A string of missteps may have made the Boeing 737 Max crash-prone

As airlines and safety regulators worldwide scramble to understand why two Boeing 737 Max 8 jets crashed in chillingly similar accidents, more indications are pointing to how an automated anti-stalling system may be linked to the model’s unusually deadly debut.

The safety feature—the Maneuvering Characteristics Augmentation System (MCAS)—appears to have sent both planes into their fatal dives as pilots struggled to keep aloft. The 737 Max 8 and 9 were grounded by regulators around the world last week.

• Indian Railways has earned $3 million in just parking charges from taxi aggregators

Here are key details that have been reported—most significantly by the Seattle Times—about a series of engineering, regulatory, and political missteps that preceded software being installed on a widely used plane without pilots apparently fully understanding its risks.

New planes, no new training

Boeing designed the 737 Max 8 to be similar enough to existing 737s that it could keep the same “type rating”—meaning, as the Times reported, that pilots who already flew 737s wouldn’t have to be retrained on a new plane and airlines would save a lot of money.

• US employers, Indian employees—everybody wants a piece of Canada

Yet the Max 8 is different from previous 737s in one major way: It has larger engines placed farther forward on its wings. The new design increased the risk that the plane could stall if pilots angled the nose too high. To counteract this risk, Boeing introduced the MCAS, which automatically nudges the nose down if onboard sensors detect that the plane risks stalling.

The software is designed to work automatically and only in extreme situations. Boeing decided pilots didn’t need any new training to understand MCAS. In fact, they didn’t even mention the system in flight manuals. Dennis Tajer, spokesman for the American Airlines pilots union, told Quartz that the training prior to the Lion Air crash for pilots qualified to fly the 737-800 amounted to “an iPad lesson for an hour.”

Tug-of-war at the stick

When the MCAS activates, it automatically tilts the horizontal tail at the back of the plane, lifting up the rear of the plane and nudging the nose down. If the system gets triggered erroneously—and the plane dives for no reason—a pilot can pull back on the control column to lift the nose up again.

But every time a pilot straightens the plane out, the MCAS resets. That means the system can be triggered again, nudging the nose down and forcing the pilot to once again yank on the control column to set the plane back on track.

Preliminary findings from the black box of the Lion Air flight show that the pilot and the MCAS repeated this tug-of-war cycle 21 times in the minutes before the crash.

Failure of FAA oversight

The US Federal Aviation Administration (FAA), along with European aviation regulators, sets the tone for much of the world’s flight safety standards. The FAA has delegated many of its safety inspections to airplane manufacturers like Boeing, claiming that the agency doesn’t have the budget to complete all the work itself.

Boeing did much of the work of certifying that the 737 Max 8 was safe to fly. In fact, the Seattle Times reports that FAA managers pressured safety engineers to delegate more and more of the safety analysis to Boeing to get the plane approved faster. In some cases, FAA engineers didn’t even read the technical documents Boeing sent them—managers delegated the task of reviewing Boeing’s findings back to Boeing. The task of reviewing the safety of the MCAS fell to Boeing.

Today (March 18), the Wall Street Journal and Bloomberg reported that US federal authorities are weighing a criminal probe into how the 737 Max was cleared to fly. Both cited anonymous sources confirming what would be a highly unusual prosecution.

Underestimating the MCAS risk factor

The safety analysis that Boeing and the FAA collaborated on concluded that a faulty activation of the MCAS under extreme flight conditions would be a “hazardous failure”—meaning it could cause serious or fatal injuries to a few passengers, the Seattle Times reported. The analysis stopped short of the “catastrophic failure” classification that predicts a total loss and many deaths.

In anticipation of a “hazardous failure,” planes are supposed to rely on sensors that have less than a one-in-10- million chance of failing. Generally, that means taking measurements from two sensors.

The 737 Max 8 does have two sensors onboard to measure its “angle of attack,” the measure of the angle between its wings and the flow of air that determines a plane’s risk of stalling. Boeing designed the MCAS to only use readings from one of the sensors. Black box data from the Lion Air crash shows that readings from the two angle-of-attack sensors differed by 20 degrees even while the plane was taxiing on the runway, indicating that the instruments were faulty from the start.

Warning lights optional

Boeing designed a warning light that would alert pilots when the sensors measuring their plane’s angle of attack differed widely, which would give notify them of a faulty MCAS activation.

The manufacturer does not install the warning light as a standard feature on the 737 Max 8. Airlines have to pay extra for it.

Ceding more control to the computer

The safety analysis Boeing sent to the FAA reported that the MCAS could only move the plane’s horizontal tail 0.6 degrees (out of a physical maximum of a little less than five degrees). But during later flight tests, Boeing discovered that 0.6 degrees of movement wasn’t enough to avert a high speed stall, the Seattle Times reported. Boeing eventually increased the limit to 2.5 degrees.

Despite quadrupling the amount that the MCAS could move the plane’s tail, Boeing never updated the documents it sent to the FAA. FAA engineers only found out about the change after the Lion Air crash, when Boeing sent a notice to airlines explaining how the system worked.

“The FAA believed the airplane was designed to the 0.6 limit, and that’s what the foreign regulatory authorities thought, too,” an FAA engineer told the Times. “It makes a difference in your assessment of the hazard involved.”

US government shutdown delays a software fix

After the Lion Air crash in October 2018, Boeing promised a software patch to make the MCAS safer by January. The fix has since been delayed until April, the Wall Street Journal reported, because of “engineering challenges,” “differences of opinion” between federal and Boeing officials, and the record 35-day US government shutdown, during which “consideration of the fixes was suspended.”

The 61,000-member pilots’ association sounded the alarm in a Jan. 2 letter to Donald Trump, warning that during a shutdown, “there are also airline and aircraft manufacturing oversight activities that either stop or are significantly reduced. These safety and oversight inspections will potentially allow for the introduction of safety issues that put passengers and airline crews at risk.”

Boeing’s proposed solution

Yesterday (March 17) Boeing unveiled a plan for “a flight control software enhancement for the 737 MAX” that has been in the works since the Lion Air crash.

With the new software patch, the MCAS will take readings from both angle-of-attack sensors. The software won’t be able to move the plane’s horizontal tail as far, and when activated, it will only nudge the nose down once.

Boeing also plans to train pilots on the system and mention the MCAS in flight manuals.

Read more of Quartz’s coverage of the Boeing 737 Max crisis.

Sign up for the Quartz Daily Brief, our free daily newsletter with the world’s most important and interesting news.

More stories from Quartz:

• Why Trump’s Golan Heights move should worry India and Taiwan

• What the Viking Sky cruise evacuation tells us about cruise ship safety