The long and short of your reply confirms my assumption that Boeing’s “787 electrical power systems safety analysis” document will definitely not be integrally shared with AAIB India at any point of their investigation, but that like in the Brazilian PT-MUG report, Boeing might be obliged to cite certain aspects from the said document in the near future. This as such could leave a real gap in identifying the root cause of the “other” accident.

I would like to join this discussion, if I may? I will try not to be a nuisance or make inane and pointless comments, and hope that you learned gents will allow me to join the discussion and comment. Despite my lack of Aviation-related qualifications, I have some Electronic knowledge and design experience, and sincerely believe that I can make some worthwhile contributions. Please allow me to demonstrate...

I would love to offer my thoughts. Likewise, I'm happy to cop the flack...

I too have studied the Patent documents - not yet in full depth but enough, I believe, to make some comment. I plan to make a comprehensive study, but time is the issue for me.

To be honest, I cannot agree with the suggestion of elegance! Ostensibly, YES!

I agree entirely - those two relay switches are indeed (probably) the key components of the system.

I pulled this definition of Redundancy off the net:

Definition from Google "AI" (which seems adequate here):As I see it, on the basis of the information provided in the Patent Application, and as you have alluded to, there is NO redundancy at all in this design.

In my analysis of the key circuits, what has been created is simply a duplication of two identical systems, 130 & 22 and 130 & 28. As you've pointed out, these two are wired in series (and parallel, on the CUTOFF Side), and as you say, either one can cause Fuel Cutoff. This is not redundancy - but merely an illusion of it - and in fact, all this duplication achieves (IMHO) is a doubling of the more dangerous failure risk (i.e Fuel Cutoff). (The failure of the less dangerous risk (no Cutoff) is of negligible consequence, given that genuine cases for TCMA activation are extremely few and far between.) A failure in either one of these systems could result in a Fuel Cutoff, leaving the other, potentially perfectly functional system to "go down with the ship". This is not the switching out of a faulty system and replacing it with the still working one, and doesn't result in the continuation of fault-free operation, so by definition, is not redundancy.

Of course, it's unknown which way an electronic failure will go. It could be "innocent" and do nothing, leaving its own output relay as it is, thus leaving the other duplicate subsystem to continue its work alone. Or it could be the exact opposite. The result of the wrong kind of fault in either subsystem is Fuel Cutoff, regardless of the fact that the other subsystem may be working just fine.

There's another very real possibility to consider. Either of these two duplicate subsystems could fail silently. In other words, the internal circuitry fails, but by some lucky fluke, it does not switch its output relay. Outwardly, everything continues as before. The problem is, on the basis of the patented design, there is apparently no way to tell that one subsystem is dead. So, the aircraft could continue operating indefinitely, without anyone knowing that one TCMA subsystem was dead. It's entirely possible that the other subsystem, the other half of the pair, could also fail in exactly the same way due to the same inherent design weakness, and there would be no TCMA protection whatsoever. Again, clearly, there is no redundancy, but that likely wouldn't be discovered during the life of the engine.

On the subject of faults in the schematic diagram - Following the circuit traces from Relay contact 22 (armature) backwards (to the left), they are connected to the trace running from the RUN contact of contacts 102 to the OPEN Coil 118 (at the Upper Junction Dot.). Likewise, following the circuit from the (fixed) RUN contact of Relay 28 to the right (labelled 124), it also connects to the same trace as above, that running from the RUN contact of contacts 102 to the OPEN Coil 118, this time, at the lower junction Dot.

I guess you see the problem? Both ends of this circuit connect to the same trace. In other words, it shows a "short circuit" wired between both ends of the pair of series-connected Relays' RUN contacts. In other words, these two sets of contacts are wired to do absolutely nothing. Haha! This, in fact, appears to be the only redundancy built into this device.

This is clearly another error (how many does there have to be!?), and the circuit evidently should not include the two dots, one above the other in the centre of the drawing, nor should the link joining them exist. This part of the circuit (series-connected RUN contacts) is there to ensure that the power is removed from the OPEN Coil before power is applied to the "CLOSED" (Yet another mistake - it should be CLOSE) Coil during the Fuel Cutoff operation. Otherwise there will be a conflict between the OPEN and CLOSE inputs to the HPSOV, and I have no idea how that would work out.

