Posts about: "Dual Engine Failure" [Posts: 231 Pages: 12]

The Indian Express is carrying a story ( https://indianexpress.com/article/ci...lues-10077117/ ) that includes the following:"Investigators probing the June 12 crash of Air India flight AI-171 from Ahmedabad to London Gatwick are taking a close look at a February 2020 incident in Gatwick, involving an Airbus A321, in which both engines malfunctioned immediately after takeoff. It led to a Mayday call before the aircraft returned to Gatwick 11 minutes later after a turnaround." ...

..."it was \x93clear from visual observation and wreckage\x94 that the flight suffered a power failure." ...

..."The black boxes and the DVR have been recovered but the officer said that the devices were damaged and file extraction would \x93be a complicated process\x94." ...

... "We will check the technical logs to see if any of the engineering teams or pilots of the previous flight left comments on the performance of both engines"
Assuming there is some credence to the article, dual engine failure due to water contamination is the leading theory. It certainly fits much of the speculation in this thread. It may be that the flight data was not captured and much more reliance will be on forensic examination of the CCTV footage and the wreckage. Those waiting for the flight data to be published may be disappointed.

If the original CCTV footage was made available, together with a detailed survey map of the airport, it will be possible to accurately estimate the takeoff speed and altitude during all the critical periods. My guess is thrust was reduced or lost very early and perhaps before the aircraft left the tarmac. Then shortly after becoming airborne, power was lost resulting in the deployment of the RAT. It is doubtful that the pilots shut down the engines or the wrong engine. Likewise flap/slat misconfiguration is unlikely.

No it can't be. All discussion about power loss is to be focused on TMCA, FADEC and RATs being deployed. Anything else has already been discussed.

Yes. I simplified. The point stands that the throttle needs to be pulled back, as it was in the ANA event, because that was a landing and not a take-off.

First, you posted a good summary. I'd have added "unanticipated hardware fault" and "unanticipated software fault" as generic causes.

Note that the thrust lever actuators are wired to the FADECs, and that the TCMA gets the T/L position from that. For TCMA to trigger, it has to determine that its FADEC (on that engine) failed to achieve a commanded reduction in thrust. So we're either looking at a weird, unprecedented edge case, or a FADEC failure, or both.

It has been mentioned before that this capability existed as part of the N2 overspeed protection: the FADEC would shut down a runaway engine by cutting its fuel before it disintegrates.
The thrust lever sensors are wired directly to the FADEC (and hence the TCMA). No data bus is involved with this item.

With a MCAS crash, it required a hardware problem with an AOA sensor, used as input to a correctly working MCAS, to cause the aircraft to behave erratically. With a correctly working TCMA, I believe it'd require two hardware problems to get TCMA to shut down the engine, as there'd have to be an implausible thrust lever reading, and a FADEC/engine failure to process it within the TCMA allowed range ("contour"?). On both engines, separately and simultaneously.

That leaves a software problem; it's not hard to imagine. The issue is, at this point it's just that: imagination. I could detail a possible software failure chain, but without examining the actual code, it's impossible to verify. We simply don't have the evidence.
I could just as well imagine a microwave gun frying the electronics on both engines. An escaped hamster under the floor peeing on important contacts. A timed device installed by a psychopathic mechanic. There's no evidence for that, either.

This process is a way to psychologically cope with the unexplained accident, but because it lacks evidence, it's not likely to identify the actual cause. We've run the evidence down to "most likely both engines failed or shut off close to rotation, and the cause for that is inside the aircraft". Since the take-off looked normal until that failure, we have no clues as to the cause hidden inside the aircraft. We need to rely on the official investigation to discover and analyse sufficient evidence. The post-crash fire is going to make that difficult.

