Yes, got it, thanks. Exactly. We're on the same page, believe it or not. ;)

Hauling around a spare engine isn't viable an option. Nor is having one undergo "RUD" as I think they call in in rocketland. :{ Multiple small ECUs are the way to go.

I have many questions about redundancy per se, but a bit tired for that right now. Will come back to it, tomorrow I hope..


Now that explains a lot. Many thanks, makes total sense. Though I suspect the lawyers that did the TCMA Patent work were the budget variety. Looks like Boeing bought it off a Russian guy and his mates...

I agree 50%! Yes, what you say is correct. But as I see it, if you're going to consider that type of situation, you also have to consider its opposite / converse? To rehash your line, changing other to B-channel and the first to A-channel - since, as I understand it, they are exact copies of each other:

... is because the 'cause' of the problem could very well be CPU in the A-channel failing in an unexpected way (going crazy if you will), and deciding that a perfectly normal, non-hazardous rotor speed is "overspeed" and dangerous, Cutting Off fuel to the engine as a result.

Meanwhile, the other engine (opposite wing) is failing, surging, having compressor stalls or whatever and is not developing sufficient power to maintain flight by itself. This, I submit, is potentially even more catastrophic, and arguably could end with both engines destroyed, the plane destroyed and all aboard killed. I'm not suggesting that you should, in your example, just allow the first engine to overspeed and explosively disintegrate, but before you allow an opaque and autonomous system to suddenly shut down an engine, wouldn't you want to be very, very confident that this action is correct, justified? Not a pilot, but very sure I would. What do pilots say?

As I see it, there needs to be some reliable way by which correctness can be assured. As I see it, simply letting two duplicate systems run in tandem until one of them goes off the rails and takes wrong actions, without knowing which one is right and which one is wrong, is about the same as deciding on the toss of a very expensive coin.

Am I wrong? I think it really depends so much on the design of the hardware and software, so that when it does fail, it fails "Safe". But how can we know that, when there is apparently no "cross-checking" of the two channels before the fearsome action gets taken? Maybe there is, in the real system, but from other posts, it sounds like it didn't work. A plane stuck on a runaway with two engines shutdown and non-restartable doesn't sound like a successful intervention. Can't find much about it - anyone know the cause?

Possibly relevant?
https://www.pprune.org/accidents-clo...l#post11903844 Good post either way.

Talking about Boeing patent US6704630, the wiring diagram is really showing the obvious. The secret sauce to making TCMA work is in how to determine the deceleration contour, and the patent is entirely silent on that. They didn't patent the method to set that contour, because anyone else who found one would infringe the patent if they wanted to apply it.

Note also that the Bombardier/A220 implementation (initially) had the feature where TCMA could detect UHT in the air, not do anything about it except to display a throttle fail message (because UHT is not deemed dangerous in the air), and then shut the concerned engine(s) off as a precaution the moment the aircraft touched down (Air Baltic, Copenhagen, July 11th 2021). That's not in that patent either.

I submit that this is precisely what transport category aircraft do. From V1 onward (and from before if the runway is long enough and the aircraft is light enough), the aircraft could fly safely with one engine less than it has. That's the spare engine that is designed into them.


And here you have two independent improbable failures, a risk the FAA is happy to certify. It's the single failure they're worried about.

The problem is—and this has been shown in studies as well as in Saudi Arabia (Sep 6, 1997)—that UHT can really mess you up when you need to hit that runway centerline. That's a single cause failure that can total the aircraft.

I think you're missing my point on this. Sure, the aircraft can fly on one engine, slowly. That's akin to limp "home" mode, and I don't imagine many twin (or 4?) engine planes fly past intermediate airports to reach their intended destination, once one engine has failed. The definition of redundant design that I posted earlier:

Redundant design involves adding duplicate or backup components or systems that can take over when the primary ones fail.

is what I'm talking about. Is that incorrect? Think aircraft alternators. There's nothing to "take over" from the failed engine, and the flight no longer "operates" as a scheduled flight to its destination. It becomes an emergency situation, where the flight is given priority to make an unscheduled landing ahead of other traffic etc, because it's now at higher risk. Flights that have EFATO always attempt to immediately return and land asap, no?

Don't takeoffs with engine failures before V1 get rejected and don't take off at all? So that "redundant" single engine isn't really it?

Anyway, if you're trying to persuade me to find somewhere else to go, just let me know straight. I'll certainly oblige.

Not a pilot, but as I understand it, there is no in between. Either a) operate the shut-down valve, or b) do not operate the shut down valve. There is no time to ask the pilots. There is no way to force the engine to idle, because speed control has clearly been lost. I suspect the monitoring channel attempts to seize control before it reaches the shutdown threshold (not exactly sure how the logic works), but if that fails, the engine will overspeed and burst.

Think of it this way:

Engine 1 fails (coughing and spluttering or whatever) while you're somewhere over the mid pacific. You divert.

