Cockpit Automation, Flight Systems Complexity, and Aircraft Certification: Background and Issues for Congress

The increasing complexity and automation of flight control systems pose a challenge to federal policy regarding aircraft certification and pilot training. Despite significant commercial aviation safety improvements over the past two decades, flight control automation and aircraft complexity have been cited as contributing factors in a number of major airline accidents, including two high-profile crashes overseas involving the recently introduced Boeing 737 Max variant in 2018 and 2019. These crashes have directed attention to Federal Aviation Administration (FAA) oversight of aircraft type certification and pilot training practices for transport category aircraft, particularly as they pertain to complex automated flight control systems. As aircraft systems have evolved over the past three decades to incorporate new technologies, Congress has mandated FAA to streamline certification processes, with the primary motivation being to facilitate the development of new safety-enhancing technologies.

Modern commercial aircraft rely on “fly-by-wire” flight control technologies, under which pilots’ flight control inputs are sent to computers rather than through direct mechanical linkages to flight control systems. The fly-by-wire software contains flight control laws and logic that, in addition to optimizing performance efficiency, protect the aircraft from commanded actions that could put the airplane in an unsafe state. Automated flight control systems have largely been viewed as having a positive effect on safety, and accident rates have improved considerably over the past two decades. However, the increasing complexity of automated flight systems has sometimes caused confusion and uncertainty, contributing to improper pilot actions during critical phases of flight and in some cases leading pilots to unintentionally place an aircraft in an unsafe condition. Besides designing these systems in a manner that minimizes pilot errors and the consequences of those errors, aircraft designers and operators face challenges regarding maintaining piloting skills for flight crews to be able to take over and manually fly the aircraft safely if critical systems fail. They also face challenges regarding documentation and pilot training effectiveness in building accurate mental models of how these complex systems operate. The primary goals of ongoing efforts to address these challenges are to enhance pilot situation awareness when using automation and reduce the likelihood of mode errors and confusion, while at the same time not overburdening pilots with intricate systems knowledge beyond what is necessary.

In the ongoing investigations of two Boeing 737 Max crashes, Lion Air flight 610 and Ethiopian Airlines flight 302, concerns have been raised about the design of an automated feature called the Maneuvering Characteristics Augmentation System (MCAS) and its reliance on a single angle-of-attack sensor even though the aircraft is equipped with two such sensors. These concerns led to the worldwide grounding of all Boeing 737 Max aircraft until the MCAS safety concerns can be resolved, significantly impacting both U.S. and foreign airlines that operate the aircraft. These recent aviation accidents have prompted reviews of the manner in which modern transport category aircraft are certified by FAA and its foreign counterparts, and in particular, the roles of regulators and manufacturers in the certification process.

The challenges of certifying increasingly complex aircraft are largely being met by delegating more of FAA’s certification functions to aircraft designers and manufacturers. This raises potential conflicts between safety and quality assurance on the one hand and competitive pressures to market and deliver aircraft on the other. Under Organization Designation Authorization (ODA), FAA can designate companies to carry out delegated certification functions on its behalf. Congress has supported the ODA framework and in recent FAA reauthorization legislation (P.L. 115-254) directed FAA to establish performance objectives and metrics for aircraft certification that both streamline the certification process and increase transparency and accountability for both FAA and the aviation industry. However, the Boeing 737 Max grounding has prompted reviews of the certification process to identify potential gaps in oversight. Foreign authorities have also put pressure on FAA to review its certification delegation practices, although similar approaches are used in Europe. The inquiries have led to broader discussions about aircraft certification practices and also about global training, qualification, and currency standards for airline pilots.

Cockpit Automation, Flight Systems Complexity, and Aircraft Certification: Background and Issues for Congress

October 3, 2019 (R45939)
Jump to Main Text of Report

Contents

Summary

The increasing complexity and automation of flight control systems pose a challenge to federal policy regarding aircraft certification and pilot training. Despite significant commercial aviation safety improvements over the past two decades, flight control automation and aircraft complexity have been cited as contributing factors in a number of major airline accidents, including two high-profile crashes overseas involving the recently introduced Boeing 737 Max variant in 2018 and 2019. These crashes have directed attention to Federal Aviation Administration (FAA) oversight of aircraft type certification and pilot training practices for transport category aircraft, particularly as they pertain to complex automated flight control systems. As aircraft systems have evolved over the past three decades to incorporate new technologies, Congress has mandated FAA to streamline certification processes, with the primary motivation being to facilitate the development of new safety-enhancing technologies.

Modern commercial aircraft rely on "fly-by-wire" flight control technologies, under which pilots' flight control inputs are sent to computers rather than through direct mechanical linkages to flight control systems. The fly-by-wire software contains flight control laws and logic that, in addition to optimizing performance efficiency, protect the aircraft from commanded actions that could put the airplane in an unsafe state. Automated flight control systems have largely been viewed as having a positive effect on safety, and accident rates have improved considerably over the past two decades. However, the increasing complexity of automated flight systems has sometimes caused confusion and uncertainty, contributing to improper pilot actions during critical phases of flight and in some cases leading pilots to unintentionally place an aircraft in an unsafe condition. Besides designing these systems in a manner that minimizes pilot errors and the consequences of those errors, aircraft designers and operators face challenges regarding maintaining piloting skills for flight crews to be able to take over and manually fly the aircraft safely if critical systems fail. They also face challenges regarding documentation and pilot training effectiveness in building accurate mental models of how these complex systems operate. The primary goals of ongoing efforts to address these challenges are to enhance pilot situation awareness when using automation and reduce the likelihood of mode errors and confusion, while at the same time not overburdening pilots with intricate systems knowledge beyond what is necessary.

In the ongoing investigations of two Boeing 737 Max crashes, Lion Air flight 610 and Ethiopian Airlines flight 302, concerns have been raised about the design of an automated feature called the Maneuvering Characteristics Augmentation System (MCAS) and its reliance on a single angle-of-attack sensor even though the aircraft is equipped with two such sensors. These concerns led to the worldwide grounding of all Boeing 737 Max aircraft until the MCAS safety concerns can be resolved, significantly impacting both U.S. and foreign airlines that operate the aircraft. These recent aviation accidents have prompted reviews of the manner in which modern transport category aircraft are certified by FAA and its foreign counterparts, and in particular, the roles of regulators and manufacturers in the certification process.

The challenges of certifying increasingly complex aircraft are largely being met by delegating more of FAA's certification functions to aircraft designers and manufacturers. This raises potential conflicts between safety and quality assurance on the one hand and competitive pressures to market and deliver aircraft on the other. Under Organization Designation Authorization (ODA), FAA can designate companies to carry out delegated certification functions on its behalf. Congress has supported the ODA framework and in recent FAA reauthorization legislation (P.L. 115-254) directed FAA to establish performance objectives and metrics for aircraft certification that both streamline the certification process and increase transparency and accountability for both FAA and the aviation industry. However, the Boeing 737 Max grounding has prompted reviews of the certification process to identify potential gaps in oversight. Foreign authorities have also put pressure on FAA to review its certification delegation practices, although similar approaches are used in Europe. The inquiries have led to broader discussions about aircraft certification practices and also about global training, qualification, and currency standards for airline pilots.


Background

The increasing complexity and automation of flight control systems pose a challenge to federal policy regarding aircraft certification and pilot training. Over the past 30 years, pilot confusion in the face of unintended or unanticipated behaviors of cockpit automation has been implicated in a number of accidents and safety incidents. High-profile accidents overseas in 2018 and 2019 led to the grounding of the worldwide fleet of Boeing 737 Max aircraft and prompted investigations and policy inquiries regarding the design and certification of commercial airplanes. These inquiries have focused on three key policy issues:

  • 1. the adequacy of standards and regulations pertaining to the design of cockpit interfaces between pilots and aircraft systems and to pilot training;
  • 2. appropriate policies, standards, and regulations regarding the safety design of aircraft systems and sensors to ensure adequate fault and error detection, fault tolerance, and redundancy; and
  • 3. the certification process for new aircraft technologies, and the roles of the Federal Aviation Administration (FAA) and other national regulators in certification.

Modern jet airliners rely on numerous automated features to assist and alert pilots as well as to prevent aircraft from getting into precarious and potentially dangerous situations. In many cases, pilots' lack of understanding or familiarity with the design and operation of these automated features has led to inappropriate use of automation or inappropriate responses when cockpit automation has gone awry. In other cases, latent flaws and unintended consequences of highly complex automated flight control systems designs have been implicated in commercial airplane accidents. The complexity of these automated systems has also raised questions about the manner in which new aircraft flight control system designs are evaluated and certified.

Two crashes involving the recently introduced Boeing 737 Max airplane prompted the grounding of the worldwide fleet of that model. The ensuing investigations into the process for certifying the Boeing 737 Max have triggered broader discussions about aircraft certification practices in general and also about global training, qualification, and flight currency standards for pilots flying commercial airplanes. The focus on aviation safety surrounding the Boeing 737 Max grounding has highlighted a number of long-standing challenges associated with systems design, failure and risk analysis, human-interface design of automated cockpits, aircraft-specific pilot training, and oversight of the certification processes under which these challenges are addressed in the design of new aircraft. These subjects are now the focus of a global policy debate.

Commercial Airline Safety Record

The two 737 Max crashes notwithstanding, the safety record of commercial airlines operating transport category airplanes1 is unsurpassed among modern transportation systems. Worldwide, the accident rate among scheduled commercial passenger operations for the 10-year period from 2008 through 2017 was 0.44 accidents per 100,000 flight departures, or roughly one accident in every 227,272 departures. The fatal accident rate was 0.16 per 100,000 departures, or roughly one fatal accident for every 625,000 departures.2 In Europe, Canada, and the United States, accident rates are even lower.

1996 White House Commission

The recent safety record of U.S. air carriers demonstrates a marked improvement from the decade of the 1990s, which saw a spate of U.S. air carrier accidents, including several fatal crashes (see Appendix A). In 1996, the crash of Valujet flight 592 raised congressional concerns over airline safety and FAA oversight of air carriers. In response, the Federal Aviation Reauthorization Act of 1996 (P.L. 106-264) eliminated FAA's role in promoting civil aeronautics and air commerce and mandated safety as its top priority. The legislation also established a framework of legal protections for voluntary safety reporting programs designed to encourage individuals to report safety concerns with protection from retribution.

Also in 1996, following the crash of TWA flight 800, a Boeing 747 en route from New York to Paris, President Clinton established the White House Commission on Aviation Safety and Security. The commission was chaired by Vice President Gore and is commonly referred to as the Gore Commission. The commission urged policymakers to make aviation safety, as well as aviation security, a national priority. In particular, it set a goal of "reducing the rate of accidents by a factor of five within a decade," and advocated for "a re-engineering of the FAA's regulatory and certification programs to achieve that goal."3 The plan included recommendations for

  • establishing standards for continuous safety improvement and targeting regulatory resources based on performance against those standards;
  • developing vigorous certification standards, and the development of additional certification tools and processes to encourage the introduction of new technologies;
  • establishing performance-based regulations rather than dictating procedures in order to "break the regulatory logjam";4
  • emphasizing human factors and training to "address issues relating to human interaction with changing technologies";5
  • developing standard databases of safety information that can be shared openly while protecting trade secrets and protecting industry employees who voluntarily disclose information about safety violations; and
  • developing better quantitative models and analytic techniques to inform management decisionmaking.

