On a summer afternoon in 2022, a Comco Ikarus C42 crashed at Worms aerodrome in Rhineland-Palatinate. The pilot, a 49-year-old student on one of his first solo flights, died at the scene. The Bundesstelle für Flugunfalluntersuchung documented that witnesses observed an uneventful approach to runway 24. At approximately 1.5 metres height, the pilot initiated a go-around. The aircraft pitched up steeply, the engine running at full power. Moments later, the C42 rolled left, departed controlled flight, and struck the ground nearly vertically [1].
The BFU report was completed without analysis and conclusion. It presents witness statements describing the sequence of events. It does not investigate why a routine go-around manoeuvre ended in a fatal stall. It does not examine whether the C42’s handling characteristics during go-around differ from other ultralight types in ways that increase pilot workload. It does not ask whether the cockpit ergonomics, which require pilots to release the centre stick to adjust flaps and trim during a go-around, contributed to the loss of control. It does not compare accident rates for this manoeuvre across ultralight designs.
The BFU explicitly closed the investigation at the level of factual description, without analysis or conclusions. EU Regulation 996/2010 and the German FlUUG frame safety investigation as prevention-focused and non-adjudicatory: the purpose is not to determine blame, liability, or claims [2], [3]. This framing is defensible and often necessary. But it creates an unintended asymmetry.
“Pilot error” assigns responsibility to a person who can no longer defend themselves, yet investigation reports treat it as a neutral causal description rather than blame. Asking whether cockpit design induced the error would shift responsibility toward the manufacturer — and that shift would be treated as apportioning blame. The no-blame framework thus allows attribution to dead pilots while shielding questions about design. The result is a facts-only record that cannot generate design feedback.
Two Systems, One Outcome
The American system uses different methods but produces similar gaps. The National Transportation Safety Board must determine probable cause for every accident. Title 49 CFR 831.4 requires the Board to identify the factor, or factors, that based on all available evidence the Board concludes most likely resulted in the accident [4]. This sounds like rigorous causal analysis. In practice, it creates pressure toward simple explanations.
The American framework requires a formal probable-cause finding. The European framework prioritises prevention over liability and can, in practice, result in facts-only reports without causal analysis. Neither system reliably distinguishes design-induced error from pilot error. The regulatory philosophies differ. The statistical outcomes converge.
General aviation investigators face enormous workloads. The NTSB investigates approximately 1,500 general aviation accidents per year with limited staff [5]. Complex systemic failures require months of engineering analysis, access to design data, and technical expertise in specific aircraft systems. Pilot error requires an interview, a weather briefing, and a flight record review. The same investigation budget produces fundamentally different depths of analysis depending on which path the investigator chooses.
The NTSB’s Party System compounds this asymmetry. Under 49 CFR 831.11, manufacturers and operators gain formal party status in investigations, which grants access to evidence, participation in technical groups, and influence over factual reports [6]. Pilots’ families and aircraft owners do not receive party status. The justification is that only manufacturers possess the technical expertise to assist investigations. The consequence is that potential defendants help investigate their own products.
Aviation attorneys who litigate accident cases have observed this pattern for decades. One firm’s analysis states plainly that as many as half the cases that the NTSB says were the result of pilot error simply were not [7]. The same analysis quotes a former NTSB employee who explained that the party system cannot challenge industry because investigators depend on manufacturers for technical information. The high rate of pilot error attribution is simply not accurate and far more often reflects a system failure. These statements come from practitioners who see what civil litigation discovery reveals after NTSB investigations close.
A USA Today investigation documented 80 lawsuits involving 215 deaths since 1994 in which manufacturers paid settlements or damages of at least one million dollars, many in cases where the NTSB had cited pilot error [8]. Juries with access to discovery materials reached different conclusions than investigators operating within the party system. The courtroom sees evidence that investigation files do not contain.
The European framework creates space for facts-only closure. The American framework creates structural incentives toward pilot attribution. Both systems undercount design defects. The regulatory frameworks differ substantially, but the statistical outcome converges.
The Certification Paradox
Modern airworthiness regulations explicitly recognise that design induces error. EASA CS 25.1302 requires flight deck design to reduce incidence of design-induced error [9]. The associated guidance material AMC 25.1302 includes the Human Error Template, which systematically assesses how cockpit designs can provoke pilot mistakes. Certification applicants must demonstrate that their designs do not create error traps through formal analysis of crew interface characteristics.
