Note: this accident was previously featured in episode 40 of the plane crash series on June 9th, 2018, prior to the series’ arrival on Medium. This article is written without reference to and supersedes the original.
On the 24th of February 1989, a routine overnight flight to New Zealand suddenly turned into an unimaginable nightmare when 32 square meters of its fuselage ripped away at 23,000 feet over the Pacific. Five rows of seats containing nine passengers were blasted out into the night, never to be seen again. For the 346 others who remained, the next 20 minutes would become a desperate battle for survival, as the pilots fought to get their stricken plane on the ground with two failed engines, a damaged wing, several inoperative systems, and, of course, a gaping hole in the side of the airplane.
In the end, through a remarkable display of airmanship, they made it, greasing the plane onto the runway in Honolulu. But the damage had already been done. Nine people were missing and presumed dead, while dozens were injured. It would be up to the National Transportation Safety Board to determine what caused this midair catastrophe, and prevent it from ever happening again.
The proximate cause, made obvious by the damage itself, was the in-flight opening of the forward cargo door, leading to a massive explosive decompression. But why had the door opened? Was it properly latched to begin with, or had it somehow come unlatched by itself? Why didn’t the locks prevent it from opening? In trying to answer these questions, the NTSB would have to dive down a rabbit hole of prior service bulletins, overlooked incidents, company documents, and regulatory decisions, which all pointed to a disturbing conclusion: that the design of the door was vulnerable, and Boeing and the FAA should have known it. But without the door itself, they couldn’t say for certain what made it come open — until, more than two years later, the discovery of the door at the bottom of the Pacific blew the case wide open, overturning some of the NTSB’s assumptions about what had gone wrong.
Just past midnight on the 24th of February 1989, the crew of a United Airlines Boeing 747 reported for duty at the airport in Honolulu, Hawaii, refreshed and ready to get back to work after a pleasant 34-hour layover in paradise. Despite the late hour, the terminal was packed, as a nearly full complement of 337 passengers lined up at the gate for flight 811 to Auckland, New Zealand and Sydney, Australia. Many were New Zealanders and Australians returning home from vacation; others were Americans whose vacations were just beginning. Some (including at least one particularly unlucky individual) had accepted an incentive to take flight 811 after a faster direct flight from Los Angeles to Auckland was overbooked. That decision bumped them down from a newer, longer-range 747 to the aging, well-worn early model 747-100 operating flight 811. Registered as N4713U, the plane was one of the first 747s ever built, and had been delivered to United Airlines new in November 1970. Although its age was beginning to show, United had no plans to retire it anytime soon.
In addition to the 337 passengers, flight 811 featured a crew of 18, including 15 flight attendants and three pilots. In command was 59-year-old Captain David Cronin, a veteran airman who had “flown everything” — in his words — and had over 28,000 flying hours, a remarkable number which many pilots will never reach. He was either two flights or two months short of retirement, depending on the source, and had been flying for United since 1954, before the company acquired its first jet airliner. Joining him was an experienced First Officer, 48-year-old Gregory Slader, who had a fairly impressive 14,500 flight hours but was new to the 747. And finally, rounding out the crew was 46-year-old Flight Engineer Randall Thomas, whose 20,000 hours of experience placed him only a tier or two below his venerated Captain. All things considered, the passengers of flight 811 could not have asked for a better crew.
Once all the passengers were on board, all the bags had been secured in the cargo hold, and fuel for the eight-hour journey had been loaded into the tanks, flight 811 taxied out and took off from Honolulu at 1:52 a.m. local time. Climbing away from the island, the pilots observed some thunderstorms in the distance, so they decided to leave the fasten seat belt signs on, just in case they encountered turbulence. They had no idea that this simple action would save the lives of many.
Seventeen minutes into the flight, now climbing toward 23,000 feet, the flight attendants were just about to start their drink service when passengers on the right side of the forward business class section on the lower deck heard a strange sound from somewhere beneath their feet. Moments later, there came a loud thump, powerful enough to be heard in the cockpit. “What the hell was that?” Captain Cronin asked.
Flight Engineer Thomas just barely had time to reply. “I don’t know,” he said — and then the plane was rocked by a bone-shattering explosion.
In the business class section, the right side of the plane opened up in a fraction of a second, ripping an immense hole in the fuselage. The floor collapsed beneath the right-side double seats in rows 8 through 12, which instantly disappeared into the screaming void along with their occupants. Debris flew back and slammed into every conceivable surface, peppering the №3 and №4 engines and the leading edges of the right wing, horizontal stabilizer, and vertical fin. Inside the cabin, the pressurized air forced its way out through the hole, ripping away anything that was not nailed down, and some things that were. Loose objects flew forward at immense speed; panels ripped out of the ceiling; overhead bins flew open and disgorged their contents. White fog suddenly appeared in the aisles, and the lights went out, plunging the cabin into darkness. The only sound was the all-consuming, indescribable roar of the wind.
For a moment, Captain Cronin thought it was all over. Just ten weeks earlier, Pan Am flight 103 had been blown up by a bomb over Lockerbie, Scotland, sending the severed cockpit plunging to earth with the flight crew inside, and for a moment, he thought that he too had gone the way of his Pan Am colleagues. But as the mist cleared and the noise subsided from incomprehensible to merely deafening, he came to his senses and realized that despite his fears, the plane was, somehow, still flying.
