Safety Management Programs Coming To OEMs
It’s about time.
“Dickson acknowledged the FAA should have had more complete details about the MAX’s flight control software system, including changes made during the aircraft’s development.
“There was incomplete and fragmented information, no doubt,” he said. “The full implications of the flight control systems were not understood, and mistakes were made. The information was not provided in the way it was needed to be provided. That alone degrades trust.”
“
Safety Management Programs Coming To OEMs
Sean Broderick June 23, 2020
The FAA is confident that its soon-to-be restarted plan to mandate safety management systems (SMS) for manufacturers will address some of the most glaring product certification deficiencies spotlighted during the Boeing 737 MAX crisis.
Mandating an SMS for manufacturers such as Boeing is one item in a package of FAA reforms proposed by the U.S. Senate in a bill unveiled June 16. The lawmakers’ call echoes one in a January report prepared by a special committee set up by the Transportation Department to review FAA certification. The FAA has committed to include an SMS rule among several changes it plans to introduce (AW&ST March 9-22, p. 46), and plans to release a draft rule this year.
- Safety management systems help identify risk before it causes problems
- Systems are independent of business units to eliminate financial pressures
- Previous rulemaking effort was paused, but the FAA plans to restart it this year
“I think it’s the most important step that we can take to improve aircraft certification,” FAA Administrator Steve Dickson told the Senate Committee on Commerce, Science and Transportation during a June 17 hearing.
The FAA already requires an SMS for scheduled airlines. Mandating an SMS for manufacturers would align the FAA with International Civil Aviation Organization (ICAO) Annex 19 standards, which have called for the organization-wide safety programs for aircraft manufacturers since 2013. A European Union Aviation Safety Agency effort to mandate an SMS for some manufacturers is also underway.
The FAA’s mandate would complete an effort the agency began in 2014 that was paused before a draft rule was published. Currently, the agency will review and “accept” a company’s SMS structure: if a company signals that it complies with National Aerospace Standard NAS 9927, “Safety Management Systems and Practices for Design and Manufacturing,” developed by the Aerospace Industries Association and General Aviation Manufacturers Association and based on ICAO’s guidance.
Dickson told lawmakers that mandating the inclusion of an SMS will help the FAA gain a more complete picture of a product’s development, providing a “holistic” view vs. a “transactional” one that may mask ramifications of design changes. Investigations into the 737 MAX’s certification have cited the agency’s lack of understanding around the model’s flight control system as a key factor in setting the stage for two fatal accidents that killed 346 people and led to the MAX’s March 2019 grounding.
Investigations into the accidents, Lion Air Flight 610 in October 2018 and Ethiopian Airlines Flight 302 in March 2019, cited fundamental misconceptions Boeing made about how pilots would react in certain emergency scenarios. Boeing’s assumptions were not properly vetted by human-factors experts, in part because the FAA did not have them playing key roles in aircraft certification. The agency has pledged to change this as well.
Boeing also made questionable decisions during the model’s development, prioritizing potential training costs over ensuring that customers were completely comfortable with their newest aircraft (AW&ST Jan. 27-Feb. 9, p. 20).
Dickson acknowledged the FAA should have had more complete details about the MAX’s flight control software system, including changes made during the aircraft’s development.
“There was incomplete and fragmented information, no doubt,” he said. “The full implications of the flight control systems were not understood, and mistakes were made. The information was not provided in the way it was needed to be provided. That alone degrades trust.”
The 2014 rulemaking effort was supported by an agency/industry advisory committee tasked with recommending how the FAA could apply a systems-safety approach to certification oversight. The committee’s 650-page report took deep dives into how the FAA oversees manufacturers, including Boeing’s Organization Designation Authorization, responsible for much of the 737 MAX testing and validation. It laid out specific recommendations for folding an SMS into product design regulations, including a three-year phase-in period.
Thanks to the nonmandatory program the FAA continued after the rulemaking stopped, manufacturers have examples to follow when SMS become mandatory. GE Aviation and Bell Helicopter were the first to establish SMS for their operations.
While an SMS is tasked with managing complex processes, its structure is straightforward. Its framework typically includes four components: policy, promotion, risk management and assurance. Policy is set at an organization’s most senior levels, ensuring cultural buy-in. Promotion helps solidify that buy-in and trains employees on their specific roles—both are key to creating a “just culture” that is critical to the success of an SMS. Risk management and assurance are the closely linked elements that determine risk and ensure it is managed.
An SMS creates a constant feedback loop that is independent of managerial and financial pressures. The independence is why Dickson and others believe SMS at the product development level will lead to safer designs. GE’s SMS structure helps illustrate why.
The company’s SMS program, launched in 2013 and accepted by the FAA in 2017, is administered by a 13-member flight safety office completely separate from its business units. Each engine program has a dedicated team led by a designated “accountable executive” responsible for implementing SMS at the product level. The teams meet monthly, at least, and safety concerns are reviewed by the accountable executive. A Product Safety Review Board holds quarterly, organization-wide SMS reviews.
The primary goal is to identify risks and mitigate them before they become issues, without interference from the business side.
“On the company side, the manufacturer puts safety responsibility where it belongs, and promotes transparency and voluntary employee reporting on safety issues,” Dickson said. “It refocuses accountability for product safety to the highest levels of the company.
“On the agency side, it allows us to oversee the system and the process, and it reinforces the sharing of data in a dynamic process between the manufacturer and the agency. It greatly improves the regulator’s ability to identify hazards and manage our oversight before a compliance bust actually occurs. We don’t have to wait for that because we’re getting a data feed throughout the process.”Sean Broderick
Senior Air Transport & Safety Editor Sean Broderick covers aviation safety, MRO, and the airline business from Aviation Week Network’s Washington, D.C. office.