
Yes, it sounds to me like that’s the issue too, but I disagree with it.

Either the mitigation is acceptable to make the plane safe to fly, or it’s not. “Well this one already existed before we knew about the issue, whereas this one is new” doesn’t actually change the risk calculus nor the effectiveness of the mitigation.



That's not how the FAA views it. There's no such thing as "safe to fly" or "not safe to fly." There are simply probabilities of accidents in different conditions. What constitutes an acceptable probability of accident is a judgment call.

The FAA has many, many safety rules, but which ones apply to a particular situation depends on a number of factors. For example, if you're flying by yourself in a small airplane, you don't even need a pilot's license! (solo student)

In the world of aircraft certification, on one end you have experimental aircraft that untrained people designed and built and may be extremely dangerous. The FAA is relatively hands-off on this as long as you put EXPERIMENTAL in big letters on the side and don't charge anyone for a ride. When you start to get into heavier, faster planes, like people who buy MiGs, there are rules about where they can operate that are intended to protect the public on the ground, but not the pilots/passengers. On the other hand, a new Boeing commercial jet is subject to intense scrutiny in almost every aspect. Obviously you see an enormous difference in accident rates between commercial airliners and experimental homebuilts.

One other dimension of this is grandfathering. Once a design is set, it can be very expensive to change it. You might like the 737 to have better redundancy in its hydraulic system, and if Boeing ever designs a replacement for it, they will have to put that in. However, if every regulation the FAA made applied to existing designs, either the FAA would have to keep the new regulations to an absolute minimum, which would harm safety going forward, or Boeing would have to redesign their planes every year, or maybe even send all of the old planes to the scrapyard!

This is not economically feasible, so the FAA only grounds aircraft for very serious safety issues. Parts are allowed to have tolerances in service that they aren't allowed to coming off the production line. Similarly, old design aircraft are allowed to have features that a new design aircraft wouldn't.

What this allows the FAA to do though is to improve safety incrementally as new designs are created. Since it's so much cheaper to put in a new feature in a new design, it's economically feasible to provide safety for progressively more unlikely failure scenarios for these aircraft. Gradually, the old aircraft are retired, and safety gets progressively better.

The 737MAX notwithstanding (and you could make a strong argument that Boeing abused the grandfathering rules with that aircraft), the progressive and dramatic improvements in airline safety over the past 100 years are a testament to the wisdom of this approach.


> There's no such thing as "safe to fly" or "not safe to fly."

Except the type certificate issued by the FAA for a given aircraft is by definition the FAA saying that the type meets all applicable standards and is safe to fly. So is the granting of exceptions to any applicable requirements.

The FAA doesn’t say “eh maybe, it’s a judgement call” to an aircraft manufacturer when telling them whether or not the plane can board passengers. They may include various factors, probabilities, and judgement calls in their own determination of if the type gets certified or not, but ultimately there _is_ a determination made: either it can fly in a given context, or it cannot.

If the argument is “we learn and get better over time, and just because we approved something yesterday doesn’t mean we approve it today”, I fully agree with that, but within reason. And while I don’t agree with this mitigation being an acceptable exception, I also don’t think it’s “insane” or incredulous for Boeing to ask for it, given that the FAA already approved the same thing previously.


Even whether an aircraft should be issued a type certificate is a judgment call. The regulations are not perfectly precise, and there is always going to be a certain amount of back and forth on interpretation and waivers and alternate means of compliance etc.

Even given that a type certificate has been issued, whether or not it is legal to fly depends on the circumstances of the flight. Just as an example, under part 91 (private flying), complying with manufacturer's service bulletins is optional, but under part 135 (charter) or part 121 (airline), it's generally mandatory.

Therefore, is the FAA saying it's safe to fly a plane that hasn't completed its manufacturer service bulletins? No. They're saying the acceptable level of risk under part 91 is higher.


Should there be an expiration date on grandfathering of airliner type certificates? Should manufacturers be required to update designs for new production airliners after, let's say, 30 years? The original Boeing 737 entered service in 1968 so even working at a slow pace with minimal resources they could have redesigned and recertified it multiple times in that period.


Personally I think so. Type certifications should expire after some reasonable time, and require a full re-certification under current rules and with current design review practices. I think this would also have other benefits, by discouraging improvements to e.g. fuel economy or pilot procedures slightly less, since the cost of re-certification is inevitable rather than something that can be avoided.

Grandfathering aircraft that exist indefinitely makes sense to me, but I don't see why designs should be grandfathered indefinitely for new builds, when we have learned a lot and increased our expectations significantly in the intervening years.


