The University of Texas at Austin
Studies in Ethics, Safety, and Liability for Engineers
Kurt Hoover and Wallace T. Fowler
The Crash of American Airlines Flight 191
On May 25, 1979, American Airlines Flight 191 crashed into an open field shortly after take-off from Chicago O'Hare, killing all 271 aboard and 2 on the ground. The left, or Number 1, engine and pylon fell off the plane at the start of rotation to takeoff attitude. The separation damaged the hydraulic systems. The plane began to roll and because of the damaged systems the flight crew was unable to compensate. The DC-10 continued to roll to the inverted position and crashed in this attitude. The NTSB (National Transportation Safety Board) concluded that improper maintenance procedures on the engine and pylon were the major contributing factor to the accident. However, both the original design of the DC-10 and the FAA (Federal Aviation Administration) maintenance reporting procedure were cited as contributory factors to the accident.
Objectives of the Aircraft Manufacturer:
When engineers at a company like McDonnell Douglas design a new airplane, a primary design consideration is operational safety. No airline will buy an aircraft it considers unsafe. All new models of aircraft must be certified by the FAA. This certification is a rigorous process designed to ensure that all safety and performance standards are met, and certification is assumed to assure a large measure of operational safety.
Beyond FAA certification, safety does not play a major role in how a commercial airline selects a new airplane for purchase. By far the most important consideration is high fuel efficiency. Any design change which can decrease weight, reduce drag, or improve engine fuel consumption is very desirable. If a new model is not more fuel efficient than its predecessors, it will not sell. There are other factors such as performance, maintainability, safety, and size which are considered when designing a new plane, but these are of secondary importance.
Objectives of the Maintenance Procedures:
Maintenance procedures are designed to keep an aircraft airworthy and safe. Routine maintenance is an integral part of operating a fleet of aircraft. Maintenance on commercial aircraft is not like someone tinkering on their personnel car. Maintenance procedures are detailed, precise, and explicitly written down; it is expected that they will be followed to the letter.
Maintenance procedures are developed by the manufacturer in cooperation with the airlines. The airlines want two thing out of the procedures. First, the procedures must work and maintain the aircraft in good working order. Second, the procedures must be able to be implemented efficiently. Because the airlines are the ones which actually do the maintenance, they will sometimes develop more efficient maintenance procedures than those provided by the manufacturer. If both the engineers of the airline and the engineers of the aircraft manufacturer agree that the new procedures satisfy the original intent and do not have adverse effects, the new procedures can be substituted for the old ones.
Objectives of the FAA:
It is the responsibility of the FAA to oversee the maintenance and to establish procedures which allow problems and potential problems to be communicated between all the operators and manufacturers. In American society, the goal of private enterprise is to produce a profit. While this should not and usually is not done with blatant disregard for the public welfare, there is a natural tendency for companies to view operational questions from the perspective of minimizing costs and maximizing profits. It is the purpose of the government to regulate such activities and to protect the interests of the public. Thus, the relationship between a government regulating body, such as the FAA, and those it regulates is by nature adversarial; the two groups have conflicting goals and must compromise. It is the task of the FAA to establish procedures which do not compromise the public's safety yet which allow air travel to function in a smooth, predictable, and profitable manner.
Factors Affecting Flight 191
Problems with the Design:
When McDonnell Douglas designed the DC-10-10 they did not consider the effects on maintenance of the very small tolerances existent in the engine-pylon subassembly. The design of the pylon complied with strength requirements of the FAA regulations, but the design did not adequately consider the vulnerability of the structure to damage during maintenance. Clearances, in several places were unnecessarily small and maintenance difficult to perform. This indicated a lack of good judgement or a lack of an awareness of maintenance issues by the designers. Historically, pylons have to be removed and replaced for many reasons (accidents, fatigue, and corrosion, etc.). In addition, parts of the pylon structure must be accessed as part of regular maintenance schedules.
