Two crashes of virtually new Boeing 737 MAXs just over four months apart were each initiated by a single malfunctioning sensor. In both cases, that trigger left the pilots in a deadly struggle against a new flight control system that ultimately forced their jet into a nose dive.
The deaths of the 346 people — on Lion Air flight JT610 in October 2018 and Ethiopian Airlines flight ET302 in March 2019 — prompted safety regulators to ground the jets worldwide after the second crash. Twenty months later, after intense scrutiny,the Federal Aviation Administration on Nov. 18 approved Boeing’s fixes and cleared the MAX to fly passengers once again.
Here’s what you need to know about how we got to this point, set out in answers to the questions that have dominated the debate over the MAX since the tragedies in Indonesia and Ethiopia.
- Why did Boeing revamp the 50-year-old 737 as the MAX instead of developing an all-new plane?
After the successful Airbus launch of its A320neo with new fuel-efficient engines in December 2010, Boeing leaders publicly dithered about whether to respond with a similarly re-engined 737 or to take an extra few years to develop an all-new single-aisle jet.
Boeing at the time was focusing all its resources and investment on fixing the 787 Dreamliner program, already three years late and still not delivered. So management favored going with the all-new jet option to delay the needed investment. Boeing Chairman and CEO Jim McNerney in May 2011 said that “as a betting man, I think that’s where we’re going to end up.”
McNerney lost that bet just two months later when longtime exclusive Boeing customer American Airlines defected and ordered the A320neo. Boeing leaders scrambled to Dallas and got a last-minute commitment from American to split the massive order provided they could deliver a re-engined 737 – and so the MAX was prematurely born. Boeing committed to the MAX without even having a finalized design or engine supplier. In December that year, Southwest Airlines placed the first order.
Because the 737 MAX was a derivative model of such an old design, one that has proven safe for many years, many of its systems were grandfathered in, rather than upgraded to the latest FAA safety standards.
And because the airlines, to reduce their costs, demanded that the MAX be designed so that pilots flying the previous 737 model would require minimal training, Boeing assured them that the MAX would handle exactly like the previous version of the 737.
For that first order, Boeing committed to launch customer Southwest that it would pay the airline $1 million per airplane if the final product were to require expensive new training for pilots in full flight simulators.
- Why was the new MCAS flight control system needed?
As part of certifying a new airliner, the FAA requires flight-test maneuvers that go beyond what would be expected in normal passenger service. Among those, test pilots must fly through what’s called a “wind-up turn,” a banked, high-speed turn that approaches a stall, then spirals downward.
During this maneuver, the angle between the wing and the oncoming air flow, the angle of attack, will be high and the pilot will experience a high G-force. To win approval, the plane must fly through this smoothly, with the pilots experiencing a steady gradual shift in the feel of the control column.
But early in the development of the MAX, data from wind-tunnel tests told engineers that the bigger engines placed further forward on the wing would give the airframe a tendency to pitch up during this maneuver. This would mean a sudden slackening of the force in the control column that had to be eliminated.
When small physical changes to the airframe didn’t fix the problem, Boeing devised a piece of software — the Maneuvering Characteristics Augmentation System (MCAS) — that would counter the tendency for the nose to pitch up. When two sensors, measuring the angle of attack and the G-force, reached a certain threshold, MCAS — without any command from the pilot — would swivel up the jet’s movable horizontal tail, and so automatically give the airplane’s nose a push-down that would exactly counter the pitch-up. If the system operated as designed, the pilot wouldn’t even notice.
- How and why did the MCAS design change during the MAX’s development?
During flight tests in the final year before certification, Boeing discovered that the pitch-up phenomenon also occurred in some low-speed scenarios when the angle of attack was high but G-force was not.
Boeing changed MCAS to cover this circumstance, too, which meant it would be triggered by a single sensor, the angle of attack sensor. And for low-speed activations, when more movement of the horizontal tail is needed to have the same effect, it quadrupled the power of the tail swivel.
MCAS now could move the tail 2.5 units instead of 0.6 units. From horizontal flight to maximum nose-down is about 4.8 units, which could be achieved in two activations of MCAS.
