Disagree button for engine shutdown
 

The commonalities between jeju and Air India are astounding, engine shutdown when totally not appropriate.

I would suggest cockpits be added with a 2nd shutdown switch. That if an engine shutdown is commanded by the crew, and the computer disagrees its necessary, that the crew need to push a 2nd, more guarded and inaccessible, switch to command the shutdown.

I have discussed this very concept with certification authorities for future consideration. Considering the many twin engine airplanes will not allow the autofeather system to feather the second engine, the same theme has merit when it comes to shutting down the engine entirely! There have been cases where two (both) engines were shut down by mistake, resulting in a crash. Automated systems, along with electric, rather than completely manual, shut off controls, gives us a new design opportunity to prevent what might be thought of as a single point failure in pilot action.

I can understand why you might want to pull the fuel cut-off switches for an engine fire but would it be more logical that the thrust had to be reduced to idle for a short period - perhaps 5 seconds - first ?

You've chosen two examples where we don't have final reports, so we don't really know what happened.

Your proposal would not prevent malicious shutdown.
It would not prevent wrong engine shutdown when the crew is convinced they have the correct engine, and thus operate the second switch without further thought.

It may help when the shutdown was commanded as an action slip, but many pilots think that never happened anyway—it's certainly very rare.

But you would run the danger of creating situations where it becomes impossible to shut down an engine due to a computer malfunction; or a situation where the crew thinks they have shut down the engine when it is still running because the system is still waiting for a confirmation they didn't think it would ask for.
As an example, if weight-on-wheels fails, the system might require confirmation when shutting the engines down at the stand when it normally is not required.

Hang on, to shut an engine down we follow a set procedure of diagnosis, agreement of the condition, and then a monitored and confirmed drill with both pilots fully involved. If this is done properly then the chances of shutting down the wrong engine are extremely small. The thrust lever is retarded first, then the fuel control switch cutoff, then the fire switch if necessary. Each one is done carefully and deliberately and I always check that the other engine is still running at (usually higher thrust) after closing the thrust lever, and before moving the fuel control switch. Just a quick glance. I’d be even more careful for real I think, especially if both engines were at idle in the descent.

As I write this there are approx 4,000 Boeing Aircraft in the sky at this time, according to Chatgpt, with 263,000 Commercial Movements today worldwide, a third of them Boeing.
Approx 3,700 to 3,800 people will die today because of Automobiles, and other road transport, shall we ban cars?

Seeing 100% of Pilot Suicides are caused by human's maybe we should remove the human form the flight deck?


Sorry, but without the full report on what happened, its a bit early to be jumping to conclusions.

Agreed.

Shutting down all engines at the take-off phase of flight is unthinkable to most pilots, and adding layers of electronics between the switches and the FADECs and valves would not improve the robustness, because that would introduce the possibility of malfunctions, leading to uncommanded shut-downs.

Possibly, only possibly; a physical gate moved by the thrust levers, so that the fuel cut-off could not be moved unless the relevant thrust lever was at idle. That way, PM would not be physically able to move the switches because PF would have their hands on the thrust levers at that point and therefore able to resist - or at least be warned of what PM might be attempting.

But airliners have flown millions of hours and take-offs without this problem ever arising, so I would question the need for any change, (while re-stating my personal call to make pilot rosters more reasonable).

But, 'we' need to introduce some sort of reporting system that pilots could use for personal stress issues, without fear of reprisals. E.g. the fatigue reporting system could be expanded to include stress. Pilot licence or earnings replacement insurance should not be allowed to be refused for mental issues in the event of a pilot losing their medical.

Such measures might help pilots under (any form of) stress to get help and be excused line duties if necessary, until they had satisfactorily sorted their problems out.

Peer support programs already exist and used by many airlines. It's a positive evolution that needs more development as well...

As to the initial proposition of this thread, I don't see how this would solve the issue for the mentioned cases. If you want to shut down the engine, you shut it down. If you shut down the wrong one, at one point both pilots were convinced it was the "correct" engine to shut down. Surges and stalls can be deceiving. Ie everybody talks about vibration, yet Boeing knows vibration is deceiving and the instrument unreliable.

I preface by saying that I am not a jet pilot at all, though lots of twin propeller time. I have flown the DA-42, where an engine failure is a no pilot action event, other than securing it when time permits - big jet like in procedures.

In a twin prop, getting the failed one feathered promptly is pretty important. I understand that a jet, less so. Wait it out steady up to altitude X, then start securing things. So, I ask myself, and considering the immensely low risk of a malicious shutdown, what if software delayed any action to shut down a second engine by umpteen seconds? Sure, pilot action for a first engine event. But, is there any need for instant action behind that for a second engine shut down! Engine fire aside, whatever could possibly cause a pilot to decide to shut down the second engine could probably wait 30 seconds before the shut down command was actioned by the airplane. So a message: "You have commanded the shutdown of the second engine. This shutdown will occur in thirty seconds unless you XXX". If nothing else, it would give a very surprised second pilot time to do something to prevent the shutdown, rather than dealing with it after the shutdown had commenced.

I'm thinking about this from a certification perspective, as we have already been having discussions in this theme....

I hear the arguments against, which is pilots are well trained, but with Kegworth we now have at least 3 recent instances where the wrong/both engines were shut down. I would suggest at the least, if not my suggested solution, than a safety body should take this issue onboard as a priority and come up with a solution for the next generation of passenger jets. Air India and others could give us a chance to make a step forward in airline safety, or could be a wasted opportunity. The other priority issues are US runway incursions and aircrew mental health (EgyptAir, germanwings, MH370). ICAO or whoever should take these concerns on board and aim for a step change in safety.

