FADEC issues - are there any?
Administrator
Joined: Apr 2015
Aviation Qualifications: Military
Posts: 2,975
Likes: 1,620
From: The Gulf Coast
A much better thread than that another one, very useful info. Thanks to all. 
I had forgotten about the A400 3 engine loss event, may read up on it again. Sorry to hear that RR/AB kept mum about that.
I had forgotten about the A400 3 engine loss event, may read up on it again. Sorry to hear that RR/AB kept mum about that.
Joined: May 2024
Aviation Qualifications: CPL
Posts: 379
Likes: 36
From: Kaupuala
Grounding
There was a great deal of Pprune input after the fleet was grounded (sic).... The focus was on the aft E+E Bay, and the architecture of the Lithium Ion (Yuasa designed/built) batts.
It was thought that the batteries spontaneously went into thermal runaway, I don't recall discussion about generators or the "Generator Control Units". In any case Boeing at some stage installed the Thales batteries, they had a new feature, the patent on "inflection point"... Which made them the clear choice.... Battery fires were patent, I think the EEbays, fore and aft, may have had summat part in this crash.... The APU door suggests it had been selected in some form or fashion... Did it come on line??
It was thought that the batteries spontaneously went into thermal runaway, I don't recall discussion about generators or the "Generator Control Units". In any case Boeing at some stage installed the Thales batteries, they had a new feature, the patent on "inflection point"... Which made them the clear choice.... Battery fires were patent, I think the EEbays, fore and aft, may have had summat part in this crash.... The APU door suggests it had been selected in some form or fashion... Did it come on line??
Joined: Feb 2006
Aviation Qualifications: LAME
Posts: 36,145
Likes: 5,739
From: Falling off the end of the thread
There was a Diamond twin star had a fadec shut down. Smaller yes, but just as pertinent
https://www.defensedaily.com/sudden-...uncategorized/
.
https://download.aopa.org/epilot/200...0diamondsb.pdf
https://www.defensedaily.com/sudden-...uncategorized/
.
https://download.aopa.org/epilot/200...0diamondsb.pdf
Joined: Jul 2013
Aviation Qualifications: Non-Aircrew
Posts: 5,683
Likes: 3,356
From: Everett, WA
There was a Diamond twin star had a fadec shut down. Smaller yes, but just as pertinent
https://www.defensedaily.com/sudden-...uncategorized/
.
https://download.aopa.org/epilot/200...0diamondsb.pdf
https://www.defensedaily.com/sudden-...uncategorized/
.
https://download.aopa.org/epilot/200...0diamondsb.pdf
There was another bizjet crash 10 or 15 years ago when the pilots somehow managed to move the thrust levers 'too far' during takeoff and the thrust lever resolvers went 'out of range' high, so the FADECs defaulted to idle. We immediately had to demonstrate to the Feds why that would never happen on a Boeing. Thrust lever resolvers are normally designed to operate between about 5 and 85 degrees (since the resolver basically works by comparing 'sine' and 'cosine' to determine the angle - so the resolution gets lousy near zero and 90.
For Boeing installed FADECs, we don't have the resolver go 'out of range' if exceeds the maximum angle - rather we keep it valid, and if goes past 90 it just goes down the back side of the sine/cosine curve.
Joined: Dec 2002
Aviation Qualifications: ATP+Mil
Posts: 3,985
Likes: 568
From: Where the Quaboag River flows, USA
The Diamond is not bizjet, it’s a light piston twin with FADECs. I’d love the details on that bizjet event. The GE Passports and RR Pearl engines (Global Express 7500 and 6500, respectively) should meet FAR 33 and 25 specs. They both operate the same as other Part 25 FADECs , off a PMA after start. Those engines did the new high thrust, high altitude shutdown tests.
Joined: Jun 2025
Posts: 9
Likes: 10
From: Switzerland
What I find interesting is that at least in the patent of the TCMA, the TCMA copies running on channels A and channel B of the FADEC can trigger the fuel cut-off independently.
Do we know how the throttle position input looks like? There must be at least two sensors (potentiometers? resolvers?) per throttle lever. Do channels A and B of the FADEC receive both (or all) throttle inputs and validate them? Or is a sensor fault expected to be handled by the two FADEC channels disagreeing?
If for some reason each channel gets only one input, or TCMA is a separate process and does not use the validated throttle position but rather one of the raw inputs, then a single throttle sensor fault could trigger the fuel cutoff. It is still very unlikely that it happens to both engines simultaneously, unless indeed there is some short-circuit.
If the TCMA only activates if the throttle is at idle, it further requires that one of the throttle sensors shorts to what would be the idle position. If the rest of the FADEC detects a disagreement, the final command to the engine might not be idle (but e.g. keep current thrust), so at some point the TCMA will trigger as you hit the ceiling of the falling thrust contour.