- What were the flaws in the design of MCAS?
First, the system is triggered by a signal from a single sensor, an angle-of-attack (AOA) vane, with no redundancy. Even though the jet has two AOA vanes, only one is used to trigger MCAS on a flight. On both fatal 737 MAX crashes, the sequence of events began when the AOA vane gave a false signal.
Airplane engineers include multiple redundancies in their systems to ensure that no failure of a single component can bring down the plane. Avoiding such “single points of failure” is an essential element of airplane design.
Boeing’s engineering leaders have insisted that the AOA failure that initiated both MAX crashes was not a “single point of failure.” Their argument is that in the event of MCAS activating erroneously, the crew should know a standard procedure to recover the airplane. Effectively, they count the crew as the backup system.
The second flaw was that, although MCAS was supposed to activate in rare, extreme circumstances, the design allowed it to activate repeatedly if the AOA vane remained faulty. In both crashes, every time the pilots acted to counter the nose-down movement, MCAS kept kicking in again every 10 seconds.
Third, the system was given unnecessary authority. MCAS could move the horizontal tail so as to push the jet’s nose down with enough force to overcome countering nose-up commands from the pilot pulling back on the control column.
Fourth, Boeing assumed that the pilots would realize what was wrong and react appropriately within four seconds. The pilots were expected in such an emergency to follow a checklist that entailed manually bringing the nose of the jet up by turning a large wheel in the cockpit. This trim wheel connects by cable to the horizontal tail. But on the Ethiopian Airlines flight, the crew was unable to move the wheel because the physical forces on the tail at high speed had jammed it.
Aside from MCAS, a separate flaw resulted in the absence of a potential indicator to the flight crew of what was wrong: Although Boeing had installed a warning light to alert the pilot if the two AOA vanes disagreed, because of a software error this didn’t work. It was functional only if the airline had paid for an optional extra that added the AOA reading on the primary flight display.
Neither Lion Air nor Ethiopian Airlines had paid for that option. Boeing knew about this flaw in 2017, a year before the crashes, but didn’t consider it critical. Boeing had planned to fix the error in a software update in 2020.
The System Safety Assessment that Boeing submitted to the FAA did not take account of the quadrupling of the system’s power in low-speed scenarios, nor did it cover repeated activations of the system.
While developing the fix for MCAS, the FAA discovered a separate problem, which is that a very unlikely glitch in the microprocessor inside the jet’s flight control computer could theoretically create a similar scenario to the two crashes even without MCAS activating.
The original MCAS takes input from only one of the two flight-control computers on the aircraft. This theoretically could leave it vulnerable to a computer hardware failure, though this is not known to have happened.
- Why didn’t Boeing catch these flaws during development of the MAX?
The FAA delegated to Boeing itself most of the analysis and testing required to certify the MAX as safe to fly. This work is done by Boeing engineers who work on behalf of the FAA and are its authorized representatives (ARs). Specifically, Boeing ARs conducted a System Safety Assessment that included an analysis of the ways in which the new MCAS flight-control system could fail and the impact on the airplane if it did so.
Former Boeing CEO Dennis Muilenburg repeatedly stated that the MAX was designed and certified to Boeing’s traditional standards. “We followed exactly the steps in our design and certification processes that consistently produce safe airplanes,” he said.
However, some Boeing ARs complained of heavy pressure from managers to limit safety testing and move quickly through the analyses. One AR who balked at such pressure was removed from the program.
The System Safety Analysis that Boeing submitted to the FAA did not include an assessment of the changes made to MCAS during the flight-test phase and missed the system’s flaws.
According to internal Boeing documents revealed in a U.S. House Committee on Transportation and Infrastructure hearing, as early as 2015 engineers working on the MAX design questioned if it was vulnerable to a single angle-of-attack sensor failure.
And in June 2018, before the first crash, another Boeing engineering memo acknowledged that a slow reaction by the pilots, if they took 10 seconds to react instead of four, would be “catastrophic.” These memos produced no change to the design.
As The Seattle Times also revealed, an internal Boeing whistleblower filed an ethics complaint claiming that Boeing managers rejected multiple 737 MAX safety upgrades during development of the jet. They wanted minimal changes to the flight systems so as to avoid the need for extra pilot training that would upset airlines. Former colleagues of the whistleblower backed up his account.
- Why didn’t the FAA catch these flaws during certification of the MAX?
Because of a change made in 2004 to the way the FAA and Boeing work together on new airplane development, the FAA safety engineers — whose job is to certify the systems on a new jet and to assess the testing and analysis documents submitted by Boeing — had little direct contact with the Boeing ARs. Communication between the FAA and the company was largely through managers. The FAA managers, not the agency’s technical experts, had final authority on what certification work was delegated to Boeing versus retained by the FAA.
As certification of the MAX progressed, many FAA technical staff complained of pressure from their managers to delegate more of the work to Boeing. And when Boeing submitted documents such as the System Safety Assessment that analyzed failures of MCAS and other flight-control systems, these documents came in late in the process with little time for review.
“There wasn’t a complete and proper review of the documents,” said one former FAA engineer who worked on the MAX certification. “Review was rushed to reach certain certification dates.”
When time was too short for FAA technical staff to complete a review, sometimes managers either signed off on the documents themselves or delegated their review back to Boeing. The System Safety Analysis that Boeing submitted to the FAA did not mention the changes made to MCAS during the flight-test phase.
Some senior officials at the FAA who supervised certification of the MAX were unfamiliar with the MCAS system, and unaware even of its name, until after the Lion Air crash.
- Why didn’t Boeing tell pilots about MCAS before the crashes?
The pilots of the Lion Air plane had no awareness of MCAS, as it wasn’t detailed in the flight manual. Boeing first informed pilots around the world of the existence of MCAS almost two weeks after the Lion Air crash.
Boeing says MCAS was supposed to act in the background in rare circumstances. It decided the pilots didn’t need to know about the system and shouldn’t be overloaded with the information. The reasoning was that if MCAS went wrong, there is a standard procedure pilots should know for dealing with uncommanded movement of the horizontal tail: cut electric power to the tail and move it manually.
- What happened on the Lion Air flight immediately prior to the crash of Flight 610?
On Oct. 28, before the pilots took off, they were informed by a maintenance engineer that previous flights had shown indications of a faulty AOA sensor and that this sensor had been replaced and tested.
The replacement sensor was secondhand, refurbished and recalibrated by Florida-based aviation repair shop Xtra Aerospace. The final investigation report into the Lion Air crash states that this sensor was miscalibrated so that the angle it registered was 21 degrees too high. A day after that report was released, the FAA shut down Xtra, revoking its aviation repair station certificate.
So on that flight the day before the crash flight, the AOA readings from the two sensors were off by 21 degrees even as the jet taxied on the ground and throughout the flight. The pilots would not have been aware of this fault because the AOA Disagree light wasn’t working. As soon as the pilots gained enough altitude to retract the wing flaps, the fault created problems similar to those that appeared the next day on the accident flight: The stick shaker activated, various warning messages were displayed and MCAS began pushing the jet’s nose down. The pilots countered each of the nose-down movements and conducted three checklists, including one that turned off electric power to the horizontal tail, which eliminated MCAS.
The pilots flew on and landed safely. The captain reported the problems on the flight in Lion Air’s reporting system, but because he was unaware of MCAS, his report failed to identify the real cause of what had happened. The maintenance engineer at the destination also seems to have misdiagnosed the cause. He flushed the pitot tube sensor, which measures airspeed, and cleaned an electrical connector — both irrelevant — then performed a test and declared the issue solved.
- What happened on Lion Air Flight 610?
On Oct. 29, the same plane took off and the AOA problem immediately recurred. The AOA vane feeding MCAS gave a false reading, off by 21 degrees even as the jet taxied on the ground, and stayed that way throughout the 12-minute flight.
Again, the pilots would not have realized the problem stemmed from the AOA sensors. The warning light that would have told them the AOA sensors disagreed was not working due to a Boeing software error. Also, the pilots knew nothing about MCAS.
