
The Switch That Shouldn’t Exist: When Design Fails in Silence

261 lives. 1 second. 2 switches. 0 software logic.

“While this fuel control switch is indeed present in every modern aircraft as part of safety design, FAA bulletins show it can be moved to ‘off’ under certain conditions in flight.
My concern is not about deliberate use during take‑off (which is strictly prohibited) but about the underlying design that allows such a critical switch to be actioned without an additional safeguard. In high‑stress scenarios, that’s a latent design flaw waiting to surface.”

On June 12, 2025, Air India Flight AI171, a Boeing 787 Dreamliner, lifted off from Ahmedabad en route to London. Less than a minute later, it fell out of the sky, crashing into buildings and killing 261 people.

The black box revealed a chilling moment in the cockpit. One pilot asked the other: “Why did you cutoff?” The reply: “I didn’t.”

Both fuel control switches had been moved from RUN to CUTOFF. Both engines died. And despite the aircraft being in its most vulnerable flight phase—just seconds after takeoff—there was no system warning, no logic gate, no override.

Just silence.

“Some engineers and pilots have pointed out that in incidents like these, a sudden loss of thrust might indicate an underlying engine failure, independent of the fuel control switch position. If that’s true, then the design discussion around the switch is only part of a bigger safety puzzle.”

This Is Not About Blame. It’s About System Design.

Let’s assume, for argument’s sake, that a pilot made a mistake. Maybe one of them panicked. Maybe it was a rogue act. Maybe not. But here’s the real question:

If a $250 million aircraft knows it’s in the air, past V1 (takeoff decision speed), why is it even possible to shut down both engines with two fingers and no challenge logic?

The same plane blocks hundreds of systems while on the ground. The Ram Air Turbine (RAT), a backup power device, does not deploy automatically while the aircraft is taxiing or parked; its deployment logic is armed in flight and triggers only under strict failure conditions. It knows what phase of flight it is in.

So why don’t the engine cutoff switches know?

If a lunar lander can abort or reshape a thruster burn when altitude and thrust disagree (as ISRO learned the hard way with the Chandrayaan-2 lander in 2019), why can't a Dreamliner prevent a dual fuel shutoff at 200 feet?

Even NASA's planetary landers rely on radar and laser altimeters to judge height and terrain and to shape the descent thrust profile. That sensing hardware is a small fraction of a mission's budget, and yet it guides billion-dollar hardware safely onto other worlds.

Commercial aircraft carry human lives. And yet?

This Was Not a Crash. It Was a System-Sanctioned Shutdown.

The preliminary investigation report (AAIB India, July 2025) records the sequence:
- The Engine 1 and Engine 2 fuel control switches moved from RUN to CUTOFF one after the other, about one second apart, starting at 08:08:42 UTC, roughly three seconds after liftoff.
- The RAT deployed automatically.
- Both switches were returned to RUN about ten seconds later. Engine 1 began to recover; Engine 2 relit but could not arrest its deceleration before impact.
- No significant bird activity was observed, and the report makes no recommendations to 787 or GEnx operators at this stage.

And yet, the FAA issued a notice declaring that the switch design, including its locking feature, does not constitute an unsafe condition warranting an Airworthiness Directive. Boeing echoed this. The FAA's 2018 Special Airworthiness Information Bulletin on that locking feature (NM-18-33) was advisory, not mandatory, and remains so. No Airworthiness Directive. No mandatory retrofit. Nothing.

Instead, the narrative is slowly shifting: “Pilot error.”

Even if that’s true, the system’s role is to protect lives from that error.

The Failure Wasn’t in the Cockpit. It Was in the Code.

Safety-critical systems must be built with a simple truth:

Human error is expected. System failure is not.

The fuel cutoff switches should be:
- Disabled below a safe altitude unless there is an engine fire
- Interlocked against simultaneous activation on both engines
- Tied to thrust logic and gear position
- Subject to dual confirmation when airborne

This isn't advanced AI. The decision logic is a handful of IF conditions. The hard part, and the reason such a change has to be argued for rather than assumed, is proving that the interlock itself can never block a cutoff the crew genuinely needs; that is why the fire case must be an explicit override rather than an afterthought.
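To make the proposal concrete, here is an added example of how those four rules compose into one interlock and what each would return for a constructed sequence shaped like the one in the preliminary report (two switches a second apart, three seconds after liftoff, gear down, takeoff thrust set). This is illustrative code written for this post, not Boeing's logic, not anything from the report, and not a certified design; every threshold, signal name and the scenario altitude are assumptions made for the example.

```python
"""Added example: one fuel-cutoff interlock composing the four proposed rules.
Illustrative only; not Boeing's logic or any certified design. Thresholds,
signal names and the scenario altitudes are assumptions for the example."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ACCEPT = "accept"               # switch movement is passed through to the engine
    HOLD = "hold_for_confirmation"  # first of two required actions; nothing happens yet
    REJECT = "reject"               # movement blocked and logged


# Assumed thresholds, not taken from any aircraft manual.
SAFE_ALTITUDE_FT = 400.0    # below this AGL an airborne cutoff needs a fire warning
DUAL_CUTOFF_WINDOW_S = 2.0  # a second engine cutoff this soon after the first is blocked
CONFIRM_TIMEOUT_S = 5.0     # a held request expires after this many seconds
HIGH_THRUST = 0.8           # commanded thrust fraction treated as takeoff / go-around


@dataclass
class AircraftState:
    airborne: bool
    altitude_agl_ft: float
    gear_down: bool
    thrust_cmd: dict     # engine number -> commanded thrust fraction 0..1
    fire_warning: dict   # engine number -> True if a fire warning is active


@dataclass
class FuelCutoffInterlock:
    accepted_at: dict = field(default_factory=dict)    # engine -> time cutoff was accepted
    pending_since: dict = field(default_factory=dict)  # engine -> time of the held request
    log: list = field(default_factory=list)            # (t, engine, Decision, reason)

    def request_cutoff(self, engine, t, state, confirmed=False):
        """Evaluate one RUN -> CUTOFF movement of `engine`'s switch at time t (seconds)."""
        # 1. On the ground the switch behaves exactly as it does today.
        if not state.airborne:
            return self._accept(engine, t, "on ground")
        # 2. A fire warning on this engine overrides every other rule.
        if state.fire_warning.get(engine, False):
            return self._accept(engine, t, "fire warning")
        # 3. Never take the last running engine away within seconds of the first.
        for other, t_other in self.accepted_at.items():
            if other != engine and t - t_other < DUAL_CUTOFF_WINDOW_S:
                return self._reject(engine, t, f"engine {other} cut off {t - t_other:.1f}s ago")
        # 4. Critical phase (low, gear down or high thrust): no cutoff without a fire.
        if (state.altitude_agl_ft < SAFE_ALTITUDE_FT or state.gear_down
                or state.thrust_cmd.get(engine, 0.0) >= HIGH_THRUST):
            return self._reject(engine, t, f"critical phase, {state.altitude_agl_ft:.0f} ft AGL")
        # 5. Otherwise airborne: hold until a second, confirmed action within the timeout.
        first = self.pending_since.get(engine)
        if confirmed and first is not None and t - first <= CONFIRM_TIMEOUT_S:
            del self.pending_since[engine]
            return self._accept(engine, t, "confirmed")
        self.pending_since[engine] = t
        self.log.append((t, engine, Decision.HOLD, "awaiting confirmation"))
        return Decision.HOLD

    def _accept(self, engine, t, why):
        self.accepted_at[engine] = t
        self.log.append((t, engine, Decision.ACCEPT, why))
        return Decision.ACCEPT

    def _reject(self, engine, t, why):
        self.log.append((t, engine, Decision.REJECT, why))
        return Decision.REJECT


def replay_takeoff_scenario():
    """Constructed sequence shaped like the report's timeline: switches moved one
    second apart, three seconds after liftoff, gear down, takeoff thrust set.
    The 60 ft altitude is a constructed value, not a figure from the report."""
    il = FuelCutoffInterlock()
    takeoff = AircraftState(airborne=True, altitude_agl_ft=60.0, gear_down=True,
                            thrust_cmd={1: 0.95, 2: 0.95}, fire_warning={1: False, 2: False})
    d1 = il.request_cutoff(1, t=3.0, state=takeoff)
    d2 = il.request_cutoff(2, t=4.0, state=takeoff)
    return d1, d2, il.log


def replay_cruise_scenarios():
    """High and clean: one action is held, a confirmed second action is accepted,
    an immediate cutoff of the other engine is blocked, and a fire passes at once."""
    cruise = AircraftState(airborne=True, altitude_agl_ft=35000.0, gear_down=False,
                           thrust_cmd={1: 0.6, 2: 0.6}, fire_warning={1: False, 2: False})
    il = FuelCutoffInterlock()
    held = il.request_cutoff(2, t=100.0, state=cruise)
    accepted = il.request_cutoff(2, t=101.5, state=cruise, confirmed=True)
    dual = il.request_cutoff(1, t=102.0, state=cruise, confirmed=True)
    fire = AircraftState(airborne=True, altitude_agl_ft=35000.0, gear_down=False,
                         thrust_cmd={1: 0.6, 2: 0.6}, fire_warning={1: True, 2: False})
    fire_cutoff = FuelCutoffInterlock().request_cutoff(1, t=200.0, state=fire)
    return held, accepted, dual, fire_cutoff


def replay_ground_shutdown():
    """Normal shutdown at the gate: both switches accepted, no confirmation needed."""
    ground = AircraftState(airborne=False, altitude_agl_ft=0.0, gear_down=True,
                           thrust_cmd={1: 0.0, 2: 0.0}, fire_warning={1: False, 2: False})
    il = FuelCutoffInterlock()
    return il.request_cutoff(1, t=0.0, state=ground), il.request_cutoff(2, t=0.5, state=ground)
```

Note what the replay shows and what it does not. Both takeoff-phase movements are rejected on the altitude and gear checks alone; a single cruise request is merely held until a second, confirmed action; an attempt to cut the other engine half a second later is blocked; a fire warning passes straight through; and on the ground the switches behave exactly as they do today. It also shows the cost of the design: the interlock is only as trustworthy as the airborne, altitude and fire signals it reads, so a failed sensor becomes a new way to lose control of the fuel. That trade-off is what any real certification argument would have to close, and it is not visible in the IF conditions themselves.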

We Deserve Better From the Systems That Carry Us

I’m not a pilot. I’m not a Boeing engineer. I’m a systems designer and software architect. And this disaster is personal to me because I know what it feels like to raise a flag and be told: “We’ll fix it in the next version.”

We shouldn’t have to die waiting for Version 2.

Let this be a turning point. Not for headlines, but for design accountability.

If the RAT can wait for the sky to deploy, then the engine shutdown switches can wait for the ground.

“The cockpit transcript shows a brief but critical moment — the captain suddenly asks, ‘Did you turn the fuel off?’ and receives a reply, ‘No.’
That fleeting suspicion, combined with a sudden loss of thrust, has fueled global speculation.
Some argue a pilot may have mistakenly moved a switch and quickly corrected it; others point to deeper mechanical issues, noting both switches were found in the ON position after the crash.
Until the final report is released, we are left dissecting human factors, design flaws, and mechanical mysteries — all from that single exchange in the cockpit.”

“This isn’t about blaming a pilot or a machine. It’s about questioning why critical design elements—left open to interpretation in moments of crisis—still exist in systems meant to save lives.”

Written by: Mahendra Pratap Singh, Engineer | Founder