Do we know how the throttle position input looks like? There must be at least two sensors (potentiometers? resolvers?) per throttle lever. Do channels A and B of the FADEC receive both (or all) throttle inputs and validate them? Or is a sensor fault expected to be handled by the two FADEC channels disagreeing?
If for some reason each channel gets only one input, or TCMA is a separate process and does not use the validated throttle position but rather one of the raw inputs, then a single throttle sensor fault could trigger the fuel cutoff. It is still very unlikely that it happens to both engines simultaneously, unless indeed there is some short-circuit.
If the TCMA only activates if the throttle is at idle, it further requires that one of the throttle sensors shorts to what would be the idle position. If the rest of the FADEC detects a disagreement, the final command to the engine might not be idle (but e.g. keep current thrust), so at some point the TCMA will trigger as you hit the ceiling of the falling thrust contour.
Joined: Sep 2003
Aviation Qualifications: ATPL
Posts: 956
Likes: 68
From: away from home
Timmy
I began working engine controls in 1984, and did little else until I retired near the end of 2016. When I started out, my boss decided he wanted me to be a 'hydromechanical guru' (I have really good mechanical aptitude) and made sure I got lots of training on the details and subtleties of hydromechanical controls. But within a few years, it became quite obvious that FADEC was taking over and doing strictly hydro stuff was a dead end, so I soon expanded into FADEC.
The last big commercial turbofan engine that wasn't FADEC was the CF6-80C2 - and even that was turned into a FADEC control when Boeing told GE they wouldn't put throttle cables in the 747-400, so if they wanted on, they needed to create a FADEC version.
ETOPS was becoming a big thing about the same time - and the full FADEC PW4000 and CF6-80C2 engines were being certified for use on the 767. Hydro controls tend to give warnings that something is 'wearing out' - electronics don't generally do that, they either work or the don't, so the impact of FADEC on the shutdown rates was exhaustively worked. As a starting point, we looked at the historical rates of hydro control caused shutdowns and Loss of Thrust Control (LOTC), and targeted reliabilities that would mirror those rates for FADEC with necessary shutdown/LOTC rates to meet the ETOPS requirements. But as it turned out, FADEC was way, way more reliable - which contributed in no small way to the impressive engine reliability that has allowed up to 330 minute ETOPS (engine shutdown rates are so low, that now days, more attention is given to impact of ETOPS on the rest of the aircraft than to the engines themselves.
The reliability of the FADEC electronics is so good that they've implemented "Time Limited Dispatch" - which allows extended dispatch with certain 'loss of redundancy' faults - up to and including losing a complete FADEC channel. The hardware is tested and certified for high levels of electromagnetic interference (e.g. radar) and lightning effects.
Software is developed to DO-178 standards as "Level A" - i.e. flight critical. Yes, sometimes s/w errors get through, but most of those are really requirements errors, not coding errors as such.
There have been a few issues that came up over the years. As the newer generations of integrated circuits have gotten smaller and more powerful, something called "Single Event Upset" became a concern - this is where a high energy cosmic particle hits a CPU or memory chip and causes a bit to change state. Now these particles are so small that they can pass right through the earth without hitting something, and with the older circuitry hardware the electrical charges were strong enough that even if a particle hit, it wouldn't have enough energy to change the bit state - but the newer stuff occasionally had an issue that could cause an LOTC. So the newer FADECs run constant checksum type checks - looking for SEU caused discrepancies and if one is detected, the channel automatically resets.
To date (with the jury still out on the recent 787 crash), no major incidents or accidents have been traced to a FADEC engine control system issue since FADEC became widespread over 35 years ago. Yes, there is the odd shutdown or LOTC event due to a FADEC problem, but the rate is much lower than it was with the older hydromechanical control systems.
I began working engine controls in 1984, and did little else until I retired near the end of 2016. When I started out, my boss decided he wanted me to be a 'hydromechanical guru' (I have really good mechanical aptitude) and made sure I got lots of training on the details and subtleties of hydromechanical controls. But within a few years, it became quite obvious that FADEC was taking over and doing strictly hydro stuff was a dead end, so I soon expanded into FADEC.
The last big commercial turbofan engine that wasn't FADEC was the CF6-80C2 - and even that was turned into a FADEC control when Boeing told GE they wouldn't put throttle cables in the 747-400, so if they wanted on, they needed to create a FADEC version.
ETOPS was becoming a big thing about the same time - and the full FADEC PW4000 and CF6-80C2 engines were being certified for use on the 767. Hydro controls tend to give warnings that something is 'wearing out' - electronics don't generally do that, they either work or the don't, so the impact of FADEC on the shutdown rates was exhaustively worked. As a starting point, we looked at the historical rates of hydro control caused shutdowns and Loss of Thrust Control (LOTC), and targeted reliabilities that would mirror those rates for FADEC with necessary shutdown/LOTC rates to meet the ETOPS requirements. But as it turned out, FADEC was way, way more reliable - which contributed in no small way to the impressive engine reliability that has allowed up to 330 minute ETOPS (engine shutdown rates are so low, that now days, more attention is given to impact of ETOPS on the rest of the aircraft than to the engines themselves.