For 21 seconds, the cockpit voice recorder ceased recording, before it, along with the cabin lights, came back on as backup power kicked in. By then, the pilots were already trying to work through the problem. “The engine — ” someone started to say.
“Okay, uh, it looks like we’ve lost [the] number three engine,” said First Officer Slader, making a report to air traffic control. “And uh, we’re descending rapidly, coming back.”
“United 811 heavy, roger, keep center advised,” said the controller.
“Call the aft flight attendant,” Captain Cronin ordered. “[We’re] going down.”
“We’ve lost number three,” Flight Engineer Thomas repeated.
“Okay, emergency descent,” said Cronin. Recognizing that an explosive decompression had occurred, and that there was not enough oxygen to sustain the passengers and crew for long at 23,000 feet, Cronin had already put the plane into a steep emergency descent, diving down in search of breathable air, while simultaneously initiating a 180-degree turn back toward Honolulu.
“United 811 heavy, we’re doing an emergency descent,” First Officer Slader reported.
“United 811 heavy, roger,” said the controller.
“Put your mask on, Dave,” Slader said to his Captain.
All three pilots put on their oxygen masks, only to discover that nothing was coming through. “I can’t get any oxygen,” Cronin said.
“You okay? Are you getting oxygen?” Slader asked. “We’re not getting any oxygen.”
“No, I’m not getting oxygen either,” said Flight Engineer Thomas.
The pilots were just now discovering that the explosion had destroyed the oxygen supply, not only for them, but for the passengers and flight attendants as well. This failure was contributing to scenes of pandemonium in the cabin, where howling wind was sweeping down the aisles, throwing objects in every direction as passengers and crew alike gasped for air. One flight attendant ran to the nearest crew station, only to find that no oxygen bottle was installed there. Some passengers’ oxygen masks had not deployed; others pulled them down and put them on, only to discover that no oxygen was flowing. Short of breath and uncertain what was happening, some of the flight attendants were on the verge of panic. The huge hole in the fuselage was clearly visible from throughout the forward cabin, and it was unclear how far up the damage went; in fact, some cabin crew began to fear that the cockpit on the upper deck may have been destroyed, and that the plane was out of control. If that was the case, then there was nothing they could do — but even so, they had a job to perform, and now was not the time to give up.
Summoning whatever bravery they possessed, the flight attendants decided to prepare the passengers for a crash landing at sea. The lead purser attempted to broadcast instructions over the public address system, but it wasn’t working. Switching to plan B, they went for the backup megaphones, but there were only two of them — not enough for the 15 flight attendants to make themselves heard throughout the cabin. Most of them were forced to revert to plan C, which consisted of standing in the aisles and miming instructions, while holding up a safety card and frantically gesturing for passengers to read it.
Fortunately for the passengers and crew alike, the emergency descent had its intended effect, and before long the plane was approaching more livable altitudes.
“The cabin’s fifteen,” remarked Flight Engineer Thomas, noting that the pressure inside the cabin was equivalent to 15,000 feet.
“United 811 heavy, say your altitude now,” the controller requested.
“United 811 heavy we’re out of fifteen point five,” said First Officer Slader. Turning to the Captain, he said, “Go through the procedure for number three? I think we blew a door or something.”
“Tell the flight attendant[s] to get prepared for an evacuation,” Captain Cronin ordered. Turning back to the flight engineer, he said, “We don’t have any fire indications?”
“No, I don’t have anything,” said Thomas.
“Okay, we lost number three,” Cronin confirmed again.
“There’s no N1,” said Slader, referring to the fan rotation speed. The instruments clearly showed that the №3 engine was not generating power. Although there was no fire alarm, passengers on the right side could also see that this engine was in fact shooting flames out of both the front and the back, while №4 also appeared to be in dire straits, with a column of fire trailing behind it almost as far back as the tail. Both engines had clearly ingested debris, causing massive damage.
“Let’s shut it down,” Cronin decided. “There’s no N1.”
First Officer Slader quickly ran through the engine shutdown checklist, cutting fuel to №3. “That stopped the vibration anyway,” he commented.
Radioing air traffic control, Slader then said, “Center, United 811 heavy, we’re gonna level at 9,000 here while we assess our problem, and uh, we’re coming back direct Honolulu.”
“United 811 heavy, roger, keep the center advised,” said the controller.
But Captain Cronin and First Officer Slader knew that leveling off at 9,000 feet might be harder than it seemed. The controls were not responding normally to their inputs, even more so than they would expect with one engine out. “I think we lost the, uh — it’s like the leading edge on number…” Slader started to say.
“We might have some damage out there,” Cronin agreed. If only he knew!
“We got 180,000 pounds [of fuel],” Thomas pointed out, trying to draw the pilots’ attention to the fact that the plane was far above its maximum landing weight. They would need to dump fuel or risk breaking the landing gear on touchdown.
“We got a control problem here,” said Cronin, still focused on more immediate matters.
“Do we?” Slader asked.
In the background, the upper deck flight attendant could be heard yelling for the passengers to take their seats.
“Start dumping the fuel,” Slader said to the Flight Engineer.
“I am dumping,” Thomas replied, opening the fuel jettison valves.
“We’ve got a hell of a control problem here,” Cronin repeated. “I’ve got almost full rudder on this thing.”
