Comment by xenadu02
7 months ago
It could be defective switch springs, fatigue-induced muscle memory error, or something else. The pilot who did it saying he did not may not have realized what he did. It's pretty common under high workload when you flip the wrong switch or move a control the wrong way to think that you did what you intended to do, not what you actually did.
That said Boeing could take a page out of the Garmin GI275. When power is removed it pops up a "60s to shutdown dialog" that you can cancel. Even if you accidentally press SHUTDOWN it only switches to a 10s countdown with a "CANCEL" button.
They could insert a delay if weight on wheels is off. First engine can shutdown when commanded but second engine goes on 60s delay with EICAS warning countdown. Or just always insert a delay unless the fire handle is pulled.
Still... that has its own set of risks and failure modes to consider.
When your engine catches on fire/blows apart on takeoff you want to cut fuel as fast as possible.
If its both engines you're fucked anyway if its shortly after takeoff.
But I'm an advocate of KISS. At a certain point you have to trust the pilot is not going to something extremely stupid/suicidal. Making overly complex systems to try to protect pilots from themselves leads to even worse issues, such as the faulty software in the Boeing 737-MAX.
Was thinking this same thing. A minute feels like a long time to us (using a Garmin as the example said) but a decent number of airplane accidents only take a couple minutes end to end between everything being fine and the crash. Building an insulation layer between the machine and the experts who are supposed to be flying it only makes it less safe by reducing control.
Proposed algorithm: If the flight computer thinks the engine looks "normal", then blare an alarm for x seconds before cutting the fuel.
I wonder if there have been cases where a pilot had to cut fuel before the computer could detect anything abnormal? I do realize that defining "abnormal" is the hardest part of this algorithm.
The incident with Sully landing in the Hudson is an interesting one related to this. They had a dual birdstrike and both engines were totally obliterated and had no thrust at all, but it came up later in the hearing that the computer data showed that one engine still had thrust due to a faulty sensor, so that type of sensor input can't really be trusted in a true emergency/edge case, especially if a sensor malfunctions while an engine is on fire or something.
As a software engineer myself I think it's interesting that we feel software is the true solution when we wouldn't accept that solution ourselves. For example typically in a company you do code reviews and have a release gating process but also there's some exception process for quickly committing code or making adjustments when theres an outage or something. Could you imagine if the system said "hey we aren't detecting an outage, you sure about that? why don't you go take a walk and get a coffee, if you still think there's an outage in 15 minutes from now we will let you make that critical change".
If the computer could tell perfectly whether the engine “looks normal” or not, there wouldn’t be any need for a switch. If it can’t, the switch most likely needs to work without delay in at least some situations.
In safety-critical engineering, you generally either automate things fully (i.e. to exceed human capabilities in all situations, not just most), or you keep them manual. Half-measures of automation kill people.
2 replies →
If engine_status == normal and last_activation greater than threshold time
Else Shut off immediately End
Override warning time by toggling again.
First, the fire handles would override any delay and cut fuel (and other things) immediately.
Second: the window of time where you don't have enough altitude (aka time) to restart is relatively small. So this could easily be a temporary protection.
It is difficult to find exact data on this but restart to significant thrust seems to be in the 30-60s range. If you run the numbers on climb rate and glide time the possible danger zone is relatively small, a few minutes after takeoff at most.
Is this an extremely rare event? Yes. But most other accident causes are also rare, regardless of whether they are pilot error or mechanical.
For example: you might think no pilot would deploy the thrust reversers in flight but system protection errors and/or mechanical failures have conspired to allow it and a bunch of people paid in blood to learn that reverser deployment in flight at altitude was actually unrecoverable - contrary to conventional wisdom at the time. It turned out everyone was flying around with a "kill everyone now" mechanism. In some cases with a much lower margin of safety than previously believed due to the aforementioned "conventional wisdom" that if it happened it wouldn't be a big deal.
