Official US Government Icon

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure Site Icon

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

The Certification of the Boeing 787 Aircraft and the Lessons Learned

STATEMENT OF

MARGARET M. GILLIGAN,
ASSOCIATE ADMINISTRATOR,
FEDERAL AVIATION ADMINISTRATION,

BEFORE THE HOUSE COMMITTEE ON
TRANSPORTATION AND INFRASTRUCTURE,
SUBCOMMITTEE ON AVIATION,

THE CERTIFICATION OF THE BOEING 787 AIRCRAFT AND THE LESSONS LEARNED,

JUNE 12, 2013.

Chairman LoBiondo, Congressman Larsen, Members of the Subcommittee:

Thank you for the opportunity to appear before you today to discuss the Federal Aviation Administration’s (FAA) certification of the Boeing 787 airplane.  There were two widely reported incidents earlier this year involving the malfunction of one of the Lithium-Ion batteries on in-service 787s that resulted in the FAA grounding the fleet and initiating a comprehensive safety review of the 787 critical systems, including design, manufacturing, and assembly.  Today, after extensive design and certification work, 787s are once again part of the commercial fleet, flying passengers safely around the world.  The comprehensive review will be completed this summer.

FAA Certification Process

The FAA certifies aircraft and components that are used in civil aviation operations.  Some version of our certification process has been in place and served us well for over 50 years.  This does not mean the process has remained static. Since 1964, the regulations covering certification processes have been under constant review.  As a result, the general regulations have been modified over 90 times, and the rules applicable to large transport aircraft, like the 787, have been amended over 130 times.  The regulations and our policies have evolved in order to adapt to an ever-changing industry that uses global partnerships to develop new, more efficient and safer aviation products and technologies.

As this committee knows, the FAA is using a risk based approach to improving aviation safety.   The FAA focuses its efforts on those areas that have the highest risk.  The FAA type certification team members, who I will discuss in more detail below, must review the applicant’s design descriptions and project plans, determine where their involvement will derive the most safety benefit, and coordinate their intentions with the applicant.  When a particular decision or event is critical to the safety of the product or to the determination of compliance, the FAA must be involved either directly or through the use of our designee system.  

The designee program was originally authorized by Congress in 1938 and is critical to the success and effectiveness of the certification process.   In aircraft certification, both individual and organizational designees support the FAA.  The FAA determines the level of involvement of the designees and the level of FAA participation needed based on many variables.  These variables include the designee's understanding of compliance policy; consideration of any novel or unusual certification areas; or where adequate standards may not be in place.  

There are some issues that will always require direct FAA involvement, including rulemakings required to approve special conditions and equivalent level of safety determinations.  The FAA may choose to be involved in other project areas after considering factors such as our confidence in the applicant, the applicant’s experience, the applicant’s internal processes, and confidence in the designees. 

Something that is not well understood about the certification process is that it is the applicant’s responsibility to ensure that an aircraft conforms to FAA safety regulations.  It is the applicant who is required to develop the plans and specifications and perform the inspections and tests necessary to establish that an aircraft design complies with the regulations.  The FAA is responsible for determining that the applicant has shown that the design meets the standards.  We do that through review of data and by conducting risk based evaluations of the applicant's work.  

When a new design of aircraft is being proposed, the designer must apply to the FAA for a type certificate.  While an applicant usually works on its design before discussing it with the FAA, we encourage discussions with the FAA well in advance of presenting a formal application.  Once an applicant approaches us, a series of meetings are held both to familiarize FAA with the proposed design, and to familiarize the applicant with the applicable certification requirements.  A number of formal and informal meetings are held on issues ranging from technical to procedural.  Once the application is made, issue papers are developed to provide a structured way of documenting the resolution of technical, regulatory, and administrative issues that are identified during the process. 

The applicant must show that its design meets applicable existing airworthiness requirements.   Title 14 of the U.S. Code of Federal Regulations Part 25 comprises the safety requirements for transport category airplanes.  The regulations also provide for the issuance of special conditions when the FAA finds that the existing airworthiness standards do not address new or novel design features.    

When the FAA proposes to apply special conditions to an airplane design, a notice of proposed special conditions is published in the Federal Register and the public has an opportunity to comment.  As is the case with other rulemakings, those comments are considered and addressed before the special condition is finalized.  This process is intended to allow important innovation, while maintaining the level of safety consistent with the existing regulations.  Special conditions address the unique risks associated with a particular new technology.  They do not replace general safety requirements, they supplement them. 

Once the certification basis is established for the proposed design, the FAA and the applicant develop and agree to a certification plan.   In order to receive a type certificate, the applicant must conduct a series of tests and reviews to show that the product is compliant with existing standards and the special conditions. This includes analysis, lab tests, flight tests, conformity inspections, and detail-and airplane-level compliance findings, all of which are subject to FAA oversight.  If the FAA finds that a proposed new type of aircraft complies with safety standards, it issues a type certificate. 

