You are using an older browser version. Please use a supported version for the best MSN experience.

The Four-Second Catastrophe: How Boeing Doomed the 737 MAX

The Wall Street Journal. logoThe Wall Street Journal. 17/08/2019 Andrew Tangel, Andy Pasztor and Mark Maremont
a group of men standing in front of a building © gary he/EPA-EFE/Shutterstock

Almost as soon as the wheels of Ethiopian Airlines Flight 302 spun free from the runway March 10, the instruments in front of Capt. Yared Getachew went haywire.

The digital displays for altitude, airspeed and other basic information showed dramatically different readings from those in front of his co-pilot. The controls in Capt. Getachew’s hands started shaking to warn him the plane was climbing too steeply and was in imminent danger of falling from the sky.

Soon, a cascade of warning tones and colored lights and mechanical voices filled the cockpit. The pilots spoke in clipped bursts.

“Command!” Capt. Getachew called out twice, trying to activate the autopilot. Twice he got a warning horn.

Another powerful automated flight-control system called MCAS abruptly pushed down the jet’s nose. A computerized voice blared: “Don’t sink! Don’t sink!” 

The pilots wrestled with the controls, desperate to raise the nose of their Boeing 737 MAX. Three times Capt. Getachew instructed co-pilot Ahmed Nur Mohammed, “Pull up!”

© Getty At the same time, a loud clacking warned the preoccupied pilots that the plane was flying too fast.

Four minutes into the flight, the pilots finally touched on the source of their problems, simultaneously calling out “Left alpha vane!”

Erroneous signals from that malfunctioning sensor tricked the onboard computers into believing the jetliner’s nose was angled too high, causing MCAS to push it down again and again.

It was too late. Flight 302 nose-dived at nearly the speed of sound, hitting the ground with such force that an airliner with 157 people aboard was largely reduced to fragments no bigger than a man’s arm.

Five months earlier, Lion Air Flight 610 had plunged into the Java Sea, killing 189 people, under similar circumstances.

Regulators have focused since the crashes on MCAS, its reliance on a single sensor and Boeing’s decision not to tell pilots about the new system. At the root of the miscalculations, though, were Boeing’s overly optimistic assumptions about pilot behavior.

Related video: How Boeing’s 737 MAX Troubles Ripple Through the Industry


In designing the flight controls for the 737 MAX, Boeing assumed that pilots trained on existing safety procedures should be able to sift through the jumble of contradictory warnings and take the proper action 100% of the time within four seconds.

That is about the amount of time that it took you to read this sentence.

Boeing bet nearly everything on those four ticks of the clock. The company’s belief in its engineering, and its reliance on pilots to be flawless cogs, enabled Boeing to speed the latest iteration of its most important airliner to market and ultimately saved money for its customers.

Now, the aerospace giant is sorting through the consequences: two crashes, a global grounding of the MAX fleet, frustrated airlines and the gravest threat to Boeing in its modern history.

The company is under investigation by federal prosecutors, securities regulators, aviation authorities and lawmakers. It faces more than 100 lawsuits from families of the 346 dead. It may have to further slow or temporarily halt production of the MAX if flight restrictions last much longer. And its troubles are disrupting travel for passengers as well as clouding the outlook for airlines, aerospace suppliers and their tens of thousands of workers.

© Getty Interviews with current and former Boeing employees, pilots, airline officials, federal regulators and documents reviewed by The Wall Street Journal show that Boeing repeatedly minimized the risks posed by MCAS, without detailed scrutiny or pushback from U.S. regulators. Engineers assumed pilots would be able to almost instantly counteract an MCAS malfunction, like the ones on the two doomed flights, by executing a long-established emergency procedure for a similar problem.

The assumptions dovetailed with a vital company goal. To make the plane as inexpensive as possible for airlines to adopt, Boeing was intent on persuading regulators that pilots of earlier 737s should be allowed to start flying the MAX without simulator training. That training would have been required if there were substantial safety differences between the models, boosting the plane’s cost to airlines since training cuts into time flying paying passengers.

