This writeup is to elaborate on the problems the DC-10 experienced.

The Cargo Door:

The locking pins being too short was a secondary cause of the two accidents mentioned. The DC-10 was one of the first pressurized aircraft to be designed whose doors opened out instead of in.

The fuselage of a pressurized airplane is a pressure vessel and as such is subjected to heavy loads at high altitudes. Earlier aircraft had doors that opened inward because, in order to seal, the inner part of the door was wider than the outer part. This created a sort of truncated cone shape. As the pressure differential rose, the doors were pressed into the holes and sealed tighter.

The DC-10 was designed with doors that opened outward in order to save space inside the cargo compartment and facilitate easier loading. This required a system of heavy locking pins and a mechanism to operate them.

In the early days of service of the DC-10, airport employees had trouble closing the new style of doors. If the locking pins didn't line up, the mechanism didn't operate correctly. On the accident aircraft in question the mechanism was then forced into place. Douglas had designed the mechanism to close easily and work with minimal force. The flaw lay in the linkage in the mechanism. When the door was forced shut it overstressed the mechanism and the linkage bent. This meant that the locking pins hadn't been inserted all the way even though the indicator Douglas included showed "locked." The pressure at altitude eventually overstressed the improperly locked door and blew it out, taking a large portion of fuselage skin and structure with it.

It was later determined that the only difference between the aircraft that was lost and the aircraft that survived was the seating configuration. Literally the saved aircraft was held together by its seat rails.

The changes Douglas made to the cargo door included a simpler mechanism with beefier linkage, a longer throw, and longer locking pins. Airport employees were also trained better.

Engine Pylons:

Eight weeks before the accident the number one engine had been removed and replaced on the accident aircraft to comply with a McDonnell Douglas service bulletin. This R&R was completed using a technique developed by Continental Airlines to remove the entire engine and engine pylon as a single unit, rather than the recommended method of removing the engine and then the pylon. The method developed by Continental involved placing an overhead hoist at the center of gravity of the pylon, removing the pylon attach hardware and lowering the pylon/engine as a single unit. American Airlines adopted this procedure, but used a forklift truck instead of an overhead hoist. This method was difficult, however, as one incorrect move by the forklift operator could crack the upper rear pylon attach flange. American Airlines had learned this on four other aircraft that had been damaged by this method. Nonetheless the damage in that case was easily detectable and the cost, labor, and time savings were considerable. What American didn't know was that there was another way to damage the upper rear attach flange that wasn't detectable to the human eye. A slight leak in the hydraulic system on the forklift could bend the attach forks of the pylon imperceptibly as the entire load lowered slowly. The attachment of the pylon had a very close tolerance and this bending meant that the tolerance had been ruined and the aft upper flange would eventually fail.

When the accident aircraft had been returned to service it was returned with this fatal flaw. 8 weeks of scheduled service later the aft upper flange failed on takeoff and the remaining attach points were quickly overstressed and failed as well. The engine twisted upward due to aerodynamic pressure and departed the aircraft over the top of the left wing taking a portion of the leading edge skin with it. This alone would not have caused the loss of the aircraft. Indeed several aircraft have lost engine pylons in flight and were able to land safely. The fatal flaw was in the design of the leading edge slat system in the DC-10 and in the company engine out procedures in use.

In the DC-10 all flight controls are hydraulically operated. This includes the leading edge slats. When the slats are extended the pressure trapped in the hydraulic system locks them down; this is the only method of down-lock on the leading edge slats. When the engine pylon separated from the aircraft the hydraulic system lines were severed and air loads forced the outboard slats on the left wing to retract. The aircraft was traveling well above the stall speed for the given configuration and accelerating normally, but when the slats retracted the stall speed for the left wing increased to 159 KIAS. The first officer was flying the aircraft according to company engine failure procedures, which unfortunately allowed the aircraft to slow below this speed. The outboard section of the left wing stalled and the aircraft began to roll. The pilots were unable to see the left wing and engine and didn't know that the left wing leading edge slats had moved, and as a result didn't recognize the stall. Had they recognized it they could have lowered the nose and accelerated above the stall speed. Unfortunately the stall warning system that would have compensated for the retraction of the leading edge slats was inoperative at the time due to the loss of the electrical system of the number one engine.