FWIW, the purpose of the diode appears to me at first glance to be redundant, unnecessary and poor design, and was probably inserted to "correct" the 'conflict' caused purely by the "two dots and link" drafting error in the schematic. (To prevent "reverse" current flowing from the CUTOFF (Coil) side of the circuit back through the now closed CUTOFF relay contacts and causing the both OPEN and CLOSE situation referred to above.) I admit to calling this thing a contraption in my last point in the AI171 thread, and stand by my comment.

Another possible issue that I have identified but lack sufficient information on, is if activated in mid-air (through an Air/Ground signal fault and high turbine RPM at idle thrust settings e.g. rapid descent) how does a pilot RESET the TCMA system to restore fuel to the engines - since the FADEC/TCMA system is then powered by the windmilling-engine-driven PMG?

One of the big problems with this system is that there is no easy way to work out when a failure in the TCMA system has occurred. In my view, the difficulties posed are not worth the effort to remedy. Pilot training is all that seems necessary to me.

Boeing must have designed a TCMA system monitoring/alerting because TCMA appears in the MEL. ENG TCMA is a status message.

Not clear if that alerting differentiates between a failure in the "first and second processing subsystems" though...

Interesting. Wonder how that works...

That's only true for the Trent engine - there is no separate TCMA entry for the GEnx engine. GEnx the TCMA function contained entirely to the engine control FADEC, single channel FADEC inop is allowed for a short time per the MEL.
I don't know enough about the Trent architecture to know why it needs a dedicated entry in the MEL.

Apologies I was not referring to a specific engine type. But TCMA ENG status and MEL is true for the GE90-115b on 777-3 and RR on 787. Not sure about the GEnx though. Curious that it appears for some eng types and not others....

Thanks gents.

Could anyone point me to some more information on the Fuel Cutoff valves, please? Or should I start a fresh thread? Searched the 'Net with very little useful information turned up.

I now understand that the HPSOV on the B787 GEnx engine is actually a (fast acting) lock-open (Power Open, Power Closed) solenoid valve. Do all current (large) engines use this type of valve for HPSO, or are there others?

Also glean that the typical LPSOVs / Spar Valves are (motor?) driven (gate?) valves. Can anyone provide / direct me to more detail, please?

An important point to take into consideration is that the 'schematic' and description in the patent application are just a 'big hands; small maps' conceptual materials that bear little-to-no semblance to actual components or wiring added to the FADECs in this case. Someone with expertise in the subject - tdracer - has pointed out that TCMA is "simply software".

That software monitors measured thrust lever position - a pre-existing input to the EEC/FADEC - versus measured engine thrust - another pre-existing input to the EEC/FADEC and, when the measured thrust is 'too high' for 'too long' compared with the measured thrust lever position, the TCMA will command fuel shut off to the engine - using pre-existing circuitry connected to the shut off valves - if the aircraft is in the 'on the ground' state - yet another pre-existing input to the EEC/FADEC. (There may be other inputs like measured thrust reverser position, as indicated by the Osaka incident, and RADALT, but I have no authoritative information about how, precisely, they affect TCMA.) What's 'too high' a delta and for 'how long' is in the hands of the designers and software engineers who build that envelope and contours into the software.

You are not alone in being of the opinion that the system may entail risks without much reward. The Fuel Cut Off switch for each engine is there and can be used at any time. Same with the Fire Handle for each engine. However, the FAA insisted on a system that would operate autonomously.

