Posts by user "tdracer" [Posts: 84 Total up-votes: 0 Pages: 5]

Yea, I think you're right - DO-178 is aviation software - now that I think about it, DO-160 might be electro-magnetic effects (i.e. HIRF/Lightning). It's not something I need to worry about anymore so it's not something I make a point of remembering

I doubt the issue would be in top level requirements - those are pretty simple and straightforward. It's the devil of the details where an error might have occurred.

All that being said, I have a hard time with the idea that TCMA activated without a big thrust lever movement (even if you assume an issue with the air/ground indication) - and there is absolutely no reason why the thrust levers would be moved right after rotation.

No, what I posted was the logic for the 747-8 - I simply don't know (or at least don't remember) what the TCMA air/ground logic looks like for the 787/GEnx-1B.

On the 747, Weight on Wheels (WoW) depends on prox sensors on the landing gear (i.e. gear compression). I don't know how that's done on the 787.
The reason we used both Radio Alt and WoW is that both can give erroneous indications on certain conditions - RA can be 'fooled' by dense rain or even really dense fog (the signals bounce off the water and falsely indicate on-ground), the prox sensor system can subject to HIRF/Lightning interference.

TCMA acts quickly, but it does require some persistence, so an input glitch won't activate it (mainly N1, which is measured every 15 milliseconds).

What sort of 'confirmation' do you have in mind - the regulator mandate that resulted in TCMA basically says we can't take credit for the flight crew.

Inlet compliance is tested at max takeoff power settings, at AOA up to stall. This is done by performing something called a 'wind-up turn' - with the engine at max TO power and constant altitude, they keep pulling the turn tighter until the wing stalls and the aircraft falls out of the turn.
If the engine doesn't continue normal operation, that's considered a 'fail'. Plus, the engine reaction of an over-rotated inlet (inlet separation) is a surge - accompanied by big bang and a ball of flame out the back.
Nothing we know about this accident supports an over-rotation and related engine stall/surge.

As I noted previously, the FADEC is a dual channel device. It's long been the case that dispatch is allowed with a single FADEC channel failed (this goes back to the original PW4000/CF6-80C2 as installed on the 747-400 and 767.
The MMEL says something like "4 installed, 3 required" (referring to individual FADEC channels) - so you can dispatch for a short time with one FADEC channel failed. Yes, if the remaining channel of faulted FADEC fails, the engine will fail - but the FADEC reliability is such that the probability of losing the remaining channel (and hence the engine) is sufficiently small as to be acceptable.

Both channels can operate TCMA, so a single channel failure has not overall effect on the system.

Again, 'channel out' dispatch is nothing new - it's been the case since 1989 (when the PW4000/767 entered service).

No, it doesn't.
There are already 'dual-path power redundancy for FADEC' - dedicated engine driven FADEC power supply, and aircraft supplied 'backup' power. Again, there is no known way that an aircraft issue could cause the FADEC to lose power.

I'd rack this up to more AI generated nonsense.

Edited to add - others have beat me to the punch...

Have to admit, that made me chuckle

Repeating myself (again), but ALL the TCMA logic is resident in the FADEC. It takes aircraft inputs of air/ground (again, not familiar with the specifics of the air/ground logic used on the 787/GEnx-1B, so don't ask), thrust lever position, and what the engine is actually doing (mainly N1) to determine if the engine is 'out of control'.
The thrust lever inputs are hardwired (resolvers connected to the thrust levers, powered by the FADEC), other aircraft communications on the 787 are on an ethernet based network. Default mode for the FADEC if aircraft inputs are lost or invalid is "Air", as that is generally considered to be the 'safe' choice.
But even assuming some aircraft fault caused the FADECs to falsely believe the aircraft was 'on-ground', it would still take a pretty major error in the TCMA logic for it to actually trigger and shutdown the engine (especially lacking an associated thrust lever movement to idle). Never say never, but we're getting pretty far out on the probability tree for all these things to happen.

Something that occurred to me after I went to bed last night: My assumption that the FDR readouts would rapidly reveal the cause may be flawed.

Let me explain.

The consensus is that both engines quit shortly after liftoff (that assumes that the RAT did in fact deploy). At least one of the data recorders has battery backup, so it should have kept functioning when all aircraft power was lost.

However...

Over the years, I've looked at lots and lots of digital flight data recorder outputs when investigating some sort of incident or other engine anomaly, So I have become rather familiar with some of the interesting characteristics of DFDR data.

