September 2, 2021
What went right when UA328 landed safely following engine failure
On February 20, United Airlines Flight 328 (UA328) experienced a significant engine failure shortly after takeoff on its planned route from Denver to Honolulu. Media coverage of the incident focused on debris falling from the sky over a Denver suburb and passenger video of the flaming engine. What received less media attention, however, were all the things that went right, despite the engine failure, for UA328 to land successfully back at Denver International Airport.
Travel on western scheduled airlines continues to be the world's safest mode of transportation, despite the various risks involved. To many, this is counterintuitive, but it makes sense when considering the evolution of aviation.
Following over a century of experience in the skies, aircraft and their components have been designed to minimize the chances of a catastrophic loss through redundancies and systems engineering. If the events of UA328 show us anything, they exemplify the forward-thinking process of designing components and systems with potential failure in mind, so that even when failures occur, the plane and the passengers can return safely to the ground.
Planning for engine failure
Aerospace systems are designed with failure in mind.
This analytical approach to redundancy for critical systems — including engines — is one of the keys to aviation safety.
In the early days of aviation, engine failures were more frequent. They were simply expected. To fly long distances over water, where there are no emergency landing possibilities, airplanes were designed with three or four engines of sufficient size such that they could fly with any two engines failing on a particular flight. Twin-engine airplanes were required to stay within 60 minutes flying time of an emergency landing field.
While the probability of a single failure cannot be eliminated, modern aircraft by design include redundancies in critical functions to prevent a complete loss as a result of that single planned-for failure. Today, engines have become far more reliable, so that a twin-engine aircraft is permitted to fly with an emergency airfield as far away as four hours, making over-water flights from the US mainland to Hawaii possible with this type of aircraft.
Certification agencies such as the FAA have been willing to accept catastrophic failures (i.e., loss of the aircraft, crew, and passengers) when they are extremely improbable (less than 10⁻⁹ per flight hour). Less severe failures are acceptable at higher frequencies.
Engines cannot be designed to never fail, but they can be designed to limit the consequences of a failure. For example, if a blade failure occurs — as in the case of UA328 — critical systems are routed by design to minimize the probability of a cascading loss of additional critical systems or the entire aircraft. Kevlar reinforcement in engine nacelles helps contain any engine debris that might be shed radially. Parts and expected loads are analyzed to see whether they should be required to be periodically replaced or how often they should be inspected. With every incident, the data that returns enables engineers and designers to constantly improve these systems, making them safer and more robust.
Pilots & crews are also an integral part of the design
While most pilots will spend their entire careers without experiencing an actual engine failure, every pilot will train for these failures. Procedures are developed, tested, and practiced in simulation. In addition to training to meet failures effectively, airline crews are also trained to work together (i.e., Crew Resource Management) so that even if they have never met before that flight, they can still follow procedures together.
This type of human-machine synergy was put to the test in real life on February 20 as the flight crew of UA328 prepared for an emergency landing by completing additional critical system checks. They elected not to dump fuel for safety and time reasons, determining that the magnitude of the overweight landing was not significant enough to outweigh other considerations, and the captain accomplished a single-engine-inoperative approach to the runway and landed without further incident.
While an engine failure like what happened in the case of UA328 can be spectacular, especially given the forces involved — a single modern turbofan installed on a large airliner might produce 115,000 pounds of thrust (equivalent of 71,000 horsepower) on takeoff — it's important to acknowledge the less spectacular design thinking, preparation, and training that led to a safe resolution of the incident.
When engine parts and systems behave as designed during a planned-for failure, trained flight crews and air traffic control personnel work together to manage the situation, and an airplane that's lost an engine lands with no injuries or significant structural damage, that should be considered a successful failure.
How Exponent Can Help
Exponent's multidisciplinary team of aeronautical, mechanical, electrical, and materials engineers has extensive experience investigating failure modes, conducting design reviews, and analyzing the causes of failures, from the materials and components level to overall systems. Exponent's experience evaluating how things fail, and the chain of events that follow, can be useful to explain the extant failure, outline appropriate responses, and develop safeguards to prevent future failures.