Boeing 737 crash is first mass killing by software?

The Lion Air 610 mystery/tragedy seems to be mostly solved. The Boeing 737 MAX 8 airplane, which uses a de Havilland Comet (1949; also BBC)-style hydro-mechanical flight control system, has a touch of intelligent software layered on top. This NYT article and an Emergency Airworthiness Directive #2018-23-51 explain how the airplane will trim itself into a crazy nose-down attitude in the event of a single angle-of-attack (AOA) sensor going bad.

“At Doomed Flight’s Helm, Pilots May Have Been Overwhelmed in Seconds” (nytimes) explains 

[disabling the system] would not have been a simple matter of pushing a button. Instead, pilots said, Captain Suneja could have braced his feet on the dashboard and yanked the yoke, or control wheel, back with all his strength. Or he could have undertaken a four-step process to shut off power to electric motors in the aircraft’s tail that were wrongly causing the plane’s nose to pitch downward.

Can we consider this the first mass killing by software?

[Background: an airplane wing will suffer an aerodynamic stall, in which the airflow over the top of the wing is no longer smooth, and lose Bernoulli effect lift, if the angle between the relative wind and the wing is too large. This is what limits an airplane’s ability to hover. To generate sufficient lift, the wing has to be within about 12 degrees of level and the wing needs to keep moving. It isn’t possible to fly super slowly at a 45-degree nose-up angle and still have enough lift to remain at the same altitude. The helicopter works by spinning a conventional airfoil so that, even if the fuselage isn’t moving, the wing is still moving rapidly and generating lift.]

What are some alternatives to Boeing’s design, you might ask? The Airbus philosophy, as embodied in the A320 and subsequent airliners, is to turn everything over to the computer(s). Despite holding the stick all the way back, Captain Sully was not able to stall the A320 that landed in the Hudson River. If the fancy computers on an Airbus aren’t getting what they think is good or consistent data from the various sensors, they hand over the machine to the pilot who can look out the window or at the attitude indicators in the cockpit and do something sensible (or panic like a student pilot, as with Air France 447).

Stepping down the food chain, we have the Pilatus PC-12, a Swiss-designed 11-seat turboprop. The plane starts out with a standard light aircraft flight control system. The pilots’ yokes are connected directly to control surfaces via pushrods and cables. On top of this Pilatus has layered a stick shaker to warn pilots that the airplane is nearing a stall and a stick pusher that yanks the yoke forward. The airplane has a great safety record despite being operated into some challenging short runways and being flown, in some cases, by inexperienced pilots.

Instead of Boeing’s single AOA sensor and software to run the trim, the PC-12 has two AOA sensors and two computers. If both sides agree that it is time to go nose-down, then and only then will the stick pusher be engaged. If somehow both sensors and both computers are defective and push inappropriately, a “pusher interrupt” button is always right there on each yoke. From the AFM (“owner’s manual”):

A friend who is a Silicon Valley engineer texted me incredulously “Wouldn’t they do fusion from zillions of sensors?” My response on the FAA certification process:

It is like ISO 9000. Boeing had binders of paperwork and bureaucratic approval for their design, but the design itself may never be scrutinized.

Almost certainly if the B737 had the same system design as the PC-12 all 189 folks aboard Lion Air 610 would have arrived safely at their destination. The worst that would have happened is the pilots being briefly annoyed by a shaking stick and having to hit a checklist.

I’m not sure if this crash can fairly be attributed to a software problem, since the software presumably did function as designed. It seems that we can attribute the crash to a poor system design, but ultimately the plane was crashed into the water by software.

Related:

  • Wikipedia has a good article on the various aircraft flight control system alternatives

10 thoughts on “Boeing 737 crash is first mass killing by software?

  1. Thank you! A few questions:

    1. Are you sure Boeing has only one AOA sensor and only one computer?

    2. I could not find anything about putting feet on the dashboard or about 4 step process of turning off the motors in Emergency Airworthiness Directive. Could you decrypt it for us please?

  2. Alexey: Airliners usually have at least two of everything, so probably there are AOA sensors on both sides. But it sounds as though the software responds with heavy trim even if just one of the AOA sensors reports getting close to a stalling angle of attack. In that case I guess we could call it a software failure.

    If an airplane is crazily out of trim it will require heroic forces on the yoke or stick to overcome either the aerodynamic loads (smaller planes in which the control surfaces are directly connected) or the artificial feel forces (big planes in which the controls are powered by hydraulics). That’s the “feet on the dashboard” part.

    I’m not typed in the 737 MAX 8 so I can’t authoritatively interpret the Emergency AD. However, it sounds as though pilots need to (a) re-trim manually, and (b) then find the “STAB TRIM CUTOUT” switches so that the automatic system can’t undo what they just did. (“STAB” is short for “horizontal stabilizer”) Unlike in the PC-12, though, it seems that these cutout switches are not right on the yoke. The pilots wouldn’t get anywhere near them in day to day flying so finding them in an early morning emergency wouldn’t be natural or necessarily easy (it is a lot easier to write down “do X, Y, and Z when it is 6:30 am and your plane is trying to crash itself”).