Several things were criticized about the design, but the criticism was aimed more at certification methods than at the actual design parameters. Douglas had considered the loss of an engine pylon to be akin to that of a horizontal stabilizer or other primary structure and as such designed it to withstand any foreseeable loads. In short it was assumed that any normal loads would not cause a pylon to separate just as any normal loads would not cause a wing to separate. The philosophy was that if a wing separated any effect on aircraft systems was pointless to study as the aircraft could no longer fly anyway, and as such Douglas did not study the effects of a pylon separation on other systems. It was determined that this was well in accordance with certification methods at the time even though it was inherently flawed. Even though the separation of a pylon was improbable it was not impossible. It had happened before and this event would not (as in the case of an entire wing) cause the aircraft to be unable to fly. Douglas' failure to study the effects of this eventuality was cited as a contributing factor in the accident.

Changes made to the DC-10 as a result of this accident were relatively minor. The pylon design was considered adequate. Douglas was required to design in redundancies for the systems that had failed as a result of the loss of the number one engine and add warning systems to indicate asymmetrically deployed control surfaces.

The major changes that came as a result of this accident were to certification policies. All transport category aircraft were required to be designed with more consideration to ease of maintenance and inspection as well as the aforementioned changes in warning and control systems. Maintenance at large carriers, previously allowed a lot of leeway, was watched much more closely. Communication between the FAA and the maintenance facilities was much improved. A service bulletin had been issued that warned of damage to the aft upper pylon attach flange but the language used was vague and it wasn't mentioned in what way the aft upper attach flange could be damaged.

United Airlines Flight 232:

The DC-10 was one of the first transport category aircraft designed with no mechanical flight control redundancy. All reversal of flight controls was accomplished hydraulically. As a result the systems were designed with many built in redundancies. The loss of control surface reversal on United flight 232 was pure chance.

The DC-10 has three completely independent hydraulic systems. One of the built-in safeguards was that each flight control surface had at least two hydraulic systems controlling it. If any one system failed the other one or two would provide adequate control. These systems were placed far apart in the aircraft for the exact eventuality that happened to the accident aircraft. The possibility of flying shrapnel from an engine explosion severing all three systems was considered low enough to be impossible and yet that is exactly what happened. When the number two engine exploded, shrapnel was thrown into the horizontal stabilizer and aft fuselage and severed all three hydraulic systems, leaving all flight controls inoperative.

The only available means of control that remained was differential thrust of the number one and number three engines. Roll and yaw control in this instance is quite easy. Some pitch control is possible because the engine hanging on the pylon creates a lever arm between the engine and the rest of the aircraft. When power on the engines is increased the nose rises; if decreased, the nose lowers.

It was by sheer luck that the hydraulics were rendered inoperative and by sheer luck that Capt. Haynes, First Officer Records, Flight Engineer Dvorak, and a United check pilot who happened to be deadheading that day, Capt. Fitch, were able to bring the wounded DC-10 in for a rather violent landing at Sioux City Gateway Airport. Most of the passengers survived as did all four of the flight crew.

It is interesting to note that this accident was studied in the simulator extensively and even after the fact no one was able to even keep the aircraft flying, let alone land it. And Haynes, Fitch, Records, and Dvorak put the wounded DC-10 right on the end of the runway only slightly left of the centerline. Unfortunately the right wingtip touched down first and pulled the aircraft sideways; it subsequently broke apart and exploded.

Nonetheless by crashing the aircraft at the airport, under some control, and in view of the airport crash trucks many lives were saved.

The engine failure was determined to have been caused by a fatigue crack in the stage 1 fan disc of the number two GE CF6-6 engine. The fan disc separated and was found in a field along the aircraft's route of flight. The fan disc had been inspected and returned to service 7 times. The NTSB concluded that human errors caused it to be returned to service with fatigue cracks caused by an undetected metallurgical defect.

Again the NTSB considered the design of the DC-10's hydraulic system to be adequate but still suggested that fail safes be added to prevent complete loss of flight control reversal. Changes to the DC-10 after this accident included changes to the hydraulic system routing and added fail safes to preclude a complete loss of control such as this. Changes to the inspection process at United's engine overhaul shop were also implemented to guard against human error and limitations in the inspection process.