McDonnell Douglas DC-10
United Airlines Flight 232, N1819U
Sioux City, Iowa
July 19, 1989
United Airlines (UAL) Flight 232, a McDonnell Douglas DC-10-10, was a scheduled passenger flight from Stapleton International Airport in Denver, Colorado to Philadelphia, Pennsylvania, with an en route stop in Chicago, Illinois. On July 19, 1989, at 14:09 Central Daylight Time (CDT), Flight 232 departed Denver with 285 passengers and 11 crewmembers on board.
About 1 hour and 7 minutes after takeoff (at approximately 15:16 CDT) the flight crew heard a loud bang followed by vibration and shuddering of the airframe. The flight crew checked the engine instruments and determined that the No. 2 engine (tail-mounted) had failed, and they initiated the engine shutdown checklist. While performing the shutdown checklist, the flight crew noted that the aircraft's normal system hydraulic pressure and quantity gauges indicated zero. The No. 2 engine failure had been caused by a catastrophic uncontained fan disk burst that resulted in engine debris damaging the aircraft's three hydraulic systems that were located in the tail section of the aircraft.
The airplane was minimally controllable via the use of asymmetric thrust control. The crew managed to maneuver the airplane to the vicinity of Sioux City, Iowa. At 16:00 CDT, after being cleared to land at Sioux Gateway Airport in Sioux City, Iowa, the airplane experienced a crash landing while attempting to land on runway 22. There were 111 fatalities, 47 serious, and 125 minor injuries from this accident.
History of Flight
The takeoff and en route climb to a planned cruising altitude of 37,000 feet were uneventful. About 1 hour and 7 minutes after takeoff (at approximately 15:16 CDT) the flight crew heard a loud bang followed by vibration and shuddering of the airframe. The flight crew noted from the engine instruments that the No. 2 engine (tail-mounted) had failed, and they initiated the engine shutdown checklist. While performing the shutdown checklist, the flight crew noted that the aircraft's normal system hydraulic pressure and quantity gauges indicated zero.
The first officer was flying the aircraft at the time of engine failure and advised the captain that he could not control the aircraft, which began a right descending turn. The captain took control of the aircraft and confirmed that it did not respond to control inputs. He then reduced thrust on the No. 1 engine, which resulted in the aircraft rolling to a wings-level attitude. The flight crew deployed the air-driven generator that powers the No. 1 auxiliary hydraulic pump; however, this action did not restore hydraulic power to the aircraft.
At 15:20 CDT, the flight crew radioed Minneapolis Air Route Traffic Control Center (ARTCC) and requested emergency assistance and vectors to the nearest airport. The ARTCC gave the flight crew vectors for the Sioux Gateway Airport in Sioux City, Iowa.
The passengers were informed of the engine failure, and the flight attendants were told to prepare the aircraft for an emergency landing. An off-duty UAL DC-10 training check airman, who was seated in the passenger cabin, came forward to the flight deck to assist the flight crew at approximately 15:29 CDT.
The flight crew made visual contact with the airport at about 9 miles from touchdown. Air traffic control had instructed the aircraft to attempt a landing on runway 31, which was 8,999 feet long. However, the aircraft was on approach to runway 22, which was 6,600 feet long and closed. Given the aircraft's position and difficulty in making left turns, the captain elected to continue the approach to runway 22 rather than attempt to maneuver to runway 31.
During the approach, the flight crew observed a high sink rate alarm prior to touchdown. Smooth oscillations in pitch and roll continued until just before touchdown when the right wing dropped rapidly. The check airman used the first officer's airspeed indicator and visual cues to determine the flight path and need for power change. He continued to manipulate the No. 1 and No. 3 engine throttles until the aircraft made contact with the ground.
