Posts by user "ignorantAndroid" [Posts: 18 Total up-votes: 72 Pages: 1]

That's why the regulations require separation between high-voltage and low-voltage wiring.

I'm honestly mystified by the obsession with TCMA. The FADECs control almost every aspect of the engines, so there must be numerous ways they could cause a failure or uncommanded shutdown. So, even if we assume that the engines failed due to faults in the FADECs, why assume that TCMA would be involved? Surely it's more logical to simply posit that some unspecified bug in the FADEC software caused the failure. That bug could be related to TCMA, but it could just as easily involve any one of the dozens of other subroutines that likely exist.

Various posters seem to assume that all it takes is an incorrect air/ground signal, and the engines would shut down. But in fact it would also require the FADECs to read the thrust levers as being at or near idle... AND the engines failing to respond to closure of the fuel metering valve. I've read the entirety of both threads, and I haven't seen anyone even attempt to explain how a malfunction within the airframe could cause both of those things to occur on both engines (or even one engine!).

None of the flight controls can be powered by the battery. Both the stabilizer motors and the electrically-actuated spoilers require high-voltage DC which is only available with at least one engine-driven generator or APU generator working. They cannot be powered by the RAT generator either.

The direct wiring you're referring to is intended to provide minimal control in case of a complete failure of all ACEs. It allows for control signals but does not provide power.

TCMA is simply a bit of software in the FADECs, so it has the same separation as everything else. There's no inter-engine interaction when it comes to TCMA.

This is technically possible, but of course the FADECs would have the ability to shut down the engines anyway, even if TCMA didn't exist. If there's a software bug, it could involve TCMA but it could easily be somewhere else.

Like I mentioned above, there's no communication between engines wrt TCMA. Therefore a software bug is plausible, but any kind of transient hardware malfunction can be essentially ruled out.

TCMA can't be disabled electrically. It's just software, and all of the hardware involved serves other functions which are still needed while in the air. For example, the FADECs would command the HPSOV closed in case of N2 overspeed. That would have the exact same effect as TCMA.

There is no static inverter on the 787. All essential flight instruments use 28 VDC, so they can be powered directly from the batteries.

Boeing added such a comparator to the NG circa 2005. The 737 in the Turkish accident was manufactured prior to that.

I don't have any direct knowledge, but yes, that's my understanding based primarily on tdracer's comments. It also just makes sense. I'm pretty confident that all the necessary hardware already existed because of the need for N2 overspeed protection. A failure in one FADEC channel could drive the FMV fully open, leading to an overspeed and uncontained engine failure. For regulatory purposes, it would be unacceptable to have a single point of failure with catastrophic consequences, so it would be necessary to make the inactive FADEC channel capable of cutting off fuel in that case.

The air/ground signal would've already been present as well. It would be needed for switching between ground idle, flight idle, and approach idle. Tdracer has discussed that as well, in past threads.

In general, we can classify computer errors into 3 categories:

1. Errors in system design, specifications, or algorithms. These are cases where the computer does exactly what it was designed to do, but the design itself was flawed or inadequate, or had unforeseen consequences. This would include things like MCAS on the 737 MAX.
2. Software errors. These are cases where the computer does exactly what the code tells it to do, but not what the designers wanted it to do. This results from mistakes in writing the actual code, and this is usually what we'd refer to as a "bug." This includes things like race conditions, loops that fail to terminate, incorrect type conversion, etc.
3. Hardware malfunctions. These are cases where the computer does something different from what the code instructs. It can involve memory corruption or data bus corruption. It can result in a system that appears to work, but returns incorrect outputs, e.g. a calculator saying 2+2=5. It can also cause the computer to execute valid instructions, but at an inappropriate time. It can result from manufacturing defects in components, cosmic rays (SEU or SEE), radiofrequency interference (HIRF), moisture ingress, failed solder joints, and numerous other things.

As I said previously, I think we can rule out category 3 in this case. Hardware malfunctions are essentially random events. They're inherently unpredictable since there's little to no relationship between what the system was supposed to do and what it actually does. It would be astronomically improbable for the same failure to occur on both engines at the same moment.

Categories 1 and 2 would be common to both engines, so they both remain plausible. For category 2, it would be impossible to identify the issue without analyzing the complete source code. Since we don't have access to that code, this is a dead end. It could be the cause, but we won't be able to figure it out. Looking at how the FADECs are designed to work isn't going to be very useful here, since by definition, they'd be doing something they weren't supposed to.

Category 1 is a bit different. There are 2 functions we know of that can close the fuel shutoff valve: TCMA and N2 overspeed protection. We don't have the complete specifications, but the basic logic of both functions has been described. If we assume that one of these was the cause, then the conditions for one of those functions must have been met.

The conditions for TCMA, at least as it's been described in this thread, are:

• Airplane on ground
• Thrust higher than commanded by thrust lever angle (TLA) for some period of time

It's reasonable to assume that the first condition is common to both engines. But that still leaves the second. To my knowledge, there's no plausible scenario that would cause that condition to be met on both engines simultaneously. Each thrust lever has 2 resolvers which are wired directly to the corresponding FADECs. That means the signals don't pass through any common component. An incorrect reading from one resolver could conceivably trigger TCMA, but I don't see any reason why that would happen to both engines simultaneously.

