Originally Posted by
arf23
I started the "disagree" conversation. I intend this to mean the computer disagrees. The consensus is most aircraft computer systems these days are very very smart, and have a good grasp of what the aircraft is doing, what it should be doing and what constitutes smart actions and what is not. So if a pilot tries to shut down an engine, and the computer thinks that's not a great idea (Kegworth, Jeju, Air India, no doubt others) then the computer says "disagree" and the pilots are required to then press a 2nd button located someplace else. To my mind this second button would have the fidelity of the current "fuel off" button, i.e. it's a straight cut-off, no ifs or buts.
The issue is now you've put a 'logic device' in charge. The entire hardware system currently in use on all Boeing aircraft is specifically designed to
prevent exactly that - a rogue computer doing something stupid.
Yes, we give the FADEC the authority to control the engine - and potentially the authority to perform a shutdown for rotor overspeed (and TCMA using the rotor overspeed protection). By design, the rest of the FADEC doesn't use the digital 'cutoff' command from the aircraft except during autostart - once out of the 'start' mode, that logic tree is disabled. But all that is separate between engines. If you put an aircraft logic device in the CUTOFF circuit, you've suddenly introduced a potential single failure that can affect both engines.
In the aftermath of the Air India crash, you should certain see why that might not be a good idea (and besides, it would violate the engine isolation requirements of 25.901(c).).