Design and Certification

The Engineering Decisions That Determine What Is and Isn't Possible at 35,000 Feet

Aircraft certification is the process by which a nation’s aviation authority determines that an aircraft design is safe to operate. It is the bridge between engineering and the flying public — the system that stands between the drawing board and the runway and asks, at every step, ‘what if this fails? how bad would it be? how probable is it?’ When certification works well, aircraft that enter service are genuinely safe. When it fails, the consequences are measured in accidents and — eventually — in the regulatory reforms that follow.

The Comet crashes of 1954 revealed that certifying a pressurised fuselage without understanding pressurisation fatigue was a fatal gap in knowledge. The DC-10 cargo door produced a near-catastrophic incident (American Airlines 96, 1972) and then a catastrophic accident (Turkish Airlines 981, 1974) because the fix for a defect already known from the first event was handled through manufacturer service bulletins rather than a mandatory Airworthiness Directive. The Boeing 737 MAX killed 346 people in two accidents because a flight-critical system, MCAS, was certified at a severity level that did not reflect its actual failure consequences.

Design and certification is not a bureaucratic exercise. It is the most consequential safety engineering activity in aviation — the moment when the design decisions that will determine life and death on a thousand future flights are assessed, approved, and locked in.

 

What Is Design and Certification?

Aircraft certification in most jurisdictions follows a process of: design approval (demonstrating through analysis, test, and similarity that the design meets applicable standards), production approval (demonstrating that the manufacturing process reliably produces aircraft conforming to the approved design), and continued airworthiness (tracking fleet experience and issuing corrective actions when in-service experience reveals safety issues).

The applicable standards — FAA FAR Part 25, EASA CS-25 for large transport aircraft — define the specific requirements for structural strength, flight performance, propulsion, electrical systems, and dozens of other parameters. Compliance can be demonstrated by test, analysis, or similarity. The standards themselves evolve — usually in response to accidents that reveal gaps in the existing standard.

 

Key Topics and Concepts

This page draws together research, case studies, and analysis across the following areas:

Damage Tolerance Design

The philosophy whose lineage runs from the Comet crashes, which established fatigue as a certification concern, to the explicit damage tolerance requirements added to FAR 25.571 in 1978: structures must be designed to tolerate cracks, not merely designed in the hope of having none. Damage tolerance requires that a crack, starting from the smallest size an inspection can reliably find, grow slowly enough to be detected at a scheduled inspection before it reaches the critical size at which the structure fails.
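
A worked example of the damage tolerance calculation described above, added here and not code from Aviation Risk Lab: it integrates Paris-law crack growth from the smallest reliably detectable crack to the critical crack size, then divides that growth life by a scatter factor to set the repeat inspection interval. The material constants, stress range, crack sizes, geometry factor and the scatter factor of 2 are constructed assumptions chosen for illustration, not values for any real aircraft or alloy.

```python
"""Damage tolerance: inspection interval from Paris-law crack growth.

Added worked example, not code from Aviation Risk Lab.  Every constant below is a
constructed assumption chosen for illustration, not data for any real aircraft or alloy.
Units: metres, MPa, MPa*sqrt(m), pressurisation cycles (one cycle per flight).
"""
import math

PARIS_C = 1.0e-11      # assumed: da/dN = C * dK**m, da/dN in m/cycle, dK in MPa*sqrt(m)
PARIS_M = 3.0          # assumed Paris exponent
K_IC = 30.0            # assumed fracture toughness, MPa*sqrt(m)
DELTA_SIGMA = 100.0    # assumed hoop-stress range per pressurisation cycle, MPa
SCATTER_FACTOR = 2.0   # assumed divisor applied to the growth life to set the interval


def critical_crack_length(beta=1.0, k_ic=K_IC, sigma=DELTA_SIGMA):
    """Crack length at which the stress intensity reaches K_IC: fast fracture.

    K = beta * sigma * sqrt(pi * a); solve K = K_IC for a.  beta > 1 models the stress
    concentration at a cutout such as a window or aerial aperture."""
    return (k_ic / (beta * sigma)) ** 2 / math.pi


def growth_rate(a, beta=1.0, sigma=DELTA_SIGMA):
    """Paris law: crack extension per cycle at crack length a."""
    delta_k = beta * sigma * math.sqrt(math.pi * a)
    return PARIS_C * delta_k ** PARIS_M


def cycles_to_critical(a_detectable, beta=1.0, steps=20000):
    """Cycles for a crack to grow from a_detectable to the critical length.

    Numerically integrates dN = da / (da/dN) with the trapezoid rule, so a
    length-dependent beta or a different growth law could be dropped in."""
    a_crit = critical_crack_length(beta)
    if a_detectable >= a_crit:
        return 0.0   # already at or past critical: no inspection interval exists
    h = (a_crit - a_detectable) / steps
    total = 0.0
    for i in range(steps):
        a_lo = a_detectable + i * h
        a_hi = a_lo + h
        total += 0.5 * h * (1.0 / growth_rate(a_lo, beta) + 1.0 / growth_rate(a_hi, beta))
    return total


def cycles_to_critical_closed_form(a_detectable, beta=1.0):
    """Closed-form integral for constant beta and m != 2; cross-checks the numeric result."""
    a_crit = critical_crack_length(beta)
    p = 1.0 - PARIS_M / 2.0
    denom = PARIS_C * (beta * DELTA_SIGMA * math.sqrt(math.pi)) ** PARIS_M * p
    return max(0.0, (a_crit ** p - a_detectable ** p) / denom)


def inspection_interval(a_detectable, beta=1.0, scatter_factor=SCATTER_FACTOR):
    """Repeat inspection interval in cycles: growth life divided by the scatter factor,
    so a crack missed at one inspection is still caught at the next before it is critical."""
    return cycles_to_critical(a_detectable, beta) / scatter_factor


if __name__ == "__main__":
    for beta in (1.0, 2.0):
        a_c = critical_crack_length(beta)
        n = cycles_to_critical(0.001, beta)
        print(f"beta={beta}: critical crack {a_c * 1000:.1f} mm, "
              f"{n:,.0f} cycles from 1 mm, inspect every {inspection_interval(0.001, beta):,.0f} cycles")
```

Doubling the geometry factor (a stress concentration of the kind the Comet had at its window and aerial cutouts) cuts the critical crack length by a factor of four and the growth life by roughly an order of magnitude, which is why the inspection programme has to be derived per detail and not per aircraft.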

Failure Mode and Effects Analysis (FMEA) in Certification

The systematic, bottom-up identification of every failure mode of a system and its effects, feeding the functional hazard assessment that assigns each resulting failure condition a severity class. Had the MCAS failure condition (repeated uncommanded nose-down trim) been classified at its actual severity, the redundancy that class demands could not have been met by a design driven by a single angle-of-attack sensor.

Catastrophic Failure Probability Requirements

The regulatory benchmark that catastrophic failure conditions must be ‘extremely improbable’, which AC 25.1309-1A quantifies as on the order of 10⁻⁹ per flight hour or less, alongside the fail-safe principle that no single failure should be catastrophic. The same benchmark was cited for the MCAS severity assessment and for the pre-Lauda Air 004 assessment of in-flight thrust reverser deployment.
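
A worked example of the probability arithmetic that the 10⁻⁹ target and the failure mode analysis above rest on, added here and not code from Aviation Risk Lab or any certification applicant. It compares a single-sensor architecture against dual-channel architectures with fault latency and common-cause failure, and reads off the most severe failure condition each would be acceptable for. The per-channel failure rate of 10⁻⁵ per hour, the latency values and the common-cause fraction are constructed assumptions, not figures for any real angle-of-attack sensor or aircraft; the severity ceilings are the ones AC 25.1309-1A pairs with each class.

```python
"""Probability budget behind 'extremely improbable': 1e-9 per flight hour.

Added worked example, not code from Aviation Risk Lab.  The per-channel failure rate,
latency and common-cause fraction below are constructed assumptions chosen to show the
arithmetic, not certified figures for any real sensor or aircraft.
"""

# Quantitative ceilings per flight hour that AC 25.1309-1A pairs with each
# failure-condition severity (qualitative term in the comment).
SEVERITY_CEILING = {
    "catastrophic": 1e-9,   # extremely improbable
    "hazardous":    1e-7,   # extremely remote
    "major":        1e-5,   # remote
}


def worst_acceptable_severity(p_per_fh):
    """Most severe failure-condition class this probability is acceptable for,
    or None if the architecture is only acceptable for minor consequences."""
    for severity in ("catastrophic", "hazardous", "major"):
        if p_per_fh <= SEVERITY_CEILING[severity]:
            return severity
    return None


def meets_target(p_per_fh, severity):
    """True if the probability is within the ceiling for the given severity class."""
    return p_per_fh <= SEVERITY_CEILING[severity]


def single_channel(lam, exposure_h=1.0):
    """Loss of function when one channel does the job alone.

    Rare-event approximation: P ~ lambda * exposure.  Note that a single failure is
    disqualifying for a catastrophic condition regardless of its probability."""
    return lam * exposure_h


def dual_channel(lam, latency_h, exposure_h=1.0, beta=0.0):
    """Loss of function when both of two channels must fail.

    Independent part: one channel carries a latent fault (undetected for up to
    latency_h hours) and the other fails during the flight; either order, hence 2x.
    Common-cause part (beta-factor model): fraction beta of failures takes out both
    channels at once, so it behaves like a single channel at rate beta * lam."""
    lam_indep = (1.0 - beta) * lam
    independent = 2.0 * (lam_indep * latency_h) * (lam_indep * exposure_h)
    common_cause = beta * lam * exposure_h
    return independent + common_cause


def scenarios(lam=1e-5):
    """Constructed comparison for a sensor with an assumed 1e-5 per hour failure rate."""
    return {
        "single sensor": single_channel(lam),
        "dual, fault annunciated each flight": dual_channel(lam, latency_h=1.0),
        "dual, fault latent 100 h": dual_channel(lam, latency_h=100.0),
        "dual, 0.5% common cause": dual_channel(lam, latency_h=1.0, beta=0.005),
    }


if __name__ == "__main__":
    for name, p in scenarios().items():
        print(f"{name:38s} {p:9.2e}/FH  acceptable up to: {worst_acceptable_severity(p)}")
```

The point the numbers make is that redundancy on its own does not buy the four orders of magnitude between 10⁻⁵ and 10⁻⁹: a dual channel only reaches the catastrophic ceiling if faults are detected quickly and the channels really are independent, and a common-cause fraction of half a percent is already enough to push it back into the hazardous band.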

Certification by Analysis vs Test

The distinction between demonstrating compliance through engineering calculation and demonstrating it through physical test, and, within testing, between testing for the right failure mode and the wrong one. The Comet fuselage was proof-tested statically to well above its operating pressure, which demonstrated strength but said nothing about fatigue under repeated pressurisation cycles; the fatigue test that was run used a section already work-hardened by that proof loading, which made its result optimistic. The chosen compliance method must match the failure mode it is meant to exclude.

Human Factors in Certification

The requirements for cockpit display, warning system, and checklist design to support human performance. Air Inter 148 turned on the A320’s vertical speed (V/S) versus flight path angle (FPA) mode ambiguity: the same two-digit display read as -3,300 ft/min in one mode and -3.3° in the other. That ambiguity was a certification-level human factors failure, not only a crew error.

Regulatory Delegation and Self-Certification

The practice by which certification authorities delegate compliance findings to the manufacturer’s own engineers, in the FAA system through Organization Designation Authorization (ODA). The Boeing 737 MAX investigations exposed the risks of that delegation when it extends to the safety assessment of flight-critical systems.

Type Certificate and Supplemental Type Certificate

The legal documents that represent certification approval for an aircraft type (the Type Certificate, TC) and for major changes to it that are not incorporated in the TC itself (the Supplemental Type Certificate, STC). Every aircraft in service is built to, and maintained against, a Type Certificate that defines its approved configuration.

 

The Systems View

Design and certification is the point in the aircraft’s lifecycle where the largest safety gains — and the largest safety losses — are possible. A certification that fails to identify a critical failure mode has created a structural safety deficit that will persist for the aircraft’s entire operational life, to be discovered only when operational conditions activate the failure mode. The obligation of the certification system is to be more thorough than the failure modes it has not yet imagined.


 

Featured Case Studies

The following case studies on Aviation Risk Lab directly explore design and certification failures, near-misses, and systemic lessons:

de Havilland Comet — Certification Without Fatigue Understanding: Comet 1954

Turkish Airlines 981 — A Known Defect, No Mandatory AD: Turkish 981

Lion Air 610 — MCAS Certification Failure: Lion Air 610

Lauda Air 004 — ‘Extremely Improbable’ Proved Wrong: Lauda Air 004

Air Inter 148 — HMI Ambiguity in a Certified Design: Air Inter 148

American Airlines 587 — Certification Basis Missing a Load Case: AA 587

 

Closing Note

Every aircraft that is safe to fly is safe because a certification process identified the failure modes, assessed their consequences, and required design features that prevent or mitigate them. Every aircraft that has killed people because of a design failure is the evidence of a certification process that missed something. The obligation is to miss less — and the accident record of aviation is the primary input for understanding what the certification process needs to find.