Of particular note, the Gore Commission emphasized the streamlining of certification processes and regulations to accelerate the adoption of new aircraft technologies in the hope that this would bring operational safety improvements.

Safety Improvements over the Past Two Decades

Commercial airline safety in the United States improved following the Gore Commission report, despite some major commercial airline accidents in the late 1990s and early 2000s. Fatal accidents involving major U.S. passenger airlines during this period included the June 1, 1999, crash of American Airlines at Little Rock, AR; the Alaska Airlines crash off the coast of California on January 31, 2000; and the crash of American Airlines flight 587 near JFK International Airport in New York on November 12, 2001.

Commercial aviation safety data since 2002 show a marked improvement compared to the 1990s, particularly among major U.S. airlines (Figure 1). In more recent years, attention has shifted to the safety of the regional airlines6 that operate almost half of all scheduled domestic flights in the United States. In the 2000s, there were six regional airline accidents involving passenger fatalities, resulting in a total of 149 deaths, in addition to several crashes not involving passenger fatalities. Four of the six regional accidents resulting in passenger fatalities during the 2000s were attributed to human factors affecting flight crews, including pilots' failure to adhere to proper procedures, deficiencies in training, and fatigue.

Figure 1. U.S. Air Carrier Accident Rates Per 100,000 Departures

1980-2017

Source: CRS analysis of U.S. Department of Transportation, Bureau of Transportation Statistics, National Transportation Statistics 2018, U.S. Air Carrier Safety Data.

Notes: (R): Revised; (P): Preliminary; 2001 data include the four aircraft involved in the September 11 terrorist attacks.

Following the crash of a regional turboprop near Buffalo, NY, in February 2009 that killed all 45 on board, the Airline Safety and Federal Aviation Administration Extension Act of 2010 (P.L. 111-216) was enacted on August 1, 2010. That legislation mandated revised regulations generally requiring pilots to accumulate 1,500 hours of total flight time before being eligible to be a first officer aboard a commercial airliner in the United States. It also required pilots to accumulate an additional 1,000 hours of flight time in commercial airline operations before becoming a captain and serving as pilot in command. The legislation directed FAA to order improvements to airline training programs, including formal mentoring, leadership, and professional development programs for pilots; institute reforms to flight time and rest rules for pilots; and require that airlines establish formal approaches to safety management.

Following the February 2009 crash, more than nine years passed before U.S. air carriers suffered another passenger fatality. On April 17, 2018, a passenger was killed when uncontained engine failure on a Southwest Airlines Boeing 737 damaged the fuselage and broke a cabin window, causing a rapid depressurization of the aircraft cabin. Other incidents resulting in serious passenger injuries aboard U.S. air carrier flights in recent years have most often been linked to inflight turbulence. The small number of domestic air carrier accidents in the United States over the past decade has made it difficult for safety experts to identify meaningful accident trends without examining the safety performance of aviation systems in other countries. Low accident rates have also prompted researchers to look beyond accident data to trends in safety incidents and reported unsafe practices to identify and remediate safety deficiencies.

Worldwide Aviation Safety Trends

Worldwide aviation safety metrics point to continual improvements in commercial flight safety, corresponding to the trend in the United States. Worldwide, fatal accident rates for commercial airliners have dropped from about 4.2 per million flights in 1977 to less than 0.4 per million flights in 2017.7 Between 2014 and 2018, the fatal accident rate globally was 0.21 per million flights, but it was considerably lower in North America, Europe, and North Asia (Table 1).8

Table 1. Commercial Aviation Accident Rates

Per million flights, 2014-2018

World Region

Fatal Accidents

All Accidents

North America

0.11

1.58

Europe

0.07

0.79

North Asia

0.08

0.43

Africa

1.03

6.04

Asia-Pacific

0.26

2.26

Middle East and North Africa

0.31

2.19

Latin America and the Caribbean

0.25

2.16

Commonwealth of Independent States

1.06

4.22

Worldwide

0.21

1.08

Source: International Air Transport Association.

While airline safety has shown overall improvements over time, safety indicators in certain regions remain a considerable concern to some. In particular, both the International Civil Aviation Organization (ICAO), a United Nations agency,9 and the International Air Transport Association (IATA),10 an industry group, have expressed concern about safety in Africa and the Asia-Pacific region. IATA found that, between 2014 and 2018, both the overall accident and the fatal accident rates for airlines in Africa were more than five times the worldwide average at 6.04 accidents and 1.03 fatal accidents per million flights. Between 2014 and 2018, the Asia-Pacific region stood out as having the highest number of airline accidents and the highest number of accident-related fatalities among world regions, accounting for 77 accidents and 748 fatalities over this period.11 While the region includes countries like Australia and New Zealand that have safety records on par with North America and Europe, it also includes the Philippines, Indonesia, and other countries in Southeast Asia that lag on aviation safety performance. In both Africa and the Asia-Pacific region, lax regulatory oversight and poor flight crew performance have been identified as primary contributors to comparatively high accident rates.

Worldwide commercial airline safety has come under scrutiny following two high-profile crashes overseas involving the recently introduced Boeing 737 Max variant in 2018 and 2019. These accidents prompted the grounding of the entire worldwide fleet of 737 Max aircraft. Because FAA has the principal authority for certifying this aircraft, the crashes drew attention to FAA's certification process for that aircraft and raised broader questions about aircraft type certification practices for transport category aircraft.

Aircraft Complexity and Systems Safety

Many aviation safety experts attribute the safety advancements in commercial aviation over the past three decades, at least in part, to improvements in aircraft systems technology and flight deck automation. Paradoxically, these same factors have been implicated as causal or contributing factors in several aviation accidents and incidents.

Modern aircraft flight systems incorporate advanced autopilot systems as well as traditional flight controls that interface with computers instead of directly actuating flight control surfaces, such as the rudders, ailerons, and elevators that control an airplane's movement in flight (see Figure 2).

Flight data computers aboard the aircraft continuously analyze pilot inputs, aircraft states, and environmental factors, like winds, to maneuver the aircraft safely and efficiently. When the autopilot is engaged, flight control computers will command inputs to the flight control surfaces and aircraft engines to achieve the desired inputs in a manner that is optimized for efficiency. When pilots are flying manually, displays such as a flight director provide visual aids to pilots to achieve desired states of flight (e.g., a particular altitude, airspeed, or heading) most efficiently.12 The flight computers also continuously monitor pilot or autopilot inputs, aircraft states, and environmental states (e.g., winds) to ensure that the airplane continues to fly safely.

These systems and displays are designed to enhance safety by improving pilot situation awareness, reducing pilot workload, and monitoring aircraft and aircraft system states to prevent unsafe operations such as flying at too high of a pitch angle or at too steep of a bank. However, the complexity of the modern cockpit can present considerable challenges to pilots, potentially leading to confusion and errors, particularly in high-workload situations. If these errors go undetected or if they are compounded by other mistakes or other situational factors, they can potentially lead to a serious incident or accident under rare and unusual circumstances.

Worldwide, the most common causes of commercial jet accidents are (1) loss of control in flight and (2) controlled flight into terrain, two categories that often involve incomplete pilot situation awareness, poor judgment, and human errors in interaction with complex aircraft systems.13 The third most common type of accident, runway excursions (i.e., aircraft running off the end or side of a runway), also typically can be traced back to pilot performance and pilot understanding of aircraft performance, environmental factors, and flight control systems. Pilots require advanced training to understand the various features, modes, capabilities, and limitations of advanced flight control systems under various flight conditions.

Figure 2. Aircraft Control Surfaces and Axes of Motion

Source: CRS adaptation of graphic and information presented in International Civil Aviation Organization (ICAO), Airplane Upset Prevention & Recovery Training Aid for Transport Category Airplanes (Rev 3), https://www.icao.int/safety/loci/auprta/index.html.

Fly-by-Wire Systems

Airbus was the first manufacturer to incorporate computer interfaces between pilots and flight controls, commonly known as fly-by-wire technology, into commercial transport airplanes with the introduction of the A320, which entered service in 1988. In a fly-by-wire system, various sensors provide data to the flight control computers, which they, in turn, assess and analyze. The computers are linked to actuators, such as servo motors, that operate the flight controls and also to displays that provide pilots with information and alerts about aircraft performance and aircraft system states. Fly-by-wire technology offers a number of advantages over flight control systems operated using direct mechanical linkages between cockpit controls and the aircraft's control surfaces. First, the reduction in the number of mechanical parts and linkages can reduce aircraft weight considerably. Additionally, the systems can incorporate additional redundancies without adding as much weight as would be required with redundant mechanical systems.

Redundancy

Redundancy is achieved in a fly-by-wire system through multiple sensors and multiple flight data computers that can cross-check each other. Typically, triple redundancy is built into fly-by-wire flight control systems: three flight control computers continuously monitor pilot inputs and aircraft sensor data and cross-check for any anomalies in information or in computations based on inputs.

Flight Control Laws

The flight data computers also incorporate what engineers refer to as "flight control laws," logic embedded in the firmware and software that govern flight dynamics. These flight control laws can be designed to simplify the training required for a pilot to transition between different variants of an aircraft model and even different aircraft models. This is achieved by programming the flight control systems of an updated model of aircraft to perform similarly to those of existing aircraft despite differences in weight, power, and other factors that affect the aerodynamic performance. Minimizing handling differences between aircraft and designing cockpits of different models to have a similar look and feel can save airlines considerable time and money in training pilots to fly new aircraft. For this reason, manufacturers often seek to design aircraft to minimize the training requirements to transition to the new aircraft, known in the industry as "differences training." Another often-cited advantage of fly-by-wire system flight control laws is the capability to protect the aircraft from operating outside a defined envelope of parameters (such as limits with respect to pitch, bank, and airspeed) that define the boundaries of safe flight operation.

Flight Envelope Protection

An airplane's flight envelope refers to its performance limitations and design capabilities with respect to aircraft attitude,14 airspeed, and aerodynamic loads. In fly-by-wire aircraft, logic is built into the flight control computer systems to inhibit maneuvers that might place the aircraft outside this envelope of safe operational conditions. The flight envelope is multidimensional and is affected by factors such as aircraft weight, center-of-gravity, airspeed, altitude, and winds. It also depends on the aircraft's configuration (e.g., whether it is configured for takeoff, for landing, or for cruise flight, and the position of aircraft flaps and slats). For this reason, the flight envelope protection logic involves continuous monitoring of the state of the aircraft with respect to its flight envelope.

Flight control computers continuously receive and analyze data from airspeed sensors that take inputs from pitot tubes and static ports, angle-of-attack indicators that take data from vanes attached to the side of the fuselage, inertial units, gyroscopes, and accelerometers that sense aircraft attitude along all three axes (pitch, roll, and yaw) and acceleration along these axes, and, of course, altimeters and temperature sensors. Sensors also monitor engine thrust, fuel flow, and various other engine performance parameters, as well as aircraft configuration, including the position of various aircraft control surfaces like ailerons, vertical stabilizers, trim tabs, and wing flaps and slats. Every input made by the pilots when the airplane is being flown manually is also captured by sensors linked to the flight control computers.