For that matter there are still plenty of DC-3s in active service, and those are all over 80 years old at this point. Not nearly as big a deal as it might sound - the biggest wear item on a commercial plane is actually cabin pressurization due to the long term fatigue characteristics of aluminum. DC-3s aren't pressurized.


I'm asking about changing policies for newly manufactured airliners, not specific airplanes that have already been built. No one has used a DC-3 for FAA Part 121 scheduled airline service in decades.


There are a number in regular commercial use (including passenger flights) in Canada which is a very similar regulatory regime. There are multiple US operators of the Basler turboprop conversion.


No need. That could be done through the system of Airworthiness Directives (ADs) I think.


Excellent post overall, but I'd point out that almost all of the imported warbirds are in fact flying as experimentals, since obviously they are not FAA certified.


Correct, but there are additional requirements around a warbird that do not exist for an RV-14, for example. That's his point.


Yes, they both have an experimental airworthiness certificate, but when the FAA issues an experimental certificate, it comes with operating limitations (technically part of the airworthiness cert). The operating limitations you get depend on the specifics of the aircraft.

The more dangerous the plane is to people on the ground, the more severe the limitations. For example for the really dangerous ones, they'll give you a limitation of "Flight over a densely populated area or in a congested airway is prohibited."


When you discover a potential safety issue on an already certified type, you do have a process to declare it and have to provide a justification or solution for it. Even if it was overlooked during certification, you can’t just ignore it.

That’s also why service bulletins exist.


It doesn't change the risk (benefit) side of the cost/benefit equation, but it does change the cost side.

To illustrate why this matters, imagine a more extreme situation, where it was somehow discovered that a similar flaw existed in all Boeing and Airbus jets. If a single new jet were being developed that had a similar risk, it could be enough to prevent certification, but we wouldn't stop all air travel because of it - the cost would be too high.

Grounding just MAX jets obviously wouldn't have that degree of impact, but the cost to airlines and to passengers would still be significant.


So normalization of deviance is acceptable here?


Please explain how this is “normalization of deviance” any more than allowing newly-built 8s and 9s to fly is.


Please explain how it's not!

An exception is a deviance that must be tracked and taken care of, adding mental load to the list of things a pilot has to do.

The normalization is pushing this deviance into a new system that isn't complete and therefore has no refit requirement over a large base of aircraft.


The 8s and 9s have the exact same issue and the FAA already approved the exact mitigation in those aircraft. Having different fixes for the same issue is more deviance, not less.


This is exactly how normalization of deviance leads to death.

The MAX8 does not have a fix, it has a complicated checklist of workarounds for dynamic behaviors that should be automated.

Then the next level of failure you're inducing is that ' 8 = 7 '.

The combined systems of the MAX8 are not and do not equal the combined systems of the MAX7. You have to re-assess the mitigation on every airframe that differs or you end up with a field of people splattered everywhere. If Boeing actually does the reassessment as they should, it will be about as intensive as actually removing the issue and reducing the workload of the pilot in the first place.

That's why a lot of people are pissy about this, as Boeing is trying to say they did it once and that work transfers to a new system perfectly. Didn't work so well with the other MAX8's that splattered themselves.


Pretty sure two wrongs don't make a right. The unsafe planes should definitely be grounded but that would be expensive. Just because we screwed up before, and exempted planes, doesn't mean we should knowingly continue to ignore danger.


There’s no “two wrongs” here, per the FAA. There was one wrong (the issue) and then that issue is mitigated by a procedure (the issue is righted, at least partially).

Even if you disagree with this mitigation, every time a new MAX 8 rolls off the production line and enters service, the problem grows larger. Why is this okay, but not the same for a MAX 7?

Again: either the mitigation is effective enough for MAX variants, or it’s not. I see no reason the two variants should be treated differently here.


>Again: either the mitigation is effective enough for MAX variants, or it’s not

No it is not. Here, you are doing just the normalization of deviance I'm talking about.

An airplane is parts, and an airplane is a system. Just because you use part X in system 1 doesn't mean a mitigation strategy for part X works the same in system 2. For example system 2 (or the MAX 7 in this case) could also have an additional dysfunction in cold weather that by itself is low risk, but when coupled with this procedure now represents a significantly higher risk of loss of aircraft event.

This is the kind of problem that shows up in new/changed systems when accepting risk from previous systems at their previously measured outcomes.


rolling faulty max 8s is NOT ok, but it's expensive to fix, and boeing threatened congress (extortion) and got an exemption.

[edit- the fact boeing can extort congress is scary]