The reliability of the FADEC electronics is so good that they've implemented "Time Limited Dispatch" - which allows extended dispatch with certain 'loss of redundancy' faults - up to and including losing a complete FADEC channel. The hardware is tested and certified for high levels of electromagnetic interference (e.g. radar) and lightning effects.
Software is developed to DO-178 standards as "Level A" - i.e. flight critical. Yes, sometimes s/w errors get through, but most of those are really requirements errors, not coding errors as such.
There have been a few issues that came up over the years. As the newer generations of integrated circuits have gotten smaller and more powerful, something called "Single Event Upset" became a concern - this is where a high energy cosmic particle hits a CPU or memory chip and causes a bit to change state. Now these particles are so small that they can pass right through the earth without hitting something, and with the older circuitry hardware the electrical charges were strong enough that even if a particle hit, it wouldn't have enough energy to change the bit state - but the newer stuff occasionally had an issue that could cause an LOTC. So the newer FADECs run constant checksum type checks - looking for SEU caused discrepancies and if one is detected, the channel automatically resets.
To date (with the jury still out on the recent 787 crash), no major incidents or accidents have been traced to a FADEC engine control system issue since FADEC became widespread over 35 years ago. Yes, there is the odd shutdown or LOTC event due to a FADEC problem, but the rate is much lower than it was with the older hydromechanical control systems.
Thread Starter
Joined: Aug 2015
Aviation Qualifications: ATPL
Posts: 455
Likes: 302
From: The South
Timmy
I began working engine controls in 1984, and did little else until I retired near the end of 2016. When I started out, my boss decided he wanted me to be a 'hydromechanical guru' (I have really good mechanical aptitude) and made sure I got lots of training on the details and subtleties of hydromechanical controls. But within a few years, it became quite obvious that FADEC was taking over and doing strictly hydro stuff was a dead end, so I soon expanded into FADEC.
The last big commercial turbofan engine that wasn't FADEC was the CF6-80C2 - and even that was turned into a FADEC control when Boeing told GE they wouldn't put throttle cables in the 747-400, so if they wanted on, they needed to create a FADEC version.
ETOPS was becoming a big thing about the same time - and the full FADEC PW4000 and CF6-80C2 engines were being certified for use on the 767. Hydro controls tend to give warnings that something is 'wearing out' - electronics don't generally do that, they either work or the don't, so the impact of FADEC on the shutdown rates was exhaustively worked. As a starting point, we looked at the historical rates of hydro control caused shutdowns and Loss of Thrust Control (LOTC), and targeted reliabilities that would mirror those rates for FADEC with necessary shutdown/LOTC rates to meet the ETOPS requirements. But as it turned out, FADEC was way, way more reliable - which contributed in no small way to the impressive engine reliability that has allowed up to 330 minute ETOPS (engine shutdown rates are so low, that now days, more attention is given to impact of ETOPS on the rest of the aircraft than to the engines themselves.
The reliability of the FADEC electronics is so good that they've implemented "Time Limited Dispatch" - which allows extended dispatch with certain 'loss of redundancy' faults - up to and including losing a complete FADEC channel. The hardware is tested and certified for high levels of electromagnetic interference (e.g. radar) and lightning effects.
Software is developed to DO-178 standards as "Level A" - i.e. flight critical. Yes, sometimes s/w errors get through, but most of those are really requirements errors, not coding errors as such.
There have been a few issues that came up over the years. As the newer generations of integrated circuits have gotten smaller and more powerful, something called "Single Event Upset" became a concern - this is where a high energy cosmic particle hits a CPU or memory chip and causes a bit to change state. Now these particles are so small that they can pass right through the earth without hitting something, and with the older circuitry hardware the electrical charges were strong enough that even if a particle hit, it wouldn't have enough energy to change the bit state - but the newer stuff occasionally had an issue that could cause an LOTC. So the newer FADECs run constant checksum type checks - looking for SEU caused discrepancies and if one is detected, the channel automatically resets.
To date (with the jury still out on the recent 787 crash), no major incidents or accidents have been traced to a FADEC engine control system issue since FADEC became widespread over 35 years ago. Yes, there is the odd shutdown or LOTC event due to a FADEC problem, but the rate is much lower than it was with the older hydromechanical control systems.
I began working engine controls in 1984, and did little else until I retired near the end of 2016. When I started out, my boss decided he wanted me to be a 'hydromechanical guru' (I have really good mechanical aptitude) and made sure I got lots of training on the details and subtleties of hydromechanical controls. But within a few years, it became quite obvious that FADEC was taking over and doing strictly hydro stuff was a dead end, so I soon expanded into FADEC.
