The furore around the Air India tragedy has me tinking about the reliability of current FADEC systems and having been out of the saddle for a few years now, maybe some current pilots/engineers will have a view?

Can a modern jet lose all thrust due to an electrical problem? We know that the RAF Heli crash on The Mull raised some issues but that was quite a time ago now and aircraft such as the B787 and latest generation Airbus will be different but the debate about the AI event makes me wonder.

Electrical failures may cause all sort of issues depending on their nature but for a fault to cause total loss seems pretty worrying to say the least.

FADEC has been a thing since Concorde, and digital FADEC has been a thing since way before the 787, indeed was a thing on the “good old” 747-400 and 767/757. It is very well proven technology and barring some sort of coding issue (which I know nothing about as I am a very simple man but would be the only area I’d even begin to consider a potential weakness/source of failure) the power supply to the FADEC in any airliner is incredibly robust, with literally any of the power sources on the aircraft able to power it, which would only be necessary if the permanent magnet alternator that normally powers it failed. For that to happen simultaneously to both engines is such a remote likelihood that we may as well worry about meteorite strikes.

Thanks, so it is the power supply to it we need to worry about rather than the system itself?

I think Speed_Trim_Fail said the exact opposite.......

Power.

Timmy
I began working engine controls in 1984, and did little else until I retired near the end of 2016. When I started out, my boss decided he wanted me to be a 'hydromechanical guru' (I have really good mechanical aptitude) and made sure I got lots of training on the details and subtleties of hydromechanical controls. But within a few years, it became quite obvious that FADEC was taking over and doing strictly hydro stuff was a dead end, so I soon expanded into FADEC.
The last big commercial turbofan engine that wasn't FADEC was the CF6-80C2 - and even that was turned into a FADEC control when Boeing told GE they wouldn't put throttle cables in the 747-400, so if they wanted on, they needed to create a FADEC version.
ETOPS was becoming a big thing about the same time - and the full FADEC PW4000 and CF6-80C2 engines were being certified for use on the 767. Hydro controls tend to give warnings that something is 'wearing out' - electronics don't generally do that, they either work or the don't, so the impact of FADEC on the shutdown rates was exhaustively worked. As a starting point, we looked at the historical rates of hydro control caused shutdowns and Loss of Thrust Control (LOTC), and targeted reliabilities that would mirror those rates for FADEC with necessary shutdown/LOTC rates to meet the ETOPS requirements. But as it turned out, FADEC was way, way more reliable - which contributed in no small way to the impressive engine reliability that has allowed up to 330 minute ETOPS (engine shutdown rates are so low, that now days, more attention is given to impact of ETOPS on the rest of the aircraft than to the engines themselves.

The reliability of the FADEC electronics is so good that they've implemented "Time Limited Dispatch" - which allows extended dispatch with certain 'loss of redundancy' faults - up to and including losing a complete FADEC channel. The hardware is tested and certified for high levels of electromagnetic interference (e.g. radar) and lightning effects.

Software is developed to DO-178 standards as "Level A" - i.e. flight critical. Yes, sometimes s/w errors get through, but most of those are really requirements errors, not coding errors as such.

There have been a few issues that came up over the years. As the newer generations of integrated circuits have gotten smaller and more powerful, something called "Single Event Upset" became a concern - this is where a high energy cosmic particle hits a CPU or memory chip and causes a bit to change state. Now these particles are so small that they can pass right through the earth without hitting something, and with the older circuitry hardware the electrical charges were strong enough that even if a particle hit, it wouldn't have enough energy to change the bit state - but the newer stuff occasionally had an issue that could cause an LOTC. So the newer FADECs run constant checksum type checks - looking for SEU caused discrepancies and if one is detected, the channel automatically resets.

To date (with the jury still out on the recent 787 crash), no major incidents or accidents have been traced to a FADEC engine control system issue since FADEC became widespread over 35 years ago. Yes, there is the odd shutdown or LOTC event due to a FADEC problem, but the rate is much lower than it was with the older hydromechanical control systems.

Would be interesting to know if there are any common nodes that both left and right throttle angles and ARINC busses encounter from the cockpit to the individual FADECs. There certainly is major redundancy designed in but something seems to have powered down both engines. Makes one think it is not a FADEC issue but somewhere in the overall system.

As I understand the potential, this is a .25 Megawatt system. The third loss of (two) generators melted the Emergency Batteries in the aft EEBay., with arcing present.

Dunno any more than that... (From PPRune 12 Dec. 2012)

In that thread the Captain had more to say. Worth a read.