This represents sophisticated understanding of human factors engineering. Regulators acknowledge that a switch in the wrong location, a display with poor contrast, or a control with unexpected response characteristics can induce errors that appear to be pilot failures but actually represent design failures. The certification standard recognises that pilots will make errors and requires designs that tolerate predictable human behaviour.
But CS 25.1302 applies only to large aeroplanes — aircraft flown by professional crews with type ratings and recurrent training. The certification specifications for general aviation tell a different story. CS-23 includes general provisions to minimise crew error, but lacks the methodological machinery of CS 25.1302: no Human Error Template, no systematic analysis of design-induced error traps [10]. CS-22 for sailplanes includes physical cockpit requirements but no equivalent framework [11]. The regulatory system recognises that cockpit design can kill pilots, but only mandates systematic protection for those who fly the safest aircraft in the safest operational environments.
Investigation authorities possess no equivalent framework even for the aircraft categories where certification requires human factors analysis. The ICAO ADREP taxonomy categorises accidents by event type [12]. Loss of Control In-Flight. Controlled Flight Into Terrain. Runway Excursion. System Component Failure Non-Powerplant. These categories describe what happened. They do not capture why it happened. No category exists for design-induced error. No field records whether cockpit ergonomics contributed to loss of control. No code distinguishes between pilot error in a well-designed cockpit and pilot error provoked by a poorly designed interface.
The certification system recognises design-induced error for large aeroplanes. It lacks equivalent methodology for general aviation. The investigation system does not capture it for either category. The gap between these frameworks allows design defects to appear repeatedly as isolated pilot failures across multiple accidents that are never connected.
The Piper Fuel Selector
The Piper PA-28 Cherokee has been in production since 1961. Early models included a fuel selector with three positions: Left tank, Right tank, Off. The selector design used a flat plate with no mechanical stop to prevent inadvertent selection of the off position when moving between tanks. A pilot reaching down to switch tanks could overshoot the intended position and shut off fuel flow without any tactile feedback indicating the error.
Since 2008, the NTSB has cited fuel selectors in 104 accidents. Sixty-three involved incorrect use or operation of the selector. Twenty-eight cited degraded function. Many resulted in engine failures during critical phases of flight when pilots had minimal time and altitude to diagnose the problem.
In 2019, Piper Aircraft sent the FAA a Preliminary Risk Assessment regarding these first-generation fuel selectors. The manufacturer recommended that the FAA issue an Airworthiness Directive to remove and replace the original design. The company that built the selector asked the regulator to mandate its replacement. This is an extraordinary action. Manufacturers rarely request mandatory corrective action against their own products.
As of May 2025, the FAA has not issued this AD. The FAA notes that Piper itself updated the fuel selector over time, resulting in current configurations that require extra effort to select off. But no requirement exists to retrofit the original design. Accidents continue. Each investigation finds pilot error in fuel management. The design remains in service on thousands of aircraft.
Consider what this pattern reveals. A manufacturer identified a design deficiency in its own product. The manufacturer requested mandatory corrective action from the regulator. The regulator declined. Accidents accumulate over years and decades. Each accident investigation cites the pilot for improper fuel selection.
The individual investigations are factually accurate. Pilots did select the wrong position. But the aggregate pattern reveals a design that creates foreseeable errors under normal operating conditions. No single investigation captures this systemic failure because each investigation examines only one event in isolation.
When Certification Barely Meets the Letter
The American Aviation AA-1 Yankee entered production in 1969 as a sporty two-seat aircraft with fighter-like handling and a sliding canopy. Flight schools purchased them in quantity because the AA-1 was faster, cheaper, and more appealing to students than competing trainers. The accidents began almost immediately.
The design philosophy behind the AA-1 prioritised manufacturing simplicity over aerodynamic optimisation. The company’s chief engineer, William Seidel, documented this candidly in a 1970 paper for the Society of Automotive Engineers [13]. He wrote that the flight characteristics of the original airplane were, in general, quite bad. The aircraft presented poor stall characteristics which resulted in sharp rolls to the left or right during a stall. The design used interchangeable parts extensively. Wings could be swapped left to right. Fin and horizontal stabilisers were identical. Ailerons and flaps were the same component. These manufacturing efficiencies required elimination of wing washout, which in turn required installation of stall strips to achieve certification.
