Company
Boeing 737 MAX
Boeing 737 MAX
MCAS was a single point of failure designed to save training costs. 346 people died.
Company
Boeing 737 MAX
Failure layer
Execution
Questions
2
346
Lives lost
$20B+
Total cost
20
Months grounded
2
Crashes in 5 months
Timeline
2011
Airbus launches A320neo with new engines. American Airlines considers switching from Boeing.
2012
Boeing decides to re-engine the 737 rather than design a clean-sheet replacement. Schedule pressure begins.
2015
MCAS (Maneuvering Characteristics Augmentation System) designed to compensate for engine placement. Relies on a single angle-of-attack sensor.
2017
First 737 MAX delivered to airlines. MCAS not prominently disclosed in pilot training materials.
Oct 2018
Lion Air Flight 610 crashes into the Java Sea. 189 people killed. MCAS activated repeatedly based on faulty sensor data.
Mar 2019
Ethiopian Airlines Flight 302 crashes 6 minutes after takeoff. 157 people killed. Same MCAS failure mode.
Mar 2019
Worldwide grounding of all 737 MAX aircraft. Longest grounding in commercial aviation history begins.
Dec 2020
FAA approves return to service after 20 months. MCAS redesigned with dual-sensor input and pilot override.
What happened
For most of the twentieth century, Boeing was the gold standard in commercial aviation. Engineers ran the company. Then came the 1997 merger with McDonnell Douglas — technically an acquisition by Boeing, but in practice a cultural takeover. The new leadership was explicit: Boeing needed to behave "less like an engineering firm and more like a business." Headquarters moved from Seattle, where the planes were built, to Chicago, where the money was managed.
In 2011, Airbus launched the A320neo with 15% better fuel efficiency. American Airlines, a Boeing loyalist, signaled it would switch. Boeing faced a choice: design a clean-sheet replacement for the 737 (7+ years, $15B+) or bolt new engines onto a 1960s airframe and deliver in 6. The board chose speed. Every decision that followed — MCAS, single-sensor architecture, minimal pilot disclosure — was downstream of that one commitment. Not downstream of malice. Downstream of schedule.
"Boeing was an engineering company that got bought by its own merger partner's spreadsheet culture."
The new engines did not fit under the 737's low-slung wings. Mounted forward and higher, they changed the aircraft's pitch characteristics — the nose tended to rise, risking aerodynamic stall. The solution was MCAS: software that automatically pushed the nose down when sensors detected a high angle of attack. Software to mask a hardware compromise.
MCAS had three fatal design flaws. It relied on a single angle-of-attack sensor — no redundancy. It could activate repeatedly, overriding pilot inputs with increasing authority. And Boeing did not prominently disclose it in pilot training materials. Airlines were told their pilots could transition to the MAX with an iPad course. No simulator time required.
Engineers raised the single-sensor risk internally. One test pilot wrote that MCAS was "running rampant" in simulator tests. Management classified these concerns through review processes that had been quietly reoriented around certification speed rather than safety margins.
"The system Boeing built to catch safety problems had been rewired to optimize for certification speed."
On October 29, 2018, Lion Air Flight 610 crashed into the Java Sea. All 189 on board died. MCAS had fired repeatedly on faulty sensor data, forcing the nose down while pilots fought to regain control. Less than five months later, Ethiopian Airlines Flight 302 crashed under nearly identical circumstances. 157 killed. Same failure mode. Same single point of failure. Same risk that had been flagged internally and classified as acceptable.
The fleet was grounded for 20 months. Boeing's total costs exceeded $20 billion. Congressional investigations exposed a certification process in which Boeing employees effectively supervised their own safety assessments on behalf of the FAA.
The stated metric was zero accidents per million flight hours. The actual metric — the one that drove daily decisions, resource allocation, and bonuses — was days to FAA certification. One measures safety. The other measures speed. When those two metrics diverge, the one attached to quarterly targets wins. Every time. 346 people paid for that divergence.
"The dashboards were green. The mission statement said safety. People died anyway. That is what execution misalignment looks like at scale."
Failure pattern
What actually drifted
The stated metric: zero accidents per million flight hours. The actual metric: days to FAA certification. One measures safety. The other measures speed. The second one drove daily decisions.
Key takeaway
“Engineers flagged MCAS risks internally. Management classified the concerns as "process feedback," not safety issues. The execution system had a mechanism for absorbing warnings without acting on them. ”
Related patterns
Execution
Volkswagen
11 million vehicles. $30+ billion in fines. Engineers chose fraud over honesty.
Execution
Wells Fargo
The cross-sell metric was perfectly aligned on paper. In practice, it inverted the mission.
For a cross-layer comparison, see Nokia (Architecture).
Diagnostic questions
Use these prompts to test whether the same failure mode is showing up in your own system review.
Question 01
Can someone hit every KPI while violating the company's stated values? If yes, the metrics are misaligned.
Question 02
What happens when an employee flags a conflict between their target and the mission? If the answer is 'hit the target anyway,' execution has already overridden intent.
The diagnostic uses the same four-layer model. It is the fastest way to see whether the problem you are living with starts in the same place.