Page Links: First Previous 1 2 Last Index Page
| CloudChasing
2025-06-19T18:05:00 permalink Post: 11906239 |
Fuel valves and TCMA software updates?
Commanded engine cutoff - the aisle stand fuel switch sends electrical signals to the spar valve and the "High Pressure Shutoff Valve" (HPSOV) in the Fuel Metering Unit, commanding them to open/close using aircraft power. The HPSOV is solenoid controlled, and near instantaneous. The solenoid is of a 'locking' type that needs to be powered both ways (for obvious reasons, you wouldn't want a loss of electrical power to shut down the engine). The fire handle does the same thing, via different electrical paths (i.e. separate wiring).
As I've noted previously, a complete loss of aircraft electrical power would not cause the engines to flameout (or even lose meaningful thrust) during takeoff. In the takeoff altitude envelope, 'suction feed' (I think Airbus calls it 'gravity feed') is more than sufficient to supply the engine driven fuel pumps. It's only when you get up to ~20k ft. that suction feed can become an issue - and this event happened near sea level. Not matter what's happening on the aircraft side - pushing the thrust levers to the forward stop will give you (at least) rated takeoff power since the only thing required from the aircraft is fuel and thrust lever position (and the thrust lever position resolver is powered by the FADEC). The TCMA logic is designed and scrubbed so as to be quite robust - flight test data of the engine response to throttle slams is reviewed to insure there is adequate margin between the TCMA limits and the actual engine responses to prevent improper TCMA activation. Again, never say never, but a whole lot would have had to go wrong in the TCMA logic for it to have activated on this flight. Now, if I assume the speculation that the RAT deployed is correct, I keep coming up with two potential scenarios that could explain what's known regarding this accident: 1) TCMA activation shutdown the engines or 2) The fuel cutoff switches were activated. I literally can come up with no other plausible scenarios. In all due respect to all the pilots on this forum, I really hope it wasn't TCMA. It wouldn't be the first time a mandated 'safety system' has caused an accident (it wouldn't just be Boeing and GE - TCMA was forced by the FAA and EASA to prevent a scenario that had never caused a fatal accident) - and there would be a lot embarrassing questions for all involved. But I personally know many of the people who created, validated, and certified the GEnx-1B TCMA logic - and can't imagine what they would be going through if they missed something (coincidentally, one of them was at my birthday party last weekend and inevitably we ended up talking about what we used to do at Boeing (he's also retired)). Worse, similar TCMA logic is on the GEnx-2B (747-8) - which I was personally responsible for certifying - as well as the GE90-115B and the 737 MAX Leap engine - the consequences of that logic causing this accident would be massive. I seem to remember Fred Dibner talking about how railway cars brake by draining the piston not by pressurising it, so trains will stop when supply lines break. The electrical system updates to 787s for ADs and SBs - do any of these include software updates? For example the integer overflow causing GCU failsafe rectified under AD 2018-20-15. If so, who is writing and implementing these software updates? The original engineers? Their apprentices who had years long handovers? Or have they been outsourced and offshored? When these updates occur, does the entire system get tested and ratified or just the bit the bug fix is meant to fix? Because I\x92ve seen new bugs introduced by bug fixes in areas seemingly nothing to do with the original problem. |
| lighttwin2
2025-06-21T15:46:00 permalink Post: 11907858 |
TCMA continues to be one of the few (very unlikely) causes of/contributors to simultaneous shutdown of both engines. So far, though, I don't think we've seen a credible scenario explaining the possibility that TCMA was triggered in this accident. I'm not sure I understand your speculation.
In the scenario you are considering, it's clear that the air/ground state would be wrongly "understood" by the TCMA function. But we don't have, AFAIK , a credible theory for how that might happen. Surely it would have to result from either incorrect signals from the relevant sensors or a failure of the related logic in the FADEC TCMA function, or a combination of those. Indeed, I don't think we yet know exactly which sensor readings that logic depends on or how those readings are fed to the FADEC. Does your speculation include any thoughts about this? Also, the FADEC TCMA function has to "believe" that the engine is operating at high power and not responding to thrust lever operation. In your proposed scenario, is this also a logic failure — in both FADECs? Or false inputs from both TLs? Or are both engines actually operating at higher than commanded power levels? Or do I misunderstand your post?
