United Air Lines Flight 232 is the case study that defined what Crew Resource Management looks like when it saves lives. On 19 July 1989, a titanium fan disc in the tail-mounted Number 2 engine shattered due to an undetected metallurgical defect, sending fragments through all three of the DC-10’s independent hydraulic systems. The aircraft lost all primary flight control hydraulics — an event that the aircraft’s designers had assessed as so improbable it did not require a survivable emergency procedure.
It should have killed all 296 people on board. Instead, 185 survived. They survived because a crew of three — joined fortuitously by a fourth qualified pilot among the passengers — improvised a recovery technique that did not exist in any manual, trained for no scenario, and was guided by no checklist. They flew the aircraft using differential engine thrust alone, for 44 minutes, to a landing that was violent, incomplete, and genuinely miraculous in its outcome.
United 232 is the gold standard of CRM. It is also one of the most important case studies in hydraulic system architecture and the limits of redundancy design assumptions.
United 232 proved two things: that redundancy assumptions have physical limits, and that a crew working as a team can achieve outcomes that no procedure anticipated.
Date | 19 July 1989 |
Flight | UAL 232 |
Aircraft | McDonnell Douglas DC-10-10 |
Operator | United Air Lines |
Fatalities | 111 of 296 on board |
Category | Hydraulic System Failure / CRM / Uncontained Engine Failure |
Location | Sioux City Gateway Airport, Iowa, USA |
The Event
- DC-10 cruises at FL370 over Iowa on a routine flight from Denver to Chicago
- Stage 1 titanium fan disc in Number 2 (tail) engine fails catastrophically
- Disc fragments penetrate the tail section, severing hydraulic lines for all three independent systems
- All three hydraulic circuits lose pressure within seconds — no flight controls
- Captain Alfred Haynes, First Officer William Records, and Flight Engineer Dudley Dvorak begin improvising
- DC-10 instructor Denny Fitch, travelling as passenger, volunteers and comes to the flight deck
- Fitch takes manual control of the throttles; Haynes manages the flight deck
- Four crew members improvise differential thrust control for 44 minutes
- Aircraft arrives at Sioux City with uncontrollable right roll; right wing strikes the ground on touchdown
- Aircraft cartwheels, breaks apart, and catches fire; 185 of 296 on board survive
The NTSB later noted that any landing with survivors was considered essentially impossible given the aircraft’s condition. The 185 who survived owed their lives to the crew’s improvisation and to structural sections that remained intact during the breakup.
Systems Engineering Perspective
From a systems engineering perspective, United 232 exposes the most fundamental vulnerability in redundancy design: common-cause failure through shared physical location. The DC-10’s three hydraulic systems were designed to be independent. They were independent in terms of hydraulic fluid, pumps, reservoirs, and control logic. They were not independent in terms of physical routing — all three systems ran through the same tail section.
The design assumption was that no single failure could simultaneously sever all three systems. That assumption was correct for most failure modes. It was not correct for an uncontained engine failure generating high-velocity disc fragments that penetrated the entire tail section in milliseconds.
Redundancy that shares a physical location is not true redundancy — it is replicated vulnerability. United 232 exposed the difference.
The Hydraulic Architecture — Independent Systems, Common Location
The DC-10 incorporated three fully independent hydraulic systems — Left, Centre, and Right — each with its own reservoir, pumps, and lines. The design philosophy was that any two systems could fail and the third would provide sufficient control authority for safe flight. This was sound redundancy engineering for the failure modes considered.
The architectural vulnerability was the routing. All three hydraulic lines ran through the same tail section — the section that housed the Number 2 engine. A single physical event in that section could — and did — simultaneously sever all three. The redundancy was real for independent failures. It was absent for common-cause failures at the physical routing level.
Three independent systems sharing a common physical vulnerability are, for that vulnerability, a single system. The redundancy exists only for the failure modes that respect the system boundary.
The Fan Disc Defect — What Inspection Missed
The failed disc had accumulated 15,503 flight cycles. The titanium alloy contained a small hard alpha inclusion — a metallurgical defect introduced during the manufacturing of the titanium billet before the disc was machined. Hard alpha inclusions are zones of abnormally high nitrogen content that make the titanium brittle. Under cycling loads, a fatigue crack had propagated from this inclusion over years of operation.
The inspection programme used fluorescent penetrant inspection (FPI) at defined intervals. FPI had a known probability of detecting defects of this type at this size — a probability that was less than 100%. The defect had been present in the disc for years, possibly from the beginning of its service life, at a size below the reliable detection threshold of the inspection method.
This is the inspection reliability problem: no inspection method has perfect sensitivity. Safety cases that assume inspection as a barrier must account for the statistical probability of missed defects.
An inspection programme that has a known probability of missing a specific defect type is not a barrier for that defect. It is a probabilistic filter — and filters have a non-zero pass-through rate.
The Improvised Recovery — Outside the Design Envelope
No aircraft manufacturer had designed a procedure for total hydraulic failure on a DC-10. No simulator had been programmed to replicate it. No training manual addressed it. The possibility had been assessed as so remote as to require no emergency procedure.
What the crew discovered — and what has since been validated in simulator testing — is that differential thrust on the wing-mounted Number 1 and Number 3 engines could provide crude but usable pitch and roll authority. Increasing thrust on one engine pitched the nose up and rolled the aircraft toward the opposite side. Reducing thrust on both pitched the nose down.
The technique was approximate, oscillatory, and exhausting. The aircraft arrived at Sioux City in a right-bank attitude that made a normal landing impossible. But it arrived.
