In a March 27, 2019 appearance before the Senate Subcommittee on Aviation and Space, Daniel K. Elwell, Acting Administrator for the Federal Aviation Administration (“FAA”) sought to clarify the FAA’s role in the certification of the safety of aircraft systems. In doing so, he emphasized that the principal responsibility for safety lies with the aircraft manufacturers, with FAA performing merely a review function to determine “if the applicant [for certification] has shown that the overall design meets the safety standards. We do that by reviewing data and by conducting risk based evaluations of the applicant’s work,” Statement of Administrator, before the Senate Committee on Commerce, Science and Transportation, Subcommittee on Aviation and Space on the State of Airline Safety: Federal Oversight of Commercial Aviation, March 27, 2019 (“Statement”). The problem with this explanation may not be the adopted approach, but the lapses in FAA’s realization of its part of the bargain.
In the opening discussion of the safety certification system’s underlying philosophy, the Acting Administrator explained that “the FAA focuses its efforts on areas that present the highest risk within the system . . .,” Statement, p. 3, with FAA purportedly “involved in testing and certification of new and novel features and technologies,” Statement, p. 5, a category within which the Maneuvering Characteristics Augmentation System (“MCAS”), thought to be a cause of the recent accidents in Ethiopia and Malaysia is included. In fact, as discussed in a comprehensive article of March 17, 2019, “Flawed analysis, failed oversight: How Boeing, FAA certified the suspect 737 MAX flight control system,” posted in the Seattle Times by Dominic Gates, the Seattle Times Aerospace reporter (“Seattle Times Article”), Boeing’s “system safety analysis” of the MCAS:
-
Understated the power of the new flight control system, which was designed to swivel the horizontal tail to push the nose of the plane down to avert a stall. When the planes later entered service, MCAS was capable of moving the tail more than four times farther than was stated in the initial safety analysis document.
-
Failed to account for how the system could reset itself each time a pilot responded, thereby missing the potential impact of the system repeatedly pushing the airplane’s nose downward.
-
Assessed a failure of the system as one level below “catastrophic.” But even that “hazardous” danger level should have precluded activation of the system based on input from a single sensor — and yet that’s how it was designed.
Nevertheless, the Acting Administrator goes on to divest FAA of responsibility.
The Acting Administrator explains that “under this program, the FAA may delegate a matter related to aircraft certification to a qualified private person,” Statement, p. 3. Specifically, the Organization Designation Authorization (“ODA”) program is the means by which the FAA may authorize an “organization” to act as a representative of the FAA, allowing that organization to conduct inspections and tests and issue certificates on behalf of the FAA. Currently, there are 79 ODA holders. ODA certification processes allow an applicant greater flexibility and control over schedules than applicants whose projects are directly managed by the FAA. Not surprisingly, Boeing was Co-Chair of the ODA program. But the ODA program did not make everyone at FAA happy.
A former FAA safety engineer who was directly involved in certifying the MAX said that halfway through the certification process, “we were asked by management to re-evaluate what would be delegated. Management thought we had retained too much at the FAA.”
Seattle Times Article. Even through the certification process for the 737 Max aircraft purportedly took five years (see Statement, p. 6), eventually the Acting Administrator opined that “time yield[ed] more data to be applied for continued analysis and improvement.” Statement, p. 6. And indeed, as revealed in the Seattle Times Article,
[B]lack box data retrieved after the Lion Air crash indicates that a single faulty sensor — a vane on the outside of the fuselage that measures the plane’s “angle of attack,” the angle between the airflow and the wing — triggered MCAS multiple times during the deadly flight, initiating a tug of war as the system repeatedly pushed the nose of the plane down and the pilots wrestled with the controls to pull it back up, before the final crash.
Seattle Times Article. That information caused Boeing to submit, on January 21, 2019, “a proposed software enhancement to the FAA for certification.” Statement, p. 7. By the time of the second incident in March 2019, FAA’s review was still ongoing. Id. This is because “FAA’s initial review of flight safety data for the U.S. operators [of the 737 Max] showed no systemic performance issued,” Statement, p. 8.
All that changed with the Ethiopian air crash in March 2019. That incident provided FAA with the impetus to follow in the footsteps of the vast majority of European regulators, and force a collaborative effort with Boeing to definitively locate the source of the fatal problems. This sequence of events serves to remind the public that, while much progress has been made in aviation technology and safety innovation in recent years, FAA’s regulatory role over aircraft safety is still critical, and its even partial abdication a precursor to unfortunate consequences.