aerospace · 2011–2020 · The Boeing Company / FAA
Boeing 737 MAX & MCAS
How cost-driven scope decisions on a derivative-airframe certification program compounded into two fatal accidents.
13 min read · 5 sources cited
// background
In 2011, Boeing announced the 737 MAX — a re-engined derivative of its 737NG family — in response to Airbus's launch of the A320neo. The commercial logic was tight: airlines wanted a more fuel-efficient narrowbody, Airbus had moved first, and Boeing's incumbent 737 customers expected a same-type-rating successor that pilots could fly without major retraining. Boeing committed to its launch customers that the MAX would not require simulator training to transition from the 737NG. That commitment, made early, framed nearly every subsequent program decision.
The MAX's larger LEAP-1B engines did not fit under the 737's low wing in the same position as the previous CFM56s. Boeing moved them forward and slightly upward. The new mounting changed the aircraft's pitching behaviour at high angles of attack: under certain conditions the nose would tend to pitch up more aggressively than the NG. To preserve the NG's handling characteristics — and so preserve the same-type-rating commitment — Boeing added a software system called the Manoeuvring Characteristics Augmentation System (MCAS), which would automatically trim the stabiliser nose-down when sensors indicated a high angle of attack.
In its initial design MCAS was authorised to apply small trim inputs based on multiple sensor inputs. During development, its authority was expanded substantially and its activation was wired to a single angle-of-attack sensor, with no cross-check against the second sensor on the aircraft. The change was not communicated to airlines or pilots; the FAA's certification process did not re-evaluate MCAS at its expanded authority. The system was not described in the flight crew operating manual.
On October 29, 2018, Lion Air Flight 610 crashed into the Java Sea shortly after takeoff from Jakarta, killing 189 people. On March 10, 2019, Ethiopian Airlines Flight 302 crashed near Bishoftu six minutes after takeoff from Addis Ababa, killing 157. In both accidents, a single-sensor angle-of-attack failure triggered MCAS into a repeated nose-down trim cycle that the crews could not arrest. 346 people died across the two flights. The fleet was grounded worldwide on March 13, 2019, and remained grounded for 20 months.
The case has been investigated more thoroughly than almost any other modern engineering program. The FAA's Joint Authorities Technical Review (JATR) report, the U.S. House Transportation & Infrastructure Committee's final report, the NTSB's safety recommendations, and the Indonesian KNKT final report on Lion Air 610 are all public. The findings are unusually consistent across the four investigations and form the basis of this case.
// the decisions
1. Whether to position MAX as a 737 derivative or as a new airframe
2011. Airbus launches the A320neo and signs major customers within months. Boeing's choice is between (a) launching a clean-sheet narrowbody, which would take ~10 years and cost ~$15B, or (b) re-engining the existing 737 as a derivative, which keeps the same FAA type certificate, allows existing 737 pilots to fly it without simulator training, and ships in roughly half the time at a fraction of the cost. Launch customers, particularly Southwest, signal strongly that they want a same-type-rating successor.
options on the table
- A. Clean-sheet narrowbody — full new certification, simulator-required transition, multi-year delay vs. Airbus.
- B. 737 MAX as a derivative under the existing type certificate, with a contractual commitment to launch customers that no simulator training would be required.
- C. Derivative airframe with simulator training required — would have lost the same-type-rating advantage but kept full certification scope on hand-flying behaviour.
what they actually did
Boeing launched the 737 MAX as a derivative under the existing 737 type certificate. Internal documents later released to congressional investigators show that 'no simulator training' was treated as a hard requirement that downstream design and disclosure decisions were measured against. The commitment was reportedly worth ~$1M per aircraft to Southwest alone in avoided training cost.
consequence
The 'no simulator training' commitment became the program's load-bearing constraint. As MCAS evolved during development to address the new pitching behaviour, the reflex was to keep its existence and authority below the threshold that would trigger a training requirement. The House Committee's 2020 report found that the same-type-rating commitment 'directly influenced multiple decisions that compromised safety,' including the decision not to disclose MCAS to pilots.
lesson
When a program has a single non-negotiable commercial commitment, every downstream technical decision gets pulled toward it whether the team realises it or not. The PM's job is to identify the load-bearing commitment early and ask, openly, what it is allowed to override. If 'no simulator training' is allowed to override 'pilots are told what new automation is on the plane', the commitment is mispriced.
