For the record I don't think the designers of the switch or Boeing are idiots. The switches have guard notches and the throttle quad has metal guard edges to help prevent accidental activation.
As far as we know this is the first accidental dual engine cutoff at low altitude; with just a bit more altitude (not sure of how much exactly) the engine that had restarted and was ramping would have started producing enough thrust to arrest their descent. That makes the margin of "unrecoverable" a lot smaller than you might initially think.
Bottom line is it is worth considering implementing some protection here:
1. It can be done in software without a lot of complexity.
2. The transition to "air mode" is relatively reliable.
3. The failure scenario is the system doesn't provide the protection, but because the failure we protect against is very rare, that is acceptable.
4. It typically fails "safe": allowing shutdown without delay and worst case is a delay in shutdown.
5. The fire handle overrides delay; if things are going so wrong the delay matters, the engine isn't coming back and pulling the fire handle is likely already part of your checklist.
The benefit being elimination of the small window after takeoff where accidental dual engine shutdown is unrecoverable.
Obviously before implementing something like this the proper engineering and failure analysis has to be done.