The first in a series on the historical parallels and lessons that unite the groundings of the DC-10 and 737 Max.
As the engine tore away from American Airlines Flight 191 — flipping up and over the top of the left wing — the jet’s hydraulic lines installed inside the McDonnell Douglas DC-10’s leading edge ruptured. An electrical generator went with the departing engine. It was a catastrophic failure of the highest order and one that McDonnell Douglas had convinced itself and the Federal Aviation Administration could not happen.
Taking off from Chicago’s O’Hare Airport on May 25, 1979, the trijet made it to about 325 feet as it began a violent to roll to the left. Lacking hydraulic pressure, aerodynamic forces had slammed a portion of the left wing’s slats back into the retracted position. The generator, which was left on the runway along with the engine, no longer provided electricity to signal the crew that its slats were asymmetrically configured. The severed electrical connection also disabled the aircraft’s stall warning system.
Related: The world pulls the Andon Cord on the 737 Max
With an engine missing, the crew went by the book. The nose was raised to V2, the best speed to safely climb away from the ground. In any trained engine failure this was the right call every time given the information they had — trade airspeed for altitude — but the crew couldn’t see that the number one engine was gone, nor that a portion of its wing slats had retracted without hydraulic pressure. Without those slats, that V2 speed target was six knots below the stall speed of the left wing. When the left wing stalled, the unpowered stickshaker designed to alert the pilot in the left seat remained silent. A second stickshaker on the first-officer’s side was a customer option that American hadn’t purchased.
Resource: Read the complete NTSB report on American Airlines 191
All two hundred and seventy-one people aboard the aircraft and two on the ground were killed when the DC-10 crashed into a trailer park and an open field northwest of the airport.
On June 6, all 138 DC-10s at eight U.S. airlines were ordered grounded by the FAA when it revoked the jet’s airworthiness certificate and would stay that way for 37 days in 1979. The FAA initially opposed the grounding and the crash forced a legal battle with the American Airline Passengers Association, which sought an injunction to halt DC-10 flying in the U.S. “pending fuller analysis,” according to coverage in Flight. Inspections in the days that followed the Chicago crash revealed cracks on the engine pylons on other aircraft. FAA Administrator Langhorne Bond had no choice but to withdraw the roughly 275-seat jet’s airworthiness certificate. Carriers and regulators around the world — totaling some 274 aircraft, including 74 in Europe — followed suit.
McDonnell Douglas called the order “an extreme and unwarranted act.”
Aviation history remembers the cause of Flight 191 as a faulty maintenance procedure devised by airlines to save time when removing an engine. Douglas Aircraft Company, the civil airliner arm of McDonnell Douglas, had called for splitting the task – removing the General Electric CF6 engine and then the pylon — but American saved 200 man-hours with a single maneuver. As a result, the flange that attached two of the jet’s three engines developed cracks. Several hundred takeoffs and landings later the engine separated on Flight 191’s takeoff.Subscribe to TAC
Indeed, the pylon damage was the central trigger for the engine detaching from the wing. However, the National Transportation Safety Board concluded the maintenance practice that damaged the pylon only contributed to the cause of the crash. In recreating the circumstances of Flight 191 in a simulator, the NTSB and pilots concluded that with the warning systems operating, the catastrophic loss of an engine and even the slat retraction were inherently survivable. “Each by itself would not have caused a qualified flight crew to lose control of its aircraft,” according to the Safety Board’s final report. It was the loss of the warning and indication systems that ultimately caused the airplane to veer out of control.
As part of the conditions of its return to service, the FAA ordered all DC-10s to incorporate a redundant stall warning system that relied on two angle of attack sensors and ensure the integrity of its wing slat position alerts. And within 1,500 hours of flying again, each DC-10 cockpit needed two stickshaker motors fed by data from both speed computers. (Locking slats wouldn’t be mandated until 1982 after two more incidents involving failed engines on the DC-10)
Related: Boeing plans redundant flight computer system for 737 Max return
The grounding of the DC-10 ignited a debate over system redundancy, crew alerting, requirements for certification, and insufficient oversight and expertise of an under-resourced regulator — all familiar topics that are today at the center of the 737 Max grounding. To revisit the events of 40 years ago is to revisit a safety crisis that, swapping a few specific details, presents striking similarities four decades later, all the way down to the verbiage.
In sheer numbers, the Max crisis is immeasurably more severe than the DC-10’s grounding. Some 387 737 Max airplanes have been withdrawn from service since China first moved to sideline the jet on March 10, 2019. Another 300 or more now sit undelivered at Boeing sites around the U.S.. And the crisis facing Boeing, the FAA and the global aviation industry is nearing a year since the October 29, 2018 crash of Lion Air 610.
