Posts by user "Lead Balloon" [Posts: 36 Total up-votes: 80 Pages: 2]

Thanks Capn Bloggs and BuzzBox . My apologies Shep69 . I'm recalibrated re the minimum autopilot engagement height.

The discussion about the fuel control switch design is interesting so far as it goes, but I'm more interested in the physical arrangements under the bracket to which they're fitted and the associated connection and wiring arrangements. No doubt the arrangements are designed so as to reduce to 'vanishingly small' the probabilities of any common shorts to the wrong places, but who knows, for sure, how the switches and connections and wiring were installed in the accident aircraft, or whether there was a piece of swarf or other FOD that ended up somewhere that it should not have been (i.e. anywhere on the aircraft) during manufacture or maintenance.

The TCMAs will not 'activate' - trigger fuel shut off - on a rejected take off if the engines do what they are told when the thrust levers are set to idle. The software monitoring the engine parameters v throttle position is quite sophisticated, for obvious reasons.

Just so I have this clear, are you saying that the implementation of the TCMA functionality involved no new components being added to the pre-existing FADEC? Are you saying, in effect, that the two switch relays described in the TCMA patent application, which relays and their configuration achieves the described two channel redundancy, were already there as components or are mere depictions of what the software does itself?

I am not suggesting you are wrong and, as I've said before, the descriptions and schematic in the patent application are just 'big hands / small maps' concepts. However, if TCMA functionality "is simply a bit of software in the FADECs", merely sending a 1 or 0 or other signal into a point in the pre-existing FADEC that already had control over fuel cutoff (with the TCMA software merely monitoring data busses, rather than direct sensor outputs, to work out thrust lever position and whether or not the aircraft is 'on the ground' for TCMA purposes) I for one would really like to know that for sure and get my head around the implications.

That is interesting. I'll wait for ignorantA's or tdracer's confirmation (though not suggesting you are wrong, Someone Somewhere). The 'bottom line' would nonetheless seem to remain that the TCMA software, at least, is common to both TCMA 'channels' in the FADEC on both of the engines. Not one piece of software, but presumably two (or four?) identical copies of the same software. Of course, given the stringency of the DO-170B and C software development process and the brains that work on this stuff, the probabilities of the TCMA software directing a shutdown when the conditions for it do not exist are extraordinarily remote.

I see the logic. If the N2 exceedance functionality in the FADEC already included authority to shut off fuel in some circumstances, might as well 'piggyback' TMCA output onto that part of the FADEC functionality.

Re air/ground input to the TMCA, I am more interested in whether that is hardwired from the sensors / systems involved or - as appears to be the case just based upon what I've read here - read from ARINC or other format data.

Not quite. It was software for generator controllers. That bug, glitch or whatever it was accurately described to be was not the cause of any engine failures (so far as I am aware).

Very grateful for that background. Your last sentence is an excellent SITREP!

It depends on how often the engine monitoring data is transmitted, and how.

Recall that the various search 'arcs' for MH370 were calculated on the basis of attempts by the engine monitoring systems to transmit data via satellite. The system involved did not transmit the data continuously. Maybe that's changed, but if it has not, I wonder how often any data would have been transmitted after the engines started on the (very) short AI 171 flight.

We have an authoritative answer to that question, but only if the TCMA implemented in the FADEC used on the 787 engines functions in the way described in conceptual documents: If one of the two TCMA 'channels' for an engine 'thinks' the shut off criteria are satisfied but the other channel doesn't, the channel which 'thinks' the shut off criteria are satisfied 'wins' and the fuel shut off valve for that engine is therefore given a shut off signal.

You'll hopefully not be surprised to learn that there are many, many people asking the same questions at the moment.

Yours is very good logic, as far as it goes.

But I'd posit these points (without making any assertions about the probabilities of the scenarios).

There is a flaw in the logic arising from the categorical assertion that the 'aircraft on ground' signal 'would have been correct' during the take off roll: "Regardless of whether the ‘aircraft on ground’ signal was incorrect after rotation it would have been correct during the takeoff roll. IF there was an unrevealed fault in a thrust lever position signal THEN why didn’t TCMA activate during taxiing or the takeoff roll?"

What IF the 'aircraft on ground' signal into the TCMA systems was INcorrect during taxi and the take off roll, thus disabling the TCMA functionality during that phase of the flight, making no difference in any event because the engines were operating normally in accordance with the thrust lever settings? In that case, any error in, for example, the thrust lever signals and engine signals to the TCMAs would not have had any consequence. Maybe the signal reversed and stayed INcorrect after take-off. Of course, that's why we are all craving to find out from what source/s the TCMAs get the 'on ground/in air' input/s and what other systems use the same source/s.

And I reiterate the point that the TCMA is "just software". I haven't seen anyone dispute the suggestion that the thing 'common' to all 4 channels of the TCMA is 4 copies of software.

In the earlier thread there was a statement about the 'obsession' of some with TCMA. I'm not 'obsessed' with it, but confess a prejudice towards trying to find a cause that is not a result of crew error. I therefore also have an attraction towards fuel contamination, but have difficulty in believing that fuel contamination would result in such a 'clean', immediate and simultaneous reduction in thrust from both engines after they'd operated normally during the take off roll.

Further to the (logical in my view) points you make in response to AAKEE's ostensibly logical conclusion that the commencement of undercarriage retraction (if it did commence) is conclusive of the aircraft being 'in the air' for aircraft systems purposes, including TCMA purposes, I make the following points:

First, whilst it may be that every system that monitors and makes decisions about whether the aircraft is 'in the air' does so on the basis of exactly the same sensor inputs, that may not be true and I'd appreciate someone with the expert knowledge on the 78 to confirm or refute the correctness of the assumption, particularly in relation to, for example, FADEC functions compared with undercarriage control functions.

