mathias, Author at dr göschl

AI171 – prelim. report notes, update 1

07.15.202507.15.2025mathias

here’s an update to my initial comments (12.07.25) on the preliminary report published 11.07.25.

DISCLAIMER: This is a private analysis without any guarantee for the accuracy of the reported facts and conclusions.

in my opinion, the central and yet unanswered question is: did the fuel control switches physically move ?

The switches can be identified as HONEYWELL part number 4TL837-3D, a robust 4-PDT (Four Pole Double Throw) type switch with mechanical switch lock and LED illumination. It has been established by multiple sources competent with the matter that the 2 FADEC channels related to one engine are each “linked” to one switch circuit. The two remaining switch circuits seem to be connected to (independent) digital data hubs from which (among other devices) the 2 FDRs record their data. A single “double throw” circuit of the switch alternates a contact between 2 other contacts, switching a fixed DC voltage or resistance logic level between the two related logical positions “RUN” / “CUTOFF”. In a classical “analog” electronic sensing logic, any “noise” introduced to either of the contacts would likely be filtered or attenuated by the wiring or subsequent analog signal propagation. In a digital setup (B787 has a fully integrated digital data bus system), “noise” – depending on the way a logic level threshold is discriminated by logic level shifters, analog-digital converters (ADC) and software – could falsely be propagated as a “normalized” digital signal which is relied upon. If, for example, switch circuits are related to a common ground contact (as a reference towards a DC target switch level), it is thinkable that any voltage spike introduced into this common reference could shift digital switch state to a value not compatible with the physical switch position and this state being propagated as a binary state on 4 digital routes simultaneously, impacting both: fuel valves & DFDR recording. Since a DC ground reference is most likely shared among several devices in close physical vicinity, such ground voltage level “noise” could possibly affect both LH/RH control circuits. With further insight into wiring diagrams or the nature of the A/D interface, I admit that the nature of this analysis is highly speculative.

The instability of electrical power due to the dual shutdown (subsequently and partially recovered by RAT deployment, in the meantime hopefully bridged by main battery power) could have resulted in a restart condition of the aircraft’s digital data bus system, which could have cleared the digital CUTOFF states after system restart (corresponding to the 10-14s delay in the RUN transition) – without moving switch position.

There is an important third identification of switching (among switch lever position change and logic level change): switch “click” sound, which is strongly audible due to the robust physical nature of the switch mechanism (references 1, reference 2). The switch click(s) should be discernible on the FDR audio (in fact such audible features have been established as proof for operation of critical switches in numerous other crash investigation reports), not only in the CUTOFF transition (with maximum engine noise in the background) but specifically for the RUN transition that took place with engines below idle thrust and with low noise. Although the investigation specifically focused on fuel control switch operation, this feature has not been mentioned in the preliminary report.

From the above B787 cockpit videos, it is apparent that both switches can be operated within 1 second by an experienced cockpit crew member.

In summary: If it can be established by at least some of the possible 4 switch clicks in sync with recorded FDR data, that the switches have indeed physically moved, I would concur with the hypothesis of suicidal intent. If this cannot be established reliably, however, a “deep” electronics issue, possibly related to inertial force during rotation, such as described in my previous analysis, cannot be ruled out.

AI171 – prelim. report notes

07.12.202507.12.2025mathias

on 11.07.25 the preliminary report was published by the Indian AAIB. This note relates to my initial assessment of the aircraft accident (specifically my hypotheses #1-#5) and is intended to interpret the information published in the prelim. report.

DISCLAIMER: This is a private analysis without any guarantee for the accuracy of the reported facts and conclusions.

