Posts by user "FrequentSLF" [Posts: 6 Total up-votes: 7 Pages: 1]

FrequentSLF
2025-06-15T22:08:00
Post: 11902892
Originally Posted by tdracer
What Alty posted is correct. There have always been single faults in the engine control systems that could cause uncommanded high thrust (UHT) - and such failures were considered in the safety analysis (e.g. FMEA) with the note that it wasn't unsafe as the pilot would shut down the affected engine. Then there was a 737-200 event (JT8D engines) (1999 sounds about right - I'm thinking it was either an Egyptian operator or it happened in Egypt, but don't hold me to that) - the JT8D had an issue with excessive wear of the splined shaft that provided the N2 input into the hydromechanical fuel control. In this event, that splined shaft started slipping - causing the fuel control to think the N2 was below idle, and it kept adding fuel to try to get the N2 back above idle. This caused the engine to accelerate uncontrollably - the pilots pulled back the throttle and performed an RTO, but the engine didn't respond, and they went off the runway at low speed. Everyone evacuated safely, but the aircraft was destroyed by fire.

The FAA pointed to this accident and said we couldn't depend on crew action to shut down a runaway engine, and therefore any single failure that could result in uncontrollable high thrust was not compliant with 25.901(c) (basically says no single fault can result in an unsafe condition). This basically made every commercial airliner flying non-compliant, as every turbine engine control system at that time had single faults that could cause UHT. A consequence of this was everyone was effectively prevented from certifying any further engine control changes since we couldn't show compliance with 25.901(c) (even if the change actually improved safety). The FAA and EASA were forced to issue partial exemptions for all existing aircraft/engine combinations, with the stipulation that they wouldn't certify any new engines that didn't address UHT. A working group was put together at Boeing to come up with some way to comply - and they eventually came up with TCMA, only active on the ground since UHT was only considered unsafe when on the ground - first incorporated on the GE90-115B/777-300ER/200LR.

I've never been 100% comfortable with TCMA (for reasons that should be all too obvious right now), but the regulators gave us few options.
BTW, during the early development of the 747-8, we didn't have a robust way of providing air/ground to the FADECs - which the FAA immediately found objectionable since they never wanted the risk of TCMA being active in-flight. I eventually came up with a design change that would provide a robust air/ground indication (it solved several issues we were confronting at the time), so that concern went away - which made the FAA very happy.
SLF here with an engineering background, a simple question: how is the TCMA software coded? Multiple designers, on different hardware, and redundant? Can a bug in that system be definitively ruled out?

Subjects: FAA  TCMA (Air-ground Logic)  TCMA (All)

2 users liked this post.

FrequentSLF
2025-06-15T23:04:00
Post: 11902942
Originally Posted by EDML
Most of these systems are very simple. They are not running on a fancy OS. Mostly we are talking about a couple of kilobytes of code.

The TCMA doesn't do a lot. That makes it a lot easier to make sure that it works correctly.

That is how most embedded systems work.
I fully understand how that is coded, thanks to tdracer for going into detail on DAL-A certification. However, IMHO, considering the unusual event, a bug in that piece of code should not be discounted.

Subjects: EDML  TCMA (All)

FrequentSLF
2025-06-17T23:16:00
Post: 11904752
Still SLF with some decent engineering background.

That said, my apologies if this is not pertinent to the discussion.

I am puzzled by the TCMA logic as shown in the patent, which of course could have nothing to do with the final design, but clearly, in my understanding, the two FADEC channels are acting in series; therefore, by design, they do not need to concur to shut down the engine. Am I wrong?

Subjects: FADEC  TCMA (All)  TCMA (Logic)

FrequentSLF
2025-06-20T23:56:00
Post: 11907397
SLF here,

With what might be a stupid question, but let me ask:
Why does the ground logic not incorporate the wheels-up command?

Subjects: None

FrequentSLF
2025-06-21T22:31:00
Post: 11908118
Could the testing of the TCMA logic be less robust for the portion that works only when it is not armed (i.e. not on the ground)? I am asking this because, from previous posts, the ground logic needs only one signal (WoW, radio altimeter) to be true; if so, is it correct that a faulty sensor could have armed the TCMA? That would have removed a safety layer from the system.

Subjects: TCMA (All)  TCMA (Logic)

FrequentSLF
2025-06-22T00:08:00
Post: 11908168
Originally Posted by BrogulT
What boggles my mind (if my understanding is correct) is that you have redundant systems that use that redundancy not to make sure that they never accidentally shut down an engine improperly but rather to make sure they never fail to shut down an engine if even one channel thinks it should. AFAIK engines not returning to idle have not killed anyone yet (the engine can typically be just turned off or the fire handle pulled once the crew decides they want the engine to die) but engines shutting off at a bad time are an obvious hazard.
Not on the specific type, but the Trent 1000 description says this (disclaimer: got it from the net):


Subjects: None

5 users liked this post.
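The two posts above (11908118 and 11908168) both turn on the same safety-architecture question: whether redundancy in the air/ground determination and in the two FADEC channels is arranged so that one input is enough to arm or fire the trip (1-out-of-2) or so that both must agree (2-out-of-2). The toy model below is an added illustration for this thread; it is not Boeing, GE or Rolls-Royce code, and it does not describe the real TCMA implementation or the 787's air/ground logic. It encodes the arrangement the posters hypothesise (a single WoW or radio-altimeter "ground" signal arms the function; either channel alone can trip it) next to the opposite 2oo2 arrangement, and works out, by exhaustively enumerating sensor fault combinations, how each choice trades "spurious arming in flight" against "failing to arm on the ground". The sensor names, the fault probabilities and the independence assumption are all constructed for the example.

```python
"""k-out-of-n voting for a hypothetical engine-protection trip.

Constructed example, not aircraft code. It models the logic as described
by forum posters, not any certified design:
  * air/ground declared "ground" when ANY one of two signals says so (1oo2)
  * the trip fires when EITHER FADEC channel demands it (1oo2)
The 2oo2 variants are included only to show the trade-off.
"""
from dataclasses import dataclass, replace
from itertools import product


@dataclass(frozen=True)
class Sensors:
    wow: bool       # weight-on-wheels reports "on ground" (assumed input)
    ra_low: bool    # radio altimeter reports "near ground" (assumed input)


def on_ground_1oo2(s: Sensors) -> bool:
    """Hypothesised arrangement: one 'ground' signal is enough to arm."""
    return s.wow or s.ra_low


def on_ground_2oo2(s: Sensors) -> bool:
    """Contrasting arrangement: both signals must agree before arming."""
    return s.wow and s.ra_low


def trip_1oo2(armed: bool, ch_a_demands: bool, ch_b_demands: bool) -> bool:
    """Trip if armed and EITHER channel demands it (channels 'in series')."""
    return armed and (ch_a_demands or ch_b_demands)


def trip_2oo2(armed: bool, ch_a_demands: bool, ch_b_demands: bool) -> bool:
    """Trip only if armed and BOTH channels demand it."""
    return armed and ch_a_demands and ch_b_demands


def spurious_arm_single_faults(voter) -> list[str]:
    """Which single sensor stuck at 'ground' arms the function while airborne?

    Truth: aircraft in the air, so both sensors should read False."""
    truth = Sensors(wow=False, ra_low=False)
    return [name for name in ("wow", "ra_low")
            if voter(replace(truth, **{name: True}))]


def spurious_arm_probability(voter, p: float) -> float:
    """P(armed while airborne) if each sensor independently sticks at
    'ground' with probability p, by enumerating all fault combinations."""
    total = 0.0
    for wow_stuck, ra_stuck in product((False, True), repeat=2):
        s = Sensors(wow=wow_stuck, ra_low=ra_stuck)
        if voter(s):
            total += (p if wow_stuck else 1 - p) * (p if ra_stuck else 1 - p)
    return total


def missed_ground_probability(voter, q: float) -> float:
    """P(NOT armed while actually on the ground) if each sensor independently
    sticks at 'air' with probability q."""
    total = 0.0
    for wow_stuck, ra_stuck in product((False, True), repeat=2):
        s = Sensors(wow=not wow_stuck, ra_low=not ra_stuck)
        if not voter(s):
            total += (q if wow_stuck else 1 - q) * (q if ra_stuck else 1 - q)
    return total


if __name__ == "__main__":
    p = 1e-3  # constructed per-sensor fault probability, for illustration only
    for name, voter in (("1oo2", on_ground_1oo2), ("2oo2", on_ground_2oo2)):
        print(f"{name}: single faults that arm in flight: "
              f"{spurious_arm_single_faults(voter)}")
        print(f"{name}: P(spurious arm)  = {spurious_arm_probability(voter, p):.3e}")
        print(f"{name}: P(missed ground) = {missed_ground_probability(voter, p):.3e}")
    # Armed plus one channel demanding: the series arrangement trips, 2oo2 does not.
    print("trip_1oo2:", trip_1oo2(True, True, False), " trip_2oo2:", trip_2oo2(True, True, False))
```

The enumeration makes the poster's point explicit: with 1oo2 arming, either sensor stuck at "ground" is by itself sufficient to arm the function in flight (roughly 2p), while failing to arm on the ground needs both sensors to fail (p squared); 2oo2 reverses the two numbers. Which direction the redundancy should favour is a hazard-analysis decision, not a coding one, which is exactly the design question the thread is asking about.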