.g. MCAS), but we know that aircraft power systems sometimes fail (or suffer short term interuptions) and we design for that. EVERY VALVE IN THE FUEL SYSTEM MUST BE POWERED TO CHANGE STATE!!!! If electrical power is lost, they just stay where they are. The engine fuel valve must be powered open, and it must be powered closed. Same with the spar valve. The pilot moves a switch, that provides electrical signals to the spar valve and the engine fuel valve to open or close. It's not complicated and has been in use for decades.
TCMA (not TCAM) - Thrust Control Malfunction Accommodation - is a FADEC based system. It's resident in the engine FADEC (aka EEC) - the ONLY inputs from the aircraft that go into the TCMA is air/ground (to enable) and thrust lever position (to determine if the engine is doing what it's being commanded to do. The FADEC has the ability to shutdown the engine via the N2 overspeed protection system - this is separate from the aircraft run/cutoff signal, although it uses the same HPSOV to effect the shutdown. That same system is used by TCMA to shutoff fuel if it determines the engine is 'running away'.

Hint, you might try going back a few pages and reading where all this has been posted previously.

Keeping track of this thread is tiring - again, my sympathies to the mods, as tiring as I find it, it must be far worse for them )
Apologies for a few terse posts last night, but a couple of inane posts (by a usual suspect) really set me off. I've never used the 'ignore' function, but I may need to revisit that.

I posted this previously, but it was about 70 pages ago, so I understand not going back that far, or forgetting that tidbit amongst all the noise.
In short, I'm not familiar with the specific air/ground logic on the 787/GEnx-1B - the logic I posted (3 radio altimeters, 2 Weight on Wheels, at least one of each must indicate 'on-ground) is for the 747-8 (which I'm intimately familiar with). I have a vague recollection of a discussion with my GEnx-1B counterpart 10 or more years ago that suggested that the 787 was not as complex as the 747-8, but I don't recall any details. Basic FADEC logic (BTW, as someone else noted - it's "Full Authority", not "Autonomous") is to default to 'air' if in doubt, as it's considered to be 'safer'.
The only real hardware in the TCMA system is the N2 overspeed shutdown system - which goes through a BITE style functional test on every engine start. Everything else is in software - with the only aircraft inputs being Air/Ground and thrust lever position.

As I've posted previously, the FADEC is powered by a dedicated Permanant Magnet Alternator (PMA) - aircraft power is used only as a backup for starting or if the PMA fails. If the FADEC determines it is running on aircraft power with engine running (i.e. the PMA has failed), it sets a 'No Dispatch" fault message.

What Alty posted is correct. There have always been single faults in the engine control systems that could cause uncommanded high thrust (UHT) - and such failures were considered in the safety analysis (e.g. FMEA) with the note that it wasn't unsafe as the pilot would shutdown the affected engine. Then there was a 737-200 event (JT8D engines) (1999 sounds about right - I'm thinking it was either an Egyptian operator or it happened in Egypt, but don't hold me to that) - the JT8D had an issue with excessive wear of the splined shaft that provided the N2 input into the hydromechanical fuel control. In this event, that splined shaft started slipping - causing the fuel control to think the N2 was below idle, and it keep adding fuel to try to get the N2 back above idle. This caused the engine to accelerate uncontrollably - the pilots pulled back the throttle and performed an RTO, but the engine didn't respond, and they went off the runway at low speed. Everyone evacuated safely, but the aircraft was destroyed by fire.

The FAA pointed to this accident and said we couldn't depend on crew action to shutdown a runway engine, and therefore any single failure that could result in uncontrollable high thrust was not compliant with 25.901(c) (basically says no single fault can result in an unsafe condition). This basically made every commercial airliner flying non-compliant as every turbine engine control system at that time had single faults that could cause UHT . A consequence of this was everyone was effectively prevented from certifying any further engine control changes since we couldn't show compliance with 25.901(c) (even if the change actually improved safety). The FAA and EASA were forced to issue partial exemptions for all existing aircraft/engine combinations, with the stipulation that they wouldn't certify any new engines that didn't address UHT. A working group was put together at Boeing to come up with some way to comply - and they eventually came up with TCMA , only active on the ground since UHT was only considered unsafe when on the ground - first incorporated on the GE90-115B/777-300ER/200LR.

I've never been 100% comfortable with TCMA (for reasons that should be all to obvious right now), but the regulators gave us few options.
BTW, during the early development of the 747-8, we didn't have a robust way of providing air/ground to the FADECs - which the FAA immediately found objectionable since they never wanted the risk of TCMA being active in-flight. I eventually came up with a design change that would provide a robust air/ground indication (it solved several issues we were confronting at the time), so that concern went away - which made the FAA very happy.

I'm not familiar with the details of how the FADEC s/w is coded (it's the responsibility of the engine manufacturer - in this case GE). Boeing provides specific requirements as to the aircraft/engine interface (documented in an "Interface Control Document" - ICD).
My understanding is that GE uses an automated coding system that takes logic diagrams of what we want the s/w to do and turns that into the s/w code - again don't know details (my expertise is engine control and engine/aircraft interface - not s/w development).
The FADEC is a dual channel device (most of the sensors are also duplicated between channels), but both channels use the same s/w (Rolls did a thing many years ago where the channels used different s/w - it was mess and caused all sort of problems - I don't think anyone else has tried that since).

FADEC software is classified as "Design Assurance Level A" (aka DAL 'A') - flight critical - same thing as FBW software. There are specific requirements for the creation, testing, and certification of DAL A software and it's quite exhaustive (those requirements are documented in an FAA/EASA approved s/w requirements document (DO-160 IIRC). Yes, it is possible for something designed and certified to DAL A to have 'bugs' (and yes it has happened), although those 'bugs' have nearly always been traced to requirements errors - not the actual incorporation of those requirements.
It's also worth noting that the GEnx-1B has millions of hours of operation. Nothing is 'impossible' - even a 10-9 event will happen given enough opportunities - but the odds are very low of it happening.
Then again, all of the plausible explanations for dual engine power loss that would explain this accident are of a very low probability.

Yea, I think you're right - DO-178 is aviation software - now that I think about it, DO-160 might be electro-magnetic effects (i.e. HIRF/Lightning). It's not something I need to worry about anymore so it's not something I make a point of remembering

I doubt the issue would be in top level requirements - those are pretty simple and straightforward. It's the devil of the details where an error might have occurred.

All that being said, I have a hard time with the idea that TCMA activated without a big thrust lever movement (even if you assume an issue with the air/ground indication) - and there is absolutely no reason why the thrust levers would be moved right after rotation.

No, what I posted was the logic for the 747-8 - I simply don't know (or at least don't remember) what the TCMA air/ground logic looks like for the 787/GEnx-1B.

On the 747, Weight on Wheels (WoW) depends on prox sensors on the landing gear (i.e. gear compression). I don't know how that's done on the 787.
The reason we used both Radio Alt and WoW is that both can give erroneous indications on certain conditions - RA can be 'fooled' by dense rain or even really dense fog (the signals bounce off the water and falsely indicate on-ground), the prox sensor system can subject to HIRF/Lightning interference.

TCMA acts quickly, but it does require some persistence, so an input glitch won't activate it (mainly N1, which is measured every 15 milliseconds).

What sort of 'confirmation' do you have in mind - the regulator mandate that resulted in TCMA basically says we can't take credit for the flight crew.