According to the NTSB, when the pylon is installed, only an .080-inch clearance was present between the bolt heads on the flange assembly and the clevis. With adverse tolerances, this clearance can be reduced to as little as .030-inches. Such a small tolerance requires that the flange assembly be brought into contact with the wing clevis, loaded, and deflected sufficiently to allow the bushing and bolt to be inserted through the clevis and spherical joint. Tests conducted after the crash showed that the load required to create the necessary deflection should not have fractured the flange. However, it was shown that other inadvertent contact during maintenance could easily have fractured the clevis. The basic design incorporated neither sufficient clearance to prevent inadvertent contact, nor sufficient structural strength to withstand inadvertent contact.
The design of the flight control and hydraulic systems also were flawed. The ability of the crew to control the craft in the event of combined failure of the hydraulic and electrical systems was not considered. When the engine fell away and severed the hydraulic system, the hydraulic pressure to the leading edge slat was lost and the slat retracted. This decreased the lift and increased the stall speed for the left wing. Under normal circumstances the near stall conditions on the left wing would have signaled the pilot to increase airspeed. However, the systems designed to alert the pilot to the need to increase airspeed were also damaged. Power was lost to the left stall-warning computer which would have indicated that the left wing was near or below stall speed because of the retracted slat. No contingency plan existed which allowed the right stall-warning computer to monitor the left stall sensors in case of a power loss to the left stall warning computer.
McDonnell Douglas considered the structural failure of a pylon and engine extremely improbable. Historically, although very rare, pylons have failed. Unlike the loss of a wing or horizontal stabilizer, loss of a pylon and engine should still leave an airplane aerodynamically capable of flight. According to the NTSB, McDonnell Douglas did not consider this scenario and thus did not analyze the possible trajectories of a pylon and engine on separation and the resultant damage to the aircraft.
Problems with the Maintenance Procedure:
The original service procedure developed by McDonnell Douglas specified that the engine was to be removed from the pylon before the pylon was removed from the wing. Removing the weight of the engine first would greatly decrease the chance of inadvertently damaging the pylon. However, American Airlines had developed a maintenance procedure which called for removal of both pylon and engine as a single unit. Under FAA regulations, carriers are permitted to develop their own step-by-step maintenance procedures for a specific task without obtaining the approval of either the FAA or the manufacturer. It is common for carriers to develop procedures which deviate from those specified by the manufacturer, when their engineering and maintenance personnel believe a task can be accomplished more efficiently using an alternate procedure.
American Airlines developed ECO R-2693 (Engineering Change Order) to increase both efficiency and safety in replacing the spherical bearing in the engine pylon. This procedure called for using a forklift to raise and lower the engine and pylon assembly as a single unit. Using this technique as opposed to the original McDonnell Douglas procedure would reduce the maintenance time per aircraft by 200 man-hours. More importantly it would reduced the number of disconnects (i.e. hydraulic lines, fuel lines, and electrical cables) from 79 to 27. This represented a real increase in maintenance efficiency since reconnects are both tedious and exacting. It was also felt that the new procedure increased safety, because anytime a system is disconnected and reconnected, the possibility for failure increases dramatically.
American Airlines did not conduct a thorough evaluation of its new maintenance procedure. Specifically, it did not ensure that the procedure could be carried out without difficulty or risk to the pylon structure. The maintenance procedure required the forklift operator to control the horizontal, vertical, and tilt movements with extreme precision. Such precision is frequently not achievable with a forklift. If the load applied by the forklift with respect to the c.g. of the assembly was not balanced, a force would be applied to the aft bulkhead joint. It was apparently this force which fractured the forward flange of the aft bulkhead.
Prior to American Airlines development of ECO R-2693, Continental Airlines had developed a similar procedure to remove the engine and pylon as a single unit. In December 1978, about six months before the Flight 191 crash, Continental damaged the aft bulkhead flange on a DC-10. An internal investigation concluded that the damage resulted from a maintenance error. A repair was designed and submitted to McDonnell Douglas for stress analysis approval. Because the damage occurred during maintenance, McDonnell Douglas was relieved of any responsibility to report the mishap to the FAA. In February 1979, Continental Airlines damaged a second bulkhead. Again investigation placed the blame on maintenance error. No extensive effort to evaluate the maintenance procedure was made. Like the previous Continental bulkhead, this one was repaired using the procedure approved by McDonnell Douglas.