At 16:00 CDT the aircraft touched down on the threshold to runway 22 slightly left of the centerline. The first ground contact was made by the right-wing tip, followed by the right main landing gear. The aircraft skidded to the right of the runway and rolled to an inverted position. Witnesses observed the aircraft catch fire and cartwheel, coming to rest after crossing runway 17/35. Firefighting and rescue operations began immediately; however, the aircraft was destroyed by impact and fire.
There were 111 fatalities, 47 serious injuries and 125 minor injuries.
Engines
The engines installed on the aircraft were General Electric Aircraft Engines (GEAE) CF6-6D model turbofan engines. The fan disk failure was caused by a fatigue crack that initiated from a metallurgical defect located on the surface of the disk bore. The metallurgical defect formed during the initial manufacture of the titanium alloy material and was not detected by inspections performed during the manufacturing process (manufactured in December 1971 timeframe). The disk was installed in the CF6-6D engine, and the defect caused the initiation of a fatigue crack that eventually grew to a critical size and produced a catastrophic separation of the disk. Total service time and cycles accumulated on the fan disk at the time of the accident were 41,009 hours and 15,503 cycles.
Engine design and certification standards involve a combination of containment and reliability for the blade and rotor failures, respectively. The engine case is required to contain debris associated with the failure of any single blade from any of the compressor or turbine stages. Conversely, other rotating elements of the engine, such as fan disks and turbine rotors, are required to be sufficiently robust so as to never expect a failure in the life of that engine fleet. This concept, identified as "rotor integrity", is necessary since containment of disk debris is impractical due to the extremely high energies involved for most turbofan engine rotor failures.
In spite of the engine's blade containment and rotor integrity capabilities, service experience has shown that it is necessary to provide airplane protection for certain types of uncontained engine failures. This airplane level protection involves a combination of separation, shielding, or strategic location of vital systems throughout the airplane. High energy rotors (e.g., fan disks) can cause a hazard to the aircraft when they fail due to their ballistic nature and have historically represented one of the highest accident risks caused by turbine engine propulsion systems. Aircraft safety for this type of threat is provided by a combined effort of precluding rotor failures and by mitigating the effects in the event of a failure. Overall, safety is compromised if either of these two strategies is overlooked or not effective.
During the time the fan disk was in revenue service, the engine underwent overhauls that exposed the fan disk to piece part-level inspections six times. At each exposure, the disk was inspected in accordance with the CF6 engine manual instructions, which included a fluorescent penetrant inspection. The accident investigation determined that the fatigue crack was of sufficient size that the previous fluorescent penetrant inspections, if properly performed, should have detected it. The most recent fluorescent penetrant inspection on the fan disk occurred 760 cycles prior to the accident flight, at which time the surface crack is estimated to have been approximately 0.5" long.
The titanium alloy fan disk was manufactured in 1971 using a double vacuum arc remelt (VAR) process, which was the process used by the majority of engine manufacturers during this timeframe. At the time of its failure, it had been in service for 17 years. VAR is one type of process used in the manufacturing of titanium alloy fan disks. This method converts an electrode composed of the titanium source materials into an ingot form by melting the electrode. The electrode is melted in a water-cooled copper crucible under vacuum using electrical power to form an arc between the electrode and the molten pool. Consumption of the electrode occurs over a period of hours.
One method of improving the quality of titanium material is to go through successive operations such as double or triple VAR. The industry began to recognize, in the 1970's, that the rate of material defects in double VAR titanium used for high-energy rotating engine parts was significantly high and required corrective actions.
The FAA worked with industry to improve the titanium manufacturing processes that industry began to implement in the early 1980's. At that time, it was believed that it would be acceptable for rotors manufactured from the older (double VAR) processes to remain in service until part retirement, based on confidence that the manufacturing and piece part engine overhaul inspections were reliable and adequate for detecting defects/cracks prior to part failure.
Airplane
The McDonnell Douglas DC-10 is a large, wide-body transport airplane, originally type certified in 1971. The flight control system is, for the time of design, conventional in that the flight controls are hydraulically powered and consist of ailerons and flight spoilers located on the wings, elevators on the horizontal stabilizer, and rudder on the vertical stabilizer.
