Only after the Lion Air crash did Boeing put out an advisory about the software. My colleague James Fallows has noted that American pilots have also experienced the problem.

What makes the situation troubling, whether or not the system is ultimately implicated in the Ethiopian Air tragedy, is that the problems that could result from this system are not impossible to foresee.

The MCAS relies on sensors that can derive the angle of attack, which a Boeing publication notes is a very complex measurement. Erroneous or mismatched readings could lead to serious trouble. And that’s not normally how the software systems installed on planes work.

Once the problems with the system came to light last year, Southwest almost immediately took steps to address them, and Boeing announced an update to the MCAS, which the company had been planning with the Federal Aviation Administration.

“The FAA says it anticipates mandating this software enhancement with an Airworthiness Directive no later than April,” Boeing said. “We have worked with the FAA in development of this software enhancement.”

So, upon review, the FAA and Boeing decided that a software update should be mandatory for the plane. This kind of post facto decision-making would not be surprising in most other realms of software development. After all, Apple has issued five iOS updates since October.

The FAA has extremely strict regulations. This makes sense: It regulates tubes full of people flying in the sky, and any problems could be catastrophic. The stakes are higher than they are with, say, an iPhone app. Every component of every plane must go through a certification process, which MCAS did.

As planes have become much more dependent on computers over the past few decades, the industry is facing the tricky problem of how to certify these systems—and how to train pilots to handle their increasingly inscrutable failures. The FAA runs the Aircraft Certification Service, which “is concerned with the approval of software and airborne electronic hardware for airborne systems (e.g., autopilots, flight controls, engine controls).” It’s important to understand that aircraft makers don’t submit a form to check a box; the FAA is deeply involved.

My colleague James Somers described precisely how software is evaluated under this safety regime. “The agency mandates that every requirement for a piece of safety-critical software be traceable to the lines of code that implement it, and vice versa,” Somers wrote. “So every time a line of code changes, it must be retraced to the corresponding requirement in the design document, and you must be able to demonstrate that the code actually satisfies the requirement.”

In the United States, the current process has worked remarkably well. Across all the millions of flights by American airliners, there was exactly one passenger death from 2010 to 2019.