Safety Report on the Treatment of Safety-Critical Systems in Transport Airplanes

Certification of systems that are critical to the safety of flight has been the focus of several recently completed National Transportation Safety Board accident investigations of transport-category airplanes: the rudder actuator in USAir flight 427 in 1999; the center wing fuel tank in TWA flight 800 in 2000; the horizontal stabilizer jackscrew in Alaska Airlines flight 261 in 2002; and the rudder system in American Airlines flight 587 in 2004. Each of these investigations raised questions about the certification process used by the FAA to determine compliance with airworthiness standards.

The purpose of this safety report is to discuss the concerns about certification raised in those investigations and to identify process improvements to FAA’s type certification of safety-critical systems in transport-category airplanes. The Safety Board recognizes that the findings in this report are presented during one of the safest periods in commercial aviation history and acknowledges that FAA’s certification process has contributed significantly to that level of safety. However, the Board notes that there is room for improvement.

The report includes three recommendations in two areas. The first area concerns the ways in which hazards to safety of flight are identified, assessed, and documented during the type certification process. The Safety Board’s analysis considered how compliance with Federal regulations is demonstrated and how the safety assessment effort is documented. Of particular concern were assessments of safety-critical systems that do not include certain structural failure conditions and human/system interaction failures.

The second area focuses on the ongoing assessment of safety-critical systems throughout the life of the airplane. The Board concluded that a program must be in place, once the type certification process is completed, to ensure the ongoing assessment of risks to safety-critical systems. Such a program must recognize that ongoing decisions about design, operations, maintenance, and continued airworthiness must be made in light of operational data, service history, lessons learned, and new knowledge, for designs that are derivatives of previously certificated airplanes.
