From a functional safety viewpoint, surely switching something off should always be a last resort... the "turn it off then back on again" attitude we have become used to with our PCs should not be acceptable in any safety-critical environment.
Autonomy is all well and good, but if you permit a FADEC to switch off an engine automagically, I'd like to see your PROOF that it can't turn off another.