
Using Scenarios to discuss liability issues of UAS

Giuseppe Contissa*, Paola Lanzi**, Migle Laukite*, Patrizia Marti***, Giovanni Sartor*, Marta Simoncini*

* European University Institute
** Deep Blue srl
*** Deep Blue srl and University of Siena

http://www.aliasnetwork.eu/
info@aliasnetwork.eu

This document provides an example of the application of the scenario-based methodology developed by the ALIAS project to proactively identify liability issues to be taken into account in the design, development and deployment of new automated technologies. The example proposed concerns UAS (Unmanned Aircraft Systems). This document is shared with the ALIAS Network in order to test the soundness of the proposed scenario-based methodology, to discuss the legal issues that emerged from the analysis of the different scenarios, and to collect comments and ideas.

The document is divided into two parts. The first part presents a brief introduction to UAS, while the second part contains the scenario.

1. Introducing UAS
According to the ICAO definition (Circular 328 / AN 190), an Unmanned Aircraft (UA) is an aircraft which is intended to operate with no pilot on board. By extension, an Unmanned Aircraft System is the combination of a UA and the associated elements enabling its flight, such as the Pilot Station, the Communication Link and the Launch and Recovery elements. There may be multiple UAS, Pilot Stations or Launch and Recovery Elements within a UAS.

There are two classes of UAS: Autonomous Unmanned Aircraft Systems (AUAS) and Remotely Piloted Aircraft Systems (RPAS). The ICAO regulatory framework focuses on RPAS, as the only UAS that will be able to be integrated into the international civil aviation system in the foreseeable future. The reason for this choice is Article 8 of the Convention on International Civil Aviation, signed at Chicago on 7 December 1944, which stipulates:

"No aircraft capable of being flown without a pilot shall be flown without a pilot over the territory of a contracting State without special authorization by that State and in accordance with the terms of such authorization."

The Global Air Traffic Management Operational Concept (Doc 9854) confirms Article 8 and states:

"An unmanned aerial vehicle is a pilotless aircraft, in the sense of Article 8 of the Convention on International Civil Aviation, which is flown without a pilot-in-command on-board and is either remotely and fully controlled from another place (ground, another aircraft, space) or programmed and fully autonomous."

On the basis of these considerations, fully AUAS are not considered in the current ICAO regulatory framework for civil aviation, which focuses only on RPA.

The EASA policy for UAS regulation and certification goes in the same direction as ICAO. It tends to adopt the same definition of UAS provided by ICAO (in which the UAS is intended as the sum of Unmanned Aircraft, Pilot Station and Communication Link) and to focus on the same class of UAS. The Policy Statement for Airworthiness Certification of Unmanned Aircraft Systems (E.Y013-01) declares that the Agency is responsible for the safety of UAS except:

- Article 1 (2): military, customs, police or similar services
- Annex II (b): aircraft [of any mass] designed or modified for research, experimental or scientific purposes, and likely to be produced in very limited numbers
- Annex II (d): aircraft that have been in the service of military forces, unless the aircraft is of a type for which a design standard has been adopted by the Agency
- Annex II (i): operating mass of no more than 150 kg

Safety oversight of excluded UAS rests with Member States.

With respect to the Operational Concept for the Use of the UAS in the civil airspace, the ICAO circular contains several elements of interest on the use of RPA:

AIRSPACE (Art. 2.12) To date, most flights conducted by UAS have taken place in segregated airspace to obviate danger to other aircraft. Current UA are unable to integrate safely and seamlessly with other airspace users, the reasons for which are twofold: the inability to comply with critical rules of the air, and the lack of SARPs (Standard and Recommended Practices) specific to UA and their supporting systems. Nevertheless (Art. 2.3) integrating remotely-piloted UA into non-segregated airspace and at aerodromes can likely be achieved in the medium-term.
The premise behind the regulatory framework and the means by which contracting States will be able to grant special authorizations is that these UAS will meet the identified minimum requirements needed to operate safely alongside manned aircraft. In particular, mature Sense & Avoid Functionalities shall be introduced on board. At present they are available but are not considered mature enough to allow the integration of UAS in non-segregated airspace.

PILOT LICENCE (Art. 4.13) Remote pilots and other members of the remote crew must be properly trained, qualified and hold an appropriate license or a certificate of competence to ensure the integrity and safety of the civil aviation system.

