Close

Presentation

Models of Human-Automation Systems: Initial Analysis of the 737MAX Accidents
DescriptionWe describe the potential role of formal models of human automation in identifying errors and usability inconsistencies in the design of automated control systems. We utilize three models for the analysis: the first describes the underlying behavior of the machine, the second, which is derived from the first, concerns the interface indications and information provided in user manuals and formal training, and the third characterizes the user’s mental model of how the machine behaves. While the first and second models are fixed and can only change through design modification and additional information/training, the third, the user’s mental model of the machine, is subject to erosion and abstraction. Erosion and deterioration can occur due to lack of recurrent training, forgetfulness, and misunderstanding. Abstraction and simplifications can occur due to (imperfect) similarity to mental models of other systems, the incorrect generation of personal heuristics, and “folk model” interventions. We apply this formal modeling approach to analyze the two fatal accidents involving the B737MAX, which resulted from the flight crews’ inability to overcome the effects of the Maneuvering Characteristics Augmentation System (MCAS) that is designed to mimic the control column feel pressure and pitching behavior of the B737NG (the basis for the certification of the B737MAX).

The analysis identifies three main “incorrectness properties” in the MCAS system: (1) the non-deterministic behavior of the pilot’s control column when the MCAS is active, (2) the lack of symmetry (inconsistent behavior ) between the control column responses between nose up and nose down while the MCAS is active, (3) the lack of alert as to the MCAS’ repetitive and cyclical activation (number of occurrences) for an extended period of time (Time>x seconds). The analysis also highlights the incomplete structure of the “open control loop” design of the MCAS which allows for unlimited accumulation of trimmed control values (which ultimately became so powerful that they prevented manual intervention to arrest the dive). We also discuss some of the relevant human factor issues involved in these accidents related to the aircraft’s repetitive and cyclical behavior that may have affected the pilots’ psychological states, thus leading to frustration and the inability to comprehend the situation. The implications for automation design are presented.
Event Type
Lecture
TimeThursday, September 12th3:40pm - 4pm MST
LocationFLW Salon A
Tracks
Aerospace Systems