Indeed, with the №3 engine shut down, №4 running poorly, and damage to the leading edge of the right wing, there was a massive asymmetry in terms of both thrust and drag, which was trying to pull the plane hard to the right. Captain Cronin had to continuously apply almost full left rudder just to maintain their heading.
Meanwhile, the troubleshooting continued.
“You dumping as quick as you can?” Slader asked Thomas.
“I’m dumping everything,” Thomas said.
“Ah, we got a problem with [the] number four engine,” said Cronin.
“Yeah, number four looks like it was out too,” Thomas agreed.
“Well, we got EGT [exhaust gas temperature], we got N1,” said Slader.
“The N1 looks low,” Thomas pointed out. “You don’t have all of it.”
This put Captain Cronin in a difficult situation. With a nearly full load of passengers, baggage, and fuel, flight 811 was too heavy to maintain altitude with only two working engines.
“Okay, what’s max EPR for number two, one and two?” Cronin asked, trying to figure out how much power he could squeeze out of their two remaining engines.
“Can you maintain 240 [knots]?” Slader asked.
“Yeah, just barely,” said Cronin. With the available thrust, it was difficult to go much faster, but if they slowed down, they would descend even quicker — or worse, the decreased speed could result in reduced rudder authority, causing the plane to spiral in around its dead engines.
“Yeah, but we’re losing altitude,” Slader continued.
“I know it,” said Cronin.
“We’re down to 670,000 now,” Thomas said, updating the pilots on their gross weight. “We’re dumping five thousand pounds a minute.”
Meanwhile, Slader confirmed that the controller had spotted them on radar, then reported, “Okay, it appears that we’ve lost the number three engine, and we’re not getting full power out of number four. We’re, uh, not able to hold altitude right now. [But] we’re dumping fuel, so I think we’re going to be able t — ”
“United 811 heavy, I show you six zero miles south of Honolulu at this time,” the controller said.
The question was: at their rate of descent, would they be able to cover those 60 miles before hitting the water? The pilots seemed to think so, but no one could be totally sure.
Now Flight Engineer Thomas said, “I haven’t talked to anybody yet, I couldn’t get to ’em. You want me to go downstairs to check?”
With the interphone apparently inoperative, the pilots had not been able to talk to the flight attendants, and no one knew exactly what was happening in the cabin. Now seemed like as good a time as any to find out.
“Yeah, let’s see what’s happening down there,” said Cronin.
“I think we lost a compressor, but ah…” Thomas said, speculating that perhaps an uncontained engine failure was the cause of their difficulties.
“I can’t hold, I can’t hold altitude!” Cronin interjected.
“Yeah, I told him that we’re gonna…” said Slader.
“What’s the max on there?” said Cronin. “I got takeoff power on this thing!” Incredibly, even with engines 1 and 2 on takeoff power, they were still descending.
“You got 250 knots now,” said Slader. “That’s good. Seven thousand, that’s — ”
“No fuel flow, no fuel flow on [the] number four engine,” said Cronin.
“How can we have no fuel flow if we got N1 and EGT?”
“We must be losing fuel like mad out of that number four engine,” Cronin said. Turning to Thomas, he asked, “You got the thing balanced on the fuel?”
“Ah yes, fuel’s balanced,” said Thomas. With his most urgent task complete, he said, “Okay, I’m going downstairs to see what the hell’s going on.”
“Go ahead and run down and see what’s happening,” Cronin agreed. For the first time since the start of the emergency, Thomas got up and left the cockpit — completely unaware of the magnitude of what he was about to discover.
Stepping into the first class cabin on the upper deck, he immediately noticed a large hole in the right side of the plane, stretching up to the window line. Numerous ceiling panels had been pulled down, and exposed ribs and stringers protruded jarringly into the gap. All the passengers appeared to be okay, but it was clear that there was more damage located out of sight.
Thomas hurried down the stairs to the lower deck, where, upon rounding the bend, he was confronted by an unbelievable scene of devastation. An immense, yawning chasm had opened up in the right side of the fuselage, a hole big enough to drive a car through. Part of the floor and several rows of seats were missing, having vanished through the breach. Pieces of mangled airplane structure were flapping openly in the wind. All around him, passengers were shouting, screaming, crying, and praying, some with blood running down their faces where they had been struck by debris. Flight attendants were frantically trying to get all the passengers into life vests. Oxygen masks swayed back and forth in the breeze. Witnesses recalled seeing Thomas turn very pale, mouth the word “fuck,” and run away back up the stairs.
Up in the cockpit, the pilots were dealing with engine №4, which had begun to break down after Cronin attempted to increase thrust. “We got a fire on the right side,” Cronin said, reacting to a fire alarm. “We’re on two engines now.”
Just then, a breathless Flight Engineer Thomas burst back into the cockpit. “The whole right side…” he exclaimed. “The whole right side is gone from about the one right back, it’s just open, you’re just looking outside.”
“Whaddaya mean, pieces…?” Cronin started to ask.
“Looks like a bomb,” said Thomas.
“Fuselage — ” Slader interjected.
“Yes, [the] fuselage, it’s just open,” said Thomas.
“Okay, it looks like we got a bomb that went off on the right side,” Cronin said, trying to summarize the situation. “The whole right side is gone?”
