Is Boeing 737-MAX Still Safe? Analysis and Prevention of MCAS-Induced Crashes
arXiv - EE - Systems and Control, published 2023-01-20, arXiv:2301.08779
Noah T. Curran (University of Michigan), Thomas Kennings (University of Michigan), Kang G. Shin (University of Michigan)

Semi-autonomous (SA) systems face the problem of deciding whether to select control input from the human operator or from the autonomous controller when the two conflict. While one may design an SA system to default to accepting control from one or the other, such a static choice can have catastrophic consequences in safety-critical settings. For instance, the sensors an autonomous controller relies upon may provide incorrect information about the environment due to tampering or natural wear. On the other hand, the human operator may also provide dangerous input. This raises an important question: Can we convert an existing SA system to make dynamic, real-time control decisions that are tolerant of erroneous or malicious input? To explore this question, we investigate a specific SA system that failed because of a static assignment of control authority: the well-publicized failure of the Boeing 737-MAX Maneuvering Characteristics Augmentation System (MCAS) that caused the crashes of Lion Air Flight 610 and Ethiopian Airlines Flight 302. First, through in-depth real-time simulation, we analyze and demonstrate the ease with which the original MCAS design could fail. Our analysis reveals several novel failure vectors that were not present in the original crashes. We also analyze Boeing's revised MCAS and show how it falls short of its intended goals. Using these insights, we present Semi-Autonomous MCAS (SA-MCAS), a new MCAS that both meets the intended goals of MCAS and avoids the failure cases that plagued the original design. We demonstrate SA-MCAS's ability to make correct control decisions for the aircraft even when the human and autonomous operators provide conflicting control inputs.
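The control-authority problem the abstract describes, as an added toy simulation that is not the paper's simulator, Boeing's MCAS, or the authors' SA-MCAS: a pitch-augmentation function that trusts a single angle-of-attack (AoA) sensor unconditionally and re-triggers while that sensor reads high (the static assignment the abstract refers to) is run against a sensor stuck at 70 degrees, side by side with an illustrative arbiter that only takes authority when two sensors agree and acts once per high-AoA event. The first-order pitch dynamics, every threshold (12° AoA, 2.5° trim per activation, 5 steps between re-triggers, 5.5° tolerated sensor disagreement, ±4° column authority, -15° loss-of-control line) and the sensor traces are assumptions constructed for the example; the scenario names, `Aircraft`, `StaticAuthority`, `CrossCheckedAuthority` and `simulate` are likewise hypothetical names, and the model covers only the faulty-sensor side of the problem, not dangerous human input.

```python
"""Toy control-authority arbitration between a pilot and an MCAS-like pitch
augmentation when one angle-of-attack (AoA) sensor fails. Dynamics, thresholds
and sensor traces are constructed for illustration only; this is not the paper's
simulator, Boeing's MCAS, or the paper's SA-MCAS."""
from dataclasses import dataclass
from typing import Callable, Dict

STALL_AOA = 12.0         # assumed AoA (deg) above which the augmentation pushes the nose down
TRIM_STEP = -2.5         # assumed stabilizer trim change per activation (deg, nose-down)
REARM_STEPS = 5          # assumed minimum time steps between repeated activations
MAX_DISAGREE = 5.5       # assumed tolerated disagreement between the two AoA sensors (deg)
COLUMN_LIMIT = 4.0       # assumed pilot column (elevator) authority (deg)
LOSS_OF_CONTROL = -15.0  # assumed pitch (deg) below which a run counts as a crash
TARGET_PITCH = 2.0       # pitch (deg) the pilot tries to hold


@dataclass
class Aircraft:
    pitch: float = TARGET_PITCH  # deg, nose-up positive; AoA is taken equal to pitch
    trim: float = 0.0            # stabilizer trim, deg, nose-up positive

    def step(self, column: float) -> None:
        # First-order toy dynamics: pitch moves halfway toward trim + column each step.
        self.pitch += 0.5 * (self.trim + column - self.pitch)


def pilot_column(pitch: float) -> float:
    """Human operator: proportional pull/push on the column, saturating at COLUMN_LIMIT."""
    return max(-COLUMN_LIMIT, min(COLUMN_LIMIT, 2.0 * (TARGET_PITCH - pitch)))


class StaticAuthority:
    """Static assignment, as the page describes the original design: one sensor is trusted
    unconditionally, the second is ignored, and the nose-down command repeats every
    REARM_STEPS for as long as that sensor reads high."""

    def __init__(self) -> None:
        self.since_last = REARM_STEPS  # starts armed

    def decide(self, aoa_a: float, aoa_b: float) -> bool:
        self.since_last += 1
        if aoa_a > STALL_AOA and self.since_last >= REARM_STEPS:
            self.since_last = 0
            return True
        return False


class CrossCheckedAuthority:
    """Illustrative dynamic arbiter (an assumption here, not SA-MCAS): the automation takes
    authority only when both sensors agree that AoA is high, acts once per high-AoA event,
    and leaves control with the pilot whenever the sensors disagree."""

    def __init__(self) -> None:
        self.armed = True

    def decide(self, aoa_a: float, aoa_b: float) -> bool:
        if abs(aoa_a - aoa_b) > MAX_DISAGREE:
            return False              # conflicting evidence: do not trust the automation
        if aoa_a <= STALL_AOA:
            self.armed = True         # event over: re-arm for the next one
            return False
        if self.armed:
            self.armed = False
            return True
        return False


Sensor = Callable[[float], float]
healthy: Sensor = lambda true_aoa: true_aoa   # constructed: reports the true AoA
stuck_high: Sensor = lambda true_aoa: 70.0    # constructed: failed sensor, stuck at 70 deg


def simulate(policy, sensor_a: Sensor, sensor_b: Sensor,
             initial_pitch: float = TARGET_PITCH, steps: int = 40) -> Dict[str, object]:
    """Run one scenario and report how often the automation fired and how low pitch got."""
    ac = Aircraft(pitch=initial_pitch)
    activations, min_pitch = 0, ac.pitch
    for _ in range(steps):
        true_aoa = ac.pitch
        if policy.decide(sensor_a(true_aoa), sensor_b(true_aoa)):
            ac.trim += TRIM_STEP
            activations += 1
        ac.step(pilot_column(ac.pitch))
        min_pitch = min(min_pitch, ac.pitch)
    return {"activations": activations, "min_pitch": round(min_pitch, 2),
            "crashed": min_pitch < LOSS_OF_CONTROL}


def compare() -> Dict[str, Dict[str, object]]:
    """Constructed scenarios: sensor A stuck high under each policy, and a genuine
    high-AoA upset (initial pitch 20 deg, healthy sensors) under each policy."""
    return {
        "static, sensor A stuck high": simulate(StaticAuthority(), stuck_high, healthy),
        "cross-checked, sensor A stuck high": simulate(CrossCheckedAuthority(), stuck_high, healthy),
        "static, real upset": simulate(StaticAuthority(), healthy, healthy, initial_pitch=20.0),
        "cross-checked, real upset": simulate(CrossCheckedAuthority(), healthy, healthy, initial_pitch=20.0),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:36s} {result}")
```

With the stuck sensor, the static policy fires eight times in forty steps and the pilot's saturated column cannot out-trim it, so pitch runs past the loss-of-control line; the cross-checking arbiter never fires because the two sensors disagree by far more than 5.5°, and the pilot keeps the aircraft level. On the genuine upset both policies intervene exactly once and the aircraft recovers, which is the property a replacement arbiter must preserve: distrusting conflicting evidence must not mean losing the protection the augmentation was added for.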

Updated: 2023-01-25