Posts by user "adfad" [Posts: 14 Total up-votes: 0 Pages: 1]

Page Links: Index Page

adfad
June 15, 2025, 16:31:00 GMT
permalink Post: 11902614
Can anyone help with my theory - I'm an electronics and software engineer, but not a pilot.
My understanding of the infamous and previously fixed 787 issue was that the PCU software would trigger a shutdown of all AC generators (or rather their respective control units) after 248 days of continuous power due to an overflow of a software counter, and that this was fixed in software alone.

Hypothetically , if the PCU software triggered this state during takeoff, what would happen? I know the engines may continue running with engine-driven fuel pumps, but I also understand this doesn't work in all situations and perhaps during rotation with a high fuel demand and fuel tanks not horizontal this could be an issue? What does everyone here think it would look like if all AC generators were shut down, in terms of engine performance - would you expect there to be a reduction in thrust? With the gear stuck down would that be serious enough?

Subjects (links are to this post in the relevant subject page so that this post can be seen in context): Fuel (All)  Generators/Alternators

adfad
June 15, 2025, 17:16:00 GMT
permalink Post: 11902645
Originally Posted by Screamliner
When we see the video, the airplane is still climbing / flying straight and level (not losing altitude), yet we hear what we think might be the RAT, I can't imagine that they had the kinetic energy to do this with no engines. if they had dual engine failure, they would have been a brick, Hot and High, no thrust, flaps 5, zero chance.
How long does it take for an engine to fail in terms of thrust output - what does thrust over time look like for various failure scenarios - e.g., no electrically powered fuel pumps, or contaminated fuel, or thrust set to idle or other issues?

The original mobile video (not the copy from someones phone screen) clearly sounds like a RAT but what does the engine itself sound like - is it idle or reduced in some way?

What is the minimum amount of thrust that would need to be lost to stop climbing and sink back down - it took 30 seconds from leaving the ground to impact from the CCTV and the first 15 was climbing.

I would look carefully at the fact that the PCU still has the technical ability to tell all AC generator control units to turn off via software, as proven in the documented and fixed 248-day software issue.

Subjects (links are to this post in the relevant subject page so that this post can be seen in context): CCTV  Dual Engine Failure  Engine Failure (All)  Fuel (All)  Generators/Alternators  RAT (All)

adfad
June 15, 2025, 21:51:00 GMT
permalink Post: 11902879
Originally Posted by FlyingCroc
Anyone knows more about this reset evert 52 weeks?
It is similar to the 248-day continuous power software bug on the 787. In both cases a counter in the software would overflow after an amount of time that would be proportional to something like the number of seconds, milliseconds or other unit.

The 248 day bug would cause the PCU to trigger ALL 4 AC generator control units to shut down. The fact that this is even possible in software alone is remarkable and should make any engineer concerned. The fact that this was only fixed in software with no redundant physical system (e.g. 1 or more AC units being independent of this system) is concerning. The fact that Boeing had a second software overflow error causing the 51 day directive should really have everyone discussing software as a possible cause for this crash.

People may say that the engine driven pumps / suction feed / gravity feed would continue to power the engines but my understanding is the aircraft attitude and high fuel flow at takeoff could potentially mean less thrust than was needed if all 4 AC generators disconnected and stopped all AC fuel pumps during rotation.

Subjects (links are to this post in the relevant subject page so that this post can be seen in context): Fuel (All)  Generators/Alternators

adfad
June 18, 2025, 18:18:00 GMT
permalink Post: 11905444
Originally Posted by skwdenyer
To my mind, this points to a potential software issue. 787s have already suffered from 2 separate software issues in which the passage of time causes a major and possibly catastrophic failure - the need to reboot systems before 51 days and 248 days have elapsed, due to poorly-written software. Given that history, the probability of there being a third, previously-unidentified but broadly similar in nature software issue seems surprisingly high. They aren't independent variables.

