Aircraft Type Certification Authority Failure Through Delegated Safety Analysis at Boeing 737 MAX

The FAA certifies new aircraft types through a process in which the manufacturer demonstrates compliance with airworthiness standards. Under the Organization Designation Authorization program, the FAA delegates significant portions of the compliance analysis to employees of the manufacturer — Boeing engineers acting as authorized representatives performed certification testing and analysis on behalf of the FAA. The ODA framework was designed to address the practical reality that the FAA lacked the staffing to independently evaluate every system on every new aircraft. Boeing engineers assessed MCAS and submitted their findings to the FAA, which reviewed the submissions as the basis for the type certificate.

MCAS was developed to address a handling characteristic difference between the 737 MAX and earlier 737 models caused by the larger, repositioned engines. The system automatically pushed the aircraft's nose down under specific flight conditions to maintain handling consistency. Boeing's design connected MCAS to a single angle-of-attack sensor — without redundancy — and gave the system significant authority over the flight controls, capable of repeatedly commanding nose-down input. Boeing's safety analysis categorized MCAS as a system whose failure would be "major" rather than "catastrophic," a classification that determined the level of redundancy, pilot notification, and training required.

On October 29, 2018, Lion Air Flight 610 crashed into the Java Sea minutes after takeoff from Jakarta, killing all 189 people aboard. The investigation found that a faulty angle-of-attack sensor fed erroneous data to MCAS, which repeatedly commanded nose-down trim while the crew struggled to maintain control. On March 10, 2019, Ethiopian Airlines Flight 302 crashed six minutes after takeoff from Addis Ababa under nearly identical circumstances, killing all 157 aboard. The 737 MAX was grounded worldwide — the first global grounding of a commercial aircraft type.

Investigations revealed that Boeing's safety analysis had understated MCAS's authority over the flight control system. The original hazard assessment evaluated MCAS based on a design in which the system had limited authority and could only activate once per flight condition. During development, MCAS's authority was increased and the system was modified to activate repeatedly, but the safety analysis was not updated to reflect the expanded capability. The FAA's certification review relied on Boeing's original analysis — an analysis that no longer described the system as built.

The certification process evaluated Boeing's documentation of MCAS rather than independently evaluating the system itself. Boeing's safety analysis classified MCAS as a system whose failure consequence was "major" — a classification that, under certification standards, did not require the level of redundancy or pilot awareness that a "hazardous" or "catastrophic" classification would have mandated. The FAA reviewed this classification as submitted. When Boeing subsequently expanded MCAS's authority and activation logic during development, the safety classification was not updated, and the FAA was not informed of the design change in a manner that triggered re-evaluation of the hazard assessment.

The delegation framework created a structural conflict: the engineers performing the certification analysis reported to Boeing management, which had schedule and commercial pressures to complete certification without requiring additional pilot training — a key selling point for airlines ordering the 737 MAX as a replacement for earlier 737 models. FAA technical staff who raised concerns about delegation scope and oversight capacity described institutional pressure to defer to Boeing's analysis. The credential — the type certificate authorizing the aircraft for commercial service worldwide — was issued based on a safety analysis that did not describe the system as it was built, submitted by the entity that built it.

The 737 MAX was grounded for approximately twenty months. Boeing paid over $2.5 billion in a deferred prosecution agreement with the DOJ, including a criminal monetary penalty, compensation to airlines, and a fund for crash victims' families. Congressional investigations documented the delegation framework's structural conflicts and FAA's insufficient independent oversight. The Aircraft Certification, Safety, and Accountability Act of 2020 reformed the ODA program, requiring enhanced FAA oversight of delegated functions, protections for ODA unit members who raise safety concerns, and limitations on manufacturer influence over certification personnel. Boeing's CEO was replaced. Multiple nations' aviation authorities announced they would conduct independent evaluations rather than automatically accepting FAA certification.