Most active commenters
  • cosmicgadget(3)
  • bombcar(3)

←back to thread

Preliminary report into Air India crash released

(www.bbc.co.uk)
314 points cjr | 21 comments | 11 Jul 25 20:23 UTC | HN request time: 0.001s | source | bottom
Show context
decimalenough ◴[11 Jul 25 21:24 UTC] No.44536914[source]
> The aircraft achieved the maximum recorded airspeed of 180 Knots IAS at about 08:08:42 UTC and immediately thereafter, the Engine 1 and Engine 2 fuel cutoff switches transitioned from RUN to CUTOFF position one after another with a time gap of 01 sec. The Engine N1 and N2 began to decrease from their take-off values as the fuel supply to the engines was cut off.

So the fuel supply was cut off intentionally. The switches in question are also built so they cannot be triggered accidentally, they need to be unlocked first by pulling them out.

> In the cockpit voice recording, one of the pilots is heard asking the other why did he cutoff. The other pilot responded that he did not do so.

And both pilots deny doing it.

It's difficult to conclude anything other than murder-suicide.

replies(25): >>44536947 #>>44536950 #>>44536951 #>>44536962 #>>44536979 #>>44537027 #>>44537520 #>>44537554 #>>44538264 #>>44538281 #>>44538337 #>>44538692 #>>44538779 #>>44538814 #>>44538840 #>>44539178 #>>44539475 #>>44539507 #>>44539508 #>>44539530 #>>44539532 #>>44539749 #>>44539950 #>>44540178 #>>44541039 #
lazystar ◴[11 Jul 25 21:31 UTC] No.44536962[source]
https://ad.easa.europa.eu/ad/NM-18-33

well hold your horses there... from the FAA in their 2019 report linked above:

> The Boeing Company (Boeing) received reports from operators of Model 737 airplanes that the fuel control switches were installed with the locking feature disengaged. The fuel control switches (or engine start switches) are installed on the control stand in the flight deck and used by the pilot to supply or cutoff fuel to the engines. The fuel control switch has a locking feature to prevent inadvertent operation that could result in unintended switch movement between the fuel supply and fuel cutoff positions. In order to move the switch from one position to the other under the condition where the locking feature is engaged, it is necessary for the pilot to lift the switch up while transitioning the switch position. If the locking feature is disengaged, the switch can be moved between the two positions without lifting the switch during transition, and the switch would be exposed to the potential of inadvertent operation. Inadvertent operation of the switch could result in an unintended consequence, such as an in-flight engine shutdown. Boeing informed the FAA that the fuel control switch design, including the locking feature, is similar on various Boeing airplane models. The table below identifies the affected airplane models and related part numbers (P/Ns) of the fuel control switch, which is manufactured by Honeywell.

> If the locking feature is disengaged, the switch can be moved between the two positions without lifting the switch during transition, and the switch would be exposed to the potential of inadvertent operation. Inadvertent operation of the switch could result in an unintended consequence, such as an in-flight engine shutdown

replies(11): >>44536982 #>>44537000 #>>44537463 #>>44537519 #>>44537557 #>>44537793 #>>44538056 #>>44538109 #>>44538902 #>>44539136 #>>44541478 #
barbazoo ◴[11 Jul 25 21:34 UTC] No.44536982[source]
Same manufacturer, Air India 171 was a 787-8 though.
replies(1): >>44537026 #
shoghicp ◴[11 Jul 25 21:39 UTC] No.44537026[source]
The affected table includes these models as well: 787-8, -9, and -10
replies(2): >>44537064 #>>44537121 #
1. ggreer ◴[11 Jul 25 21:51 UTC] No.44537121[source]
The only affected models were 737s with the 766AT613-3D fuel control switch. The bulletin recommended that other models be inspected and any defects reported. It's unclear if any 787s were discovered to have the issue. Also the preliminary report mentions that the switches were replaced in 2019 and 2023, after the 2018 bulletin.
replies(1): >>44537490 #
2. lazystar ◴[11 Jul 25 22:39 UTC] No.44537490[source]
still, it at least shows that there's been issues with the locking mechanism in the past. inadvertently bumping something that was assumed to be locked is a simpler theory; i find it hard to believe that a murder suicider would take this route, when the china nosedive option is easier, faster, and has a higher chance of success.
replies(2): >>44537569 #>>44538077 #
3. cosmicgadget ◴[11 Jul 25 22:49 UTC] No.44537569[source]
Cutting fuel just after takeoff leaves almost zero time for the other pilot to recover.
replies(1): >>44537825 #
4. bombcar ◴[11 Jul 25 23:25 UTC] No.44537825{3}[source]
It's interesting to try to imagine a device that would prevent that, without causing more issues.

My preliminary idea is a "fuel bladder" for take-off that inflates with enough fuel to get the plane to a recoverable altitude, maybe a few thousand feet?

replies(3): >>44538093 #>>44539196 #>>44539757 #
5. ggreer ◴[12 Jul 25 00:07 UTC] No.44538077[source]
The preliminary report says the switches were triggered a second apart, so it would have to have been faulty switches and two inadvertent bumps. That seems unlikely to me.
replies(2): >>44538871 #>>44539125 #
6. cosmicgadget ◴[12 Jul 25 00:09 UTC] No.44538093{4}[source]
I think engine fires are still more common than suicidal pilots and inadvertant fuel shutoff activations.
replies(1): >>44538312 #
7. bombcar ◴[12 Jul 25 00:49 UTC] No.44538312{5}[source]
The idea would be something that is ONLY operational after V₁ and until some safe height.

Or maybe a design that prevents both switches being off (flip flop?) for X minutes after wheel weight is removed?

Again, it’s probably pointless but it’s an interesting thought exercise.

