The troubled history of the DC-10 aircraft, especially in relation to questions raised as a result of its involvement in three major accidents between 1974 and 1989, provides a multidimensional case study in the ethics of engineering design and the uses of technology.
The DC-10 is a wide-bodied aircraft with two wing engines and a third engine distinctively placed in the tail fin. It was introduced into commercial service in 1972, during a time of unusually intense competition in the U.S. aviation industry. The market would support only two viable manufacturers, and because the Boeing 747 was well established, either Lockheed Corporation or McDonnell Douglas Corporation would have to withdraw and suffer a substantial financial loss. McDonnell Douglas won the competition, but evidence of its haste to beat Lockheed is reflected in these case studies.
Because airliners fly at high altitudes, the passenger cabin must be pressurized, up to 38 pounds per square inch. Because a heavy floor able to withstand this force would not be economical, the cargo hold is also pressurized. Thus the floor has to be strong enough to support only the weight of passengers, crew, seats, and so on. If, however, either part of the aircraft experiences a sudden decompression, the loss of equalizing pressure would cause the floor to buckle or collapse, resulting in damage to the control system, which is located in the interior spaces of the floor beams.
The 1972 Windsor Incident
Less than a year after the DC-10 entered service, a rear cargo door was improperly closed on a flight from Detroit, Michigan, and it blew open over Windsor, Ontario, causing the floor above it to collapse downward. Only the skill of the American Airlines pilot and a very lightly loaded airplane enabled the plane to land safely.
Ordinarily a problem of this magnitude would result in the Federal Aviation Administration (FAA) issuing an Airworthiness Directive (AD), a public document that has the force of law, requiring owners of a particular aircraft to modify their airplanes within a certain time. But the FAA charter contains a dual mandate: The FAA must not only ensure aviation safety but also promote the aviation industry. An AD at this time would have given Lockheed a competitive advantage by drawing attention to the DC-10 problem. Instead, John Sheaffer, the head of the FAA, finessed these conflicting objectives by making a "gentleman's agreement" with McDonnell Douglas to develop a fix for the cargo door and implement it through service bulletins sent only to owners of DC-10s, thus avoiding harmful publicity.
Two weeks after Windsor, Dan Applegate, head of project engineering at Convair, a subcontractor for the DC-10 cargo doors, expressed grave doubts about the "Band-Aid" fixes being proposed for the cargo door lock and latch system. He took his concerns to higher management in an effort to have Convair contact McDonnell Douglas and develop a more secure fix. Although he wrote a strong memo, management felt its hands were tied by a "reliance clause" in the contract, which stated that if Convair disagreed with the design philosophy it must make its concerns known in the design stage or pay for any later required changes. Because DC-10s were already rolling off the production line, Convair was faced with the prospect of paying for expensive retrofits to the DC-10 if it raised questions now. No approach to McDonnell Douglas was made.
The 1974 Paris Crash
When the service bulletins were sent out, many DC-10s were sitting on the McDonnell Douglas lot awaiting delivery. Ship 29, later sold to Turkish Airlines, was recorded as having all service bulletins for the cargo door performed, but in fact a critical item was omitted. Critics believe that an AD would have been taken more seriously.
On a fully loaded flight from Paris to London, on March 3, 1974, Ship 29 lost its rear cargo door shortly after takeoff, and the floor collapsed. Deprived of its control system, the plane crashed: Six passengers from the rear of the aircraft were found, still strapped in their seats, nine miles away; the cargo door that failed was nearby. French investigators collected more than 20,000 human fragments of the 346 passengers and crew. At the time, it was the worst aircraft accident in history.
The 1979 Chicago Crash
On May 25, 1979, an American Airlines DC-10 crashed shortly after takeoff from Chicago when a wing engine broke loose and damaged the leading edge of the wing. Loss of the engine and damage to the wing resulted in decreased lift: One wing was pushing up harder than the other. A photo shows the plane, wings vertical, plunging to the ground.
Had the pilots known that the wing was damaged, they would have been able to take corrective measures to control the plane. But they could not see the wing from the cockpit and had to rely on instruments. Ironically, the needed warning devices were powered by the engine that broke off, and there was no provision for a backup power supply. The crash killed all 271 persons onboard the DC-10 and two persons on the ground.
The separation of the engine was caused by a maintenance procedure designed to save more than 200 person-hours of work. The engine is held in place by a large pylon attached to the wing, and the McDonnell Douglas removal procedure required that the engine (weighing 5,000 kilograms) be removed first, followed by the pylon (900 kilograms). The new procedure used a forklift to bear the weight of the engine, allowing engine and pylon to be removed as a unit. The pylon is not designed for the stresses this procedure can introduce and developed cracks, which eventually led to it and the engine breaking away from the wing.
It is normal for airlines to develop innovative maintenance procedures without FAA approval. McDonnell Douglas knew that Continental Airlines and American were using the forklift procedure and that it required extreme precision in positioning. It also knew that Continental had reported two cases of cracks to the pylons that required repair. Neither the FAA nor American learned of these potential dangers because FAA regulations do not require such reporting. But an engineer's first professional obligation is to protect the public from harm, and engineers at McDonnell Douglas and Continental had clear evidence of the danger of this procedure and should have investigated further and warned others. For a professional, following the regulations is not good enough when there is clear evidence of danger.
The 1989 Sioux City, Iowa, Crash
On July 19, 1989, a United Airlines DC-10 tail engine disintegrated in flight, resulting in the loss of fluid in all three hydraulic systems. The 170-kilogram front fan disk, rotating at high speed, broke apart, and the fragments took out everything in their path. Without hydraulics, none of the control surfaces on the wings and tail could be operated. The plane could only be crudely maneuvered by varying the speed of the two wing engines. Remarkably, the pilots managed to crash-land at the Sioux City, Iowa, airport, with only 111 deaths among the 296 passengers.
The other wide-body jet with a large tail engine, the Lockheed L-1011, has four independent hydraulic systems, one of which has a shutoff valve forward of the engine. If there is a leak, the valve closes the line, preventing further fluid loss. After the accident, the FAA issued an airworthiness directive requiring a shutoff valve for the DC-10.
All three DC-10 crashes were caused by failures that need not have resulted in the loss of the aircraft. The inadequately protected control system of the DC-10 allowed these otherwise predictable problems to cause the crashes that took 728 lives. It would be satisfying to find engineers and managers who clearly disregarded the safety of air travelers, but the reality is a complex and ambiguous interplay of engineering, design, financial, legal, historical, and organizational factors that allowed an underprotected aircraft to enter the stream of commerce. Without the intense economic competition with Lockheed, there might have been more attention to the cargo door design, redundancy added to warning systems, and a shutoff valve placed in the hydraulic lines. Add to this Douglas Aircraft Company's complete dominance of the aviation industry from the 1930s to the 1950s, which may have fostered a climate of complacency about the problems with the DC-10. (McDonnell Douglas had been formed in 1967 from the merger of Douglas Aircraft and McDonnell Aircraft Corporation.) The regulatory safety net, as always, was catching up to the problems posed by the new generation of wide-body jets.
After each of these crashes the FAA required changes in design, procedures, or training. Critics call this "tombstone technology," meaning that safety changes are made only if there are enough deaths to prove the changes are needed. But safety is defined as "of acceptable risk," which changes over time, and often it takes a severe accident to determine what level of risk is socially acceptable. Safety entails higher costs, and regulators must try to balance the safety and cost factors in evaluating complex, sophisticated technology that has a substantial interface with large numbers of people. Inevitably, mistakes will sometimes be made and innocent people will die before adequate regulations are in place.
JOHN H. FIELDER