Safety Assessment of Transport Aircraft Heavy Equipment Airdrop: An Improved STPA-BN Mechanism

Aviation safety is an enduring theme, and safety assessment is the principal method for assessing aircraft safety, but it is difficult to assess the safety of a heavy equipment airdrop from a transport aircraft because of mission complexity and strong coupling. This study uses an improved STPA-BN methodology to assess the safety of a transport aircraft heavy equipment airdrop. To this end, qualitative safety analysis is performed by STPA, and quantitative safety assessment is then performed by BN. In contrast to the state of the art, the distinguishing feature of the proposed design is the introduction of DS evidence theory, which supplies the prior probabilities of the nodes in the BN. More precisely, the best-worst multi-criteria decision-making method (BWM) is incorporated into DS evidence theory to tackle the conflict problem that affects most existing designs. Importance analysis is used to determine the importance of the different risk nodes. A transport aircraft heavy equipment airdrop mission is used as a case study to test the effectiveness of the proposed method.


I. INTRODUCTION
Airdrops by military transport aircraft are used to deliver items including weapons, equipment, or humanitarian aid without requiring the aircraft to land. The airdrop of large equipment weighing one ton or more is considered a heavy equipment airdrop, and this type of airdrop is frequently used in military missions [1]. A heavy equipment airdrop is a complex system with human-machine interaction, human-human interaction, and high mission requirements, and any problem in the human-machine-environment system may adversely affect the safety of the airdrop mission. There have been many accidents caused by the failure of airdrop missions [2], [3]. For instance, in 2016, the Ukrainian Air Force used an Il-76 aircraft to drop a BMD-2 paratrooper chariot during training. The parachute separated because the brake rocket on the parachute was activated accidentally, causing the BMD-2 to fall to the ground. In the same year, the U.S. Air Force used a C-130 transport aircraft for an airdrop mission, and three Humvees crashed because of improper parachute rigging. In 2019, Russia crashed a BMD-2 during heavy equipment airdrop training because the parachute system did not deploy properly. Thus, there is significant interest in improving the safety of heavy equipment airdrops and in developing methods to assess that safety.
The associate editor coordinating the review of this manuscript and approving it for publication was Amjad Mehmood.
Methods focused on the risks of human contributions to the stability domain of this human-machine-environment closed-loop system have been proposed to study problems during a heavy equipment airdrop such as pilots operating too violently or inappropriate decision making by the air-dropper [4], [5]. Focusing on mechanical risks, control methods have been proposed to study aircraft-cargo coupling characteristics, equipment blocking failure, equipment sliding disturbance, equipment stability under drastic changes during a heavy equipment airdrop, and constraints between the extraction parachute and the equipment [6], [7], [8], [9], [10]. Focusing on risks posed by the environment, methods have been developed to improve the anti-interference capability of the aircraft and so ensure the robustness of a heavy equipment airdrop against lateral wind, disturbed wind, and atmospheric turbulence [11]. All of the above-mentioned approaches model the whole system or individual subsystems, or propose flight control strategies, for the heavy equipment airdrop process, but they rarely consider how to assess the safety of the mission with a combination of qualitative and quantitative aspects. Safety assessment is generally composed of both safety analysis and assessment, and for a heavy equipment airdrop it is necessary to carry out safety analysis before safety assessment. The risk factors affecting heavy equipment airdrop safety can be found by safety analysis, and safety assessment can then be carried out on the basis of those risk factors.
Drawing on system and control theory, Leveson proposed the System-Theoretic Accident Model and Process (STAMP) in 2004, which uses control theory to address the safety problem and treats safety as an emergent property of a complex system [12], [13], [17], [15], [16]. System safety can be assured by imposing constraints on the interactions of components. System-Theoretic Process Analysis (STPA) is a hazard analysis technique based on STAMP that overcomes the shortcomings of traditional safety analysis methods such as fault trees [17], [18], the Bow-Tie model [19], [20], and failure mode and effects analysis [21], which cannot effectively analyze the interactions of human, environment, software, and hardware from a nonlinear perspective. STPA has been widely used in the chemical, nuclear power, railway, aviation, and other industries. A heavy equipment airdrop is a large-scale complex system with strong human-machine interaction and coupling, so traditional linear safety analysis methods are not appropriate. STPA can effectively analyze the coupling effect of a system and its operating mechanism, so it is a reasonable choice for safety analysis of a heavy equipment airdrop mission. STPA uses a hierarchical model to describe the relationships between the components of a system, and this can be applied to a heavy equipment airdrop to map out the safety constraints and requirements that should be applied to improve overall safety. Although STPA allows qualitative safety analysis of a heavy equipment airdrop, it cannot be used for quantitative assessment or probability calculation, so neither the probability of a risk nor the scope of its influence can be determined. Thus, STPA alone cannot be used for quantitative assessment of the safety of a heavy equipment airdrop mission.
Bayesian Network (BN) is often used in safety assessment. A combination of graph theory and probability theory, BN was proposed by Pearl in 1986 [22], [23], [24], [25]. BN can effectively express and describe uncertain knowledge, making it suitable for safety assessment. Feng [26] proposed and verified an aviation safety assessment method based on fuzzy mathematics and BN to analyze risk factors in complex models. Guo [27] applied fuzzy DBN to carry out risk assessment for the fire risk of a storage area, and solved the problem of information distortion in the transmission process under an uncertain environment to ensure the accuracy and effectiveness of the risk assessment results. Liu [28] established a deep-water drilling risk assessment model based on fault trees and DBN, and determined the influence of risk factors through interaction and uncertainty analysis. Advances have been made to overcome the shortcomings of BN, but there are still many disadvantages in using BN for safety assessment. For example, describing node probabilities with DS evidence theory can run into the conflict problem, and traditional DS evidence theory [29], [30] is then unable to fuse the information, making it difficult to ensure accurate knowledge reasoning. Because experts hold different opinions, their judgments of the result can differ, so weighting the decisions of the experts is also a challenge. The use of simple "and" and "or" gates to express the logical relationship between nodes can lead to information distortion. The criterion for determining the importance of a parent node is typically a single one, so it is unreasonable to use it as the basis of judgment for safety prevention. Considering these shortcomings of using BN to assess the safety of a heavy equipment airdrop, the main contributions of this work are as follows:
1) To the best of our knowledge, this is the study of the safety of a heavy equipment airdrop from a transport aircraft from a system perspective and using an improved STPA-BN methodology. The improved STPA-BN methodology can systematically carry out safety analysis and assessment, ensuring the objectivity and accuracy of the results. The success rate of heavy equipment airdrops can be improved by taking measures to minimize the risk presented by the factors identified with STPA-BN;
2) Expanding on existing safety assessment methods, DS evidence theory is applied within the improved STPA-BN methodology, allowing multi-source uncertain information to be considered and ensuring the accuracy of the prior probabilities of the risk nodes in the Bayesian network;
3) The improved STPA-BN methodology has better computational efficiency because of its use of BWM. BWM effectively solves the problem of assigning reliability to experts, improving the credibility of assessment results that would otherwise suffer from cognitive uncertainty.
The remaining text is organized as follows. Section II presents the improved STPA-BN mechanism. Section III describes the general process of safety analysis of a heavy equipment airdrop mission. Section IV presents a safety assessment for a specific airdrop mission and makes suggestions on strategies to reduce risk. Section V presents the conclusions of this work.

II. THE IMPROVED STPA-BN MECHANISM
Considering the strong information uncertainty, high system complexity, and high safety requirements of a heavy equipment airdrop, a safety assessment model based on STPA-BN was established, as shown in Fig.1. This improved STPA-BN model includes STPA, BN, BWM and improved DS evidence theory. Using a Bayesian network for safety assessment of a heavy equipment airdrop requires that safety analysis based on STPA be carried out first. After the risk factors of a heavy equipment airdrop have been identified by STPA, the Bayesian network safety risk model can be constructed from those risk factors. The improvements to STPA-BN are the introduction of BWM and DS evidence theory, so that the model topology is built directly from expert opinion while the probabilistic parameters are determined in a way that avoids expert cognitive bias.
VOLUME 10, 2022

A. SAFETY ANALYSIS BASED ON STPA
STPA is a safety analysis method that is suitable for assessment at each stage of a system's life cycle. STPA mainly describes the interactions between the components of the heavy equipment airdrop system through a control structure diagram, with analysis of the potential hazards in each controller. STPA can be divided into four steps.
Step 1: Define the purpose of the analysis. The purpose of STPA is to identify potential accidents and hazards leading to the failure of heavy equipment airdrop missions and to set the appropriate safety boundaries for accident prevention. The details are as follows:
• Define system-level accidents;
• Define system-level hazards;
• Determine the safety boundaries of the system.
Step 2: Establish the safety control structure. After identification of system-level accidents and system-level hazards, STPA establishes a control feedback structure diagram including controllers, actuators, controlled objects, and sensors, as shown in Fig.2.
Step 3: Identify unsafe control actions (UCAs). UCAs involve the components of the system and the interactions between the components. STPA provides four types of UCAs:
• Not providing a control action;
• Providing an incorrect control action;
• Providing a control action too early or too late;
• Providing a control action for too long or too short a time.
Step 4: Identify potential causes. This step identifies the causal factors that can lead to UCAs and hazards. Once the causal factors have been identified by STPA, a BN can be established to carry out the safety assessment.
In summary, the purpose of the analysis is to identify potential accidents and hazards that would cause the failure of a heavy equipment airdrop, to facilitate the systematic establishment of a safety control structure, to understand the operating mechanisms of the heavy equipment airdrop, to identify UCAs and their causal factors, and ultimately to set the appropriate safety boundaries for the heavy equipment airdrop.

B. SAFETY ASSESSMENT BASED ON BN
1) BAYESIAN NETWORK
After identifying the risk factors of a heavy equipment airdrop based on STPA, a Bayesian network can be constructed by determining the significant risk factors. A BN can be represented by the two-tuple BN = (G, P). G is a directed acyclic graph (DAG) consisting of nodes and directed links, representing a set of variables and the dependences among them. Nodes are divided into child nodes X_i and parent nodes pa(X_i) that are connected by directed links. A(X_i) represents the set of non-descendant nodes of X_i, and the directed links represent causal relationships between variables. P is a Conditional Probability Table (CPT), which reflects the logical relationships between nodes. When X_i and pa(X_i) are conditionally independent, then The joint probability distribution in the BN can be expressed as Because of the complexity and uncertainty of a heavy equipment airdrop process, the probabilities of the nodes cannot be obtained accurately. To address this, DS evidence theory can be used to determine the probabilities of the nodes. A limitation of traditional DS evidence theory, however, is the conflict problem: combining pieces of evidence that differ significantly can produce results that contradict common sense. To address this limitation, BWM is applied to determine expert weights, which are then used to revise the evidence.

2) BWM
In 2015, BWM was proposed by Rezaei; it compares the best and the worst criterion with the other criteria to determine the weight of each criterion [31], [32], [33]. The steps of BWM are as follows:
Step 1: Construct a set of decision criteria C = {C_1, C_2, ..., C_n}, which contains n criteria;
Step 2: Identify the best criterion C_B and the worst criterion C_W;
Step 3: Compare the best criterion C_B with the other criteria in pairs, using a number between 1 and 9. Construct the comparison vector A_B = (a_B1, a_B2, ..., a_Bn), where a_Bj indicates the preference of the best criterion C_B over criterion j, with a_BB = 1;
Step 4: Compare the other criteria with the worst criterion C_W in pairs, using a number between 1 and 9. Construct the comparison vector A_W = (a_1W, a_2W, ..., a_nW)^T, where a_jW indicates the preference of criterion j over the worst criterion C_W, with a_WW = 1;
Step 5: Construct a mathematical min-max model to calculate the optimal weight of each criterion, ω* = (ω*_1, ω*_2, ..., ω*_n), with the objective function as follows:
Remark 1: BWM uses pairwise comparison and its comparison vectors contain only integers. The problem of the fundamental distance can be solved by the use of fractions. BWM greatly improves computational efficiency: compared with the analytic hierarchy process (AHP), fewer pairwise comparisons are required [34]. AHP needs pairwise comparison of all n criteria, i.e., n(n − 1)/2 pairwise comparisons, whereas BWM needs only 2n − 3.
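The following is an added example, not code from the paper, showing Steps 1 to 5 of BWM for the case in which the two comparison vectors are fully consistent (a_Bj · a_jW = a_BW for every j), where the min-max model has the closed-form solution ω_j = ω_B / a_Bj with objective value zero. The five criteria, the choice of C5 as best and C3 as worst, and the comparison numbers are constructed for illustration (they are not the paper's Table 6); for inconsistent judgements the min-max model must be solved with an LP solver, which this example does not include, although `bwm_objective` evaluates the model's objective for any candidate weight vector so that the deviation can be measured.

```python
"""BWM (best-worst method) weights for a consistent set of comparisons.

Added example; not the paper's code.  Comparison data are constructed.
"""


def check_scale(a_best, a_worst):
    """Every pairwise preference must be an integer on the 1..9 scale."""
    for value in list(a_best.values()) + list(a_worst.values()):
        if not (isinstance(value, int) and 1 <= value <= 9):
            raise ValueError(f"preference {value!r} is not an integer in 1..9")


def is_consistent(best, worst, a_best, a_worst):
    """A BWM comparison is fully consistent when a_Bj * a_jW == a_BW for every j."""
    a_bw = a_best[worst]
    return all(a_best[j] * a_worst[j] == a_bw for j in a_best)


def bwm_consistent_weights(best, worst, a_best, a_worst):
    """Closed-form BWM weights for consistent comparisons (objective = 0).

    With a_Bj = w_B / w_j exactly, w_j = w_B / a_Bj, and sum(w) = 1 fixes
    w_B = 1 / sum_j (1 / a_Bj).
    """
    check_scale(a_best, a_worst)
    if not is_consistent(best, worst, a_best, a_worst):
        raise ValueError("comparisons are inconsistent; solve the min-max model instead")
    w_best = 1.0 / sum(1.0 / a for a in a_best.values())
    return {j: w_best / a_best[j] for j in a_best}


def bwm_objective(weights, best, worst, a_best, a_worst):
    """xi = max_j max(|w_B/w_j - a_Bj|, |w_j/w_W - a_jW|), the quantity the
    BWM min-max model minimises; zero means every comparison is reproduced."""
    w_b, w_w = weights[best], weights[worst]
    return max(
        max(abs(w_b / weights[j] - a_best[j]), abs(weights[j] / w_w - a_worst[j]))
        for j in weights
    )


def comparison_counts(n):
    """(AHP pairwise comparisons, BWM pairwise comparisons) for n criteria."""
    return n * (n - 1) // 2, 2 * n - 3


# Constructed example: five criteria, C5 best, C3 worst, a_BW = 8.
BEST, WORST = "C5", "C3"
A_BEST = {"C1": 2, "C2": 4, "C3": 8, "C4": 2, "C5": 1}   # a_Bj, a_BB = 1
A_WORST = {"C1": 4, "C2": 2, "C3": 1, "C4": 4, "C5": 8}  # a_jW, a_WW = 1

if __name__ == "__main__":
    w = bwm_consistent_weights(BEST, WORST, A_BEST, A_WORST)
    print({k: round(v, 3) for k, v in w.items()})
    print("xi =", bwm_objective(w, BEST, WORST, A_BEST, A_WORST))
    print("comparisons AHP vs BWM:", comparison_counts(len(A_BEST)))
```

Changing a single entry of `A_WORST` (for example `C1` from 4 to 3) makes `is_consistent` return False and `bwm_objective` on the closed-form weights return 1.0, which is the deviation that the full min-max model would then spread across the criteria.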

3) IMPROVED DS EVIDENCE THEORY
DS evidence theory was proposed by Dempster and developed by Shafer as an uncertain reasoning method that can effectively integrate multi-source information. The theory is widely used in pattern classification [35], pattern recognition [36], threat assessment [37], multi-attribute decision making [38] and other fields [39], [40], [41], [42]. In DS evidence theory, represents the identification frame, whose subsets are mutually exclusive, and 2 represents all the identification objects included in . ∀A ⊆ , if the function m satisfies 2 → [0, 1], then where Ø is the empty set, and the function m is the basic probability assignment (BPA) on . m(A) represents the degree of confidence that the evidence gives to proposition A. If m(A) > 0, A is a focal element of , commonly called a proposition. The DS evidence theory combination rules are as follows: where A_j represents the j-th proposition and A_i represents a set that contains proposition A. K represents the conflict, and a greater value of K corresponds to greater conflict between the pieces of evidence. The best and worst criteria can be determined from several characteristics of the experts. A comparison matrix is then established to obtain the weight of each criterion with BWM. The prior probability of a parent node is determined by the experts, each of whom supplies one piece of evidence for DS evidence theory. The BPA of each expert's assessment is adjusted according to the expert's weight coefficient, which yields the modified evidence.
A problem with the traditional Dempster combination method is that it may lead to unreasonable results that contradict intuition. In particular, when K = 1 the pieces of evidence are in total conflict, and 1 − K = 0 in Eq.(6), so Eq.(6) is undefined. Therefore, the combination rules need to be improved. Because the traditional theory cannot resolve conflict, Yager proposed assigning the conflict to an unknown proposition k, which is expressed as [43] The Yager combination formula can handle conflict between data. It is not entirely reasonable to assign the conflict mass entirely to the unknown domain, since this negates some evidence and may lead to a final assessment that does not meet the ideal requirements or to an impractical combination result. Therefore, the combination rules of the Yager formula also need to be improved.
Supposing that the conflict between m_i and m_j is K_ij, then Let ε be the averageness of the change degree of the inter-evidence conflict, and let the mean conflict be the average value of the conflict degree K_ij over all pairs of evidence; then (12) where n is the number of pieces of evidence. Based on the above definitions, the combination formula is expressed as: The value of ε represents the averageness level of the conflict changes among the different pieces of evidence. The larger ε is, the better the averageness, indicating that the degree of conflict changes in a relatively balanced way. Each piece of evidence can then be considered equally important, so the probability of inter-evidence conflict can be assigned to the evidence sources. In contrast, the smaller ε is, the worse the averageness, indicating that the degree of conflict changes in an unbalanced way. This suggests significant disagreement between the pieces of evidence, which may make an effective judgment impossible, so the assessment results are less definitive. If the assessment is consistent or inconsistent with intuition, the support degree can be divided evenly, and the high uncertainty of the results leads to low confidence in the assessment.
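The following is an added example, not the paper's code, of the evidence-combination step described in this subsection for a single risk node with the two propositions A1 (the node occurs) and A2 (it does not). It implements Dempster's rule with the conflict K, shows why K = 1 makes that rule undefined, and implements Yager's rule, which moves the conflict mass to the whole frame. The five BPAs are constructed (the paper's evidence table for X_1 is not reproduced here); the expert weights are the ω* vector reported in Section IV.B; and the way each expert's evidence is "modified" by its weight (Shafer discounting, with reliability α_i = ω_i / max ω) is an assumption. The paper's own averaged-conflict rule based on ε is not reproduced on the page, so it is not implemented.

```python
"""Dempster and Yager combination of weighted expert evidence (added example).

Not the paper's code.  BPAs are constructed; the discounting step is assumed.
"""
from itertools import product

A1, A2 = "A1", "A2"            # X_1 occurs / does not occur
THETA = frozenset({A1, A2})    # the frame: every proposition is a subset of it


def combine_pair(m1, m2):
    """Products grouped by intersection; returns (q, K) where q maps each
    non-empty intersection to its accumulated mass and K is the conflict."""
    q, conflict = {}, 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        inter = b & c
        if inter:
            q[inter] = q.get(inter, 0.0) + mb * mc
        else:
            conflict += mb * mc
    return q, conflict


def dempster(m1, m2):
    """Dempster's rule: normalise by 1 - K.  Undefined when K == 1."""
    q, conflict = combine_pair(m1, m2)
    if abs(1.0 - conflict) < 1e-12:
        raise ValueError("total conflict (K = 1): Dempster's rule is undefined")
    return {a: v / (1.0 - conflict) for a, v in q.items()}, conflict


def yager(m1, m2):
    """Yager's rule: the conflict mass K is assigned to the whole frame."""
    q, conflict = combine_pair(m1, m2)
    q[THETA] = q.get(THETA, 0.0) + conflict
    return q, conflict


def discount(m, alpha):
    """Shafer discounting (assumed 'modification' step): scale the focal masses
    by the reliability alpha and move the remainder onto the frame."""
    out = {a: alpha * v for a, v in m.items() if a != THETA}
    out[THETA] = 1.0 - alpha + alpha * m.get(THETA, 0.0)
    return out


def combine_all(bpas, rule):
    """Fold a list of BPAs with the given rule; also return every pairwise K."""
    m, conflicts = bpas[0], []
    for nxt in bpas[1:]:
        m, k = rule(m, nxt)
        conflicts.append(k)
    return m, conflicts


# Expert weights omega* from Section IV.B; reliability alpha_i = omega_i / max(omega)
# (assumption) so that the most authoritative expert is not discounted.
OMEGA = [0.152, 0.121, 0.040, 0.202, 0.485]
ALPHAS = [w / max(OMEGA) for w in OMEGA]

# Constructed BPAs for X_1 (mass on {A1}, {A2}, Theta) from five experts.
EXPERT_BPAS = [
    {frozenset({A1}): 0.60, frozenset({A2}): 0.30, THETA: 0.10},
    {frozenset({A1}): 0.50, frozenset({A2}): 0.20, THETA: 0.30},
    {frozenset({A1}): 0.10, frozenset({A2}): 0.80, THETA: 0.10},  # dissenting expert
    {frozenset({A1}): 0.55, frozenset({A2}): 0.25, THETA: 0.20},
    {frozenset({A1}): 0.65, frozenset({A2}): 0.20, THETA: 0.15},
]


def fused_prior(bpas=EXPERT_BPAS, alphas=ALPHAS, rule=dempster):
    """Discount each expert by weight, fuse, and return (m({A1}), m(Theta), max K):
    m({A1}) is used as the prior probability that X_1 occurs."""
    modified = [discount(m, a) for m, a in zip(bpas, alphas)]
    m, conflicts = combine_all(modified, rule)
    return m.get(frozenset({A1}), 0.0), m.get(THETA, 0.0), max(conflicts)


if __name__ == "__main__":
    for name, rule in (("Dempster", dempster), ("Yager", yager)):
        p_a1, p_theta, k_max = fused_prior(rule=rule)
        print(f"{name}: m(A1)={p_a1:.3f}  m(Theta)={p_theta:.3f}  max K={k_max:.3f}")
```

Running the block shows the effect the text describes: the dissenting third expert, who carries the smallest weight, is heavily discounted and barely moves the fused result, whereas with two undiscounted, totally conflicting BPAs (`{A1}: 1` against `{A2}: 1`) Dempster's rule raises an error and Yager's rule places all mass on the frame.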

C. IMPORTANCE ANALYSIS
To verify the dependence of the analysis results on the parent nodes, importance analysis was conducted. The bidirectional reasoning function of the BN is key to importance analysis. By determining the prior probability of the parent nodes, the failure probability of the mission can be calculated based on reverse reasoning. In this work, the importance of the parent nodes can be determined from the probability importance and critical importance to determine key causal factors of failure of a heavy equipment airdrop.
The probability importance represents the change in the probability of heavy equipment airdrop failure when a parent node changes. It is denoted I^Pr_i.
P_i(T|X) represents the probability of mission failure when the prior probability of the parent node X_i does not change, and P_i~(T|X) represents the probability of mission failure when the prior probability of the parent node X_i changes.
The critical importance represents the rate of change of the probability of heavy equipment airdrop failure when the parent node X_i changes. It is denoted I^Cr_i.
The greater the values of I^Pr_i and I^Cr_i, the more unstable the node and the greater its impact on the airdrop process. By comparing the I^Pr_i and I^Cr_i values of different nodes, the importance of the nodes can be analyzed.

III. SAFETY ANALYSIS OF TRANSPORT AIRCRAFT HEAVY EQUIPMENT AIRDROP
Studying the profile of a heavy equipment airdrop is essential to understanding its operation. This step allows a more effective safety analysis and facilitates the determination of risk factors. For a general heavy equipment airdrop mission, the safety analysis proceeds as follows.

A. PROFILE ANALYSIS
The use of an aircraft to drop equipment weighing more than 1 ton from the air to a designated location is considered a heavy equipment airdrop. The heavy equipment airdrop system includes an extraction parachute system, a main parachute system, a hanging system, a pallet system, a mooring and binding system, a directional anti-overturning system, a landing release lock, a buffer system, and other equipment. The airdrop occurs in six main stages: loading of the equipment, aircraft takeoff and arrival at the designated airspace, moving the equipment out of the cargo hold, the equipment drop, the equipment buffering to the ground, and the return flight, as shown in Fig.3 and described in detail below.

1) THE LOADING OF EQUIPMENT
The maintenance personnel must reliably attach the equipment and parachute system on the pallet system, and then use an electric crane to move the pallet and equipment to the designated position of the cargo hold and fix it. Then, an extraction parachute system is installed and the extraction rope must be tightly connected with the pallet lock, with emergency lanyard chains and parachute rope cutters in case of emergency. When these tasks are complete, the workers close the cargo door.

2) AIRCRAFT TAKE OFF AND ARRIVE AT THE DESIGNATED AIRSPACE
The pilot flies the aircraft to the designated airspace, works through the descent checklist, and maintains a certain pitch angle to ensure that the pallet and equipment can leave the cargo hold safely. At this time, the cargo hold is depressurized, the auxiliary mooring of the pallet is released, and the air-dropper checks the status of the cargo hold before opening the cargo door and the boarding door.

3) THE MOVING OF EQUIPMENT OUT OF THE CARGO HOLD
The air-dropper presses the ''Drop'' button after contacting the pilot, and the extraction parachute is detached and thrown from the hook of the extraction parachute bag at the rear of the cargo hold.

4) EQUIPMENT DROP
When the equipment leaves the aircraft, the extraction lock is opened, the extraction rope is straightened, and the guide parachute is lifted. After the guide parachute is fully opened, the main parachute bag is lifted, and the deceleration parachute and the main parachute are opened in sequence so that both remain stably inflated. At the same time, the closing rope on the main parachute is loaded, so that the main parachute keeps a "bulb" shape. After the deceleration parachute is fully stretched, the closing rope is cut by the cutter, and the main parachute expands fully after secondary inflation to ensure the stable descent of the pallet system.

5) EQUIPMENT BUFFER TO GROUND
After the pallet lands, the buffer system is compressed by the weight of the load to provide a buffering effect that protects the equipment. At the same time, the landing lock that connects the equipment to the parachute is released, and the equipment and the parachute are disengaged, preventing the equipment from being dragged by the main parachute system. The directional anti-overturning system can orient the equipment as appropriate for wind resistance and the prevention of overturning.

6) RETURN FLIGHT
After the equipment has left the cargo hold, the air-dropper closes the cargo door and the boarding door on the pilot's orders, and the pilot flies the aircraft back safely.

B. DETERMINATION OF THE PURPOSE OF SAFETY ANALYSIS
1) DETERMINATION OF SYSTEM-LEVEL ACCIDENTS
System-level accidents during a heavy equipment airdrop were identified based on STPA, and mainly include aircraft crash, equipment damage, and the failure of the equipment to land in the designated location, as shown in Table 1.
Occurrence of one of the above circumstances results in mission failure, so these are considered system-level accidents. Aircraft crash (A-1) is the crash of the aircraft and the death of personnel in aircraft. Equipment damage (A-2) is equipment damage during moving in the cargo hold or after falling to the ground. The failure of equipment to land in the designated location (A-3) means that the goal of the mission has not been met.

2) DETERMINATION OF SYSTEM-LEVEL HAZARDS
After identifying potential system-level accidents, system-level hazards were investigated next. The identified system-level hazards include the pallet stuck in the cargo hold, the pallet moving on its own in the cargo hold, the aircraft out of control, and poor performance of the equipment during its drop, as listed in Table 2. The pallet stuck in the cargo hold (H-1) means that the pallet does not move because the extraction parachute does not fall off, moves slowly after the extraction parachute, or gets stuck after moving a certain distance. This can make the center of gravity unstable, and the extraction parachute can interfere with the tail of the aircraft, resulting in the equipment not being airdropped to the designated location (A-2) or the aircraft crashing (A-1). The pallet moving on its own in the cargo hold (H-2) mainly covers the extraction parachute falling off on its own too early, or defects in the auxiliary mooring device, resulting in movement of the pallet, which can lead to A-1, A-2, or A-3. Aircraft out of control (H-3) indicates that the personnel are unable to operate the aircraft correctly, resulting in A-1, A-2, or A-3. Poor performance of the equipment during the drop (H-4) is typically due to environmental factors or a defect in the main parachute system, causing the pallet to interfere with the paracord and canopy. This can mis-position the equipment and interfere with its stable descent, which can lead to A-2 or A-3.

3) DETERMINATION OF SAFETY BOUNDARY OF THE SYSTEM
The safety boundary for a heavy equipment airdrop includes all elements involved in the mission. This includes all operators, such as pilots, air-dropper, emergency tethers, parachute cutters, and maintenance personnel, as well as the system components of the transport aircraft such as the electromechanical management system, the hydraulic system, flight control system, and the heavy airdrop system. The coordinated operation of human and systems is required for a successful equipment airdrop.

C. CONTROL FEEDBACK STRUCTURE
After identifying the system-level accidents and system-level hazards of the heavy equipment airdrop, its control feedback structure was established. Profile analysis of the heavy equipment airdrop revealed that the controllers include the pilot, the air-dropper, the maintenance personnel, the emergency personnel, and the parachute cutter. These controllers are essential for the operation of the various systems of the aircraft, and they monitor the state of the aircraft and the equipment through various sensors to ensure smooth execution of the airdrop process. The control feedback structure of the heavy equipment airdrop is shown in Fig.4.

1) CAUSES OF INCORRECT FEEDBACK INFORMATION OF UNSAFE CONTROL ACTIONS
The causal factors of incorrect feedback information were analyzed for the receiving and the transmission stages of feedback information, as follows:
• The receiving stage of incorrect feedback information: airspeed head faulted; radio altimeter faulted; the screen of the pilot's instrument panel has a shadow or a fault; cargo hold monitor faulted; air-dropper display has a shadow or a fault; extraction parachute monitor faulted; airborne radar faulted.
• The transmission stage: fault in the transmission channel between the pitot tube and the instrument panel; fault in the transmission channel between the radio altimeter and the instrument panel; fault in the transmission channel between the cargo hold monitoring signal and the airdrop display screen; fault in the transmission channel between the extraction parachute monitor and the airdrop display screen; mixed data information.

IV. SAFETY ASSESSMENT OF TRANSPORT AIRCRAFT HEAVY EQUIPMENT AIRDROP
A heavy equipment airdrop was selected as an example of safety assessment before a mission. On November 4, 2019, C-17 military aircraft were used by the United States to transport M2 vehicles for fire support during a military operation in the Syrian war. The use of UAVs, fighters, and a satellite and airborne warning and control system (AWACS) increases the complexity of the battlefield environment. A heavy equipment airdrop is required to send the M2 to the rear of the battlefield to provide fire support, as shown in Fig.5. Risk prevention is necessary for the safety assessment of a heavy equipment airdrop, so that the process can be used for missions in combat scenarios.

A. CONSTRUCTION OF BN
Safety analysis of a heavy equipment airdrop was carried out based on STPA, and the risk factors corresponding to the active control and incorrect feedback of UCAs were determined. According to the safety analysis, many human-machine-environment risk factors are involved in heavy equipment airdrop operation. The STPA safety analysis of a heavy airdrop is for a general mission, and the causal factors identified apply to most airdrop scenarios. Therefore, this specific safety assessment is required for accident prevention. The experts reached consensus on the main risk factors affecting safety, starting from the risk factors identified by STPA. Pilots, the air-dropper, and the maintenance personnel perform most tasks during a heavy equipment airdrop, so their abilities and psychological states are important for overall safety. Emergencies can of course occur during a heavy equipment airdrop. The skills and psychological status of the pilot, the skills and psychological status of the air-dropper, and the skills of the maintenance personnel are human factors that can affect safety, especially during an emergency. Good communication and timely personnel interaction during a heavy equipment airdrop mission resulted in no need to consider other     parachute rope, main parachute system, cushion airbag were selected based on STPA. Additionally, the safety analysis suggested a need to consider the influence of environmental risk factors on airdrop safety. A pre-survey revealed rugged terrain and wind in the airspace. Wind can severely disturb the aircraft and affect the area where the equipment lands, and bad terrain can damage the equipment. Therefore, wind and bad terrain are selected as risk nodes in the Bayesian network assessment.
The motion state of the transport aircraft, the operation process of the crew, and the dynamic change of the environment can increase the uncertainty of safe operation and can lead to the aggregation and fission of risks. Therefore, these risk factors are considered child nodes for Bayesian network safety assessment, as shown in Fig.6. The nodes of BN are described in Table 4.

B. PRIOR AND CONDITIONAL PROBABILITIES
There are many nodes involving human factors in the BN of a heavy equipment airdrop, and it is impossible to objectively grasp the status of X 1 , X 2 , X 3 , X 4 , and X 5 . We can determine the prior probability of parent nodes by means of expert consultation. The experts are listed in Table 5. Considering the length of time studying airdrops, participation in an airdrop mission, and educational level, we selected the 5 th expert as the most authoritative expert and the 3 rd expert as the least authoritative expert. The weight of experts can be obtained by BWM based on the establishment of a comparison matrix, as shown in Table 6. The expert weight vector can be obtained: ω * = 0.152, 0.121, 0.040,0.202, 0.485.
Taking the parent node X 1 as an example, suppose that the proposition A 1 represents the occurrence of X 1 , where A 2 represents that X 1 has not occurred, with the following evidence:      The prior probabilities of other nodes can be similarly obtained. Data collection allows the determination of the prior probabilities of nodes related to mechanical reasons and environmental reasons, as shown in Table 7.
Because of the great uncertainty of the child nodes, it is difficult to determine the CPT directly. Here, the expert voting method was adopted and the "k/n" voting gate was introduced to determine the CPTs: Y1 is a "2/5" voting gate, Y2 a "2/4" voting gate, Y3 a "1/2" voting gate, and O a "2/5" voting gate. The CPT of Y1 is shown as an example in Table 8.

C. SAFETY ASSESSMENT
The BN of heavy equipment airdrop can be visualized using GeNIe, as shown in Fig.7. The probability of heavy equipment airdrop failure is 0.0045, a result all the experts agree is acceptable. The posterior probability of each node was obtained by reverse reasoning over the BN, as shown in Fig.8, and the data are listed in Table 9.
To study the impact of various risk factors on the heavy equipment airdrop, posterior probability analysis is carried out. The posterior and prior probabilities of nodes, and the differences between these probabilities are shown in Fig.9.
The blue and red lines respectively represent the values of the prior and posterior probabilities, and the orange bars represent the differences between these probabilities. A greater difference between the posterior and the prior probability corresponds to a greater impact of the node on the safety of the heavy equipment airdrop mission. The results rank the risk factors affecting the safety of heavy airdrop missions in the order X10 > X4 > X2 > X5 > X3 > X11 > X1 > X9 > X8 > X7 > X6. The difference between the posterior and the prior probability of wind is the largest, which means that windy weather has the greatest impact on the safety of the heavy equipment airdrop, while the terrain threat has a smaller effect. Compared with the mechanical factors (main parachute system reliability, flap reliability, extraction parachute rope reliability, and cushion airbag reliability), the human factors, including the skills and psychological qualities of the pilots, the air-droppers, and the maintenance personnel, have a larger influence. Therefore, airdrop safety requires improved monitoring of the environment, effective training of personnel, and rigorous maintenance of the transport aircraft and the equipment airdrop systems.

D. IMPORTANCE ANALYSIS
Differences between the posterior and the prior probabilities of the parent nodes are the main determinants of the failure of a heavy equipment airdrop. The stability of the parent nodes is also a key factor for accident prevention. Assuming that the instability of each risk factor is 10%, the relationship between the instability of the risk factors and the safety of the heavy equipment airdrop can be studied by importance analysis to assess the stability of the parent nodes. The greater the importance value, the greater the instability of the node. The probability importance and critical importance results are shown in Fig.10.
From the importance analysis presented in Fig.10, the critical importance and probability importance results for the parent nodes are completely consistent with the differences between the posterior and the prior probabilities, indicating the effectiveness of this method. X10 is the most unstable node, indicating that the environment plays an important role in a heavy equipment airdrop. Apart from the wind factor, the other unstable risk factors are mainly human-related. The remaining risk factors are related to the stresses on the pilots and maintenance personnel during the airdrop process. A massive amount of information must be integrated, with continued assessment of its accuracy. The stress of the airdrop process suggests the need to test the ability and psychological quality of pilots and air-droppers. There are fewer accidents due to mechanical causes and more frequent accidents caused by human factors. Therefore, there is a significant need to strengthen personnel quality to improve human performance under the stressful conditions of a heavy equipment airdrop. The success rate of heavy equipment airdrops can be improved by eliminating the instability of the risk factors.
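A worked version of the k/n voting gate CPT of Section B, the reverse reasoning of Section C and the importance measures of Section D, added here as an example and not code or data from the paper: it builds the 2/5 gate for Y1 over constructed parent priors (placeholders, not the Table 7 values), enumerates the joint distribution to obtain P(Y1), the posteriors P(Xi | Y1) and the standard Birnbaum (probability) and critical importance measures. The paper's 10% instability assumption is not modelled; the standard definitions are used instead.

```python
from itertools import product

# Constructed priors for the five parents of the 2/5 voting gate Y1.
# Placeholders added for illustration, not the paper's Table 7 values.
PARENTS = ("X1", "X2", "X3", "X4", "X5")
PRIORS = {"X1": 0.02, "X2": 0.015, "X3": 0.01, "X4": 0.012, "X5": 0.008}

def voting_gate_cpt(n, k):
    """CPT of a k/n voting gate: P(Y=1 | parent states) is 1 when at
    least k of the n parents have occurred, otherwise 0."""
    return {s: 1.0 if sum(s) >= k else 0.0 for s in product((0, 1), repeat=n)}

def joint_prob(parents, priors, states):
    """Probability of one configuration of the independent parent nodes."""
    p = 1.0
    for name, s in zip(parents, states):
        p *= priors[name] if s else 1.0 - priors[name]
    return p

def failure_prob(parents, priors, k):
    """P(Y=1): marginalise the gate CPT over every parent configuration."""
    cpt = voting_gate_cpt(len(parents), k)
    return sum(joint_prob(parents, priors, s) * cpt[s] for s in cpt)

def posteriors(parents, priors, k):
    """Reverse reasoning: P(Xi=1 | Y=1) for each parent node."""
    cpt = voting_gate_cpt(len(parents), k)
    p_y = failure_prob(parents, priors, k)
    return {name: sum(joint_prob(parents, priors, s) * cpt[s]
                      for s in cpt if s[i]) / p_y
            for i, name in enumerate(parents)}

def importance(parents, priors, k):
    """Standard Birnbaum (probability) importance dP(Y)/dP(Xi) and critical
    importance Birnbaum * P(Xi) / P(Y) for each parent node."""
    p_y = failure_prob(parents, priors, k)
    out = {}
    for name in parents:
        hi = failure_prob(parents, {**priors, name: 1.0}, k)   # Xi forced on
        lo = failure_prob(parents, {**priors, name: 0.0}, k)   # Xi forced off
        out[name] = {"birnbaum": hi - lo,
                     "critical": (hi - lo) * priors[name] / p_y}
    return out

if __name__ == "__main__":
    print("P(Y1 fails) =", round(failure_prob(PARENTS, PRIORS, 2), 6))
    for name, post in posteriors(PARENTS, PRIORS, 2).items():
        print(name, "prior", PRIORS[name], "posterior", round(post, 4))
    for name, imp in importance(PARENTS, PRIORS, 2).items():
        print(name, {key: round(v, 5) for key, v in imp.items()})
```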

V. CONCLUSION
The goal of this work was to establish an STPA-BN method for the safety assessment of a heavy equipment airdrop. The results seem consistent with common sense, demonstrating the effectiveness of the STPA-BN method. The results show that human errors are the key factors leading to the failure of a heavy equipment airdrop. Thus, it is necessary to strengthen personnel training, with increased training of pilots and assurance that pilots and air-droppers have the necessary psychological qualities to ensure the safe implementation of a heavy equipment airdrop.