Design of hybrid-electric aircraft with fault-tolerance considerations

The potential benefits of hybrid-electric or all-electric propulsion have led to a growing interest in this topic over the past decade. Preliminary design of propulsion systems and innovative configurations has been extensively discussed in literature, but steps towards higher levels of technological readiness, optimisation algorithms based on reliable weight estimation and simulation-based mission analysis are required. This paper focuses on the integration of a method for evaluating the lateral-directional controllability of an aircraft within a design chain that integrates aeropropulsive interactions, accurate modelling of the fuel system, and mid-fidelity estimation of the structural weight. Furthermore, the present work proposes a strategy for powerplant management in scenarios with an inoperative chain element. Benefits of hybrid-electric propulsion on the design of the vertical tail plane are evaluated involving the analysis of multiple failure scenarios and certification requirements. The proposed application concerns a commuter aircraft.


Introduction
The complete elimination of risk in air transport operations is an unattainable goal as not all possible mitigation measures are economically practical. Risk management, being a central component of the safety management system, plays a fundamental role in addressing risk in practical terms [1]. Hazards are identified during this process, and thereafter an analysis is needed to assess the likelihood of hazardous occurrences and the severity of their effects on aircraft operation. As highlighted by Farokhi, the use of hybrid-electric architectures with a large number of propulsion elements produces an advantage in terms of thrust loss compared to conventional aircraft with 2-4 engines [2]. At the same time, as the number of failure points increases, the probability that one or more propulsive elements will fail increases, whereby adequate safety management considerations need to be pursued.
The estimation of benefits related to hybrid-electric powerplant can be reliably assessed only when the design chain integrates structure, aerodynamics, propulsion, mission and performance analysis in optimal synergy [3,4]. Hybrid propulsive architectures, made up of a multitude of mutually interconnected electric and thermal components, can behave very differently when a failure occurs with respect to conventional architectures. In addition, the probability of failure of electric components, such as thermal engines, motors, electric generators, and battery packs, must also be taken into

Theoretical background
Thanks to the increased number of design degrees of freedom in case of distributed electric propulsion, designers are motivated to investigate a large number of propulsive configurations, optimizing every available design parameter, before moving towards detailed analysis and design of subsystems. At this preliminary stage, the failure rate of propulsion systems and subsystems is generally not available. The identification of an optimal architecture based on the minimization of the failure rate would require information on the reliability of components, typically available later in the design process. For instance, the approach of Menu et al. [13], which explores a potentially unlimited number of configurations by comparing their reliability, is suitable for automatic ranking of generated architectures in terms of safety attributes, but is not preferable at conception stage, where the main focus is on the compliance with aircraft requirements. Moreover, a similar approach also requires an adequate software data structure, detailed information, and high computational cost, usually unavailable at this stage.
On the other hand, designers cannot entirely forgo an analysis of failure effects if they want to balance risk and component oversizing. The approach proposed in this work focuses on evaluating the effects of a failure on performance, regardless of their probability of occurrence, in particular on the verification of aircraft lateral-directional controllability in the event of a failure affecting the propulsion system. The main advantage of this solution is that it can be integrated within any design chain, allowing the geometry and the powerplant to be adapted in order to guarantee the safe operability of the aircraft. Furthermore, the method is intended to be general, being able to simulate the failure of each characteristic element of a propulsive architecture (i.e., thermal engines, electric motors, electric generators, battery packs). This represents the solution to a problem that is intrinsic in hybrid-electric architectures, where architectural complexity makes it non-trivial to identify the most critical scenarios for lateral-directional control. Ultimately, the algorithm arises from the need for a tool capable of evaluating lateral-directional controllability as a whole with the design activity of the aircraft.
In this comprehensive analysis, it is also crucial to carefully include aero-propulsive effects to allow for a full exploration of the benefits of electric or hybrid-electric propulsion. In this regard, the aerodynamic benefits of distributed electric propulsion and tip-mounted propellers have been deeply investigated, yielding an amplification of lift coefficient from twice to three times the flapped configuration in landing for the DEP wing [14,15], whereas wingtip mounted propellers may reduce the induced drag up to 15%, depending on the wing planform and the lift coefficient [16,17]. The estimation of these effects is performed in accordance with Refs. [11,12]. HEAD's analysis toolbox analyses the flight performance with a simulation-based iterative process, checking the compliance with aeronautical regulations and design objectives. This approach to flight mission is realised by characterizing each single step of the whole flight mission through its aerodynamics, weights, and propulsive characteristics. Thus, the impact of hybrid-electric propulsion on aircraft performance can be faithfully measured.

Propulsive architecture scheme
In many cases, when the design process is analysed [18-22], sometimes keeping the take-off weight constant in the hybridization process [23-25], simplified assumptions are made on the powertrain system without modelling the relationship between the engine deck of the thermal power source and the power supplied by the electric power source. In other studies, generalised conceptual sizing methods for electric aircraft have been proposed without integrating the aero-propulsive interactions [19,25,26]. Regardless of the propulsive configuration, it is appropriate to consider common parameters and figures of merit able to describe complex and varied systems in the simplest and most general way, from the earliest stages of the design process. When approaching innovative configurations, a widespread idea is to use Propellers (P2) driven by Electric Motors (EM2), ensuring that each propeller rotates at its optimal speed. This type of coupling, addressed as secondary propulsion line, is generally aimed at powering high-speed propellers, often characterised by high solidity and small dimensions, as in the case of distributed electric propulsion. On the other hand, the coupling of a large Propeller (P1) with a gas turbine requires the presence of a gearbox. This propulsive line is addressed as primary propulsive line and it is generally coupled through a Gearbox (GB) to both a Thermal Engine (GT) and an Electric Machine (EM1). Finally, a Power Management and Distribution system (PMAD) acts as a hub in the power supply chain. An accurate and general model of the powertrain system should include every element contributing to the power management and its distribution (buses, power units, and so on), as shown in Fig. 1.
Fig. 1. The most general propulsive system: Hybrid serial/parallel partial powertrain.
The main objective of the present work is the system reconfiguration after the failure of a certain element, hence some hypotheses can simplify the task without loss of generality. The power units deputed to the management of AC and DC currents are considered as one with the power user or supplier to which they are connected. In fact, for the reasons explained in Section 2.1, the authors propose to simulate the failure of the main propulsive components disregarding their failure rates. Since the correct operation of power electronics depends stochastically on that of the associated electrical machines, it is possible to reduce them to a single failure point. In order to not lose generality, the power loss associated with the converters is included in the evaluation of the efficiency of the connected electrical drivers. Furthermore, system components are considered ideal conductors. The operational diagram of the system is the one shown in Fig. 2. This figure also names the mechanical and electrical powers exchanged at each level. In particular, $P_{\mathrm{Fuel}}$ is the power associated with the combusted fuel in accordance with its heating value, $P_{\mathrm{GT}}$ is the power delivered by the gas turbines, $P_{\mathrm{GB}}$ is the power exchanged by the primary gearbox and the primary electric machine, $P_{\mathrm{E\text{-}ST}}$ is the power supplied by the e-storage system, $P_{\mathrm{EM1}}$ is the power of the primary electric machine, $P_{\mathrm{EM2}}$ is the power of the secondary electric machines, $P_{\mathrm{S1}}$ and $P_{\mathrm{S2}}$ are the total shaft powers on the primary and secondary propulsive lines, and $P_{\mathrm{P1}}$ and $P_{\mathrm{P2}}$ are the propulsive powers associated with primary and secondary propellers.
Fig. 2. Operational diagram of hybrid-electric system.

Hybridization factors and operating modes
Two parameters are hence introduced to preliminarily describe the propulsive architecture. The shaft power ratio, $\varphi$, as called in Ref. [11], is the ratio of shaft power provided by the secondary propulsive line with respect to the total shaft power of the propulsive system
$$\varphi = \frac{P_{\mathrm{S2}}}{P_{\mathrm{S1}} + P_{\mathrm{S2}}} \qquad (1)$$
The presence of battery and fuel cells as secondary power sources is a major topic in most of industrial and research projects. The theoretical and practical difficulty in coupling propulsive sources has led to the development of architecture models with no more than two different sources [11]. In the present case, regardless of the unit transforming the chemical power to mechanical or electric power, the e-storage is addressed as secondary power source, and the primary power source is the hydro-carbon fuel. The hybridization level can thus be measured with the supplied power ratio, which is the ratio of power provided by the e-storage to the total power provided to the propulsive power system:
Based on the combination of possible hybridization factors, the architecture can vary in a wide range of possible concepts. For a complete description of the operating conditions, it is also necessary to define the energy path along the propulsion system. This is conveniently accomplished by defining 9 different operating modes [11], identified by the direction of the incoming power in four different elements of the system, as reported in Table 1. The nomenclature of the elements is explained in Fig. 2, where the primary propulsion line powered by the gas turbine is coloured dark grey, and the secondary powered by the battery via the secondary electric machines is coloured light grey. Depending on the hybridization factors and the architecture considered, some operating modes may be non-physical.
For example, the first operating mode is not feasible in case of supplied power ratio equal to one and shaft power ratio equal to zero, since the electric machine would work as a motor, but the mode requires it to be a generator by definition.

Powertrain equations
Each operating mode is associated with a system of ten equations to describe the power distribution along the powertrain. The equations are based on the energy conservation principle and can be written differently depending on which power value is known. In conclusion, nine different systems of ten equations are identified for each known power value. In general, this group of equations is referred to as powertrain equations. Different equation systems can be written depending on the known value from which the power distribution is derived [11,27]. In the present work, an engine deck is interpolated to obtain the starting power value. The engine deck is a data matrix providing information about the propulsive system in terms of shaft power or thrust, and the fuel burnt is calculated considering the Specific Fuel Consumption (SFC) or the Thrust Specific Fuel Consumption (TSFC) associated [2,28]. This data matrix is provided by the engine manufacturer divided into different power ratings referring to different flight segments.
Three groups of powertrain equations can be introduced depending on the assigned values of supplied power and drive power of the electric motors. As an example, the systems of linear equations presented below refer to the first operating mode, characterised by a specific energy flow. The primary electric machine works as generator, transforming mechanical power coming from the thermal engine into electric power; the battery supplies energy to the propulsive system, and the total power supplied reaches the propellers where thrust is eventually produced. The engine deck provides information about the gas turbine power, when the supplied power ratio is lower than one When the gas turbine is substituted by fuel cells or different open thermodynamic systems, the same approach applies. A similar set of equations can be written for the case of known electric motor drive power. This becomes indispensable when the thermal power source is absent, and no fuel is consumed. When the shaft power ratio is greater than zero, powertrain equations can be written provided the value of secondary electric drive power Finally, when the shaft power ratio is equal to zero, the equations can be referred to the primary electric drive power
Eqs. (3)-(5) describe the power distribution among powertrain components. The linear nature of powertrain equations is highlighted here, anticipating that this property will be exploited later in this discussion. It is also worth noting that the strong dependence is on both the efficiency, η, of each element and the hybridization factors. The definitions of each efficiency are detailed in Section 2.6.

Engine model
The main purpose for the proposed simulation-based approach is estimation of the propulsive power. This can always be provided by means of a specific set of equations, starting from the engine deck and the efficiencies of each element of the propulsive system. When approaching simulation-based flight performance, the aircraft propulsive characteristics can be described by thrust or shaft power. Thrust already accounts for thermal, mechanical, and propulsive efficiencies of the thermal engine. Shaft power only accounts for the first and second efficiencies mentioned. When simulating the flight mission, also the characteristics influencing the flight dynamics need to be computed step by step during the flight path. Thus, the engine deck is usually defined in terms of power ratings (e.g., Take-Off, Automatic Performance Reserve (APR), Flight Idle, Ground Idle, Max Continuous, Climb, and Cruise). Each power rating should provide a response surface defining the values of power, the efficiency of each element of the powertrain, the fuel flow, and the emissions for a wide range of Mach number, altitude, throttle, and deviation from standard temperature. For hybrid-electric concepts, the engine deck provides the values of gas turbine power (see Fig. 3), and then the power managed by each power unit is estimated through Eq. (3) depending on the combination of powertrain efficiencies, supplied power ratio, and shaft power ratio. To query the engine deck, four different parameters are assigned: altitude, Mach number, throttle, and deviation from temperature based on International Standard Atmosphere (ISA) model [29]. Altitude, Mach number, and temperature depend on mission requirements. The throttle setting, on the other hand, can be assigned, but it should be compliant with mission constraints and sizing powers of the electric components of the powertrain.
The throttle is set considering two different constraints: on the one hand, the optional condition of constant speed, which requires the equilibrium between thrust and drag; on the other hand, the maximum throttle permitted during a certain segment of the flight mission depends on the combination of supplied and shaft power ratios. In general, when the right combination of throttle, ISA temperature deviation, Mach number, and altitude is determined, the gas turbine power is obtained, and the value of propulsive power is calculated by Eq. (3), or by the corresponding equations in terms of electric drive power (see Eqs. (4), (5)), as well as the corresponding fuel flow.

System efficiencies
The propulsive efficiency is the fraction of the net mechanical output of the engine which is converted into propulsive power [2], $\eta_{\mathrm{P1}}$ and $\eta_{\mathrm{P2}}$. The mechanical efficiency is the ratio of net mechanical power at shaft to the one entering the gearbox, $\eta_{\mathrm{GB}}$. The thermal efficiency $\eta_{\mathrm{GT}}$ is the ability of an engine to convert the chemical energy in the fuel to a net kinetic energy gain of the working flow [2]. As for the electric components, $\eta_{\mathrm{EM1}}$ and $\eta_{\mathrm{EM2}}$ are the efficiencies of primary and secondary electric machines coupled with the respective power units, and $\eta_{\mathrm{PM}}$ is the efficiency of the PMAD system.
Considering the particular powerplant discussed here and the engine decks proposed, the single efficiency of power units should be measured to provide the total propulsive power from the powertrain equations. For this purpose, lookup tables are introduced to describe the efficiency of each element as a function of multiple parameters. Designer's choices can establish some of these parameters, for example, the reduction ratio and the electric machine voltage. Some other parameters can be set or calculated, as the rotational speed is associated to a certain mechanical torque and power. Moving from these lookup tables, after establishing all the other parameters, the efficiency of each element is deduced as a function of the entering power. To preserve the linearity of powertrain equations, for each point of the engine deck, the efficiencies of the powertrain elements are calculated with an iterative process in three steps. The first step is the interpolation of the engine deck power with a set of Mach number, altitude, throttle, and temperature. The second step provides the entering and exiting power of each element by solving Eq. (3), Eq. (4) or Eq. (5) with efficiencies considered as first attempt. The third and last step is to update the efficiencies by interpolating lookup tables on the basis of the entering powers. From the same point of the engine deck, the power distribution along the propulsive system is calculated by solving powertrain equations with the new efficiencies. The last two steps are repeated iteratively until reaching the desired tolerance between two consecutive loops.
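The three-step loop described above, as an added Python example (it is not HEAD's MATLAB code and not taken from the paper). Because Eq. (3) is not reproduced in the text, the ten balances for the first operating mode are assembled here from the verbal description and the Fig. 2 nomenclature; the lookup tables and first-attempt efficiencies are constructed, the gas turbine power is passed in directly in place of the engine-deck interpolation, and all function names are hypothetical.

```python
from bisect import bisect_right

# Power names follow the page's Fig. 2 nomenclature (EST = e-storage).
NAMES = ["Fuel", "GT", "GB", "S1", "EM1", "EST", "EM2", "S2", "P1", "P2"]
IDX = {name: i for i, name in enumerate(NAMES)}

# Constructed lookup tables: efficiency versus entering power in kW.
# Illustrative numbers only, not data from the paper.
LOOKUP = {
    "GB": ([0.0, 500.0, 1500.0], [0.94, 0.96, 0.97]),
    "EM1": ([0.0, 100.0, 400.0], [0.88, 0.93, 0.96]),
    "PM": ([0.0, 200.0, 800.0], [0.97, 0.985, 0.99]),
    "EM2": ([0.0, 200.0, 800.0], [0.89, 0.94, 0.96]),
}
# First-attempt efficiencies. GT, P1 and P2 stay fixed here (assumption made
# to keep the example short); the other four are updated from LOOKUP.
FIRST_GUESS = {"GT": 0.30, "GB": 0.96, "EM1": 0.95, "PM": 0.98,
               "EM2": 0.95, "P1": 0.80, "P2": 0.80}


def interp(xs, ys, x):
    """Piecewise-linear lookup, clamped at both ends of the table."""
    if x <= xs[0]:
        return ys[0]
    if x >= xs[-1]:
        return ys[-1]
    i = bisect_right(xs, x) - 1
    t = (x - xs[i]) / (xs[i + 1] - xs[i])
    return ys[i] + t * (ys[i + 1] - ys[i])


def solve_linear(a, b):
    """Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[piv][col]) < 1e-12:
            raise ValueError("powertrain system is singular for these ratios")
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col and m[r][col] != 0.0:
                f = m[r][col] / m[col][col]
                m[r] = [v - f * p for v, p in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def solve_mode1(p_gt, eta, supplied_ratio, shaft_ratio):
    """Ten linear energy balances for operating mode 1, gas turbine power known."""
    rows = [
        ({"Fuel": -eta["GT"], "GT": 1.0}, 0.0),            # gas turbine
        ({"GT": -eta["GB"], "GB": 1.0, "S1": 1.0}, 0.0),   # gearbox split
        ({"GB": -eta["EM1"], "EM1": 1.0}, 0.0),            # EM1 as generator
        ({"EM1": -eta["PM"], "EST": -eta["PM"], "EM2": 1.0}, 0.0),  # PMAD node
        ({"EM2": -eta["EM2"], "S2": 1.0}, 0.0),            # EM2 as motor
        ({"S1": -eta["P1"], "P1": 1.0}, 0.0),              # primary propeller
        ({"S2": -eta["P2"], "P2": 1.0}, 0.0),              # secondary propellers
        ({"Fuel": supplied_ratio, "EST": supplied_ratio - 1.0}, 0.0),
        ({"S1": shaft_ratio, "S2": shaft_ratio - 1.0}, 0.0),
        ({"GT": 1.0}, p_gt),                               # engine-deck value
    ]
    a = [[0.0] * len(NAMES) for _ in rows]
    for r, (coeffs, _) in enumerate(rows):
        for name, c in coeffs.items():
            a[r][IDX[name]] = c
    return dict(zip(NAMES, solve_linear(a, [rhs for _, rhs in rows])))


def converge_efficiencies(p_gt, supplied_ratio, shaft_ratio, tol=1e-9, max_iter=50):
    """Repeat steps 2 and 3 until the efficiencies stop changing."""
    eta = dict(FIRST_GUESS)
    for iteration in range(1, max_iter + 1):
        p = solve_mode1(p_gt, eta, supplied_ratio, shaft_ratio)    # step 2
        entering = {"GB": p["GT"], "EM1": p["GB"],
                    "PM": p["EM1"] + p["EST"], "EM2": p["EM2"]}
        updated = dict(eta)
        for name, p_in in entering.items():                        # step 3
            updated[name] = interp(*LOOKUP[name], p_in)
        change = max(abs(updated[k] - eta[k]) for k in eta)
        eta = updated
        if change < tol:
            return solve_mode1(p_gt, eta, supplied_ratio, shaft_ratio), eta, iteration
    raise RuntimeError("efficiencies did not converge")


def is_physical(powers):
    """Mode 1 is only physical if no power flows against its assumed direction."""
    return all(v >= -1e-9 for v in powers.values())


if __name__ == "__main__":
    powers, eta, n_iter = converge_efficiencies(1000.0, 0.10, 0.30)
    print(n_iter, {k: round(v, 1) for k, v in powers.items()})
    print("shaft ratio 0:", is_physical(converge_efficiencies(1000.0, 0.10, 0.0)[0]))
```

Under these assumed balances, a shaft power ratio of zero with a non-zero supplied power ratio yields a negative gearbox-to-EM1 power, meaning the primary electric machine would have to act as a motor, so the first operating mode is flagged as non-physical for that combination.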

Validation of design chain
Aircraft sizing is a preliminary activity necessary to estimate the point performance of a new aircraft in terms of power loading and wing loading, to be compliant with Top Level Aircraft Requirements (TLARs) and certification requirements. Based on the estimated wing loading and power loading, whose combination defines the sizing point, a preliminary estimation of masses and geometries is performed with a procedure similar to the one proposed in Ref. [11]. Before outlining the design space, it is necessary to assume some preliminary values characterizing the aircraft. Therefore, an initialization of the variables is performed on a statistical basis starting from the TLARs. The design space is bounded by limitations on the minimum required power and minimum wing area, driven by TLARs and regulation constraints. The sizing point of the aircraft is chosen by the designer moving in this space, usually preferring a maximization of wing loading aimed for better performance. The introduction of the aero-propulsive effects (e.g., distributed electric propulsion or tip-mounted propellers) can enlarge the design space leading to new concepts, as proposed in Refs. [3,30-32]. However, the sizing activity must be followed by a careful analysis phase based on the simulation of the prescribed mission profile, which verifies the compliance of the aircraft with all requirements at each time step. The methods described so far, as well as the use of engine decks and efficiency lookup tables, are functional to the analysis activity allowing an accurate evaluation of performance. Evaluations regarding lateral-directional controllability, which are discussed in the next section, are also a part of this analysis activity, being related to the simulation of critical scenarios.
The analysis phase, more than a mere verification activity, also consists of a contextual re-design of the aircraft in terms of architecture, geometry, and installed powers where necessary, up to convergence to the optimal solution.
For the purposes of this work, a design chain entirely developed by the authors was employed. The software, implemented in MATLAB®, is called HEAD. A description of the sizing module has already been proposed by the authors in Refs. [12,33], while readers can refer to Ref. [27] for more insights into the analysis module. Nevertheless, a validation of HEAD's sizing module is briefly proposed here, based on comparison with similar methods available in Ref. [34]. The verification is based on a comparison with similar methods, in a context where there is a lack of information regarding flying hybrid-electric prototypes. The methodologies developed at FH Aachen and TU Delft [34] have served this purpose. Table 2 demonstrates the reliability of results for a conventional aircraft, the DO-228NG. To verify the method in case of unconventional platforms, a comparison is carried out on two additional concepts: a parallel hybrid-electric concept and a full-electric concept. The comparison is based on the Payload-Range Energy Efficiency (PREE), which is the product of range and payload divided by the energy required to complete the mission. This parameter is emblematic given that the design activity of hybrid-electric configurations is aimed at quantifying the effect of the design parameters on the emissions. Fig. 4 provides the comparison of the methods presented in terms of PREE while varying range and supplied power ratio. The trends shown highlight that, by increasing the range or the supplied power ratio, HEAD provides a smaller PREE compared to the other methods. This behaviour is related to the use of class-II methods for the estimation of the masses, which consider additional penalties on structural weight due to the increase in on-board battery mass. Since the operative empty weight is higher, so is the energy required to complete the mission.
The validation of the module for the flight mission simulation, already presented in Ref. [27], is not further investigated here, going beyond the scope of this work. Instead, in the next section, a novel method for the verification of lateral-directional controllability at the design stage is described. The method is integrated into HEAD's analysis module, but the algorithm can potentially be reproduced and coupled with any hybrid-electric aircraft design chain.

Problem definition
The design of a flying machine is strictly dependent on the regulations on which it must be certified to be operative. Airworthiness codes are constantly updated, and they must be able to merge technological improvements with an increasing level of safety. Researchers push towards disruptive concepts in aircraft design that must be compliant with current regulations. On the other side, the aviation safety agencies draw ideas from such unconventional configurations, amending and making modifications to the existing codes.
In this context, aircraft controllability is defined as the capability of an aircraft to respond to the pilot's control, with regard to flight path and attitude. As stated in CS-23 §23.143 [7] and CS-25 §25.143 [35], the aeroplane must be safely controllable and manoeuvrable during all flight phases. This includes lateral-directional controllability, which in regular flight conditions can be defined as the ability of the aircraft to respond to the pilot's commands during manoeuvres that induce roll and yaw motions. Aircraft design must ensure controllability during all regular flight phases, as well as in OEI conditions. Such constraints imposed by regulation can significantly reduce the available design space and change the optimal design point for hybrid-electric aircraft [36]. In case of asymmetrical flight caused by a failure in the propulsion system, the definition of lateral-directional controllability is supported by the definition of minimum control speed. According to CS-23 §23.149 and CS-25 §25.149, the minimum control speed when airborne is the calibrated airspeed at which, when the critical engine is suddenly made inoperative, it is possible to maintain control of the aeroplane, with that engine still inoperative, and thereafter maintain straight flight at the same speed with an angle of bank not more than 5°. In conclusion, the lateral-directional controllability of the aircraft in case of a failure is verified when the minimum control speed reflects the limit imposed by the regulation of not exceeding 1.2 times the stall speed for CS-23 certified aircraft (§23.149), or 1.13 times the stall speed for CS-25 certified aircraft (§25.149).
Due to this higher sensitivity of hybrid-electric aircraft to operational constraints, a greater optimisation effort must be invested in the early stages of conceptual design. In case of conventional aircraft, the yawing moment can be evaluated starting from the thrust distribution on the remaining engines only, and the sizing process of the vertical tail plane is based on the failure of the engine responsible for the greatest contribution to the yaw. With the introduction of hybrid architectures with more than one power source and a high number of elements generically connected in series or in parallel, the very definition of OEI condition must undergo a revision. Depending on the mechanical or electrical interconnections between the components, the failure of a unit can have different influences on the powers exchanged by the residual units. Furthermore, when dealing with high degrees of hybridization, it is possible that the most critical condition (i.e., responsible for the maximum moment to balance or the greatest thrust loss) is associated with an electric motor or battery pack, rather than a thermal engine. Therefore, in a more general sense, the analyst's attention must shift from seeking the critical engine to seeking the most critical unit, meaning one of the following:
(1) One thermal engine inoperative.
(4) One battery pack inoperative.
Electric buses are not counted among the possible single points of failures by virtue of a high mean time to failure. Cables designed according to regulations are selected in such a way as to promote ease of maintenance and high reliability over the entire expected operative life of the aircraft [37]. It is worth anticipating here that the methodology illustrated below aims to achieve a fair level of generality, allowing all the scenarios listed above to be simulated. In theory, it would also be possible to contemplate more complex scenarios, which simulate the loss of several elements at the same time. In this sense, it is appropriate to consider that the operation of the primary electric motor could depend on that of the coupled thermal engine, a situation that is not unlikely in the event of fire, explosion, or damage to the shaft, hence, their simultaneous failure will be treated. It would also be possible to evaluate the effects of the simultaneous occurrence of two or more stochastically independent failures. However, for the cases of interest, the number of total combinations of fallible elements is typically so high that it would be prohibitive to simulate all scenarios within iterative design processes. Since the purpose of this discussion is to provide a method that is suitable for integration into a preliminary design chain, more complex scenarios will be neglected in favour of a lower algorithm complexity. This is also justified by virtue of the low probability of their occurrence. Farokhi [2] estimated that the failure rate of a modern gas turbine engine is approximately $5\times10^{-5}$/h. If distributed propulsion is achieved with 10 small-sized gas turbine engines, the probability that two or more of them fail is in the order of $10^{-7}$, or even lower if gas turbines are replaced with electric motors with lower failure rates [2]. Based on the definitions provided in Refs. [38,39], such a scenario is classifiable as extremely remote or extremely improbable. Furthermore, as the power distribution helps reduce the fraction of thrust loss in the event of a failure, the latter hardly has the potential to be catastrophic. Therefore, it is concluded that multiple independent failures do not represent major risks and can be reasonably overlooked during the preliminary design activity.
The only failure points considered in this work are those listed above, in addition to the combination of the thermal engine plus the associated primary electric machine. To proceed in this direction, the methodologies presented so far are useful but not sufficient. In their classic formulation, powertrain equations consider the overall powers of electric motors, gas turbines, and battery packs. Their validity is therefore partly subordinated to the hypothesis of homogeneously distributed power on similar parts, meaning that the power of each isolated physical element must be obtainable by dividing the overall power by the number of units. The occurrence of a failure introduces an asymmetry in the propulsion system and new constraints that are not captured by the presented equations.

Powertrain subsystems
The first step to take is the detailed definition of the propulsive architecture. The choice of the best configuration is a combination of reasons related to safety, reliability, maintenance, and weight of the wiring, but it can also be guided by the attempt to optimise performance in emergency conditions. In order to include these aspects within the design chain, it is important in principle to formalise the definition of the propulsive architecture. To this end, the propulsion system is conveniently divided into an arbitrary number of subsystems, where one subsystem is a generic set of units capable of mechanical or electric energy exchanges with each other. Each subsystem can be built with a number of thermal engines, electric motors, and battery packs, less than or equal to the amount available in the system. For example, with reference to the configuration shown in Fig. 5, one solution consists in the division into two subsystems: the first including all the propulsive units on the left-hand side, and the other for the right-hand side, each connected to one battery pack. More in general, the designer is left free to define the subsystems individually, symmetrical, or asymmetrical with respect to the aircraft's centreline. It is also possible to include the same unit into more than one subsystem, meaning that it is capable of exchanging power with all the units in the subsystems it belongs to.
The configuration shown in Fig. 5 represents one of the simplest solutions to realise, as well as one of the simplest to model. In fact, the designer could assume that the worst-case scenario coincides with the failure of one thermal engine, and that the secondary electric motors linked to that primary engine also lose all the power as a result. Under these hypotheses, it would be correct to assume a power loss equal to 50% of the total power available, as for conventional configurations. This approach, however, is highly simplistic and approximated in many situations, for three fundamental reasons. First, as already mentioned above, the most critical condition may not be linked to the thermal engine, which happens for architectures with a high degree of hybridization, or in the case of secondary tip propellers producing a large yawing moment by virtue of their distance from the Center of Gravity (CG). Distributed electric propulsion is another important example of electric motors whose failure could result in the worst-case scenario. Secondly, it neglects that implications of a failure may depend on the operating mode used just before the failure occurrence. This often results in too conservative assumptions; for example, if the secondary propellers were partially powered by the battery and partially by the thermal engine, the failure of the latter does not determine the complete loss of secondary thrust but only of a fraction of it. Third, more elaborate architectures can aspire to improved wiring management, lower weight, optimised arrangement of on-board components, high levels of reliability through the introduction of redundancies and, at the same time, better characteristics of directional controllability. An ideal architecture can allow for weight savings linked to the number of propulsion elements used, to their nominal power, to the size of cables, and to the possibility of aiming for a downsized tail plane. 
These reasons imply the need to accurately model hybrid propulsion networks in the early stages of the design process in order to maximise the benefits of hybrid propulsion, and this paper proposes a novel strategy for implementing a general but simple method within aircraft design chains. A final premise is that the approach to risk management should not disregard the way in which the power management and distribution system is designed. The risks associated with an excess of power generated by the failure can be prevented by redirecting part of the energy to other available units, or by reducing the power supplied by the battery.

Failure occurrence
When a failure occurs, it is necessary to carefully evaluate the power losses of each of the affected parts. The decrease and redirection of energy are handled by a version of the powertrain equations that is modified according to the operating mode and the damaged element. Since there are 9 operating modes and 4 types of damageable elements, 36 failure scenarios are identified, each treatable with a specific approach. Nine more scenarios can be added, corresponding to the hypothesis of non-decoupling primary electric machine and thermal engine, for a total of 45 cases. The number of scenarios could be deliberately reduced in order to simplify implementation, based on the associated risk magnitude. With reference to the general scheme of Fig. 2, the first fundamental step consists in dividing the propulsion system into a certain number of subsystems. This can be done by means of a user interface that allows the user to select how many and which elements are connected to each subsystem. It is not required that an element belongs to a single subsystem, and there is no restriction on the number of subsystems or the elements that are part of them, as long as there is at least one unit of each type. A hybrid-electric subsystem will therefore consist of a number of battery packs ranging from 1 up to the total quantity available in the system, and the same applies to the number of thermal engines, electric motors, and generators. A full-electric system, on the other hand, can be broken down into an arbitrarily large number of subsystems, each with at least one battery pack and one electric machine. Finally, for a conventional configuration, the subsystems are trivially constituted by a non-zero number of thermal engines.
The worst-case scenario cannot be established a priori, so the algorithm simulates the failure of each element and then concludes which is the most critical. Two different criteria can guide the identification of the most critical case:
(1) The minimum power or thrust criterion.
(2) The maximum yawing moment criterion.
In the first case, the focus is on the element responsible for most of the propulsive power, which could be critical for the certification constraints on climb and take-off. The second case, on the other hand, is the most critical for directional control and is involved in the sizing of the vertical tailplane. The two cases may not coincide due to the different distances from the centreline of heterogeneous elements. The analysis of power distribution following the failure is performed by appropriate equations, similar to powertrain equations but less general. These equations basically consist in the redirection of the energy flow, assumed automatic or controlled. For the propulsion system shown in Fig. 5 and operating in mode 1, the failure of the thermal engine on the right wing would generate not only the loss of thrust of the corresponding primary propulsion unit, but also a reduction in the propulsive power associated with the corresponding secondary half-system, with the primary electric machine working as a generator. The lower the percentage of battery used, the more critical this is. On the contrary, if the operating mode before the failure occurrence is 4, the failure of the thermal engine does not determine the complete loss of the primary propeller thanks to the energy coming from the battery. In this second case, a detailed study allows a less conservative assumption. For each subsystem, it is possible to solve powertrain equations and obtain the power vector associated with it. For operating mode 1, Eq. (3) is solved as many times as the number of subsystems, assigning the fraction of gas turbine power given by all thermal machines belonging to it where $p_{GT,AEO}$ is the power related to a specific subsystem's gas turbine in All Engines Operating (AEO) conditions, $P_{GT,AEO}$ is related to the complete system, $n_1$ is the number of thermal engines in the subsystem only, and $N_1$ is the total number of thermal engines in the system. Overall powers are obtained by summing all single subsystem contributions, by virtue of the linearity of the equations. In the event of failure of a thermal engine operating in mode 1, the following set of equations is thus applied to all subsystems containing the damaged element. These equations are based on the hypothesis that the failure of the engine does not determine the failure of the associated generator. The powers related to the scenario with all the operating engines have been reported with the subscript AEO, while those referring to the failure scenario have the subscript OEI. In Eq. (8) where the share percentages of each primary propulsion unit belonging to the subsystem are named $\alpha_1$, where $\alpha_{1,i}$ is 1 if the engine is connected only to the subsystem under analysis, and it is 0 if it does not belong to it. The same thermal engine that powers two distinct subsystems will be associated with a value of $\alpha_{1,i}$ equal to 0.5 in both of them, and its failure will clearly determine a power loss equal to half the power of one engine, for both subsystems. To obtain the powers of single propellers, it is necessary to perform some final operations. In fact, the propulsive power of the primary propeller connected to the failed engine must be zero, since no power reaches the shaft even from the electric machine, which is working as a generator. The propulsive power of the residual primary propellers, on the other hand, is Eq. (9) do not apply to subsystems unaffected by the failure, i.e., those not including the damaged element.
Finally, the overall powers of the system are obtained from the sum of the powers of all subsystems. Each new failure scenario introduced involves having to model and implement a specific version of Eq. (7) and an ad-hoc procedure, for each operating mode, before being able to automate the process. Currently, the implementation realised by the authors is suitable for the 45 scenarios already discussed above.
For the sake of brevity, it is not possible to analyse here in detail every combination of operating mode and type of failure. The discussion is therefore completed by one last example, related to the failure of a secondary electric motor operating in mode 4. The corresponding algorithm is schematised in Fig. 6. In the first instance, the loss of the electric motor on the secondary line does not cause variations in the value of the power delivered by the thermal engine, nor in the power exchanged by the primary electric motors in the same subsystem. The analysts, at this point, could make different assumptions. They can hypothesize that the quantity of electric power exchanged between the battery and the primary line is independent from that moved to the secondary motors. In this case, they can assume that the lost motor is running idle consuming the same amount of battery energy, or that this energy is redirected to the $(n_2 - f_2)$ residual motors by the PMAD system. Alternatively, they can assume that the battery power is reduced to avoid waste. The latter is the solution to be adopted when there are no residual units available for energy consumption, that is to say when the damaged electric motor was the only one in the subsystem. A change in operating mode can also take place automatically when needed to prevent energy overload. The authors propose here a solution that prefers the redistribution of the excess battery power towards all the motors belonging to the same (secondary) propulsion line. The first attempt consists in the redistribution of $p_{EM2}$ among all the residual secondary motors, i.e., the total number minus one if there is no cross-connection between subsystems. This ensures the same shaft power as before the failure, limited by the reference power of the single motors.
Beyond this limit, the PMAD system is assumed to redistribute the residual power between the primary electric motors, always keeping the power limit (indicated with subscript Ref) under control. Finally, when it is no longer possible to use the power associated with the damaged element, the battery power is properly lowered.
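The redistribution cascade described above for a failed secondary motor in mode 4, written out as an added example; it is not the authors' implementation or HEAD code. It assumes lossless power transfer and equal power on every motor of a line, and all function and parameter names are hypothetical.

```python
from dataclasses import dataclass

EPS = 1e-9  # tolerance for "no excess power left", kW


@dataclass(frozen=True)
class Redistribution:
    p_em2_each: float   # shaft power of each residual secondary motor, kW
    p_em1_each: float   # shaft power of each primary electric motor, kW
    battery_cut: float  # battery power that can no longer be used, kW


def redistribute_em2_failure(p_em2, n2, p_em2_ref, p_em1, n_em1, p_em1_ref, failed=1):
    """Three-stage cascade for one subsystem.

    p_em2, p_em1         power per secondary / primary motor before the failure
    n2, n_em1            number of secondary / primary motors in the subsystem
    p_em2_ref, p_em1_ref reference (maximum) power of a single motor
    failed               number of secondary motors lost
    Assumption: efficiencies are ignored, so kW shift one-to-one between units.
    """
    if not 0 < failed <= n2:
        raise ValueError("failed must be between 1 and n2")
    residual = n2 - failed
    excess = failed * p_em2  # power that was feeding the lost motor(s)

    # Stage 1: share the excess among the residual secondary motors,
    # capped by the reference power of a single motor.
    new_em2 = 0.0  # no residual motor: nothing left on the secondary line
    if residual > 0:
        step = min(excess / residual, max(p_em2_ref - p_em2, 0.0))
        new_em2 = p_em2 + step
        excess -= step * residual

    # Stage 2: whatever is left goes to the primary electric motors,
    # again capped by their reference power.
    new_em1 = p_em1
    if n_em1 > 0 and excess > EPS:
        step = min(excess / n_em1, max(p_em1_ref - p_em1, 0.0))
        new_em1 = p_em1 + step
        excess -= step * n_em1

    # Stage 3: power that no unit can absorb is removed at the battery.
    return Redistribution(new_em2, new_em1, max(excess, 0.0))


if __name__ == "__main__":
    # Constructed numbers: 4 secondary motors at 90 kW, one primary at 50 kW.
    for ref2 in (130.0, 110.0):
        print(ref2, redistribute_em2_failure(90.0, 4, ref2, 50.0, 1, 70.0))
```

With a 130 kW reference power the three residual motors absorb the whole 90 kW; with 110 kW they saturate, the primary motor takes 20 kW, and 10 kW is shed at the battery.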

Analysis of lateral-directional controllability
As already highlighted above, the failure tolerance analysis cannot be separated from a multidisciplinary approach that also keeps the aerodynamics and performance of the aircraft under control. First, the vertical tailplane design is driven by the need to balance the maximum yawing moment, i.e., the one generated by the worst-case scenario in this sense. Therefore, the criterion to be used in this case is the maximum yawing moment. Once the worst-case scenario has been identified (that is, the critical unit is known), thrust distribution after the failure is inferred. Minimum control speed when airborne ($V_{MC}$) is defined as the minimum calibrated airspeed at which the aircraft is still controllable. Regulation for CS-23 aircraft requires the minimum control speed of the aircraft not to exceed $1.2V_{Stall,1}$, where $V_{Stall,1}$ is the stall speed at Maximum Take-Off Weight (MTOW). At this airspeed, the lateral, directional, and longitudinal controls must still be effective, and the aircraft must assume a bank angle, $\phi$, of no more than 5° at equilibrium 7,35. The aircraft is required to maintain straight flight at the same speed. To guarantee this condition, an appropriate deflection of ailerons ($\delta_a$) and rudder ($\delta_r$) must be provided, and thus the maximum deflection angles of the control systems have a primary role in the determination of $V_{MC}$. The bank angle is needed as the intense force generated by the vertical plane can be balanced only by developing an adequate aircraft weight component in the same direction. Eq. (10) represents a convenient way to solve the problem in the unknowns $\delta_a$, $V_{MC}$, and the sideslip angle $\beta$. The rudder deflection angle has the effect of reducing the minimum control speed, which is beneficial, and for this reason it is not treated as unknown but set equal to the maximum deflection value.
It is worth noting that the bank angle helps to balance the lateral force that arises due to the use of the lateral-directional controls, but 5° is not necessarily required. What is important is to check that $\phi$ does not exceed the imposed limit, and that at the same time the deflection angle of the aileron does not exceed the maximum deflection established by the designer. An excessive bank can result in a criticality for ailerons. Thus, the system consists of three equations with three unknowns if the bank angle is conveniently set to 5° or otherwise optimised, with a sign depending on the direction of the yawing moment. In Eq. (10), $C_{N_{Eng}}$ represents the yawing moment coefficient related to the asymmetry in drag produced by windmilling propellers, and $N_{Eng}$ is the propulsive yawing moment. $C_L$ represents the rolling moment coefficient, $C_N$ is the yawing moment coefficient, $C_Y$ is the side force coefficient, and their derivatives with respect to $\delta_a$, $\delta_r$, and $\beta$ appear in the equations that represent the equilibrium conditions along the lateral, roll, and yaw axes. All parameters are evaluated with respect to take-off configuration. The equations can be solved iteratively if the aerodynamic derivatives depend non-linearly on the deflection angles of the control surfaces.
Failure tolerance analysis consists of the phases illustrated in Fig. 7. First, a minimum control speed equal to the regulatory limit is assumed. This is used to calculate the thrusts distributed along the wing span, related to the scenario identified as the most critical (i.e., generating the maximum yawing moment $N_{Eng}$). Aerodynamic coefficients can be calculated by virtue of their dependency on flight condition. Next, Eq. (10) is solved and a new value of $V_{MC}$ is obtained. To alleviate the yawing moment, the failure occurrence phase can be followed by a redistribution of the power among the units still operating. With an appropriate strategy, it is in fact possible to shift the propulsive power towards elements less distant from the center of gravity, without further penalties in residual power. If the failure affects a thermal engine or an electric machine, the supplied power ratio referring only to the subsystems contributing to the yawing moment is decreased in favour of the opposing ones, where it is increased by the same amount. When the event concerns a battery pack, the power reaching the subsystems responsible for the yawing moment is lowered. In the latter case, the reconfiguration could result in a severe thrust penalty. However, splitting the battery into multiple packs for safety reasons may reduce the relevance of the problem. In general, the redistribution process can be interrupted when a sufficiently low level of moment is achieved, possibly equal to that of the rudder at the same speed where $\rho_\infty$ is the air density, $S_W$ is the wing area, and $b_W$ is the wing span. Finally, the overall process is repeated iteratively until convergence is reached. Aero-propulsive interaction effects, which are particularly relevant when disruptive technologies such as DEP or wingtip propellers are adopted, can also be re-evaluated in detail at each iterative step. When the worst-case scenario is not predictable, the algorithm described in Fig. 7 can be repeated by simulating all failure scenarios one by one, finally taking the maximum $V_{MC}$ value obtained. When the resulting minimum control speed is higher than $1.2V_{Stall,1}$, designers can choose to pursue different strategies according to their preferences. For example, they can provide an automatic update of the vertical plane size to increase the directional control power. When this is the case, the aerodynamics of the aircraft is also updated and the whole calculation is repeated from the beginning. Propulsive architecture and mission strategy can also be changed in order to meet the requirement. Failure analysis is completed by the verification of the requirement for sufficient residual thrust. Take-off balanced field length is evaluated by simulating the take-off trajectory in the worst-case scenario with minimal residual thrust, and its compliance with the top-level requirement is monitored. The same applies to the ceiling altitude. Climb performance is evaluated to verify that the rate of climb and the climb gradient respect the certification limits in prescribed conditions. The 35 . The entire procedure can be integrated into the design chain provided that the installed power (electric or thermal, according to the designer's preference) is increased if one or more constraints are not respected. In conclusion, the whole procedure can be summarised in the following main steps (see also Fig. 7):
Step 1. Definition of TLARs and selection of the propulsive architecture.
Step 2. Aircraft sizing with initialization of geometry, rated powers, masses, and aerodynamic derivatives.
Step 3. Subdivision of the propulsion system into subsystems, as described in Section 3.2.
Step 4. Selection of a failure scenario (e.g., failure of one specific thermal engine).
Step 5. Determination of propulsive efficiencies and available power from the engine deck, as described in Section 2.5 and Section 2.6, in take-off conditions.
Step 6. Calculation of power distribution in all subsystems, by means of powertrain equations as described in Section 2.4.
Step 7. Recalculation of power distribution in the subsystems affected by the failure (e.g., Eq. (7)).
Step 8. If the operating mode and the scenario require it, application of further redistribution logics (e.g., Fig. 6 in case of failed secondary electric machine operating in mode 4).
Step 9. Calculation of the total residual thrust, and the propulsive yawing moment as the sum of the cross products of thrusts and distances from the center of gravity.
Step 10. Repetition of Steps 4-9 for each failure scenario considered.
Step 11. Identification of the maximum yawing moment scenario.
Step 12. Calculation of the rudder yawing moment by Eq. (11) based on a first-attempt value of $V_{MC}$.
Step 13. If no redistribution is applied after the failure occurrence, calculation of minimum control speed, aileron deflection angle and sideslip angle by Eq. (10).
Step 14. If a redistribution strategy is implemented based on supplied battery power, increase in the power supplied to subsystems affected by the failure, and reduction elsewhere. Hence, calculation of $V_{MC}$ by Eq. (10).
Step 15. In case of redistribution, repetition of Steps 4-12 and 14 until the maximum propulsive yawing moment falls below the estimated available rudder moment, or until no further redistribution is possible.
Step 16. Repetition of Steps 4-15 until the difference between two consecutive estimates of $V_{MC}$ falls below a desired convergence threshold.
Step 17. If the minimum control speed is above the certification limit, enlargement of the vertical plane size to improve directional controllability, and update of aerodynamic derivatives and weights. Alternatively, reduction of the safety margin with respect to the certification limit. Hence, repetition of Steps 4-16.
Step 18. For the verification of the prescriptions on climb gradient, repetition of Steps 4-10 in climb conditions and identification of the worst-case scenario based on the minimum residual thrust criterion.
Step 19. If one or more conditions are not met, resizing of the propulsion system (increase in installed power) and repetition of Steps 4-18.
Step 20. If the result is not considered satisfactory by the designer, repetition of the whole procedure choosing a different propulsive architecture or partition into subsystems.
For the present application, Steps 1 and 2 are carried out by means of the in-house software HEAD, but any design chain is suitable for the purpose if capable of characterizing the geometry, aerodynamics and masses of the aircraft. Additionally, hybrid-electric propulsion is required to be modelled by means of powertrain equations, as described.
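Steps 4 to 11 of the procedure, as an added example that is not part of the paper or of HEAD: each failure scenario is simulated in turn, and the worst case is picked once by minimum residual thrust and once by maximum yawing moment. The layout, thrust values and the `batt_share` parameter (fraction of the secondary line fed by the battery) are constructed, and the thrust scaling rules are a simplified stand-in for the paper's failure equations, which are not reproduced on this page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Prop:
    name: str
    y: float        # spanwise arm from the CG, m (positive on the right wing)
    thrust: float   # thrust with all engines operating, N
    line: str       # "primary" (gas-turbine shaft) or "secondary" (electric)
    subsystem: str  # "L" or "R" half-wing subsystem


def sample_layout():
    """Constructed layout: one primary and two secondary propellers per half-wing."""
    props = []
    for side, sign in (("L", -1.0), ("R", 1.0)):
        props += [
            Prop(f"P_{side}", sign * 3.0, 4000.0, "primary", side),
            Prop(f"S1_{side}", sign * 6.0, 2000.0, "secondary", side),
            Prop(f"S2_{side}", sign * 9.0, 3000.0, "secondary", side),
        ]
    return props


def thrusts_after_failure(props, scenario, batt_share):
    """Thrust of every propeller after one failure (assumed mode 1, no redistribution).

    scenario is ("GT", subsystem), ("BAT", subsystem) or ("EM", propeller name).
    Assumed rules: a failed gas turbine stops its primary propeller and leaves
    the secondary line only its battery share; a failed battery removes that
    share; a failed secondary motor stops its own propeller.
    """
    kind, target = scenario
    out = {}
    for p in props:
        k = 1.0
        if kind == "GT" and p.subsystem == target:
            k = 0.0 if p.line == "primary" else batt_share
        elif kind == "BAT" and p.subsystem == target and p.line == "secondary":
            k = 1.0 - batt_share
        elif kind == "EM" and p.name == target:
            k = 0.0
        out[p.name] = k * p.thrust
    return out


def yawing_moment(props, thrusts):
    # z-component of r x F with r = (0, y, 0) and F = (T, 0, 0) is -y*T.
    return sum(-p.y * thrusts[p.name] for p in props)


def sweep(props, scenarios, batt_share):
    """Return per-scenario (scenario, residual thrust, yawing moment) and both worst cases."""
    rows = []
    for s in scenarios:
        t = thrusts_after_failure(props, s, batt_share)
        rows.append((s, sum(t.values()), yawing_moment(props, t)))
    min_thrust = min(rows, key=lambda r: r[1])[0]      # criterion (1)
    max_yaw = max(rows, key=lambda r: abs(r[2]))[0]    # criterion (2)
    return rows, min_thrust, max_yaw


# Left-wing failures only; the layout is symmetric.
SCENARIOS = [("GT", "L"), ("BAT", "L"), ("EM", "S1_L"), ("EM", "S2_L")]

if __name__ == "__main__":
    for share in (0.05, 0.8):
        rows, worst_thrust, worst_yaw = sweep(sample_layout(), SCENARIOS, share)
        print(f"batt_share={share}: min thrust -> {worst_thrust}, max yaw -> {worst_yaw}")
        for s, thrust, n in rows:
            print(f"  {s}: T = {thrust:.0f} N, N_Eng = {n:.0f} N m")
```

At a low battery share both criteria point to the gas turbine; at a high share the two criteria select different elements in this constructed layout, which is why the sweep evaluates them separately.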
The computational time can vary, from seconds to a few minutes, depending on the chosen convergence thresholds and the required level of detail, as well as on the computer characteristics. Fig. 8 reports the measured computation times as a function of the input size, here represented by the number of failure scenarios analysed. Time is evaluated on a computer with Intel Core i7-10875H 2.3 GHz, 32 Gb RAM. The worst-case time complexity has been measured by assuming a maximum number of iterations equal to 10 for the convergence on the minimum control speed calculation. The inferred linear complexity is justified by the fact that each scenario is simulated at each iterative step. However, running times are influenced by the specific methods used in HEAD for updating aerodynamic efficiency and propulsive characteristics. Moreover, the optimisation of computation times was beyond the authors' scope. Recalling that the purpose of the proposed method is to provide a quick tool for preliminary design application, linear complexity motivates the authors' suggestion to limit the number of failure scenarios to the most probable ones for an efficient implementation of the algorithm into a design chain.
The next section presents a sample application intended to demonstrate the benefits of including failure-tolerance and lateral-directional controllability considerations with the level of detail described herein.

Case study
This last section presents results obtained for the purposes of the EU-funded ELICA project 40. The project works on the conceptual design of a 19-passenger hybrid-electric commuter aircraft targeting near-zero CO2 emissions. To this end, the preliminary configuration shown in Fig. 9 with 8 distributed propellers was considered and a failure analysis was conducted according to the methodology proposed in this work. The propulsive architecture is similar to the one shown in Fig. 5, characterised by 4 distributed electrically driven propellers per half-wing, uniquely associated with a gas turbine and a battery pack, for a total of two battery packs and two thermal engines on board. The two primary propellers were arranged at 33% of the half-wing span, while the 4 DEPs between 52% and 100% half-wing span. Values of Φ = 0.05 and φ = 0.8 were selected for take-off (meaning 5% of energy from battery and 80% of distributed propulsive power on secondary shaft during take-off phase). The main parameters which define the aircraft geometry are reported in Table 3. Table 4 lists the maximum powers that can be exchanged by each single element of the propulsion system. Table 5 lists the values of the aerodynamic derivatives useful for the calculation of $V_{MC}$ by Eq. (10). The aerodynamics of the vertical tail plane has been checked with the experimental validation proposed in Ref. 41. Table 6 shows the results of a simulation of each possible failure scenario, both in terms of generated yawing moment and loss of propulsive power. Propulsive power in AEO condition is 1255.5 kW. The failure of a gas turbine visibly represents the worst-case scenario. Conversely, due to the low value of supplied power ratio, batteries do not appear to be a critical issue in this case. The case of failure of an electric machine is more complex.
In principle, it cannot be excluded that the worst-case scenario is associated with distributed electric motors because of their large distance from the center of gravity. Nevertheless, as assumed for the present application, the imbalance can be considerably reduced by assuming that the power previously supplying the failed motor is redistributed on residual electric motors belonging to the same subsystem. This is done until the reference power of single electric motors is reached. After that, it is assumed that the remaining excess power can be released into the primary propulsive line, forcing the primary electric machine to work as a motor. The operating mode of the subsystem therefore changes from 1 to 4, for which the algorithm has already been shown in Fig. 6. This procedure has resulted in an increase in the overall efficiency of the system, capable of justifying the slight increase in thrust after failure occurrence. The case of failure of a generator is similar: the output power from the gas turbine is redirected to the primary engines, avoiding drops in efficiency due to energy transformations.

Results and discussion
As already highlighted above, gas turbines unquestionably represent the critical elements, also due to the fact that, when operating the system in mode 1, their malfunction entails a loss of power on both propulsion lines. Therefore, the minimum control speed must be deduced from the simulation of this scenario. Fig. 10 represents both propulsive and aerodynamic yawing moments as the flight speed varies, where $V_{MC}$ is identified as the intersection of the two trends. The aerodynamic moment is made up of both the contribution of control surfaces and that due to the sideslip angle. The aircraft stall speed, which benefits from the aero-propulsive effects, is 43.1 m/s. The maximum take-off mass is 7982 kg. As shown in Fig. 10, the failure of one gas turbine would yield a yawing moment that is higher than the aerodynamic moment, leading to a minimum control speed above the regulatory limit. In light of this, a proper system reconfiguration was carried out in compliance with power limits and the required OEI performance during climb and take-off. Therefore, in the event of a thermal engine failure, power is redistributed by increasing the battery contribution on the same half-wing affected by the failure. In Table 7, the failure of the gas turbine on the left half-wing is analysed in detail, by considering the powers exchanged by each propulsive element before and after failure occurrence. In case of redistribution, the battery power towards the right half-wing is eliminated in favour of a proportional increase in battery power on the left half-wing. The overall effect is a redistribution of propulsive power and a significant reduction in both net yawing moment and minimum control speed. Values of minimum control speed, both before and after redistribution, are also reported in Table 8. Bank angle was conveniently set to −5° for the resolution of Eq. (10).
As highlighted above, without any further power redistribution immediately after failure occurrence, $V_{MC}$ would be higher than the limit established by regulation. For this reason, it could be necessary to enlarge the vertical tail plane or to opt for less conventional configurations. In this sense, a T-tail could be a valid alternative, but with the disadvantage of a large structural weight penalty. However, one of the main advantages of a hybrid-electric propulsion architecture lies in its flexibility and it is appropriate to fully exploit it. One solution to the problem is to lengthen the fuselage to increase rudder control power for the same aerodynamic force, but the weight penalty would be significant. This result makes it even more appropriate, if not necessary, to introduce a redistribution that aims to minimise the control moment request.

Conclusions
(1) The present work introduces an innovative method for failure analysis suitable for hybrid-electric aircraft. In particular, the authors have proposed an accurate method that is easy to implement, general, and customizable according to the design needs. The method tries to fill a gap in the literature due to the almost infinite multitude of architectures that a hybrid platform can adopt. The definition of the One Engine Inoperative condition has been generalised, after which a strategy has been proposed to simulate the failure for any architecture, degree of hybridization, and operating mode. The method couples the calculation of thrust and propulsive power distribution with that of minimum control speed when airborne, including aerodynamic effects and regulatory restrictions.
(2) Future improvements can be achieved by implementing the simulation of more complex scenarios, including multiple, stochastically independent failures. In the future, considerations on failure rates can be integrated into the algorithm, through an automatic preliminary selection of the most probable scenarios based on assumed failure rates.
(3) The work has also encouraged the definition of a power management and distribution logic, on the basis of which power distribution can be optimally reconfigured in order to reduce the criticality of non-operating conditions. In this sense, the sample application presented in the last section, related to a hybrid-electric 19-passenger commuter, has highlighted the potential of hybrid platforms. The worst-case scenario corresponding to the failure of a thermal engine has led to a minimum control speed of 47.2 m/s, below the regulatory limit, if the battery power is redirected for balancing the yawing moment. On the contrary, the minimum control speed proved excessively high when no redistribution is adopted, which confirms both the advantageous flexibility of hybrid architectures and the need for an accurate method for failure tolerance analysis.
(4) The proposed method can be used in the conceptual design of the vertical tail of hybrid aircraft with distributed electric propulsion.