That said Boeing could take a page out of the Garmin GI275. When power is removed it pops up a "60s to shutdown dialog" that you can cancel. Even if you accidentally press SHUTDOWN it only switches to a 10s countdown with a "CANCEL" button.
They could insert a delay if weight on wheels is off. First engine can shutdown when commanded but second engine goes on 60s delay with EICAS warning countdown. Or just always insert a delay unless the fire handle is pulled.
Still... that has its own set of risks and failure modes to consider.
But I'm an advocate of KISS. At a certain point you have to trust the pilot is not going to do something extremely stupid/suicidal. Making overly complex systems to try to protect pilots from themselves leads to even worse issues, such as the faulty software in the Boeing 737-MAX.
I wonder if there have been cases where a pilot had to cut fuel before the computer could detect anything abnormal? I do realize that defining "abnormal" is the hardest part of this algorithm.
As a software engineer myself I think it's interesting that we feel software is the true solution when we wouldn't accept that solution ourselves. For example, typically in a company you do code reviews and have a release gating process, but also there's some exception process for quickly committing code or making adjustments when there's an outage or something. Could you imagine if the system said "hey we aren't detecting an outage, you sure about that? why don't you go take a walk and get a coffee, if you still think there's an outage 15 minutes from now we will let you make that critical change".
In safety-critical engineering, you generally either automate things fully (i.e. to exceed human capabilities in all situations, not just most), or you keep them manual. Half-measures of automation kill people.
I wonder if they could have buttons that are about the situation rather than the technical action. Have a fire response button. Or a shut down on the ground button.
But it does seem like half measure automation could be a contributing factor in a lot of crashes. Reverting to a pilot in a stressful situation is a risk, as is placing too much faith in individual sensors. And in a sense this problem applies to planes internally or to the whole air traffic system. It is a mess of expiring data being consumed and produced by a mix of humans and machines. Maybe the missing part is good statistical modelling of that. If systems can make better predictions they can be more cautious in response.
warn then shut off
Else
Shut off immediately
End
Override warning time by toggling again.
Second: the window of time where you don't have enough altitude (aka time) to restart is relatively small. So this could easily be a temporary protection.
It is difficult to find exact data on this but restart to significant thrust seems to be in the 30-60s range. If you run the numbers on climb rate and glide time the possible danger zone is relatively small, a few minutes after takeoff at most.
Is this an extremely rare event? Yes. But most other accident causes are also rare, regardless of whether they are pilot error or mechanical.
For example: you might think no pilot would deploy the thrust reversers in flight but system protection errors and/or mechanical failures have conspired to allow it and a bunch of people paid in blood to learn that reverser deployment in flight at altitude was actually unrecoverable - contrary to conventional wisdom at the time. It turned out everyone was flying around with a "kill everyone now" mechanism. In some cases with a much lower margin of safety than previously believed due to the aforementioned "conventional wisdom" that if it happened it wouldn't be a big deal.
Know what else isn't normally a big deal (relatively speaking)? Accidental shutdown of both engines. Because a single engine shutdown is easily recovered and the aircraft can fly on one engine. And dual engine shutdown is easily recovered with a restart if you have enough altitude. But it turns out there's a small window after takeoff where it is fatal.
Somewhat relatedly shutting down the wrong engine in an engine failure scenario is so common they explicitly train crews to slow down and not immediately shut down an engine after failure because rushing just leads to dual engine loss.
My proposal is during this window if dual engine shutdown is commanded don't do it. Treat it like it is happening - show the EICAS message, give the alert, but don't actually do the shutdown until the window has passed. This gives the pilots 10 seconds of startle factor then a bit of time to flip the switch back on.
Single engine shutdown would still behave as today so sure if one engine eats a fan blade shut it down. Not that it matters, the engine computer is going to cut fuel in that case anyway.
Insert a delay only for shutting down the remaining engine and only for X seconds after transition to air mode. A delay that the fire handle overrides.
Just a tiny bit of insurance. There aren't any emergency scenarios at low altitude where engine shutdown works but pulling the fire handle does not. You are coming right back to land at the airport no matter what.
Any of these would trigger an unmistakable audible "BLEEP BLEEP BLEEP" to draw your attention to the screen so that you could see what the caution was. These messages are right next to the engine N1 indications anyway, so it would be immediately obvious that one or more of the engines was spooling down.
You don't have to like that culture and you also don't have to participate in it. Making a throwaway account to complain about it is not eusocial behaviour, however. If you know something to be wrong with someone else's reasoning, the expected response is to highlight the flaw.
If someone is speculating about how such a problem might be solved while not trying to conceal their lack of direct experience, I'm fine with it, but not everyone is.
If someone is accusing the designers of being idiots, with the fix "obvious" because reasons, well, yeah, that's unhelpful.
As far as we know this is the first accidental dual engine cutoff at low altitude; with just a bit more altitude (not sure of how much exactly) the engine that had restarted and was ramping would have started producing enough thrust to arrest their descent. That makes the margin of "unrecoverable" a lot smaller than you might initially think.
Bottom line is it is worth considering implementing some protection here:
1. It can be done in software without a lot of complexity
2. The transition to "air mode" is relatively reliable.
3. The failure scenario is the system doesn't provide the protection, but because the failure we protect against is very rare that is acceptable
4. It typically fails "safe": allowing shutdown without delay and worst case is a delay in shutdown.
5. The fire handle overrides delay; if things are going so wrong the delay matters the engine isn't coming back and pulling the fire handle is likely already part of your checklist.
The benefit being elimination of the small window after takeoff where accidental dual engine shutdown is unrecoverable. Obviously before implementing something like this the proper engineering and failure analysis has to be done.
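The interlock sketched in the proposal above and in the numbered list (delay only the remaining engine's cutoff, only for a fixed time after air mode, fire handle overrides the delay, flipping the switch back cancels it, and an unknown air/ground state falls back to today's immediate behaviour) as a small simulation. This is an added example written for this thread, not code from any commenter, Boeing or Garmin; the 60 s window, the EICAS message text, and every name in it are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed for illustration: the commenters only say "X seconds" / "time T".
PROTECT_WINDOW_S = 60.0   # hold a last-engine cutoff until this long after air mode


@dataclass
class Engine:
    name: str
    running: bool = True
    cutoff_commanded: bool = False
    fire_handle_pulled: bool = False
    pending_cutoff_at: Optional[float] = None  # sim time when a held cutoff executes


@dataclass
class Aircraft:
    engines: list
    air_mode_since: Optional[float] = None  # None: weight on wheels
    air_mode_valid: bool = True             # False: air/ground sensing failed or disagreed
    messages: list = field(default_factory=list)

    def engine(self, name: str) -> Engine:
        return next(e for e in self.engines if e.name == name)

    def in_protect_window(self, now: float) -> bool:
        # Unknown air/ground state "fails safe" in the list's sense: no delay,
        # so the switch behaves exactly as it does today.
        if not self.air_mode_valid or self.air_mode_since is None:
            return False
        return now - self.air_mode_since < PROTECT_WINDOW_S


def _execute_cutoff(ac: Aircraft, eng: Engine, now: float) -> str:
    eng.running = False
    eng.pending_cutoff_at = None
    ac.messages.append(f"{now:5.1f}s EICAS: {eng.name} FUEL CUTOFF")
    return "cutoff"


def command_cutoff(ac: Aircraft, name: str, now: float) -> str:
    """Pilot moves the fuel control switch to CUTOFF."""
    eng = ac.engine(name)
    eng.cutoff_commanded = True
    others_running = any(e.running for e in ac.engines if e is not eng)
    # Delay only the last running engine, only inside the window,
    # and never once the fire handle has been pulled.
    if eng.fire_handle_pulled or others_running or not ac.in_protect_window(now):
        return _execute_cutoff(ac, eng, now)
    eng.pending_cutoff_at = ac.air_mode_since + PROTECT_WINDOW_S
    remaining = eng.pending_cutoff_at - now
    ac.messages.append(f"{now:5.1f}s EICAS: {eng.name} FUEL CUTOFF DELAYED {remaining:.0f}s")
    return "delayed"


def cancel_cutoff(ac: Aircraft, name: str, now: float) -> str:
    """Pilot moves the switch back to RUN; a held cutoff is simply dropped."""
    eng = ac.engine(name)
    eng.cutoff_commanded = False
    if eng.pending_cutoff_at is not None:
        eng.pending_cutoff_at = None
        ac.messages.append(f"{now:5.1f}s EICAS: {eng.name} FUEL CUTOFF CANCELLED")
        return "cancelled"
    return "no-op"


def pull_fire_handle(ac: Aircraft, name: str, now: float) -> str:
    """The fire handle overrides any delay: that engine is not coming back."""
    eng = ac.engine(name)
    eng.fire_handle_pulled = True
    return _execute_cutoff(ac, eng, now)


def tick(ac: Aircraft, now: float) -> None:
    """Run every cycle: a held cutoff still executes once the window has passed."""
    for e in ac.engines:
        if e.cutoff_commanded and e.pending_cutoff_at is not None and now >= e.pending_cutoff_at:
            _execute_cutoff(ac, e, now)


def run_accidental_dual_cutoff():
    """Both switches to CUTOFF seconds after liftoff; crew restores ENG 2 inside the window."""
    ac = Aircraft(engines=[Engine("ENG 1"), Engine("ENG 2")], air_mode_since=0.0)
    first = command_cutoff(ac, "ENG 1", now=3.0)    # first engine: immediate, as today
    second = command_cutoff(ac, "ENG 2", now=4.0)   # last engine: held
    tick(ac, now=14.0)                              # ten seconds of startle factor
    still_running = ac.engine("ENG 2").running
    cancel_cutoff(ac, "ENG 2", now=14.0)
    tick(ac, now=90.0)                              # nothing pending any more
    return first, second, still_running, ac.engine("ENG 2").running


def run_held_to_expiry():
    """Nobody cancels: the delay is not a veto, the cutoff happens at the end of the window."""
    ac = Aircraft(engines=[Engine("ENG 1", running=False), Engine("ENG 2")], air_mode_since=0.0)
    command_cutoff(ac, "ENG 2", now=5.0)
    tick(ac, now=PROTECT_WINDOW_S)
    return ac.engine("ENG 2").running


def run_fire_in_window():
    """Fire on the remaining engine inside the window: no delay at all."""
    ac = Aircraft(engines=[Engine("ENG 1", running=False), Engine("ENG 2")], air_mode_since=0.0)
    return pull_fire_handle(ac, "ENG 2", now=5.0), ac.engine("ENG 2").running


def run_sensor_failure():
    """Air/ground sensing invalid: fall back to today's immediate behaviour."""
    ac = Aircraft(engines=[Engine("ENG 1", running=False), Engine("ENG 2")],
                  air_mode_since=0.0, air_mode_valid=False)
    return command_cutoff(ac, "ENG 2", now=5.0)


if __name__ == "__main__":
    print(run_accidental_dual_cutoff(), run_held_to_expiry(), run_fire_in_window(), run_sensor_failure())
```

The only decision the logic makes is "is this the last running engine, inside the window, without the fire handle pulled?"; every other path is today's behaviour, which is what keeps the failure modes small.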
This is not "reasoning from first principles". In fact, I don't think there is any reasoning in the comment.
There is an implication that an obvious solution exists, and then a brief description of said solution.
I am all for speculation and reasoning outside of one's domain, but not low quality commentary like "ugh can't you just do what garmin did".
This is not a throwaway, I'm a lurker, but was compelled to comment. IMHO HN is not the place for "throwaway" ad hominems.
The point of what GI275 does is as a backup instrument you are much more likely to need it when the electrical system fails or is turned off due to fire. Yet if it just remains on until shutdown pilots would frequently forget to turn it off on the ground, resulting in its battery being worn out. Because it is considered critical it delays its own shutdown. Long enough for you to notice in flight but not so long it wears out the battery (which might result in only a few minutes of power in a real emergency).
My entire point was that engine restarts take some time. If both engines eat a blade or catch fire you are screwed anyway, so whether or not the fuel cutoff switch does anything at 1500ft is irrelevant. But that is so rare I don't think we have any events on record. So it might be worth inserting a delay - enough to account for standard climb rates to achieve enough altitude to make restart likely or at least possible. The delay would only be for the second engine shutdown and only for time T after going into air mode. And if the system gets it wrong, thinking the other engine is shut down when it is not, pulling the fire handle would override any delay - and pulling the fire handle is part of any engine failure or departed aircraft procedure I know of. In other words you wouldn't even need to change the QRH or emergency checklists in most cases.
I noted that engineering for aviation is complex and everything has failure modes to consider. Privately I went through several iterations of this idea and discarded them for problems with failure modes and complexity. What I proposed is boiled down to the minimal thing that would have saved this flight.
The other thing I'll say is there is a reason the computer will auto-extend some flaps/slats at slow speed even if you put the handle to zero. And there's a reason auto-throttle provides protection. And with the exception of the 737 the computer auto-starts the APU on dual engine failure. And any attempt to deploy thrust reversers in the air is ignored. And stick pushers exist for good reason.
We put in all kinds of measures to override human decisions to prevent mistakes and errors.
It literally is. Accidental/malicious activation can be catastrophic, therefore it must be guarded against. First principles.
The shutoff timer screen given as an example is a valid way of accomplishing it. Not directly applicable to aircraft, but that's not the point.
> "ugh can't you just do what garmin did"
That's your dishonest interpretation of a post that offers reasonable, relevant suggestions. Don't tell me I need to start quoting that post to prove so. It's right there.
The modal HN reader now is a tech employee or freelancer.