Jet engines get planes in the sky, but software keeps them safe

Boeing is working on a fix for a system that may be connected to two aviation disasters.
A Boeing 737 MAX 9, one of the two models of 737 MAX aircraft that the FAA grounded. Paul Weatherman / Boeing

Following two disastrous aviation accidents involving the same type of aircraft, the FAA on Wednesday issued an Emergency Order of Prohibition that grounded the Boeing 737 MAX planes.

The aircraft involved in both crashes—Lion Air Flight 610 and Ethiopian Airlines Flight 302—was a 737 MAX 8. While investigations are ongoing, and it is too soon to know whether the causes were the same, some see a resemblance between the two disasters, as The New York Times and others have reported. The FAA itself has said it sees “similarities.”

Even before the crash in Ethiopia, Boeing had been working on a software update for these aircraft. That patch will affect a system on the plane called the Maneuvering Characteristics Augmentation System, or MCAS. (More on what that system does, below.)

While Boeing is not commenting on the software update beyond what they have said publicly, a company representative has confirmed the update will take around 60 minutes to install per aircraft.

While the public is used to upgrading the software on their phones and computers with over-the-air updates, the software for a plane follows a different protocol. Updates to a plane’s code are typically done by a mechanic, says John Hansman, a professor of aeronautics and astronautics and the director of the International Center for Air Transportation at MIT.

Of course, the stakes are high for any code that’s involved in flying a plane. “This is very critical software, and you really don’t want anybody hacking it, so it’s a very protected process,” he says.

Software and hardware fail in different ways

The hardware of a plane—the fuselage, wings, engines, and movable surfaces on the outside that give the pilot control—is what passengers naturally notice. But these accidents, and the forthcoming software update from Boeing, have put the importance of the code that runs on the aircraft into the spotlight.

“We always like to think that it’s the shape of the airplane that makes it work,” says William Crossley, a professor at Purdue University’s School of Aeronautics and Astronautics. “It’s actually moving to the point where the software is as important as the shape of the airplane.”

The software allows the aircraft makers to accomplish a lot. For example, Crossley notes, “Military aircraft can be actually statically unstable and [still] fly, because of the computer and the software.”

In short: don’t underestimate the importance of the code running the vehicle. “The software costs on a modern airplane, particularly for military planes, are typically more than 50 percent of the [total] cost,” says Hansman, of MIT. “It is a huge part of the development of the airplane.”

Aviation engineers also must consider hardware and software in different ways when it comes to safety. “Software fails differently from hardware,” Hansman says.

For example, on the hardware side, the best way to make sure a sensor system is safe is through redundancy, or having multiple sensors that monitor the same or similar variables. Simply put, three sensors to measure something is ideal, he says, because then a plane can utilize a type of voting system if one sensor breaks. If one of the three is giving an aberrant reading, the two that agree with one another are the ones to trust. (In reality, there are more complex ways of doing this than just duplicating a sensor three times—a plane can use data from other places onboard, a process known as “analytical redundancy.”)
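The two-out-of-three voting Hansman describes, written out as an added example in Python. This is constructed illustration code, not Boeing’s, the FAA’s or any certified avionics software; the quantity measured (angle of attack in degrees), the agreement tolerance and the sample readings are assumptions chosen for the demonstration. The example also runs the same readings through a design that trusts a single sensor, so the difference between the two approaches is visible on a stream where one sensor drifts badly.

```python
"""Two-out-of-three sensor voting (constructed example, not avionics code)."""
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class VoteResult:
    value: Optional[float]        # agreed value, or None when there is no quorum
    trusted: Tuple[int, ...]      # indices of sensors whose readings were used
    rejected: Tuple[int, ...]     # indices flagged as aberrant
    status: str                   # "agree", "one_rejected" or "no_quorum"


def vote(readings: Sequence[float], tolerance: float) -> VoteResult:
    """Return the value supported by at least two of three sensors.

    readings:  three measurements of the same quantity in the same units
               (assumed here: angle of attack in degrees).
    tolerance: largest absolute difference at which two readings still
               count as agreeing (assumed value, set by the caller).
    """
    if len(readings) != 3:
        raise ValueError("two-out-of-three voting needs exactly three readings")
    pairs = [(i, j) for i in range(3) for j in range(i + 1, 3)
             if abs(readings[i] - readings[j]) <= tolerance]

    if len(pairs) >= 2:
        # Majority agreement. With only two agreeing pairs the middle sensor
        # agrees with both neighbours, so the median is the value every
        # consistent sensor supports.
        return VoteResult(median(readings), (0, 1, 2), (), "agree")
    if len(pairs) == 1:
        # Exactly one pair agrees: trust those two, flag the odd one out.
        i, j = pairs[0]
        k = ({0, 1, 2} - {i, j}).pop()
        return VoteResult((readings[i] + readings[j]) / 2, (i, j), (k,),
                          "one_rejected")
    # No two sensors agree: the voter cannot pick a winner. The caller has to
    # fall back to another source (the "analytical redundancy" the article
    # mentions) or raise an alert; silently picking a reading is not safe.
    return VoteResult(None, (), (0, 1, 2), "no_quorum")


def compare_designs(samples: Sequence[Sequence[float]], tolerance: float,
                    primary: int = 0) -> List[dict]:
    """Run a stream of readings through a single-sensor design and the voter.

    The single-sensor design trusts sensor `primary` unconditionally; the
    voter uses all three. Each row records where the two designs diverge.
    """
    rows = []
    for t, readings in enumerate(samples):
        result = vote(readings, tolerance)
        rows.append({
            "t": t,
            "single_sensor": readings[primary],
            "voted": result.value,
            "status": result.status,
            "rejected": result.rejected,
        })
    return rows


# Constructed sample stream: three angle-of-attack sensors (degrees). Sensor 0
# starts reading far too high from t=2 onward, the kind of aberrant reading a
# single-sensor design would take at face value as an imminent stall.
SAMPLE_READINGS = [
    (2.1, 2.0, 2.2),
    (2.3, 2.2, 2.3),
    (21.5, 2.4, 2.3),
    (22.0, 2.5, 2.6),
    (22.4, 2.4, 2.5),
]

if __name__ == "__main__":
    for row in compare_designs(SAMPLE_READINGS, tolerance=1.0):
        print(row)
```

The point the rows make is the one in the paragraph above: from t=2 on, the single-sensor column jumps to over 20 degrees while the voted column stays near 2.5 degrees and names sensor 0 as the rejected one. The `no_quorum` case is deliberately left for the caller to handle, because the voter itself has no basis for choosing between three readings that all disagree; that is exactly where data from elsewhere on the aircraft has to come in.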

Redundancy comes into play in other ways in airplane hardware, of course, too: Two engines propel even some of the biggest commercial planes, like Boeing 777s, and the craft can still land if one fails.

But with software, Hansman says, modern commercial planes do not have two software systems that completely duplicate each other—the coding equivalent of two engines. However, a famous spacecraft did, he notes. “The Space Shuttle had a totally separate software package that was written by an entirely independent team,” he says, and points out that the astronauts could switch to the backup system by hitting a button. But that approach is “incredibly expensive,” he says. The problem with that strategy is that even two independent software systems could have the same kind of mistake in the same place.

But commercial planes don’t take a two-independent-systems approach like the Shuttle. Instead, critical software is carefully vetted and certified against a standards document called DO-178C.

“It’s a very arduous process,” Hansman says.

The Boeing patch

The Boeing update will change how the MCAS works. MCAS is a subsystem the aircraft maker put in place to prevent a stall, which can happen when the angle of attack of the wings is too high and the nose is pointed up. If the system malfunctioned and concluded that the plane was stalling, it could push the plane’s nose down so that the wings lower their angle of attack, even if the pilots didn’t want it to—here is a great infographic of that system as it pertains to the Lion Air crash.

Hansman says that the code has been finished for some time, and that it’s designed to address a perceived vulnerability relating to the fact that MCAS is “primarily reliant on the active angle-of-attack sensor.” “My understanding, from what the reports are, is that they are integrating other data sources,” he says.