When veteran American Airlines pilot Bryce McCormick first examined McDonnell-Douglas’s new DC-10 airliner in March of 1972, he expressed immediate concern over its hydraulic-only flight controls. (Previous generations of commercial aircraft had always featured manual backup systems.) So confident were McDonnell-Douglas engineers in the redundancy of the DC-10’s three independent hydraulic systems that the plane’s emergency procedures manual did not even acknowledge the possibility of a complete failure. Yet McCormick envisioned scenarios that could impair all three hydraulic systems, making it difficult if not impossible to fly the airplane. He insisted upon (and got) extra time in American Airlines’ flight simulator where he practiced flying and landing the enormous aircraft using the engine throttles alone.
Much like airline pilots, emergency managers are conditioned to think in terms of redundant systems, contingency plans, and emergency procedures. Yet too often our thought process goes only as far as ensuring that we have backups for critical resources. For example, we know that our EOC should have two independent feeds from the public power grid. And we need a backup generator that is properly maintained and tested regularly under load. We may even do a periodic test of the automatic transfer switch, making sure our internal power distribution system changes over smoothly to generator power. But how often do we consider what we’ll do if that transfer switch fails at a critical time? What will we do if it happens during a major storm when we have no power from the public grid? Do we have a procedure for bypassing the malfunctioning switch and do we have technical staff on hand, qualified to do that work? Perhaps more importantly, have we thought through how to keep our EOC functioning at even a minimal level in the event of a total infrastructure failure?
In June of 1972, only three months after his time in the DC-10 flight simulator, Captain McCormick was at the controls of American Airlines Flight 96 when the aft cargo door blew out, decompressing the fuselage and collapsing a portion of the cabin floor. Because lines for all three hydraulic systems were routed through the framework of the cabin floor, McCormick immediately lost all control of the tail engine and flight control surfaces, nosing the airliner into what would quickly become a fatal dive. Drawing on his mental preparation and flight simulator practice, McCormick and his copilot rapidly worked out how to use the wing engines and flight surfaces to regain a margin of control, bringing the plane out of its dive and turning the damaged jet back towards Detroit’s Wayne County Airport. “In a feat of airliner piloting that has to date never been equaled, and on his first try at landing, McCormick kept the crippled DC-10 under control to the runway threshold,” wrote James R. Chiles of the incident in his book Inviting Disaster. “In every other instance in which airliners in flight faced the kind of mechanical crisis that Flight 96 did—pilots losing most of the flight controls—those airplanes all crashed, killing either everybody on board or most of them.”
As emergency managers, it behooves us to think more like Bryce McCormick, looking beyond our easy assumptions to ask what we’ll do when the worst case scenario hits. Most of us lack the resources to plan for and test every possible contingency. But what we can do is identify our mission critical systems and functions, consider what event sequences might take those systems out, and come up with very basic, straightforward plans for dealing with such complete system failures. In some cases, the solution will be an alternate process or system. And in other cases it will mean we can no longer function safely, at which point we have to hand off our emergency functions to other agencies and facilities. One way or another, the additional time we invest in figuring out worst-case-scenario strategies means that when the unthinkable happens, we will be better prepared to shift gears, regain control, and deal with the situation at hand.
Bryce McCormick’s ability to envision and plan for critical failure saved the lives of everyone on board American Airlines Flight 96 in 1972. Only two years later, passengers aboard a Turkish Airlines DC-10 were not so lucky when their aircraft experienced an identical in-flight structural failure. Without benefit of McCormick’s simulator experience, Turkish Airlines Flight 981’s pilots crashed their plane into a forest outside Paris, killing all 346 people aboard.
By thinking like airline pilots (what has to work in order to keep us in the air, and what will we do if it stops working) we will always be better prepared to carry out our public safety goals. We cannot take for granted that our backups will work, and we need to think not only in terms of operational continuity but also a graceful emergency landing when things go terribly wrong.