  3. As AF447 shows, it’s sort of damned if you do, damned if you don’t – the reason we have automated systems like stick/yoke pushers in the 1st place is to stop the human pilots from doing really dumb things. Stick pushers probably save a lot more people than they kill.

    Fundamentally there was only a slight difference between the Pilatus and the Boeing . In both cases you have a pusher system that has the ability to do automatic trim if the computer thinks (rightly or wrongly) that you are about to stall and in both cases the pilot can override an erroneous automatic trim, firstly by overcoming the force of the pusher system and then by pushing a button. The only difference seems to be that the Boeing button is less conveniently located.

    Lion is a 3rd rate airline with lousy mechanics and lousy pilots. The AOA sensor on this plane had been flaky for several previous flights and they just kept flying. The pilot KNEW that the sensor was flaky (in was in the logs) and he still decided to fly. Then when the pusher system kicked in the guy did not react fast enough to save his life and that of his passengers. Given the known flaky sensor he should have been primed for this and ready to intervene instantly. The amount of force required to overcome the pusher is not beyond what can be mustered by an ordinary human, feet on the dash or not (I think you can get the co-pilot to join in also). You’ve got that nice big Boeing yoke to grab onto with both hands. Even if the pilots have not been hitting the gym they can yank with 90 lbs. force as if their life depended on it (because it did).

    Fundamentally this is pilot error. The reason the pilot is there in the 1st place and we don’t just let the computer fly the plane 100% of the time is precisely for such situations – it’s for these events that the pilot is supposed to earn his keep and these guys didn’t.

  4. Jack: Have you seen https://www.seattletimes.com/business/boeing-aerospace/u-s-pilots-flying-737-max-werent-told-about-new-automatic-systems-change-linked-to-lion-air-crash/ ?

    Early Saturday morning, Capt. Mike Michaelis, chairman of the safety committee of the Allied Pilots Association (APA) at American Airlines, sent out a message to pilots informing them of details Boeing had shared with the airline about this new 737 MAX system — called MCAS (Maneuvering Characteristics Augmentation System).

    “This is the first description you, as 737 pilots, have seen,” the message from the pilots association at American reads. “It is not in the American Airlines 737 Flight Manual … nor is there a description in the Boeing FCOM (Flight Crew Operations Manual). It will be soon.”

    “We had NO idea that this MCAS even existed. It was not mentioned in our manuals anywhere (until today). Everyone on the 737 had to go through differences training for the MAX and it was never mentioned there either,” the anonymous pilot posted. “I’ve been flying the MAX-8 a couple times per month for almost a year now, and I’m sitting here thinking, what the hell else don’t I know about this thing?”

  5. No I hadn’t and that is certainly a failure if it is true (a human failure on the part of Boeing). The MAX-8 is clearly a different (more modern) plane with new systems on board and pilots should have been trained on all of the new features, especially one like this that has such a radical effect on the plane’s behavior.

    BUT, in the event of sudden pitch down (regardless of whether it is caused by MCAS or something else) the pilot should have instinctively fought to pull the nose up and it doesn’t seem that he did. It seems like he just flew the plane into the ocean.

  6. BTW, this was not just a sudden event that the pilots had no warning of. According to your linked article, “Tracking data indicate that the Lion Air jet pitched up and down like a roller coaster during the 12-minute flight before the pilots apparently lost control and nose-dived into the Java Sea.”

    So the guys had 12 minutes in which to try to figure something out – call for advice, run checklists, look for the right button, climb higher so that they had more room to play with. I understand that if you are at low altitude and going 400 mph and the plane does something funky then the terrain comes up on you awfully damn fast with no 2nd chances but these guys had a full 12 minutes to figure something out.

    It sounds like they were trying to make it back to a runway and were descending without having really grasped what was going on when they should have put themselves up a high altitude until they had a better grasp on what was causing the plane to roller coaster.

    • There were at 5000ft, which is what the manual recommends, also no point in running checklists considering that Boeing neglected to included this system in the manuals and therefore it would not be in the checklist. The pilots had no idea the system was there or they would have turned it off.

  7. From today’s NYTimes:

    1. Plane had problems in previous flights with AOA sensor – Lion let it keep flying.

    2. On previous flight, same thing happened but the other pilot figured out how to turn off the automatic trim.

    Boeing apparently oversold the “your 737 pilots won’t need any expensive retraining” angle on the MAX in competition with the A320neo (which is not very neo so the pilots REALLY don’t need retraining) for marketing reasons, which is a really bad reason for killing almost 200 people.

    And pilots shouldn’t have to play a guessing game – when something like this happens they should have been trained on it beforehand and have a checklist to run so that even a below average pilot can deal with the anomaly.

    But, a better pilot should have been (we know in fact was) able to find the “turn off auto trim” button over the course of 12 minutes.

    • Jack, can you please post where you discovered ‘On previous flight, same thing happened but the other pilot figured out how to turn off the automatic trim’? A friend of mine lost 12 colleagues on that flight.

Comments are closed.