How Software Can Make an Airplane Crash

NEWS ANALYSIS: As is the case where software controls hardware, there are ways things can go wrong either because something happened that wasn’t anticipated, or because the response was wrong.

Boeing737Max8

[Editor's note: This story was updated March 13, 2019 at 14:38 to add the latest news about grounding of the Boeing 737 Max aircraft by the FAA in the U.S. Here is the text of the FAA order.]

The loss of an Ethiopian Airlines Boeing 737 Max-8 aircraft on March 10, coming as it happens less than five months after the loss of another Max-8 from Indonesia’s Lion Air, is raising questions about how a software glitch can cause an airplane to crash, and it’s led to the subsequent grounding of all 737 Max aircraft worldwide. The answers are complex, and they hold lessons for other mechanical systems that are controlled by software--which are a lot of them.

Before we start talking about airplanes, it’s important to remember that software control of mechanical systems is ubiquitous. Not only is the car you drive likely to be software controlled, but so is your company’s production machinery, your security systems and your HVAC. Most modern airliners and some private aircraft have computer-controlled flight systems. Even many ships are sea are operated by such systems.

These control systems are critically important for the operation of the devices they operate. In many cases some systems, such as in manufacturing, simply couldn’t operate without it. In others, such as vehicle safety system, the cars would be harder to drive and less safe. In the case of aviation, computer control makes the aircraft much easier to control and usually more efficient. In the case of some aircraft, including the Air Force’s F-16 made by General Dynamics and the Northrup Grumman B-2 bomber, the planes are not even flyable without computer control.

What 'Fly-by-Wire' Means

This brings us to airliners. Most modern airliners use a concept known as “fly-by-wire,” in which the pilot’s inputs go to a computer, and the computer actually flies the airplane by sending instructions to actuators, which then move the control surfaces--including the ailerons, elevator, rudder and flaps. The flight-control computers also use input from sensors to confirm that the pilot is flying safely.

For example, the fly-by-wire system on an airliner will be aware of the aircraft’s speed through the air, the thrust produced by its engines, the angle of attack (which is the angle that the wings are meeting the oncoming air) and even the aircraft loading, along with a number of other factors. So if the pilot tries to do something unwise, such as pulling the nose of the airplane up to gain altitude without increasing power and / or lift, the airplane will either provide a warning, or it will simply refuse to do it. With some fly-by-wire systems, the airplane may take action on its own to counteract a perceived danger.

Exactly how these actions are taken depend on how the software that operates the aircraft is programmed, including how much authority it’s given to control the airplane. Some aircraft makers give ultimate control to the pilot, while others give it to the computer. In addition, in some airplanes the flight-control computers take care of everything; in some it’s only partial, and in some the fly-by-wire only controls a few things--and a computer may not be a major component.

The Airbus A320 series of airliners uses a full fly-by-wire control system. The pilot moves a joystick located to the side of the control position, which sends the commands to the flight computer, which then flies the airplane. Current Airbus aircraft are quite safe and the control systems are evolved since an early failure in 1988 caused a crash during an airshow. In that case, the pilot did not have the authority he needed to prevent the crash.

Boeing's Approach to Ultimate Control

By contrast, Boeing designs its planes so that the pilot retains ultimate authority, and while the flight-control systems will provide warnings, such as by shaking the control yoke shortly before a stall, the pilot can override those warnings. Boeing airliners use a control yoke that harkens back to the days when flight controls were fully mechanical or hydraulic, and you needed to be able to pull pretty hard for some maneuvers.

However, not all systems in the Boeing 737 Max series are designed for pilot override. The airplane’s flaps, for example, use a new fly-by-wire system that controls them automatically for most stages of a flight. Another fly-by-wire system is the MCAS (Maneuvering Characteristics Augmentation System), which adjusts the position of the aircraft’s horizontal stabilizer to prevent a stall. A stall happens when the aircraft’s angle of attack is such that the wings lose lift.

The way to prevent a stall when you’re flying is to lower the angle of attack by lowering the nose of the airplane, which you do by pushing forward on the stick or yoke that you’re using to control the aircraft. On the 737 Max aircraft, the MCAS does this automatically if it detects a stall and when other characteristics indicate a stall is imminent.

The MCAS is a safety system that’s designed to prevent stalling accidents. The reason it’s on the 737 Max is because Boeing changed the location of the engines under the wings, and that in turn changed the characteristics of the airplane when power was added in a way that could make a stall more likely. The MCAS would do this by checking the flap position and the angle of attack first, and if the angle of attack was too high, and the flaps weren’t in the right position, it would force the nose down.

Software Can Push Back at the Pilot

Normally, a pilot sensing that the nose was being forced down, would pull back on the yoke, but with the new MCAS, the airplane simply pushed back harder. Eventually the pilot would lose the battle, and if the MCAS still thought the airplane was about to stall, then a crash was inevitable. This is what happened in October 2018 with the Lion Air crash, because a faulty sensor told the MCAS the airplane was stalling.

The pilot can prevent this by toggling a pair of switches at the right rear of the throttle console, thus turning the MCAS off. But pilots have reported not being told of this, and apparently not having had any training in that action.

As I’m writing this, we don’t know if the same thing happened to the Ethiopian Airlines Max-8 because the various authorities haven’t completed reading the flight data and flight voice recorders. However, subsequent readings of refined satellite data of the two planes showed enough similarities for Boeing to recommend to the Federal Aviation Administration that the 737 Max aircraft be temporarily grounded, in as Boeing said, “an abundance of caution.”

Meanwhile, a number of entries in an FAA database turned up reports by pilots that they were having control problems related to the MCAS in the 737 Max series of aircraft. Those reports are submitted anonymously by pilots to the FAA in a variety of ways, and the database exists to reveal safety issues that might not otherwise be noticed, which is the case here. This added to the evidence that the FAA needed to order the grounding.

Other Things Can Cause Systems to Fail

What’s important here is to remember that there may be circumstances in which your automated systems go awry. This can happen with faulty sensors, a computer glitch, programming error or human intervention. While it’s impossible to account for every possibility, it might be a good idea to design in redundancy and to design in a means of overriding the actions of the control systems if they’re not reacting properly for whatever reason.

And it doesn’t even need to be computer related. Air Force drones have crashed because of loose wires. It also can strike closer to home. I was flying along the lower Potomac River one gorgeous, sunny afternoon, when I struck severe clear-air turbulence that knocked out my aircraft’s electrical system. I lost my radios, navigation and even my flaps, and had I depended on an automated system (or even GPS) to get me home, I’d have found a watery end to my flight.

But I know how to fly, I knew the area, and I flew the old-fashioned way with a compass to reach my home airport in Manassas, Virginia. With no flaps, I landed pretty hot, but I had 8000 feet of runway ahead, so a manual approach worked just fine. Sometimes, you need a manual fallback, and in addition, you need training in how to use it. Training is what was missing with the first Max-8 loss, as well as a poorly written manual that did not make it clear how to disable the MCAS or why it should be done, along with what could be ill-chosen authority settings in the software.

Meanwhile, the crucial information on the flight recorders remains unread while Ethiopian Airlines executives ponder their disposition.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...