Analysis and Prevention of MCAS-Induced Crashes

TL;DR

This paper analyzes the failure modes of the Boeing MCAS system, demonstrating its vulnerabilities, and proposes a new semi-autonomous MCAS design that improves safety by better managing conflicting control inputs.

Contribution

The paper provides a detailed analysis of MCAS failures and introduces SA-MCAS, a novel semi-autonomous control system that enhances safety in conflict scenarios.

Findings

Original MCAS design is vulnerable to faults and failures.

Updated MCAS still relies on static control priorities and remains fault-prone.

SA-MCAS improves safety by making better control decisions during conflicts.

Abstract

Semi-autonomous (SA) systems face the challenge of determining which source to prioritize for control, whether it's from the human operator or the autonomous controller, especially when they conflict with each other. While one may design an SA system to default to accepting control from one or the other, such design choices can have catastrophic consequences in safety-critical settings. For instance, the sensors an autonomous controller relies upon may provide incorrect information about the environment due to tampering or natural fault. On the other hand, the human operator may also provide erroneous input. To better understand the consequences and resolution of this safety-critical design choice, we investigate a specific application of an SA system that failed due to a static assignment of control authority: the well-publicized Boeing 737-MAX Maneuvering Characteristics Augmentation System (MCAS) that caused the crashes of Lion Air Flight 610 and Ethiopian Airlines Flight 302. First, using a representative simulation, we analyze and demonstrate the ease by which the original MCAS design could fail. Our analysis reveals the most robust public analysis of aircraft recoverability under MCAS faults, offering bounds for those scenarios beyond the original crashes. We also analyze Boeing's updated MCAS and show how it falls short of its intended goals and continues to rely upon on a fault-prone static assignment of control priority. Using these insights, we present Semi-Autonomous MCAS (SA-MCAS), a new MCAS that both meets the intended goals of MCAS and avoids the failure cases that plague both MCAS designs. We demonstrate SA-MCAS's ability to make safer and timely control decisions of the aircraft, even when the human and autonomous operators provide conflicting control inputs.