“From about the one back to, ah…”
“Anybody…?” Slader asked, wordlessly conveying his apprehension.
“Some people are probably gone, I don’t know,” said Thomas. He didn’t want to believe it, but he did know; he had seen it. This wasn’t just a normal emergency — people were already dead. And if they couldn’t get the stricken plane on the ground in one piece, then more would surely follow.
The next several minutes were a whirlwind of activity, as the pilots worked with the controller and with each other to get their plane lined up for a straight-in approach to runway 8 Left at Honolulu International Airport. First Officer Slader explained to ATC that a bomb had exploded on board, that much of the right side of the plane was missing, that they had a fire in one of their engines, and that they would need all the medical equipment they could get. The controller in turn halted all other takeoffs and landings and rolled the fire trucks and ambulances to meet the crippled 747. All the while, the pilots carefully configured their plane for landing, while trying to keep within a narrow speed band — fast enough to maintain control, but slow enough to avoid overstressing an airframe that they feared could break apart at any moment. And as they discussed the flaps, the landing gear, the stall speed, the maneuvering speed, the evacuation, and much besides, the plane never stopped descending, dropping inexorably toward the threshold of the runway, whether they wanted it to or not.
At times, the pilots appeared less than confident: “I don’t know if we’re gonna make this,” Captain Cronin said. “I can’t hold altitude.”
“Okay, well we have 24 miles to go and we’re drifting down slowly, so…” Slader said.
“You’re gonna make it,” Thomas chimed in, adding encouragement.
In the cabin, passengers caught sight of the lights of the Hawaiian Islands, and for the first time, they felt the warm rush of hope.
The pilots now intercepted the glide slope to the runway and commenced the two-engine approach checklist.
“We have all our hydraulic systems,” Thomas commented.
“That’s a plus,” Cronin drily replied.
Slader began to extend the flaps incrementally, while Cronin called out any changes in the airplane’s handling characteristics. At one degree, the flaps worked fine, but at five degrees, a warning came on, informing the crew that the flaps had deployed asymmetrically. Both the flaps and slats on the outermost portion of the right wing had been damaged and would not extend. The pilots decided to leave the flaps at ten degrees, well short of the normal landing position, which would force them to approach at a speed of 210 knots — much faster than normal. To fly slower, they would have needed to extend the flaps farther, allowing the wings to generate more lift, but with an asymmetry it would be dangerous to do so.
In the final moments, the runway hove into view through the clouds, the landing gear deployed without a hitch, and everything seemed in order. Flight Engineer Thomas picked up the public address system — which was, by some miracle, now working — and for the first time, gave a passenger announcement: “Have about two minutes until we touch down,” he said. “We will be evacuating upon touchdown, once we come to a stop.”
The pitter-patter of conversation continued at a frenetic pace. Speed, glide slope, brakes, reversers…
“One hundred feet,” Thomas called out. “Fifty feet. Thirty. Ten!”
At a speed of 190 knots, flight 811 streaked over the runway threshold and touched down with unexpected grace. Captain Cronin slammed on the brakes and activated the thrust reversers on engines 1 and 2, holding the plane straight down the centerline. And just like that, the massive 747 slowly came to a stop. As the last sense of motion gave way to blessed stillness, 346 people breathed a collective sigh of relief. Despite great adversity, they had made it.
The evacuation went as smoothly as it could have, as all the surviving passengers and crew jumped down the slides and into the waiting arms of the first responders. In all, 38 people were injured, about half of them in the evacuation, and everyone would ultimately make a full recovery. The last to leave were the pilots, who immediately made their way around to the right side of the aircraft to observe the damage. What they saw there took their breath away.
From midway through the upper deck down to the bottom of the forward cargo door, the fuselage had been torn away over an area 3–4 meters wide and 9 meters tall, totaling 32 square meters. The G and H seats in rows 8 through 12 were gone, as was the floor beneath them, along with the entire cargo door and all the contents of the forward cargo hold. Farther back, the right wing had been severely pockmarked by debris impacts, and in fact a piece of a cargo container was found impaled in the leading edge. The №3 and №4 engines were severely damaged, their fan blades having been chewed to shreds after ingesting debris. Still farther back, dents and scuff marks on the horizontal stabilizer and the right side of the vertical stabilizer showed that flying debris had struck these, too — thankfully dealing them only a glancing blow, or control could easily have been lost.
Further damage was noted inside the cabin, where numerous panels were missing, floor beams had buckled, seats were stained with blood, and loose debris was jammed into every conceivable crevice. But perhaps the most striking detail was a plate from the galley which had been ripped toward the hole with such force that it embedded itself in the cabin wall.
As for the nine unfortunate occupants of the missing seats, their fate hardly bore contemplation. Hollywood films might give the wrong impression — there would not have been any frantic grasping and screaming as they were slowly sucked out of the plane, as the silver screen might have you believe. Instead, they were there one moment, and gone the next. One passenger seated right behind the breach summed it up succinctly: “It all happened so fast,” he said, “no one actually saw it.”
Eight of the passengers were ejected still in their seats, but it was noted that one of the victims was actually seated across the aisle, in seat 9F, which was still attached to the airplane; this person probably would have survived if they had been wearing their seat belt properly. Therefore, if you ever need an incentive to obey the fasten seat belt sign, look no further.