Such a passage-of-time software issue wouldn't show up in most (or possibly any) testing scenarios. It is the sort of issue that robust QA and static code analysis are designed to catch. But in at least two separate systems on the 787 it has not been caught prior to software shipping. Meanwhile, every new technical post demonstrates the myriad ways in which non-software potential causes are mitigated by redundant design.

The odds of two (or more) redundant mechanical systems failing in precisely the same way at precisely the same moment are very, very small. The odds of identical software on two (or more) redundant systems reaching a passage-of-time bug at precisely the same moment are, by contrast, very much higher. True redundancy would require different software on each redundant sub-system.
I am a software engineer, I find it alarming that the power control unit had the ability to command all AC generator control units to effectively shut down - regardless of that being the side-effect of a bug, or an ability of the system to call on in appropriate scenarios.

Integer overflow is a specific type of issue common to many systems, but like you said - it is something that should be found with robust QA and analysis. The ability to shut down all generators at once from a single source seems like a risky design decision to me and I agree with your point about different software on 2 or more redundant sub systems.

My theory is that this was an accepted risk because the engine-driven fuel pumps would be more than enough in most phases of flight to keep the engines running, and you would still have 2 engines for redundancy. The APU would also restore AC power in lets say 30 seconds and you would then have electric fuel pumps as well.

I think there are several factors that could explain how loss of all AC power during takeoff could lead to a crash:
  • The crash happened within 30 seconds - possibly too short for the APU to start, and the RAT doesn't power the AC electric fuel pumps
  • The engine driven fuel pumps even if sufficient in level flight may have struggled during rotation - has Boeing tested an actual takeoff with only EDP feeding the engine while the fuel tanks are rotating and in extreme environments, or, have they only tested this statically?
  • The takeoff was hot and heavy - combined with the landing gear stuck down and reduced thrust from loss of electric fuel pumps could this be enough?
Last edited by adfad; 18th June 2025 at 18:36 .

Subjects (links are to this post in the relevant subject page so that this post can be seen in context): APU  Fuel (All)  Generators/Alternators  RAT (All)

adfad
June 22, 2025, 11:43:00 GMT
permalink Post: 11908475
Originally Posted by Musician
MCAS wasn't "under the radar". The designers thought:
* all MCAS can do is affect the trim
* if something goes wrong with the trim, the crew works the "runaway trim" checklist
* this cuts MCAS off from the trim
* therefore, MCAS failure of any sort is going to be contained

It just turned out that if a crew is stuck, shortly after takeoff, in an aircraft that wants to go down, and they have no clue why because "AOA disagree" indicators are considered a luxury item for Boeing and Boeing also did not want to train crews for this, the crew may not be in the right mindset to prioritise that checklist.
Today, everyone is aware, so it's no longer an issue.
There is a bigger issue here. The general public are more and more concerned that Boeing is cutting corners, and perhaps that is debatable and a complex balance of "how much do you want to pay for a plane ticket" vs "how absurdly close to diminishing returns can statistical probability get when dealing with some of the most complex machines and industries humanity has ever created".

What isn't debatable is that MCAS was part of an initiative to save on regulatory and training costs. It was designed entirely because a regulatory environment existed where you could extend the fuselage to the point where you needed to mount engines in a way that would essentially make this no longer the same type, and probably not something that any aircraft designer would design fresh. Boeing, like everyone else, played within that framework, but Boeing didn't execute properly and the public optics are that they cut corners on top of cutting corners.

I agree that engineering is all about tradeoffs but I don't think anything is "no longer an issue" because we had 2 disasters within a couple of years and learned from mistakes. There is an issue somewhere, maybe a systemic corporate issue, a PR issue, or just a Boeing issue - the Air India crash has the potential to make it far bigger.

