Posts by user "Lead Balloon" [Posts: 36 Total up-votes: 80 Pages: 2]

You make an important point. While it may be perfectly true to say that X and Y will not happen unless conditions A and B exist on aircraft type and model 0-44, that conclusion is based on the assumption that the system/s measuring A and B is/are working properly and controlling X and Y correctly. Lots of really weird things happen when a wire connected to system Z shorts with a wire connected to entirely unrelated system Q, or water or fuel or hyd oil is leaking into a connector with conductors that go to inputs to and outputs from systems B, C, G, H and I and earth.

I'm not saying that any of that happened in the case of this tragedy, other than to say that I have difficulty in believing that even the most discombobulated of crews would not have done as Capt Bloggs has suggested - balls to the wall - after a Hotel Sierra Mike, or that an aircraft fitted with serviceable engines connected to an open supply of flammable motion lotion would not have provided 'lots' of thrust in response.

If there are any electro-mechanical components anywhere in the fuel system or power/thrust control system for any engine, there are many and varied ways in which things can go wrong. The probabilities of those things going wrong? That's a different question that should be answered by the certifiers and their certification processes.

Re the RAT, Icarus, what are your thoughts on this:

FIFY But your original text is likely to be correct in the specific circumstances of this tragedy.

"plausible": Adjective. superficially fair, reasonable, or valuable but often deceptively so .

Just sayin'.

I preface this post by acknowledging all the previous posts in this, and the now-closed thread, about the TCMA, in particular the excellent posts by tdracer. (Ditto the noise analyses by Kraftstoffvondesibel and First Principal.)

I also note that the primary source of the information on which I’m basing my post is the content of Boeing’s patent application which, of course, does not contain any of the actual wiring diagrams or modification details of the TCMA, even assuming it has been implemented. (I understand from the now-closed thread, that there is an unresolved question as to whether a petition for an exemption from the TCMA requirement had been successful.)

The point of my post is to get other’s thoughts on one of the design principles of the TCMA system proposed in the patent application.

The ostensibly simple and elegant concept is described in the schematic of the system at figure 1 of the patent application. A copy of figure 1 is below.

The TCMA is the part of the schematic inside the dotted box numbered 16 , sitting with the EEC (others would call it the FADEC) in the solid box numbered 18 .

The heart of the TCMA comprises two switch relays, numbered 22 and 28 in the schematic, wired in series. Each of those switch relays is controlled by its own, dedicated engine control malfunction software, identified as the blobs numbered 130 . (The patent application identifies component 34 as a dedicated processor and 32 as the diode connected to the switch relays, but that is evidently a mistake. Component 34 is the diode and I can’t find a component number 32 anywhere in the schematics.)

Each relay switch and its controlling software is described as a ‘channel’, one A and one B. Both channels run continuously, monitoring throttle position (36 in the schematic) versus engine data fed from ARINC data bus lines (46 in the schematic) and “dedicated input sensors” not shown in the schematic. Those sensors presumably detect things like weight on wheels and perhaps RADALT.

This design is said to achieve redundancy, because if only one ‘channel’ detects the engine is producing excessive thrust while the throttle is set to idle, that channel will set its switch relay to CUTOFF and that is enough to change the state of the high pressure fuel shut off valve (58 in the schematic). No more motion lotion. In the words of the patent application: Both channels are “always actively monitoring engine function and independently have the capability of shutting down the engine.”

That arrangement wrinkled my crusty old avtech brow. In my mind – and this is why I’m seeking other’s thoughts – the advantage of redundancy arising from the two channels, either or both of which can shut the engine down, is not without risk. If it is possible for one of the channels to have some ‘glitch’ or hardware failure such that it does not detect an actual out of envelope condition justifying immediate shut down, with the other channel detecting the condition and shutting the engine down, it inexorably follows – does it not – that it is possible for one (or both) of the channels to have a ‘glitch’ or hardware failure that results in a shut down when there is no out of envelope condition?