FAA Certification of the Boeing 787

Using the framework described for obtaining a type certificate for a proposed airplane design, I would like to provide some information about the certification of the Boeing 787.  Boeing first applied for a type certificate for this aircraft on March 28, 2003.  The FAA formed a certification team comprised of certification engineers, inspectors, flight test pilots, flight test engineers, human factors specialists, technical advisors, specialists from the FAA Technical Center, and several of our Chief Scientists in various disciplines.  The team was supplemented by experts from other aviation authorities, industry technical organizations such as RTCA and SAE, and government, such as the DOT’s Volpe Center.  As a result of regular meetings between the FAA and Boeing teams, FAA identified a number of design features of the proposed airplane where the current standards did not address the new or novel features, including the lithium ion main and auxiliary power unit (APU) batteries.  At that time, there was a general standard – an FAA regulation - for the design of nickel cadmium and lead acid batteries, but these standards did not fully address the safety issues associated with lithium-ion battery systems.  Therefore, the FAA developed a special condition to establish a comparable level of safety with the standards that were in place at the time of certification.

In order to develop the special conditions necessary to achieve the equivalent level of safety required for certification, we reviewed the available lithium battery literature.  This also included consideration of the hazards of other battery technologies, such as nickel cadmium batteries.  This review and analysis resulted in an issue paper, which led to publication in the Federal Register of proposed special conditions on April 30, 2007.  The special conditions identified requirements to produce a level of safety equivalent to existing requirements in place for other types of batteries.  The special conditions became effective in November 2007 and supplemented the existing part 25 requirements.

The development and approval of the special conditions focused on two related safety concepts; the function the system performs, and the hazards associated with its failure.  The primary governing rule, part 25.1309, establishes general requirements for system safety.  There is also an Advisory Circular that accompanies the rule that describes methods applicants can use to describe and analyze systems to demonstrate compliance. System descriptions and functional hazard assessments help us understand what happens to system functions when failures occur. 

With respect to the lithium ion batteries, from a functional standpoint, they were not critical because they were only intended to provide power if some of the six generators on the airplane failed. 

In summary, the certification of the Boeing 787 required extensive FAA involvement over an eight year period.  A total of 150 issue papers were developed.  Engineers spent thousands of  hours on the certification.  There were over 900 hours of flight testing during the process.    The certification process was detailed and thorough, but, as is the case with newly certified products, we often learn more about the product after it is certified and gains service experience.  As we obtain pertinent information, identify potential risk, or learn of a system failure, we analyze it, we find ways to mitigate the risk, and we require operators to implement the mitigation.  And that is what happened in the case of the 787.

787 Incidents and the Decision to Ground the Fleet

New products and technologies, in all industries, often have operating failures when they first go to market.  Aviation is no different, but the consequences of failure can be so much more significant, that mitigations of potential failures are built into the certification process.  On January 7, 2013, when a battery on the 787 operated by Japan Airlines (JAL) overheated and started a fire on an empty aircraft at Boston Logan Airport, FAA immediately investigated the incident.  On January 11, 2013, FAA announced a comprehensive review of the 787’s critical systems, including the design, manufacture and assembly of the aircraft.  The Japan transport ministry and the National Transportation Safety Board also opened investigations. On January 16, an All Nippon Airways (ANA) 787 made an emergency landing at Takamatsu Airport after flight crew received a computer warning that there was smoke inside one of the electrical compartments.  ANA said that there was an error message in the cockpit indicating a battery system malfunction. 

Far and away the most important fact concerning these incidents is that no one on board the aircraft was injured.  Even when the battery system failed in flight, the incident did not result in injury to anyone on board.  This is in part because the FAA certification process requires manufacturers to assume that system failures will occur and to design mitigations for those failures to protect the aircraft so that no injury occurs to persons on board the aircraft.  From a certification standpoint, that goal was met.

After the second event, we gathered all the data we had.  Given the limited operational experience we had with the airplane, the fact that the two battery events occurred in quick succession, and that one of the events occurred in flight, we decided to ground the fleet.  This would allow us to take the time necessary to develop and implement the right safety solution without compromising safety.

Prior to January, the FAA had not grounded an aircraft fleet since the DC-10 in1979, so this is not an action the agency takes lightly.  Unlike that previous fleet grounding, the 787 was grounded, despite the fact that the incidents, thankfully, did not result in death or injury to passengers or crew. 

The accident rate for commercial aircraft operations is at an all time low.  Neither the public nor the FAA has the tolerance for that accident rate increasing.  Failures of systems on airplanes with hundreds of thousands of flight hours provide us with a tremendous amount of service data we can use to put an operational incident into the appropriate context and determine the corresponding mitigation.  When the number of flight hours that can be evaluated is limited, FAA’s ability to develop an appropriate mitigation is more challenging.