Each axis in the flight control system is powered by at least two of the three airplane hydraulic systems. The airplane is equipped with three separate hydraulic systems, each independent of the other two, such that loss of any one system retains sufficient capability in each of the flight control axes, although in some cases, capability may be degraded. The airplane does not have a manual control capability (sometimes referred to as "manual reversion"), due to the high forces that would be necessary to move the control surfaces if they were unassisted by a hydraulic system.
There is limited space in the aft areas of the airplane for hydraulic system distribution, especially where the hydraulic lines are routed to the tail surfaces. The three hydraulic systems, while remaining functionally isolated, were located physically close to one another in certain areas. One result, which contributed to this accident, was that all three systems were vulnerable to damage from the engine debris, should the No. 2 engine experience a catastrophic failure.
Following failure of the center engine fan disk, debris struck and damaged the aircraft's three hydraulic systems. The loss of all three systems resulted in complete loss of control of the aircraft through normal flight control inputs. The only means available to maintain directional control of the aircraft was manipulation of the thrust from wing-mounted engines. The aircraft had a continuous tendency to turn right; and the flight crew could not maintain a stabilized flight condition.
Flight Crew
Following the crash of an Eastern Airlines Lockheed L-1011, near Miami, in 1972, the industry conducted a review of ways to mitigate poor crew performance, especially in emergencies. Subsequently, as a result of this review, United Airlines became the first commercial carrier to adopt a formal Crew Resource Management (CRM) program. CRM, rather than allowing an autocratic environment on the flight deck, encourages crew teamwork and, when/if necessary, assertion of authority by crewmembers that are, in the flight deck hierarchy, subordinate to the captain. CRM, when well practiced, results in high levels of crew communication, delegation of duties in order to manage all required tasks efficiently, and an overall attitude of cooperation and teamwork.
The flight crew collectively was very experienced, the captain in particular having over 7000 hours in the DC-10. Additionally, an off-duty DC-10 check captain was onboard as a passenger and was invited to the flight deck by the captain. The check airman assumed control of the throttles for the left and right engines, as throttle manipulation (use of asymmetric thrust) was the only means to attempt airplane control.
Following the accident, the NTSB conducted a number of simulator studies to assess the possibility of crew training to control the airplane in a UAL 232 situation. The studies revealed that the crew would not have benefited from such training, if it had existed, as the airplane was virtually impossible to control. The NTSB concluded that the airplane, while flyable, could not have been successfully landed on a runway with the loss of all hydraulic flight controls.
The NTSB stated, "The Safety Board believes that under the circumstances the UAL flight crew performance was highly commendable and greatly exceeded reasonable expectations."
Relative to CRM practices, and crew interaction during the emergency, the NTSB further commented on the flight crew's performance by stating, "The Safety Board views the interaction of the pilots, including the check airman, during the emergency as indicative of the value of cockpit resource management training, which has been in existence at UAL for a decade."
Following the accident, the captain made a presentation to an audience at a safety meeting hosted by the National Aeronautics and Space Administration (NASA), discussing the events of the flight and flight crew performance. The NASA transcript of that presentation is available at the following link: UAL 232 Captain presentation
The NTSB determined that the probable cause of this accident was the inadequate consideration of the human factors limitations in the inspection and quality control procedures used by the UAL engine overhaul facility. These limitations resulted in the failure to detect a fatigue crack originating from a previously undetected metallurgical defect located in a critical area of the stage 1 fan disk of the engine.
The NTSB also determined that the catastrophic disintegration of the fan disk resulted in the liberation of engine debris in a pattern of distribution and with energy levels that exceeded the level of protection provided by design features of the hydraulic systems that operate the flight controls of the DC-10.