Related: 737 Max grounding threatens to unravel the aviation certification world order
In reflection on the events of the past year, The Air Current scoured TV and newspaper archives, official reports and books that reveal many of the common lessons and parallels (and key differences) between the groundings of the DC-10 and the 737 Max, separated by 40 years.
A race to the runway
Like the two crashes of the 737 Max, Flight 191 came at a time of inarguably improving air safety. Prior to the Chicago crash, the DC-10 had three fatal accidents, including what was then the worst air accident in aviation history that killed 346 people when a Turkish Airlines flight crashed in a forest outside of Paris in 1974. An improperly designed and improperly repaired cargo door latch had been implicated.
“A great many people, some within or connected to the aircraft industry, wondered whether the Chicago crash was a rare, though terrible, exception to a ruggedly stable pattern of safety in the skies, or a disaster created by an accident that was waiting to happen,” wrote John Newhouse in The Sporty Game, the 1982 pre-eminent work on the jetliner business.
Related: Revisiting The Sporty Game 36 years later
Douglas was determined to beat the L-1011 Tristar to the sky in 1970 and did so 10 weeks before Lockheed. The externally similar looking tri-jet occupied an identical spot in the market. And arriving first would be part of the competitive advantage, Douglas surmised. That expediency by Douglas (recently merged in 1967 with McDonnell) would invite some of withering criticism from those tasked with officially evaluating the jet after Flight 191, including that its design might’ve met the letter of the law, but fell far short of its spirit of safety.
Resource: Read the full 1980 report from the Committee on FAA Airworthiness Certification Procedures
In the wake of the 1979 crash and its subsequent grounding, the FAA convened a “blue-ribbon panel” of experts through the National Academy of Sciences, led by George Low then President of Rensselaer Polytechnic Institute and former NASA Administrator. Over six months, the panel of 13 independent experts was tasked with evaluating the design of the DC-10 and the U.S. regulatory system that approved its operation. The 118-page report was published in June 1980 and, according to the New York Times, found “critical deficiencies in the way the Government certifies the safety of American-built airliners.”
Four decades later, the Joint Authorities Technical Review (JATR) released a remarkably similar final report on Friday on its examination of the 737 Max’s flight control system and the regulatory structure at the FAA that cleared it — and the ill-fated Maneuvering Characteristics Augmentation System — for flight. The MCAS system and its erroneous activation on the 737 Max has been at the center of the investigation into twin crashes that killed a total of 346 people. The New York Times would call the panel’s findings “damning” for Boeing and the FAA. The JATR, which included regulators from nine countries along with the U.S., found “signs of undue pressure” on the delegated Boeing staff responsible for regulatory approvals of the MCAS system, which it said (without elaborating) “may be attributed to conflicting priorities and an environment that does not support FAA requirements.”
Resource: Read the full 737 Max Joint Authorities Technical Review
While not explicitly connected, Boeing’s CEO Dennis Muilenburg was stripped of his chairmanship of the board later that same day. He had in the past praised the “streamlined” regulatory process that accompanied the 737 Max’s development.
Christopher Hart, the former NTSB chair who led the JATR, called the grounding of the 737 Max an “unprecedented situation” principally “because this is the first grounding of an airliner that relates to not only the airplane, but the pilot as well.” But while broadly unprecedented in Hart’s view, the core issues and contemporary controversies have not changed. Industry and government are again faced with the question of how to create a regulatory system that is as integrated as the product it aims to evaluate and regulate.
The JATR concluded Boeing broadly met every regulation, but raised “the foundational issue” of whether or not regulations can go far enough to foster a safety culture without creating complacency. “To the extent they do not address every scenario, compliance with every applicable regulation and standard does not necessarily ensure safety. Moreover, as systems become more complex, the certification process should ensure that aircraft incorporate fail-safe design principles.”
The critique 40 years ago was a near carbon-copy. Maynard Pennell, retired Boeing executive and aerodynamicist drafted to the blue-ribbon commission for the review of the FAA and DC-10 told Newhouse: “Douglas met the letter of the FAA regulations, but it did not build as safe an airplane as it could have. This was not a deliberate policy on its part…Douglas was determined not to over-run or do more than required by regulation to do.”
Boeing and McDonnell Douglas merged in 1997.
Both the 737 Max and the DC-10 were deemed in full compliance with federal regulations in the wake of the accidents involving both aircraft. And neither ‘built as safe an airplane as it could have.’ But the assumptions that drove the compliance of each manufacturer were at the root of both the technical and organizational failure, according to the NTSB and JATR.
In the case of the DC-10, Douglas hadn’t foreseen the possibility of external damage to the pylon during maintenance and had satisfactorily convinced itself that the types of failures suffered by Flight 191 were fantastically remote. According to the NTSB, Douglas had assumed the possibility of an engine detaching in flight to be so unlikely and unpredictable that it only met the requirement to have the engine separate cleanly should the airplane land on its belly.
