Most active commenters
  • cosmicgadget(5)
  • ExoticPearTree(3)
  • michaelmrose(3)

←back to thread

Preliminary report into Air India crash released

(www.bbc.co.uk)
314 points cjr | 55 comments | 11 Jul 25 20:23 UTC | HN request time: 4.659s | source | bottom
Show context
decimalenough ◴[11 Jul 25 21:24 UTC] No.44536914[source]
> The aircraft achieved the maximum recorded airspeed of 180 Knots IAS at about 08:08:42 UTC and immediately thereafter, the Engine 1 and Engine 2 fuel cutoff switches transitioned from RUN to CUTOFF position one after another with a time gap of 01 sec. The Engine N1 and N2 began to decrease from their take-off values as the fuel supply to the engines was cut off.

So the fuel supply was cut off intentionally. The switches in question are also built so they cannot be triggered accidentally, they need to be unlocked first by pulling them out.

> In the cockpit voice recording, one of the pilots is heard asking the other why did he cutoff. The other pilot responded that he did not do so.

And both pilots deny doing it.

It's difficult to conclude anything other than murder-suicide.

replies(25): >>44536947 #>>44536950 #>>44536951 #>>44536962 #>>44536979 #>>44537027 #>>44537520 #>>44537554 #>>44538264 #>>44538281 #>>44538337 #>>44538692 #>>44538779 #>>44538814 #>>44538840 #>>44539178 #>>44539475 #>>44539507 #>>44539508 #>>44539530 #>>44539532 #>>44539749 #>>44539950 #>>44540178 #>>44541039 #
1. alephnerd ◴[11 Jul 25 21:30 UTC] No.44536951[source]
> It's difficult to conclude anything other than murder-suicide.

Is it possible it could have been an accident or a mistake by one of the pilots? How intention-proofed are engine cutoffs?

replies(2): >>44537006 #>>44537365 #
2. ummonk ◴[11 Jul 25 21:38 UTC] No.44537006[source]
You have to pull the switches out (against a spring) to be able to move them over a notch and flip them. Not really something you can just mistake for another switch or bump into by accident.

I'd liken it to turning off the ignition by turning the key while driving your car. Possibly something that could happen if you're really fatigued, but requires quite a mental lapse.

replies(3): >>44537116 #>>44538841 #>>44539256 #
3. joezydeco ◴[11 Jul 25 21:51 UTC] No.44537116[source]
Report says the switches went to cutoff one second apart from each other. Can a human do the physical operation on two switches that quickly?
replies(2): >>44537174 #>>44537341 #
4. snypher ◴[11 Jul 25 21:57 UTC] No.44537174{3}[source]
There's a good photo of them here; https://theaircurrent.com/aviation-safety/ai171-investigatio...

You can do them both with one hand.

replies(5): >>44537551 #>>44537762 #>>44538586 #>>44539777 #>>44539820 #
5. heisenbit ◴[11 Jul 25 22:19 UTC] No.44537341{3}[source]
The timing is really curious.

08:08:35 Vr

08:08:39 Liftoff

08:08:42 Engine 1 cut-off

08:08:42 Engine 2 cut-off

08:08:47 minimum idel speed reached

?? One pilot to other: why cut-off. Other: Did not do it

08:08:52 Engine 1 run

08:08:52 Engine 2 run

1 second to switch them both off and then 4 seconds to switch them both on. No one admitted to switch them off. They are probably going with fine comb over the audio and also the remains of the chared switches.

Looks like the engines react very quickly to cut-off so it is not clear whether the question about the cut-off is prompted by a glance to the switches or the feel of the airplane.

The big question is whether the switches were moved or something made it seem as if the switches were moved.

replies(2): >>44537660 #>>44539629 #
6. xenadu02 ◴[11 Jul 25 22:23 UTC] No.44537365[source]
It could be defective switch springs, fatigue-induced muscle memory error, or something else. The pilot who did it saying he did not may not have realized what he did. It's pretty common under high workload when you flip the wrong switch or move a control the wrong way to think that you did what you intended to do, not what you actually did.