Grounding the 787 fleet gave the FAA the ability to consider necessary mitigations without compromising passenger safety.  The fact that the incident was limited in nature helped us focus our analysis and agree upon a mitigation that could be implemented. 

Post Grounding Review

The comprehensive review of the Boeing 787 and the root cause analysis of the two battery incidents was a data driven process.  Based on past accident investigations, we know that, while it is sometimes not possible to determine the actual cause of an incident, that does not prevent us from developing effective mitigations to prevent further malfunctions. 

Boeing, with support from industry and government battery experts, conducted a comprehensive review of the design of the battery systems.  Based on the information obtained from the review, the focus of mitigation efforts was on the possible causes that could result in an internal short within the cells and the battery.  The changes Boeing proposed addressed the initiation of a short, propagation of the malfunction from one battery cell to another, and containment of the event should another propagation occur.  FAA specialists were involved in developing the mitigation effort throughout the process. 

On April 19, 2013, after Boeing completed the certification plan and demonstrated compliance with the standards, the FAA approved Boeing’s design for modifications to the 787 battery system.  The changes were designed to address risks at the battery cell level, the battery level, and the aircraft level.  A team of FAA certification specialists observed the rigorous tests we required Boeing to perform.  They devoted weeks to reviewing the detailed analysis of the design changes.

On April 26, 2013, the FAA issued an Airworthiness Directive (AD) superseding the previously issued AD mandating that operators install of the main and auxiliary power (APU) unit battery enclosures and environmental control system ducts; and replacing the main battery, APU battery, and their respective battery chargers.  This AD also requires revision of the maintenance program to include an airworthiness limitation reflecting a requirement to replace certain parts related to the battery enclosure.

To assure proper installation of the new design, the FAA closely monitored modifications to the U.S. fleet and staged teams of inspectors at modification locations.  Further, as the certifying authority, FAA continues to provide support to other authorities around the world as they finalize their own acceptance procedures.

Lessons Learned from the 787 Certification Process

The FAA has a standard review of the process of every design we certify.  Short term, we often find administrative and procedural issues that are immediately evident and can be implemented for the next certification.  For example, with respect to the 787, while the “multi-tiered supplier” dynamic is not new to industry, the FAA has determined that we need to spend more time overseeing communication and ensuring a clear line of accountability of all required changes down the supplier chain.  We also look for ways to improve the integrity of the process with the addition of independent review of the work done.

While understanding the lessons learned as the result of a technical failure can take time because the root cause is not readily evident, the FAA has demonstrated its ability to develop mitigations which ensure the safety of passengers and crew.  In cases such as the flammability of the center fuel tank or the 737 rudder malfunctions, mitigations had to be developed that we were confident protected the passengers and crew without knowing the exact root cause of the particular problem. For example, it was not possible to know what caused the spark that caused the explosion in the center fuel tank and brought down TWA Flight 800.  The safest path to mitigation was to find a way to inert the center fuel tank, so that, regardless of what caused the spark, no harm could result.  With respect to the 737 rudder system, which was the cause of two fatal accidents in the 1990s, operational, procedural, training and design changes were implemented to protect flights from potential malfunctions. 

Technical Expertise

Finally, I would like to address the concern expressed by some that FAA’s use of aviation experts who do not work for the FAA suggests that we do not have the requisite expertise to resolve technical problems as they arise.  Such concerns are unfounded.  The aviation industry is filled with intelligent, innovative people.  Certification of aviation products and systems is not limited to the participation of a single certifying entity and a single manufacturer.  It is a worldwide industry and any new airplane design contains parts and products made by hundreds of companies in dozens of countries.  Certification of an airplane, in the United States or abroad, requires the efforts of the best and brightest minds.  FAA seeks the participation of industry experts who can add a level of safety or knowledge that can improve the process or the product.  Likewise, when, as an industry, we face a problem, bringing together the best and the brightest minds to work on solving the problem and making industry-wide safety improvements, should be considered a best practice.  Limiting the use of technical experts because of who they work for is the equivalent of imposing limitations on problem solving.  That is not a limitation that FAA would ever support.

Mr. Chairman, I hope this hearing helps the Committee understand the complexity of the certification process and the commitment of industry and FAA to support both the certification of new and innovative technologies and work to resolve problems as they arise.  I am proud of the safety record we have achieved together.  I am confident we have the best people in place to meet the challenges ahead.

This concludes my prepared statement.  I will be happy to answer your questions at this time.

Witness
Margaret M. Gilligan, Associate Administrator, Federal Aviation Administration
Testimony Date
Testimony Mode
FAA