This writeup is to elaborate on the problems the DC-10 experienced.
The Cargo Door:
The locking pins being too short was a secondary cause of the two accidents mentioned. The DC-10 was one of the first pressurized aircraft to be designed whose doors opened out instead of in.
The fuselage of a pressurized airplane is a pressure vessel and as such is subjected to heavy loads at high altitudes.
Earlier aircraft had doors that opened inward because, in order to seal, the inner part of the door was wider than the outer part. This created a sort of truncated cone shape. As the pressure differential rose, the doors were pressed into the holes and sealed tighter.
The DC-10 was designed with doors that opened outward in order to save space inside the cargo compartment and facilitate easier loading. This required a system of heavy locking pins and a mechanism to operate them.
In the early days of service of the DC-10, airport employees had trouble closing the new style of doors. If the locking pins didn't line up, the mechanism didn't operate correctly. On the accident aircraft in question the mechanism was then forced into place.
Douglas had designed the mechanism to close easily and work with minimal force. The flaw lay in the linkage in the mechanism. When the door was forced shut it overstressed the mechanism and the linkage bent. This meant that the locking pins hadn't been inserted all the way even though the indicator Douglas included showed "locked." The pressure at altitude eventually overstressed the improperly locked door and blew it out, taking a large portion of fuselage skin and structure with it.
It was later determined that the only difference between the aircraft that was lost and the aircraft that survived was the seating configuration. Literally the saved aircraft was held together by its seat rails.
The changes Douglas made to the cargo door included a simpler mechanism with beefier linkage, a longer throw, and longer locking pins. Airport employees were also trained better.
Engine Pylons:
Eight weeks before the accident the number one engine had been removed and replaced on the accident aircraft to comply with a McDonnell Douglas service bulletin. This R&R was completed using a technique developed by Continental Airlines to remove the entire engine and engine pylon as a single unit, rather than the recommended method of removing the engine and then the pylon. The method developed by Continental involved placing an overhead hoist at the center of gravity of the pylon, removing the pylon attach hardware and lowering the pylon/engine as a single unit. American Airlines adopted this procedure, but used a forklift truck instead of an overhead hoist. This method was difficult, however, as one incorrect move by the forklift operator could crack the upper rear pylon attach flange. American Airlines had learned this on four other aircraft that had been damaged by this method. Nonetheless the damage in that case was easily detectable and the cost, labor, and time savings were considerable. What American didn't know was that there was another way to damage the upper rear attach flange that wasn't detectable to the human eye. A slight leak in the hydraulic system on the forklift could bend the attach forks of the pylon imperceptibly as the entire load lowered slowly. The attachment of the pylon had a very close tolerance and this bending meant that the tolerance had been ruined and the aft upper flange would eventually fail.
When the accident aircraft had been returned to service it was returned with this fatal flaw.
8 weeks of scheduled service later the aft upper flange failed on takeoff and the remaining attach points were quickly overstressed and failed as well. The engine twisted upward due to aerodynamic pressure and departed the aircraft over the top of the left wing taking a portion of the leading edge skin with it.
This alone would not have caused the loss of the aircraft. Indeed several aircraft have lost engine pylons in flight and were able to land safely. The fatal flaw was in the design of the leading edge slat system in the DC-10 and in the company engine out procedures in use.
In the DC-10 all flight controls are hydraulically operated. This includes the leading edge slats. When the slats are extended the pressure trapped in the hydraulic system locks them down; this is the only method of down-lock on the leading edge slats. When the engine pylon separated from the aircraft the hydraulic system lines were severed and air loads forced the outboard slats on the left wing to retract. The aircraft was traveling well above the stall speed for the given configuration and accelerating normally, but when the slats retracted the stall speed for the left wing increased to 159 KIAS. The first officer was flying the aircraft according to company engine failure procedures, which unfortunately allowed the aircraft to slow below this speed. The outboard section of the left wing stalled and the aircraft began to roll. The pilots were unable to see the left wing and engine and didn't know that the left wing leading edge slats had moved, and as a result didn't recognize the stall. Had they recognized it they could have lowered the nose and accelerated above the stall speed. Unfortunately the stall warning system that would have compensated for the retraction of the leading edge slats was inoperative at the time due to the loss of the electrical system of the number one engine.
