Published Date: 2018-11-08
Postmortem Analysis | |
---|---|
Timeline | 1. The software failure incident involving the Ethiopian Airlines Boeing 737 MAX 8 crash occurred on March 10, 2019 [81911]. 2. The Lion Air Flight 610 crash, which was also related to the Boeing 737 MAX, happened on October 29, 2018 [81911]. |
System | 1. Maneuvering Characteristics Augmentation System (MCAS) - The automated flight software system suspected to have a role in the two deadly crashes involving Boeing 737 MAX jets [Article 82845, Article 81911]. 2. Angle of Attack (AOA) sensors - Sensors that provide information to the MCAS system about the aircraft's angle of attack, which could have led to the activation of the MCAS system [Article 81911]. |
Responsible Organization | 1. The software failure incident was caused by the Maneuvering Characteristics Augmentation System (MCAS) flight-control feature installed in the Boeing 737 MAX planes [81920, 81911]. 2. Boeing was responsible for the software failure incident due to the design and implementation of the MCAS system in the 737 MAX aircraft [81920, 81911]. |
Impacted Organization | 1. Boeing Co - The software failure incident impacted Boeing Co as their Boeing 737 MAX 8 and 9 planes were grounded due to the need for a software upgrade [82932, 81861, 81989, 82019, 81920, 82845]. 2. Airlines worldwide - The grounding of the Boeing 737 MAX planes impacted airlines worldwide as they had to adjust their flight schedules and operations [82845]. 3. Passengers - The grounding of the Boeing 737 MAX planes affected passengers who were scheduled to fly on these aircraft [82845]. 4. Aviation industry - The software failure incident had implications for the aviation industry as a whole, causing concerns and scrutiny regarding the safety of the Boeing 737 MAX planes [81920, 82845]. |
Software Causes | 1. The failure incident was caused by the Maneuvering Characteristics Augmentation System (MCAS) automatically activating before the plane nose-dived into the ground, based on preliminary findings from the Ethiopian Airlines Boeing 737 MAX 8 crash [Article 81911]. 2. The MCAS system, designed to automatically lower the nose of the plane based on information from external angle of attack sensors, was implicated in both the Ethiopian Airlines and Lion Air crashes involving the Boeing 737 MAX planes [Article 81911]. 3. Boeing had been working on a software upgrade for the MCAS system to prevent the plane's nose from rising and causing a stall, with changes including relying on readings from more than one sensor before activation and making the system's actions less severe and easier for pilots to handle [Article 82845]. |
Non-software Causes | 1. The preliminary findings suggest that a flight-control feature automatically activated before the plane nose-dived into the ground, based on data retrieved from Flight 302’s black boxes [81911]. 2. The MCAS system, which automatically lowers the nose of the plane based on information from external sensors, may have been to blame in both the Ethiopian Airlines and Lion Air crashes [81911]. 3. The MCAS system in the Lion Air crash forced the plane’s nose down more than 24 times before it crashed into the sea, responding to a faulty sensor [81911]. 4. Pilots transitioning to the Boeing 737 Max 8 aircraft from older models were required to undertake a short computer-based training program that did not adequately explain the MCAS feature [81911]. |
Impacts | 1. The Boeing 737 MAX 8 and 9 planes were grounded worldwide due to the software failure incident, leading to significant disruptions in air travel and operations [82932, 81920]. 2. Boeing paused deliveries of its 737 MAX aircraft and continued production at full speed while dealing with the grounding of the worldwide fleet [82932]. 3. Airlines coped with the grounding by switching planes, and nearly 5,000 MAXs on order faced potential cancellations, impacting the aviation industry financially [82932]. 4. Boeing's market value decreased by over $26 billion following the crash incidents, and its stock fell significantly [82932]. 5. The software update for the Boeing 737 MAX jets was delayed, leading to extended grounding of the aircraft and affecting airlines' schedules and operations [82344]. 6. Airlines like American, Southwest, and United had to cancel flights and adjust schedules due to the grounding of the 737 MAX jets [82845]. 7. Boeing faced intense scrutiny and regulatory investigations, including the need for additional training for pilots and software updates to address the software failure incidents [82845]. 8. The crashes resulted in a halt in Boeing's deliveries of the 737 MAX jets, impacting the company's production and delivery schedules [82845]. 9. The software failure incidents raised concerns about Boeing's safety certification processes and the need for enhanced safety features and training for pilots [81911]. 10. The incidents led to a reevaluation of Boeing's safety systems and training programs, with a focus on addressing potential flaws in the automated flight software [81911]. |
