Regulation by Retrospectoscope

On prescriptive fossils, the compliance trap, and why a rulebook leftover from the dawning of steam-driven cockpits might no longer be fit for purpose.

March 2026. Part of an expanding treatise on aviation risk methodology.

Welcome back to what was originally to be a relatively concise series of essays on aviation risk which has since morphed, through a combination of convincing non-rebuttal and a flagrant misinterpretation of the word ‘trilogy’, into something rather more sprawling. In the previous instalment I argued the case that Root Cause Analysis is itself a systemic risk — a framework that promises certainty where none exists, relies on simplicity where there is none to be found and directs corrective effort at whichever link in the causal or contributory chain happens to be politically convenient. If you missed it, the butterfly is still flapping and the rationale remains unchallenged.

In Part six of the widely acclaimed trilogy, I’d like to point the lens of reason at something even more sacred than the previously addressed deified bovines: the regulatory framework itself. Not simply the observation that the rules are old — everyone involved knows that the rules are old — but the rather more uncomfortable proposition that compliance with those rules is, in some adventurous environs, believed to be an equivalent for actual safety.

Some of It Is Purchased

Let’s start with the bit that should give you a clear understanding of priorities.

When the FAA finally modernised crew fatigue rules under Part 117 in 2014 — prompted by the Colgan Air 3407 accident that killed 50 people in 2009 (note the five-year gap between accident and consequent regulatory change) — it applied the new “science-based” rules to passenger operations only. The regulatory text is admirably blunt about this: Part 117 “prescribes flight and duty limitations and rest requirements for all flightcrew members and certificate holders conducting passenger operations under part 121.” Cargo carriers were exempted. Same sky, same fatigue physiology, same physics of controlled flight into terrain, same potential victims on the ground under the flight path — different rules, because the freight lobby was effective and cardboard boxes don’t vote.

The FAA’s justification was a cost-benefit analysis: approximately $3 million in safety benefits versus $452 million in compliance costs to the cargo industry over twelve years. The maths is technically defensible only if you accept the premise that a pilot’s life is worth less when their payload consists of inanimate boxes rather than self-loading cargo. The FAA did not phrase it quite that way, but the regulatory architecture says it plainly enough.

Here’s the part where the hypocrisy-detector hits eleven. Pilot fatigue had appeared on the NTSB’s Most Wanted List of Transportation Safety Improvements since the list’s inception in 1990. More than 200 NTSB safety recommendations on fatigue had been issued since 1972. It took fifty dead people at Clarence Center, New York, to force regulatory action — and even then, the action applied to only half the industry. Three separate pieces of legislation have since attempted to close the cargo gap: the Safe Skies Act of 2012, the Safe Skies Act of 2021, and the Fatigued Pilot Protection Act of January 2026. None has been enacted. The cargo companies lobbied for the exemption. The cargo pilots opposed it. Guess who won? This is not an obscure regulatory footnote. It is a structural demonstration that the regulatory system optimises for affordable safety through the path of political feasibility, regardless of the press releases. This is not a US-specific phenomenon; there are similar examples everywhere.

The Tombstone Agency

Mary Schiavo, the US Department of Transportation’s Inspector General from 1990 to 1996, gave us the term that captures the pattern: “Our safety agency is called the tombstone agency.” Harsh? Lutte and Bowen examined FAA activity in the 1990s and published the results in a peer-reviewed study in 2000. They found that FAA regulatory, inspection, and enforcement activity increased measurably following US-based fatal accidents — but not following equivalent foreign ones. The regulator responds to political pressure, not to risk data. An American crash produces regulatory activity. A foreign crash producing identical lessons does not.

Although a clearer example of regulatory capture than regulatory staleness, the 737 MAX certification brought the pattern into high definition. The House Committee on Transportation and Infrastructure spent eighteen months investigating and concluded with what might be the most devastating sentence ever directed at an aviation regulator by a legislature: “…a horrific culmination of a series of faulty technical assumptions by Boeing’s engineers, a lack of transparency on the part of Boeing’s management, and grossly insufficient oversight by the FAA.” The Committee found “inherent conflicts of interest” in the FAA’s oversight structure. Boeing employees authorised to act on the FAA’s behalf failed to alert the FAA to safety issues. The FAA’s own review panel — the Joint Authorities Technical Review — recommended ensuring that Boeing’s designated engineers could work “without any undue pressure” and had “open lines of communication to FAA certification engineers without fear of punitive action.” Without fear of punitive action? From whom, you might ask. From the manufacturer whose aircraft they were certifying on behalf of the public. Certification engineers, carrying a delegation from the FAA with responsibilities to alert the regulator to ‘safety issues’, faced the prospect of ‘punitive action’ if they did.

