An element of my thinking on this includes asking if the control has a gate or not, and its criticality. I am not at all a jet pilot, so I approach discussion of controls in a jet with caution. That said, I am very familiar with "lift to actuate" toggle switches, which are the type used as the engine RUN/CUTOFF switches we were discussing elsewhere. In my mind, those "lift to actuate" switches are "gated" just as a propeller control might have a gate to prevent inadvertent selection into feather, or a condition lever has a gate to prevent engine shut down. The "gate" in this sense is different from a guard.

Thinking to the Twin Otter, the condition levers are guarded, you have to move a clear plastic shield to move the lever(s) toward shut down. The propeller levers are gated, a second motion is required to get them into feather, and the power levers are gated as you have to roll the handles to unlock a gate to select them backward into Beta range. All good for me. Add to that, the Twin Otter autofeather system is designed (and it's a pre takeoff check) that when autofeather is armed (for takeoff) a power loss of an engine will result in the automatic feather of that engine. However, if the second engine also loses power, it will not autofeather. If you want to feather the second engine, you have to do it manually by moving that propeller lever past a gate. I like that system too. My MT reversing propeller, in addition to a guarded switch to actuate reverse, also has a maximum propeller RPM (well below flight) and maximum airspeed [diaphragm switch] (well below flying speed) to prevent the operation of reverse in flight. Serious protections against a serious error which a pilot could make - good!

So, I wonder to myself, if 1960's technology can include this simple protection against a second error, why would the RUN/CUTOFF switches of a very modern airliner have at least that protection. I presume that there must be a reason, but darned if I can imagine it!

And/or, why not have a "confirmation" button/screen tab etc. which lights up saying that the second switch has been moved to "CUTOFF", confirm you want that to happen by pushing this button - very similar to the Twin Otter autofeather system - the next one won't unless a second action is performed.

As said, it's hard to guard against a brain fart, but it is possible. A gated switch/control is a start - two distinct actions to make the selection. A guarded switch - okay, still two actions, though one action could do it if it were the right action. I don't accept that a brain fart will end up shutting down two engines one immediately after the other, when two distinct actions on one switch, then two more on a second switch are required to accomplish that, but maybe I'm wrong. I do know that a Basler DC-3T was splashed because a crew member pulled both condition levers past their gate and into cutoff right after takeoff. But, that can be one hand [on two levers] one action - because the Basler's condition lever gates are more like a gentle reminder than a hard gate.

I agree that it's much more difficult to design away the opportunity for deliberate malicious pilot action, though in the case of simply switching off one engine after another, the afore mentioned "confirm that you really want to do that" would give a second crew member a hope of acting to prevent the second malicious shut down. Heck my computer requires that I confirm I want to delete a file, it can't be that difficult.

Sure, every new system we introduce to protect against something introduces another thing that can fail, so there is a balance. That' why when flying the Twin Otter, I would do the pre takeoff autofeather test.

I am certainly guilty of the occasional brain fart, or simply having my finger on the wrong switch when brain commanded my hand to move something. A couple of years ago, chocked on the apron with the new test airplane I did it, and though the plane did not move as a result of my mis step, the result was very noticeable to the group of people watching, and certainly a large reduction in safety at the moment. the next prototype will have a very different switch arrangement for that test function, because I have specified it. The team seeing me make the error agrees that someone else would too, so let's design out the error before we freeze the design!

We learn by mistakes. Hopefully, our learning is broad enough that we can begin to anticipate mistakes before they are made. I give a lot of thought to these factors/errors when I consider certification of new designs. These discussions help!