Posts by user "tdracer" [Posts: 58 Total up-votes: 525 Pages: 3]

Just sorted through the 20 pages - with an unfortunate amount of rubbish (is it really too much to ask that people read through at least the preceding few pages before posting something that is simply a repeat of something that's been posted a dozen times previously?)
I have to leave in a couple of minutes - I'll post some somewhat informed speculation when I get back. But in the meantime - since there is so much speculation regarding a multiple engine power loss, does anyone know which engine Air India has on the 787s (GE or Rolls?).

OK, I promised some informed speculation when I got back, so here goes:
Disclaimer: never worked the 787, so my detailed knowledge is a bit lacking.

First off, this is perplexing - especially if the RAT was deployed. There is no 'simple' explanation that I can come up with.

GEnx-1B engines have been exceptionally reliable, and the GE carbon composite fan blades are very robust and resistant to bird strike damage (about 15 years after the GE90 entry into service, I remember a GE boast that no GE90 (carbon composite) fan blades had needed to be scrapped due to damage (birdstrike, FOD, etc. - now that was roughly another 15 years ago, so is probably no longer true, but it shows just how robust the carbon composite blades are - far better than the more conventional titanium fan blades).

Not saying it wasn't somehow birdstrike related, just that is very unlikely (then again, all the other explanations I can come up with are also very unlikely ).

Using improper temp when calculating TO performance - after some near misses, Boeing added logic that cross-compares multiple total temp probes - aircraft TAT (I think the 787 uses a single, dual element probe for aircraft TAT, but stand to be corrected) and the temp measured by the engine inlet probes - and puts up a message if they disagree by more than a few degree tolerance - so very, very unlikely.

N1 power setting is somewhat less prone to measurement and power setting errors than EPR (N1 is a much simpler measurement than Rolls EPR) - although even with EPR, problems on both engines at the same time is almost unheard of.

The Auto Thrust (autothrottle) function 'falls asleep' at 60 knots - and doesn't unlock until one of several things happens - 250 knots, a set altitude AGL is exceeded (I'm thinking 3,000 ft. but the memory is fuzzy), thrust levers are moved more than a couple of degrees, or the mode select is changed (memory says that last one is inhibited below 400 ft. AGL). So an Auto Thrust malfunction is also extremely unlikely. Further, a premature thrust lever retard would not explain a RAT deployment.

TO does seem to be very late in the takeoff role - even with a big derate, you still must accelerate fast enough to reach V1 with enough runway to stop - so there is still considerable margin if both engines are operating normally. That makes me wonder if they had the correct TO power setting - but I'm at a loss to explain how they could have fouled that up with all the protections that the 787 puts on that.

If one engine did fail after V1, it's conceivable that they shut down the wrong engine - but since this happened literally seconds after takeoff, it begs the question why they would be in a big hurry to shut down the engine. Short of an engine fire, there is nothing about an engine failure that requires quick action to shut it down - no evidence of an engine fire, and even with an engine fire, you normally have minutes to take action - not seconds.

The one thing I keep thinking about is someone placing both fuel switches to cutoff immediately after TO. Yes, it's happened before (twice - 767s in the early 1980s), but the root causes of that mistake are understood and have been corrected. Hard to explain how it could happen (unless, God forbid, it was intentional).

About the only way that could happen would be some catastrophic software 'hole' in the GEnx-1B FADEC software. By design, the only thing the engine control really needs to adequately the engine is:
1) Fuel
2) Thrust lever position
Everything else is 'goodness'. The FADEC has its own dedicated (gearbox mounted) electrical generator (actually alternator), so even a 100% aircraft power loss wouldn't affect the FADECs ability to control the engine. It was right at takeoff - 'suction feed' would be more than sufficient if the aircraft fuel pumps failed, FMC and other aircraft inputs have only a secondary effect on the thrust setting, it's primarily determined the thrust lever position.
So there is no known way that a fault in the engine/aircraft interface could cause a large loss of thrust.

FDR, that particular failure mode was engineered out of the logic long ago - there is no exception to the A/T takeoff lockout logic unless one of the 'unlock' conditions is true (and overboost isn't one of them).

That post is simply wrong - if all aircraft electrical power is lost, the engines will keep running just fine (suction feed is demonstrated to be sufficient in the entire takeoff envelope, so even losing boost pumps wouldn't cut engine power).

Not 757 - it was a 767. Second time it happened in about 12 months.

