PPRuNe Forums - View Single Post - Indonesian aircraft missing off Jakarta
Old 16th Nov 2018, 12:44
  #1318 (permalink)  
FiveGirlKit
 
Originally Posted by ozaub
Traditionally, aircraft designers negotiated certification rules with their regulator and, after agreed testing and analysis, senior company engineers assessed compliance. These engineers were called "Designated Engineering Representatives", appointed in their particular field of expertise as representatives of FAA. There were a few shameful abuses but generally the system worked.
On Boeing 787, delegation went further. It was the first airliner approved under a new "Organisation Designation Authorisation" (ODA) arrangement, specifically intended to further reduce FAA involvement. Somehow hazardous lithium ion batteries slipped undetected through the new procedures.
NTSB was not impressed. Its Investigation Report 2014/AIR1401 concluded:
“Boeing’s electrical power system safety assessment did not consider the most severe effects of a cell internal short circuit and include requirements to mitigate related risks, and the review of the assessment by Boeing authorized representatives and Federal Aviation Administration certification engineers did not reveal this deficiency."
"Boeing failed to incorporate design requirements in the 787 main and auxiliary power unit battery specification control drawing to mitigate the most severe effects of a cell internal short circuit, and the Federal Aviation Administration failed to uncover this design vulnerability as part of its review and approval of Boeing’s electrical power system certification plan and proposed methods of compliance."
"Unclear traceability among the individual special conditions, safety assessment assumptions and rationale, requirements, and proposed methods of compliance for the 787 main and auxiliary power unit battery likely contributed to the Federal Aviation Administration’s failure to identify the need for a thermal runaway certification test.”
737 Max is second Boeing certification under ODA.
In 2015 DoT Office of Inspector General Audit Report AV-2016-001 on ODA found
“...one aircraft manufacturer (presumably Boeing) approved about 90 percent of the design decisions for all of its own aircraft"
"... largest ODA oversight office—which is dedicated to Boeing and encompasses about 40 staff—is not currently included in FAA’s staffing model"
"... FAA expects to add this office to the model by October 2015 and have an initial forecast available by fiscal year 2016. Until then, FAA does not know whether it has adequate staffing levels"
"... ODA oversight team findings are often not related to high-risk issues—e.g., issues that could directly impact the potential loss of critical systems or other safety concerns"
"... industry representatives expressed concern that FAA’s focus was often on paperwork—not on safety-critical items.”
All rather alarming
A rather negative view of the systems being introduced by ODA, which assumes it will be worse than before.

A certifying authority has to either: use its own staff to verify every compliance document provided by the manufacturer; or approve designees at the manufacturer to do some of this work; or issue an approval to the manufacturer to self-comply some of this work. No certifying authority in the world uses the 1st method, as it would require a huge staff at a huge cost and puts no trust at all in the manufacturer. The FAA uses the second method, where employees of the manufacturer hold designations to do work on behalf of the FAA - not exactly an independent system, as the designee wears two hats, but it is a proven and safe system. Now, in addition, the designee system is further formalized and overseen by the FAA under the ODA system. EASA uses the third method, where the manufacturer holds an approval and is made responsible for its actions, has to have procedures in place, has to use independent Certification Verification Engineers to double check its own work, and is audited by EASA. Both the FAA and EASA are increasing the 'privileges' of the manufacturer based on risk philosophy: what is the point of the authority wasting its time on checking low-risk and mundane items when it should be focusing its direct involvement on higher-risk certification items? Get the ODA or the DOA to do the mundane work to allow the authority to concentrate on safety issues.

These systems are known to be safe, but no system can ever be infallible as there are always people involved...