Subjects: None
adfad
June 30, 2025, 15:49:00 GMT
permalink Post: 11913716
Originally Posted by silverelise
India's Minister of State for Civil Aviation appears to be confirming in this interview that the cause of the accident was a dual engine failure. Which is, I think, the first vaguely official confirmation of what happened that has been released? He also confirmed that all the data from the recorders has been downloaded and is being processed by the Indian AAIB, no boxes have been sent abroad.
The 30 day deadline for the preliminary report is July 12th.
It's hard to find a full and reliable translation of his statement but here is another snippet from Yahoo (I can't post links sorry)

The minister called the crash a \x93rare case\x94 and, referring to claims by veteran pilots and experts that a dual-engine failure may have led to the crash, said: \x93It has never happened that both engines have shut down together.\x94 \x93Once the report comes, we will be able to ascertain if it was an engine problem or fuel supply issue or why both engines had stopped functioning.
I think it's very important to define "engine failure" vs e.g., reduced thrust - BA38 for example was described as "restricted fuel flow when thrust was demanded" and there was no evidence of engine driven generator power stopping as the engines were still running at idle at impact. It's pretty clear from the available evidence that Air India lost electrical power within 20 seconds of leaving the ground, and based on the landing gear orientation theories that time may be significantly shorter <10 seconds.

Subjects (links are to this post in the relevant subject page so that this post can be seen in context): AAIB (All)  AAIB (India)  Dual Engine Failure  Engine Failure (All)  Fuel (All)  Generators/Alternators  Preliminary Report

adfad
July 01, 2025, 09:32:00 GMT
permalink Post: 11914147
Originally Posted by Someone Somewhere
...Once both engines are running and the four VFSGs are online, I would not expect any load shedding and certainly not of flight loads like fuel pumps...
We know (from the 248-day bug) that full AC power failure is possible and we see from the RAT and landing gear orientation that full AC power failure was likely within ~10 seconds of leaving the ground.

Originally Posted by MaybeItIs
...\xa7 25.903(b) includes the words: "in at least one configuration,"

It doesn't, that I can see, state that that configuration must be used during takeoff, though common sense would say it should.
I also don't see any evidence that engine driven fuel pumps alone must be able to handle this scenario: provide enough fuel flow for takeoff and climb, even while the pitch is rotating, even in a hot environment with significant weight, even while the gear is stuck down.

I know that the engine driven pumps have documented limitations and that the regulations allow for some limitations. I know that at least one of these limitation is high altitude and I _suspect_ that the design intends for this unlikely scenario (engine driven fuel pumps alone with no AC pumps) to guarantee enough fuel flow to get to an airport and land. I also suspect that the APU is expected to solve loss of all AC generators - and as we know, there wasn't enough time for it to start in this scenario.

Subjects (links are to this post in the relevant subject page so that this post can be seen in context): APU  Fuel (All)  Generators/Alternators  RAT (All)  RAT (Deployment)

adfad
July 01, 2025, 12:55:00 GMT
permalink Post: 11914255
Originally Posted by Someone Somewhere
I believe that particular bug is fixed, though it's always possible there's other issues causing a total AC loss.

Not really relevant to what you quoted though, as the scenario in question requires:
  • Engines running on centre tank fuel during takeoff while the aircraft is operating normally
    • We don't know for certain if this is the case. It seems to be but it's not something that happens on other families.
  • Then, total AC failure stopping fuel boost pumps.
  • Engines suction feed from contaminated/full-of-water wing tanks.

The aircraft has two engines and should be able to climb out on one, plus it dropped like a rock . 'Significantly degraded' thrust isn't really compatible with what we saw. You'd also expect the engines to recover pretty quickly as it leveled off.

The limitations at high altitude are primarily air/volatiles degassing out of the fuel. That's not going to be much of an issue at sea level, even if the engines are a bit higher up during rotation.
APU is a nice-to-have; it's on the MEL. If you lose all four generators, it's because of some major carnage in the electrical software/hardware and chances of putting the APU on line even if it's operating are very slim.
As an electronics and software engineer who has read the AD and related materials on the 248 day bug my understanding is that:
  1. The specific 248-day integer overflow was patched, and before the fix was rolled out, the AD required this system to by power cycled every 120 days to prevent overflow
  2. The PCU software still has the functional requirement to be able to command all AC GCUs to enter failsafe mode, this means that while the initial bug was fixed, the ability for this particular software system to command the same result is still a functional part of the architecture - presumably for safety management of the AC system
  3. This was not the first or last "software overflow error" issue in Boeing or even in the 787
Although I'm not qualified in aviation engineering I do believe from an engineering safety standpoint that this architecture creates a rare but entirely feasible scenario in which the aircraft would be without AC power for at least 30 seconds until the APU could restore it.

