What the Review Missed and What Changed
What the Review Missed
Multiple investigations examined the 737 MAX failures. The Indonesian KNKT investigated Lion Air 610. The Ethiopian Accident Investigation Bureau investigated Ethiopian Airlines 302. The Joint Authorities Technical Review (JATR), comprising aviation authorities from nine countries, examined the certification process. The U.S. House Committee on Transportation and Infrastructure conducted a Congressional investigation that produced a 238-page final report.
The KNKT report identified the faulty AOA sensor, the MCAS single-sensor design, and the inadequate pilot training as contributing factors. The Ethiopian investigation reached similar conclusions. Both reports correctly identified the technical chain of causation.
The JATR and Congressional investigation went further, examining the certification process that allowed MCAS to be approved with a single-sensor design and without explicit pilot training requirements. Their findings were severe:
Boeing’s safety assessment of MCAS classified it at a hazard level that did not require redundant sensors. This classification was based on MCAS’s original, limited authority. When the authority was increased during development, the safety assessment was not updated. Boeing employees acting as FAA delegates reviewed the system. The FAA did not independently review the updated MCAS design in detail.
The Congressional investigation found that Boeing was aware of the AOA disagree alert issue (the feature that would have warned pilots of sensor disagreement was not standard equipment) and did not disclose it to the FAA or airlines until after the Lion Air crash. The investigation also documented internal Boeing communications that raised concerns about MCAS’s behavior and pilot training requirements, concerns that were not escalated to the certification process.
The investigation identified a structural problem in the certification process: the FAA’s delegation of certification authority to the manufacturer created a conflict of interest. Boeing’s business interest in certifying the 737 MAX without requiring new pilot training (which would reduce the aircraft’s competitive advantage over the A320neo) was in tension with the safety interest in ensuring that MCAS was properly classified, assessed, and disclosed to pilots.
The official reviews did not miss the systemic issues. The Congressional report in particular is a thorough analysis of organizational and regulatory failure. Where the reviews were necessarily limited was in their ability to mandate the kind of architectural change that would prevent similar failures: requiring that safety-critical automated systems in aircraft use redundant, cross-checked inputs as a non-waivable requirement, regardless of the system’s initial hazard classification.
What Changed
The 737 MAX grounding (March 2019 to January 2021 in the U.S., longer in some jurisdictions) and the subsequent investigations produced the most significant changes to aviation certification since the introduction of the FAA’s current certification framework.
MCAS redesign. The redesigned MCAS uses both AOA sensors. If the sensors disagree by more than a threshold, MCAS does not activate. The AOA disagree alert is standard equipment on all 737 MAX aircraft. MCAS’s authority is limited to a single activation: it cannot repeatedly command nose-down trim. The redesigned system treats a sensor disagreement as an indication that the sensor data is unreliable, rather than assuming either sensor is correct.
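To make the difference between the two designs concrete, here is a toy model of the single-sensor activation logic beside the cross-checked redesign the paragraph describes. This is an added illustration, not Boeing's code or the certified logic; the trigger angle, disagreement tolerance and trim increment are assumed values, and the sensor traces are constructed.

```python
# Added illustration: single-sensor MCAS logic beside the cross-checked redesign.
# Not Boeing's code; every numeric constant below is an assumption.
from dataclasses import dataclass

AOA_TRIGGER_DEG = 15.0     # assumed angle of attack that triggers nose-down trim
AOA_DISAGREE_DEG = 5.5     # assumed maximum tolerated left/right sensor disagreement
TRIM_PER_ACTIVATION = 1.0  # assumed trim authority per activation, arbitrary units


@dataclass
class SingleSensorMcas:
    """Original design: one AOA input, re-activates on every control cycle."""
    trim_commanded: float = 0.0

    def step(self, aoa_left: float, aoa_right: float) -> bool:
        # The right vane is never consulted, so a stuck-high left vane is
        # indistinguishable from a genuine high angle of attack.
        if aoa_left > AOA_TRIGGER_DEG:
            self.trim_commanded += TRIM_PER_ACTIVATION
            return True
        return False


@dataclass
class CrossCheckedMcas:
    """Redesign as the page describes it: both vanes, disagreement inhibits,
    at most one activation."""
    trim_commanded: float = 0.0
    activated: bool = False

    def step(self, aoa_left: float, aoa_right: float) -> bool:
        if abs(aoa_left - aoa_right) > AOA_DISAGREE_DEG:
            return False  # disagreement means unreliable data; trust neither vane
        if self.activated:
            return False  # single activation: no repeated nose-down commands
        if aoa_left > AOA_TRIGGER_DEG and aoa_right > AOA_TRIGGER_DEG:
            self.activated = True
            self.trim_commanded += TRIM_PER_ACTIVATION
            return True
        return False


def run(mcas, trace) -> int:
    """Feed a sequence of (left, right) readings; return the activation count."""
    return sum(mcas.step(left, right) for left, right in trace)


# Constructed traces: a left vane stuck at 40 deg beside a healthy right vane,
# and a genuine high-AOA excursion where both vanes agree.
STUCK_VANE_TRACE = [(40.0, 4.0)] * 6
GENUINE_HIGH_AOA_TRACE = [(18.0, 17.5)] * 6
```

On the stuck-vane trace the original logic fires on every cycle and keeps adding trim, while the redesign never fires; on the genuine excursion both fire, but the redesign only once.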
FAA certification reforms. The Aircraft Certification, Safety, and Accountability Act, signed into law in December 2020, reformed the FAA’s delegation of certification authority. Key changes:
The FAA retains authority over safety-critical certification decisions and cannot delegate them to the manufacturer for systems where a failure could result in “catastrophic” outcomes. The manufacturer’s Organization Designation Authorization is subject to greater FAA oversight, including the ability for FAA engineers to intervene in certification decisions at any point.
Safety assessments must be updated when the design changes. A system whose hazard classification was determined at one authority level cannot be deployed at a higher authority level without re-assessment. This addresses the authority creep that allowed MCAS to be deployed with a single-sensor design at an authority level inconsistent with its original safety assessment.
Pilot training requirements. All pilots transitioning to the 737 MAX must complete simulator training that includes MCAS failure scenarios. The system is described in pilot training materials by name, with its behavior, its failure modes, and the correct recovery procedures. The position that pilots did not need to know about MCAS because it was a minor modification was definitively rejected.
Software safety assessment in aviation. The 737 MAX case elevated the scrutiny applied to flight control software that compensates for aerodynamic deficiencies. The principle that emerged: software that modifies the aircraft’s flight characteristics is not a minor modification. It is a flight-critical system that requires the same level of redundancy, testing, and pilot awareness as any other flight-critical system, regardless of whether it is classified as a “modification” to an existing system or a new system.
This principle extends beyond aviation. Any system where software compensates for a hardware design limitation introduces a dependency: the hardware is safe only if the software functions correctly. This dependency must be assessed at the system level, not at the component level. A hardware design that is unsafe without software compensation requires the software to meet the same safety standards as the hardware it is compensating for.
The Rule
Software that compensates for a hardware design limitation is safety-critical by definition, regardless of how it is classified in the safety assessment. If the hardware is unsafe without the software, the software must meet the same redundancy, verification, and transparency requirements as the hardware it protects.
This rule comes from the Boeing 737 MAX, where software designed to correct an aerodynamic characteristic caused by larger engines relied on a single sensor with no cross-check, was not disclosed to pilots, and was classified at a hazard level inconsistent with its actual authority. When that sensor failed, 346 people died in two crashes.