When the DC-10 was certified “structural separation of an engine pylon was not considered. Thus, multiple failures of other systems resulting from this single event were not considered,” according to the NTSB.
John Enders, then-President of the Flight Safety Foundation and a member of the DC-10 review in 1979, said “the committee felt that had Douglas gone further it would have recognized the vulnerability of other systems, including the leading-edge hydraulics.”
In analyzing its design and certification process, the NTSB found that Douglas’ fault analysis of the slat warning system included 11 possible faults and failures “all of which were correctable by the flight-crew.” However, the NTSB noted, “The basic regulations under which the slats were certified did not require accountability for multiple failures.” The NTSB concluded that the analysis “was not given to the FAA formally but was available for review.”
Related: Checklists come into focus as pace-setter for 737 Max return
The JATR concluded the same for Boeing. In the case of both Lion Air 610 and Ethiopian 302 — the second Max crash in March — Boeing hadn’t assumed a pilot would act outside of its four-second expectation to recognize and respond to an apparent malfunction of its stabilizer trim – regardless of the cause. Boeing, too, assumed that any fault was correctable by the flight crew as a last line of defense.
Stretched FAA resources and limited expertise
How these designs fell short meant that the process of approving both the DC-10 and 737 Max came under intense scrutiny. As Newhouse put it in 1982 – and could be said just the same in 2019: “What surprised, even alarmed, many people, especially interested members of Congress, was discovering how much the FAA’s certification process is delegated to the makers of airplanes that are candidates for certification.”
At the end of the 1970s, just as in 2019, the public and the U.S. Congress lamented the reality that the FAA wasn’t capable of certifying an entire aircraft itself. It’s been doing so for decades, and long before the DC-10 faced its most severe safety crisis.
“The committee finds that, as the design of airplanes grows more complex, the FAA is placing greater reliance on the manufacturer,” the blue-ribbon panel wrote in 1980. “The FAA’s human resources are not remotely adequate to the enormous job of certifying an airliner,” wrote Newhouse, and said the lure of more attractive salaries in the private sector meant 94% of approval work was delegated to the manufacturers. “The committee finds that the technical competence and up-to-date knowledge required of people in the FAA have fallen behind those in industry.”
The same is true in 2019. “The FAA, like most regulators in high tech industries where the technologies are rapidly advancing…has difficulty hiring and maintaining the engineers who are leading the frontiers of the technological innovations,” said Hart last week. “And that makes it challenging in terms of working collaboratively with the manufacturer to certificate their product.”
The DC-10 report faulted the FAA’s posture, saying its structure “results in a superficial level of technical oversight” and “inconsistent interpretations of regulations” depending on the regional office, stretched thin by new aircraft development and modifications to existing airplanes. Challenges with bureaucracy, communication and transparency in 1979, were again faulted with the 737 Max in 2019.
“The JATR team concluded that FAA resource shortfalls…may have contributed to an inadequate number of FAA specialists being involved in the B737 Max certification program. In some cases, [FAA’s Boeing Aviation Safety Oversight Office] engineers had limited experience and knowledge of key technical aspects of the B737 Max program.” As a result, the FAA had “inadequate awareness of the MCAS function” and its “limited involvement, resulted in an inability of the FAA to provide an independent assessment” of the certification of MCAS.
Despite all this and like the 1980 panel before it, Hart and the JATR blessed the delegated certification system. “What we’re trying to do is to figure out how to make that good system better,” he said. Both reviews made specific recommendations and similarly that the FAA be involved earlier in the design process and is (in 2019) “aware of all the design assumptions” and (in 1980) “special emphasis should be placed on the review…of fundamental design concepts.”
Ultimately, it seems, the belief by both the DC-10 and the 737 Max reviews are anchored on the the idea that if systemic design weaknesses are to never make it to the flying public it needs to be done so early, and not in the closing stages when an understaffed regulator and overwhelmed delegates are facing mountains of paperwork.
On the closing page of its 1980 report, the blue-ribbon committee made a recommendation stemming directly from the lessons it saw as crucial from the 1979 DC-10 crash. The report recommended that each commercial aircraft manufacturer “consider having an internal aircraft safety organization to provide additional assurance of airworthiness to company management.” [Emphasis theirs] McDonnell Douglas had created roving non-advocate review boards to assess program safety, according to a former Douglas executive, but it stopped short of a central organization. But the virtue of the recommendation didn’t end in 1980. Whether it realized it or not, Boeing’s Board of Directors on September 30, 2019 adopted the committee’s suggestion, forty years later.
Write to Jon Ostrower at email@example.comSubscribe to TAC
Checklists come into focus as pace-setter for 737 Max return
The first in a series on the historical parallels and lessons that unite the...