Leeham News and Analysis
There's more to real news than a news release.
Bjorn’s Corner: Faster aircraft development. Part 12. Preliminary Design; Requirements Definition.
By Bjorn Fehrm and Henry Tam
October 17, 2025, ©. Leeham News: We do a series about ideas on how the long development times for large airliners can be shortened. New projects talk about cutting development time and reaching certification and production faster than previous projects.
The series will discuss the typical development cycles for an FAA Part 25 aircraft, called a transport category aircraft, and what different ideas there are to reduce the development times.
We will use the Gantt plan in Figure 1 as a base for our discussions. We added two milestones to our Program Plan, which we will refer to in the articles: Preliminary Design Review and Critical Design Review. Here is their definition according to NASA:
The Preliminary Design Review (PDR) demonstrates that the preliminary design meets all system requirements with acceptable risk and within the cost and schedule constraints, and establishes the basis for proceeding with detailed design. It shows that the correct design options have been selected, interfaces have been identified, and verification methods have been described. The PDR should address and resolve critical, system-wide issues and show that work can begin on detailed design.
The Critical Design Review (CDR) demonstrates that the maturity of the design is appropriate to support proceeding with full-scale fabrication, assembly, integration, and test. CDR determines if the technical effort is on track to complete the system development, meeting mission performance requirements within the identified cost and schedule constraints.
Figure 1. A generic new Part 25 airliner development plan. Source: Leeham Co. Click to see better.
*** Special thanks to Andrew Telesca for helping with this article***
Preliminary Design; Requirements Definition
As we progress through the preliminary design phase, the most critical aspect of certification is finalizing the requirements definition, especially for the technology risks identified in the conceptual design phase. The aim is to translate technology choices into certifiable design requirements and ensure the foundations are solid in areas that can quietly undermine programs, such as software and hardware development assurance and the integration of third-party systems.
In this article, we’ll look at:
- How certification requirements are established for new technologies
- Integrating supplied equipment, including “commercial off the shelf” (COTS) items, into our design
- Building the requirements foundation through development assurance
- Critical influences on execution (resolution) speed
How Certification Requirements are Established for New Technologies
In order to move forward with our carefully accepted list of technology innovation areas, we now need to build new requirements under which they can be certified. On the plus side, there are many regulatory tools that support this process. However, none of them are fast. Active engagement with the regulator’s project team is needed to craft a strategy tailoring the following key tools based on our specific needs:
- Special Conditions (SCs) – Used when existing regulations are not considered adequate to cover the potential hazards of novel technologies, so new regulations must be written.
- Equivalent Level of Safety (ELOS) Findings – Used when direct compliance with the language of a regulation cannot be met, but the design includes compensating design features that achieve the same safety intent.
- Exemptions – Used in cases where the regulation is impracticable to meet with the new technology, and there is a gap to the original safety intent, but the benefits of the technology allow a case to be made that it’s in the public interest to bypass some portion of the regulation.
- Means of Compliance Issue Papers / Certification Review Items – Used when the regulation is adequate as written, but the accepted methods of verifying that requirement has been met need to be adjusted – for example, because our hybrid-electric powertrain will likely have different stresses than a turbofan engine we will likely need to change how it is endurance tested to ensure we’re exposing it to true “redline” conditions.
- Industry Committees – When a new technology is being used by many applicants often the regulators want a consensus standard for how to ensure safety for that technology. In this case, rather than negotiating with individual applicants, industry standards committees such as ASTM and EUROCAE are used to propose new rules. Such committees move as fast – or as slow – as the industry members driving them.
The final output is an agreed certification requirements set, typically captured in documents including a G-1 Issue Paper (FAA) or A-1 CRI (EASA). These documents become the project’s contract between applicant and regulator—it allows us to go into detailed design with clear requirements that won’t change late in the game.
Integration of Supplied Equipment
No aircraft is built in isolation. Engines, avionics, and many other subsystems come from external suppliers, often already certified for other applications. Integrating them correctly is one of the most underestimated drivers of certification schedule.