Preventions | 1. Enhanced pilot training on the Maneuvering Characteristics Augmentation System (MCAS) feature could have potentially prevented the software failure incident by ensuring pilots are well-equipped to handle the system effectively [81911]. 2. Implementing a software update that relies on readings from more than one sensor before activating the anti-stall system and making the system's actions less severe and easier for pilots to handle could have helped prevent the incident [82845]. 3. Conducting thorough audits and reviews of the software system to identify and address any potential issues before deployment could have also been a preventive measure [81911]. |
Fixes | 1. Boeing has been working on a software upgrade for the anti-stall system, known as MCAS, on the 737 MAX jets to disable the system if conflicting data from sensors is received, and to make the system's actions less severe and easier for pilots to handle. This upgrade is expected to be rolled out in the coming weeks [Article 82019]. 2. The FAA expects Boeing to complete the software upgrade for the 737 MAX jets in the coming weeks, after which it will need approval from the FAA and other regulators before the planes can return to service [Article 82845]. 3. Boeing has redesigned the software to ensure the MCAS will no longer repeatedly make corrections when a pilot tries to regain control, and will install an extra warning system on all 737 MAX aircraft to alert pilots when sensors produce contradictory readings. This upgrade is part of Boeing's plan to address the software issues suspected to have played a role in the crashes [Article 81920]. |
References | 1. Ethiopian Airlines officials and Ethiopia’s transport minister [81920] 2. Wall Street Journal [81911] 3. Federal Aviation Administration (FAA) [81911] 4. Indonesia’s National Transportation Safety Committee [81911] 5. Boeing [81911] 6. US Federal Aviation Administration (FAA) [82845] 7. Boeing spokesman [82845] 8. Ethiopian Airlines CEO Tewolde GebreMariam [81911] 9. Pilots’ union spokesmen for Southwest and American [81911] |
Category | Option | Rationale |
---|---|---|
Recurring | one_organization, multiple_organization | (a) The software failure incident having happened again at one_organization: - The Boeing 737 MAX aircraft crashes, including the Ethiopian Airlines Flight 302 crash, have raised concerns about the Maneuvering Characteristics Augmentation System (MCAS) software installed in the planes [81911]. - Preliminary findings suggest that the MCAS system automatically activated before the Ethiopian Airlines Flight 302 nose-dived into the ground, similar to the Lion Air crash in Indonesia [81911]. - The MCAS system is designed to automatically lower the nose of the plane based on information from external sensors to prevent stalling, but it has been under scrutiny for its role in the crashes [81911]. - Boeing has been working on a software update for the MCAS system to address the concerns and make the system less severe and easier for pilots to handle [82845]. - The Ethiopian Airlines CEO mentioned that pilots transitioning to the Boeing 737 Max 8 were only required to undertake a short computer-based training program, which did not adequately cover the MCAS feature [81911]. (b) The software failure incident having happened again at multiple_organization: - The Boeing 737 MAX crashes have led to a worldwide grounding of the planes due to concerns about the MCAS system and its potential role in the accidents [81911]. - The Lion Air crash in Indonesia and the Ethiopian Airlines crash share similarities in terms of the MCAS system and the challenges faced by pilots in controlling the aircraft [81911]. - The FAA grounded all Boeing 737 Max planes after identifying similarities between the two crashes, indicating a broader issue with the software system across different airlines and organizations [81911]. - Boeing has been working on changes to the flight-control system suspected of playing a role in the crashes, affecting airlines globally that operate the 737 MAX jets [82845]. - The delays in implementing the software upgrade have impacted airlines like American, Southwest, and United, leading to flight cancellations and adjustments in their schedules [82845]. |
Phase (Design/Operation) | design, operation | (a) In the case of the Boeing 737 MAX crashes, the software failure incident was primarily related to the design phase. The Maneuvering Characteristics Augmentation System (MCAS) installed in both the Ethiopian Airlines Flight 302 and Lion Air Flight 610 planes was identified as a contributing factor to the crashes. The MCAS is an automated flight software that automatically lowers the nose of the plane based on data from external angle of attack sensors to prevent stalling. The preliminary findings from the investigations suggest that the MCAS may have automatically activated before the planes nose-dived into the ground, indicating a flaw in the design of the system [81911]. (b) Regarding the operation phase, concerns were raised about the training provided to pilots transitioning to the Boeing 737 MAX 8 aircraft. Pilots were required to undertake a short computer-based training program prescribed by Boeing and approved by the FAA. The flight simulator used for training did not replicate the MCAS automated feature, which crash investigators are scrutinizing. This lack of comprehensive training on the MCAS system raised questions about the operation and understanding of the system by the pilots [81911]. |
