NigelOnDraft

I think some are getting too hung up on this. There is "redundancy" in the engine shut off, AFIAK there are 2 physically separated electrical circuits to do this, and in this event, both got cut.

To create "a tragedy", seems therefore to require 4 very unlikely specific events:

1. A failure that is uncontained (as here, unusual and has to be addressed)
2. >1 fragment that causes damage elsewhere (I saw somewhere design assumes 1 fragment)
3. These 2 (or more) fragments fortuitously cutting the separate redundant paths of an important system
4. That system's failure then leading to a signifcantly increased safety problem.

If you over-concentrate on "shutting" an engine down, you end up with engines shutting themselves down of no accord - a far greater, IMHO, safety issue
We had 3 of 4 "unlikely" events, P of the 4th is small?

Or look at it another way, if you over-emphasise the need to shut engines down, then maybe Airbus could have designed the shut off curcuits to "self monitor", and if both circuits were cut, to shut down the engine. Sound a good design? Maybe, but in this case it would have given them a double engine failure

A manual shut off valve? (in the pylon?) - OK, maybe a good idea, but really enhancing flight safety? In both the quoted cases, once an engineer is in place to operate it, everybody was, or could be off, and well clear anyway.

I suspect the ATSB will look at it, but I disagree they will place strong recommendations on addressing it. As an airline pilot, I am wary of too many "safety systems" being too cleaver - they usually cause more problems than they solve. I am "nervous" of the software in the Trent that can "shut the engine down" without warning / pilot control.