The last big commercial turbofan engine that wasn't FADEC was the CF6-80C2 - and even that was turned into a FADEC control when Boeing told GE they wouldn't put throttle cables in the 747-400, so if they wanted on, they needed to create a FADEC version.
ETOPS was becoming a big thing about the same time - and the full FADEC PW4000 and CF6-80C2 engines were being certified for use on the 767. Hydro controls tend to give warnings that something is 'wearing out' - electronics don't generally do that, they either work or the don't, so the impact of FADEC on the shutdown rates was exhaustively worked. As a starting point, we looked at the historical rates of hydro control caused shutdowns and Loss of Thrust Control (LOTC), and targeted reliabilities that would mirror those rates for FADEC with necessary shutdown/LOTC rates to meet the ETOPS requirements. But as it turned out, FADEC was way, way more reliable - which contributed in no small way to the impressive engine reliability that has allowed up to 330 minute ETOPS (engine shutdown rates are so low, that now days, more attention is given to impact of ETOPS on the rest of the aircraft than to the engines themselves.
The reliability of the FADEC electronics is so good that they've implemented "Time Limited Dispatch" - which allows extended dispatch with certain 'loss of redundancy' faults - up to and including losing a complete FADEC channel. The hardware is tested and certified for high levels of electromagnetic interference (e.g. radar) and lightning effects.
Software is developed to DO-178 standards as "Level A" - i.e. flight critical. Yes, sometimes s/w errors get through, but most of those are really requirements errors, not coding errors as such.
There have been a few issues that came up over the years. As the newer generations of integrated circuits have gotten smaller and more powerful, something called "Single Event Upset" became a concern - this is where a high energy cosmic particle hits a CPU or memory chip and causes a bit to change state. Now these particles are so small that they can pass right through the earth without hitting something, and with the older circuitry hardware the electrical charges were strong enough that even if a particle hit, it wouldn't have enough energy to change the bit state - but the newer stuff occasionally had an issue that could cause an LOTC. So the newer FADECs run constant checksum type checks - looking for SEU caused discrepancies and if one is detected, the channel automatically resets.
To date (with the jury still out on the recent 787 crash), no major incidents or accidents have been traced to a FADEC engine control system issue since FADEC became widespread over 35 years ago. Yes, there is the odd shutdown or LOTC event due to a FADEC problem, but the rate is much lower than it was with the older hydromechanical control systems.
Joined: Nov 2001
Posts: 6,157
Likes: 1,274
From: Australia/India
FWIW and I'm happy to cop flack on any mistakes made, I posted this on the Air India 787 thread, with some deletions of material irrelevant to this thread:
I ... note that the primary source of the information on which I’m basing my post is the content of Boeing’s patent application which, of course, does not contain any of the actual wiring diagrams or modification details of the TCMA, even assuming it has been implemented. ...
The point of my post is to get other’s thoughts on one of the design principles of the TCMA system proposed in the patent application.
The ostensibly simple and elegant concept is described in the schematic of the system at figure 1 of the patent application. A copy of figure 1 is below.
The TCMA is the part of the schematic inside the dotted box numbered 16, sitting with the EEC (others would call it the FADEC) in the solid box numbered 18.
The heart of the TCMA comprises two switch relays, numbered 22 and 28 in the schematic, wired in series. Each of those switch relays is controlled by its own, dedicated engine control malfunction software, identified as the blobs numbered 130. (The patent application identifies component 34 as a dedicated processor and 32 as the diode connected to the switch relays, but that is evidently a mistake. Component 34 is the diode and I can’t find a component number 32 anywhere in the schematics.)
Each relay switch and its controlling software is described as a ‘channel’, one A and one B. Both channels run continuously, monitoring throttle position (36 in the schematic) versus engine data fed from ARINC data bus lines (46 in the schematic) and “dedicated input sensors” not shown in the schematic. Those sensors presumably detect things like weight on wheels and perhaps RADALT.
This design is said to achieve redundancy, because if only one ‘channel’ detects the engine is producing excessive thrust while the throttle is set to idle, that channel will set its switch relay to CUTOFF and that is enough to change the state of the high pressure fuel shut off valve (58 in the schematic). No more motion lotion. In the words of the patent application: Both channels are “always actively monitoring engine function and independently have the capability of shutting down the engine.”
That arrangement wrinkled my crusty old avtech brow. In my mind – and this is why I’m seeking other’s thoughts – the advantage of redundancy arising from the two channels, either or both of which can shut the engine down, is not without risk. If it is possible for one of the channels to have some ‘glitch’ or hardware failure such that it does not detect an actual out of envelope condition justifying immediate shut down, with the other channel detecting the condition and shutting the engine down, it inexorably follows – does it not – that it is possible for one (or both) of the channels to have a ‘glitch’ or hardware failure that results in a shut down when there is no out of envelope condition?
