All depends what 'shutdown' means?
The definition of "shut down" is a bit vague. Even Flight magazine don't have one:
http://www.flightglobal.com/news/articles/faa-orders-new-787-electrical-fix-to-prevent-power-failure-411794/
Does it mean "main engines shut down'? That seems unlikely, as the odds of main engines NOT being shut down for months at a time seem very small (maybe even smaller than the odds of two speed probes failing identically at the same time, AF447 style).
Does it mean "main engine generators and APU generators shut down"?
Does it mean "main engines, APU, and ground power all shut down"?
Does it mean "main engines, APU, ground power, and lithium battery all shut down or unavailable"?
Or some other set of circumstances not listed above?
And perhaps a more fundamental question: what level of certification is needed for a Generator Control Unit, and what went wrong from the design and certification process that allowed an arithmetic overflow to be designed in rather than designed out? It seems a fair bet that overflow is what happens to trigger the entry in to "fail safe mode", although the exact details are not yet clear.
It also seems a bit strange that "fail safe mode" in this case seems to mean "fail unsafe" (as in, "generate no power").
Have these guys been taking lessons from the [redacted] School of Safety Critical Software Design?
http://www.eetimes.com/document.asp?doc_id=1319966
Biting the hand that feeds IT
