The Boeing accident was unusual. Where was the fatal bug?

I. Starting from the EgyptAir crash

Xiaobai: The EgyptAir crashed. What happened?

Dadong: On the morning of March 10, local time, Ethiopian Airlines flight ET302 carrying 149 passengers and 8 crew members crashed on its way from Addis Ababa to Nairobi. Ethiopian Airlines said that the passengers came from 33 countries, there were no survivors in the accident, and 8 of the victims were Chinese.

The crash site near Bishoftu, Addis Ababa, Ethiopia

Xiaobai: How could this happen? Isn't Ethiopian Airlines one of the most highly praised airlines in Africa, with an excellent safety record and the latest aircraft models on the continent?

Dadong: The aircraft involved this time is a Boeing 737MAX8, a new aircraft that was delivered just a few months ago.

Xiaobai: Boeing 737MAX8? If I remember correctly, this is the same model as the one involved in the Lion Air crash in Indonesia on October 29 last year.

Dadong: Yes, it was the same model, and the crashes occurred just a few minutes after takeoff.

Xiaobai: It’s so scary. I’ve seen too many news reports about plane crashes recently. Now I don’t dare to take a plane anymore. The shadow in my heart is so huge.

II. The whole story of the big talk

Xiaobai: The aircraft involved in the two accidents were both Boeing 737MAX models. This can't be a coincidence. The safety issues of this model should be taken seriously by people.

Dadong: Some analysts believe that the Boeing 737MAX is equipped with an automatic anti-stall system, namely the "Maneuvering Characteristics Augmentation System", which is the cause of the accident. The higher the nose of the aircraft is during flight, the greater the angle of attack (the angle between the airflow and the chord line of the wing). When the angle of attack exceeds a certain range, the aircraft faces the risk of stalling. Once the automatic anti-stall system equipped with the MAX 8 determines that the aircraft is stalled, it can take over the control of the aircraft without the intervention of the pilot and make the aircraft fly with its head down to correct the stall.

Lion Air JT610 crash

Xiaobai: Doesn’t this look like a great system?

Dadong: Boeing's concept of stall protection for aircraft is relatively comprehensive. On the one hand, the processor in the aircraft stall protection system can be connected to the aircraft flight control computer to automatically control and protect the aircraft when it stalls. On the other hand, it also allows pilots to intervene manually and drive manually. However, in fact, there may be loopholes in these two links.

Xiaobai: What?

Dadong: Although the pilot can intervene by manually inputting commands when the aircraft's stall protection system is controlling the aircraft to descend, the incident happened too suddenly and there was a lack of prior specialized training and warnings. It is difficult for the pilot, who is confused about the situation, to complete the correct operations to eliminate the risk in a timely manner. The uninformed ground management agency is also unable to provide correct guidance or disposal suggestions.

Xiaobai: Raise your hand and ask a question. When the stall protection system triggers and controls the aircraft to dive down, the pilot has been manually intervening. At this time, what choice will the stall protection system make? Is the pilot's input command prioritized? Or is the stall protection system's control software program prioritized? Or are they both prioritized?

Dadong: That’s a good question. Even in manual flight mode, the anti-stall system on the Boeing 737MAX may cause the aircraft to drop sharply for up to 10 seconds. During this period, the pilot has difficulty controlling the aircraft. Even if the pilot manually pulls up the nose of the aircraft, the nose will automatically repeat the descent process after 5 seconds.

Xiaobai: Why did it automatically go down again?

Dadong: This shows that when the crashed plane was diving, even in the pilot's manual flight mode, the plane's anti-stall system was still activated. When the accident occurred, the pilot should not have had full control of the plane.

Xiaobai: Then why does the stall protection system insist on mistakenly believing that the aircraft is in a "stall" state? Why does the stall protection system ignore the pilot's manual operation instructions?

Dadong: There are three angle of attack sensors on the crashed plane. The control program design of Boeing's automatic stall protection system is very strange. Its logic is that as long as the main sensor thinks that the aircraft's angle of attack is too high (the nose is raised too high) and the aircraft is in danger of stalling, the automatic protection system can be activated.

Xiaobai: If only the main sensor fails, won’t it cause the entire system to fail?

III. Fatal software design flaws

Xiaobai: So many innocent lives have been lost due to design flaws in the aircraft system, and countless families are in grief.

Dadong: Do you still remember the news about the disappearance of the Air France plane on June 1, 2009?

Xiaobai: It was ten years ago, I really don’t remember this, please give me some advice.

