Figure 1. Lion Air Boeing 737 Max 8. The location of one of the aircraft’s AOA sensors is indicated by the yellow arrow. A second identical AOA sensor is located on the other side of the aircraft’s nose. The horizontal stabilizer is located at the rear of the airplane, indicated by the red arrow.

Humans are increasingly reliant on automated systems to make decisions to keep us safe. Computers are often seen as infallible; for example, they are typically incapable of making a mistake on clearly defined problems like math calculations.

But computers and software are designed and built by error-prone humans. Furthermore, the intelligence of automated systems is limited by the algorithms that prescribe their actions. Constrained by programming, algorithms cannot adapt to new situations in the same way that humans can. (Although, as artificial intelligence improves, the capability gap is closing).

In safety-critical applications like automated flight control systems, which have authority over aircraft maneuvers, the failure of an automated system can be deadly.

(On September 26, the National Transportation Safety Board issued seven safety recommendations to the Federal Aviation Administration, calling upon the agency to address concerns about how multiple alerts and indications are considered when making assumptions as part of design safety assessments.)

Maneuvering characteristics augmentation system

The apparent failure of the maneuvering characteristics augmentation system (MCAS) on Boeing 737 Max aircraft is implicated in two separate crashes in which 346 people lost their lives: Ethiopian Airlines Flight 302 on March 10, and Lion Air Flight 610 on Oct. 29, 2018.

Figure 2. Aircraft pitch angle, angle of attack (AOA) and flight path angle. Source: Boeing

MCAS is a new addition to the 737 Max that was not present on previous generations of the 737. It is a software function in the flight control system designed to enhance the aircraft’s pitch stability.

Pitch is a rotation of an aircraft about its center of gravity resulting in an up or down motion of the aircraft’s nose. Pitch angle is the angle between the longitudinal axis of the airplane (i.e., the axis that goes from tail to nose through the aircraft’s center of gravity) and the horizon. Pitch is a rotation about the horizontal axis parallel to a line that goes from wingtip to wingtip, passes through the aircraft’s center of gravity and is perpendicular to the longitudinal axis. If an aircraft’s nose pitches up too high, the aircraft will stall, resulting in a drastic reduction in lift generated by the wings and severely impaired ability for pilots to control the aircraft.

Figure 3. An AOA sensor similar to the one on the Boeing 737 Max. Source: UTC Aerospace Systems

MCAS automatically changes the angle of the horizontal stabilizer on the tail of the aircraft to adjust nose pitch when one of two angle-of-attack (AOA) sensors mounted on the exterior of the airplane indicates the nose is pitching up beyond a certain threshold. MCAS swivels the stabilizer up to create an aerodynamic force on the control surface, generating a moment about the airplane’s center of gravity that pitches the aircraft’s nose down.

In the two tragic crash incidents, bad data from an AOA sensor triggered MCAS, repeatedly pushing the plane nose downward as pilots struggled and failed to counteract the system.

Figure 4. Angle of attack (AOA) is the angle between the wing mean aerodynamic chord and the direction of relative wind. If AOA rises above a critical value, the aircraft stalls and pilots are no longer able to effectively control the aircraft. This is because the wing no longer produces enough lift due to a separation of airflow from the wing and a transition from smooth to turbulent airflow over the wing. Source: UTC Aerospace Systems

The need for MCAS

The reasons for MCAS’s existence can be traced to competition between Boeing and archrival Airbus for supremacy of the commercial jet market. In December 2010, Airbus announced the A320neo, a new model for the extremely popular narrow-body airliner market, which burned 6% less fuel than Boeing’s competing aircraft, the 737NG. At the Paris Air Show in June 2011 the A320neo won 667 orders, a record number for the event.

To prevent Airbus from market domination, Boeing needed to swiftly introduce its own improved narrow-body aircraft to compete. The time constraint forced Boeing to upgrade its existing 737 family of aircraft instead of developing an entirely new model. In August 2011, Boeing unveiled the 737 Max, which it promised would increase fuel efficiency by 8% over the A320neo.

In designing the new model, fuel-efficient LEAP-1B engines were chosen to replace the older CFM56 engines. The new engines are larger and more powerful than those on older 737s, requiring a mounting arrangement that places them higher and farther forward on the wing. The bigger engine geometry and different positioning changed the aerodynamics of the new airplane. The larger engine nacelles produced additional lift, particularly at high angles of attack. This affected the longitudinal (pitch) stability of the aircraft in certain situations, lowering its margin of stability in aggressive maneuvers like steep banking turns. (Pitch instability is a dangerous scenario where small changes in pitch tend to be amplified instead of damped, a scenario where pitch angle could rapidly increase leading to a stall.) The different aerodynamics altered the Max’s handling characteristics, causing pilots to feel uneven forces in the control stick in certain conditions.

Figure 5. Larger, fuel-efficient LEAP-1B engines are mounted higher and farther forward on the 737 Max 8 compared to CFM56 engines on the 737-800. Source: noreppo.com (illustration) via IEEE Spectrum

This posed a dilemma for Boeing. To meet the FAA's requirements for a new model within the existing 737 type, the Max needed to behave similarly to each of the previous 737 models, all the way back to the original 737-100, which first entered service in February 1968. There is also an FAA requirement that stick forces must smoothly change when flying commercial aircraft.

If Boeing was unable to convince the FAA that the Max was simply a new model within the 737 type, the aircraft would not receive a 737-type certificate and would be less appealing to the marketplace. This is because airlines often build fleets around specific families of aircraft to realize efficiencies in aircraft maintenance, pilot training and scheduling. A prime example is Southwest Airlines, which operates only 737s. Certifying pilots for multiple types of airplane is more expensive than using a single family of aircraft.

For these reasons, Boeing created MCAS for the 737 Max. The system would mimic the handling characteristics of older 737s and smooth control stick forces during certain maneuvers and flight conditions, allowing the Max to be certified as a new model within the 737 type of aircraft.

Flawed implementation

The presence of an automated system to smooth flight control is not, in itself, necessarily dangerous. But the implementation of MCAS was beset by deficient design rigor, rushed certification by an under-funded regulator and insufficient pilot training materials.

Even though the 737 Max is equipped with two AOA sensors, MCAS was triggered by data from only a single AOA sensor. If that sensor was damaged or malfunctioned, causing it to generate bad data, MCAS could trigger inadvertently.

Graph 1. Significant parameters recorded by the flight data recorder aboard the Boeing 737 Max 8 that flew Lion Air Flight 610. Of note are the light blue and orange lines, which indicate manual and automatic trim adjustments, as well as the dark blue line, which indicates stabilizer pitch trim position. These lines tell the story of how the pilots repeatedly tried to counteract the stabilizer trim adjustments commanded by MCAS. Also shown is the discrepancy in AOA sensed by the aircraft’s two AOA sensors. Source: Preliminary Accident Investigation Report, National Transportation Safety Committee of Indonesia, via Aviation Safety Network

Safety analyses by Boeing rated a potential failure of MCAS as, at most, “hazardous” on the FAA’s scale of failure conditions, which ranks possible system failures by their severity. A hazardous failure condition could cause “serious or fatal injury to an occupant.” This is less than the most severe system failure category of “catastrophic.” Even so, dual redundancy is typically required for instruments that could cause hazardous failure conditions. For example, a similar MCAS on the Air Force’s KC-46 tanker aircraft is programmed to compare readings from both sensors.

Figure 6. A primary flight display (PFD) like the one on 737 Max aircraft. The PFD AOA indicator was an optional upgrade available for customers to purchase from Boeing. The AOA disagree alert, which warns of a difference in readings between the aircraft’s two AOA sensors, was supposed to be a standard feature on all 737 Max aircraft. A bug, however, prevented the disagree alert from displaying unless the customer had purchased the AOA indicator option. Neither of the airlines involved in the two 737 Max crashes had purchased the AOA indicator option, perhaps limiting pilot ability to diagnose and react to the problem. When the 737 Max returns to flight, Boeing will fix the bug preventing display of the AOA disagree alert, making it standard for all customers in addition to offering an option to enable the AOA indicator. Source: Leeham Co.

According to the FAA, the probability of hazardous failures must be less than one in 10 million. Boeing calculated that the probability of a hazardous failure condition of MCAS was about 1 in 223 trillion, well within the FAA’s guidelines. But AOA sensor anomalies occur regularly on commercial aircraft, with more than 50 problems reported in the past five years, calling into question Boeing’s probability analysis and its decision to rely on a single AOA sensor for MCAS activation.

Another problem is that safety assessments did not account for the complete range of MCAS capabilities. The analyses were based on an early iteration of MCAS that only changed the horizontal stabilizer by 0.6° from the trimmed position, instead of the more powerful final version which allowed up to 2.5° per activation. They also failed to take into account the possibility of multiple repeated MCAS activations.

Figure 7. The pitch control system schematic from Boeing’s 737 Max Flight Crew Manual. The schematic shows that stabilizer trim is affected by inputs from multiple sensors and instruments, including the left and right pitot probes and the left and right air data inertial reference units (ADIRUs). ADIRUs collect data from multiple sensors, including the pitot, temperature and AOA sensors. The schematic does not indicate the role of MCAS in the automated pitch control system. Source: Ethiopian Airlines Flight 302 Preliminary Accident Investigation Report, Ministry of Transport of Ethiopia, via Aviation Safety Network

During the certification process, the FAA missed safety issues with MCAS because the agency did not carry out its own detailed analyses of the system. The System Safety Analysis for MCAS was carried out by Boeing and reviewed by the FAA. FAA management also pressured its own technical experts to complete the certification process quickly.

Due to a lack of resources the FAA delegates much of the safety assessment work, which is crucial to airplane certification, to aircraft manufacturers. In March 2019, the FAA said it would need $1.8 billion per year for 10,000 more employees to carry out all certification work independently.

Lack of training

Figure 8. The runaway stabilizer checklist from Boeing’s 737 Max Flight Crew Manual contains the procedure necessary to disable automated stabilizer movement, including MCAS. Source: Ethiopian Airlines Flight 302 Preliminary Accident Investigation Report, Ministry of Transport of Ethiopia, via Aviation Safety Network.

Not only did MCAS lack sensor redundancy and a rigorous safety review, but pilots were not fully informed of the automated system’s existence.

In the entire 1,600 page operating manual for the 737 Max, there was only a single reference to MCAS, where the acronym is defined in the manual's abbreviations section. The quick reference handbook for the aircraft did include a procedure for how to handle a runaway stabilizer situation in which “uncommanded stabilizer trim movement occurs continuously,” but details about how MCAS works were not provided.

It was not until the week after Lion Air Flight 610 crashed, on November 6, 2018, that Boeing issued a bulletin with further information, explaining that the “pitch trim system” could initiate uncommanded nose down cycles repetitively every 5 seconds if AOA data was erroneous. (The bulletin did not explicitly state that this behavior was caused by a software function named MCAS).

The full name of MCAS in connection with additional details about its operation, such as the fact that it could change the horizontal stabilizer angle up to 2.5° during each activation, were not revealed until four days later on November 10, 2018 in a multi-operator message to all Boeing 737 Max customers. (Boeing’s bulletin and message regarding MCAS can be found in the appendices of Indonesia’s preliminary accident investigation report on Flight 610.)

A tragic fact is that the quick reference handbook’s procedure to stop a runaway stabilizer could have prevented both crashes. This procedure disables automation of the horizontal stabilizer – including complete MCAS deactivation – by disengaging the autopilot and autothrottle and flicking two "STAB TRIM" switches in the cockpit's center console to the cutout position.

Tragically, on Ethiopian Airlines Flight 302, the pilots did flip the switches to deactivate MCAS, but the aircraft had already passed the speed at which aerodynamic forces make the plane difficult to control, and attempts to get the airplane to climb failed, so the switches were flipped back. Perhaps the pilots thought automatic trim control might help recover the plane. Instead, shortly after reactivating MCAS, the plane crashed.

Figure 9. The aisle-stand controls in the cockpit of a Boeing 737 Max. If the two switches shown at the bottom right under the STAB TRIM label are flipped to the cutout position, all automated movement of the horizontal stabilizer is disabled, including MCAS. Source: Dimas Ardian/Bloomberg via Seattle Times

Remedial actions

In the aftermath of the second crash in Ethiopia, all 387 Max aircraft that were in service worldwide were grounded. Hundreds of additional Max jets are parked for storage as Boeing continues production of the aircraft.

The 737 Max will not fly again until Boeing finishes fixing and improving MCAS function and regulators certify that the aircraft is safe to fly.

Boeing’s fixes for MCAS include requiring a comparison of data from both AOA sensors before MCAS activation; preventing MCAS activation if the two AOA sensors differ by more than 5.5°; limiting MCAS activation to a single cycle instead of repeated cycles; and preventing MCAS from commanding more stabilizer input than pilots can counteract on the flight stick.
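The single-sensor trigger described under "Flawed implementation" and the four fixes listed above, modeled side by side as an added Python illustration (not Boeing's flight-control code); the activation AOA, the pilot-authority cap and the sample vane readings are assumed or constructed values, not figures from the article.

```python
# Toy model of the MCAS activation logic as the article describes it, before
# and after Boeing's announced fixes. Added illustration, not Boeing's code.
# Angles in degrees; AOA_THRESHOLD and AUTHORITY_LIMIT are assumed values.
from dataclasses import dataclass

AOA_THRESHOLD = 15.0        # assumed AOA above which MCAS activates
STEP_PER_ACTIVATION = 2.5   # stabilizer change per activation (final MCAS, per article)
DISAGREE_LIMIT = 5.5        # revised MCAS inhibits if the two vanes differ by more
AUTHORITY_LIMIT = 2.5       # assumed cap on total commanded trim pilots can counteract

@dataclass
class Stabilizer:
    """Accumulated nose-down trim commanded by MCAS and how often it fired."""
    nose_down_trim: float = 0.0
    activations: int = 0

def mcas_original(aoa_left, aoa_right, stab, selected="left"):
    """Original behaviour per the article: reads ONE vane, commands 2.5 deg
    per activation, and re-activates on every cycle while it still reads high."""
    aoa = aoa_left if selected == "left" else aoa_right
    if aoa > AOA_THRESHOLD:
        stab.nose_down_trim += STEP_PER_ACTIVATION
        stab.activations += 1
        return True
    return False

def mcas_revised(aoa_left, aoa_right, stab):
    """Revised behaviour per the article's list of fixes: compare both vanes,
    inhibit when they disagree by more than 5.5 deg, fire a single cycle only,
    and never command more trim than the assumed authority limit."""
    if abs(aoa_left - aoa_right) > DISAGREE_LIMIT:
        return False            # vanes disagree: data is untrustworthy, do nothing
    if stab.activations >= 1:
        return False            # single cycle, no repeated activations
    if min(aoa_left, aoa_right) <= AOA_THRESHOLD:
        return False            # both vanes must show a genuinely high AOA
    step = min(STEP_PER_ACTIVATION, AUTHORITY_LIMIT - stab.nose_down_trim)
    if step <= 0:
        return False            # authority already exhausted
    stab.nose_down_trim += step
    stab.activations += 1
    return True

def run(logic, samples):
    """Feed (left, right) AOA samples, one per 5-second cycle, and return
    (total nose-down trim, activation count)."""
    stab = Stabilizer()
    for left, right in samples:
        logic(left, right, stab)
    return stab.nose_down_trim, stab.activations

# Constructed sample data (not recorder data): a left vane stuck high while
# the right vane reads a normal AOA, held for four 5-second cycles.
FAULTY_LEFT_VANE = [(21.0, 2.0)] * 4
# Constructed sample of a genuine high-AOA event seen by both vanes.
GENUINE_HIGH_AOA = [(20.0, 19.0)] * 4
```

Running the faulty-vane sample through `mcas_original` accumulates 10° of nose-down trim over four activations, while `mcas_revised` never fires because the vanes disagree; on the genuine high-AOA sample the revised logic fires exactly once and stops at the authority cap.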

Boeing is also developing new computer-based training material for pilots, including information on how MCAS works and how to respond to a system malfunction.

Further reading

The inside story of MCAS: How Boeing’s 737 Max system gained power and lost safeguards

The many human errors that brought down the Boeing 737 Max

Preliminary Aircraft Accident Investigation Report – Lion Air Flight 610 [PDF]

Preliminary Aircraft Accident Investigation Report – Ethiopian Airlines Flight 302 [PDF]