"Both engines failed or shut off close to rotation" explains all of the evidence : it explains an unremarkable take-off roll, loss of lift, absence of pronounced yaw, loss of electrical power, loss of the ADS-B transponder, RAT deployment, the noise of the RAT banging into place and revving up, emergency signs lighting up, a possible mayday call reporting loss of thrust/power/lift, and a physically plausible glide from a little over 200 ft AAL to the crash site 50 feet (?) below aerodrome elevation .
It explains what we saw on the videos, what the witness reported, where the aircraft ended up, and the ensuing sudden catastrophe.

I don't believe we have evidence for anything else right now—I'd be happily corrected on that.

-----
Edit: the evidence of the crash photo with the open APU inlet door, and the main gear bogeys tilted forward, are also explained by the dual engine failure/shut off.

There is no inter-engine interaction. But if both FADECs are running the same software then they will potentially behave identically to some bug or external input / condition. That's why software redundancy isn't always redundancy.

I agree.

Thank you. So saying "TCMA would only trigger if WoW and RA have failed somehow" is incorrect? Those are simply inputs to software, which might itself fail badly for other reasons. See the FAA AD to replace FADEC software on certain P&W engines following a previous uncommanded dual engine shutdown.

There you go, that’s the tell I expect. Someone sloshing chemicals around and it was finally been noticed in the paperwork somewhere and then they start checking the accident records or vv

https://www.gov.uk/aaib-reports/airc...-february-2020

In general, we can classify computer errors into 3 categories:

1. Errors in system design, specifications, or algorithms. These are cases where the computer does exactly what it was designed to do, but the design itself was flawed or inadequate, or had unforeseen consequences. This would include things like MCAS on the 737 MAX.
2. Software errors. These are cases where the computer does exactly what the code tells it to do, but not what the designers wanted it to do. This results from mistakes in writing the actual code, and this is usually what we'd refer to as a "bug." This includes things like race conditions, loops that fail to terminate, incorrect type conversion, etc.
3. Hardware malfunctions. These are cases where the computer does something different from what the code instructs. It can involve memory corruption or data bus corruption. It can result in a system that appears to work, but returns incorrect outputs, e.g. a calculator saying 2+2=5. It can also cause the computer to execute valid instructions, but at an inappropriate time. It can result from manufacturing defects in components, cosmic rays (SEU or SEE), radiofrequency interference (HIRF), moisture ingress, failed solder joints, and numerous other things.

As I said previously, I think we can rule out category 3 in this case. Hardware malfunctions are essentially random events. They're inherently unpredictable since there's little to no relationship between what the system was supposed to do and what it actually does. It would be astronomically improbable for the same failure to occur on both engines at the same moment.

Categories 1 and 2 would be common to both engines, so they both remain plausible. For category 2, it would be impossible to identify the issue without analyzing the complete source code. Since we don't have access to that code, this is a dead end. It could be the cause, but we won't be able to figure it out. Looking at how the FADECs are designed to work isn't going to be very useful here, since by definition, they'd be doing something they weren't supposed to.

Category 1 is a bit different. There are 2 functions we know of that can close the fuel shutoff valve: TCMA and N2 overspeed protection. We don't have the complete specifications, but the basic logic of both functions has been described. If we assume that one of these was the cause, then the conditions for one of those functions must have been met.

The conditions for TCMA, at least as it's been described in this thread, are:

• Airplane on ground
• Thrust higher than commanded by thrust lever angle (TLA) for some period of time

It's reasonable to assume that the first condition is common to both engines. But that still leaves the second. To my knowledge, there's no plausible scenario that would cause that condition to be met on both engines simultaneously. Each thrust lever has 2 resolvers which are wired directly to the corresponding FADECs. That means the signals don't pass through any common component. An incorrect reading from one resolver could conceivably trigger TCMA, but I don't see any reason why that would happen to both engines simultaneously.

As for the overspeed protection, as far as I know, there's only one condition: N2 greater than a certain value. That reading comes from sensors that are inside each engine and wired directly to the FADECs. I don't see any way this could affect both engines simultaneously either, but it still seems a bit more likely than something involving TCMA since it only requires 2 separate, simultaneous failures rather than 3 or more.