“Our marching orders are no training impact on this airplane. Period,” Richard Reed, a former Federal Aviation Administration engineer, recalled a senior Boeing official telling him during a meeting in the early years of the MAX’s development.

The company had promised its biggest customer for the MAX, Southwest Airlines Co., that it would pay it $1 million per plane ordered if pilots needed to do additional simulator training, according to Rick Ludtke, a Boeing engineer who worked on the jet’s cockpit systems, and another person who had been involved in the airplane’s development.

Related: Boeing's 737 MAX (Photos)

A Boeing spokesman said the design and certification of MCAS, including reliance on pilots as the ultimate safety net, were part of a methodical six-year effort that followed accepted industry practices. He also said overall approval of the MAX met “stringent standards and requirements” set by federal regulators.

“We will continue to learn from the reviews and the lessons from these accidents to continue improving safety,” the spokesman said, citing the continuing investigations.

In trying to get the MAX flying again, Boeing will now rely on two sensors, give pilots information it had withheld about the existence of MCAS and lessen the system’s authority. It will also turn on safety alerts that had operated in only a small number of the planes and make emergency procedures no longer dependent upon textbook pilot reactions.

The FAA is reassessing some of its key assumptions. The agency said certification procedures are “well-established and have consistently produced safe aircraft designs,” but it is rethinking reliance on average U.S. pilot reaction times as a design benchmark for planes that are sold in parts of the world with different experience levels and training standards.

Boeing began developing the MAX in 2011 as bitter rival Airbus SE began making inroads with its A320neo. Boeing, needing a fuel-efficient single-aisle airliner to avoid losing market share, rushed to lock in deals before its board approved building the jet.

To use less fuel, the design called for larger engines that would be moved forward and higher than in the previous model. The changes affected how the plane handled, though. Its nose pitched up in certain high-altitude conditions, risking a stall, the term for a sudden loss of force called lift that keeps planes aloft.

Engineers developed MCAS, which stands for Maneuvering Characteristics Augmentation System, to manage that. The system operated behind the scenes, pushing down the plane’s nose by moving the horizontal stabilizer on the tail by small increments of 0.6 degree.

Boeing officials were focused on making the MAX fly as similarly as possible to earlier 737s. The fewer differences, the less likely the FAA would require pilots to undergo retraining.

Mr. Ludtke, the former Boeing cockpit engineer, said company managers put pressure on engineers to avoid tweaks in designs that could result in pilots needing to learn new maneuvers in a simulator.

At one point around 2013, Boeing officials fretted the FAA would require simulator training, the person involved with the plane’s development said. But the officials, including chief MAX engineer Michael Teal, opted not to work with simulator makers to simultaneously develop a MAX version because they were confident the plane wouldn’t differ much from earlier 737s.

© Getty “It was a high-stakes gamble,” this person said.

The Boeing spokesman said that as with any new version of an existing airplane, minimizing differences was a goal for the MAX. “But this design objective was only that—an objective—and was always subordinate to other requirements, including safety.” Boeing always had a plan to help develop a MAX simulator and didn’t delay it out of concerns the FAA might require pilot training, he said.

Some Boeing engineers who worked on the MAX said MCAS wasn’t seen as an important part of the flight-control system. They focused on other functions they deemed to be more critical to safety, such as an auto-landing system.

In meetings with Boeing officials at an FAA office in the Seattle area around 2013, the plane maker described the system as simply a few lines of software code, according to Mr. Reed, the former FAA engineer who participated in those discussions.

The company outlined how a single sensor that measured the angle of the plane’s nose would trigger MCAS, Mr. Reed recalled, but argued a failure wasn’t likely and the system would kick in only in extreme conditions.

“Let’s quit messing around about the chances of this happening being rare,” Mr. Reed remembered saying. “If it can happen, it’s going to happen.”

Boeing assigned MCAS a technical-hazard rating of “major” during everyday operations, meaning its failure was unlikely to result in death or the loss of the plane. Multiple sensors aren’t required by the FAA for that designation, on the assumption that the crew could handle any failure. Boeing said another sensor would have added unneeded complexity. Other systems on earlier 737s relied on single sensors, according to former Boeing engineers and others familiar with the designs.