The manner in which the flight control automation responds to information from the various aircraft sensors depends, in part, on the manner in which the aircraft is being flown. If the airplane is being operated on autopilot and with autothrottles engaged, then the computers will largely operate directly to control the airplane to achieve objectives that the pilots have entered on a control panel, including things such as desired altitude, desired heading or course, airspeed, and climb or descent rates. If, on the other hand, pilots are operating the flight controls manually, the computers will provide them with information to guide maneuvers, and the flight envelope protections will override unsafe pilot actions such as commanding too much pitch up or too steep of a bank.

Under normal conditions, these flight envelope protections will limit pilots' actions. However, in some situations, the computers may disable some of these protections by switching the flight control systems to what are referred to as alternate or secondary laws, direct laws, and mechanical backup modes. In these alternative states there are fewer flight envelope protections, and the pilots have progressively more direct control over the airplane.15 Pilot understanding of these various flight envelope protections and, particularly, awareness of how flight control systems behave in the various modes has been a critical safety consideration in the design of fly-by-wire systems and highly automated cockpits.16

Impact of Cockpit Automation on Aviation Safety

The implications of modern flight deck automated systems design have been an issue of concern for more than two decades. In 1996, a human factors17 team convened by FAA released a comprehensive study of interfaces between flight crews and highly automated aircraft systems with a focus on interfaces affecting flight path management.18

The study was prompted by the April 26, 1994, crash of a China Airlines Airbus A300-600 at Nagoya, Japan, that stalled while attempting to perform a go-around during its landing approach, killing 264 of the 271 occupants. The event was triggered by the inadvertent activation of an autothrottle takeoff/go-around button, located on the throttle lever, during the approach to landing, and the flight crew's apparent lack of understanding as to how to disengage and override the autothrottle. The plane's autothrottle software had not been upgraded to disengage if certain manual inputs, including forward yoke movement, were made. This differed from the behavior of a training simulator that the accident pilot practiced on as well as the Boeing 747 that he had spent most of his career flying.

The FAA human factors team found that pilots often lacked adequate understanding of automated systems and were often surprised by the behavior of automated flight control features. Moreover, flight crew situation awareness suffered from a lack of complete understanding of what modes or states automated features were in and the behavior of automated features in these states. It also was affected by poor understanding of current status regarding flight path and aircraft attitude, terrain clearance, and airspeed. The team made recommendations regarding design and certification of automated systems; pilot training; flight crew situation awareness, communication, and coordination; and ways to encourage and measure safety enhancements.

The work prompted FAA to revise its certification requirements for flight guidance systems in 2006.19 Specifically, under 14 C.F.R. §25.1329, the design must incorporate quick disengagement controls for the autopilot and autothrust functions, and the effects of disengaging automatic features must be minor. Similarly, sensors or mode selections may not cause anything beyond a minor transient change to the aircraft's flight path under normal conditions. Automated flight guidance systems must also provide protections to avoid unsafe speeds or pitch or bank attitudes, and under no circumstances should the systems be capable of executing maneuvers that would produce hazardous forces or loads on the airplane. The regulations also require that controls be clearly labeled and designed to minimize flight crew errors and confusion. Additionally, flight crews must be alerted when automated flight guidance features disengage, and autopilot systems must not create potential hazards when overridden by manual flight control inputs.

Despite the changes made to address human factors issues in flight guidance system design, the interface between pilots and automated flight guidance systems remains at the crux of commercial aviation safety. This issue has been highlighted in several high-profile international aviation accidents that have occurred over the past decade.

Air France Flight 447

Air France flight 447, an Airbus A330, crashed in the Atlantic Ocean on June 1, 2009, en route from Rio de Janeiro, Brazil, to Paris, France, killing all 228 on board. After lengthy efforts to locate the wreckage and recover the flight data and cockpit voice recorders, found lying on the ocean floor at a depth of about 13,000 feet, a detailed investigation was launched to determine the circumstances and safety implications of the crash. The investigation, led by the French Bureau d'Enquêtes et d'Analyses pour la Sécurité de l'Aviation Civile (BEA), found that icing on the airplane's pitot tubes resulted in a temporary inconsistency in airspeed measurements that caused the flight computers to disconnect the autopilot and switch the flight control logic into a different mode, known as an alternate law, in which normal protections against aerodynamic stalls and steep banks were disabled.

Investigators concluded that the pilots failed to properly assess the situation and instead made inappropriate control inputs that destabilized the airplane, resulting in an aerodynamic stall.20 The crew failed to detect the stall and consequently did not make control inputs to recover from it. Investigators identified several factors that likely contributed to the flight crew's confusion and lack of appropriate response, including the lack of a clear display in the cockpit indicating airspeed inconsistencies identified by the computers, transient stall warnings that may have been considered spurious, the absence of visual information to confirm an approach-to-stall, possible confusion with an overspeed situation that, like a stall, could be accompanied by airframe buffeting, and difficulty in recognizing the shift to an alternate control law with no angle-of-attack protections. Several aviation experts cautioned that the Air France flight 447 disaster might be a harbinger of the latent dangers of highly complex, highly automated flight control designs.21

Asiana Airlines Flight 214

On July 6, 2013, a Boeing 777 operated by Asiana Airlines descended below the visual approach path and hit a seawall short of the runway at San Francisco International Airport. The impact tore the fuselage in two and ignited a post-crash fire. Three passengers were fatally injured and another 40 passengers, along with 9 crew members, suffered serious injuries. Others suffered less serious injuries.

The National Transportation Safety Board (NTSB) determined that the complexities of the airplane's autopilot and autothrottle systems contributed to the accident.22 The NTSB noted that Boeing documentation describing those systems and the airline's training in the use of those systems were inadequate and increased the likelihood of a mode error, a situation in which the pilots misunderstood the state of the automated system and its operation during the approach. Specifically, the flight crew interacted with the autopilot and throttles in a manner that put the system into a state in which the autothrottle no longer controlled the airplane's airspeed. However, the flight crew apparently failed to understand that this mode or state was contributing to a continual decrease in airspeed that, coupled with too steep an approach, left the airplane flying too low and too slowly.

The NTSB made a number of recommendations to improve flight crew understanding of the Boeing 777 autothrottle system and modes. It also called for a broader examination of the functionality of automated flightpath management systems and of the documentation and training guidance on the use of these systems.

Lion Air Flight 610 and Ethiopian Airlines Flight 302

On October 29, 2018, Lion Air flight 610, a Boeing 737 Max 8 aircraft, crashed into the Java Sea shortly after takeoff from Jakarta, Indonesia, killing all 189 on board. A preliminary report on that crash noted that on the accident flight and on a flight by the same aircraft the previous day, flight data indicated discrepancies between the angle-of-attack sensor on the left side of the aircraft, which had been replaced two days prior to the accident, and the sensor mounted on the right side of the aircraft.23 Multiple automatic nose-down trim commands occurred during the last six to seven minutes of the accident flight, which the pilots attempted to counteract unsuccessfully by applying nose-up pitch trim commands. At the end of the recorded flight data, the vertical stabilizer had moved to almost the full nose-down position, and the airplane was in a steep dive.

The second accident occurred on March 10, 2019, when Ethiopian Airlines flight 302 crashed shortly after departure from Addis Ababa, Ethiopia, killing all 157 on board. The preliminary report from that accident reveals several similarities to the Lion Air flight 610 crash.24 Notably, immediately upon takeoff and for the short duration of the flight, the left angle-of-attack sensor indicated an extremely high pitch (roughly 75 degrees nose up), while the angle-of-attack sensor on the right side appeared to report normal pitch variations of a few degrees consistent with a takeoff climb. Over the next few minutes the aircraft experienced a series of automatic aircraft nose-down trim commands. The flight data from the accident similarly ends with the pitch trim at almost a full nose-down position with the aircraft in a steep descent.

The Boeing 737 Max Grounding

The circumstances of the two Boeing 737 Max crashes led authorities in several countries, including China and the European Union (EU), to ground 737 Max airplanes as the crashes and the aircraft systems involved were investigated. Initially, FAA, Boeing, and U.S. air carriers did not follow suit. One day after the Ethiopian Airlines crash, FAA instead notified international civil aviation authorities that it anticipated mandatory design changes to be instituted no later than April 2019. However, on March 13, 2019, FAA issued an emergency order grounding all 737 Max aircraft. That order25 remains in place as Boeing seeks to fix identified flight control system issues in ways acceptable to FAA and safety regulators in other countries.

The concerns center on how the Boeing 737 Max flight control systems were implemented to counteract high angle-of-attack26 conditions that could result in unsafe high-pitch situations and potential aerodynamic stalls27 and the single sensor Boeing relied on to detect these high angle-of-attack conditions. Designers of the Boeing 737 Max took a different approach to designing high angle-of-attack protection systems because the use of larger-diameter engines compared to earlier 737 models necessitated mounting those engines further forward and higher.28 Under certain conditions, high engine power from these further forward-slung engines could pitch the aircraft up. To address this, Boeing engineered an automated feature, called the Maneuvering Characteristics Augmentation System (MCAS), to counteract such undesirable and potentially unstable pitch up events.

The Maneuvering Characteristics Augmentation System Design

The MCAS system, as equipped on the two accident airplanes, reportedly receives aircraft angle-of-attack data from only one of the airplane's two angle-of-attack sensors. The sensors are essentially sensitive wind vanes affixed to the side of the fuselage that precisely measure the relative airflow and thereby convey information about the aircraft's pitch angle relative to the airflow around it. On November 7, 2018, following the Lion Air flight 610 crash, FAA issued an emergency directive29 ordering U.S. operators of Boeing 737 Max airplanes to apply runaway stabilizer procedures, that is, approved pilot actions to address an uncommanded pitch-down event, in situations involving erroneous high angle-of-attack indications that might trigger repeated nose-down trim commands by the MCAS. In December 2018, FAA expanded the scope of the airworthiness directive, ordering the procedural change for all Boeing 737 Max airplanes worldwide.30

The control laws for the MCAS have been described as being separate from and not integrated with the other flight control laws and logic embedded in the 737 Max air data computers.31 In engineer-speak, the MCAS is characterized as a federated systems architecture, that is one packaged in a self-contained unit that carries out its own unique functions.32 The MCAS control laws as originally designed only received inputs from a single angle-of-attack sensor located on either the left or right side of the aircraft, although the airplanes were equipped with two such sensors, one on each side. The MCAS was added to the Boeing 737 Max as a means to address longitudinal (pitch) stability requirements. Reportedly, the system is only needed and will only activate in highly unusual circumstances.33 Under most normal flight conditions, the MCAS should not be needed. However, on both Lion Air flight 610 and Ethiopian Airlines flight 302, it is suspected that the MCAS did engage because it received faulty data from the angle-of-attack sensor falsely indicating that the aircraft was in a nose-high attitude. In response to sensor data indicating a nose-high pitch, the MCAS would actuate a nose-down pitch trim command. Moreover, if the pilots counteracted this nose-down actuation with a nose-up pitch trim, the MCAS would reset after five seconds, then repeat the nose-down pitch command again, and would repeat this cycle for as long as it continued to sense that the aircraft was in a nose-high attitude, even if based on errant sensor data.