For the sake of accuracy, I should also note that not everything fits neatly into one of my 3 categories. For example, let's say we have a machine that's programmed to shut down if any one of 3 parameters goes above a certain value. If one of those values gets corrupted by a faulty memory chip, the machine could shut down unnecessarily. If we add more parameters to the list, the probability of an inadvertent shutdown increases since there are more critical areas in memory. As another example, consider a case where corruption of the CPU's program counter causes it to inadvertently jump to a particular subroutine. If we add more subroutines that can trigger a shutdown, we make the machine more vulnerable, albeit to a very small degree. Changes like these are sometimes referred to as "increasing the surface area."

Due to those types of scenario, I will admit that the existence of something like TCMA probably makes an engine ever-so-slightly more likely to fail. Whether the benefit is worth the cost could be debated. In any case, I still find it pretty unlikely that any of this will turn out to have been a factor in this accident.

Under most circumstances you would apply the benefit of the doubt but as the RAT deployed (something there is a lot of evidence for) it strongly suggests this. Yes, the RAT can deploy for other reasons but that would imply an even greater level of coincidence than two engines failing in a short period (3 hydraulic systems, 4 generators, etc.). The distance they went until ground contact also ties in with a loss of pretty much all thrust, as does the audio recording of idling/windmilling engines. There is also the fact, which may turn out to be an assumption, that any failure of other aircraft systems should not affect engine operation as a) the engines are effectively self-powered in flight and b) the engine controls on the flight deck are part of an isolated system powered by the FADECs.

I would be very surprised if the thrust levers were not firewalled early on, in fact with such determination that they went through the instrument panel!

On a wider observation, professional commercial pilots like the Air India ones in this accident go through regular simulator training according their own SOPs, which when dealing with things like thrust loss during or after the takeoff roll are likely pretty similar or even identical to the manufacturer\x92s guidelines; if they did differ it would be because they were more conservative in application. Boeing standard is to do nothing until 200\x92AGL other than control the aircraft in yaw, pitch and roll. Above 400\x92AGL you can start doing some drills, if applicable. This assumes, of course, that you can get to these heights in the first place.

I would put forward that in this accident, the crew immediately found themselves in what Boeing call \x93Special situations\x94 or \x93Situations beyond the scope of normal procedures\x94. We don\x92t know yet whether there was a thrust loss or total failure at the outset; we don\x92t know if the RAT deployed due to sensed failures or control operation. As a trainer, the captain would have known the implications of actioning the dual engine failure memory items, especially near the ground, but if you\x92ve tried everything else and are still going down then what is there to lose? This is not to suggest this is what happened, just to fill in the blanks in terms of possibilities. Whatever did occur likely put them outside the realm of SOPs in short order, which is a difficult situation at the best of times, especially as for your whole flying career you have been trained and assessed at your ability to conform to those SOPs as accurately as possible in the takeoff phase.

I have read through all the first thread and much of the second before commenting; SLF here, albeit with a lot of flights in a lot of commercial, emergency and non-commercial aircraft but with a relevant background and expertise in collision reconstruction and looking for holes in Swiss Cheese.

The evidence is overwhelming that both engines lost power, and substantial that they were cut simultaneously. There is one matter that I have not seen adequately explored here, and that is the Christmas Tree hypothesis, where a plane not in use is used as a stock of spare parts, which then have to be replaced if it is then called for service.

One of the engineering experts has noted that a specific engine control circuit board must be powered down every 51 days or can cause problems, and even more so at 249 days when it has the capacity to cut both engines simultaneously. As the same expert pointed out, there are very few single points of failure in an aircraft - but this would seem to be one of them and accordingly should receive significant scrutiny. Is it possible, that on a parked aircraft, this item could have remained powered, silently ticking off the days? It then returns to service and the counter overflows at an extraordinarily unfortunate moment causing catastrophe? This is the way statistics works.