On the 767 and 747-400, when you shutdown an engine and the IDG goes offline, there is a momentary 'glitch' in the electrical power system as it reconfigures for the available power source - this is why you see the flight deck displays flicker and return, and the cabin lights momentarily flicker. As a result, most of the avionics boxes 'reset' - this is quick, but it's not instantaneous. This shows up in the FDR data - sometimes as 'no valid data' for a few seconds, or as garbage readings of zero or 'full scale'. Now, looking at the FDR data, it's easy to simply disregard the data, so normally no big deal.

Starting with the 777 (and on the 787 and 747-8), this electrical power glitch was 'fixed' - there is slight delay (~quarter of a second IIRC) before the fuel cutoff signal is sent to the engine - during which the electrical system reconfiguration takes place so no more 'glitch' during a normal engine shutdown...Except whatever happened to these engines wasn't 'normal'.

If there is a fuel cut at high power, the engine spools down incredibly rapidly - a second or two from max power to sub-idle. Assuming the fuel cut wasn't commanded by the flight deck fuel switches, the electrical system won't know it's coming, so it can't reconfigure until after the engine generators drop offline - and you're going to get that power glitch. Nearly every avionics box on the aircraft will reset due to this electrical glitch, and the FDR isn't going to get useful data for a few seconds (and then, only from the stuff that's on the battery bus).

Whatever happened, happened quickly - it's quite possible that whatever initiated the high-power fuel cut didn't get recorded.

Something for everyone to keep in mind (especially in light of the apparently AI created 'news releases' that were posted in the old thread):
During an accident investigation, everyone (and I mean everyone !) associated with the investigation is under what's basically a 'gag order'. They are not to discuss what they know with anyone outside the investigation (been there, done that, hated it but obeyed).
Any and all releases of information regarding the investigation are to come from the primary investigating agency (in this case the Indian investigators).
In today's 24-hour news cycle and constant demand for information, people don't like this, but it's done for good reasons - including protecting the impartiality of the investigation.
In short, if it doesn't originate with the Indian investigation team, it's probably not worth reading.

You'd be half right (or if you prefer, half wrong). Each channel of the FADEC has its own thrust lever position resolver. In other Boeing aircraft, there is a single resolver per engine, with dual electrical coils (i.e. electrically isolated but mechanically connected). But in order to go for full compliance with a (in my opinion) rather extreme FAA position regarding 'single failures' and 25.901(c), the 787 thrust lever actually has dual load paths, feeding to different thrust lever resolvers for each channel.

The wiring between the two (per engine) FADEC channels is separate and isolated from each other. In the areas potentially subject to cross engine rotor burst damage, that wiring is physically separated by a considerable distance. About the only place where the Channel A and B thrust lever resolver wiring is close proximity is in the thrust lever quadrant. We've been designing FADEC aircraft for 40 years - and the requirements for isolation are detailed and well understood.

I've repeatedly posted I don't know the details of the 787/GEnx-1B FADEC air/ground logic - and I know even less about the 787 air/ground system architecture. That being said, I think the whole air/ground is a bit of a red herring - even with a false air/ground indication, it's going to take a very major flaw in the FADEC logic for TCMA to activate without several other things happening (such as the thrust levers being moved to idle - which all by itself is going to make for a bad day if it's done at rotation).

Given the number of times I reviewed DFDR data supplied by an operator after some sort of event/incident, I think most major operators have access to the equipment needed to download a healthy data recorder. So I'd be a bit surprised if Air India does not have this capability. OldnGrounded has also posted that the Indian AAIB also has that ability.

Usually when I hear of data recorders going back to the US NTSB or the recorder manufacturer, it's because the crash damage is such that specialized equipment is needed to download the data. The recorder in the tail would likely have little damage.
While the AAIB may have held off on downloading the recorders until all the major players are present, it's been several days - I'd expect everyone who matters is already there. So I think it is reasonable to believe that the investigators have done a download and have had at least a preliminary look at the data. If there is a smoking gun, they probably already know (and the longer we don't hear something regarding the rest of the 787 fleet, or at least the GEnx powered fleet, the less likely it is that they suspect a systemic problem with the aircraft and/or engine). However the proviso that I posted earlier about potential data loss/corruption due to a sudden shutdown still applies - so maybe the data simply isn't on the recorder.

As has already been posted, EMI is highly unlikely - the current cert requirements for HIRF are quite high, and due to the composite airframe construction of the 787, the lighting requirements are much higher than for conventional aluminum aircraft (the higher resistance of the composite airframe results is higher lightning induced currents).

FDR has suggested a large slug of water hitting critical aircraft electronics at rotation - it is possible that resultant electrical short circuits could falsely signal the engines that the switches are in cutoff. Highly unlikely that it would do that to both engines, but possible.
Then again, all the other plausible explanations are highly unlikely, so...