An hour later, the remaining engine detects an overspeed. Not knowing whether it's real or not, would you rather:

a) Instantly shut the engine down, forcing you to do a ditching based on RAT/APU with lots of time to prepare and maybe attempt to restart one or both engines, or

b) Not shut the engine down, potentially resulting in a rotor burst knocking out a hydraulic system or two (the one supplied by the RAT?), emptying a fuel tank, and resulting in you possibly not having flight controls for your ditching?

On modern engines, in-flight shut downs are in the one per million hours range, including those caused by FADEC malfunctions. We still haven't seen an actual dual in-flight shutdown caused by different causes in the modern era.

There will be significant logic safeguards inside the individual FADEC channels. Hardware watchdog timers, ECC memory, designs that mean outputs fail to the 'safe' state (which probably won't be an engine shutdown) if the CPU locks up etc. I'm familiar with other safety designs set up so that e.g. a square wave from the MCU is required to power the relay; an output stuck high or stuck low results in the relay being off, and of course there would be N relays in series/parallel. I wouldn't be surprised to find two CPUs or a dual-core CPU inside each FADEC channel.

With a design failure, it wouldn't matter if you had four engines and three FADEC channels per engine - drop them all into reverse then back out as you land (or whatever the exact sequence is), and all 12 channels will command a shutdown.

I wouldn't be surprised to find that N2 overspeed and TCMA set a flag that maintenance is required before they'll allow a restart. You don't want to start an engine only for it to immediately slam up to full thrust and bounce you over your chocks.

Redundancy does not necessarily mean you can continue at full capacity or that there are no operational impacts. Loss of an aircraft generator might mean you have to shed IFE or galleys.

Nope, never heard of it - and quite frankly would be very surprised if such a thing exists (at least as you're probably thinking of it). Yes, there are failure conditions that will cause the engine to default to idle, but the only one on the aircraft side would be losing both thrust lever position resolver inputs.
Educated guess is that it's an invention of someone unrelated to the 787...

Oh, one other clarification:
In the takeoff envelope, a fuel metering valve that's failed 'wide open' will not - by itself - result in an N2 overspeed - at lower altitudes, the aero forces on the engine are high enough that N2 simply won't go that high (you can get a heck of an overboost though). At high altitude, it's a different story. Hence the need for TCMA...
Now, there are potential multiple faults - that can still cause an N2 overspeed near sea level. We inadvertently discovered one about 15 years ago on PW4000 when part of the Fuel Metering Unit lost 'muscle' pressure - this allowed the fuel metering valve to drift open at the same time the stator vanes were near closed. This unloaded the N2 shaft (with the vanes closed, N1 hardly changed) - and that same failure disabled the N2 overspeed protection (it used the same muscle pressure that was lost). Fortunately, the turbine started shedding blades at about 126% which caused the engine to surge and quit before it came apart. A rather frightening failure mode that went undetected during the design and Part 33 cert stage - since rectified and the fix was AD'd.

I may have misunderstood, but I thought TCMA was only supposed to work on the ground.
Or do you mean high altitude airfields such as Denver or Mexico City?

Yes.
If the turbine went into overspeed on the ground, overspeed protection would shut it off.
But the air is too dense down there, so overspeed protection does not trigger.
Hence, you need another device to shut the turbine down when it speeds up uncommanded.

TCMA is needed on the ground because N2 overspeed protection may not trigger on the ground.
(If I understood tdracer correctly.)

TCMA only works on the ground, N2 overspeed is active all the time.
However (at least on the GEnx), TCMA uses the N2 overspeed to perform the shutdown.
Based on some simulator testing we did during the 747-8 cert, we were able to trip the N2 overspeed on a very hot day at a very high altitude airport (the concern was a UHT event during the final 100 ft. prior to landing - engine starts to runaway, pilot reacts to thrust asymmetry, then the N2 overspeed shuts down the offending engine suddenly taking away the thrust asymmetry - was it still controllable - it was but the pilot needed to be paying attention...). But that was very much a corner point condition.

Okay, there's the rub. I've posted a definition of redundant design, which I believe is correct. From that I think it's possible to work out what redundancy means. I think it's fairly specific.

In the example we discussed above of a single engine failure (thereby requiring an urgent landing), to me at least, the conditions indicated by the definition, that the equipment can continue to "operate" are no longer met. The plane can no longer fly at 35,000 ft at the speed it normally would. It can no longer safely (or by law?) carry its passengers and luggage to their destination as scheduled. It's only able to fly in limp mode, until it can land and be repaired. This is not my understanding of redundancy, where a redundant item can be switched in / take over the functions of the failed one, as follows:

"... the practice of incorporating backup components or systems to ensure continued functionality in case of a failure."

Does partial functionality = continued functionality? You seem to have a different understanding of what redundancy means. Can you elaborate for me, please?


I proposed the aircraft alternators* as a practical example of genuinely redundant design. Have I got this wrong?

Considering a typical large twin-engine jet, it has two alternators on each power plant, a Primary and a Backup. I.e. One redundant alternator per power plant. Two engines, one APU, giving six alternators in total.

If you need three to run everything, then you'd need four to fail before you have to start load shedding. If you only need two, then four failing would mean you still have enough power to run everything. (Assuming, I guess, they are on different power plants, but even that may not be correct?) Another failure would leave just one, and definite load shedding. [I never intended to mention 171 in this thread, but that now suddenly seems like a very relevant question.]

