Originally Posted by Cyberhacker
Autonomy is all well and good, but if you permit a FADEC to switch off an engine automagically, I'd like to see your PROOF that it can't turn off another.
From a system engineering perspective, this would not be difficult to do.
For example, each engine controller could determine the health of its own engine and specifically if it was reliable enough to allow another engine to shut down. If it was, it would send a continuous coded "reliable engine" message to the other engine controller. A controller would only shut down the engine after it had terminated its own "reliable engine" message for some period of time (a few seconds), was receiving the "reliable engine" message from the other controller, and had determined that running its own engine was unsafe.
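The interlock described in the post above can be simulated as a small model; this is an added example, not code from the thread or from any real FADEC. The tick-based timing, the one-tick message latency, the hold values, the rule that an unsafe engine stays unsafe, and all names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Controller:
    unsafe_at: Optional[int]  # tick at which own engine is judged unsafe (None: never)
    hold: int                 # ticks own beacon must be silent before shutdown
    silent: int = 0
    running: bool = True

    def beacon(self, tick):
        """'Reliable engine' message: sent only while running and not unsafe."""
        unsafe = self.unsafe_at is not None and tick >= self.unsafe_at
        return self.running and not unsafe

    def step(self, tick, peer_beacon_seen):
        if not self.running:
            return
        if self.beacon(tick):
            self.silent = 0
            return
        # Beacon is off while still running, so own engine is unsafe.
        self.silent += 1
        if self.silent >= self.hold and peer_beacon_seen:
            self.running = False


def simulate(unsafe_a, unsafe_b, hold, delay=1, ticks=20):
    """Return (a_running, b_running) after the run; beacons arrive `delay` ticks late."""
    a, b = Controller(unsafe_a, hold), Controller(unsafe_b, hold)
    sent_a, sent_b = [], []
    for t in range(ticks):
        sent_a.append(a.beacon(t))
        sent_b.append(b.beacon(t))
        # Messages in flight before tick 0 said "reliable" on both sides.
        seen_b = sent_b[t - delay] if t >= delay else True
        seen_a = sent_a[t - delay] if t >= delay else True
        a.step(t, seen_b)
        b.step(t, seen_a)
    return a.running, b.running


def never_both_off(hold, delay=1, horizon=8):
    """Check every pair of fault times: at least one engine must stay running."""
    times = [None] + list(range(horizon))
    return all(any(simulate(a, b, hold, delay)) for a in times for b in times)


if __name__ == "__main__":
    print("hold=3:", never_both_off(hold=3))  # hold longer than message latency
    print("hold=1:", never_both_off(hold=1))  # hold no longer than latency
```

In this model the hold period has to exceed the message latency: with `hold=1` and a one-tick delay, two simultaneous faults each act on a stale "reliable engine" message and both engines stop.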