As a result of the false AOA signal, MCAS activated repeatedly, each time the pilot pulled the nose of the jet back up. But this time, unlike on the flight the previous day, the crew did not perform the key checklist. The captain struggled against MCAS to bring the nose back up more than 20 times. In the last moments of the flight, he passed control to the first officer, who countered the MCAS nose-down movement less aggressively and the nose dropped more steeply. The system had activated relentlessly 26 times before the pilots finally lost control.
The plane dived into the Java Sea at more than 500 miles per hour, killing all 189 people on board.
- Were the Lion Air pilots at fault?
MCAS is designed to push down the jet’s nose by swiveling the horizontal tail of the aircraft, also known as the horizontal stabilizer.
If the pilots had followed the “Runaway Stabilizer Checklist” as the previous crew had done, they could have saved the aircraft. However, lacking any knowledge of MCAS, neither of the Lion Air crews understood what was really happening. Both faced multiple alerts on their displays. The crew on the previous flight hit upon the right procedure after trying several others.
Adding to the confusion: On previous models of the 737, if a pilot pulls back the control column to pull up the nose, this automatically stops any stabilizer nose-down movement. Boeing designed the MAX flight controls so that this doesn’t happen when MCAS is active.
Also, in a classic “runaway stabilizer” scenario, the stabilizer (the horizontal tail) swivels in one direction and won’t stop. This typically might be caused by the motor that moves the stabilizer seizing up. However, the nose-down movements induced by MCAS repeatedly stopped and then restarted. This may have added further confusion for the crew.
- What did Boeing and the FAA do in response to that first crash?
A week after the crash, following preliminary information from crash investigators in Indonesia, Boeing issued a special bulletin warning pilots that an erroneous AOA reading could trigger a new system on the MAX to move the horizontal tail uncommanded and repeatedly push the nose down every 10 seconds. The bulletin did not name the system as MCAS.
The bulletin reminded pilots of a standard procedure to address such uncommanded movement, the “Runaway Stabilizer Checklist,” which requires pilots to cut electric power to the tail and then move it manually nose-up using a large trim wheel in the cockpit. The warning also noted that “higher control forces may be needed” to move the nose back up and told pilots to use electric thumb switches on the control column to do so before cutting electric power to the tail.
The following day, the FAA issued a directive mandating this information be provided to all MAX pilots.
Exactly two weeks after the crash, Boeing issued a message to all 737 MAX operators that for the first time named the erroneous flight control system, MCAS, and gave details about how it operated. U.S. pilot groups reacted with anger that they hadn’t been informed about the system before that day.
- What happened on Ethiopian Airlines Flight 302?
The AOA vane feeding MCAS was reading accurately until just after takeoff, when suddenly it veered off by 75 degrees. That’s an impossible reading; no airplane could fly at such an angle. The sudden change suggests the vane may have been sheared off by a bird strike.
As a result, MCAS activated five times in succession. The flight data then indicates that the crew hit the cut-off switches, killing power to the horizontal tail, as per Boeing’s instructions. However, when they tried to raise the nose with the manual trim wheel, they found they couldn’t move it. The pilots had allowed the jet to gain too much speed and this may have caused high forces on the tail that made it hard to move, leaving the stabilizer stuck in its nose-down position.
Less than three minutes later, the crew turned the electric power to the tail back on and tried moving the nose back up. But MCAS reactivated and pushed the nose aggressively down.
The plane nose-dived into the earth at high speed, killing all 157 people on board.
- Were the Ethiopian pilots at fault?
The flight data indicates the pilots realized that MCAS was operating and tried to follow the instructions issued by Boeing after the Lion Air crash. However, the crew appears to have acted precipitously and bypassed the first step in the procedure, which was to raise the plane’s nose with the electric thumb switches on the control column. Instead, they jumped straight to the cut-off switches, which cut further electrical power to the tail but left the stabilizer in its nose-down position. Boeing’s instructions didn’t indicate how dangerous this could prove to be.