Human Factors Perspective
United 232 is the definitive positive CRM case study — the counterpoint to Tenerife, United 173, and Korean Air 801. Where those accidents show what happens when CRM fails, United 232 shows what becomes possible when CRM succeeds at the highest level under the most extreme conditions.
Leadership Under Catastrophic Uncertainty
Captain Alfred Haynes’ management of the United 232 emergency has been studied and taught in aviation safety programmes around the world. His approach embodied the principles of CRM before those principles had been widely implemented: he solicited input from every qualified source, he shared authority openly, he maintained situational awareness at the system level rather than becoming fixated on any single task, and he communicated with ATC, the cabin crew, and the passengers with extraordinary composure.
Haynes later said: ‘If I hadn’t used CRM, if I’d tried to do it myself, we wouldn’t have made it.’ This statement from one of aviation’s most capable pilots is the most succinct validation of CRM ever recorded.
Haynes’ statement — ‘if I hadn’t used CRM, we wouldn’t have made it’ — is the most important three sentences in CRM history. They came from a pilot who had every reason to trust his own capability, and chose to trust his team instead.
The Unexpected Resource — Denny Fitch
United DC-10 instructor Denny Fitch was travelling as a passenger. When he heard the emergency announcement and understood the nature of the failure, he offered his services. Haynes accepted immediately — a decision that was not procedurally required, not trained, and not obvious.
Fitch took the throttles and spent the next 44 minutes developing and refining the differential thrust technique, freeing Haynes to manage the full scope of the emergency. The crew had effectively created a fourth crew member out of a resource that the procedures did not recognise.
Communication With the Cabin — Managing 285 Passengers
The crew briefed the cabin crew on the situation with sufficient information for them to prepare an appropriate evacuation plan, without creating panic. The cabin crew was professional, prepared, and effective — an outcome that required accurate information and adequate preparation time.
The decision about what to tell passengers, and when, is one of the most difficult in emergency management. United 232 demonstrated that honest, useful information delivered at the right time enables survival outcomes that misinformation or silence cannot.
System Interaction Breakdown
1. Redundancy Defeated by Common-Mode Physical Failure
Three hydraulic systems failed simultaneously because they shared a physical location. The safety case for total hydraulic failure had been built on an independence assumption that was not physically valid for high-energy fragmentation events in the tail section. The design worked for everything the designers anticipated. It failed for one thing they had assessed as essentially impossible.
Redundancy designs must include physical separation as a requirement, not just logical independence. United 232 is the case study that established this principle.
2. Inspection Missed the Defect — For Years
The hard alpha inclusion in the fan disc had been propagating a fatigue crack for an unknown number of cycles. The inspection programme, at its mandated intervals and using the specified technique, did not detect it. This is not an inspection failure in the sense of procedure not followed — it is an inspection system failure in which the procedure, correctly followed, had insufficient sensitivity to detect the defect.
3. Uncharted Emergency Handled by Improvisation
The crew faced an emergency for which no procedure existed. The survival of 185 people is attributable to their ability to improvise an effective response using fundamental aerodynamic knowledge. This is the argument for knowledge-based training as a complement to procedure-based training — because the procedures run out before the emergencies do.
Procedures prepare crews for expected emergencies. Knowledge prepares crews for unexpected ones. United 232 required knowledge.
Significance in Aviation Risk
1. Physical Separation of Redundant Systems
Aircraft design certification requirements were revised to require that redundant hydraulic and flight control systems be physically routed through separated structural zones, such that no single physical failure event can simultaneously affect all redundant systems.
2. Fan Disc Inspection — Complete Redesign
The inspection programme for titanium fan discs was fundamentally revised. Inspection intervals were reduced. Fluorescent penetrant inspection was supplemented with eddy current methods. Manufacturing quality control for titanium billets was elevated to prevent hard alpha inclusions from entering the supply chain.
3. Differential Thrust as Formal Emergency Technique
The differential thrust technique improvised by Haynes and Fitch was formalised, validated in simulation, and incorporated into emergency training for all applicable aircraft types. A technique born in extremis became a standard tool.
4. CRM Receives Its Greatest Validation
United 232 is the positive evidence that CRM works. Every subsequent CRM training programme has referenced this crew’s performance as the model. The accident transformed CRM from a post-Tenerife theoretical framework into a demonstrated, life-saving operational practice.
Related Aviation Risk Lab Content
Pillar Pages
Systems Engineering: Systems Engineering
Crew Resource Management: Crew Resource Management
Maintenance and Airworthiness: Maintenance And Airworthiness
Related Case Studies
Case Study 5: American Airlines 96 — The Door That Nearly Did It First: AA 96 1972
Case Study 9: Japan Airlines 123 — The Bulkhead That Held for Seven Years: Jal 123
Case Study 33: US Airways 1549 — The River Landing: Usair 1549
Closing Perspective
United 232 is simultaneously a failure case study and a success case study. It is a failure because a manufacturing defect in a fan disc killed 111 people; because a hydraulic routing architecture had a vulnerability that 35 years of flight operations had not exposed; because the inspection programme could not detect what it needed to detect.
And it is a success because the crew transformed an unsurvivable emergency into a survivable one through teamwork, improvisation, and the deliberate, conscious application of every resource available to them — including one that wasn’t in the crew list. One hundred and eighty-five people are alive because of what those four men did in the cockpit of N1819U on 19 July 1989.
The systemic legacy of United 232 is the physical separation requirement for redundant systems; the redesign of fan disc inspection; and the immortal validation of Crew Resource Management. The human legacy is Captain Haynes’ statement that he couldn’t have done it alone.
United 232 proved that the system can be wrong about what is ‘essentially impossible’ — and that a crew that works as a team can survive what the system said couldn’t happen.
Related Posts