A US Government Accountability Office comparison in 2022 found the structural difference: where EASA independently evaluates the technical basis of manufacturer compliance findings, the FAA performs a completeness check. The GAO, with characteristic diplomatic restraint, did not characterise this divergence as politically motivated. I will leave the reader to draw their own conclusions about why the national regulator adopted the lighter touch, but if you are equipped with a memory which is more RAM than ROM, I would refer you back about 380 words earlier for context.

None of this is ancient history. Technology moves at the speed of commercial incentive. Regulation moves at the speed of international consensus, which is roughly equivalent to the speed of smell. There are many examples showing that the ICAO Standards and Recommended Practices amendment cycle takes approximately seven years from initial proposal to applicability. Seven years. By the time a new Standard arrives, the threat it was designed to address has often moved on, mutated, or been overtaken by something the original proposal didn’t contemplate. Imagine being told by your Safety Regulator, when introducing a first-of-type aircraft onto the local registry, that ‘it’s too smart for our regulations — you’ll need to dumb it down.’ Ask me how I know.

Testing for Yesterday’s Emergency

Almost ubiquitously, every six months, airline pilots worldwide climb into a simulator and demonstrate their ability to handle an engine failure at V1 — the speed achieved during the takeoff roll beyond which you’re going flying whether you like it or not (with a few notable exceptions). This has been the centrepiece of the pilot proficiency check since the 1950s, which at that time made perfect sense. In the 1960s, jet engines failed at a rate of approximately 40 per 100,000 engine flight hours. A four engine jet probably accumulated 10,000 engine hours per year. That’s enough accumulated engine time each year to see four engine failures. If you were a line pilot in 1965, engine failure wasn’t so much a theoretical exercise as it was a recurring feature of your working life.

It isn’t any more. The modern fleet average for in-flight shutdowns is less than 1 per 100,000 engine flight hours — a forty-fold improvement. The GE90-115B, which powers the Boeing 777, has achieved a published rate of 1 per 1,000,000 engine flight hours. GE’s own assessment: a pilot will likely operate a GE90-powered 777 for an entire career without experiencing an engine-caused shutdown. Every engine type approved for 180-minute EDTO (Extended Diversion Time Operations, the regulations which permit aircraft to fly a long way from an available airfield) — the Trent XWB, the LEAP-1A, the LEAP-1B, the PW1100G, to name a few — must demonstrate an IFSD rate at or below 0.02 per 1,000 hours to obtain and sustain that approval. That threshold alone represents a twenty-fold improvement over the 1960s baseline, but the best modern engines are doing many times better than that.

William Voss, then President of the Flight Safety Foundation, put it bluntly in 2012: “Our training has been trapped in the 1960s and is dangerously out of date.” That was fourteen years ago. What happened after he said it? IATA published its Evidence-Based Training Implementation Guide. ICAO published Doc 9995. Papers were written. Conferences were convened. And the V1 cut remains, in 2026, a foundational component of the proficiency check. The industry acknowledged the problem, produced the paperwork, and then largely continued doing what it had always done. Change is hard. That’s not to say that flight safety hasn’t improved. It has, markedly, but not because of regulatory evolution.

Meanwhile, the things that actually destroy aircraft have changed. Dramatically.

Loss of control in flight — LOC-I — is the leading cause of fatal accidents in commercial aviation. IATA’s analysis of the decade 2009–2018 found 64 (43 passenger and 21 cargo) LOC-I accidents, of which 93% resulted in hull loss and 90% incurred fatalities. Ninety per cent. When a crew loses control of a modern airliner, almost no one survives.