Dadong: Because the Pitot tube that measures the aircraft's airspeed was frozen, there was no airspeed reading and the autopilot system was immediately shut down.

Xiaobai: Then the pilot needs to operate it.

Dadong: The two pilots were very panicked at the time, their coordination failed, and they did not hear the stall warning issued by the aircraft. One piloted the aircraft to ascend, while the other piloted the aircraft to descend. The aircraft system did not make automatic corrections, which ultimately led to the tragedy.

The situation when salvaging the black box of the crashed Air France plane

Xiaobai: Why doesn’t the aircraft system fight for control of the aircraft this time?

Dadong: On January 1, 2002, a cargo plane and a Russian plane were on a collision course in German airspace, but the ground control personnel did not notice this. In the air, the two planes were less than a minute apart, and the TCAS air collision avoidance system on the plane issued a warning. The TCAS system of the cargo plane instructed the pilot to descend, and the TCAS system of the Russian plane instructed the pilot to climb.

Xiaobai: The two air collision avoidance systems issued mutually coordinated instructions, which can avoid the accident.

Dadong: Unfortunately, the ground controller discovered that the two planes were about to collide. He contacted the crew of the Russian plane and gave the opposite instruction to the pilot to descend, without knowing that the anti-collision system had issued a climb instruction. The Russian pilot finally obeyed the air traffic control instruction and began to descend.

Xiaobai: If I had trusted the TCAS system instead of the controller, nothing would have happened.

Dadong: After this incident, pilots around the world must give priority to following the instructions of the air collision avoidance system rather than the instructions issued by air traffic control.

Xiaobai: The current safety issues are caused by design flaws in the software logic itself, which is a passive safety issue. If a hacker invades the aircraft control system, any link may cause a major accident.

Dadong: What you said reminded me of a recent foreign media report about a bored "cybersecurity expert" on a transoceanic flight who accidentally broke the in-flight entertainment system. He "tirelessly" copied and pasted a long string of characters on the screen, including words like "fdkfdkfdkfdkfdhhhhhhhhh". Soon after, the app got stuck.

In-flight entertainment system on airplanes

Xiaobai: I was so scared when I heard this. What if the entertainment system is abused like this and affects the normal flight?

Dadong: Fortunately, this wave of operations did not cause any damage, but industry experts said that research is indeed a good way to promote security upgrades, but there is a boundary between research behavior and hacking behavior, that is, knowing the potential consequences of one's actions but not stopping in time.

Xiaobai: Even if you really want to test whether the in-flight entertainment system has any loopholes, you should at least wait until there is no one on the plane.

IV. Safety Information Warning and Inspiration Suggestions

Xiaobai: The incident has happened, and we must learn to draw lessons from it. Do we have any preventive measures for this incident?

Dadong: For pilots, if a similar accident happens again, it may not be enough for the crew to deal with the "angle of attack data error" simply according to the operating manual. The pilots may need to immediately turn off the automatic stall protection system to gain full control of the aircraft.

Xiaobai: Pilots should be given more training so that they are prepared to deal with such risks.

Dadong: In addition, Boeing may address design flaws in sensor safety margin and data authenticity verification, as well as priority of pilots' manually input commands, when updating the automatic stall protection system on its 737 MAX.

Xiaobai: This is indeed very important.

Dadong: Civil aircraft manufacturers should take this as a warning and pay attention to the design of automatic control and automatic stall protection systems to avoid safety hazards and logical loopholes in software design.

Xiaobai: But judging from these incidents, it is very confusing as to when pilots should trust the software and when they should take control of the aircraft themselves. The consequences of being careless can be disastrous.

Dadong: That's right. So the biggest taboo when designing software is failing to consider abnormal modes or failure modes thoroughly and adequately. Compared with Airbus, Boeing has software defects in the control program design of the stall protection system.

Xiaobai: Software design flaws are the most fatal!

Dadong: Boeing issued an operating manual announcement: We have discovered a design flaw in the aircraft. We don’t know how to correct it at the moment, but there is no need to ground the aircraft. We have already sent the fault operating manual to the pilots.

Xiaobai: What the hell is this? I don't want to take a 737MAX8 plane anymore. It's too risky.

Dadong: Let me tell you some good news. To ensure flight safety, the Civil Aviation Administration requires domestic airlines to suspend the commercial operation of Boeing 737-8 aircraft before 18:00 on March 11, 2019.

Xiaobai: That’s great. Thumbs up to the Civil Aviation Administration of China.