This process has begun in its infancy in Canada, with discussions I have had with Transport Canada staff. That said, short of FAA NPRM action to change FAR 25 (which would be a good idea), the execution of the "good idea" in here must be by the aircraft designed (approval applicant) rather than the "safety body". A good way to begin that is that the customers (the airlines, in this case) ask for this in the design of the products that they buy. It'll be an awkward ask though, as the airlines would rather not discuss why they think they could need this feature!

So we're in that regulatory grey zone, where a good idea lacks actual regulation, and lacks a proponent to carry it forward to be a requirement and feature - but, the theme is not overlooked....

The current layout of the Boeing fuel control switches has remained the same for 70 years - literally generations of pilots know and use this layout.
The potential of a redesign introducing undesirable unintended consciences is very high - especially if it's a knee-jerk response. Something like this needs to be carefully and thoroughly vetted before it sees the light of day. For example, requiring the thrust lever at idle - what if the lever gets jammed somehow and can't be moved to idle? Requiring both pilots to take an action - what if one pilot is incapacitated?

As I understand it, Kegworth both pilots agreed on the engine - it's just that they were both wrong.

I think the first step is to better educate and train the pilots that there is almost never a reason to rush shutting down a turbofan engine. Even with an engine fire, the bult in protections give you minutes to take action, not seconds. Was there some reason (that we don't yet know about) that caused Jeju to 'rush to judgement' and shutdown an engine quickly? Or did they just panic, and get it wrong?

There are lots of ways a panicked pilot can crash an aircraft - shutting down the wrong engine is just one. Maybe the answer is to get pilots to not panic?

Things like EICAS/ECAM have made it far easier to correctly identify a malfunctioning engine - are pilots being appropriately trained to use that?

Exactly, engine identification is the issue, not the execution.

The issue with "vibration" has always caused confusion, back in the BMI days and still today... we even had those discussions on the 777.

Birdstrikes might lead to surges/stalls, but with airframe vibrations, many crews will consider it "severe damage". Which is what this crew did. So maybe they identified the wrong engine. But if the discussion now ends up in a "yes both engines were vibrating, but engine X was the only engine providing electrical power and was the wrong engine to shut down", we are not done with the Boeing 737 procedures and blaming pilots is just too simple office talk. This would be a fun sim scenario by the way...

So yes, the BIG question should be brought to the Boeing table: why no EICAS to help the situational awareness? (I know, money) Allowing correct identification is key here.

Engine fire notwithstanding, is there a rush to shut down a turbofan engine at all? Particularly shortly after takeoff?

The only thing I can think of is severe engine vibrations from something like a fan blade-out event. I've been told the resultant vibrations have been so bad that the pilots can't see the displays.
That being said, it's unlikely that and engine will keep running after such an event, and shutting it down doesn't get rid of the vibration, it just lessens it somewhat.

I’ve been associated with two (I think THE two) Fan Blade Off events involving the BR 725 engines on Global Expresses. I personally knew the first crew. They reported a loud bang and instantly very severe vibrations that were disorienting, not in the spatial way, in a hard to read and understand the instruments way. They did nothing because couldn’t decide what to do. Soon the engine shut itself down. There was still vibration, but reduced. The USAF E-11 crew had a similar event, but despite using the old “move the throttle to identify the dead engine” decided wrong and caged the wrong one. The affected engine shut down and the vibration, we believe, continued. The crew appears to never recognized the engine with status message ENG SHUTDOWN was perfectly usable and could have restarted, perhaps due to extent of continuing vibration.

Doing nothing until you understand the situation you are in is very valid. If you can keep your guts out of your throat, of course.

BTW, the Gulfstreams with BR 725 have a very specific procedure due to the possibility of the FBO engine creating an harmonic with structure at certain speeds.

Not being able to see the displays is a "definition" to identify severe turbulence.

When it comes to fan blad failures, the Boeing FCTM is pretty scary. It states vibration may be severe, but "it is extremely unlikely that the vibration will damage the airplane structure or critical systems". It furthermore discusses the impact on human performance and gives some advice "to find relief" like leaning forward or even... standing up. I think the main goal is to remain seated with seatbelts on. When reading this the first time I did wonder what level of vibration we are talking about and what the psychological effect would be if an FCTM needs to comfort you it will not damage the structure.

I've talked to some people who've experienced engine surges. Most of them fairly "as expected" from simulator training, but one described it as "much more violent" than the simulator.

Perhaps adding the engine auxiliaries (generator/s and pump/s) to the detailed engine status display might be helpful? If everything on one engine is orange, you don't want to shut down the other engine, at least not without getting the APU running first (depending on aircraft architecture).

I wonder if you could get a general 'engine health' or 'maximum predicted available thrust' rating out of the FADEC. Display it on the N1/EPR dials post engine malfunction.

On detection of high cockpit vibration, swap the engine display to a large-text large-dial version, in the same way that fire/smoke procedures are printed in large text for easy visibility. New aircraft with massive displays mean you can probably seize display area from lower-priority displays (subject to an override back to normal mode) to get easier-to-read information.

There is no need to reinvent the wheel. Aircraft manufacturers should simply take a page out of Embraers book. In an Ejet, the engine will not shut down unless the trust lever is at idle before the run switch is selected to stop. preventing incorrect shutdowns.

And Boeing have a failure case in which the thrust lever remains stuck in its position. Much fun on leveloff after takeoff.