![](data:image/svg+xml,<svg display="block" role="presentation" viewBox="0 0 91 18" xmlns="http://www.w3.org/2000/svg"><path d="M 12.787 12.673 L 4.695 12.673 L 3.1 16.422 L 0 16.422 L 7.283 0.233 L 10.246 0.233 L 17.551 16.422 L 14.405 16.422 Z M 11.795 10.313 L 8.741 3.236 L 5.71 10.313 Z M 33.026 16.422 L 29.716 11.681 C 29.579 11.697 29.371 11.704 29.094 11.704 L 25.436 11.704 L 25.436 16.422 L 22.433 16.422 L 22.433 0.233 L 29.094 0.233 C 30.496 0.233 31.717 0.465 32.759 0.928 C 33.799 1.389 34.597 2.051 35.152 2.917 C 35.706 3.78 35.983 4.803 35.983 5.989 C 35.983 7.208 35.687 8.259 35.095 9.139 C 34.502 10.017 33.649 10.671 32.536 11.1 L 36.263 16.422 Z M 32.952 5.989 C 32.952 4.956 32.612 4.162 31.932 3.607 C 31.256 3.052 30.263 2.775 28.952 2.775 L 25.436 2.775 L 25.436 9.231 L 28.952 9.231 C 30.263 9.231 31.256 8.95 31.932 8.387 C 32.612 7.822 32.952 7.023 32.952 5.989 Z M 45.21 2.775 L 39.842 2.775 L 39.842 0.233 L 53.581 0.233 L 53.581 2.775 L 48.219 2.775 L 48.219 16.422 L 45.21 16.422 Z M 65.328 16.656 C 63.094 16.656 61.352 16.027 60.103 14.77 C 58.852 13.513 58.228 11.712 58.228 9.368 L 58.228 0.233 L 61.237 0.233 L 61.237 9.254 C 61.237 12.43 62.607 14.018 65.351 14.018 C 68.082 14.018 69.448 12.43 69.448 9.254 L 69.448 0.233 L 72.406 0.233 L 72.406 9.368 C 72.406 11.713 71.784 13.513 70.542 14.77 C 69.303 16.028 67.565 16.656 65.328 16.656 Z M 84.452 16.656 C 83.206 16.656 81.999 16.479 80.834 16.126 C 79.672 15.769 78.75 15.298 78.07 14.713 L 79.113 12.376 C 79.774 12.9 80.586 13.328 81.552 13.658 C 82.517 13.989 83.484 14.154 84.452 14.154 C 85.656 14.154 86.555 13.963 87.148 13.578 C 87.74 13.191 88.037 12.682 88.037 12.051 C 88.037 11.588 87.871 11.207 87.541 10.906 C 87.211 10.607 86.79 10.37 86.282 10.2 C 85.772 10.029 85.079 9.838 84.202 9.624 C 82.967 9.332 81.968 9.04 81.204 8.746 C 80.446 8.454 79.772 7.981 79.239 7.368 C 78.692 6.745 78.418 5.9 78.418 4.832 C 78.418 3.94 78.66 3.126 79.148 2.393 C 79.633 1.661 80.364 1.079 81.341 0.649 C 82.322 0.216 83.521 0 84.943 0 C 85.925 0 86.897 0.124 87.855 0.37 C 88.812 0.618 89.635 0.973 90.327 1.436 L 89.382 3.772 C 88.685 3.36 87.938 3.04 87.159 2.82 C 86.387 2.604 85.641 2.496 84.92 2.496 C 83.73 2.496 82.847 2.698 82.27 3.099 C 81.692 3.503 81.404 4.034 81.404 4.695 C 81.404 5.16 81.569 5.537 81.9 5.829 C 82.23 6.122 82.649 6.353 83.159 6.524 C 83.668 6.692 84.361 6.883 85.239 7.1 C 86.442 7.378 87.43 7.668 88.202 7.971 C 88.962 8.264 89.64 8.735 90.179 9.345 C 90.726 9.96 91 10.792 91 11.841 C 91 12.738 90.756 13.549 90.271 14.274 C 89.783 14.996 89.047 15.573 88.06 16.006 C 87.075 16.439 85.873 16.656 84.453 16.656 Z M 84.452 16.656" fill="rgb(45, 45, 45)" height="16.655689568565506px" id="sF6zVZNmi" transform="translate(0 0.675)" width="91.00000230951045px"/></svg>)
When a Helper System Takes Control: What the Aerospace Industry Really Teaches Us About Software Planning
How did an ambition to quickly meet market demand end up costing more than three hundred lives?