Investigators would also discover that not all of the missing passengers made it very far. In a grim twist, fragmented human remains were found inside the №3 engine, indicating that at least one passenger was thrown straight back into the turbofan, dying instantly. Depending on your point of view, being ingested into the engine may have been preferable to the alternative, which was a four-minute plunge into the Pacific Ocean. In any case, the probability of surviving the fall was zero, and although the Coast Guard did spend 48 hours searching for the victims’ bodies, none were ever found.
When investigators from the National Transportation Safety Board arrived at the scene to examine the airplane, it quickly became apparent that the cargo door itself was almost certainly the source of the problem. The door had neatly separated from its frame without leaving much behind, save for the door-shaped gap where it used to be. Furthermore, none of the damaged areas of the fuselage showed any signs of metal fatigue or other structural issues. And despite the crew’s initial belief that they had been the victims of a terrorist attack, no evidence of a bomb was found. Instead, it appeared that as the plane climbed through 23,000 feet, the forward cargo door came open, swung upwards past its stop, and slammed into the side of the fuselage, causing it to break. Simultaneously, the massive decompression of the cargo compartment partially pulled down the floor, resulting in the ejection of the unfortunate passengers. Readers may recall that a similar event brought down Turkish Airlines flight 981 in 1974, when a cargo door failure collapsed the floor and severed the DC-10’s control cables. On flight 811 this fate was thankfully avoided because the 747, being a double-decker aircraft with its cockpit above the main cabin, had its control cables routed through the ceiling, not the floor.
Although the fact that this had occurred was self-evident, it raised many troubling questions. For obvious reasons, a cargo door should not open in flight, and there were numerous safeguards in place to prevent it. It is worth describing these safeguards in some detail before proceeding.
To close the forward cargo door on the Boeing 747, a ground handler will normally hold the door open/close switch in the “close” position, sending a “close” command to a series of three actuators. First, the main door actuator moves the door almost all the way closed, before power is transferred to a secondary actuator, which activates “pull-in hooks” that carefully draw the door flush with the fuselage. When in the fully closed position, C-shaped latch cams on the lower edge of the door clasp round latch pins attached to the door sill. Once these are in place, power is transferred again to a latch actuator, which rotates the cams around the latch pins until the door can no longer be pulled open. When the latch cams have reached the fully closed position, the master latch lock switch (henceforth the S2 switch) makes contact, cutting power to the latch actuator. Once the actuator stops, the ground handler must turn a manual locking handle to the “locked” position. This causes L-shaped aluminum “locking sectors” to move across the open mouths of the latch cams, preventing them from rotating back to the unlatched position, as shown above.
Once the locking handle is fully closed, pressure relief doors embedded in the cargo door will close, allowing the cargo hold to be pressurized. This action also causes the “door unsafe” warning light in the cockpit to extinguish.
Electrical power for this entire sequence is normally supplied by the ground handling bus, which can in turn be powered by the auxiliary power unit (APU), a backup generator in the tail; or by an external source. The ground handling bus is automatically depowered as soon as the engines are started or the plane leaves the ground, ensuring that the latch actuator cannot be activated in the air even in the event of a failure of the S2 switch.
If for whatever reason the door’s electric actuators should fail, it was also possible to latch the door manually using a socket drive. By attaching the socket drive in the designated location and cranking it 95 times, a mechanic could drive the latch cams to the closed position without using the actuator. This process could then be reversed to open the door.
While searching for reasons why these safeguards might have failed, the NTSB learned of an incident which occurred on board a Pan Am Boeing 747 in 1987. As that plane was climbing out of London, it failed to pressurize properly, forcing the pilots to return to the airport. Upon landing, the forward cargo door was found cracked open, with the locking handle in the locked position and the latch cams in the open position, a combination which should have been impossible. Further investigation revealed that before the flight, the latch actuator was not working, so a ground handler used a socket drive to latch the door manually. The door appeared to be closed and the warning light in the cockpit had extinguished. However, damage to the aluminum locking sectors indicated that the latch cams had subsequently been back-driven to the open position, bending the locking sectors out of the way and allowing the door to open while the locking handle was still in the locked position. This presumably occurred while the plane was still on the ground, and was only detected when the plane failed to pressurize after takeoff.
As for who or what moved the latch cams back to the open position, Boeing and Pan Am believed that it was probably a ground handler. Multiple independent electrical failures were required to generate an erroneous “open” command to the latch actuator after the door was locked, but a human could do this simply by re-inserting the socket wrench and attempting to open the door. Most probably, they concluded, someone had tried to open the door again, having forgotten to unlock it first.
This finding revealed a critical weakness in the design of the locking system: namely, that the locking sectors were ineffective as a failsafe, because they could not actually restrain the latch cams from moving to the open position while the door was locked. Furthermore, Boeing had known about this issue since 1975, and the manufacturer had previously issued a service bulletin to 747 operators with instructions for increasing the thickness of the locking sectors, but the modification was optional, and records showed that both United Airlines and Pan Am had declined to embody it.
As a result of this incident, Boeing recognized that the weakness of the locking sectors represented a potential safety of flight issue, so the company released an alert service bulletin — the most urgent form of notification it could publish — urging 747 operators to add steel doublers to the cargo door locking sectors to increase their strength. Eleven months later, and 16 months after the Pan Am incident, the Federal Aviation Administration followed this up with a mandatory airworthiness directive, requiring 747 operators to carry out the upgrade within either 18 months or two years, depending on the exact model. The directive also required 747 operators to inspect the door every time it was opened or closed manually, and required that only certified mechanics, not ground handlers, be allowed to manually open or close the door.