Much of the engineering work done to address the safety concerns that led to the Boeing 737 Max grounding has focused on fixes to the MCAS system design and control laws. Where the original MCAS design relied on input from a single angle-of-attack sensor, the redesigned system will rely on two. Additionally, the new MCAS system will reportedly perform additional checks for reasonableness of data based on average values and for low-to-high data transitions that might indicate a catastrophic failure of the sensor. Boeing refers to this as a triple-validity check of the angle-of-attack sensor data. All 737 Max aircraft reportedly will also be fitted with angle-of-attack sensor disagree warnings to alert pilots when a sensor might be providing errant data. In addition to the redundancies being built into the MCAS sensor inputs, the MCAS control logic is reportedly being revised to limit the manner in which it applies nose-down stabilizer trim commands. Whereas the original system continued to apply repeated nose-down trim commands even if pilots tried to counteract it, the new system reportedly will not reset after a pilot makes electric pitch trim inputs. Also, the redesigned MCAS will not continue to trim the nose down to values close to the stabilizer trim limits, but instead will leave adequate nose-up pitch trim authority for pilots to work with.34

Scrutiny of the Boeing 737 Max Certification Process

The Boeing 737 Max grounding has prompted broader inquiries regarding the entire certification process for that aircraft and the steps being taken to certify Boeing's proposed design changes to sensors and the flight control system. FAA stated that it "is following a thorough process, not a prescribed timeline, for returning the Boeing 737 Max to passenger service. The FAA will lift the aircraft's prohibition order when we deem it safe to do so."35 FAA has convened a technical advisory board to review Boeing's MCAS software update and systems safety assessment and provide recommendations for steps needed to certify Boeing's changes and return the aircraft to service. Regulators in several other countries are pursuing reviews independently.

In April 2019, FAA convened a multinational Joint Authorities Technical Review (JATR) chaired by former NTSB Chairman Christopher Hart to conduct a comprehensive review of the Boeing 737 Max aircraft's automated flight control system certification. The JATR is composed of experts from FAA, the National Aeronautics and Space Administration (NASA), and foreign aviation authorities and was convened to "evaluate aspects of the 737 Max automated flight control system, including its design and pilots' interaction with the system, to determine its compliance with all applicable regulations and to identify future enhancements that might be needed."36 Representatives from air safety authorities in Canada and the European Union, as well as experts from Australia, Brazil, China, Japan, Indonesia, Singapore, and the United Arab Emirates, are participating on the JATR. The findings of the JATR review may help to develop international consensus regarding pilot interaction with Boeing 737 Max automated flight control systems and associated pilot training. The panel's work is separate from and not a required input to FAA and Boeing's ongoing work to address safety concerns identified by the two accidents and certify the aircraft for a return to service.

Separately, the Department of Transportation Office of Inspector General announced on March 27, 2019, that it was initiating an audit of FAA's oversight of the Boeing 737 Max certification. The focus of the audit is on FAA's process for certifying the Boeing 737 Max series of aircraft based on a detailed factual history of the activities that culminated in the aircraft's certification.

Additionally, the Department of Justice has reportedly launched a criminal probe based on a broad subpoena issued by a Washington, DC, grand jury immediately following the Ethiopian Airlines crash in March 2019.37 In June 2019, it was reported that the criminal investigation had expanded beyond the Boeing 737 Max to include certification work done on the Boeing 787 "Dreamliner," Boeing's most recent entirely new type design, which first entered commercial service in 2011.38 The Boeing 787 fleet was grounded by FAA for roughly a three-month period in early 2013, following a number of in-flight fires and electrical problems tied to lithium ion batteries installed on the airplane. This marked the first time an entire fleet of a particular aircraft type was grounded since 1979, when the entire fleet of McDonnell Douglas DC-10s was grounded over a problematic cargo door design. The grounding of the Boeing 787 prompted an NTSB investigation that questioned the certification process for and testing of lithium ion batteries and other emerging technologies, resulting in a series of certification recommendations, including a recommendation that panels of expert consultants be included early in the certification process for new technologies installed on aircraft.39

In September 2019, NTSB issued a number of safety recommendations to FAA and to Boeing urging action to address design assumptions about pilot response to uncommanded flight control system events like an MCAS activation in the certification process.40 NTSB urged Boeing to ensure that assessments of the 737 Max consider the effect of all possible cockpit alerts and indications on pilot recognition and response and incorporate these factors into cockpit design changes as well as pilot procedures and training. It similarly urged FAA to change certification standards to ensure that cockpit designs are evaluated to ensure that cockpit warnings and indicators are assessed for pilot recognition and response and this information is incorporated into procedures and training requirements. NTSB also recommended that FAA develop and implement evaluation tools, based on input from industry and human factors experts, to help inform aircraft design certification regarding pilot response to safety-significant failure conditions.

Boeing 737 Rudder Malfunctions in the 1990s

The current grounding of the Boeing 737 Max is not the first time the Boeing 737 has come under scrutiny. In the 1990s, two fatal accidents and another incident in the United States were attributed to uncommanded deflections of the airplanes' tail rudder. 737 aircraft of that era had rudder control systems that were powered by a single power control unit (PCU). Although the Boeing 737 fleet was never grounded over the issue, FAA ordered a fix that required all existing Boeing 737s to be retrofitted with a new rudder control system including two separate servo valves and a standby PCU with an override mechanism and a flight deck annunciator to alert flight crews of a rudder control system failure.

While the 737 rudder problems experienced in the 1990s and the current questions about the MCAS system on the 737 Max aircraft involve different systems, they raise some common issues and concerns with respect to safety design and aircraft certification. In the accidents involving the rudder system as well as the recent accidents that have raised concerns about the MCAS system, uncommanded and unexpected aircraft performance behaviors startled the flight crews. Moreover, these actions involved systems that lacked redundancy: a single rudder PCU and a single MCAS system that received inputs from a single angle-of-attack sensor. Additionally, the suspected triggering events that led to these uncommanded inputs involved rare and perhaps overlooked scenarios: a momentary rudder jam caused by mechanical interference and suspected errant angle-of-attack data supplied by a faulty sensor. Concerns over the design of these systems raise broader concerns about the need for built-in redundancies in systems designs as well as a need for thorough systems failure risk analyses during the design and throughout the life cycle of complex systems like modern airliners.

Sensor Data and Flight Control Automation as Factors in Aircraft Mishaps

In many accidents and incidents, including the crash of Air France flight 447 and possibly including the Boeing 737 Max crashes, faulty sensor data set off a chain of subsequent events that ended in tragedy. Faulty sensor data can give automated systems and pilots inaccurate or incomplete information about airspeed, altitude, pitch, bank, and other aircraft parameters that can result in inappropriate flight commands and a loss of situation awareness. Design considerations during aircraft development, including engineering assessments of potential fault conditions, may not adequately take the risk of sensor failures into account.

In the Air France flight 447 crash, airspeed data became unreliable after all three pitot tubes that measure air flow iced over, but a simple cross-check of the airplane's groundspeed based on Global Positioning Satellite (GPS) sensor readings coupled with computer models of winds at the airplane's altitude could have served as a means to detect the anomalies in the airspeed data and provide a rough approximation of what the actual airspeed was.41

Some researchers argue that certain critical systems on aircraft rely on data from too few sensors and fail to adequately aggregate and integrate available sensor data.42 Advances in sensor fusion, that is, taking and analyzing data from a more robust set of onboard sensors, may offer opportunities to improve sensor fault detection and flight control system recovery techniques.

Implications for Human Factors and Pilot Training

Automation-related aviation accidents such as those involving the 737 Max have brought complex human-systems interaction to the forefront of public policy. As noted, a number of accidents have also involved either failures of automated systems or pilot confusion over the operation of automated features resulting in improper interaction with these systems.

Research has shown that piloting skills associated with maneuvering aircraft using manual controls decline as a consequence of flying highly automated aircraft. Studies indicate that pilots often do not understand how automated features operate and the modes and states of automation in the cockpit. Additionally, some research has shown that pilots may overestimate their ability to take over and safely maneuver the aircraft in situations when automation fails, particularly given the likelihood of unanticipated distractions in the cockpit during a system failure.43 These studies have raised questions about approaches to training pilots on highly automated aircraft.44

Complicating matters further, automated systems on modern air transport airplanes are highly adaptable. As a consequence, different air carriers and individual pilots use various different automated features and modes to suit their particular operational needs and personal preferences. For example, some pilots might minimize the use of automation to stay more engaged with piloting the aircraft and avoid boredom and complacency, while others might rely more heavily on automation to reduce workload.45 Experts continue to debate whether greater standardization of operations and training is desirable.

In January 2016 a DOT Office of Inspector General audit found that while FAA had established certain requirements governing airline use of flight deck automation, it lacked a process to ensure that airline training and proficiency standards adequately addressed pilot monitoring capabilities.46 In response, Section 2102 of the FAA Extension, Safety, and Security Act of 2016 (P.L. 114-190) directed FAA to develop a process for verifying that air carrier flight crew training programs incorporate automated systems monitoring and manual flying skills when autopilot or autoflight systems are not engaged. It also required FAA to establish metrics to gauge pilot proficiency, and issue guidance for implementing and overseeing enhanced pilot training. Subsequently, the Air Carrier Training Aviation Rulemaking Committee, established by FAA in response to NTSB recommendations issued in the wake of the Asiana Airlines flight 214 crash, has made a number of recommendations addressing training elements pertaining to pilot monitoring, as well as training and procedures to enhance operational mode awareness and manually recover from unintended autoflight states. FAA is incorporating these recommendations into its guidance for airline training programs and is considering rulemaking to address the design of flight crew interfaces and cockpit alerting systems. 47

Implications for Aircraft Type Certification

Aircraft type certification refers to the process of reviewing engineering data and performing inspections and tests to certify compliance with regulatory requirements and minimum standards for aircraft design and airworthiness. In addition to certifying new aircraft types, FAA inspects and tests variants of existing aircraft types to assess whether they can be covered under an existing aircraft type certification or whether the changes in design, power, thrust, or weight are so extensive as to require a new type design.48 These are primarily responsibilities of the FAA Aircraft Certification Service.49 This process typically involves extensive examinations, inspections, engineering tests and evaluations, and flight tests in which an aircraft designer or manufacturer must satisfactorily demonstrate that the aircraft and its systems and components meet safety standards and are safe for flight.

Type certification is the first step in bringing a new aircraft or new aircraft technologies incorporated into the design of an existing aircraft to market. Once an aircraft design is type certified, a manufacturer must demonstrate that it can reliably reproduce that aircraft type to receive production certification to build deliverable aircraft. Upon final assembly, every completed aircraft must undergo examinations, inspections, and tests before it receives airworthiness certification and can begin routine operations for an airline or other operator (see Figure 3). Airworthiness certification has long been a delegated function carried out largely by FAA designees, be they employees of the manufacturer or consultants.

After an aircraft is delivered, FAA maintains oversight responsibility to identify operational or maintenance difficulties. Under normal circumstances, safety deficiencies involving aircraft in operational use are addressed through the continued airworthiness process. That process involves FAA working with manufacturers and operators to identify safety deficiencies, approve fixes, and issue airworthiness directives ordering operators to address safety concerns through inspections, repairs, and/or replacements of faulty components. For electronic systems this might involve hardware replacements or software or firmware updates.

