Rather than argue about what redundancy means perhaps refer to AC 25.1309 which states -

"t. REDUNDANCY--The existence of more than one independent means of accomplishing a given function."

The whole AC is well worth a read for those who have not been exposed to aircraft system design requirements.

Thanks SS, for that valuable additional info. I've d/ld the 777 Electrical System doc. Very interesting, especially about the IDGs, No-Break Power Transfer and "governor trimming." I want to know more, will see what I can find.

I guess there isn't one for the 787...? I previously Googled Boeing etc, got some Boeing marketing spiel about the Electrical System, but that didn't say anything useful.

Very succinct, spot on, Love it! Thanks

I guess this may be another question for tdracer.

I know there are many possible relevant scenarios to consider, and I don't know which would represent the worst case (least time), but...

Can you suggest what would be the minimum time for an otherwise normally functioning engine at GA Power (in flight, rejected approach) [or, whatever worst-case scenario] to reach the safe N2 speed limit from a sudden application of Maximum Fuel from the FMU? How much time is there to react, in other words? Less than 1 second, maybe?

How much time to React to N2 overspeed? Shouldn't you ask FADEC? Faster than you I bet....

I had a bit of a dig and couldn't actually find an obvious answer, but a second or less seems feasible. Turbine engine responsiveness generally improves at higher power levels, so as a very rough guess, if it takes two seconds to get from 80 to 100% N2, expect less than that for 100 to 120% N2.

Turbine overspeed due to shaft failure is also a possibility. That's usually going to affect only the LP spool because unpowering the HP compressor is probably going to cause the engine to run-down immediately, but QF32 showed that an IP spool failure can leave the engine operating on the HP compressor only, and in a three-spool engine, I wouldn't be surprised to find that an HP shaft failure could result in HP turbine overspeed, with the combustion air supplied only by the IP compressor/turbine). The T1000/T7000 start the engine through the IP spool, not HP spool.

It took four seconds for the QF32 IP disc to burst, and that was with it rubbing on the structure behind it instead of supported by thrust bearings.

You're certainly not going to have time to dig out the QRH or read ECAM, and the cockpit instruments you have will be no better (worse, probably) than what the FADEC has access to.

Trent7, Top of Climb, Oil Fire. Would be an interesting exercise to compute N2 just at the release of the IPT into space through the shattered case .... Not allowed to call it an explosion by Rolls, but ........ "Uncontained" then.

HaHaHa!!! Without even an atom of doubt about that.

As for asking FADEC, I'll probably have something to say on that, later... I'm not sure I'd know which of him to ask. And he might not be in a good mood... He's Bi-Polar, and has a Split Personality, you know?

Great answer SS. Thanks for taking the time to have a look, and for the info you've given. It is appreciated.

Is there a fault/situation that could make the systems "think" the a/c was still on the ground? Apologies if this has been asked before. T

Yes. It would be true to say that TCMA is designed to be active only on the ground, but it relies on the Air/Ground signal, which could be subject to a fault.

Can such a fault happen? Yes. If you read this article to the end, you'll find out a lot more. Of course, this relates to a very old design, but the point is that faults and subtle design flaws can/do happen.

https://admiralcloudberg.medium.com/...2-38c457a28512

MD-80s used landing gear squat switches, entirely different than the 787 or every other modern plane. The squat switches is subject to damage as it is exposed on the landing gear and is a mechanical switch. As has been posted here, the 787 uses several “voting” indications including RADALT to determine air/ground position. The redundancy should prevent erroneous A/G sending and needing several indications eliminates single point of tailure.

Sorry, I think you're missing my point. I guess you didn't read the full story.

I know very well, and as I said, that it was a very old design. It's different now. It includes RADALTs, which are, as I gather, even more unreliable than squat switches. That doesn't matter. Nothing is 100% reliable. As discussed in that article, there were hidden complexities in the implementation and apparently, at least one under-rated relay that was prone to failure. My point was, of course, Failure is possible. Anywhere.

It actually had nothing at all to do with the squat switches, so that is entirely a Red Herring in that accident. As for eliminating a "single point of [f]ailure", is there really any such thing? Is a wire from A to B (say, carrying the Air/Ground signal), not a "single point of failure"? If I snip it, or short it to ground with some drilling swarf, or by a screw through some sheet metal into it, or short it to any other wire by any means you can think of, don't we have a single point (probably double, if inter-cable connection) failure? Likewise, if there is a connector, and I introduce some contaminant into it, and it becomes open circuit, or intermittent, or just higher resistance, the same?

As someone who spent years working in electrical and electronic design and servicing, I can say this is not hypothetical speculation. In one important case, I went to a house which had the chassis of a refrigerator "live" - connected to the phase supply. When I brushed the back of my hand against the side of it, it was buzzing. Luckily for me and the people who lived there, it was painted. Two things had happened. Because the circuit kept tripping the breaker, some idiot has disconnected the Earth wire inside the Switchboard! (highly illegal), making the chassis sometimes live. How? At some time previously, someone had fired a brad (small gun-driven nail) through a panel out in the garage. The brad also penetrated the cable (which was on the same circuit), right through the Earth wire and touched the Phase wire. It must have been intermittent, but the point was, it could have killed someone. Unexpected things (failures) happen.

There are ways around that.

