Note that a TCMA failure is not an engine failure.
You'd only notice the TCMA failure as a crew if there was an UHT, and in that case the failure only means that the crew have to shut the engine down themselves.

https://aviation.stackexchange.com/a/82860

I don't get why we're still talking about TCMA at takeoff. TCMA is not supposed to be active at takeoff because the thrust lever is not at idle. I expect that takeoff is not a high-risk scenario for UHT because the imbalance isn't going to be as severe when the other engine is producing thrust (derated or not), and there's sufficient rudder authority from a point early on in the takeoff run.

TCMA is designed to shut the engine off when the aircraft is on the runway, slowing down, when one engine is idle and the other puts out high thrust while the crew set it to idle.

Which they would have had to do, in the absence of any TCMA system, in the first place.

Precisely, and the exemption notes that.
And TCMA would still be active; Boeing merely noted that there is one specific UHT scenario that TCMA should catch but doesn't, it still works otherwise.

So what this exemption does is Boeing saying, "we've found a rare scenario where TCMA should trigger but doesn't, and we're going to fix it with the next planned FADEC update. We're letting you know so our ass is covered." And the FAA says, "makes sense, go ahead". It's an absolute nothingburger.

But you keep side-stepping the reason for this thread persisting. There may be a “rare scenario” where TCMA should NOT “trigger” but DOES, and that’s a big fat ugly ‘burger’.

Exactly!

Who knows this could stem from the actually quite recent Boeing s/w update TMF block point 4.1 (FAA mandated only less than a year ago). This update was intended to address erroneous A/T behaviour and spurious LRRA readings. But who knows what this update in itself opened up in terms of possible glitches on other (sub) functions.

We’ll hopefully get more clues soon, as I read the AAIB team just now has submitted its preliminary report to the ministry and other authorities.

AD effective date: 23 October 2024. Compliance deadline: 6 months: by 23 April 2025. Actually not really that long ago before 12 June....

And aliens "may" have zapped both engines.
There is equal evidence for both.

The reason this thread started was to see if there are existing FADEC issues.
It persists because you are not looking for issues, but rather prefer to speculate about non-existent issues.

If you want to look at it that way, the FADEC concept is a single point failure since normally both FADECs run exactly the same software. So if there is any software bug that can cause the engine to surge and/or quit, it's likely to affect both engines exactly the same way.

Back in the early days of FADEC, there was a lot of concern and handwringing over exactly that scenario. That's why FADEC software is DAL A - the same as any other flight critical s/w (e.g. fly-by-wire).

In the 40+ years since FADEC was first introduced onto commercial aircraft (PW2000 on the 757), the incorporation of FADEC has resulted in a massive improvement in the reliability of engine control systems, and concern and handwringing has pretty much gone away.
However there is still the possibility of a FADEC s/w error can cause an uncommanded shutdown - potentially both engines at the same time. There are countless ways a s/w error could result in an uncommanded shutdown - TCMA is simply one more.

I was not involved with the initial 777 development and certification but I was involved in AIMS-2 development and test. More than once I walked into a meeting of system experts and said "I observed your system do (some unexpected behavior)". "No that can't happen you must be mistaken". "Take a look at this data". "Oh shi..".

I found several issues that had been in the system since the initial certification of AIMS-1. None were safety critical but they had hidden under their various rocks for a long time and some aspects of the system had never worked the way they were intended to work.

The fact that a system issue has not been found does not mean it cannot exist.

To include an important disagree alert warning. Known to be inop. MCAS. It remains a standoff. Interface.

Yes.
The point is, you found issues.
You didn't just guess at them.

There's no reason to expect that an issue that someone imagined actually exists (unless we're talking about a very well informed imagination).
If it did, then AI171 would've crashed from half a dozen different causes.

Eiii, Musician, I admire many of your clearly informed posts, but certainly not this one. In an obviously very, very rare mishap witnessed on 12 June, it could be very well an issue and I can't understand why under some of the in my opinion reasonable options brought forward, you would be warranted to label these informed speculations at this stage a "non-existent issue".