Suppliers may provide TSO’d/ETSO’d articles (Technical Standard Order, EU TSO), previously certified systems, or “commercial off the shelf” (COTS) components. Each category requires a different level of oversight. Even previously certified articles must be integrated in a way that preserves their original compliance basis. A TSO-approved air data computer, for instance, may need new safety assessments when paired with a different flight control system, or installed in a different physical environment.
COTS components may not have the quality controls in place necessary for the safety standards of our transport-category product. Overlooking these delta-certification efforts can lead to late discoveries, or even the need to change suppliers after the design is completed. As suppliers are brought on board in this phase, careful attention should be paid to the contractual clauses that govern their roles and responsibilities in the certification process.
Special Note: if our project includes changes to previously certificated products, it’s also important to consider our risks (and opportunities) under the Changed Product Rule (14 CFR 21.101 for the FAA). There are special rules for determining when a changed product can utilize the certification requirements for the original design effort, and when updates are required.
Development Assurance & Our Requirements Foundation
Development assurance (DA) is the glue that holds the certification of complex systems together. It ensures that software, hardware, and systems are developed with processes proportional to their safety impact—DO-178C for software, DO-254 for airborne hardware, and ARP4754A for systems.
Normal design practices are not enough here. DA explicitly addresses safety integration and unintended functions—failure paths that standard design methods might miss, especially for complex systems. In a complex development, the ability of the aircraft systems to perform their intended functions in a safe manner and without adverse or unintended behaviors cannot always be established through testing and analysis of the final design. Therefore, in order to minimize the risk of development errors, rigorous design practices must be implemented and followed.
These practices include the need to independently validate the requirements to ensure they are clear, correct, and complete. Verification methods must be established to ensure evidence is collected to show all requirements are met, including in corner cases and without unintended behaviors. Additionally, a layer of process assurance (also known as design quality assurance) is required – this entails independent auditing of the engineering effort ensuring that the agreed development methodologies have been followed in a consistent and robust manner.
For startups, this is often new territory, requiring investment in requirements management systems, configuration management, tool qualification, and assurance personnel – foundational building blocks that aren’t strictly necessary in early prototyping.
The key to going fast is right-sizing: scaling the rigor of assurance activities to the system’s Development Assurance Levels (DALs) so that rigor is targeted to where it’s critical for safety. Over-applying process burden wastes time; under-applying it risks rejection by the regulator. A balanced DA plan leverages foundations built in the conceptual design phase—requirements traceability, a defined safety process, and a clear design iteration plan.
If you’re coming out of this phase without a clear understanding of the required functions, systems interfaces, performance targets, and redundancy needs, you’re probably going too fast. If you’ve defined all your performance tolerances and monitor thresholds, you’re just setting yourself up for rework.
As we progress the project, integration of requirements into the design reviews is essential. Each review (PDR, CDR, etc.) must show traceability from safety requirements to design artifacts, supported by validation evidence. Without this, the design may progress fast on paper but stall at certification.
Managing Speed of Execution
When it comes to regulatory requirements and the impact on program schedule, success depends primarily on scope control and disciplined data development. Just like the previously shown curve on cost-commitment vs. realization, a fast program is one with a properly tailored set of regulatory requirements and processes.
Some key execution approaches that can also help are:
- Early Data Development – both regulators and industry committees struggle to finalize requirements if there is no data to support them. No one wants to be responsible (or liable) for a bad rule that was based purely on engineering judgment. If you want to get the right requirements in place, build a plan for rigorous testing of early prototypes that can serve as a basis for justifying your proposed rules.
- Make Disciplined Use of Assumptions – Sometimes, to design & build quickly, you need to progress a design without all the information necessary to conclude you’ve defined the requirements correctly. By writing requirements in this phase anyway – with the assumptions clearly documented – you can then collect the validation information needed in prototyping to confirm those assumptions and ensure the final requirements coming out of the detailed design phase will be correct and complete. This puts you on the true path to certification rather than a dead end.