At the time of the United 811 accident, the 18-month compliance period for the airworthiness directive had not yet expired. Despite this, TWA and Pan Am had already modified all of their 747s with the new locking sectors — but United Airlines had not. Only six of their 31 747s had been modified, and the accident airplane, N4713U, was not one of them. Although the modification itself was quite easy — the required parts could be manufactured by the airline on site, and the total cost was only about $3,000 — the process required 15 hours to complete, which was longer than the planes normally spent on the ground between flights. Therefore, in order to avoid disrupting flight schedules, United had decided to perform the work when the planes were taken in for routine heavy maintenance rather than carrying it out immediately. N4713U was scheduled to be modified in April 1989, but unfortunately it never made it.
In its report, the NTSB strongly criticized Boeing, United Airlines, and the FAA for failing to treat the design flaw with the urgency that it deserved. Investigators questioned the rigor of Boeing’s testing process, given its failure to detect that the locking sectors were not strong enough to prevent the door from unlatching. The NTSB contended that the FAA had certified the door as failsafe in part based on the assumption that the door could not be opened while it was locked, without ensuring that this assumption was backed by hard data. The FAA, for its part, contends in its own account of the accident that the locking sectors were never intended as a failsafe. In the agency’s view, the original purpose of the locking sectors was to prevent a ground handler from locking the door if it was not latched, not to prevent the door from unlatching should something or someone attempt to open it while it was locked. Only after such events actually happened in service did Boeing appreciate that the strength of the locking sectors was important.
Regardless, once the Pan Am incident occurred, there should have been no more excuses. The fact that the flight departed London with its cargo door unlatched, without any indication of this fact, represented an unacceptable breach of the door’s design principles. Nevertheless, the FAA took 16 months to issue an airworthiness directive, and then gave airlines at least 18 months to comply, even though the modifications were cheap and easy. The NTSB felt that the FAA could easily have justified a much shorter modification timeline, given the potential seriousness of the issue.
Considering that N4713U was still flying with its original, flimsy locking sectors at the time of the accident, investigators wondered whether United 811 could have been a straightforward repeat of the 1987 Pan Am incident. However, upon interviewing the ground crew, they learned that before flight 811, the electric door actuators were working normally, and no one had attempted to operate the door manually. In order to explain what happened, then, the NTSB developed the following three main theories.
Scenario 1: The S2 switch failed, allowing the latch actuator to receive power from the ground handling bus after the door was locked, and a short circuit provided the actuator with an erroneous “open” command while the plane was still on the ground. The door was then held closed by friction during the climb until the pressure differential grew strong enough to force it open.
Scenario 2: The weight-on-wheels switch and bus cutoff switch both failed, allowing the ground handling bus to be powered in the air, while a faulty S2 switch and short circuit caused the latch actuator to drive the latch cams open in flight. The decompression then occurred immediately.
Scenario 3: Weeks or months before the accident, a ground handler attempted to manually open the door while it was locked, or a faulty S2 switch allowed a ground handler to attempt to electrically open the door while it was locked. The locking sectors were bent out of the way, causing damage which was not detected. On flight 811, this damage made it possible to move the locking handle to the “locked” position when the door was unlatched. The door was then held closed by friction during the climb until the pressure differential grew strong enough to force it open.
One of these theories was almost certainly correct — but without access to the door itself, which was presumed lost at sea, the NTSB would only be able to make an educated guess as to which.
Nevertheless, investigators did what they could. The S2 switch, critical to two of the theories, had been ejected along with the door to which it was attached, as had the latch actuator and most of the wiring associated with it. That made scenario 1 virtually impossible to prove or disprove. Scenario 2, on the other hand, had some concrete evidence against it. The switches which detected whether the plane was on the ground and whether the engine generators were online were found to be working normally, and no anomalies were detected in the wiring which was supposed to isolate the ground handling bus. This finding made it very unlikely that the door could have unlatched in the air, all but ruling out scenario 2, but it did little to clarify the probability of scenarios 1 and 3.
Scenario 3 was appealing for a number of reasons. For one, it was the only scenario which did not rely on multiple specific electrical failures; instead, it relied on multiple human errors. As anyone who deals with accident investigation should know, human errors are far more ubiquitous than mechanical ones, a fact which immediately weighted the probabilities in favor of scenario 3. Furthermore, the investigation conducted by Boeing and Pan Am into the 1987 cargo door incident had shown that such errors had happened before. And finally, although the airworthiness directive called for an inspection every time the door was opened manually, this line had accidentally been deleted when United Airlines was incorporating the provisions into its manual. As a result, when N4713U’s cargo door was last opened manually, probably sometime in November or December 1988, no inspection was conducted, potentially allowing damage to go unnoticed.
There was just one potential problem: the damage to the locking sectors caused by back-driving the latch cams on the Pan Am plane was not severe enough to have allowed the locking sectors to later move into the locked position while the cams were unlatched. In fact, the damaged locking sectors would still run into the cams unless they were close to the correct, latched position. If a ground handler had locked flight 811’s cargo door while it was unlatched, as scenario 3 proposed, then the damage on N4713U must have been much more severe than that which was found on the Pan Am 747. But without access to the door, the NTSB could not prove whether this damage existed or not.