Figure 3. Aircraft Certifications

Source: CRS analysis of 14 CFR Subchapter C – Aircraft.

FAA oversees aircraft type certification for aircraft designed in the United States. Other regulatory entities oversee type certification for products designed in other countries. Notably, the European Union Aviation Safety Agency (EASA) oversees the type certification process for aircraft and aircraft products designed in EU member countries and in several other European countries.

The FAA's Aircraft Certification Service (AIR), which grants type certification approval, has a staff of about 1,330, mostly engineers and inspectors, who oversee product development phases, the manufacturing processes covered under production certification, and the airworthiness certification of all completed aircraft. FAA's aircraft certification workforce is augmented by FAA designees, employees from aircraft and aircraft component design and manufacturing organizations, and consultants who carry out certain certification functions, such as tests and inspections, on FAA's behalf. Delegation of certification functions to manufacturing employees and engineering consultants is a long-standing practice, but over the last decade FAA has established new regulations governing the manner in which it oversees and interacts with entities to which it has delegated some of these responsibilities (see "Delegation of FAA Certification Functions" below).

Once a type certificate is issued, it typically remains valid indefinitely. In rare cases a type certificate can be voluntarily surrendered, or it can be suspended or revoked by FAA.50 As technology advances, type-certified airplane designs are updated and amended or supplemental type certifications may be granted to address modifications of the aircraft. Whether a new type certificate is required or an amended type certificate will suffice is governed by 14 C.F.R §21.19, which leaves it up to FAA to determine whether the proposed change "is so extensive that a substantially complete investigation of compliance with the applicable regulations is required."

Type Certification History of the Boeing 737 and the 737 Max

The history of any type certificate can be found in the aircraft's type certificate data sheet. This document, published by FAA, provides details regarding the evolution of a particular aircraft type design. The Boeing 737, Type Certificate Number A16WE, received its initial type certification in December 1967.51 Over the years, the Boeing 737 type certification has gone through more than a dozen updates as new variants have been introduced to incorporate new technologies and new capabilities, and has been revised more than 60 times to reflect changes to the certification basis. All of those changes have been reviewed and approved by FAA and, in part, by its certification designees, principally Boeing and its employees.

The Boeing 737 has changed in significant ways over the five decades since it was first certified. While certification reviews were conducted when changes were made to the design of the aircraft, FAA has never required these variants to undergo a completely new type certification process. Since the grounding of the Boeing 737 Max, media coverage has questioned why this airplane design was able to be certified based on a 50-year-old type and what design compromises needed to be made to conform new technologies, including bigger, more powerful engines and updated flight control systems, in the context of the existing type certificate.52

The grounding of the Boeing 737 Max fleet has raised other questions about the type certification process, and in particular about the relationships between FAA and delegated entities from private industry performing certification work. Journalists have charged that certification work on the 737 Max was extensively delegated to Boeing employees and rushed because of pressures within Boeing to market the aircraft as a competitor to the Airbus A320 Neo, which entered service in early 2016.53

Addressing Pilot Training in the Context of Aircraft Certification

Whereas FAA's Air Certification Service is responsible for aircraft certification, the FAA Flight Standards Service54 prescribes the standards for aircraft operations and verifies that operators, such as airlines, meet those standards. For each aircraft type design, the Flight Standards Service sets up an aircraft evaluation group to determine required training and operational procedures.

Flight standardization boards are the functional elements of aircraft evaluation groups that deal specifically with the training and flight operational procedures of particular aircraft. A flight standardization board has primary responsibility for determining pilot training standards and requirements for a particular aircraft. This includes determinations regarding the requirement for a pilot to obtain an aircraft type rating, and minimum training recommendations and requirements for establishing initial flight crew member competency for the aircraft.

For variants of an existing aircraft type, the flight standardization board may develop Master Difference Requirements tables that outline the specific differences among the various aircraft covered by the type certification as well as similar aircraft produced by the manufacturer of that aircraft. These tables form the basis for evaluating an operator's differences training curriculum for pilots who transition from one variant of an aircraft type to another or between aircraft with similar characteristics. The tables specify the training needed to learn and understand the differences between related aircraft types. The FAA operations inspector assigned to a particular airline or operator may then use this, along with more detailed flight standardization board reports, as a guide for review and approval of an operator's proposed training plan.

FAA Advisory Circular 120-53B55 provides guidance to flight standardization boards on evaluating training requirements for newly manufactured or modified aircraft, including differences training requirements for pilots transitioning between similar aircraft or aircraft variants. The guidance sets standards for assessing proposed pilot training programs, delineating training resource and training device needs and available alternatives, and encourages manufacturers to include common characteristics in related aircraft. The advisory circular discusses the need to assure pilot understanding of differences between aircraft variants. It also instructs FAA inspectors how to evaluate each aircraft operator's application of flight standardization board recommendations in its training program, including evaluation of operational differences among aircraft in a mixed fleet and the effects of those differences on training needs.

Potential Controversies Related to the Boeing 737 Flight Standardization Board

On April 16, 2019, the Boeing 737 flight standardization board issued a draft report for public comment. Notably, the draft report documented findings regarding the aircraft's MCAS based on studies and reexaminations of the system following the Boeing 737 Max grounding; prior Boeing 737 flight standardization board reports had not included information on the MCAS system. The master difference requirements updates associated with the introduction of the Boeing 737 Max had specified only computer-based, oral, or written instruction and testing on other new features of the Boeing 737 Max, with no requirement for simulator or in-flight training or testing for Boeing 737 type-rated pilots to qualify to fly the Boeing 737 Max. FAA has required no training of any type pertaining to the MCAS.

The draft report included language mandating that training on the MCAS system be incorporated into ground training for initial, upgrade, transition, differences, and recurrent training for pilots. It specified that this training must include a description of the MCAS system, its functionality, associated failure conditions, and flight crew alerting. The draft report stated that this training could be provided in the form of aided instruction, such as tutorial computer-based instruction, and that required checking may be accomplished by self-tests administered during this computer-based instruction, or through oral or written exam. The draft report, however, did not call for any flight simulator or in-flight instruction or checking related to the MCAS system.

On April 17, 2019, one day after the draft report was released, Canada's Transport Minister, Marc Garneau, said he favored simulator training over computer-based instruction.56 However, at the present time Canadian transportation authorities have not determined whether they will require simulator training related to the MCAS system for Boeing 737 Max pilots. Nonetheless, media coverage suggested that Garneau's comments signaled a growing rift between the United States and Canada over appropriate steps to address Boeing 737 Max training and operations.57 It was also reported that Air Canada, the only airline in North America that had a 737 Max simulator on hand, had already incorporated MCAS scenarios into its simulator training,58 even though such training has not been specifically mandated by Transport Canada.

Once finalized, the Boeing 737 flight standardization board report will form the primary basis for establishing and approving U.S. air carrier training programs regarding the automated flight control features of the Boeing 737 Max, including transition training between the 737 Max and other 737 variants. Historically, other countries have generally followed FAA guidance in establishing training programs for U.S. manufactured aircraft, but the controversies surrounding the Boeing 737 Max grounding have raised questions as to whether other countries will indeed adopt FAA's training recommendations or whether they will insist on more stringent training requirements.

Additional controversy over the Boeing 737 Max flight standardization board emerged following a U.S. Office of Special Counsel finding that numerous FAA safety inspectors, including inspectors assigned to the operational review of the 737 Max, were not sufficiently qualified to carry out those duties and that FAA had provided misleading information regarding FAA inspector qualifications and training in response to congressional inquiries.59 FAA, however, has reasserted its position that all inspectors who participated in the Boeing 737 Max flight standardization board were fully qualified to do so.

The Role of Industry Consensus Standards

Industry advisory groups and standards organizations play important roles in setting industry norms, best practices, and consensus standards that form the basis for aircraft design and production certification. The development of consensus standards represents a significant facet of industry input into the manner in which aircraft and aircraft systems are designed and the criteria against which they are evaluated for certification purposes. In some cases, consensus standards might be incorporated by reference into regulatory requirements. In other cases they might be referenced as means of compliance with specific FAA regulations. Often they serve as a preferred means of compliance because they have been broadly endorsed by industry experts and represent the approaches that are most often pursued and most familiar to FAA regulators.

The International Organization for Standardization (ISO), an independent nongovernmental organization, is responsible for developing internationally accepted standards. ISO Technical Committee (TC) 20 is responsible for establishing international standards for air and space vehicles, including vehicle materials and components, as well as equipment used in servicing and maintaining aircraft and space vehicles.60

SAE International, initially established as the Society of Automotive Engineers, provides input from U.S. experts to ISO TC 20 technical advisory groups on matters pertaining to aircraft design. Within SAE, the Aerospace Council houses technical committees that address all facets of aircraft and aircraft systems design, including avionics, instruments, and flight controls. SAE Technical Committee S-7 addresses issues related to flight deck design and aircraft handling qualities for transport category aircraft. The work of the committee encompasses flight deck panels, controls, and displays; flight deck safety equipment; and flight control systems and their handling qualities.

Given the increased importance of software in the design and operation of modern aircraft, another important industry consensus group is the Forum for Aeronautical Software.61 The forum was formed under a partnership between RTCA, a nonprofit organization founded in 1935 as the Radio Technical Commission for Aeronautics, and EUROCAE, the European Organization for Civil Aviation Equipment. The forum has developed a number of key guidance documents pertaining to the development of aviation software, including DO-178C, which serves as the primary reference for designing and evaluating software-based flight control and avionics systems. FAA Advisory Circular 20-115D62 recognizes DO-178C as acceptable guidance for meeting the type certification requirements for software aspects of airborne systems and equipment. Manufacturers can pursue alternative means of compliance to meet type certification requirements, but most follow the DO-178C guidance or parallel documents that are used for certification compliance in Europe. The RTCA/EUROCAE guidance is recognized worldwide as an industry standard for developing and certifying software for airborne systems.

Industry Input into FAA Oversight and Rulemaking

Besides developing industry consensus standards, companies provide direct input to FAA rulemaking by acting in an advisory capacity to FAA advisory and rulemaking committees. Advisory groups are established under the terms of the Federal Advisory Committee Act (FACA), which sets the legal framework for committees, task forces, and working groups to assist executive-branch policymaking.63 The FAA Aviation Rulemaking Advisory Committee (ARAC) provides FAA with information, advice, and recommendations concerning rulemaking activities. Under the ARAC, FAA has developed numerous taskings related to air carrier operations and aircraft certification procedures since the 1990s.

The ARAC comprises representatives from aviation associations, aviation industry, public interest and advocacy groups, and foreign civil aviation authorities. Engineers employed by manufacturers, representatives of airlines and other operators, and pilots and mechanics representing various labor organizations participate in the ARAC and its working groups. FAA also convenes a number of rulemaking committees that are exempt from FACA requirements but generally must adhere to Administrative Procedures Act requirements in performing work related to rulemaking. FAA personnel carry out the administrative functions of these committees and the subcommittees and working groups formed under them.

