adfad
2025-06-15T16:31:00 Post: 11902614
Can anyone help with my theory - I'm an electronics and software engineer, but not a pilot.
My understanding of the infamous and previously fixed 787 issue was that the PCU software would trigger a shutdown of all AC generators (or rather their respective control units) after 248 days of continuous power due to an overflow of a software counter, and that this was fixed in software alone. Hypothetically, if the PCU software triggered this state during takeoff, what would happen? I know the engines may continue running with engine-driven fuel pumps, but I also understand this doesn't work in all situations, and perhaps during rotation with a high fuel demand and fuel tanks not horizontal this could be an issue? What does everyone here think it would look like if all AC generators were shut down, in terms of engine performance - would you expect there to be a reduction in thrust? With the gear stuck down, would that be serious enough?
adfad
2025-06-15T17:16:00 Post: 11902645
When we see the video, the airplane is still climbing / flying straight and level (not losing altitude), yet we hear what we think might be the RAT. I can't imagine that they had the kinetic energy to do this with no engines. If they had dual engine failure, they would have been a brick: hot and high, no thrust, flaps 5, zero chance.
The original mobile video (not the copy from someone's phone screen) clearly sounds like a RAT, but what does the engine itself sound like - is it idle or reduced in some way? What is the minimum amount of thrust that would need to be lost to stop climbing and sink back down? It took 30 seconds from leaving the ground to impact from the CCTV, and the first 15 was climbing. I would look carefully at the fact that the PCU still has the technical ability to tell all AC generator control units to turn off via software, as proven in the documented and fixed 248-day software issue.
adfad
2025-06-15T21:51:00 Post: 11902879
It is similar to the 248-day continuous power software bug on the 787. In both cases a counter in the software would overflow after an amount of time that would be proportional to something like the number of seconds, milliseconds or other unit.
The 248-day bug would cause the PCU to trigger ALL 4 AC generator control units to shut down. The fact that this is even possible in software alone is remarkable and should make any engineer concerned. The fact that this was only fixed in software, with no redundant physical system (e.g. 1 or more AC units being independent of this system), is concerning. The fact that Boeing had a second software overflow error causing the 51-day directive should really have everyone discussing software as a possible cause for this crash. People may say that the engine-driven pumps / suction feed / gravity feed would continue to power the engines, but my understanding is that the aircraft attitude and high fuel flow at takeoff could potentially mean less thrust than was needed if all 4 AC generators disconnected and stopped all AC fuel pumps during rotation.
adfad
2025-06-18T18:18:00 Post: 11905444
To my mind, this points to a potential software issue. 787s have already suffered from 2 separate software issues in which the passage of time causes a major and possibly catastrophic failure - the need to reboot systems before 51 days and 248 days have elapsed, due to poorly-written software. Given that history, the probability of there being a third, previously-unidentified but broadly similar in nature software issue seems surprisingly high. They aren't independent variables.
Such a passage-of-time software issue wouldn't show up in most (or possibly any) testing scenarios. It is the sort of issue that robust QA and static code analysis are designed to catch. But in at least two separate systems on the 787 it has not been caught prior to software shipping. Meanwhile, every new technical post demonstrates the myriad ways in which non-software potential causes are mitigated by redundant design. The odds of two (or more) redundant mechanical systems failing in precisely the same way at precisely the same moment are very, very small. The odds of identical software on two (or more) redundant systems reaching a passage-of-time bug at precisely the same moment are, by contrast, very much higher. True redundancy would require different software on each redundant sub-system. Integer overflow is a specific type of issue common to many systems, but like you said - it is something that should be found with robust QA and analysis. The ability to shut down all generators at once from a single source seems like a risky design decision to me, and I agree with your point about different software on 2 or more redundant sub-systems. My theory is that this was an accepted risk because the engine-driven fuel pumps would be more than enough in most phases of flight to keep the engines running, and you would still have 2 engines for redundancy. The APU would also restore AC power in, let's say, 30 seconds and you would then have electric fuel pumps as well. I think there are several factors that could explain how loss of all AC power during takeoff could lead to a crash:
Last edited by adfad; 18th Jun 2025 at 18:36.
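The two posts above describe a counter that overflows after a fixed span of continuous uptime. The following is an added illustration of that failure class, written for this thread and not code from the thread, from Boeing or from any 787 system: a tick counter held in a signed 32-bit integer, the "time went backwards" result that a plain subtraction produces the moment it wraps, and the wrap-safe comparison that avoids it. The 10 ms tick period and the heartbeat-check logic are assumptions chosen for the illustration.

```python
# Added illustration (not the thread's or any aircraft's code): signed 32-bit
# tick-counter wraparound and a wrap-safe elapsed-time check.
TICK_MS = 10              # assumed tick period; 2**31 ticks of 10 ms ~ 248.55 days
INT32_MAX = 2**31 - 1


def to_int32(x):
    """Reinterpret an integer as signed 32-bit (two's-complement wraparound)."""
    x &= 0xFFFFFFFF
    return x - 2**32 if x & 0x80000000 else x


def days_until_wrap(tick_ms=TICK_MS, bits=31):
    """Days of continuous uptime before a signed counter of this width overflows."""
    return 2**bits * tick_ms / 1000 / 86400


def naive_elapsed(now, then):
    """Plain subtraction of two counter samples; wrong as soon as `now` has wrapped."""
    return now - then


def wrap_safe_elapsed(now, then):
    """Difference taken modulo 2**32 and re-signed; correct while the true gap is
    below 2**31 ticks (the idiom behind Linux's time_after() macros)."""
    return to_int32(now - then)


def health_ok(now, then, max_gap_ticks, elapsed=naive_elapsed):
    """Heartbeat check (assumed logic): a peer is healthy only if its last sample
    is recent and not apparently in the future. A negative gap fails the check."""
    gap = elapsed(now, then)
    return 0 <= gap <= max_gap_ticks


def simulate_wrap(ticks_past_wrap=10, max_gap_ticks=100):
    """Sample shortly before the wrap and again just after it; return the verdicts
    of the naive and the wrap-safe check as (naive_ok, safe_ok)."""
    then = INT32_MAX - 5                       # 5 ticks before the counter wraps
    now = to_int32(then + ticks_past_wrap)     # counter has wrapped negative
    naive = health_ok(now, then, max_gap_ticks)
    safe = health_ok(now, then, max_gap_ticks, wrap_safe_elapsed)
    return naive, safe


if __name__ == "__main__":
    print(f"counter wraps after {days_until_wrap():.2f} days at {TICK_MS} ms/tick")
    print("naive check ok, wrap-safe check ok:", simulate_wrap())
```

The naive check rejects every peer at the instant of the wrap even though only 10 ticks have passed, which is the shape of a "nothing is wrong with the hardware, everything trips at once" failure; the wrap-safe version keeps working across the boundary.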
adfad
2025-06-22T11:43:00 Post: 11908475
MCAS wasn't "under the radar". The designers thought:
* all MCAS can do is affect the trim
* if something goes wrong with the trim, the crew works the "runaway trim" checklist
* this cuts MCAS off from the trim
* therefore, MCAS failure of any sort is going to be contained
It just turned out that if a crew is stuck, shortly after takeoff, in an aircraft that wants to go down, and they have no clue why because "AOA disagree" indicators are considered a luxury item for Boeing and Boeing also did not want to train crews for this, the crew may not be in the right mindset to prioritise that checklist. Today, everyone is aware, so it's no longer an issue. What isn't debatable is that MCAS was part of an initiative to save on regulatory and training costs. It was designed entirely because a regulatory environment existed where you could extend the fuselage to the point where you needed to mount engines in a way that would essentially make this no longer the same type, and probably not something that any aircraft designer would design fresh. Boeing, like everyone else, played within that framework, but Boeing didn't execute properly and the public optics are that they cut corners on top of cutting corners.
I agree that engineering is all about tradeoffs, but I don't think anything is "no longer an issue" because we had 2 disasters within a couple of years and learned from mistakes. There is an issue somewhere, maybe a systemic corporate issue, a PR issue, or just a Boeing issue - the Air India crash has the potential to make it far bigger.
adfad
2025-06-30T15:49:00 Post: 11913716
India's Minister of State for Civil Aviation appears to be confirming in this interview that the cause of the accident was a dual engine failure, which is, I think, the first vaguely official confirmation of what happened that has been released? He also confirmed that all the data from the recorders has been downloaded and is being processed by the Indian AAIB; no boxes have been sent abroad.
The 30 day deadline for the preliminary report is July 12th.
The minister called the crash a "rare case" and, referring to claims by veteran pilots and experts that a dual-engine failure may have led to the crash, said: "It has never happened that both engines have shut down together." "Once the report comes, we will be able to ascertain if it was an engine problem or fuel supply issue or why both engines had stopped functioning."
adfad
2025-07-01T09:32:00 Post: 11914147
I know that the engine-driven pumps have documented limitations and that the regulations allow for some limitations. I know that at least one of these limitations is high altitude, and I _suspect_ that the design intends for this unlikely scenario (engine-driven fuel pumps alone with no AC pumps) to guarantee enough fuel flow to get to an airport and land. I also suspect that the APU is expected to solve loss of all AC generators - and as we know, there wasn't enough time for it to start in this scenario.
adfad
2025-07-01T12:55:00 Post: 11914255
I believe that particular bug is fixed, though it's always possible there's other issues causing a total AC loss.
Not really relevant to what you quoted though, as the scenario in question requires:
The aircraft has two engines and should be able to climb out on one, plus it dropped like a rock. 'Significantly degraded' thrust isn't really compatible with what we saw. You'd also expect the engines to recover pretty quickly as it leveled off. The limitations at high altitude are primarily air/volatiles degassing out of the fuel. That's not going to be much of an issue at sea level, even if the engines are a bit higher up during rotation. APU is a nice-to-have; it's on the MEL. If you lose all four generators, it's because of some major carnage in the electrical software/hardware, and the chances of putting the APU on line even if it's operating are very slim.
I do agree that the engine-driven pumps should be able to provide fuel alone; the whole point of these pumps is to keep the plane flying within some limitations, and high altitude is one of those limitations. I propose that there may be others based on the following:
adfad
2025-07-01T13:36:00 Post: 11914278
Thrust is non-linear and complex. Reaction engines (i.e. fans, props) are generally most efficient at minimum power - lowest excess velocity. Turbine engines are generally most efficient at high power. These cancel out somewhere in the middle. With two engines at low power, you also don't have the drag from the dead engine or the drag from the rudder countering yaw.
Cavitating destroys pumps rapidly - someone upthread said replacing the fuel pump immediately is SOP if it has suction fed. Expect end of life in tens of hours rather than tens of thousands. Some aircraft have switched to using jet/venturi pumps powered by returned fuel, like the A220. The electric boost pumps there are mainly for redundancy and are shut down in cruise; only one in each wing tank. Some A320s replace the centre override pumps with venturi transfer pumps.
My question is then: what is the minimum loss of thrust in both engines (perhaps more relevantly expressed as a % fuel flow reduction from expected) that could produce the profile we saw? I appreciate this is a figure with many variables, including timing and rate of loss. The reason I think this question is relevant is because we pretty much have 2 prevailing theories at this point: