📰 🔐 Complexity, Assurance, and Airplanes

Recent tweets from the President have brought the issue of complexity to the front of the news cycle. In response to the second crash of a Boeing 737 Max 8 Jet, the President tweeted:

Airplanes are becoming far too complex to fly. Pilots are no longer needed, but rather computer scientists from MIT. I see it all the time in many products. Always seeking to go one unnecessary step further, when often old and simpler is far better. Split second decisions are needed, and the complexity creates danger. All of this for great cost yet very little gain. I don’t know about you, but I don’t want Albert Einstein to be my pilot. I want great flying professionals that are allowed to easily and quickly take control of a plane!

So is the President right or wrong. Before I answer that, let’s explore the question of complexity and the risk that it brings. Any cybersecurity security expert worth their salt can tell you the three characteristics of a reference monitor:

  1. Always Invoked / Non-Bypassable.
  2. Tamper-proof.
  3. Never eat at a place called “Moms” Small enough to be easily understood and evaluated.

Why is that last point there? Simply, because complexity is the enemy of assurance. We’ve all heard of “feeping creaturism” — the way that software vendors keep adding in features to sell a product while not fixing known problems and making the product more reliable. This is because adding features sells products, while adding assurance does not. But the more and more features and capabilities you put into the code, the less assurance you have in its correctness. Logically, this makes a lot of sense: each feature has multiple inputs and options, each creating a new path through the code, and very quickly it becomes impossible to test all code paths. Simpler code means fewer code paths, meaning more reliability. Complex code means code that wasn’t completely tested in every possible situation, and as Hoare pointed out, once you find the first bug, you have an infinite number.

We are adding more and more complexity to the software we use every day. Remember the Toyota unintended acceleration problem? That turned out to be a software bug (which they claimed was a carpet mat problem, but they updated the software at the same time) from a rare complex interaction. Cars today have even more complex software, what with all the sensors monitoring things for safety. Most of the time these work, but there have been cases where problems have been identified due to software errors. Subaru, in fact, just had a recall to fix the software on the head unit related to the rear camera.

Airplane software is equally complex. When the Airbus Jets first came out, they were revolutionary in that they were “fly-by-wire”. In other words, instead of multiple physical hydraulic lines to control the rudders and wing surfaces, there was an electrical signal that went to the other end of the plane. Many people didn’t trust fly-by-wire and only flew the Boeing. It took multiple flights to convince the public of the safety of the systems, and now all modern jets use fly-by-wire.

So, are airplanes too complex to fly? Airplanes are controlled by software, and that software is very complex. But statistically, airplanes are safer than they were in the days when there were only simple physical controls. Similarly, cars are more complex, but they are statistically safer than vehicles from the 1950s and 1960s.

But that doesn’t mean the complexity doesn’t cause problems. In fact, it looks like Boeing is already adjusting the systems in the Max series: instead of just using one sensor to control nose down, they are using multiple sensors.

Now, let’s go to the second part of Trump’s statement: do you need a computer scientist from MIT to fly a plane? Flying a jet — even an older one like a Boeing 707 — is very different than flying a private two-seater Cessna. The number of systems that must be monitored are immense, and you need a strong understanding of the physics of flight. You don’t need to be a computer scientist — after all, you’re not programming the systems — but you do need to be comfortable with technology and have a strong understanding of physics. Given the choice, you want a pilot with lots of experience (and no mental problems) flying the plane; not a rookie MIT computer scientist. However, you might want that scientist writing the software.

Lastly, there is one other assertion in Trump’s tweet we need to address: “old and simpler is far better.” No, it isn’t. Old and simpler — both in technology and people — cannot grasp the complexity of today’s split second world. You want someone nimble, who truly has a deep understanding of the system. You want someone with years of experience with that technology at the helm.

Yes, those last two sentences were an allusion. As was the point that you need a pilot with no mental problems.

Share

One Reply to “📰 🔐 Complexity, Assurance, and Airplanes”

  1. Daniel, One of the first examples in The Checklist Manifesto was the B-39. The first test flight by the company’s lead test pilot ended with a crash, killing the pilot. As described in the book, the engineers and pilots got together and tried to figure out how this plane could be flown and flown safely. They created the first airplane checklist, a method still in use today, ‘though expanded substantially.

    Complexity in airplanes goes back to WWII and the industry has found a way to deal with it. tRump is off the mark. Again.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.