> The aircraft achieved the maximum recorded airspeed of 180 Knots IAS at about 08:08:42 UTC and immediately thereafter, the Engine 1 and Engine 2 fuel cutoff switches transitioned from RUN to CUTOFF position one after another with a time gap of 01 sec. The Engine N1 and N2 began to decrease from their take-off values as the fuel supply to the engines was cut off.
So the fuel supply was cut off intentionally. The switches in question are also built so they cannot be triggered accidentally, they need to be unlocked first by pulling them out.
> In the cockpit voice recording, one of the pilots is heard asking the other why did he cutoff. The other pilot responded that he did not do so.
And both pilots deny doing it.
It's difficult to conclude anything other than murder-suicide.
well hold your horses there... from the FAA in their 2019 report linked above:
> The Boeing Company (Boeing) received reports from operators of Model 737 airplanes that the fuel control switches were installed with the locking feature disengaged. The fuel control switches (or engine start switches) are installed on the control stand in the flight deck and used by the pilot to supply or cutoff fuel to the engines. The fuel control switch has a locking feature to prevent inadvertent operation that could result in unintended switch movement between the fuel supply and fuel cutoff positions. In order to move the switch from one position to the other under the condition where the locking feature is engaged, it is necessary for the pilot to lift the switch up while transitioning the switch position. If the locking feature is disengaged, the switch can be moved between the two positions without lifting the switch during transition, and the switch would be exposed to the potential of inadvertent operation. Inadvertent operation of the switch could result in an unintended consequence, such as an in-flight engine shutdown. Boeing informed the FAA that the fuel control switch design, including the locking feature, is similar on various Boeing airplane models. The table below identifies the affected airplane models and related part numbers (P/Ns) of the fuel control switch, which is manufactured by Honeywell.
> If the locking feature is disengaged, the switch can be moved between the two positions without lifting the switch during transition, and the switch would be exposed to the potential of inadvertent operation. Inadvertent operation of the switch could result in an unintended consequence, such as an in-flight engine shutdown
Both of these extremely-experienced pilots say that there was near zero chance that the fuel switches were unintentionally moved. They were switched off within one second of each other, which rules out most failure scenarios.
If it was an issue with the switches, we also would have seen an air worthiness directive being issued. But they didn’t, because this was a mass murder.
Maybe as the PIC was guarding the lower end of the throttle he rested the rest of his hand on the panel cover below the throttle and, while pushing forward on the throttle, let the side of his hand slide down right onto the switches, the likeliness of which would have been exacerbated by a rough runway or a large bump. It's unlikely the left and right part of his hand would have contacted the cutoff switches at the same time, hence the delay between the two switches being actuated. Of course this relies on the safety locks not working properly, which is something that hand been reported.
Nope. First of all, the FO was the “pilot flying” and thusly controls the throttle. The fuel shutoffs are on the left side, well clear of the range of motion throttle operation for the right seat.
If the Captain were controlling throttles, it for some reason he could contort his wrist to accidentally open the red cutoff switch guards, the switches themselves move in the opposite direction of the pivot of the switch guard. And to have that happen to both switches — one second apart. That would be astronomically (not to mention anatomically) improbable: you can’t have your hand on the throttle and also be dragging your arm on the switches unless the pilot has an extra elbow.
Further more, the 787 has auto throttles, at takeoff the pilot advances the throttles to N1, then all the way through climb out the auto throttles control the throttle unless manually disengaged.
Also a “bumpy runway” wouldn’t do anything because if those switches were activated on the roll out, the engines would shut down almost immediately: that’s the point of those switches to kill fuel flow immediately not minutes later.
And no there isn’t a report of the safety locks not working properly on the 787. The report to which you are referring was in 2018 and that was an issue with a very few 737 switches that were improperly installed. The switches didn’t fail after use, they were bad at install time. Exceedingly unlikely that a 787 was flying for 12 years with faulty switches. (Notwithstanding the fact they they are completely different part numbers.)
The 787 that crashed had been in service since 2013 which means if that were a problem in that plane, however unlikely, with hundreds of thousands of flight hours, inspections, and the 2018 Airworthiness Bulletin — that problem would have been detected and corrected years ago.
You are wrong. The fuel shutoff switches are directly beneath the throttle levers, and they move down to cutoff, which is exactly the direction a hand beneath the throttle would move to accidentally switch them to cutoff.
Secondly, while the FO was flying the airplane and thus would have control of the throttles during rollout, the captain would certainly have his hand beneath the throttles in an observer position during at least part of the takeoff. And during takeoff, procedure would have the captain take over control of the throttle levers until rotation while the FO handled the yoke with both hands.
blancolirio[0] has two excellent video examples of 787 takeoffs within the cockpit showing FO-pilot takeoffs and both officers' actions during takeoff.
Page 10 of the Air India preliminary report[1] shows a picture of the fuel cutoff switches -- clearly labeled "FUEL CONTROL" with "RUN" in the up position and "CUTOFF" in the down position -- directly beneath the throttle levers.
This. There are no flip-covers on the switches in any of the photos I've seen. Additionally, it looks like the side guards are only on the left and right sides of the pair of cutoff switches, not in-between the two switches. So if one bumped one switch, seems like it would be very easy to bump them both.
There's a metal nib on the switch and switch housing preventing it from being bumped. There's also a spring holding it down so it can't bounce up. The distance and required force makes switching them at the same time impossible, thus the 1 second difference. This was absolutely an intentional act.
One can easily switch them with two fingers at the same time.
I tried (with similar switches.): Works. If the locking mechanism fails, even unintentionally.
Getting loose, wristworn jewlery snatched and then pull: Works.
My question to Boeing is:
Why did you cover the neighbouring (stabilizer cut-off, IIRC) switches with red springloaded flip-covers, but not the fuel cut-off switches?
please. pilot puts everyone to sleep but himself, turns everything off, then does a flyby of his hometown and then puts himself to sleep? the only one more obvious is the german one.
It feels quite uncomfortable to me. I remember using this exact example of why the changes after the German wings crash wouldn't prevent a murder suicide in the future.
The issue with the 737 MAX became evident within months of the plane's launch. By contrast, the Dreamliner has accumulated over a decade of flying history across over 1000 aircraft with precisely zero fatal accidents.
The fact that the pilots denied that they had shut the switch (one asking the other why they had done so and the other denying it), and that they restarted the engines should be taken into account. Ok, murder suicide is definitely on the table but I would want to see some other reasons for believing that this is so.
Sorry to nitpick, but for a good Bayesian, absence if evidence is evidence of absence. If you want the aphorism to be technically correct, you should say "absence of proof is not proof of absence".
A note on the terminology: "evidence" is a piece of data that suggests a conclusion, while not being conclusive by itself. Whereas "proof" is a piece of data that is conclusive by itself.
For a long time my wife refused to accept that Tree Kangaroos existed and insisted that I'd made them up. When the internet came along she looked them up and treated me strangely for a while.
What things that you have never seen do you not believe in?
(not the OP) Giant isopods. They're not real. I know there are pictures of what are supposed to be giant isopods but they are not real animals, instead they're clearly fake models of made-up animals.
A few years ago I was working at a company that used a robotic arm when an accident occurred. The robot was powered off for maintenance but suddenly turned on, pinned a worker's arm, and threw him against a wall. His arm had numerous fractures and he had severe head injuries but survived.
The other worker in the building was in absolute shambles and couldn't understand what had happened. The CCTV footage was then checked and showed that worker looking at the other while reaching for the power switch and turning on the machine. The switch was not locked out and tagged out, but it was the only switch like it on the whole panel, large and required significant force to turn. No way to accidentally bump it, and the video showed him clearly turning the handle.
He was obviously fired, but no criminal charges were ever brought against him. He had no plausible motive for wanting the other man dead, was severely distraught over the incident. It was simultaneously obvious that he had turned the lever deliberately and had not meant to turn the leaver. A near-lethal combination of muscle memory and a confusion caused the accident. If the lever had been locked and tagged out, that probably would have interrupted his muscle memory and prevented the accident, but it wasn't.
