The Maneuvering Characteristics Augmentation System (MCAS) is a flight stabilizing feature developed by Boeing that became notorious for its role in two fatal accidents of the 737 MAX in 2018 and 2019, which killed all 346 passengers and crew among both flights.
Because the CFM International LEAP engine used on the 737 MAX was larger and mounted further forward from the wing and higher off the ground than on previous generations of the 737, Boeing discovered that the aircraft had a tendency to push the nose up when operating in a specific portion of the flight envelope (flaps up, high angle of attack, manual flight). MCAS was intended to mimic the flight behavior of the previous Boeing 737 Next Generation. The company indicated that this change eliminated the need for pilots to have simulator training on the new aircraft.
After the fatal crash of Lion Air Flight 610 in 2018, Boeing and the Federal Aviation Administration (FAA) referred pilots to a revised trim runaway checklist that must be performed in case of a malfunction. Boeing then received many requests for more information and revealed the existence of MCAS in another message, and that it could intervene without pilot input.[1] [2] According to Boeing, MCAS was implemented to compensate for an excessive angle of attack by adjusting the horizontal stabilizer before the aircraft would potentially stall. Boeing denied that MCAS was an anti-stall system, and stressed that it was intended to improve the handling of the aircraft while operating in a specific portion of the flight envelope. Following the crash of Ethiopian Airlines Flight 302 in 2019, Ethiopian authorities stated that the procedure did not enable the crew to prevent the accident, however further investigation revealed that the pilots did not follow the procedure properly.[3] The Civil Aviation Administration of China then ordered the grounding of all 737 MAX planes in China, which led to more groundings across the globe.
Boeing admitted MCAS played a role in both accidents, when it acted on false data from a single angle of attack (AoA) sensor. In 2020, the FAA, Transport Canada, and European Union Aviation Safety Agency (EASA) evaluated flight test results with MCAS disabled, and suggested that the MAX might not have needed MCAS to conform to certification standards.[4] Later that year, an FAA Airworthiness Directive[5] approved design changes for each MAX aircraft, which would prevent MCAS activation unless both AoA sensors register similar readings, eliminate MCAS's ability to repeatedly activate, and allow pilots to override the system if necessary. The FAA began requiring all MAX pilots to undergo MCAS-related training in flight simulators by 2021.
In the 1960s, a basic pitch control system known as the stick shaker was installed in the Boeing 707 to avoid stalling.
Later, a similar system to avoid stalling, in this case specifically called the Maneuvering Characteristics Augmentation System (MCAS), was implemented on the Boeing KC-46 Pegasus military aerial refueling tanker. The KC-46, which is based on the Boeing 767, requires MCAS because the weight and balance shifts when the tanker redistributes and offloads fuel. On that aircraft, the MCAS is overridden and disengaged when a pilot makes a stick input.
Another MCAS implementation was developed for the Boeing 737 MAX, because its larger, repositioned engines changed the aircraft's flight characteristics compared to the preceding 737 generations.[6] When a single angle of attack (AoA) sensor indicated that the angle was too high, MCAS would trim the horizontal stabilizer in the nose-down direction.[7] Boeing did this to meet the company's objective of minimizing training requirements for pilots already qualified on the 737NG, which Boeing felt would make the new variant more appealing to aircraft customers that would prefer not to bear the costs of differences training. However, according to interviews with agency directors describing assessments undertaken after the MCAS-induced crashes had occurred, both the FAA and EASA felt that the aircraft would have had acceptable stability without MCAS.
