That said Boeing could take a page out of the Garmin GI275. When power is removed it pops up a "60s to shutdown dialog" that you can cancel. Even if you accidentally press SHUTDOWN it only switches to a 10s countdown with a "CANCEL" button.
They could insert a delay if weight on wheels is off. First engine can shutdown when commanded but second engine goes on 60s delay with EICAS warning countdown. Or just always insert a delay unless the fire handle is pulled.
Still... that has its own set of risks and failure modes to consider.
But I'm an advocate of KISS. At a certain point you have to trust the pilot is not going to something extremely stupid/suicidal. Making overly complex systems to try to protect pilots from themselves leads to even worse issues, such as the faulty software in the Boeing 737-MAX.
I wonder if there have been cases where a pilot had to cut fuel before the computer could detect anything abnormal? I do realize that defining "abnormal" is the hardest part of this algorithm.
As a software engineer myself I think it's interesting that we feel software is the true solution when we wouldn't accept that solution ourselves. For example typically in a company you do code reviews and have a release gating process but also there's some exception process for quickly committing code or making adjustments when theres an outage or something. Could you imagine if the system said "hey we aren't detecting an outage, you sure about that? why don't you go take a walk and get a coffee, if you still think there's an outage in 15 minutes from now we will let you make that critical change".
In safety-critical engineering, you generally either automate things fully (i.e. to exceed human capabilities in all situations, not just most), or you keep them manual. Half-measures of automation kill people.
warn then shut offOverride warning time by toggling again.
Second: the window of time where you don't have enough altitude (aka time) to restart is relatively small. So this could easily be a temporary protection.
It is difficult to find exact data on this but restart to significant thrust seems to be in the 30-60s range. If you run the numbers on climb rate and glide time the possible danger zone is relatively small, a few minutes after takeoff at most.
Is this an extremely rare event? Yes. But most other accident causes are also rare, regardless of whether they are pilot error or mechanical.
For example: you might think no pilot would deploy the thrust reversers in flight but system protection errors and/or mechanical failures have conspired to allow it and a bunch of people paid in blood to learn that reverser deployment in flight at altitude was actually unrecoverable - contrary to conventional wisdom at the time. It turned out everyone was flying around with a "kill everyone now" mechanism. In some cases with a much lower margin of safety than previously believed due to the aforementioned "conventional wisdom" that if it happened it wouldn't be a big deal.
Know what else isn't normally a big deal (relatively speaking)? Accidental shutdown of both engines. Because a single engine shutdown is easily recovered and the aircraft can fly on one engine. And dual engine shutdown is easily recovered with a restart if you have enough altitude. But it turns out there's a small window after takeoff where it is fatal.
Somewhat relatedly shutting down the wrong engine in an engine failure scenario is so common they explicitly train crews to slow down and not immediately shut down an engine after failure because rushing just leads to dual engine loss.
You don't have to like that culture and you also don't have to participate in it. Making a throwaway account to complain about it is not eusocial behaviour, however. If you know something to be wrong with someone else's reasoning, the expected response is to highlight the flaw.
If someone is speculating about how such a problem might be solved while not trying to conceal their lack of direct experience, I'm fine with it, but not everyone is.
If someone is accusing the designers of being idiots, with the fix "obvious" because reasons, well, yeah, that's unhelpful.
This is not "reasoning from first principles". In fact, I don't think there is any reasoning in the comment.
There is an implication that an obvious solution exists, and then a brief description of said solution.
I am all for speculation and reasoning outside of one's domain, but not low quality commentary like "ugh can't you just do what garmin did".
This is not a throwaway, I'm a lurker, but was compelled to comment. IMHO HN is not the place for "throwaway" ad hominems.
My proposal is during this window if dual engine shutdown is commanded don't do it. Treat it like it is happening - show the EICAS message, give the alert, but don't actually do the shutdown until the window has passed. This gives the pilots 10 seconds of startle factor then a bit of time to flip the switch back on.
Single engine shutdown would still behave as today so sure if one engine eats a fan blade shut it down. Not that it matters, the engine computer is going to cut fuel in that case anyway.
Insert a delay only for shutting down the remaining engine and only for X seconds after transition to air mode. A delay that the fire handle overrides.
Just a tiny bit of insurance. There aren't any emergency scenarios at low altitude where engine shutdown works but pulling the fire handle does not. You are coming right back to land at the airport no matter what.
Any of these would trigger an unmistakable audible "BLEEP BLEEP BLEEP" to draw your attention to the screen so that you could see what the caution was. These messages are right next to the engine N1 indications anyway, so it would be immediately obvious that one or more of the engines was spooling down.