I do agree that the engine driven pumps should be able to provide fuel alone, the whole point of these pumps is to keep the plane flying within some limitations, high altitude is one of those limitations, I propose that there may be others based on the following:
  • Some more knowledgable people here have proposed or countered vapour lock, fuel contamination and automatic fuel cut-off theories to various degrees - even if these are not enough on their own, loss of electrical during rotation at high temperature could combine with these in a way we have not yet considered
  • Thrust is nonlinear, and while I'm not qualified to say how much loss of fuel flow or loss of thrust would be critical in this scenario we do know that it was a hot takeoff with significant weight and gear remaining down - I know others here have run sims but I don't think anyone has focused on specific thrust / fuel flow params
  • While electric fuel pumps might not be physically necessary for takeoff, my final point is: why are they required for takeoff? Is it not to mitigate cavitation, fuel sloshing at rotation, or any other kind of problem that might be relevant here?

Subjects (links are to this post in the relevant subject page so that this post can be seen in context): APU  Air Worthiness Directives  Centre Tank  Fuel (All)  Fuel Cutoff  Fuel Cutoff Switches  Generators/Alternators  MEL

adfad
July 01, 2025, 13:36:00 GMT
permalink Post: 11914278
Originally Posted by Someone Somewhere
Thrust is non-linear and complex. Reaction engines (i.e. fans, props) are generally most efficient at minimum power - lowest excess velocity. Turbine engines are generally most efficient at high power. These cancel out somewhere in the middle. With two engines at low power, you also don't have the drag from the dead engine or the drag from the rudder countering yaw.

Cavitating destroys pumps rapidly - someone upthread said replacing the fuel pump immediately is SOP if it has suction fed. Expect end of life in tens of hours rather than tens of thousands.

Some aircraft have switched to using jet/venturi pumps powered by returned fuel, like the A220. The electric boost pumps there are mainly for redundancy and are shut down in cruise; only one in each wing tank. Some A320s replace the centre override pumps with venturi transfer pumps.
Thanks for the clarifications

My question is then: what is the minimum loss of thrust in both engines (perhaps more relevantly expressed as a % in fuel flow reduction from expected) that could produce the profile we saw. I appreciate this is a figure with many variables including timing and rate of loss.

The reason I think this question is relevant is because we pretty much have 2 prevailing theories at this point:
  1. A failure, or reduction of thrust (below idle, indicated by loss of AC generators), that somehow impacted both engines, within 20s of rotation (explaining the RAT and gear orientation)
  2. Somehow a loss of all AC power, leading somehow to a reduction of thrust or failure of engines (both engines impacted identically is assumed in this scenario since all AC is lost), and was of course below the minimum thrust needed to fly with gear down at this weight and temperature
I agree that if it is completely infeasible that loss of all AC power could do anything but cause thrust reduction of X where thrust minus X is not enough, even with gear down in high temperature and significant weight at the critical moment of takeoff to cause the profile we saw, then theory 2 is invalidated. I would love to invalidate any of the theories here but I do think some specific calculations, simulations or test data is needed

Subjects (links are to this post in the relevant subject page so that this post can be seen in context): Fuel (All)  Generators/Alternators  RAT (All)

