The air transportation system in the United States is safer than comparable modes of public transportation. For major airlines (i.e., air carriers operating under Part 121 of the Federal Aviation Regulations [FARs]), the average number of fatalities per 100 million passenger miles is about 0.7, compared to about 1.8 for automobiles, about 11 for intercity buses, and about 17 for trains (BTS 1998a, 1998b, 1998c, 1998d; NHTSA, 1996). In terms of safety, travel on major airlines within the U.S. is matched only by travel on major airlines in other highly developed countries. Nevertheless, fatal accidents are always tragic, and complacency on the part of the FAA or industry is not an appropriate response. In fact, the FAA has already established a strategic goal of zero accidents.
The Federal Aviation Administration (FAA) plays a major role in promoting aviation safety.1 However, the FAA will face several important challenges in the future. If the aircraft accident rate remains constant or slowly decreases, the annual number of accidents will swell as the number of flights increases to meet consumer demands. The public has the right to expect high levels of safety, and it is incumbent upon industry and the FAA to improve the effectiveness of their safety programs. In part, this means reacting to major accidents by taking aggressive action to prevent similar accidents, but without detracting from ongoing safety programs to address other risks.
Almost all aircraft accidents are caused by a chain of events, the elimination of any one of which could have prevented the accident. The most common link in these chains involves human factors (pilots, air traffic controllers, maintenance crews, etc.). However, in some cases, one or more links in the accident chain are associated with the design of the aircraft. Either a design deficiency results in an equipment malfunction that leads to an accident, or a design enhancement could have prevented an unexpected event from resulting in an accident.
The FAA's Aircraft Certification Service (AIR)2 is responsible for promoting the safety of new aircraft by certifying that they meet established safety standards. Certification includes type certificates (certification of all-new aircraft designs), amended type certificates (certification of derivative aircraft designs based on previously certificated products), production certificates (certification of a manufacturer's ability to produce aircraft in conformance with a certificated design), and airworthiness certificates (certification of the airworthiness of each newly manufactured aircraft). AIR also promotes the continued airworthiness of existing aircraft by mandating modifications when operating experience indicates the presence of a real or potential hazard.3
As part of the FAA's efforts to improve aviation safety, AIR chartered the National Research Council to examine safety-related elements of the certification and continued air-worthiness process and to recommend an approach to improve AIR's risk evaluation and risk management. In response, the National Research Council's Aeronautics and Space Engineering Board formed the Committee on Aircraft Certification Safety Management. This report is the result of the study conducted by that committee. A complete list of the committee's findings and recommendations appears in Appendix A.
The study statement of task required that the National Research Council conduct an independent study that would accomplish the following goals:
Throughout this report, the word "promote" is often used to describe the FAA's role with regard to safety. As directed by legislation and Supreme Court rulings, the FAA promotes safety by overseeing industry activities. Every aircraft manufacturer, operator, repair facility, etc., is individually responsible for ensuring safety by providing products and services that are safe and comply with regulatory standards (see Chapter 2).
"AIR" is the designator used by the Federal Aviation Administration for the Aircraft Certification Service.
Develop an understanding of the most common causes of accidents and incidents encountered by civil aircraft (i.e., large transports, small airplanes, and rotorcraft) and determine whether these causes are related to the aircraft certification process, with special emphasis on the continued airworthiness of aircraft. Base the inquiry on available data from industry, investigative organizations, and regulatory agencies; and include factors such as manufacturing standards and airworthiness directives. Consider accidents and incidents in the last 10 years, at a minimum. More importantly, consider how accidents can be prevented in the next 10 years.
Develop an understanding of the ability of the current aircraft certification process to identify three kinds of risks: well quantified risks, qualitatively understood risks, and latent risks.
Develop an understanding of the risk assessment methodologies used by a representative set of manufacturers of aircraft and aircraft systems.
Define the key elements of a top-level aircraft certification safety management process that could reduce the risk of accidents in the next 10 years. Take into consideration expected changes in the commercial aircraft fleet, as well as the operational and economic effects of changes to the U.S. certification process on the aviation manufacturing industry, aircraft owners and operators, flight crews, and regulatory agencies in the United States and abroad.
Identify the elements of the recommended safety management process that are applicable to civil transport airplanes and describe how the process should be modified for other types of aircraft (i.e., small airplanes and rotorcraft).
Define potential barriers to implementing the recommended safety management process and how they might be overcome.
Define a strategy for assessing the effects of the recommended safety management process.
The vast majority of aircraft that will be operated in the next 10 years either have already been manufactured or will be manufactured to already certificated designs. Changes in the standards for certification are typically based on lessons learned from the continued airworthiness process. Therefore, the committee focused on continued airworthiness issues (i.e., the airworthiness directive system and AIR's role in establishing new or amended rules for aircraft design certification). The scope of this study did not include other safety-related topics, such as the process used by the FAA's Flight Standards Service to monitor compliance with airworthiness directives; the role of individual offices within the FAA; administrative procedures; training of flight crews; ground-based air traffic management systems; flight operating procedures; or the certification and monitoring of pilots, air car-tiers, maintenance facilities, etc. (which are the responsibility of the Flight Standards Service).
