Article

Risk Analysis Method of Aviation Critical System Based on Bayesian Networks and Empirical Information Fusion

1 School of Safety Science and Engineering, Civil Aviation University of China, Tianjin 300300, China
2 International Education Department, Shanghai Business School, Shanghai 201400, China
3 School of Electronic Information and Automation, Civil Aviation University of China, Tianjin 300300, China
4 State Key Laboratory of Rail Transit Vehicle System, Southwest Jiaotong University, Chengdu 610031, China
* Author to whom correspondence should be addressed.
Electronics 2025, 14(12), 2496; https://doi.org/10.3390/electronics14122496
Submission received: 6 May 2025 / Revised: 11 June 2025 / Accepted: 17 June 2025 / Published: 19 June 2025

Abstract

The intrinsic hazards associated with high-pressure hydrogen, combined with electromechanical interactions in hybrid architectures, pose significant challenges in predicting potential system risks during the conceptual design phase. In this paper, a risk analysis methodology integrating systems theoretic process analysis (STPA), D-S evidence theory, and Bayesian networks (BN) is established. The approach employs STPA to identify unsafe control actions and analyze their loss scenarios. Subsequently, D-S evidence theory quantifies the likelihood of risk factors, while the BN models nodal uncertainties to construct a risk network that identifies critical risk-inducing events. This methodology provides a comprehensive risk analysis process that identifies systemic risk elements, quantifies risk probabilities, and incorporates uncertainties for quantitative risk assessment. These insights inform risk-averse design decisions for hydrogen–electric hybrid powered aircraft. A case study demonstrates the framework’s effectiveness. The approach bridges theoretical risk analysis with early-stage engineering practice, delivering actionable guidance for advancing zero-emission aviation.

1. Introduction

The replacement of fossil fuels with clean energy is currently a focus of research in the transportation sector. Hydrogen, with its advantages of being clean, efficient, and renewable, is considered a promising candidate to replace traditional fossil fuels [1,2]. Hydrogen energy has been widely adopted in multiple fields such as aviation [3,4,5,6], vehicles [7,8,9], and shipping [10,11,12]. Recent developments have positioned hydrogen-powered aviation as a key solution to the aviation industry’s decarbonization challenge, with the potential to significantly reduce its impact on the climate [13,14].
As aviation imposes strict limits on the weight and size of power systems, the specific power and power density of existing hydrogen power systems fall short of the requirements of aircraft flight, so another option is to utilize hybrid power systems [15]. The system development process requires a detailed risk analysis to ensure that the aircraft meets its safety constraints. However, the complex interactions due to the highly integrated components and the inherent physical properties of hydrogen are major constraints on safety, and the lack of engineering data at the early stages of the design process to support quantitative analyses can make it difficult to identify the key risk factors in the system in detail, which may lead to serious design defects in the aircraft. Moreover, most current research focuses on aircraft design and performance optimization, and very little has addressed the risk analysis of hybrid propulsion systems [16,17,18].
In the field of civil aviation engines, risk capture analysis is indispensable. Chain-based analysis methods, such as Fault Tree Analysis [19], typically commence with the identification of the most severe accidents within a system. These methods systematically analyze potential hazards by tracing the chains of faults and their physical interrelations. Nowadays, with the gradual development of aviation technology and the enhancement of the integration of aircraft and engines, traditional failure model analysis methods, which start from failures, are no longer applicable for the capture of control defects of complex engine systems when dealing with complex control logic, common cause failures, and hidden design issues.
D-S evidence theory can fuse multi-dimensional data without relying on preconditions and can reason about uncertainty [20]; it is therefore widely used in fault diagnosis, feature recognition and expert evaluation [21,22,23]. In the absence of empirical data at the early stage of design, expert opinion is needed as a source of information on the basic risk factors, so D-S evidence theory is needed to quantify the impact of risk-factor behaviors from the results of expert evaluation. However, when Dempster’s combination rule is applied to merge belief masses from inconsistent probability intervals, such as when expert opinions conflict, it can produce counterintuitive results. A likely cause is that the multiplicative strategy of the classical D-S combination rule is too aggressive. When multiple experts make decisions and one expert’s opinion differs significantly from the others, that opinion must be reconsidered or the experts’ opinions must be weighted. For this reason, this study adopts Proportional Conflict Redistribution Rule No. 6 (PCR6) to resolve conflict between multiple sources of evidence and thereby refines the D-S evidence theory approach, avoiding the distortion of fusion results by significantly biased expert opinions. Hydrogen–electric hybrid propulsion systems exchange different kinds of control information to coordinate their components, so defective control of the system can lead to multi-dimensional information stacking or even to collapse of the system. Therefore, the design must consider the risk potential of the system in different usage scenarios and provide appropriate safety constraints for it.
Systems Theoretic Process Analysis (STPA) [24,25] shifts the focus of safety from a failure-based approach to a control-based perspective, and is therefore widely used in risk identification [26,27,28,29,30]. It views hazard management and safety as control problems rather than as issues of failure prevention [31]. Thereby the safety constraints on issuing, implementing and executing control commands are strengthened. It analyzes sources of danger in order to impose safety constraints on component behavior, interactions, communication between components, external conditions and resistance to interference. Using control action errors as the starting point for analysis, STPA is able to directly demonstrate the root cause of system control deficiencies and essentially find the starting point of the risk events that contribute to abnormal control behavior. As a result, STPA can capture risk-critical factors more thoroughly from a control perspective.
However, STPA is limited to qualitative analysis and cannot quantitatively evaluate specific issues or assess the severity of unsafe control actions. Many scholars have quantified the results of STPA analyses through different quantification methods, among which the quantification of STPA through a Bayesian network (BN) can accurately capture the uncertainty relationship between unsafe events and make the analysis results more accurate [32,33,34,35]. The fusion result of expert evaluation obtained through D-S evidence theory is used as the probabilistic information of the BN model to construct the uncertainty relationship network structure of system risk factors [36,37], to achieve the quantitative analysis of the importance degree of risk factors and to complete the identification of key risk factor causes.
To analyze the potential risks of a hydrogen–electric hybrid aviation propulsion system, this paper proposes a risk assessment method that combines qualitative and quantitative approaches using STPA, D-S evidence theory, and BN. First, qualitative analysis is conducted based on STPA to identify unsafe control actions and loss scenarios within the study’s objectives. Subsequently, the D-S evidence theory, in conjunction with the PCR6 principle, is employed to process expert-assessed probabilities and establish the BN model’s prior probabilities, enabling quantitative analysis without actual data.
This study’s main contributions are as follows:
  • An integrated risk methodology based on STPA, D-S evidence theory, and BN is proposed and applied to a case study for the risk analysis of a hydrogen–electric hybrid aviation propulsion system. First, STPA is used to identify system risk elements. Next, D-S evidence theory is employed to quantify these risk elements. Finally, a BN is constructed to model the interaction behavior network of risk elements, enabling a quantitative analysis of the system’s key risk factors.
  • By applying D-S evidence theory and the PCR6 principle, expert-assessed probabilities are fused to obtain the prior probabilities of the BN model. Additionally, the BN network is objectively constructed based on the STPA model. This approach enables quantitative risk analysis with low dependence on empirical data.

2. Methodology

In response to the stringent safety analysis requirements for hydrogen–electric hybrid propulsion systems, this section proposes a solution based on STPA, D-S evidence theory, and BN. The method is primarily divided into two parts: identification of system risk scenarios based on STPA and construction of a risk network topology model based on BN, as shown in Figure 1.
The core concept of STPA is to view a system as a dynamic process interacting with its environment [38,39]. The process is as follows:
  • A control structure model is established based on the system’s control and feedback relationships.
  • Potential unsafe control actions under different types of anomalies are analyzed and identified as system safety defects.
  • The root causes and trigger scenarios of these unsafe control actions are traced within the control loop to analyze the fundamental reasons for their occurrence.
  • The BN analysis nodes are determined based on the STPA results.
  • The BN topology model is constructed, accounting for the uncertain influences of risks between components.
  • D-S evidence theory is used to quantify the risk propagation process between components; the intensity of risk transfer influences between components is represented using fused probability values.
  • Utilizing the constructed BN topology, both forward and backward probabilistic inference are performed to provide data support for risk analysis.
It is important to note that the BN modeling process relies on the system’s functional architecture and the control structure established through STPA. Building the BN model based on system control decisions can effectively enhance the accuracy of the model.

2.1. Identify Risk Factors

A hierarchical control structure needs to be developed based on the aircraft system architecture, establishing the interaction relationships between components according to control and feedback methods. The smallest unit of the control structure is the control loop, which consists of a controller and a controlled process. For a general control loop, the controller issues commands to regulate the controlled process through control actions, typically represented by downward arrows; the controlled process feeds back its status to the controller via feedback signals, usually denoted by upward arrows. A single controller can manage multiple controlled processes, and a controlled process may also serve as a controller for other control loops. The system is abstracted into multiple control loops, which are integrated to construct a complete control structure model. Unlike other analytical methods, STPA partitions the system into levels based on control relationships, eliminating hierarchical structural boundaries. This allows individual components to have the capability to send input signals to an integrated system, enhancing the precision of identifying system fault states.
A controller comprises a control algorithm and a process model. The control algorithm represents the controller’s decision-making process for outputting control actions, selecting appropriate control instructions for different scenarios to send to the controlled process. The process model represents the underlying rationale supporting decision-making, adjusting in real-time based on feedback signals from the controlled process. In human–machine interaction events, both humans and machines can act as controllers. The process model for humans is referred to as a mental model, while the control algorithm corresponds to the operational steps performed by the human.
It is important to note that commands within the control structure model do not represent actual signal instructions but serve as a feedback mechanism. When analyzing complex systems with STPA, it is difficult to encompass all components within the analysis scope, and the numerous components and intricate interaction patterns complicate the feedback model and subsequent analyses. Therefore, the system can be abstracted into larger-granularity subsystems to analyze control feedback relationships. Based on the system components, the analysis granularity is then gradually reduced, details are added, and the control structure model is iterated until it meets the design requirements.
The control loops clearly demonstrate control relationships, from which we extract control actions that are valuable for safety analysis. Unsafe control actions refer to control actions that, under specific scenarios or in the worst-case environment, may lead to hazards. When identifying unsafe control actions, existing protective measures do not need to be considered. Worst-case scenario analysis assumes that protective measures are almost completely ineffective. In the following four situations, control actions may become unsafe control actions:
  • Not providing causes a hazard.
  • Providing causes a hazard.
  • Being too early, too late or out of order causes a hazard.
  • Stopping too soon or applying for too long causes a hazard.
Unsafe control actions have a standardized description method, facilitating a more precise identification of unsafe control actions in different situations. A general template for describing unsafe control actions can be used, which includes five parts: source, scenario, type, control action, and related hazards. The “source” generally refers to the controller providing the control action; the “scenario” refers to the situation where unsafe control actions may occur; the “type” refers to which category the unsafe control action falls into, as previously described; the “control action” refers to the specific control action being analyzed; and the “related hazards” refer to the system-level hazards that may result from the unsafe control action.
Loss scenarios can be traced in the control loop and the causal factors extracted from them. A general template for the control loops is needed for loss scenario identification, primarily composed of the controller, actuator, controlled process, and sensor. The process of sending control actions is defined as the control path, and the process of sending feedback signals is defined as the feedback path. The controller’s control input needs to be considered as a factor in loss scenario analysis, and the controlled process’s control input and output also need to be considered as factors in the analysis. Based on the roles of each component in the control loop, loss scenarios can be identified. The methods for identifying loss scenarios cover unsafe controller behavior, causes of inappropriate feedback and information, loss scenarios involving the control path, and scenarios related to the controlled process. Loss scenarios involve the failure states of subsystems or components, which are directly linked to unsafe control actions.

2.2. Establish the Risk Analysis Topology Network Model

The modeling of BN topological structures should strive to avoid subjective biases and ensure the completeness of system architecture representation. STPA has a clear logic for identifying unsafe control factors from control structures and tracing causal factors. The construction of BN network topological structures must be based on the entire process of STPA, ensuring that the analysis boundaries align with the system boundaries defined by STPA. BN nodes that represent risk states from the STPA findings are extracted. These node states are characterized by uncertainty, and different node states have varying impacts on the system. The methods of influence between nodes are determined based on system architecture, control loops, and control structure models, forming the network structure. By leveraging the control power distribution from top to bottom in the control structure as defined by STPA, different levels of BN nodes are established to demonstrate how component anomalies propagate during risk events. System architecture and functional requirements are used to further refine the BN model, enhancing its flexibility and richness in the modeling process.
BN represents node attributes or the dependence strength between nodes through probabilities. Probability information includes prior probabilities and conditional probabilities. Prior probabilities represent the likelihood of risk events associated with root nodes, while conditional probabilities indicate the dependence strength between parent nodes and child nodes. BN processes input probability information based on Bayesian principles and can achieve both forward and backward reasoning. The Bayesian principle is illustrated in Equation (1).
$$P(A \mid B) = \frac{P(B \mid A)\,P(A)}{P(B)}$$
where $P(A \mid B)$ is the probability of event A occurring given that event B has occurred, called the posterior probability; it represents the updated belief about A after observing B. $P(B \mid A)$ is the probability of event B occurring given that event A has occurred; it quantifies how well A explains B and is called the likelihood. $P(A)$ is the initial probability of event A occurring before considering any evidence or additional information, called the prior probability. $P(B)$ is the total probability of event B occurring, regardless of other events; it acts as a normalizing constant in Bayes’ theorem.
The accurate input of probabilities representing risk events is a key guarantee for the accuracy of BN calculation results. D-S can specify the uncertainty and incomplete information of the objects of study and supports the integration of multi-source probability information [40]. Objects of study typically involve multiple hypothesis events, which are integrated into the frame of discernment, represented by the symbol $\Theta = \{A, B, C, \ldots\}$. This framework effectively captures the various hypotheses and their interrelations, providing a structured approach to handling uncertainty and incomplete information in the analysis of complex systems, where $A, B, C, \ldots$ represent all mutually exclusive hypothesis events, $P(\Theta)$ represents the power set composed of all elements in $\Theta$, defined as $2^{\Theta} = P(\Theta) = \{\emptyset, A, B, C, \{A, B\}, \{A, C\}, \ldots, \Theta\}$, and $\emptyset$ denotes the empty set.
The mass function, also known as the basic belief assignment (BPA), maps the power set of the recognition frame to the interval [0, 1], denoted as $m: P(\Theta) \to [0, 1]$. The mass function expresses the support for each subset and possesses the following two properties:
  • The function value of the empty set is zero: $m(\emptyset) = 0$.
  • The sum of the function values of the non-empty sets is 1: $\sum_{U \subseteq \Theta} m(U) = 1$.
where $U$ represents a subset within the recognition framework; if $m(U) > 0$, then $U$ is called a focal element. If all focal elements are singletons, then the mass function is a Bayesian mass [41].
The BPA values assigned to the subsets by different pieces of evidence differ, and conflicts of varying degrees among the propositional evidence are one of the major factors influencing the results. The Conflict Factor (K) measures the degree of conflict between two pieces of evidence. It is the sum of the products of the BPA values of all mutually exclusive events between the two pieces of evidence, as shown in Equation (2).
$$K = \sum_{A \cap B = \emptyset} m_1(A)\, m_2(B)$$
where $m_1$ and $m_2$ represent the BPA values of the two evidence sources. Assume that the BPA for evidence 1 is $m_1(A) = 0.2$ and $m_1(B) = 0.8$, and the BPA for evidence 2 is $m_2(A) = 0.3$ and $m_2(B) = 0.7$. There are two conflicting parts: the intersection of $\{A\}$ in $m_1$ and $\{B\}$ in $m_2$ is empty, which constitutes one conflicting part, and the intersection of $\{B\}$ in $m_1$ and $\{A\}$ in $m_2$ is also empty, which constitutes the other conflicting part. The conflict factor between the two pieces of evidence is calculated in Equation (3). A value of K closer to 1 indicates a more significant conflict between the two evidence sources, while a value closer to 0 indicates a higher degree of agreement between them. Based on the K value, it is possible to identify evidence sources that conflict significantly with the other data sources and to verify the reliability of the data.
$$K_{1,2} = m_1(\{A\})\, m_2(\{B\}) + m_1(\{B\})\, m_2(\{A\}) = 0.2 \times 0.7 + 0.8 \times 0.3 = 0.14 + 0.24 = 0.38$$
The fusion of highly conflicting data sources may lead to anomalies in fusion results. When the conflict between evidence sources becomes excessively high, the conflicting mass is forcibly allocated to non-empty sets, potentially causing extreme mass redistribution. Introducing a single high-conflict data source during the combination process might drive the fusion outcome to deviate from the majority consensus. However, if the conflicting evidence source contains information closer to ground truth despite conflicting with others, eliminating such source characteristics could result in critical information loss. Therefore, this study adopts the PCR6 principle for mass allocation [42], achieving the proportional redistribution of conflicts to relevant propositions while preserving the original weighting information of evidence sources. Equation (4) demonstrates the fusion process between two highly conflicting evidence sources m 1 and m 2 .
$$m_{PCR6}(A) = \sum_{B \cap C = A} m_1(B)\, m_2(C) + \sum_{i=1}^{2} \frac{m_i(A)^2\, K}{\sum_{X \in \Theta} m_i(X)^2}$$
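To make the conflict factor and the redistribution concrete, here is an added Python example (not from the paper) that computes K from Equation (2) for the two expert mass functions worked through above, combines them with Dempster’s rule, and then with the two-source PCR6 rule, implemented from its standard definition (for two sources PCR6 coincides with PCR5) rather than from Equation (4). The second pair of mass functions is a constructed high-conflict case that shows where Dempster’s rule becomes counterintuitive and how proportional redistribution keeps both experts’ views.

```python
from itertools import product

# Constructed mass functions (basic belief assignments) over a frame
# Theta = {A, B, C}; focal elements are frozensets so intersections are cheap.
A, B, C = frozenset("A"), frozenset("B"), frozenset("C")

# The two expert evaluations from the text (Equation 3 example).
M1 = {A: 0.2, B: 0.8}
M2 = {A: 0.3, B: 0.7}

# Constructed high-conflict case: two experts almost fully committed to
# different hypotheses, agreeing only on a tiny mass for C.
M1_HIGH = {A: 0.99, C: 0.01}
M2_HIGH = {B: 0.99, C: 0.01}


def conflict_factor(m1, m2):
    """Equation (2): K = sum of m1(X)*m2(Y) over all pairs whose intersection is empty."""
    return sum(a * b for (X, a), (Y, b) in product(m1.items(), m2.items())
               if not (X & Y))


def dempster(m1, m2):
    """Classical Dempster combination: conjunctive products renormalised by 1 - K.
    The whole conflicting mass is pushed onto whatever focal elements survive."""
    K = conflict_factor(m1, m2)
    if K >= 1.0:
        raise ValueError("total conflict: Dempster's rule is undefined")
    fused = {}
    for (X, a), (Y, b) in product(m1.items(), m2.items()):
        Z = X & Y
        if Z:
            fused[Z] = fused.get(Z, 0.0) + a * b / (1.0 - K)
    return fused


def pcr6(m1, m2):
    """Two-source PCR6 (identical to PCR5 for two sources): keep the conjunctive
    products and hand each conflicting product m1(X)*m2(Y) back to X and Y in
    proportion to the masses that produced it, so no expert's view is erased."""
    fused = {}
    for (X, a), (Y, b) in product(m1.items(), m2.items()):
        Z = X & Y
        if Z:
            fused[Z] = fused.get(Z, 0.0) + a * b
        elif a + b > 0:
            fused[X] = fused.get(X, 0.0) + a * a * b / (a + b)
            fused[Y] = fused.get(Y, 0.0) + b * b * a / (a + b)
    return fused


def label(m):
    """Readable view of a mass function, e.g. {'A': 0.1566, 'B': 0.8434}."""
    return {"".join(sorted(k)): round(v, 4) for k, v in m.items()}


if __name__ == "__main__":
    print("K (Eq. 3 example):", round(conflict_factor(M1, M2), 2))
    print("Dempster:", label(dempster(M1, M2)))
    print("PCR6:    ", label(pcr6(M1, M2)))
    print("High-conflict K:", round(conflict_factor(M1_HIGH, M2_HIGH), 4))
    print("Dempster:", label(dempster(M1_HIGH, M2_HIGH)))   # all mass ends up on C
    print("PCR6:    ", label(pcr6(M1_HIGH, M2_HIGH)))       # A and B are both retained
```

In the high-conflict case Dempster’s rule assigns essentially all mass to C, the hypothesis both experts considered nearly impossible, while PCR6 leaves roughly half the mass on each expert’s preferred hypothesis.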
The BN topological structure provides a visual representation of the probabilistic input locations, facilitating the binding of probability information to nodes. Assuming a BN with $n$ nodes, $Pa(Z_i)$ denotes the parent nodes of $Z_i$. The joint probability of the event set $Z = \{Z_1, Z_2, Z_3, \ldots, Z_n\}$ is expressed as follows:
$$P(Z_1, Z_2, Z_3, \ldots, Z_n) = \prod_{i=1}^{n} P(Z_i \mid Pa(Z_i))$$
Forward modeling requires supplying prior probabilities and conditional probabilities to the BN model to perform predictive calculations. Prior probabilities are assigned to leaf nodes, whereas conditional probabilities are defined for intermediate and root nodes. For backward modeling, risk nodes are designated as evidence nodes with assigned evidence values, enabling backward inference of posterior probabilities across all nodes. Diagnostic inference based on posterior probabilities identifies critical components influencing risk events, systematically analyzes potential key safety factors, and prioritizes critical elements requiring focused attention in safety design.

2.3. Validity of the Model

Model validation is a necessary step to ensure the effectiveness of the risk analysis model architecture, providing reasonable confidence in the results of quantitative risk analysis. Model validation should adhere to the following three axioms [43,44,45,46,47].
Axiom 1: An increase (decrease) in the prior risk probability of a parent node will result in a corresponding increase (decrease) in the posterior probability of its child node.
Axiom 2: Changes in the prior risk probability of a parent node exert a consistent directional effect on the posterior probability of its child node.
Axiom 3: The combined effect of multiple parent nodes on a child node should be greater than the effect of any single parent node on the child node.
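An added Python example (not from the paper) that carries Equation (5) and the forward and backward inference described in Section 2.2 through a constructed three-node risk network, and turns the three validation axioms above into executable checks. The node names, priors and conditional probability table are assumptions chosen for illustration.

```python
from itertools import product

# Constructed toy risk network (not the paper's model): two root risk factors
# X1 and X2 feed one child risk node Y. All nodes are binary (1 = risk state).
PRIORS = {"X1": 0.10, "X2": 0.05}
# Conditional probability table P(Y = 1 | X1, X2), keyed by (x1, x2).
CPT_Y = {(0, 0): 0.01, (1, 0): 0.30, (0, 1): 0.20, (1, 1): 0.70}


def joint_probability(x1, x2, y, priors=PRIORS, cpt=CPT_Y):
    """Equation (5): the joint is the product of P(Z_i | Pa(Z_i)) over all nodes.
    Roots have no parents, so their factor is just the prior."""
    p1 = priors["X1"] if x1 else 1.0 - priors["X1"]
    p2 = priors["X2"] if x2 else 1.0 - priors["X2"]
    py = cpt[(x1, x2)] if y else 1.0 - cpt[(x1, x2)]
    return p1 * p2 * py


def marginal(query, priors=PRIORS, cpt=CPT_Y, evidence=None):
    """P(query | evidence) by enumerating the full joint over all worlds.
    query and evidence are dicts such as {"Y": 1}; fine for a small network."""
    evidence = evidence or {}
    numerator = denominator = 0.0
    for x1, x2, y in product((0, 1), repeat=3):
        world = {"X1": x1, "X2": x2, "Y": y}
        if any(world[k] != v for k, v in evidence.items()):
            continue                       # inconsistent with the evidence
        p = joint_probability(x1, x2, y, priors, cpt)
        denominator += p
        if all(world[k] == v for k, v in query.items()):
            numerator += p
    return numerator / denominator


def forward_risk(priors=PRIORS, cpt=CPT_Y):
    """Forward (predictive) inference: P(Y = 1) from priors and CPT alone."""
    return marginal({"Y": 1}, priors, cpt)


def backward_diagnosis(priors=PRIORS, cpt=CPT_Y):
    """Backward (diagnostic) inference: set Y = 1 as evidence and read off the
    posterior of each root, which ranks the root causes for design attention."""
    return {k: marginal({k: 1}, priors, cpt, evidence={"Y": 1}) for k in priors}


def check_axioms(priors=PRIORS, cpt=CPT_Y, delta=0.05):
    """Section 2.3 axioms as checks on this network. Axiom 1: raising/lowering a
    root prior raises/lowers P(Y = 1). Axiom 2: the two perturbations move the
    child in a consistent direction. Axiom 3: both parents in the risk state
    influence Y more than either parent alone."""
    base = forward_risk(priors, cpt)
    results = {}
    for k in priors:
        up = dict(priors, **{k: min(1.0, priors[k] + delta)})
        down = dict(priors, **{k: max(0.0, priors[k] - delta)})
        r_up, r_down = forward_risk(up, cpt), forward_risk(down, cpt)
        results[f"axiom1_{k}"] = r_up > base > r_down
        results[f"axiom2_{k}"] = (r_up - base) * (base - r_down) > 0
    results["axiom3"] = cpt[(1, 1)] > max(cpt[(1, 0)], cpt[(0, 1)])
    return results


if __name__ == "__main__":
    print("P(Y=1) forward:", round(forward_risk(), 5))
    print("posteriors given Y=1:", {k: round(v, 4) for k, v in backward_diagnosis().items()})
    print("axiom checks:", check_axioms())
```

The backward pass shows the ranking a designer cares about: although X1 and X2 both have small priors, observing the child risk event raises X1 to roughly 0.65 and X2 to roughly 0.25, so X1 is the root cause to address first in this constructed network.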

3. Case Study

3.1. System Overview

3.1.1. Hybrid Propulsion System Architecture

Due to the limited reserves of fossil fuels and the environmental pollution issues associated with their use [48], the aviation industry has been committed to the development and exploration of green aviation technologies.
Electric propulsion systems are well known in the automotive industry. In the aviation industry, tests of aircraft carrying passengers using these systems occurred in 1973 [49]. Due to current technological and material limitations [50], pure electric aircraft have limited endurance and range, thereby restricting their applications.
Some aviation experts have drawn on the successful practices of the automotive industry, opting to employ hybrid propulsion systems [51], which incorporate electric motors or a combination of electric motors and traditional heat engines, as replacements for conventional propulsion systems.
A project at the University of Cambridge designed an aircraft equipped with a four-stroke internal combustion engine and a brushless motor [52]. Embry-Riddle Aeronautical University designed an aircraft equipped with a 75 kW engine and a 30 kW electric motor, which is powered by the engine during takeoff and by the electric motor during cruising. Diamond Aircraft and Siemens collaborated to create a state-of-the-art hybrid airplane. This hybrid propulsion system features a single thermal engine complete with a generator, complemented by a pair of electric motor units, battery sets, a converter, and a tri-blade propeller for enhanced performance and efficiency [53].
The hybrid electric propulsion system can utilize both traditional power sources and electric components to provide power output for propulsion devices. Compared to pure electric aircraft [54], the energy density of fuel is much higher than that of batteries, further enhancing the aircraft’s range. During the takeoff and climb phases of the flight, the power demand of the aircraft is much higher than during the cruise phase. In comparison to traditional thermal engines, hybrid electric propulsion systems can rely on electric motors to complement power during these phases.
Traditional thermal engines for hybrid electric propulsion systems include fuel cells, turbine engines, and internal combustion engines. In order to meet the further requirements of green aviation and reduce carbon emissions during aircraft operation, the application of hydrogen fuel in hybrid aviation propulsion systems has been under considerable scrutiny [55]. Compared to the various types of turbine engines, internal combustion engines impose fewer technical requirements when using hydrogen as fuel [8]. Therefore, hybrid power systems combining electric motors and hydrogen internal combustion engines have broad application prospects [56].
The hybrid power system of electric motors and hydrogen internal combustion engines has three structural forms, namely series, parallel, and series–parallel configurations [57]. Different hybrid power combination modes offer varying levels of power [58] and have different spatial and weight requirements, necessitating the selection of a suitable structure for hydrogen internal combustion engine–electric hybrid engines. The basic structures of the hybrid power systems are outlined below.
1. Series configuration
In a series hybrid power engine, electrical energy is used to power the aircraft. In the series configuration, the hydrogen internal combustion engine generates power for the generator, which directly supplies electricity to the electric motor and charges the battery or other energy storage devices. As the hydrogen internal combustion engine is not directly connected to the transmission, it can operate at optimal power settings. The structure of the series configuration is depicted in Figure 2.
2. Parallel configuration
The parallel hybrid power engine connects the hydrogen internal combustion engine and the electric motor through a mechanical transmission device, providing power to the same drive shaft. Depending on the system mode, each energy source can individually or collectively drive the shaft. In the parallel configuration, the hydrogen internal combustion engine can directly provide thrust to the aircraft through the mechanical transmission device. Simultaneously, the battery can convert chemical energy into electrical energy to drive the electric motor, which outputs mechanical work through the transmission device to provide thrust to the aircraft. Typically, during the cruising phase of the aircraft, thrust is solely provided by the electric motor, while during takeoff and climb phases, the hydrogen internal combustion engine and the electric motor work together to provide power to the aircraft through the transmission device. The structure of the parallel configuration is depicted in Figure 3.
3. Series–parallel configuration
The series–parallel power engine combines the characteristics of both series and parallel configurations. Like the parallel setup, the series–parallel power engine connects the hydrogen internal combustion engine and the electric motor through a mechanical transmission device, providing power to the same drive shaft. Not only can the hydrogen internal combustion engine directly supply thrust to the aircraft through the mechanical transmission device, as in the parallel configuration, but it can also convert mechanical energy into electrical energy through a generator, storing it in batteries. Simultaneously, the batteries provide energy to the electric motor, which then delivers thrust to the aircraft through the transmission device. The structure of the series–parallel configuration is depicted in Figure 4.
The series–parallel hybrid power engine integrates the advantages of both series and parallel configurations, ensuring that all power components operate optimally in structure. Simultaneously, it is easier to achieve the goal of reducing fuel emissions and consumption. Compared to the first two hybrid power modes, the series–parallel mode more effectively combines the two power devices, allowing the power system to maintain high mechanical efficiency while reducing fuel consumption and emissions. However, its complex system control mode poses significant challenges to the safety and reliability issues in the application of aircraft.

3.1.2. Hydrogen–Electric Hybrid Aviation Propulsion System

Figure 5 illustrates the system architecture of the hydrogen–electric hybrid aviation propulsion system employing series–parallel configuration, which serves as the subject of this risk analysis. The primary components consist of the following:
  • Engine control system;
  • Hydrogen internal combustion engine controller;
  • Electric motor controller;
  • Generator controller;
  • Hydrogen supply unit;
  • Power supply unit;
  • Hydrogen internal combustion engine;
  • Electric motor;
  • Generator;
  • Planetary gear mechanism.
Figure 5. Framework of hydrogen–electric hybrid power system.

3.2. Obtaining STPA Results

3.2.1. Construct Control Structure Model

Section 3.1.2 provides the foundation for constructing the control structure model: the primary system components are taken as the analytical entities, and a preliminary control structure is derived from the command execution architecture of the system. The model is then refined iteratively, aligning the preliminary model with the system architecture and its functional decomposition; control actions are translated into their specific implementation modalities, and critical analytical objects are added to deepen the analysis and ensure completeness. The cycle continues until the termination criteria set by the safety validation requirements are met. The control structure model focuses on the control and feedback behaviour of the physical system: controlling and controlled units are selected and the model is built as a set of control loops. Filtering out the non-control relationships in Figure 5 yields the control and feedback relationships of the system architecture shown in Figure 6. Based on Figure 6, the control structure model of the hydrogen–electric hybrid power system is established and presented in Figure 7.

3.2.2. Identify Unsafe Control Actions

The integrated analysis of Section 3.1.2 and the system architecture identifies four safety-critical classes of control action that require prioritized risk assessment:
  • Pilot → Engine control system: transmission of power demand commands.
  • Engine control system → Low-level controllers: distribution of control signals.
  • Low-level controllers → Actuators: execution of component-specific control signals.
  • System state monitoring → Pilot: feedback of operational status signals.
This framework extracts 11 distinct control actions from the control structure model, as systematically categorized in Table 1.
Each control action is analysed under the four UCA categories (A: not providing the action causes a hazard; B: providing it causes a hazard; C: providing it too early, too late or out of order causes a hazard; D: stopping it too soon or applying it too long causes a hazard), and the control actions that can lead to a hazard under each category are recorded as unsafe control actions. Table A1 lists the identified unsafe control actions.

3.2.3. Analyze Loss Scenarios

Loss scenarios are the inducing factors identified within the control loop of unsafe control actions. Unsafe control actions and loss scenarios are not in one-to-one correspondence. Each unsafe control action corresponds to one loss scenario, and each loss scenario may correspond to multiple unsafe control actions. The identification of loss scenarios includes two aspects: (1) identifying loss scenarios that lead to unsafe control actions, and (2) identifying loss scenarios where control actions are improperly executed or not executed.
  • Identifying loss scenarios that lead to unsafe control actions
Erroneous control actions issued by the controller can lead to hazardous events. Identifying these loss scenarios requires analyzing unsafe controller behaviors and inappropriate feedback information.
Unsafe controller behaviors aim to analyze the causes of unsafe control actions generated by the controller, including the following: the controller’s own failure, defects in control algorithms, abnormal control inputs, process model defects, etc. Among these, control algorithm defects are typically manifested as abnormal control action by the controller regarding factors such as the process model, historical control inputs, outputs, etc. For example: UCA 1-2: The pilot sent unintended power adjustment control commands to the engine control system. This unsafe control action may result from pilot decision-making failure. Therefore, a possible loss scenario is as follows: The pilot misinterprets correct signals from instruments, leading to an incorrect assessment of the aircraft’s status. Process model defects may arise from reasons such as the controller receiving abnormal signals or failing to correctly interpret signals after receipt. For example: UCA1-1: The pilot failed to send the required control commands to the engine control system. This unsafe control action may be caused by the pilot receiving erroneous signals from instruments, resulting in a misjudgment of the aircraft’s status. Therefore, a possible loss scenario is as follows: The pilot receives incorrect signals from instruments, unable to accurately assess the aircraft’s status.
Inappropriate feedback information aims to identify feedback information that causes the controller to issue unsafe control actions, including the following: failure to receive feedback or information, receiving incorrect feedback or information, etc.
  • Identifying loss scenarios where control actions are improperly executed or not executed
The correct issuance of control actions does not guarantee proper execution. The improper execution of control actions can also lead to hazards. These loss scenarios include loss scenarios in the control path and loss scenarios related to the controlled process. Loss scenarios in the control path aim to analyze reasons why control actions are not correctly transmitted to actuators, explaining whether control actions are properly sent by the controller and properly received by actuators, including the non-execution of control actions and the improper execution of control actions.
Loss scenarios related to the controlled process aim to analyze reasons why the controlled process fails to execute control actions correctly, including the non-execution of control actions and the improper execution of control actions.
Based on the UCA analysis results in Table A1, the loss scenarios can be determined as shown in Table A2.

3.3. Modeling BN Model

3.3.1. Constructing BN Topology Model

The construction of the BN topology is based on the STPA results, which determine the BN nodes, their states and the dependency relationships between them. Loss scenarios are the root nodes of the network (nodes without parents) and represent the starting points of risk events; the overall system failure is the leaf node (the node without children). Multiple manifestations of component failure described in the loss scenarios are merged into intermediate nodes, which represent the failure states of components or functional units viewed from different perspectives. Through the intermediate nodes, the risk status of local system functions and their impact on system-level risk can be observed. Connections between nodes express the probabilistic causal relationships between them and show how loss scenarios evolve into overall system failure under multi-factor interactions. The connectivity is hierarchical: root nodes point to intermediate nodes, and intermediate nodes point to the leaf node. Notably, interdependencies may exist between intermediate nodes, and these dependencies must be established from the system architecture to ensure analytical accuracy. Each node has two states, T (True) and F (False): T indicates that the event described by the node occurs, and F that it does not. The BN topology model is shown in Figure 8.
Based on node information, intermediate nodes are established to summarize functional abnormalities across broader scopes. Different colors represent distinct hierarchical levels of intermediate nodes, with abstraction increasing progressively from root nodes to leaf nodes. Initially, primary intermediate nodes merge root nodes of the same type. Subsequently, nodes such as “Error processing signal”, “Error sending signal”, “Receive error signal” and “Receive signal failure” categorize different types of failure modes. Finally, the nodes “Cause of unsafe control action” and “Unsafe control action executed” integrate these into two failure scenarios.

3.3.2. Calculate Probability Information

The input probabilities for the BN nodes are obtained by collecting expert opinion probabilities through expert evaluations and fusing them with D-S evidence theory. An expert's industry experience and position are common criteria for the multi-level assessment of the relative quality of expert opinions [59,60,61]. This study requires each participating expert to have at least 10 years of industry experience and to hold one of the following positions: Engineer, Project Supervisor, or Project Manager. Table 2 presents relevant information about the five selected experts.
Below is an introduction to the specific rules for expert evaluation and the basic procedures for processing expert data.
Experts may quantify their judgments about risk event likelihood using numerical values within the range [0.1, 0.9]. Table 3 categorizes this range into different levels of assessment criteria to constrain expert scoring within defined bounds. To account for variations in domain knowledge among experts, two submission options are provided:
  • Numerical Probability: Submit a specific value representing the perceived likelihood of a risk factor.
  • Declarative Option: Submit “DK” (Don’t Know) to abstain from evaluating events beyond their expertise.
Table 3. Expert evaluation of probability references.
Interval | Possibility
0.1–0.3 | Very Low Probability
0.3–0.5 | Low Probability
0.5–0.7 | Moderate Probability
0.7–0.9 | High Probability
The expert evaluation results need to be fused using the D-S evidence theory to generate a comprehensive probability value representing the collective expert opinion. Due to space constraints, this analysis focuses on the evaluation results of experts for node LS1 to demonstrate the complete fusion process of expert opinion probabilities.
The collected expert opinions are as follows: {0.45, 0.33, 0.25, 0.2, 0.4}.
The conflict factor $K$ between expert opinions is calculated; for example, $K_{12}$ denotes the conflict factor between Expert 1 and Expert 2.
Using Equation (2), the conflicting factors between expert opinions were calculated and presented as a conflict heatmap, as shown in Figure 9.
The total conflict degree $K_i$ is computed for each expert. Taking Expert 1 as an example, $K_1$ is the sum of all pairwise conflict factors involving Expert 1:
$$K_1 = K_{12} + K_{13} + K_{14} + K_{15} = 0.49 + 0.47 + 0.475 + 0.483 = 1.918$$
Then the contribution factor $\omega_i$ of each expert to the propositions {T} and {F} is calculated, again taking Expert 1 as an example:
$$\omega_1\{T\} = \frac{m_1(\{T\})^2 \, K_1}{\sum_X m_1(X)^2} \approx 0.769$$
$$\omega_1\{F\} = \frac{m_1(\{F\})^2 \, K_1}{\sum_X m_1(X)^2} \approx 1.149$$
The contribution of each expert to propositions {T} and {F} is calculated by the expert contribution factor, and the contribution of each expert is combined and normalized to obtain the BPA reallocation result for propositions {T} and {F}. The allocation result transforms the average expert assessment of state likelihood into a nodal probability distribution.
The allocation results are then converted into failure probability values, which serve as the input information for constructing the BN model. The fused BPA for proposition {T}, $m_T$, is passed through Equation (9) to obtain the corresponding failure probability:
$$FP = \begin{cases} \dfrac{1}{10^{\,2.301 \left(\frac{1 - m_T}{m_T}\right)^{1/3}}} & \text{if } m_T \neq 0 \\[6pt] 0 & \text{if } m_T = 0 \end{cases}$$
By the above method, the calculation results are all displayed in Table 4.
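The fusion procedure of this subsection, implemented end to end as an added Python example (this is not the authors' code). It reproduces the Expert 1 figures quoted above for node LS1 ($K_1 = 1.918$, $\omega_1\{T\} \approx 0.769$, $\omega_1\{F\} \approx 1.149$) from the listed opinions, handles the "DK" abstention of Table 3, and carries the fused BPA through Equation (9). Two assumptions are made where the text is not explicit: the per-expert contribution factors are summed over the experts and the two totals normalised to obtain the reallocated BPA, and Equation (9) is taken in its standard form with the cube-root exponent (the form known as Onisawa's function). Both are consistent with the page, since together they give $m_T \approx 0.2195$ for LS1 and a prior of $3.07 \times 10^{-4}$, the value listed for LS1 in Table A2.

```python
"""Fuse expert opinions for one BN root node (Section 3.3.2): pairwise conflict
K_ij, total conflict K_i, contribution factors omega_i{X}, normalised reallocation
to {T}/{F}, and conversion to a failure probability with Equation (9)."""
from itertools import combinations
from typing import Dict, List, Sequence, Union

Opinion = Union[float, str]   # a likelihood on the Table 3 scale, or "DK"
BPA = Dict[str, float]        # basic probability assignment over {T} and {F}


def opinions_to_bpas(opinions: Sequence[Opinion]) -> List[BPA]:
    """Drop "DK" abstentions, enforce the [0.1, 0.9] scale, build m_i({T}), m_i({F})."""
    bpas: List[BPA] = []
    for o in opinions:
        if o == "DK":
            continue
        p = float(o)
        if not 0.1 <= p <= 0.9:
            raise ValueError(f"opinion {o!r} is outside the Table 3 scale [0.1, 0.9]")
        bpas.append({"T": p, "F": 1.0 - p})
    if len(bpas) < 2:
        raise ValueError("conflict is undefined with fewer than two numeric opinions")
    return bpas


def pairwise_conflict(m_i: BPA, m_j: BPA) -> float:
    """Equation (2): mass two experts place on mutually exclusive propositions."""
    return m_i["T"] * m_j["F"] + m_i["F"] * m_j["T"]


def total_conflict(bpas: Sequence[BPA]) -> List[float]:
    """K_i = sum over every other expert j of K_ij."""
    k = [0.0] * len(bpas)
    for i, j in combinations(range(len(bpas)), 2):
        k_ij = pairwise_conflict(bpas[i], bpas[j])
        k[i] += k_ij
        k[j] += k_ij
    return k


def contribution_factors(bpas: Sequence[BPA], k: Sequence[float]) -> List[BPA]:
    """omega_i{X} = m_i(X)^2 * K_i / sum_Y m_i(Y)^2; gives 0.769 / 1.149 for Expert 1."""
    out: List[BPA] = []
    for m, k_i in zip(bpas, k):
        norm = sum(v * v for v in m.values())
        out.append({x: m[x] ** 2 * k_i / norm for x in m})
    return out


def fuse(opinions: Sequence[Opinion]) -> BPA:
    """Reallocated BPA for the node. Assumption (not spelled out in the paper): the
    per-expert contributions are summed over experts and the totals normalised."""
    bpas = opinions_to_bpas(opinions)
    omegas = contribution_factors(bpas, total_conflict(bpas))
    summed = {x: sum(w[x] for w in omegas) for x in ("T", "F")}
    z = summed["T"] + summed["F"]
    return {x: v / z for x, v in summed.items()}


def failure_probability(m_t: float) -> float:
    """Equation (9): FP = 1 / 10^(2.301 * ((1 - m_T) / m_T)^(1/3)), and 0 when m_T = 0.
    The cube-root exponent is the standard (Onisawa) form; with it the fused LS1
    value maps to the 3.07e-4 prior listed in Table A2."""
    if m_t == 0.0:
        return 0.0
    exponent = 2.301 * ((1.0 - m_t) / m_t) ** (1.0 / 3.0)
    return 1.0 / 10.0 ** exponent


def node_prior(opinions: Sequence[Opinion]) -> float:
    """Expert opinions for one node -> prior failure probability for the BN."""
    return failure_probability(fuse(opinions)["T"])


if __name__ == "__main__":
    ls1 = [0.45, 0.33, 0.25, 0.2, 0.4]   # the LS1 opinions quoted in the text
    k = total_conflict(opinions_to_bpas(ls1))
    omega_1 = contribution_factors(opinions_to_bpas(ls1), k)[0]
    print(f"K_1 = {k[0]:.3f}, omega_1{{T}} = {omega_1['T']:.3f}, omega_1{{F}} = {omega_1['F']:.3f}")
    print(f"m(T) = {fuse(ls1)['T']:.4f}, prior FP = {node_prior(ls1):.2e}")
```

Taking the experts in the order of the listed opinions gives $K_{12} = 0.483$, $K_{13} = 0.475$, $K_{14} = 0.47$ and $K_{15} = 0.49$; Figure 9 quotes the same four values in a different order, so the expert order in the heatmap differs from the listed order, but $K_1$ is unaffected. The range check rejects opinions outside the Table 3 scale, and fewer than two numeric opinions raise an error because conflict, and hence the contribution factors, is undefined for a single expert.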
The probabilities of the different node types are obtained in different ways. The prior probabilities of the root nodes are the failure probabilities obtained by transforming the fused expert opinions; all root node priors are listed in Table A2. The conditional probability tables of the intermediate nodes and of the leaf node are built from 0 and 1 only, so that each of these nodes behaves as a deterministic OR of its parents: when all parent nodes are in state F, the conditional probabilities are set to T: 0, F: 1; when at least one parent node is in state T, they are set to T: 1, F: 0.

3.4. Result Analysis and Discussion

Aircraft cannot operate without safety constraints. The quantitative results of the BN show which scenarios can occur in an aircraft and which factors mainly lead to risk events. To keep aircraft risk within acceptable limits, the safety constraints in the vulnerable areas identified by the analysis must be strengthened.
According to the BN topology and probability information, to construct the BN model, probabilistic information needs to be brought to the corresponding position in the BN and the forward calculation needs to be completed, as shown in Figure 10.
The risk node is set as the evidence node, and the probability of risk state is set to 1. This indicates that the fault in the hydrogen–electric hybrid system has been identified. The probability of causation for each node related to risk events is calculated. A higher probability of causation indicates that the abnormal state represented by the node is more likely to cause a fault in the hydrogen–electric hybrid system. The posterior probabilities of all nodes are calculated and presented in Figure 11.
The evidence is propagated backwards in a Bayesian manner and allocated step by step towards the root nodes, giving the relative likelihood of occurrence of each risk factor within the risk event. Progressing from the leaf node to the root nodes, the subject described by the posterior probabilities converges towards specific component failure modes. The posterior probabilities of the root nodes LS1 to LS52 represent the relative likelihood that the causal scenarios identified in the STPA results trigger system failure. Intermediate nodes show the likelihood of risk events caused by abnormal functional units with varying scopes of impact. The BN results therefore expose a multi-level cascading risk propagation network leading to system failure, together with the relative likelihood that the event represented by each node triggers the system hazard.
The posterior probabilities of the root nodes are detailed in Table A2, and Figure 12 visualizes them for direct comparison. The posterior probabilities of nodes LS2, LS5, LS1, LS50, LS6, LS48, LS3, LS49 and LS4 are significantly higher than those of the other nodes; these loss scenarios are therefore identified as the main root causes of system failure.
Sensitivity analysis is commonly used to test the robustness of a BN model and to identify the components that carry the most risk. The risk node is entered as the evidence node and the posterior probabilities of the other nodes are computed by backward inference from it. The rate of change (RoV) of the posterior probability relative to the prior probability is calculated with Equation (10); it shows the strength of association between a node and the risk node, and a larger RoV means that the failure mode represented by the node is more significant for the risk event.
$$\mathrm{RoV} = \frac{P(A \mid E) - P(A)}{P(A)}$$
where $P(A)$ is the prior probability of variable A and $P(A \mid E)$ is its posterior probability given evidence E.
RoV values illustrate the extent to which these underlying causal events influence risk events. The sensitivity ranking for the key nodes mentioned is LS2, LS3, LS4, LS49, LS50, LS48, LS6, LS5 and LS1.
In addition, among the intermediate nodes the posterior probability of the human factor node is significantly higher than that of the other nodes. Human factors are an important concern in civil aviation safety, and even though the hydrogen–electric hybrid propulsion system introduces safety risks of its own, the main cause of risk events for the aircraft is still personnel issues. Secondly, damage to instrumentation equipment is also a major cause of risk. The safety assurance level of instrumentation equipment in aviation is lower than that of power systems, so its failure rate is higher. Although an instrumentation failure does not directly affect the operation of the aircraft, it makes the pilot more prone to misjudgment, which may lead to serious aircraft safety events.

3.5. Validation

The effectiveness of the BN model can be tested through three axioms. Below is a partial node validation process.
Axiom 1: Change the prior probability of a parent node and observe the changes in the posterior probability of its child nodes to determine whether Axiom 1 is satisfied. Here, the node “Pilot operation error” is selected for analysis. The parent nodes of this node are LS1, LS5 and “Fails to correctly convert status signal”. By resetting the probability of state T in each parent node to 100% and 0%, respectively, and comparing the results with the child node probabilities under the original conditions, the outcomes shown in Table 5 are obtained. The results in the table demonstrate that Axiom 1 is satisfied.
Axiom 2: Set equal-amplitude changes in the subjective probabilities of parent nodes and observe the corresponding trend in the probability changes in the child node. As shown in Figure 13, the node “Pilot operation error” is selected, with curves illustrating the trend of its state changes influenced by variations in parent node probabilities. Each curve in the figure evidently shows that the child node has a consistent rate of change with the parent node, validating Axiom 2.
Axiom 3: Select the node “Cause of unsafe control action” along with its parent nodes “Human factor” and “Error sending signal” as an example for validating Axiom 3. By increasing the probability of the parent node “T” to 1 separately and collectively, and comparing the results as shown in Table 6, Axiom 3 is validated.
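The CPT rule of Section 3.3.2, the backward inference and RoV of Section 3.4 and the axiom checks of this subsection, worked through as an added Python example (not the authors' code or BN tool). The network is a constructed fragment: the node names are taken from Figure 8 and Section 3.5 and the root priors from Table A2, but the grouping of LS1/LS5 and LS7/LS13 under the intermediate nodes is an illustrative assumption rather than the paper's full topology. Inference is done by exact enumeration over the root nodes, which is adequate for a fragment this size and makes every number checkable by hand.

```python
"""Deterministic-OR Bayesian network fragment: forward probability, backward
inference with the leaf as evidence, RoV sensitivity, and the axiom checks of
Section 3.5, all by exact enumeration over the root nodes."""
from itertools import product
from typing import Dict, Iterator, List, Optional, Sequence, Tuple

# Constructed fragment (assumption): names follow Figure 8 / Section 3.5 and the root
# priors are the Table A2 values, but the grouping is illustrative, not the paper's
# full topology.
ROOT_PRIORS: Dict[str, float] = {
    "LS1": 3.07e-4,
    "LS5": 4.95e-4,
    "LS7": 1.44e-8,
    "LS13": 1.48e-7,
}
# Intermediate and leaf nodes as OR gates, in topological order (parents first).
OR_GATES: Dict[str, List[str]] = {
    "Pilot operation error": ["LS1", "LS5"],
    "Human factor": ["Pilot operation error"],
    "Error sending signal": ["LS7", "LS13"],
    "Cause of unsafe control action": ["Human factor", "Error sending signal"],
    "System failure": ["Cause of unsafe control action"],
}
LEAF = "System failure"


def or_gate_cpt(parent_states: Sequence[bool]) -> float:
    """Section 3.3.2 CPT rule: P(T) = 1 if at least one parent is T, else 0."""
    return 1.0 if any(parent_states) else 0.0


def worlds(priors: Dict[str, float], gates: Dict[str, List[str]]
           ) -> Iterator[Tuple[Dict[str, bool], float]]:
    """Every joint assignment of the roots with its probability, gates propagated."""
    roots = list(priors)
    for bits in product((False, True), repeat=len(roots)):
        world = dict(zip(roots, bits))
        prob = 1.0
        for r, b in zip(roots, bits):
            prob *= priors[r] if b else 1.0 - priors[r]
        for node, parents in gates.items():
            world[node] = or_gate_cpt([world[p] for p in parents]) == 1.0
        yield world, prob


def marginals(priors: Dict[str, float], gates: Dict[str, List[str]],
              evidence: Optional[Dict[str, bool]] = None) -> Dict[str, float]:
    """P(node = T | evidence) for every node, by summing the consistent worlds."""
    evidence = evidence or {}
    total = 0.0
    mass = {n: 0.0 for n in (*priors, *gates)}
    for world, prob in worlds(priors, gates):
        if any(world[k] != v for k, v in evidence.items()):
            continue
        total += prob
        for n in mass:
            if world[n]:
                mass[n] += prob
    if total == 0.0:
        raise ValueError("evidence is impossible under this network")
    return {n: m / total for n, m in mass.items()}


def closed_form_failure_probability(priors: Dict[str, float]) -> float:
    """Independent check: for pure OR gates P(leaf) = 1 - prod(1 - p_i)."""
    q = 1.0
    for p in priors.values():
        q *= 1.0 - p
    return 1.0 - q


def rate_of_variation(prior: float, posterior: float) -> float:
    """Equation (10): RoV = (P(A|E) - P(A)) / P(A)."""
    return (posterior - prior) / prior


def backward_inference(priors: Dict[str, float], gates: Dict[str, List[str]],
                       leaf: str = LEAF):
    """Section 3.4: set the leaf to T; return (P(leaf), root posteriors, root RoV)."""
    before = marginals(priors, gates)
    after = marginals(priors, gates, {leaf: True})
    rov = {r: rate_of_variation(before[r], after[r]) for r in priors}
    return before[leaf], {r: after[r] for r in priors}, rov


def axiom1_holds(priors, gates, parent: str, child: str) -> bool:
    """Raising the parent to T must raise the child; lowering it to F must lower it."""
    base = marginals(priors, gates)[child]
    up = marginals(priors, gates, {parent: True})[child]
    down = marginals(priors, gates, {parent: False})[child]
    return down <= base <= up and up > down


def axiom3_holds(priors, gates, parents: Sequence[str], child: str) -> bool:
    """All parents set to T must influence the child at least as much as any one."""
    joint = marginals(priors, gates, {p: True for p in parents})[child]
    return all(joint >= marginals(priors, gates, {p: True})[child] for p in parents)


if __name__ == "__main__":
    p_fail, post, rov = backward_inference(ROOT_PRIORS, OR_GATES)
    print(f"P({LEAF}) = {p_fail:.3e}")
    for r in sorted(post, key=post.get, reverse=True):
        print(f"{r:5s} prior {ROOT_PRIORS[r]:.2e} posterior {post[r]:.3e} RoV {rov[r]:.1f}")
    print("axiom 1:", axiom1_holds(ROOT_PRIORS, OR_GATES, "LS1", "Pilot operation error"))
    print("axiom 3:", axiom3_holds(ROOT_PRIORS, OR_GATES,
                                   ["Human factor", "Error sending signal"],
                                   "Cause of unsafe control action"))
```

With noise-free OR gates and independent roots, the posterior of every root is its prior divided by $P(\text{System failure})$, so the RoV is the same for all roots, namely $1/P(\text{leaf}) - 1$; a ranking of the kind reported in Section 3.4 can only arise once the CPTs or the dependencies between intermediate nodes depart from this pure OR form, which is why the interdependencies noted in Section 3.3.1 matter for the sensitivity result. The closed-form check $1 - \prod_i (1 - p_i)$ is a useful regression test when the same network is later built in a BN tool.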

4. Conclusions

This study establishes a risk analysis method based on STPA, D-S evidence theory and BN. The proposed framework integrates qualitative and quantitative approaches to achieve comprehensive risk analysis for hydrogen–electric hybrid aviation propulsion systems. This method is applicable during the early aircraft design phase and enables quantitative risk factor identification without relying on extensive empirical data. The methodology consists of two main stages: (1) Risk element identification via STPA: Construct a control feedback model based on the system’s hierarchical control structure; extract critical control actions and potential UCAs. Analyze system loss scenarios triggered by UCAs. (2) BN construction and risk quantification: Define BN nodes, states and interdependencies based on STPA results to build the BN topology; apply D-S evidence theory with the PCR6 rule to fuse expert evaluations and assign prior probabilities to BN nodes; perform backward inference by setting system failure as evidence to compute posterior probabilities of nodes; identify critical risk nodes driving system failures through posterior probability analysis.
Furthermore, STPA can identify risks based on system control structures and demonstrates efficient risk identification capabilities for automated systems and human–machine interaction systems under complex working conditions. D-S evidence theory can integrate multi-source information such as historical data and expert experience to derive failure probabilities that closely approximate objective reality, requiring only existing data to build the foundational dataset for risk analysis. BN models excel at capturing and quantifying risk influence networks, making them suitable for the quantitative risk analysis of interdependent risks in large-scale complex systems. In summary, the method proposed in this paper, after proper modifications tailored to specific application scenarios, may be applicable to the risk analysis of complex systems in other domains.
In future studies, sufficient simulated data and real operational data can be accumulated. These datasets can serve as updated input sources for risk analysis models. By assigning weights to multi-source data involved in fusion (reflecting their relative information contribution ratios), Dempster–Shafer evidence theory can be utilized for multi-source information integration. Iteratively executing this risk analysis process will yield increasingly robust results.

Author Contributions

Conceptualization, X.D. and M.S.; methodology, Y.S. and H.L.; software, Y.S.; validation, H.L. and Z.Y.; formal analysis, X.D.; investigation, M.Z.; resources, X.D.; data curation, Y.S.; writing—original draft preparation, X.D. and Y.S.; writing—review and editing, X.D., M.S. and W.D.; visualization, Z.Y. and M.Z.; supervision, H.L. and W.D.; funding acquisition, X.D. and W.D. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Data available on request from the authors.

Conflicts of Interest

The authors declare that they have no known competing financial interests.

Abbreviations

The following abbreviations are used in this manuscript:
D-S (evidence theory) | Dempster–Shafer (evidence theory)
PCR6 | Proportional Conflict Redistribution Rule No. 6
STPA | System-Theoretic Process Analysis
BN | Bayesian Network
BPA | Basic probability assignment
K | Conflict Factor
DK | Don't Know
RoV | Rate of change

Appendix A. Partial Results of STPA Risk Factor Identification and Probability Information

Table A1. Identification of unsafe control actions.
Control Action | Category | Unsafe Control Action
CA-1 | A | UCA 1-1: The pilot failed to send the required control commands to the engine control system.
CA-1 | B | UCA 1-2: The pilot sent unintended power adjustment control commands to the engine control system.
CA-1 | C | UCA 1-3: The pilot issued power adjustment control commands to the engine control system at incorrect timing.
CA-1 | C | UCA 1-4: The pilot’s control commands to the engine control system exhibited signal fluctuations or were unordered.
CA-1 | D | UCA 1-5: The pilot stopped power adjustment before the aircraft met the required flight power demand.
CA-1 | D | UCA 1-6: The pilot failed to stop power adjustment after the aircraft met the required flight power demand.
CA-2 | A | UCA 2-1: The engine control system failed to send the necessary control commands to the hydrogen internal combustion engine controller.
CA-2 | B | UCA 2-2: When adjusting the output power of the hydrogen internal combustion engine was required, the engine control system sent unintended control commands to the hydrogen internal combustion engine controller.
CA-2 | B | UCA 2-3: When no adjustment to the hydrogen internal combustion engine power was needed, the aircraft control system sent unnecessary control commands to the hydrogen internal combustion engine controller.
CA-2 | C | UCA 2-4: The engine control system sent control commands to the hydrogen internal combustion engine controller either too early or too late.
CA-2 | C | UCA 2-5: The engine control system sent control commands to the hydrogen internal combustion engine controller with signal fluctuations or in an unordered manner.
CA-2 | D | UCA 2-6: When changing the output power of the hydrogen internal combustion engine was required, the engine control system maintained the original control actions for too long.
CA-2 | D | UCA 2-7: When changing the output power of the hydrogen internal combustion engine was required, the engine control system maintained the original control actions for too short a time.
CA-3 | A | UCA 3-1: The engine control system failed to send commands to the electric motor controller as per the expected requirements.
CA-3 | B | UCA 3-2: When adjusting the output power of the electric motor was required, the engine control system sent unintended control commands to the electric motor controller.
CA-3 | B | UCA 3-3: When no adjustment to the electric motor power was needed, the aircraft control system sent unnecessary control commands to the electric motor controller.
CA-3 | C | UCA 3-4: The engine control system sent control commands to the electric motor controller either too early or too late.
CA-3 | C | UCA 3-5: The engine control system sent control commands to the electric motor controller with signal fluctuations or in an unordered manner.
CA-3 | D | UCA 3-6: When changing the output power of the electric motor was required, the engine control system maintained the original control actions for too long.
CA-3 | D | UCA 3-7: When changing the output power of the electric motor was required, the engine control system maintained the original control actions for too short a time.
CA-4 | A | UCA 4-1: The engine control system failed to send the necessary control commands to the generator controller.
CA-4 | B | UCA 4-2: The engine control system sent incorrect control signals to the generator controller.
CA-4 | C | UCA 4-3: The engine control system sent control commands to the generator controller too early.
CA-4 | C | UCA 4-4: The engine control system sent control commands to the generator controller too late.
CA-4 | C | UCA 4-5: The engine control system sent control commands to the generator controller with signal fluctuations or in an unordered manner.
CA-5 | A | UCA 5-1: The engine control system failed to send hydrogen supply commands to the hydrogen supply device as per the expected requirements.
CA-5 | B | UCA 5-2: When hydrogen was needed, the engine control system provided incorrect hydrogen supply commands to the hydrogen supply device.
CA-5 | B | UCA 5-3: When hydrogen was not needed, the engine control system sent unnecessary hydrogen supply commands to the hydrogen supply device.
CA-5 | C | UCA 5-4: The engine control system sent hydrogen supply commands to the hydrogen supply device too early.
CA-5 | C | UCA 5-5: The engine control system sent control commands to the hydrogen supply device with signal fluctuations or in an unordered manner.
CA-5 | D | UCA 5-6: When changing the hydrogen flow rate of the hydrogen supply device was required, the engine control system maintained the original control actions for too long.
CA-5 | D | UCA 5-7: When changing the hydrogen flow rate of the hydrogen supply device was required, the engine control system maintained the original control actions for too short a time.
CA-6 | A | UCA 6-1: The engine control system failed to send power supply commands to the power supply device as per the expected requirements.
CA-6 | B | UCA 6-2: When power was needed, the engine control system provided incorrect power supply commands to the power supply device.
CA-6 | B | UCA 6-3: When power was not needed, the engine control system sent unnecessary power supply commands to the power supply device.
CA-6 | C | UCA 6-4: The engine control system sent power supply commands to the power supply device too early.
CA-6 | C | UCA 6-5: The engine control system sent control commands to the power supply device with signal fluctuations or in an unordered manner.
CA-6 | D | UCA 6-6: When changing the power output of the power supply device was required, the engine control system maintained the original control actions for too long.
CA-6 | D | UCA 6-7: When changing the power output of the power supply device was required, the engine control system maintained the original control actions for too short a time.
CA-7 | A | UCA 7-1: After the engine control system issued commands, the hydrogen internal combustion engine controller failed to successfully transmit the commands to the hydrogen internal combustion engine.
CA-7 | B | UCA 7-2: After the engine control system issued commands, the hydrogen internal combustion engine controller provided incorrect instructions to the hydrogen internal combustion engine.
CA-7 | B | UCA 7-3: When the hydrogen internal combustion engine did not need to operate, the hydrogen internal combustion engine controller sent unnecessary instructions to the hydrogen internal combustion engine.
CA-7 | C | UCA 7-4: The hydrogen internal combustion engine control system sent instructions to the hydrogen internal combustion engine too early.
CA-7 | C | UCA 7-5: The hydrogen internal combustion engine controller sent control commands to the hydrogen internal combustion engine with signal fluctuations or in an unordered manner.
CA-7 | D | UCA 7-6: When changing the output power of the hydrogen internal combustion engine was required, the hydrogen internal combustion engine controller maintained the original control actions for too long.
CA-7 | D | UCA 7-7: When changing the output power of the hydrogen internal combustion engine was required, the hydrogen internal combustion engine controller maintained the original control actions for too short a time.
CA-8 | A | UCA 8-1: After the engine control system issued commands, the electric motor controller failed to successfully transmit the commands to the electric motor.
CA-8 | B | UCA 8-2: After the engine control system issued commands, the electric motor controller provided incorrect instructions to the electric motor.
CA-8 | B | UCA 8-3: When the electric motor did not need to operate, the electric motor controller sent unnecessary instructions to the electric motor.
CA-8 | C | UCA 8-4: The electric motor control system sent instructions to the electric motor too early.
CA-8 | C | UCA 8-5: The electric motor controller sent control commands to the electric motor with signal fluctuations or in an unordered manner.
CA-8 | D | UCA 8-6: When changing the output power of the electric motor was required, the electric motor controller maintained the original control actions for too long.
CA-8 | D | UCA 8-7: When changing the output power of the electric motor was required, the electric motor controller maintained the original control actions for too short a time.
CA-9 | A | UCA 9-1: After the engine control system issued commands, the generator controller failed to successfully transmit the commands to the generator.
CA-9 | B | UCA 9-2: After the engine control system issued commands, the generator controller provided incorrect instructions to the generator.
CA-9 | B | UCA 9-3: When the generator did not need to operate, the generator controller sent unnecessary instructions to the generator.
CA-9 | C | UCA 9-4: The generator control system sent instructions to the generator too early.
CA-9 | C | UCA 9-5: The generator controller sent control commands to the generator with signal fluctuations or in an unordered manner.
CA-10 | A | UCA 10-1: The power system status signals failed to be successfully sent to the instrument equipment.
CA-10 | B | UCA 10-2: The instrument equipment received incorrect power system status signals.
CA-10 | C | UCA 10-3: The instrument equipment received power system status signals with fluctuations and in a disordered sequence.
CA-10 | C | UCA 10-4: The status signals received by the instrument equipment were delayed compared to the actual power system status.
CA-11 | A | UCA 11-1: The instrument visual information could not be successfully identified by the pilot.
CA-11 | B | UCA 11-2: The instrument visualization system displayed incorrect information.
CA-11 | C | UCA 11-3: The instrument equipment displayed information with fluctuations and in a disordered sequence.
CA-11 | C | UCA 11-4: The data signals from the instrument equipment were delayed compared to the actual power system status.
A: Not providing causes hazard. B: Providing causes hazard. C: Too early, too late, out of order causes a hazard. D: Stopped too soon, applied too long causes hazard.
Table A2. Loss scenario analysis results and root node probability information.

| Number | Loss Scenarios | Prior Probability | Posterior Probability |
|---|---|---|---|
| LS1 | Inadequate flight training for the pilot; unfamiliar with necessary flight operations. | 3.07 × 10^−4 | 1.90 × 10^−1 |
| LS2 | The pilot experiences physiological issues such as illness, blindness, seizures, or shock, preventing normal operation of the aircraft. | 3.60 × 10^−4 | 4.08 × 10^−1 |
| LS3 | The control system’s operating equipment is damaged; unable to execute commands properly. | 2.25 × 10^−6 | 2.55 × 10^−3 |
| LS4 | The pilot receives incorrect signals from instruments, unable to accurately assess the aircraft’s status. | 1.27 × 10^−6 | 1.38 × 10^−3 |
| LS5 | The pilot misinterprets correct signals from instruments, leading to an incorrect assessment of the aircraft’s status. | 4.95 × 10^−4 | 3.06 × 10^−1 |
| LS6 | Delay in instrument communication, causing signals to reach the pilot too late. | 5.76 × 10^−6 | 6.28 × 10^−3 |
| LS7 | The pilot issues instructions to the engine control system, but the signal is lost upon reception by the control system. | 1.44 × 10^−8 | 1.57 × 10^−5 |
| LS8 | The pilot issues instructions to the engine control system, but the signal is distorted upon reception by the control system. | 4.94 × 10^−8 | 5.38 × 10^−5 |
| LS9 | The engine control system fails to correctly interpret the control instructions received from the pilot. | 3.37 × 10^−8 | 3.67 × 10^−5 |
| LS10 | The engine control system does not receive status information feedback from the hydrogen internal combustion engine controller; unable to accurately assess its operational state. | 2.10 × 10^−7 | 2.29 × 10^−4 |
| LS11 | The engine control system receives inaccurate status information feedback from the hydrogen internal combustion engine controller, leading to an incorrect assessment of its operational state. | 3.98 × 10^−7 | 4.34 × 10^−4 |
| LS12 | After receiving feedback signals from the hydrogen internal combustion engine controller, the engine control system fails to successfully parse the feedback signals. | 4.67 × 10^−8 | 5.08 × 10^−5 |
| LS13 | The signal generation device in the engine control system is faulty, resulting in the failure to transmit command signals to the hydrogen internal combustion engine controller or the transmission of incorrect signals. | 1.48 × 10^−7 | 4.59 × 10^−5 |
| LS14 | The engine control system does not receive status information feedback from the electric motor controller; unable to accurately assess its operational state. | 1.67 × 10^−7 | 1.82 × 10^−4 |
| LS15 | The engine control system receives inaccurate status information feedback from the electric motor controller, leading to an incorrect assessment of its operational state. | 3.98 × 10^−7 | 4.34 × 10^−4 |
| LS16 | After receiving feedback signals from the electric motor controller, the engine control system fails to successfully parse the feedback signals. | 5.86 × 10^−8 | 6.38 × 10^−5 |
| LS17 | The signal generation device in the engine control system is faulty, resulting in the failure to transmit command signals to the electric motor controller or the transmission of incorrect signals. | 1.35 × 10^−7 | 4.18 × 10^−5 |
| LS18 | The engine control system does not receive status information feedback from the generator controller; unable to accurately assess its operational state. | 2.10 × 10^−7 | 2.29 × 10^−4 |
| LS19 | The engine control system receives inaccurate status information feedback from the generator controller, leading to an incorrect assessment of its operational state. | 2.40 × 10^−7 | 2.61 × 10^−4 |
| LS20 | After receiving feedback signals from the generator controller, the engine control system fails to successfully parse the feedback signals. | 5.87 × 10^−8 | 6.39 × 10^−5 |
| LS21 | The signal generation device in the engine control system is faulty, resulting in the failure to transmit command signals to the generator controller or the transmission of incorrect signals. | 1.35 × 10^−7 | 4.18 × 10^−5 |
| LS22 | The engine control system does not receive status information feedback from the hydrogen supply unit; unable to accurately assess its operational state. | 1.67 × 10^−7 | 1.82 × 10^−4 |
| LS23 | The engine control system receives inaccurate status information feedback from the hydrogen supply unit, leading to an incorrect assessment of its operational state. | 2.52 × 10^−7 | 2.75 × 10^−4 |
| LS24 | After receiving feedback signals from the hydrogen supply unit, the engine control system fails to successfully parse the feedback signals. | 5.97 × 10^−8 | 6.50 × 10^−5 |
| LS25 | The signal generation device in the engine control system is faulty, resulting in the failure to transmit command signals to the hydrogen supply unit or the transmission of incorrect signals. | 7.67 × 10^−8 | 2.38 × 10^−5 |
| LS26 | The engine control system does not receive status information feedback from the power supply unit; unable to accurately assess its operational state. | 1.78 × 10^−7 | 1.94 × 10^−4 |
| LS27 | The engine control system receives inaccurate status information feedback from the power supply unit, leading to an incorrect assessment of its operational state. | 1.90 × 10^−7 | 2.07 × 10^−4 |
| LS28 | After receiving feedback signals from the power supply unit, the engine control system fails to successfully parse the feedback signals. | 5.97 × 10^−8 | 6.50 × 10^−5 |
| LS29 | The signal generation device in the engine control system is faulty, resulting in the failure to transmit command signals to the power supply unit or the transmission of incorrect signals. | 1.23 × 10^−7 | 3.80 × 10^−5 |
| LS30 | The engine control system issues instructions to the hydrogen internal combustion engine controller, but the signal is lost or distorted upon reception by the controller. | 2.25 × 10^−7 | 2.45 × 10^−4 |
| LS31 | The hydrogen internal combustion engine controller fails to correctly interpret the instructions received from the engine control system. | 1.44 × 10^−7 | 1.57 × 10^−4 |
| LS32 | The hydrogen internal combustion engine controller does not receive status information feedback from the hydrogen internal combustion engine; unable to accurately assess its operational state. | 1.30 × 10^−7 | 1.41 × 10^−4 |
| LS33 | The hydrogen internal combustion engine controller receives inaccurate status information feedback from the hydrogen internal combustion engine, leading to an incorrect assessment of its operational state. | 2.37 × 10^−7 | 2.58 × 10^−4 |
| LS34 | After receiving feedback signals from the hydrogen internal combustion engine, the hydrogen internal combustion engine controller fails to successfully parse the feedback signals. | 7.11 × 10^−8 | 7.74 × 10^−5 |
| LS35 | The signal generation device in the hydrogen internal combustion engine controller is faulty, resulting in the failure to transmit command signals to the hydrogen internal combustion engine or the transmission of incorrect signals. | 2.91 × 10^−7 | 9.02 × 10^−5 |
| LS36 | The engine control system issues instructions to the electric motor controller, but the signal is lost or distorted upon reception by the controller. | 1.99 × 10^−7 | 2.17 × 10^−4 |
| LS37 | The electric motor controller fails to correctly interpret the instructions received from the engine control system. | 1.79 × 10^−7 | 1.95 × 10^−4 |
| LS38 | The electric motor controller does not receive status information feedback from the electric motor; unable to accurately assess its operational state. | 1.12 × 10^−7 | 1.22 × 10^−4 |
| LS39 | The electric motor controller receives inaccurate status information feedback from the electric motor, leading to an incorrect assessment of its operational state. | 2.37 × 10^−7 | 2.58 × 10^−4 |
| LS40 | After receiving feedback signals from the electric motor, the electric motor controller fails to successfully parse the feedback signals. | 7.11 × 10^−8 | 7.74 × 10^−5 |
| LS41 | The signal generation device in the electric motor controller is faulty, resulting in the failure to transmit command signals to the electric motor or the transmission of incorrect signals. | 2.19 × 10^−7 | 6.80 × 10^−5 |
| LS42 | The engine control system issues instructions to the generator controller, but the signal is lost or distorted upon reception by the controller. | 1.58 × 10^−7 | 1.72 × 10^−4 |
| LS43 | The generator controller fails to correctly interpret the instructions received from the engine control system. | 1.04 × 10^−7 | 1.14 × 10^−4 |
| LS44 | The generator controller does not receive status information feedback from the generator; unable to accurately assess its operational state. | 1.12 × 10^−7 | 1.22 × 10^−4 |
| LS45 | The generator controller receives inaccurate status information feedback from the generator, leading to an incorrect assessment of its operational state. | 2.13 × 10^−7 | 2.32 × 10^−4 |
| LS46 | After receiving feedback signals from the generator, the generator controller fails to successfully parse the feedback signals. | 5.22 × 10^−8 | 5.68 × 10^−5 |
| LS47 | The signal generation device in the generator controller is faulty, resulting in the failure to transmit command signals to the generator or the transmission of incorrect signals. | 1.54 × 10^−7 | 4.77 × 10^−5 |
| LS48 | The status signal generation device is damaged, causing signals to be lost or incorrect signals to be transmitted during emission. | 4.74 × 10^−6 | 5.16 × 10^−3 |
| LS49 | The instrument receiving device fails to receive signals properly, resulting in signal loss or incorrect signal reception. | 1.59 × 10^−6 | 1.73 × 10^−3 |
| LS50 | The instrument display is damaged; unable to function normally for identification. | 6.73 × 10^−5 | 7.33 × 10^−2 |
| LS51 | The instrument is unable to convert received signals properly. | 9.60 × 10^−7 | 5.94 × 10^−4 |
| LS52 | The internal program of the instrument equipment is erroneous. | 2.91 × 10^−7 | 1.80 × 10^−4 |

Figure 1. The procedure of the proposed method.
Figure 2. Series hybrid power system.
Figure 3. Parallel hybrid power system.
Figure 4. Series–parallel power system.
Figure 6. Feedback relationships of the system architecture.
Figure 7. Control structure of hydrogen–electric hybrid power system.
Figure 8. BN network topology structure.
Figure 9. Conflict heatmap of Expert 1 with other experts.
Figure 10. Forward calculation results of BN model.
Figure 11. BN network posterior probability calculation results.
Figure 12. Posterior probabilities of the root nodes.
Figure 13. Test of axiom 2 for the node “Pilot operation error”.
Table 1. Extraction of control actions.

| Number | Control Action |
|---|---|
| CA-1 | The pilot issues propulsion system control commands to the engine control system. |
| CA-2 | The engine control system transmits hydrogen internal combustion engine power demands to the hydrogen internal combustion engine control unit. |
| CA-3 | The engine control system issues electric motor power commands to the motor control unit. |
| CA-4 | The engine control system delivers generator operational requirements to the generator control unit. |
| CA-5 | The engine control system regulates hydrogen supply unit activation/deactivation and flow rate modulation. |
| CA-6 | The engine control system manages power supply unit initiation/termination and energy output adjustment. |
| CA-7 | The hydrogen internal combustion engine controller executes hydrogen internal combustion engine startup/shutdown procedures and output power calibration. |
| CA-8 | The motor controller governs electric motor engagement/disengagement and torque–power synchronization. |
| CA-9 | The generator controller coordinates generator operational sequencing and power conversion optimization. |
| CA-10 | Instrumentation systems acquire real-time operational telemetry from the hybrid powerplant. |
| CA-11 | The pilot monitors visualized dynamic system parameters through cockpit human–machine interfaces. |
Table 2. Expert information.

| Expert | Industry Experience (Years) | Position |
|---|---|---|
| Expert 1 | 11 | Engineer |
| Expert 2 | 15 | Project Supervisor |
| Expert 3 | 10 | Engineer |
| Expert 4 | 13 | Project Manager |
| Expert 5 | 16 | Project Supervisor |
Table 4. Calculation results.

| Expert | Expert 1 | Expert 2 | Expert 3 | Expert 4 | Expert 5 |
|---|---|---|---|---|---|
| K_i | 1.918 | 1.762 | 1.690 | 1.658 | 1.846 |
| ω_i{T} | 0.769 | 0.344 | 0.169 | 0.098 | 0.568 |
| ω_i{F} | 1.149 | 1.418 | 1.521 | 1.560 | 1.278 |
| m_T | 0.219 (fused result, single value for all experts) | | | | |
| m_F | 0.781 (fused result, single value for all experts) | | | | |
| FP | 0.31 × 10^−5 (fused result, single value for all experts) | | | | |
Table 5. Test of axiom 1 for the node “Pilot operation error”.

| State | Parent Node | Child Node |
|---|---|---|
| | YCS1 | Pilot operation error |
| prior | | 8.03 × 10^−4 |
| 100% | | 1 |
| 0% | | 4.96 × 10^−4 |
| | YCS5 | Pilot operation error |
| prior | | 8.03 × 10^−4 |
| 100% | | 1 |
| 0% | | 3.09 × 10^−4 |
| | Fails to correctly convert status signal | Pilot operation error |
| prior | | 8.03 × 10^−4 |
| 100% | | 1 |
| 0% | | 3.07 × 10^−4 |
Table 6. Test of axiom 3 for the node “Cause of unsafe control action”.

| Human Factor | Error Sending Signal | Cause of Unsafe Control Action | Percentage Variation |
|---|---|---|---|
| 1.16 × 10^−3 | 8.04 × 10^−4 | 7.51 × 10^−4 | |
| 1 | 8.04 × 10^−4 | 0.645 | 85,810.41% |
| 1.16 × 10^−3 | 1 | 0.799 | 106,382.55% |
| 1 | 1 | 0.8 | 106,467.36% |

Share and Cite

MDPI and ACS Style

Dang, X.; Shao, Y.; Liu, H.; Yang, Z.; Zhong, M.; Sun, M.; Deng, W. Risk Analysis Method of Aviation Critical System Based on Bayesian Networks and Empirical Information Fusion. Electronics 2025, 14, 2496. https://doi.org/10.3390/electronics14122496