PILOT RESPONSIBILITY (Art. 2.14) The remote pilot of a UAS and the pilot of a manned aircraft have the same ultimate responsibility for the safe operation of their aircraft and therefore have the same obligation for knowledge of air law and flight performance, planning and loading, human performance, meteorology, navigation, operational procedures, principles of flight and radiotelephony. Both pilots must obtain flight instruction, demonstrate their skill, achieve a level of experience, and be licensed. They must also be proficient in the language used for radiotelephony and meet medical fitness levels, although the latter may be modified as appropriate for the UAS environment.

USE OF PILOT STATIONS (Art. 3.9) An aircraft can be piloted from one of many remote pilot stations, during any given flight or from one day to another. Likewise, multiple aircraft can be piloted from a single remote pilot station, although standards may dictate a one-aircraft-at-a-time scenario. In both of these cases, the configuration of the system in operational use changes as one element or the other changes on a real-time basis.

APPLICATION IN CIVIL OPERATIONS (Art. 3.12) UAS are popularly commended as being well suited to civil applications that are dull, dirty or dangerous, in other words, tasks that entail monotony or hazard for the pilot of a manned aircraft. However, there is a far broader potential scope for UAS, including, inter alia, commercial, scientific and security applications. Such uses mainly involve monitoring, communications and imaging.

CERTIFICATION (Art. 6.1) RPAs are integrating into a well-established certification system and are subject to demonstrating compliance in a manner similar to that of manned aircraft. The fact that these aircraft cannot operate without supporting system elements (remote pilot station, C2 data links, etc.) brings new complexities to the subject of certification. One cannot assume that a single RPA will always be flown from the same remote pilot station using the same C2 data link. Rather, it is likely that each of these system elements will be changeable. It is even likely that for long-haul operations, the remote pilot station and C2 data links will be changed during flight and that as a remote pilot station is released from one aircraft it can then be used for another in real time.

2. The Scenario: Conflicting Purposes


This section presents the scenario of a potential accident involving UAS. The scenario depicts a hypothetical situation that does not reflect events that actually occurred, and whose realism may in some cases be questionable. The intent of the scenario is to raise possible issues concerning the attribution of liability in this particular highly automated system that may be of interest for the ALIAS project.

The scenario is structured in a table that presents:

- information about the context of operations
- the story
- an analysis of the accident steps and components, whose main purpose is to highlight the key interactions at the basis of the event. For each key interaction the table reports information about the nature of the interaction itself, defined on the basis of the SHEL model (Edwards, 1972): L-L between humans, L-S involving the application of procedures and rules, L-H involving the interaction with the technology. It also provides the key resources involved at technical, human and organisational level.
- a discussion of the main elements of the scenario
- a discussion of issues on liability attribution raised by the scenario that can be relevant for the ALIAS project

TITLE: CONFLICTING PURPOSES

CONTEXT OF OPERATIONS


RPAS are integrated in the civil airspace, thus can fly along with civil traffic in civil airspace with no need for the Unmanned Flight to be restricted within segregated and/or isolated airspace. They are equipped with reliable Detect & Avoid Functions that allow the detection and the avoidance of civil traffic in the vicinity of the unmanned aircraft. In case of risk of collision the UAS proposes an avoidance strategy to the remote pilot. If the pilot does not reply in a pre-defined lapse of time the UAS instructs the automatic avoidance manoeuvre, still maintaining the possibility for the pilot to return to a fully manual guidance. At the end of the manoeuvre the control of the unmanned aircraft goes back to the remote pilot. Each RPAS is connected to one or more Pilot Stations, depending on the distance to be flown. Each Pilot Station is connected to one or more Air Traffic Control Sectors.

STORY
A problem occurs in the nuclear reactor of an important nuclear power plant, causing a radiation leak. The national authorities arrange to immediately move the population within a range of 50 NM from the nuclear power plant to a safer area and to close the lower airspace over the same region up to FL200. The ATC Centre keeps controlling the closed airspace in order to ensure that no traffic accidentally violates the segregation.