Through 1973, the Yankee had a spin fatality rate five times higher than any airplane then in production. The factory prototype AA-1A was itself lost during a spin test. Many accidents occurred during spin training, which flight schools conducted because the aircraft was marketed as a trainer. Once the AA-1 entered a fully developed spin exceeding three turns, recovery was usually not possible.
The FAA launched a special investigation and concluded that although the AA-1 barely met the letter of the certification regulations, there was a safety problem. This finding should have triggered immediate action. Instead, the reference to a safety problem was expunged from the final version of the report after the president of American Aviation put pressure on FAA leadership. The executive who applied this pressure later became chairman of Cessna Aircraft Company.
An Airworthiness Directive was eventually issued in 1973 requiring a prominent placard prohibiting spins [14]. The word got out to the pilot community that the Yankee could be a killer in a spin. Spin accidents declined. But the years of accidents before this AD appeared in NTSB statistics as pilot error. Pilots who entered spins during training, or who stalled at low altitude during approaches, were counted as having exceeded the aircraft’s limitations or failed to maintain control.
The design compromises that created these accidents were known to the manufacturer from the beginning. The certification system accepted an aircraft that barely met the letter of the regulations while presenting a safety problem serious enough for FAA investigators to document. When that documentation threatened the manufacturer’s interests, it was removed. The pilots who died in the interim were counted as having made errors.
The Coming Wave of Declarative Certification
The FAA’s MOSAIC rule and similar international initiatives will fundamentally reshape general aviation certification [15]. Aircraft of any mass may qualify for simplified approval pathways, as long as they are able to fly slow enough. Manufacturers will self-declare compliance rather than demonstrating it through detailed FAA oversight.
This represents deliberate regulatory choice. Prescriptive certification processes imposed costs that killed innovation in general aviation manufacturing for decades. The regulatory burden made new designs economically impossible for small manufacturers. MOSAIC attempts to restore market vitality by reducing government involvement in design approval.
The policy trade-off is explicit. Lower certification barriers will enable more designs to reach the market faster and at lower cost. Some designs will contain errors that traditional certification would have caught. The assumption is that the market, informed by accident data and operational experience, will select safe designs and eliminate dangerous ones through natural competitive pressure.
This assumption depends entirely on accident investigation systems that accurately identify design defects.
If investigation authorities cannot distinguish between pilot error and design-induced error, the feedback mechanism fails. Unsafe designs will generate accidents attributed to their pilots. Market signals will not reach manufacturers because the accident reports will not identify their products as deficient. Pilots will not know which aircraft types to avoid. The learning loop that makes aviation safe will break at exactly the point where reduced certification oversight requires it most.
Consider the ICON A5 as illustration. The light sport amphibian generated numerous accidents during its brief production run, which included multiple fatal crashes and several hull losses. Investigation reports consistently cited pilot decisions as causal factors. The aircraft’s useful load margins, handling characteristics near stall, and operational envelope created situations where normal pilot behaviour could lead to catastrophic outcomes.
Did the investigations accurately distinguish between pilot error and design-induced error? Did the certification process adequately evaluate handling qualities under realistic operating conditions? Did the manufacturer receive feedback that could have enabled design improvement before the company failed?
These questions matter because declarative certification systems will produce more designs like this. Some will fail. The question is whether investigation systems can identify why they failed in ways that prevent repetition.
Access to Design Data
NTSB investigators do not automatically receive aircraft type certificate data. The certification basis, compliance findings, equivalent safety determinations, and design trade-offs that shaped an aircraft’s characteristics may not be available during accident investigation. Manufacturers control this information and release it at their discretion under the party system.
German BFU investigators face similar constraints. Type data remains with EASA and the type certificate holder. An investigator examining a loss of control accident may not know what stall characteristics the aircraft was certificated to, what handling qualities were demonstrated during flight test, or what design decisions shaped the cockpit layout that the pilot was attempting to operate.
Without this information, investigators cannot determine whether an accident resulted from operation outside design parameters or operation within parameters that were inadequately specified. They cannot compare accident circumstances against certification assumptions. They cannot identify systematic gaps between certificated performance and real-world behaviour under operational conditions.
The party system gives manufacturers a structural advantage in controlling the investigation narrative. Manufacturers know what the design was intended to do. They know what certification data exists. They know which questions might reveal uncomfortable answers. They know which analyses to suggest and which to omit. Investigators may not even know what they do not know about the certification history of the aircraft they are examining.
