PPRuNe Forums - View Single Post - TAM A320 crash at Congonhas, Brazil
Old 30th Sep 2007, 18:16
  #2563 (permalink)  
Austrian Simon
 
Join Date: Apr 2005
Location: Salzburg
Posts: 106
KISS in combination with human psychology means that the system should only assume the last command given by the human as valid, and disregard any conflicting earlier commands.

In this particular accident the last commands given to the systems were by autothrust: engines to idle, and by the humans: left hand engine to idle and into reverse. Hence, the right hand engine had no reason to spool up, even though the T/L#2 was seen in a high power setting by the computers. The last command by the human was clearly to stop the airplane, hence spoilers and brakes should activate too.

Now let's look into this a bit closer.

For example, the human activated autothrust, so he delegated thrust control to the automatics. Fine, the automatics will do the job as commanded and hence adjust thrust as needed. No change to current way of operation. Fully within the expectation of the pilot, so no problem from human psychology, too.

Now, assume the airplane is in the flare, and autothrottle brings the engines back to (nearly) idle. At 20 feet the human retards only one thrust lever (TL#1).

What was the last command given by the human? Correct - go to idle (on the left engine), we are going to land. As a result, autothrottle disconnects. So far, so good - and so far that's what happened in this accident (as seen by the computers and the FDR recordings).

And now we are in the critical decision: what is the human intending really? The other T/L#2 is commanding a high power, does he want a go-around indeed as quite a few claimed in this thread?

So, in this conflict, why did autothrust disengage then? If the system cannot decide, are we going to land or are we going around, why did the autothrust system disconnect and follow the command to land, while the other systems did not and instead set up for a go-around? This, in my opinion, is a violation of all engineering principles, I know. Based on the very same input different systems must not go into conflicting modes!

If we let the last command prevail however: the pilot wants to stop the airplane, of course, otherwise it would be inexplicable why the one thrust lever was brought to idle.

As the system didn't sense movement of the other thrust lever (for whatever reason - be it the human forgetting the lever, be it a computer glitch as has happened before where the link between thrust lever and computers was broken, be it an electronic or any other problem), the command to put it into the CLB detent or anywhere between CLB and Idle Detent was issued before that last disengagement of autothrust and is now to be disregarded until the human makes clear what he really wants.

Hence, the engine should not spool up as it did in this accident, but remain at whatever power setting it was producing at the time of autothrottle disengagement. The FDR tells that the engine was at close to idle, if not idle, so that's in agreement with this pilot's expectation of the engine's behaviour. At the same time the systems to stop the airplane, spoilers, autobrakes, etc. should arm and operate upon WOW as both engines are at or close to idle, or in reverse.

Now what if the pilot really wanted to go around, as some have claimed in this thread? It is natural for a pilot to advance the throttle levers for a go-around, and put them into TOGA. He expects, and is used to, having to actively issue a command to initiate the go-around. So, if he did indeed advance one or more levers at this stage, then the systems would of course assume a go-around and react accordingly by increasing the corresponding engine's thrust and disengaging spoilers, brakes etc.

But this time, it is not a decision on its own based on an outdated (forgotten) thrust lever setting, but on a current lever movement clearly indicating the pilot's intentions. And yes, that go-around would be initiated even with T/L#1 still in reverse and reverser deployed on engine#1, so the human would not be deprived of that option in case he feels it is safer to abort than to continue the landing despite the deployed reverser.

Now, how would that system react to an engine problem and the pilot putting the corresponding thrust lever into the idle detent?

Same way. Autothrust would turn off, the other engine would continue on its current thrust setting, and the troubled engine would spool down to idle. Pilot moves the other thrust lever into the MCT detent or commands a slightly higher manual thrust setting to compensate for single engine operation, and everything works as normal (autothrust engages again to command the other engine only, or the other engine spools up to the manually commanded thrust setting).

No-brainer, as far as I am concerned, in the technical design of the systems. But it puts the pilot back into control, and does not confront him with a scenario where he gets taken by surprise by an accelerating engine in a very critical moment of flight without him commanding that acceleration (as far as the pilot is concerned, even though the throttle lever may be in a position commanding a high thrust output).

Even if - which may be an outcome of the investigation, too - the links between the thrust lever and the computers were lost (and hence the computers no longer registered any movement of the lever, as it has happened on quite a few flights already) or the pilots really forgot to retard that lever, this would not have ended in the catastrophic outcome as in this crash. And the pilot would still have had the option to initiate a go-around on single engine with one thrust reverser deployed on the other engine. All the pilot would need to do to command that go-around is advance (move) the other thrust lever.

This solution would be equivalent to the moving thrust levers in other plane types, too. As the autothrust system on those types would move those throttles to idle during the flare, the engine would remain at the idle setting even if the human forgets to pull the throttles back to idle. Upon autothrust deactivation no engine would spool up on those types.

Well, what if the lever was forgotten in the CLB detent and the pilot actually now requires it to be in the CLB detent to resolve the resulting situation? Just move it out of the CLB shortly and back in. That would be a natural move for the human anyway, as he'd assume the lever in the IDLE detent and thus grab it and move it forward, then develop the feel of a wrong position and probably look down to get in sync with the current position again.

What happens if the pilot forgets both levers in the CLB detent? During the flare autothrust would command both engines to idle. As a result, spoilers and brakes would arm and operate. If the pilot now wants to abort the landing, it would be natural for him anyway to advance both levers to TOGA, which would increase engine thrust, stow spoilers and disengage brakes. Works as with any other plane, even those whose autothrust systems move the thrust levers, except perhaps that the hand wouldn't find the thrust levers in the IDLE position.

Now, let's assume the pilot forgot one or all levers in the CLB detent, autothrust remained active though spoilers and brakes operated due to both engines at idle and WOW, now the airplane is about to taxi off the runway, and at this point the pilot moves the levers to increase thrust for taxi. Now the engines would respond, of course - but now it's absolutely clear to the pilot that his last action was to command thrust, something went wrong with this command, and he would immediately turn his attention towards that last command and correct whatever went wrong, especially he'd immediately pull the throttles to idle (which effectively turns off autothrust and brings the thrust levers into the needed position and engines back to idle). Pilot and machine are immediately back in synchronisation again.

Now, a look at the normal way of moving from autothrust to manual thrust: the pilot moves the levers into a position that is consistent with the current thrust output of the engines, then turns autothrust off. Bingo, works as we are used to. The engines would remain at their current thrust output until the levers are moved again. Exactly, what we want.

So my solution to this would be: always adhere to the last command given by the pilot.

Once autothrottle deactivates, leave the engines at their current thrust setting, regardless of lever position, and wait where the humans move the thrust levers to. If engines are at or close to idle and weight is on the wheels, allow activation of spoilers and brakes.

I believe such a system would support the human - without needing an alert at a critical phase of flight, which may be blanked out by the human brain concentrated on other tasks. And I believe the system would be correct in the principles of control circuits, match human psychology and provide a solid, easy and simple man/machine interface compatible with all existing plane types. An absolutely intuitive solution consistent with KISS.

Have I overlooked something that would not be covered in such a scenario?

Servus, Simon
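A small model of the arbitration rule proposed in the post above, added here as an illustration; it is not part of the original post and not any aircraft's actual logic. The class, the detent-to-thrust scale and the function names are assumptions. It runs the post's landing sequence under the proposed last-command rule and under a rule where every lever position is honoured once autothrust disconnects.

```python
# Simplified, hypothetical model of the "last command wins" proposal.
# Names and the numeric thrust scale are assumptions made for this example.
from dataclasses import dataclass, field

POS = {"REV": -1, "IDLE": 0, "CLB": 2, "TOGA": 3}  # detent -> commanded thrust (constructed scale)

@dataclass
class Thrust:
    last_command_wins: bool  # True: the post's proposal; False: lever position is always honoured
    levers: list = field(default_factory=lambda: ["CLB", "CLB"])
    engines: list = field(default_factory=lambda: [2, 2])
    athr: bool = True        # autothrust engaged
    wow: bool = False        # weight on wheels

    def athr_flare(self):
        """Autothrust brings both engines to idle in the flare; the levers do not move."""
        if self.athr:
            self.engines = [0, 0]

    def move(self, i, pos):
        """The pilot moves lever i to a detent."""
        self.levers[i] = pos
        if pos in ("IDLE", "REV"):
            self.athr = False                    # retarding a lever disconnects autothrust
        if self.last_command_wins or self.athr:
            self.engines[i] = POS[pos]           # only the lever that moved is a fresh command
        else:
            # Position rule: after disconnect every engine follows its lever,
            # including a lever that was never touched.
            self.engines = [POS[p] for p in self.levers]

    def ground_stop(self):
        """Spoilers and autobrakes operate on WOW with all engines at idle or in reverse."""
        return self.wow and all(e <= 0 for e in self.engines)

def landing(last_command_wins):
    """Sequence from the post: flare, TL#1 to idle then reverse, TL#2 left in CLB, touchdown."""
    t = Thrust(last_command_wins)
    t.athr_flare()
    t.move(0, "IDLE")
    t.move(0, "REV")
    t.wow = True
    return t

if __name__ == "__main__":
    for rule in (True, False):
        t = landing(rule)
        print("last-command" if rule else "position", t.engines, "ground stop:", t.ground_stop())
```
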