Determined to be an ergonomics problem with the switch layout in the flightdeck.

Early 767s (JT9D and CF6-80A) had a supervisory "EEC" (Electronic Engine Control - Boeing still uses "EEC" to identify what most people call the FADEC on modern engines). The procedure if an EEC 'failed' was to switch both EECs off (to prevent excessive throttle stagger - unlike FADEC, the engine could operate just fine with a supervisory EEC failed).

Problem was that the EEC ON/OFF switch was located on the aisle stand - right above the fuel cutoff switches. Turned out 'muscle memory' was when the pilot reached down there, it was usually to turn the fuel ON or OFF - which is what they did. Fortunately realizing what he'd done wrong, the pilot quickly restored the switches to RUN and both engines recovered. And yes, they continued on to their destination (RAT was still deployed since there is no way to retract it in-flight).

Previous event was with JT9D engines (United IIRC). In that case, only one engine recovered (second engine went into an unrecoverable stall), they simply came back around and did a single engine landing.

Realizing the ergonomic issue, the EECs were relocated to the pilot's overhead (retrofit by AD).

To the best of my knowledge, there hasn't been a repeat of an inadvertent dual engine shutdown since the EEC switches were relocated. It's also very difficult to 'accidentally' move the switches as there is a locking detent - the switch must be pulled out slightly before it can be moved to CUTOFF.

Sorry but you are wrong. The RAT was basic on the 767 - every single 767 built has one. The Gimli glider deployed the RAT (1982), and the Delta dual engine shutdown out of LAX deployed the RAT.

OK, another hour spent going through all the posts since I was on last night...
I won't quote the relevant posts as they go back ~15 pages, but a few more comments:

TAT errors affecting N1 power set: The FADEC logic (BTW, this is pretty much common on all Boeing FADEC) will use aircraft TAT if it agrees with the dedicated engine inlet temp probe - but if they differ it will use the engine probe . The GE inlet temp probe is relatively simple and unheated, so (unlike a heated probe) a blocked or contaminated probe will still read accurately - just with greater 'lag' to actual temperature changes.

TCMA - first off, I have to admit that this does look rather like an improper TCMA activation, but that is very, very unlikely. For those who don't know, TCMA is a system to shutdown a runaway engine that's not responding to the thrust lever - basic logic is an engine at high power with the thrust lever at/near idle, and the engine not decelerating. However, TCMA is only active on the ground (unfamiliar with the 787/GEnx TCMA air/ground logic - on the 747-8 we used 5 sources of air/ground - three Radio Altimeters and two Weight on Wheels - at least one of each had to indicate ground to enable TCMA). TCMA will shutdown the engine via the N2 overspeed protection - nearly instantaneous. For this to be TCMA, it would require at least two major failures - improper air ground indication or logic, and improper TCMA activation logic (completely separate software paths in the FADEC). Like I said, very, very unlikely.

Fuel contamination/filter blockage: The fuel filters have a bypass - if the delta P across the filter becomes excessive, the filter bypasses and provides the contaminated fuel to the engine. Now this contaminated fuel could easy foul up the fuel metering unit causing a flameout, but to happen to two engines at virtually the same time would be tremendous unlikely.

Auto Thrust thrust lever retard - the TO lockup in the logic makes this very unlikely (it won't unlock below (IIRC) 400 ft., and even that requires a separate pilot action such as a mode select change or thrust lever movement). And if it did somehow happen, all the pilot needs to do is push the levers back up.

Engine parameters on the FDR: I don't know what exactly is on the 787 FDR with regards to engine parameters, but rest assured that there is plenty of engine data that gets recorded - most at one/second. Getting the FDR readout from a modern FDR is almost an embarrassment of riches. Assuming the data is intact, we'll soon have a very good idea of what the engines were doing

Since TCMA keeps getting discussed, let me add a bit more of what I know:

There were two on-ground events - as noted one each Rolls and GE. My understanding is that both events involved rapid thrust lever movements into/out-of reverse selection (i.e. reverse - forward - reverse in rapid succession). This rapid thrust lever movement - combined with the engine trying it's best to react to those movements - tricked the TCMA logic into thinking the engine was accelerating uncontrollably. There are two key points here - on-ground, and rapid thrust lever movements. There is absolutely no reason why the thrust levers should be moving at all during this event, and it doesn't appear to have occurred while the aircraft was still on the ground.

