FADEC issues - are there any?

Old 6th July 2025 | 21:32
  #121 (permalink)  
20 Anniversary
 
Joined: Nov 2001
Posts: 6,157
Likes: 1,275
From: Australia/India
Originally Posted by Musician
… We have ample evidence that AI171 suffered a loss of thrust on both engines. That's not the point.
My point is that we shouldn't assume TCMA is a serious hazard until we have evidence that it is.
I’m not sure where you’re getting various descriptors, this time “serious hazard”.

I trust the investigators will assume everything’s possible - albeit with different probabilities - until each possibility is ruled out by credible data like the recorder data.

This is a thread about FADEC. TCMA is part of FADEC. And I have yet to see or find authoritative evidence as to, for example, how the RADALT/s ‘vote’ count in the ‘in the air’ or ‘on the ground’ decision on the 787.
Lead Balloon is offline  
Old 7th July 2025 | 03:50
  #122 (permalink)  
Community Builder
 
Joined: Jan 2025
Aviation Qualifications: Non-Aircrew
Posts: 640
Likes: 782
From: New Zealand
Originally Posted by Citabria40X
Agreed, but my point was that they shouldn't have. A mechanical solution to limit the thrust possible would be better.
A thrust limiter to TOGA/100% wouldn't fix the problem, because an engine delivering TOGA thrust on touchdown or RTO is still potentially a catastrophic situation if the crew don't react appropriately. The difference between 100% and 120% thrust is not significant when you want idle or reverse.

The problems involved in getting mechanical parts to limit thrust accurately and reliably are also a big part of why the industry moved to FADECs in the first place.

The next generation of engines might be designed with tougher protections against UHT in the first place, making TCMA unnecessary - it sounds like the need for TCMA cropped up relatively late in the design cycle. It sounds like that means, at minimum, replacing the high pressure fuel valve with something different.
  • Two valves in series or parallel, so that if one sticks open, the other can close and limit fuel flow to any amount or ~50%. Still vulnerable to contamination affecting both valves.
  • Two parallel valves, each in series with a shutoff valve. Still vulnerable to contamination affecting each metering valve, but at least the shutoff valves can limit it to 50%, or less if valve sizing is unequal. For the combustors with separate idle/full power fuel nozzles, you could perhaps valve off the full power nozzles separately. Now we have four valves...
  • Replace the engine driven fuel pump with a variable displacement pump allowing you to eliminate the valve. Now the pump can get stuck in the full flow position instead.
  • Replace the engine driven fuel pump with one or two variable speed electric ones, and modulate the speed instead of the valve position. Now you need many more kW of critical power, and you can't really use fueldraulics in the rest of the engine so easily.
Someone Somewhere is offline  
Old 7th July 2025 | 04:42
  #123 (permalink)  
 
Joined: Mar 2024
Aviation Qualifications: Spotter
Posts: 127
Likes: 129
From: New Zealand
It was me who said: "It includes RADALTs, which are, as I gather, even more unreliable than squat switches."

The case in point was another Air India flight. Air India 101. 9/11/18 [US Format]. 777 into NYC in cloud. Two (or three, possibly) out of three RADALTs were out, so they couldn't do ILS. A lot of things were going wrong, and they were almost out of fuel...

From that, I gathered RADALTs weren't too reliable. Or maybe it's AI?

MaybeItIs is offline  
Old 7th July 2025 | 04:42
  #124 (permalink)  
 
Joined: Jul 2025
Posts: 6
Likes: 0
From: Madison, Ohio
Originally Posted by Someone Somewhere
A thrust limiter to TOGA/100% wouldn't fix the problem, because an engine delivering TOGA thrust on touchdown or RTO is still potentially a catastrophic situation if the crew don't react appropriately.
My thinking is "the problem" is not giving the crew the chance to override the software. If it were to be made impossible to go very far above takeoff rated thrust, say with iron stops or fuel flow restrictors, then Vmca and Vmcg would still be valid, no? Crews would be trained to do the appropriate thing, avoiding catastrophe the same as always in everything else that they do.