Further, even if there are completely separate, duplicated sensors telling each channel things like the position of the throttle and whether or not there is weight on wheels, there remains the possibility of a combination of sensor failures/disconnects resulting in one channel being ‘convinced’ that an out of envelope condition exists, with a consequential cutoff of fuel to the engine.
I of course acknowledge the valid observations made about the remote probabilities of these kinds of glitches and failures.
I’ve heard rumours that there was much resistance to the mandating of TCMA systems. Having seen many, many strange faults caused by random shorts, open circuits, liquid ingress and other foreign objects, I can understand why there was that resistance. Every time you add something to a system and that added thing has electronic components and software and electrical connections and data inputs, you add risk of that thing malfunctioning or working perfectly but with erroneous inputs. In this case, there are effectively two added new things: two channels, each one of which has the ability to shut off the motion lotion to the engine to which they are strapped.
I make no comment on whether TCMA systems, if fitted, have anything to do with this tragedy.
....
I ... note that the primary source of the information on which I’m basing my post is the content of Boeing’s patent application which, of course, does not contain any of the actual wiring diagrams or modification details of the TCMA, even assuming it has been implemented. ...
The point of my post is to get other’s thoughts on one of the design principles of the TCMA system proposed in the patent application.
The ostensibly simple and elegant concept is described in the schematic of the system at figure 1 of the patent application. A copy of figure 1 is below.
The TCMA is the part of the schematic inside the dotted box numbered 16, sitting with the EEC (others would call it the FADEC) in the solid box numbered 18.
The heart of the TCMA comprises two switch relays, numbered 22 and 28 in the schematic, wired in series. Each of those switch relays is controlled by its own, dedicated engine control malfunction software, identified as the blobs numbered 130. (The patent application identifies component 34 as a dedicated processor and 32 as the diode connected to the switch relays, but that is evidently a mistake. Component 34 is the diode and I can’t find a component number 32 anywhere in the schematics.)
Each relay switch and its controlling software is described as a ‘channel’, one A and one B. Both channels run continuously, monitoring throttle position (36 in the schematic) versus engine data fed from ARINC data bus lines (46 in the schematic) and “dedicated input sensors” not shown in the schematic. Those sensors presumably detect things like weight on wheels and perhaps RADALT.
This design is said to achieve redundancy, because if only one ‘channel’ detects the engine is producing excessive thrust while the throttle is set to idle, that channel will set its switch relay to CUTOFF and that is enough to change the state of the high pressure fuel shut off valve (58 in the schematic). No more motion lotion. In the words of the patent application: Both channels are “always actively monitoring engine function and independently have the capability of shutting down the engine.”
That arrangement wrinkled my crusty old avtech brow. In my mind – and this is why I’m seeking other’s thoughts – the advantage of redundancy arising from the two channels, either or both of which can shut the engine down, is not without risk. If it is possible for one of the channels to have some ‘glitch’ or hardware failure such that it does not detect an actual out of envelope condition justifying immediate shut down, with the other channel detecting the condition and shutting the engine down, it inexorably follows – does it not – that it is possible for one (or both) of the channels to have a ‘glitch’ or hardware failure that results in a shut down when there is no out of envelope condition?
Further, even if there are completely separate, duplicated sensors telling each channel things like the position of the throttle and whether or not there is weight on wheels, there remains the possibility of a combination of sensor failures/disconnects resulting in one channel being ‘convinced’ that an out of envelope condition exists, with a consequential cutoff of fuel to the engine.
I of course acknowledge the valid observations made about the remote probabilities of these kinds of glitches and failures.
I’ve heard rumours that there was much resistance to the mandating of TCMA systems. Having seen many, many strange faults caused by random shorts, open circuits, liquid ingress and other foreign objects, I can understand why there was that resistance. Every time you add something to a system and that added thing has electronic components and software and electrical connections and data inputs, you add risk of that thing malfunctioning or working perfectly but with erroneous inputs. In this case, there are effectively two added new things: two channels, each one of which has the ability to shut off the motion lotion to the engine to which they are strapped.
I make no comment on whether TCMA systems, if fitted, have anything to do with this tragedy.
....
Joined: May 2024
Aviation Qualifications: CPL
Posts: 379
Likes: 36
From: Kaupuala
Yaw/FBW
The first video showed Yaw right. Later, the video was chopped and the Yaw was missing . FBW has OEI recovery.
Another poster disagreed and offered as evidence no visible Rudder input. Assuming some manner of auto flight response, wouldn't that demonstrate operable FADEC? Thinking I occupy no more than a seat in the tenth percentile of posters, I think personally there is clutching at straws. The procuring cause of loss of engine power had to be loss of electrical power. The possibilities are patent beginning in P100 with a fire, in flight test. Then six on board fires, an occurrence the FAA at the time required a single fire onboard was one in one billion for the fleet. I personally believe the emergency batteries ran away due some charging issue.
