Safety Certification - A Cautionary Tale
Independent inspection and review are essential to the prevention of transport safety accidents. Despite cost pressures and the drive for change, this must not be forgotten.
The importance of independence
Impartiality and independence are critical to making transport systems safe. They matter most at the times when the corporate drive for delivery and efficiency is greatest. The ongoing fall-out from the Boeing 737 Max airline crashes continues to serve as a modern-day example of the crucial importance of maintaining these principles.
737 Max - a cautionary tale
As is now widely known, two crashes of the 737 Max planes in the Java Sea and Ethiopia in 2018 and 2019 were attributed to the failure of a sensor system which had the ability to place the airplanes into a dangerous nose-down attitude. A single sensor was used, meaning that one component failure could cause an uncontrollable descent. In addition to the 357 lives lost in the 737 Max crashes, Boeing estimated the cost of the accidents as over $19 billion and counting. Boeing had sought FAA certification of the airplane as an iteration of the established 737 to save time and cost, as this removed a requirement for additional training of pilots. However the larger size and position of the engines pushed the airplane nose up during certain manoeuvres. Boeing added the sensor system to address this fundamental design issue by taking over control from the pilot in such circumstances and pushing the plane’s nose down.
The fallout from these accidents continues, with a litany of critiques of Boeing’s safety management practice. On 14th October, a Boeing pilot involved in testing the 737 Max jetliner was indicted by a federal grand jury on charges of deceiving the safety regulators who were evaluating the plane. The indictment accuses the pilot, Mark Forkner, of giving the Federal Aviation Administration false and incomplete information about the sensor system, with the result that it was not mentioned in critical manuals and training material. Congressional investigators have suggested that the pilot and Boeing downplayed the impact of the sensor system to avoid the need for pilot retraining.
This latest chapter in the story of the 737 Max accidents highlights the crucial balance between self-regulation and independent oversight, and the need to maintain the integrity of both in the face of what can be immense commercial pressures.
Safety and independence
From the outset of the industrial revolution in the UK, it gradually became clear that safety could not simply be left to ‘the market.’ Under the Factory Act of 1833, factory inspectors were appointed, invested with powers to enter premises and question workers. Safety performance began an inexorable improvement. As processes have evolved, the use of safety certification bodies has become more important, to complement the work of regulators and build the in-depth technical specialisms needed to provide trusted independent assurance.
The work of such bodies is becoming more important. Technology is leaping ahead exponentially and systems are becoming increasingly specialised, software-based, and difficult for third parties to truly understand. Transport systems form part of critical national infrastructure which is increasingly network-connected, leaving it exposed to cyber attacks. ‘Automation’ drives fundamental safety requirements deeper and deeper into system design. The temporal distance between system design and operation makes it even more difficult to consider local safety requirements early enough in the design. This is particularly true as niche system suppliers have global markets to satisfy, each with its own specific rules and standards.
While all this is happening, underfunded regulators increasingly lack the in-depth competence to fully understand the advanced systems they are regulating and authorising. The move to self-regulation by Boeing was in part driven by the recognition that the regulator did not have the competent resources to fully assure the plane. All of these challenges must be negotiated in the face of intense global competition and funding pressures in the COVID damaged economies of the world.
How can it go wrong?
The rigour of independent certification was one of the areas of investigation in the inquiry into the Grenfell tragedy in the UK, in which seventy-two people died in a horrific tower block fire in 2017. The inquiry heard evidence that the manufacturer of the flammable cladding panels used on Grenfell Tower used “hard tactics” in negotiations with a UK certifying body as it sought a certificate implying the panels were suitable for use on high-rise buildings.
Undermining of safety assurance is not always so overt. Long-term success diminishes the authority of the safety engineer. Effective safety procedures in organisations can gradually come to be seen as pointless bureaucracy, and assurance engineers can be seen as intransigent. Much of their role is about challenge, and often their challenges raise difficult issues which trade off cost, project delay and liability. Such engineers need both the technical expertise to really understand complex risks and the high emotional intelligence to work with others to address them effectively. The latter skills can be rare in a profession that has been found to be more prone to autism than any other. As a manager, it can be easy to dismiss long-term and somewhat intangible risks when the clock is ticking on an expensive project. Diligent safety specialists can find themselves marginalised to make room for more compliant people who are willing to make unreasonable and unwise compromises.
This dynamic is not just an area of consideration in the 737 Max crashes. If not properly organised and policed, the act of self-regulation and certification can drift off course in any arena. On the financial regulation side, this dynamic is at the root of current challenges to break the monopoly of the big four accounting firms, following a succession of scandals over recent years.
The way forward
Good safety ultimately needs to be delivered internally to an organisation. It must be competent and able to deliver its roles dependably. But in transport systems there is the potential for catastrophe, and accident risk must be kept extremely low. Everyone has blind spots, and a second opinion is needed to catch them. Grenfell and the 737 Max show how an unchecked focus on up-front cost, competition and delivery ultimately leads to drift and serious error. We also know that it is difficult to speak the truth to someone who doesn’t want to hear it, particularly if they hold your career or contract in their hands. That’s why independence is enshrined in safety standards and legislation and must remain so. It encourages the right conversations to happen, for everyone’s long-term benefit.
The fundamental truths here are fixed; nothing has changed in the modern world to invalidate them. The world is evolving and assurance needs to evolve with it. Independent checks need to be timely, targeted and efficient, but they are always needed. As Boeing has found to its cost, failing to get this right has real, major risks that manifest themselves tragically, unpredictably and at great expense.
In the next issue…
I hope you enjoyed this edition of Tech Safe Transport. In the next issue I’ll be taking you through yet another topic on the safety of modern transportation. Please subscribe now so you don’t miss it.
Thanks for reading
All views are my own and I reserve the right to change my opinion when the facts change. If you have any thoughts or comments, please feel free to send me a message on Twitter. Many thanks again to my rigorous (independent) editor, Nicola Gray.
The social media photo image is "Lion Air Boeing 737 MAX 8 PK-LQK" by hokuriku_e7, marked under CC PDM 1.0. To view the terms, visit https://creativecommons.org/publicdomain/mark/1.0/