I ran over a very small rock yesterday in a car with reinforced tyre walls on the wheels. I thought nothing of it until the tyre pressure warning lit - and the tyre was indeed losing air. I have checked the CCTV (dashcam) and inspected the wheel. It was clear that I had touched the stone in the one place where it had compressed the tyre against the rim and cut the sidewall. That car has travelled 207,000km in my hands. The rock was about 5cm in diameter. The chances of that I would hit a rock that size at that moment in that precise way to destroy my tyre were over 4 billion to one. But it did.

Not quite. It was software for generator controllers. That bug, glitch or whatever it was accurately described to be was not the cause of any engine failures (so far as I am aware).

I'd agree, without expert knowledge there would have to be big assumptions, but I expect that Aircraft Flight Engineers could do it. Probably already have.

Sure, actual data is usually more accurate than eyeballed stuff. But not always. In fact, it's often the eye that determines that something measured or calculated is "Off". How accurate is ADS-B data? I've seen FR24 tracks go way off course then suddenly get corrected / interpolated, frequently. The erroneous data seems to be "removed" by their algorithm, but where are the errors arising? Why this inaccuracy, and therefore, how accurate are the datagrams referred to? I know there were no datagrams received during the backtrack that I accept actually occurred, but that's completely different from receiving erroneous ADS-B data.

Sure, the CCTV footage I've seen is very poor, a video, moved about and zoomed, of the CCTV screen. Not easy to judge, but still useful and could be analysed frame-by-frame to compensate for all the extraneous input. Anyway, it's obvious to me that the rate of climb dropped abruptly just before the flight attained its apex, as if thrust was suddenly cut off. Knowing the momentum to altitude conversion, it might be possible to estimate whether that's true or not. The evident RAT deployment supports engine shutdown, not just engines to Idle, doesn't it? In that case, it would be useful to know at what altitude the engine shutdown took place.

Okay, didn't know that, I guess suggests means it's uncertain? Can you tell me from what height to what height it suggests this?

And why all the wrong figures for the height attained, quoted in previous thread? Can't all be the atmospheric conditions.

Haha! Even a stone (the right shape) can do that, and I'm not disputing that kinetic energy can be converted to altitude. Wings are useful for that... Just curious to get an idea of how much in this case.

To be honest, i believe that taking a lot of the evidence into consideration, it is possible to arrive at a limited number of scenarios for what is most likely to have happened.

One fact that alters things substantially is whether the survivor's impression is correct that possibly the engines started to spool up again just before impact. If that's the case then what does that do to the possibility or otherwise that the TMCA system caused a dual engine shutdown?

To me, since the world seems to be watching this forum, and we are getting no feedback from the authorities, what is posted here might be useful in helping the investigators look at things they might not have considered. Besides, as Icarus2001 has kindof suggested, it's probably a very good thing that there are clearly lots of keen eyes on this.

Thank you for your reply! There's a lot we agree on; unfortunately, I'll be cutting that from my response here.
Right. ADS-B is transmitted via radio, so reception can be patchy, or obstructed by someone else transmitting on the same frequency (e.g. other aircraft), so not every datagram that the aircraft sends gets received. When that happens, the live display of FR24 assumes the aircraft kept doing what it did, and when another datagram eventually comes in, it corrects the position. It also connects the locations of these datagrams, regardless of whether the aircraft actually went there. For example, in the AI171 there's a 4-minute gap between a datagram sent on the taxiway, and the next datagram sent when the aircraft was off the ground towards the departure end of the taxiway. FR24 then connected these points via the shortest route; but we know that the aircraft actually used the intervening 4 minutes to taxi to the approach end of the runway, where it then started its take-off run. So that was false. (Another source of errors is when different FR24 receivers don't have synchronised clocks, so a mixture of data from these can have weird artifacts as a result.)
However, the datagrams that FR24 actually received were correct. They contain the GPS position of AI171 and its unadjusted barometric altitude, as determined by its onboard instruments. This data is as reliable as the instruments themselves are. (An example here is that the NTSB wasn't sure that the altimeter on the Blackhawk that crashed at Washington-Reagan was accurate; if that is the case, the ADS-B data would also be affected.)

