Analysis and Prevention of MCAS-Induced Crashes

IF 2.7 3区计算机科学 Q2 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems Pub Date : 2024-11-06 DOI:10.1109/TCAD.2024.3438105

Noah T. Curran;Thomas W. Kennings;Kang G. Shin

{"title":"Analysis and Prevention of MCAS-Induced Crashes","authors":"Noah T. Curran;Thomas W. Kennings;Kang G. Shin","doi":"10.1109/TCAD.2024.3438105","DOIUrl":null,"url":null,"abstract":"Semi-autonomous (SA) systems face the C\n<sc>hallenge</small>\n of determining which source to prioritize for control, whether it is from the human operator or the autonomous controller, especially when they conflict with each other. While one may design an SA system to default to accepting control from one or the other, such design choices can have catastrophic consequences in safety-critical settings. For instance, the sensors an autonomous controller relies upon may provide incorrect information about the environment due to tampering or natural fault. On the other hand, the human operator may also provide erroneous input. To better understand the consequences and resolution of this safety-critical design choice, we investigate a specific application of an SA system that failed due to a static assignment of control authority: the well-publicized Boeing 737-MAX maneuvering characteristics augmentation system (MCAS) that caused the crashes of Lion Air Flight 610 and Ethiopian Airlines Flight 302. First, using a representative simulation, we analyze and demonstrate the ease by which the original MCAS design could fail. Our analysis reveals the most robust public analysis of aircraft recoverability under MCAS faults, offering bounds for those scenarios beyond the original crashes. We also analyze Boeing’s updated MCAS and show how it falls short of its intended goals and continues to rely upon on a fault-prone static assignment of control priority. Using these insights, we present SA-MCAS, a new MCAS that both meets the intended goals of MCAS and avoids the failure cases that plague both MCAS designs. We demonstrate SA-MCAS’s ability to make safer and timely control decisions of the aircraft, even when the human and autonomous operators provide conflicting control inputs.","PeriodicalId":13251,"journal":{"name":"IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems","volume":"43 11","pages":"3382-3394"},"PeriodicalIF":2.7000,"publicationDate":"2024-11-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10745869/","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}

引用次数: 0

Abstract

Semi-autonomous (SA) systems face the C hallenge of determining which source to prioritize for control, whether it is from the human operator or the autonomous controller, especially when they conflict with each other. While one may design an SA system to default to accepting control from one or the other, such design choices can have catastrophic consequences in safety-critical settings. For instance, the sensors an autonomous controller relies upon may provide incorrect information about the environment due to tampering or natural fault. On the other hand, the human operator may also provide erroneous input. To better understand the consequences and resolution of this safety-critical design choice, we investigate a specific application of an SA system that failed due to a static assignment of control authority: the well-publicized Boeing 737-MAX maneuvering characteristics augmentation system (MCAS) that caused the crashes of Lion Air Flight 610 and Ethiopian Airlines Flight 302. First, using a representative simulation, we analyze and demonstrate the ease by which the original MCAS design could fail. Our analysis reveals the most robust public analysis of aircraft recoverability under MCAS faults, offering bounds for those scenarios beyond the original crashes. We also analyze Boeing’s updated MCAS and show how it falls short of its intended goals and continues to rely upon on a fault-prone static assignment of control priority. Using these insights, we present SA-MCAS, a new MCAS that both meets the intended goals of MCAS and avoids the failure cases that plague both MCAS designs. We demonstrate SA-MCAS’s ability to make safer and timely control decisions of the aircraft, even when the human and autonomous operators provide conflicting control inputs.

查看原文本刊更多论文

分析和预防 MCAS 引发的碰撞事故

半自主（SA）系统面临的挑战是如何确定优先从人类操作员还是自主控制器获取控制权，尤其是当两者相互冲突时。虽然人们在设计半自主系统时可能会默认接受其中一个来源的控制，但这种设计选择可能会在安全关键环境中造成灾难性后果。例如，自主控制器所依赖的传感器可能会因篡改或自然故障而提供错误的环境信息。另一方面，人类操作员也可能提供错误的输入。为了更好地理解这种对安全至关重要的设计选择的后果和解决方法，我们研究了一个因静态分配控制权而失败的 SA 系统的具体应用：广为人知的波音 737-MAX 操纵特性增强系统 (MCAS)，它导致了狮航 610 号航班和埃塞俄比亚航空 302 号航班的坠毁。首先，我们使用具有代表性的模拟，分析并展示了 MCAS 原始设计失效的可能性。我们的分析揭示了在 MCAS 故障情况下飞机可恢复性的最可靠公开分析，为最初坠机以外的情况提供了界限。我们还分析了波音公司更新后的 MCAS，并展示了它是如何达不到预期目标，并继续依赖于容易出错的控制优先级静态分配的。利用这些见解，我们提出了 SA-MCAS，一种新的 MCAS，它既能实现 MCAS 的预期目标，又能避免困扰这两种 MCAS 设计的故障情况。我们展示了 SA-MCAS 的能力，即使在人类和自主操作员提供相互冲突的控制输入时，它也能对飞机做出更安全、更及时的控制决策。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 工程技术-工程：电子与电气

CiteScore

5.60

自引率

13.80%

发文量

500

审稿时长

7 months

期刊介绍： The purpose of this Transactions is to publish papers of interest to individuals in the area of computer-aided design of integrated circuits and systems composed of analog, digital, mixed-signal, optical, or microwave components. The aids include methods, models, algorithms, and man-machine interfaces for system-level, physical and logical design including: planning, synthesis, partitioning, modeling, simulation, layout, verification, testing, hardware-software co-design and documentation of integrated circuit and system designs of all complexities. Design tools and techniques for evaluating and designing integrated circuits and systems for metrics such as performance, power, reliability, testability, and security are a focus.