adfad
July 10, 2025, 13:18:00 GMT
permalink Post: 11919024
Originally Posted by Sailvi767
The data recorder has all the information most are questioning. They already know if the fuel control switches were selected to cutoff and they know if this happened before or after the loss of thrust. Perhaps the sequence of events will be more clear tomorrow. I can tell you that from aircraft rotation to loss of thrust was a very short time period. Perhaps 8 seconds. I simply won’t believe in that time period the crew were taking any non deliberate actions that would have shut the motors down.
Assuming the 2nd/3rd-hand 'leaked' info about fuel switches is even accurate the scenarios of what they know (investigators / leaker) would be:
  1. They know exactly 1 fuel switch was cut off, perhaps implying single engine failure + wrong engine shutdown
  2. They know 1 or both switches were cycled off then on, implying a last-ditch attempt at some sort reset at any point up to say ~30s
  3. They know both fuel switches were cut off, and remained off, implying sabotage
Working logically through these:
  1. If the cut off happened within 20s of leaving the ground perhaps it could explain why CCTV shows the initial climb then level for ~10s before descent. It could also explain the RAT and gear trucks perhaps if gear up was delayed? However, in this scenario they must know that the engine failed, that information would be clearly recorded and surely the leak would lead with that info? Also 'switches' is plural implying both, the radio call didn't mention single engine failure and like you say its quite hasty, even within 20s.
  2. Again assuming switches plural, this implies either of the prevailing theories of dual engine failure leading to loss of AC or loss of AC leading to reduced thrust or engine failure. However, it also seems strange to lead with that info rather than the state of the engines or electrical systems in any flight data, unless someone can explain how the data would be impacted?
  3. If this was the case then it would imply that there is no voice or engine data to explain the cut off, nothing was said and the engines were normal up until that point

Subjects (links are to this post in the relevant subject page so that this post can be seen in context): CCTV  Dual Engine Failure  Engine Failure (All)  Engine Shutdown  Fuel (All)  Fuel Cutoff Switches  MAYDAY  RAT (All)

adfad
July 13, 2025, 09:03:00 GMT
permalink Post: 11921160
Originally Posted by CharlieMike
Hadn\x92t even thought of that, but the fact there was no motion of the gear at all when positive rate was achieved makes me believe there is more evidence to suggest action-slip.
I don't see any evidence here. The report doesn't mention any callout of positive rate or request for gear up. The cutoff switches were moved ~3 seconds after wheels leaving the ground which would have been just before or at roughly the same time as the callout. The report did not say "pilot flying requested gear up and then the switches were moved to cutoff". There is also no evidence of a 3rd person and I'm not even sure how that would make a difference.

I see 3 meaningful explanations roughly by order of probability
  1. Switches moved deliberately - evidenced by the specific question "why did you cutoff" and circumstanced by this being the most vulnerable phase of flight to do such a thing
  2. Switches moved accidentally eg., 'action-slip' - is there a precedent for not 1 but both switches of this type in any similar aircraft being cut off during routine operations?
  3. Switches failed mechanically or electronically - the recovered switches were in the position consistent with flight data, timing data is consistent with manual 1-by-1 movement

Subjects (links are to this post in the relevant subject page so that this post can be seen in context): Fuel (All)  Fuel Cutoff Switches  Pilot "Why did you cut off"

adfad
July 13, 2025, 11:13:00 GMT
permalink Post: 11921238
Originally Posted by CharlieMike
I\x92d counter that order of likelihood by suggesting

(1) It\x92s still a likely response to ask that question if your colleague had just switched them off by action-slip.
(2) See my post above. Routine use of these switches is in one \x93event\x94\x85below OAT 40C you start both simultaneously and at shutdown you operate one straight after another.
(3) The interim report seems to leave out all information on verbal exchanges not specifically involved with a response to the abnormal situation.

Not saying you aren\x92t correct, but it doesn\x92t change the order of likelihood in my mind.
(1) is true I give you that, but there is no followup "I didn't.. oh crap", denial is a reasonable response if you truly haven't registered doing something, but it is also a reasonable response if you want to confuse to delay

By precedent in routine operations I mean: is there a single example of these switches being cut off at takeoff like this? There is precedent for the wrong engine being shut down in a fire sure, and there is perhaps precedent for mishaps with the fuel switches in other cockpit layouts - but in the case of this layout, with this model of switch or even this 'style' of switch and placement, I cannot find a single example that would come close to the level of catastrophic action slip of pulling out and setting to cutoff both switches one by one.

