In recent years, hydrogen, battery and hybrid technology have been extensively researched to understand their usage as an energy carrier for aviation. But the integration of these technologies with the propulsion and the distribution unit of the aircraft brings new safety challenges. By applying a safety risk assessment tool called Bowtie, we can showcase these challenges simply and explain the complexity of the design process.
Bowtie is a risk management method used to visualize and analyze the risks associated with a particular hazard. It helps to identify and manage potential threats and to understand the effectiveness of control measures. The strength of the tool lies in its simplicity – it allows risk to be managed and communicated effectively.
We believe that, in a sector where we place safety at the heart of everything we do technically, that should extend to how we communicate – particularly as we introduce disruptive new technologies that carry their own ‘baggage’ in the public psyche from other sectors, such as electrification and autonomy from the automotive sector.
The key components of a Bowtie safety assessment are:
- Hazard: Something in, around or part of an organisation or activity which has the potential to cause damage or harm. A ‘top event’ is the release or loss of control over a hazard that is known as an undesired system state.
- Threat: Specific activities or events that are a direct cause of the top event.
- Controls: Preventative and mitigative controls, or measures to manage threats and consequences.
- Outcome: The potential outcomes or impacts (loss or damage) if the top event occurs.
The left-hand side of the Bowtie model contains preventative measures, which can eliminate the threat, or prevent the threat from causing the top event. On the right-hand side are measures that reduce the likelihood of the consequence if the top event occurs, or mitigate the severity of the consequence.
This assessment reviews two distinct hazards associated with eVTOL aircraft and hydrogen-retrofit aircraft design. While the bowties represent a small, non-exhaustive subset of factors involved in the electric engine safety assessment process, they are designed to illustrate the complexity of the challenge and the opportunity for learning across these two use cases.
eVTOL design – the more the merrier
Loss of thrust is a key hazard that must be considered and designed against when integrating electric engines in eVTOL aircraft. In Europe, EASA ‘Category Enhanced’ aircraft must be able to meet the requirements of a Continued Safe Flight and Landing (CSFL) after a failure occurs.
Structural failure of electric propulsion system
For eVTOL aircraft, redundancy in the form of multiple electric motors is a key contributor to enhancing overall safety. When integrating multiple electric engines into a compact airframe, the high vibrational loading will increase the threat of structural failure of the electric propulsion system, resulting in loss of thrust.
To mitigate against this threat, designers will need to assess the system under a variety of static and dynamic load cases. Operators, meanwhile, will need to conduct routine and thorough maintenance on critical components.
An uncorrected loss of thrust will result in a crash landing, so the airframe design will need to meet crashworthiness requirements to protect the occupants and enable an emergency landing and safe evacuation.
The design should minimize deceleration loads on occupants, while ensuring the aircraft retains a survivable interior space, with doors that can be opened after a crash. NASA has already crash tested an eVTOL vehicle concept, trialling experimental systems to reduce impact loads on the occupants. These tests are crucial to validate computer simulations and increase overall crashworthiness.
Bird strike
As eVTOL aircraft operate in urban environments, at lower altitudes than conventional aviation, they are more susceptible to bird strikes. In the event that a bird strike compromises a single or multiple rotors, a flight control system will need to distribute power to the remaining motors to allow CSFL – utilising the redundancy that is afforded by having multiple propulsion systems.
A bird strike could lead to elements of the blade or motor failing, causing a cascade failure as debris impacts other parts of the aircraft. To reduce the potential severity of this event, designers are required to position critical systems outside the propeller release cone, aiming for safe separation of rotors.
Electrical failure
eVTOL aircraft have varying power requirements at different stages of flight. During critical flight stages, such as take-off and landing, the electrical propulsion system is placed under high stress, with higher temperatures as large power outputs are demanded for short periods of time.
In these situations, the battery and power distribution system are at an increased risk of failure. To combat high temperatures, a battery thermal management system should be incorporated.
An electrical system failure which leads to loss of thrust could also act as an ignition source, creating a fire that may spread to the battery in a tightly-packaged aircraft. To prevent this, arc and spark protection should be embedded within critical elements of the electric propulsion system.
Battery degradation over time can also increase the likelihood of thermal runaway, an exponential reaction that is much easier to design against than to suppress after it occurs.
Hydrogen retrofit design – sparking innovation
In the long term, future hydrogen-powered aircraft will have bespoke designs optimised to accommodate storage tanks. For near-term decarbonisation however, hydrogen will need to be retrofitted into turboprop aircraft with fuel cell propulsion technology, creating a challenge as designers must safely integrate these storage tanks into existing airframes.
Hydrogen accumulation
To safely store hydrogen, designers need to avoid unwanted accumulation of hydrogen within the aircraft and mitigate sources of ignition. Hydrogen can be ignited easily – with a relatively low minimum ignition energy (MIE) and a lower flammability limit, a smaller concentration of vapour in the air can produce a flash fire.
Ignition can come from many sources and, as such, hydrogen accumulation should be avoided by installing hydrogen sensors – whether catalytic, electrochemical, thermoelectric or other types. Easy to install, these have a fast response time. Combining these sensors with passive and active ventilation techniques within the aircraft is a mitigation method to keep the hazard risk as low as reasonably practicable (ALARP).
Overheating
Within a hydrogen electric aircraft, a fuel cell is used to generate power from the hydrogen and a battery is used to distribute this power between the motors. Both pieces of equipment can overheat, resulting in a negative impact on aircraft systems.
Overheating in a fuel cell results in dehydration of the fuel cell stack, which degrades the cell and reduces operational performance. Degradation of the stack can lead to a range of hazards, including hydrogen leakage. A thermal management system, which can be either air, liquid, phase change, or a combination of all three, can ensure the fuel cell is maintained at optimal operating conditions and prevent overheating.
Overheating in batteries increases the risk of thermal degradation, exposing different types of potential ignition sources including spark discharge (electrical) and open flames (thermal). One mitigation method to reduce overheating in batteries is to integrate an effective battery thermal management system for the fuel cell.
Zonal classification is another useful mitigation strategy, classifying zones and equipment within and around the aircraft which could be sources of ignition. This strategy is especially useful when considering the refuelling and infrastructure requirement of the aircraft.
Safe by design risk reduction
Integration of electric engines into bespoke eVTOL and retrofitted hydrogen-fuelled aircraft provides significant safety challenges. In a sector innovating as fast as eVTOLs, following best practice and keeping risks ALARP will help ensure the aircraft are safe by design.
Safety engineering must be a critical capability of any organisation looking to install electric engines within its aircraft, including proven methodologies and toolkits to analyse and mitigate risks. These methods of assessment will allow safety to be interwoven into the design, and not to be just an afterthought.
We live in a world with an incredibly high expectation of safe air travel. In an era of fast-paced aircraft development, developing them to be as safe as commercial airlines is a must – and the only way for the Zero Emission Aviation market to operate at scale.
Customers will not board an aircraft they consider to be even remotely unsafe, so OEMs and authorities must work collaboratively to ensure both the safety of the public and the success of the market. Using the tools of safety engineering as a framework to drive effective communication could be key to enabling the zero emission flight transition.
For more information about AtkinsRéalis go to https://www.atkinsrealis.com/en/markets-and-services/markets/defense#aerospace