I feel supported in this by tdracer 's assertion a few posts above, at least where it's a s/w failure: single point failure, both fadecs, both engines

Respectfully, I agree with Musician -- and beyond just evidence (or lack thereof), there're simple probabilities that need to be acknowledged. The funny thing about risk is that humans over-weight hazards that are "top of mind" (and that we perceive we have no control over). TCMA is now well known, and so much virtual ink has been spilt about its potential to misoperate. Why aren't we discussing other algorithms or systems that could also misoperate and cause a catastrophic failure? Obviously, because we don't know about them - but that doesn't mean they don't exist (if indeed they do).

Regardless, as tdracer himself has said, there's been 40+ years of successful FADEC-controlled flights (i.e., no other "mysterious dual engine shutdown" events). This must total, what -- tens of millions of flight hours? Hundreds of millions? That is an astonishing level of reliability. As such, the statistical likelihood that a dual engine shutdown could be caused by aliens zapping the engines OR a butterfly in Brazil flapping its wings OR a dual FADEC failure occurring are all exactly the same -- at least to the 8th or 9th decimal place!

About 35 million scheduled flights per year currently globally, so maybe 25 M on average over the last 40 years, and I would WAGuess about 75% SH @ 2hours average, 25% LH @10 hours average. That would be 1 billion flights, and 4 billion hours, and I think if anything it is higher. (fiscal year 2023 the USA had almost 27million flight hours in general aviation alone)

July 8 (Reuters) - A preliminary report into the deadly crash of an Air India jetliner in June is expected to be released by Friday, three sources with knowledge of the matter said, with one adding the probe had narrowed its focus to the movement of the plane's fuel control switches.

This post does a good job explaining it IMHO. Reducing maximum TOGA thrust (fixed derate) reduces Vmc which can allow you to get more MTOW on wet/short runways. An assumed temperature derate I believe gets overridden when you lose an engine; a fixed derate does not.

From the draft 787 FCOM:
Thrust Asymmetry Protection appears to more-or-less act as a dynamic fixed derate, allowing more thrust only at higher airspeed

The issue is that following an engine that suddenly experiences UHT during the takeoff roll, many crews have aborted. You get a sudden change in engine sound and indications, and sudden yaw. I expect it feels a lot like engine failure, and before V1, you abort for engine failure... but one side is still producing lots of thrust while you're hitting the brakes and spoilers.

I wouldn't expect TCMA to activate if the engine experienced UHT and the crew didn't abort: the thrust levers will still be near full thrust (even with a derate). Asymmetric thrust is an issue with 0lbf (or reverse) on one side and 36000lbf on the other, if the aircraft is built/operated for 20-24klbf engines. It's a lot less of an issue if you have 15-24klbf on the good engine and 36klbf on the UHT engine. That's a thrust imbalance at most the same as in a normal engine-out situation, just at 1.5x total thrust instead of 0.5x total thrust.

A fuel flow limit isn't a perfect absolute limit. Unless you want to take an infinite time to reach takeoff thrust, you need to apply more fuel than is required to maintain that thrust, because some of the fuel goes to accelerating the engine. Add various accessory loads, varying bleed air demand, varying altitude/temperature/airspeed etc, and I imagine a fixed orifice simply isn't all that accurate and can't be set closely. Especially as an overspeed core results in an overspeed pump, itself delivering more fuel to the wide-open valve...

True, but as each FADEC has two channels and each channel has independent analogue sensor inputs, the chance of each FADEC getting identical inputs from two engines with different hours and wear is infinitesimal. Going further, if you argue that both channels should be in agreement to shut an engine down, then the likelihood quarters again.

If that is true then the elephant in the room that no one wants to talk about just started stomp it's feet.

Exact values might matter if you're wanting to argue overflows and various other 'software' bugs.

Specification/design bugs (as the ANA 787 TCMA shutdown was) often crop up with just binary values and under/over X.

Both N2 and TCMA appear to operate when either channel detects the fault, because the potential consequences of not operating are catastrophic and the channel that's failing to control the engine could also be failing to detect the fault.

I'm not sure how many other shutdown routines there are in the FADECs that immediately command an engine shutdown without crew intervention, other than during start. I doubt there's many, and I expect they're either-channel for much the same reasons.