So, if this tragedy falls on FADEC/TCMA I hope the pendulum swings back the other way — toward supporting a flight crew's experience, knowledge and situational awareness and away from autonomous pre-canned snap (knee-jerk) reactions. FWIW IMHO.
Citabria40X is offline  
Old 7th July 2025 | 05:49
  #125 (permalink)  
 
Joined: Mar 2024
Aviation Qualifications: Spotter
Posts: 127
Likes: 129
From: New Zealand
I know this is Off Topic, but my original comment was only an aside which others have taken up. Having had a wee think, I truly can't see the point of using RADALT outputs in the Air/Ground system. Like TD says, they can also be fooled... And they can give errors... And, back in 2009-18 at least, it sounds like they were pretty unreliable. From the

25 February 2009, Boeing 737-800 (PH-BGK) Turkish Airlines on approach to Amsterdam crash report:

"The Captain’s apparent lack of concern at this malfunction may have been a consequence of the regularity of radio altimeter faults on the aircraft type at the operator concerned. The Investigation was unable to establish why the malfunction and in particular the false altitude reading had occurred. However, it was noted that the relatively poor overall reliability of this equipment on the aircraft type was true of both approved OEMs - Smiths, as installed on the accident aircraft and Rockwell Collins."

Surely, a pair of hefty MLGs can be hooked up to produce half a dozen reliable outputs each. No doubt, RADALTs are better now, but why add less reliable complexity?

MaybeItIs is offline  
Old 7th July 2025 | 10:25
  #126 (permalink)  
 
Joined: Mar 2024
Aviation Qualifications: Spotter
Posts: 127
Likes: 129
From: New Zealand
Found this... Don't know how authoritative, but looks very interesting. A little disturbing, actually.

System Interconnection and Fault Pathways

In the Boeing 787, the Low Range Radio Altimeter (LRRA), autothrottle, and FADEC are part of an integrated avionics and propulsion control system, but they do not form a direct linear command chain. Each system plays a specific role, and their interaction is governed by flight control logic and redundancy mechanisms.

System Roles:

1. Low Range Radio Altimeter (LRRA):

  • Measures height above ground (AGL), typically up to 2,500 feet.
  • Feeds data to systems like flight directors, autoland, EGPWS, and autothrottle logic in certain flight modes.
  • Faulty LRRA data can trigger inappropriate automation behavior.

2. Autothrottle (A/T):

  • Uses inputs from multiple sensors, including air data, FMC, mode logic, and in some cases LRRA, to determine appropriate thrust settings.
  • It is not designed to rely solely on LRRA for climbout thrust. However, in some modes (e.g., TOGA reversion or approach logic), false LRRA readings may cause the autothrottle to engage incorrect thrust modes.

3. FADEC (Full Authority Digital Engine Control):

  • Receives thrust commands from the autothrottle (or pilot) and controls engine parameters to deliver the required power.
  • FADEC includes protection logic but will execute thrust commands within its validated limits, even if the command was based on faulty upstream data.
In the Boeing 787, a false LRRA reading can mislead the autothrottle logic, causing it to command idle thrust under the mistaken assumption that the aircraft is landing. The FADEC, receiving this command, executes it within its safety envelope, potentially causing a dangerous loss of climb performance.

......

3. Mode Confusion or Pilot Error

Incorrect mode selection or double-pressing TOGA can reset autothrottle modes, causing sudden thrust or pitch changes. Failure to monitor thrust modes has led to improper climbs (SKYbrary - Autothrottle).