This bird has switching and glitching issues...
Survivor 11A::: "There was a bang, we felt like we were suspended, the engines began racing, then we hit
Something... " I believe him... His observations suggest our crew managed an attempt at climb, but ran out of room.
Another poster disagreed and offered as evidence no visible Rudder input. Assuming some manner of auto flight response, wouldn't that demonstrate operable FADEC? Thinking I occupy no more than a seat in the tenth percentile of posters, I think personally there is clutching at straws. The procuring cause of loss of engine power had to be loss of electrical power. The possibilities are patent beginning in P100 with a fire, in flight test. Then six on board fires, an occurrence the FAA at the time required a single fire onboard was one in one billion for the fleet. I personally believe the emergency batteries ran away due some charging issue.
This bird has switching and glitching issues...
Survivor 11A::: "There was a bang, we felt like we were suspended, the engines began racing, then we hit
Something... " I believe him... His observations suggest our crew managed an attempt at climb, but ran out of room.
Joined: Jan 2025
Aviation Qualifications: Non-Aircrew
Posts: 640
Likes: 782
From: New Zealand
Another poster disagreed and offered as evidence no visible Rudder input. Assuming some manner of auto flight response, wouldn't that demonstrate operable FADEC?
The procuring cause of loss of engine power had to be loss of electrical power.
The batteries are basically not used while engine(s) are running.
I can't comment on presence/absence of yaw.
Joined: Nov 2001
Posts: 6,157
Likes: 1,274
From: Australia/India
FADEC has nothing to do with flight controls.
Total loss of electrical power should not result in the engines shutting down (absent some other defect like the fuel suction pumps not working).
The consensus of publicly-expressed ostensibly-expert opinion is that there is no asymmetric power-related yaw after take-off but, even if there were due to one engine not delivering 'sufficient' thrust, the other engine should have been capable of delivering enough thrust for the aircraft to climb away.
The consensus of publicly-expressed ostensibly-expert opinion is that the bang and revving heard by the survivor was likely the RAT deploying and revving up.
Everything points to the immediate cessation of motion lotion to both engines, shortly after take-off. If that happened, the question of course resolves to: Why?
And a PS to my earlier post about the schematic in the TCMA patent application: Apparently the TCMA can be triggered even when the thrust lever is not set to idle. There's an envelope of engine thrust delivered compared with thrust lever position, outside of which envelope - 'too much' thrust delivered compared with thrust lever position - the TCMA is designed to trigger fuel shut off to the engine to which it is fitted, provided the aircraft is not in the air. There remains uncertainty as to how TCMA decides whether the aircraft is not in the air. My understanding is that there's a combination of sensor inputs, like the obvious weight on/off wheels as well as RADALT, but I can't find any authoritative statement of what those are and whether just one or both (or all have) to be in the 'in air' or 'not in the air' state to disable or enable the TCMA function.
Total loss of electrical power should not result in the engines shutting down (absent some other defect like the fuel suction pumps not working).
The consensus of publicly-expressed ostensibly-expert opinion is that there is no asymmetric power-related yaw after take-off but, even if there were due to one engine not delivering 'sufficient' thrust, the other engine should have been capable of delivering enough thrust for the aircraft to climb away.
The consensus of publicly-expressed ostensibly-expert opinion is that the bang and revving heard by the survivor was likely the RAT deploying and revving up.
Everything points to the immediate cessation of motion lotion to both engines, shortly after take-off. If that happened, the question of course resolves to: Why?
And a PS to my earlier post about the schematic in the TCMA patent application: Apparently the TCMA can be triggered even when the thrust lever is not set to idle. There's an envelope of engine thrust delivered compared with thrust lever position, outside of which envelope - 'too much' thrust delivered compared with thrust lever position - the TCMA is designed to trigger fuel shut off to the engine to which it is fitted, provided the aircraft is not in the air. There remains uncertainty as to how TCMA decides whether the aircraft is not in the air. My understanding is that there's a combination of sensor inputs, like the obvious weight on/off wheels as well as RADALT, but I can't find any authoritative statement of what those are and whether just one or both (or all have) to be in the 'in air' or 'not in the air' state to disable or enable the TCMA function.
Joined: May 2024
Aviation Qualifications: CPL
Posts: 379
Likes: 36
From: Kaupuala
The fuselage was headed directly away from the camera on the video. The camera was biased to the runway by some angle. The heading therefore would reflect the same angle.