On Lion Air Flight 610 and Ethiopian Airlines Flight 302, investigators determined that MCAS was triggered by falsely high AoA inputs, as if the plane had pitched up excessively. On both flights, shortly after takeoff, MCAS repeatedly actuated the horizontal stabilizer trim motor to push down the airplane nose.[8] [9] [10] [11] Satellite data for the flights showed that the planes struggled to gain altitude.[12] Pilots reported difficulty controlling the airplane and asked to return to the airport.[13] [14] The implementation of MCAS has been found to disrupt autopilot operations.[15]
On March 11, 2019, after China had grounded the aircraft,[16] Boeing published some details of new system requirements for the MCAS software and for the cockpit displays, which it began implementing in the wake of the prior accident five months earlier:
On March 27, Daniel Elwell, the acting administrator of the FAA, testified before the Senate Committee on Commerce, Science, and Transportation, saying that on January 21, "Boeing submitted a proposed MCAS software enhancement to the FAA for certification. ... the FAA has tested this enhancement to the 737 MAX flight control system in both the simulator and the aircraft. The testing, which was conducted by FAA flight test engineers and flight test pilots, included aerodynamic stall situations and recovery procedures."[17] After a series of delays, the updated MCAS software was released to the FAA in May 2019.[18] [19] On May 16, Boeing announced that the completed software update was awaiting approval from the FAA.[20] [21] The flight software underwent 360 hours of testing on 207 flights.[22] Boeing also updated existing crew procedures.
On April 4, 2019, Boeing publicly acknowledged that MCAS played a role in both accidents.[23]
The FAA and Boeing both disputed media reports describing MCAS as an anti-stall system, which Boeing asserted it is distinctly not and instead a system that's designed to provide handling qualities for the pilot that meet pilot preferences.[24] [25] [26] The aircraft had to perform well in a low-speed stall test.[27] The (JATR) "considers that the /MCAS and elevator feel shift (EFS) functions could be considered as stall identification systems or stall protection systems, depending on the natural (unaugmented) stall characteristics of the aircraft".
The JATR said, "MCAS used the stabilizer to change the column force feel, not trim the aircraft. This is a case of using the control surface in a new way that the regulations never accounted for and should have required an issue paper for further analysis by the FAA. If the FAA technical staff had been fully aware of the details of the MCAS function, the JATR team believes the agency likely would have required an issue paper for using the stabilizer in a way that it had not previously been used; this [might have] identified the potential for the stabilizer to overpower the elevator."[28]
The Maneuvering Characteristics Augmentation System (MCAS) is a flight control law[29] built into the Boeing 737 MAX's flight control computer, designed to help the aircraft emulate the handling characteristics of the earlier Boeing 737 Next Generation. According to an international Civil Aviation Authorities team review (JATR) commissioned by the FAA, MCAS may be a stall identification or protection system, depending on the natural (unaugmented) stall characteristics of the aircraft.[28] [30] Boeing considered MCAS part of the flight control system, and elected to not describe it in the flight manual or in training materials, based on the fundamental design philosophy of retaining commonality with the 737NG. Minimizing the functional differences between the Boeing 737 MAX and Next Generation aircraft variants allowed both variants to share the same type rating. Thus, airlines can save money by employing and training one pool of pilots to fly both variants of the Boeing 737 interchangeably.[31]
When activated, MCAS directly engages the horizontal stabilizer, which is distinct from an anti-stall device such as a stick pusher, which physically moves the pilot's control column forward and engages the airplane's elevators when the airplane is approaching a stall.
Boeing's former CEO Dennis Muilenburg said has been reported or described as an anti-stall system, which it is not. It's a system that's designed to provide handling qualities for the pilot that meet pilot preferences."
The 737 MAX's larger CFM LEAP-1B engines are fitted farther forward and higher up than in previous models. The aerodynamic effect of its nacelles contributes to the aircraft's tendency to pitch up at high angles of attack (AOA). The MCAS is intended to compensate in such cases, modeling the pitching behavior of previous models, and meet a certain certification requirement,[27] in order to enhance handling characteristics and thus minimizing the need for significant pilot retraining.[32] [33] [34]
The software code for the MCAS function and the computer for executing the software are built to Boeing's specifications by Collins Aerospace, formerly Rockwell Collins.[35]
As an automated corrective measure, the MCAS was given full authority to bring the aircraft nose down, and could not be overridden by pilot resistance against the control wheel as on previous versions of the 737.[36] Following the Lion Air accident, Boeing issued an Operations Manual Bulletin (OMB)[37] on November 6, 2018, to outline the many indications and effects resulting from erroneous AOA data and provided instructions to turn off the motorized trim system for the remainder of the flight, and trim manually instead. Until Boeing supplemented the manuals[38] and training, pilots were unaware of the existence of MCAS due to its omission from the crew manual and no coverage in training.[36] Boeing first publicly named and revealed the existence of MCAS on the 737 MAX in a message to airline operators and other aviation interests on November 10, 2018, twelve days after the Lion Air crash.[39]
As with any other equipment on board an aircraft, the FAA approves a functional "design assurance level" corresponding to the consequences of a failure, using the SAE International standards ARP4754 and ARP4761. MCAS was designated a "hazardous failure" system. This classification corresponds to failures causing "a large reduction in safety margins" or "serious or fatal injury to a relatively small number of the occupants", but nothing "catastrophic".[40]
The MCAS was designed with the assumption, approved by FAA, that pilots would react to an unexpected activation within three seconds.[41]
The MCAS design parameters originally envisioned automated corrective actions to be taken in cases of high AoA and g-forces beyond normal flight conditions. Test pilots routinely push aircraft to such extremes, as the FAA requires airplanes to perform as expected. Before the MCAS, test pilot Ray Craig determined the plane did not fly smoothly, in part due to the larger engines. Craig would have preferred an aerodynamic solution, but Boeing decided to implement a control law in software.