In addition, apparently preoccupied with countering the MCAS nose-down movements, the crew didn’t throttle back the engines after takeoff, which meant the jet gathered far too much speed — exceeding the jet’s maximum design limit. The AOA failure had caused a cockpit warning that their airspeed reading was unreliable, so the pilots may not have paid attention to it. Moving so fast caused high forces on the tail, which jammed the stabilizer. With electric power cut off, the crew didn’t have the strength to move it manually per Boeing’s instructions.
Separate re-creations of the critical phase of the Ethiopian flight in flight simulators by U.S. and European 737 pilots indicated that the pilots “faced a near-impossible task” to regain control. At that speed, the pilots in the simulations found that they too could not move the manual trim wheel. An American pilot who knew the Ethiopian captain, 29-year-old Yared Getachew, described him as an “excellent pilot” and “always well-prepared.” The first officer, 25-year-old Ahmednur Mohammed, was inexperienced, with only 361 flight hours.
- What linked the two crashes and caused the MAXs to be grounded?
Within days of the Ethiopian crash, investigators saw the same pattern as on the Lion Air flight of the nose pitching down repeatedly. And the jack screw that moves the horizontal tail, found in the wreckage, showed the tail was in the maximum nose-down position when the plane hit the earth. This evidence was enough for regulators to ground the jets.
The flight data then revealed that, as suspected, on both flights an AOA failure had activated MCAS, causing the nose-down movements.
- Should the MAX have been grounded after the first crash?
An internal Boeing document released by a U.S. House Committee showed that seven weeks after the Lion Air crash, Boeing made a presentation to the FAA justifying its design of the MCAS flight control system, yet including details that revealed serious holes in the original MCAS evaluation.
The presentation shows that in its original certification of the MAX, Boeing presented MCAS to the FAA as not being a “new and novel” technology — and thus not requiring deeper scrutiny.
It did not consider in its safety assessment the effect of multiple system failures and how this would affect the reactions of the pilots. It used questionable math to downgrade the system’s risk classification below a level that would have required more redundancy with at least two sensors to activate it. And despite one scenario in which an MCAS failure was assessed as “catastrophic,” it stuck — despite the Lion Air experience — to its prior assumption that “appropriate flight crew action” would save the aircraft.
The FAA concurred with Boeing that it was sufficient to issue the bulletin reminding pilots how to handle uncommanded movement of the horizontal tail.
In hindsight, the instructions in the bulletin seem woefully inadequate. The Ethiopian pilots attempted to follow Boeing’s instructions but couldn’t recover. The assumption that pilots would be able to handle such a scenario proved false.
In addition, a document revealed in a U.S. House Committee on Transportation and Infrastructure hearing shows that a month after the Lion Air crash, the FAA judged there was a high risk of further crashes. The FAA’s December 2018 risk analysis estimated that without action to address the jet’s faulty flight control system, the MAX would suffer an average of about one crash every three years during the life of the worldwide fleet. Boeing’s internal risk analysis concurred.
At that point, Boeing was telling U.S. airline pilots that they would have a software fix for MCAS ready within about six weeks. Both the FAA and Boeing therefore saw no need to ground the plane.
After the second crash, Boeing’s proposed fix received intense scrutiny by aviation safety regulators around the world. It was finally approved by the FAA and the plane ungrounded 20 months after the second crash.
- Describe Boeing’s proposed fix for the MAX.
The redesigned MCAS will take input from both AOA sensors, rather than one. If the readings differ by 5.5 degrees or more, MCAS will not activate.
If a high AOA value is detected, the system will activate just once, not repeatedly.
And it will respond with a less forceful nose-down command, one limited enough that the flight crew can always counteract it by pulling back on the control column.
The MAX cockpit will include a standard warning light that will illuminate when the two angle-of-attack sensors disagree. And airlines can opt to add, free of charge, angle-of-attack data to the primary flight display.
Besides the MCAS fix, Boeing is also addressing the potential failure of a computer chip by changing the software to detect any such failure.
In addition, it will fundamentally change the software architecture of the MCAS system by taking input from both flight-control computers on the airplane instead of only one. If their outputs differ, MCAS will not activate. This change will also guard against any possible computer hardware failure.