Understood the batteries are in a titanium closet now, but the current and load must-have been sumthin

Regards, bb. ( Somewhat curious )

Re AI171, if the APU started, when and how long to regain flight controls and instruments? Quickly enough to power up and climb???? I don't believe that was flare....would Fadec have come in on standby power???? If the Emergency Batteries burned up here as in United/New Orleans, the APU won't start.... Is Fadec in any way APU reliant. Sorry for all the questions ....when one knows little, he has many too many questions??

FADEC has its own Permanent Magnet Alternator to power it, so it runs if there’s NO other power available, it’s all internal to the FADEC. tdracer has covered this several times.

IF the RAT was deployed, flight controls are powered, there is no appreciable switchover time from the normal hydraulics. It deploys in a second. I’ve done in-flight RAT checks on three types and the transition is imperceptible. Note, much older designs, so it’s likely to be better in the 787.

What powers (turns) the alternator?? If the generator(s) go off line, and the emergency batteries (Thales) are inop, how does the APU start? The batteries were destroyed when two generators failed in the United incident. Panel? EICAS??

Isn't the RAT intended to support descent and safe landing??
Not save a TO?
How resilient is the RAT to overload when in flow with arcing and shorting in the Main Generation system??
.
Thanks GF

TDRACER May have to answer these,I’m just a pilot, but here goes.

The PMA is driven off the engine’s accessory gearbox. During engine start, there’s little rotation, so it’s powered by A/C or a dedicated battery. Once the started, it shifts to the gearbox driven PMA. Yes, it’s unpowered IF the gearbox fails but the engine won’t run for other reasons like no oil pressure, no fuel pressure, high or low.

i can’t say for the 787, but the APU usually has a dedicated start battery near the APU to power the APU FADEC during start, and the APU starter.

The RAT is for anytime it’s needed by the emergency conditions causing its deployment. As long as the airspeed is sufficient, it matters not if it TO, climbing, descending or landing. They’re certfied to provide the needed services. Usually when the speed decays, the electrical drops off giving priority to hydraulics to power the flight controls. That’s all specific to the design. There’s lots of configurations for the RAT, just hydraulics, hydraulics and a generator, just a generator that is large enough to drive an aircraft pump for flight controls. If you have serious arcing on the buses powered by the RAT, well it just isn’t your day. Usually, the RAT only powers the essential AC & DC buses and is separated from the Main load buses.

As I said somewhere in this dreary vale of tears, loss of all generators and loss of all engines will look much the same. Especially in a dark simulator. The first thing to look for is what is the engine indications and feel like. Loss of all engines means loss of all generators, but not vice versa.

If a RAT-equipped plane lost all electrics but will hand thrust (or one inop) on lift-off the RAT is required to enable a return. Admittedly, the crew will have a job of work, need to be smooth as the flight controls are not as responsive esp OEI, but they’ll be flight controls, avionics on the captain’s side, comms.

If you're going to quote a post, it would be nice to have a link to the original for context.

On the face of it, it reads as... rubbish.

Generally speaking the loads on the batteries are tightly specified; the capacity of the full system is irrelevant because most loads are shed, not moved to the battery. Only the various standby/battery buses get moved to the battery, and the battery is designed to handle them. It's not a ~10kW battery suddenly being loaded to 750kW. (edit: just because a battery is designed for a load does not mean it will never fail at that load... but it doesn't mean that a generator failure causes a battery to operate outside its certified limits)

The A320 manual claims "about 8 seconds" for emergency electrical, but that includes sequentially:

• deploying the RAT
• the RAT spinning up in airflow
• pressurising the blue hydraulics enough to open the priority valve (i.e. flight controls are satisfied)
• spinning up the hydraulic EMER GEN
• Generator controller being satisfied and putting the EMER GEN on line

During that time, batteries and static inverter power the flight computer(s?) and hydraulic pressure is probably somewhat available from a winding down or windmilling engine (on green and/or yellow) and the accumulators.

787 should be faster because the generator is directly on the RAT shaft.

I haven't seen a figure for the cutout speed on the 787 flight control PMGs - it seems possible that they're comparable to FADEC alternators and work down to 10-15%. If so, the airplane is likely controllable on windmilling alone with windmilling L/R hydraulics and PMGs, but I think you would need RAT or batteries for instruments beyond standby or any radios.

Boeing 787 Makes Emergency Landing

Only thirty four posts

There is one crash, when the FADECs on an A400 military transporter switched off three of four engines.

Looks entirely unrelated to batteries. Without seeing an incident report, I would say parallel arcing fault, and inadequately designed protection. Lack of differential protection alluded to in the last comment probably doesn't help, though it shouldn't really be necessary if you can make everything soft start and your circuits are small relative to the generator. It might not interact well with the DC portion of the large motor systems, depending on how that's implemented. Unfortunately, all the Boeing drawings are just big-black-box.

