Skip to main content
Back to Library
postmortem

The Boeing 737 MAX: Software Designed to Correct a Hardware Problem

6 min read Chapter 26 of 38

The Boeing 737 MAX: Software Designed to Correct a Hardware Problem and the Certification Process That Did Not Know It Existed

The System as Its Engineers Understood It

The Boeing 737 MAX is a variant of the Boeing 737 family, the most produced commercial aircraft in history. The MAX variant is designed to compete with the Airbus A320neo by offering better fuel efficiency. The primary change from the previous 737 NG variant is the engine: the MAX uses the CFM International LEAP-1B engine, which is larger and more fuel-efficient than the previous CFM56.

The larger engine creates an aerodynamic problem. The 737’s landing gear is short, a legacy of the original 1960s design when the aircraft was intended to operate from poorly maintained runways. The short gear limits how low the engine can be mounted under the wing. The LEAP-1B is too large to fit in the same position as the CFM56. Boeing’s solution is to mount the engine further forward and higher on the wing. This changes the aerodynamic behavior of the aircraft.

At high angles of attack (the angle between the wing’s chord line and the oncoming airflow), the forward-mounted nacelles generate a nose-up pitching moment. This means the aircraft has a tendency to pitch up further when the angle of attack is already high. In extreme cases, this tendency could push the aircraft into an aerodynamic stall, where the wings lose lift. The nose-up tendency is not present on the 737 NG and represents a change in the aircraft’s handling characteristics.

Boeing’s solution is software. The Maneuvering Characteristics Augmentation System (MCAS) is a flight control law that automatically pushes the nose down when the angle of attack exceeds a threshold. MCAS is designed to make the 737 MAX handle like the 737 NG in high-angle-of-attack conditions. If MCAS works correctly, pilots trained on the 737 NG can fly the 737 MAX without additional type-rating training. This is commercially significant: a new type rating requires expensive simulator time for every pilot who transitions to the new aircraft.

MCAS reads the angle of attack from a single sensor. The 737 MAX has two angle-of-attack (AOA) sensors, one on each side of the fuselage. MCAS uses only one. The choice of which sensor to use alternates between flights: one flight uses the left sensor, the next uses the right sensor. If the active sensor provides an erroneous reading, MCAS has no cross-check. It will accept the reading and act on it.

When MCAS activates, it moves the horizontal stabilizer (the large control surface on the tail) to push the nose down. The initial design limits MCAS’s authority: it can move the stabilizer by a certain amount per activation. After the first activation, the system was modified to allow repeated activations, each moving the stabilizer further. The cumulative effect of repeated activations is a large nose-down trim change that the pilots must overcome by pulling back on the control column.

The pilots can counteract MCAS by using the electric trim switches on the control column to trim nose-up. They can also disable the electric stabilizer trim entirely by flipping two cutout switches. The procedure for a stabilizer trim runaway (the relevant emergency procedure) is in the flight manual. However, MCAS is not mentioned by name in the original flight manuals or pilot training materials for the 737 MAX. The pilots do not know MCAS exists.

The Chain

Lion Air Flight 610

October 29, 2018. Lion Air Flight 610, a 737 MAX 8, departs Jakarta, Indonesia. The aircraft’s left AOA sensor has been replaced the day before, following a report of erroneous readings on the previous flight. The replacement sensor is mis-calibrated. It reads approximately 21 degrees higher than the actual angle of attack.

Shortly after takeoff. MCAS activates. It reads the erroneous left AOA sensor, which reports a dangerously high angle of attack. MCAS commands nose-down stabilizer trim. The aircraft pitches down.

Next 10 minutes. The pilots fight the aircraft. MCAS activates repeatedly, each activation commanding additional nose-down trim. The pilots use the electric trim switches to counter each activation, trimming nose-up. The cycle repeats: MCAS pushes the nose down, the pilots trim it back up. The control column forces become increasingly heavy as the stabilizer moves further from the neutral position.

The pilots do not know what MCAS is. They do not know that a system is fighting their inputs. They experience the symptoms of a stabilizer trim runaway but the behavior does not match their training: the runaway stops when they press the trim switch, then resumes. A continuous runaway would be recognized immediately. An intermittent one, caused by a system that activates, waits, and activates again, is unfamiliar.

Approximately 13 minutes after takeoff. The aircraft enters a dive that the pilots cannot recover from. Lion Air Flight 610 crashes into the Java Sea. All 189 people on board are killed.

Ethiopian Airlines Flight 302

March 10, 2019. Ethiopian Airlines Flight 302, a 737 MAX 8, departs Addis Ababa, Ethiopia. The left AOA sensor fails shortly after takeoff, providing erroneous data. MCAS activates based on the erroneous reading.

Shortly after takeoff. The sequence is nearly identical to Lion Air 610. MCAS commands nose-down trim. The pilots counter with electric trim. MCAS reactivates. The pilots follow the runaway stabilizer procedure and flip the stabilizer trim cutout switches, disabling electric trim. With electric trim disabled, they attempt to manually trim the stabilizer using the manual trim wheels.

At the speed the aircraft is traveling, the aerodynamic forces on the stabilizer are too great for the pilots to overcome with the manual trim wheel. They cannot physically turn the wheel against the air load. They re-engage the electric trim to try to regain control. MCAS activates again.

Approximately 6 minutes after takeoff. Ethiopian Airlines Flight 302 crashes. All 157 people on board are killed.

346 people died in two crashes caused by the same system failure: MCAS responding to a single faulty sensor with no cross-check, no pilot awareness, and no effective recovery path at the speeds involved.

Boeing 737 MAX MCAS system architecture showing single-sensor dependency, stabilizer authority, and the pilot response loop

The diagram shows the MCAS control loop. The critical path is a single line from one AOA sensor to the stabilizer actuator, with no cross-check against the second sensor. The pilot’s counter-inputs (electric trim) are temporary corrections that MCAS overrides on its next activation cycle. The stabilizer cutout switches disable MCAS but also disable the electric trim that pilots need to regain control against aerodynamic forces.