As for the overspeed protection, as far as I know, there's only one condition: N2 greater than a certain value. That reading comes from sensors that are inside each engine and wired directly to the FADECs. I don't see any way this could affect both engines simultaneously either, but it still seems a bit more likely than something involving TCMA since it only requires 2 separate, simultaneous failures rather than 3 or more.

For the sake of accuracy, I should also note that not everything fits neatly into one of my 3 categories. For example, let's say we have a machine that's programmed to shut down if any one of 3 parameters goes above a certain value. If one of those values gets corrupted by a faulty memory chip, the machine could shut down unnecessarily. If we add more parameters to the list, the probability of an inadvertent shutdown increases since there are more critical areas in memory. As another example, consider a case where corruption of the CPU's program counter causes it to inadvertently jump to a particular subroutine. If we add more subroutines that can trigger a shutdown, we make the machine more vulnerable, albeit to a very small degree. Changes like these are sometimes referred to as "increasing the surface area."

Due to those types of scenario, I will admit that the existence of something like TCMA probably makes an engine ever-so-slightly more likely to fail. Whether the benefit is worth the cost could be debated. In any case, I still find it pretty unlikely that any of this will turn out to have been a factor in this accident.

It is a battery, not a supercapacitor. Most commonly nickel-cadmium, because that chemistry has been used in aircraft for decades. They're safe and readily accepted by regulators. Li-ion can be used, but a "special condition" from the regulators is needed, plus the weight savings would be negligible.

The 10-minute limit has nothing to do with the battery capacity. It's to prevent the recorder from continuing to operate after an accident and thus overwriting the audio of interest. There's a timer in the RIPS module. It will stop providing power after exactly 10 minutes, regardless of state of charge.

When it stops receiving power from the aircraft. The RIPS sits between aircraft power and the CVR. It pretty much works just like an uninterruptible power supply that you'd use with your PC.

Boeing specifications say that the RAT will provide hydraulic power within 6 seconds and electrical power within 10 seconds. That would be the worst-case scenario, so it should usually be a bit less than that. Almost everything that gets electrical power from the RAT can also be powered by the main battery. So you don't have to wait for the RAT to spin up before you have instruments.

The engine-driven hydraulic pumps should still work for at least a few seconds after flameout. There's also a small amount of stored energy in the hydraulic systems even after the pumps stop. So even with that 6-second delay for the RAT, there shouldn't be any significant interruption in hydraulic power for the primary flight controls.

I don't think ‘worst case scenario will be preferred’ is the philosophy they use. The way tdracer explained it, there can't be any single failure that leads to uncommanded high thrust on the ground. Presumably, each FADEC channel is treated as a single 'fault isolation area.' That's why the inactive channel has to be able to effect a shutdown in case the active channel causes a runaway.

For the sake of argument, imagine if every air/ground sensor had to say 'ground' to enable TCMA. That should still meet the 'no single failure' requirement since you'd need at least 2 failures to get a runaway engine: the original thrust control problem, and a faulty air/ground sensor.

IIRC, he said that the 747-8 looks at weight on wheels, gear truck tilt, and radio altimeters. At least one of each has to say 'ground' for TCMA to be enabled.

There's actually no discrepancy.

The HPSOV is made up of 2 parts which I'll call the main valve and the pilot valve. The pilot valve is actuated by a solenoid and supplied with fuel from the high-pressure side. The main valve is held shut by a spring. As long as the pilot valve is open and the high-pressure fuel pump is operating, fuel flows through the pilot valve, then pushes and holds the main valve open. The pilot valve and solenoid are 'latching,' i.e. they maintain their position until electrical power is applied. However, a certain pressure still has to be provided by the pump in order to hold the main valve open. Note that when I say 'high-pressure fuel pump,' I'm referring to the one that's mechanically driven by the engine's high-pressure shaft, not any of the electric pumps.



Note: The HPSOV is mistakenly labeled as 'PSOV' in this diagram.

The BTBs are traditional electromechanical contactors, and they're not water-cooled. Solid-state switches are used for some of the smaller loads, but not BTBs.

That wouldn't happen. Loads are preemptively shed before the busses are paralleled.

It appears that photo is showing one of the very first 787 fuselage sections ever built, back when the manufacturing process was still being developed.

Those are two drastically different things. I've encountered software engineers who astound me with their knowledge of programming, but most of them are dumbfounded as soon as they see a soldering iron or oscilloscope.

That's not quite right. First of all, the AOA DISAGREE warning was supposed to be basic (standard). It was linked with the AOA indicator by mistake, and that bug was already being fixed before the first crash.

The AOA indicators themselves weren't considered 'luxury items' either. The only reason they exist is that they're mandatory in Russia. When Russian airlines started buying western-built aircraft in the 90s, both Boeing and Airbus had to add them as options. I've never been able to confirm whether the AOA indicator was even an added-cost option or not. There are several similar options that can be configured by maintenance at no cost.

They stay off until engine start because of load shedding. Once both engines are running, the pumps should be running too.