The NTSB identified 21 findings for this accident. The findings are excerpted from the report, and available at the following link: NTSB Findings
The entire NTSB report (NTSB/AAR-90-06) can be viewed at the following link: NTSB Report
The NTSB issued a total of 29 safety recommendations for this accident investigation. Twenty-three of the recommendations were issued to the FAA, one was issued to the Air Transport Association, one was issued to the Aerospace Industries Association of America, Inc., and four were issued to the U.S. Air Force.
The following is a brief summary of the safety recommendations, which have been organized under seven categories:
- Nondestructive inspection of critical rotating parts: twelve of the safety recommendations related to inspections of critical rotating parts, both general and specific to this part failure, were issued. These recommendations included improving inspection processes by incorporating areas of emerging technologies that may improve reliability, requiring operators and industry to incorporate improved and redundant inspection processes for rotating parts and mandating GE service bulletin inspections of the CF6 fan disks.
- Aircraft control systems: two safety recommendations that addressed aircraft control systems were issued. The first recommendation encouraged additional research and development for backup control systems for new wide body aircraft, and the second was to conduct a safety review relative to the redundancy and protection of power sources for flight and engine control of currently certified aircraft as a result of lessons learned from the Sioux City accident.
- Engine uncontained failures: two safety recommendations that addressed engine uncontained failure were issued. The first recommendation was to analyze the dispersion pattern, fragment size, and energy level of uncontained debris and update AC 20-128 for future aircraft certification. The second was to create a historic database of engine rotary failures that would benefit design assessments and safety analysis.
- Record keeping: one safety recommendation was issued for record keeping. It recommended that the FAA conduct a comprehensive evaluation of aircraft and engine manufacturer record keeping and internal audit procedures.
- Cabin procedures: one safety recommendation was issued for cabin procedure. It addressed the importance of time management in preparation of the cabin for an impending emergency landing.
- Cabin restraint of passengers: two recommendations addressed cabin restraint of passengers. The first recommendation addressed requirements for infants and small children to be properly restrained during takeoff, landing, and turbulent conditions. The second recommendation addressed research to determine the adequacy of seatbelts to restrain children too large for safety seats and develop a suitable means of restraining such children.
- Airport procedures and equipment: nine safety recommendations were issued on airport procedures and equipment. These recommendations addressed fire fighting vehicles and rescue/firefighting activities at accidents in crop environments on airport property.
The complete text of the recommendations is available at the following link: NTSB Recommendations
The certification requirements for the DC-10-10 included Part 25 Amendment 1-22 and Special Condition (SC) 25-18-WE-7, dated January 7, 1970.
SC 25-18-WE-7 stated that in lieu of the requirements of 14 CFR 25.903(d)(1), the aircraft must incorporate design features to minimize hazardous damage in the event of an engine rotor failure or of a fire that burns through the engine case as a result of an internal engine failure.
The SC was issued because §25.903(d) was in the process of being revised. McDonnell Douglas provided a response to the SC that included an assessment for the hydraulic system design considerations. However, at the time of the design and assessment, there were no formal industry standards or FAA guidance on design precautions to be taken to minimize the hazards to an aircraft in the event of an uncontained engine or APU failure.
Relative to the engine certification, the relevant requirements were:
Prior to this accident, a CF6 engine had never experienced a fan hub failure. The engine was certified in 1970 and operated successfully for millions of fleet service hours until 1989. Though it had been discovered that the manufacturing process (double VAR) of the fan disk produced a higher than desired rate of defects, it was believed that a program of detailed inspections would detect and eliminate components that had become unserviceable and preclude the need to mandate replacement of fan disks that had been manufactured using the double VAR process.
- Failure of the fan disk resulted in liberation of debris in a pattern of distribution and with energy levels that exceeded the level of protection provided by the design features of the aircraft hydraulic systems. The three hydraulic systems, although physically isolated, were vulnerable to a single failure event due to their close proximity to one another, which compromised their independence (zonal hazard).