That is essentially correct - every large turbofan engine I'm familiar with uses the solenoid to control the HPSOV. The entire Fuel Metering Units operate using high pressure fuel - with a special valve that supplies a regulated reference pressure a set difference lower than the inlet pump pressure, and a 'body' pressure that is basically referenced to the (much lower) engine driven LP pump outlet pressure. When the solenoid commands "RUN", it ports the fuel 'behind' the HPSOV to 'body' pressure - there is spring that keeps the HPSOV in the closed position unless the high pressure fuel (from the HP engine driven pump) is ~300 psi above the 'body' pressure - at which time the HPSOV moves open. This ~300 psi threshold insures there is adequate muscle pressure to operate the Fuel Metering Unit, as well as to control things like stator vanes and bleed valves. The HP fuel pump is capable of providing that ~300 psi pressure at about 8% N2 (a real good new pump can do that much lower N2, but fuel pumps naturally deteriorate in service so this gives adequate margin for pump deterioration.) When the solenoid commands "Shutoff", it ports that high inlet pressure fuel to the backside of the HPSOV - combined with the spring - it almost immediately moves the HPSOV to closed.

I can't speak for Airbus, but all Boeing aircraft use a motor driven actuator to control the spar valve - the valve must be electrically driven both ways, so like the HPSOV solenoid, if electrical power is lost, it stays were it is.

Thanks and understood. The patented concept could have been much improved, and the patent details probably bear little resemblance to those of the final product.

Ok, thanks again. I did see that in the main thread somewhere, but didn't interpret it quite the same. I understood that all the hardware used already existed and so was merely "utilised", but I didn't interpret it as I do now.

If this TCMA is purely software, then are the relay contacts (as shown in concept) in the patent's wiring diagram connected as they were before the addition of the TCMA software? I can see that the Fire Lever and the Pilots' Engine Cutoff switch (per engine, that is), (and presumably the "ELMS" relay), must be typical if not standard and that the patent doesn't cover those. They are shown for context.

But... IF the wiring of the two FADEC Output relays is as original (and as per the patent's wiring), then doesn't the same weakness apply regardless? I hope not, but I'm really left wondering if the Dual Channel FADECs are truly any more redundant than what the patent detail would suggest - that in certain faults, one will dominate, wrongly.

Thanks thrice! Yes, I have to add that the entire concept of completely and suddenly Cutting Off an engine without the pilots' input and, by the sound of things, any direct warning or knowledge, runs entirely contrary to all the hard work that has been put in to make sure that almost nothing else that happens while airborne can stop the engines. QF32 was mentioned as a good example of this.

So my next question which no one has touched on that I can see, is, is it possible to cancel a TCMA engine shutdown?

The short answer to your last question appears, from the Osaka incident, to be: Not from the cockpit. On my reading of the reports of the incident, the aircraft had to be towed off the runway because the pilots could not restart the engines. But maybe there's been some revision or modification post-Osaka to change that or I overlooked something. (I've separately asked someone - who's 'in the know' - whether there are any TCMA-specific failure actions that are trained and checked. I’m guessing that if during a rejected take off an engine continues to provide ‘too much’ thrust despite the thrust levers being set to idle (and TCMA failing), crews would do what they would have done pre-TCMA: hit the fuel switches (and maybe the fire handles if the fuel switches don’t work.) An in-air TCMA directed shut-down? Who knows whether it's possible to do a restart. I'm hoping to find that out.)

Thanks TD!

I'm going to have to read that first paragraph a few times. It's a great idea to use fuel (pressure) for hydraulic purposes. You mentioned / described the HPSOV earlier (main thread and I thought I got the idea then...) It sounded like the HPSOV spring forced an increased pump outlet pressure in order to drive the hydraulics (and the FMU / FMV) but I'll try to get it straight in my head. By the sound of it, the solenoid valve is much like any other, except for the addition of the back pressure spring and the locking open mechanism.

A couple more small questions re the spar valves if I may? One bi-directional DC? motor (per valve), with some control logic? Separately powered, such that the Open & Close signals are just that? What is the Power voltage, typical current, and source, please? And, I guess the valve itself is basically a simple (high quality) gate valve? Do you know typical Open & Close times?

Yes, I have a very good reason for asking all these questions, and of course, I'll let you know if my idea looks realistic. Oh, sorry, lastly, what happens if both Open & Close signals are applied together, please? Simultaneously? In a sequence? I'm sure there will be some fail-proof logic for that - such as either, Close, Open, or Stop?

