Air India Crash

Another one bites the dust.

These days the programming should also be considered.
Especially when the computers do not inform what kind of drastic action they are going to pull off.

Example : 737-Max-8 Trim to nose down based on bad sensor data. Two new airplanes bite the dust or water.

787 ANA 2013 engine fuel cutoff based on bad sensor data. Luckily the plane was on the ground and in taxi mode.

This makes at least three cases where bad error data was available from ONE sensor and based on that the computers took decisions to override the human operators.

What I am recommending is that they should instead do what they normally do like give audio warnings like
Pull up, terrain, bank angle…
In the PIA case the audio warning of gear not down was probably not made due to being dumped out of the queue because of other warnings like overspeed and stuff. Not excusable. Just add a queue so ALL warnings are made at least once.

The current kind of programming does not seem user friendly. Hidden code which is not in the manual and there is no warning as to what the computer is going to pull off.

Also the Qantas flight where it got bad data and suddenly pitch down causing many passengers to hit the ceiling and experience negative G forces for many seconds.

Here’s a concise breakdown of the Qantas Flight 72 upset, in which erroneous onboard data led to uncommanded nose-down movements and negative-g in the cabin:

1. Flight and aircraft details
   – Date & route: 7 October 2008, Singapore (Changi) → Perth (via Learmonth diversion)
   – Type: Airbus A330-303, registration VH-QPA
   – Occupants: 315 (303 passengers, 12 crew) (Wikipedia)
2. Root cause: bad data from the ADIRU
   – One of the three Air Data Inertial Reference Units (ADIRUs) began outputting corrupted angle-of-attack values.
   – This bad AOA data fed into the flight control primary computers (FCPCs), triggering an automatic “high-AOA protection” nose-down command (Wikipedia).
3. Sequence of the two uncommanded pitch-downs
   – First event (12:42:27 AWST):
   • Sudden pitch-down to 8.4° nose-down, vertical acceleration dropped to –0.8 g.
   • Aircraft lost about 650 ft before crew recovered to FL 370.
     – Second event (12:45:08 AWST):
   • A smaller nose-down to 3.5°, producing +0.2 g (near-weightlessness).
   • Aircraft lost about 400 ft before being re-leveled (Wikipedia, ATSB).
4. Negative-g effects in the cabin
   – During the first plunge, unrestrained and even some restrained passengers and crew were lifted toward—and struck—the cabin ceiling, amid flying luggage and equipment.
   – The near-one full negative-g event lasted several seconds, causing weightlessness from the cabin frame of reference (Wikipedia).
5. Injuries and diversion
   – Injuries: 119 people injured (11 serious, 108 minor), including fractures and lacerations.
   – Diversion & landing: Declared mayday and diverted to Learmonth Airport, where injured were evacuated by RFDS and CareFlight (Wikipedia).

Aftermath:
– The ATSB identified both the ADIRU fault and a software design limitation in the A330 FCPC.
– EASA issued an emergency airworthiness directive in January 2009 for A330/A340 aircraft with the affected ADIRUs to prevent recurrence.

Based on the search results, the 2013 ANA (All Nippon Airways) incident involving FADEC-induced fuel shutoff occurred under the following circumstances:

⚙️ 1. Incident Overview

• Date: January 16, 2013
• Aircraft: Boeing 787-8 Dreamliner (Registration: JA804A) with Rolls-Royce Trent 1000 engines .
• Location: Takamatsu Airport, Japan, during taxiing operations .
• Event: Both engines simultaneously shut down without crew input. The FADEC system commanded fuel cutoff erroneously while the fuel control switches remained in the “ON” position .

🔍 2. Technical Cause

• Root Failure: Faulty Thrust Lever Angle (TLA) sensors sent erroneous data to the FADEC. The system misinterpreted this as a command to shut off fuel flow, triggering an automated dual-engine shutdown .
• FADEC Behavior: The FADEC lacked manual override capabilities. With no pilot intervention possible, the engines failed despite operational fuel switches .
• Investigation: Japan Transport Safety Board (JTSB) confirmed no crew error or physical switch movement. The failure was attributed to FADEC software logic vulnerabilities in processing sensor data .