Further, even if there are completely separate, duplicated sensors telling each channel things like the position of the throttle and whether or not there is weight on wheels, there remains the possibility of a combination of sensor failures/disconnects resulting in one channel being ‘convinced’ that an out of envelope condition exists, with a consequential cutoff of fuel to the engine.

I of course acknowledge the valid observations made about the remote probabilities of these kinds of glitches and failures.

I’ve heard rumours that there was much resistance to the mandating of TCMA systems. Having seen many, many strange faults caused by random shorts, open circuits, liquid ingress and other foreign objects, I can understand why there was that resistance. Every time you add something to a system and that added thing has electronic components and software and electrical connections and data inputs, you add risk of that thing malfunctioning or working perfectly but with erroneous inputs. In this case, there are effectively two added new things: two channels, each one of which has the ability to shut off the motion lotion to the engine to which they are strapped.

I make no comment on whether TCMA systems, if fitted, have anything to do with this tragedy.

My profound condolences to the families and friends of those killed or injured. My thoughts also go out to the many people who will be agonising over the potential causes and responsibility for it. And thanks to those who are working out the causes.

...

This is one of the reasons for the valid theoretical points about probabilities not necessarily being valid as a matter of practicality. It's entirely reasonable to argue that, for example, the probabilities of a weight on wheels sensor failing at the same time as a throttle position sensor are vanishingly remote. But try predicting what will happen if a cup of coffee is spilt over a control console, or a piece of loose swarf in a connector shorts unrelated system wires or...

The scenarios are nearly infinite and it is impossible to predict the consequences of all of them.

Back to the subject of the TCMA, in order for the four channels (A and B for engine 1 and A and B for engine 2) to be truly independent, there would have to be, for example, four, separate weight on wheels sensors and two, separate throttle position sensors per throttle. I would be extraordinarily surprised if that's what has been implemented, but will happily stand corrected.

Thanks tdracer and EXDAC for the info re the throttle position resolvers (and I'm aware of what is " well understood by those who specify, design, test, and certify critical aircraft systems", EXDAC). But do the separate resolver outputs involve physically separated wiring through separate looms and connectors and, if there are any earths or power connections involved, are they at separate points and, in the case of power connections, on separate busses? Duplicated, supposedly completely independent, "designed, tested and certified critical aircraft systems" occasionally have a common, single point of failure, not as a consequence of bad theoretical design but, rather, physical implementation.

And what of the weight on wheel sensor inputs to the 4 TCMA channels (2 per engine)? 4 separate sensors with 4 separated sets of wiring in different looms through different connectors?

There is at least one thing common to the TCMA on each engine: The TCMA software.

My recollection may be inaccurate, but wasn't there something in the software for 787 generator control units that would cause generator shut down if the aircraft was 'powered up' for a continuous 248 days? Same software, so all 4 generators would shut down. Is my recollection inaccurate?

What we do know, for sure, is that the TCMAs have the same 'authority' and effect as the fuel cut-off switches. The difference is that the crew control the latter.

I'm not sure I've understood what you're saying, TURIN. Are you saying that the software that controls the TCMA A and B channel relays on one engine is written by someone different from whoever writes the software that controls the TCMA A and B channel relays on the other engine? If so, I've learned something very important today.

Thanks for that, Luc Lion .

What are the probabilities of a crew member spilling a cup of coffee over the centre console, causing a current path between the instrument lighting buss and the trim up command wire from the control column trim thumbswitch and the ARINC connector to the FMS controller, and what will the effects of those current paths be ? (It is for this reason, among others, that 'fluid spill' protection has been built into some instrument consoles.) It's the second bit - the almost completely unpredictable range of effects - that presents the more substantial challenge.

Could someone post an authoritative list of the inputs to the EAFR\x92s? By \x93authoritative\x94, I mean the actual wiring diagram excerpt of the aircraft model and engine configuration (and hopefully mod state...), that labels each input.

