A big challenge is handling a shutdown that occurs while in the middle of an existing i2c transfer. Two big risks in that case: 1 - the i2c command to turn off pins may fail and lead to an infinite shutdown loop (thus not actually turning off heaters), or 2 - the shutdown i2c commands aren’t sent in that case (thus some pins not actually turned off during shutdown). It’s also very difficult to effectively test for these types of “race conditions”, so hard to have confidence that they are handled correctly.
-Kevin