That said Boeing could take a page out of the Garmin GI275. When power is removed it pops up a "60s to shutdown dialog" that you can cancel. Even if you accidentally press SHUTDOWN it only switches to a 10s countdown with a "CANCEL" button.

They could insert a delay if weight on wheels is off. First engine can shutdown when commanded but second engine goes on 60s delay with EICAS warning countdown. Or just always insert a delay unless the fire handle is pulled.

Still... that has its own set of risks and failure modes to consider.

replies(4): >>44537836 #>>44538111 #>>44538204 #>>44541826 #
7. zihotki ◴[11 Jul 25 22:45 UTC] No.44537551{4}[source]
Are you completely sure you can considering that they are spring loaded and they are like 7-10cm apart judging by the size of other controls?
replies(1): >>44537692 #
8. cosmicgadget ◴[11 Jul 25 23:01 UTC] No.44537660{4}[source]
Well in the murder-suicide scenario it makes sense for the culprit to turn them off as quickly as possible. The longer time to turn them on could plausibly be a struggle or simply needing to fly the plane while reaching for each switch individually.
replies(1): >>44538889 #
9. snypher ◴[11 Jul 25 23:04 UTC] No.44537692{5}[source]
I don't understand your question. I have done this myself, am I completely sure?
replies(1): >>44537990 #
10. ajb ◴[11 Jul 25 23:15 UTC] No.44537762{4}[source]
If you do them both with one hand, would they not be moved at the same instant rather than 1 second apart?
replies(1): >>44537877 #
11. rogerrogerr ◴[11 Jul 25 23:26 UTC] No.44537836[source]
Delay is probably worse - now you're further disassociating the effect of the action from the action itself, breaking the usual rule: if you change something, and don't like the effect, change it back.
replies(1): >>44539803 #
12. lazide ◴[11 Jul 25 23:31 UTC] No.44537877{5}[source]
They require a per-switch motion, so unlikely.
13. cosmicgadget ◴[11 Jul 25 23:50 UTC] No.44537990{6}[source]
Did you mean to say you can activate the switches with one hand simultaneously? That is probably what the above commenter assumed you meant. Since lifting and twisting two switches simultaneously with one hand seems challenging.
replies(2): >>44538143 #>>44538454 #
14. aerospace83 ◴[12 Jul 25 00:14 UTC] No.44538111[source]
Armchair safety/human factors engineering, gotta love HN.
replies(2): >>44538342 #>>44539173 #
15. mvdtnz ◴[12 Jul 25 00:21 UTC] No.44538143{7}[source]
It didn't happen simultaneously so this is irrelevant.
replies(1): >>44538268 #
16. pixl97 ◴[12 Jul 25 00:30 UTC] No.44538204[source]
When your engine catches on fire/blows apart on takeoff you want to cut fuel as fast as possible.
replies(3): >>44538267 #>>44538687 #>>44538730 #
17. OneMorePerson ◴[12 Jul 25 00:39 UTC] No.44538267{3}[source]
Was thinking this same thing. A minute feels like a long time to us (using a Garmin as the example said) but a decent number of airplane accidents only take a couple minutes end to end between everything being fine and the crash. Building an insulation layer between the machine and the experts who are supposed to be flying it only makes it less safe by reducing control.
18. cosmicgadget ◴[12 Jul 25 00:40 UTC] No.44538268{8}[source]
It is relevant to the interaction I replied to.
replies(2): >>44538646 #>>44539131 #
19. zahlman ◴[12 Jul 25 00:55 UTC] No.44538342{3}[source]
This is a place that puts "Hacker" in the name despite the stigma in the mainstream. Given the intended meaning of the term, I would naturally expect this to be a place where people can speculate and reason from first principles, on the information available to them, in search of some kind of insight, without being shamed for it.

