
Boeing 737 Max Issues Demonstrate Need for Redundancy and Diversity in Driving Automation

Sam Abuelsamid
Aug 23, 2019


As the grounding saga of the Boeing 737 Max drags on, more lessons emerge that the automated driving industry should pay attention to. The first lesson is the danger of letting foxes guard the henhouse, or in this case allowing the aircraft industry to self-regulate. The second lesson is that there might be a problem related to bit flipping in the microprocessor of the Boeing 737 Max control systems.

Do Not Rely On a Single Input

As a young engineer working on automotive slip control systems, I learned early about the dangers of relying on a single input to manage a safety-critical system. In 1990, anti-lock braking systems had only four wheel speed sensors and a brake pedal switch to indicate when the driver was trying to slow down and whether any of the wheels were in danger of locking up. A couple of years later, while working on traction control, I tried using wheel speeds to detect when the vehicle was over or understeering and worked up what became a rudimentary stability control. Unfortunately, wheel speeds alone were not a sufficiently reliable indicator and that effort was abandoned.

Several years later, while developing stability control with yaw rate, steering angle, and three-axis accelerometers added to the mix, each signal was still problematic. In initial track testing, these sensors proved to be what I had been missing and filled in some gaps; however, as testing proceeded, we found issues with these sensors as well. Many real-world curves and grades skewed signals and skewed inputs. The bottom line is that we learned we could not 100% rely on any of these signals in isolation. However, it was possible to create virtual signals by combining other sensors. For example, the combination of speed, steering angle, and yaw rate could be used to estimate lateral acceleration. Through this method we could cross-check against the direct signal and compute correction factors where needed for a more robust overall system.
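The cross-check described above can be sketched as a 2-of-3 vote between the direct accelerometer reading and two virtual lateral-acceleration signals. This is an added example, not code from the article or from any production system; the wheelbase, the tolerance, the small-angle bicycle model and all names are assumptions.

```c
#include <stdio.h>

/* Added example: wheelbase, tolerance and all names are assumptions. */
#define WHEELBASE_M 2.7   /* assumed vehicle wheelbase, metres */
#define TOL_MS2     1.0   /* assumed agreement tolerance, m/s^2 */

typedef enum { ALL_AGREE, ACCEL_SUSPECT, YAW_SUSPECT,
               STEER_SUSPECT, UNRESOLVED } verdict_t;

typedef struct {
    double speed;      /* m/s, derived from wheel speeds */
    double yaw_rate;   /* rad/s, yaw rate sensor */
    double steer;      /* rad, road-wheel steering angle */
    double lat_accel;  /* m/s^2, direct accelerometer reading */
} sample_t;

/* Virtual signal 1: steady-state cornering, a_y = v * yaw_rate. */
double ay_from_yaw(const sample_t *s) { return s->speed * s->yaw_rate; }

/* Virtual signal 2: kinematic bicycle model with small-angle
   approximation, a_y = v^2 * steer / wheelbase. */
double ay_from_steer(const sample_t *s) {
    return s->speed * s->speed * s->steer / WHEELBASE_M;
}

static int agree(double a, double b) {
    double d = a - b;
    return (d < 0 ? -d : d) <= TOL_MS2;
}

/* 2-of-3 vote: a source is suspect only when the other two agree with
   each other and both disagree with it. */
verdict_t cross_check(const sample_t *s) {
    double m = s->lat_accel, y = ay_from_yaw(s), k = ay_from_steer(s);
    int my = agree(m, y), mk = agree(m, k), yk = agree(y, k);
    if (my && mk && yk)   return ALL_AGREE;
    if (yk && !my && !mk) return ACCEL_SUSPECT;
    if (mk && !my && !yk) return YAW_SUSPECT;
    if (my && !mk && !yk) return STEER_SUSPECT;
    return UNRESOLVED;  /* no clear outlier: do not trust any single value */
}

int main(void) {
    /* Constructed sample: 20 m/s curve, accelerometer skewed by road bank. */
    sample_t banked = { 20.0, 0.15, 0.02025, 1.2 };
    printf("verdict=%d\n", cross_check(&banked));
    return 0;
}
```

The `UNRESOLVED` case matters: when the three values drift apart without a clear outlier, the vote cannot name a faulty source, and the system has to fall back to a degraded mode rather than pick one signal.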

Did Cosmic Forces Intervene?

On the 737 Max, certain control systems run on a single computer. In rare instances, cosmic rays can cause bits in a processor to randomly flip states. This can change data values or cause incorrect instructions to be executed, which can lead to erroneous control commands being sent to the aircraft. This probably was not the case in the 737 Max jet crashes. During the crash investigation, however, the potential for bit flipping to cause such errors was found, and Boeing's engineers are revising the system to run on two computers in parallel. This way the issue is unlikely to affect both simultaneously.

Most companies developing automated driving are aware of the risks of over-reliance on a single sensor type or computer. That is why they build in redundancy with multiple sensor types and computers, with some overlap to enable cross-checking. Relying only on cameras, radar, lidar, or any other single sensor is a recipe for disaster.

Redundancy in Automated Systems Is Paramount to Consumer Safety

Redundancy is also extended to actuation systems such as steering and braking. GM Cruise uses Chevy Bolt prototypes with redundancies that have been built in since 2017, and Ford is currently deploying new third-generation automated driving prototypes with similar capabilities. Any company that attempts to sell an automated vehicle without these sorts of protections might get a low-cost system, but is the cost worth it for the consumer?