According to a news report in the Wall Street Journal, engineers who had worked on the KC-46A Pegasus tanker, which includes an MCAS function, suggested MCAS to the design team.[42]
With the MCAS implemented, new test pilot Ed Wilson said the "MAX wasn't handling well when nearing stalls at low speeds" and recommended MCAS to apply across a broader range of flight conditions. This required the MCAS to function under normal g-forces and, at stalling speeds, deflect the vertical trim more rapidly and to a greater extent—but now it reads a single AoA sensor, creating a single point of failure that allowed false data to trigger MCAS to pitch the nose downward and force the aircraft into a dive.[43] [32] "Inadvertently, the door was now opened to serious system misbehavior during the busy and stressful moments right after takeoff", said Jenkins of The Wall Street Journal.[44]
The FAA did not conduct a safety analysis on the changes. It had already approved the previous version of MCAS, and the agency's rules did not require it to take a second look because the changes did not affect how the plane operated in extreme situations.[45]
The Joint Authorities Technical Review found the technology unprecedented: "If the FAA technical staff had been fully aware of the details of the MCAS function, the JATR team believes the agency likely would have required an issue paper for using the stabilizer in a way that it had not previously been used. MCAS used the stabilizer to change the column force feel, not trim the aircraft. This is a case of using the control surface in a new way that the regulations never accounted for and should have required an issue paper for further analysis by the FAA. If an issue paper had been required, the JATR team believes it likely would have identified the potential for the stabilizer to overpower the elevator."
In November 2019, Jim Marko, a manager of aircraft integration and safety assessment at Transport Canada aviation regulator's National Aircraft Certification Branch questioned the readiness of MCAS. Because new problems kept emerging, he suggested to his peers at FAA, ANAC and EASA to consider the safety benefits of removing MCAS from the MAX.[46]
The MCAS came under scrutiny following the fatal crashes of Lion Air Flight 610 and Ethiopian Airlines Flight 302 soon after takeoff. The Boeing 737 MAX global fleet was grounded by all airlines and operators, and a number of functional issues were raised.[47] [48] [49]
The MCAS deflects the horizontal stabilizer four times farther than was stated in the initial safety analysis document.[47] Due to the amount of trim the system applies to the horizontal stabilizer, aerodynamic forces resist pilot control effort to raise the nose. As long as the faulty AOA readings persist, a human pilot "can quickly become exhausted trying to pull the column back".[50] In addition, switches for the horizontal stabilizer trim assist now serve a shared purpose of turning off automated systems such as MCAS as well as the trim buttons on the yoke, whereas in previous 737 models each could be switched off independently. In simulator sessions, pilots were stunned by the substantial effort needed to manually crank the trim wheel out of its nose down setting when the trim assist was deactivated.[51] [52] [53]
Boeing CEO Dennis Muilenburg has stated that there was "no surprise, or gap, or unknown here or something that somehow slipped through a certification process."[54] On April 29, 2019, he stated the design of the aircraft was not flawed and reiterated that it was designed per Boeing's standards.[55] In a May 29 interview with CBS, Boeing admitted that it had botched the software implementation and lamented the poor communications.[56]
On September 26, the National Transportation Safety Board criticized Boeing's inadequate testing of the 737 MAX, and pointed out that Boeing made erroneous assumptions on pilots' response to alerts in 737 MAX, triggered by activation of MCAS due to a faulty signal from an angle-of-attack sensor.[57] [58]
The Joint Authorities Technical Review (JATR), a team commissioned by the FAA for 737 MAX investigation, concluded that FAA failed to properly review MCAS. Boeing failed to provide adequate and updated technical information regarding the MCAS system to FAA during Boeing 737 Max certification process, and had not carried out a thorough verification by stress-testing of the MCAS system.[59] [60]
On October 18, Boeing turned over a discussion from 2016 between two employees that revealed prior issues with the MCAS system.[61]
