Incident: Boeing 737 Max 8 Software Update Delayed Due to Government Shutdown

Published Date: 2019-03-13

Postmortem Analysis
Timeline 1. Boeing's software fix for a suspected nosedive problem in its 737 Max 8 jets was reportedly slated for announcement as early as January, following the Lion Air crash in Indonesia in October [81915]. 2. The fix was further delayed by the 35-day US government shutdown, during which consideration of the changes was suspended [81915]. 3. After the Ethiopian Airlines crash, Boeing said the update would happen 'in the coming weeks' [81915]. Estimation: Step 1: The article, published on 2019-03-13, describes the delay caused by the shutdown and a plan to ship the update in the coming weeks. Step 2: The publication date is 2019-03-13. Step 3: The delay to the software fix therefore ran from roughly January 2019 until at least the publication date, bracketed by the Lion Air crash in October 2018 and the Ethiopian Airlines crash shortly before publication.
System 1. Boeing 737 Max 8 software update system [81915]
Responsible Organization 1. Boeing - The software failure incident was caused by a delay in a software update by Boeing to fix a suspected nosedive problem in its 737 Max 8 jets [81915].
Impacted Organization 1. Boeing - The software failure incident impacted Boeing as their software update to fix a suspected nosedive problem in its 737 Max 8 jets was delayed by the US government shutdown [81915]. 2. Norwegian Air - Norwegian Air stated they will seek compensation from Boeing for lost revenue and extra costs after grounding its 737 Max 8 aircraft [81915].
Software Causes 1. The software fix for a suspected nosedive problem in Boeing's 737 Max 8 jets was delayed by engineering and regulatory complications and then by the US government shutdown, so the safety fix had not shipped when the second aircraft was lost [81915]. 2. On the Lion Air plane, sensors produced erroneous information on its last four flights; the flight-control software acted on that input and issued an automatic nose-down command that the pilots were unable to overcome, leading to the crash [81915]. 3. The system being changed is designed to prevent an aerodynamic stall by pushing the nose down if sensors detect that the nose is pointed too high and the speed is too slow; the planned update makes it rely on data from more than one sensor before triggering the command and reduces the magnitude of the change, which indicates that the existing logic could act on a single erroneous input [81915].
Non-software Causes 1. The software fix for the suspected nosedive problem was delayed by the 35-day US government shutdown, which suspended consideration of the changes, on top of engineering and regulatory complications [81915]. 2. Differences of opinion among federal and company safety experts over how extensive the alterations needed to be also contributed to the delay [81915]. 3. On the Lion Air flight, sensors produced erroneous information that triggered an automatic nose-down command the pilots were unable to overcome, leading to the crash in Indonesia [81915]. 4. After the Ethiopian Airlines crash, pressure from countries and airlines to ground the 737 Max 8 turned the still-pending fix into a worldwide grounding [81915].
Impacts 1. Safety fixes initially slated for announcement in early January, following the Lion Air disaster in Indonesia, slipped by months [81915]. 2. The delay was reportedly caused by engineering and regulatory complications and by the 35-day partial government shutdown in America, during which consideration of the changes was suspended [81915]. 3. After the Ethiopian Airlines crash, 737 Max 8 jets were grounded by multiple countries and airlines, disrupting flight schedules and causing financial losses for airlines such as Norwegian Air, which said it would seek compensation from Boeing [81915]. 4. The crashes raised concerns about the safety of the 737 Max 8 and put pressure on Boeing and the FAA to address the problem and ground the planes pending further investigation [81915]. 5. Aviation safety regulators including those of the European Union, China, Australia and the United Kingdom acted independently of the FAA, reflecting a lack of consensus on the airworthiness of the type [81915].
Preventions 1. Shipping the fix on its original schedule: the fix was slated for announcement in early January, after the Lion Air crash, and was still pending when the second aircraft was lost; treating the post-crash fix as urgent, rather than letting engineering disagreements and the government shutdown stall regulatory consideration, would have narrowed the window in which a second crash could occur [81915]. 2. Settling the scope early: the differences of opinion among federal and company safety experts over how extensive the alterations needed to be, and over whether to add pilot training and cockpit alerts, were themselves a source of delay [81915]. 3. Cross-checking redundant sensors: requiring agreement between more than one sensor before an automatic nose-down command is issued, and limiting the magnitude of that command, is what the delayed update was intended to provide, so that a single erroneous reading could not drive a command the pilots were unable to overcome [81915].
Fixes 1. Implementing a software update to fix the suspected nosedive problem in Boeing's 737 Max 8 jets [81915] 2. Upgrading the flight-control software to rely on data from more than one sensor to trigger a nose-down command and reduce the magnitude of the change [81915] 3. Providing more training for pilots on the updated software and system changes [81915]
References 1. Boeing spokesperson 2. Wall Street Journal 3. Norwegian Air 4. American Airlines 5. European Aviation Safety Agency 6. Association of Professional Flight Attendants 7. Southwest Airlines 8. Federal Aviation Administration 9. Rep. Peter DeFazio 10. Bill McGee, aviation adviser for Consumer Reports 11. Former Transportation Secretary Ray LaHood 12. John Goglia, independent safety consultant and former member of the National Transportation Safety Board 13. John Cox, president and CEO of the aviation consultancy Safety Operating Systems 14. Democratic Sens. Richard Blumenthal and Dianne Feinstein 15. European Union Aviation Safety Agency 16. Sandy Morris, aerospace analyst at Jefferies in London [81915]
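The Software Causes and Fixes entries above describe one design change: a stall-protection function that acted on a single sensor's reading is made to cross-check more than one sensor before commanding nose-down, and to apply a smaller correction when it does. The C program below is an added illustration written for this page, not Boeing's flight-control code; the threshold values, structure names and flight frames are assumptions chosen for the example. It contrasts the single-sensor decision with the cross-checked, magnitude-limited one on a constructed segment in which one angle-of-attack vane is stuck at an erroneous high reading while the other reads normally.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Illustrative thresholds. These are assumed values chosen for the example,
 * not certified flight-control parameters.
 */
#define AOA_STALL_THRESHOLD_DEG     14.0  /* nose "pointed too high" */
#define AIRSPEED_SLOW_KT           200.0  /* speed "too slow" */
#define AOA_DISAGREE_TOLERANCE_DEG   5.5  /* max spread tolerated between vanes */
#define SINGLE_SENSOR_TRIM_DEG       2.5  /* nose-down magnitude, pre-fix (assumed) */
#define LIMITED_TRIM_DEG             1.0  /* reduced magnitude, post-fix (assumed) */

/* One sample from the air-data system: two angle-of-attack vanes plus airspeed. */
typedef struct {
    double aoa_left_deg;
    double aoa_right_deg;
    double airspeed_kt;
} sensor_frame;

typedef struct {
    bool   command_nose_down;  /* true if the logic would push the nose down */
    double trim_deg;           /* magnitude of that push */
    bool   sensor_disagree;    /* true if the vanes were rejected as inconsistent */
} control_output;

/*
 * Pre-fix behaviour: a single vane is trusted outright. A stuck or erroneous
 * left reading is indistinguishable from a real high angle of attack.
 */
control_output single_sensor_logic(const sensor_frame *f)
{
    control_output out = {false, 0.0, false};
    if (f->aoa_left_deg > AOA_STALL_THRESHOLD_DEG &&
        f->airspeed_kt < AIRSPEED_SLOW_KT) {
        out.command_nose_down = true;
        out.trim_deg = SINGLE_SENSOR_TRIM_DEG;
    }
    return out;
}

/*
 * Post-fix behaviour: both vanes must agree before the reading is used, and
 * the authority of any resulting command is capped.
 */
control_output cross_checked_logic(const sensor_frame *f)
{
    control_output out = {false, 0.0, false};
    double spread = f->aoa_left_deg - f->aoa_right_deg;
    if (spread < 0.0) spread = -spread;

    if (spread > AOA_DISAGREE_TOLERANCE_DEG) {
        /* The vanes disagree and we cannot tell which one is lying: fail safe
           by withholding the automatic command and surfacing the disagreement. */
        out.sensor_disagree = true;
        return out;
    }
    /* Use the less alarming of two consistent readings so that a single high
       reading inside the tolerance band still cannot dominate. */
    double aoa = f->aoa_left_deg < f->aoa_right_deg ? f->aoa_left_deg
                                                     : f->aoa_right_deg;
    if (aoa > AOA_STALL_THRESHOLD_DEG && f->airspeed_kt < AIRSPEED_SLOW_KT) {
        out.command_nose_down = true;
        out.trim_deg = LIMITED_TRIM_DEG;
    }
    return out;
}

/* Counts the frames of a sequence on which a given logic would push the nose down. */
int count_nose_down(control_output (*logic)(const sensor_frame *),
                    const sensor_frame *frames, int n)
{
    int hits = 0;
    for (int i = 0; i < n; i++)
        if (logic(&frames[i]).command_nose_down) hits++;
    return hits;
}

int main(void)
{
    /* Constructed flight segment (not real flight data): four frames with the
       left vane stuck high, one genuine high-AoA frame, one normal frame. */
    const sensor_frame segment[] = {
        {25.0, 3.0, 180.0}, {25.0, 3.1, 182.0}, {25.0, 2.9, 179.0}, {25.0, 3.0, 181.0},
        {16.0, 15.5, 150.0},
        { 3.0,  3.2, 250.0},
    };
    int n = (int)(sizeof segment / sizeof segment[0]);

    printf("single-sensor logic: %d nose-down commands\n",
           count_nose_down(single_sensor_logic, segment, n));
    printf("cross-checked logic: %d nose-down commands\n",
           count_nose_down(cross_checked_logic, segment, n));

    control_output o = cross_checked_logic(&segment[0]);
    printf("stuck-vane frame rejected: %s\n", o.sensor_disagree ? "yes" : "no");
    return 0;
}
```

The design choice worth noting is what happens on disagreement: the cross-checked logic does not pick a winner, it withholds automatic authority and exposes the disagreement as a flag, which is the kind of condition a cockpit alert of the sort the article says was under discussion would surface to the crew. The single-sensor version has no such state, so a stuck vane keeps generating commands on every frame.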

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization, multiple_organization (a) The software failure incident having happened again at one_organization: - Boeing faced a software failure incident related to a suspected nosedive problem in its 737 Max 8 jets. A second 737 Max 8 crashed in Ethiopia before the fix shipped, killing all 157 on board [81915]. (b) The software failure incident having happened again at multiple_organization: - The article notes that the Lion Air disaster in Indonesia, which also involved a Boeing 737 Max 8, claimed 189 lives in October. Two operators, Lion Air and Ethiopian Airlines, therefore lost aircraft of the same type to the same suspected problem [81915].
Phase (Design/Operation) design, operation (a) The software failure incident related to the design phase can be seen in the delay of a Boeing software update to fix a suspected nosedive problem in its 737 Max 8 jets. The safety fixes were reportedly slated for announcement as early as January following the Lion Air disaster in Indonesia, but the updates were delayed due to engineering and regulatory complications, as well as differences of opinion among federal and company safety experts on how extensive the alterations needed to be [81915]. (b) The software failure incident related to the operation phase can be observed in the erroneous information produced by sensors on a Lion Air plane in its last four flights, triggering an automatic nose-down command that the pilots were unable to overcome, leading to the plane crashing into the sea. This failure was attributed to the sensors providing incorrect data, impacting the operation of the aircraft [81915].
Boundary (Internal/External) within_system (a) within_system: The software failure incident related to the Boeing 737 Max 8 jets was primarily within the system. The failure was attributed to a suspected nosedive problem in the aircraft, which was to be fixed through a software update by Boeing. The update was delayed due to engineering and regulatory complications, as well as differences of opinion among federal and company safety experts on the extent of alterations needed [81915]. The software update was intended to tweak a system designed to prevent an aerodynamic stall by relying on data from more than one sensor to trigger a nose-down command and reducing the magnitude of the change. The failure was within the system as it involved the software controlling the aircraft's flight dynamics and safety features.
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident in the Boeing 737 Max 8 jets was primarily due to non-human actions. The incident was related to a suspected nosedive problem in the aircraft, which was caused by a faulty software system designed to prevent an aerodynamic stall if sensors detected the plane's nose was pointed too high and its speed was too slow. This system, which automatically triggered a nose-down command, was found to rely on erroneous sensor data, leading to the fatal crashes [81915]. (b) Human actions also played a role in the software failure incident. Delays in implementing safety fixes and software updates for the 737 Max 8 jets were reported to have been caused by engineering and regulatory complications, as well as differences of opinion among federal and company safety experts over the extent of alterations needed. Additionally, the 35-day partial government shutdown in America reportedly suspended consideration of the necessary changes, further contributing to the delay in addressing the software issues [81915].
Dimension (Hardware/Software) hardware, software (a) The software failure incident occurring due to hardware: - The article mentions that the Boeing 737 Max 8 jets experienced a suspected nosedive problem, which was related to a system designed to prevent an aerodynamic stall if sensors detect that the plane's nose is pointed too high and its speed is too slow. This system was triggered by erroneous information from sensors on the plane, leading to an automatic nose-down command that the pilots were unable to overcome, ultimately resulting in a crash [81915]. (b) The software failure incident occurring due to software: - The article highlights that a Boeing software update to fix the suspected nosedive problem in the 737 Max 8 jets was delayed by the US government shutdown. The safety fixes, which were supposed to be announced earlier, were postponed due to engineering and regulatory complications. The software update was intended to tweak the flight-control software to rely on data from more than one sensor to trigger a nose-down command and to reduce the magnitude of the change. Additionally, more training for pilots was planned as part of the software update [81915].
Objective (Malicious/Non-malicious) non-malicious The software failure incident related to the Boeing 737 Max 8 jets can be categorized as non-malicious. The incident involved a delay in a Boeing software update to fix a suspected nosedive problem in the jets, which was reportedly caused by engineering and regulatory complications as well as the 35-day partial government shutdown in America [81915]. The safety fixes were initially earmarked for completion in the wake of the Lion Air disaster in Indonesia, and the updates were planned to happen 'in the coming weeks' after the Ethiopian Airlines crash [81915]. The delays in implementing the software update were due to differences of opinion among federal and company safety experts over the extent of alterations needed, as well as discussions on whether to add extra pilot training and cockpit alerts to the changes [81915].
Intent (Poor/Accidental Decisions) poor_decisions (a) poor_decisions: Failure due to contributing factors introduced by poor decisions - The software failure incident related to the Boeing 737 Max 8 jets was delayed due to the US government shutdown, which caused the safety fixes to be postponed [81915]. - The delays in implementing the software updates were attributed to engineering and regulatory complications, as well as differences of opinion among federal and company safety experts over the extent of alterations needed [81915]. - Consideration of the software fixes was suspended during the 35-day partial government shutdown in America, which further contributed to the delays in addressing the suspected nosedive problem in the jets [81915]. - The software update to fix the nosedive problem was initially earmarked for completion by early January following the Lion Air disaster, but the updates were continuously delayed [81915]. - The delays in implementing the software fixes were also linked to discussions about whether to add extra pilot training and cockpit alerts to the package of changes, indicating a lack of consensus on the necessary actions to address the issue [81915].
Capability (Incompetence/Accidental) accidental (a) The software failure incident related to the Boeing 737 Max 8 jets was not directly attributed to development incompetence. However, there were delays in the software update to fix a suspected nosedive problem in the jets due to engineering and regulatory complications, as well as differences of opinion among federal and company safety experts over the extent of alterations needed [81915]. (b) The software failure incident can be considered accidental as it was not intentional but rather a result of delays in the software update process. The delays were caused by factors such as the 35-day partial government shutdown in America, engineering and regulatory complications, and differences of opinion among safety experts [81915].
Duration temporary The software failure incident related to the Boeing 737 Max 8 jets can be categorized as a temporary failure. The incident involved a delay in a Boeing software update to fix a suspected nosedive problem in the jets, which was reportedly caused by engineering and regulatory complications, as well as the partial government shutdown in America [81915]. The safety fixes were initially earmarked for completion by early January following the Lion Air disaster, but the updates were delayed, and the software fixes were still pending at the time of the Ethiopian Airlines crash [81915]. The delay in the software update implementation was a temporary failure caused by specific circumstances that hindered the timely resolution of the suspected issue.
Behaviour crash, omission (a) crash: The software failure incident in the articles can be categorized as a crash. This is evident from the description of the Boeing 737 Max 8 jets crashing in both the Lion Air disaster in Indonesia and the Ethiopian Airlines crash, resulting in the loss of lives [81915]. (b) omission: The software failure incident can also be linked to omission as the system failed to perform its intended functions correctly. Specifically, sensors on the Lion Air

IoT System Layer

Layer Option Rationale
Perception sensor, embedded_software (a) sensor: The software failure incident related to the Boeing 737 Max 8 jets was partially attributed to sensor errors. Officials at Lion Air in Indonesia reported that sensors on their plane produced erroneous information on its last four flights, triggering an automatic nose-down command which the pilots were unable to overcome, leading to the plane crashing into the sea [81915]. (e) embedded_software: The failure was also linked to issues with the embedded software. Boeing was working on tweaking a system designed to prevent an aerodynamic stall if sensors detect that the plane's nose is pointed too high and its speed is too slow. The company promised to upgrade some flight-control software 'in the coming weeks' after the Lion Air crash, indicating that the embedded software needed modifications to enhance safety measures [81915].
Communication unknown The software failure incident related to the Boeing 737 Max 8 jets was not directly related to the communication layer of the cyber physical system that failed. The incident was primarily associated with a suspected nosedive problem in the aircraft, which was addressed through a software update that was delayed due to the US government shutdown [81915]. The failure was more focused on the flight-control software and sensors triggering erroneous commands, leading to potential aerodynamic stalls rather than issues at the communication layer of the system.
Application FALSE The software failure incident related to the Boeing 737 Max 8 jets was not directly attributed to the application layer of the cyber physical system. The failure was primarily associated with a suspected nosedive problem and a system designed to prevent an aerodynamic stall based on erroneous sensor information, which led to automatic nose-down commands that pilots were unable to overcome [81915]. Therefore, the failure was not specifically linked to bugs, operating system errors, unhandled exceptions, or incorrect usage at the application layer.

Other Details

Category Option Rationale
Consequence death, harm, property (a) death: People lost their lives due to the software failure - The software failure incident involving the Boeing 737 Max 8 jets led to two deadly crashes, one in Indonesia and another in Ethiopia, resulting in a total of 346 lives lost [81915]. (b) harm: People were physically harmed due to the software failure - The crashes resulting from the software failure incident caused physical harm to the passengers and crew onboard the Boeing 737 Max 8 jets [81915]. (d) property: People's material goods, money, or data was impacted due to the software failure - Norwegian Air stated that it would seek compensation from Boeing for lost revenue and extra costs after grounding its fleet of 737 MAX 8 aircraft following the Ethiopian Airlines crash [81915].
Domain transportation The software failure incident reported in the news article falls in the transportation industry. The failed system was flight-control software intended to support the safe operation of Boeing 737 Max 8 jets. The software fix for a suspected nosedive problem was delayed by the US government shutdown and was still pending when the Ethiopian Airlines 737 Max 8 crashed, following the earlier Lion Air crash [81915]. The incident led to the grounding of 737 Max jets by various countries and airlines, which shows its impact on the transportation sector [81915].
