Written by Jack Nicas, David Gelles and James Glanz
While designing its newest jet, Boeing decided to make two significant changes to an automated system now suspected of playing a role in two deadly crashes of the plane.
Despite the added risks, the Federal Aviation Administration did not conduct another safety review of the system, since the changes didn’t affect what it considered a critical phase of flight, namely high-speed maneuvers.
The omission involving Boeing’s 737 Max exposes a glaring regulatory gap, with the agency’s bureaucratic process proving insufficient for the increasing complexity of airplane design.
“The more we know, the more we realize what we don’t know,” said John Cox, an aviation safety consultant and a former 737 pilot.
The FAA is supposed to be the gold standard in global aviation regulation, with the toughest and most stringent rules for certifying planes. But the March crash in Ethiopia and an earlier one in Indonesia have broadly raised concerns about the agency’s ability to push back against the industry or root out flaws.
In both crashes, the authorities suspect that faulty sensor data triggered the anti-stall system, revealing a single point of failure on the plane. Pilots weren’t informed about the system until after the Lion Air crash in Indonesia, and even then, Boeing didn’t fully explain or understand the risks. The government outsourced much of the certification to Boeing employees, creating a cozy relationship between the company and its regulator.
After the agency’s initial safety review, Boeing decided to quadruple the power of the anti-stall system, which could push down the plane’s nose. The company also expanded the use of the software, known as MCAS, to activate in more situations.
Although officials were aware of the changes, none were fully examined by the FAA, according to three people with knowledge of the process.
A new review would have required FAA officials to take a closer look at the system’s effect on the overall safety of the plane, as well as to consider the potential consequences of a malfunction. Instead, the agency relied on an earlier assessment of the system, which was less powerful and activated in more limited circumstances.
While it is unclear which officials were involved in the review of the anti-stall system, they followed a set of bureaucratic procedures, rather than taking a proactive approach. The result is that officials didn’t fully understand the risks of the more robust anti-stall system, which could cause a crash in less than a minute.
The FAA defended its certification process, saying it has consistently produced safe aircraft. An FAA spokesman said agency employees had collectively spent more than 110,000 hours reviewing the Max, including 297 test flights.
The spokesman said FAA employees were following agency rules when they didn’t review the change. “The change to MCAS didn’t trigger an additional safety assessment because it did not affect the most critical phase of flight, considered to be higher cruise speeds,” an agency spokesman said. “At lower speeds, greater control movements are often necessary.”
Speaking in Dallas on Thursday, Boeing’s chief executive, Dennis A. Muilenburg, described MCAS as “one link in a longer chain of events” that contributed to the crashes. “We know we can break this chain link,” he said. “And it’s our responsibility to eliminate this risk.”
A spokesman for Boeing said, “The FAA considered the final configuration and operating parameters of MCAS during Max certification, and concluded that it met all certification and regulatory requirements.”
Some of the details of the evolving design of MCAS were earlier reported by The Seattle Times.
MCAS was created to help make the 737 Max handle like its predecessors, part of Boeing’s strategy to get the plane done more quickly and cheaply.
The system was initially designed to engage only in rare circumstances, namely high-speed maneuvers, in order to make the plane handle more smoothly and predictably for pilots used to flying older 737s, according to two former Boeing employees who spoke on the condition of anonymity because of the open investigations.
For those situations, MCAS was limited to moving the stabilizer — the part of the plane that changes the vertical direction of the jet — about 0.6 degrees in about 10 seconds.
It was around that design stage that the FAA reviewed the initial MCAS design. The planes hadn’t yet gone through their first test flights.
After the test flights began in early 2016, Boeing pilots found that just before a stall at various speeds, the Max handled less predictably than they wanted. So they suggested using MCAS in those instances, too, according to one former employee with direct knowledge of the conversations.
But the system needed more power to work in a broader range of situations.
At higher speeds, flight controls are more sensitive and less movement is needed to steer the plane. Consider the effect of turning a car’s steering wheel at 70 mph versus 30 mph.
To prevent stalls at lower speeds, Boeing engineers decided that MCAS needed to move the stabilizer faster and by a larger amount. So Boeing engineers quadrupled the amount it could move the stabilizer in one cycle, to 2.5 degrees in less than 10 seconds.
“That’s a huge difference,” said Dennis Tajer, a spokesman for the American Airlines pilots’ union, who has flown 737s for a decade. “That’s the difference between controlled flight or not.”
Speed was a defining characteristic for the FAA. The agency’s rules require an additional review only if the changes affect how the plane operates in riskier phases of flight: at high speeds and altitudes. Because the changes to the anti-stall system affected how it operated at lower speeds and altitudes, FAA employees didn’t need to take a closer look at them.
The overall system represented a major departure from Boeing’s design philosophy. Boeing has traditionally favored giving pilots control over their planes, rather than automated flight systems.
“In creating MCAS, they violated a long-standing principle at Boeing to always have pilots ultimately in control of the aircraft,” said Chesley B. Sullenberger III, the retired pilot who landed a jet in the Hudson River. “In mitigating one risk, they created another, greater risk.”
The missed risks, by the FAA and Boeing, flowed to other decisions. A deep explanation of the system wasn’t included in the plane manual. The FAA didn’t require training on it. Even Boeing test pilots weren’t fully briefed on MCAS.
“Therein lies the issue with the design change: Those pitch rates were never articulated to us,” said one test pilot, Matthew Menza.
Menza said he looked at documentation he still had and did not see mention of the rate of movement on MCAS. “So they certainly didn’t mention anything about pitch rates to us,” he said, “and I certainly would’ve loved to have known.”
The system’s increased power was also compounded by its design: The software engaged repeatedly if the sensor suggested it was necessary to avoid a stall. In the Lion Air crash, data showed that the pilots, who weren’t aware of MCAS, fought for control of the plane, as it pushed the nose back down each time they pulled it up.
Few truly understood just how powerful the system would prove. It wasn’t fully disclosed until after the Lion Air disaster, which killed all 189 people on board. On the Ethiopian Airlines flight, the pilots struggled to regain control after MCAS engaged at least three times.
Last month, during flight simulations recreating the problems with the Lion Air flight, American pilots were surprised at how strong MCAS was. They essentially had less than 40 seconds to manually override a system malfunction before a crash.
Updates to the software by Boeing, which will require FAA approval, will address some of the concerns with the anti-stall system. The changes will limit the system to engaging just once in most cases. And they will prevent MCAS from pushing the plane’s nose down more than a pilot could counteract by pulling up on the controls.
Boeing had hoped to deliver the software fix to the FAA by now, but it was delayed by several weeks. As a result, the grounding of the jet is expected to drag on. Southwest Airlines has changed its schedule through early August and American Airlines cancellations stretch into June.