Link: https://www.linkedin.com/pulse/toga-...r-during-ouxpf

Last edited by MaybeItIs; 7th July 2025 at 10:28. Reason: loss of white space
MaybeItIs is offline  
Old 7th July 2025 | 10:27
  #127 (permalink)  
Community Builder
 
Joined: Jan 2025
Aviation Qualifications: Non-Aircrew
Posts: 640
Likes: 782
From: New Zealand
Originally Posted by Citabria40X
My thinking is "the problem" is not giving the crew the chance to override the software. If it were to be made impossible to go very far above takeoff rated thrust, say with iron stops or fuel flow restrictors, then Vmca and Vmcg would still be valid, no? Crews would be trained to do the appropriate thing, avoiding catastrophe the same as always in everything else that they do.

So, if this tragedy falls on FADEC/TCMA I hope the pendulum swings back the other way — toward supporting a flight crew's experience, knowledge and situational awareness and away from autonomous pre-canned snap (knee-jerk) reactions. FWIW IMHO.
The engine on the A319neo is mechanically identical to the engine on the A321neo. Both are designed to produce ~33,000lbf at takeoff thrust, and a mechanical stop probably couldn't be put below ~36,000lbf. tdracer has implied this is already how the engine is designed: a wide-open fuel valve at sea level delivers just a bit less overboost than is necessary to trip N2 overspeed. You probably cannot bring the mechanical stop on the fuel valve back further without making the engine slower to go from idle to full rated thrust.

The exact same engine, fitted to an A319neo, delivers a maximum of ~24,000lbf.

If an A319neo gets 36,000lbf for a few seconds on one side, I suspect there is almost nothing a crew can do. Vmc starts becoming a significant problem. What's your reaction time to shut down a runaway engine (and shut down the correct engine)?

If this tragedy falls on TCMA, I would argue it's probably a similar situation (though less blatant) to MCAS: doing a quick and dirty if-this-then-that fix rather than throwing serious design and testing at it.
Someone Somewhere is offline  
Old 7th July 2025 | 11:20
  #128 (permalink)  
 
Joined: Sep 2017
Aviation Qualifications: Non-Aircrew
Posts: 1,037
Likes: 1,065
From: Bremen
Originally Posted by MaybeItIs
Having had a wee think, I truly can't see the point of using RADALT outputs in the Air/Ground system.
Jeju Air at Muan, gear-up landing, the jury's still out on whether they deployed the thrust reversers, but if they did, it would've been enabled by the radio altimeter telling the system it was safe.

From a fault tolerance perspective, it's always good if you have completely different systems that can accomplish the same thing. The designers just need to consider very well what is supposed to happen when there's a partial failure.

Like, is it safe to assume that the crew will recognize uncommanded high thrust and promptly shut off the engine? Until 1997, they thought it was.
Is it safe to assume that a crew will recognize an uncommanded thrust reduction to idle within 40 seconds, and shove the levers forward? You can argue that the 2009 Turkish Airlines crash in Amsterdam proves it's not.

So you do want to provide a system that is safe even when a competent crew has a bad day, but the added safety systems can't create more problems than they solve. And it's at that point where the issues stop being black and white, and instead you need to do the engineering and statistics and weigh the risks. There's fear attached to both options, do and don't, so arguing from fear will not lead you to the safest system. (Arguing from incredulity even less so.)
Musician is offline  
Old 7th July 2025 | 14:58
  #129 (permalink)  
50 Countries Visited
15 Anniversary
 
Joined: May 2010
Posts: 166
Likes: 102
From: SOF/LBSF
TMF software and erroneous LRRA readings, plus FADEC hardware issues

Here is a fairly recent example that on the 78 it's not necessarily so much the Low Range Radio Altimeter (LRRA) as such being unreliable, but more that the introduction of design changes included in the thrust management operation software (so-called “Flight Management Function (FMF)/Thrust Management Function (TMF) Block Point (BP) 4.0”) led to erroneous readings of the LRRA under certain circumstances. An interesting detail is that the FAA postponed AD action until Boeing came three years on with a TMF update BP 4.1 which addressed certain aspects of the unsafe issue (including erroneous LRRA readings).