Yashika Vahi
Community Manager
Table of contents
Share
Competing With Airbus: How Software Was Used to Mask a Hardware Shift in the 737 MAX airplane
Imagine you’re riding a bicycle. Sometimes, when you go fast or hit a bump, the front wheel wants to lift up. So someone adds a small helper. It doesn’t take over the bike. It just nudges you back when you lean too far.
That’s how MCAS was supposed to work. On the Boeing 737 MAX airplane, MCAS stood for Maneuvering Characteristics Augmentation System. A long name for a simple idea:
“If the airplane’s nose starts pointing too high, gently push it back down.”
Boeing built the 737 MAX to compete with Airbus’s A320neo—a fuel-efficient airplane airlines loved. To save fuel, Boeing installed larger engines. Because the plane sits low to the ground, those engines had to be mounted higher and further forward.
That small change caused a new behavior: in rare situations, at steep angles, the plane wanted to tilt its nose upward more than older 737s.
Airlines wanted pilots to fly the MAX like older 737s. Regulators wanted it to behave like older 737s. Boeing wanted fast certification and minimal retraining. So MCAS was added.
Quiet. Invisible. Rarely active.
A helper.
The airplane had two sensors that measured how steeply it was flying. MCAS listened to only one at a time.
That meant if that one sensor was wrong, MCAS would still act.
On October 29, 2018, one of those sensors was wrong. Lion Air Flight 610 had bad sensor data just after takeoff. MCAS believed it. It pushed the nose down. The pilots pulled it back up. MCAS pushed again. And again. The system had authority—it could move the plane repeatedly. The pilots were fighting an invisible force they didn’t fully understand. The plane crashed into the Java Sea. 189 people died.
Four months later, on March 10, 2019, it happened again. Ethiopian Airlines Flight 302. Another bad sensor. Another MCAS activation. Another fight for control. 157 people died. Total: 346 lives.
This happened because:
a helper trusted one voice
had too much power
repeated itself
at the worst possible moment
without humans fully prepared
The helper didn’t know it was wrong.
And no one stopped it fast enough.
What MCAS Really Teaches About Product Planning
When you strip away the tragedy and the headlines, MCAS teaches a set of brutally clear planning lessons.
The first is simple: no single sensor should ever be able to trigger a dangerous action by itself. If one sensor says something alarming, the system should pause, check, and ask for confirmation.
The second lesson is that human factors are not documentation. Pilots weren’t “untrained” in the casual sense. They were placed in situations where recognizing what was happening, understanding why, and responding correctly had to occur in seconds. Product planning must treat human understanding, alerts, workload, and stress as core design elements.
The third lesson is about limits. Any automated system that can move controls, apply force, or repeat actions must have strict boundaries. How far can it go? How often can it act? What makes it stop? MCAS had authority without hard-enough brakes on that authority. Aviation responded by bounding the system tightly—because unlimited automation is not safety.
The fourth lesson is the most uncomfortable: design for failure at the worst moment. Not during calm cruise. Not during training scenarios. But right after takeoff. Low altitude. High speed. Multiple alerts. No time to think. If a system can’t be trusted then, it can’t be trusted at all.
And finally, aviation learned that independent safety review is part of the product. Not everyone should be invested in shipping. Some teams must exist only to challenge assumptions: What if this sensor lies? What if the pilot misunderstands? What if this triggers again and again?
The problem is clear. Boeing spent a lot of time on execution but none on planning and the cost didn’t just end up hurting their business, it ended up sacrificing hundreds of lives.
So If your product automates decisions, overrides humans and operates faster than people can think then you’re building an MCAS-class system. And the lesson isn’t “don’t automate.”
It’s this:
Never give software authority without brakes. And never plan only for calm conditions.
The difference between safety and catastrophe is planning that assumes the system will be wrong and survives anyway.
That’s what real product planning looks like.
