Earlier Versions Of Boeing's MCAS Included Crucial Safeguards That Were Kept Off The 737 MAX

Engineers working on Boeing's 737 MAX flight control system left out key safeguards that were included on an earlier version of the same system used on a military tanker jet, according to the Wall Street Journal.

The MCAS system in question has been determined by investigators to have been the cause of two deadly 737 MAX crashes that killed a total of 346 people. Investigators have implicated the MCAS system in the Lion Air jet crash of October 2018 and the crash of an Ethiopian Airlines jet in March of this year. MCAS stands for the Maneuvering Characteristics Augmentation System.

The engineers responsible for creating MCAS more than a decade ago for the military tanker jet designed the system "to rely on inputs from multiple sensors and with limited power to move the tanker’s nose". This design was to include "deliberate checks" against the system acting in error. 

A person familiar with the matter said:

 “It was a choice. You don’t want the solution to be worse than the initial problem.”

But when the MCAS system was put into the 737 MAX, it relied on input from just one of the plane's two sensors used to measure the angle of the plane's nose. The 737 MAX version was also tougher for pilots to override.

Boeing's coming fix for the 737 MAX is expected to make it more like the one that was initially used in the tanker. Boeing declined to explain the difference between the system on the tanker planes and the 737 MAX. Instead, it just commented:

“The systems are not directly comparable.” 

But the Journal makes it clear that the design contrasts between the two aircraft "highlight how different teams of Boeing engineers wound up including protections on one airplane but not on a later model of another aircraft."

Boeing says that the MAX, with its coming safeguards, will be among "the safest airplanes ever to fly". The new system will rely on two sensors and will fire once - instead of repeatedly - each time it activates.

After the Lion Air crash, military officials had expressed concerns that the tanker, known as the KC-46A Pegasus, would share the same problems as the MAX. An Air Force spokesperson said that senior officials met with Boeing, which confirmed that the tanker's MCAS system complied with military requirements that would prevent a single sensor from causing a system to fail.

The MCAS used for the tanker was developed in the early 2000s. The tanker plane was a military offshoot of Boeing's 767 and included pods on its wings used for refueling. The pods also added lift and would cause the tanker's nose to pitch up in some conditions. The MCAS software was designed to automatically push down on the tanker's nose if necessary, helping the tanker meet FAA standards.

One key difference between the old system and the new one is that the system on the tanker moves the plane's horizontal stabilizer once per activation and not repeatedly. 

Tanker engineers also gave the MCAS system "limited power" to nudge the plane's nose down to ensure specifically that pilots would be able to recover if the system accidentally pushed the plane into a dive. This means that the MCAS system had little authority over the stabilizer, which made it easier for pilots to counteract. 

Large new fuel efficient engines used on the 737 MAX had a similar effect to the pods on the tanker: they caused the plane's nose to pitch up in certain extreme flight conditions, endangering the plane's ability to win FAA certification. 

Again, MCAS was suggested by engineers as a possible solution. And Boeing said that a single "angle of attack" sensor was deemed sufficient for the MAX MCAS systems, which would rely on pilots in the event of a misfire:

Boeing said it isn’t aware of any consideration to rely on both sensors that measure the angle of the plane’s nose when its engineers designed MCAS for the 737 MAX. A single “angle of attack” sensor was deemed sufficient, and Boeing has said it complied with safety and regulatory requirements. Other systems on earlier 737s relied on single sensors, former Boeing engineers and others familiar with the designs have said.

Boeing instead relied primarily on pilots as the backstop should that plane’s MCAS misfire. MAX engineers determined pilots would quickly identify an MCAS misfire as an emergency known as a runaway stabilizer, then counteract the system with a longstanding cockpit procedure.

In addition to the extra sensors, the tanker version of the MCAS system allowed pilots to take control and override the system simply by pulling back on controls.

Will Roper, an assistant Air Force secretary who is the branch’s procurement chief, said: “We have better sensor data. But most importantly, when the pilot grabs the stick, the pilot is completely in control.”

On the MAX, however, MCAS was required to remain active even if the pilots pulled back on the control, making it more complicated to stop the system from forcefully and repeatedly pushing down on the nose. 

In the new system, pilots will be able to override MCAS by pulling back on the controls. 

The 737 MAX fleet remains grounded worldwide.