2. Expanding MCAS authority and tying it to a single AoA sensor
2012–2016. During flight testing, Boeing engineers find that MCAS as originally specified is insufficient to make the MAX's high-AoA behaviour match the NG's. The system's authority is increased — the maximum stabiliser trim deflection per activation grows roughly fourfold over the program — and its activation is simplified to depend on a single AoA vane rather than cross-checking both. The change is documented internally but is not flagged to the FAA's certification team as a safety-significant change to the System Safety Analysis.
options on the table
- A. Keep MCAS at low authority and accept that more substantial pilot training (potentially simulator) might be required.
- B. Expand MCAS authority and require dual-sensor activation as a basic redundancy precaution.
- C. Expand MCAS authority and keep single-sensor activation, treating MCAS failure modes as covered by existing 'runaway stabiliser' procedures.
what they actually did
The third option. MCAS authority was expanded; activation remained dependent on a single AoA sensor; and the System Safety Analysis was not refiled to reflect the change. The JATR review later found that 'the system safety assessment for MCAS did not adequately account for' the failure modes that the expanded version actually had.
consequence
When AoA sensors failed in flight — as they did on Lion Air 610 (a sensor mis-installed during prior maintenance) and Ethiopian 302 (a bird strike) — the single failure cascaded into repeated, increasingly aggressive nose-down trim inputs that the crews struggled to counteract. The Indonesian KNKT report on Lion Air 610 identified nine contributing factors; the single-sensor architecture and the absence of crew awareness of MCAS were prominent among them.
lesson
Authority limits on automation should be a tracked safety property, not a design knob. When the authority of a system grows during development, the safety analysis has to be re-baselined — and the team that owns the analysis has to be empowered to halt the change if the new authority isn't justified. The compounding error in MCAS wasn't any single change; it was that no one re-asked the safety question after the authority changed.
3. Whether to disclose MCAS to airlines and pilots
2016–2017. MCAS exists, has been expanded, and is now load-bearing for the MAX's handling certification. The flight crew operating manual and pilot training materials are being finalised. Boeing's internal communications, later released by the House Committee, show explicit discussion of whether MCAS should be described to pilots — with the dominant concern being that adding it to the manual or training would trigger a simulator-training requirement and break the launch-customer commitment.
options on the table
- A. Document MCAS fully in the FCOM, brief airlines, and accept whatever training requirement emerges from the FAA review.
- B. Document MCAS in maintenance manuals only (not in pilot-facing materials), on the theory that pilots would handle MCAS failures via the existing 'runaway stabiliser' procedure.
- C. Do not document MCAS at all in any pilot-facing materials.
what they actually did
The second option, in practice approaching the third. MCAS was not described in the pilot-facing FCOM or training materials at entry into service. Most airlines learned of MCAS's existence only after the Lion Air 610 accident in October 2018.
consequence
The Lion Air 610 and Ethiopian 302 crews were responding to a system whose existence and behaviour they had not been briefed on. Both crews recognised they had a stabiliser trim problem; neither had a mental model that MCAS was driving it. The House Committee report concluded that 'the lack of pilot awareness of MCAS was a critical and contributory factor.' 346 people died.
lesson
Disclosure decisions about safety-relevant system behaviour are not marketing calls. The question 'does the operator need to know this is on the plane?' has only one defensible default — yes. Reasoning that points to no — 'the existing emergency procedure covers it', 'it would trigger training requirements' — is the kind of reasoning that, once an incident happens, is legible to investigators as a chain of decisions made against safety. The PM lesson is structural: a disclosure call that interacts with a commercial commitment should be elevated, in writing, to a level senior to both functions, not adjudicated within the program team.
4. How the FAA delegated certification work back to Boeing
Throughout the MAX certification, large portions of compliance work were performed by Boeing employees acting under the FAA's Organization Designation Authorization (ODA) program. ODA delegation is standard FAA practice and is intended to leverage manufacturer expertise. The JATR review found that on the MAX, ODA-delegated personnel reviewing safety-critical systems experienced 'undue pressure' from Boeing program management, and that the FAA's own oversight of the delegated work was thin — particularly on changes (like MCAS's expanded authority) that occurred late in the program.
options on the table
- A. FAA performs the safety analysis review directly with its own engineers (slower, requires staff capacity the FAA did not have).
- B. FAA continues ODA delegation but installs structural safeguards: independent reporting line for ODA personnel, mandatory FAA re-review of authority/scope changes mid-program.
