by weaksauce 2699 days ago
it's a great fail safe but not if you lose your engines in flight and can't relight them like in the article.
3 comments

> it's a great fail safe but not if you lose your engines in flight and can't relight them like in the article.

It is still better to lose all engines than to have thruster reversers deploy in unsafe situations. You may stall without an engine at low altitude in a landing configuration, but you should still be able to glide for some time. Deploy reversers (or even a single reverser) and you fall like a brick very quickly.

https://aviation-safety.net/database/record.php?id=19961031-...

This existing system wouldn't likely cause loss of all engines unless the PIC commanded all engines TR in-flight. Also, it doesn't make sense that such a system would go out untested because such a system should try to command engines to idle before cutting fuel to what it thinks are runaway engines. Finally, it's still unknown if it's a Boeing software issue or a RR T1K issue... the OP article is purely speculative and guesswork "news" is not how aircraft safety is handled.
A single engine on reverse is enough to mess up the flight violently enough that it'll break apart before hitting the ground (see the Lauda Air case).
I think there are a few options for a failsafe here.

none where it would deploy the reverse thrusters and probably crash regardless of other inputs to the system (could be one or more of many inputs: wheel speed, slats deployed, airspeed, elevation, throttle position, etc.)

turning off the engine (presumably you want this because you are on the ground but your ground sensor is failing so you want to cut engine and apply brakes which is less preferable than the reverse thrusters but manageable normally.)

ignoring the input altogether.

not a failsafe at all and an unexpected failure mode of the system (I think this is probably the case since they couldn't relight the engine on the ground)

The point I was making is that if you have the failsafe turn off the engines under normal operating procedures it should be able to relight when in flight, and it's not good if a software glitch turns your heavy into a glider without possibility to relight. (I am not a pilot but it's my understanding that you still have the turbines spinning and all you need to do is give it some fuel and fire up both ignition plugs. Might need to use the compressor to spin them up to full speed but I doubt it.)

Have mechanical latches on reverse cowls that will be operated separately from the code that deploys reverse. Landing without reverse is better than falling like a brick.
Having altitude and being able to glide in is a hell of a lot better than one of your engines reversing and throwing your plane into an irrecoverable spin.
I agree, and that's not what I meant; I replied in another comment.
Cutting power to all engines in response to an event that is most likely to happen while the aircraft is operating close to, but not actually on, the ground is not failing safe.
I am not sure there is a perfect solution here. You have competing issues that you need to resolve.

If it gets pulled in normal flight you would lose both engines but that's fine because you can glide and restart the engines. If the altitude sensor/ground sensor was broken and you want to override the reverse thrusters you have a conflicting goal there.

If you accidentally pull it during the approach you lose your engines and probably don't have time to relight before landing. In that case you might be able to still land by backup systems (FAU or just the ancillary tail turbine?) and glide?

I guess it boils down to how much trust you place in the pilots to not do the wrong thing or how much trust you place in the machine to not do the wrong thing/malfunction. It's a difficult question without a perfect solution imo.

Well, I thought that the design was that they would not engage if it gets pulled in normal flight.

If it's on the approach, I'd be worried. I imagine that, at an airport like ORD, that might result in more risk than anyone really wants of the plane unexpectedly touching down on an interstate highway or something like that.

If it's like what Boeing described in the bulletin, where the engines only get shut down after the wheels are on the ground, that's maybe not super worrisome, but I can still see some room for concern. My reconsidered but still totally uninformed reading on the situation is that it takes some time for all the aircraft's systems to get the memo on whether the plane is on the ground, and that what's really going on here is that the order in which they get the memo isn't quite right. So the question of whether or not to allow a Lauda Air type situation isn't really at play here, but perhaps a related glitch to the one that caused this event could interfere with something like aborting a landing at the last minute.

With most types loss of engines on approach is FAR less dangerous than engaging your reversers in flight.
If the thrust reversers are deployed in flight, you're going to crash, even if near the ground. The airplane would be uncontrollable.

If the engines quit, you still have control.

Interestingly, some airplane types allow the use of thrust-reversal in flight, notably some fighter jets. It's apparently used when you do need to sink quickly.