Point is, something can be simultaneously impossible to do inadvertently, but still done mistakenly. A switch designed to never be accidentally bumped, to require specific motions to move it, can still be switched by somebody making a mistake.
My buddy says the same, he’s a 787 captain for United. Essentially impossible to accidentally turn off those switches. My buddy isn’t “evidence” of course, but actual airline captains are all saying similar things.
I'm not disagreeing with you I think this was manually done
But here's the thing a "near zero chance" when we are talking about an actual event changes the math
Maybe there's a combination of vibration and manufacturing defect or assembly fault or "hammer this until it works" that can cause the switches to flip. Very unlikely? Yes. Still close to 0% but much more likely in the scenario of an accident
Of course AAIB/NTSB etc didn't have any time to investigate the mechanical aspects of this failure
So yeah it was probably done intentionally but the "switches turning off by themselves" should not be excluded
We could also suggest that aliens in the cockpit did it — about the same probability. Two switches, on independent circuits, both failing within one second of each other in the exact same way?
Perhaps there are more qualifying statements that you meant to include? The certification and type rating requirements certainly differ between agencies, but in terms of raw number of flight hours it’s easy to find that this statement is false.
These switches are operated at startup and shutdown. So pretty much daily. By pilots and likely maintenance crews. Such a defect with not to unnoticed for long
What is "01 second" as quoted above? If it's 1 second, you could possibly conclude that it was intentional. If it's 0.1 second you might think it was an accident and the lock was disengaged.
There is no electronic lock as far as I know, as many people seem to assume. It's a mechanical notch that you have to physically pull the switch past to operate it. The lock failures described in the air worthiness directive was about this mechanical stop or notch not being installed.
Many systems log samples at an intervale of one sample per second. I could easily envision a transition event where a bump or brush of something sufficiently toggles one switch and then a fraction of a second later the other.
You don’t inadvertently turn off both switches. The linked SAIB was in 2018 and addresses faulty installations, not a failure after use. And preflight over thousands of flights would have detected if the switches had a failed locking mechanism. And for both to fail at once? Practically impossible. Also the recommended inspection — that was almost 7 years ago. If a major airline didn’t comply with the SAIB, that’s on them, not Boeing. There hasn’t been a single reported instance of fuel switches being accidentally switched off on any Boeing airliner — in 320 million flight hours over the past 10 years.
The switches are spring-loaded, notched in place, and have a rubber knob on the top. A pilot must squeeze the knob, remove the switch from its ON notch, press the switch, click it into the OFF notch, then release the knob.
They were moved back to the run position 10 seconds after being switched off, and the engines were in the very early stages of restarting by the time of the crash. It was too late.
at least one of the pilots did. according to the preliminary report, the switches were only in the cutoff position for 10 seconds before being switched back to the run position and the engines started to spin up again
More like 30 seconds. Just throttling an already running engine up from idle (which is quite a bit above zero throttle in most respects) takes seconds.
The only affected models were 737s with the 766AT613-3D fuel control switch. The bulletin recommended that other models be inspected and any defects reported. It's unclear if any 787s were discovered to have the issue. Also the preliminary report mentions that the switches were replaced in 2019 and 2023, after the 2018 bulletin.
Here is the full SAIB on the Boeing fuel control switches. This report lists the part 4TL837-3D as the switch used on 787s, and is the part mentioned in the preliminary report on the accident.
The SAIB does single out the part 766AT613-3D, but that's for suggesting a replacement for it as 766AT614-3D.
Per the Honeywell catalog for 4TL837-3D, if is a Snap Action toggle switch. The base model doesn't have a locking mechanism, which is available as an option
still, it at least shows that there's been issues with the locking mechanism in the past. inadvertently bumping something that was assumed to be locked is a simpler theory; i find it hard to believe that a murder suicider would take this route, when the china nosedive option is easier, faster, and has a higher chance of success.
The preliminary report says the switches were triggered a second apart, so it would have to have been faulty switches and two inadvertent bumps. That seems unlikely to me.
Within a second apart. If I read the report right. The time resolution of the recorder?
And yes, it does sound like it was probably intentional. I would still like to see an engineering review of the switch system. Are they normally open or normally closed, In the end the switch instructs the FADEC to cut the fuel, but where does the wiring go in the meantime? what software is in the path? would the repair done before the flight be in that area?(pilot defect report for message STABS POS XCDR), and perhaps compromised the wires?
It's interesting to try to imagine a device that would prevent that, without causing more issues.
My preliminary idea is a "fuel bladder" for take-off that inflates with enough fuel to get the plane to a recoverable altitude, maybe a few thousand feet?
It’s a pointless exercise though - if one of the pilots wants to crash the plane, there’s almost nothing that can possibly be done. Only if someone can physically restrain them and remove them from the controls.
There’s always going to be many ways they could crash the plane, such a feature wouldn’t help. The pilots are the only people you can’t avoid fully trusting on the plane.
It's only pointless if we assume crashing was the intended result of the pilot. If the switches failed, or the pilot activated the switches by mistake, it's worth considering options for handling the inputs.
There's a balance of accidents to be found, I think. There are likely cases where fuel does need to be cut off to both engines, and preventing that would lead to accidents that might have been recoverable. This case shows that cutting off fuel to both engines during takeoff is likely unrecoverable. There have been cases where fuel is cutoff to the wrong engine, leading to accidents. Status quo might be the right answer, too.
So basically we need software that can 100% autonomously fly a plane. Software that is extremely reliable and trustworthy, basically. Software with multiple fallback options. Multiple AI agents verifying every action this software takes. Plus, ground-based teams monitoring the agents and the autonomous flight software.
> Again, it’s probably pointless but it’s an interesting thought exercise.
Coming up with ad-hoc solutions is easy, especially the less you know about a complex system and its constraints. I'd say it's not an interesting exercise unless you consider why a solution might not exist already, and what its trade-offs and failure modes are. Otherwise, all you're doing is throwing pudding against a wall, which can of course be fun.
That’s the whole fun part - come up with an “obvious” solution and the try to figure out the problems or risks it would cause.
For example, an obvious solution is that the switch can't be changed from "RUN" to "CUTOFF" when the throttle isn't at idle - this could be done with a mechanical detent because they're right next to each other. Simple!
But now you've introduced additional failure modes - throttle sticks wide open and the engine is vibrating and needs to be shut down - so maybe you make it that the shutdown switch can work for ONE engine at any throttle position, but if TWO get turned off, both throttles have to be off, but that introduces ...
Or you simply interlock the engine cutoff with the thrust lever position, any position other than idle prevents shutdown. This all goes through the flight computers already.
If there’s a fire or similar problem the fire handles will cut off fuel without the normal shutdown procedure, but the normal switches only need to be used at idle thrust.
I wonder if Airbus has this logic, since their philosophy is to override the pilot commands if they’d endanger the aircraft (which has its own issues of course) where’s Boeing will alert the pilots and still perform the action. I don’t have access to that information.
According to AI, Airbus places these switches on the overhead panel, so that alone would make it harder to inadvertently move them. Apparently, Airbus "protections do not extend to mechanical or FADEC‑controlled systems like the engine‑fuel shutoff valves. If you deliberately pull and flip the ENG MASTER lever to OFF, the FADEC will immediately close the LP and HP fuel valves and the engine will flame out. If you then return the lever to RUN (and you meet relight conditions), it will automatically relight."
As another commenter said the Airbus engine start/stop controls are located behind the thrust levers, and according to the A350 operations manual which I got my hands on there are two conditions required for the FADEC to command engine shut down: Run switch to off, thrust lever to idle.
So if that's correct on an Airbus aircraft you can't just switch off the engines when they're commanded to produce thrust. This also seems to be backed up by the difference in the guards for those controls in the Airbus cockpits.
The wings hosts the engine and a good portion of the fuel is quite a bit back from the nose in a big plane like 787. The engines lost power and hit just 180 knots just 4 seconds after the plan lifted off. The plane could have just easily broken up differently where the nose crashed in a different spot than where the fire would likely start.
At such a slow speed and altitude they could even have well crashed inside the airport perimeter and got a quicker/ better emergency response from the fire units at the airport.
Attempting this during takeoff or landing when the pilot monitoring is fully engaged and closely observing would be most difficult to execute .
