Boeing 737 Max 8 Plane Crashes Could Have Been Prevented By Better Process Control Logic And Process Control Training

Two Boeing 737 Max 8 airplanes crashed in less than six months. How is this possible in today’s day and age when safety and training procedures have been matured and perfected over several decades?

What is more amazing and truly shocking is that Boeing process control logic used only two sensors and used a primitive one out of two voting logic. If just one sensor reported a problem, the automatic MCAS software logic triggered the anti-stall control logic lowering the nose of the plane. This is shockingly bad design as the industry standard in chemical plants is two out of three voting, never one out of two. Given the critical nature of this process control logic, the safer way was to install two sensors on both sides of the plane and then use a three-out-of-four voting logic. So if three out of the four AOA sensors reported trouble, only then the MCAS should have been triggered. Boeing also concedes that there was no easy way for the pilots to override or disable the MCAS system – and this is the most glaring and shocking of all revelations coming from Boeing and the pilots. The pilots were even unaware of the existence of the MCAS itself. How is this possible when new planes are being flown and pilot training is so poorly and carelessly done? Shocking, amazing, flabbergasting.

Now after two crashes and over 300 deaths, Boeing finally said it will change the MCAS software to give the system input from more than one AOA sensor. It will limit how much MCAS can move the horizontal tail in response to an erroneous AOA signal. And when activated, the system will kick in only for one cycle, rather than multiple times. All this should have been done before the first plane flew the skies. Look at the shocking picture showing out of control oscillations clearly indicating to unstable process control.

In process control logic, control logic shutdown systems, anytime safety is involved, anytime when the end result can be catastrophic, it is important to use at least three or more sensors, never just two like what Boeing control engineers did. When you have three redundant sensors, use two-out-of three voting to trigger automatic control action. When you have four redundant sensors, use three-out-of four voting to trigger automatic control action.

