What MCAS Was Actually Designed to Do
The Boeing 737 MAX story has gotten complicated with all the noise flying around — blame shifting, litigation coverage, congressional theater. But strip it back and you find something simpler: a real aerodynamic problem, a genuine engineering solution, and a catastrophic miscalculation about what pilots needed to know.
As someone who’s spent years reading NTSB reports and accident investigation files, I learned everything there is to know about how automation failures actually unfold in cockpits. Today, I will share it all with you.
But what is MCAS? In essence, it’s a software system that automatically pushes the nose of the aircraft down during certain flight conditions. But it’s much more than that — it was Boeing’s answer to a physics problem nobody wanted to acknowledge publicly.
Here’s the aerodynamic reality. CFM International’s LEAP-1B engines — bigger, heavier, more fuel-efficient than the CFM56s they replaced — had to mount higher on the wing to clear the ground. That repositioning shifted the center of lift forward. At high angles of attack, when the nose pitches steeply upward, the 737 MAX wanted to keep pitching upward even more aggressively. In slow-speed edge cases, recovery felt wrong. The plane resisted.
Frustrated by the prospect of retooling an entire type rating and retraining thousands of pilots from scratch, Boeing engineers built MCAS — the Maneuvering Characteristics Augmentation System — using existing stabilizer trim hardware and new activation logic. The system automatically trims the horizontal stabilizer nose-down during high angle-of-attack events, mimicking how the original 737 NG handled. Pilots wouldn’t notice it was there. That was the design goal.
That phrase. Pilots wouldn’t notice. Remember it.
Mechanically, MCAS pulled data from a single angle-of-attack sensor mounted on the fuselage — one sensor, not two. When that sensor reported a high AoA reading, MCAS commanded a 2.5-degree stabilizer trim input every 5 seconds, up to a 10-degree maximum. Pilots could override it by pulling back on the yoke or pressing the electric trim switches. Standard redundancy, at least on paper.
Except nobody told pilots MCAS existed. Not in the flight manual. Not in the quick reference handbook. Not on a type-rating exam question. Transition courses from the 737 NG to the MAX didn’t mention it. Airlines received aircraft without documentation acknowledging the system operated at all.
That wasn’t an oversight. It was a deliberate regulatory strategy — one built on assumptions that collapsed catastrophically in the Java Sea.
How the System Failed on Lion Air 610 and Ethiopian 302
Lion Air Flight 610 departed Jakarta on October 29, 2018. Thirteen minutes later it was in the water. Ethiopian Airlines Flight 302 left Addis Ababa on March 10, 2019. Six minutes into the flight, it was gone. Same aircraft type. Same airline variant. Identical failure sequence. 346 people total.
On both flights, a single angle-of-attack sensor malfunctioned — probable causes include pitot-related icing and physical sensor damage — and started feeding the flight computer false data. The aircraft was flying normally at cruise parameters. The sensor said it was in a stall.
MCAS triggered immediately. Autopilot disconnected. The stabilizer began trimming nose-down on its own. The pilots felt the column pushing forward against them and pulled back — obvious response, correct instinct. They fought it. They won briefly. And then, five seconds later, MCAS activated again.
That’s what makes the 5-second interval so brutal. It isn’t a one-time correction. It’s a cycle. The system keeps commanding. The stabilizer keeps moving. The nose keeps going down.
Both crews did reach for the manual trim switches — the documented first line of defense. Here’s what the manuals didn’t explain clearly: at the airspeeds both aircraft had already reached, aerodynamic load on the stabilizer surface exceeds what the manual trim motor can overcome. The switches are geared for slower flight. MCAS was moving faster than the pilots could fight back. On both flights, the crews eventually abandoned manual trim. The stabilizer ran to its limit. The aircraft hit terrain.
The fundamental design failure wasn’t that automation existed. It was that the entire system staked lives on a single sensor with no cross-check requirement.
Where Pilot Response Broke Down
Probably should have opened with this section, honestly — because this is where the conversation gets weaponized and I want to be precise.
Neither crew executed the runaway stabilizer procedure that existed in their quick reference handbook. Two switches. Cutoff. MCAS dies. Pilots hand-fly home. That procedure was available. They didn’t use it in time.
