Exceptions most often end up in the type certificate as ”Special conditions” vs a specific rule where the manufacturer has shown an alternate way that is as safe or safer. So the risk assessment is showing safe enough solution.

In the case above it is due to fact that UHT has been found to not be coped with as easy as earlier thought. And (as I read it) virtually all aircraft engine has a single control unit for thrust. You would need to either show that that single failure doesn’t end up in a catastrophic scenario by being able to recognize the situation and also to control the aircraft, OR not have the single failure that can end up there OR get an exempt just as several other types has.

For the case of the TCMA I couldn’t find any exemptions in the Type Certificate coupled to TCMA or gear position sensors.

I wouldn’t think it is possible to get an exempt from “no single failure” and “extremely improbable” criteria for using one single sensor for the TCMA as you would need to show that your solution is as safe as the rule states.

The sensor showing wrong value, is this risk at 10^-9 or less? No it is clearly not.
Adding several sensors to the logic might take us to the 10^-9 level, and if we find the unsafe scenario to be to be in the air but the logic states “on ground” we can safe by adding the logic “if unsure - consider being in air. A logic that inhibits the shut down of a engine if the other one already was shut down could also be incorporated.

I’m sure the Boeing and GE engineers is as smart as it takes, so the single sensor question would not have been overlooked.

I linked the examption in my previous post.

First, TCMA was not a problem in this incident, because even if it caused both engines to shut off, the pilots controlled the aircraft, and it never left the runway. It didn't make the aircraft unsafe.

Secondly, for TCMA to fail in the air, there must be two failures: the air/ground logic must fail, and TCMA must erroneously detect an UHT condition: that's two improbable failures.

The exemption is about this:The part that I bolded is the Thrust Control Malfunction Accomodation system. TCMA does not work in the seconds before touchdown, when an UHT-type failure could make the aircraft fail the landing. That's what the exemption is for.

Exactly.

Wouldn’t the same type of thrust lever management* together with a single WoW-sensor failure be able to command the shut down?

(I know that use of thrust levers is not very probable, but anyway).

Yes, thats very clear from the text and the exempt feels safe so no problem with that. :-)

Just like my basic thought, no problem with the TCMA.

I don't understand what you are referring to.

The aircraft uses multiple sensors to ascertain "on the ground" status.
TCMA does not affect the thrust levers. It closes the high pressure shutoff valve (HPSOV) when it (1) detects UHT (2) on the ground.
You can find more details in the patent linked in post #9.

We agree, I think.

As the other threads are closed I will stay within the scope of this one.

Thanks for the answers. :)

Forgive me if I’m missing something here, but if the original driver for the TCMA solution was a mechanical problem, ie: possible fretting corrosion on a splined shaft, would not a simpler solution have been to address that alone, by either redesigning the spline coupling, and / or by testing, then limiting lifetime hours for that component, well within safe limits ?. Instead, it seems that we have a complex software solution, depending on several sensor pathways, that can only increase the possibility of failure, due to the increase in complexity ?.

I suspect that the move to FADECs probably eliminated that specific cause - the N2 sensor is going to be a much lower mechanical load of just a magnet going past a pickup. It's probably possible to also measure the rotation speed of the FADEC alternator by measuring the frequency it produces, though that might not actually be done.

However, the spline shaft is a known single point of failure, and just happens to be the one that failed in 1997. Others exist - Cathay 780 had fuel contamination that caused fuel valves to jam, for example. And tdracer has implied that there are numerous other possible causes.

I believe this is saying "if another crew threw the thrust levers into/out of reverse at the exact moment a WoW sensor failed", the engines would behave the same.

• Hopefully, the ANA incident we're discussing caused all engine vendors (presumably the same logic exists in the LEAP and GTF, for example) to re-examine their TCMA logic especially around reverse thrust and snap throttle movements
• Few crews are going to be using reverse at or after Vrotate.

It seems to me that the specifications are tighter than necessary if the requirement is only to match a human noticing the high thrust and activating a switch, but if it can be done reliably, there's no reason it can't be better than that.

There was no problem in the first case as the TCMA did function just at it was designed?

You can't be serious.

Any situation in which all engines on an aircraft do something unexpected and unintended creates a safety risk. What if the pilots had decided, just after touching down, that they needed to immediately take off again? What if they needed reverse thrust at a point on the runway after the engines had shut down?

They couldn't restart the engines. They were on the runway.

Then it would have been a problem. They did not attempt to go around, so it was not.

I also note that all major manufacturers say that "Thrust Reverser Selection Means Full-Stop". Attempting to go around after deploying reversers has caused some pretty nasty incidents/accidents if they fail to stow.

TCMA shouldn't have activated because the engines hadn't failed, including loss of thrust control as a 'failure'. The over-sensitivity needs to be dealt with. That doesn't mean it's completely useless.

If the engines had both 'failed', and were wobbling around 70-80% N1 as CX780 saw, consider the implications:

• You're attempting a go-around with no thrust control and potentially insufficient thrust. How well do you expect that to go? What if engine control degrades further, and the engine either rolls back closer to idle, or accelerates further and N2 overspeed protection kicks in, shutting the engine down to prevent a rotor burst?
• You can't deploy reverse because the engines aren't at idle. So while you're trying to pull the levers through the reverse gate, you're still eating up runway with thrust applied - thrust that wouldn't be present if the engines had been shut down when they started to run away.

A properly functioning TCMA wouldn't intervene on all engines unless all engines were already doing something unexpected and unintended - that's its whole purpose.