The Implicit Contract with Pilots
Every certificated aircraft carries an implicit promise. Within the operating limitations specified in the approved flight manual, the aircraft can be operated safely by a pilot of average skill using normal technique. This is not merely a marketing claim. It represents the regulatory standard. Airworthiness codes require that aircraft be controllable and manoeuvrable without requiring exceptional piloting skill, alertness, or strength throughout the approved operating envelope.
The pilot who operates within published limitations and exercises normal judgment has every right to expect that the aircraft will respond predictably and safely. When an aircraft’s design creates error traps, exceeds the capabilities of average pilots, or produces behaviour that violates reasonable expectations, the implicit contract is broken.
Investigation systems that attribute design failures to pilot error also violate the implicit contract with the pilot community. They tell pilots that the fault lies with them rather than with the product they purchased and operated as instructed. They protect manufacturers from accountability for deficient designs. They prevent the improvements that would make the next pilot safer.
The retired pilot who flies his Bonanza within published speeds and encounters an in-flight breakup is not guilty of pilot error simply because he owned the aircraft and was at the controls. The student pilot who stalls a C42 during a go-around is not guilty of pilot error if the aircraft’s pitch attitude and cockpit ergonomics create workload that exceeds what normal training addresses. The UL pilot whose rescue system lacks a passenger-accessible handle is not guilty of failing to brief a passenger when the design made such briefing inadequate for the emergency that occurred.
What Would Real Investigation Require
Effective design error investigation would require structural changes to current systems.
Investigation authorities would need routine access to type certificate data, certification basis documents, and compliance findings. When an accident involves potential design factors, investigators should be able to compare the event against what the manufacturer promised and demonstrated during certification. The gap between certified performance and accident circumstances would become visible rather than hidden.
Taxonomy systems would need categories that capture design-induced error. The CICTT occurrence categories describe events adequately. Contributing factor codes should distinguish between pilot deviation from proper procedure and pilot execution of proper procedure that the design made inadequate. Statistical aggregation could then reveal which aircraft types generate design-induced errors at elevated rates.
Statistical analysis would need to identify patterns across multiple accidents involving the same type. A single loss of control proves nothing about design. Systematic elevation of loss of control rates compared to similar aircraft in similar operations may indicate design factors that individual investigations cannot capture. This requires databases structured to support cross-type comparison.
Manufacturer party status would need counterbalancing mechanisms. If manufacturers participate in investigations because they possess relevant expertise, then independent experts with no financial stake should also participate. The party system creates asymmetric access that currently favours entities with interests adverse to complete causal analysis. Balance would require either limiting manufacturer involvement or expanding participation to include parties without conflicts of interest.
Certification authorities and investigation authorities would need systematic communication pathways. When investigators identify potential design factors, certification authorities should review whether the type certificate holder met its compliance obligations. When certification authorities issue airworthiness directives addressing safety defects, investigation authorities should review whether previous accidents might have involved the same defect before it was recognised.
The Cost of Getting It Wrong
Aviation became the safest form of transportation through systematic learning from failure. Every accident taught something. Every lesson became a regulation, a design improvement, a training emphasis, or a procedural change. The system worked because investigation authorities identified true causes and communicated them effectively to the people who needed to act.
This feedback loop breaks down when design errors hide in pilot error statistics. Manufacturers face reduced accountability because their products escape identification as deficient. Pilots operate aircraft that may contain latent defects never identified by investigation systems that lack access to design data and incentive structures that favour thorough analysis.
The stakes increase as declarative certification expands. Traditional certification processes caught design errors before aircraft entered service through detailed review and flight test demonstration. Declarative systems will not provide this filter. The burden shifts to investigation systems that are structurally unprepared to carry it.
Every pilot who boards an aircraft operates on trust. Trust that the design was sound. Trust that the certification was thorough. Trust that when failures occur, someone will identify the true cause and prevent recurrence. This trust represents the foundation of general aviation as a safe activity accessible to people of normal skill and training.
Investigation systems that cannot distinguish design error from pilot error betray this trust. They protect manufacturers at the expense of the pilots who fly their products. They deprive the aviation community of the information needed to make informed decisions about which aircraft to fly and which to avoid.
The choice is not between blaming pilots and blaming manufacturers. The choice is between understanding what actually happened and accepting convenient explanations that serve institutional convenience rather than aviation safety.