If fuel starvation, one would predictably fail some time earlier than the other. The 777 from Beijing showed a similar close failure on the dry approach to LHR? Not trying to link FADEC to auto flight recovery from OEI. Perhaps the flow of fuel was somewhat intermittent. Perhaps the obstruction cleared at some point, allowing the engines to stop sputtering and regain thrust. Then again, perhaps the RAT was causing the "Racing" sound.... I think the answer is to be found in some simpler solution than cosmic rays, and "vanishingly small" goblins. Fuel starvation of some description...... Lack of fuel pressure, cavitation, blockage, or some more complex issue, of course. Fuel, Air, Compression, Thrust .....
Or, more precisely, Air, Compression, Fuel, Thrust (and Fan)
Complexity fosters Perplexity
If fuel starvation, one would predictably fail some time earlier than the other. The 777 from Beijing showed a similar close failure on the dry approach to LHR? Not trying to link FADEC to auto flight recovery from OEI. Perhaps the flow of fuel was somewhat intermittent. Perhaps the obstruction cleared at some point, allowing the engines to stop sputtering and regain thrust. Then again, perhaps the RAT was causing the "Racing" sound.... I think the answer is to be found in some simpler solution than cosmic rays, and "vanishingly small" goblins. Fuel starvation of some description...... Lack of fuel pressure, cavitation, blockage, or some more complex issue, of course. Fuel, Air, Compression, Thrust .....
Or, more precisely, Air, Compression, Fuel, Thrust (and Fan)
Complexity fosters Perplexity
Last edited by BugBear; 20th June 2025 at 01:51.
Joined: Dec 2004
Posts: 33
Likes: 24
From: Asia
Incident: LATAM B773 near Belo Horizonte on Dec 20th 2018, electrical failures
I think this is probably the only unthinkable total power loss on a Wide Body ETOPS Boeing Twin (not engine failure induced) that happened to a LATAM 777 - An amazing demonstration of airmanship from the crew, and a demonstrated design feat of the Boeing allowing the aircraft to continue flying at or near TO weight and then land (albeit heavy) even though they had lost all normal sources of electrical power, and then some ...
357 pax and crew safely disembarked without injury.
It is also worth noting that FADEC is a concept (or system) of many many independent and redundant engine control components from the EEC and Thrust Levers, to the Dedicated Alternators, FMU's, VSB/VBV actuators and so on. They are all independent of the aircraft power sources hence the engines will operate just fine even in a situation such as this.
Edited to add: Refer to the previous pprune forum (LATAM B773 complete electrical failure?)
I think this is probably the only unthinkable total power loss on a Wide Body ETOPS Boeing Twin (not engine failure induced) that happened to a LATAM 777 - An amazing demonstration of airmanship from the crew, and a demonstrated design feat of the Boeing allowing the aircraft to continue flying at or near TO weight and then land (albeit heavy) even though they had lost all normal sources of electrical power, and then some ...
357 pax and crew safely disembarked without injury.
It is also worth noting that FADEC is a concept (or system) of many many independent and redundant engine control components from the EEC and Thrust Levers, to the Dedicated Alternators, FMU's, VSB/VBV actuators and so on. They are all independent of the aircraft power sources hence the engines will operate just fine even in a situation such as this.
Edited to add: Refer to the previous pprune forum (LATAM B773 complete electrical failure?)
Last edited by aeo; 20th June 2025 at 03:07.
Joined: Feb 2025
Posts: 153
Likes: 248
From: Earth
It's been stated that the FADECs have nothing to do with the rudder. That is true for the 787, but it's not always true. The 777 will automatically apply rudder to correct for an engine failure, but only if it knows the engine has failed. It relies on the data coming from the FADEC. That might be the cause of the confusion.
The 787 will do the same but it does not rely on data from the FADEC. It uses the IRS to detect the yaw. In fact, it will correct for anything that causes uncommanded yaw, not just engine failure.
The 787 will do the same but it does not rely on data from the FADEC. It uses the IRS to detect the yaw. In fact, it will correct for anything that causes uncommanded yaw, not just engine failure.
Joined: May 2024
Aviation Qualifications: CPL
Posts: 379
Likes: 36
From: Kaupuala
It's been stated that the FADECs have nothing to do with the rudder. That is true for the 787, but it's not always true. The 777 will automatically apply rudder to correct for an engine failure, but only if it knows the engine has failed. It relies on the data coming from the FADEC. That might be the cause of the confusion.
The 787 will do the same but it does not rely on data from the FADEC. It uses the IRS to detect the yaw. In fact, it will correct for anything that causes uncommanded yaw, not just engine failure.
The 787 will do the same but it does not rely on data from the FADEC. It uses the IRS to detect the yaw. In fact, it will correct for anything that causes uncommanded yaw, not just engine failure.
DEI??
Joined: May 2010
Posts: 166
Likes: 102
From: SOF/LBSF
Incident: LATAM B773 near Belo Horizonte on Dec 20th 2018, electrical failures
I think this is probably the only unthinkable total power loss on a Wide Body ETOPS Boeing Twin (not engine failure induced) ....