SomeoneSomewhere:

Thanks, so what you are saying is that TCMA is designed to address an broader range of problems than just mechanical failure. Older systems might have used a mechanical governor and spill valve flow control, but even FADEC control still has a variable flow rate mechanical valve at some point in the chain. A potential single point of failure, so some sort of second order solution does seem necessary.

I still can't believe I'm reading some of this stuff.Let's hope the 'over sensitivity' is 'dealt with' before a 787 hull loss or other bad outcome due to that "over-sensitivity". I'm not sure that having a system with authority to shut down engines without pilot intervention is a good idea, merely because the system is not "completely useless".

Question.
the post by Musician provided the background for the exemption pertinent to this discussion. Part of that background states, "Previous engineering simulations have shown that the 787 airplane is controllable for detected failures that cause UHT; however, it was recently observed that a combination of a high crosswind and UHT may not be controllable for operations on or very near the ground...."

In the 2019-2020 progress of the thread, tdracer referenced an incident involving perhaps an aircraft in Egypt(Jan. 21 2019, 04:38). Also, however, an incident with a Saudi Arabian Airlines 737-200 (Sept. 6, 1997) was referenced, also referring to NTSB A-98-67-70 (Aug. 11, 1998).

So the question - which I'm hoping justifies interrupting the qualified professionals' discussion because the background to the exemption could become relevant to efforts to reform FAA certification processes - is this: was it the incident involving the Saudi Arabian Airlines aircraft that had been, quote, recently observed, unquote? Maybe the timing of the incident on one hand, and the request for the exemption, do not align in the relevant way. For that or any other reason, if the "recently observed" datum was from something else, what was it?

It's not just the single failure of the N2 splined shaft - fixing that shaft still leaves single failures. Every fuel control has a single fuel metering valve - and if that fuel metering valve fails and goes full open, you have UHT. Whenever there is a single valve controlling fuel flow, there are single failures that can cause that valve to do other than what's wanted/expected. Going to FADEC changes the nature of those single failures, but the single failures are still there.
I investigated several FADEC UHT events while I was still working - one was pretty much a worst case scenario: 747-400 during takeoff (PW4000 engines). On thrust lever advance, the fuel metering valve on an outboard engine went full open and the engine greatly exceeded the EPR power set. Crew RTO's at about 60 knots, engine stayed at very high power, the shutdown the engine, and the aircraft never got more than about 5 ft. from runway centerline. In short, the crew reacted perfectly. But the regulators have ruled that we can't depend on the flight crews reacting perfectly - hence the need for TCMA.
BTW, the operator had the even Fuel Metering Unit overhauled before Pratt and Boeing were even notified of the event - destroying any possible evidence of what went wrong - so we were never able to determine the root cause.

In my work (desired hi-rel electronics) there is sometimes the dilemma, how complicated to make something, by adding protections / alternate control paths. The answer is not easy, as protections are more complicated to analyze and come with lots of potential other problems. I tend to prefer to make sure that the simplest design stays and remains robust. I seem to observe that for some who do not wish to go into details, it appears easier to recommend some extra layers be added.

​​
I'm fairly certain that @tdracer simply misremembered the country, because the details fit, and the Saudi event is referenced everywhere while the Egyptian event is not (and its details don't fit).
​​​​​There are several assumptions here that are not warranted, "qualified professional" first and foremost ;)
"It was recently observed" does not imply an event; it could be a study like "Research on Risk Assessment with Uncontrollable High Thrust for Civil Airplane" (but not this exact one as it came out later). As far as I could ascertain, the Saudi event occurred in 1997, the NTSB issued a recommendation in 1998 (also quoted by me, albeit hidden by spoiler), and the FAA then started to enforce the existing "single point of failure" regulations with regard to UHT for type certifications from some point on forward, which led to the aircraft manufacturers requesting these exemptions. I don't have an exact timeline on that.

I can confirm that the Saudi event is the one that started this whole UHT mess (not sure why my memory had an Egyptian connection, but at least I had the correct region of the world :O).

The FAA was a little startled when we told them that if they were going to hold to that strict 25.901(c) interpretation, we'd never be able to show compliance to that regulation for future improvements to the engine fuel control systems - even those that were specifically intended to address UHT causes. So Boeing had to request the partial exemption for all aircraft models - which was quickly adopted. Unintended consequences at work.

At some point in the future, I was working a new FADEC s/w cert for a 767/747-400 engine when it was determined that the exemption had not been FAA approved for one of those aircraft models (I don't remember now if it was the 767 or 747-400 - I think it was the 767 but don't hold me to that). I quickly raised this problem with the FAA, and the exemption was extended within days.

“Over-engineering” or a “solution for one issue that constitutes another potential issue which could be of more grave consequences” comes to mind in the (Boeing) TCMA case. I got really concerned to learn that by design TCMA at least on Boeing 787 is armed and actively monitoring parameters below FL150 and 200kts. Of course it’s only supposed to actually deploy with WOW. One wonders if and if so, how this was addressed in Boeing’s 787 electrical power systems safety analysis in terms of hazard/risk assessment and probability of failure

See, and I thought "good idea" when I learned TCMA would never trigger under these conditions, no matter what else might go wrong.

And where did you find these conditions? I know I saw them, too, but now I can no longer find where.
The old FCOM example I found doesn't have them.

Update: source is https://www.pprune.org/accidents-clo...l#post11908168 , thank you D Bru !

Folks... Is TCMA fitted to the 787 GEnx engine? The 787-8 Master MEL I have shows TCMA MEL's are applicable only to the RR (Trent 1000).

Does GE call it something else?

The ANA incident aircraft had Trents.

Thanks.