Boeing's own internal design guidelines related to the 737 MAX's development stated that the system should "not have any objectionable interaction with the piloting of the airplane" and "not interfere with dive recovery".[62] The operation of MCAS violated those.[63]
On September 26, 2019, the National Transportation Safety Board (NTSB) released the results of its review of potential lapses in the design and approval of the 737 MAX.[64] [65] [66] The NTSB report concludes that assumptions "that Boeing used in its functional hazard assessment of uncommanded MCAS function for the 737 MAX did not adequately consider and account for the impact that multiple flight deck alerts and indications could have on pilots' responses to the hazard".[65] When Boeing induced a stabilizer trim input that simulated the stabilizer moving consistent with the MCAS function,
the specific failure modes that could lead to unintended MCAS activation (such as an erroneous high AOA input to the MCAS) were not simulated as part of these functional hazard assessment validation tests. As a result, additional flight deck effects (such as IAS DISAGREE and ALT DISAGREE alerts and stick shaker activation) resulting from the same underlying failure (for example, erroneous AOA) were not simulated and were not in the stabilizer trim safety assessment report reviewed by the NTSB."[67]
The NTSB questioned the long-held industry and FAA practice of assuming the nearly instantaneous responses of highly trained test pilots as opposed to pilots of all levels of experience to verify human factors in aircraft safety.[68] The NTSB expressed concerns that the process used to evaluate the original design needs improvement because that process is still in use to certify current and future aircraft and system designs. The FAA could, for example, randomly sample pools from the worldwide pilot community to obtain a more representative assessment of cockpit situations.[69]
The updates proposed by Boeing focus mostly on MCAS software.[29] In particular, there have been no public statements regarding reverting the functionality of the stabilizer trim cutout switches to pre-MAX configuration. A veteran software engineer and experienced pilot suggested that software changes may not be enough to counter the 737 MAX's engine placement.[70] The Seattle Times noted that while the new software fix Boeing proposed "will likely prevent this situation recurring, if the preliminary investigation confirms that the Ethiopian pilots did cut off the automatic flight-control system, this is still a nightmarish outcome for Boeing and the FAA. It would suggest the emergency procedure laid out by Boeing and passed along by the FAA after the Lion Air crash is wholly inadequate and failed the Ethiopian flight crew."[71]
Boeing and the FAA decided that the AoA display and an AoA disagree light, which signals if the sensors give different readings, were not critical features for safe operation.[72] Boeing charged extra for the addition of the AoA indicator to the primary display.[73] [74] In November 2017, Boeing engineers discovered that the standard AoA disagree light cannot independently function without the optional AoA indicator software, a problem affecting 80% of the global fleet that had not ordered the option.[75] [76] The software remedy was scheduled to coincide with the roll out of the elongated 737 MAX 10 in 2020, only to be accelerated by the Lion Air accident. Furthermore, the problem had not been disclosed to the FAA until 13 months after the fact. Although it is unclear whether the indicator could have changed the outcome for the ill-fated flights, American Airlines said the disagree indicator provided the assurance in continued operations of the airplane. "As it turned out, that wasn't true."[77]
In February 2016, the EASA certified the MAX with the expectation that pilot procedures and training would clearly explain unusual situations in which the seldom used manual trim wheel would be required to trim the plane, i.e. adjust the angle of the nose; however, the original flight manual did not mention those situations.[78] The EASA certification document referred to simulations whereby the electric thumb switches were ineffective to properly trim the MAX under certain conditions. The EASA document said that after flight testing, because the thumb switches could not always control trim on their own, the FAA was concerned by whether the 737 MAX system complied with regulations.[79] The American Airlines flight manual contains a similar notice regarding the thumb switches but does not specify conditions where the manual wheel may be needed.