It is also worth noting that FADEC is a concept (or system) of many many independent and redundant engine control components from the EEC and Thrust Levers, to the Dedicated Alternators, FMU's, VSB/VBV actuators and so on. They are all independent of the aircraft power sources hence the engines will operate just fine even in a situation such as this.
I think this is probably the only unthinkable total power loss on a Wide Body ETOPS Boeing Twin (not engine failure induced) ....
It is also worth noting that FADEC is a concept (or system) of many many independent and redundant engine control components from the EEC and Thrust Levers, to the Dedicated Alternators, FMU's, VSB/VBV actuators and so on. They are all independent of the aircraft power sources hence the engines will operate just fine even in a situation such as this.
Coming back to AI171, it would be interesting if a similar power systems safety analysis report that Boeing must have produced for the 787 would have mapped an electrical failure that would have encompassed the loss of trust on both engines (as seems to have occurred to AI171) and if so what kind of risk assessment would have been allotted.
According to the FAA AC 25.1309-1B, at least the "Arsenal Draft" that Boeing referenced in it's 2004-2009 type certification programme for the 787, the condition as apparently shown by AI171 should have been classified as "catastrophic failure" (i.e. "failure conditions which would result in multiple fatalities, usually with the loss of the airplane") and by consequence be assessed as "Extremely improbable" (less than 1X10-9 (1 in 1 billion flight hours).
Given the "export restrictions" cited in the Brazilian 777 electrical failure incident, its IMO unlikely that the Indian AAIB will ever be able to lay its hands on Boeing's "787 Electrical Power Systems Safety Analysis Document"....
Last edited by D Bru; 24th June 2025 at 13:03. Reason: added a new last sentence + relevant passage from report
Joined: Feb 2002
Aviation Qualifications: AME
Posts: 4,184
Likes: 1,123
From: UK
It would seem the discussion has yawed away from a patent fault of some magnitude, a failing or failed generation system and a seemingly unsolved switching resolution. In an aircraft with a known history of failed generators, emergency landings and diversions, not to mention onboard fires, perhaps we are looking through a microscope at an elephant. Gnats eye view as it were ....Does the Rat not drop into the airstream for other than TEI ??
DEI??
DEI??
The other thread was closed due to ridiculous and frankly laughable posts from people who have no idea how complex aircraft systems work.
Let's not do that here eh.
Joined: Jul 2013
Aviation Qualifications: Non-Aircrew
Posts: 5,683
Likes: 3,356
From: Everett, WA
Have also stumbled across this one too in relation to AI171. The final report (https://sistema.cenipa.fab.mil.br/ce...DEZ18_Ing..pdf) contains IMO interesting details re Boeing not sharing it's "777 Electrical Power Systems Safety Analysis Document" integrally with the in this case Brazilian investigation due to export policy restrictions in force of the aircraft's State of Design. This document mapped failures of the electrical system and the probability of their occurrence. According to Boeing, the said document had an electrical failure of the kind in this incident assessed as "Class II Hazardous", while its probability was calculated as 9.6x10-8 (a little bit less than 1 in a billion of hours). The Brazilian investigation assessed that taking into account the level of risk, the probability of this type of failure should be less than 1x10-7 (a failure in 10 million flight hours).
Given the "export restrictions" cited in the Brazilian 777 electrical failure incident, its IMO unlikely that the Indian AAIB will ever be able to lay its hands on Boeing's "787 Electrical Power Systems Safety Analysis Document"....
Given the "export restrictions" cited in the Brazilian 777 electrical failure incident, its IMO unlikely that the Indian AAIB will ever be able to lay its hands on Boeing's "787 Electrical Power Systems Safety Analysis Document"....
I went to Shanghai as part of a team meeting with the Chinese CAAC regarding their approving the 747-8 for use by Chinese operators. We could show them pitch charts, and specify which documents were relevant, but we could not give them hard copies of the presentations or documents due to the export restrictions. Same thing with the Russian authorities (although they came to Seattle instead of our going to Moscow). In one case, they wanted to see a specific fault tree analysis - we were able to copy it from the document and display it on the screen, but couldn't provide them a hard copy (although I wouldn't be very surprised if someone took a discrete picture of the screen while it was being displayed.
In other another case, we provided a copy of the cert document to the Boeing cert office - they were supposed to scrub it as necessary before giving a copy to the foreign authority - but I stopped caring about it after we gave it to the cert people, so I don't know details.
Joined: Dec 2002
Aviation Qualifications: ATP+Mil
Posts: 3,985
Likes: 568
From: Where the Quaboag River flows, USA
Has there ever been a case of double engine failure of a Part 25 or CAR 4b design on takeoff or initial climb where system failure was the root cause? I can’t recall one.