Despite cracking bulkheads on two airplanes with its modified maintenance procedures, Continental never examined the underlying assumptions or safety of the modified procedure. Because the cause of both incidents was determined to be the improper actions of maintenance personnel and not the maintenance procedure, no formal action was initiated directed toward examining the procedure.
Problems with the FAA and the Regulatory Procedures:
FAA regulations at the time of the flight 191 accident did not require minor repairs to be reported. Even major repairs required only FAA notification and a copy of the final repair report be sent to the FAA. The FAA did not inspect the repair, nor investigate the cause of the damage. In this case, the FAA had no idea that DC-10 were being serviced using a possibility dangerous procedure. In addition. the other operators of DC-10s were not aware of the difficulties experienced by Continental Airlines.
There was no mechanism available to deal with such a situation. None of the involved parties, McDonnell Douglas, Continental, or the FAA were required to investigate or report on the damage to the pylon in December 1978. Even when a second similar failure occurred, neither McDonnell Douglas or Continental chose to investigate the root causes. Traditionally, FAA regulations were applied only to operations problems. Maintenance related problems, while potentially just as dangerous, were traditionally ignored by the FAA and left to the airlines to handle.
Cause of the Accident:
Like all airline accidents, the crash of Flight 191 was investigated by the NTSB. It is the duty of the NTSB to determine the probable cause of the accident and suggest corrective measures to reduce possible reoccurrences. The NTSB determined the probable cause of the crash was asymmetric stall and the resulting roll, of the aircraft due to the uncommanded retraction of the left wing outboard leading edge slats; in addition the failure of the stall warning and slat disagreement indicator systems made it difficult for the crew to determine the nature of the problem. All these failures were the result of the No. 1 engine and pylon separating from the aircraft due to improper maintenance procedures.
Through numerous simulations of the accident, the NTSB determined that it would have been possible for a flight crew to recover the airplane in a situation like that encountered by the crew of Flight 191, IF the crew had been fully aware of the situation and IF the crew had followed a very specific course of corrective action. In the case of Flight 191, no one had ever anticipated such a complex series of failures and procedures to handle the situation had never been developed. Also, because of the failure of the stall warning and slat disagreement indicators, it is likely that the crew was never fully aware of the situation, at least until it was to late to save the airplane. The NTSB strongly disagreed with McDonnell Douglas' assessment that the probability of engine detachment and subsequent system failure was extremely low for the DC-10. Finally, in the opinion of the NTSB, the crew of Flight 191 flew the aircraft in accordance with prescribed emergency procedures.
Flaws in the Design:
The NTSB believed that the design of the DC-10-10 was flawed and lacked sufficient redundancy in the stall warning system. In addition, the leading edge slats did not include a mechanical locking device to prevent slat movement following a failure of the primary controls; FAA certification was based on acceptable flight characteristics with an asymmetrical leading edge slat condition. The pylon attach points were vulnerable to damage during maintenance. Finally, because the structural separation of the engine was considered extremely improbable by McDonnell Douglas, multiple failures resulting from engine separation were not considered.
Flaws in the Maintenance Procedure:
The modified engine maintenance procedure used by American Airlines to service the engines of its DC-10s was not thoroughly examined before it was implemented. Inspection of all DC-10s after the accident revealed similar cracks in nine airplanes. The ECO developed by American Airlines did not emphasize the degree of accuracy required to properly place the forklift and no evaluation of the ability of the maintenance staff to correctly carry out the procedure was ever made. When the maintenance staff had difficultly carrying out the procedure, no attempt was made to notify engineering of the difficulties.
Flaws in the Accident Reporting and Regulatory Mechanism:
Continental Airlines, using a similar maintenance procedure, had developed and corrected similar pylon cracks. Because the airline classified the damage as a maintenance error, neither the airline nor the the manufacturer reported the damage to the FAA. Furthermore, since the cause was determined to be maintenance error, no further investigation was carried out. American Airlines developed its ECO without the benefit of Continental's experience. The NTSB believed that it was the FAA's responsibility to make sure that such information was made available to all interested parties in a timely manner. However, at the time of the accident, FAA regulations concerning maintenance were generally vague, inadequate, and frequently unenforceable.