- C. FAA continues ODA delegation under its existing process, relying on Boeing's internal safety culture to catch issues.
what they actually did
The third. ODA delegation continued under existing process. The JATR explicitly found that the FAA was not aware of the late-program expansion of MCAS authority and would have wanted to re-evaluate it had it been informed.
consequence
Post-grounding, the JATR and the House Committee both recommended structural changes to ODA delegation, including independent reporting for delegated safety personnel and mandatory FAA re-review of scope changes. The Aircraft Certification, Safety, and Accountability Act (2020) implemented elements of those recommendations into law.
lesson
Delegated oversight only works if the delegate has independence from the program timeline. When the people performing safety-critical reviews report into the same program leadership pressuring schedule and scope, the review function is structurally compromised — even when individual reviewers are competent and act in good faith. PMs running programs with delegated assurance functions (audit, security review, safety review) have to keep the assurance function's reporting line outside the program management hierarchy.
// what to take away
- 01 The MAX is not a story about a single bad decision. The JATR, the House Committee, the NTSB, and KNKT all describe a chain of individually-defensible decisions that compounded — and the chain ran through commercial commitments, certification scope choices, system-authority expansion, and disclosure decisions, in that order.
- 02 The 'no simulator training' commitment to launch customers was the program's load-bearing constraint. Once it was treated as non-negotiable, every downstream design and disclosure decision was filtered through whether it would trigger training. The case is the canonical example of how a commercial commitment quietly becomes a safety constraint.
- 03 Authority limits on automation should be tracked safety properties, not implementation details. When MCAS's authority expanded during development, the System Safety Analysis was not re-baselined — the JATR specifically identifies this as the failure that allowed the single-sensor architecture to remain.
- 04 Delegated assurance (ODA, internal audit, security-review boards) only works if the assurance function reports outside the program. The post-grounding legislation explicitly addressed this. PMs in any industry with delegated review functions should treat the reporting-line question as a first-order safety control.
- 05 The grounding cost Boeing roughly $20B in direct losses and far more in long-term position vs. Airbus, with a near-50/50 narrowbody market shifting decisively toward the A320neo family. The lesson is that the cost of a corner-cut on a safety-relevant disclosure or scope decision is, in expectation, far higher than the cost of surfacing the trade.
// timeline
- Aug 30, 2011: Boeing launches the 737 MAX as a derivative airframe; 'no simulator training' commitment to launch customers is part of the launch package.
- 2012: MCAS introduced into the design to address high-AoA pitching behaviour.
- 2016: MCAS authority expanded during flight test; activation tied to a single AoA sensor.
- Mar 8, 2017: FAA grants amended type certificate to the 737 MAX 8.
- May 22, 2017: First commercial 737 MAX delivery (to Malindo Air).
- Oct 29, 2018: Lion Air Flight 610 crashes into the Java Sea. 189 fatalities.
- Mar 10, 2019: Ethiopian Airlines Flight 302 crashes near Bishoftu. 157 fatalities.
- Mar 13, 2019: FAA grounds the 737 MAX after most other regulators have already grounded it.
- Oct 11, 2019: JATR report released, identifying systemic findings on MCAS, ODA, and certification process.
- Oct 25, 2019: KNKT (Indonesia) releases the final accident report on Lion Air 610.
- Sep 16, 2020: House Transportation & Infrastructure Committee final report released.
- Nov 18, 2020: FAA rescinds grounding order; MAX cleared to return to service after software, training, and certification changes.
- Dec 27, 2020: Aircraft Certification, Safety, and Accountability Act signed into law.
// sources
- Joint Authorities Technical Review: Observations, Findings, and Recommendations — FAA / international civil aviation authorities, 2019
- Final Committee Report on the Design, Development & Certification of the Boeing 737 MAX — U.S. House Committee on Transportation and Infrastructure, 2020
- Aircraft Accident Investigation Report KNKT.18.10.35.04 — PT. Lion Mentari Airlines, Boeing 737-8 (MAX); PK-LQP — Republic of Indonesia, National Transportation Safety Committee (KNKT), 2019
- Safety Recommendations to the Federal Aviation Administration (A-19-10 through A-19-16) — U.S. National Transportation Safety Board, 2019
- Aircraft Certification, Safety, and Accountability Act (Pub. L. 116-260, Div. V) — United States Congress, 2020