The national authorities also decide to arrange non-military security missions to monitor the emissions of the nuclear reactor. The mission adopts a UAS that is equipped with fall-out sensors and has a notable endurance in terms of flight time. Its autonomy is up to 15 hours. The UAS trajectory foresees that it takes off from a military airport about 300 km from the nuclear power plant, orbits over the area at different distances (both horizontal and vertical) from the nuclear power plant and comes back to the airport. The whole mission should last about 5 hours. The mission develops completely in IFR airspace, except for the nuclear power plant area, in which the UAS descends to low altitudes to survey the quality of the air and the fall-out.

Two Pilot Stations are necessary to ensure the coverage of the whole flight trajectory. They operate in BLOS (Behind Line of Sight) mode, meaning that the separation of the UA from both terrain and other traffic is based on instrumental support onboard. A Licensed Remote Pilot and a UAS Operator are available in both Pilot Stations. The Pilot Station managing the UA over the nuclear power plant area also includes a scientist (acting also as Mission Manager), who is in charge of the data collection. Shift changes are foreseen in both teams every 4 hours.

While the UA is overflying the area of the nuclear power plant and recording data, a problem occurs on an aircraft above, currently flying at FL280, outside the closed airspace. Due to a depressurisation problem on board, the aircraft has to descend to FL100, thus entering the segregated airspace. The pilot informs the air traffic controller of the problem and of the immediate descent to FL100 as prescribed by the emergency procedures to ensure the safety of the flight. The ATCO informs the pilot that the descent implies the infringement of a segregated airspace and may be potentially dangerous. The pilot declares that he has no alternative to applying the emergency procedure and asks to land at the nearest airport. The controller coordinates the aircraft's landing at a nearby airport outside the closed airspace and informs the remote pilot of the UA of the other traffic in the area. He informs both pilots that he will take care of the separation between the two aircraft.

Some time later the air traffic controller notices that the orbital trajectory of the UA is likely to collide with the trajectory of the other aircraft. He has to define a safe strategy to avoid the collision, taking into account that both flights have constraints on vertical level and horizontal plane and that one of them is in emergency conditions. Thus he provides the UAS with a speed reduction instruction. The air traffic controller communicates the instruction to the remote pilot, who in turn instructs the UA. Unfortunately the instruction proves insufficient.

After the initiation of the manoeuvre the onboard Detect & Avoid system detects the potential conflict and proposes to descend. The remote pilot evaluates the manoeuvre with the operator responsible for the mission, who refuses the descent as potentially affecting the quality of the data collected. The pilot decides to further reduce the speed of the UA, believing this manoeuvre equally effective to guarantee the separation. Unfortunately the manoeuvre proves ineffective in avoiding the mid-air collision.

ANALYSIS OF ACCIDENTS STEPS AND COMPONENTS


1. Interaction: L-S (L: ATCO; S: Procedure of traffic monitoring and separation)
   LATENT CONDITION: The air traffic controller is responsible for traffic monitoring and separation, regardless of whether they are manned or remotely piloted vehicles.

2. Interaction: L-H (L: ATCO; H: ATCO system)
   LATENT CONDITION: The air traffic controller does not have precise information about the time of reaction of the UA and its trajectory.

3. Interaction: L-S (L: Pilot; S: conflict avoidance procedure)
   ACTIVE ERROR: The air traffic controller provides the traffic with an avoidance instruction that proves ineffective.

4. Interaction: L-S (L: remote pilot; H: UA)
   ACTIVE ERROR: The remote pilot of the UA does not perceive that the instruction suggested by the ATCO will be ineffective and applies it.

5. Interaction: L-H (L: remote pilot; H: UA)
   ACTIVE CONDITION: The UA Detect & Avoid System detects the potential conflict and proposes an avoidance manoeuvre to the pilot.

6. Interaction: L-L (L: remote pilot; L: mission manager)
   ACTIVE ERROR: The remote pilot and the mission manager evaluate the suitability of the avoidance manoeuvre suggested by the UA in the light of the mission objectives and conclude that it is inapplicable.

7. Interaction: L-H (L: remote pilot; H: UA)
   ACTIVE ERROR: The remote pilot does not accept the manoeuvre suggested by the UA and instructs to further reduce speed.