Runway excursions are, according to the Flight Safety Foundation and EUROCONTROL, “the most frequent accident type in aviation” — 283 accidents between 2005 and mid-2019, roughly 23% of all accidents. In 2024 alone, the FSF recorded 20 runway excursion accidents, nearly triple the previous year and well above the five-year average of 15.

Controlled flight into terrain accounts for only 6% of accidents but 28% of fatal ones. ICAO has designated all three as Global High-Risk Categories of Occurrences in every edition of the Global Aviation Safety Plan since 2020.

So the industry obsessively tests for an event that modern engines have rendered vanishingly rare. The events that actually dominate the fatality record get a rather different treatment.

The Training-Testing Gap

To be fair — and it pains me to be fair when I’m on a roll — stall prevention is a mandatory proficiency check item under the FAA, EASA, and Transport Canada. Approach-to-stall recovery is tested. That’s a LOC-I countermeasure, and credit where it’s due.

But here’s the distinction that matters. Full-envelope upset recovery — the kind of developed upsets at unusual attitudes and bank angles that actually characterise fatal LOC-I accidents — is trained but not tested. Both EASA and the FAA require upset prevention and recovery training. Neither includes it as a recurrent proficiency check item. The regulator mandates the lesson but doesn’t set the exam. If your child’s school taught mathematics but never tested it, you’d have questions. The aviation industry has been doing precisely this with the manoeuvres most likely to prevent the most lethal category of accident, and the response has been a collective institutional ‘meh’.

Runway excursion is the same story, told differently. ICAO now requires a Runway Overrun Awareness and Alerting System on all new aircraft above 5,700 kg — an ICAO Standard, effective for aircraft certified from January 2026. EASA has deferred implementation to July 2026. The FAA has not adopted the requirement at all. The International Federation of Airline Pilot Associations (IFALPA) — the global pilots’ federation, which represents the people who actually sit in the seat — has stated that ROAAS training “should be part of both the initial and the recurrent training.” No regulator identified in this research has acted on that recommendation or made testing of the capability mandatory.

The technology to address the leading cause of hull losses is being installed in aircraft. Yet the humans who must respond to its warnings instinctively are not required to demonstrate they know how to use it. If you can explain the ‘logic’ of that arrangement, you’re a better regulatory philosopher than me.

The Compliance Trap

Here’s where the compliant–safe equivalence gets genuinely dangerous, and here is the thread that connects everything in this series — from two-dimensional risk matrices through the false confidence of risk registers to the fiction of root causes.

Prescriptive regulation facilitates a binary outcome: you are either compliant or you aren’t. This is administratively convenient. It can also be profoundly dangerous, because it allows an organisation to be fully compliant and systemically unsafe at the same time. If the regulation specifies a maintenance inspection interval that was appropriate for the metallurgy and operating environment of 1975 but has not been updated for the composites and duty cycles of 2025, an operator who complies with the specified interval is doing exactly what the regulator requires. The regulator is satisfied. The auditor ticks the box. The certificate is renewed. Compliance is achieved.

And then something fails, and the investigation discovers that the prescribed interval was inadequate for the actual operating conditions — conditions that have changed incrementally over decades while the regulation stood still. At that point, the post-mortem will undoubtedly conclude that ‘lessons must be learned.’ The regulation will be amended. Another tombstone will be added to the regulatory lexicon.

In fairness, the industry has recognised this problem. ICAO’s introduction of Safety Management Systems — formalised in Annex 19 — was an explicit acknowledgement that prescriptive compliance alone cannot deliver acceptable safety outcomes in a complex, modern aviation system. SMS is intended to be performance-based, data-driven, and proactive. In theory, it shifts the focus from ‘are you following the rules?’ to ‘are you actually safe?’

In practice, SMS has too often been bolted onto the same prescriptive framework it was supposed to transcend. The regulator still audits against prescriptive standards, at their worst using the SMS database and risk register as places to go trawling for regulatory breaches. The operator still treats SMS as another compliance requirement — a set of forms to fill in, hazard registers to maintain, and safety committees to convene. Even relatively recent regulation that claims to be ‘outcome-focused’ — such as EASA’s — is supplemented by interpretative guidance material which has effectively become prescriptive lore. The spirit of SMS is organisational learning and proactive risk management. The letter, as implemented in many jurisdictions, is a bureaucratic overlay on a fundamentally unreformed regulatory architecture.

