Posts by user "FrequentSLF" [Posts: 8 Total up-votes: 0 Pages: 1]

FrequentSLF
June 15, 2025, 22:08:00 GMT
Post: 11902892
Originally Posted by tdracer
What Alty posted is correct. There have always been single faults in the engine control systems that could cause uncommanded high thrust (UHT) - and such failures were considered in the safety analysis (e.g. FMEA) with the note that it wasn't unsafe as the pilot would shut down the affected engine. Then there was a 737-200 event (JT8D engines) (1999 sounds about right - I'm thinking it was either an Egyptian operator or it happened in Egypt, but don't hold me to that) - the JT8D had an issue with excessive wear of the splined shaft that provided the N2 input into the hydromechanical fuel control. In this event, that splined shaft started slipping - causing the fuel control to think the N2 was below idle, and it kept adding fuel to try to get the N2 back above idle. This caused the engine to accelerate uncontrollably - the pilots pulled back the throttle and performed an RTO, but the engine didn't respond, and they went off the runway at low speed. Everyone evacuated safely, but the aircraft was destroyed by fire.

The FAA pointed to this accident and said we couldn't depend on crew action to shut down a runaway engine, and therefore any single failure that could result in uncontrollable high thrust was not compliant with 25.901(c) (basically says no single fault can result in an unsafe condition). This basically made every commercial airliner flying non-compliant, as every turbine engine control system at that time had single faults that could cause UHT. A consequence of this was everyone was effectively prevented from certifying any further engine control changes, since we couldn't show compliance with 25.901(c) (even if the change actually improved safety). The FAA and EASA were forced to issue partial exemptions for all existing aircraft/engine combinations, with the stipulation that they wouldn't certify any new engines that didn't address UHT. A working group was put together at Boeing to come up with some way to comply - and they eventually came up with TCMA, only active on the ground since UHT was only considered unsafe when on the ground - first incorporated on the GE90-115B/777-300ER/200LR.

I've never been 100% comfortable with TCMA (for reasons that should be all too obvious right now), but the regulators gave us few options.
BTW, during the early development of the 747-8, we didn't have a robust way of providing air/ground to the FADECs - which the FAA immediately found objectionable, since they never wanted the risk of TCMA being active in-flight. I eventually came up with a design change that would provide a robust air/ground indication (it solved several issues we were confronting at the time), so that concern went away - which made the FAA very happy.
SLF here with an engineering background, a simple question: how is the TCMA software coded? Multiple designers, on different hardware, and redundant? Can a bug in that system be definitively impossible?

Subjects: FAA

FrequentSLF
June 15, 2025, 23:04:00 GMT
Post: 11902942
Originally Posted by EDML
Most of these systems are very simple. They are not running on a fancy OS. Mostly we are talking about a couple of kilobytes of code.

The TCMA doesn't do a lot. That makes it a lot easier to make sure that it works correctly.

That is how most embedded systems work.

I fully understand how that is coded, thanks to tdracer for going into detail on DAL-A certification. However, IMHO, considering the unusual event, a bug in that piece of code should not be discounted.

Subjects: None

FrequentSLF
June 17, 2025, 23:16:00 GMT
Post: 11904752
Still SLF with some decent engineering background,

That said, my apologies if this is not pertinent to the discussion.

I am puzzled by the TCMA logic as shown in the patent, which of course could have nothing to do with the final design, but clearly, in my understanding, the two FADEC channels are acting in series; therefore by design they do not need to concur to shut down the engine. Am I wrong?

Subjects: FADEC

FrequentSLF
June 20, 2025, 23:56:00 GMT
Post: 11907397
SLF here,

with what might be a stupid question; however, let me ask.
Why does the ground logic not incorporate the wheel-up command?

Subjects: None

FrequentSLF
June 21, 2025, 22:31:00 GMT
Post: 11908118
Could the testing of the TCMA logic be less robust for the portion that works only when it is not armed (i.e. not on the ground)? I am asking this because, from previous posts, the ground logic needs only one signal (WoW, radio altimeter) to be true; if so, is it correct that a faulty sensor could have armed the TCMA? That would have removed a safety layer from the system.

Subjects: None

FrequentSLF
June 22, 2025, 00:08:00 GMT
Post: 11908168
Originally Posted by BrogulT
What boggles my mind (if my understanding is correct) is that you have redundant systems that use that redundancy not to make sure that they never accidentally shut down an engine improperly but rather to make sure they never fail to shut down an engine if even one channel thinks it should. AFAIK engines not returning to idle have not killed anyone yet (the engine can typically be just turned off or the fire handle pulled once the crew decides they want the engine to die) but engines shutting off at a bad time are an obvious hazard.
Not on the specific type, but the Trent 1000 description says this (disclaimer: got it from the net):


Subjects: None

FrequentSLF
July 11, 2025, 22:22:00 GMT
Post: 11919906
I found the careful wording interesting and worthy of consideration... the report says the switches 'transitioned', not 'moved', hence it does not imply a deliberate action.

Subjects: None

FrequentSLF
July 12, 2025, 00:06:00 GMT
Post: 11920026
Originally Posted by lateott
Respectfully, your explanation is invented from your personal experience. It does not cleanly fit the facts as provided in the report, and in fact must assume the report authors intentionally omitted all description of cycling/fiddling. It also assumes spilling and shorting that are not described anywhere.

A more straightforward explanation is that the controls were manually moved to CUTOFF. Then, seconds later they were manually and individually moved to RUN. According to the report, expected effects occurred with each "transition."

"P1 Engine 1 and Engine 2 fuel cutoff switches transitioned from RUN to CUTOFF position"
"Engine 1 fuel cutoff switch transitioned from CUTOFF to RUN"
"Engine 2 fuel cutoff switch also transitions from CUTOFF to RUN"
Exactly, the report said transitioned, not moved. The report just says the recording shows a change of status; it does not imply a deliberate action to change it.

Subjects: Fuel (All), Fuel Cutoff, Fuel Cutoff Switches, RUN/CUTOFF