Boundary (Internal/External) | within_system, outside_system | (a) within_system: The software failure incident related to the Boeing 737 MAX crashes, specifically the Ethiopian Airlines Flight 302 and Lion Air Flight 610 crashes, is primarily attributed to the automated flight software called the Maneuvering Characteristics Augmentation System (MCAS) installed in both planes. The MCAS is a system designed to automatically lower the nose of the plane when it receives information from its external angle of attack (AOA) sensors that the aircraft is flying too slowly or steeply, and at risk of stalling. The preliminary findings from the investigations suggest that the MCAS feature automatically activated before the planes nose-dived into the ground, indicating a potential software malfunction within the system [81911]. (b) outside_system: Contributing factors that originate from outside the system in the software failure incident related to the Boeing 737 MAX crashes include concerns about pilot training and the adequacy of information provided to pilots regarding the MCAS system. Ethiopian Airlines CEO mentioned that pilots transitioning to the Boeing 737 Max 8 aircraft were required to undertake a short computer-based training program prescribed by Boeing and approved by the FAA. Additionally, pilots' union spokesmen for Southwest and American airlines highlighted that the self-administered course did not adequately explain the MCAS feature, raising questions about the training provided to pilots regarding the new system [81911]. |
Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident occurring due to non-human actions: - Preliminary findings from the Ethiopian Airlines Boeing 737 MAX 8 crash suggest that a flight-control feature automatically activated before the plane nose-dived into the ground, indicating a potential issue with the automated flight software called the Maneuvering Characteristics Augmentation System (MCAS) [Article 81911]. - The MCAS system, designed to automatically lower the nose of the plane based on external angle of attack (AOA) sensor data, was implicated in both the Ethiopian Airlines and Lion Air crashes, potentially due to responding to faulty sensor information [Article 81911]. - Boeing has been working on a software upgrade for the 737 MAX jets to address the MCAS system and make changes to prevent similar incidents in the future [Article 82845]. (b) The software failure incident occurring due to human actions: - Pilots transitioning to the Boeing 737 Max 8 aircraft from older models were required to undertake a short computer-based training program, which did not adequately cover the MCAS automated feature that is under scrutiny in the crashes [Article 81911]. - Concerns have been raised about the training provided to pilots regarding the MCAS system and whether they were sufficiently prepared to handle the system's actions in critical situations [Article 81911]. |
Dimension (Hardware/Software) | hardware, software | (a) The software failure incident occurring due to hardware: - The preliminary findings from the Ethiopian Airlines Boeing 737 MAX 8 crash suggest that a flight-control feature automatically activated before the plane nose-dived into the ground, indicating a potential hardware-related issue [Article 81911]. - The investigation into the Ethiopian Airlines crash found a screw-like device in the tail of the crashed plane that was positioned to pitch the plane nose-down upon impact, pointing towards a hardware-related contributing factor [Article 81920]. (b) The software failure incident occurring due to software: - The preliminary findings from the Ethiopian Airlines crash suggest that the Maneuvering Characteristics Augmentation System (MCAS), an automated flight software, may have automatically activated before the crash, indicating a potential software-related issue [Article 81911]. - The MCAS system, designed to prevent the 737 MAX from stalling, was implicated in both the Ethiopian Airlines and Lion Air crashes, suggesting a software-related contributing factor [Article 81911]. - Boeing has been working on a software upgrade for the 737 MAX jets to address the flight-control system suspected of having a role in the crashes, indicating a software-related issue [Article 82845]. |
Objective (Malicious/Non-malicious) | non-malicious | (a) malicious: The articles do not indicate any malicious intent behind the software failure incident related to the Boeing 737 MAX crashes. The focus is on the automated flight software system called the Maneuvering Characteristics Augmentation System (MCAS) and its role in the crashes, with investigations pointing towards potential flaws in the system that automatically activated and caused the planes to nose-dive [81911]. (b) non-malicious: The software failure incident related to the Boeing 737 MAX crashes is considered non-malicious, with preliminary findings suggesting that a flight-control feature automatically activated before the planes nose-dived into the ground. The system in question, the MCAS, is designed to automatically lower the nose of the plane based on external sensor data to prevent stalling, but issues with this system have been identified as a potential contributing factor to the crashes [81911]. |
