Comment by xenadu02

2 days ago

It could be defective switch springs, fatigue-induced muscle memory error, or something else. The pilot who did it, saying he did not, may not have realized what he did. It's pretty common under high workload, when you flip the wrong switch or move a control the wrong way, to think that you did what you intended to do, not what you actually did.

That said, Boeing could take a page out of the Garmin GI275. When power is removed it pops up a "60s to shutdown" dialog that you can cancel. Even if you accidentally press SHUTDOWN it only switches to a 10s countdown with a "CANCEL" button.

They could insert a delay if weight on wheels is off. The first engine can shut down when commanded, but the second engine goes on a 60s delay with an EICAS warning countdown. Or just always insert a delay unless the fire handle is pulled.

Still... that has its own set of risks and failure modes to consider.

When your engine catches on fire/blows apart on takeoff you want to cut fuel as fast as possible.

  • If it's both engines you're fucked anyway if it's shortly after takeoff.

    But I'm an advocate of KISS. At a certain point you have to trust the pilot is not going to do something extremely stupid/suicidal. Making overly complex systems to try to protect pilots from themselves leads to even worse issues, such as the faulty software in the Boeing 737-MAX.

  • Was thinking this same thing. A minute feels like a long time to us (using a Garmin as the example said) but a decent number of airplane accidents only take a couple minutes end to end between everything being fine and the crash. Building an insulation layer between the machine and the experts who are supposed to be flying it only makes it less safe by reducing control.

  • Proposed algorithm: If the flight computer thinks the engine looks "normal", then blare an alarm for x seconds before cutting the fuel.

    I wonder if there have been cases where a pilot had to cut fuel before the computer could detect anything abnormal? I do realize that defining "abnormal" is the hardest part of this algorithm.

    • The incident with Sully landing in the Hudson is an interesting one related to this. They had a dual birdstrike and both engines were totally obliterated and had no thrust at all, but it came up later in the hearing that the computer data showed that one engine still had thrust due to a faulty sensor, so that type of sensor input can't really be trusted in a true emergency/edge case, especially if a sensor malfunctions while an engine is on fire or something.

      As a software engineer myself, I think it's interesting that we feel software is the true solution when we wouldn't accept that solution ourselves. For example, typically in a company you do code reviews and have a release gating process, but also there's some exception process for quickly committing code or making adjustments when there's an outage or something. Could you imagine if the system said "hey we aren't detecting an outage, you sure about that? why don't you go take a walk and get a coffee, if you still think there's an outage in 15 minutes from now we will let you make that critical change".

    • If the computer could tell perfectly whether the engine “looks normal” or not, there wouldn’t be any need for a switch. If it can’t, the switch most likely needs to work without delay in at least some situations.

      In safety-critical engineering, you generally either automate things fully (i.e. to exceed human capabilities in all situations, not just most), or you keep them manual. Half-measures of automation kill people.


    • if engine_status == normal and last_activation > threshold_time:
          warn, then shut off
      else:
          shut off immediately
      end

      Override the warning time by toggling again.
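As an added illustration that is not from any commenter, here is the pseudocode above as a small Python state machine: a cutoff command on a "normal" engine starts a warning countdown, moving the switch back cancels it, a second cutoff command within a short window or an abnormal engine status cuts fuel immediately. The class name, the constants and the timings are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed simulation of the delayed-cutoff idea; all names and
# timings here are assumptions, not any real avionics logic.
WARN_SECONDS = 10.0     # countdown before a cutoff on a "normal" engine takes effect
RETOGGLE_WINDOW = 2.0   # a second cutoff command within this window is an override


@dataclass
class FuelCutoffGuard:
    engine_normal: bool = True             # what the monitoring computer believes
    cutoff: bool = False                   # actual fuel-valve state
    countdown_end: Optional[float] = None  # when a pending cutoff fires, or None
    last_command: Optional[float] = None   # time of the last delayed cutoff command
    log: list = field(default_factory=list)

    def command_cutoff(self, now: float) -> str:
        # Abnormal engine: honour the command at once, as the thread argues.
        if not self.engine_normal:
            return self._shut_off(now, "immediate (engine abnormal)")
        # Toggled again shortly after a previous command: pilot override.
        if self.last_command is not None and now - self.last_command <= RETOGGLE_WINDOW:
            return self._shut_off(now, "immediate (pilot re-toggled)")
        self.last_command = now
        self.countdown_end = now + WARN_SECONDS
        self.log.append((now, "WARN: fuel cutoff in %.0fs" % WARN_SECONDS))
        return "warning"

    def command_run(self, now: float) -> str:
        # Moving the switch back to RUN cancels a pending countdown.
        self.countdown_end = None
        self.log.append((now, "cutoff cancelled"))
        return "cancelled"

    def tick(self, now: float) -> str:
        # Called every cycle; fires the pending cutoff once the countdown elapses.
        if self.countdown_end is not None and now >= self.countdown_end:
            return self._shut_off(now, "after countdown")
        return "cutoff" if self.cutoff else "running"

    def _shut_off(self, now: float, why: str) -> str:
        self.cutoff = True
        self.countdown_end = None
        self.log.append((now, "ENG SHUTDOWN " + why))
        return "cutoff"
```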

Delay is probably worse - now you're further disassociating the effect of the action from the action itself, breaking the usual rule: if you change something, and don't like the effect, change it back.

  • This makes me wonder. Is there no audible alarm when the fuel is set to cutoff?

    • Shutting off both engines would display "ENG SHUTDOWN" in yellow text (caution) on the EICAS. If only one engine was shut down, it would say "ENG SHUTDOWN L" or "ENG SHUTDOWN R".

      Any of these would trigger an unmistakable audible "BLEEP BLEEP BLEEP" to draw your attention to the screen so that you could see what the caution was. These messages are right next to the engine N1 indications anyway, so it would be immediately obvious that one or more of the engines was spooling down.

I'm doing it all the time while rebasing commits or force pushing to my branch. Sometimes I would just click the wrong buttons and end up having to stay late to clean the mess. It's a great thing I'm not a pilot. I would be dead by now.

[flagged]

  • This is a place that puts "Hacker" in the name despite the stigma in the mainstream. Given the intended meaning of the term, I would naturally expect this to be a place where people can speculate and reason from first principles, on the information available to them, in search of some kind of insight, without being shamed for it.

    You don't have to like that culture and you also don't have to participate in it. Making a throwaway account to complain about it is not eusocial behaviour, however. If you know something to be wrong with someone else's reasoning, the expected response is to highlight the flaw.

    • For me it's mainly about intent/unearned confidence.

      If someone is speculating about how such a problem might be solved while not trying to conceal their lack of direct experience, I'm fine with it, but not everyone is.

      If someone is accusing the designers of being idiots, with the fix "obvious" because reasons, well, yeah, that's unhelpful.


    • > That said Boeing could take a page out of the Garmin GI275

      This is not "reasoning from first principles". In fact, I don't think there is any reasoning in the comment.

      There is an implication that an obvious solution exists, and then a brief description of said solution.

      I am all for speculation and reasoning outside of one's domain, but not low quality commentary like "ugh can't you just do what garmin did".

      This is not a throwaway, I'm a lurker, but was compelled to comment. IMHO HN is not the place for "throwaway" ad hominems.


    • (Different user here) Hacker News' "culture" is one of VC tech bros trying to identify monopolies to exploit, presumably so they can be buried with all their money when they die. There's less critical thinking here than you'd find in comments sections for major newspapers.


  • Yeah, people shouldn't bat ideas around and read replies from other people about why those ideas wouldn't work. Somebody might learn something, and that would be bad.