Boeing's CEO Muilenburg, when asked about the non-disclosure of MCAS, cited the "runaway stabilizer trim" procedure as part of the training manual. He added that Boeing's bulletin pointed to that existing flight procedure. Boeing views the "runaway stabilizer trim" checklist as a memory item for pilots. Mike Sinnett, vice president and general manager for the Boeing New Mid-Market Airplane (NMA) since July 2019, repeatedly described the procedure as a "memory item".[80] However, some airlines view it as an item for the quick reference card.[81] The FAA issued a recommendation about memory items in an Advisory Circular, Standard Operating Procedures and Pilot Monitoring Duties for Flight Deck Crewmembers: "Memory items should be avoided whenever possible. If the procedure must include memory items, they should be clearly identified, emphasized in training, less than three items, and should not contain conditional decision steps."[82]
In November 2018, Boeing told airlines that MCAS could not be overcome by pulling back on the control column to stop a runaway trim as on previous generation 737s.[83] Nevertheless, confusion continued: the safety committee of a major U.S. airline misled its pilots by telling that the MCAS could be overcome by "applying opposite control-column input to activate the column cutout switches".[84] Former pilot and CBS aviation & safety expert Chesley Sullenberger testified, "The logic was that if MCAS activated, it had to be because it was needed, and pulling back on the control wheel shouldn't stop it."[85] In October, Sullenberger wrote, "These emergencies did not present as a classic runaway stabilizer problem, but initially as ambiguous unreliable airspeed and altitude situations, masking MCAS."[86]
In a legal complaint against Boeing, the Southwest Airlines Pilot Association states:[87]
An MCAS failure is not like a runaway stabilizer. A runaway stabilizer has continuous un-commanded movement of the tail, whereas MCAS is not continuous and pilots (theoretically) can counter the nose-down movement, after which MCAS would move the aircraft tail down again. Moreover, unlike runaway stabilizer, MCAS disables the control column response that 737 pilots have grown accustomed to and relied upon in earlier generations of 737 aircraft.
In May 2019, The Seattle Times reported that the two stabilizer cutoff switches, located on the center console, operate differently on the MAX than on the earlier 737 NG. On previous aircraft, one cutoff switch deactivates the thumb buttons on the control yoke that pilots use to move the horizontal stabilizer; the other cutoff switch disables automatic control of the horizontal stabilizer by autopilot or /MCAS. On the MAX, both switches are wired in series and perform the same function: they cut off all electric power to the stabilizer, both from the yoke buttons and from an automatic system.
Thus, on previous aircraft it is possible to disable automatic control of the stabilizer yet to employ electric power assist by operating the yoke switches. On the MAX, with all power to the stabilizer cut, pilots have no choice but to use the mechanical trim wheel in the center console.[88]
As pilots pull on the 737 controls to raise the nose of the aircraft, aerodynamic forces on the elevator create an opposing force, effectively paralyzing the jackscrew mechanism that moves the stabilizer.[89] It becomes very difficult for pilots to hand crank the trim wheel.[89] The problem was encountered on earlier 737 versions, and a "roller coaster" emergency technique for handling the flight condition was documented in 1982 for the 737-200 but did not appear in training documentation for later versions (including the MAX).[89]
This problem was originally found in the early 1980s with the 737-200 model. When the elevator operated to raise or lower the nose, it set up a strong force on the trim jackscrew that opposed any corrective force from the control systems. When attempting to correct an unwanted deflection using the manual trim wheel, exerting enough hand force to overcome the force exerted by the elevator became increasingly difficult as speed and deflection increased and the jackscrew effectively jammed in place.[90]