⚠️ 3. Safety Implications

• Systemic Risk: This incident exposed a critical flaw in Boeing 787 FADEC design, where a single sensor fault could cascade into dual-engine failure .
• Redundancy Failure: Although FADEC systems typically have redundant digital channels, the simultaneous sensor fault bypassed this safeguard .
• Regulatory Context: The FAA had previously issued advisories (e.g., SAIB NM-18-33) about fuel control switch defects, but compliance was not mandatory .

🛠️ 4. Aftermath & Actions

• Software Updates: Boeing revised FADEC software to improve sensor fault tolerance and prevent similar misinterpretations .
• Maintenance Protocols: Airlines implemented enhanced sensor inspections and FADEC diagnostic procedures, aligning with FAA airworthiness directives for fuel shutoff systems .
• Industry Impact: The incident became a key case study in advocating for mandatory FADEC redundancy improvements and stricter oversight of sensor reliability .

💎 Conclusion

The 2013 ANA incident underscores how sensor malfunctions could trigger unintended FADEC actions, leading to catastrophic engine shutdowns. It highlighted the need for robust fault-detection logic in digital engine controls and influenced subsequent aviation safety regulations .

How to restart if the FADEC cuts off.

When an engine’s FADEC has driven the fuel flow to “cutoff” (for example, during a flame-out or as part of an automatic shutdown), you restart it essentially the same way you conduct any FADEC-controlled start—FADEC takes care of the fuel scheduling, ignition, and protection. The exact switches and levers vary by airframe/engine type, but the generic procedure is:

1. Verify conditions for restart
   • Check that no fire or other emergency condition exists.
   • Ensure electrical power (battery or external) is on so FADEC is powered.
   • Make sure you’re within the envelope for a windmill or starter-assisted restart (altitude, airspeed, N2 or N3 windmill speed).
2. Select FADEC to “ON” (if you had switched it “OFF”)
   • On most turboprops/turboshafts you’ll have a condition lever or FADEC switch—ensure it’s in the “ON” (or “CONT”) position.
   • On turbofans, the engine master switch or ignition switch must be in “ON” so FADEC can control fuel.
3. Position the power lever to IDLE/CUTOFF cycle
   • If the lever is still at “CUT-OFF,” move it forward through “IDLE” and back to “CUT-OFF,” then forward again to “IDLE.”
   • This cycling wakes up FADEC and primes its fuel-valve actuator.
4. Initiate the start
   • Press and hold the engine start (or ignition) switch.
   • FADEC will:
     1. Open the fuel metering valve just enough to introduce fuel.
     2. Engage ignition.
     3. Monitor N2/N3 speed and light off.
5. Monitor the start sequence
   • Watch N2 (or N3) accelerate.
   • Observe EGT rise—light-off should occur typically below 15% N2/N3.
   • When N2/N3 reaches the scheduled idle speed (e.g. 55–60%), FADEC will cut out ignition and schedule fuel to idle.
6. Verify a stable idle
   • Check that all parameters (torque/TIT/ITT, N1/N2, oil pressure) are within green bands.
   • If parameters don’t stabilize, secure the engine (move condition lever to “CUT-OFF”) and troubleshoot per the QRH.

---

Example: Turbofan Windmill Restart (e.g., CFM56 on a narrowbody)

1. Battery ON, APU ON (to supply bleed air), or cross-bleed/engine bleed ON.
2. Engine master switch—select “ON.”
3. Thrust lever—CUTOFF → IDLE → CUTOFF → IDLE.
4. Press Engine Start switch; hold until N2 spools up.
5. Monitor N2, EGT; at light-off, release Start switch.
6. Verify idle.

Example: Turboprop Starter-Assisted Restart (e.g., PT6A)

1. Condition lever—“FEATHER” to “START.”
2. Starter switch—“ON” (FADEC energizes starter and ignition).
3. At 12% Ng, FADEC introduces fuel; light-off occurs.
4. Ng accelerates to “IDLE” RPM.
5. Starter cuts out automatically; verify stable idle.

---

Key FADEC reminders:

• FADEC handles all fuel scheduling—you never “manually” introduce fuel.
• Cycling the power/condition lever from cutoff through idle primes the fuel actuator.
• Always follow your QRH/AFM-specified limits for N2 windmill speeds, EGT margins, and altitude/airspeed envelopes.

If you tell me your specific airframe or engine model I can give you the exact switch-and-lever sequence from the AFM/QRH.