In the end, the NTSB could not conclusively rule out any of the scenarios, but they did decide that, on the weight of probability, they preferred scenario 3, with scenario 1 in a distant second, and scenario 2 in an even more distant third. The only chance to remove the ambiguity was to recover the door, but while talks were ongoing between the NTSB, the FAA, Boeing, and United Airlines over who would pay for a hypothetical search, investigators were not confident that such a search would happen, let alone that the door would actually be found in the depths of the Pacific. With this reality in mind, the NTSB published its final report in 1990, concluding that the probable cause of the accident was prior mishandling of the door by ground personnel, resulting in damage to the locking sectors which allowed the door to be locked when it was not properly latched. Contributing factors included the design of the locking mechanism, with locking sectors that were too weak to restrain the latch cams, and the failure of the FAA, Boeing, and United Airlines to act with sufficient urgency after this design deficiency was identified as a safety of flight issue in 1987.
However, not everyone agreed that scenario 3 was the most probable explanation. A parallel investigation was carried out by New Zealanders Kevin and Susan Campbell, the parents of 24-year-old crash victim Lee Campbell, who came to slightly different conclusions. Although the Campbells concurred with the NTSB’s findings regarding the door’s design weaknesses and the regulatory failures, their analysis of the evidence led them to favor the all-but-ruled-out scenario 2 — an electrical malfunction leading to an in-flight opening of the cargo door.
Although they were not trained investigators, the Campbells were both competent and dedicated. Ron Schleede, the lead NTSB investigator on the case of flight 811, spoke highly of Kevin Campbell, stating in a 1990 article that “This guy has done his homework.” He went on to emphasize that the Campbells’ theory had not been ruled out, and might never be, but that they would not necessarily settle on the same accident scenario.
At the core of the Campbells’ argument was that an electrical malfunction was more likely than the NTSB believed. First of all, if a ground handler had at some point manually back-driven the door open while it was locked, they would have had to make at least 75 turns of the socket drive, all without realizing that the locking handle, located right in front of them, was in the wrong position. Furthermore, in the case of the Pan Am flight, the latch cams were found fully open, which would have required 95 turns of the socket drive. Although such a massive error was not impossible, it was improbable enough to draw skepticism. A more reasonable scenario was that the S2 switch was faulty, providing power to the latch actuator while the door was locked; a ground handler could then have activated the actuator electrically without unlocking the door first. This was a relatively simple error, but it assumed the presence of a malfunction of the S2 switch. And if that malfunction was assumed to be present, then only a single short circuit was required for the latch actuator to activate erroneously without anyone committing an error at all.
In further support of this theory, maintenance records showed that both N4713U and the Pan Am plane involved in the 1987 incident had histories of cargo door malfunctions. On both airplanes, the doors sometimes failed to open or close using the electrical switch, indicating the presence of discontinuities, faulty switches, or even shorts. In the case of N4713U, these issues had been reported several times between September and November 1988 before being fixed. Similar issues recurred in December, two months before the accident. This information raised the probability of an electrical malfunction.
Although this evidence probably best fit scenario 1, the Campbells appear to have settled on the similar scenario 2, primarily because witness accounts indicated the presence of a grinding or buzzing sound prior to the explosion, which could have been the sound of the actuator unlatching the door. However, given the lack of identified failures that would allow the latch actuator to be powered in flight, it seems somewhat unclear in hindsight why the Campbells advocated for this scenario and not the simpler scenario 1.
In any case, while the NTSB never ruled out these scenarios, the investigators did not agree that this evidence tilted the balance in favor of either scenario 1 or scenario 2.
Nevertheless, negotiations over a potential search for the door continued, and in 1991 an agreement was finally reached to split the cost evenly between the NTSB, the FAA, United Airlines, and Boeing. The four parties to the investigation then hired a US Navy salvage ship to search for the door on the ocean floor near where radar data indicated that it had entered the water. The gamble soon paid off, as sonar identified the presence of a debris field in the expected location. A submersible subsequently identified a cargo container, part of the missing fuselage, and the door itself, which was recovered in two pieces on September 14th and October 1st respectively. Now came the moment of truth: what was the position of the latch cams and locking sectors? If scenario 3 was correct, then the locking sectors should be damaged and in the locked position. If not, then the answer was either scenario 1 or scenario 2.
As soon as the door was brought up from the depths, NTSB investigators rushed to examine it. What they found blew the case wide open. There was clearly no pre-existing damage to the locking sectors, immediately ruling out scenario 3, the theory which they had earlier elevated to the rank of probable cause. Instead, it was obvious that the locking sectors were moved into the locked position while the latch cams were properly closed, only for the cams to later rotate back to the open position, pushing the locking sectors out of the way. The available evidence also proved beyond reasonable doubt that it was the latch actuator which had done this, not a ground handler with a socket wrench.
Further examination of the switches and wiring on the recovered door revealed that the S2 switch might indeed have been faulty, although the damage was too severe to say for certain. Additionally, numerous wires connected to the latch actuator were frayed or damaged, providing potential paths for a short circuit. No direct trace of such a short circuit was found, but neither was the majority of the wiring, and tests showed that at the power levels involved, a short circuit would not necessarily leave any physical evidence. Given the extent of the deterioration, however, it was entirely believable that such a malfunction could have occurred.
