Safety considerations and time constant determined extended operations for fuel cell-powered aircrafts

Proton exchange membrane fuel cells (PEMFC) are seen as promising for achieving the transformation from traditional aircrafts to All Electric aircrafts (AEA). While several field studies have already proved the feasibility of a fuel cell-powered aircraft, the limiting factor for implementation in the civilian aircraft sector is widely thought to be the specific power of the fuel cell system. Moreover, this specific power is potentially notably affected by the aviation safety code. This study aims to quantify and relieve this effect by introducing a novel extended operation strategy. This strategy takes advantage of the degradation time constants of the fuel cell system in case of sub-system failure. The results show the great influence of the aviation certification code on system specific power. The extended operation strategy appears to work notably well. However, for practical implementation, individual failure probabilities on a component level need to be studied more extensively.


Introduction
In the future, civil aircrafts need to address the rising passenger traffic while reducing the overall output of climate-damaging emissions. In 2011, the European Commission published the "Flight Path 2050" [1], and drew a set of environmental goals for aviation. Accordingly, until the year 2050, a reduction of $\mathrm{CO_2}$, $\mathrm{NO_x}$ and noise emissions shall be achieved, respectively, by 75%, 90% and 60% referring to a typical aircraft of 2000.
It is widely accepted that using fuel cell systems (FCS) in civil aircrafts can improve the design in multiple ways, such as reducing noise, emissions and fuel consumption and, thus, is better suited for reaching the stated goals than traditional aircrafts. The usage of fuel cells in Auxiliary Power Units (APU) as full or hybrid system is the topic of several studies and seen as promising [2][3][4][5]. Using FCS as power unit for the main propulsion is at the moment limited to experimental, small aircrafts. In 2008, the Boeing Company performed the first fuel cell-powered manned aircraft flight [6]. The demonstrator propeller aircraft was a two-seater motorglider equipped with a hybrid power system consisting of a proton exchange membrane fuel cell system (PEMFCS) as the main power supply and a Li-Ion battery for assistance during take-off and climb. Romeo et al. achieved with the hybrid fuel cell/battery powered ENFICA-FC (ENvironmentally Friendly Inter City Aircraft powered by Fuel Cells) a maximum average cruising speed of 135 km/h [7]. Rathke et al. pursued the same hybrid power supply strategy in the DLR-H2 motor-glider aircraft [8]. The next generation of the DLR-H2, the HY4, is a four-seat aircraft and took flight in 2016 [9]. The HY4 is powered by an 80 kW motor and achieves a maximum speed of 200 km/h. These field studies show that a fuel cell-powered propulsion system for small airborne applications is already possible.
For large civil aircrafts, safety is of great importance; thus, before a new aircraft design goes into operation, a thorough certification process is mandatory. The certification regulations are stricter and require a higher degree of redundancy for vital systems compared to small, experimental aircrafts. Increasing the degree of redundancy of FCS will probably decrease the specific power of the whole system notably. The specific power and the lifetime of a fuel cell system are often viewed as the limiting factors for application in weight-sensitive fields like aviation. While the specific power of FCS has been rising over the past decade by optimization of components and fabrication processes, the required reliability for aviation purposes is lacking to a notable extent.
In this work, the increase in specific power of fuel cell systems for large civil aircrafts is sought from a different approach, instead of focusing on the fuel cell system design. After quantifying the magnitude of the influence of the aviation safety code on the fuel cell system specific power, strategies are investigated to reduce these effects, among which is a novel extended operation strategy.

Effects of the airplane safety certification code on system design
Certification regulations in Europe are issued for the great majority of aircrafts by the European Union Aviation Safety Agency (EASA) and are specified for large aircrafts in "Certification Specifications and Acceptable Means of Compliance for Large Aeroplanes", commonly abbreviated as CS-25 [10]. Table 1 shows the allowed probability of occurrence for different failure modes defined in the CS-25. Furthermore, the degree of redundancy for a given system must be greater than one if a failure of the system would be considered as "catastrophic", e.g., failure of the main power supply.
In order to comply with the given probability of occurrence, redundancy is one possible method among other methods such as failure detection and monitoring, fault isolation and reconfiguration, authority limiting, and flight crew action to intervene. In this study, compliance of the PEMFCS to the CS-25 will only be met by system redundancy.
In general, the more redundant systems are present, the more weight is transported, thus reducing the specific power of the fuel cell system and the payload. With the given probability of occurrence $p$ in Table 1 and a given failure rate $w$, the theoretical degree of redundancy ($\mathrm{DOR}_{\mathrm{theo}}$) can be calculated with Eq. (1).
Compliance is met if the probability of occurrence lies above or below the boundary of the failure condition, as stated in Table 1, so the DOR must be rounded accordingly.
$$\mathrm{DOR}_{\mathrm{theo}} = \log_{(1-w)}(p) \tag{1}$$

Table 1 (rows recoverable here)
$10^{-7} > p > 10^{-9}$ (Extremely Remote): Capability of the aeroplane is reduced; large reduction in safety margins or functional capabilities; ability of the crew to cope with adverse operating conditions; physical distress or higher workload such that the flight crew cannot be relied upon to perform their tasks accurately or completely; serious or fatal injury to a relatively small number of the occupants.
Catastrophic, $p < 10^{-9}$ (Extremely Improbable): Continued safe flight and landing of the aeroplane is prevented.

Determining the probability of failure occurrence of a fuel cell system for aviation application is beyond the scope of this work and experimental data is unfortunately, to the best knowledge of the authors, not accessible to the public. Gerbec et al. performed a process safety analysis for a commercial, transportable PEMFCS and have gathered failure rate parameters from different sources stated in Table 4 [11]. They performed a hazard and operability study and concluded that the analyzed PEMFCS has a discrete failure rate of $w_d = 3.56 \times 10^{-4}\ \mathrm{h^{-1}}$ for a run at the nominal power. The reliability of the fuel cell system decreases with its lifetime. The discrete failure rate is the most likely value whereas the mean failure rate defines the failure rate over the whole lifetime of 8760 h and is greater by two magnitudes ($w_m = 2.47 \times 10^{-2}\ \mathrm{h^{-1}}$). This shows the great importance of prediction algorithms for the remaining useful life (RUL) of fuel cell systems, as for aircraft applications, the unreliable end-of-life state should be avoided. State-of-the-art RUL prediction has become increasingly accurate for PEMFC, reaching 98.96% with only as few as 100 h of training time for dynamic operation states via a grey neural network with particle swarm optimization [12].
As no better data could be found in the open literature and it is assumed that the end-of-life state is avoided, further calculation of system redundancy will be based on the discrete failure rate $w_d$.
The state-of-the-art specific power of a fuel cell system for general purposes in this work refers to FCS = 1.6 kW kg$^{-1}$ [13]. Dividing the specific power by the DOR results in the effective specific power FCS,eff. Table 2 shows the resulting system redundancy as a function of the failure mode for different failure rates. It can be seen that the failure rate from Gerbec et al. results in a practical system redundancy of three for vital systems. As the DOR follows a log-function, a rather high increase in reliability is necessary to reduce the DOR significantly. To reach the minimum DOR of 2.0 for vital systems, a reliability of 99.997% is necessary. A further reduction of the failure rate by one magnitude is needed to reach this goal.
The resulting specific power of a redundant FCS according to certification regulations as a function of the failure mode for varying failure rates is shown in Table 3. The effective specific power is notably reduced by the necessary system redundancy from 1.6 to 0.53 kW/kg for vital systems based on the discrete failure rate $w_d$ of $3.56 \times 10^{-4}\ \mathrm{h^{-1}}$. Figure 1 summarizes Tables 2 and 3 and shows the areas of compliance with the different failure modes and the boundary conditions as graphs. It is clear that the DOR and the system reliability follow a logarithmic relation. Note that for the minor failure mode a DOR of one is met at $w = 1 \times 10^{-5}$ as this equals the relative probability of occurrence. It can be seen that the sensitivity of the DOR and thus, specific power to the system reliability increases with higher system reliability.
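An added worked example, not code from the paper: it takes the redundancy level as the smallest number of identical, independently failing units n with w^n ≤ p (the logarithm of p to base w), an assumption made here because it reproduces the figures quoted in this section (a DOR of three and 0.53 kW/kg for w_d, and 99.997% reliability for a DOR of two). All function names are hypothetical.

```python
import math

# Values quoted in the text above.
W_DISCRETE = 3.56e-4    # discrete failure rate w_d, per hour (Gerbec et al.)
W_MEAN = 2.47e-2        # mean failure rate w_m over the 8760 h lifetime
SPECIFIC_POWER = 1.6    # state-of-the-art FCS specific power, kW/kg
P_CATASTROPHIC = 1e-9   # Table 1 bound for "catastrophic": p < 1e-9
MIN_DOR_VITAL = 2       # a catastrophic failure needs redundancy greater than one


def dor_theoretical(w, p):
    """Decimal redundancy n solving w**n == p.

    Assumption of this example: n identical units fail independently,
    so the probability that all of them fail is w**n.
    """
    if not (0.0 < w < 1.0 and 0.0 < p < 1.0):
        raise ValueError("w and p must lie strictly between 0 and 1")
    return math.log(p) / math.log(w)


def dor_practical(w, p, minimum=1):
    """Round up so the combined failure probability does not exceed p."""
    # Tolerance keeps an exact integer result from being bumped by float error.
    n = math.ceil(dor_theoretical(w, p) - 1e-9)
    return max(n, minimum)


def effective_specific_power(w, p, minimum=1, base=SPECIFIC_POWER):
    """Specific power of the redundant system: base value divided by the DOR."""
    return base / dor_practical(w, p, minimum)


def max_failure_rate_for(dor, p):
    """Largest per-unit failure rate that still meets p with `dor` units."""
    return p ** (1.0 / dor)


def report():
    """Rows of (label, w, decimal DOR, integer DOR, effective kW/kg)."""
    rows = []
    for label, w in (("discrete w_d", W_DISCRETE), ("mean w_m", W_MEAN)):
        rows.append((
            label,
            w,
            dor_theoretical(w, P_CATASTROPHIC),
            dor_practical(w, P_CATASTROPHIC, MIN_DOR_VITAL),
            effective_specific_power(w, P_CATASTROPHIC, MIN_DOR_VITAL),
        ))
    return rows


if __name__ == "__main__":
    for label, w, dec, n, sp in report():
        print(f"{label}: w={w:.2e}  DOR_theo={dec:.2f}  DOR={n}  {sp:.2f} kW/kg")
    w2 = max_failure_rate_for(2, P_CATASTROPHIC)
    print(f"DOR of 2 needs w <= {w2:.2e} (reliability {100 * (1 - w2):.3f} %)")
```

The decimal DOR for w_d sits well above 2, which is why the text calls for roughly an order of magnitude lower failure rate before the vital-system redundancy drops from three to two.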

Subsystem failure analysis
As shown in the above section, the DOR for fuel cell systems in aviation is in most cases greater than two. Thus, a redundancy analysis on sub-system level is possible, as transition from system to sub-system analysis is only possible if there are more than the required two redundant systems [14]. This can potentially reduce overall system mass, as reliable components can require less redundancy than the system altogether. Further improvement is possible with a fault tolerant system design, as presented by Scott et al. for a novel PEMFC stack which could bypass faulty cells [15]. The PEMFCS consists of different subsystems, which themselves consist of different components. In the open literature, failure rates for some of the fuel cell system equipment can be found and are presented in Table 4. To the authors' best knowledge, no reliability data for fuel cell systems in aviation environments are present in the open literature, so the presented data in Table 4 for a commercial, transportable PEMFCS will be taken as the closest approximation. It can be argued that this approximation is valid, as high efforts are made to reduce the environmental and operational effects in the aircraft (e.g., hydraulic dampeners to reduce vibrations, temperature regulation, etc.). Based on the reliability data, the resulting DOR for the equipment can be calculated according to Eq. (1) and is shown in Table 4. Note that in Table 4 the degree of redundancy is given in decimal values to judge whether a slight decrease of the failure probability could result in a change to the next redundancy integer value. Furthermore, the values for the hazardous and catastrophic failure mode are identical. However, in the hazardous column the value is the upper bound, while in the catastrophic column the value is the lower bound.
The theoretical DOR results in Table 4 are presented as decimal values so that values close to the next integer DOR value can be identified. It can be seen in Table 4 that for most of the subsystems in a catastrophic failure mode, double redundancy is enough to meet the safety requirements. For three of the subsystems a triple redundancy is required, namely the solenoid valve in high-demand mode, the FC PEM stack and the control system. The DC motor, the motor driven centrifugal pump and the control system are very close to the next integer DOR value. A more accurate analysis is recommended to rate these subsystems accordingly. In the major and minor failure mode, no sub-system exceeds single redundancy to meet the safety requirements. If a transition in failure mode from catastrophic to hazardous is achieved, the DOR could be tremendously reduced, as the redundancy can be smaller instead of greater than the required theoretical redundancy. For practical applications, a failure analysis of the whole system is recommended which surpasses the scope of this work.
In the next section, a novel idea is proposed to mitigate the discussed effects of the safety regulations on the specific power of the fuel cell system even further. The governing idea of the proposal is to achieve the required system safety through other means than redundancy.

Time constant determined extended operations
Extended Operation (ETOPS) certification grants an aircraft the possibility to keep a greater distance to diversion airports, allowing shorter flight routes and operation over water and remote lands [21]. Non-ETOPS-certified aircrafts must stay within 60 flight minutes at one-engine inoperative cruise speed of the next airport, while for ETOPS-certified aircrafts this can increase up to 330 flight minutes at one-engine inoperative cruise speed.
In this paper, a new concept named Time Constant Determined Extended Operation (TCD-ETOPS) is proposed, with the purpose of reducing the safety certification effects on system specific power. The time constant of a specific degradation mechanism indicates the time scale of the power loss of the FC. Continued safe flight and landing of the aircraft in case of sub-system failure is possible if the diversion airport is within the Time Constant Determined Extended Operation (TCD-ETOPS) of the failure-caused degradation. If the time scale of the degradation allows for the aircraft to reach the destination airport without further inconveniences, the respective failure mode category can be lowered according to [10]. In this case, a greater failure occurrence probability is allowed and therefore a reduction of system redundancy and thus, system mass is possible as shown in Table 4. A graphical visualization of the TCD-ETOPS for aircrafts can be seen in Fig. 2, where the failure condition of the FCS is defined when reaching 10% initial power loss. In Fig. 2, the TCD-ETOPS is greater than the time needed to reach the destination airport; thus, a failure occurrence would have little impact on the flight operation. In this example, the TCD-ETOPS is greater than the total travel time, so that a downgrade of the failure mode of this failed sub-system would be possible.
To quantify the TCD-ETOPS, the impact of a failure on the fuel cell system and the remaining useful life (RUL) under failure condition will be analyzed. Failure of a subsystem in the fuel cell system leads to an adverse operational state which promotes degradation and eventually induces a failure of the system on a shorter or longer time scale.
Only singular failure modes which affect the power output of the fuel cell will be considered. The PEMFC system will fail to provide the aircraft with electric power due to many failure modes, of which the ten most significant are: overheating, leakage, fractured, extruded, stress corrosion cracking, erosion, deposits, cavitation, inadequate structural support, and failing to function as intended [22].
In this study, for demonstration purposes, the failure analysis will be on the sub-system level. The worst-case scenario is chosen, in which a failure of a component counts as a failure of the whole sub-system. This is done to compare the results more readily to safety certification codes. Furthermore, only a complete failure will be considered, as, to the authors' best knowledge, data on the different failure modes of the subsystems and their respective quantified effects on fuel cell degradation are not yet present in the open literature. Naturally occurring degradation is not considered, as the effects are negligible compared to failure-induced degradation.
Some of the degradation that can occur is reversible, so that the remaining lifetime of the PEMFCS can be prolonged after certain degradation conditions. Knights et al. found that the voltage losses due to low humidification are reversible only to a certain extent, as inadequate water content promotes physical degradation of the membrane which itself is irreversible [23]. Le Canut et al. report that a full voltage recovery after CO poisoning is possible by providing the anode with pure hydrogen [24]. In these cases, the power of the degraded FCS can be restored after a TCD-ETOPS event, possibly delaying or mitigating the replacement of the degraded FCS. If this is carried out during flight operation, the degradation can potentially be slowed further, extending the TCD-ETOPS range of the aircraft.
In the open literature, several decay rates for different degradation modes can be found. Whiteley et al. published a list of 15 degradation parameters with their respective degradation rates which can be seen in Table 5 [25]. Among these parameters ice formation, flooding and excess heat have by far the greatest degradation rate.
Guida and Minutillo calculated that the hydrogen tank, air compressor and heat exchanger of a fuel cell system in a more electric aircraft (MEA) account for 47%, 11% and 8% of total system mass, respectively [31]. As the goal of this study is weight reduction of the PEMFCS, the power conditioner and the control system will be neglected, as the possible weight reduction is insignificant compared to other weight-intensive subsystems. Furthermore, failure of the PEMFC stack will not be considered for weight reduction, as the limiting factor is the power output and not system safety. For much the same reason, degradation due to failure of the Hydrogen and Air Management will not be considered, as the power loss would occur instantly. Thus, only the failure impact of the remaining water and thermal management subsystems on fuel cell degradation is modeled.
Fig. 2 The failure condition is met at 10% initial power loss
Linking the degradation parameters stated in Table 5 to the complete failure of individual subsystems quantitatively is rather complex, as the severity of the degradation is unclear and because closed loops between the degradation parameters occur. It is assumed that closed loops between the degradation mechanisms are accounted for in the stated degradation parameters in Table 5. Thus, only the first occurrence of a quantitatively known phenomenon in the flowchart will be considered. Furthermore, it is assumed that the chosen degradation parameters do not influence each other, ensuring a linear model. As some degradation conditions cannot exist simultaneously (e.g., Humidity too high and Humidity too low), the greater one is chosen for further calculations. The blue squares in Figs. 3 and 4 indicate that a degradation parameter in Table 5 quantifies those phenomena, while the grey squares indicate further degradation mechanisms which are not included in the model.
Jouin et al. defined the State of Health (SoH) of a fuel cell according to the initial power loss: 0-5% is good health, 5-10% is acceptable and greater than 10% power loss is  [33]. For analysis simplicity, power loss in this work is only considered as voltage loss. Hence, the failure condition is defined as 10% and 40% of initial voltage loss of a standard 0.7 V cell. The results of the time constant determined extended operation analysis are presented in Table 6. It can be seen that failure of both systems leads to a rapid degradation of the fuel cell system. The failure condition of 10% power loss is met after 10.2 and 16.8 min for failure of the water and thermal management, respectively. The 40% power loss criterion is met after 40.5 and 67.2 min for failure of the water and thermal management respectively. This indicates that a failure of these subsystems would result in a rapid fuel cell degradation which would affect most conventional aircraft operation. The TCD-ETOPS for a failure of the thermal management, however, exceeds the 60-min time mark before 40% initial power loss is reached. Therefore, the safety criteria to be within 60 min of the next airport at one-engine inoperative cruise speed is potentially met for the thermal management for dual engine aircrafts.
This study shows the worst-case scenario, as only complete failures on the sub-system level are considered. More effort should be made to model precisely the effects of partial failure on a component level and their respective probability of occurrence in aerial conditions. Further measures like fault isolation and reconfiguration could aid in further reducing the redundancy on the component level. Taking these less severe and more probable partial failure events into account, the proposed TCD-ETOPS concept offers a promising and effective way of increasing the specific power of aviation fuel cell systems aboard future passenger airplanes.

Conclusion
In this work, two tasks are carried out. After first quantifying the safety certification effects on fuel cell system specific power, a novel TCD-ETOPS concept is proposed to compensate for the effect of redundancy in dragging down the fuel cell system specific power.
The results show that:
• Reliability of the fuel cell system greatly influences redundancy and specific power of the fuel cell system.
• State-of-the-art failure rates of PEMFCS result in a DOR of 3 for vital systems, reducing the specific power of the FCS to FCS,eff = 0.53 kW kg$^{-1}$ from the initial FCS = 1.6 kW kg$^{-1}$.
• Redundancy analysis on FCS component level is very promising for reducing system mass.
• The innovative Time Constant Determined Extended Operation Range (TCD-ETOPS) is proven theoretically promising in further boosting system specific power.
• A 10% cell voltage loss is reached 10.2 and 16.8 min after failure of water and thermal management, respectively.
• Further lowering the degradation to 40% initial power loss, the above time lengths are then extended to 40.5 and 67.2 min after failure of water and thermal management, respectively. This potentially satisfies the safety criteria to be within 60 min at one-engine inoperative cruise speed of the next diversion airport for the thermal management for dual engine aircrafts.
Future research needs to address the different failure modes of a PEMFCS and their relation to the failure-induced degradation.