DISCUSSION
This scenario reports a potential accident that is due to ineffective decisions of the remote pilot. The scenario is apparently easy to analyse. The pilot does not follow the manoeuvre suggested by the UA Detect & Avoid System, thus causing the collision of the UA with a passenger flight. However, looking at the story in more detail, it is evident that the behaviour of the pilot is due neither to negligence nor to underestimation of the problem. Actually it is intended to find a manoeuvre that safeguards at the same time the safety of the operations and the successfulness of the UA mission. In particular, the decision of the pilot comes from a number of elements:

- the remote pilot knows that the strategy proposed by the UA Detect & Avoid System does not take into account the objectives of the UA mission. As a consequence it may affect the successfulness of the mission itself.
- in the opinion of the mission manager the manoeuvre suggested by the UA Detect & Avoid System would affect the quality of the data collected and the successfulness of the mission. On the basis of this consideration, the remote pilot perceives the strategy proposed by the UA as sub-optimal.
- the remote pilot believes that a further reduction of speed would be effective as well, saving at the same time the quality of the data collected for the mission.

ISSUES ON LIABILITY ATTRIBUTION


The scenario shows a clear case of conflicting purposes whose management affects the level of safety. In fact the safety of the operations is set against the successfulness of the mission: the success of the UAS mission can be affected by the avoidance instruction proposed by the Detect & Avoid system of the UA. Thus the pilot decides not to follow the UA suggestion and to instruct a different manoeuvre, which then proves ineffective.

This scenario raises some interesting questions on the use of UAS and on liability attribution.

1. REMOTE PILOT LIABILITY

In the scenario the success of the UAS mission can be affected by the avoidance instruction proposed by the Detect & Avoid system of the UAS. Thus the pilot decides not to follow the UAV D&A suggestion and to instruct a different manoeuvre, which then proves ineffective. This is a clear case of conflicting purposes: the safety of the operations vs the successfulness of the mission. Actually the pilot is between the UAS and the mission manager and tries to find a solution that safeguards both the safety of the operations and the scope of the mission. According to the ICAO circular, the remote pilot has the ultimate responsibility for the safety of the operations.

Can the pilot and/or the mission manager be considered liable for the accident? If yes, which kind of liability is involved?

Since, according to the ICAO circular, the (remote) pilot has the ultimate responsibility for the safety of the operations, he is undoubtedly liable for the mid-air collision. Probably, his liability can be considered in terms of negligence, since by balancing the safety of the operations with the successfulness of the mission he lowered the safety standard and the collision occurred. However, it should be taken into account that his negligent behaviour was based on the belief, supported by the air traffic controller's instructions, that the chosen manoeuvre would have been equally effective to guarantee the separation.

In order to understand if the mission manager can also be considered liable for the safety failure, his role within the pilot station should be clarified. If he is there with no other task than signalling which data should be collected and where these should be taken, his interference with the decision of the remote pilot is not legally relevant. Since the mission manager has no competence on the safety of the flight and he is only a scientist of nuclear radiation, his suggestions on flight trajectories to the remote pilot can be considered not only not binding, but also no more convincing than the suggestions of a lay person. The fact that the remote pilot tried to preserve the successfulness of the mission, and that the mission manager insisted on this, can have legal effects only in order to understand the reasons why the remote pilot decided in that unsuccessful way. Therefore, this can help to recognise the good faith of the remote pilot and proportionally reduce his criminal liability. With regard to civil liability, the company the pilot is working for should be vicariously liable.

On the contrary, if the mission manager has specific directive tasks within the Pilot Station, also with regard to the trajectories that the plane should follow, he can be considered to have actively contributed to the mid-air collision.

2. REMOTE PILOT LIABILITY AND TRUST IN TECHNOLOGY

In this particular scenario the accident occurs because of an avoidance manoeuvre instructed by the pilot in contrast to the manoeuvre suggested by the UAS Detect & Avoid system. We can however imagine the opposite case in which the accident occurs as well, even if the remote pilot follows the UAV D&A suggestion.

How should liability be attributed in this latter case of over-trust? Which kind of liability?

In this case liability issues regard both the remote pilot and the technology at stake. As far as the remote pilot is concerned, he not only has the ultimate responsibility for the safe operation of the aircraft, but he also has the chance to decide alternative avoidance strategies. Indeed the UAS autonomously instructs the avoidance manoeuvre only if the pilot does not reply in a pre-defined lapse of time. Therefore, in case of over-trust, it should be understood why the remote pilot considered the UA suggestion safe, and on this basis his negligence can be assessed.