Is your suggestion that one generator failing could require load shedding based on the plane taking off with three or four generators already failed? Things look very different now. It was a very hot day...

TBH, I feel that the hamster wheel is spooling up, and I don't really want to continue this debate, but I'd really like to know your definition of redundant, if you'd like to exercise your right of reply. :)

[*Using the terms generator and alternator interchangeably.]

It is case-specific. I would usually say that supply to the core functions is redundant, but some auxiliaries do not have secure supplies. Very little on an aircraft is completely redundant (in the sense of a spare unit sitting idle ready to completely replace the in service part, or two parts doing a job that could be done by one with no loss in capability or performance). Perhaps the fuel boost pumps in the main tanks.

Electrical grid operators often have very detailed publicly-available planning documentation and rules as to exactly what degree of continued operation is required in the case of a planned/unplanned single/double outage and under what level of load. Often this means that you have two transformers designed to run at up to about 60% load, 98% of the time. If there is a failure where they are past 50% loading, then the remaining transformer will be above rated load and load must be switched to other (hopefully non-degraded) substations. The amount that you can go above 50% is dependent on the local network's ability to relocate load to other subs, and if you are on the hottest day/coldest night of the year, the load may exceed what can be delivered and partial shedding will occur. Expect terms like 'contingent event', 'extended contingent event', 'n security' etc.

No-one is taking off in a 787 with multiple generators already failed. You can take off with one generator MELed, but only if the APU is serviceable and runs the whole flight to replace that generator.

The 787, A340, A350, and A380 have four primary generators, each supplying a primary AC bus. They have no large 'backup' generators (except, perhaps, the APU). Virtually all other aircraft have one generator per engine

If a generator is lost, there are no replacements sitting idle (other than the APU). Because you cannot move (much) load from one bus to another and you cannot parallel variable-frequency generators,* either one bus must be shed outright, or one of the remaining generators must supply two buses. This implies shedding some load from the two buses to be paralleled unless the generators were below 50% load - unusual, I imagine.

The 777 had 'backup' generators (one on each engine, sharing a single frequency converter). 20kVA for the backup supply vs 2x120kVA for the main IDGs. Backup generator is sufficient to run one fuel boost pump per tank and DC loads, but no hydraulic pumps. This gives a somewhat better situation in the event of all main generators failing.

This document goes into the 777 system in some detail: https://ia601802.us.archive.org/7/it...SYSTEM-pdf.pdf

Modern aircraft (hell, even the 737...) are entirely designed to cope with one or more generator failures. Progressive load shedding occurs from least critical (IFE, galleys, recirculation fans) to more critical (de-ice, cabin air compressors, hydraulic demand pumps, fuel boost pumps etc.) depending on the level of shortage. Galleys and IFE are a big part of the electrical demand, and cabin air and de-icing on the 787 are also large demands that can be shed with minimal risk for short periods. If you can start the APU, it will replace the lost generator and you can probably continue the flight, depending on ETOPS rules.

*VFGs inherently can't be paralleled. IDGs (on the A340) can, but this is not done in the modern day because a bus fault is more likely to take out multiple generators. The 727 and 747 operated with parallel generators.

A question for tdracer or someone with detailed knowledge of the TCMA implementation:

Assume a fully functional FADEC and airplane with no latent failure whatsoever.
I you wiggle both throttles simultaneously before rotation. Around or after V1 but aircraft still in ground mode. How much throttle wiggle for how long is sufficient, that the TCMA system latches off both engines?

Throttle movements - by themselves - should never trigger TCMA (the RR 787 event not withstanding). The TCMA limits are set and validated using the actual engine accel/decel response characteristics (with a fair amount of margin added).
The design intent is TCMA will never activate if the engine is operating and responding properly to thrust lever inputs. So any TCMA activation aside from an actual loss of engine control would be a 'design miss'.

In other words you can wiggle the throttles all you want from idle to max and back and the TCMA will never trigger as long as the engine revs within its design spec up and down?

That's the design intent, yes.
During the certification flight test phase, we did a lot of work validating the TCMA limits using actual engine responses to thrust lever movements (the initial TCMA limits are based on simulations and static engine ground testing). Any necessary changes to the TCMA limits are then incorporated into the final FADEC s/w before the aircraft and engines are certified.
The last thing we want is 'nuisance' TCMA activation out in the real world - and we work very hard to prevent that. Wasn't involved at all in the Trent 1000/787 - and the nuisance TCMA event happened after I retired - so I don't know the details of the TCMA 'miss' that caused that. But my understanding is it was a very odd 'forward-reverse-forward-reverse' thrust lever transient that managed to find a weakness in the TCMA limits. I'm also very confident that Rolls worked with Boeing to understand what happened, and the FADEC s/w was revised to correct it.

tdracer: we're so very fortunate to have direct access to your wealth of historical knowledge - thank you!

Hopefully, this puts to bed any lingering notions of "perhaps if I wiggle the thrust levers just so, I can get TCMA to shutdown both engines."