I was in this business long enough to know that you 'never say never', it would take a pretty gross error in the TCMA logic for it to have activated without a large thrust lever movement.

TCMA is on both the Trent 1000 and GEnx-1B 'basic' - it was required for certification. There is no reason for TCMA to be listed in the MMEL as the only 'functional' portion is the via the electronic overspeed protection system (which is required for dispatch - no MEL relief) - the rest is software resident in the FADEC.

Another hour spent sifting through the stuff since last night (my sympathies to the mods ). A few more comments:

"Real time engine monitoring" is typically not 'real time' - it's recorded and sent in periodic bursts. Very unlikely anything was sent from the event aircraft on this flight.

Commanded engine cutoff - the aisle stand fuel switch sends electrical signals to the spar valve and the "High Pressure Shutoff Valve" (HPSOV) in the Fuel Metering Unit, commanding them to open/close using aircraft power. The HPSOV is solenoid controlled, and near instantaneous. The solenoid is of a 'locking' type that needs to be powered both ways (for obvious reasons, you wouldn't want a loss of electrical power to shut down the engine). The fire handle does the same thing, via different electrical paths (i.e. separate wiring).

As I've noted previously, a complete loss of aircraft electrical power would not cause the engines to flameout (or even lose meaningful thrust) during takeoff. In the takeoff altitude envelope, 'suction feed' (I think Airbus calls it 'gravity feed') is more than sufficient to supply the engine driven fuel pumps. It's only when you get up to ~20k ft. that suction feed can become an issue - and this event happened near sea level.

Not matter what's happening on the aircraft side - pushing the thrust levers to the forward stop will give you (at least) rated takeoff power since the only thing required from the aircraft is fuel and thrust lever position (and the thrust lever position resolver is powered by the FADEC).

The TCMA logic is designed and scrubbed so as to be quite robust - flight test data of the engine response to throttle slams is reviewed to insure there is adequate margin between the TCMA limits and the actual engine responses to prevent improper TCMA activation. Again, never say never, but a whole lot would have had to go wrong in the TCMA logic for it to have activated on this flight.

Now, if I assume the speculation that the RAT deployed is correct, I keep coming up with two potential scenarios that could explain what's known regarding this accident:
1) TCMA activation shutdown the engines
or
2) The fuel cutoff switches were activated.
I literally can come up with no other plausible scenarios.

In all due respect to all the pilots on this forum, I really hope it wasn't TCMA. It wouldn't be the first time a mandated 'safety system' has caused an accident (it wouldn't just be Boeing and GE - TCMA was forced by the FAA and EASA to prevent a scenario that had never caused a fatal accident) - and there would be a lot embarrassing questions for all involved. But I personally know many of the people who created, validated, and certified the GEnx-1B TCMA logic - and can't imagine what they would be going through if they missed something (coincidentally, one of them was at my birthday party last weekend and inevitably we ended up talking about what we used to do at Boeing (he's also retired)). Worse, similar TCMA logic is on the GEnx-2B (747-8) - which I was personally responsible for certifying - as well as the GE90-115B and the 737 MAX Leap engine - the consequences of that logic causing this accident would be massive.

The engine driven fuel pump is literally driven off the engine gearbox (driven by a mechanical connection to the N2 shaft) - if the engine's running, the gearbox is turning (baring a major mechanical fault). The engine driven fuel pump is a two-stage pump - a centrifugal pump that draws the fuel into the pump (i.e. 'suction feed'), and a gear pump which provides the high-pressure fuel to the engine and as muscle pressure to drive things like the Stator Vane and Bleed Valve actuators. It takes a minimum of ~300 PSI to run the engine - the HPSOV is spring loaded closed and it takes approximately 300 psi to overcome that spring.
Engine driven fuel pump failures are very rare, but have happened (usually with some 'precursor' symptoms that were ignored or mis-diagnosed by maintenance). It would be unheard of for engine driven fuel pumps to fail on both engines on the same flight.

As I've repeatedly posted, even a 100% aircraft power failure would not explain both engines quitting, at least without several other existing faults. Again, never say never, but you can only combine so many 10-9 events before it becomes ridiculous...

TCMA doesn't know what V1 is - it's active whenever the air/ground logic says the aircraft is on-ground.

The only aircraft inputs to TCMA is air/ground and thrust lever positions - everything else is the FADEC and its sensors (primarily N1). Even if air/ground was compromised somehow, it would take other issues before TCMA could possibly be activated. Possible on one engine (although remote) - but two engines at the same time - almost literally imposssible (unless of course it's software error).
The 'good' news is that even a cursory check of the FDR will indicate if TCMA activated, so we'll soon know.