For the 737-200, a workaround called the "roller coaster" technique was developed. Counter-intuitively, to correct an excessive deflection causing a dive the pilot first pushes the nose down further, before easing back to gently raise the nose again.[91] During this easing back period, the elevator deflection reduces or even reverses, its force on the jackscrew does likewise and the manual trim eases up. The workaround was included in the pilot's emergency procedures and in the training schedule.[90]
While the 737 MAX has a similar jackscrew mechanism, the "roller coaster" technique has been dropped from the pilot information. During the events leading to the two MAX crashes, the stiffness of the manual trim wheel repeatedly prevented manual trim adjustment to correct the MCAS-induced nose-down pitching. The issue has been brought to the notice of the DoJ criminal inquiry into the 737 MAX crashes.[90]
In simulator tests of Ethiopian Airlines Flight 302 flight scenario, the trim wheel was "impossible" to move when one of the pilots would instinctively pull up following an automatic nose-down trim input. It takes 15 turns to manually trim the aircraft one degree, and up to 40 turns to bring the trim back to neutral from the nose-down trim input caused by MCAS. Note that in the Ethiopian flight, the autothrottle was not disengaged and the aircraft entered overspeed conditions at low altitude which resulted in extraneous aerodynamic forces on the control surfaces.[92]
The horizontal stabilizer is fitted with a conventional elevator for flight control. However, it is itself all-moving about a single pivot and can be trimmed to adjust its angle. The trim is actuated via a jackscrew mechanism.
Engineers Sylvain Alarie and Gilles Primeau, experts on horizontal stabilizers consulted by Radio-Canada, observed anomalies in the data recorded during the Lion Air and Ethiopian Airlines crashes: a progressive shift of the horizontal stabilizer by 0.2°, before the crash. In reference to the Ethiopian Airlines flight, Alarie noted that without receiving a command from the MCAS or the pilots, the jackscrew slipped, and then slipped again as the aircraft accelerated and dove. Primeau noted that this deflection was an order of magnitude larger than what would ordinarily be permitted, and they concluded that these deflections were disallowed by FAA regulation 395A. These experts are concerned that the loads on the jackscrew have potentially increased since the creation of the 737, modern versions of which are considerably larger than the original design.
These experts have raised concerns about the motors possibly overheating in April 2019.[93]
During the groundings, special flights to reposition MAX aircraft to storage locations, as per 14 CFR § 21.197, flew at lower altitude and with flaps extended to circumvent MCAS activation, rather than using the recovery procedure after the fact. Such flights required a certain pilot qualification as well as permission from corresponding regulators, and with no other cabin crew or passengers.[94]
As per Boeing technical description: "the Angle of Attack (AoA) is an aerodynamic parameter that is key to understanding the limits of airplane performance. Recent accidents and incidents have resulted in new flight crew training programs, which in turn have raised interest in AoA in commercial aviation. Awareness of AOA is vitally important as the airplane nears stall."[95] Chesley Sullenberger said AoA indicators might have helped in these two crashes. "It is ironic that most modern aircraft measure (angle of attack) and that information is often used in many aircraft systems, but it is not displayed to pilots. Instead, pilots must infer (angle of attack) from other parameters, deducing it indirectly."[96]
Though there are two sensors on the MAX only one of them is used at a time to trigger MCAS activation on the 737 MAX. Any fault in this sensor, perhaps due to physical damage,[85] creates a single point failure: the flight control system lacks any basis for rejecting its input as faulty information.