The issue at stake is the problem of over-trust in technology, and the allocation of liability in this case depends on the situational interaction between humans and technology. Therefore, it should be understood whether the operator's complete trust in technology depends on the fact that he did not exercise due diligence, or under which conditions a certain behaviour is over-trusting in technology, and who establishes this. Consequently, a remote pilot could be deemed liable if he does not demonstrate that, when accepting the avoidance strategy, he performed the risk assessment function correctly and in fact had some serious and reasonable grounds to trust the technological support completely.

If the UA Detect & Avoid System fails to perform an avoidance manoeuvre, we need to consider the regulation of in-flight accidents: the air companies are strictly responsible towards the passengers, but they have to share the damage according to their relative faults. We thus need to distinguish the extent to which the fault of the automatic systems can be compared with the fault of the pilot. An idea would be to consider the UA as a hybrid cognitive system including the remote pilot as well as the Sense & Avoid System and to apply to it the same standards that are applicable to human pilots.

Liability issues regard the problem of establishing who is responsible for accidents/incidents that are due to technical malfunctions, although the system has been certified as safe and resilient. In theory, both standard-setters and certification bodies can be deemed liable for safety failures. Actually, this means recognising that safety assessment procedures matter; therefore whoever contributes to defining what is safe should be considered responsible for this judgment.

3. PUBLIC AUTHORITY LIABILITY

In the scenario, at the very beginning of the story, the National Authority decides to limit the closure of the airspace up to FL200 and coordinates the UAS mission to collect data in the region.

Can the State be charged as liable for the accident, as negligent in the evaluation of the risks associated with the nuclear emissions and with possible interactions between UA and other traffic?

The National Authority's decision is due to a problem that occurred at the nuclear power plant concerned and it is based on the assessment of the risk of radiation in the surrounding area. In order to limit health risks, the National Authority decided to evacuate the population from that site and to close the relevant airspace. In doing so, this Authority has to respect the proportionality principle, which requires that public measures may not impose obligations on a citizen except to the extent to which they are strictly necessary in the public interest to attain the purpose of the measure. This means that any public measure should be suitable for the purpose of facilitating or achieving the pursued goal, necessary in the sense that the authority concerned has no other mechanism (with the same effectiveness) at its disposal which is less restrictive of freedom, and proportional in a strict sense, namely the measure may not impose an intolerable burden on the individuals that it affects. In this case, the airspace closure and the evacuation of the area limit the freedom of movement of people, therefore these measures should be the least intrusive possible in order to be legitimate.

The decision on the airspace that needs to be closed is based on the mere assessment of the nuclear radiation conditions, and it is not within the competence of the National Authority concerned to reconcile that decision with the flow of the air traffic: the goal of the National Authority is to protect citizens against radiation and not to manage air traffic. As far as the decision to authorise the UA mission is concerned, the coordination between the UA and other air traffic is not up to the National Authority but is within the competence of both the air traffic controller and the remote pilot. The State as such cannot be considered liable, because it had no competence on this issue. Furthermore, since the UA mission is carried out in a closed airspace area, the State cannot be considered imprudent in the management of the nuclear radiation crisis.

4. ATC LIABILITY

In the scenario the air traffic controller monitors all the traffic in the sector (including the UA), detects the potential conflict and suggests an avoidance instruction intended to take into account the constraints of both flights. The instruction proves ineffective and the UAS Detect & Avoid System activates, with the epilogue described above.

What is the role of the air traffic controller in this case? Can he be considered liable? If so, which kind of liability is involved?

The air traffic controller had the responsibility of taking care of the separation between the aircraft. This means that he was charged with liability for failure of his instructions to guarantee the safety of the air traffic management. Since he informed both pilots of his taking care duty with regard to minimum distance separation, both pilots therefore relied on the information and instructions delivered by the air traffic controller. The failure to assure air traffic safety can therefore be considered as a case of negligence, since the air traffic controller failed to respect the necessary due care standard. In particular, by giving the speed reduction instruction (instead of the descending one) the air traffic controller failed to supervise the manoeuvre of minimum distance separation maintenance and he can be charged with liability for faulty supervision.