BTW, I do have a life outside PPRuNe - and I'm going to be traveling the next several days, with limited to non-existent internet access. So don't be surprised if I'm not responding posts or PMs.

Actually that's not quite true. Thrust far higher than what's being commanded by the thrust lever - it doesn't have to be at idle. But even with a CPU failure commanding high thrust (relative to TL position), the odds of that happening to two engines at the same time is astronomical.
BTW, I don't know if there is any 'crosstalk' of TCMA activation between engines on the 787. I know we don't do any crosstalk of other engines info on the 747-8, but the 787 is far more integrated, and the amount of data that can put on that ethernet based data bus is massive.
My knee jerk is that they wouldn't crosstalk TCMA status between engines, but the reality is I really don't know.

The gag rule is pretty much the first thing you're told when you get drawn into an investigation - and you can get in big trouble for violating it (even if inadvertent).
A Boeing management type got his hand slapped pretty hard not to long ago when he made the mistake of answering a reporter's question regarding the Alaska door plug blowout.
I was tempted to contact my friend who was my counterpart during the 787/GEnx-1B development, but I suspect he's already been contacted and is considered to be part of the investigation - so he couldn't talk to me about it anyway.

Satisfying the public demand for instant informational gratification is not their job - determining what happened, why, and how to prevent a future occurrence is. There is a process that they should follow, and indications are they are following it.
About the only thing you can assume from the lack of release of information is that they have not yet found anything that would suggest a systemic threat to other 787 aircraft that would require immediate corrective action or an aircraft grounding.

Every commercial airliner I've ever been on - with the exception of a short-range regional jet (only lav in the back) - has at least one lav immediately aft of the flight deck. Especially post 9/11, putting the most forward lav any further back would become a nightmare when the pilots need to relieve themselves (presumably, they expect the pilot to be able to 'hold it' on a short range regional jet).
And every commercial airliner I'm familiar with has the prime electronics bay below the flight deck - for what should be obvious reasons.

There is absolutely nothing unusual about the 787 arrangement in this regard.

So how are you going to allow the pilot to relieve themselves - while maintaining post 9/11 security - without a lav up front?

Again, disclaimer that my direct knowledge of the 787 specifics is limited, standard Boeing design practice is that all engine wiring is segregated between engines (and were practical, between FADEC channels).
The fuel switches are located adjacent to each other; however all the wiring would be separate.

Engine isolation means just that. No common wire bundles, no common connectors. You can move the fuel levers at any time - there is no lockout of any kind with respect to thrust lever position (imagine dropping something into the lever linkage that jams the thrust lever at max power - then being unable to shut that engine down?)
Obviously, since the thrust levers are placed next to each other - the separation that's available in the center console is limited, but as soon as the wiring exits that constrained area, the separation increases. Furthermore, the same engine-to-engine wiring separation also applies to channel A/B FADEC channels, as well as the fuel switch/fire handle wiring.
All these requirements are documented in the Boeing DR&O (Design Requirements and Objectives) - and there is an audit done late in the design process to insure compliance.
In short, you're barking up a tree stump - there is nothing there.

Muscle memory is a strange and (usually) wonderous thing. It allows us as humans to perform amazing things without actually thinking about what we are doing. Professional Athletes have perfected this to a high art, but the rest of us do things using muscle memory on a regular basis. Back when I was still racing, I happened to look down at my hands on the steering wheel in fast, bumpy corner, and I was simply amazed at the large, rapid steering inputs that I was making to compensate for the bumps - with absolutely zero conscious thought. Muscle memory at its best.

However, it can also bite us. The Delta dual engine shutdown during takeoff from LA (referenced way back when in the 1st accident thread) was caused by muscle memory - the pilot reached down to set the EEC switches (located near the fuel On-Off switches) but muscle memory caused him to do something else - set both fuel switches to OFF. Fortunately, he quickly recognized his error, placing the switches back to RUN and the engines recovered in time to prevent a water landing (barely).

It is conceivable that a pilot - reaching down to the center console to adjust something unrelated - could have muscle memory cause him to turn the fuel off to both engines. While all new engines are tested for "Quick Windmill Relight" - i.e. the fuel switch is set to CUTOFF with the engine at high power - and the engine must recover and produce thrust withing a specified time (memory says 60 or 90 seconds) - it takes a finite amount of time for the engines to recover (spool down after a power cut at high power is incredibly fast - plus moving the switch to CUTOFF causes a FADEC reset, which means it won't do anything for ~ 1 second). Doing that at a couple hundred feet and the chance that an engine will recover and start producing thrust before ground impact is pretty much zero

I'm thinking radio - agreed there is no reason why you'd make such an adjustment right after rotation, but there is nothing normal or usual about both engines quitting right after rotation.