Reports of a single point of failure were not always acknowledged by Boeing. Addressing American Airlines pilots, Boeing vice-president Mike Sinnett contradicted reports that the MCAS had a single-point failure, because the pilots themselves are the backup. Reporter Useem said in The Atlantic it was "showing both a misunderstanding of the term and a sharp break from Boeing's long-standing practice of having multiple backups for every flight system".[97]
Problems with the AoA sensor had been reported in over 200 incident reports submitted to the FAA; however, Boeing did not flight test a scenario in which it malfunctioned.[98]
The sensors themselves are under scrutiny. Sensors on the Lion air aircraft were supplied by United Technologies' Rosemount Aerospace.[99]
In September 2019, the EASA said it prefers triple-redundant AoA sensors rather than the dual redundancy in Boeing's proposed upgrade to the MAX. Installation of a third sensor could be expensive and take a long time. The change, if mandated, could be extended to thousands of older model 737s in service around the world.[100]
A former professor at Embry-Riddle Aeronautical University, Andrew Kornecki, who is an expert in redundancy systems, said operating with one or two sensors "would be fine if all the pilots were sufficiently trained in how to assess and handle the plane in the event of a problem". But, he would much prefer building the plane with three sensors, as Airbus does.[101]
In November 2017, after several months of MAX deliveries, Boeing discovered that the
AoA Disagree message, which is indicative of potential sensor mismatch on the primary flight display,[102] was unintentionally disabled.Clint Balog, a professor at Embry-Riddle Aeronautical University, said after the Lion Air crash: "In retrospect, clearly it would have been wise to include the warning as standard equipment and fully inform and train operators on MCAS".[103] According to Bjorn Fehrm, Aeronautical and Economic Analyst at Leeham News and Analysis, "A major contributor to the ultimate loss of JT610 is the missing AoA DISAGREE display on the pilots' displays."[104]
The software depended on the presence of the visual indicator software, a paid option that was not selected by most airlines.[105] For example, Air Canada, American Airlines and Westjet had purchased the disagree alert, while Air Canada and American Airlines also purchased, in addition, the AoA value indicator, and Lion Air had neither.[106] [107] Boeing had determined that the defect was not critical to aircraft safety or operation, and an internal safety review board (SRB) corroborated Boeing's prior assessment and its initial plan to update the aircraft in 2020. Boeing did not disclose the defect to the FAA until November 2018, in the wake of the Lion Air crash.[108] [109] [110] Consequently, Southwest had informed pilots that its entire fleet of MAX 8 aircraft will receive the optional upgrades.[111] [112] In March 2019, after the second accident of Ethiopian Airlines Flight 302, a Boeing representative told Inc. magazine, "Customers have been informed that AoA Disagree alert will become a standard feature on the 737 MAX. It can be retrofitted on previously delivered airplanes."[113]
On May 5, 2019, The Wall Street Journal reported that Boeing had known of existing problems with the flight control system a year before the Lion Air accident.[114] Boeing defended that "Neither the angle of attack indicator nor the AoA Disagree alert are necessary for the safe operation of the airplane." Boeing recognized that the defective software was not implemented to their specifications as a "standard, standalone feature." Boeing stated, "...MAX production aircraft will have an activated and operable AoA Disagree alert and an optional angle of attack indicator. All customers with previously delivered MAX airplanes will have the ability to activate the AoA Disagree alert." Boeing CEO Muilenburg said the company's communication about the alert "was not consistent. And that's unacceptable."[115] [116]
Boeing published an article in Aero magazine about AoA systems, "Operational use of Angle of Attack on modern commercial jet planes":
Boeing announced a change in policy in the Frequently Asked Questions (FAQ) about the MAX corrective work, "With the software update, customers are not charged for the AoA Disagree feature or their selection of the AoA indicator option."[117]
In 1996, the NTSB issued Safety Recommendation A-96-094.
TO THE FEDERAL AVIATION ADMINISTRATION (FAA): Require that all transport-category aircraft present pilots with angle-of-attack info in a visual format, and that all air carriers train their pilots to use the info to obtain maximum possible airplane climb performance.
The NTSB also stated about another accident in 1997, that "a display of angle of attack on the flight deck would have maintained the flightcrew's awareness of the stall condition and it would have provided direct indication of the pitch attitudes required for recovery throughout the attempted stall recovery sequence." The NTSB also believed that the accident may have been prevented if a direct indication of AoA was presented to the flightcrew (NTSB, 1997)."[118]
In early April 2019, Boeing reported a problem with software affecting flaps and other flight-control hardware, unrelated to MCAS; classified as critical to flight safety, the FAA has ordered Boeing to fix the problem correspondingly.[119] In October 2019, the EASA has suggested to conduct more testing on proposed revisions to flight-control computers due to its concerns about portions of proposed fixes to MCAS.[120] The necessary changes to improve redundancy between the two flight control computers have proved more complex and time-consuming than the fixes for the original MCAS issue, delaying any re-introduction to service beyond the date originally envisaged.