The Boeing spokesman said a single sensor “satisfied all certification and safety requirements,” and potential additional training wasn’t considered when assessing MCAS hazards.

A Boeing 737 MAX airplane is stored on an employee parking lot adjacent to Boeing Field © Getty A Boeing 737 MAX airplane is stored on an employee parking lot adjacent to Boeing Field From the start, safety-assessment documents Boeing provided to the FAA assumed pilots would be able to handle misfires.

Regulators endorsed that determination, along with the single sensor. The FAA certification rules under which the MAX was allowed to fly assume pilots react correctly to certain emergencies 100% of the time.

As part of its calculus, Boeing decided it didn’t need to tell cockpit crews about MCAS or how it worked. During early design phases, Boeing referred to the system by name in a draft manual, parts of which were reviewed by the Journal, and explained generally what it was supposed to do. Those references disappeared before it was issued to airlines.

The company reasoned that pilots had trained for years to deal with a problem known as a runaway stabilizer that also can force the nose of the plane to dip. The correct response to an MCAS misfire was identical. Pilots didn’t need to know why it was happening.

Late in the design process, however, Boeing gave MCAS greater authority. Test pilots for the company and FAA discovered that the MAX’s controls didn’t stiffen as needed during certain lower-speed maneuvers, according to people familiar with the MCAS design. They suggested MCAS be expanded to work at lower speeds so the MAX could meet FAA regulations, which require a plane’s controls to operate smoothly, with steadily increasing amounts of pressure as pilots pull back on the yoke.

Related: Lion Air crash in pictures (Photos)

To adjust MCAS for lower speeds, engineers quadrupled the amount the system could repeatedly move the stabilizer, to increments of 2.5 degrees. The changes ended up playing a major role in the Lion Air and Ethiopian crashes.

After increasing the system’s potency, though, Boeing didn’t submit a new safety assessment to the FAA, according to people familiar with the matter. While a top FAA pilot knew about the changes, other officials were in the dark and some now say an updated safety assessment could have provided a chance to find problems.

The system’s evolution and lack of an updated safety assessment were earlier reported by the Seattle Times. The FAA has said Boeing wasn’t required to update the document.

The assumptions about pilot reaction stayed the same even though a misfire could now lead to a fatal battle between pilot and machine.

© Getty The Boeing spokesman said engineers determined the changes didn’t affect the overall hazard assessment, saying the company briefed the FAA and international regulators on MCAS, including its final configuration, several times.

Those specifics, including the system’s expanded authority at lower speeds, were mentioned in a letter and in a number of Boeing presentations to FAA officials monitoring the MAX, according to people briefed on the communications. But senior FAA officials in Washington weren’t told, and many others inside the agency continued to depend on Boeing’s initial descriptions of MCAS.

FAA training experts, unaware MCAS had been made more potent, ultimately decided the MAX’s handling characteristics were close enough to those of previous 737s that pilots could learn changes in a few hours on a laptop or tablet. It went into service in 2017.

Southwest Airlines, the jet’s first and biggest customer, followed Boeing’s lead and deleted MCAS from the manuals and emergency procedures it devised for its pilots. Other carriers didn’t mention it, either.

On Oct. 28, 2018, an alarm called a stick shaker went off on a Lion Air 737 MAX flight from Denpasar, Indonesia, to Jakarta, causing one of the pilots’ controls to vibrate heavily, warning of an aerodynamic stall.

MCAS pushed down the plane’s nose. Faulty data from a malfunctioning sensor had set off a false-stall alarm and caused MCAS to misfire.

The puzzled cockpit crew checked a quick reference handbook, running through other emergency steps before successfully regaining control of the plane by executing the checklist for a runaway stabilizer. That turned off MCAS and the crew flew manually for the rest of the trip.

Indonesian aviation officials said the pilots had difficulty finding a solution because they had trouble diagnosing the problem. “It’s instinct. Not in the book,” said Avirianto, the Transportation Ministry’s director of airworthiness and aircraft operations, who uses one name, like many Indonesians.

The cockpit crew and mechanics didn’t note the severity of the issue in maintenance logs. The next day, the same aircraft took off from Jakarta as Lion Air Flight 610 with the faulty sensor.