Yes, the S.A.I.B. was about the switch, which is used in many airplanes,
and _should_ be checked and replaced. But they didn't. Because it wasn't mandatory. So my guess is those 50-70€ per switch were too expensive for the airline?
They reported that they replaced the whole middle console twice, so I cannot accept the 'it's pricey' or 'it's non-mandantory' as an excuse.
Hackers gona hack, so I'd like to get my hands on those switches, or better the whole fuel control panel. The pictures don't let me see or feel if a loose front panel could lift those shiny glowy locking knobs up by, say, 2.3mm and therefore unlock those switches, for example.
Only picture I could find online about this malfunctioning switch:
which looks like a really nasty 'mechanical inadequacy': half of the locking mechanism is the shiny glowy knobs. And they could _turn_. WTHolyF!? What where they smoking when designing or reviewing this?
In this fine post here, if you can read chinese or click the translation button on your browser:
(CAVE: I'm not inside boeing's tech support system so I cannot verify this from the original maintainance manual, since they seem to be practically guarded as trade secrets...)
I tried to order some of those switches (766AT613-3D and 766AT614-3D) and hope they get delivered ... this year. Anyone here got their hands on those switches to test their feel when handling or their resiliency?
(My hypothesis is:
Hand on throttle, Hand pushes throttle full forward to start, Hand rests on throttle while accellerating, then pilot does the routine rotate and plane takes of and all is fine and Hand lets go of throttle, Hand falls on both switches directy behind the throttle: Click-click-WTF?-BOOM.)
Of Course almost anyone involved in the airplane industry would prefer this to be a clear-cut case of 'pilot error' or 'Terrorism/Insanity' - but that doesn't exnorate the manufacturer or owner of building and flying an airplane where the engines can be shut off while taking off, IMHO.
As an aside, I especially like the disclaimers on the last page of Honeywells catalogue (this one: https://www.farnell.com/datasheets/2604543.pdf)
- don't use it for anything safety-of-live related.
- if it breaks because we delivered junk, we'll replace the switch - nothing else.
(I'm paraphrasing. Some laywers migth find a way to get out of this. I hope Boeing doesn't.).
Correction, I quoted the wrong price:
Honeywell's 4TL837-3D, which is the switch in the 787s according to the SAIB "EASA_SIB_NM-18-33_1-1.pdf", costs about 1300€. MIL-spec &c. certifications are costly.
Still cheap enough to not risk killing hundreds of people with the flick of a wrist.
Sorry about that.
And yet the preliminary report for the incident in question includes reference to that bulletin, indicates that the switches in the accident aircraft were of a very similar design and subject to advisory inspections:
"The FAA issued Special Airworthiness Information Bulletin (SAIB ) No. NM -18-33 on
December 17, 2018, regarding the potential disengagement ofthe fuel control switch locking
feature. This SAIB was issued based on reports from operators of Model 737 airplanes that
the fuel control switches were installed with the locking feature disengaged. The airworthiness
concern was not considered an unsafe condition that would warrant airworthiness directive
(AD) by the FAA. The fuel control switch design , including the locking feature, is similar on
various Boeing airplane models including part number 4TL837-3D which is fitted in B787-8
aircraft VT-ANB. As per the information from Air India, the suggested inspections were not
carried out asthe SAIB was advisory and not mandatory. The scrutiny ofmaintenance records
revealed that the throttle control module was replaced on VT-ANB in 2019 and 2023.
However, the reason for the replacement was not linked to the fuel control switch. There has
been no defect reported pertaining to the fuel control switch since 2023 on VT-ANB."
So while I agree that this being the cause sounds unlikely, referencing the switch issue is something relevant enough for the report itself.
There Is a connection: The same type and make of switches, which already where officially found to be prone to subtle malfunction and ought to be checked and replaced. Read the SAIB.
Look at the switches. https://www.xuefeiji.org/public/uploads/weixin_mpimgs/e3/e36...
Your argument of being "totally different" flight decks or fordy ignition switches aside (ignoring that one is allowed to to drive both mentioned cars using the same license, but not two different generations of airplanes, ignoring that the biological concept of generation implies kinship), this affair reminds me of https://en.m.wikipedia.org/wiki/General_Motors_ignition_swit...
> It's difficult to conclude anything other than murder-suicide.
You're leaping into the minds of others and drawing conclusions of their intent. One of them moved the levers. It could've been an unplanned reaction, a terrible mistake, or it could've been intentional. We may never know the intention even with a comprehensive and complete investigation. To claim otherwise is arrogance.
The car equivalent is being on a highway and "mistakenly" pulling the hand brakes, except that there are 2 hand brakes and you need to first unlock both of them.
That's very hard to do by panic and mistake, if not impossible by design.
On pprune there is a professional pilot that says they had multiple instances of inadverent switching off fuel switches. They do it every startup, shutdown and training captains (the captain on this flight was pilot not flying, he had >10k hours) do it all the time in the sim to trigger engine out scenario during training
You moved the goalposts from "do something catastrophic by doing something completely unrelated to what you were trying to do" to "press the wrong pedal or button in a car or elsewhere"
We're talking about taking an action in a different place in the cockpit controls that has safeties built in to prevent accidental use... like pulling a handbrake by accident while the car is moving when you meant to put your wipers on
Nope, I strongly disagree with that comparison. One doesn't need to pull up a big stick in hand using elbow and shoulder to flip this fuel switch _down_. Would a car's hand brake stop your engine if it's thumb-push-button lock failed silently and you happen to let something fall on it, like a hand? no. But this little fuel switch would.
Bad analogy because pilots are trained and rehearse and practice memory items until they are instinctual.
> impossible by design.
Deflecting that the human is the weakest part of the system. One or other may have panicked and made a mistake, made a mistake unintentionally, went crazy and doomed the flight, or intentionally doomed the flight for some socioeconomic reasons. These are speculative possibilities that we don't know yet, and may never know; we only know what has definitely happened from the evidence per the investigation. It's standing way out over one's feet to declare from an armchair that it was "definitely" X or Y before the investigation is complete.
It was done. Yes. There is no way to determine from the evidence why it was done, how much conscious or not thought was put into it, or the thought process behind it.
> One of them moved the levers. It could've been an unplanned reaction, a terrible mistake, or it could've been intentional.
Fuel levers are designed to only be moved deliberately; they cannot be mistaken for something else by a professional pilot. It's literally their job to know where these buttons are, what they do, and when to (not) push them.
It's not arrogance to assume the most likely conclusion is true, despite how uncomfortable that outcome may be.
Pilot are trained until actions are instinctual and certain memory items are almost unconscious. But pilots are still people and people are fallible and make mistakes, and sometimes act unreasonably. Intent cannot be determined without clear evidence or statements because that's now how thoughts locked away in people's minds work.
> It's not arrogance to assume the most likely conclusion is true
You don't know this. This is beyond the capability to know and is therefore pure speculation. That is the definition of arrogance.
> sometimes act unreasonably. Intent cannot be determined without clear evidence or statements because that's now how thoughts locked away in people's minds work.
By this logic it would be impossible to ever find anyone guilty of murder (or any other nefarious action) with intent unless they explicitly state that it was in fact their intent.
Obviously this is not how justice works anywhere, because at some point you have to assume that the overwhelmingly most likely reason for doing an action was the true reason.
If someone pulls out a gun, cock it, aim it at someone and pull the trigger, killing the other person, should we hold off any judgement because they might have done it purely mechanically while in their head thinking about the lasagna they are going to cook tonight and not realizing what they were doing ?
The fuel cut off switches have a unique design, texture and sequence of action that need to be taken to actuate them, they don’t behave like any other switch.
Pilot are also absolutely not trained to engage with those particular switches until it’s instinctual.
Courts do not seek to establish the truth. They aim for a reasonable balance between false positives (innocents convicted of crimes they didn't commit) and false negatives (criminals allowed to go free). In practice, the false positive rate is probably around 5%, and innocents go to prison all the time.
Air accident investigations mostly deal with one-in-a-billion freak occurrences. Commercial aviation so safe and reliable that major accidents rarely happen without a truly extraordinary cause.