In January 2020, new software issues were discovered, affecting monitoring of the flight computer start-up process and verifying readiness for flight.[121] In April 2020, Boeing identified new risks where the trim system might unintentionally command nose down during flight or prematurely disconnect the autopilot.[122]
The MAX systems are integrated in the "e-cab" test flight deck, a simulator built for developing the MAX.[123] [124] In June 2019, "in a special Boeing simulator that is designed for engineering reviews,"[125] FAA pilots performed a stress testing scenarioan abnormal condition identified through FMEA after the MCAS update was implemented[126] for evaluating the effect of a fault in a microprocessor: as expected from the scenario, the horizontal stabilizer pointed the nose downward. Although the test pilot ultimately recovered control, the system was slow to respond to the proper runaway stabilizer checklist steps. Boeing initially classified this as a "major" hazard, and the FAA upgraded it to a much more severe "catastrophic" rating. Boeing stated that the issue can be fixed in software.[127] The software change will not be ready for evaluation until at least September 2019.[128] EASA director Patrick Ky said that retrofitting additional hardware is an option to be considered.
The test scenario simulated an event toggling five bits in the flight control computer. The bits represent status flags such as whether MCAS is active, or whether the tail trim motor is energized. Engineers were able to simulate single event upsets and artificially induce MCAS activation by manipulating these signals. Such a fault occurs when memory bits change from 0 to 1 or vice versa, which is something that can be caused by cosmic rays striking the microprocessor.[129]
The failure scenario was known before the MAX entered service in 2017: it had been assessed in a safety analysis when the plane was certified. Boeing had concluded that pilots could perform a procedure to shut off the motor driving the stabilizer to overcome the nose-down movement.[130] The scenario also affects 737NG aircraft, though it presents less risk than on the MAX; on the NG, moving the yoke counters any uncommanded stabilizer input, but this function is bypassed on the MAX to avoid negating the purpose of MCAS.[131] Boeing also said that it agreed with additional requirements that the FAA required it to fulfill, and added that it was working toward resolving the safety risk. It will not offer the MAX for certification until all requirements have been satisfied.
Early news reports were inaccurate in attributing the problem to an 80286[132] microprocessor overwhelmed with data, though as of April 2020 the concern remains that the MCAS software is overloading the 737 MAX's computers.[133]
, the two flight control computers of Boeing 737 never cross-checked each other's operations; i.e., each was a single non-redundant channel. This lack of robustness existed since the early implementation and persisted for decades. The updated flight control system will use both flight control computers and compare their outputs. This switch to a fail-safe two-channel redundant system, with each computer using an independent set of sensors, is a radical change from the architecture used on 737s since the introduction on the older model 737-300 in the 1980s. Up to the MAX in its prior-to-grounding-version, the system alternates between computers after each flight. The two computers' architecture allowed switching in-flight if the operating computer failed, thus increasing availability. In the revised architecture, Boeing required the two computers to monitor each other so that each one can vet the other.[134]
In January 2020, during flight testing, Boeing discovered a problem with an indicator light; the defect was traced to the "redesign of the two flight computers that control the 737 MAX to make them more resilient to failure". The indicator, which signals a problem with the trim system, can remain on longer than intended by design.[135] [136]
In November 2020, an Airworthiness Directive required corrective actions to the airplane's flight control laws (embodied in the Speed Trim System software):
- The new flight control laws now require inputs from both AOA sensors in order to activate MCAS. They also compare the inputs from the two sensors, and if those inputs differ significantly (greater than 5.5 degrees for a specified period of time), will disable the Speed Trim System (STS), which includes MCAS, for the remainder of the flight and provide a corresponding indication of that deactivation on the flight deck.
- The new flight control laws now permit only one activation of MCAS per sensed high-AOA event, and limit the magnitude of any MCAS command to move the horizontal stabilizer such that the resulting position of the stabilizer will preserve the flightcrew's ability to control the airplane's pitch by using only the control column. This means the pilot will have sufficient control authority without the need to make electric or manual stabilizer trim inputs.
- The new flight control laws also include Flight Control Computer (FCC) integrity monitoring of each FCC's performance and cross-FCC monitoring, which detects and stops erroneous FCC-generated stabilizer trim commands (including MCAS)