The flight crew immediately faced the same problem. The nose repeatedly pushed down. The crew counteracted the system some two dozen times, using thumb switches on the controls. But the pilots never ran the full emergency procedure that would have turned off MCAS.

After 11 minutes in the air, the crew lost control, and the plane crashed into the sea.

Several days after the crash, Kevin Greene, the FAA’s chief engineering test pilot for the MAX, told about a dozen agency officials on a conference call that MCAS was suspected of having played a role in the accident, according to a person familiar with the agency’s response.

“What’s MCAS?” one FAA official asked, according to people familiar with the call. The FAA declined to make Mr. Greene available for comment.

Agency officials were surprised to learn documents on file at its Seattle-area office failed to mention how the souped-up version of MCAS worked, according to people familiar with the matter. Those papers described MCAS as having one-fourth the control it now had and made no mention that it fired repeatedly.

Around the same time, an internal FAA assessment determined the brawnier MCAS posed an unreasonably high safety risk, one that could result in a similar malfunction on another MAX within months.

Boeing decided for the first time to detail MCAS’s function in a bulletin to airlines. The manufacturer and the FAA also reminded pilots of the emergency procedure. This was supposed to buy Boeing time to work on a permanent solution: a software fix that would include comparing data from both onboard sensors.

Despite the confusion that enveloped the Lion Air cockpit, FAA leaders still backed Boeing’s reliance on swift, unerring pilot response, according to an FAA official who was part of the deliberations. The company and the FAA assured the public the MAX was meanwhile safe to fly.

In the weeks after the crash, outside pilots, FAA officials and U.S. safety investigators were brought in to help Boeing engineers recheck their assumptions about pilot response, people familiar with the matter said.

Simulator tests revealed that an MCAS misfiring produced more alarms than pilots would see with a typical runaway stabilizer, the person familiar with the FAA response said.

What surprised FAA officials, this person said, was a demonstration that showed what happened if pilots failed to take action as expected under Boeing’s design assumptions—more than two MCAS misfires could push the plane’s nose down so much that it became uncontrollable and likely to end in catastrophe.

“It made us realize that this was pretty serious,” the person said.

Still, the pilots in those simulator sessions responded as expected, people familiar with the results said, executing Boeing’s emergency procedure properly and in time.

© Getty “Nobody…walked away saying, ‘There’s a mistake here,’” one of the people familiar with the MCAS design said. Still, the tests left company officials with the feeling: “OK, we see that that is confusing, and somehow we got two flight crews who responded differently than we would have expected.”

The FAA agreed no urgent changes were required. The MAX fleet kept flying without restrictions or additional pilot training.

Historically, Boeing’s engineering philosophy has put aviators at the center of every new design—ensuring pilots could override computer commands—while simultaneously embracing automation to reap the safety benefits. The year before the Lion Air crash was the safest world-wide in the history of commercial air travel. U.S. airlines suffered a single passenger fatality over roughly a decade.

From 747 jumbo jets in the 1970s through the latest wide-body 777 and 787 models, the concept thrived. Boeing prided itself on building airliners that allowed crews to overcome almost any automated function without having to take extra steps to disable underlying systems. Even as automation helped pilots cope with problems from engine failures on takeoff to excessive speed during landings, they retained ultimate control.

Since the late 1990s, though, U.S. accident investigators have recognized that real-world reactions by pilots don’t always measure up to FAA expectations.

“No consideration is…given to imperfect human performance,” Benjamin Berman, a former National Transportation Safety Board staffer who investigated the 1994 crash of a USAir 737 near the Pittsburgh airport, argued in a 2003 paper.

FAA rules typically assume “the human will intervene reliably every time,” Mr. Berman added, calling it “an unrealistic assumption for human performance.”

In 1996, an FAA study of a subset of experienced propeller-plane pilots found that only one out of 26 reacted to a similar stabilizer emergency within four seconds.

A 2008 study for the FAA, one of the most recent, found commercial pilots in simulator tests sometimes became confused when confronted with unfamiliar failures and reiterated that certification standards were unrealistic.