Suicidal pilots are apparently more common than we’d want.

replies(3): >>44538386 #>>44538672 #>>44541454 #
8. cosmicgadget ◴[12 Jul 25 01:03 UTC] No.44538386{6}[source]
The flip flop thing is a neat idea since a single engine can typically maintain level flight and two burning engines is rare.
9. stephen_g ◴[12 Jul 25 02:01 UTC] No.44538672{6}[source]
It’s a pointless exercise though - if one of the pilots wants to crash the plane, there’s almost nothing that can possibly be done. Only if someone can physically restrain them and remove them from the controls.

There’s always going to be many ways they could crash the plane, such a feature wouldn’t help. The pilots are the only people you can’t avoid fully trusting on the plane.

replies(2): >>44539446 #>>44539958 #
10. somat ◴[12 Jul 25 02:44 UTC] No.44538871{3}[source]
Within a second apart. If I read the report right. The time resolution of the recorder?

And yes, it does sound like it was probably intentional. I would still like to see an engineering review of the switch system. Are they normally open or normally closed, In the end the switch instructs the FADEC to cut the fuel, but where does the wiring go in the meantime? what software is in the path? would the repair done before the flight be in that area?(pilot defect report for message STABS POS XCDR), and perhaps compromised the wires?

11. ◴[12 Jul 25 03:48 UTC] No.44539125{3}[source]
12. sugarpimpdorsey ◴[12 Jul 25 04:02 UTC] No.44539196{4}[source]
> My preliminary idea is a "fuel bladder" for take-off that inflates

Will the bladder be marketed by Kramerica Industries?

13. winter_blue ◴[12 Jul 25 05:04 UTC] No.44539446{7}[source]
So basically we need software that can 100% autonomously fly a plane. Software that is extremely reliable and trustworthy, basically. Software with multiple fallback options. Multiple AI agents verifying every action this software takes. Plus, ground-based teams monitoring the agents and the autonomous flight software.
replies(1): >>44539856 #
14. sitharus ◴[12 Jul 25 06:12 UTC] No.44539757{4}[source]
Or you simply interlock the engine cutoff with the thrust lever position, any position other than idle prevents shutdown. This all goes through the flight computers already.

If there’s a fire or similar problem the fire handles will cut off fuel without the normal shutdown procedure, but the normal switches only need to be used at idle thrust.

I wonder if Airbus has this logic, since their philosophy is to override the pilot commands if they’d endanger the aircraft (which has its own issues of course) where’s Boeing will alert the pilots and still perform the action. I don’t have access to that information.

replies(1): >>44539946 #
15. Scarblac ◴[12 Jul 25 06:37 UTC] No.44539856{8}[source]
Not AI, AI is less trustworthy than normal software almost by definition.

Formally verified traditional algorithms.

16. 0_-_0 ◴[12 Jul 25 06:56 UTC] No.44539946{5}[source]
According to AI, Airbus places these switches on the overhead panel, so that alone would make it harder to inadvertently move them. Apparently, Airbus "protections do not extend to mechanical or FADEC‑controlled systems like the engine‑fuel shutoff valves. If you deliberately pull and flip the ENG MASTER lever to OFF, the FADEC will immediately close the LP and HP fuel valves and the engine will flame out. If you then return the lever to RUN (and you meet relight conditions), it will automatically relight."
replies(2): >>44540068 #>>44540251 #
17. toast0 ◴[12 Jul 25 07:02 UTC] No.44539958{7}[source]
It's only pointless if we assume crashing was the intended result of the pilot. If the switches failed, or the pilot activated the switches by mistake, it's worth considering options for handling the inputs.

There's a balance of accidents to be found, I think. There are likely cases where fuel does need to be cut off to both engines, and preventing that would lead to accidents that might have been recoverable. This case shows that cutting off fuel to both engines during takeoff is likely unrecoverable. There have been cases where fuel is cutoff to the wrong engine, leading to accidents. Status quo might be the right answer, too.

18. Gare ◴[12 Jul 25 07:31 UTC] No.44540068{6}[source]
Well, AI is plain wrong. Fuel cutoff switches on Airbus are in the same position as in Boeing planes, below the throttle.
19. sitharus ◴[12 Jul 25 08:16 UTC] No.44540251{6}[source]
And that's why you don't trust AI.

As another commenter said the Airbus engine start/stop controls are located behind the thrust levers, and according to the A350 operations manual which I got my hands on there are two conditions required for the FADEC to command engine shut down: Run switch to off, thrust lever to idle.

So if that's correct on an Airbus aircraft you can't just switch off the engines when they're commanded to produce thrust. This also seems to be backed up by the difference in the guards for those controls in the Airbus cockpits.

20. dxdm ◴[12 Jul 25 11:59 UTC] No.44541454{6}[source]
> Again, it’s probably pointless but it’s an interesting thought exercise.

Coming up with ad-hoc solutions is easy, especially the less you know about a complex system and its constraints. I'd say it's not an interesting exercise unless you consider why a solution might not exist already, and what its trade-offs and failure modes are. Otherwise, all you're doing is throwing pudding against a wall, which can of course be fun.

replies(1): >>44541582 #
21. bombcar ◴[12 Jul 25 12:26 UTC] No.44541582{7}[source]
That’s the whole fun part - come up with an “obvious” solution and the try to figure out the problems or risks it would cause.

For example, an obvious solution is that the switch can't be changed from "RUN" to "CUTOFF" when the throttle isn't at idle - this could be done with a mechanical detent because they're right next to each other. Simple!

But now you've introduced additional failure modes - throttle sticks wide open and the engine is vibrating and needs to be shut down - so maybe you make it that the shutdown switch can work for ONE engine at any throttle position, but if TWO get turned off, both throttles have to be off, but that introduces ...