postmortem

The Mechanism

Chapter 27 of 38

MCAS is a flight control law implemented in the flight control computer software. Its logic, reconstructed from the Joint Authorities Technical Review (JATR) and other public investigation documents:

// RECONSTRUCTED FROM JATR AND INVESTIGATION REPORTS
// Boeing 737 MAX Flight Control Computer
// MCAS (Maneuvering Characteristics Augmentation System)
// The numeric constants and the two stubbed functions below are placeholders
// added so the reconstruction compiles; the public reports do not give them.

#define AOA_THRESHOLD    12.0f  // Angle-of-attack threshold (degrees), placeholder
#define MCAS_STAB_RATE   0.27f  // Stabilizer movement rate (units/sec), placeholder
#define MCAS_MAX_COMMAND 2.5f   // Maximum stabilizer command per activation, placeholder
#define NOSE_DOWN        (-1)   // Trim direction passed to the actuator

struct flight_data {
    float aoa_sensor[2];      // Two AOA vanes, left and right
    int   active_aoa_sensor;  // Index of the single vane MCAS reads this flight
    int   flaps_retracted;
};

struct mcas_state {
    int active;               // MCAS commanded trim on the last cycle
    float last_aoa;           // AOA value used on the last cycle
    float stab_command_total; // Cumulative nose-down trim commanded
    int activation_count;     // Number of activations so far
};

// Placeholder for the real command computation, which is not public
float compute_stab_command(float aoa, float rate) {
    (void)aoa;
    return rate < MCAS_MAX_COMMAND ? rate : MCAS_MAX_COMMAND;
}

// Placeholder for the actuator interface that drives the stabilizer motor
void apply_stabilizer_trim(float command, int direction) {
    (void)command;
    (void)direction;
}

void mcas_update(struct mcas_state *state,
                 struct flight_data *fd) {

    // FAILURE POINT: Single sensor input, no cross-check
    // The 737 MAX has TWO AOA sensors. MCAS uses ONE.
    // Which sensor is used alternates between flights.
    // If the active sensor is faulty, MCAS has no way to detect it.
    float aoa = fd->aoa_sensor[fd->active_aoa_sensor];
    state->last_aoa = aoa;
    state->active = 0;

    // No comparison with the other sensor
    // No reasonableness check against attitude or airspeed
    // No voting logic between redundant inputs

    if (aoa > AOA_THRESHOLD && fd->flaps_retracted) {
        // MCAS activates: command nose-down stabilizer trim
        float command = compute_stab_command(aoa, MCAS_STAB_RATE);

        // FAILURE POINT: Repeated activations accumulate
        // Each activation adds more nose-down trim
        // Original design limited to single activation
        // Production version allows unlimited reactivation
        // after 5-second pause if AOA still high
        apply_stabilizer_trim(command, NOSE_DOWN);

        state->active = 1;
        state->activation_count++;
        state->stab_command_total += command;
    }
}

Three design decisions converge:

Single-sensor dependency. Using one AOA sensor instead of two eliminates the system’s ability to detect sensor faults. A disagree check (comparing the two sensors and alerting when they differ by more than a threshold) is available on the 737 MAX, but only as an optional feature that airlines must purchase separately. The AOA disagree alert was not standard equipment. Neither Lion Air nor Ethiopian Airlines had purchased it. The system that depends on a single sensor has no mechanism to detect when that sensor is wrong.

Authority creep. During the development of the 737 MAX, MCAS’s authority, the maximum stabilizer movement it can command, was increased. The original design limited MCAS to a small stabilizer movement, consistent with its classification as a “speed trim” modification. During flight testing, Boeing discovered that a larger authority was needed to provide the desired handling characteristics across the flight envelope. The authority was increased, but the safety assessment was not updated to reflect the larger authority. The system classification remained at a hazard level that did not require redundant sensors.

This is the mechanism that made the single-sensor design invisible to the certification process. MCAS was classified based on its original, limited authority. At that authority level, a single-sensor design was acceptable because an MCAS malfunction would result in a small, easily correctable trim change. At the final, larger authority, an MCAS malfunction could result in a trim change that the pilots could not correct. The safety assessment did not reflect the actual system.
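As an added illustration (not code from this page, from Boeing, or from the JATR), here is a hardened variant of the reconstructed update loop that adds the two safeguards the single-sensor and authority-creep passages describe as absent: a two-vane disagree check that inhibits MCAS for the rest of the flight, and a cap on cumulative stabilizer authority. The struct layout, the function name and every numeric threshold are assumptions chosen for the example.

```c
/* Added example, not Boeing's code and not from the JATR: the reconstructed
 * update loop with a two-vane disagree check and a bounded cumulative
 * command. All thresholds are placeholders chosen for this illustration. */
#define AOA_THRESHOLD      12.0f  /* placeholder activation AOA, degrees */
#define AOA_DISAGREE_LIMIT  5.5f  /* placeholder max tolerated vane spread */
#define MCAS_STAB_RATE      0.25f /* placeholder trim per activation */
#define MCAS_MAX_TOTAL_CMD  0.75f /* placeholder cap on cumulative trim */

enum mcas_result { MCAS_IDLE, MCAS_COMMANDED, MCAS_INHIBIT_DISAGREE,
                   MCAS_INHIBIT_LIMIT };

struct flight_data { float aoa_sensor[2]; int flaps_retracted; };

struct mcas_state {
    float stab_command_total;
    int   activation_count;
    int   disagree_latched;   /* once set, MCAS stays off for the flight */
};

/* One control-law cycle. Returns what MCAS did; *command_out receives the
 * nose-down trim actually issued (0 when idle or inhibited). */
enum mcas_result mcas_update_hardened(struct mcas_state *st,
                                      const struct flight_data *fd,
                                      float *command_out)
{
    float left = fd->aoa_sensor[0], right = fd->aoa_sensor[1];
    float spread = left > right ? left - right : right - left;
    *command_out = 0.0f;

    /* With only two vanes a disagreement cannot be voted out, so the safe
     * action is to inhibit MCAS rather than trust either reading. */
    if (st->disagree_latched || spread > AOA_DISAGREE_LIMIT) {
        st->disagree_latched = 1;
        return MCAS_INHIBIT_DISAGREE;
    }
    float aoa = 0.5f * (left + right);   /* both agree; use their mean */
    if (!(aoa > AOA_THRESHOLD && fd->flaps_retracted))
        return MCAS_IDLE;

    /* Bounded authority: repeated activations never sum past the cap. */
    float remaining = MCAS_MAX_TOTAL_CMD - st->stab_command_total;
    if (remaining <= 0.0f)
        return MCAS_INHIBIT_LIMIT;
    float command = MCAS_STAB_RATE < remaining ? MCAS_STAB_RATE : remaining;
    st->stab_command_total += command;
    st->activation_count++;
    *command_out = command;
    return MCAS_COMMANDED;
}
```

With a constructed faulty-vane input (one vane reading 20 degrees, the other 2.5) the function inhibits and latches; with agreeing high-AOA inputs it commands three times and then refuses further trim once the cumulative cap is reached.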

Certification by difference. The 737 MAX was certified as a variant of the 737 NG, not as a new aircraft type. Certification by difference means that only the changes from the previous model require full certification review. Components and systems that are unchanged from the 737 NG are grandfathered. This is an efficient process for genuine derivatives, but it creates a gap when a new system (MCAS) is classified as a minor change to an existing system (speed trim) and therefore receives less scrutiny than a new safety-critical system would require.

The FAA delegated significant certification authority to Boeing itself through the Organization Designation Authorization (ODA) program. Boeing employees, acting as authorized representatives of the FAA, performed safety assessments of MCAS. The FAA did not independently review the MCAS safety assessment in detail. The FAA has stated that it relied on Boeing’s assessment that MCAS was a low-risk modification.

The recovery gap. When the Ethiopian Airlines pilots followed the runaway stabilizer procedure and disabled electric trim, they lost the ability to counteract MCAS’s nose-down trim, but they also lost the ability to electrically command nose-up trim. The manual trim wheels, the backup, require significant physical force to turn against aerodynamic loads at high speed. At the speeds the aircraft was traveling after takeoff, the aerodynamic forces on the out-of-trim stabilizer exceeded what the pilots could physically overcome through the manual trim system. The procedure that was designed to save them by disabling the malfunctioning system also disabled the tool they needed to recover.