You don't have to like that culture and you also don't have to participate in it. Making a throwaway account to complain about it is not eusocial behaviour, however. If you know something to be wrong with someone else's reasoning, the expected response is to highlight the flaw.

replies(3): >>44538912 #>>44538954 #>>44538958 #
20. lanna ◴[12 Jul 25 01:15 UTC] No.44538454{7}[source]
Above commenter said _quickly_, not simultaneously
replies(1): >>44539161 #
21. arp242 ◴[12 Jul 25 01:42 UTC] No.44538586{4}[source]
Is there just one set of switches? Or do both pilots have their own set?
replies(1): >>44539582 #
22. ◴[12 Jul 25 01:56 UTC] No.44538646{9}[source]
23. p1mrx ◴[12 Jul 25 02:04 UTC] No.44538687{3}[source]
Proposed algorithm: If the flight computer thinks the engine looks "normal", then blare an alarm for x seconds before cutting the fuel.

I wonder if there have been cases where a pilot had to cut fuel before the computer could detect anything abnormal? I do realize that defining "abnormal" is the hardest part of this algorithm.

replies(3): >>44539457 #>>44539593 #>>44539663 #
24. SJC_Hacker ◴[12 Jul 25 02:13 UTC] No.44538730{3}[source]
If its both engines you're fucked anyway if its shortly after takeoff.

But I'm an advocate of KISS. At a certain point you have to trust the pilot is not going to something extremely stupid/suicidal. Making overly complex systems to try to protect pilots from themselves leads to even worse issues, such as the faulty software in the Boeing 737-MAX.

25. magicalhippo ◴[12 Jul 25 02:39 UTC] No.44538841[source]
Is it possible to rest the switch on the notch? Does the switch make contact if the switch is in the RUN position but the switch is not completely down?

That is, is it possible they flipped the switches over to RUN but did not seat the switches properly, and instead leaving them on top of the notch, with later vibration causing the switches to disengage?

Just trying to think of some semi-plausible non-active causes.

26. XorNot ◴[12 Jul 25 02:48 UTC] No.44538889{5}[source]
Assuming the person trying to kill themselves and a plane load of people would respond in an expected way to inquiry is also just a mistake.

It's not a rational decision, so there's no reason to expect rational decision making or explanation on the output.

replies(1): >>44539826 #
27. macintux ◴[12 Jul 25 02:53 UTC] No.44538912{4}[source]
For me it's mainly about intent/unearned confidence.

If someone is speculating about how such a problem might be solved while not trying to conceal their lack of direct experience, I'm fine with it, but not everyone is.

If someone is accusing the designers of being idiots, with the fix "obvious" because reasons, well, yeah, that's unhelpful.

replies(1): >>44539691 #
28. sdgsdgssdg ◴[12 Jul 25 03:05 UTC] No.44538954{4}[source]
(Different user here) Hacker News' "culture" is one of VC tech bros trying to identify monopolies to exploit, presumably so they can be buried with all their money when they die. There's less critical thinking here than you'd find in comments sections for major newspapers.
replies(1): >>44539565 #
29. aerospace83 ◴[12 Jul 25 03:05 UTC] No.44538958{4}[source]
> That said Boeing could take a page out of the Garmin GI275

This is not "reasoning from first principles". In fact, I don't think there is any reasoning in the comment.

There is an implication that an obvious solution exists, and then a brief description of said solution.

I am all for speculation and reasoning outside of one's domain, but not low quality commentary like "ugh can't you just do what garmin did".

This is not a throwaway, I'm a lurker, but was compelled to comment. IMHO HN is not the place for "throwaway" ad hominems.

replies(1): >>44540314 #
30. ryandrake ◴[12 Jul 25 03:49 UTC] No.44539131{9}[source]
You’re the only one who said “simultaneously.”
replies(1): >>44539209 #
31. cosmicgadget ◴[12 Jul 25 03:56 UTC] No.44539161{8}[source]
Jesus...

joey: Can you switch them quickly?

snypher: You can do them with one hand. [Ed. This is ambiguous and could be read as "one hand, simultaneously". In fact, doing it with one hand non-simultaneously would be a weird claim to make of a simple knob. See also ajb's comment below.]

zihotki: Really? They are not close together and have a spring mechanism. [Ed. Seems to believe snypher is claiming simultaneous operation.]

snypher: I am confused by the response.