Improvements to Prevent Future Similar Accidents:
As a result of the NTSB investigation, changes have been made on the DC-10-10, in airline maintenance procedures, and in FAA regulations. All models of the DC-10 have been equipped with a second shaker stick motor and crossover information redundancy has been incorporated into the flight control system. Modified engine maintenance procedures developed by American Airlines and Continental Airlines are now in use. The FAA has revised its regulations concerning maintenance and now requires the maintenance accidents be reported.
Personal Note from Family
I see through my yearly internet search that you utilize the crash of American 191 N110AA as a learning tool for your engineering students. I think your historical example lacks one thing - the omnipresent pain that such a catastrophic engineering failure brings to surviving family members. When a one-inch bolt broke on the left pylon of American 191, I was walking home from the 4th grade. Instead of Tom & Jerry cartoons on my TV, that afternoon I got to watch as firefighters tried to identify my father's incinerated remains.
Ethics and Safety Issues
A great many ethical and safety issues are raised by examining the crash of American Airlines Flight 191. In the simplest terms, maintaining good ethical conduct requires a person to differentiate between what is right and what is wrong and follow the course that the person determines is correct. Frequently, it is not so simple; right and wrong are not clearly marked, and a person must use his best judgement. Some of the ethical questions associated with the crash are listed below.
- Did the FAA ignore its responsibility to the airline passenger by not requiring that all serious structural damages by reported, regardless of cause?
- Why did all parties involved, manufacturer, airlines, and FAA, seem to consider maintenance as a secondary issue?
- Should McDonnell Douglas have reported the maintenance difficulties to the other airlines operating DC-10-10s?
- Should McDonnell Douglas have warned the other airlines of the maintenance problems experienced by Continental Airlines?
- Was it the responsibility of the engineers who developed ECO R-2693 to make sure that their procedure worked and could be properly implemented?
- Was it the responsibility of the maintenance personnel to communicate difficulties with ECO R-2693 to the engineering staff?
- When considering possible failure modes, how small must the probability of an event be to ignore the event?
- Should manufacturers be required to be omnipotent? Should they be required to predict all possible scenarios in which their product will be used, misused, maintained, or mis-maintained?
- Should there be a separate certification for maintenance procedures for vehicles used in public transportation?
- "National Transportation Safety Board Airline Accident Report, NTSB-AAR-79-17". American Airlines, Inc., DC-10-10, N110AA, Chicago-O'Hare International Airport, Chicago, Illinois, May 25, 1979.
- Aviation Week and Space Technology. July 4, 1979. pp. 12-19.
- Aviation Week and Space Technology. July 11 1979. pp. 47-59.
- Aviation Week and Space Technology. July 18, 1979. pp. 34-47.
- Aviation Week and Space Technology. July 25, 1979. pp. 31-37.
- Aviation Week and Space Technology. August 2, 1979. pp. 32-47.
Flight 191 Maintenance Problem: Assignments
The problems which led to the crash of American Airlines Flight 191 were complex, involving the airlines, the manufacturer, and the FAA. Most of the problems involved a lack of communications at various levels and failure to identify problems until after a disaster had occurred.
Read the General Information provided on the Flight 191 maintenance problem. Consider each of the following questions carefully in light of that information and write a complete and grammatically correct paragraph answering each.
- Why did Flight 191 crash?
- Could knowledge of the maintenance problems encountered by Continental Airlines have prevented the crash of Flight 191?
- Considering the knowledge that pylons are frequently removed during maintenance, why was the engine-pylon clearance so small?
- Should McDonnell Douglas have paid more attention to American Airlines revised maintenance procedures?
- When the engineers at American Airlines developed the revised maintenance procedure, did they give sufficient thought to the implementation of this procedure?
- Why didn't American Airlines maintenance workers report their difficulties in following the new procedures to anyone? Why didn't someone from management or engineering check on the implementation of the new procedures?
- Was McDonnell Douglas justified in considering the separation of an engine as an extremely unlikely event, and thus not analyzing the situation and developing contingency plans.
- The whole mechanism of FAA review of both airlines and manufacturers is based on an adversarial nature. Is this system the best, or might a team effort result in better protection of the public?
- Should the DC-10 design have incorporated more redundancy features in the flight control systems?
- Should maintenance procedures be more closely inspected? If so, how can the expected resistance of the airlines and the increased cost of such inspections be handled?
