Boeing has admitted that the two recent crashes involving its 737 MAX aircraft model were due to a problem with the software running on the aircraft. The problem involves the Maneuvering Characteristics Augmentation System (MCAS), which was introduced to compensate for changes in the design of the newer 737 model compared to earlier versions. Here’s what RT reported:
Boeing CEO Dennis Muilenburg has said “it’s apparent” that the 737 MAX 8’s MCAS maneuvering system contributed to two fatal air accidents. […] “It’s apparent that in both flights the Maneuvering Characteristics Augmentation System, known as MCAS, activated in response to [the] erroneous angle of attack information,” he continued.
The MCAS system reads the 737 MAX’s angle of attack (the angle of the plane’s nose) through a nose-mounted sensor. If the nose drifts too far upward, it manipulates the tail to keep the plane level and avoid a stall. However, investigators and Boeing whistleblowers claim that the sensors can deliver false readings, and the system can overcompensate, throwing the aircraft into a dive.
Muilenburg’s statement comes on the same day Ethiopian investigators determined that Flight 302’s crew “had performed all the procedures, repeatedly, provided by [Boeing], but was not able to control the aircraft.” CNN, claiming to have seen the full report, described how the pilots fought the plane’s MCAS system for the entirety of the six-minute flight, but were unable to pull the plane’s nose up and regain control.
A group of Boeing engineers told the Seattle Times last month that pilots were unaware of how to override the MCAS system, and Boeing has promised to rectify this too by providing “additional educational materials.” In addition, two critical safety features that could have warned pilots of an impending dive were sold as optional extras by the manufacturer. One of these – a warning light – will now be fitted as standard.
This is what happens when you try to cut costs to maximize profits. First of all, why did MCAS rely on just one angle of attack sensor for its operation? This is fucking ridiculous. For such a critical feature, one responsible for keeping the plane in the air, you can’t have it rely on just one sensor for normal operation. What if the sensor gets damaged? At the very least they should have placed 3 of those sensors at different locations on the aircraft and had the software check all of them for a 2 out of 3 consensus (at least) before deciding to do anything (and if there’s no 3 out of 3 consensus, warn the pilots immediately, with the option to manually override or shut down the system).
This reminded me of an incident with SpaceX a few months ago where one of their Falcon 9 boosters experienced a failure in the hydraulic pump responsible for driving the grid fins. During landing the hydraulic pump failed and caused the booster to spin around and land in the sea. Elon Musk said the following about it:
According to Musk, the fix could be to add a backup system to the current grid fin hardware. “Pump is single string. Some landing systems are not redundant, as landing is considered ground safety critical, but not mission critical,” he added. “Given this event, we will likely add a backup pump & lines.”
So ground safety is not critical? The failure of the hydraulic pump could have sent the rocket toward nearby land and brought it down on buildings. I was surprised there was no redundancy built into such an important system from the very beginning. You actually need some failure event to occur before deciding that you need a backup pump? In addition, some time later during a press conference (at 10:35 into the video), NASA Launch Manager Steve Stich, in response to a question from Tim Dodd, said that they didn’t install a backup pump after all, but added a “simple valve fix”. There you have the cheap and easy fix again. Consider that modern airliners have redundancy built into their hydraulic systems:
As the dependency upon hydraulic power increases, the integrity of the hydraulic systems becomes ever more critical to the safety of flight. Based on this hydraulic system criticality, many design features are incorporated to ensure reliability, redundancy and the ability to maintain control of the aircraft in the event of one or more failures. Often two or more hydraulic systems are built into the design of an aircraft.
One would hope that on SpaceX’s upcoming “Starship” rocket, which will have to land with people on board, they’re going to take a different approach.
In the case of the 737 MAX, the documentation was also incomplete and pilots weren’t trained on how to work with MCAS. Moreover, a warning light that’s supposed to warn the pilots of an issue with MCAS was also sold as “an optional extra”. How can such a critical safety feature be an optional extra? Again, Boeing seemed to care more about the money here.
I think it’s time that we start to look at such cases with a very critical eye, because building reliable, redundant and resilient hardware and software systems is going to become increasingly important in the future. For example, we’re going to rely on, and be surrounded by, hardware and software systems built on artificial intelligence (AI), which will depend on various sensors working correctly. Think of self-driving cars and the autopilot features being introduced in newer car models. As we get surrounded more and more by such systems, the chances of something going terribly wrong if we don’t build them correctly will only increase. I hope manufacturers take note of and learn from these mistakes made by Boeing.
Update, April 8, 2019
The 737 MAX actually has two angle of attack sensors mounted on the left and right of the nose (not one as I mentioned above). But for some reason, MCAS was designed to take or require input from only one of those sensors.
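To make the “2 out of 3 consensus, warn on anything less” rule from the post concrete, here is an added example of a redundant-channel voter. It is written for this article and has no relation to Boeing’s code or to how the real MCAS is implemented; the channel count, the 2-degree agreement tolerance and the angle-of-attack values are all constructed assumptions. It also covers the two-sensor situation from the update above: with only two channels a disagreement can be detected, but there is no way to tell which channel is lying, so the only safe output is to inhibit and hand control back to the crew.

```python
"""Majority voter for redundant sensor channels (added example, not Boeing's code).

Assumptions (not from the article): each channel reports an angle of attack in
degrees, or None when it has flagged itself failed; readings within `tolerance`
degrees of each other are treated as agreeing; `required` agreeing channels are
needed before the system may act.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Sequence


class Decision(Enum):
    ACT = "act"          # every channel agrees: the value may drive the control law
    WARN = "warn"        # a majority agrees but a channel dissents or failed: act, alert crew
    INHIBIT = "inhibit"  # no majority: command nothing, alert crew, leave control to pilots


@dataclass
class VoteResult:
    decision: Decision
    value: Optional[float]                       # mean of agreeing channels, None if inhibited
    agreeing: List[int] = field(default_factory=list)
    dissenting: List[int] = field(default_factory=list)


def vote(readings: Sequence[Optional[float]], tolerance: float = 2.0,
         required: int = 2) -> VoteResult:
    """Return the majority reading, if any, together with which channels dissented."""
    if required < 2:
        raise ValueError("a single channel can never be cross-checked; require at least 2")
    live = [i for i, r in enumerate(readings) if r is not None]
    # For each live channel, collect the live channels within tolerance of it;
    # the largest such group is the majority candidate (first wins on ties).
    best: List[int] = []
    for i in live:
        cluster = [j for j in live if abs(readings[i] - readings[j]) <= tolerance]
        if len(cluster) > len(best):
            best = cluster
    if len(best) < required:
        # Two channels that disagree, or three that all differ: there is no honest
        # majority to pick, so the only safe action is to do nothing and warn.
        return VoteResult(Decision.INHIBIT, None, [], list(range(len(readings))))
    dissent = [i for i in range(len(readings)) if i not in best]
    value = sum(readings[i] for i in best) / len(best)
    decision = Decision.ACT if not dissent else Decision.WARN
    return VoteResult(decision, value, best, dissent)


if __name__ == "__main__":
    # Constructed sample frames: angle of attack per channel in degrees, None = channel failed.
    frames = [
        (2.1, 2.3, 2.0),     # normal flight, all three agree
        (2.2, 2.1, 74.6),    # one channel suddenly reads a stall angle: outvoted, crew warned
        (2.0, None, 2.4),    # one channel failed: still a majority, crew warned
        (2.1, 74.9),         # only two channels fitted: disagreement cannot be arbitrated
    ]
    for frame in frames:
        result = vote(frame)
        print(frame, "->", result.decision.value, result.value, "dissenting:", result.dissenting)
```

The design choice worth noting is that a failed channel counts as a dissenter: a two-of-three majority with the third channel dead still lets the system act, but it never does so silently, which is the “warn the pilots immediately” half of the rule.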