Delegation of FAA Certification Functions

Congress has generally supported increased utilization of FAA's delegation and designation authorities in order to engage design and manufacturing organizations and their employees more directly in the aircraft certification process, often working as proxies for FAA and its aircraft certification inspector workforce. Nonetheless, legislative language in the 2012 FAA reauthorization (P.L. 112-95) and the 2018 FAA reauthorization (P.L. 115-254) has sought reviews of these practices to assess the efficiency and safety implications of these practices. FAA explains that because it does not have the resources to perform all the necessary certification activities and keep up with an expanding aviation industry, it must rely on delegating certain certification functions to qualified individuals and entities. FAA asserts that using designees for routine, well-established certification tasks allows it to focus its limited resources on safety-critical certification issues as well as new and novel technologies.64

Since the 1920s, federal aviation safety agencies have relied on private individuals to participate in examination, inspection, and testing of aircraft during the product certification process. In the 1940s, programs were established to appoint designees to perform certain product certification approvals. These included designated engineering representatives and designated manufacturing inspection representatives employed by aircraft, aircraft engine, and aircraft component manufacturers. In the 1980s, FAA established a designated airworthiness representative (DAR) program that expanded the role of individuals in performing airworthiness certification functions, and allowed organizations to serve as DARs under a program known as Organizational Designated Airworthiness Representatives (ODARs). These actions were taken under FAA's long-standing authority under 49 U.S.C. §44702(d), which allows for the delegation of activities related to aircraft type certification, production certification, and airworthiness certification, including examination, testing, and inspection necessary to issue a certificate, and certificate issuance to a private person. In this context, "person," as defined in 1 U.S.C. §1, includes corporations, companies, partnerships, and other business entities in addition to individuals.

FAA notes that "[w]hen acting as a representative of the Administrator, these persons or organizations are required to perform in a manner consistent with the policies, guidelines, and directives of the Administrator. When performing a delegated function, designees are legally distinct from and act independent of the organizations that employ them." Under 49 U.S.C. §44702(d), FAA has the authority to rescind a delegation issued to a private person at any time for any appropriate reason. Moreover, any person affected by the action of an entity delegated certain FAA certification functions may petition FAA for reconsideration, and FAA may, at its own initiative, consider the actions of a delegated entity at any time. If FAA determines that the delegated entity's actions are unreasonable or unwarranted, it may change, modify, or reverse them.

Organization Designation Authorization

FAA formally established the Organization Designation Authorization (ODA) program in 2005. This prompted a significant change in the manner in which FAA delegates its certification functions and the manner in which it oversees aircraft and aircraft systems certification activities. The ODA program serves as a formal framework under which FAA may delegate authority to organizations or companies, including aircraft manufacturers such as Boeing; engine manufacturers such as Pratt and Whitney, General Electric, and Rolls Royce; and avionics and flight control systems suppliers such as Honeywell and Collins Aerospace.65

Rulemaking Advisory Committee and Delegation of Certification Functions

In the 1990s, the Aircraft Certification Procedures Issues tasking for the Aviation Rulemaking Advisory Committee sought industry input regarding FAA's delegation of aircraft and aircraft system certification activities. In 1998, the Aviation Rulemaking Advisory Committee recommended that FAA establish Organization Designation Authorization (ODA), generally authorizing companies to conduct a broad array of delegated functions on behalf of FAA. The ARAC recommendation, similar to one issued by the Gore Commission two years earlier, was based on a draft developed by the Delegation Systems Working Group, which was chaired by a Boeing employee.66

Evolution of the ODA Program

Over the past 15 years, the ODA program has been expanded. Based on recommendations from the certification process committee and mandates from the 2012 FAA Modernization and Reform Act (P.L. 112-95), FAA adopted several initiatives for improving and expanding the ODA program. In a 2015 statement, the Government Accountability Office (GAO) observed that, while industry stakeholders favored expanding the ODA program, employee unions raised concerns that FAA lacked adequate resources to implement and oversee ODA expansion.67 However, two years later in March 2017, GAO reported that FAA had carried out its ODA action plan, launched an audit training initiative for personnel supervising ODA inspections, and had expanded delegation under ODA to authorize designees to approve instructions for continued airworthiness, emissions data, and noise certification.68 According to GAO, FAA, in collaboration with industry, had also developed an ODA scorecard to measure outcomes related to its ODA initiatives, including manufacturer compliance with standards set for delegated activities and FAA oversight.69

Following oversight hearings during the 115th Congress,70 Congress expressed general support for the ODA framework, but included in the FAA Reauthorization Act of 2018 (P.L. 115-254) extensive language directing FAA to further improve the efficiency and effectiveness of the ODA program, expanding upon the reform efforts that were initiated in part by provisions in the 2012 FAA reauthorization act. While policymakers have had a long-standing interest in certification reforms under the ODA framework, following the Boeing 737 Max grounding and crashes, FAA certification oversight and the ODA program specifically have been brought into the public spotlight. In some instances, journalists have characterized the ODA process as a mechanism for aircraft and aircraft component manufacturers to "self-certify" that their products meet applicable safety regulations and certification standards,71 a view that FAA officials say grossly distorts how the program was designed and how it functions in practice.72

Aircraft Certification Reforms

In response to the mandates in the 2012 law, P.L. 112-95, FAA chartered two aviation rulemaking committees, one to address certification processes and the other to examine regulatory consistency. Among the recommendations set forth by the Certification Process Committee was expanding delegation under ODA to include processes for certifying aircraft noise and emissions and for approving instructions regarding continued airworthiness of delivered aircraft. The recommendations also included initiatives to address FAA tracking of certification activities, updating certification regulations, and improving consistency of regulatory interpretations.

The 2018 FAA act, P.L. 115-254, mandated a number of aircraft certification reforms. The law directed FAA to establish an advisory committee, the Safety Oversight and Certification Advisory Committee, to develop policy recommendations for the aircraft certification process and for FAA safety oversight of certification activities. It also directed FAA to establish performance objectives and metrics for aircraft certification that both streamline the certification process and increase transparency and accountability for both FAA and the aviation industry. Among these objectives, the law seeks full utilization of FAA's delegation and designation authorities as well as full implementation of risk management principles and a systems safety approach.

Following the Boeing 737 Max grounding, however, FAA's delegation and designation authorities in particular have come under scrutiny. Lawmakers have also questioned certain aircraft manufacturing practices and, in particular, have sought to curtail a perceived practice of marketing certain aircraft safety enhancements and features as options available at additional cost. Notably, the Safety is Not for Sale Act of 2019 (S. 1178), introduced by Senator Markey, would require aircraft manufacturers to include certain nonrequired safety-enhancing equipment at no additional charge in the sale of new aircraft to U.S. air carriers. Equipment included under this proposal would include attitude indicators, traffic alerting systems, terrain advisories and warnings, weather advisories, aircraft configuration advisories, supplemental cockpit indicators, enhancements that improve aircraft crashworthiness, monitoring and detection systems, aircraft stability and control enhancements or alerts, and fire extinguishing systems. The legislation also would require FAA to establish performance standards for angle-of-attack indicators, angle-of-attack disagree alerts, and backup fire suppression systems for airliners.

Interrelationships Between FAA and the Aerospace Industry

The interrelationships between FAA and manufacturers are complex and extend well beyond delegation of certification functions and the ODA program (see Table 2). In the case of manufacturers, companies like Boeing exert considerable influence over the development of industry standards as well as influencing regulatory changes through participation in standards organization committees and FAA advisory and rulemaking committees. Additionally, through delegation authority and the ODA program, manufacturers and their employees carry out certain certification functions on behalf of FAA. Through these channels, manufacturers can offer their knowledge and expertise to the safety regulation and certification processes. While FAA retains oversight of all of these activities, the perception of industry "self-regulation" may reflect broader concerns about FAA capabilities and resources to conduct adequate oversight of the certification process and related standards development activities and industry practices.

Table 2. Summary of Aircraft Manufacturer Roles Related to Standards, Regulations, and Certification

Activity

Description

Standards Development

Participation on committees and working groups of various national and international standards organizations responsible for setting industry standards for aircraft and aircraft systems design.

Advisory and Rulemaking Committees

Participation on advisory and rulemaking committees established to inform FAA of industry and stakeholder positions on regulatory and oversight matters and to develop consensus recommendations regarding FAA policies, regulations, and oversight.

Delegated Certification Activities

Carrying out certain delegated functions related to design, production, and airworthiness certification of aircraft and aircraft parts on behalf of FAA.

Source: CRS analysis.

International Coordination on Certification and Training Oversight

Under international air safety agreements and a framework set forth by ICAO, other countries generally accept the airworthiness determinations of and the safety certifications issued by FAA for aircraft, aircraft engines, and other aircraft components designed or manufactured in the United States. These agreements are usually reciprocal: FAA typically accepts similar determinations made by its overseas counterparts for aviation products developed outside the United States.

Because Boeing, based in Chicago, and Airbus, based in Toulouse, France, jointly control a large majority of worldwide sales of commercial passenger jets, FAA and the European Union Aviation Safety Agency (EASA) fulfill important roles in certifying passenger airliners operated worldwide. FAA generally accepts EASA certification of commercial aircraft manufactured by Airbus, and, reciprocally, European countries under EASA accept FAA certification of U.S.-manufactured aircraft, such as those built by Boeing. While the two regulatory agencies, like the industry giants that they regulate, generally cooperate on safety matters, they sometimes hold differing views regarding safety design. Following the Boeing 737 Max grounding, some international groups and observers have questioned FAA's certification processes and its extensive use of designees to conduct certification work,73 although similar programs are in place in Europe.74 FAA, EASA, and other civil aviation oversight entities have working arrangements with respect to each other's certification and safety oversight activities.75 For example, FAA might insist on certain additional testing or engineering evaluations to demonstrate safety of a modification to an aircraft design type certified by EASA. In such an instance, FAA would negotiate with EASA and the developer to specify the details of the additional testing and engineering analysis and, if agreed to, may send observers to witness tests and review engineering work.

The continuing controversy surrounding the Boeing 737 Max is testing these international arrangements. Aviation authorities in other countries might insist on design fixes, inspections and validation tests, and documentation and training different from what FAA agrees to before allowing airlines to resume Boeing 737 Max operations. While the multinational Joint Authorities Technical Review (JATR) was formed to develop international consensus on these matters, differing views among major international aviation safety organizations could have significant implications for how these agencies cooperate moving forward, both on review of the Boeing 737 Max and on future aircraft certification activities. EASA has already insisted on an independent review of proposed design changes to the Boeing 737 Max, and if its conclusions differ significantly from those of FAA, evidence of a schism between key international regulators could create further uncertainty for both aircraft manufacturers and operators.76

There is less international coordination in regulating pilot qualifications. In the United States, pilots must hold an Airline Transport Pilot (ATP) certification to be hired by an airline. This certification usually requires 1,500 hours of total flight time to attain. In contrast, some foreign airlines hire individuals with little or no experience through ab initio programs that provide training to become an airline pilot. Under these programs, pilots can begin flying as first officers once they receive a commercial pilot certification that can be attained with around 250 hours of total flight time, and it is not unusual for entry-level first officers to have only a few hundred hours of total flight experience. Although the captain of Ethiopian Airlines flight 302 had more than 8,000 hours of total flight experience, the flight's first officer had less than 400.77

Questions concerning pilot experience have significant implications for how aircraft manufacturers address pilot interface design issues and training requirements for highly automated jet airplanes. If even experienced pilots might struggle to understand information presented to them and maneuver the airplane to expected professional standards when faced with a non-normal condition or emergency situation, pilots with limited experience may lack the training to handle potential failure scenarios. A central consideration in designing cockpits and cockpit procedures is how much detailed systems information pilots should be given to handle possible in-flight failures. On one end of the spectrum, some aircraft designers might argue that pilots can get by mainly with just procedural knowledge of the actions to take when faced with an urgent situation or event. On the other end of the spectrum, some aviation safety experts advocate providing pilots with more thorough knowledge of aircraft systems, particularly critical flight control systems, to help them make better-informed choices when working through a novel event or condition. This debate has important implications for how automated cockpit systems are developed and the training pilots receive.