https://www.federalregister.gov/docu...pany-airplanes

More in general on the FADEC and integrated systems, it's not only about software issues, but also about degrading hardware, as the AD related to the mandatory replacement of a so-called MN4 circuit module shows. This was about a risk of UHT on 78 GEnX engines, which even led to certain conditions excluded from being MEL'd:

https://www.govinfo.gov/content/pkg/...2021-25491.pdf

TLA being throttle lever angle, FMV fuel metering valve, FSV flow splitting valve


Last edited by D Bru; 8th July 2025 at 07:53. Reason: Broadened the scope of my post
D Bru is offline  
Old 7th July 2025 | 15:34
  #130 (permalink)  
Community Builder
Community Influencer
30 Countries Visited
20 Anniversary
 
Joined: Feb 2002
Aviation Qualifications: AME
Posts: 4,184
Likes: 1,123
From: UK
I remember that AD coming out.
Saw the EICAS msg a few times but never had an issue with dispatch as the maintenance msgs were never present.
This is a very normal thing to happen during the life of an aircraft
Bathtub curve etc etc.
TURIN is offline  
Old 7th July 2025 | 16:31
  #131 (permalink)  
 
Joined: Mar 2023
Posts: 65
Likes: 32
From: sydney
This link below is to a key AI 171 related regulatory document depicting an FAA exemption for a longer term planned rectification of a known TCMA flaw in the 787-8's GEnx-1B engines. It relates to failures in the thrust-control module in the FADEC (and a planned retrofit). Petitioner Boeing says (inter alia): " and ..."....however, it was recently found that some failures of the thrust control module are not correctly accommodated for the GEnx-1B engine installation." Given the low rate of thrust control module failures and the very limited exposure time on the ground when the failure is potentially uncontrollable, a catastrophic event caused by a UHT due to un-accommodated thrust module failures is not anticipated during the next 2.5 years. "

Request to Waive Publication and Comment

Boeing requests a waiver of public comment.

https://downloads.regulations.gov/FA...tachment_1.pdf

Seeing as there was a 5G tower emitter 2.1kms upwind of the upwind threshold at Ahmedabad, it may well have been an induced LRRA minus error (per the Turkish 737 at Schiphol) that told the TCMA that it was on the ground at excessive thrust (= simultaneous shutdown of both engines). However, the LGEU's six WOW switches would have had to have been in oleo-extension hiatus momentarily (due to the main gear's tilt pause) for this to occur on AI 171... as it rose into the Line of Sight of that 5G tower (but TLA?)
Can you get a minus RADALT error simply due to the 5G tower being higher than the 787 was (just after getting airborne)?

Last edited by bbofh; 8th July 2025 at 02:42. Reason: afterthought
bbofh is offline  
Old 7th July 2025 | 17:56
  #132 (permalink)  
 
Joined: Sep 2017
Aviation Qualifications: Non-Aircrew
Posts: 1,037
Likes: 1,065
From: Bremen
Originally Posted by bbofh
This link below is to a key AI 171 related regulatory document depicting an FAA exemption for a longer term planned rectification of a known TCMA flaw in the 787-8's GEnx-1B engines. It relates to failures in the thrust-control module in the FADEC (and a planned retrofit). Petitioner Boeing says (inter alia): " and ..."....however, it was recently found that some failures of the thrust control module are not correctly accommodated for the GEnx-1B engine installation." Given the low rate of thrust control module failures and the very limited exposure time on the ground when the failure is potentially uncontrollable, a catastrophic event caused by a UHT due to un-accommodated thrust module failures is not anticipated during the next 2.5 years. "

Request to Waive Publication and Comment

Boeing requests a waiver of public comment.

https://downloads.regulations.gov/FA...tachment_1.pdf
The exemption is from 2016. It extends only to 2018, because Boeing planned to have the problem fixed by then. That was 6½ years ago.

It pertains to a failure possibly resulting in UHT. "The conditions under which a UHT failure may jeopardize the safe operation of the airplane are limited to specific aborted takeoff or approach-and-landing scenarios." It has nothing to do with engine shutdown during a normal takeoff.