- Inadequate consideration was given to the human factors limitation in inspection and quality control procedures for fluorescent penetrant inspection of the stage 1 fan disk at the UAL overhaul facility, which resulted in the failure to detect a fatigue crack.
- Aircraft hydraulic system (critical system) isolation was acceptable for uncontained engine debris in the event of an engine failure.
- The defined inspection techniques for rotors produced using the double VAR process were adequate to identify defects and prevent catastrophic failures due to metallurgical defects.
- The combination of airplane level safety strategies for system isolation and segregation, together with engine level blade containment and rotor integrity, provides an adequate level of protection.
- Japan Airlines B-747 crashed at Gunma Prefecture, Japan, on August 12, 1985. An aft pressure bulkhead ruptured in flight, resulting in a sudden decompression event and failure of a portion of the fuselage tail, vertical fin, and failure of all four aircraft hydraulic systems due to loss of fluid. The flight crew had no primary flight controls and attempted to maintain aircraft directional control by manipulating engine thrust. The aircraft subsequently crashed into a mountain. Aircraft hydraulic system isolation was compromised by the lack of physical separation of all four systems, which came together in the tail section of the aircraft in an area that sustained damage due to the bulkhead rupture.
14 CFR Part 33: No rule changes
14 CFR Part 25: No rule changes
AC 20-128A (and its appendix 1) defines a method of compliance with the CFR that requires design precautions to minimize the hazards to an aircraft in the event of the uncontained engine or auxiliary power unit (APU) failure. AC 20-128 was issued in 1988 following a change to 14 CFR 25.903(d) in Amendment 23 and incorporated much of the same information contained in FAA Order No. 8110.11, dated November 19, 1975. The FAA Order and AC were not available at the time of the DC-10-10 certification. The certification requirements for the DC-10-10 included Part 25 Amendment 1-22 and Special Condition (SC) 25-18-WE-7, dated January 7, 1970.
When AC 20-128 was initially published, it contained the same information that was in FAA Order No. 8110.11. Based on the Sioux City accident, other service events, and a better understanding of the hazards associated with uncontained engine and APU failures, the FAA subsequently revised AC 20-128. The adjacent graphic is a diagram of horizontal stabilizer damage caused by the No. 2 engine debris and the estimated fragment spread angle of the rotor that is described in AC 20-128.
The fan disk that failed on UAL 232 was manufactured using a double VAR process, which was the process used by the majority of engine manufacturers during the timeframe the disk was manufactured. In the early 1980's timeframe, the FAA and industry began efforts to improve the manufacturing processes by transitioning to enhanced manufacturing processes for titanium rotors (e.g., triple VAR). The follow-on activities from the Sioux City accident resulted in additional research and studies of the manufacturing and inspection processes and higher industry standards to further reduce the likelihood of manufacturing quality defects during the manufacturing process. These improved processes and standards are being applied today.
The fan disk that failed on UAL 232 had a metallurgical defect that was introduced at the time of manufacture but was not detected by the manufacturing inspections. The NTSB investigation concluded that the size and location of the defect might not have been detectable using the type of inspections performed during the manufacturing process. The defect resulted in a crack that continued to grow in revenue service and was not detected in the six subsequent fluorescent penetrant inspections performed during the life of the part.
The accident investigation determined that the inspection techniques used as part of the manufacturing process for titanium rotating components require further enhancements to provide a higher probability of detecting metallurgical defects. The investigation also determined that the fluorescent penetrant inspection process has significant potential limitations that must be considered if it is to be applied as the primary inspection technique for critical rotating parts such as fan disks.
The follow-on activities from the Sioux City accident include FAA and industry research and studies on improving the inspection processes during manufacture and overhaul of titanium alloy as well as other material rotors. An example is the blue etch surface inspection to detect surface breaking defects that has been included in the manufacturing process. These enhancements and higher industry standards are being applied today.
Before the Sioux City accident, conventional rotor life management methodologies used by the majority of engine manufacturers did not explicitly address the occurrence of material and manufacturing anomalies. Parts were lifed assuming no defects. Following the Sioux City accident, the FAA recognized the possibility that even with the very best manufacturing and inspection processes, material and manufacturing defects could occur and that these defects could potentially degrade the structural integrity of high-energy rotors. The FAA has worked with industry to develop guidelines and criteria that incorporate a damage tolerance approach in the design and life management of high-energy rotors. This information was published in AC 33.14-1 and has resulted in a titanium alloy rotor design that has greater robustness from catastrophic failure if it were to have a material defect introduced at manufacture.
FAA/Industry Teams and Activities
As a result of this accident, there were a number of follow-on initiatives involving FAA, engine and aircraft manufacturers, and foreign airworthiness authorities to address many of the deficiencies identified in the NTSB safety recommendations and lessons learned. These initiatives resulted in revisions to existing AC material, publication of new ACs, and the implementation of new industry standards. These initiatives did not focus on the DC-10 aircraft and CF6 engine. They were global in nature and applied to large transport aircraft and engines throughout the commercial aviation industry. The following is a partial list of the initiatives and policy changes that resulted from the UAL 232 Sioux City accident.
- Engine Hazard Working Group (EHWG)
  a) FAA/Industry/Foreign Airworthiness Authority team was formed to address the question of transport engine non-containment as it relates to aircraft survivability. Assessed blade, disk fan blade containment.
  b) Final report dated April 1, 1991.
- FAA Titanium Rotating Components Review Team (TRCRT)
  a) Initiative dedicated to data collection, review, and analysis concerning the design, manufacture and inspection of turbine engine titanium rotor disks, hubs, and spools.
  b) Report to industry in May 1991.
- SAE Committee on Uncontained Turbine Engine Rotor Events
  a) Committee issued report #SP1270.
  b) The report is the result of FAA AIR letter following UAL 232 accident and addressed NTSB safety recommendations A-90-172 and A-90-170.
- ARAC Powerplant Installation Harmonization Working Group (PPIHWG)
  a) Addressed NTSB safety recommendation A-90-170 and worked on AC 20-128A/B.
- Jet Engine Titanium Quality Committee (JETQC)
  a) FAA-sponsored committee to implement a system to report and develop a database of all inclusions found in titanium alloy billet, bar and forgings.
  b) Comprised of FAA and engine manufacturers.
- Aerospace Industries of America (AIA) Rotor Integrity Subcommittee (RISC)
  a) Committee of industry specialists to address FAA TRCRT recommendations.
  b) Standing committee to address rotor integrity issues.
  c) Committee helped the FAA develop the damage tolerance framework for engine rotors.
- Transport Aircraft Safety Subcommittee (TASS)
  a) In 1989, the FAA Administrator established TASS, which reports to FAA Research, Engineering and Development Advisory Committee.
  b) Reporting to TASS were:
    • Airworthiness Assurance Task Force (AATF)
    • Systems Review Task Force (SRTF)
- Engine Titanium Consortium
  a) Chartered to review and improve manufacturing and in-service inspection processes for all rotating rotors.
- AIA Materials and Structures Committee (MSC)
  a) FAA/Industry team was founded in 1992 to establish and implement the best manufacturing practices of titanium rotors.
AC/POLICY
AC 20-128 (no longer available) addresses design precautions for minimizing hazards to aircraft from uncontained turbine engine and auxiliary power unit rotor failures. This AC existed at the time of the Sioux City accident and was subsequently revised.
AC 33.15-1 addresses the best manufacturing procedures for titanium alloy rotating engine components. This AC was issued subsequent to the Sioux City accident and was one of the products of the post-Sioux City accident FAA and industry initiatives.
Engine
- AD 89-20-01, CF6-6 series, final rule request for comments, issued September 15, 1989. Requires ultrasonic inspections of stage 1 fan disks for metallurgical defects that could adversely affect the service life of the disk.