Q: Would the a/c have enough kinetic energy a 184kts to climb to 100-150ft agl and then reach its final position if the engines had failed at, or just, before rotation? A: Theoretically possible - see calculation here . NB, the a/c actually flew 1.5km from the end of the runway and 2.3km from the likely point of rotation. Q: Doesn't the forward position of the gear mean that power failed after the pilots had selected gear up? A: Inconclusive - had hydraulic power had been lost prior to rotation, the gear could also be in this position - explanation here Q: If the throttle levers were brought to idle during take-off, would the A/C have applied autobrake, reversers and speedbrake? A: Yes, although there is a built in delay before reverser and speedbrake actually deploy - see here . Q: Is the ADS-B data consistent with this scenario? A: Yes, e.g. the Flightradar data shows the aircraft decelerating rapidly (12 knots in 4.2 seconds) from close to rotation. However, it's not clear how accurate this data is. For one, the altitude data is +/- 25 feet, second, while I was under the impression FR would have received airspeed data from the a/c sensors, this post suggests maybe not. Q: Does TCMA activation require the thrust levers to be at idle or does it function when the thrust levels are above idle, but where the actual thrust is above that commanded? A: No, the latter is true (i.e. idle is not required) - confirmed here - there are of course many protections against false activation Q. Did AI171 have the same software version / logic paths as NH-985 A. Unknown. That a/c had Trent 1000s so to some extent the software is different, but we understand the TCMA logic is broadly the same regardless of engine. I have not seen a post clarifying whether the TCMA software has been updated /changed via SB since 2019 to account for this incident. Be grateful if posters could refrain from speculative responses "e.g. I think this is unlikely because I feel x". I am not opining on how likely this sequence of events is, simply trying to summarise whether or not this theory has been ruled in or out. I also recommend this post for a summary to read before posting. . Last edited by lighttwin2; 21st Jun 2025 at 16:13 . |
| FrequentSLF
2025-06-21T22:31:00 permalink Post: 11908118 |
Could the testing of TCMA logic less robust for the portion that works only when is not armed (i.e. not on ground)? I am asking this because from previous posts the ground logic needs only one signal (WoW, radio altimeter) to be true, if so is correct a faulty sensor could have armed the TCMA? That would have removed a safety layer on the system.
|
| AAKEE
2025-06-22T07:08:00 permalink Post: 11908310 |
The gear tilt position is not definitive evidence crew had selected gear up. I've speculated another cause for this non-normal gear tilt is that C hydraulics failed around time of rotation. This would explain the gear remaining in the forward tilt position. There are reasons why the crew may have not selected gear up,
see earlier post.
Therefore we cannot determine wow or air/ground logic from an assumed gear retraction.
Another point pointing to that the aircraft did consider itself being \x94In Air\x94 is the ADS-B data sending Altitude from the first 575 feet at 08:08:46.55 until at least 08:50.87\x85? I would think the sub systems like TCMA would use the same In Air / On Ground logic as the aircraft normally use? I come from an FBW aircraft with a Air/Ground logic that seems rather bullet proof and would guess the 787 wouldn\x92t use a less solid logic which probably, in doubt would consider it being \x94In Air\x94? It would be \x94logic\x94 for the TCMA to use this logic? 5 users liked this post. |
| AAKEE
2025-06-22T11:24:00 permalink Post: 11908460 |
MCAS wasn't "under the radar". The designers thought:
* all MCAS can do is affect the trim * if something goes wrong with the trim, the crew works the "runaway trim" checklist * this cuts MCAS off from the trim * therefore, MCAS failure of any sort is going to be contained Anyway, I think we agree here. I cannot se TCMA logic flying under the Boeing radar in this case? TCMA is a logic nuilt in the EEC/FADEC by the Engine manufacturer I guess? TCMA was motivated by a similar observation: that crews can fail to shut down an engine that no longer follows command input. So the FAA requires aircraft to detect that condition and do it automatically when on the ground, where an engine running at significant thrust is a danger to people and movable objects in the vicinity. The safety consideration here is, if you're on the ground and the thrust reverser is not deployed, you're not going to need the engine that badly. (I think there are actually two more conditions that I don't remember right now.) In safety, you kinda need to weigh the consequences of having this system (with a chance that it might malfunction) vs not having it. Also consider that the benefit of having it, all of the occasions where it correctly shuts an engine off, don't get reported in the press. If a TCMA bug caused this accident, the investigation will find out. But right now, we don't have any evidence that that's what happened. With extremely little data for us to use I think people are grabbing anything as a cause. TCMA as a cause has been interresting, learning. But it should be designed safe. Can we find a data point that takes us away from TCMA or can\x92t we? |