I mentioned in the AI171 thread that the Air India 787 fleet has had new, 5G-safe altimeters for years.
Musician is offline  
Old 7th July 2025 | 19:35
  #133 (permalink)  
Community Builder
Community Influencer
30 Countries Visited
20 Anniversary
 
Joined: Feb 2002
Aviation Qualifications: AME
Posts: 4,184
Likes: 1,123
From: UK
5G towers!!!!!
Really, we're going there now?
TURIN is offline  
Old 7th July 2025 | 19:52
  #134 (permalink)  
Community Builder
 
Joined: Jan 2025
Aviation Qualifications: Non-Aircrew
Posts: 640
Likes: 782
From: New Zealand
Originally Posted by Citabria40X
My thinking is "the problem" is not giving the crew the chance to override the software. If it were to be made impossible to go very far above takeoff rated thrust, say with iron stops or fuel flow restrictors, then Vmca and Vmcg would still be valid, no? Crews would be trained to do the appropriate thing, avoiding catastrophe the same as always in everything else that they do.

So, if this tragedy falls on FADEC/TCMA I hope the pendulum swings back the other way — toward supporting a flight crew's experience, knowledge and situational awareness and away from autonomous pre-canned snap (knee-jerk) reactions. FWIW IMHO.
Additional comment on this: even if you fitted different fuel control units to A319/A320/A321 engines instead of just a thrust rating plug, crews often use derated takeoffs to reduce Vmc by further reducing 'rated' thrust on the engine. If a fuel flow restrictor was used as the basis for asserting that the engine can't exceed expected thrust and Vmc is valid, then this would potentially put an end to using derates to reduce Vmc.

If we are calling on crew to take extreme irreversible actions (shutting down an engine) in a second or three, at <100ft, barely leaving time for the other pilot to confirm... is that not exactly what the alternative hypothesis for AI171 is?

A good chunk of aircraft design is focused on ensuring pilots don't need to make snap emergency decisions especially at low altitude, other than the briefed-for RTO/continue and go-arounds. Because decisions made in a split second tend to be poor.
Someone Somewhere is offline  
Old 7th July 2025 | 21:14
  #135 (permalink)  
Community Builder
Community Influencer
10 Anniversary
 
Joined: Jul 2013
Aviation Qualifications: Non-Aircrew
Posts: 5,683
Likes: 3,357
From: Everett, WA
At the time the FAA and EASA determined that single failures that could result in UHT were not compliant with 25.901(c), it was suggested that we simply train the crews for the type of engine runaway that was of concern - after all, the failure mode is nothing new, and aside from one 737-200 hull loss - it's never resulted in an accident because all the other flight crews reacted in an appropriate and timely fashion.
Their response was that the rate of UHT was so low (~1 per 10 million flight hours) that it wouldn't be an acceptable use of simulator training time, but then reiterated that the 737-200 hull loss was proof that we couldn't count on flight crew to react in a timely manner.

Now, my opinion has long been that the regulators overreacted to the threat - and in some cases their reaction has bordered on the irrational. There are all sorts of aircraft system failures that we depend on appropriate crew action to mitigate the threat - one of the definitions of a "Hazardous" failure is that the failure - combined with inappropriate crew action - can become catastrophic, and taken to an extreme, any single engine failure on a twin is potentially catastrophic if the crew shuts down the wrong engine (something that we know happens on rare occasion), yet we normally don't consider benign engine failures as any worse than Major.