I\x92m confidently assuming that it will, for example, include an input monitoring the state of the input controlling the fuel shut off valves in the wing roots. But does it monitor, separately, each and every one of the switches and systems that can change the input controlling the fuel shut off valves? I'm hoping and assuming \x91yes\x92, but hope and assumptions can be unhelpful and misguided.

As we know, there are some things the pilots can do that will result in fuel shut off, but other things will result in fuel shut off without pilot intervention.

Of course, it may be that the recorded data will indicate that there was no change in the state of the inputs controlling the fuel shut off valves during the short flight. Hopefully \x96 yes hopefully \x96 that will be confirmed one way or other, soon. Along with another dozen questions....

I was struck by a comment in this or the earlier thread that I cannot now find. It was to the effect \x96 I\x92m paraphrasing \x96 that fuel shut off results in an almost immediate cessation of thrust. (Please correct my paraphrasing if I\x92m off track.) I was also struck by how quiet the aircraft was in the original video, except for the RAT. (Or was it a motorcycle? Sorry couldn\x92t resist. Just joking\x85)

Someone earlier asked how the aircraft could have kept climbing if both engines stopped very late in the take-off roll or shortly after take-off. My answer: Momentum. A bullet fired into the air loses thrust immediately after \x91take off\x92 but continues climbing for a while. And my understanding of the expert opinion on the available, reliable information is that the aircraft didn\x92t climb very far.

That is correct, at least if the designed and implemented system did what the patent application said it would do.

In the words of the patent application: Both channels are \x93always actively monitoring engine function and independently have the capability of shutting down the engine.\x94

Yet the (a?) patent application for the TCMA addition to the EEC was filed by Boeing.

I guess we'll eventually find out what bits were actually connected to the engines fitted to the accident aircraft, by whom and when.

Boeing's patent application says: My understanding is that "EEC" is Boeing for "FADEC".

But I have to reiterate, and as others have noted, that we don't know what actual TCMA systems, if any, were fitted where and how it was wired into the accident aircraft's engines, or whether the specific state of the TCMA systems, if any, were monitored by the flight recorders.

Though in fairness to Boeing, as I think I and others may have noted before, rumour has it that the FAA mandate for TCMA functionality was met with strong resistance (and I can understand why).

The "requirement" for TCMA was "specified" by the FAA. Manufacturers seeking certification of aeronautical products subject to the requirements then had no choice but to design and instal systems that met the FAA's certification requirements.

I'm pretty sure it's clear what "sources", other than TCMA systems if any, have "authority to issue an engine shutdown command", though it does depend on what you mean by "engine shutdown".

I assume you're asking this because of the odd 'link', identified by an earlier poster, in the schematic in Boeing's TCMA patent application? If so, I wouldn't take that schematic as being accurate. There's at least one (other?) error in the schematic: The numbering of the diode in TCMA compared with the text explanation.

A 'big hands / small maps' schematic in a patent application is not a version-controlled circuit diagram of the implemented system.

Excellent point.

No amount of statistical analysis and logic and design in the abstract will reveal and overcome the effects of, for example, an inadequate radome seal on a fleet of jets that allows water to run down a bulkhead and into plugs and along wiring looms into equipment racks and wherever else water finds itself, when the jet is parked in the rain. That kind of defect causes really weird, unrelated, differing, illogical and intermittent faults, the root cause of which takes a very long time and experienced eyes on the airframe and equipment, triple jointed wrists and arms up to the elbows and twisted backs and necks in the bowels of the airframe, and lots (and lots) of swearing, to work out. BTDT.

Not suggesting you are wrong, but are you sure it's not the other way around? 200' for the 777 and 400' for the 78? Maybe I've misinterpreted earlier posts on the subject.

I'll have to do a search. I thought I'd read a post by someone who tried, in the 78 sim, to engage the system below 400' AGL and 'the computer said no'. But I may well be mistaken. Standby.