That's not what Occam's razor means. It means that after you have exhausted all options to rule out competing hypotheses, you choose the simplest one that remains, for the time being.
Consider some explanations that are consistent with the evidence presented so far. And remember that the purpose of the investigation is to come up with actionable conclusions.
1. One of the pilots randomly flipped and crashed the plane for no reason. In this case, nothing can be done. It could have happened to anyone at any time, and we were extraordinarily unlucky that the person in question was in position to inflict massive casualties.
2. Something was not right with one of the pilots, the airline failed to notice it, and the pilot decided to commit a murder-suicide. If this was the case, signs of the situation were probably present, and changes in operating procedures may help to avoid similar future accidents.
3. One of the pilots accidentally switched the engines off. The controls are designed to prevent that, but it's possible that improper training taught the pilot to override the safeties instinctively. In this case, changes to training and/or cockpit design could prevent similar accidents in the future.
Because further investigation may shed light on hypotheses 2 and 3, it's premature to make conclusions.
Extremely unlikely, since we can hear the other pilot ask why he turned the fuel switches. If it was an electrical glitch, he wouldn’t be able to see that they are in the cutoff position.
All we know is the pilot flying is only asking whether the pilot monitoring if he cut off
- We don't know if he meant the switch specifically at all. He could also have meant engines or thrust in general. There are many other visual signals and UX indicators to know if engines are spinning down. Thrust levels, to RPM to falling speed, change in angle of attack, rate of climb, even engine noise, vibrations you expect at full thrust etc.
- We also don't know if the switch was physically in cut off position in the first place or even if was the pilot noticed that specific visual signal and meant that when he spoke.
If it was a software issue, it is possible the switch was properly positioned, and software issue cut engine was cutoff, the display screens and other lights would show that.
In such a scenario, the pilot(s) would have likely checked with each other first if they did something as in the audio and manually tried restarting the engine as they seem to have done.
I am not saying it is a bug or any specific fault scenario, Just that it too early, we don't yet have enough information to say what is likely at all.
I think there are a couple of factors that disprove these theories:
- The specific mention of "cut off" in the CVR is very telling. If both pilots were genuinely surprised, you'd expect they'd say something like "engine failure" or "loss of thrust" first. Noone thinks the engines have been shut down as a knee-jerk reaction to a sudden loss of thrust.
- If investigators had the slightest indication there's a software or hardware bug out there that randomly causes dual engine failures, an emergency airworthiness directive would have been issued by now. This hasn't happened.
> an emergency airworthiness directive would have been issued by now. This hasn't happened.
737 Max incidents proved it isn’t always the case.
This is also not the NTSB or FAA doing direct investigation . Without certainty no one is issuing a directive, at this stage it is simply too early and only a possibility
I wouldn’t read so much intent during high stress part of takeoff from two non native speakers
> 737 Max incidents proved it isn’t always the case.
> This is also not the NTSB or FAA doing direct investigation . Without certainty no one is issuing a directive, at this stage it is simply too early and only a possibility
You are mistaken. The first MAX crash resulted in emergency directives being issued barely a week after the crash. That investigation was conducted by the Indonesian authorities, not US ones.
Emergency directives aren't issued when there's complete certainty, quite the opposite. Hence the "emergency" bit.
> I wouldn’t read so much intent during high stress part of takeoff from two non native speakers
I agree there's some fuzziness since the exact transcription wasn't provided. But "why did you cut out the engines" is by no means a normal question when facing sudden thrust loss.
Yeah and the other pilot flipped the switches back on and one of the engines started spooling up but it was too late.
Murder-suicide looks like the likely conclusion, given that flipping the cutoff switches requires a very deliberate action. That said, it's not entirely impossible that due to stress or fatigue the pilot had some kind of mental lapse and post-flight muscle memory (of shutting off the engines) kicked in when the aircraft lifted off.
The report shows 0 flight hours during the prior 24 hours for both pilots, and 7 hours and 6 hours each for the previous 7 days. It seems they were both fresh pilots for this flight.
However, the only relevant evidence that exists suggests they had enough rest. You don't build verdicts on suppositions, you build them on proven facts.
This does not guarantee you will reach the truth, but it's miles better than admitting every baseless hypothesis that comes up.
Aren't you the one building on suppositions? We know that they don't have flight hours. We cannot conclude what condition they were in aside from that.
to jump from "they could be tired or hungover" to "yeah or aliens" is very dishonest. Especially for a very fresh matter where we know very little, all our assumptions are just that, and nothing we writes has any bearing on anything.
0.1% of airline pilots fly intoxicated, and probably many more fly hangover which is an undetectable condition.
There is speculation that in the Air France flight 447 that crashed into the ocean en route to Paris, one or the pilots only had 1h of rest because of partying the night before. Of course it’s all speculative, and however unlikely it is, eventually it’s bound to happen that we get pilots with poor mental clarity in charge of large Boeings with hundreds of lives on board. Unfortunately it only takes one lapse of judgement to compromise the flight profile of a large airliner, even if corrected after a few seconds.
At some point I think we need to accept more control from automation. The model where ultimate authority reverts to a single input is a cop out. That could be pilot input, sensor input or even direction from ATC. They will all provide false data on occasions. When that data contradicts 99% of the other data then the safest option is to ignore it. And that doesn't just mean with compromised humans but with normal human weakness. Fully understanding the aircraft, its state, its systems and the minds of its crew is impossible.
In this case I wonder if the fuel cut off switches could be replaced by buttons for particular situations. Have an engine fire button or a shut down whilst on the ground button. Let the pilot provide input on state and let the automation decide what to do with that. Obviously this is not a solution to suicidal or murderous behaviour. But it could be a solution to all the low probability edge cases.
> The aircraft achieved the maximum recorded airspeed of 180 Knots IAS at about 08:08:42 UTC and immediately thereafter, the Engine 1 and Engine 2 fuel cutoff switches transitioned from RUN to CUTOFF position one after another with a time gap of 01 sec. The Engine N1 and N2 began to decrease from their take-off values as the fuel supply to the engines was cut off.
> As per the EAFR, the Engine 1 fuel cutoff switch transitioned from CUTOFF to RUN at about 08:08:52 UTC.
Damn. That's pretty quick to diagnose and take action.
Boeing's probably gonna have a big sigh of relief over this one.
> Boeing's probably gonna have a big sigh of relief over this one.
The 787 is 15 years old, and this particular plane was 10 years old. It always seemed unlikely to be a major, new issue. My money was actually on maintenance.
While unlikely, there have been issues before that took decades to surface (e.g. Aloha Airlines where a 737 manufactured more than a decade earlier became a cabriolet due to Boeing underestimating sea water corrosion and short flight cycles), or the 737 rudder issues where the planes were also 10+ years old.
I once worked with a software engineer who would do things and then bald face lie about it. This reminds me of that person.
Me: “The build is breaking right after you checked in. Why did you do that?”
Him:”I did not do so.”
Me: “The commit shows it as you. And when I rolled back everything builds.”
Him:”It must have been someone else.”
I’ve worked with some chronic liars. They would deny reality no matter how much evidence you had.
The weirdest thing was how often it worked for them. In each case their lying eventually caught up with them, but in some cases they’d get away with lying for years.
It’s amazing how often someone would have clear evidence against what they were saying, but the people in positions of authority just wanted to de-escalate the situation and move on. They could turn anything into an ambiguous he-said she-said situation, possibly make a scene, and then make everyone so tired of the drama that they just wanted to move on.
i worked in many companies but I always remember one , where during a public chat in the middle of an open office the programmer next to me (who was always conniving but I just ignored it ), said incorrectly something akin to " yes I know all about that source control its... based on locking " , the whole point was that although locking technically occurs, the SC would allow different coders to work on it at the same time. The non technical manager said correctly, "no the whole point is that the codebase isnt locked", to which the programmer replied " yeah thats what I mean".
In that moment I realised he was just bare faced lying right infront of everyone, about a technical subject, only HE should be the expert in, and to this day I am perplexed why his contract kept being renewed.
Eventually I was let go ( he possibly suggested I be let go ) for an incident that was unrelated to me.