Me: [Tries to facilitate clarification]

replies(1): >>44539261 #
32. mitthrowaway2 ◴[12 Jul 25 03:59 UTC] No.44539173{3}[source]
Yeah, people shouldn't bat ideas around and read replies from other people about why those ideas wouldn't work. Somebody might learn something, and that would be bad.
33. cosmicgadget ◴[12 Jul 25 04:05 UTC] No.44539209{10}[source]
See above.
34. ◴[12 Jul 25 04:16 UTC] No.44539256[source]
35. JumpCrisscross ◴[12 Jul 25 04:18 UTC] No.44539261{9}[source]
> This is ambiguous and could be read as "one hand, simultaneously"

Not within the context of the thread.

replies(1): >>44539315 #
36. ra7 ◴[12 Jul 25 04:29 UTC] No.44539315{10}[source]
Context is both these switches being turned off with a 1 second gap. Doing it with one hand simultaneously would possibly explain it, otherwise it doesn’t seem relevant.
37. lxgr ◴[12 Jul 25 05:07 UTC] No.44539457{4}[source]
If the computer could tell perfectly whether the engine “looks normal” or not, there wouldn’t be any need for a switch. If it can’t, the switch most likely needs to work without delay in at least some situations.

In safety-critical engineering, you generally either automate things fully (i.e. to exceed human capabilities in all situations, not just most), or you keep them manual. Half-measures of automation kill people.

replies(2): >>44539682 #>>44541579 #
38. dale_huevo ◴[12 Jul 25 05:30 UTC] No.44539565{5}[source]
If Boeing only had the foresight to hire an army of HN webshitters to design the cockpit, this disaster could have been averted.

All the controls would be on a giant touchscreen, with the fuel switches behind a hamburger button (that responded poorly and erratically to touch gestures). Even a suicidal pilot wouldn't be able to activate it.

39. ExoticPearTree ◴[12 Jul 25 05:33 UTC] No.44539582{5}[source]
Only one set.
40. OneMorePerson ◴[12 Jul 25 05:37 UTC] No.44539593{4}[source]
The incident with Sully landing in the Hudson is an interesting one related to this. They had a dual birdstrike and both engines were totally obliterated and had no thrust at all, but it came up later in the hearing that the computer data showed that one engine still had thrust due to a faulty sensor, so that type of sensor input can't really be trusted in a true emergency/edge case, especially if a sensor malfunctions while an engine is on fire or something.

As a software engineer myself I think it's interesting that we feel software is the true solution when we wouldn't accept that solution ourselves. For example typically in a company you do code reviews and have a release gating process but also there's some exception process for quickly committing code or making adjustments when theres an outage or something. Could you imagine if the system said "hey we aren't detecting an outage, you sure about that? why don't you go take a walk and get a coffee, if you still think there's an outage in 15 minutes from now we will let you make that critical change".

41. ExoticPearTree ◴[12 Jul 25 05:45 UTC] No.44539629{4}[source]
> Looks like the engines react very quickly to cut-off so it is not clear whether the question about the cut-off is prompted by a glance to the switches or the feel of the airplane.

The workload is pretty high during the takeoff phase. The engines react right away when fuel flow is stopped. The engine displays can have some lag before data is updated.

Relighting an engine at low speed is not feasible - most need 230-250kts IAS before attempting the operation. Maybe you could do it if the APU was still running and could provide compressed air, but it takes about 20-30 seconds to start up amd then probably 5-10 more to spool up to full thrust. I am speculating here a bit, but the pilot did not have enough time to save the plane even if he did everyting right and as fast as humanly possible.