Intent (Poor/Accidental Decisions) | poor_decisions | [a82845] Preliminary findings from the investigation into the Ethiopian Airlines Boeing 737 MAX 8 crash suggest that a flight-control feature automatically activated before the plane nose-dived into the ground. This indicates a potential software failure due to contributing factors introduced by poor decisions or design flaws in the Maneuvering Characteristics Augmentation System (MCAS) that may have played a role in the two deadly crashes involving the 737 MAX aircraft. The MCAS is a system designed to automatically lower the nose of the plane based on data from external sensors, and if confirmed, this automated system activation could be a critical factor in the incidents. |
Capability (Incompetence/Accidental) | development_incompetence, accidental | (a) The software failure incident occurring due to development incompetence: - The preliminary findings from officials investigating the Ethiopian Airlines Boeing 737 MAX 8 crash suggest that a flight-control feature automatically activated before the plane nose-dived into the ground, indicating a potential failure in the Maneuvering Characteristics Augmentation System (MCAS) software [Article 81911]. - Boeing had been working on a software upgrade for the anti-stall system and pilot displays on its 737 MAX jetliner following the Lion Air crash, indicating a need for software improvements due to the initial system design [Article 81920]. (b) The software failure incident occurring accidentally: - The preliminary findings from the Ethiopian Airlines crash suggest that the MCAS system automatically activated before the plane nose-dived, indicating an accidental triggering of the system [Article 81911]. - The MCAS system, designed to prevent the 737 MAX from stalling, was implicated in the Lion Air crash due to a malfunction, suggesting an accidental triggering of the system in that incident as well [Article 81911]. |
Duration | temporary | (a) The software failure incident in the Boeing 737 MAX crashes is considered temporary. The preliminary findings from the investigations suggest that a flight-control feature automatically activated before the planes nose-dived into the ground, indicating a potential issue with the Maneuvering Characteristics Augmentation System (MCAS) [Article 81911]. Boeing has been working on a software upgrade for the anti-stall system suspected to have a role in the crashes, and the FAA expects the software upgrade to be completed in the coming weeks [Article 82845]. The software update is aimed at addressing the issues with the MCAS system and making the system's actions less severe and easier for pilots to handle [Article 82845]. Additionally, the software issue is being addressed through changes in the flight-control system and pilot training, with Boeing planning to disable the MCAS if it receives conflicting data from its sensors and installing an extra warning system on all 737 MAX aircraft [Article 82019]. These actions indicate that the software failure incident is not permanent but rather a result of specific contributing factors related to the MCAS system and its interaction with the aircraft's sensors. |
Behaviour | crash, omission, value, other | (a) The behavior of the software failure incident as a crash: - The Ethiopian Airlines Boeing 737 MAX 8 crashed after takeoff, killing all 157 people on board [Article 81911]. - Lion Air Flight 610 also crashed into the Java Sea in Indonesia, resulting in the deaths of all 189 people on board [Article 81911]. (b) The behavior of the software failure incident as omission: - The MCAS system in the Boeing 737 MAX planes omitted to perform its intended function of preventing the plane from stalling, leading to the crashes [Article 81911]. (c) The behavior of the software failure incident as timing: - The MCAS system in the Boeing 737 MAX planes activated automatically before the planes nose-dived into the ground [Article 81911]. (d) The behavior of the software failure incident as value: - The MCAS system in the Boeing 737 MAX planes performed its intended function incorrectly, causing the planes to nose-dive [Article 81911]. (e) The behavior of the software failure incident as byzantine: - There is no specific mention of the software failure incident behaving in a byzantine manner in the provided articles. (f) The behavior of the software failure incident as other: - The software failure incident involved the MCAS system automatically activating before the planes nose-dived into the ground, indicating a failure due to the system losing state and not performing its intended functions [Article 81911]. |
Layer | Option | Rationale |
---|---|---|
Perception | sensor, embedded_software | (a) sensor: The failure was related to the sensor in the software system. In the case of the Ethiopian Airlines Boeing 737 MAX 8 crash, preliminary findings suggest that a flight-control feature automatically activated before the plane nose-dived into the ground, indicating a sensor-related issue [Article 81911]. (b) actuator: There is no specific mention of the failure being related to an actuator error in the articles provided. (c) processing_unit: There is no specific mention of the failure being related to a processing error in the articles provided. (d) network_communication: There is no specific mention of the failure being related to a network communication error in the articles provided. (e) embedded_software: The failure was related to the embedded software in the system. The Maneuvering Characteristics Augmentation System (MCAS) installed in both the Ethiopian Airlines and Lion Air planes, which could be to blame for the crashes, is an automated flight software system, indicating an embedded software error [Article 81911]. |