Aviation cannot afford the cheaper option.
If you find value in Engineering Airworthiness, consider subscribing for free.
If you think someone might benefit from it, feel free to share it.
References
[1] Bundesstelle für Flugunfalluntersuchung, “Untersuchungsbericht BFU22-0471-3X, Unfall vom 09.06.2022, Worms, Comco Ikarus C 42 B.” [Online]. Available: https://www.bfu-web.de/DE/Publikationen/Untersuchungsberichte/2022/FBericht_22-0471-3X_C42_Worms.pdf
[2] European Parliament and Council, “Regulation (EU) No 996/2010 on the investigation and prevention of accidents and incidents in civil aviation,” Oct. 20, 2010. [Online]. Available: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32010R0996
[3] Bundesrepublik Deutschland, “Gesetz über die Untersuchung von Unfällen und Störungen bei dem Betrieb ziviler Luftfahrzeuge (FlUUG),” Aug. 26, 1998. [Online]. Available: https://www.gesetze-im-internet.de/fluug/
[4] Code of Federal Regulations, “49 CFR 831.4, Nature of investigation.” [Online]. Available: https://www.ecfr.gov/current/title-49/subtitle-B/chapter-VIII/part-831/subpart-A/section-831.4
[5] NTSB, “General Aviation LOC and the NTSB Most Wanted List,” 2016. [Online]. Available: https://www.ntsb.gov/news/events/Documents/2016_loc_SS_2_Weener.pdf
[6] Code of Federal Regulations, “49 CFR 831.11, Parties to the investigation.” [Online]. Available: https://www.ecfr.gov/current/title-49/subtitle-B/chapter-VIII/part-831/subpart-A/section-831.11
[7] Katzman Lampert & Stoll, “Why Jurors and Jurists Should Doubt the NTSB.” [Online]. Available: https://katzmanlampert.com/why-jurors-and-jurists-should-doubt-the-ntsb/
[8] T. Frank, “Safety Last: Lies and Coverups Mask Roots of Small-Plane Carnage,” USA Today, Jun. 12, 2014. [Online]. Available: https://eu.usatoday.com/story/news/nation/2014/06/12/lies-coverups-mask-roots-small-aircraft-carnage-unfit-for-flight-part-1/10405323/
[9] EASA, “CS 25.1302, Flight Deck Design, and AMC 25.1302, Human Error Template,” in Easy Access Rules for Large Aeroplanes. [Online]. Available: https://www.easa.europa.eu/en/document-library/easy-access-rules/online-publications/easy-access-rules-large-aeroplanes-cs-25
[10] EASA, “CS-23, Normal, Utility, Aerobatic and Commuter Aeroplanes.” [Online]. Available: https://www.easa.europa.eu/en/document-library/certification-specifications/group/cs-23-normal-utility-aerobatic-and-commuter-aeroplanes
[11] EASA, “CS-22, Sailplanes and Powered Sailplanes.” [Online]. Available: https://www.easa.europa.eu/en/document-library/certification-specifications/group/cs-22-sailplanes-and-powered-sailplanes
[12] ICAO, “ADREP Taxonomy, Occurrence Categories.” [Online]. Available: https://www.icao.int/safety/airnavigation/AIG/Pages/Taxonomy.aspx
[13] W. C. Seidel, “The Development of American Aviation Corporation’s Yankee,” SAE Technical Paper 700242, 1970. [Online]. Available: https://doi.org/10.4271/700242
[14] FAA, “Airworthiness Directive AD 73-13-07, Grumman American AA-1,” 1973.
[15] FAA, “Modernization of Special Airworthiness Certification (MOSAIC), Final Rule,” 14 CFR Parts 1, 21, 22, 36, 43, 45, 61, 65, 91, 119, and 147, Jul. 2025. [Online]. Available: https://www.federalregister.gov/documents/2025/07/24/2025-13972/modernization-of-special-airworthiness-certification
Subscribed because of posts like this. Thank you Malte. Its true, the aviation community needs to have acces to "the information needed to make informed decisions about which aircraft to fly and which to avoid" ... and maybe what to get changed about their own aircraft (AD or not) for safer flight.
Excellent topic. It may be a language thing, but an error does not imply guilt.
Sometimes it takes more than average skills to stay within operating limitations where you can safely operate with average skills. Especially at the lower end of the speed envelope, where weight, balance trim and configuration can change operating limitations significantly.