Know what else isn't normally a big deal (relatively speaking)? Accidental shutdown of both engines. Because a single engine shutdown is easily recovered and the aircraft can fly on one engine. And dual engine shutdown is easily recovered with a restart if you have enough altitude. But it turns out there's a small window after takeoff where it is fatal.
Somewhat relatedly shutting down the wrong engine in an engine failure scenario is so common they explicitly train crews to slow down and not immediately shut down an engine after failure because rushing just leads to dual engine loss.
Delay is probably worse - now you're further disassociating the effect of the action from the action itself, breaking the usual rule: if you change something, and don't like the effect, change it back.
There is a relatively short window where dual engine shutdown is unrecoverable. Once you have a bit of altitude (and these jets climb at 2000-3000fpm) you have time for a restart and as thrust comes back sink rate will decrease even on one engine.
My proposal is during this window if dual engine shutdown is commanded don't do it. Treat it like it is happening - show the EICAS message, give the alert, but don't actually do the shutdown until the window has passed. This gives the pilots 10 seconds of startle factor then a bit of time to flip the switch back on.
Single engine shutdown would still behave as today so sure if one engine eats a fan blade shut it down. Not that it matters, the engine computer is going to cut fuel in that case anyway.
Insert a delay only for shutting down the remaining engine and only for X seconds after transition to air mode. A delay that the fire handle overrides.
Just a tiny bit of insurance. There aren't any emergency scenarios at low altitude where engine shutdown works but pulling the fire handle does not. You are coming right back to land at the airport no matter what.
This makes me wonder. Is there no audible alarm when the fuel is set to cutoff?
Shutting off both engines would display "ENG SHUTDOWN" in yellow text (caution) on the EICAS. If only one engine was shut down, it would say "ENG SHUTDOWN L" or "ENG SHUTDOWN R".
Any of these would trigger an unmistakable audible "BLEEP BLEEP BLEEP" to draw your attention to the screen so that you could see what the caution was. These messages are right next to the engine N1 indications anyway, so it would be immediately obvious that one or more of the engines was spooling down.
I'm doing it all the time while rebasing commits or force pushing to my branch. Sometimes I would just click the wrong buttons and end up having to stay late to clean the mess. It's a great thing I'm not a pilot. I would be dead by now.
[flagged]
Please don't sneer, including at the rest of the community.
https://news.ycombinator.com/newsguidelines.html
This is a place that puts "Hacker" in the name despite the stigma in the mainstream. Given the intended meaning of the term, I would naturally expect this to be a place where people can speculate and reason from first principles, on the information available to them, in search of some kind of insight, without being shamed for it.
You don't have to like that culture and you also don't have to participate in it. Making a throwaway account to complain about it is not eusocial behaviour, however. If you know something to be wrong with someone else's reasoning, the expected response is to highlight the flaw.
For me it's mainly about intent/unearned confidence.
If someone is speculating about how such a problem might be solved while not trying to conceal their lack of direct experience, I'm fine with it, but not everyone is.
If someone is accusing the designers of being idiots, with the fix "obvious" because reasons, well, yeah, that's unhelpful.
2 replies →
> That said Boeing could take a page out of the Garmin GI275
This is not "reasoning from first principles". In fact, I don't think there is any reasoning in the comment.
There is an implication that an obvious solution exists, and then a brief description of said solution.
I am all for speculation and reasoning outside of one's domain, but not low quality commentary like "ugh can't you just do what garmin did".
This is not a throwaway, I'm a lurker, but was compelled to comment. IMHO HN is not the place for "throwaway" ad hominems.
2 replies →
(Different user here) Hacker News' "culture" is one of VC tech bros trying to identify monopolies to exploit, presumably so they can be buried with all their money when they die. There's less critical thinking here than you'd find in comments sections for major newspapers.
3 replies →
Yeah, people shouldn't bat ideas around and read replies from other people about why those ideas wouldn't work. Somebody might learn something, and that would be bad.