Communication | unknown | [a] The failure related to the software system in the Boeing 737 MAX incidents was not directly related to the communication layer of the cyber physical system that failed. The failures were primarily associated with the Maneuvering Characteristics Augmentation System (MCAS) software, which automatically activated and caused the planes to nose-dive. This system was designed to prevent stalling by automatically lowering the nose of the plane based on data from external sensors. The MCAS system was implicated in both the Ethiopian Airlines and Lion Air crashes, leading to concerns about its functionality and the training provided to pilots regarding this system. The Wall Street Journal reported preliminary findings suggesting that the MCAS system automatically activated before the Ethiopian Airlines crash [81911]. Additionally, the FAA grounded all Boeing 737 MAX planes due to similarities between the two crashes, indicating a potential issue with the MCAS system [81911]. Boeing has been working on a software update for the MCAS system to address these concerns. The update includes changes to rely on readings from more than one sensor before activating the anti-stall system and making the system's actions less severe and easier for pilots to handle. Boeing is also revising pilot training to provide enhanced understanding of the 737 MAX flight system and crew procedures [82845]. |
Application | TRUE | The software failure incidents related to the Boeing 737 MAX crashes were indeed related to the application layer of the cyber physical system. The failures were specifically linked to the Maneuvering Characteristics Augmentation System (MCAS), an automated flight software feature installed in the planes. The MCAS is designed to automatically lower the nose of the plane when it receives information from its external angle of attack (AOA) sensors that the aircraft is flying too slowly or steeply, and at risk of stalling. 1. Article 81911 reports that preliminary findings from the Ethiopian Airlines Boeing 737 MAX 8 crash suggest that a flight-control feature, which is part of the application layer of the software system, automatically activated before the plane nose-dived into the ground. This feature, known as the Maneuvering Characteristics Augmentation System (MCAS), was implicated in both the Ethiopian Airlines and Lion Air crashes. 2. Article 81920 mentions that data from the Ethiopian Airlines Flight 302 showed wild swings in the aircraft's vertical speed before the crash, indicating the involvement of the MCAS system. The MCAS is part of the application layer of the software system that is meant to prevent the plane's nose from rising too steeply and causing a stall. 3. Article 82845 discusses how Boeing needed more time to finish changes in the flight-control system suspected of having a role in the crashes. The changes include updates to the automated system that is part of the application layer, designed to prevent the plane's nose from rising dangerously. Therefore, the software failure incidents related to the Boeing 737 MAX crashes were indeed linked to the application layer of the cyber physical system, specifically the MCAS system. |
Category | Option | Rationale |
---|---|---|
Consequence | death, harm, property, delay, non-human, theoretical_consequence | (a) death: - The Ethiopian Airlines Flight 302 crash resulted in the death of all 157 people on board [82932]. - The Lion Air Flight 610 crash in Indonesia led to the death of all 189 people on board [81911]. (b) harm: - The preliminary findings suggest that the flight-control feature automatically activated before the Ethiopian Airlines Flight 302 nose-dived into the ground, resulting in harm to all 157 people on board [81911]. (d) property: - The grounding of the Boeing 737 MAX planes has led to financial implications for the aviation industry, with Boeing's stock value decreasing significantly [82932]. - Airlines have been forced to ground their Boeing 737 MAX jets, impacting their operations and potentially leading to financial losses [82845]. (f) non-human: - The Boeing 737 MAX aircraft, specifically the MCAS system, was identified as a potential cause of the crashes involving Lion Air and Ethiopian Airlines flights [81911]. - The MCAS system, an automated flight software, was suspected to have automatically activated before the Ethiopian Airlines Flight 302 crash [81911]. (h) theoretical_consequence: - The preliminary findings from the Ethiopian Airlines crash suggest that the MCAS system could be to blame for the incidents, indicating a potential consequence of the software failure [81911]. - Concerns were raised about the MCAS system and pilot training in relation to the crashes of the Boeing 737 MAX planes [81911]. - The delay in the completion of the software upgrade for the 737 MAX jets could prolong the grounding of the aircraft, impacting airlines and passengers [82845]. |
Domain | transportation | (a) The failed system was intended to support the transportation industry. The Boeing 737 MAX aircraft, which experienced the software failure incident, is used for air transportation [82932, 81861, 81989, 82344, 77658, 82019, 81920, 82845, 81911]. |
Article ID: 82932
Article ID: 81861
Article ID: 81989
Article ID: 82344
Article ID: 77658
Article ID: 82019
Article ID: 81920
Article ID: 82845
Article ID: 81911