Thanks! I Bet!!! Not knowing is worse, isn't it?

The modern FADEC Fuel Control Units work in a similar manner to how the old purely hydromechanical engine controls worked - only greatly simplified since all those tasks done with a 'mechanical computer' are now done with electrons (Rolls was a bit of an oddball in that regard - using a weird compressed air driven 'fluidic' system on the RB211-524, GE and Pratt used fuel pressure driven systems).

Spar valve is a little out of my expertise - but it's a 28 Vdc motor driven actuator. At least the ones I was familiar with would mechanically disconnect the 'open' command and enable the 'close' command when fully open - and visa-versa when closed. So if you powered both sides, it would just cycle between open and closed (don't know how universal that design was though). It takes a second or so to open or close (pre-EICAS, there were position disagree lights for the HPSOV and Spar Valve right about the fuel control switch - the HPSOV light would flicker for just an instant, the Spar Valve light would stay on for a second or so).

No sure what the HPSOV solenoid will do if both coils are energized - IIRC when I wrote the FMEA many decades ago, the result was 'indeterminate'. Someone posted that the coils on the 'RUN' side were designed to be stronger, so "RUN" would win - but I don't know if that's true or not.

Thanks again TD!

I'll be back...!

Uhhh! I guess you aren't familiar enough for this question... Anyone else able to answer, please?

Based on the changeover switch system described, which I imagine also turns must turn off (so cycles continuously) the motor at the end of each half cycle, that would mean that such a valve, once commanded to close, if stopped mid-flight (sorry! ), could only continue with closing before it could be reopened? Or has that mechanical switch system been superceded / eliminated?

The spar valves I have been exposed to will reverse direction in mid travel if the command is changed from open to close or from close to open.

The active command is only inhibited when the valve reaches the travel limit in the commanded direction. The command to go the other way is not inhibited.

PERFECT! Thanks EXDAC

Redundancy in protection systems always requires clarification.
Here, they are not talking about redundancy of the system being protected (the engine), but redundancy of the protection system (TCMA).

Same thing as N2 overspeed protection: it is redundant. If either FADEC channel detects that the engine is overspeed and in danger of rotor burst, that channel can shut the engine down regardless of what the remaining channel thinks. Both channels have redundant authority to command a shutdown.

This is presumably because an unnecessary EFATO or single-engine diversion and landing is much preferred than even the slim risk of a rotor burst from one FADEC channel not noticing the overspeed. Whether the same logic should apply to TCMA is a different question.

Note that because TCMA relies on some of the same sensors that the FADEC itself uses to control the engine, the TCMA in the active FADEC channel probably can't be considered 'independent'. There's probably some single failures that result in both a) the active FADEC channel receiving a request for full thrust, and b) TCMA in the active channel believing the request for full thrust is valid.

Therefore, you need the second channel to monitor and also have the authority to shut down the engine.

To have a channel erroneously command shutdown but the engine keep running, you would probably need 3+ channels and a voting system. It sounds like TCMA is a relatively 'quick fix' and an extra channel would be a major, major modification and recertification.

My understanding is that a significant amount of effort is put into most patents to make them:

• As broad as possible, for when you are trying to show that someone infringed them
• As useless as possible for anyone trying to reverse-engineer them into an actual product, whether because they don't respect the patent or it has expired

This results in patents being so disconnected from reality that the applicant often doesn't recognise it after it's been through the lawyers.

The reason why both channels have overspeed shutdown capability and TCMA shutdown capability is because the 'cause' of the problem could very well be CPU in the other channel failing in an unexpected way (going crazy if you will).
So basically if one channel unilaterally decides to command the fuel metering valve to go wide open, the opposite channel must be able to protect the engine (and hence the aircraft, since uncontained rotor bursts are potentially catastrophic).

Have you heard of the "FADEC Protect - Idle" mode, tdracer? I've seen some credible commentary to the effect that electrical failures or transient problems can put both FADECs on the 78 into 'Protect - Idle'.