From the preliminary report, my hypothesis #1, #3 and #4 can be confirmed as invalid due to the documented A/C configuration at the crash site and official probes into fuel quality. There are also no apparent, critical technical or maintenance items related to the incident. From the flight data and voice recorder (FDR, CVR) readouts the following sequence is documented, following an uneventful take-off run

08:08:39Z aircraft left the ground
08:08:42Z engine #1 fuel cutoff switch transitioned from RUN to CUTOFF
08:08:43Z engine #2 fuel cutoff switch transitioned from RUN to CUTOFF
AUDIO: “one of the pilots is heard asking the other why did he cutoff. The other pilot responded that he did not do so“
08:08:47Z the ram air turbine (RAT) is confirmed to supply hydraulic power and there is visual confirmation that the RAT was already deployed in the very initial climb phase, right after take-off, well within the perimeter of the airport.
08:08:52Z engine #1 fuel cutoff switch transitioned from CUTOFF to RUN
08:08:54Z APU startup sequence initiated (also visually confirmed by the APU inlet door found open at crash site)
08:08:56Z engine #2 fuel cutoff switch transitioned from CUTOFF to RUN
AUDIO (08:09:05Z) “MAYDAY, MAYDAY, MAYDAY”

thereafter, engine parameters and APU/RAT deployment are consistent with dual engine failure (below engine idle thrust) with attempted auto-re-ignition sequence applied to both engines, which however came too late to restore thrust prior to crashing into the ground.

“fuel control switch“: for LH/RH engines, both are located directly below the thrust levers on the center console. Per definition a “switch” is a physical device with a physical state (switch lever position) and an (electric) logic state that is directly related to its physical state and wherein the logic state is electrically transmitted to the intended target of the switching process (here: electro-mechanical fuel valves). The switching process – usually – consists in 1) actuating the switch lever, 2) the altered switch lever position changing the (electrical) logical state, 3) the electrical state change being propagated to the device targeted by the switch. 4) the switch target responds to the change.

With regard to the FDR events recorded, it can be assumed (though, this detail has to be confirmed) that the “fuel cutoff switch state (RUN|CUTOFF)” does not necessarily reflect the absolute physical position of the switch lever (sensed via any hypothetical secondary FDR-specific logic circuit which would be INDEPENDENT from the switch actual logic output state) but it is recorded from the apparent electrical output logic state “downstream” in the switching process.

In this light, the following scenarios could apply:

The switches have been physically altered to CUTOFF by human intend.
The switches have been physically altered to CUTOFF without human intervention.
The switches have not been physically altered, but downstream to the “designed” switching process, another event altered the logical (electric) switch state.

To start with scenario 2, I think this can be ruled out since both switches are (independently) physically guarded and their operation requires overcoming a physical switch lock specifically designed against unintentional physical operation of the switches.

Scenario 1 could be one of the following:

a standard procedure requested by aircraft malfunction. This would require observation of any prior fault, communication by the crew and execution of the respective checklist procedure. Engine cutoff (or switch cycling) as an action item does only occur in procedures related to engine fire or re-ignition following an in-flight engine malfunction. None of these factors have been observed in FDR and CVR data recorded and as such I rule out the possibility that an intential engine cutoff was based on procedure.
suicidal intent by one crew member. This scenario is physically possible, however I would rule this out based on the following observations:
- a) it is unlikely that the rapid (1s interval) action to move both fuel switches from RUN to CUTOFF by one pilot moving hands towards the center console is not noticed in the peripheral field of view of the other pilot being focused on flying the aircraft. It is in fact a strength of peripheral vision to detect such motion.
- b) an action as decribed in (a) and not being compatible with any trained procedures, would have clearly resulted in a strong response by the other pilot, verbally by assertive language and/or physically by action (or open struggle) to re-establish the correct fuel switch setting.
- c) the CVR recording of both persons rather reflects complete surprise and astonishment at the observation of the fuel valve status. It is unclear if this observation by the person asking is based on physical position of the switches or alerts on the engine monitoring displays that mirror the effects of a fuel cutoff logical switching. The response of the “accused” pilot reflects a defensive position and surprise and – in my opinion – is not compatible with aggressive suicidal intent or the feeling of one’s deadly plan just having been discovered and compromised by a another person.
- d) the time from recorded CUTOFF to recovery into RUN state is excessively long and almost identical (10/11 seconds) for both engines. If fuel control switches were indeed physically selected to CUTOFF and visually identified as such, any corrective action should have occured way much faster or should have resulted in at least a struggle audible on the CVR audio. This hints rather towards a scenario where switches are indeed in the RUN position, the CUTOFF state being introduced elsewhere “downstream” and pilots remained passive to witness automated engine recovery.
- e) extending the argumentation of (d) it is also unlikely that a pilot with suicidal intent would not have used the recovery time available to crash the aircraft by other means, i.e. pulling back thrust levers, making control column inputs, introducing fatal aircraft configuration (i.e. speed breaks)