Choose one of the following statements, research the topic, and write a two page paper in which you explore the impact of the topic on the crash of Flight 191.
- American Airlines Flight 191 crashed when the Number 1 engine and pylon separated from the airplane during rotation and damaged the hydraulic systems. The pylon had been damaged while routine maintenance was being performed using a a procedure designed by American Airlines. Apparently maintenance personnel were not aware that the structure had been damaged. What types of procedures would you recommend to avoid similar occurrences in the future?
- The crew of Flight 191 acted properly and was not at fault. However, it is possible that the crew could have saved the aircraft had they had correct information and special training. How far should airlines go in developing training for "rare occurrence" emergencies?
- The most important consideration in designing a new commercial airline is increased economic efficiency. Explore the conflict between safety and economics.
- McDonnell Douglas did not adequately consider the vulnerability of the pylon structure to damage during maintenance because the manufacturer's maintenance procedure would not damage the pylon. How far should the manufacturer go in exploring "every possible" scenario of improper maintenance?
- The DC-10-10 flight control system lacked redundancy which would have allowed cross feeding of sensor information to the opposite flight control computer if one was damaged. The slats also lacked mechanical locking mechanisms to prevent accidental retraction. Also, the manufacturer did not consider the separation of an engine likely, and therefore did not analyze what would happen if separation occurred. Explore the design and maintenance changes which resulted from the accident investigation.
- American Airlines developed ECO R-2693 without adequately considering the difficulties of implementation. What failures in communication affected the development of the ECO and ultimately led to the crash of Flight 191.
Divide the class into small groups, no more than three to a group. Each group is to choose one of the five roles outlined below and develop a statements outlining the position represented by those in your role in the events preceding the crash of Flight 191. Develop two statements: (1) what you think was the position of those in your role, and (2) the position that those in your role should have taken.
- American Airlines Management: You want your airline to make as much profit as possible. You would not knowingly cut corners on safety, but you are always on the look out for methods of reducing costs. While recognizing the importance of FAA inspections, you generally feel that the government makes your business more difficult. Your company is not against actions to improve passenger safety, but some FAA regulations seem arbitrary and in your opinion produce little results and lots or paperwork and lost time.
- American Airlines Engineers: Your management is always instructing you to look for ways to improve efficiency. Consequently, when you come up with a procedure which not only decreases maintenance time, but limits the number of reconnects and increases safety you eagerly implement it. Company custom dictates that engineer due engineering, and maintenance personnel due maintenance. Thus once you develop your procedure and transmit it to maintenance, you do not normally think about it again.
- American Airlines Maintenance Personnel: Your job is to make any repairs to and perform regular maintenance on the companies airplanes. The procedures you follow are very specific and normally do not require you to ask questions. Occasionally engineering provides you with new procedures designed to increase efficiency. Sometimes these procedures work, sometimes they do not. If there is a major problem engineering is informed, but this step is usually taken as a last resort.
- McDonnell Douglas: You are want to sell as many planes as possible. Beyond FAA requirements, the airlines are not really concerned with safety. Improved operating efficiency is what sells a plane. If a customer damages an airplane during maintenance, there is no reason for you to publish this information. No law required publication and it was the customers fault; you do not want your airplane to be judged guilty by association.
- FAA: Your duty is to make sure that commercial air travel is safe. It is your responsibility to protect the passenger. Unfortunately, few people appreciate your efforts. The manufacturers and airlines consider you an annoyance, while the public generally ignores you. At least until your regulations impede them personally. You must balance safety and economic efficiency.
Working in three person groups, consider the role of the FAA in the commercial airline industry. Research the charter and purpose of the FAA. Consider how the agency addresses the dual role of functioning as both a technical and bureaucratic organization. In the United States the system is by nature adversarial, is there an alternative relationship? How do political forces effect the operation of the agency? What would happen if the agency did not exist?
Working in three person groups, consider the maintenance problems associated with the crash of Flight 191. When McDonnell Douglas designed the DC-10-10, did it take routine maintenance into consideration? How could the airplane have been improved from a maintenance standpoint? How could the engineers at American Airlines have improved ECO R-2693? How could communication between the maintenance personnel and the engineering personnel at American Airlines have been improved?