- AD 89-20-01 R1, CF6-6 series, final rule request for comments, issued November 24, 1989. Amends AD 89-20-01 by adding 50 additional stage 1 fan disk serial numbers to the tables in the AD, requiring removal and ultrasonic inspections (USI) for metallurgical defects. The FAA determined that this additional population of stage 1 fan disks was manufactured using the same process as the disk that failed on UAL 232.
- AD 91-12-09, CF6 series, final rule request for comments, issued May 21, 1991. Further analysis indicates that metallurgical defects located in certain locations on the stage 1 fan disk may not be detectable by USI. This AD requires a new inspection procedure using eddy current inspections.
- AD 91-15-03, CF6 series, final rule request for comments, issued June 25, 1991. Adds additional stage 1 fan disks to the inspection program.
NOTE: The inspections required by the engine ADs identified a second CF6 fan disk that had a metallurgical defect located in a low-stress region of the part. This disk was subsequently removed from service.
Aircraft
- AD 90-13-07, DC-10 series, final rule following NPRM, issued June 4, 1990. Requires modification of aircraft hydraulic systems to prevent total loss of hydraulic power and flight control systems.
- AD 91-23-14, DC-10 series, effective January 9, 1992. Requires the hydraulic shut-off valve be wired to the master caution warning system.
- AD 95-14-06, DC-10 series, effective August 18, 1995. Requires various modifications to the flight controls, hydraulic systems, and landing gear to enhance the controllability of these aircraft in the event of catastrophic damage to all aircraft hydraulic systems. These changes were prompted by recommendations from the Systems Review Task Force.
Airplane Life Cycle:
- Design / Manufacturing
- Maintenance / Repair / Alteration
Accident Threat Categories:
- Lack of System Isolation / Segregation
- Uncontained Engine Failure
Groupings:
- Loss of Control
Accident Common Themes:
- Human Error
- Flawed Assumptions
- Pre-existing Failures
Flawed assumptions
The No. 2 fan disk on the accident airplane had been manufactured using the double VAR process, which at the time of the accident was known to result in a higher defect rate than the triple VAR process which had been adopted. In order to allow double VAR manufactured parts to remain in service, a program of regular inspections had been adopted to monitor the airworthiness of those parts. It had been assumed that the inspection program would detect and remove defective parts from the fleet. In the case of this accident, this fan disk was inspected multiple times, and the crack which eventually caused the disk failure was never detected.
Human error
The No. 2 fan disk was subjected to multiple inspections prior to the accident, and the crack in the fan bore which initiated the failure was never discovered. It was estimated by the NTSB that the crack had grown to almost one-half inch in length at the time of fan disk failure.
Pre-existing failures
It was determined by the investigation that the No. 2 fan disk was manufactured with a defect (internal occlusion) that resulted in a crack that reached the inner bore of the disk hub. This crack went undiscovered during multiple inspections, and eventually led to the failure of the fan disk.
The UAL Flight 232 Sioux City accident has links to at least three other airplane accidents/incidents, all of which occurred prior to the Sioux City accident. The first was the National Airlines DC-10 accident that occurred on November 3, 1973, near Albuquerque, New Mexico. During cruise, the fan assembly of the No. 3 engine disintegrated, resulting in loss of the inlet, fan case and many of the fan blades. Engine debris struck the fuselage, right wing root area, and engines No. 1 and No. 2. Engine debris that impacted the airplane caused damage to two of the aircraft's three hydraulic systems and failure of a passenger window. Debris from the failed engine punctured the No. 1 engine oil tank which was close to being empty by the time the airplane had completed its emergency landing.
The second link is to the Eastern Airlines Lockheed L-1011 incident that occurred on September 22, 1981. During climb out from Newark, New Jersey, the crew noticed an engine vibration indication for the number two (center) engine. The fan bearing on the center engine subsequently failed, liberating the fan assembly inside the tail compartment of the airplane. Three of the four hydraulic systems were lost due to massive system damage caused by the fan liberation. An uneventful diversion to New York's Kennedy Airport was accomplished.
