Lion Air Flight 610 is the accident that exposed a fundamental systems engineering failure in one of the world’s most commercially critical aircraft programs. The Boeing 737 MAX MCAS — Manoeuvring Characteristics Augmentation System — was a flight control system installed to address a handling characteristic of the re-engined 737, designed to activate when the angle of attack was high, and certified without pilots being told it existed.
When a single faulty angle of attack sensor provided an incorrect reading shortly after departure, MCAS activated repeatedly, driving the horizontal stabiliser to the nose-down limit. The crew fought it with electric trim. MCAS won. One hundred and eighty-nine people died in the Java Sea, thirteen minutes after takeoff.
This is not simply a software error. It is the story of a certification system that allowed a single-sensor, flight-critical control system to be designed, approved, and flown without pilots knowing it existed — and of the commercial and regulatory pressures that made that possible.
Lion Air 610 is the accident that proved that a certification system optimised for speed and cost can produce aircraft that are genuinely dangerous. MCAS was not a secret error. It was a design choice, a certification decision, and a commercial priority — each of which was individually defensible and collectively lethal.
| Field | Detail |
|---|---|
| Date | 29 October 2018 |
| Flight | JT 610 |
| Aircraft | Boeing 737 MAX 8 |
| Operator | Lion Air |
| Fatalities | 189 — all on board |
| Category | MCAS / Design Certification / Systems Engineering / Single Sensor Failure |
| Location | Java Sea, Indonesia |
The Event
- The 737 MAX is developed with larger, repositioned engines that alter handling characteristics at high angles of attack
- MCAS is designed to compensate for this characteristic, activating nose-down stabiliser trim when AoA is high
- MCAS uses a single AoA sensor as its input — a design that has no redundancy against sensor failure
- Pilot training for the 737 MAX does not include any reference to MCAS
- 28 October 2018: On the flight before JT 610, the aircraft experiences an MCAS activation — crew resolves it; event logged
- Aircraft is released to service without investigation of the previous event
- 29 October 2018: Departure from Jakarta; the left AoA sensor reads approximately 20 degrees high
- MCAS activates repeatedly; crew applies electric trim to counteract; MCAS reactivates
- After approximately 26 MCAS activation cycles over 13 minutes, the stabiliser reaches the full nose-down limit
- The aircraft becomes unrecoverable and enters the Java Sea at high speed; all 189 die
The aircraft had experienced an MCAS-related event on its previous flight — the flight before JT 610. That event was logged. The aircraft was released to service. The crew of JT 610 had no knowledge of the previous event or its relevance to their situation.
Systems Engineering Perspective
From a systems engineering perspective, Lion Air 610 represents the convergence of three distinct systems engineering failures: a single-sensor flight-critical system design, a certification assessment that understated the failure consequences, and a crew information gap that left the people flying the aircraft without the knowledge required to manage its failure modes.
MCAS was a single-sensor, flight-critical system with no redundancy against sensor failure, certified at a severity level that underestimated its failure consequences, and implemented without pilot knowledge. Each of these failures was independently sufficient to cause the accident. Together, they guaranteed it.
Single-Sensor Design — Redundancy That Wasn’t There
The 737 MAX has two angle of attack sensors — one on each side of the aircraft. Boeing’s MCAS was designed to use only one of them at any given time. This meant that a single faulty sensor — producing a high AoA reading — could activate MCAS and drive the stabiliser nose-down, with no cross-check, no validation, and no protection against the single-sensor failure mode.
The design violated the fundamental systems engineering principle that flight-critical systems dependent on a single measurement source must include protection against that source’s failure. The principle is not obscure — it is foundational. It was not applied.
Using a single sensor to drive a flight-critical control system is not a design shortcut. It is a design failure. The redundancy principle exists specifically to prevent this.
Certification Severity Understatement
Boeing’s safety assessment of MCAS classified it as a system with consequences that did not require the highest level of criticality designation. This assessment was based, in part, on the assumption that pilots would be able to recognise and counter an MCAS activation using the existing runaway stabiliser trim procedure.
This assumption was not validated. The runaway stabiliser procedure was designed for a different failure mode. The scenario — repeated MCAS activations at high airspeed with an incorrect AoA sensor — created forces on the stabiliser that the procedure could not address. The safety case was built on an assumption about pilot performance that the real world would not replicate.
A safety case that relies on pilot ability to respond to a failure mode the pilots have not been trained for is not a safety case. It is an untested assumption about human performance.
Crew Information Gap — A System They Didn’t Know Existed
Boeing’s decision not to include MCAS in the Boeing 737 MAX Flight Crew Operations Manual was a commercial decision: adding new systems to the FCOM would require type rating differences that would cost airlines additional training expense. MCAS was described in one sentence in a document that was not a standard crew reference.
The crew of JT 610 was flying an aircraft with an active, flight-critical control system that they had never been told existed. When it activated, they had no framework for understanding what was happening, no specific checklist, and no procedure designed for the failure mode they were experiencing.
Human Factors Perspective
The human factors dimension of Lion Air 610 is primarily a story of information asymmetry — a crew flying an aircraft whose behaviour they could not understand because the system causing it had been deliberately withheld from their training and operational documentation.
Information Asymmetry as a Safety Failure
The crew fought the MCAS activation with the tools available to them. They applied the runaway stabiliser trim procedure — the closest applicable procedure. They could not understand why the stabiliser kept retrimming. Without knowledge of MCAS, they had no framework for the failure mode they were experiencing. The information required to save the aircraft existed — in Boeing’s design documentation. It had not reached the crew.
A crew that does not know a system exists cannot manage that system’s failure. Information asymmetry between the aircraft designer and the aircraft crew is a flight safety failure.
The Previous Event — Missed Learning Opportunity
The previous flight’s MCAS event was documented in the aircraft’s technical log. An investigation of that event, with appropriate urgency, would have identified the failure mode before JT 610 departed. The maintenance and operational oversight system that should have triggered that investigation did not.
The Runaway Stabiliser Procedure — Wrong Tool
The applicable emergency procedure for MCAS malfunction was the runaway stabiliser trim procedure — an existing, trained procedure. At the airspeed reached by JT 610, the aerodynamic forces on the stabiliser made manual trim physically impossible after electric trim cutout. The procedure that was available was insufficient for the specific failure mode.
System Interaction Breakdown
1. Single AoA Sensor Driving Flight-Critical System
One sensor. No cross-check. No validation. One faulty value activating a flight-critical system 26 times in 13 minutes.
If a system is critical enough to override pilot control inputs, it is critical enough to require redundant, cross-validated sensor inputs.
2. Certification Based on Untested Pilot Response Assumption
The certification accepted a severity classification that depended on pilot ability to manage a failure mode they had not been trained for.
3. Flight-Critical System Not Disclosed to Crews
A commercial decision was made not to disclose MCAS to crews or include it in type training. This decision left crews without the information required to manage the system’s failure modes.
Any system that can override pilot control inputs must be disclosed to the pilots operating the aircraft. There is no commercial justification for this exception.
Significance in Aviation Risk
1. Dual-Channel AoA Validation Mandated
MCAS was redesigned to require agreement between both AoA sensors before activating, with limits on the number of activations and the authority of any single activation.
2. Complete System Disclosure Required
The principle that flight-critical systems must be fully disclosed to crews and included in type training — regardless of commercial cost — was established with regulatory force.
3. FAA Delegation Review
The FAA’s practice of delegating certification of individual systems to the manufacturer was fundamentally reviewed following Lion Air 610 and Ethiopian 302, resulting in a new oversight framework.
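As an added illustration (not from the original case study and not Boeing's design or code), the following constructed Python simulation contrasts the original single-sensor gating described under "Single-Sensor Design" with the cross-validated, activation-limited gating described in item 1 above. All thresholds, trim authority and crew-trim values are assumed placeholders; only the left-vane fault of roughly 20 degrees and the 26 cycles mirror figures given on the page.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# All numbers below are constructed for illustration, not certified MCAS parameters.
AOA_THRESHOLD = 15.0         # AoA (degrees) above which MCAS commands nose-down trim
DISAGREE_LIMIT = 5.5         # max tolerated difference between the two AoA vanes
STAB_NOSE_DOWN_LIMIT = 10.0  # stabiliser position treated as the full nose-down stop


@dataclass
class Mcas:
    cross_validate: bool                   # True = redesigned gating, False = original single sensor
    max_activations: Optional[int] = None  # cap per high-AoA episode; None = unlimited (original)
    authority: float = 2.5                 # stabiliser travel commanded per activation
    activations: int = 0
    stab: float = 0.0                      # 0 = neutral, positive = nose-down
    hit_limit: bool = False                # did the stabiliser ever reach the nose-down stop?

    def should_activate(self, left: float, right: float) -> bool:
        if self.max_activations is not None and self.activations >= self.max_activations:
            return False                   # activation budget for this episode exhausted
        if not self.cross_validate:
            return left > AOA_THRESHOLD    # original design: trust one vane, no cross-check
        if abs(left - right) > DISAGREE_LIMIT:
            return False                   # vanes disagree: inhibit rather than trust either
        return min(left, right) > AOA_THRESHOLD

    def step(self, left: float, right: float, crew_trim: float) -> float:
        if self.should_activate(left, right):
            self.activations += 1
            self.stab = min(self.stab + self.authority, STAB_NOSE_DOWN_LIMIT)
            self.hit_limit |= self.stab >= STAB_NOSE_DOWN_LIMIT
        self.stab = max(self.stab - crew_trim, 0.0)  # crew counters with electric trim
        return self.stab


def simulate(cross_validate: bool, max_activations: Optional[int] = None,
             true_aoa: float = 5.0, left_fault: float = 20.0,
             cycles: int = 26, crew_trim: float = 1.5) -> Tuple[int, float, bool]:
    """Run `cycles` MCAS/crew-trim cycles; the left vane reads `left_fault` degrees high."""
    mcas = Mcas(cross_validate, max_activations)
    for _ in range(cycles):
        mcas.step(true_aoa + left_fault, true_aoa, crew_trim)
    return mcas.activations, round(mcas.stab, 3), mcas.hit_limit


if __name__ == "__main__":
    print("original single-sensor :", simulate(cross_validate=False))
    print("cross-validated, faulty:", simulate(cross_validate=True, max_activations=1))
    print("cross-validated, real  :", simulate(True, 1, true_aoa=20.0, left_fault=0.0))
```

With the faulty left vane, the single-sensor controller fires on every cycle and ratchets the stabiliser to the stop despite the crew's trim inputs, while the cross-validated controller inhibits because the two vanes disagree; with a genuinely high AoA on both vanes, the activation cap bounds how far a single episode can move the stabiliser.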
Closing Perspective
Lion Air 610 is the 21st century’s most important aviation certification failure. A flight-critical system was designed with a single point of failure, certified at a severity level that underestimated its failure consequences, and operated by crews who did not know it existed.
Every one of these failures had a root cause in a commercial and regulatory environment that had created incentives for speed and cost reduction in the certification process. The aircraft had to be certified quickly to compete with the Airbus A320neo. Type rating differences were commercially unacceptable. The safety assessment was conducted by the manufacturer under FAA oversight delegation.
One hundred and eighty-nine people are at the bottom of the Java Sea because a commercial aircraft programme was not designed with the engineering rigour that its flight-critical systems required. The redesigned MCAS, the revised certification framework, and the mandatory crew disclosure requirements are the systemic response. They came five months too late for Lion Air 610.
Lion Air 610 proved that commercial pressure in the certification process is not just an ethical concern — it is a flight safety risk with measurable consequences. The 189 dead are the measurement.