Fault containment on ground switchboards is heavy. I doubt the situation is too different on an aircraft. Steel or distance to segregate different portions of the switchboard so that a fault in one part cannot cause a fault in the other. Aircraft have long had separate left/right electrical panels because of this.

(edit: energy released from arc flash is almost entirely due to power available and the operation time of the protection; connected load is irrelevant)

You also often have reclosers set to reset 3-5x then not further close into a fault, but that doesn't seem to be a thing in aviation

You won't start an APU without a battery or large AC power (i.e. not RAT). This is part of why the 737 must have the APU running when in ETOPS conditions, because otherwise loss of two generators or engine+offside generator means you are relying on ~30min battery. Combined reliability of cold-soaked already-loaded battery + APU start is not great. A RAT negates this because you have instruments/radios indefinitely.

The general design of electrical systems is simply to isolate energy from faults. If there is a major bus fault, the generator and bus-ties to that bus should disconnect clearing the fault. You can't really do this internally to a battery which is why battery fires are harder to deal with.

The emergency bus(es) don't backfeed into the normal buses, so if a fault is present in a normal bus, switching the emergency bus to an alternate source of supply (offside or RAT/EMER GEN) will physically disconnect it from the original faulty supply.

If the fault exists in the emergency bus, you shed the emergency bus and rely on the redundancies present in the other two+ buses of that type.

For reference, here's the relatively simple setup on the A320:

"If the fault exists in the emergency bus, you shed the emergency bus and rely on the redundancies present in the other two+ buses of that type."

The Emergency bus fault is what got the Yuasas to thermal runaway, and eliminate the APU from being started...the New Orleans diversion started with "Battery Fire" on the panel. In. 2013, the fleet was grounded. Then the Stainless box and Titanium belly hot remnant dump. We don't know how many fires aloft there were. Boeing had to own at least three. This thread adds three, and further Boeing secrecy. In AI 171, we will find out if the generator fail And loss of the Electrical system and/or the two engines loss brought her down....a quarter of a million watts. Yikes

"Bang", cabin lights flashing, no aircon, etc etc....likely none of this is software... The Batteries are now made by Thales. Like the pitots were on 447....

Design? Spec sheet? QA? Bean counters? The Dream is the most beautiful aircraft, she has issues ....

That is the sort of thing I was wondering. In the Air India case, could a cascade of problems cause someting like that?

The "arcing" comments above are alarming.

The A400M crash was caused by incorrect software installation. That airframe was a trials aircraft, so a rather different scenario than a certificated in-service civil airliner.

The PMG is the primary source of power to the FADEC, ship power as a backup or during engine start / ground operations.

After the A400M crash, we got some urgent inquiries from the FAA and a few operators as to how we make sure the same thing didn't happen on a Boeing FADEC airliner.
I basically responded that - until/unless Airbus and Rolls release details - it was impossible to answer the question since we don't know what they did wrong. I then included a brief outline of the steps that Boeing takes to validate that software is 'airworthy'. **
At least at the time I'd retired, Rolls/Airbus had not released anything public indicating how the FADEC s/w error occurred (my suspicion was that it was a silly QA type error, and they were too embarrassed to make it public - not unlike the Alaska 737MAX Door incident).
Does anyone know if a proper accident report was ever released?

** Boeing has specific procedures for FADEC software before it's used for flight. First off, the new software is checked in our Propulsion Integration Lab (aka "PIL") using a standard battery of tests - plus specific conditions intended to test whatever new logic or functionality is included in the new s/w. Assuming it checks out in the PIL, it's installed on one engine for an actual aircraft flight test. After a normal flight cycle has been successful completed, it can be installed 'cross wing' for subsequent flights.
There is also the capability to 'trim' software for specific flight test purposes - for example to raise the max N1 limits to allow testing at power settings above the normal max ratings, or in the specific case of TCMA, it's routinely disabled during the initial flight testing of a new engine type until we have adequate 'real world' data to validate the TCMA limits. Software trims are treated the same as new software loads - tested in the PIL, then installed on a single engine for a flight, before it can be installed cross-wing.

Note that FADEC s/w is also certified Part 33 - which includes all the DO-178 testing and validations - normally before we install it on an aircraft. During a flight test program, sometimes we get FADEC s/w that hasn't been formally Part 33 certified, but has gone through all the necessary validations and testing for Part 33, it just hasn't been signed off (there are some other specific steps when that happens). FADEC software should never, ever appear on a revenue passenger flight until it has both Part 33 and Part 25 certifications.

BTW, a number of 'checksum' checks are performed during the FADEC software (or trim) loading to ensure the s/w load isn't somehow corrupted.