Delivering the signal via a redundant checksummed bus is the most straightforward. Things like profinet rings are quite common in industrial automation for this reason. You can cut any one cable and the network self-heals. While ethernet itself has problems with rings/meshes, there are tools like Spanning Tree Protocol that disable links until required to ensure the network always looks like a perfect star topology.

It looks like WoW is delivered over the common core network on the 787 (AFDX?), which is I believe redundant (left/right systems).

Exactly how this interacts with the engines is not totally clear but my first instinct would be one AFDX link into each of the FADEC channels from each CCN.

You can also take the various approaches used by safety relays: two wires, each with a pulsed signal. If they are shorted to ground/common, to each other, or to a nominal 'on' voltage, the receiver detects a fault and reverts to the safe state - presumably airborne.

Seen much the same, in a school no less.

(Not aero engineer here)
Regarding Ground Inhibit (TCMA) I find it Interesting it was thought necessary as extra protection - against what exactly, assuming the N1 response was well calibrated and certified (i.e. nowhere near nuisance trigger). Surely you would not add complexity unless you know quite well what is to be gained?
But Air/Ground, to satisfy the requirement of being very reliable, I suppose has to go via some signal conditioning, both regarding the WoW component and the RadAlt component. And this seems to necessarily imply some latency. (Especially for the RadAlt component ?). So how many milliseconds or seconds, after the a/c is no longer on ground, does the signal 'Ground' go away?

Edit: sorry, I wrote "ground inhibit" while I meant "ground enable", thanks LB.

Now we're talking! Pardon the pun.
OMG! Yes, I've heard similar kinds of stories. Unbelievable, isn't it?

Given the scenario in which TCMA is designed to operate, the point of 'ground inhibit' as you describe it - but more accurately 'ground enabled' - part of the TCMA function is obvious: If an engine is delivering 'too much' thrust in the air, that's a problem almost invariably 'worth' having instead of the alternative. 'Too much' thrust in the air is a problem that can generally be managed with the luxury of time.

The TCMA is designed to operate when there's 'too much' thrust on the ground. TCMA is designed to shut an engine down when the crew selects low thrust on the ground and the engine continues to produce 'too much' thrust. The aim is to bring the aircraft to a safe stop, on the ground, during a rejected take off.

The short point is that even if the TCMA for both engines 'think' they are still on the ground when the aircraft is in fact in the air, the TCMA for each engine should not shut that engine down unless the delta between the measured thrust output from the engine compared with thrust lever position is too big. The chances of that happening, erroneously, for both engines are vanishingly small.

The 'in the air' versus 'not in the air' signal is determined by an 'assessment' of numerous sensors and, in the case of disagreement, which ones of them are most likely to be correct.

Where has this idea that RadAlt systems are unreliable come from?
Last time I had a serious rad alt fault to deal with was on a DC10 donkey's years ago.
It's one of the few systems on the 787 that I can honestly say has never given me any trouble. Same with the 777.
I think you are being a little pedantic regarding single point of failure.
When it comes to WOW signals, yes, if there was only one switch, one circuit, one pathway I would agree.
There isn't.
Often WOW isn't even sensed until wheel speed is showing greater than 80kts through the taco generators. Something to do with avoiding certain auto functions such as ground spoilers, reversers or auto brakes kicking in during a bounced landing.
Independent redundancy is built in to these systems to avoid the problems you describe in domestic settings. In addition, any part of a system that has been damaged will show as a fault in the CMC either as an EICAS/ECAM message if it requires attention before dispatch or as a lower level fault class if redundant systems have enough integrity left to continue normal operations.
The level of sophisticated diagnostics and pre warning of faults in modern generation aircraft is a very different beast to that of classic 737 or MD80 types.

MD-80 state transitions derived from main wheel spin up were independent of state transitions derived from nose gear squat switches. There was no "one size fits all" single air/ground or WOW signal.

I don't know the 787 but I would be surprised if auto ground spoilers required WOW rather than spin.

I've never heard of Radio Altimeters being described as 'unreliable', but they can be fooled. We've seen cases where in heavy rain (or even dense fog), the radar signal bounces off the water droplets and indicates incorrectly.

I referred to this previously on the Air India crash thread, but when we were doing preliminary design for the 747-8, there was no 'easy' way to be a robust air/ground signal to the engines, so I'd proposed a simple air/ground analog discrete (based on squat switch indication) to enable TCMA on the ground (it was pretty much a given that the FAA was going to insist on TCMA on the 747-8). When I presented this to the FAA, they were very concerned with the prospect of TCMA potentially being active in-flight due to a fault with that air/ground discrete. I'd proposed a simple 'reasonableness check' - based on airspeed (e.g. airspeed over 250 knots and on-ground 'true' would be flagged as failed, similarly airspeed less than 60 knots and in-air would be flagged as failed - this would limit the exposure to one flight, but the FAA still wasn't happy (there are two Prox sensor units on the 747, so we could have set it up such that a failed signal would only affect two engines, but that was the best I could come up with.
Later, to resolve a number of issues, I came up with design change that would provide much more information to the engines - including multiple sources of radio altimeter and weight on wheels - and managed to get it through the change board.
This made the FAA much, much happier since it gave us a very robust air/ground indication for enabling TCMA (and the thrust reversers).