System Safety Analysis

In a March 27, 2019 appearance before the Senate Subcommittee on Aviation and Space, Daniel K. Elwell, Acting Administrator for the Federal Aviation Administration (“FAA”) sought to clarify the FAA’s role in the certification of the safety of aircraft systems. In doing so, he emphasized that the principal responsibility for safety lies with the aircraft manufacturers, with FAA performing merely a review function to determine “if the applicant [for certification] has shown that the overall design meets the safety standards. We do that by reviewing data and by conducting risk based evaluations of the applicant’s work,” Statement of Administrator, before the Senate Committee on Commerce, Science and Transportation, Subcommittee on Aviation and Space on the State of Airline Safety: Federal Oversight of Commercial Aviation, March 27, 2019 (“Statement”). The problem with this explanation may not be the adopted approach, but the lapses in FAA’s realization of its part of the bargain.

In the opening discussion of the safety certification system’s underlying philosophy, the Acting Administrator explained that “the FAA focuses its efforts on areas that present the highest risk within the system . . .,” Statement, p. 3, with FAA purportedly “involved in testing and certification of new and novel features and technologies,” Statement, p. 5, a category that includes the Maneuvering Characteristics Augmentation System (“MCAS”), thought to be a cause of the recent accidents in Ethiopia and Malaysia. In fact, as discussed in a comprehensive article of March 17, 2019, “Flawed analysis, failed oversight: How Boeing, FAA certified the suspect 737 MAX flight control system,” published in the Seattle Times by Dominic Gates, the Seattle Times aerospace reporter (“Seattle Times Article”), Boeing’s “system safety analysis” of the MCAS:

  • Understated the power of the new flight control system, which was designed to swivel the horizontal tail to push the nose of the plane down to avert a stall. When the planes later entered service, MCAS was capable of moving the tail more than four times farther than was stated in the initial safety analysis document.

  • Failed to account for how the system could reset itself each time a pilot responded, thereby missing the potential impact of the system repeatedly pushing the airplane’s nose downward.

  • Assessed a failure of the system as one level below “catastrophic.” But even that “hazardous” danger level should have precluded activation of the system based on input from a single sensor — and yet that’s how it was designed.

Nevertheless, the Acting Administrator goes on to divest FAA of responsibility.