All this aside is overshadowed by the limited amount of time the pilot flying (I would assume the captain in this case since there was only one ATPL pilot in the cockpit) had to troubleshoot the issue of a dual engine failure - as this is what would have felt to him - during takeoff.

replies(1): >>44541375 #
42. michaelmrose ◴[12 Jul 25 05:54 UTC] No.44539663{4}[source]
If engine_status == normal and last_activation greater than threshold time

    warn then shut off
Else Shut off immediately End

Override warning time by toggling again.

43. michaelmrose ◴[12 Jul 25 05:57 UTC] No.44539682{5}[source]
If the warning period is short enough is it possible it's always beneficial or is 2-3 seconds of additional fuel during a undetected fire more dangerous?
44. michaelmrose ◴[12 Jul 25 05:58 UTC] No.44539691{5}[source]
I don't think most think they know better but it's frankly fun to speculate and this is a casual space rather than the serious bodies tasked with actually chewing over this problem in earnest.
45. KaiMagnus ◴[12 Jul 25 06:17 UTC] No.44539777{4}[source]
I wonder if they could theoretically rest on top of the notch, not fully locked into either position and flip accidentally. No idea how the switches behave when not all the way up or down, but the notch looks pretty long and flat so it could be possible.
replies(1): >>44540070 #
46. Yokolos ◴[12 Jul 25 06:25 UTC] No.44539803{3}[source]
This makes me wonder. Is there no audible alarm when the fuel is set to cutoff?
47. sugarpimpdorsey ◴[12 Jul 25 06:28 UTC] No.44539820{4}[source]
Those switches are the size of a thumb. No one is moving those - separately, mind you - and not realize what is going on.
48. sugarpimpdorsey ◴[12 Jul 25 06:30 UTC] No.44539826{6}[source]
Too many are willing to accept the Bart Simpson excuse of "I didn't do it" at face value.
49. creato ◴[12 Jul 25 07:31 UTC] No.44540070{5}[source]
Something like this could maybe happen to one switch, it's unlikely but possible. But two independent switches at the same time?
replies(1): >>44540821 #
50. Mawr ◴[12 Jul 25 08:29 UTC] No.44540314{5}[source]
> This is not "reasoning from first principles".

It literally is. Accidental/malicious activation can be catastrophic, therefore it must be guarded against. First principles.

The shutoff timer screen given as an example is a valid way of accomplishing it. Not directly applicable to aircraft, but that's not the point.

> "ugh can't you just do what garmin did"

That's your dishonest interpretation of a post that offers reasonable, relevant suggestions. Don't tell me I need to start quoting that post to prove so. It's right there.

51. KaiMagnus ◴[12 Jul 25 10:06 UTC] No.44540821{6}[source]
Good point, that is very unlikely. I was just wondering if it's possible at all.
52. leetrout ◴[12 Jul 25 11:47 UTC] No.44541375{5}[source]
> I would assume the captain

The report states the FO was pilot flying.

replies(1): >>44542221 #
53. 7952 ◴[12 Jul 25 12:25 UTC] No.44541579{5}[source]
But humans can't tell perfectly either and would be responding to much of the same data that automation would be.

I wonder if they could have buttons that are about the situation rather than the technical action. Have a fire response button. Or a shut down on the ground button.

But it does seem like half measure automation could be a contributing factor in a lot of crashes. Reverting to a pilot in a stressful situation is a risk, as is placing too much faith in individual sensors. And in a sense this problem applies to planes internally or to the whole air traffic system. It is a mess of expiring data being consumed and produced by a mix of humans and machines. Maybe the missing part is good statistical modelling of that. If systems can make better predictions they can be more cautious in response.

54. yard2010 ◴[12 Jul 25 13:10 UTC] No.44541826[source]
I'm doing it all the time while rebasing commits or force pushing to my branch. Sometimes I would just click the wrong buttons and end up having to stay late to clean the mess. It's a great thing I'm not a pilot. I would be dead by now.
55. ExoticPearTree ◴[12 Jul 25 14:13 UTC] No.44542221{6}[source]
My bad. I assumed it was the captain since the report says the FO only has a CPL license. And I was a bit surprised he could fly on a comercial airplane with only that kind of license and not an ATPL one.