This eventually leaves us with scenario 3, some sort of a “wicked” electrical effect that either introduced almost synchroneous fuel cutoff electrical logic state into the wiring (between physical switches and targeted valves) OR directly into the EEC/FADEC logic generating equivalent fuel switch logic state based on other factors than fuel control switch logic state alone. Let’s note that both engines independently operate completely autonomous with regard to their commanded thrust/fuel state. Once received by the EEC/FADEC logic of either engine, the state will be executed (independently from A/C hull electric supply) as long as fuel and air can be fed into combustion. The nearly synchronous shutdown of both engines by closure of both fuel valves therefore points towards a logic in which the commanded state originates from an engine-independent but single origin. This origin must be located inside the A/C hull since engines cannot command each other mutually.

as a consequence I maintain hypothesis 5 of my previous analysis with the alteration that apparently no major cascading electrical fault (this would have been obvious in the FDR readout) led to the observed fuel control states, but the causal event would be rather limited to affecting downstream electric logic state of the fuel control switches or any other electric logic state having the authority to close fuel valves, for example EEC/FADEC TCMA. Since the event is tightly bound to A/C physical rotation on the take-off timeline, this could hint towards an effect driven by inertia on the electrical signalling, for example:The motion of amounts of water from condensation or any lose wiring.

Air India 171 B787-800 crash 12.06.25

06.17.202506.18.2025mathias

ahead of any initial report from the Aircraft Accident Investigation Bureau of India, I am attempting an educated look into the crystal ball.

DISCLAIMER: This is a private analysis without any guarantee for the accuracy of the reported facts and conclusions.

a) observation (high confidence) from available video footage:

takeoff run after backtrack from VAAH (Ahmedabad) RWY 23. Visual impression that A/C got airborne rather late. Plume of dust indicating significant engine thrust at initial climb over the runway end.
regular initial climb attitude.
about 12 seconds after rotation, change in pitch attitude, climb terminated within few seconds, no apparent stall, controlled glide into terrain.
RAT was deployed on final glide, no audible engine thrust noise, APU inlet open at crash site pictures.
wing trailing flaps deployed at crash site pictures.
a mayday call indicating thrust problems has been reported by authorities, though literal transcript has not yet been published.
gear extended until impact, forwarded tilted gear trucks may indicate initiation of gear-up sequence
sole survivor reported green/white (emergency) cabin lights and flickering.

b) apparent final state of A/C at crash:

RAT (auto-)deploy, (auto-)initiation of APU startup, flickering lights / switch to emergency cabin lights: loss of electrical power fed from engine driven generators
Control surfaces operational (RAT can assure minimum hydraulics + electric control) to maintain wings level and to control glide speed
Insufficient/no thrust on both engines to maintain or gain altitude

c) discussion of possible faults and consequences:

~~hypothesis 1~~ “a/c misconfiguration for take-off“: erroneous settings of takeoff weight, ambient temperature/pressure, engine de-rating factor, flaps setting, possible miscalculation of V1, VR. Highly unlikely due to B788 automated crosschecking of weight on wheels, flaps settings. Would have triggered warning messages prior to T/O. After all, the A/C had a rather nominal takeoff run and initial climb with no observable “out of envelope” behavior. Hypothesis 1 is inconsistent with observed electrical system + dramatic thrust loss.

~~hypothesis 2~~ “unlawful interference, intentional action“: contradicted by a reported technical mayday call. Manually commanded dual-engine shutdown is a complex process and is unlikely performed after rotation in an efficient manner to affect both engines in an apparent simultaneous manner. Intentionally pulling back both thrust levers to flight idle would not be enough to trigger the electrical backup system, i.e. RAT deployment.