STUDY PROCESS AND APPROACH
The members of the Committee on Aircraft Certification Safety Management had expertise in aircraft design, manufacture, operations, maintenance, and certification; aviation safety; accident investigation; and risk management. Biographical sketches of committee members appear in Appendix B.
To accomplish its task, the full committee met five times for discussions with personnel from regulatory agencies, manufacturers, operators, and pilots and for private deliberations. Small groups of committee members conducted additional fact-finding trips to meet with representatives of the rotorcraft industry, the European Joint Aviation Authorities (JAA), and various organizations in Washington, D.C. Participants in these meetings are listed in Appendix C. The committee collected, reviewed, and discussed a great deal of information provided by the FAA and industry, including information on the FAA's Safety Performance Analysis System, National Aviation Safety Management Program, and the Aviation Safety Initiative Review.
To fulfill its charge, the committee had to come to grips with the interactions among flight safety, certification, and the application of new technology. These three elements can be unsnarled by understanding the role of the regulatory authority. Regulations generally do not stipulate how certification standards should be met. In part, this is because design processes typically do not lead to a single "best" solution to meet a given set of certification standards. However, writing effective regulations that focus on the characteristics of systems and aircraft instead of specific design procedures can be difficult unless the state of the art is well understood. Maintaining a high level of understanding is a constant challenge for engineers in many disciplines; it is especially challenging for personnel, such as FAA regulators, who generally are not directly involved in research and technology development.
As the air transportation system evolves and public use of the system increases, the perception of risk by the public, industry, and government also evolves. In preparing this report, the committee has attempted to define a practical approach that will facilitate an orderly evolution of standards and procedures and will be consistent with public expectations and the technical capabilities of both the FAA and the aircraft industry.
This report often refers to the three major participants in the aircraft certification and continued airworthiness process: manufacturers, operators, and the FAA. Each of these participants includes many smaller constituencies, each with its own special concerns. Improving the safety management process will, in many cases, require changes in regulations, corporate policies, and labor contracts. A cooperative approach to formulating these changes will ensure that they are broadly endorsed and can be implemented in a timely fashion. This will require balancing the concerns of all constituencies, including FAA managers and inspectors;
manufacturers of aircraft, engines, and systems; airline managers, pilots, and mechanics; managers of independent repair facilities; members of the traveling public, and others.
ORGANIZATION OF THIS REPORT
This report is focused on the committee's primary task: defining the key elements of an improved aircraft certification safety management process for large transport airplanes and recommending how potential barriers to implementing the recommended process could be overcome. Chapter 2 provides background information on the role of AIR, on how that role has evolved, and on specific regulatory actions that are part of the current safety management process. Chapter 3 provides background information on the causes of incidents and accidents.
Chapter 4 describes the recommended safety management process, which includes a mechanism for monitoring its own effectiveness. Chapter 4 focuses on improving the continued airworthiness of large transport airplanes, and it also includes several recommendations for improving the effectiveness of the certification process. Chapter 5 describes the relationships between human factors, environmental factors, and aircraft systems in accidents and incidents, followed by comments on several current initiatives to reduce accidents and incidents associated with human error. Chapter 6 recommends approaches for overcoming five key barriers to the implementation of the recommended safety management plan. Chapter 7 describes special characteristics of the small aircraft and rotorcraft communities and the special concerns that these characteristics raise with respect to the recommended safety management plan.
The appendices contain supplemental information. Appendix A is a summary list of all findings and recommendations. Appendix B contains short biographies of all committee members. Appendix C contains a list of participants in committee meetings. Appendix D contains additional information on probability and the application of reliability analysis tools, such as fault tree analysis, to aviation. Appendix E is an example of a "knowledge base" system (i.e., a knowledge-based database system). Appendix F is a sample legislative amendment that would authorize the certification of approved design organizations.
BTS (Bureau of Transportation Statistics). 1998a. Airlines: Scheduled Service Accidents, Fatalities and Rates. U.S. Department of Transportation. Online. Bureau of Transportation Statistics Homepage. Available: http://www.bts.gov/NTL/data/tables/chap09/tab9-5/tab9-5.txt. June 6, 1998.
BTS. 1998b. Average Length of Haul, Domestic Freight and Passenger Modes. U.S. Department of Transportation. Online. Bureau of Transportation Statistics Homepage. Available: http://www.bts.gov/programs/btsprod/nts/chp1/tbl1x12.html. June 6, 1998.
BTS. 1998c. Bus Profile. U.S. Department of Transportation. Online. Bureau of Transportation Statistics Homepage. Available: http://www.bts.gov/programs/btsprod/nts/apxa/bus98.html. June 6, 1998.
BTS. 1998d. Railroad Passenger Safety Data. U.S. Department of Transportation. Online. Bureau of Transportation Statistics Homepage. Available: http://www.bts.gov/programs/btsprod/nts/chp3/tbl3x35.html. June 6, 1998.
NHTSA (National Highway Traffic Safety Administration). 1996. Motor Vehicle Occupants and Nonoccupants Killed and Injured, 1986-1996. U.S. Department of Transportation. Online. Available: http://www.nhtsa.dot.gov/people/ncsa/overvu96.html#Summary. June 6, 1998.