A flight test (at least one - it's often duplicated) is performed as a basic part of aircraft/engine certification. One engine with all boost pumps off and on 'suction' feed - the other engine with normal aircraft boost pump operation (for what should be obvious reasons). Start, taxi, takeoff, and climb in that configuration until the test engine quits due to fuel starvation as a result of the engine fuel pump cavitation (done using "unweathered" fuel - once fuel has been at altitude for a period of time (hours or more - i.e. 'weathered'), most of the dissolved gases in the fuel have vented off, and suction feed works far better - often up to cruise altitudes).
I don't think this test is ever done during normal operations or maintenance (at least not on purpose) as it is very abusive to the engine driven fuel pump - the sort of cavitation that this causes rapidly erodes the pumping surfaces (it's SOP to replace the engine driven fuel pump after such a test).

I hate to disappoint you, but the people (like me) who design, test, and certify aircraft are not idiots. We design for failures. Yes, on rare occasion, something gets missed (e.g. MCAS), but we know that aircraft power systems sometimes fail (or suffer short term interuptions) and we design for that. EVERY VALVE IN THE FUEL SYSTEM MUST BE POWERED TO CHANGE STATE!!!! If electrical power is lost, they just stay where they are. The engine fuel valve must be powered open, and it must be powered closed. Same with the spar valve. The pilot moves a switch, that provides electrical signals to the spar valve and the engine fuel valve to open or close. It's not complicated and has been in use for decades.
TCMA (not TCAM) - Thrust Control Malfunction Accommodation - is a FADEC based system. It's resident in the engine FADEC (aka EEC) - the ONLY inputs from the aircraft that go into the TCMA is air/ground (to enable) and thrust lever position (to determine if the engine is doing what it's being commanded to do. The FADEC has the ability to shutdown the engine via the N2 overspeed protection system - this is separate from the aircraft run/cutoff signal, although it uses the same HPSOV to effect the shutdown. That same system is used by TCMA to shutoff fuel if it determines the engine is 'running away'.

Hint, you might try going back a few pages and reading where all this has been posted previously.

The engine driven fuel pumps are regularly removed and overhauled - usually when the engines go through overhaul (somewhere in the 10-20,000 hour range). The results of these overhauls are monitored, and if there is evidence of unusual deterioration, etc., that will be reflected in the recommended maintenance/overhaul intervals (BTW, this is SOP for virtually every system on the aircraft, regardless of Boeing, Airbus, etc.).
The portion of the engine driven fuel pump that is subject to wear is the high-pressure gear pump - and excessive deterioration will become apparent in the inability to reach max TO thrust. The centrifugal pump (that part responsible for the suction feed) is relatively lightly loaded and seldom experiences excessive wear or deterioration - even when exposed to severe suction feed events.
As I've posted several times, in this business you 'never say never' - but the chances that both engines fuel pumps were deteriorated to the point where they could not adequately provide suction feed fuel to keep the engines running is very, very remote.

Keeping track of this thread is tiring - again, my sympathies to the mods, as tiring as I find it, it must be far worse for them )
Apologies for a few terse posts last night, but a couple of inane posts (by a usual suspect) really set me off. I've never used the 'ignore' function, but I may need to revisit that.

I posted this previously, but it was about 70 pages ago, so I understand not going back that far, or forgetting that tidbit amongst all the noise.
In short, I'm not familiar with the specific air/ground logic on the 787/GEnx-1B - the logic I posted (3 radio altimeters, 2 Weight on Wheels, at least one of each must indicate 'on-ground) is for the 747-8 (which I'm intimately familiar with). I have a vague recollection of a discussion with my GEnx-1B counterpart 10 or more years ago that suggested that the 787 was not as complex as the 747-8, but I don't recall any details. Basic FADEC logic (BTW, as someone else noted - it's "Full Authority", not "Autonomous") is to default to 'air' if in doubt, as it's considered to be 'safer'.
The only real hardware in the TCMA system is the N2 overspeed shutdown system - which goes through a BITE style functional test on every engine start. Everything else is in software - with the only aircraft inputs being Air/Ground and thrust lever position.