ICAO sets general training and licensing standards for pilots internationally, but it is up to individual countries to set formal requirements for their pilots.78 The strong demand for airline pilots in countries where air travel is growing rapidly has resulted in some airlines hiring pilots without extensive training and experience to operate revenue passenger flights. In general, international standards for multi-crew and commercial pilot licenses call for a minimum of 240 flight hours of experience, much lower than the 1,500 now required to fly for an airline in the United States. Economic factors make it unlikely that requirements and standards similar to those applicable to U.S. pilots will be implemented worldwide in the near future. While FAA has some limited regulatory authority over airlines that fly into the United States, it does not have minimum pilot experience requirements for foreign flight crews and defers to the country of aircraft registry in these matters. FAA also has limited influence over aircraft-specific training requirements of countries whose airlines purchase airplanes from Boeing and other U.S. manufacturers. Nonetheless, FAA has asserted its position that foreign pilots have become too dependent on cockpit automation. FAA has urged ICAO to address perceived pilot training deficiencies and recommended that ICAO update standards and guidance to include additional training to prepare airline pilots to operate aircraft manually when automated systems fail.79

Appendix A. U.S. Air Carrier Accidents in the 1990s Involving Passenger Fatalities

During the 1990s there was a spate of U.S. air carrier accidents including several fatal crashes involving passenger flights:

  • the February 1, 1991, runway collision between USAir flight 1493, a Boeing 737, and Skywest Airlines flight 5569, a commuter turboprop, at Los Angeles International Airport;
  • the March 3, 1991, crash of United Airlines flight 585, a Boeing 737, on approach to Colorado Springs, CO;
  • the April 5, 1991, crash of an Atlantic Southeast Airlines turboprop on approach to Brunswick, GA;
  • the January 3, 1992, crash of a CommutAir turboprop on approach to Saranac Lake, NY;
  • the March 22, 1992, crash of USAir flight 405, a Fokker F28 jet, taking off from LaGuardia Airport in New York, NY;
  • the June 7, 1992, crash of American Eagle flight 5456, a turboprop on approach to Mayaguez, Puerto Rico;
  • the June 8, 1992, crash of a GP Express turboprop on approach to Anniston, AL;
  • the December 1, 1993, crash of Northwest Airlink flight 5719, a turboprop on approach to Chisolm-Hibbing, MN;
  • the January 7, 1994, crash of United Express flight 6291, a turboprop on approach to Columbus, OH;
  • the July 2, 1994, crash of USAir flight 1016, a McDonnell Douglas DC-9 on approach to Charlotte, NC;
  • the September 8, 1994, crash of USAir flight 427, a Boeing 737 on approach to Pittsburgh, PA;
  • the October 31, 1994, crash of American Eagle flight 4184, an ATR 72 turboprop, near Roselawn, IN;
  • the August 21, 1995, crash of an Atlantic Southeast Airlines turboprop near Carrollton, GA;
  • the December 20, 1995, crash of American Airlines flight 965, a Boeing 757, on descent into Cali, Colombia;
  • the May 11, 1996, crash of ValuJet flight 592, a McDonnell Douglas DC-9, in the Florida Everglades after departing from Miami International Airport;
  • the July 6, 1996, uncontained engine failure aboard Delta Airlines flight 1288, a McDonnell Douglas MD-88, during takeoff at Pensacola, FL;
  • the July 17, 1996, crash of TWA flight 800, a Boeing 747, shortly after departure from John F. Kennedy International Airport in New York, NY;
  • the November 19, 1996 runway collision between United Express flight 5925, a turboprop and a privately owned turboprop at Quincy Regional Airport, IL;
  • the January 9, 1997 crash of Comair flight 3272 near Ida, MI, en route from Cincinnati, OH, to Detroit, MI; and
  • the June 1, 1999, crash of American Airlines flight 1420, a McDonnell Douglas MD-82 landing at Little Rock, AR.

Author Contact Information

Bart Elias, Specialist in Aviation Policy ([email address scrubbed], [phone number scrubbed])

Footnotes

1.

By regulation, the transport category of airplanes includes all multiengine airplanes designed with 19 or more seats or having a maximum takeoff weight greater than 19,000 pounds (see https://www.faa.gov/aircraft/air_cert/design_approvals/transport/). Prior to 2016, the transport category encompassed all airplanes with a maximum takeoff weight greater than 12,500 pounds or having 10 or more passenger seats. Smaller aircraft may be certified by FAA as transport category aircraft if the designer or manufacturer seeks such certification.

2.

Boeing, Statistical Summary of Commercial Jet Airplane Accidents, Worldwide Operations, 1959-2017, https://www.boeing.com/resources/boeingdotcom/company/about_bca/pdf/statsum.pdf.

3.

White House Commission on Aviation Safety and Security, Vice President Al Gore, Chairman, Final Report to President Clinton, February 12, 1997.

4.

Ibid.

5.

Ibid.

6.

The regional airline industry primarily supplements mainline air carrier service through code-sharing agreements to provide domestic air service between small and midsized airports and larger hub airports.

7.

See Aviation Safety Network, Fatal Accidents Per Million Fights, 1977-2017, https://aviation-safety.net/graphics/infographics/Fatal-Accidents-Per-Mln-Flights-1977-2017.jpg.

8.

International Air Transport Association (IATA), Safety Report 2018, Edition 55, April 1, 2019, https://www.iata.org/publications/Pages/safety-report.aspx.

9.

International Civil Aviation Organization (ICAO), State of Global Aviation Safety: ICAO Safety Report 2019 Edition, https://www.icao.int/safety/Documents/ICAO_SR_2019_29082019.pdf.

10.

International Air Transport Association (IATA), Safety Report 2018, Edition 55, April 1, 2019, https://www.iata.org/publications/Pages/safety-report.aspx.

11.

Ibid.

12.

For an overview of modern flight deck automation see Stephen M. Casner, The Pilot's Guide to the Modern Airline Cockpit (Ames, IA: Iowa State University Press, 2001).

13.

Boeing, Statistical Summary of Commercial Jet Airplane Accidents, Worldwide Operations, 1959-2017, https://www.boeing.com/resources/boeingdotcom/company/about_bca/pdf/statsum.pdf.

14.

An aircraft's attitude refers to its orientation relative to the horizon or horizontal plane of gravitational force acting on the aircraft.

15.

For an overview of flight envelope protections and flight control laws, see SKYbrary, Flight Control Laws, https://www.skybrary.aero/index.php/Flight_Control_Laws.

16.

See, e.g., Commercial Aviation Safety Team, Safety Enhancement 30, Revision-5: "Mode Awareness and Energy State Management Aspects of Flight Deck Automation," Final Report, August 2008, https://www.cast-safety.org/pdf/cast_automation_aug08.pdf.

17.

According to the Human Factors and Ergonomics Society, human factors is described as the scientific discipline concerned with understanding interactions among humans and other elements of a system and the application of scientific knowledge and theory about human abilities to optimize human well-being and overall system performance (see https://www.hfes.org/about-hfes/what-is-human-factorsergonomics).

18.

Federal Aviation Administration, Federal Aviation Administration Human Factors Team Report on: The Interfaces Between Flightcrews and Modern Flight Deck Systems, June 18, 1996, http://www.tc.faa.gov/its/worldpac/techrpt/hffaces.pdf.

19.

Federal Aviation Administration, "Safety Standards for Flight Guidance Systems," 71 Federal Register 18183-18192, April 11, 2006.

20.

Bureau d'Enquêtes et d'Analyses pour la Sécurité de l'Aviation Civile, Final Report on the Accident on 1st June 2009 to the Airbus A330-203, Registered F-GZCP, Operated by Air France, Flight AF 447, Rio de Janeiro – Paris, July 2012, https://www.bea.aero/docspa/2009/f-cp090601.en/pdf/f-cp090601.en.pdf.

21.

See William Langwiesche, "The Human Factor: Should Airplanes Be Flying Themselves?," Vanity Fair, October 2014, https://www.vanityfair.com/news/business/2014/10/air-france-flight-447-crash; Roman Mars, "Air France Flight 447 and the Safety Paradox of Automated Cockpits," 99% Invisible, Slate, June 25, 2015, http://www.slate.com/blogs/the_eye/2015/06/25/air_france_flight_447_and_the_safety_paradox_of_airline_automation_on_99.html.

22.

National Transportation Safety Board, Descent Below Visual Glidepath and Impact With Seawall, Asiana Airlines Flight 214, Boeing 777-200ER, HL7742, San Francisco, California, July 6, 2013, Accident Report NTSB/AAR-14/01, June 24, 2014, https://www.ntsb.gov/investigations/AccidentReports/Reports/AAR1401.pdf.

23.

Komite Nasional Keselamatan Transportasi, Republic of Indonesia, Preliminary KNKT.18.10.34.04, Aircraft Accident Investigation Report, PT. Lion Mentari Airlines Boeing 737-8 (MAX); PK-LQP, Tanjung Karawang, West Java, Republic of Indonesia, 29 October 2018, November 2018, https://reports.aviation-safety.net/2018/20181029-0_B38M_PK-LQP_PRELIMINARY.pdf.

24.

Federated Democratic Republic of Ethiopia, Ministry of Transport, Aircraft Accident Investigation Bureau, Aircraft Accident Investigation Preliminary Report, Ethiopian Airlines Group, B737-8 Max, Registered ET-AVJ, 28 NM South East of Addis Ababa, Bole International Airport, March 10, 2019, Report No. AI-01/19, http://www.ecaa.gov.et/documents/20435/0/Preliminary+Report+B737-800MAX+%2C%28ET-AVJ%29.pdf.

25.

Federal Aviation Administration, Emergency Order of Prohibition, Operators of Boeing Company Model 737-8 and Boeing Company Model 737-9 Airplanes, March 13, 2019, https://www.faa.gov/news/updates/media/Emergency_Order.pdf.

26.

Angle-of-attack refers to a measure of the angle of the airplane's wing in relation to the relative wind along the path of travel. It differs from aircraft pitch, which refers to the angle of the wing in relation to the horizon.

27.

An aerodynamic stall refers to a condition in which the angle-of-attack is so great that air cannot flow smoothly over the upper surface of the wing and generate lift.

28.

Andrew Tangel, Andy Pasztor, and Mare Maremont, "The Four-Second Catastrophe: How Boeing Doomed the 737 MAX," Wall Street Journal, August 16, 2019.

29.

Rob Mark, "FAA Issues Emergency Airworthiness Directive Against Boeing 737 Max 8," Flying, November 7, 2018, https://www.flyingmag.com/faa-emergency-airworthiness-directive-boeing-737-max-8/.

30.

