This is a lengthy and detailed explanation of the problem and what Boeing chose to do about it. The writer is both a pilot and a software engineer. There are several important key take-aways here.
The fundamental problem is that in order to re-engine the 737 airframe with the much larger CFM LEAP engine, without making major structural changes to the airframe to increase ground clearance under the wing by changing wing dihedral and/or lengthening the landing gear, Boeing made aerodynamic compromises that made the aircraft dynamically unstable. This is a very bad thing in a commercial passenger aircraft.
In order to manage the dynamic instability, Boeing introduced the MCAS software system which allows the flight control computers to command the nose down in the event of what it considers a hazardous angle of attack. The aircraft has two redundant flight computer systems, but each reads only one of the two angle-of-attack sensors, and they do not cross-check with each other. Only one is active at a time.
The MCAS system provides feedback to the pilots by pushing the stick forward. By default it provides no other clear indication that MCAS has activated. This system can apply hundreds of pounds of force to the control stick, making it physically exhausting for the pilots to try to counter it.
Boeing deliberately kept documentation of MCAS to a minimum in order to maintain a bureaucratic fiction that the aircraft is "still just a 737" despite having twice the thrust and carrying 72% more passengers than the original 737, in order to avoid having to do an expensive new-type certification. But by any realistic aerospace engineering standard, the 737 MAX is a new aircraft that should have had a full airworthiness certification process. But that would have cost Boeing a lot of money. So Boeing lied.
Because the FAA is overloaded and has been suffering a "brain drain" to the private sector, the FAA trusted Boeing to tell it whether the 737 MAX was airworthy and safe to operate, which is why Boeing got away with the lie.
I have heard many comments on the deficiencies of having a single AoA sensor for MCAS. But there's a white elephant in the room that doesn't seem to get mentioned. It might be more apparent if somebody bothered to ask a pilot what is observable on a plane that is about to stall; or perhaps better still, what does not occur when going into a stall.
When a plane is nose-diving into the ground, it picks up speed very rapidly. There are three pitot tubes to measure this; and they are cross-checked and fed to both flight control computers. When an AoA sensor indicates excessive up-angle, that would normally indicate a stall is imminent. But NOT if the airspeed is increasing - especially if it is increasing at an unusually high rate! Right there you have a clear indicator of sensor failure - absolutely no need for two AoA sensors! Regardless, the correct response would be to have the automation disconnect itself, manual "law", sound the klaxon.
That the software for MCAS did not bother to query the normal flight-control-computer modules for speed delta is a damning reflection of shoddy software engineering (though the actual coding of the software may have itself been fine). Even a junior programmer should have thought to ask what "readily available" parameters could be used to gate the decision-making of the module.
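The gating logic argued for in the comment above (and the missing cross-check described earlier in the thread) is easy to show in code. The block below is an added illustration, not Boeing's or anyone's flight-control code and not a description of how MCAS actually works: the thresholds, the `Sample` record, the `gate` and `single_sensor_gate` functions and the three flight windows are all constructed for the example. It contrasts a decision that trusts one AoA vane with one that first cross-compares the two vanes and then refuses to believe a "stall" while the voted airspeed is climbing fast; with the cross-compare switched off, the airspeed-trend check alone still rejects the failed vane.

```python
"""Illustrative plausibility gate for an automated nose-down command.

Added example: hypothetical thresholds and constructed sample data,
not a model of any real aircraft's flight-control software.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    NO_ACTION = "no_action"
    NOSE_DOWN = "nose_down"
    DISCONNECT = "disconnect"   # drop to manual control and alert the crew


@dataclass(frozen=True)
class Sample:
    t: float           # seconds since window start
    aoa_left: float    # degrees, vane 1
    aoa_right: float   # degrees, vane 2
    airspeed: float    # knots, already voted from the three pitot sources


# All three limits are assumptions chosen for the example, not real numbers.
AOA_LIMIT_DEG = 15.0          # above this a vane is claiming an imminent stall
AOA_DISAGREE_DEG = 5.0        # larger vane-to-vane split means one vane is bad
ACCEL_LIMIT_KT_PER_S = 2.0    # a stalling aircraft does not accelerate this fast


def airspeed_rate(window: list[Sample]) -> float:
    """Least-squares slope of airspeed over the window, in knots per second."""
    n = len(window)
    if n < 2:
        return 0.0
    mean_t = sum(s.t for s in window) / n
    mean_v = sum(s.airspeed for s in window) / n
    num = sum((s.t - mean_t) * (s.airspeed - mean_v) for s in window)
    den = sum((s.t - mean_t) ** 2 for s in window)
    return num / den if den else 0.0


def single_sensor_gate(window: list[Sample]) -> Decision:
    """The naive design: believe the one vane this computer happens to read."""
    if window and window[-1].aoa_left > AOA_LIMIT_DEG:
        return Decision.NOSE_DOWN
    return Decision.NO_ACTION


def gate(window: list[Sample], cross_check: bool = True) -> Decision:
    """Only command nose-down when the stall indication is physically plausible."""
    if len(window) < 2:
        return Decision.NO_ACTION          # no history yet: do nothing rather than guess
    cur = window[-1]
    # 1. Redundant vanes that disagree mean at least one is lying: hand control back.
    if cross_check and abs(cur.aoa_left - cur.aoa_right) > AOA_DISAGREE_DEG:
        return Decision.DISCONNECT
    if max(cur.aoa_left, cur.aoa_right) <= AOA_LIMIT_DEG:
        return Decision.NO_ACTION
    # 2. A real stall bleeds airspeed. High AoA plus rapidly rising speed is a
    #    sensor failure, so disconnect the automation instead of pushing the nose down.
    if airspeed_rate(window) > ACCEL_LIMIT_KT_PER_S:
        return Decision.DISCONNECT
    return Decision.NOSE_DOWN


def make_window(aoa_left: float, aoa_right: float, speeds: list[float]) -> list[Sample]:
    """Build a one-sample-per-second window with constant vane readings (constructed data)."""
    return [Sample(float(i), aoa_left, aoa_right, v) for i, v in enumerate(speeds)]


# Constructed scenarios (not flight data):
FAILED_VANE = make_window(25.0, 4.0, [250, 256, 262, 268, 274])     # left vane stuck high, speed rising
GENUINE_STALL = make_window(18.0, 17.5, [140, 138, 136, 134, 132])  # both vanes high, speed decaying
NORMAL_CRUISE = make_window(3.0, 3.2, [250, 250, 250, 250, 250])


if __name__ == "__main__":
    for name, w in [("failed vane", FAILED_VANE), ("genuine stall", GENUINE_STALL),
                    ("normal cruise", NORMAL_CRUISE)]:
        print(f"{name:14s} single-sensor={single_sensor_gate(w).value:10s} "
              f"gated={gate(w).value:10s} trend-only={gate(w, cross_check=False).value}")
```

The failed-vane window is the case that matters: the single-sensor path commands nose-down, while the gated path disconnects, and it still disconnects when the vane cross-compare is disabled, because the airspeed trend on its own makes the "stall" implausible. The genuine-stall window shows the gate still lets a consistent, decelerating stall indication through.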
It is indeed. It's putting the fox in charge of the henhouse.
The F-35 is much the same situation. DARPA did not independently pen-test any of the F-35's software suite. It just trusted Lockheed Martin's word that it was secure and safe ... which it turns out it most emphatically is not.
Excellent capsule summary. As someone who works in the aerospace industry every one of the items in your list pisses me off. Passenger planes should be aerodynamically stable by default. (Fighters and stunt planes are different; high maneuverability comes at the cost of some instability.) It boggles my mind that the AoA sensors weren't cross-compared; MCAS can manipulate flight control surfaces FFS! My experience with people working in flight controls is that they consider their systems to be DAL A+. (DAL A, where failure is "catastrophic," is the highest official level.) They wear a tinfoil hat over their tinfoil hat. They're paranoid as f*ck and they goddamn well should be. How anyone signed off on that design is beyond me. I sure as hell wouldn't want my name on it.
As you said, Boeing wanted to get to market fast and cheap. They also wanted to boost sales by pretending that little pilot retraining was required. It was a perfect storm of incentives to paper over significant differences and questionable design decisions. Heads should roll at Boeing for this. There should be criminal accountability.
(Note: I've never worked in aerospace except by osmosis. Some years ago when I was putting together engineering best practices for writing election software, my research group did a survey of existing software engineering methodologies. We concluded aviation software engineering had a very good track record and that we were going to pattern voting software engineering on the aviation model.)
@Rob Hansen "Pattern voting software on the aviation model?" It sounds good in theory, for sure. And I bet your group did a good job along those lines. But from what I've heard of voting software in general (most of it third hand from #SANS), it's riddled with issues that are hidden behind closed doors.