If you’ve been following along in this meandering and increasingly voluminous treatise, you might notice a theme. The system provides false assurance. The risk register says the risk is managed. The root cause analysis says the problem is fixed. The regulatory audit shows the operation is compliant. And yet.

The Industry That Knows

Perhaps the most telling indictment of the regulatory framework is not anything a critic has said. It’s what the industry has done.

Quietly, without fanfare, and with the diplomatic discretion of organisations that depend on regulators for their operating certificates, the aviation industry has built an entire parallel safety architecture. Not in defiance of regulation — nothing so dramatic. More an adjunct, simply because regulation alone wasn’t seen as adequate.

IATA’s Operational Safety Audit — IOSA — launched in 2003, mandatory for IATA membership since 2006. In 2024, IOSA-registered carriers had an accident rate of 0.92 per million flights, versus 1.70 for non-IOSA carriers. Since 2005, the long-run comparison is 1.40 versus 3.49 per million sectors. That’s not a marginal improvement. That’s a different universe of safety performance. And here’s the part that should give every compliance-testing national regulator a sleepless night or two: more than 40 governments now use or intend to use IOSA in their own oversight programmes. Forty sovereign states effectively saying: our own certification isn’t enough, so we’ll borrow the airline industry trade body’s audit instead. Only way to announce dissatisfaction with legacy regulation more profoundly would be by writing an expanding treatise…

The Flight Safety Foundation’s Basic Aviation Risk Standard — BARS — is even more explicit. It was established in 2009 because resource companies with a need for aircraft services in remote environments, who are often very risk-aware, discovered that a valid air operator’s certificate, which confirmed regulatory compliance, did not adequately determine operational fitness for the actual job. BARS describes itself as “a risk-based model framed against the actual threats posed to aviation operations” as opposed to “outdated and prescriptive formats previously used.” Those are not my words. That’s the Flight Safety Foundation, diplomatically explaining that the existing regulatory framework was inadequate for keeping people alive. Fatalities in onshore resource aviation: 247 between 2010 and 2016. Twenty-six from 2017 onwards.

The IATA Safety Audit for Ground Operations (ISAGO) filled the gap in ground handling — a domain where many states impose no specific safety certification at all — addressing an estimated 27,000 ground accidents per year and $10 billion in annual costs.

Perhaps most tellingly, the Commercial Aviation Safety Team — in which the FAA itself was a founding participant — won the Collier Trophy in 2008 for achieving an 83% reduction in US fatal accident risk by doing what the prescriptive framework could not: sharing data across competitors and acting before people died.

Read that again. Aviation’s highest safety honour went to an organisation that succeeded precisely because the existing regulatory framework couldn’t.

Compliance Is Not Safety

The tools we use to manage risk can themselves become sources of risk. Regulation is perhaps the most consequential example. A rulebook that was world-leading in 1975 does not become dangerous because it was wrong. It becomes dangerous because the world moved on and the rulebook didn’t — and because the entire compliance infrastructure built around it continues to provide misguided assurance that everything is fine.

When the political economy of rulemaking allows a $452 million cost argument to override 200 NTSB safety recommendations about fatigue spanning thirty years, the system is not optimising for safety. When the regulator’s response to risk data depends on which country the accident happened in, the system is not optimising for safety. When the industry’s highest honour goes to an organisation that exists because regulation couldn’t do the job, the system is not optimising for safety. It is optimising for an absence of change.

The most insidious risk in aviation is not the risk you’ve assessed, registered, and mitigated. It’s not the root cause you’ve ‘identified’ and allegedly corrected. It’s not the regulation you’ve complied with. It is the patently erroneous but nevertheless comfortable, institutional certainty that having done all of these things means you are safe.

You’re not. You’re compliant. There’s a philosophical and practical chasm in between, and that gap is where the next systemic failure lives.

In our next exciting episode (Part 7 of 3!) we’ll look at projecting the status quo linearly to infinity, differential risk, the cost of decisions not taken, some real examples of compliance vs risk and discuss the justification for setting the acceptable minimum at a level above ‘compliant’.
