FAA Certification Needs Tweaks, Not Overhaul, Special Committee Says

aircraft
Credit: Boeing

WASHINGTON—The FAA’s certification process is not fundamentally flawed and “was followed” during the Boeing 737 MAX certification, but shortcomings in key guidance, global perspective, safety assessments, and agency staffing should be addressed to improve the system, an independent committee’s report found. 

Commissioned by the U.S. Department of Transportation (DOT) but left to reach its own conclusions, the Special Committee to Review the FAA’s Aircraft Certification Process spent more than six months evaluating FAA’s product-approval protocol, using the 737 MAX as a “case study,” co-Chair Lee Moak told reporters Jan 16. Its 68-page report includes 29 recommendations covering several broad areas.  

Among the key takeaways: neither delegation nor FAA’s entire certification process is broken, and derivatives are not inherently less safe than new designs. 

“FAA certification as a whole ... is safe. It’s effective,” Moak said. 

The delegation system “is an appropriate and effective tool for conducting aircraft certification,” the report said. The FAA must ensure designees are not influenced by “undue pressure,” such as deadlines or cost concerns, that may compromise safety. Moak underscored that the committee had no specific examples of such pressure, while acknowledging that its mandate did not include an “investigative” angle. 

The committee concluded that the FAA “followed regulations and guidance materials in determining that the project qualified as an amended type certificate project,” it said.

Even if Boeing was required to certify the MAX as a new design, it “would not have produced more rigorous scrutiny ... and would not have produced a safer airplane,” the report added.  

Among the reasons: flawed assumptions based on longstanding FAA guidance led Boeing to determine that pilots would react a certain way during emergency scenarios linked to the MAX’s maneuvering characteristics augmentation system (MCAS). Two fatal MAX accident sequences showed that Boeing was wrong, but the assumptions and related safety analyses were tied to the MCAS’s introduction, not the fact that the MAX is a derivative. 

“MCAS was identified and tested in both Boeing’s and the FAA’s certification flight tests,” the report continued. “The FAA’s regulations and protocols did not require testing of MCAS for combinations of mechanical and human failures. Boeing and FAA inspectors determined that a malfunctioning MCAS system would present itself as runaway stabilizer trim, an occurrence with specific non-normal checklist procedures and for which pilots are trained to address.” 

Had Boeing factored in flight-crew errors when evaluating MCAS’s risk, certain failure modes—including the single-data-source angle-of-attack sensor [SSA] failure that triggered both MAX accident sequences—would have been classified as higher. That would have likely triggered design changes. 

“Systems Safety Analyses [SSAs] should recognize that human errors are generally inevitable and consider the consequences of an equipment failure compounded with a foreseeable human failure,” the report said.  

The committee also reiterated findings from other reports that the FAA’s certification process is too U.S.-centric. “The FAA should acknowledge the international profile of operators of U.S. State of Design aircraft and implement the necessary changes for its aircraft certification system to take into account differences in operations, training, and oversight across states,” the report said. The agency is already making changes in this area by using 737 pilots from a variety of non-U.S. carriers to evaluate changes to the MAX flight control system logic and related training.

The committee urged FAA to go further, codifying requirements directly in type certificates. 

“The FAA ... should consider including operational requirements as part of the type certificate in order to better communicate minimum standards and promote advanced training and qualification programs,” the report said. “This would allow transfer of operational and training requirements through the validation process.” 

Moak’s committee also spotlighted FAA’s staffing levels as a risk factor.  

“The FAA cannot accommodate the growth and complexity in certification workload without effectively understanding and managing its personnel requirements and influencing cultural changes in the workforce to adapt to the changing nature of the work,” one finding said. “Current funding levels may be insufficient to support effective resource management. Priorities include proper skill identification, skill development, and attracting talent.” The committee recommended more aggressive outreach to younger professionals, but did not suggest more funding from Congress, despite the finding’s language. 

The report’s conclusions did not sit well with some U.S. lawmakers conducting their own probes into the FAA and Boeing who believe that legislative action is the most prudent course of action.

“Our committee’s investigation has already revealed multiple junctures at which the current certification process failed, and as I’ve made clear, I intend to propose legislative fixes to ensure safety always comes first,” said House Committee on Transportation and Infrastructure Chair Peter DeFazio (D-Oregon), citing the 346 fatalities in the two MAX accidents as proof of gaps that need addressing in the U.S. “I appreciate the special committee’s review of the certification process and I will take the recommendations into account as Congress considers changes.”

A NASA official that advised the committee offered a different perspective during the group’s deliberations. “All complex safety systems built and maintained by humans will experience malfunctions and human error that put safety at risk,” the report said. “NASA encouraged the committee to review safety systems with this in mind.”

FAA Administrator Steve Dickson “welcomed” the recommendations, calling out the system-safety concerns specifically. “I was pleased to see that the committee recommended we advance the use of Safety Management Systems throughout all sectors of the aviation industry,” he said. “The agency will carefully consider the committee’s work, along with the recommendations identified in various investigative reports and other analyses, as we take steps to enhance our aircraft certification processes.”
 

Sean Broderick

Senior Air Transport & Safety Editor Sean Broderick covers aviation safety, MRO, and the airline business from Aviation Week Network's Washington, D.C. office.

Comments

5 Comments
Recognizing this is a very broad overview of the problem, it does not identify the obvious causal factors in the design and certification process. It appears that the MCAS was installed to avoid a requirement for additional simulator training of the pilots. The difference requiring the simulator was a stick force lightening at aft CG and high power. The lightening still met the rule. Are pilots now unable to adapt to that without special training? Would an AFM note have been sufficient as a replacement for a system that was turned into a serious hazard in an attempt to provide synthetic longitudinal stability enhancement? Are we training pilots to be autopilots or do we expose them early to airplanes that are harder to fly, using natural adaptability of the pilot as a beneficial quality as one of the fundamentals of aviating?
“Systems Safety Analysists [SSAs] should recognize that human errors are generally inevitable and consider the consequences of an equipment failure compounded with a foreseeable human failure,” the report said. Ummmm ... was this supposed to be a “new” finding?
“Systems Safety Analysists [SSAs] should recognize that human errors are generally inevitable and consider the consequences of an equipment failure compounded with a foreseeable human failure,” the report said. Ummmm ... was this supposed to be a “new” finding?
It would nice to have a link to the report in order to read the recommendations.
However I think that Part 21requirements may have to be reconsidered even if they require FAA (and EASA) a lot of additional staffing.
The big question is if you can really trust the manufacturers ODA systems considering the immense pressure they are subject sometimes from OEM top management .....
You can't
Even if Boeing was required to certify the MAX as a new design, it “would not have produced more rigorous scrutiny ... and would not have produced a safer airplane,” the report added....

So how is going to be certifícate again or under a new TC? and the recertification will review al these flaws and error in software and hardware? ... last sentence of the caption above tells everything...