This is all fine, but i learnt 5 years on he was still being paid a top 1% salary at the same company.
I promise the point isnt that I am jealous, its that this guy, who was a sub par coder and liar, somehow managed to keep his job whilst everyone else lost theirs and earnt untold amount in England ( where salaries are always low).
My goodness - I just remembered he was found by police driving a vehicle seemingly under the influence on a motorway, work found out after the police called them, and somehow he turned up the next day at work , lied about it, and STILL kept his job.
I am only mentioning this guy , because he was NOT a nepotist hire, he was just some guy who would lie and somehow people were ok with it. I still think of him often and wish I could have learnt more from his abilities just out of interest.
Does the Flight Data Recorder consider the physical position of the fuel switches or does it get the information from some fly-by-wire part that could be buggy?
The conversation would suggest that the switches were in CUTOFF position, but there is also a display that summarizes the engine status.
There is no conversation that mentions flipping the switch to RUN again.
EDIT: Why is there no Cockpit Video Recorder? The days of limited storage are over.
I've had discussions on HN with people who insisted that having a video camera always pointed out the control tower at the runway was some sort of impossibility. Despite every 7-11 having such a system.
This would leave accident investigators with a lot of work to do to try to figure out how a collision happened.
Airlines are decades behind on tech. You can get satellite internet almost anywhere on the planet and GPS can give you ten-foot accurate positioning, but we've still _lost_ planes because we haven't mandated a system that sends the realtime position of the plane over the satellite internet. The days of limited storage are still going strong in the industry.
There are reasons they don’t. This is a deceptively difficult problem
Cost is a big one (satellite data is still quite a bit more expensive than you think, especially with many stations)
And by stations, I mean aircraft. There are a TON. Current constellations probably wouldn’t even be able to handle half the current aircraft transmitting all at once. Bandwidth, in the physical sense, becomes a limiting factor
Coverage (different constellations have different coverage, which means planes would not have transmit guarantees depending on flight path). So you’d have huge gaps anyways
There have been alternative solutions posed, some of which are advancing forward. For example, GPS aware ELTs that only transmit below certain altitudes. But even that has flaws
Anyways I think we’ll see it in the next decade or two, but don’t hold your breath
There's somewhere around 15 thousand relevant planes in the air at any time.
If you sent two updates a minute over Iridium, using their 25 byte message plan, you'd be looking at a megabyte per minute for the entire planet. That's such a tiny fraction of what that single constellation can do.
Most airplanes regularly crossing oceans already do have satcom.
The cost of hardware and additional fuel consumption due to drag aren’t nothing, but the data used itself is essentially a rounding error. (Iridium for example has tiny antennas, and SBD data costs about a dollar per kilobyte, and position data is tiny.)
Of course, that’s all little help when a pilot acts adversarial; on MH370, the breakers for both satcom and transponder were likely pulled, for example.
Yep. Inmarsat has this data for most of the world widebody fleet, and had it for MH370... except when transmission stopped. It's not publicly shared information, because that's what the ADS-B transponder they're all equipped with is for...
Not necessarily. Required certifications, SLAs etc. for safety critical systems are vastly different from those only handling passenger entertainment/connectivity. For example, Iridium has been around for almost 30 years now (launched in 1998), but it only became certified for safety of life applications at sea in 2019, and for aviation around 2010.
Many planes still use completely separate systems for non-critical communication (often Ku or Ka band based geostationary satelliets) and for ATC or operational communication (usually L-band based Inmarsat or Iridium) as a result.
> Cost is a big one (satellite data is still quite a bit more expensive than you think, especially with many stations)
That’s nonsense. Even when I’m flying right over the north pole my airline will give me unlimited in-flight internet for $20. Maybe antartica has worse reception, but cost isn’t the issue.
> So the fuel supply was cut off intentionally. The switches in question are also built so they cannot be triggered accidentally
FAA issued a Special Airworthiness Information Bulletin SAIB NM-18-33 in 2018 warning that on several Boeing models including the 787 the locking mechanism of the fuel switches could be inoperative.
So? The comparison still makes no sense. Those switches cannot be accidentally flipped, and they are in a place where the pilots' hands have no action to take at all during that period. That is very different from mixing up two similar weapons in a similar location.
The pilots have no business with their hands in the area of those switches in that phase of the flight (9:30+ in the video). They don't even have to touch the throttle, and even if they did, that's a long way from where you touch the throttle down to the base where those switches are. Which you can't just flip either.
How is that even remotely similar to that cop's situation?
Yes, unbelievable things can happen. There are crashes where the pilot got discombobulated and a crash resulted.
For another example, there are at least two crashes I recall (and I am sure there are many more) where the pilot pulled back to recover from a stall despite being trained endlessly to push forward to recover. (And they killed everyone on board.) Pilots get confused by what an alarm means, and do the wrong thing. Pilots assume the autopilot is on but they had accidentally turned it off. Sometimes people get crazy urges to do the wrong thing (there's a word for that: cacoethes).
These things are rare, but when there are millions of flights, rare things happen.
Suicide is quite a stretch without any supporting evidence from the pilots' backgrounds. I would take mental fog, cognitive overload, wrong muscle memory, even a defective fuel cutoff system over suicide.
Agreed. The sequence of events also supports this.
I believe one of the pilots made a terrible muscle memory mistake and cutoff the fuel instead of raising the landing gear. This would explain why the landing gear was never raised, why the pilot who was accused of cutting off the fuel denied it (in his mind he had only retracted the landing gear) and why the engines were turned back on after presumably realizing the mistake.
Not that humans are known to behave rationally when trying to commit suicide, but it’s interesting that the switches were re-engaged successfully without protest or a fight. It’s just an interesting detail to wonder about.
The reasoning I’ve heard is: it didn’t matter anymore, the damage was already done and there was no way any attempts at recovering from it would have been successful.
and immediately thereafter, the Engine 1 and Engine 2 fuel cutoff switches transitioned from RUN to CUTOFF position one after another with a time gap of 01 sec
Or more precisely, the signals which come from them were found to behave as such.
Without any audible record of turning the switches off, I wouldn't blame the pilots without first checking the wiring and switches themselves for faults. This reminds me of the glitches caused by tin whiskers.
But from the audio recording it seems like one pilot is noticing them bering in the CUTOFF position, and asking why (and moving it back). If the switch was actually in RUN, but some other issue caused the signal to be sendt, the pilot would see it beeing in the RUN position, not CUTTOF.
This is very clearly EAFR data, so the logical/electrical switch state. Nothing about the mechanical state of the switches has been mentioned, except a picture that shows their final state to be in the RUN position (which makes sense given the relight procedure was ongoing).
From what I understand, the relight procedure involves cycling these back to CUTOFF and then to RUN anyway. So it is not clear if they were mechanically moved from RUN to CUTOFF preceding the loss of thrust, or cycled during relight.
You can't yet - what we have is this sentence from the report: "In the cockpit voice recording, one of the pilots is heard asking the other why did he cutoff.
The other pilot responded that he did not do so."
It's not a direct quote or transcript, it's reported speech.
I agree, there's a significant distinction between "the switches were (physically) flipped" and "the circuit was opened/closed".
In this case, it may be a moot distinction, particularly if no physical evidence of fault or tampering has been discovered in investigation. But, in theory, very important - there's a lot of potential grey-area between the two statements.
The proximity of the incident to the ground may also increase the possible attack vectors for simple remote triggers.
My understanding from what we've been reading is that these are physical switches that cannot be moved using remote triggers. Wildly speculating, there _may_ be a possibility that the _effect_ of the switch may be triggered remotely, if it's a signal being read by a control unit or computer of some sort that then actuates the specific electromechanical components. But it would seem impossible to move a physical switch to do it.
As an analogy, if you have a smart lock, you can remotely trigger the _effect_ of turning the key using (let's say a bluetooth control), but if a key is inserted into the keyhole, unless there is two-way mechanical linkage, that key _will not turn_.
If that was the case, it does seem a bit odd that there was a one second gap. But yeah, still worth investigating, if that’s even possible given the extensive damage.
> And both pilots deny doing it.
> It's difficult to conclude anything other than murder-suicide.
You’re trying to prove a negative here.