The biggest temptation at this phase will be to proceed with the design “at risk” to go fast – after all, we trust our engineers to have made smart choices, right? However, whether you’re a startup or an incumbent, the reality is that smart risk-taking is managed risk-taking.
Each time you choose to proceed with a known deficiency, ask yourself what you need to know to retire the risk, when you need to know to keep the risk contained, and what control is in place to ensure you don’t forget to close it when a whole new set of fires has taken over your attention. It’s a terrible feeling to look back at a PDR deck from three years earlier and realize that $50m issue you’re facing was recognized back then, but later forgotten.
So much to consider in designing a new aircraft.. thanks for this
detailed series.
Excellent series!
Can you please explain the second sentence of the paragraph:
“If you’re coming out of this phase without a clear understanding of the required functions, systems interfaces, performance targets, and redundancy needs, you’re probably going too fast. If you’ve defined all your performance tolerances and monitor thresholds, you’re just setting yourself up for rework.”
Thanks
I believe it means that the definition of specifications and performance metrics must be on a sliding scale of concreteness. At this stage it should be firm enough to have allowed for detailed design, but flexible enough to allow for changes that inevitably emerge from the ensuing processes.
That’s essentially been the art of development and certification cycle management, that Henry and Bjorn have put forward in this series.
I used the “concrete” analogy because it’s not unlike gauging and adjusting the curing time of a cement pour. It has to remain fluid long enough for screeding, leveling and positioning of tendons and other reinforcement. If it either cures too quickly, or if it doesnt sufficiently cure to acquire structure, you have a big mess on your hands. Same with management.
In the Macondo well (Deepwater Horizon) blowout incident, the management and concrete problems literally merged to become one and the same.
The concrete mixture was specified with a nitrogen foaming agent to lower its density, to avoid fracking the well, which was near the technological limit of pressure control. If the concrete slug pumped to the bottom fractures the bedrock, the well production rate would be sharply reduced. Or worse, could leak out through the fractures.
However it was decided to use leftover cement from the last well, which contained an anti-foaming agent. Therefore foaming the cement ensured it could not cure properly. Further they waited less than the specified cure time to run a positive pressure test, which damaged the uncured plug.
Many mistakes which individually might have been tolerated, but collectively resulted in disaster.
@Rob:
I like the comparison but in the case (pun) of Maconda. I would not call it a mistake(s). Each action was willful. The thinking (if you want to call it that) was the other layers in the cheese made up for it but they compromised all the layers to a straight line.
The gun world has finally used a term I found correct, ND or Negligent Discharge. No matter what the reason you got there, not ensuring you had an empty chamber as the last check was the cause.
I worked with concrete as well as saw some serious pours of it. One ramp spot job went bad due to the company not understanding how it needed to cure one of the new uber mixes (fantastic capability but also very sensitive to temps and methods).
Great summation. Any one of the major preventive measure done right would have stopped it. Pretty much if you could do it wrong it was done wrong on that well.
As a side note, I was introduced to the existence of the mfg that makes the well gauges (oil field standard). If I had to bet my life on a gauge, it was that gauge, incredibly reliable and virtually impossible to pressure damage.
Of all the aspect, the pressure reading the crew at the wellhead saw and was ignored what it was telling them and they died is really rough.
Its also the ultimate example of why regulations are good. Without them it does not take long to push over the edge of build into consequences.
Rob,
Thanks for the explanation, makes perfect sense.
You are on the money, Rob!
The paragraph talks about what you should have defined at this point vs. what you shouldn’t. You’ve got to balance having enough detail to progress the design while waiting to spend time specifying things you don’t yet have enough data to specify correctly.
Cantwell and Cruz have proposed legislation to improve situational awareness for commercial aircraft.
