Article

Preliminary Safety Assessment of a Liquid Hydrogen Storage System for Commercial Aviation

by Mirko Simonetto 1,*, John-Alan Pascoe 1 and Alexei Sharpanskykh 2
1 Department of Aerospace Structures and Materials, Faculty of Aerospace Engineering, Delft University of Technology, Kluyverweg 1, 2629 HS Delft, The Netherlands
2 Department of Control and Operations, Faculty of Aerospace Engineering, Delft University of Technology, Kluyverweg 1, 2629 HS Delft, The Netherlands
* Author to whom correspondence should be addressed.
Safety 2025, 11(1), 27; https://doi.org/10.3390/safety11010027
Submission received: 20 December 2024 / Revised: 17 February 2025 / Accepted: 5 March 2025 / Published: 11 March 2025

Abstract

The development of liquid hydrogen storage systems is a key aspect to enable future clean air transportation. However, safety analysis research for such systems is still limited and is hindered by the limited experience with liquid hydrogen storage in aviation. This paper presents the outcomes of a preliminary safety assessment applied to this new type of storage system, accounting for the hazards of hydrogen. The methodology developed is based on hazard identification and frequency evaluation across all system features to identify the most critical safety concerns. Based on the safety assessment, a set of safety recommendations concerning different subsystems of the liquid hydrogen storage system is proposed, identifying hazard scopes and necessary mitigation actions across various system domains. The presented approach has been proven to be suitable for identifying essential liquid hydrogen hazards despite the novelty of the technology and for providing systematic design recommendations at a relatively early design stage.

1. Introduction

The aviation industry is increasingly exploring liquid hydrogen (LH2) as a promising, sustainable alternative to conventional fuels [1]. However, the unique properties of LH2, notably its extremely low cryogenic temperature (−253 °C) and high volatility, necessitate rigorous safety considerations in storage and handling [2]. The successful development of liquid hydrogen storage for aviation therefore needs to be guided by safety analyses. However, the lack of prior experience with this technology, as well as the limited information on final system architecture, due to the active technology development, complicates performing such safety analyses.
Ensuring the safety of hydrogen storage systems is critical to advancing hydrogen as a zero-carbon energy source, particularly for high-risk applications such as aviation, where liquefied hydrogen (LH2) is favored for its high energy density. The storage of LH2 presents unique technical challenges, including hydrogen embrittlement, boil-off phenomena, and pressure fluctuations. These issues necessitate the application of advanced thermal management techniques—such as vacuum insulation and multi-layer insulation (MLI)—alongside rigorous material selection and system design protocols to mitigate leak risks and structural fatigue [3,4]. Recent experimental investigations have yielded mixed results: while some studies indicate that long-term LH2 storage is technically feasible, others have identified ongoing difficulties in maintaining cryogenic conditions and managing boil-off rates [5,6,7]. Compounding these challenges are hydrogen’s inherent properties—its high flammability, broad flammability limits, low ignition energy, and propensity for inducing material embrittlement—which elevate the risk profile of storage systems. In the event of a loss-of-containment (LOC), these risks could culminate in catastrophic fires or explosions [8,9]. Consequently, there is a pressing need for the development of innovative tank designs and enhanced insulation technologies that integrate rigorous safety solutions. Safety assessments in hydrogen storage extend beyond design considerations. An analysis reported in Ref. [10] examined 628 incidents from the Hydrogen Incidents and Accidents Database 2.0 (HIAD 2.0), identifying technical and mechanical failures (23.1%), operational errors (19.2%), organizational deficiencies (9.0%), human errors (9.4%), and external/environmental factors (1.6%) as the primary causes of accidents. 
Moreover, a 2023 OECD study on cryogenic vessel incidents noted a declining trend in fatalities [11] caused by reduced incident reporting and limited root cause analyses [12].
Given that current cryogenic storage vessels were not originally designed for airborne applications, significant challenges remain in translating these insights to the aviation sector. General safety assessments typically follow a three-phase process:
  • Hazard identification;
  • Risk assessment;
  • Definition of control measures.
In many cases within H2 systems, the release of hydrogen is identified as the primary hazard, with risk evaluations based on the intensity and frequency of potential releases. These models are often based on a fixed parametric design of the system and in some cases, control measures such as exclusion zones and physical barriers are implemented to mitigate these risks [13]. When the design and failure behavior of a component are well understood, probabilistic methods—such as random sampling analysis combined with representative testing [14] and periodic inspections [15]—can be employed to realistically estimate failure risks over its service life, thereby enabling optimized and cost-effective design solutions.
Within the scope of more complex hydrogen systems, hydrogen refuelling stations (HRSs) play a significant role. To ensure their safe operation, comprehensive safety assessments have been conducted, focusing on potential risks such as hydrogen leakage and explosions. These evaluations typically combine traditional methodologies such as hazard and operability studies (HAZOPs) and failure modes and effects analyses (FMEAs) for accident scenario identification with advanced quantitative techniques that leverage historical data and simulation tools. For instance, Chauhan et al. [16] employed Computational Fluid Dynamics simulations to model accidental liquid hydrogen leakage, demonstrating how variables like wind direction, velocity, and leak rate influence the formation of flammable clouds. Similarly, Li et al. [17] used a full-scale 3D model to investigate hydrogen diffusion and explosion risks in mobile refueling stations, highlighting the importance of ambient wind and ventilation conditions in determining safe distances. Complementing these simulation studies, Kodoth et al. [18] applied various models to estimate leak frequencies, particularly addressing the challenges posed by limited accident data in newer HRSs. Additionally, Zhiyong et al. [19] utilized Quantitative Risk Assessment (QRA) to identify compressor leaks as a primary hazard, while Pirbalouti et al. [20] employed risk management by integrating bow-tie analysis with algorithms to better account for uncertainties in liquid hydrogen refueling stations. Collectively, these approaches underscore the multifaceted strategies employable to assess the risk in complex and defined systems.
Recently, systems safety assessments have also been applied to liquid hydrogen vehicles, including maritime vessels, heavy-duty trucks, and production plants. In maritime applications, risk-based studies employing quantitative risk assessments (QRAs) have compared the bunkering operation of liquid natural gas and LH2 using a leak frequency function fitted on the adopted equipment size, and the leak consequences are evaluated using physical models [21,22,23]. Structural evaluations and FMEA applied to LH2 storage in trucks have demonstrated that, with robust material selection and the careful management of cryogenic challenges, LH2 systems can achieve efficient energy storage and comply with existing safety codes while still offering room for improvement in pressure relief configurations [24]. Within production plant systems, comprehensive methodologies such as HAZOP, Probabilistic Risk Analysis, Event Tree Analysis, and QRA have been used to identify critical hazards like vapor cloud explosions and jet fires, with further investigations advocating for the integration of AI-driven risk assessments to address issues related to data reliability and leak risks [25,26].
Mitigating hydrogen hazards requires a comprehensive, multi-layered approach that integrates both engineered safeguards and proactive operational strategies. Leak mitigation strategies are at the forefront, employing physical barriers—such as explosion-proof enclosures and cryogenic containment—to prevent direct exposure to leaked hydrogen, while effective ventilation and dispersion controls reduce the risk of accumulation in confined areas [27,28]. Advanced leak detection systems, including hydrogen sensors and automatic shut-off mechanisms, are critical for early hazard identification, though they necessitate regular maintenance to avoid false alarms [29]. Complementary maintenance approaches, such as risk-based inspections aimed at countering issues like hydrogen embrittlement, further enhance the reliability and safety of hydrogen infrastructure [30]. Maintenance is key for airborne LH2 safety. A study [31] comparing a conceptual LH2 fuel system with the Airbus A320 shows that hydrogen-based aviation requires stricter safety protocols and more complex, costly maintenance, emphasizing the need for specialized expertise. Moreover, multi-stage monitoring systems that integrate multiple sensor technologies [32] in a real-time platform with predictive analytics [33] are seen as essential for early hazard detection, proactive risk management, and optimized emergency response in hydrogen systems.
Safety can be increased with the adoption of physical barriers and an efficient emergency response process. Numerical simulations have demonstrated that optimized barrier designs—such as air curtains and specific fence configurations—can effectively control hydrogen dispersion and reduce flammable cloud distances, despite environmental influences like wind direction [34,35,36]. The emergency response process is modeled to simulate emergency dynamics, pinpointing delays in incident reporting, personnel deployment, and shut-off activation. This analysis underscores the need for rapid, automated interventions to minimize risks and reduce incident severity [37]. Reducing reliance on human intervention through automation can minimize the hydrogen risk. Although database analysis indicates that human error significantly contributes to incidents [10], one case study showed that well-trained personnel would mitigate these risks, leaving technical failures as the dominant concern [38].
The review above shows that there is a substantial body of knowledge available in the literature concerning land-based applications of liquid hydrogen. However, it is not yet clear to what extent the learnings from these applications can be applied for the design of liquid hydrogen storage systems in aviation. For example, the lack of currently operating airborne liquid hydrogen storage systems prohibits a quantitative occurrence analysis. At the same time, because liquid hydrogen storage systems are still in active development, there is not yet a detailed design available that can be analyzed with traditional safety analysis tools. Instead, there is a need for an analysis methodology that can already inform early design and further development of liquid hydrogen storage for aviation, despite its novelty.
This paper addresses the challenge of integrating a systematic safety assessment methodology into the early design stages of liquid hydrogen (LH2) storage systems in aviation. Taking as context the composite conformal liquid hydrogen tank (COCOLIH2T) European project (more information available at the project website: https://www.cocolih2t.eu, accessed on 5 March 2025), our research focuses on how to proactively identify, categorize, and mitigate potential hazards beyond the classical risk assessment approach that mainly considers hydrogen release from component ruptures. Starting from an extensive review of multiple knowledge sources, the study aims to build a robust framework that integrates safety by design through targeted design changes and mitigation strategies. Historical incident data are leveraged to overcome the low number of registered incidents and component failures, while comprehensive and systematic functional failure mode analysis enables a preliminary safety analysis of the system, which can guide detailed design. This integrated framework not only enhances the performance and safety characteristics of next-generation LH2 tanks but also significantly contributes to the growing body of knowledge in the field of cryogenic systems safety.

2. Materials and Methods

The safety assessment process presented in this manuscript integrates both established methodologies and innovative approaches to rigorously evaluate self-contained fuel storage systems at early stages of development. As summarized in Figure 1, the process begins with the definition of system functions based on an in-depth technical review of previous liquid hydrogen storage implementations and an analysis of current system requirements.
Subsequently, potential failure modes and their associated physical effects were evaluated under various operating conditions by employing Functional Hazard Assessment (FHA) in conjunction with incident database analysis. This combined approach overcomes the lack of frequency data for components or subsystems that are not yet developed while focusing on design priorities and the architectural solutions to be implemented at the system level. To achieve this goal, safety recommendations derived from the hazard assessment were prioritized according to the impact and frequency of the identified failures, as determined through hazard severity evaluations and database analysis.
In this section, first, the system being assessed is defined. A significant focus is applied during this phase as each function of the system is fundamental for its safe operation. After that, the process to identify the hazard and propose and rank recommendations is outlined.

2.1. Functional Definition of the Liquid Hydrogen Fuel Storage System

Defining the functions of a liquid hydrogen fuel storage system for aviation requires comprehensive knowledge of hydrogen behavior, the working principles of existing ground and vehicle storage systems, and the specific requirements for commercial aviation applications. In this chapter, the system configuration is discussed.
Different aircraft designs powered by liquid hydrogen fuel are under exploration, from blended wing–body configurations that enhance efficiency [39,40,41] to conventional commercial aircraft designs in which tanks are integrated within the fuselage [42,43,44], with the power train comprising either a turbofan or a fuel-cell-powered propeller. Additionally, a recent experimental trial assessing tank performance in unmanned systems is reported in Ref. [45], along with previous implementations documented in Refs. [42,46,47]. The cryogenic behavior of hydrogen has been extensively described in Refs. [48,49,50,51]. Integrating fuel storage within the aircraft is fundamental because the volumetric energy density of LH2 fuel is approximately four times lower than that of conventional fuels, necessitating a larger storage volume for the same energy content. Given the low operating pressure of LH2 tanks, conformal shapes are favored to optimize volume utilization, and their placement in the tail section is under investigation due to the protective advantages it offers against frontal impacts and potential rotor blade penetration.
A simplified representation of such a conformal, double-walled tank is shown in Figure 2, highlighting the interfaces with the aircraft. These interfaces include the structural attachment, the exchange of matter (such as fuel and pressure), and the exchange of information, including sensor readings and the actuation of valves or other fuel control devices.
A safe liquid fuel storage solution is composed of different subsystems that work together to comply with its main function. The system should interact with the environment while minimizing the risk regarding its operation. As seen in the introduction, liquid hydrogen storage solutions already exist for ground applications; however, the main step forward in the aviation context is being able to ensure the performance characteristics required for aviation (e.g., minimizing both mass and volume of the storage system) while mitigating various risks, a challenge in which material and design choices play a significant role. To evaluate and compare the performance of different solutions, the gravimetric efficiency of the storage system $\eta_{tank}$ is defined as the ratio of the usable fuel mass to the total mass of the filled tank:
$$\eta_{tank} = \frac{W_{fuel}}{W_{fuel} + W_{tank}}$$
Within this system definition context, a minimum number of discernible functions for which the tank can be considered complete, independent, and safe were identified and are reported in Figure 3.
The list of defined fundamental functions of the system under analysis is organized in main groups, but each function is still interacting independently with each other function in a graph-like connection, given the low-level assumptions about the storage system architecture. An index in the Fx.x format is assigned to each function, allowing them to be referenced during the assessment process outlined in this methodology. The main functions are:
F1. Contain fuel and maintain its thermodynamic state;
F2. Ensure fuel transfer;
F3. Ensure system monitoring and control;
F4. Provide protection against natural and induced environments.
The first function class describes the core responsibilities within the fuel storage domain, incorporating passive and active features to maintain the necessary thermodynamic fuel state and ensuring it remains securely contained and does not reach unintended areas. Functions 2 and 3 serve as interfaces with other systems and the external environment, indicating their roles in the exchange of matter and information, respectively. Also, in this case, some of the functions are directly related to the expected behavior of fuel storage, while others are necessary for the safe operation of a liquid hydrogen system. The functions of tier 4 include passive measures to prevent primary hazards and have a cascade effect on every design and operational choice.
A comprehensive description of the functions is fundamental for understanding the purpose, the interaction with other functions and the eventual physical behaviors that may occur. In the following paragraphs, some of these are discussed to understand their importance. The mechanical storage subsystem that would contain the hydrogen is divided into a first function, F1.1, represented by the inner vessel that directly contains the liquid fuel, and F1.2, represented by the insulation systems, which include an external vacuum enclosure as part of the insulation. The third function, F1.3, within this context, represents the structural connections of the inner tank to the external vacuum enclosure and another shell protecting the outer vessel from impacts. This last layer might eventually be integrated with the aircraft structure and/or the vacuum enclosure, but its function has been distinguished in this case study. The concept under exploration does not explicitly feature a double-walled tank with vacuum insulation [52]; the usage of alternative designs combining polyurethane foam with vapor-cooled shields [53,54] might be addressed as well, but the added structural complexity needs to be accounted for within the failure mode of its representative function.
The function F1.4 is included as the interface of the inner tank with all the other connections and represents the ability to “close” the tank both to avoid involuntary releases of hydrogen and to stop fuel streams that are feeding hazardous circumstances. The purging function F1.6 needs to be kept, as the ability to operate in an uncontaminated environment should not be taken for granted; this includes purging from both hydrogen and other reactive gases.
The LH2 fuel is subject to evaporation, referred to as fuel boil-off, which has to be addressed by engineers with solutions such as venting systems, which are part of F2.3. These need to operate during normal operations or in abnormal conditions, where different amounts and pressures of fuel in gas form need to be released. These fuel release systems are a fundamental safety subsystem, as they provide explosion protection wherever other functions are compromised and might be complex as hydrogen releases need to be managed properly given the different operating environments. Eventually, fuel recirculation mechanisms might need to be employed during the parking of the aircraft. Another function significant for the hazard aspect of LH2 storage systems is function F2.4, which describes the interaction between different components, such as pipes and valves and pipes and the tank.
System control and monitoring functions interact significantly with other system functions. For example, function F3.1 monitors designated locations to ensure that material degradation remains within acceptable limits and that the functions of the first group (F1.x) continue to operate effectively. Function F3.2 is responsible for collecting data from the fuel systems, including measurements such as fuel level and the operational status of valves and other components. Finally, function F3.3 includes both the monitoring of these signals and the capability to operate fuel control devices. Functions of the fourth group (F4.x) are fundamental in hydrogen systems that prioritize safety and need to be considered in addition and relation to the other functions.
This description in terms of system functionality allows one to step back from the initial design, material, and component choices and enable the safety analysis to be performed before such choices have been finalized. Ideally, none of these functions should be failing for the safe functioning of the tank. However, as failure may occur, it is essential to study possible functional failures and their effects under the various expected operational environments and configurations.

Operational Scenarios

For a preliminary safety assessment, it is essential to consider various scenarios to analyze the system’s behavior and response to failures under different external conditions. From the storage system perspective, different operational modes were defined. These are labeled as service phases and are detailed in Table 1. In this study, the phases are interpreted in the context of testing fuel storage system demonstrators at low Technology Readiness Levels (TRLs), but they have deliberately been labeled to mirror the expected service phases seen by a high TRL system in actual operation. Nevertheless, more mature designs might require the definition of more specific service phases.
The defined service phases represent very distinct phases of the life cycle where a specific setting is defined for the system. In the context of demonstrator testing, the phases manufacturing and handling refer to the test preparation, maintenance refers to inspection operations and fueling, flight and dormancy refer to the different phases during the test operations. It may happen that the effect of some actions might not be perceived as dangerous within the same service phase, but their consequences could become apparent in later phases, potentially leading to unforeseen risks or failures. For instance, a collision during handling that results in a damaged tank or an incorrect purging after operation may lead to unexpected contact with hydrogen for maintenance operators.
Each of these phases will impose different functional demands on the storage system, which will be met through the combined subsystems’ efforts. For example, fueling relies on the functions of the second group “Ensure fuel transfer” as well as functions of the third group “Ensure system monitoring and control”. Furthermore, hazardous situations may occur when the required system functions are not fulfilled as expected. It is important to identify and study such situations systematically, considering also the type of environment the storage system may be in. The list of defined operational external scenarios labeled as environmental conditions is reported in Table 2. These represent expected environmental conditions, weather limit circumstances, or emergency scenarios caused by external causes (e.g., failure of other systems, unplanned intersection). For instance, the arc discharge condition considers both discharge from equipment or lightning strikes from the external environment. The provided list does not pretend to be comprehensive, and the addition of other factors might help in the identification of more hazards.
At this stage, after delineating the system’s functions and specifying its service phases across the various environments, it is possible to systematically evaluate the hazards associated with potential functional failures. The following section details the methodology employed in this assessment.

2.2. Safety Assessment Methodology

Ensuring the safety of complex systems requires a structured approach to identify, analyze and reduce potential hazards. This study presents a methodology designed to systematically assess safety risks, with the primary focus on ranking mitigation strategies and iterating on the system design. The approach aims to address key challenges associated with emerging technologies from the limited definition of system architecture to the lack of comprehensive failure data.
The proposed methodology follows classical hazard identification techniques, where the expert judgment is facilitated by a structured analysis in defining system improvements. A critical aspect of this approach is the blend between judgment and data-driven insights, which serves to enhance the reliability of safety evaluations, ensuring that safety-related decisions are both scientifically justified and methodologically transparent. An example detailing the steps of the assessment is reported in Section 3 of this manuscript.
One of the primary issues addressed by this assessment is the scarcity of reliable and extensive failure data for novel technologies, such as liquid hydrogen storage systems. In particular, while the consulted databases allow one to identify how often particular types of incidents occur, there are typically no statistics provided describing how often certain operations were conducted without incident. This makes it impossible to accurately calculate the frequency measure for most identified hazards. For this reason, the risk was determined using two substitute parameters denoted as incidence and relevance, which represent, respectively, the frequency and impact. The hazard assessment was performed to determine the relevance parameter, while the incident database analysis was used to determine the incidence parameter. A more detailed description of these parameters is provided in the next sections.
For each functional failure and hazard, one or more mitigation actions have been defined within the assessment process. These have been identified as “Safety Recommendations” and their risk level is determined with the parameters introduced above to rank and prioritize these actions. In some cases, the same safety recommendation was identified for different functional hazards.

2.2.1. Functional Hazard Identification

The FHA methodology, introduced in SAE ARP4761 [55] and further described in other guidance manuals such as EUROCONTROL’s methodology [56], is a preliminary safety analysis process used in the aerospace, automotive, and other safety-critical industries. It helps identify potential hazards associated with system functions and assess their possible consequences on the overall system’s operation. It has been found to be an effective tool to mitigate risks early in the development process by decoupling functions from components, allowing engineers to focus on the inherent safety of the system functions independently of the specific hardware or software implementations. This separation enables a more flexible and thorough analysis of potential hazards, ensuring that safety considerations are integrated into the design from the beginning, regardless of the specific components used.
For each function of the tank system within the identified list, the effect of each failure mode listed in Table 3 needs to be discussed and investigated in the different service phases and environmental conditions defined previously. A list of possible effects of the other related functions and the effects on the system itself needs to be generated. The distinction between the different failure modes is introduced to have a broader range of possible events and consequences. The term malfunction is introduced to be assigned to complex functions that do not behave as expected, in circumstances where their behavior cannot be clearly classified as either functional or non-functional, which is typically possible for simpler subsystems, such as mechanical containment functions.
When all the combinations of failure and operational scenarios are considered, this systematic approach identifies thousands of functional failures. Additionally, single failures may lead to multiple hazards that must be accounted for separately, as different mitigation actions may be required. During this assessment, failures and consequent hazards are systematically identified to prevent the omission of minor or critical cases. In the analysis of each failure mode, the associated hazard effects are described based on the understanding of hydrogen behavior, which aids in determining the severity of the effects. Each identified functional hazard is assigned a specific index value, with a detailed description outlining the failure effects on functionality, people, property, and the environment. Hazards are subsequently classified by severity, based on their potential effects, using the standardized terms reported in Table 4, which follows the hazard severity classification defined in ARP4761. To calculate the relevance of these hazards, a weight value $W_{FHA}$ is assigned, corresponding to the severity of the failure effect. Engineering judgment is applied to determine the criticality level of the hazard resulting from the evaluated failure effect.
After the process of functional failure effect identification, one or more design requirements or actions to mitigate each identified hazard are suggested. Also, the hazard scope is determined to allow for a better understanding of the assessment once the number of assessed failures becomes significantly high. These “suggestions” form the basis for the refined safety recommendations list, which is compiled at this stage, joining and clarifying similar actions. Each of these newly defined recommendations is assigned an index that must be back-assigned to the identified failures that were the source of those “suggestions”, enabling one to connect different hazards to the same applicable safety recommendation.

2.2.2. Hazard Frequency Analysis

The hazard database analysis is introduced in this framework to quantify the failure rates of the system’s functional areas. Incident databases serve as a critical resource for learning from past operational and design errors, despite inherent limitations such as self-reporting biases and incomplete descriptions of events or systems. The data collection effort, conducted toward the end of 2023 for this case study, involves the integration of information from multiple incident databases into a unified incident database on hydrogen systems.
Collecting information from incident/accident databases is a practice already employed in the Regulation Codes and Standards (RCSs) for hydrogen [57]. The most relevant historical reference is the NASA review of accidents and incidents [58], which is also utilized within the ANSI/AIAA Guide to Safety of Hydrogen and Hydrogen Systems [59]. This database provides failure rates as a percentage of total failures, with the two most critical (over 10% of failures) represented by valve malfunction and leaks from connections. Furthermore, this study concludes that human factors play a substantial role, with 87% of failures involving operational, procedural, design, or planning errors. Over the following years, new hydrogen systems continued to be developed and implemented. However, the number of incidents and accidents reported in the databases indicates a decreasing trend, with only a handful of component failures directly relatable to liquid hydrogen storage [11]. This trend is attributed to greater system maturity and increased private development [10,12,60].
Since publicly available databases with component failure rates for liquid hydrogen storage systems are either insufficient or not representative enough, assessing the real failure frequency of incidents remains challenging. To address this issue, the failures of components or subsystems found in publicly available databases that perform functions similar to those of the system under assessment were evaluated. While the reliability of each function depends on specific design choices and components, employing this assumption allows the preliminary analysis to focus directly on critical aspects by identifying a comparative failure occurrences parameter for the functions under examination.
For each incident database entry, identified failing components or subsystems are linked to their related system functions introduced in Section 2.1 based on technical judgment and function scope. Some entries are not directly relatable to the functional failures of the system under consideration and are therefore discarded. Throughout this process, providing a comprehensive description of each function and its scope is fundamental.
With the exception of sources excluded due to access restrictions or data inapplicability, the following databases were leveraged for this assessment: the NASA Public Lessons Learned System (LLIS), which contains 67 hydrogen-related incidents [61] among other reported events; the Pacific Northwest National Laboratory’s Hydrogen Tools (H2TOOLS) Portal, which offers 223 lessons learned directly related to hydrogen operations [62]; and the European Hydrogen Incidents and Accidents Database (HIAD), updated to September 2023, which includes 712 hydrogen-related incidents [63]. This last database is particularly valuable, as good-quality descriptions are reported for more than half of the entries. A report on this database is provided by Melideo and Wen [64], while Ref. [60] presents an overview of the features of the latest version. According to the HIAD reference entries, only five records in the database originate from the already included H2TOOLS database, while the remaining entries are derived from various sources, including scientific articles, news reports, self-reported incidents, and incidents documented by other organizations such as OSHA (Occupational Safety and Health Administration), ARIA (Analysis, Research, and Information on Accidents), eMARS (Major Accident Reporting System), as well as other databases, regulatory bodies, and safety organizations overseeing industrial incidents and occupational safety. The scraped and collated database entries result in approximately 1000 hydrogen-related incidents, each characterized by several attributes such as hazard index, source reference, failure title, description, contributing factors, and severity. The severity of incidents is classified based on hydrogen release outcomes, namely
  • Hydrogen release and ignition;
  • Unignited hydrogen release;
  • No hydrogen release.
This information is directly available in some databases, while in others, it must be inferred from the event descriptions. However, for the purpose of determining functional failure frequency, this information is not utilized. A justification for this is provided in the results of the hazard database analysis reported in Section 3.1, which demonstrates that, regardless of the reported severity (which may depend on the response time to the incident), each entry originates from the identified failure condition and should therefore be given equal weight.
Once the entries are assembled in one place, the analysis consists of reading the event description, lessons learned, or attributed incident cause to identify what goes wrong and whether it is attributable to the failure of one of the functions defined in Section 2.1. This is not always possible; for example, when the incident is related to hydrogen solely due to its spontaneous formation (as may occur in chemical processes, waste management, or battery-related contexts) or when the event involved is entirely unrelated. In some cases, the event description does not provide sufficient information to determine the cause, or no incident is reported at all. In such instances, function reference attribution is not performed, and a “not applicable” index is assigned.
For all the other entries, the incidents from the databases are mapped to the functions of the fuel storage system in an iterative manner. This approach, while improving and establishing the identified functional classification, ultimately highlights the functions most frequently affected by failures. In the next section, a method to integrate this information into the identified hazards and safety recommendations is proposed.

2.2.3. Risk Assessment

Following the systematic evaluation of functional failures and the analysis of the hazard database incidents, the two constituent components of the risk index can be determined. As introduced before, these two components are referenced in this framework as relevance and incidence indexes, and they can be computed for each identified hazard or safety recommendation j so that the risk can be then calculated as their product.
$$\mathit{risk}_j = \mathit{incidence}_j \cdot \mathit{relevance}_j$$
When the risk index is assigned to the safety recommendations, it represents the potential of risk reduction within the application of such a recommendation. To calculate this parameter, the identified hazards that contributed to the generation of such recommendations and the failure occurrences of the corresponding functions need to be accounted for. Each safety recommendation addresses one or multiple functional failures, which have a hazard severity weight assigned, as described in Section 2.2.1. The relevance of the safety recommendation j is determined by averaging the hazard severity weights over the n hazards related to that safety recommendation.
$$\mathit{relevance}_j = \frac{\sum^{n} w_{FHA,j}}{n}$$
A similar operation is now performed for the second component of risk, that is, the frequency-related parameter, represented in our assessment framework by the incidence parameter. Again, each safety recommendation j is related to n functional hazards, stemming from the initially defined list of system functions. For each of these system functions, a number of k hazard database entries were identified during the analysis described in Section 2.2.2. For each function t, the number of related hazard database events was counted, obtaining the failure occurrence (FO) parameter.
$$FO_t = \sum^{k} \mathit{event}_t$$
Since the number of occurrences varies significantly among the different functions, a normalization $f_{norm}(x) = f_{discret}(\ln(x))$ is applied, employing a logarithmic function followed by a discretization process, with the rules provided in Table 5. These rules were chosen to linearize the distance between low-occurring events and events reported several times, thus obtaining a range comparable with the relevance parameter.
At this point, the normalized FOs assigned to the functions are related forward to the safety recommendations. Each normalized FO is directly passed on to the related functional hazards, with the simplifying hypothesis that each failure arising from the same function has equal occurrence. Again, each safety recommendation j addresses one or multiple n functional failures, and also, here, an average of these related normalized FO indexes is calculated for each safety recommendation, obtaining the incidence parameter.
$$\mathit{incidence}_j = \frac{\sum^{n} f_{norm}(FO_j)}{n}$$
This approach provides a quantifiable metric that reflects the potential criticality of each recommendation-related hazard. By ranking the safety recommendations based on their risk factors, organizations can prioritize their efforts, ensuring that the most critical and high-risk areas are addressed first. This method not only optimizes resource allocation but also enhances overall safety outcomes by systematically lowering hazard levels in the areas that pose the greatest threats.
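The chain from database entries to a ranked recommendation list can be followed end to end in code. The sketch below is an added example, not the authors' implementation: the severity weights (Table 4 values are not reproduced here), the discretization bins standing in for Table 5, the recommendation and hazard identifiers, and all incident and hazard records are constructed assumptions; only the function indices come from the paper.

```python
import math
from collections import Counter, defaultdict

# ASSUMPTION: placeholder weights for the ARP4761 severity classes; the
# paper's actual values are in its Table 4, which is not reproduced here.
SEVERITY_WEIGHT = {"Catastrophic": 4, "Hazardous": 3, "Major": 2, "Minor": 1}

NOT_APPLICABLE = None  # database entries that cannot be tied to a function


def f_norm(fo):
    """Log-then-discretize normalization of a failure occurrence count.

    ASSUMPTION: stands in for the Table 5 rules. Bin = 1 + floor(ln(FO)),
    capped at 4; functions with no recorded events get the lowest bin.
    """
    return min(4, 1 + math.floor(math.log(max(fo, 1))))


def failure_occurrences(incidents):
    """FO_t: number of database entries mapped to each function t."""
    return Counter(fn for _, fn in incidents if fn is not NOT_APPLICABLE)


def score_recommendations(hazards, fo):
    """Rank safety recommendations by risk = incidence * relevance."""
    weights, norm_fos = defaultdict(list), defaultdict(list)
    for hz in hazards:
        rec = hz["recommendation"]
        weights[rec].append(SEVERITY_WEIGHT[hz["severity"]])
        # Each hazard inherits the normalized FO of its origin function
        # (the paper's equal-occurrence simplifying hypothesis).
        norm_fos[rec].append(f_norm(fo.get(hz["function"], 0)))
    ranked = []
    for rec in weights:
        relevance = sum(weights[rec]) / len(weights[rec])
        incidence = sum(norm_fos[rec]) / len(norm_fos[rec])
        ranked.append({
            "recommendation": rec,
            "relevance": relevance,
            "incidence": incidence,
            "risk": incidence * relevance,
        })
    ranked.sort(key=lambda r: r["risk"], reverse=True)
    return ranked


# CONSTRUCTED unified incident database: (entry id, assigned function).
INCIDENTS = (
    [(f"E{i:03d}", "F1.1") for i in range(8)]
    + [(f"E{i:03d}", "F2.4") for i in range(8, 11)]
    + [("E011", "F2.1"), ("E012", NOT_APPLICABLE), ("E013", NOT_APPLICABLE)]
)

# CONSTRUCTED functional hazards with hypothetical ids and recommendations.
HAZARDS = [
    {"id": "H-A", "function": "F1.1", "severity": "Catastrophic", "recommendation": "S-X"},
    {"id": "H-B", "function": "F2.4", "severity": "Hazardous", "recommendation": "S-X"},
    {"id": "H-C", "function": "F2.1", "severity": "Major", "recommendation": "S-Y"},
    {"id": "H-D", "function": "F2.1", "severity": "Minor", "recommendation": "S-Y"},
    {"id": "H-E", "function": "F3.2", "severity": "Catastrophic", "recommendation": "S-Z"},
]

if __name__ == "__main__":
    fo = failure_occurrences(INCIDENTS)
    for row in score_recommendations(HAZARDS, fo):
        print(row)
```

Under these assumed bins, a recommendation tied only to a function with no database entries (S-Z here) still receives the lowest incidence rather than dropping out of the ranking.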

3. Results and Discussion

In this section, the preliminary safety assessment process introduced in this paper is applied to a case study liquid hydrogen storage system. The key steps are systematically outlined to enhance clarity and reproducibility, facilitating the broader application of this methodology in various contexts and providing a more comprehensive understanding of the significance of the results. The findings are then presented in three distinct areas. First, the identified hazards are categorized, with each category analyzed as a key action area. Second, the evaluated functional failure incidences, derived from incident database analysis, are examined to identify patterns in potential risks. Third, the major safety recommendations are outlined, highlighting critical measures to enhance system safety.
This manuscript includes a supporting materials file containing the list of identified liquid hydrogen storage system functions, along with their corresponding failure occurrence (FO) values derived from the hazard database analysis. The list detailing incident entries from the hazard database with assigned functions is present as well. Additionally, the file provides a systematically curated list of functional failures specific to this case study, along with their assessed hazard criticality values and references to the resulting safety recommendations. The final sheet presents the safety recommendation list, supported by the relevance and incidence of related hazards identified through this methodology. All data are organized in a tabular format to facilitate the streamlined implementation of the preliminary safety assessment approach proposed in this paper.

3.1. Functional Hazards Assessment in LH2 Systems

To reduce the likelihood and consequences of potential hazards, it is essential to first identify their causes and effects, enabling targeted mitigation at the source. Conducting a comprehensive threat analysis is particularly crucial for newly developed systems, where the hazard sources and their causal interconnections are not yet fully understood. A clear definition of the scope of the defined system function is necessary for an accurate hazard assessment, as the consequences of issues need to be described correctly. Eventually, the circumstance may lead to the unwanted release of hydrogen, whose behavior may vary significantly given the scenario. For this reason, the potential hazards associated with hydrogen release are examined, establishing a foundation for subsequent failure hazard assessment. After that, an example of a functional failure assessment is provided, including hazard identification and a suggestion of mitigation strategies. Finally, the systematically identified hazards for this case study are categorized into relevant risk areas and discussed in detail. This structured evaluation enables a more comprehensive understanding of the fundamental categories of danger in hydrogen storage systems, guiding effective safety measures.

3.1.1. Hazards Concerning LH2 Release

To accurately assess the hazards of a liquid hydrogen fuel storage system for aviation, it is crucial to understand hydrogen’s thermodynamic behavior and the potential consequences of improper fuel management or structural damage. These aspects have been extensively described and modeled in publications [49,65] and manuals [48,50]. Notably, hazards and risks associated with its release might vary significantly, depending on the system [2] and the hydrogen state [66]. In particular, it is possible to distinguish between the following cases:
  • Low flow rate release: This is usually caused by small leaks or significant permeation. It leads to a small release of gaseous hydrogen that may result in an asphyxiation hazard. Combustion may occur if the mixing ratio with air exceeds a critical level called the lower flammability limit, which is quite low, around 4–7 vol%H2 depending on temperature, and an ignition source is present, being established at an energy level of 0.02 mJ, requiring just a small electrostatic discharge [51]. The resulting flame has a low emissivity, making it invisible and difficult to recognize. The consequences of hydrogen accumulation without initial ignition are discussed later in the explosion paragraph, introducing the need for ventilation.
  • High flow rate release: This occurs when hydrogen is rapidly discharged through a breach in the equipment in a focused stream, which can be either gaseous or in a two-phase state. Aside from the risks arising from direct contact with the stream, which may cause cutting blasts, the main hazard associated with jet releases is the potential for deflagration, which refers to the accelerated propagation of flames and can lead to highly dangerous pressure waves.
  • Pool Vaporization: This type of hazard involves the spillage of liquid hydrogen, which then transitions to a gaseous state and accumulates [67]. The primary risk is an increased likelihood of combustion due to the accumulation of hydrogen gas, followed by severe cryo-burns if the fluid contacts skin.
  • Explosion: This scenario might occur as a result of different causes involving different physics. First, it is identified as a boiling liquid expanding vapor explosion (BLEVE), the explosion of liquefied gas vessels [68]. This happens following a catastrophic rupture of the vessel from other causes, and the outcome depends on the initial thermodynamic state. Ustolin et al. [69] modeled this phenomenon for LH2 storage systems and validated their results with prior experiments from the literature. The study concluded that, in the case of insulated vessels, means of rapid discharge or venting of the hydrogen need to be put in place, employing safety features such as pressure relief devices (PRD). Secondly, an explosion could occur from delayed ignition of mixtures of gaseous hydrogen with air. The potential for explosion in this case is concerning from the rapid combustion, which results in the release of pressure waves, leading to design choices which avoid confinement of gaseous releases in areas such as dead ends and ceilings. The risk associated with explosive releases is severe, with the potential for significant damage to the surrounding area [70].

3.1.2. Identification of Hazards Within LH2 Storage Systems

The functional hazard assessment methodology described in Section 2.2.1 is reproduced here for a selection of cases to better understand the steps that need to be taken to ensure that hazards concerning the analyzed system are extensively identified.
Phase 1: Failure assessment. First, one of the functions of the system has to be selected from the defined list, such as the one presented in Figure 3, and the analyst who is assessing its failure needs to have a clear understanding at a high abstraction level of its impact within the whole system. Once the functional failure mode is chosen from the list provided in Table 3 and the system is envisioned in one service phase from the one listed in Table 1 and one environment from Table 2, the outcomes can be assessed. This means figuring out what could eventually happen and registering the effect. Some examples of this are reported in Table 6, with the full list being available in the Supplementary Data. It can be noticed that for the same functional failure mode in the same service phase and environmental condition, multiple failure effects can be retrieved.
A complete, systematic assessment is performed through all the categories for each function and should be carried out by different people to ensure a spread of knowledge is applied and the problem is observed from multiple points of view. Table 6 contains information in a condensed form. For example, in natural language, the first row of Table 6 can be interpreted as “The malfunction of the function associated with providing operative information and control on the subsystem during the service phase of fuel filling in normal environmental conditions may lead to the incorrect reading of an open vent line, leading to hydrogen release during the operation. This hazard is identified by the index H109”. Another observation can be made on the presented examples: failures H109 and H110 are failures happening within the expected behavioral circumstances, while failure H111 happens because an operation that was not envisioned is performed. This has no further impact within the methodology, but both cases have to be considered.
Phase 2: Hazard severity assessment, hazard categorization, and suggestion of recommendation. After the systematic assessment of the functional failures, the severity from each of them is assigned from the list in Table 4. As a general rule, if the circumstance can harm people directly, the highest level, Catastrophic, is selected. If the system is damaged, the severity level of Hazardous is selected. Major is selected when there is a significant problem that might lead to worse consequences if undetected, and finally, Minor is selected if only system performance is affected. The safety assessment of the system is still at its preliminary phase, so it makes sense to understand what are the action areas to address. For this reason, a direct and momentary category is assigned to the hazard itself as “Hazard type”, describing briefly what the hazardous condition would be that would lead to the failure effect described. The hazard arising from this condition has to be mitigated, or, better, avoided in the first place. For this reason, a design or operational recommendation is proposed. The same functional failures assessed in Table 6 are further processed in Table 7 to determine their severity, temporary hazard category and safety recommendation with these criteria.
After compiling the hazard assessment for the numerous combinations of functional failures, it may become evident that the defined function list needs to be expanded or that the descriptors require further clarification. For instance, safety-specific functions may need to be integrated, or the responsibility for a specific action or a specific asset protection may need to be assigned to one function to distinguish it from others. The iteration of the function definition and functional hazard assessment is recommended in this context to improve the identification of potential hazards.
Once the complete hazard list is available, the identified hazard types are grouped into smaller, more broad categories, which are discussed in the next chapter. The proposed recommendation is then compared with the existing refined safety recommendation list. If a similar recommendation is found, it is integrated, and the corresponding recommendation index is reported. If no similar recommendation exists, a new index is assigned to the recommendation.

3.1.3. Hazard Categories Within LH2 Storage Systems

The hazard categories, derived from the classification of identified hazards, are presented in this section to outline the key risk domains. The hazards coming from the functional failures obtained during the systematic FHA process introduced in Section 2.2.1 have been manually clustered by domain area into hazard categories, which are helpful to improve the perception of the safety concerns related to the analyzed system.
The following paragraphs summarize the results of this process, highlighting the various risks involved. Five main categories were identified, and Figure 4 presents two initial aspects of this analysis. On the left side, the number of hazards corresponding to each category is presented, showing that some domains exhibit a greater diversification of threats and therefore demand more intensive assessment efforts. On the right side, a relevance parameter was calculated as described in Section 2.2.3 for each hazard category, computing the hazard severity of each corresponding functional failure. It can be observed that all the categories have a similar relevance level, indicating that both high and low severity hazards were contained in each scope. The following five main categories were chosen to classify the hazards identified in this preliminary safety assessment.
C001—Permeation through containing walls: This hazard involves the gradual leakage of hydrogen through the containing material due to molecular diffusion or, more rapidly, through small defects, voids or damage. These micrometer-sized features are more common in composite laminates [71,72,73], but the degradation of metals as a consequence of embrittlement might result in a similar scenario [74,75,76]. While the adoption of composites for liquid hydrogen vessels is investigated for the potential of better performance in terms of weight reduction [77,78], metal is still the primary material used for fuel system devices such as pipings or valves. Although this type of release is generally slow and does not pose an immediate threat, the gradual build-up of flammable concentrations still necessitates careful management. The primary risk associated with this type of release is the potential for the loss of performance and the accumulation of hydrogen in unexpected areas. To mitigate this risk, it is essential to implement effective ventilation or recirculation systems while ensuring that the hydrogen permeation through the tank skin and the rest of the equipment remains within permissible levels during the service life of the vessel.
C002—Hydrogen release through openings: This category refers to the rapid release of hydrogen that can occur when the interface between components fails or there is a pass-through fracture in the equipment. This event occurs as a consequence of vibration, fatigue, fracture, the presence of internal damage or the contact with an external object. Such breaches lead to a rapid and violent release of hydrogen, which poses several intense risks depending on the areas that are reached. Therefore, it is crucial, among the other things, to ensure that component connections are robust and secure, preventing unforeseen vibrations and contacts. Mitigation strategies should focus on designing fuel component connections and components with high reliability and ensuring proper maintenance and inspection routines.
C003—Hazards related to fuel management operations: This class covers risks associated with the operational procedures involved in managing hydrogen fuel. These hazards can arise from both human errors and the mismanagement of unexpected circumstances by automated systems. The potential risks from the improper handling of fuel and operational mishaps could lead to unsafe conditions, hydrogen release, and damage to the storage system. To address these risks, it is important to establish and adhere to operational protocols based on hydrogen thermodynamics while also being able to adjust them according to the current state of the tank.
C004—Incompatible material or design: Hazards in this category are due to the use of materials or designs that are incompatible with hydrogen and its thermodynamic behavior. Such incompatibilities lead to significant material degradation or unexpected fluid dynamic behavior of hydrogen, potentially causing system damage and hazardous circumstances. To prevent these risks, it is crucial to follow established design guidelines and ensure that all materials used are suitable for hydrogen service. Materials with reduced risk of embrittlement, outgassing, or ignition are provided in Ref. [79], while the RCS introduced in the next section will provide guidance for safe equipment design, such as selecting the correct pipe diameters and venting system.
C005—Hazards related to external, unexpected events: This category includes risks that are not directly associated with the release of hydrogen but are still relevant to the overall safety of the hydrogen tank system, including undetected deteriorations of components, departure from intended behavior, events from external causation, mishaps of data streams or operation control. These can include issues like component malfunctions, sensor failures, unplanned workload or operators bypassing guidelines, which will eventually affect the system performance and safety. Effective mitigation requires addressing those deficiencies, whether they occur from normal use or accidentally, in order to ensure the reliability of the whole system.
Hazards from categories C002 and C003 are those with the overall highest relevance and significant consequences and thus require particular attention, also because they can occur abruptly if the aspect is not monitored and managed properly. These are followed by the hazards of category C001, which still pose a significant threat, given that people might be involved or the surrounding environment might be contaminated. Mitigating the hazards of category C004 is as straightforward as applying the correct guidelines, but this does not mean that the resulting system would be safe. Unexpected hazards of category C005 should not be neglected, as they may hinder the functionality of the overall system, leading to safety and performance deterioration.

3.2. Incident Database Analysis Applied to LH2 Storage Systems

In this section, some results of the incident hazard database analysis are presented, along with additional observations regarding the hazards’ occurrence. Within the assessment of safety, it is essential to identify and quantify the most significant threats and determine which failure modes occur with higher frequency, thereby requiring greater attention. To achieve this, incident and accident databases are utilized. These databases have been developed as tools to provide evidence-based recommendations for the design and development of new systems exposed to similar hazards. Previous studies have reported relevant lessons learned and statistical insights derived from such databases in the context of hydrogen-related operations [10]. For this preliminary safety assessment, the available data were used to establish a comparative hazard frequency metric, referred to as the incidence parameter. This parameter, introduced in Section 2.2.3, is computed in Figure 5 for the functionally generated hazards belonging in the identified hazard categories. From this perspective, the release of material through an opening emerges as the most frequently occurring hazard among those identified.
The full list of hazard database entries is reported in the Supplementary Material in a reduced format with respect to the original source, while maintaining the reference, event summary, lesson learned, and severity based on release and assigned function data fields. This makes it possible to understand the relation between the event description and the selected failing storage system functions, so that the framework can be reproduced for another new system. By analyzing the database by the function index, subsystem developers can systematically examine potential failure modes and associated hazards within their specific domain. Still, it is important to note that the content of the underlying hazard databases is continuously updated, so analysts should download the latest version from the sources to conduct new analyses.
Figure 6 presents the absolute count of the database incident entries associated with the different system functions, split for the different hazard databases, following the assignment process introduced in Section 2.2.2. The incidents listed in the hazard database were classified by the observed hydrogen release but the incidents reported were in most of the cases those with the most critical event, such as hydrogen release and ignition. This result might be biased by how and when these incidents were detected and subsequently reported on publicly available databases, giving more attention to perceivable failures or failures that led to significant consequences. For this reason, and for the matter of assessing the incidence parameter of the functional failures, each reported incident is considered at the same level. This independence from the release behavior attributes all hazard causes to the function as the primary initiating event. Therefore, a clear description of the incident event is crucial to assign the incident entry to the function whose failure mode was the primary cause of the hazard. For this reason, ambiguous incident entries and entries unrelated to the system under analysis were excluded.
The analysis revealed that vessel integrity (F1.1) and piping connection (F2.4) failures are the most frequent causes of incidents involving LH2 storage systems, differing from historical NASA reports that emphasize valves, connections, and safety disk leaks as the top three [58]. Still, the safety-related function for fuel dumping and pressure release (F2.3) is represented by a significant number of incidents. These are slightly exceeded by failures of function F1.3 (provide structural support and avoid accidental contact), but in this case, many incidents were registered as involuntary collisions. The significant number of incidents registered within the fueling function F2.1 also deserves mention. Special attention must be given as well to the setup of maintenance operations (F1.5) and the ability to fully remove hydrogen through purging processes (F1.6). Failures to monitor hydrogen concentration (F3.2) and ensure proper system operation (F3.3) have been identified as the cause of several fatalities.
Regarding the functions of the fourth tier, particularly in terms of preventing hydrogen accumulation F4.2 and ignition sources F4.1, these functions were assigned when no other functional failures were identifiable from the incident description. In most other incidents, hydrogen accumulation and/or ignition are always present and contribute to the hazard; however, the primary cause in those cases is a failure of another function as reported, which leads to the release of hydrogen. While these safety functions are of complementary importance, they should not be overlooked. Some incidents in this domain originated from not selecting inert materials, which at some point deteriorated further, leading to exposure of electrical contacts, accumulation of hydrogen in unintended areas, or lightning directly striking the hydrogen storage vessel.

3.3. Safety Recommendations for LH2 Storage Systems

Following each hazard assessment, a mitigation strategy was proposed, culminating in a comprehensive list of safety recommendations. By implementing these recommendations, the identified risks associated with hydrogen tank systems can be effectively mitigated, thereby enhancing overall safety. Figure 7 illustrates an example of the relationship between the identified functional failures obtained as in Section 3.1.2, their origin functions with their normalized failure occurrence (FO) obtained as described in Section 2.2.3, and the corresponding safety recommendation.
Table 8 presents the recommendations ranked according to the risk levels identified during this analysis, providing insight into the criticality of the safety measures required for the development of a secure liquid hydrogen (LH2) fuel storage system. The remaining recommendations are available in the Supplementary Material. The identified safety recommendations emphasize maintaining operational safety, system integrity, and risk mitigation during development and testing. A primary requirement is verifying that the tank structure remains impermeable to hydrogen leakage under cryogenic conditions. This necessitates rigorous leak testing of structural elements, components, and fittings under simulated operational environments to ensure leakage is eliminated and permeation remains within acceptable thresholds. To mitigate risks from fitting failures, critical factors such as inaccurate load estimations, vibrational stresses, and inadequate surface preparation must be systematically controlled. Structural fittings should be securely fastened and reinforced to prevent excessive displacement and mechanical failure.
Certain safety recommendations align directly with established regulatory frameworks, which provide detailed implementation guidelines. For ignition hazard prevention, a recommendation may direct compliance with specific standards, such as “Ensure that all electronically exposed connections are explosion-proof and compliant with DoD 6055.09-STD code requirements”, referring to the ammunition and explosive safety standard [80] from the United States Department of Defense (DoD), which outlines guidelines and measures to minimize ignition risks in hazardous environments. Recommendation S009 makes reference to the Compressed Gas Association (CGA) standardization organization, which provides calculation tools for vent lines in the Standard for Hydrogen Vent Systems [81], while in other cases a recommendation may point out a viable implementation of the technology, such as outlining safe and economically viable refueling methodologies and strategies [65,82,83]. Furthermore, in order to develop components that are able to fulfill their function safely, designers can already consult and follow a significant body of relevant RCSs, as reported in the collection of [84], with special attention to Refs. [59,79,80,81,85,86,87,88,89,90], while a more extended but still not complete list to start building the knowledge baseline for these risk mitigation interventions is provided within the supporting material of this paper.
The identified safety recommendations, when implemented, help ensure the safety, reliability, and integrity of the LH2 storage systems throughout their development and testing phases. A simplified aggregation of the recommendations is reported in the following groups:
  • Prevent leaks: Implement measures to minimize the likelihood of hydrogen leaks from equipment, piping, and fixtures.
  • Prevent accumulation of hydrogen: Ensure proper ventilation to avoid the build-up of hydrogen, reducing the risk of explosive mixtures through effective ventilation systems. Ensure potential releases of hydrogen do not reach regions occupied by people.
  • Prevent ignition sources: Eliminate or control potential ignition sources to prevent fires or explosions in hydrogen-rich environments.
  • Prevent component failures, monitor degradation: Use materials that are resistant to hydrogen embrittlement, select components that are reliable, and ensure that the system and its components are robust and regularly inspected.
  • Continuous monitoring and detection alarms: Perform regular monitoring and inspections for the health condition of the vessel to address potential failures promptly, and monitor for hydrogen leaks, providing evacuation alarms.
  • Follow and review design guidelines: Ensure the design is in accordance with the latest regulations, codes, and standards (RCS), and provide third-party review of the design choices.
  • Ensure effective operational protocols: Follow stringent operational guidelines, reduce human reliance on safety actuations, implement training to reduce human error and ensure safe operations, and establish evacuation plans and exclusion zones.
  • Ensure fail-safe capabilities: Ensure that the system can revert to a safe condition in the case of accidental damage, allowing for hydrogen to be released in a safe manner in the most extreme situation.
In the context of the system testing operations, which involves various scenarios of human interaction, it is crucial to prioritize personnel safety by implementing adequate protective measures during the operations, such as the definition of unsafe zones established around the system and with the usage of remote-controlled shut-off valves for emergencies where a physical proximity to the system can be deemed as hazardous. Remote de-fueling systems should be implemented to allow for safe fuel removal in emergency conditions, and the testing operations must be conducted in a well-ventilated environment. Integrating and validating structural health monitoring algorithms, such as using vacuum sampling or other sensors, can improve the early detection of potential failures. Redundancy in safety features is deemed essential during the design development phase. Implementing fail-safe designs, such as backup systems or parallel safety features, can significantly reduce risks related to hydrogen release or structural damage. Determining the necessary level of redundancy requires a thorough analysis of the proposed system architecture and should be addressed in future design efforts as the system advances to a more mature design.

3.4. Discussion

The presented work uses a classical hazard identification methodology applied to specific functions of liquid hydrogen storage systems to determine targeted mitigation strategies that are valuable during the early stages of design. Areas with a higher incidence of incidents were given particular attention by mapping LH2 failure events belonging to different systems to the functions of the system under investigation. The results are provided from a system point of view, highlighting relevant recommendations for this case. On the other hand, other perspectives, such as focusing on a well-defined function, can offer a more focused result. The hazard identification analysis relies on the use of the FHA method and requires a significant amount of work to generate a viable number of entries, as it requires so-called “expert judgment”. The same applies to the hazard database analysis, where expert judgment was used to categorize the incidents for the different functions. Both assessment operations rely on the description of the function, operating within some volume domain interacting with the other functions within the current architecture iteration.
Recent advances in text generation algorithms offer an opportunity to automate these assessment operations: a distributed and homogeneous number of hazards could be generated, and the categorization of hazards from incidents could go through iterations integrating the function descriptors. This was not analyzed within the case study presented in this manuscript, where the number of identified hazards might not be relevant, but their criticality is. Another improvement that the authors would suggest is to include more than one recommendation for each assessed hazard to obtain further risk mitigation. Additionally, iteration is suggested for the functional identification and assessment process to update system functions and architecture. For example, one debatable aspect could be whether protection from external penetration should be assigned to function F1.2, considering that failure in this area could lead to insulation loss, or to function F1.3, which provides the protection for collision. When both the interactions between the functions and their scope are clarified, this can be answered without requiring expert judgment.
The hazards identified in this study were evaluated using the relevance and incidence measures, based on which the corresponding risk levels were determined and risk-reducing safety recommendations were proposed. The risk levels are influenced by the considerations made during the definition of the functional failure effect severity and by the relations established between the identified hazards and the incident databases used in this study. The effectiveness of the proposed safety recommendations depends on the quality, scope, and thoroughness of the system’s functional analysis and the identified functional failures. The assessment presented in the present case study does not pretend to be complete and specific, but rather a basis for further iterations and advancements.
The development of technology using the proposed approach in a systematic way prioritizes safety from its inception, integrating safety considerations early in the design process. A significant challenge identified in the case study was the absence of available data, particularly concerning the frequency of failures and the categorization of subsystems yet to be developed. To address this, the proposed methodology combines classical safety approaches with design flexibility. By consulting multiple sources, the assessment of potential hazards is well informed and structured to minimize subjectivity. This adaptable approach can be applied to other emerging systems to guide design decisions effectively. This study demonstrated that for the context of the systems safety assessments for aviation, not only the damage development [91,92] of the tank itself needs to be accounted for to establish the airworthiness of a liquid hydrogen powered aircraft [93]; other significant subsystems need to be monitored as well to ensure an overall safe operation and those are identified by the iteration of the presented methodology.

Review Activity of the Case Study

Once the hazards have been described and analyzed comprehensively, the impact of the safety assessment performed depends on how well the proposed recommendations are acknowledged and how efficiently they are implemented within the design. In the context of the case study of this paper, for each owner (i.e., the person responsible for the design) of the different subsystems, a personalized list of safety recommendations was produced given the assigned system components. To improve the understanding of the assigned safety recommendations, to understand the risk mitigation level of the current design iteration, and to foster creativity with the actions to be implemented, the following questions were reviewed for each assigned recommendation entry:
  • Do I agree with the purpose of this safety recommendation?
  • Is this recommendation relevant for the demonstrator or TRL9 development level?
  • I think that the current design implementation is good/satisfactory/unsatisfactory to comply with the issued safety recommendation.
  • Is this recommendation already covered by other measures whose redesign can further improve safety in this direction?
Since the aim of this paper is to present the safety analysis methodology and its outcomes, the results of the review activity and the design action that followed are not reported here. Still, this activity has been shown to add great value toward a better understanding of the safety of the system, communicating the results to the project partners, iterating the design, and reducing the possibility of encountering unknown hazards.

4. Conclusions

The adoption of liquid hydrogen as an alternative fuel introduces new safety challenges that require intense risk mitigation efforts. In this study, a structured approach was developed to evaluate the safety risks associated with a liquid hydrogen storage system, with a particular emphasis on identifying hazards before any QRA analysis. By incorporating a generalized methodology for hazard identification and domain causation frequency analysis, this work aims to support early-stage design improvements and enhance safety measures. The methodology leverages ARP4761 as a framework for structured system risk evaluation. By focusing on the system functions and the related failure modes, the methodology allows for effective and comprehensive hazard identification in a new fuel storage system at an early design stage, using a systematic approach that is not tied to specific known component failures.
The integration of diverse incident data in the methodology provided a robust foundation for improving the accuracy of risk assessment in novel applications. The categorization of incidents from hazard databases to system functional domains was used to direct attention to the most critical areas and to calculate a risk mitigation parameter.
The implemented approach ensures that most conceivable system failure modes are considered during the preliminary design process and their risk is mitigated from a technology perspective. This study provides a foundational approach for the preliminary safety assessment of new systems, contributing to both academic research and industry guidelines. Future work should focus on the automation and iteration of this process on different design architectures and the integration and relation with more quantitative risk assessment.
This study’s findings informed the project consortium of necessary design modifications and operational requirements, highlighting the importance of third-party design and operational reviews in mitigating risks in safety-critical systems. The results provide a foundation for detailed safety analyses and future clean aircraft development. As the aviation industry moves toward sustainable fuel alternatives, the insights and methods from this work will help researchers, engineers, and policymakers ensure the safe implementation of liquid hydrogen technologies in aircraft.

Supplementary Materials

The following supporting information can be downloaded at https://www.mdpi.com/article/10.3390/safety11010027/s1, Table S1: List of RCS applicable to LH2 storage; Table S2: Hazard database concerning LH2 storage; Table S3: Function of LH2 storage system; Table S4: FHA case study; Table S5: List of safety recommendations obtained from the case study.

Author Contributions

Conceptualization, J.-A.P. and A.S.; methodology, data curation, writing—original draft preparation, M.S.; writing—review and editing, J.-A.P. and A.S.; project administration, J.-A.P. All authors have read and agreed to the published version of the manuscript.

Funding

This research was carried out as part of the COCOLIH2T project, which received funding from the European Union and the Clean Hydrogen Joint Undertaking under Grant Agreement 101101404.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

The original contributions presented in this study are included in the article/Supplementary Material. Further inquiries can be directed to the corresponding author.

Acknowledgments

The project is supported by the Clean Hydrogen Partnership and its members. Views and opinions expressed are, however, those of the author(s) only and do not necessarily reflect those of the European Union or Clean Hydrogen Joint Undertaking. Neither the European Union nor the granting authority can be held responsible for them.

Conflicts of Interest

The authors declare no conflicts of interest. The funders had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript; or in the decision to publish the results.

Abbreviations

The following abbreviations are used in this manuscript:
BLVE        Boiling Liquid Vapour Explosion
CGA         Compressed Gas Association
COCOLIH2T   COnformal COmposite LIquid Hydrogen Tank
DoD         Department of Defence
FHA         Functional Hazard Assessment
FMEA        Failure Mode and Effects Analysis
FO          Failure Occurrence
HAZOP       HAzard and OPerability study
HIAD        Hydrogen Incidents and Accident Database
LH2         Liquid Hydrogen
LOC         Loss Of Containment
MLI         Multi Layer Insulation
PRD         Pressure Relief Device
QRA         Quantitative Risk Assessments
RCS         Regulation Codes and Standards
TRL         Technology Readiness Level

References

  1. Fuel Cells and Hydrogen 2 Joint Undertaking. In Hydrogen-Powered Aviation, a Fact-Based Study of Hydrogen Technology, Economics, and Climate Impact by 2050; Publications Office of the European Union: Luxembourg, 2020.
  2. Ustolin, F.; Campari, A.; Giannini, L.; Baboi, E.; Paltrinieri, N. Identification of Consequences of Failure for Hydrogen Equipment. Chem. Eng. Trans. 2023, 98, 189–194.
  3. Mazzoni, F.; Biga, R.; Manrique-Escobar, C.A.; Brusa, E.; Delprete, C. Design space exploration through liquid H2 tank preliminary sizing and design of experiments analysis. Int. J. Hydrogen Energy 2024, 95, 1252–1260.
  4. Moradi, R.; Groth, K.M. Hydrogen storage and delivery: Review of the state of the art technologies and risk and reliability analysis. Int. J. Hydrogen Energy 2019, 44, 12254–12269.
  5. Aziz, M. Liquid Hydrogen: A Review on Liquefaction, Storage, Transportation, and Safety. Energies 2021, 14, 5917.
  6. Dafedar, A.A.; Verma, S.S.; Yadav, A. Hydrogen Storage Techniques for Stationary and Mobile Applications: A Review. In Proceedings of the Recent Advances in Sustainable Technologies; Springer: Singapore, 2021; pp. 29–40.
  7. Züttel, A. Hydrogen storage methods. Naturwissenschaften 2004, 91, 157–172.
  8. Jankuj, V.; Spitzer, S.H.; Krietsch, A.; Stroch, P.; Bernatik, A. Safety of Alternative Energy Sources: A Review. Chem. Eng. Trans. 2022, 90, 115–120.
  9. Zanobetti, F.; Pio, G.; Jafarzadeh, S.; Ortiz, M.M.; Cozzani, V. A Comparative Assessment of the Inherent Safety of Hydrogen-Fuelled Power Systems. Chem. Eng. Trans. 2024, 111, 493–498.
  10. Campari, A.; Nakhal Akel, A.J.; Ustolin, F.; Alvaro, A.; Ledda, A.; Agnello, P.; Moretto, P.; Patriarca, R.; Paltrinieri, N. Lessons learned from HIAD 2.0: Inspection and maintenance to avoid hydrogen-induced material failures. Comput. Chem. Eng. 2023, 173, 108199.
  11. OECD. Risk-Based Regulatory Design for the Safe Use of Hydrogen; OECD Publishing: Paris, France, 2023.
  12. Wen, J.X.; Marono, M.; Moretto, P.; Reinecke, E.A.; Sathiah, P.; Studer, E.; Vyazmina, E.; Melideo, D. Statistics, lessons learned and recommendations from analysis of HIAD 2.0 database. Int. J. Hydrogen Energy 2022, 47, 17082–17096.
  13. Tang, X.; Pu, L.; Shao, X.; Lei, G.; Li, Y.; Wang, X. Dispersion behavior and safety study of liquid hydrogen leakage under different application situations. Int. J. Hydrogen Energy 2020, 45, 31278–31288.
  14. Mair, G.; Becker, B.; Wang, B.; Gesell, S. Monte-Carlo-analysis of minimum load cycle requirements for composite cylinders for hydrogen. Int. J. Hydrogen Energy 2019, 44, 8833–8841.
  15. Becker, B.; Mair, G. Risks and safety level of composite cylinders. Int. J. Hydrogen Energy 2017, 42, 13810–13817.
  16. Chauhan, A.; Liu, H.; Mohammadpour, J.; Abbassi, R.; Salehi, F. Towards safer hydrogen refuelling stations: Insights from Computational Fluid Dynamics on LH2 leakage. J. Loss Prev. Process Ind. 2024, 90, 105355.
  17. Li, Y.; Wang, Z.; Shi, X.; Fan, R. Safety analysis of hydrogen leakage accident with a mobile hydrogen refueling station. Process Saf. Environ. Prot. 2023, 171, 619–629.
  18. Kodoth, M.; Aoyama, S.; Sakamoto, J.; Kasai, N.; Khalil, Y.; Shibutani, T.; Miyake, A. Leak frequency analysis for hydrogen-based technology using bayesian and frequentist methods. Process Saf. Environ. Prot. 2020, 136, 148–156.
  19. Li, Z.; Pan, X.; Ma, J. Quantitative risk assessment on a gaseous hydrogen refueling station in Shanghai. Int. J. Hydrogen Energy 2010, 35, 6822–6829.
  20. Pirbalouti, R.G.; Dehkordi, M.K.; Mohammadpour, J.; Zarei, E.; Yazdi, M. An advanced framework for leakage risk assessment of hydrogen refueling stations using interval-valued spherical fuzzy sets (IV-SFS). Int. J. Hydrogen Energy 2023, 48, 20827–20842.
  21. Charalampos Tofalos, B.J.; Jang, H. Safety comparison analysis between LNG/LH2 for bunkering operation. J. Int. Marit. Saf. Environ. Aff. Shipp. 2020, 4, 135–150.
  22. Depken, J.; Simon-Shultz, M.; Baetcke, L.; Ehlers, S. Comparing the safety of bunkering LH2 and LNG using quantitative risk assessment with a focus on ignition hazards. Int. J. Hydrogen Energy 2024, 83, 1243–1250.
  23. Depken, J.; Dyck, A.; Roß, L.; Ehlers, S. Safety Considerations of Hydrogen Application in Shipping in Comparison to LNG. Energies 2022, 15, 3250.
  24. Ahluwalia, R.; Peng, J.K.; Roh, H.S.; Papadias, D.; Wang, X.; Aceves, S. Liquid hydrogen storage system for heavy duty trucks: Capacity, dormancy, refueling, and discharge. Int. J. Hydrogen Energy 2023, 48, 34120–34131.
  25. Mohammadfam, I.; Zarei, E. Safety risk modeling and major accidents analysis of hydrogen and natural gas releases: A comprehensive risk analysis framework. Int. J. Hydrogen Energy 2015, 40, 13653–13663.
  26. Patel, P.; Garaniya, V.; Baalisampang, T.; Arzaghi, E.; Abbassi, R.; Salehi, F. A technical review on quantitative risk analysis for hydrogen infrastructure. J. Loss Prev. Process Ind. 2024, 91, 105403.
  27. Gao, X.; Chen, G.; Pu, W.; Xiong, C. A mechanistic framework for the leakage risk reduction of mobile hydrogen refueling stations based on inherent safety concepts. Int. J. Hydrogen Energy 2024, 83, 1370–1384.
  28. Wang, L.; Lyu, X.; Zhang, J.; Liu, F.; Li, X.; Qiu, X.; Song, Q.; Lin, J.; Ma, T. Analysis of hydrogen leakage behavior and risk mitigation measures in a hydrogen refueling station. Int. J. Hydrogen Energy 2024, 83, 545–552.
  29. Gao, X.; Huang, L.; Ren, J.; Lan, Y.; Li, M.; Xiao, H. Numerical study of the effect of barrier wall on liquid hydrogen leakage and dispersion. Int. J. Hydrogen Energy, 2025; in press.
  30. Campari, A.; Ustolin, F.; Alvaro, A.; Paltrinieri, N. A review on hydrogen embrittlement and risk-based inspection of hydrogen technologies. Int. J. Hydrogen Energy 2023, 48, 35316–35346.
  31. Meissner, R.; Sieb, P.; Wollenhaupt, E.; Haberkorn, S.; Wicke, K.; Wende, G. Towards climate-neutral aviation: Assessment of maintenance requirements for airborne hydrogen storage and distribution systems. Int. J. Hydrogen Energy 2023, 48, 29367–29390.
  32. Collina, G.; Bucelli, M.; Paltrinieri, N. Multi-stage monitoring of hydrogen systems for improved maintenance approaches: An extensive review. Int. J. Hydrogen Energy 2025, 105, 458–480.
  33. Chizubem, B.; Subbiah, A.; Izuchukwu, O.C.; Musa, K.S. Real-time monitoring using digital platforms for enhanced safety in hydrogen facilities—Current perspectives and future directions. Int. J. Hydrogen Energy 2025, 98, 487–499.
  34. Collina, G.; Tzioutzios, D.; Liu, Y.; Bucelli, M.; Paltrinieri, N. Investigation of Safety Barrier Role in Hydrogen Related Undesired Events. In Proceedings of the 34th European Safety and Reliability Conference (ESREL), Cracow, Poland, 23–27 June 2024.
  35. Rong, Y.; Peng, J.; Gao, J.; Zhang, X.; Li, X.; Pan, X.; Chen, J.; Chen, S. Numerical Investigation on the Liquid Hydrogen Leakage and Protection Strategy. Processes 2023, 11, 1173.
  36. Jiang, Y.; Xing, Z.; Xu, Q.; Wu, J.; Peng, M.; Liu, Y. Research on fence protection for liquid hydrogen leakage in the storage tank area. J. Energy Storage 2024, 95, 112481.
  37. Wang, C.; Wang, L.; Su, C.; Jiang, M.; Li, Z.; Deng, J. Modeling and performance analysis of emergency response process for hydrogen leakage and explosion accidents. J. Loss Prev. Process Ind. 2024, 87, 105239.
  38. Bulat, H.H.; Kaymakçı, Ö.T.; Ilhan, H. Human factors in hydrogen storage: An analysis of safety implications. Int. J. Hydrogen Energy, 2024; in press.
  39. Boretti, A.; Huang, A. Physical storage in conformal composite tanks presents clear advantages over material-based solutions for hydrogen-powered aerospace applications. Int. J. Hydrogen Energy 2024, 68, 1297–1301.
  40. Drube, T.; Gerlach, J.; Leach, T.; Vogel, B.; Klebanoff, L. Exploring variations in the weight, size and shape of liquid hydrogen tanks for zero-emission fuel-cell vessels. Int. J. Hydrogen Energy 2024, 80, 1441–1465.
  41. Jagtap, S.S.; Childs, P.R.; Stettler, M.E. Conceptual design-optimisation of a subsonic hydrogen-powered long-range blended-wing-body aircraft. Int. J. Hydrogen Energy 2024, 96, 639–651.
  42. Spencer, R. Certification considerations for the configuration of a hydrogen-fuelled aeroplane. Aeronaut. J. 2023, 127, 213–231.
  43. Tiwari, S.; Pekris, M.J.; Doherty, J.J. A review of liquid hydrogen aircraft and propulsion technologies. Int. J. Hydrogen Energy 2024, 57, 1174–1196.
  44. Kotzem, M.; Wöhler, S.; Burschyk, T.; Hesse, C.; Hellbrück, S.; Zill, T. Conceptual aircraft design of a research baseline with direct liquid hydrogen combustion. In Proceedings of the 34th Congress of the International Council of the Aeronautical Sciences (ICAS), Firenze, Italy, 9–13 September 2024.
  45. Gavrilovic, N.; Mertika, S.; Moschetta, J.M.; Schimpf, J.; Park, G.; Kim, S.Y. Experimental Study on a Liquid Hydrogen Tank for Unmanned Aerial Vehicle Applications. J. Aircr. 2024, 61, 1–12.
  46. Brewer, G.D. Hydrogen Aircraft Technology; CRC Press: Boca Raton, FL, USA, 1991.
  47. TM-2009-215521; Hydrogen Fuel System Design Trades for High Altitude Long-Endurance Remotely Operated Aircraft. NASA Glenn Research Center: Cleveland, OH, USA, 2009.
  48. Neugebauer, R. (Ed.) Hydrogen Technologies; Springer: Cham, Switzerland, 2022.
  49. Al Ghafri, S.Z.S.; Swanger, A.; Jusko, V.; Siahvashi, A.; Perez, F.; Johns, M.L.; May, E.F. Modelling of Liquid Hydrogen Boil-Off. Energies 2022, 15, 1149.
  50. Peterson, T.; Weisend, J.G., II. Cryogenic Safety: A Guide to Best Practice in the Lab and Workplace; Springer: Cham, Switzerland, 2019.
  51. Kotchourko, A.; Jordan, T. Hydrogen Safety for Energy Applications; Butterworth-Heinemann: Oxford, UK, 2022.
  52. Eytan, J.; Adler, J.R.M. Hydrogen-powered aircraft: Fundamental concepts, key technologies, and environmental impacts. Prog. Aerosp. Sci. 2023, 141, 100922.
  53. Yin, L.; Yang, H.; Ju, Y. Review on the key technologies and future development of insulation structure for liquid hydrogen storage tanks. Int. J. Hydrogen Energy 2024, 57, 1302–1315.
  54. Kameni Monkam, L.; Graf von Schweinitz, A.; Friedrichs, J.; Gao, X. Feasibility analysis of a new thermal insulation concept of cryogenic fuel tanks for hydrogen fuel cell powered commercial aircraft. Int. J. Hydrogen Energy 2022, 47, 31395–31408.
  55. ARP4761; Guideline and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment. SAE International: Warrendale, PA, USA, 1996.
  56. SAF.ET1.ST03.1000-MAN; Air Navigation System Safety Assessment Methodology (SAM), Edition 2.1. EUROCONTROL: Brussels, Belgium, 2006.
  57. Badia, E.; Navajas, J.; Sala, R.; Paltrinieri, N.; Sato, H. Analysis of Hydrogen Value Chain Events: Implications for Hydrogen Refueling Stations’ Safety. Safety 2024, 10, 44.
  58. TM X-71565; Review of Hydrogen Accidents and Incidents in NASA Operations. NASA Lewis Research Center: Cleveland, OH, USA, 1974.
  59. G-095-2017; Guide to Safety of Hydrogen and Hydrogen Systems. AIAA: Reston, VA, USA, 2017.
  60. Jennifer, W. Statistics, Lessons Learnt and Recommendations from the Analysis of the Hydrogen Incidents and Accidents Database (HIAD 2.0); Fuel Cells and Hydrogen 2 Joint Undertaking: Brussels, Belgium, 2021.
  61. llis.nasa.gov; NASA Office of the Chief Engineer. NASA: Washington, DC, USA, 2023.
  62. h2tools.org; Pacific Northwest National Laboratory, supported by the U.S. Department of Energy’s Office of Energy Efficiency and Renewable Energy: Richland, WA, USA, 2023.
  63. European Hydrogen Incidents and Accidents database HIAD 2.1; Joint Research Centre, European Commission: Petten, The Netherlands, 2023.
  64. Melideo, D.; Wen, J.P.M. HIAD 2.0—Hydrogen Incident and Accident Database. In Proceedings of the 8th International Conference on Hydrogen Safety (ICHS), Adelaide, Australia, 24–26 September 2019. [Google Scholar]
  65. Wetzel, F.J. Improved handling of liquid hydrogen at filling stations: Review of six years of experience. Int. J. Hydrogen Energy 1998, 23, 339–348. [Google Scholar] [CrossRef]
  66. Pio, G.; Salzano, E. Accidental Combustion Phenomena at Cryogenic Conditions. Safety 2021, 7, 67. [Google Scholar] [CrossRef]
  67. Ustolin, F.; Ferrari, F.; Paltrinieri, N. Prediction of Condensed Phase Formation during an Accidental Release of Liquid Hydrogen. Chem. Eng. Trans. 2022, 91, 439–444.
  68. van Wingerden, K.; Kluge, M.; Habib, A.; Ustolin, F.; Paltrinieri, N. Medium-scale Tests to Investigate the Possibility and Effects of BLEVEs of Storage Vessels Containing Liquified Hydrogen. Chem. Eng. Trans. 2022, 90, 547–552.
  69. Ustolin, F.; Tolias, I.C.; Giannissi, S.G.; Venetsanos, A.G.; Paltrinieri, N. A CFD analysis of liquefied gas vessel explosions. Process Saf. Environ. Prot. 2022, 159, 61–75.
  70. Kim, W.; Shentsov, V.; Makarov, D.; Molkov, V. Simulations of Blast Wave and Fireball Occurring Due to Rupture of High-Pressure Hydrogen Tank. Safety 2017, 3, 16.
  71. Sápi, Z.; Butler, R. Properties of cryogenic and low temperature composite materials—A review. Cryogenics 2020, 111, 103190.
  72. Hohe, J.; Neubrand, A.; Fliegener, S.; Beckmann, C.; Schober, M.; Weiss, K.P.; Appel, S. Performance of fiber reinforced materials under cryogenic conditions—A review. Compos. Part A Appl. Sci. Manuf. 2021, 141, 106226.
  73. Zhang, J.; Lei, L.; Zhou, W.; Li, G.; Yan, Y.; Ni, Z. Cryogenic mechanical and hydrogen-barrier properties of carbon fiber composites for type V cryo-compressed hydrogen storage vessels. Compos. Commun. 2023, 43, 101733.
  74. Sobola, D.; Dallaev, R. Exploring Hydrogen Embrittlement: Mechanisms, Consequences, and Advances in Metal Science. Energies 2024, 17, 2972.
  75. Ustolin, F.; Paltrinieri, N.; Berto, F. Loss of integrity of hydrogen technologies: A critical review. Int. J. Hydrogen Energy 2020, 45, 23809–23840.
  76. Tao, P.; Zhou, W.; Miao, X.; Peng, J.; Liu, W. Review of Characterization on Hydrogen Embrittlement by Micro-Sample Testing Methods. Metals 2023, 13, 1753.
  77. Grogan, D.; Leen, S.; Semprimoschnig, C.; Ó Brádaigh, C. Damage characterisation of cryogenically cycled carbon fibre/PEEK laminates. Compos. Part A Appl. Sci. Manuf. 2014, 66, 237–250.
  78. Hosseini, S.; den Otter, A.; Zevenbergen, J.; Atli-Veltin, B.; Dransfeld, C. Methodology for the identification of hydrogen gas permeation path in damaged laminates. In Proceedings of the 20th European Conference on Composite Materials: Composites Meet Sustainability. EPFL Lausanne, Composite Construction Laboratory, Lausanne, Switzerland, 26–30 June 2022; Volume 5, pp. 306–313.
  79. SAND2012-7321; Technical Reference for Hydrogen Compatibility of Materials. SANDIA: Livermore, CA, USA, 2012.
  80. 6055.9-STD; Defense Explosives Safety Regulation. Department of Defense: Arlington, VA, USA, 2024.
  81. G-5.5; Standard for Hydrogen Vent Systems. CGA: Chantilly, VA, USA, 2021.
  82. Hoelzen, J.; Flohr, M.; Silberhorn, D.; Mangold, J.; Bensmann, A.; Hanke-Rauschenbach, R. H2-powered aviation at airports—Design and economics of LH2 refueling systems. Energy Convers. Manag. X 2022, 14, 100206.
  83. Mangold, J.; Silberhorn, D.; Moebs, N.; Dzikus, N.; Hoelzen, J.; Zill, T.; Strohmayer, A. Refueling of LH2 Aircraft—Assessment of Turnaround Procedures and Aircraft Design Implication. Energies 2022, 15, 2475.
  84. Li, K.; Guo, X.; Shen, T.; Gao, Y.; Han, Y.; Zheng, J. Review of Standards for Liquid Hydrogen Storage Vessels. In Proceedings of the Pressure Vessels and Piping Conference, Bellevue, WA, USA, 28 July–2 August 2024.
  85. BPVC.VIII.1; ASME Boiler and Pressure Vessel Code, Section VIII: Rules for Construction of Pressure Vessels, Division 1. American Society of Mechanical Engineers: New York, NY, USA, 2023.
  86. 29CFR1910.103; Hydrogen. Code of Federal Regulations: Washington, DC, USA, 2022.
  87. Doc 100/20; Hydrogen Cylinder and Transport Vessels. EIGA: Brussels, Belgium, 2020.
  88. 15916; Basic Consideration for the Safety of Hydrogen Systems. ISO: Geneva, Switzerland, 2015.
  89. 55; Compressed Gases and Cryogenic Fluids Code. NFPA: Quincy, MA, USA, 2023.
  90. H-7; Standard Procedures for Hydrogen Supply Systems. CGA: Chantilly, VA, USA, 2024.
  91. Schlegel, D.; Vater, M.; Spitzer, S.; Gude, M.; Hurtado, A. Multi scale systematisation of damage and failure modes of high-pressure hydrogen composite vessels in aviation, Part 1: Methodology. Int. J. Hydrogen Energy 2024, 95, 796–805.
  92. Schlegel, D.; Vater, M.; Spitzer, S.; Gude, M.; Hurtado, A. Multi scale systematisation of damage and failure modes of high-pressure hydrogen composite vessels in aviation, Part 2: Analysis. Int. J. Hydrogen Energy 2025, 98, 52–66.
  93. Luterbacher Mus, R.; Rodeck, R.; Wende, G. Initial and Continued Airworthiness: Commonalities and Differences Between Civil and Military Aviation. Aerospace 2025, 12, 23.
Figure 1. The process for preliminary safety assessment of a LH2 storage system followed in this research.
Figure 2. Schematic representation of the interfaces of the liquid hydrogen fuel storage system.
Figure 3. List of essential functions for a liquid hydrogen tank system used within an aviation vehicle.
Figure 4. Distribution of the hazards identified in this study and their respective hazard relevance level among the five classified categories.
Figure 5. Hazard incidence levels across the five classified hazard categories.
Figure 6. Counts of the analyzed hazard database incidents associated with the liquid hydrogen storage system functions.
Figure 7. Representation of the relation between a safety recommendation, in this instance S021 and the hazards from which it originated.
Table 1. Operational mode list defined for assessing failures in such conditions.
Service Phase
Manufacturing
Handling
Fuelling
Flight
Dormancy
Maintenance
Table 2. List of operational scenarios defined for assessing failures in such conditions.
Environmental Conditions
Normal operation
Saturated gas environment
Mechanical contact
Arc discharge
Power loss
Fire
Table 3. List of functional failure modes used for hazard identification.
Functional Failure Mode
Partial loss of function
Loss of function
Malfunction
Unannounced loss of function
Function provided when not needed
Table 4. Weights assigned to functional failure severity classes.
| Functional Failure Severity | WFHA |
|---|---|
| Catastrophic | 2 |
| Hazardous | 1 |
| Major | 0.5 |
| Minor | 0.1 |
| No effect | 0 |
Table 5. Discretization function $f_{discret}(y)$ rules used to linearize the FO parameters for further determining the safety recommendations incidence parameter.
| Function Input | Output |
|---|---|
| y < 2 | 1 |
| y < 3 | 1.25 |
| y < 4 | 1.5 |
| y >= 4 | 2 |
Table 6. Example entries of functional hazard identification. The failure mode, service phase and environmental conditions are abbreviated to focus on functional failure effect.
| ID | Fun. | Fail. Mode | Serv. Phase | Env. | Functional Failure Effect |
|---|---|---|---|---|---|
| H109 | F3.3 | Malf. | Fuel. | Norm. | Actuation state of vent line is incorrectly registered; unexpected release. |
| H110 | F3.3 | Malf. | Fuel. | Norm. | Pressure limitations cannot be enforced, unintentional pressure level is reached, and tank gets damaged. |
| H111 | F3.3 | Malf. | Main. | Norm. | Failing in preventing inadvertent actuation leads to hydrogen release. |
Table 7. Example entries of hazard assessment following the failure effect identification. Hazard is categorized, and a recommendation is proposed.
| ID | Hazard Severity | Hazard Type | Proposed Recommendation |
|---|---|---|---|
| H109 | Major | Sensor problem | Actuation state of fuel release device should be monitorable and the actuation direction checked. |
| H110 | Hazardous | Fuel management | Ensure the automatic enforcement of operational limitations. |
| H111 | Catastrophic | Operational error | Ensure dangerous actuations given the system state are blocked. |
Table 8. Top identified safety recommendations ordered with ascending risk index.
| ID | Description | Risk |
|---|---|---|
| S031 | Prevent fuel leaks through fittings by using pressure locking, failproof strategies, and systematic inspections, while avoiding welded connections, inadequate surface preparation, incorrect usage, vibration. | 3.14 |
| S002 | Prevent collisions and crashes of the storage system during operations by installing sufficient mechanical barriers. | 3.00 |
| S050 | Ensure discharge paths for lightning are provided, and the surface of the vessel and the attached component is ESD-compliant as indicated in AIAA G-095. | 3.00 |
| S005 | Ensure the tank wall permeation rate stays below the dormancy threshold under panel cryogenic conditions. Test tank wall samples for permeation under the operative cryogenic conditions. | 2.67 |
| S021 | Implement technologies for hydrogen release as a fail-safe for emergencies, ensuring safe fuel dumping is always possible. Provide remote operation. | 2.64 |
| S024 | Designate an unsafe zone around the system during testing and install ventilation barriers to safeguard operators in the event of a hydrogen release. | 2.50 |
| S047 | Establish a procedure for purging and purge the verification of tank and tubing. | 2.50 |
| S003 | Ensure that the frequency of valve failure remains consistently below a defined frequency threshold per flight hour for all applicable fluid flow conditions. | 2.36 |
| S035 | Provide redundancy in PRDs, ensuring they are installed on all isolated lines and connected properly to the vent line. | 2.29 |
| S009 | Design a safe venting system as defined in related standards such as CGA 5.5 to prevent risks such as backfire or detonation. | 2.25 |
| S022 | Prevent overfill by using diverse technologies for hydrogen metering and by pre-calculating the applicable flow from the fuel source. | 2.25 |
| S034 | Verify fuel and its quality (purity, vapor mass fraction, spin state) before filling to prevent accumulation of unwanted substances. | 2.25 |
| S049 | Ensure the control system can enforce operative limits determined following the system specifications. | 2.25 |
| S040 | Ensure that the percentage of tank wall voids due to improper manufacturing process conditions remains below a critical threshold and is not localized. | 2.00 |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Simonetto, M.; Pascoe, J.-A.; Sharpanskykh, A. Preliminary Safety Assessment of a Liquid Hydrogen Storage System for Commercial Aviation. Safety 2025, 11, 27. https://doi.org/10.3390/safety11010027