I am not familiar with the 787 operations, but there are a few issues that need to be sorted out first:
- altitude when pilots start the after takeoff checklist
- if there are any other switches that are operated in tandem in the general vicinity of where the engine cutoff switches are
- if the cutoff switches had the locking mechanisms present, and if not, if they could be moved inadvertently by the pilot flying hand
Discarding other possibilities in an investigation can have adverse consequences.
Did you ever always push the right buttons every time?
The switches have lockout mechanisms that prevent accidental triggering. I'm not a pilot, but these guys are, and they find it exceedingly unlikely that anyone would switch both off by accident:
You have to time it spy movie right to ensure dying.
This is what I am debating.
There are too many variables you need to account for.
For example, I want an expert opinion about the tone in the cockpit when the other pilot said “No, I did not touch it” or what was said. Is it calm? Surprised? Cold?
> Did you ever always push the right buttons every time?
A whole world full of 787’s is pushing the right buttons every single day. If we’re talking about accidentally pressing buttons it seems we’d have seen incidents before.
I wonder if the switches are still in tact after the crash? Can they verify that the switches are mechanically sound? If so, seems highly likely it was intentional.
I'd suspect the wiring leading from the switches to the engine controllers first, especially since it looked like both circuits cut out nearly at the same time.
This is speculation again since I don't really know, but my understanding of aviation engineering is that there would be two separate controllers for each engine connected to these two switches. At no point would they be connected to the _same_ control unit. The really short time (~1s) between the two being cutoff is the difficult thing to explain here.
Are the wires leading up to those switches on the console also kept separate, or are they just bundled together as part of the same harness (presumably before it splits to go to the engines)? I think that's also important in understanding the possible failure modes.
> It's difficult to conclude anything other than murder-suicide.
The balance of probability might tend to support that hypothesis. However I'm wondering if it was just something involuntary. My ex for instance who learned to drive on a stick shift would randomly stall the engine after a few weeks driving an automatic.
You have to pull the switches out (against a spring) to be able to move them over a notch and flip them. Not really something you can just mistake for another switch or bump into by accident.
I'd liken it to turning off the ignition by turning the key while driving your car. Possibly something that could happen if you're really fatigued, but requires quite a mental lapse.
Is it possible to rest the switch on the notch? Does the switch make contact if the switch is in the RUN position but the switch is not completely down?
That is, is it possible they flipped the switches over to RUN but did not seat the switches properly, and instead leaving them on top of the notch, with later vibration causing the switches to disengage?
Just trying to think of some semi-plausible non-active causes.
?? One pilot to other: why cut-off. Other: Did not do it
08:08:52 Engine 1 run
08:08:52 Engine 2 run
1 second to switch them both off and then 4 seconds to switch them both on. No one admitted to switch them off. They are probably going with fine comb over the audio and also the remains of the chared switches.
Looks like the engines react very quickly to cut-off so it is not clear whether the question about the cut-off is prompted by a glance to the switches or the feel of the airplane.
The big question is whether the switches were moved or something made it seem as if the switches were moved.
Well in the murder-suicide scenario it makes sense for the culprit to turn them off as quickly as possible. The longer time to turn them on could plausibly be a struggle or simply needing to fly the plane while reaching for each switch individually.
> Looks like the engines react very quickly to cut-off so it is not clear whether the question about the cut-off is prompted by a glance to the switches or the feel of the airplane.
The workload is pretty high during the takeoff phase. The engines react right away when fuel flow is stopped. The engine displays can have some lag before data is updated.
Relighting an engine at low speed is not feasible - most need 230-250kts IAS before attempting the operation.
Maybe you could do it if the APU was still running and could provide compressed air, but it takes about 20-30 seconds to start up amd then probably 5-10 more to spool up to full thrust. I am speculating here a bit, but the pilot did not have enough time to save the plane even if he did everyting right and as fast as humanly possible.
All this aside is overshadowed by the limited amount of time the pilot flying (I would assume the captain in this case since there was only one ATPL pilot in the cockpit) had to troubleshoot the issue of a dual engine failure - as this is what would have felt to him - during takeoff.
My bad. I assumed it was the captain since the report says the FO only has a CPL license. And I was a bit surprised he could fly on a comercial airplane with only that kind of license and not an ATPL one.
Did you mean to say you can activate the switches with one hand simultaneously? That is probably what the above commenter assumed you meant. Since lifting and twisting two switches simultaneously with one hand seems challenging.
snypher: You can do them with one hand. [Ed. This is ambiguous and could be read as "one hand, simultaneously". In fact, doing it with one hand non-simultaneously would be a weird claim to make of a simple knob. See also ajb's comment below.]
zihotki: Really? They are not close together and have a spring mechanism. [Ed. Seems to believe snypher is claiming simultaneous operation.]
Context is both these switches being turned off with a 1 second gap. Doing it with one hand simultaneously would possibly explain it, otherwise it doesn’t seem relevant.
What I gathered from comments here is it's not a simple flick of the switch and it actually takes some effort to turn them off. Can you really do it twice within the span of 1 second?
You pull it out and flip it. It’s not easy to do inadvertently. But it’s also not convoluted—you want to be able to quickly cutoff if there is an engine fire.
I wonder if they could theoretically rest on top of the notch, not fully locked into either position and flip accidentally. No idea how the switches behave when not all the way up or down, but the notch looks pretty long and flat so it could be possible.
It could be defective switch springs, fatigue-induced muscle memory error, or something else. The pilot who did it saying he did not may not have realized what he did. It's pretty common under high workload when you flip the wrong switch or move a control the wrong way to think that you did what you intended to do, not what you actually did.
That said Boeing could take a page out of the Garmin GI275. When power is removed it pops up a "60s to shutdown dialog" that you can cancel. Even if you accidentally press SHUTDOWN it only switches to a 10s countdown with a "CANCEL" button.
They could insert a delay if weight on wheels is off. First engine can shutdown when commanded but second engine goes on 60s delay with EICAS warning countdown. Or just always insert a delay unless the fire handle is pulled.
Still... that has its own set of risks and failure modes to consider.
If its both engines you're fucked anyway if its shortly after takeoff.
But I'm an advocate of KISS. At a certain point you have to trust the pilot is not going to something extremely stupid/suicidal. Making overly complex systems to try to protect pilots from themselves leads to even worse issues, such as the faulty software in the Boeing 737-MAX.
Was thinking this same thing. A minute feels like a long time to us (using a Garmin as the example said) but a decent number of airplane accidents only take a couple minutes end to end between everything being fine and the crash. Building an insulation layer between the machine and the experts who are supposed to be flying it only makes it less safe by reducing control.
Proposed algorithm: If the flight computer thinks the engine looks "normal", then blare an alarm for x seconds before cutting the fuel.
I wonder if there have been cases where a pilot had to cut fuel before the computer could detect anything abnormal? I do realize that defining "abnormal" is the hardest part of this algorithm.
The incident with Sully landing in the Hudson is an interesting one related to this. They had a dual birdstrike and both engines were totally obliterated and had no thrust at all, but it came up later in the hearing that the computer data showed that one engine still had thrust due to a faulty sensor, so that type of sensor input can't really be trusted in a true emergency/edge case, especially if a sensor malfunctions while an engine is on fire or something.
As a software engineer myself I think it's interesting that we feel software is the true solution when we wouldn't accept that solution ourselves. For example typically in a company you do code reviews and have a release gating process but also there's some exception process for quickly committing code or making adjustments when theres an outage or something. Could you imagine if the system said "hey we aren't detecting an outage, you sure about that? why don't you go take a walk and get a coffee, if you still think there's an outage in 15 minutes from now we will let you make that critical change".
If the computer could tell perfectly whether the engine “looks normal” or not, there wouldn’t be any need for a switch. If it can’t, the switch most likely needs to work without delay in at least some situations.
In safety-critical engineering, you generally either automate things fully (i.e. to exceed human capabilities in all situations, not just most), or you keep them manual. Half-measures of automation kill people.
But humans can't tell perfectly either and would be responding to much of the same data that automation would be.
I wonder if they could have buttons that are about the situation rather than the technical action. Have a fire response button. Or a shut down on the ground button.