It requires all military aircraft to participate in ADSB when operating in commercial airspace. And requires the military to share safety and incident investigation data with the FAA.
https://defensescoop.com/2025/10/17/congress-aviation-safety-proposals-technology-fatal-collision-dca/
Also requires all commercial aircraft to upgrade from TCAS to ACAS-X, which maintains a probabilistic future state-space model for the airspace surrounding an aircraft. It then issues crew advisories to deconflict risk and maximize separation.
Whereas TCAS detects intersecting flight paths and issues avoidance alerts, ACAS-X avoids aircraft states that contribute to risk.
https://www.youtube.com/watch?v=welw9-RPLSY
Fantastic.
TCAS when followed has been a life slavery literally.
For those not familiar I would not that TCAS has two levels, TA (Traffic Adversary) and the urgent RA (resolution adversary).
We still have the issue of unequipped and non broadcasting aircraft (Regan) – maybe integrate aircraft radar and primary radar into the system.
One aspect is these systems can’t function close to the ground on landing or takeoff.
“TCAS when followed has been a life slavery literally.”
Oh. 😉
Yep, Typo
This has been a good series. Some clarification about ELOS and Exemptions.
They are not separate.
Having worked many exemptions at an OEM that builds big aircraft an exemption is not granted by the regulator until the ELOS is well researched, analysis defined and proven. This can take a considerable amount of time and in new airplane certification work sometimes must be proven thru flight tests compliance and documentation submitted to the regulator for approval.
Hence why a TIA is withheld until compliance to the rules are shown.
Some if not all exemptions are time limited and must be reapplied for given operstor and regulatory experience.
Exemptions are not a rubber stamp just because the OEM requests one.
Boeing has leaned far too heavily on exemptions, deviations, and ELOS findings over the years, which might have made sense for legacy models under tight schedules, but it’s eroded trust with regulators and the flying public.
Airbus, Embraer, and others generally play the long game — full compliance and clean-sheet certification — which builds credibility and reduces long-term friction with authorities like EASA and FAA.
The irony is that Boeing’s constant push for shortcuts is now slowing their progress; every new project gets extra scrutiny and additional oversight because of their own past behavior. That’s a self-inflicted wound that will make their next major program rollout — like the rumored new narrowbody — a much tougher sell to regulators worldwide.
Don’t think that’s true at all. I agree with your first post, but not the second.
As has been discussed here numerous times, the extra scrutiny by the FAA is a procedural change that applies to everyone, not just Boeing.
That change has caught three Boeing aircraft that were in the middle of certification, which triggered a review of previously submitted materials. And has stepped up the rigor and sequence requirements of all submitted materials.
It’s not aimed at Boeing, there has been no such statement or evidence from either FAA or Boeing, to that end.
It would be great if these discussions did not devolve into bashing. It’s almost like you realized you forgot to bash in the first comment, which was fair and impartial. And so came back with an addendum.
@Rob:
I think you are wrong, Airdoc is right.
You present a fact and make a conclusion from it that is not a fact but an opinion. The FAA ops is also a reality of context.
The context is we had MCAS, we had 787 shim fits, odd software cut and paste was found on the 777X. Speculative was/is there may be more contributors but the 3 big ones is enough.
The FAA is slow, but you do not want to poke a bureaucratic bear.
So, the actions of Boeing lead directly to the party is over atmosphere at the FAA.
While its my take, if I was a regulator I wou9ld also look back on the pattern such as the 787 Battery debacle and, hmmm, we got snookered on that one (and others) as well and its a constant stream of exemptions.
Boeing set this up to turn into what it is now.
I don’t say its Ortbergs fault, he is living with the consequences.
I won’t even say exemptions done right is wrong. But its got a sour outlook and the best answer is slow it down and slow walk all of it with vast proofs.
The FAA is probably overreacting but the way not to get there in the first place is don’t poke the bear. All AHJs are looking harder and the FAA knows its work is going to get scrutinized in depth.
We disagree on this, and Airdoc was not right in his second post, although as noted I agree with the first.