~~hypothesis 3~~: “a/c misconfiguration on initial climb“: initial climb would have normally seen “gear-up” action and in theory could have been confounded with “flaps up” action by pilot error, resulting in a loss of lift. This unlikely misconfiguration however could have been healed without catastrophic consequences by applying max thrust and manually keeping the A/C within the flight envelope. Hypothesis 3 is also inconsistent with observed electrical system + dramatic thrust loss.

now, leaving us with only scenarios which are able to trigger a rapid, simultaneous dual engine loss of thrust:

~~hypothesis 4~~: “fuel contamination / temperature“: A contamination of fuel (water, any sort of dirt) residual to the main tank (feeding the engines) from present or past refueling cannot be rules out, but it is highly unlikely that: i) this would lead to a perfectly synchronous and extremely quick and “efficient” flame-out of both engines without apparent visible clues (smoke, thrust bursts and altitude variations), ii) it has not been experienced (at least in parts noticed by crew or engine telemetry) by any other aircraft refueled from the same hypothetical contaminated airport(s). Although ambient temps in Ahmedabad were high (METAR: VAAH 120830Z 24003KT 6000 NSC 37/17 Q1000 NOSIG), I would also rather discount the possible issue of fuel vapor lock (elevated fuel temperature can result in the development of fuel vapor which cannot be processed by liquid fuel pumps) due to the large amount of fuel very likely drafted from the underground hydrant fuel system available at AMD or residual fuel from the prior flight and short rotation from DEL.

hypothesis 5: “systems commanded dual engine cutoff“: Both engines have their own EEC/FADEC (electronic engine control / full authority digital engine control) units with 2-fold redundancy and electricity generated by engine-mounted redundant generators. As long as the engine is turning, EECs are powered and are able to control fuel flow as commanded by cockpit-side thrust levers and fuel master switch sensors (with redundant sensors and wiring). On the fuel delivery side, each engine has it’s own mechanically coupled fuel pump which is able to directly draft fuel from the main tank – without support of main tank electrical boost pumps. Therefore, even with a total loss of power on all of the A/C electrical busses, each engine – once started – will autonomously continue to operate according to thrust-lever input, until fuel starvation. Now, B787 series got a unique further software package integrated into EEC called TCMA (Thrust Control Malfunction Accomodation System, https://patents.google.com/patent/US6704630B2/en). It actually does what the title is promising: Use a software logic to “correct” any physical misbehavior of an engine with regard to its commanded thrust level, more precisely: It is designed to radically shut down (closing of fuel master valve) a “runaway” engine if all of the following conditions are met: 1) the aircraft is on the ground, 2) thrust lever is at idle position, 3) engine is above idle rpm. TCMA has two independent channels (for each engine, each of the channels has authority to close the fuel valve) which each evaluate the 1-3 conditions. TCMA seems to be the only “authority” – apart from pilot action in the cockpit – to close the fuel valves and to simultaneously and rapidly shut down both engines. From the TCMA conditions, in the present scenario – takeoff thrust – only (3) was true at all times, (1) should have transitioned from true to false after leaving the ground while (2) is supposed to remain false at all times during takeoff.

Now, the real speculation starts: If the aircraft was faced with some additional, electrical issue (moisture, electric arc, power surge … these kind of things) at the very end of the takeoff run (past V1, such that the crew did not consider the option to abort – but possibly was distracted for an instant, explaining the slightly longer than expected ground run) or after rotation (in anticipation of, or at gear retraction) and that electrical interference and/or a software restart condition compromised the readout of the WOW (weight on wheels) and thrust lever sensors such that WOW remained at it’s ground state and thrust lever (both!) readouts were shortly flickering to an idle or null readout (and as such were accepted as valid input !) this could have closed both engine’s fuel valves shortly into the climb, leaving just some residual fuel for the initial positive rate.

I can’t resist my gut feeling, but the “capabilities” of TCMA remind me of MCAS (Maneuvering Characteristics Augmentation System) of the B737 MAX series (two fatal crashes: Lion-610, 29.10.18, Ethiopian-302, 10.03.19), where a “full authority” automated software system (which was introduced to control a secondary problem) detected an incorrect state from erroneous sensor input and executed an unexpected fatal action – unrelated to the problem it was designed for.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.