Then, on June 13th, 1991, something incredible happened on board a United 747 at the gate at JFK Airport in New York. While in the hangar undergoing maintenance before the flight, a circuit breaker related to the cargo door popped in the plane’s electrical equipment bay, and technicians couldn’t reset it, nor could they open the cargo door electrically. After moving the plane to the gate, troubleshooting continued. The door was cranked open manually; this time, the circuit breaker was able to be reset. The door was then cycled electrically several times without incident. Technicians then began an inspection of the wiring. In the process, they pulled a plug out of a junction box to inspect it, and when they plugged it back in, the cargo door opened by itself without anyone touching the door switch. In fact, the actuator continued to run even after the door was fully open, and technicians were only able to stop it by pulling the circuit breaker.
Realizing that this event could be related to United 811, United Airlines personnel immediately informed the NTSB, and investigators were dispatched to the scene. Once there, they found that several wires related to the cargo door had been damaged where they passed through a kink in a conduit, causing a short circuit. This finding proved beyond doubt that latent electrical malfunctions which could lead to an uncommanded cargo door actuation were present in the United Airlines fleet. Subsequent inspections revealed that undetected wiring problems and faulty S2 switches were in fact widespread throughout the 747 fleet at multiple airlines, not just United.
Now armed with this incontrovertible evidence, in 1991 the NTSB issued a new final report superseding the previous one. This time, the agency chose scenario 1, writing that the probable cause of the accident was “a faulty switch or wiring in the door control system which permitted electrical actuation of the door latches toward the unlatched position after initial door closure and before takeoff.”
Looking back, there were a number of systemic biases which might have caused the NTSB to underestimate the probability of this sequence of events during their original analysis. One of these was that investigators failed to adequately question the conclusions reached by Boeing and Pan Am after the 1987 incident. The two companies’ investigation into the incident lacked sufficient depth to uncover information which supported the electrical malfunction theory, but the NTSB did not conduct further investigation either, since the incident occurred outside their jurisdiction.
Secondly, the true extent to which the wiring in America’s passenger fleet had deteriorated was not widely known in 1989. Later investigations would reveal that wiring in every type of airplane at every airline was in a worrying state of decay, and that the rate of electrical malfunctions was much higher than anyone thought, in part because many of them were able to pass unnoticed. Had the NTSB been properly aware of this fact, they might have weighted the probabilities differently. Instead, the extent of the problem was only revealed during the inquiry into the 1996 crash of TWA flight 800, which eventually led to a major overhaul of wiring maintenance practices throughout the industry.
The story of the investigation into United 811 therefore stands as a reminder of why the NTSB uses the term probable cause. The NTSB is not a court of law; although investigators will do their best to find answers, they are not required to possess incontrovertible proof before making a decision. Instead, their decisions are made based on the weight of the available evidence. Usually that evidence is very strong, but when it is not — for example, if key components are missing — one must pay attention to less probable scenarios that investigators do not rule out. Indeed, the NTSB is quite careful about not discarding theories which have not been proven false, even if they prefer another explanation. And in the case of flight 811, when new evidence emerged to support one of those less preferred theories, the NTSB did its job and changed its conclusion.
Following the accident on board flight 811, a number of safety improvements were made. The FAA swiftly updated its existing airworthiness directive, requiring that the modifications to strengthen the locking sectors be carried out within 30 days. The agency also issued a new airworthiness directive requiring 747 operators to upgrade their door opening systems, and re-rig the door warning system so that the “door unsafe” light draws on the position of the latch cams as well as the locking handle. A number of changes were also made to improve the ease and convenience of accessing crew and passenger oxygen and putting on life vests, and to keep overhead bins from coming open in an emergency. And lastly, the FAA initiated a review of the certification of various doors on a wide range of aircraft types, intended to ensure that similar design flaws had not been overlooked elsewhere.
As for the crew and the plane, both had positive endings. All three pilots received the Secretary of Transportation’s Award for Heroism, which Captain Cronin took with him into his retirement shortly after the accident. Captain Cronin and First Officer Slader passed away in 2010 and 2016 respectively, to the great sadness of the many passengers who owed them their lives. And despite all appearances, the plane itself was not a casualty of the event. The $14 million repair cost was still less than buying a new 747, so United refurbished it and returned it to service. It was eventually abandoned in 2001 and scrapped in 2004.
The tragedy of United Airlines flight 811 highlighted vulnerabilities in the design, certification, and continuing airworthiness processes which allowed a known design flaw to persist long after it could have been eliminated. It is an argument in favor of strong, proactive action from manufacturers, regulators, and airlines alike. When safety is on the line, the FAA should not wait to issue an airworthiness directive, nor should airlines wait until the end of the grace period to comply. This accident could so easily have been avoided if any of the companies and organizations involved had proactively decided to act sooner. All the knowledge was there; the only deficiency was willpower. And because of that lack of will to act, nine people lost their lives in a most horrific manner, swept from the plane and cast to their deaths in the blink of an eye. Perhaps those who make such decisions should put themselves in their place next time they must weigh the cost of taking quicker action. After all, there are costs that come with waiting, too.