There is no evidence that increased FAA scrutiny is directed at Boeing exclusively. You are welcome to post any proof of this that you have.
To even do so would be illegal. The law requires federal regulatory agencies to treat all vendors equally. If you have evidence that FAA is not following the law, I’m sure Boeing would be very interested.
I do agree that the FAA increased scrutiny was triggered by neither Boeing nor FAA adequately scrutinizing the MCAS changes in the 737 MAX certification. The natural and appropriate response to that is to increase rigor.
But that is a procedural matter that would remain even in the absence of Boeing. FAA would not relax their procedures if Boeing wihhdrew their certification requests tomorrow. That premise is fundamentally incorrect.
Well back to how you take something.
So, I never said it was aimed at Boeing specifically, I did say it was triggered by Boeing specifically as did Airdoc.
Bureaucracy is even (at least in the US it was). But we have exactly one LCA mfg in the US do we not?
Arguably Gulstream and Textron are affected with new products.
But if they copy existing tech then its all been done and approved and they will face the same FAA aspects for anything new or different.
Simply put, Boeing killed the Goose. Now they have to mine the ore to get the gold.
You reference provide documentation, wow. This is where the divergence happens. You take facts and come to conclusions.
The details have been listed. Its obvious what it means (at least to two of us). Boeing appears to be complying (which they were not before and there is a public FAA letter to that affect on the 777X program).
Boeing can only blame themselves and new management does not change what has manifested from previous horrid management.
I hate to see it, many times some of the best solutions come from a back and forth. Much like the alarmed stairway access hatch though in that case it was a brilliant architect who had the idea (Gordon was fantastic, truly a man who took his role seriously).
The AHJ was not a help, but in the hatch case, they were happy to consider and then approve a solution rather than just reject it. The AHJ knew Gordon took their issue seriously and were open to the fix.
Boeing burned the bridge and now has to live with the consequences even if Ortberg did not create it.
I am not anti Boeing. I have delighted in Washington State being a center of LCA. Rain and all. Aviation was our whole world growing up and is still a huge part of our lives up here.
Other mfgs going through an FAA approval process are gong to be affected by the same thing, but that does not change how it affect Boeing.
You can go back to the nail in the battery as a test. Supported by no facts.
You remind me of our managers. I always wanted a incident debrief to focus on what we did wrong. Why? You don’t learn anything from what you did right, you had that part. Boeing done a lot wrong.
Much like Top Gun. Honest assessment of how you handled a fight.
Its not personal. You don’t get better by ignoring what you did.
I do not think Boeing is ignoring it. But it does not change the fact it has shifted and they will have to live with it.
And as a last aspect. I once had someone tell me I went home patting myself on the back all the time (yea I worked really hard on being right and making sure the ducks were lined up)
Nope, I went home and thought about what I had done wrong. Sometimes a small bit, sometimes a bigger bit. And then what I needed to do not to repeat the wrong.
Boeing gets no more pass than I did and still do with myself.
You have some great observations, you undermine yourself when you won’t take a hard look (in this case at Boeing). Frankly I don’t get it.
Some of it verges the opposite of Bryce and company. Boeing and no one at Boeing did any wrong.
Just to clarify, I never said that Boeing did nothing wrong.
What I said is that FAA has improved their processes and is not going back, which has nothing to do with Boeing or any other vendor. If Boeing disappeared tomorrow, FAA would not go back.
Guy Norris has said the same, and many other observers as well. It’s the common view, as opposed to the view expressed here that FAA actions are somehow retributive.
That’s just not true, nor is there any evidence for it. I keep inviting that evidence, but there is none, and no one ever responds to that invitation.
If one accepts that, then logically you can state that Boeing was the trigger for the FAA changes, but is not the driver, which both you and Airdoc have implied.
That is where we part ways. I don’t believe the FAA is “after” Boeing, or whatever other perjorative term you wish to use. I do believe they have identified the holes in their process that allowed the MCAS changes to slip through, and have closed them. As well they should.