Note that it's not just the FAA - EASA has taken the same position (although with a somewhat more reasonable interpretation of 25.1309) - and when we pitched the 747-8 to other regulators not associated with the FAA or EASA, they always had an outsized interest in the Uncontrollable High Thrust threat and how we were complying with 25.901(c) and 25.1309.



tdracer is online now  
Old 7th July 2025 | 22:14
  #136 (permalink)  
 
Joined: Apr 2009
Aviation Qualifications: Non-Aircrew
Posts: 1,601
Likes: 704
From: DM33
Originally Posted by tdracer
Note that it's not just the FAA - EASA has taken the same position (although with a somewhat more reasonable interpretation of 25.1309) - and when we pitched the 747-8 to other regulators not associated with the FAA or EASA, they always had an outsized interest in the Uncontrollable High Thrust threat and how we were complying with 25.901(c) and 25.1309.
Substitute "Uncommanded" for "Uncontrollable" and, in an FMEA, UCT would appear to be a no greater hazard than other failures for which flight crew mitigation is acceptable.

Was this whole mess caused by an inappropriate name?
EXDAC is online now  
Old 7th July 2025 | 23:09
  #137 (permalink)  
Community Builder
Community Influencer
10 Anniversary
 
Joined: Jul 2013
Aviation Qualifications: Non-Aircrew
Posts: 5,683
Likes: 3,357
From: Everett, WA
Originally Posted by EXDAC
Substitute "Uncommanded" for "Uncontrollable" and, in an FMEA, UCT would appear to be a no greater hazard than other failures for which flight crew mitigation is acceptable.

Was this whole mess caused by an inappropriate name?
Short answer:
NO!
It's not simply terminology - as previously noted, we've always had failures that could result in uncommanded high thrust. Those failures were properly identified in failure analysis type documents, with the proviso that - if needed - the crew could shut down the offending engine - and no failures were ever identified that could affect multiple engines.
The problem was that certain individuals at the regulating agencies dictated that a single hull loss accident proved we weren't compliant with a regulation. There were plenty of arguments subsequent to that between the regulators and the airframers, but it became a case of the regulators not only made the rules, they got to interpret them as well - and their interpretation was that we were not compliant.
tdracer is online now  
Old 8th July 2025 | 00:45
  #138 (permalink)  
 
Joined: Jul 2025
Posts: 6
Likes: 0
From: Madison, Ohio
Originally Posted by Someone Somewhere
...crews often use derated takeoffs to reduce Vmc by further reducing 'rated' thrust on the engine.
Not in my experience. Using an assumed higher than actual temperature for computing thrust settings allows for longer engine life while still able to meet runway length and climb gradient requirements. If what you state is true, I'd appreciate a reference to bring me up to date.

If we are calling on crew to take extreme irreversible actions (shutting down an engine) in a second or three, at <100ft, barely leaving time for the other pilot to confirm... is that not exactly what the alternative hypothesis for AI171 is?
I'm saying the engine should be made so that there is a limit to how much thrust it can output. If a reduced power takeoff experienced a "runaway" engine, it would default to the maximum rated limit, imo, therefore no snap decision would be required.
Citabria40X is offline  
Old 8th July 2025 | 01:13
  #139 (permalink)  
20 Anniversary
 
Joined: Nov 2001
Posts: 6,157
Likes: 1,275
From: Australia/India
It is a fascinating paradox.

If a 787 e.g. suffers a tyre blow out before V1 and the crew decides to reject the take off, but one engine fails to return to idle on command and both TCMA channels for that engine fail to shut it down …

I’m guessing the probabilities of the triple failure scenario are calculated to be so remote as to not justify any sim practise.
Lead Balloon is offline  
Old 8th July 2025 | 02:56
  #140 (permalink)  
 
Joined: Mar 2023
Posts: 65
Likes: 32
From: sydney
From the FAA waiver: (note the plurality):
"...however, it was recently found that some failures of the thrust control module are not correctly accommodated for the GEnx-1B engine installation."
If this waiver was nulled out by a subsequent GE "fix", the newer modified retrofitted FADECS would have been incorporated by a Service bulletin. Have not found that (or any reference to it - yet). The FAILURES are not specified nor proscriptive. I find this very strange in a generic waiver request' pleading.
You only got the two engines - and inducing a common single-point failure is an anathema to the concept of safety.
bbofh is offline  