Secondly and probably more importantly, what happens if one of the sensors being used to determine 'in air' versus 'on ground' gives an erroneous 'on ground' signal after - maybe just seconds after - every one of those sensors has given the 'in air' signal?

Reference was made earlier in this thread to a 'latched' in air FADEC condition that resulted in engine shut downs after the aircraft involved landed and was therefore actually on the ground. But what if some sensor failure had resulted in the aircraft systems believing that the aircraft was now on the ground when it was not? I also note that after the 2009 B737-800 incident at Schiphol – actually 1.5 kms away, where the aircraft crashed in a field during approach - the investigation ascertained that a RADALT system suddenly sent an erroneous minus 8’ height reading to the automatic throttle control system.

The conceptual description of the TCMA says that the channels monitor the “position of thrust lever” – no surprises there – “engine power level” – no surprises there – and “several other digital inputs via digital ARINC data buses”.

WoW should of course be one of those "digital inputs" and be a 1 or 0. But I haven't seen any authoritative post about whether the change in state on the 78 requires only one sensor to signal WoW or if, as is more likely, there are (at least) two sensors – one on each MLG leg – both of which have to be ‘weight off’ before a weight off wheels state signal is sent. Maybe a sensor on each leg sends inputs to the ARINC data and the systems reading the data decide what to do about the different WoW signals, as between 00, 01, 10 and 11.

There is authoritative information to the effect that RADALT is also one of the “digital inputs” to the TCMA. The RADALTs presumably output height data (that is of course variable with height) and I don’t know whether the RADALT hardware involved has a separate 1 or 0 output that says that, so far as the RADALT is concerned, the aircraft to which it is strapped is, in fact, ‘in the air’ at ‘some’ height, with the actual height being so high as to be irrelevant to the systems using that input (if that input is in fact generated and there are, in fact, systems that use that 1 or 0).

If we now consider the ‘worst case scenario will be preferred’ concept that apparently applies to the TCMA design so as to achieve redundancy, the number of sensor inputs it’s monitoring to decide whether, and can change its decision whether, the aircraft is on the ground, becomes a very important matter. The TCMA is only supposed to save the day on the ground, if the pilots select idle thrust on a rejected take off but one or both of the engines fail to respond. In the ‘worst case’ (in my view) scenario, both TCMA channels on both engines will be monitoring/affected by every WoW sensor output and every RADALT output data and, if any one of them says ‘on ground’, that will result in both engines’ TCMAs being enabled to command fuel shut off, even though the aircraft may, in fact, be in the air.

Of course it’s true that the TCMA’s being enabled is not, of itself, sufficient to cause fuel cut off to an engine. That depends on a further glitch or failure in the system or software monitoring engine power and thrust lever position, or an actual ‘too much thrust compared to thrust lever position’ situation. But I can’t see why, on balance, it’s prudent to increase the albeit extraordinarily remote risk of an ‘in air’ TCMA commanded engine or double engine shut down due to multiple sensor failure – just one in-air / on-ground sensor and one of either the thrust lever sensor/s or engine power sensor/s – or, in the case of an actual in air ‘too much thrust compared to thrust lever position situation’, why that ‘problem’ could not be handled by the crew shutting down the engine when the crew decides it’s necessary. Once in the air, too much thrust than desired is a much better problem to have than no thrust. The latter is precisely what would happen if all ‘on ground / in air’ sensors were functioning properly and some ‘too much thrust’ condition occurred.

Hopefully the design processes, and particularly the DO-178B/C software design processes done by people with much bigger brains than mine, have built in enough sanity checking and error checking into the system, followed by exhaustive testing, so as to render my thoughts on the subject academic.

Perhaps my earlier post was incredible and that's what prompted the SLF's question.

Let us assume a simple, hypothetical WoW sensor arrangement: One sensor per main landing gear.

One of those sensors is indicating weight OFF wheels and the other is indicating weight ON wheels. What does the TCMA in each engine interpret that ostensibly contradictory sensor information to mean? (Note: For the time being, ignore the question whether the information is erroneous. It may be true.)

Are both engine TCMA's in the 'in the air' state, are both 'on the ground', or is one 'on the ground' and the other 'in the air'?

Given the purpose of the TCMA, I would have thought that any 'doubt' in this case would be resolved in favour of the 'on ground' state for both TCMAs.

But maybe it's the other way around. Maybe any 'doubt' would be resolved in favour of both TCMA's being in the 'in the air' state.

I have difficulty in envisaging any advantage in the TCMA system being designed such that one engine's TCMA is in the 'in the air' state and the engine's 'on the ground'.

Whichever the design and outcome, there will be benefits and there will be risks.

Thanks Chernobyl. I had understood trdracer's posts to be qualified on the basis of experience on types other than the 78, but I may be mistaken and, in any event, the 78 design may be exactly the same as those types.

I will suggest some amendments to your last sentence, though: Based on this, both engines will should get the same air/ground indication from the aircraft and hence will should always make the same TCMA decisions (subject to their individual throttle positions and thrust outputs).

Let's not lose sight of the fact that a 787 has had a TCMA 'commanded' double engine shut down, luckily only during the landing roll. That double shut down was not in circumstances of a rejected take-off where one or both engines delivered 'too much' thrust despite thrust levers being set to idle or 'low power'. Some might say incredible. But it's fact.

The best designed systems and software sometimes do strange, unexpected things even when everything is working 'properly', and even stranger things when some defect or damage occurs.

That's kind of you to say. However, I have to concede that my surmising that any one sensor failure in the 'on the ground' versus 'in the air' logic would result in an 'on the ground' state in both TCMA was waaaay off track.