But it does seem like half measure automation could be a contributing factor in a lot of crashes. Reverting to a pilot in a stressful situation is a risk, as is placing too much faith in individual sensors. And in a sense this problem applies to planes internally or to the whole air traffic system. It is a mess of expiring data being consumed and produced by a mix of humans and machines. Maybe the missing part is good statistical modelling of that. If systems can make better predictions they can be more cautious in response.
If the warning period is short enough is it possible it's always beneficial or is 2-3 seconds of additional fuel during a undetected fire more dangerous?
First, the fire handles would override any delay and cut fuel (and other things) immediately.
Second: the window of time where you don't have enough altitude (aka time) to restart is relatively small. So this could easily be a temporary protection.
It is difficult to find exact data on this but restart to significant thrust seems to be in the 30-60s range. If you run the numbers on climb rate and glide time the possible danger zone is relatively small, a few minutes after takeoff at most.
Is this an extremely rare event? Yes. But most other accident causes are also rare, regardless of whether they are pilot error or mechanical.
For example: you might think no pilot would deploy the thrust reversers in flight but system protection errors and/or mechanical failures have conspired to allow it and a bunch of people paid in blood to learn that reverser deployment in flight at altitude was actually unrecoverable - contrary to conventional wisdom at the time. It turned out everyone was flying around with a "kill everyone now" mechanism. In some cases with a much lower margin of safety than previously believed due to the aforementioned "conventional wisdom" that if it happened it wouldn't be a big deal.
Know what else isn't normally a big deal (relatively speaking)? Accidental shutdown of both engines. Because a single engine shutdown is easily recovered and the aircraft can fly on one engine. And dual engine shutdown is easily recovered with a restart if you have enough altitude. But it turns out there's a small window after takeoff where it is fatal.
Somewhat relatedly shutting down the wrong engine in an engine failure scenario is so common they explicitly train crews to slow down and not immediately shut down an engine after failure because rushing just leads to dual engine loss.
Delay is probably worse - now you're further disassociating the effect of the action from the action itself, breaking the usual rule: if you change something, and don't like the effect, change it back.
There is a relatively short window where dual engine shutdown is unrecoverable. Once you have a bit of altitude (and these jets climb at 2000-3000fpm) you have time for a restart and as thrust comes back sink rate will decrease even on one engine.
My proposal is during this window if dual engine shutdown is commanded don't do it. Treat it like it is happening - show the EICAS message, give the alert, but don't actually do the shutdown until the window has passed. This gives the pilots 10 seconds of startle factor then a bit of time to flip the switch back on.
Single engine shutdown would still behave as today so sure if one engine eats a fan blade shut it down. Not that it matters, the engine computer is going to cut fuel in that case anyway.
Insert a delay only for shutting down the remaining engine and only for X seconds after transition to air mode. A delay that the fire handle overrides.
Just a tiny bit of insurance. There aren't any emergency scenarios at low altitude where engine shutdown works but pulling the fire handle does not. You are coming right back to land at the airport no matter what.
Shutting off both engines would display "ENG SHUTDOWN" in yellow text (caution) on the EICAS. If only one engine was shut down, it would say "ENG SHUTDOWN L" or "ENG SHUTDOWN R".
Any of these would trigger an unmistakable audible "BLEEP BLEEP BLEEP" to draw your attention to the screen so that you could see what the caution was. These messages are right next to the engine N1 indications anyway, so it would be immediately obvious that one or more of the engines was spooling down.
I'm doing it all the time while rebasing commits or force pushing to my branch. Sometimes I would just click the wrong buttons and end up having to stay late to clean the mess. It's a great thing I'm not a pilot. I would be dead by now.
This is a place that puts "Hacker" in the name despite the stigma in the mainstream. Given the intended meaning of the term, I would naturally expect this to be a place where people can speculate and reason from first principles, on the information available to them, in search of some kind of insight, without being shamed for it.
You don't have to like that culture and you also don't have to participate in it. Making a throwaway account to complain about it is not eusocial behaviour, however. If you know something to be wrong with someone else's reasoning, the expected response is to highlight the flaw.
For me it's mainly about intent/unearned confidence.
If someone is speculating about how such a problem might be solved while not trying to conceal their lack of direct experience, I'm fine with it, but not everyone is.
If someone is accusing the designers of being idiots, with the fix "obvious" because reasons, well, yeah, that's unhelpful.
For the record I don't think the designers of the switch or Boeing are idiots. The switches have guard notches and the throttle quad has metal guard edges to help prevent accidental activation.
As far as we know this is the first accidental dual engine cutoff at low altitude; with just a bit more altitude (not sure of how much exactly) the engine that had restarted and was ramping would have started producing enough thrust to arrest their descent. That makes the margin of "unrecoverable" a lot smaller than you might initially think.
Bottom line is it is worth considering implementing some protection here:
1. It can be done in software without a lot of complexity
2. The transition to "air mode" is relatively reliable.
3. The failure scenario is the system doesn't provide the protection but because the failure we protect against is very rare that is acceptable
4. It typically fails "safe": allowing shutdown without delay and worst case is a delay in shutdown.
5. The fire handle overrides delay; if things are going so wrong the delay matters the engine isn't coming back and pulling the fire handle is likely already part of your checklist.
The benefit being elimination of the small window after takeoff where accidental dual engine shutdown is unrecoverable.
Obviously before implementing something like this the proper engineering and failure analysis has to be done.
I don't think most think they know better but it's frankly fun to speculate and this is a casual space rather than the serious bodies tasked with actually chewing over this problem in earnest.
First I am a pilot. Not commercial or jet rated but I like to think I have a tiny bit more insight than average.
The point of what GI275 does is as a backup instrument you are much more likely to need it when the electrical system fails or is turned off due to fire. Yet if it just remains on until shutdown pilots would frequently forget to turn it off on the ground, resulting in its battery being worn out. Because it is considered critical it delays its own shutdown. Long enough for you to notice in flight but not so long it wears out the battery (which might result in only a few minutes of power in a real emergency).
My entire point was that engine restarts take some time. If both engines eat a blade or catch fire you are screwed anyway so whether or not the fuel cutoff switch does anything at 1500ft is irrelevant. But that is so rare I don't think we have any events on record. So it might be worth inserting a delay - enough to account for standard climb rates to achieve enough altitude to make restart likely or at least possible. The delay would only be for the second engine shutdown and only for time T after going into air mode. And if the system gets it wrong, thinking the other engine is shutdown when it is not pulling the fire handle would override any delay - and pulling the fire handle is part of any engine failure or departed aircraft procedure I know of. In other words you wouldn't even need to change the QRH or emergency checklists in most cases.
I noted that engineering for aviation is complex and everything has failure modes to consider. Privately I went through several iterations of this idea and discarded them for problems with failure modes and complexity. What I proposed is boiled down to the minimal thing that would have saved this flight.
The other thing I'll say is there is a reason the computer will auto-extend some flaps/slats at slow speed even if you put the handle to zero. And there's a reason auto-throttle provides protection. And with the exception of the 737 the computer auto-starts the APU on dual engine failure. And any attempt to deploy thrust reversers in the air is ignored. And stick pushers exist for good reason.
We put in all kinds of measures to override human decisions to prevent mistakes and errors.
It literally is. Accidental/malicious activation can be catastrophic, therefore it must be guarded against. First principles.
The shutoff timer screen given as an example is a valid way of accomplishing it. Not directly applicable to aircraft, but that's not the point.
> "ugh can't you just do what garmin did"
That's your dishonest interpretation of a post that offers reasonable, relevant suggestions. Don't tell me I need to start quoting that post to prove so. It's right there.
(Different user here) Hacker News' "culture" is one of VC tech bros trying to identify monopolies to exploit, presumably so they can be buried with all their money when they die. There's less critical thinking here than you'd find in comments sections for major newspapers.
If Boeing only had the foresight to hire an army of HN webshitters to design the cockpit, this disaster could have been averted.
All the controls would be on a giant touchscreen, with the fuel switches behind a hamburger button (that responded poorly and erratically to touch gestures). Even a suicidal pilot wouldn't be able to activate it.
