Analysis and Prevention of MCAS-Induced Crashes
Noah T. Curran, Thomas W. Kennings, Kang G. Shin
TL;DR
This paper investigates the safety-critical problem of control conflicts in semi-autonomous systems by analyzing the Boeing 737-MAX MCAS designs and their failure modes. It introduces SA-MCAS, a dynamic arbiter combining a SADS-based cross-check with multi-layer consistency checks to decide which actor controls pitch, and validates it through a MATLAB/Simulink/JSBSim toolkit with sensor-error injections and pilot behavior models. The results show that SA-MCAS improves recoverability under both sensor faults and dangerous pilot actions, addressing the single-point-of-failure risk of MCAS_old and the residual risks of MCAS_new, with implications for flight safety and broader autonomous-system contexts. The work suggests integrating SA-MCAS-like arbitration into safety-critical SA systems to enhance reliability, trust, and safety in the presence of erroneous inputs from either human or autonomous controllers.
Abstract
Semi-autonomous (SA) systems face the challenge of determining which source to prioritize for control, whether it comes from the human operator or the autonomous controller, especially when the two conflict. While one may design an SA system to default to accepting control from one or the other, such design choices can have catastrophic consequences in safety-critical settings. For instance, the sensors an autonomous controller relies upon may provide incorrect information about the environment due to tampering or a natural fault. On the other hand, the human operator may also provide erroneous input. To better understand the consequences and resolution of this safety-critical design choice, we investigate a specific application of an SA system that failed due to a static assignment of control authority: the well-publicized Boeing 737-MAX Maneuvering Characteristics Augmentation System (MCAS) that caused the crashes of Lion Air Flight 610 and Ethiopian Airlines Flight 302. First, using a representative simulation, we analyze and demonstrate the ease with which the original MCAS design could fail. Our analysis constitutes the most robust public analysis of aircraft recoverability under MCAS faults, offering bounds for scenarios beyond the original crashes. We also analyze Boeing's updated MCAS and show how it falls short of its intended goals and continues to rely upon a fault-prone static assignment of control priority. Using these insights, we present Semi-Autonomous MCAS (SA-MCAS), a new MCAS that both meets the intended goals of MCAS and avoids the failure cases that plague both MCAS designs. We demonstrate SA-MCAS's ability to make safer and timely control decisions for the aircraft, even when the human and autonomous operators provide conflicting control inputs.