Federal Aviation Administration, "Airworthiness Directives; The Boeing Company Airplanes," 83 Federal Register 62697, December 6, 2018.

31.

Testimony of Captain Daniel F. Carey, President, Allied Pilots Association, before the House Subcommittee on Aviation, Committee on Transportation and Infrastructure, Hearing on: Status of the Boeing 737 MAX: Stakeholder Perspectives, June 19, 2019, https://transportation.house.gov/imo/media/doc/CA%20Carey%20Hearing%20testimony%20.pdf.

32.

Ibid.; Christopher Watkins and Randy Walter, "Transitioning From Federated Avionics Architectures to Integrated Modular Avionics, IEEE/AIAA 26th Digital Avionics Systems Conference, October 21-25, 2007, https://ieeexplore.ieee.org/document/4391842.

33.

Fred George, "Pilots Say MCAS Software Updates Prove Effective in Simulator Demo," Aviation Week and Space Technology, April 22-May 5, 2019, pp. 16-18.

34.

Ibid.

35.

Federal Aviation Administration, FAA Statement, June, 26, 2019, FAA Updates on Boeing 737 MAX, https://www.faa.gov/news/updates/?newsId=93206&omniRss=news_updatesAoc&cid=101_N_U.

36.

Federal Aviation Administration, FAA Updates on the Boeing 737 MAX, https://www.faa.gov/news/updates/?newsId=93206.

37.

Andrew Tangel, Andy Pasztor, and Robert Wall, "Prosecutors, Transportation Department Scrutinize Development of Boeing's 737 MAX," Wall Street Journal, March 18, 2019, https://www.wsj.com/articles/faas-737-max-approval-is-probed-11552868400.

38.

Steve Miletich, "DOJ Probe Expands Beyond Boeing 737 MAX, Includes 787 Dreamliner," Seattle Times, June 28, 2019, https://www.seattletimes.com/business/boeing-aerospace/federal-prosecutors-issue-subpoena-for-boeing-787-dreamliner-records/.

39.

National Transportation Safety Board, "NTSB Issues Recommendations on Certification of Lithium-Ion Batteries and Emerging Technologies," May 22, 2014.

40.

National Transportation Safety Board, Safety Recommendation Report: Assumptions Used in the Safety Assessment Process and the Effects of Multiple Alerts and Indications on Pilot Performance, September 19, 2019, https://www.ntsb.gov/investigations/AccidentReports/Reports/ASR1901.pdf.

41.

Shigeru Imai, Erik Blasch, Alessando Galli, Wennan Zhu, Frederick Lee, and Carlos A. Varela, "Airplane Flight Safety Using Error-Tolerant Data Stream Processing," IEEE Aerospace and Electronic Systems Magazine, vol. 32, no. 4, April 2017, pp. 4-17.

42.

Carlos Varela, "Too Many Airplane Systems Rely on Too Few Sensors," International Business Times, April 9, 2019, https://www.ibtimes.com/too-many-airplane-systems-rely-too-few-sensors-2784148.

43.

Michael Gillen, "Diminishing Skills?," Aero Safety World, July 2010, pp. 30-34.

44.

"Increased Reliance on Automation May Weaken Pilots' Skills for Managing Systems Failures," Flight Safety Foundation Human Factors & Aviation Medicine, vol. 55, no. 2, March-April 2005.

45.

Hemant Bhana, "Trust but Verify," Air Safety World, July 2010.

46.

Department of Transportation, Office of Inspector General, Audit Report: Enhanced FAA Oversight Could Reduce Hazards Associated With Increased Use of Flight Deck Automation, AV-2016-013, January 7, 2016, https://www.oig.dot.gov/sites/default/files/FAA%20Flight%20Decek%20Automation_Final%20Report%5E1-7-16.pdf.

47.

See Air Carrier Training Aviation Rulemaking Committee (ACT ARC) Products, https://www.faa.gov/regulations_policies/rulemaking/committees/documents/index.cfm/document/information/documentID/3182.

48.

See 14 CFR Part 21, Subpart B – Type Certificates.

49.

https://www.faa.gov/about/office_org/headquarters_offices/avs/offices/air/.

50.

See 14 C.F.R. §21.51.

51.

Department of Transportation, Federal Aviation Administration, Type Certificate Data Sheet A16WE (Revision 6), October 10, 2018, http://www.airweb.faa.gov/Regulatory_and_Guidance_Library/rgMakeModel.nsf/0/179cdacd213801658625832a006b2e37/$FILE/A16WE_Rev_64.pdf.

52.

See, e.g., Jack Nicas and Julie Creswell, "Boeing's 737 Max: 1960s Design; 1990s Computing Power and Paper Manuals," New York Times, April 8, 2019, https://www.nytimes.com/2019/04/08/business/boeing-737-max-.html; Jeremy Bogaisky, "Should Boeing Have Replaced the 737 Instead of Re-engining It?, Forbes, March 15, 2019, https://www.forbes.com/sites/jeremybogaisky/2019/03/15/should-boeing-have-replaced-the-737-instead-of-re-engining-it/#36999dd10618.

53.

See, e.g., John Cassidy, "How Did the FAA Allow the Boeing 737 Max To Fly?," The New Yorker, March 18, 2018, https://www.newyorker.com/news/our-columnists/how-did-the-faa-allow-the-boeing-737-max-to-fly; Dominic Gates, "Flawed Analysis, Failed Oversight: How Boeing, FAA Certified the Suspect 737 MAX Flight Control System," The Seattle Times, March 17, 2019, https://www.seattletimes.com/business/boeing-aerospace/failed-certification-faa-missed-safety-issues-in-the-737-max-system-implicated-in-the-lion-air-crash/.

54.

See https://www.faa.gov/about/office_org/headquarters_offices/avs/offices/afx/.

55.

Federal Aviation Administration, Advisory Circular: Guidance for Conducting and Use of Flight Standardization Board Evaluations, AC No.: 120-53B, Change 1, October 24, 2016, http://rgl.faa.gov/regulatory_and_guidance_library/rgadvisorycircular.nsf/8ce3f88c034ae31a85256981007848e7/73c2d4ffcdd33ca986257c1b00533848/$FILE/AC_120-53B_CHG_1_incorporated.pdf.

56.

Alan Levin, "Canada, Disregarding FAA, Insists on Simulator Training for 737," Bloomberg, April 17, 2019, https://www.bloomberg.com/news/articles/2019-04-17/canada-disregarding-faa-insists-on-simulator-training-for-737.

57.

See, e.g., Andy Pasztor and Kim Mackrael, "U.S.-Canada Rift Widens over Training for Boeing 737 MAX Pilots," Wall Street Journal, April 18, 2019.

58.

Ibid.

59.

U.S. Office of Special Counsel, Whistleblower Reveals FAA Safety Inspectors Lacked Sufficient Training to Certify Airline Pilots, September 24, 2019, https://osc.gov/News/Pages/19-18-FAA-Inspectors-Training.aspx.

60.

See https://committee.iso.org/home/tc20/.

61.

See https://www.rtca.org/content/forum-aeronautical-software.

62.

Federal Aviation Administration, Airborne Software Development Assurance Using EUROCAE ED-12( ) and RTCA DO-178 ( ), Advisory Circular 20-115D, July 21, 2017.

63.

See CRS Report R44253, Federal Advisory Committees: An Introduction and Overview, by Meghan M. Stuessy.

64.

Federal Aviation Administration, About the FAA Designee Program, https://www.faa.gov/other_visit/aviation_industry/designees_delegations/about/#q2.

65.

A complete listing of ODA certificate holders can be found at https://www.faa.gov/other_visit/aviation_industry/designees_delegations/designee_types/media/odadirectory.pdf.

66.

Federal Aviation Administration, Aviation Rulemaking Advisory Committee, Aircraft Certification Procedures Issue Area, Delegation Systems Working Group, Task 1 – Delegation Functions, March 29, 1993-September 14, 1998, https://www.faa.gov/regulations_policies/rulemaking/committees/documents/index.cfm/document/information/documentID/486.

67.

U.S. Government Accountability Office, Aviation Certification: Issues Related to Domestic and Foreign Approval of U.S. Aviation Products, GAO-15/550T, April 21, 2015.

68.

U.S. Government Accountability Office, Aviation Certification: FAA Has Made Continued Progress in Improving Its Processes for U.S. Aviation Products, GAO-1-508T, March 23, 2017.

69.

Ibid.

70.

See Building a 21st-Century Infrastructure for America: State of American Aviation Manufacturing, (115-2) Hearing Before the Subcommittee on Aviation of the Committee on Transportation and Infrastructure, House of Representatives, February 15, 2017, https://www.govinfo.gov/content/pkg/CHRG-115hhrg24210/pdf/CHRG-115hhrg24210.pdf; FAA Reauthorization: Perspectives on Improving Airport Infrastructure and Aviation Manufacturing, Hearing Before the Subcommittee on Aviation Operations, Safety, and Security, Committee on Commerce, Science, and Transportation, United States Senate, Senate Hearing 115-64, March 23, 2017, https://www.govinfo.gov/content/pkg/CHRG-115shrg26596/pdf/CHRG-115shrg26596.pdf.

71.

See, e.g., Aaron C. Davis and Marina Lopes, "How the FAA Allows Jetmakers to 'Self Certify' That Planes Meet U.S. Safety Requirements," Washington Post, March 15, 2019, https://www.washingtonpost.com/investigations/how-the-faa-allows-jetmakers-to-self-certify-that-planes-meet-us-safety-requirements/2019/03/15/96d24d4a-46e6-11e9-90f0-0ccfeec87a61_story.html?noredirect=on.

72.

See Woodrow Bellamy III, "FAA Officials Refute Criticism of Certification Process for 737 MAX," Avionics International, August 1, 2019, https://www.aviationtoday.com/2019/08/01/faa-officials-refute-criticism-certification-process-737-max/.

73.

See, e.g., Josh Spero and Patti Waldmeir, "European Pilots Body Criticises 'Flawed' 737 Max Certification," Financial Times, May 23, 2019, https://www.ft.com/content/9abe75e8-7d49-11e9-81d2-f785092ab560.

74.

See European Union Aviation Safety Agency, Design Organisations Approvals, https://www.easa.europa.eu/easa-and-you/aircraft-products/design-organisations/design-organisations-approvals.

75.

See https://www.faa.gov/aircraft/air_cert/international/.

76.

"Aviation's CEOs Warn of U.S.-Europe Split on Boeing Max Return," Crain's Chicago Business, September 6, 2019, https://www.chicagobusiness.com/manufacturing/aviation-ceos-warn-us-europe-split-boeing-max-return.

77.

Chris Woodyard, "Boeing 737 Max Crash: Did Foreign Pilots Have Enough Training to Fly Commercial Jets?," USA Today, July 6, 2019, https://www.usatoday.com/story/news/nation/2019/07/06/boeing-737-max-crash-grounded-problems-flight-training-pilots-faa/1641781001/.

78.

See https://www.icao.int/safety/airnavigation/Pages/peltrgFAQ.aspx.

79.

"FAA Urges ICAO to Address Erosion of 'Manual' Piloting Skills," Flight Global, September 25, 2019, https://www.flightglobal.com/news/articles/faa-urges-icao-to-address-erosion-of-manual-piloti-461057/.