Yeah, people shouldn't bat ideas around and read replies from other people about why those ideas wouldn't work. Somebody might learn something, and that would be bad.
Reminds me of 2017 Las Vegas shooting. The perpetrator looked and acted completely normal till the day of shooting and all his issues like anxiety or losing money was nothing far from ordinary. And what seems all of a sudden did a well planned shooting and didn't bother to leave a note or tell his story.
There's 0 reason to conclude murder-suicide, there's an infinitude of things that could have the same result, and both pilots denied it to eachother: how is that presented as proof?
I hope I don't need to explain why the fact no one knew in advance the Las Vegas shooter was going to shoot has ~0 similarities with the situation as we know it, and banal similarities with every murder.
Could you explain more? There's too many negatives in that last sentence for my decaffeinated early morning brain. I'm titillated by the idea there's a way to justify making up things so I really want to parse it.
A rodent chewing on wires. Vibration-induced chafing. Tin whiskers causing an intermittent short. There are many possibilities, those came to mind first.
But why does the pilot then comment that they are in the CUTTOF position and move it to RUN? A mechanical failure would have to also move the physical switch in the cockpit for the audio recording to make sence.
You have the exact CVR audio? The report says "one of the pilots is heard asking the other why did he cutoff" which I interpreted to mean one of them noticed the engines shutting down, and asked the other if he did that.
Then he would have asked the other pilot why the engines are shutting down. It seems a lot more probable that he glanced at the switches before asking such an explicit question.
From the preliminary report, quote: "In the cockpit voice recording, one of the pilots is heard asking the other why did he cutoff. The other pilot responded that he did not do so."
I'm trying to understand your complaint here... you think you need to hear their voices with your own ears to believe it?
We know that the switches physically moved from the run to the cutoff position because one of the pilots noted that they were in the wrong position. We know that they were moved back to the run position because they found in that position. I don't understand how a short could explain that - it really seems like someone would have had to physically move the switches.
What we have is reported speech: "In the cockpit voice recording, one of the pilots is heard asking the other why did he cutoff. The other pilot responded that he did not do so."
So we don't know the exact words used. Did he say for example, "Why did you move the switches to cutoff" or did he ask "Why did you cut off the engines"? If there are indeed two shorts (astronomically low as those probabilities are), the other pilot would say "I didn't", look around confused and then (possibly?) flip both of them down and back up? Which could explain the 4s delay in pulling them back up.
Speculation, but since we do not have actual transcripts or recordings, all I'm doing is answering speculation with more speculation.
Do we know that the pilot noticed they were in the wrong physical position, or did some other status indicate the engie fuel had been cut?
I would be surprised if there was only one channel for this information
In the last mentour pilot livestream, they showed the simulator and both engines, and there's a little graphic near the cutoffs showing engine state and performance. Also, in _this_ livestream as soon as the report was released, Ben mentions in response to a question that if you cut off the engine, a lot of electrical systems are going to face power cuts, so there will be alarms blaring all over the cockpit. So, yes. There are many channels of information here.
It amazes me that some people can ever make it out the door if they spend all their lives contemplating a series of increasingly unlikely possibilities.
It's not that rare, and there are institutional factors (such as seeking treatment for psychosis being career-ending for a pilot) that incentivize serious pilot mental health crises being untreated.
This is highly reminiscent to me of this case. [0] The co-pilot accidentally hit the wrong switch and then quietly corrected his mistake later, without resetting the previous switch (which led to feathering).
>It's difficult to conclude anything other than murder-suicide.
This kind of attitude gets innocent people behind bars for life. Disgusting.
It's difficult to conclude anything until the investigation is finished and I hope the ones who are carrying it out are as levelheaded, neutral and professional as possible.
Cutting the engines within seconds of leaving the ground doesn't fit suicide very well. I'd expect something more like flying into the side of a mountain or heading really far out into the Indian ocean until you vanish from radar and cause a big mystery.
For instance, you might deliberately kill yourself by driving your car really fast into something solid, but you probably wouldn't try to do that while backing out of the garage.
I think it is opposite.
Flying into a mountain & etc would require one pilot to somehow incapacitate another pilot.
Cutting fuel off, if done on takeoff, is not recoverable (engines can’t relight and spin up quickly enough).
It's interesting to see how people manage incomplete information.
You could have made the same assumptions after the first MCAS crash, much like boeing assumed pilot error. It's easy, comforting and sometimes kills people because it makes you stop looking.
I know this thread runs the gamut of armchair experts, pretend experts, and actual experts and there's no telling who is which but I really want to know why the downvotes and why this is not a good idea.
The idea is to notify for crucial settings, replace vocal confirmation (probably) already in the SOP anyway, reducing mistakes in bad faith or otherwise.
Don't some planes already have an automated announcement for seatbelts on?
Only reason I can think of why it's not there yet is the cost (whether $$$ or design opportunity) of cramming that in the already-cramped cockpit.
My first instinct is that the suggestion is overfitted due to hinsight bias. This particular accident happened to involve these particular switches so let's add a warning to these switches. Duh!
Some problems that immediately come to mind:
- For which settings is there going to be a voice confirmation? Is their confirmation more important than all the other audio warnings?
- During emergency situations, when pilot workload is high, will these only add to that workload, making the emergency even worse?
- Will the pilots get so used to hearing these every day that their brains will simply tune them out as background noise?
Really though, if a pilot wishes to doom an aircraft, there's 1000 different ways they could do so. The solution to this problem likely lies in the pilot mental health management department, rather than the fuel cut off switch audio warning one.
Pretty obviously a bad joke and a bad idea IMO. I did not personally downvote, but I think it deserves its current score.
Look at the timeline of the events. The switches were shut off, noticed to be shut off, and restored to the proper position within 10 seconds with the current system. Insufficient notification that the switches have been turned off was clearly not a problem in need of a solution. It would be slower and more challenging to understand an automated verbal announcement than the surely extremely obvious sudden lack of thrust and all engine dials rapidly dropping to zero.
So it wouldn't contribute at all to solving this particular case, would only be a slightly annoying distraction in the more normal case of normal aircraft shut-down after completing its flights, and would be a potentially hazardous distraction in the intended emergency case of engine is on fire and fuel must be cut off immediately, where there's probably a bunch of other extremely important and urgent things to pay attention to and do other than a silly automated warning telling you what you just did.
It's a joke about the design of safety systems involving actual human lives (movies being more safe). I get an audible warning on my laptop if i hit a key for too long for God's sake. These companies are a joke.
Do you know if the mechanical position of the switch guarantees its electronic state without any possibility for hardware malfunction? If no, then you are claiming a person made one of the most grave acts of inhumanity ever.
This sounds to me like an electronics issue - an intermittent, inadvertent state transition likely due to some PCB component malfunction
The time between the two switches being activated and then them being switched back on after being noticed strongly suggests that they were actually manipulated. Malice looke very likely to me. An investigation into the pilots life may turn something up, I guess.
It’s worth noting that Premeditation or “intention” doesn’t have to factor into this.
Studies of survivors of impulse suicides (jumping off of bridges etc) indicate that many of them report having no previous suicidal ideation, no intention or plan to commit suicide, and in many cases no reported depression or difficulties that might encourage suicide.
Dark impulses exist and they don’t always get caught in time by the supervisory conscious process. Most people have experienced this in its more innocuous forms, the call of the void and whatnot, but many have also been witness to thoughtless destructive acts that defy reason and leave the perpetrator confused and in denial.
> The time between the two switches being activated and then them being switched back on after being noticed strongly suggests that they were actually manipulated
How so? It is just as likely to be an intermitted electronic malfunction.
And then 10s later the switches magically fixed themselves? The likely not electronically connected switches since that would compromise engine redundancy?
It is, and one would expect that a single switch failure would be far more probable, so how often have we had switch failure single engine cutoff in the 787?
So the fuel supply was cut off intentionally. The switches in question are also built so they cannot be triggered accidentally, they need to be unlocked first by pulling them out.
> In the cockpit voice recording, one of the pilots is heard asking the other why did he cutoff. The other pilot responded that he did not do so.
And both pilots deny doing it.
It's difficult to conclude anything other than murder-suicide.