There are many accidents where “pilots theoretically should have been able to save the day, but they took the wrong action, or no action,” said Tony Lambregts, a retired FAA engineer who studied the interaction between people and machines.

Boeing compounded the problem with the MAX, he said, by initially not notifying pilots MCAS existed. “The pilots were hopelessly unprepared to deal with that,” Mr. Lambregts said. “They hadn’t been adequately instructed and trained for it.”

One thing Boeing failed to account for, pilots and some FAA officials said, is that there are different methods for straightening up a jetliner whose nose is pointed too far down. Some pilots use switches on the controls in different ways, and many may instinctively pull back on the yoke to bring the nose up.

In earlier 737s, pulling back on the yoke also turned off a different automated flight-control system and allowed the pilots to manually fly. Boeing didn’t tell pilots that the MAX was different: When they pulled back on the controls, the nose could rise, but it didn’t shut off MCAS, which could keep misfiring, pushing the nose down. MCAS’s design required the change, according to people familiar with the matter.

As details of the Lion Air crash trickled out, pilots pressed Boeing about why they had been kept in the dark.

In late November, Boeing officials, including Mike Sinnett, the vice president for product strategy, Craig Bomben, a senior pilot, Allan Smolinski, sales director for the Americas, and John Moloney, director of transportation policy, visited American Airlines’ pilot union in Fort Worth, Texas.

The pilots wanted to know why Boeing had excluded MCAS from their manuals, except for a mention in the glossary, when they were expected to be the ultimate, non-automated backstop for the system.

“We are the human element,” Capt. Mike Michaelis, then-chairman of the union’s safety committee, told them, according to a recording.

© Getty Mr. Sinnett asked the pilots why they needed to know whether MCAS or another problem was pushing down the plane’s nose.

“We struggle with this,” Mr. Sinnett said. “If there are three or four or five things that could cause a runaway stabilizer, why do you need to know which one it is before you operate the procedure?”

“This particular one is masked by so many other distractions,” one pilot responded. “I think it’s very unique.”

With no mention of MCAS, or the ways it could fail, in the manual, many pilots might have a difficult time coming up with the correct response in an emergency.

Four months after the meeting, Ethiopian Airlines Flight 302 would prove the point in deadly fashion.

In warning airlines about MCAS after the Lion Air crash, Boeing and the FAA made note of the alerts that could help diagnose a malfunction, including one alert that was a feature on earlier 737 models, called the “AOA Disagree.”

It was supposed to tell pilots when the MAX’s two “angle-of-attack” sensors showed different readings. Even though MCAS used data from only one, other onboard systems could compare both and warn pilots.

“Please be informed that if there are any other associated message like AOA DISAGREE or there is an airspeed difference the runaway stabilizer checklist must be done first before proceeding to the other checklists,” Capt. Theodros Asfaw Tilahun, a management pilot for Ethiopian Airlines, emailed colleagues on Nov. 8, shortly after the Lion Air crash.

Trouble was, that alert feature wasn’t activated on MAX jets operated by Ethiopian and many other airlines. A contractor had made mistakes in software meant to activate them, but Boeing had told only certain airlines.

Boeing, which maintains the alerts aren’t critical safety items, instead billed them as part of an optional package. The Boeing spokesman said Ethiopian didn’t purchase it, noting that one of the plane maker’s bulletins, after the Lion Air crash, indicated the alerts would only work with that package. The airline didn’t respond to requests for comment.

Among the recipients of the email about the nonexistent alert was Mr. Getachew, the captain who wrestled with a misfiring MCAS on March 10. During that desperate struggle, the crew turned off MCAS, only to later switch it back on.

About five minutes after takeoff, the doomed 737 MAX slammed into the brown earth of a farm near Bishoftu, Ethiopia, at more than 550 miles an hour.


A visit to the world's tiniest nation (The Atlantic)

How the 'neithers' could decide Northern Ireland's political fate (The Guardian)

Opinion: Obama warned Trump but he didn't listen (The Atlantic)

Why these gay penguins and their hope for a baby have captured the world's attention (The New York Times)


More from The Wall Street Journal

image beaconimage beaconimage beacon