The question has arisen, has closing the holes slowed certification too much? The verdict is still out on that, it’s going to be a process for FAA to relax, they will need to be assured they aren’t increasing risk by doing so.
Its a major wrong assessment of what I am putting down.
I do not believe the FAA actions are retribution.
That is totally different than Boeing causing the dominoes to fall.
The FAA is being extremely cautious. Nor do I blame it all on Boeing. The FAA let it get to where it did, they hold a large part of the fault.
What is funny is the reaction to the FAA betraying its so called Gold Standard. The standards themselves are very good (or were) but the FAA implementation never has been nearly as good as the standards.
The corruption of Congress has a major role as well. Fixing that has been impossible. Underfunding the FAA is no help but then all the money in the world does not fix the FAA internal problems.
Not getting caught up in more issues is their current ops mode and it affects Boeing directly.
@ Airdoc
+1
Absolutely: short cuts ultimately make long delays…as well as costing (tens of) billions of dollars.
An example is the recently-announced MAX cockpit “upgrade” (sort of)…which is driven by necessity rather than choice. It would have cost a lot less — both financially and reputationally — if a proper upgrade had been done years ago:
-*-*-
“Boeing is decisively overhauling the avionics suite across its 737 MAX family, a move designed to regain trust from regulators, airlines, and the flying public after years of scrutiny.
“While the MAX has been a sales success post-grounding, lingering concerns over software and system reliability have kept some buyers and pilots cautious.”
“These avionics improvements are more than technical fixes; they are a message to the market. Airlines are placing renewed orders for the MAX, but many are factoring in pilot training, certification updates, and system transparency before committing. By enhancing the aircraft’s electronic backbone, Boeing hopes to reassure buyers that the MAX now embodies the reliability and safety standards expected of modern airliners.
“From a financial standpoint, these enhancements could support higher residual values and stable lease rates. Aircraft with upgraded avionics are more attractive to lessors because they reduce long-term operational risk and regulatory hurdles.
“For operators, the promise of fewer flight interruptions and smoother certification processes translate into lower operating costs, making the MAX a more compelling choice in the crowded narrowbody market.”
https://www.aviationtoday.com/2025/10/16/boeing-bets-big-on-avionics-to-rebuild-max-confidence/
As noted previously, the 737 MAX cockpit improvements were enabled by the cross-monitoring of the flight computer systems, which previously had been fully independent.
Boeing is merely taking advantage of new opportunities for improvement, that didn’t exist in earlier generations. There will likely be more introduced improvements over the life of the aircraft.
They have to be individually certified and so take time for introduction. But they are not required or mandatory. Nor were they a result of a shortcut. That’s just not a truthful narrative.
Often aircraft manufacturers have competing teams designing aircrafts to the same spec (payload, range, mass, cost). Then as their respective designs get frozen they select a winner. This winner is then refined 2 more times until there is a go-ahead. (aero tweak, structural optimizations, increased MTOW/Range, repair allowances) as mass creeps up as more details are included into the full 3D aircraft model.
In PDR /CDR it may worth to mention about design considerations and how they handled.
Now official that the cause of the 737 windscreen impact and outer layer shattering, was a Windborne weather balloon.
“The system is designed to be safe in the event of a midair collision. This is the purpose of the FAA Part 101 and ICAO weight limits. Our balloon is 2.4 pounds at launch and gets lighter throughout flight.
We are working closely with the FAA on this matter. We immediately rolled out changes to minimize time spent between 30,000 and 40,000 feet. These changes are already live with immediate effect.
Additionally, we are further accelerating our plans to use live flight data to autonomously avoid planes, even if the planes are at a non-standard altitude.
We are also actively working on new hardware designs to further reduce impact force magnitude and concentration.”
Good company that admits responsibility and immediately takes action to avoid a recurrence.
https://avherald.com/h?article=52e80701&opt=0