On their blog post at https://www.flightradar24.com/blog/f...rom-ahmedabad/ , FR24 have published the data that they actually received.

Have you ever seen a parabolic trajectory from "the short end"?
Yes.

It's uncertain because the 787 rounds all altitudes it sends to the nearest multiple of 25. The altitudes sent were from 575 ft to 625 ft., but that's MSL and not adjusted for the weather: low air pressure makes that number higher than the actual altitude. FR24 adjusted this to 21ft climbing to 71 ft, but it could've been 30 to 60 or maybe 10 to 80, as it's rounded. I think it's fairly close to 50 feet of climb, though.

1) people taking the MSL altitude literally (625 ft)
2) people adjusting for airport elevation (189 ft), but not for pressure: 437 ft
3) people adjusting for pressure, some adjusting for temperature, get 71 to ~100 feet for the last recorded altitude.
But while ADS-B reception was lost then (or the transmitter lost power), the aircraft continued climbing; examine the cctv video, knowing the wingspan is ~200 feet, we see that the aircraft reached 200 feet but not much more.

The survivor likened the sound to a car engine revving up. If you've listened to a good version of the phone video, you'll have noticed the "vroom" sound at the start that some likened to a motorcycle. That sound is the RAT in action, and you can imagine what that would sound like when it rapidly spins up: like a driver stepping on the throttle with their car engine in neutral. The RAT deploying is a consequence of a dual engine shutdown. It says nothing about whether the TMCA was involved.

[Now I just hope your post is still there as I post this. ]

Indeed, thanks to you for your most informative reply! Great to know we're much on the same page.

I'll strive for brevity here. [Fail, sorry!]

Aha! Very misleading by FR24! Maybe they can devise a way to show where data is missing.

Sorry, I got confused about this ^^^, when you wrote this:

but I'm assuming reliable within the 25ft granularity that the 787 creates, which mostly is neither here nor there, but in this case, not so helpful!

Yes, got it, but wasn't what I was meaning to ask, sorry. My bad. I'm about over this TMCA stuff because it sounds like it's Trade Secret so a lot of guesswork, but the question I was intending was:

If the TMCA did activate and shut off the fuel for whatever reason, what causes the TMCA/FADEC Hardware (and Software) to Reset, since it's independently powered off the engine-driven PMG after engine start? There is so much here that is just so unclear. I haven't seen anything about a Reset input anywhere, and since it's supposed to work only when on the ground, that's not really necessary, as the engine will eventually spool down. At some point before that, the PMG output voltage will go to low enough that the FADEC/TMCA should be forced into a Hardware Reset. That's all fine on the ground, but in the air, the engine will windmill, potentially until.... Is the PMG output fed through a switch/relay that cuts the FADEC/TMCA supply at low (i.e. windmill) RPM, so that a Pilot-activated Engine Off/On cycle can reconnect the Aircraft FADEC Supply link, thus Rebooting the FADEC so that it reopens the Fuel Shutoff valve(s)? It all seems so "awkward". And potentially fatal. Is this a scenario that the designers considered? (Who can answer that one? )

Just now, I realise that if this is roughly what happens, then maybe the engines did commence a restart just before impact, due to the plane being deliberately mushed/stalled to the ground as softly as possible, thereby reducing the windmill RPM. And maybe the engines restarting interfered with that planned landing.

Or maybe I've got this all wrong. I'm hoping someone will tell us all.

Thankfully, Yes. Hope this Reply gets through too.

That’s what got me headed down the low altitude capture route. While the mind does really strange things post traumatic event — and memory and recollection are greatly affected by it — if true it means that thrust was lost but the engines stayed lit.