The third link is to the Japan Airlines B-747 accident that occurred on August 12, 1985. The airplane experienced a sudden decompression at 24,000 feet over Japan when the aft pressure bulkhead failed. The accident investigation identified failure of the aft pressure bulkhead due to a repair that had been previously made. The bulkhead failure ruptured part of the fuselage vertical fin and caused the loss of all four aircraft hydraulic lines that resulted in loss of all aircraft primary control functions. The flight crew maintained minimal control of the airplane by manipulating thrust from the engines, but the airplane subsequently crashed into a mountain.
The Japan Airlines accident is linked to the Sioux City accident because the pressure bulkhead failure caused loss of all four aircraft hydraulic systems. The Japan Airlines and United Airlines Sioux City accidents showed that the lack of independence of the hydraulic systems from a single failure event, such as a zonal hazard, can result in an unsafe condition. System isolation can be compromised by lack of physical separation even though functional isolation exists.
Technical Related Lessons:
Fan hub failures of large, high bypass turbofan engines constitute a potentially catastrophic threat to the airplane (Threat Category: Uncontained Engine Failure)
- In this accident, the titanium fan disk fractured and separated into two large pieces and other smaller pieces. The fan debris penetrated the horizontal stabilizer and severed hydraulic lines, causing complete loss of hydraulic fluid and the associated loss of motive power to the entire flight control system. The loss of flight controls left the airplane uncontrollable via conventional means. Only through exceptional skill and coordination was the flight crew able to establish minimal airplane control via the use of asymmetric thrust. The lack of precise control during the landing phase of flight contributed to the loss of control on short final approach and the accident during landing.
A double vacuum arc remelt (VAR) manufacturing process for critical, high energy rotating titanium engine components is inadequate to consistently produce defect-free parts (Threat Category: Uncontained Engine Failure)
- It was discovered by industry that the use of a double VAR process did not consistently produce defect-free parts. Industry had elected to transition to a triple VAR process and had implemented an inspection process to monitor double VAR manufactured parts still remaining in the fleet, until such time as they could be replaced. The #2 fan disk on the accident airplane had been manufactured using the double VAR process and had been inspected several times prior to its failure.
System redundancy and isolation should include assessment of both physical and zonal hazards. (Threat Category: Lack of System Isolation/Segregation)
- In the case of this accident, the airplane's hydraulic systems were physically isolated from one another, but due to space constraints in the tail section of the airplane, were in close proximity to one another. All three systems were therefore vulnerable to fan disk failure. Damage from the fan hub fragments resulted in the loss of all hydraulic fluid and associated loss of the flight control system.
Common Theme Related Lessons:
Reliance on repetitive inspections of critical engine components has inherent reliability limitations (Common Theme: Flawed Assumptions)
- Due to the critical nature of the fan disk, maintenance practices require that it be subjected to regular, detailed inspections to look for various types of damage, or indications that the disk is no longer serviceable. The #2 fan disk on the accident airplane had been inspected several times prior to the accident, and no damage had been discovered. The NTSB estimated that the crack which led to the disk failure had been approximately one-half inch long at the time of failure. It was assumed that the detailed, regular inspections would result in detection of a flaw that would require removal of the disk from service prior to failure.
The type and frequency of non-destructive tests being employed should consider detection reliability, as well as the consequences of failure to detect a flaw. (Common Theme: Human Error)
- The #2 fan disk on the accident airplane had undergone a fluorescent penetrant inspection several times prior to the accident. No cracks or other damage were detected during any of the inspections. The NTSB estimated the crack that caused the disk failure had grown to approximately one-half inch at the time of failure yet was still undetected. Some non-destructive inspection techniques require varying levels of human interpretation of the inspection results and have varying degrees of reliability for identifying defective parts.