I think the preliminary report is supposed to present all factual information - they could have left out "why did you cutoff / I did not" - I could understand if they left out sounds that could be ambiguous, perhaps indicating a struggle but not clear enough to present as fact. However, "positive rate / gear up" followed by 2 switches instead of gear handle is completely factual and relevant information, to exclude it makes no sense.

Subjects (links are to this post in the relevant subject page so that this post can be seen in context): Action slip  Engine Failure (All)  Fuel (All)  Fuel Cutoff Switches  Pilot "Why did you cut off"  Preliminary Report

adfad
July 13, 2025, 13:01:00 GMT
permalink Post: 11921309
Originally Posted by sabenaboy
On the fourth day after the crash, with the evidence we had at that time, I was already pretty sure that the crash was caused by a deliberate action from one of the pilots putting the fuel cut off switches to OFF. ...
I agree there was a general feeling in threads that whatever happened was highly unusual even in the realm of accidents / Swiss-cheese model, and that deliberate action was unthinkable yet entirely possible. Many elaborate theories were proposed, I myself proposed a precedent for software architecture taking all 4 AC generators offline leading to a struggle for engine driven fuel pumps to deliver - a theory I have now obviously abandoned.

The fact is the moment the report was released all other previous theories were all but invalidated and deliberate action became 2nd or 1st most probable.
  • Could a wiring fault / short circuit explain the cutoff without switch movement - someone posted the pinouts above, these are not single-pole switches, the wiring architecture is designed to mitigate such faults. If the switches didn't move but cutoff was acknowledged then they either self-resolved 10s later, or they were then cycled to cutoff and back to run. Improbable but possible, but the report doesn't support this and there is no precedent for it, even for a single switch not resulting in accident
  • Could these be the previously mentioned switches without the locking mechanism - even if that were the case, nobody has presented a report in over half a decade that could align precedent with such a failure - where is the report of even 1 of these switches being bumped accidentally, or due to turbulence, or on landing impact? The probability that the first manifestation of these inadequate switches was this particular 1-by-1 sequence 3 seconds after takeoff, after several years, not at any other phase, it seems quite low
I would argue that your version of how it happened is highly speculative though. I agree that the pilot monitoring is the more likely one to do it but its just as likely that the other pilot saw in their periphery, or heard, or otherwise deduced the switch movement and that the pilot who did it denied it - either because they genuinely believed they had not done it (psychological episode or oops), or because they wanted to delay reaction. It's also possible that the other pilot moved them back to run, perhaps with a slight struggle - again I'm speculating as well.

I do agree that at this point deliberate action is the most likely cause, followed by extreme psychological episode. Casual accidental movement if it was remotely probable would surely have been detected in decades of operation and mitigated with a redesign.

Subjects (links are to this post in the relevant subject page so that this post can be seen in context): Fuel (All)  Fuel Cutoff  Fuel Cutoff Switches  Generators/Alternators

adfad
July 13, 2025, 18:46:00 GMT
permalink Post: 11921525
Originally Posted by hec7or
If the intent was suicide, in order to make the situation unrecoverable, pulling both fire handles would be the next item to ensure the engines would not restart in the time available, therefore if only the run/cutoff switches were moved to cut off, then the situation was not foreseeably unrecoverable and can only questionably be construed as a suicide.
To be honest this is the best argument against suicide I have seen here - but human psychology can appear illogical and half-hearted. I can't imagine it is easy to go through with such a thing and must take every ounce to force it, with self questioning and doubt throughout. Also I was under the impression that pushing a fire handle back in would allow an engine to be restarted if the fuel switch was set / cycled to run - can anyone confirm or deny?

The evidence shows 2-3 extraordinary possibilities all full of caveats, and since nothing else has been issued it seems incredibly unlikely that anyone involved in the investigation is concerned that there is a chance of accidental cutoff from the switch, electronics, software or cockpit design.

Subjects (links are to this post in the relevant subject page so that this post can be seen in context): Fuel (All)  Fuel Cutoff Switches  Relight

Page Links: Index Page