Like flashing Master Warning lights on a flight instrument panel, the Boeing 737 Max fatal crashes in the past two years have signalled that an airworthiness certification oversight system that served the world’s most powerful aviation industry well for decades is no longer coping – and needs updating.

Meanwhile, silently but with eyes wide open, the rest of the world’s aircraft manufacturers and national aviation authorities (NAAs) wait for cues as to whether, lurking in their own safety oversight systems, there may be similar unnoticed faults and failings. The Lion Air and Ethiopian Airlines accident reports are now published and Boeing has completed internal reviews. The multinational Joint Authorities Technical Review (JATR) team has examined US Federal Aviation Administration (FAA) aircraft certification processes and put forward 12 recommendations.

Safety Regulation (2) c Michael Reynolds_EPA-EFE_Shutterstock

Source: Michael Reynolds / EPA-EFE / Shutterstock

FAA recognised Boeing failings were an international problem only after second accident

It took emerging findings from the second 737 Max crash for the FAA to recognise this as an international issue, not a domestic one. Boeing aircraft are ubiquitous, after all. But when the FAA did wake up, it called for an independent international inquiry. This became the JATR, led by Christopher Hart – a former chairman of the US National Transportation Safety Board – with representatives from the NAAs of eight nations, the EU, the FAA itself and NASA. The letter written in October 2019 by Hart to FAA Associate Administrator Ali Bahrami outlining the JATR’s findings might as well have addressed the entire aviation world. It says: “Some of the broader recommendations derive from the increasing complexity of aircraft systems, particularly automated systems and the interaction and the interrelationship between systems. As aircraft systems become more complex, ensuring that the certification process adequately addresses potential operational and safety ramifications for the entire aircraft that may be caused by the failure or inappropriate operation of any system on the aircraft becomes not only far more important, but also far more difficult.”

Besides, the existing certification oversight system, Hart observed, was originally built upon the concept of compliance with regulations, rather than meeting specified safety objectives. Regulations simply cannot keep up with technological advance and digital systems integration, let alone the potential for artificial intelligence (AI), hence the general move towards a performance-based regulation philosophy. This is a process that has begun in the FAA and the European Union Aviation Safety Agency, but as a new way of thinking and working, it will take some time to embed wherever it is applied. Meanwhile, there are some simpler recommendations. The “small government” philosophy in the USA means smaller agencies. But the JATR suggests: “The workforce levels should be such that decisions to retain responsibility for finding compliance are not constrained by a lack of experienced engineers.”

There is a stark reminder – highly applicable to the 737 Max crashes – of the continuing need to “incorporate fail-safe design principles”. This is just as important – if not more – in complex integrated systems. Systems design must not, says the JATR, “rely on pilot action as a primary means of risk mitigation”. Also, assumptions about pilot reaction to system failures need to be reviewed in the light of the complexity of aircraft systems and a new generation of pilots trained in different ways. The JATR acknowledges that a degree of co-operation between the agency and the manufacturer in the certification oversight process is inevitable and even necessary. But it warns: “The FAA should emphasise that the [delegation] system should allow for direct contact between the [Boeing engineers] and the FAA technical experts without fear of reprisal [if the Boeing engineers draw attention to weaknesses].” It observes: “There are signs of undue pressure on [Boeing engineers] performing delegated functions, which may be attributed to conflicting priorities and an environment that does not support FAA requirements.” Boeing, in extremely careful terminology, admits it has improved its lines of communication between its engineers, the FAA and its own management.