As I've posted previously, the FADEC is powered by a dedicated Permanant Magnet Alternator (PMA) - aircraft power is used only as a backup for starting or if the PMA fails. If the FADEC determines it is running on aircraft power with engine running (i.e. the PMA has failed), it sets a 'No Dispatch" fault message.

What Alty posted is correct. There have always been single faults in the engine control systems that could cause uncommanded high thrust (UHT) - and such failures were considered in the safety analysis (e.g. FMEA) with the note that it wasn't unsafe as the pilot would shutdown the affected engine. Then there was a 737-200 event (JT8D engines) (1999 sounds about right - I'm thinking it was either an Egyptian operator or it happened in Egypt, but don't hold me to that) - the JT8D had an issue with excessive wear of the splined shaft that provided the N2 input into the hydromechanical fuel control. In this event, that splined shaft started slipping - causing the fuel control to think the N2 was below idle, and it keep adding fuel to try to get the N2 back above idle. This caused the engine to accelerate uncontrollably - the pilots pulled back the throttle and performed an RTO, but the engine didn't respond, and they went off the runway at low speed. Everyone evacuated safely, but the aircraft was destroyed by fire.

The FAA pointed to this accident and said we couldn't depend on crew action to shutdown a runway engine, and therefore any single failure that could result in uncontrollable high thrust was not compliant with 25.901(c) (basically says no single fault can result in an unsafe condition). This basically made every commercial airliner flying non-compliant as every turbine engine control system at that time had single faults that could cause UHT . A consequence of this was everyone was effectively prevented from certifying any further engine control changes since we couldn't show compliance with 25.901(c) (even if the change actually improved safety). The FAA and EASA were forced to issue partial exemptions for all existing aircraft/engine combinations, with the stipulation that they wouldn't certify any new engines that didn't address UHT. A working group was put together at Boeing to come up with some way to comply - and they eventually came up with TCMA , only active on the ground since UHT was only considered unsafe when on the ground - first incorporated on the GE90-115B/777-300ER/200LR.

I've never been 100% comfortable with TCMA (for reasons that should be all to obvious right now), but the regulators gave us few options.
BTW, during the early development of the 747-8, we didn't have a robust way of providing air/ground to the FADECs - which the FAA immediately found objectionable since they never wanted the risk of TCMA being active in-flight. I eventually came up with a design change that would provide a robust air/ground indication (it solved several issues we were confronting at the time), so that concern went away - which made the FAA very happy.

I'm not familiar with the details of how the FADEC s/w is coded (it's the responsibility of the engine manufacturer - in this case GE). Boeing provides specific requirements as to the aircraft/engine interface (documented in an "Interface Control Document" - ICD).
My understanding is that GE uses an automated coding system that takes logic diagrams of what we want the s/w to do and turns that into the s/w code - again don't know details (my expertise is engine control and engine/aircraft interface - not s/w development).
The FADEC is a dual channel device (most of the sensors are also duplicated between channels), but both channels use the same s/w (Rolls did a thing many years ago where the channels used different s/w - it was mess and caused all sort of problems - I don't think anyone else has tried that since).

FADEC software is classified as "Design Assurance Level A" (aka DAL 'A') - flight critical - same thing as FBW software. There are specific requirements for the creation, testing, and certification of DAL A software and it's quite exhaustive (those requirements are documented in an FAA/EASA approved s/w requirements document (DO-160 IIRC). Yes, it is possible for something designed and certified to DAL A to have 'bugs' (and yes it has happened), although those 'bugs' have nearly always been traced to requirements errors - not the actual incorporation of those requirements.
It's also worth noting that the GEnx-1B has millions of hours of operation. Nothing is 'impossible' - even a 10-9 event will happen given enough opportunities - but the odds are very low of it happening.
Then again, all of the plausible explanations for dual engine power loss that would explain this accident are of a very low probability.

Yea, I think you're right - DO-178 is aviation software - now that I think about it, DO-160 might be electro-magnetic effects (i.e. HIRF/Lightning). It's not something I need to worry about anymore so it's not something I make a point of remembering

I doubt the issue would be in top level requirements - those are pretty simple and straightforward. It's the devil of the details where an error might have occurred.

All that being said, I have a hard time with the idea that TCMA activated without a big thrust lever movement (even if you assume an issue with the air/ground indication) - and there is absolutely no reason why the thrust levers would be moved right after rotation.

No, what I posted was the logic for the 747-8 - I simply don't know (or at least don't remember) what the TCMA air/ground logic looks like for the 787/GEnx-1B.