There may have been other electrical and systems malfunctioning. But if whatever happened, let’s say the auto throttle simply pulled power to idle —or a low power setting—at a critical time. Perhaps on its own perhaps with other systems failures.

We like to think it basic that we’d slam the throttles forward. Right away.

But Asiana didn’t.

And neither did Air Florida years ago.

Are you certain of that? Because tdracer (and perhaps others) have asserted that the valves are latching, and must be powered on OR off, precisely so that an electrical power loss does not close the valve (and shut down the engine).

Great first post (IMMHO!) If this is correct, then I think you are onto something very significant. No expert, just an outside the box thinker who has been trying to see what ordinary (non-pilot-blaming) explanations there could be for a near simultaneous dual engine failure. I imagine a complete electrical failure leading to fuel starvation from lack of pump feed pressure from the centre tank would not result in apparently near simultaneous engine failure, but who knows? (Aren't there (suction) bypass valves here, but maybe they get stuck after long non-opening - instead long subject to closing pressures?) This could have been the case here as my experience suggests the probabilities aren't small.

FWIW, according to earlier posts, the fuel load was about 50T, leaving about 18T in the centre tank, so (I think) about 25-30% full. A full centre tank might allow engine pump suction to work fine, but this might not? (Contrary to what some have said.)

Anyway, FWIW, not everyone agrees with RAT Deployment - see recent post by shep69. Would love to know why he doesn't go with RAT deployment...

For those postulating the RAT was not deployed, what counter explanations do you have for the following clues?

• Distinctive RAT sound in the rooftop video, audio analysis here .
• RAT visible in rooftop video, example in this image .
• APU door open suggesting auto APU start, suggestive of a full electrics failure (one of the criteria for auto RAT deployment)
• Loss of ADSB data suggestive of a full electrics failure (one of the criteria for auto RAT deployment)
• Unusual gear forward tilt position, suggestive of hydraulic failure and/or full electrics failure (one of the criteria for auto RAT deployment).
• Loss of all thrust, ie dual engine failure (one of the criteria for auto RAT deployment)

Great summary. I've already mentioned the first below, but I'd add another:

• The existence (and timing) of the flyby video by a young lad who apparently lived where the footage was shot from. With planes flying past every few minutes, why would he choose to film this one, before he could even see it? The video starts with the plane still approaching, out of view, and his position suggests it was unplanned, before he could move to a better vantage point. I say he already knew it was extraordinary - from the sound.
• Eye witness account from the mother of the lad who filmed the flyby, apparently said that the plane was "shaking". I'll assume she didn't know how to describe it properly, and that maybe it sounded like it was shaking, from hearing the noise from the RAT. Or it's a translation issue of a word/s with multiple meanings or used colloquially.

One question - are there two exterior doors to the APU compartment, one on top, one below, presumably inlet and outlet of cooling airflow? I've seen photos showing two open doors, but the lower one could be something else, and busted open during the crash.

The issues with the "they shut down the wrong engine" theory:
1. No asymmetry evidence with flight path deviation. No roll, no yaw effects
2. No rudder inputs visible.
3. No crew should be doing memory items below 400ft. Boeing requires each crew member confirm together memory item switch/control selections.
4. Non-normal gear truck tilt position, a one engine failure should not affect the C hydraulics. As per (3) gear would be selected Up before any memory actions.

The evidence so far is an almost simultaneous dual engine failure, which rules out alot of other theories.

The 787 will control yaw.

I'm sure this has been answered elsewhere and that I've just missed it by scrolling too fast through the backlog of (much appreciated) posts, but it's been buzzing round my mind and I wanted to try and get an answer if possible please.

Has it been confirmed that there was a dual engine shutdown and, if so, why weren't people commenting on this from the videos of the incident (if the audio was good enough to detect the RAT then surely it was good enough to tell whether the engines were running).

Thank you for your patience!