So the question becomes why — and the honest answer involves three things happening simultaneously at 500 feet per minute descent.
Task saturation is real and measurable. An uncommanded nose-down input on an aircraft you’ve flown for fewer than 200 hours, with no documented system to explain the behavior, generates a cognitive load spike that eats through decision cycles in seconds. The pilots knew something was wrong. They didn’t know the name of it. “Runaway stabilizer” is a generic procedure — it doesn’t say MCAS anywhere. Most experienced crews would try manual trim first. That’s the logical step. That’s what the procedure lists first. At high speed, it doesn’t work.
I’m apparently the type who reads the failure mode documentation before trusting a system, and that approach works for me while assuming “invisible automation is safe” never does. Don’t make my mistake of thinking Boeing’s confidence in that assumption was justified. They’d built it into the certification logic itself.
The systemic failure here isn’t personal to either crew. MCAS existed outside the training curriculum by design. Boeing, the FAA, and airlines all agreed it was invisible enough that pilots didn’t need awareness of it. That shared assumption propagated into two crashes before anyone corrected it.
A crew that had studied MCAS activation logic, practiced the runaway stabilizer procedure with MCAS specifically called out, and understood exactly what automation was fighting them — that crew might have recognized the pattern faster. That’s not an excuse for the design. That is an indictment of how the system entered service without the knowledge required to survive it.
What Boeing Changed After the Grounding
The software fix was, in retrospect, obvious. Boeing installed dual angle-of-attack sensors and added cross-check logic requiring both sensors to agree within 5.5 degrees before MCAS can activate. Single-sensor faults no longer trigger the system. Consensus required.
Activation authority dropped from 10 degrees maximum stabilizer trim to 5. Smaller inputs, more recovery time. The electric trim switches now cut MCAS authority completely when pressed — not adding competing commands, but killing MCAS input entirely. One press. Done.
On the EIAS display, pilots now get an “AoA Disagree” alert when the two sensors diverge. That’s information. That’s exactly what the Lion Air and Ethiopian crews never saw.
Training changed too. Every MAX pilot now covers MCAS explicitly — what it does, what triggers it, what an MCAS runaway looks and feels like. The runaway stabilizer procedure now references MCAS by name. It’s not a generic checklist item anymore. That’s what makes the 737 MAX endearing to us aviation safety observers — watching a system actually incorporate hard lessons instead of burying them.
FAA and EASA both mandated these changes before return-to-service approval. The recertification process ran from March 2019 to November 2020 — 20 months of simulator testing, flight validation, and regulatory review across multiple jurisdictions. So, without further ado, let’s look at what came out the other side.
Is the 737 MAX Safe to Fly in 2025
Yes. The numbers support it.
Since return to service in late 2020, the 737 MAX has logged over 25 million flight hours. No hull losses tied to MCAS. More than 4,000 aircraft operating across global routes. That’s not a public relations figure — that’s the accident rate metric the industry actually uses, and it reads zero.
The fixes work because they address the actual failure chain, not a sanitized version of it. Dual-sensor consensus prevents erroneous activation. Reduced authority limits damage if something unexpected still occurs. Trained crews know what they’re dealing with before they climb into the seat.
But here’s what has to stay true going forward: this aircraft is safe because it operates within a specific maintenance and training regimen the FAA and EASA now require and audit. Not inherently foolproof — no aircraft is, including the 777 and the A350. Safe because the failure mode was identified, fixed, and integrated into how operators actually run the airplane day to day.
As someone who’s spent years reading accident investigations, I learned everything there is to know about how safety improvements actually stick — and they stick when automation becomes transparent, when authority gets limited, and when pilots understand what the system is trying to do before something goes wrong at 400 knots.
The 737 MAX went through that process. Painfully. In full public view. The result is an aircraft that pilots understand, that regulators trust, and that passengers can board with the same rational confidence they’d carry onto any modern narrowbody jet.
Two years ago that wasn’t a given. Now it is.
Stay in the loop
Get the latest aviate ai updates delivered to your inbox.