While it was designing its newest jet, Boeing decided to quadruple the power of an automated system that could push down the plane’s nose — a movement that made it difficult for the pilots on two doomed flights to regain control.
The company also expanded the use of the software to activate in more situations, as it did erroneously in the two deadly crashes involving the plane, the 737 Max, in recent months.
None of those changes to the anti-stall system, known as MCAS, were fully examined by the Federal Aviation Administration.
Although officials were aware of the changes, the modifications didn’t require a new safety review, according to three people with knowledge of the process. It wasn’t necessary under F.A.A. rules since the changes didn’t affect what the agency considers an especially critical or risky phase of flight.
A new review would have required F.A.A. officials to take a closer look at the system’s effect on the overall safety of the plane, as well as to consider the potential consequences of a malfunction. Instead, the agency relied on an earlier assessment of the system, which was less powerful and activated in more limited circumstances.
Ever since the crashes — in Indonesia last October and Ethiopia last month — investigators, prosecutors and lawmakers have scrutinized what went wrong, from the design and certification to the training and response.
In both crashes, the authorities suspect that faulty sensor data triggered the anti-stall system, revealing a single point of failure on the plane. Pilots weren’t informed about the system until after the Lion Air crash in Indonesia, and even then, Boeing didn’t fully explain or understand the risks. The F.A.A. outsourced much of the certification to Boeing employees, creating a cozy relationship between the company and its regulator.
But the omission by the F.A.A. exposes an embedded weakness in the approval process, providing new information about the failings that most likely contributed to the crashes in Indonesia and Ethiopia.
The F.A.A. is supposed to be the gold standard in global aviation regulation, with the toughest and most stringent rules for certifying planes. But the miscalculation over MCAS undermines the government’s oversight, raising further concerns about its ability to push back against the industry or root out design flaws.
While it is unclear which officials were involved in the review of the anti-stall system, they followed a set of bureaucratic procedures, rather than taking a proactive approach. The result is that officials didn’t fully understand the risks of the more robust anti-stall system, which could cause a crash in less than a minute.
“The more we know, the more we realize what we don’t know,” said John Cox, an aviation safety consultant and former 737 pilot.
The F.A.A. defended its certification process, saying it has consistently produced safe aircraft. An F.A.A. spokesman said agency employees collectively spent more than 110,000 hours reviewing the Max, including 297 test flights.
The spokesman said F.A.A. employees were following agency rules when they didn’t review the change. “The change to MCAS didn’t trigger an additional safety assessment because it did not affect the most critical phase of flight, considered to be higher cruise speeds,” an agency spokesman said. “At lower speeds, greater control movements are often necessary.”
A spokesman for Boeing said, “The F.A.A. considered the final configuration and operating parameters of MCAS during Max certification, and concluded that it met all certification and regulatory requirements.”
Some of the details of the evolving design of MCAS were earlier reported by The Seattle Times.
MCAS was created to help make the 737 Max handle like its predecessors, part of Boeing’s strategy to get the plane done more quickly and cheaply.
The system was initially designed to engage only in rare circumstances, namely high-speed maneuvers, in order to make the plane handle more smoothly and predictably for pilots used to flying older 737s, according to two former Boeing employees who spoke on the condition of anonymity because of the open investigations.
For those situations, MCAS was limited to moving the stabilizer — the part of the plane that changes the vertical direction of the jet — about 0.6 degrees in about 10 seconds.
It was around that design stage that the F.A.A. reviewed the initial MCAS design. The planes hadn’t yet gone through their first test flights.
After the test flights began in early 2016, Boeing pilots found that just before a stall at various speeds, the Max handled less predictably than they wanted. So they suggested using MCAS for those scenarios, too, according to one former employee with direct knowledge of the conversations.
But the system needed more power to work in a broader range of situations.
At higher speeds, flight controls are more sensitive and less movement is needed to steer the plane. Consider the effect of turning a car’s steering wheel at 70 miles an hour versus 30 miles an hour.
To prevent stalls at lower speeds, Boeing engineers decided that MCAS needed to move the stabilizer faster and by a larger amount. So Boeing engineers quadrupled the amount it could move the stabilizer in one cycle, to 2.5 degrees in less than 10 seconds.
“That’s a huge difference,” said Dennis Tajer, a spokesman for the American Airlines pilots’ union who has flown 737s for a decade. “That’s the difference between controlled flight or not.”
Speed was a defining characteristic for the F.A.A. The agency’s rules require an additional review only if the changes affect how the plane operates in riskier phases of flight: at high speeds and altitudes. Because the changes to the anti-stall system affected how it operated at lower speeds and altitudes, F.A.A. employees didn’t need to take a closer look at them.
The overall system represented a major departure from Boeing’s design philosophy. Boeing has traditionally favored giving pilots control over their planes, rather than automated flight systems.
“In creating MCAS, they violated a longstanding principle at Boeing to always have pilots ultimately in control of the aircraft,” said Chesley B. Sullenberger III, the retired pilot who landed a jet in the Hudson River. “In mitigating one risk, they created another, greater risk.”
The missed risks, by the F.A.A. and Boeing, flowed to other decisions. A deep explanation of the system wasn’t included in the plane manual. The F.A.A. didn’t require training on it. Even Boeing test pilots weren’t fully briefed on MCAS.
“Therein lies the issue with the design change: Those pitch rates were never articulated to us,” said one test pilot, Matthew Menza.
Mr. Menza said he looked at documentation he still had and did not see mention of the rate of movement on MCAS. “So they certainly didn’t mention anything about pitch rates to us,” he said, “and I certainly would’ve loved to have known.”
The system’s increased power was also compounded by its design: The software engaged repeatedly if the sensor suggested it was necessary to avoid a stall. In the Lion Air crash, data showed that the pilots, who weren’t aware of MCAS, fought for control of the plane, as it pushed the nose back down each time they pulled it up.
Few truly understood just how powerful the system would prove. It wasn’t fully disclosed until after the Lion Air disaster, which killed all 189 people on board. On the Ethiopian Airlines flight, the pilots struggled to regain control after MCAS engaged at least three times.
Last month, during flight simulations recreating the problems with the Lion Air flight, American pilots were surprised at how strong MCAS was. They essentially had less than 40 seconds to manually override a system malfunction before a crash.
Updates to the software by Boeing, which the F.A.A. will have to approve, will address some of the concerns with the anti-stall system. The changes will limit the system to engaging just once in most cases. And they will prevent MCAS from pushing the plane’s nose down more than a pilot could counteract by pulling up on the controls.
Boeing had hoped to deliver the software fix to the F.A.A. by now but it was delayed by several weeks. As a result, the grounding of the jet is expected to drag on. Southwest Airlines and American Airlines have already canceled some flights through May.