Several things about the design were criticized, but the criticism fell more on certification methods than on the actual design parameters. Douglas had considered the loss of an engine pylon to be akin to that of a horizontal stabilizer or other primary structure and as such designed it to withstand any foreseeable loads. In short it was assumed that any normal loads would not cause a pylon to separate just as any normal loads would not cause a wing to separate. The philosophy was that if a wing separated any effect on aircraft systems was pointless to study as the aircraft could no longer fly anyway, and as such Douglas did not study the effects of a pylon separation on other systems. It was determined that this was well in accordance with certification methods at the time even though it was inherently flawed. Even though the separation of a pylon was improbable it was not impossible. It had happened before and this event would not (as in the case of an entire wing) cause the aircraft to be unable to fly. Douglas' failure to study the effects of this eventuality was cited as a contributing factor in the accident.
Changes made to the DC-10 as a result of this accident were relatively minor. The pylon design was considered adequate. Douglas was required to design in redundancies for the systems that had failed as a result of the loss of the number one engine and add warning systems to indicate asymmetrically deployed control surfaces.
The major changes that came as a result of this accident were to certification policies. All transport category aircraft were required to be designed with more consideration to ease of maintenance and inspection as well as the aforementioned changes in warning and control systems.
Maintenance at large carriers, previously allowed a lot of leeway, was watched much more closely.
Communication between the FAA and the maintenance facilities was much improved. A service bulletin had been issued that warned of damage to the aft upper pylon attach flange but the language used was vague and it wasn't mentioned in what way the aft upper attach flange could be damaged.
United Airlines Flight 232:
The DC-10 was one of the first transport category aircraft designed with no mechanical flight control redundancy. All reversal of flight controls was accomplished hydraulically. As a result the systems were designed with many built in redundancies. The loss of control surface reversal on United flight 232 was pure chance.
The DC-10 has three completely independent hydraulic systems. One of the built in safeguards was that each flight control surface had at least two hydraulic systems controlling it. If any one system failed the other one or two would provide adequate control. These systems were placed far apart in the aircraft for the exact eventuality that happened to the accident aircraft. The possibility of flying shrapnel from an engine explosion severing all three systems was considered low enough to be impossible and yet that is exactly what happened. When the number two engine exploded, shrapnel was thrown into the horizontal stabilizer and aft fuselage and severed all three hydraulic systems, leaving all flight controls inoperative.
The only available means of control that remained was differential thrust of the number one and number three engines. Roll and yaw control in this instance is quite easy. Some pitch control is possible because the engine hanging on the pylon creates a lever arm between the engine and the rest of the aircraft. When power on the engines is increased the nose rises; if decreased the nose lowers.
It was by sheer luck that the hydraulics were rendered inoperative and by sheer luck that Capt. Haynes, First Officer Records, Flight Engineer Dvorak, and a United check pilot who happened to be deadheading that day, Capt. Fitch, were able to bring the wounded DC-10 in for a rather violent landing at Sioux City Gateway Airport. Most of the passengers survived as did all four of the flight crew.
It is interesting to note that this accident was studied in the simulator extensively and even after the fact no one was able to even keep the aircraft flying, let alone land it. And Haynes, Fitch, Records, and Dvorak put the wounded DC-10 right on the end of the runway only slightly left of the centerline. Unfortunately the right wingtip touched down first and pulled the aircraft sideways; it subsequently broke apart and exploded.
Nonetheless by crashing the aircraft at the airport, under some control, and in view of the airport crash trucks many lives were saved.
The engine failure was determined to have been caused by a fatigue crack in the stage 1 fan disc of the number two GE CF6-6 engine. The fan disc separated and was found in a field along the aircraft's route of flight. The fan disc had been inspected and returned to service 7 times. The NTSB concluded that human errors caused it to be returned to service with fatigue cracks caused by an undetected metallurgical defect.
Again the NTSB considered the design of the DC-10's hydraulic system to be adequate but still suggested that fail safes be added to prevent complete loss of flight control reversal. Changes to the DC-10 after this accident included changes to the hydraulic system routing and added fail safes to preclude a complete loss of control such as this. Changes to the inspection process at United's engine overhaul shop were also implemented to guard against human error and limitations in the inspection process.