
Safe operation of mini UAVs: A review of regulation and best practices

D.Sanz*, J.Valente, J.Colorado, J.D.Hernandez, J.del Cerro and A.Barrientos

Center for Automation and Robotics - CAR UPM-CSIC, C/ José Gutiérrez Abascal, 2 - 28006 Madrid (Spain)

Abstract

Nowadays, great efforts are being carried out to establish a common policy that guarantees the safe operation of Unmanned Aerial Vehicles (UAVs). Large systems have been widely addressed, and their regulations clearly defined and specified from both the Artificial Intelligence (AI) and human-operation perspectives. Nevertheless, the current international normative is neither uniform nor well defined in relation to small and mini UAVs (mUAVs). In this regard, national regulations are the ones that apply, and in general they are not consolidated yet. This fact forces mUAV developers to tackle this process from different approaches, which consequently do not contribute to improving safety. This article proposes a unifying three-step structure that adapts and complements the safety regulation defined by the ISO 31000 normative, aimed at overcoming the context limitations and deficiencies observed in the literature review. The proposed three-step structure allows for the evaluation of safety issues from a global view, which means it iteratively considers all factors and tasks involved in the process: i) risk analysis, ii) hazard assessment and iii) damage reduction. This provides a solid structure for accounting for and reducing the possible risks involved in mUAV operation.

Keywords: Safety, Unmanned Aerial Vehicles, Risk assessment, Damage reduction.

1. Introduction

In the last decades, the robotics community has witnessed an amazing increase in the employment of Unmanned Aerial Vehicles (UAVs). Most applications can be found in fields like surveillance, rescue or inspection, while other areas such as agriculture are demanding a new generation of autonomous machines (robots) with the capability to intelligently assist by means of cooperative labors. The introduction of mUAVs within civilian scenarios faces several challenges, not only concerning the technical requirements behind e.g. higher autonomy, but also in terms of safety. Safety can be defined as the state in which the system is not in danger or at risk, free of injuries or losses. Safety issues have become a legislation priority for the Air Authorities (AA) in charge of regulating mUAV operation within civilian spaces [1, 2]. In this regard, large-scale UAV systems have been broadly studied and discussed, but on the contrary, small-scale UAVs are plunged into a diffuse legal status. The lack of safety policies derives from the fragmentation of the AA normative, which clearly remains a concern.
Preprint submitted to Accident Analysis & Prevention March 29, 2012

From prior work in [3, 4] we have observed how crucial it would be to incorporate a unified safety structure within the mUAV flight-mission architecture. Several data have been gathered from experimental trials in order to evaluate possible causes of system failure. Figure 1 shows the most important elements to consider during the evaluation of mUAV failure situations: i) the entire onboard equipment, ii) the software and algorithms provisioned, iii) the human supervision and monitoring, and iv) the base station components (e.g. communication data links, etc.).

Figure 1: Description of a typical mUAV system and the implications for safe operation. i) Most important electronic components, ii) mUAV monitoring by human supervision, iii) base station components.

Motivated by the countless problems encountered in prior works, here we propose a methodology that defines three basic steps that might be useful in avoiding hazardous situations. This article is organized as follows. Section 2 presents a comprehensive analysis and discussion of the current approaches to tackling safety normative. This allows for evaluating the future trends and alternatives for standardizing legislation in this area. Section 3 introduces the proposed three-step structure based on the ISO 31000 normative. Under this methodology, possible hazards are first identified according to the characteristics of the system (see Subsection 3.1). Secondly, potential damage is estimated and assessed depending on the context of the application at hand. Subsection 3.2 details the proposed methodology for damage evaluation. Based on the aforementioned evaluation analysis, Subsection 3.3 provides specific solutions to avoid damage. The solutions basically depend on the origin and magnitude of the identified menaces.

2. Legal framework

The first point to be considered when evaluating the safeness of a UAV system relates to the legal framework that applies to the system. These frameworks basically contain a preliminary analysis of the safety problem, which mainly consists of guidelines and procedures that avoid or minimize risks that may arise. The study and analysis of legislation require hard work in terms of discriminating the applicable directives for each individual case, i.e., by considering a specific application, the robot characteristics, etc. This fact makes this survey scope out not only the common normative (generalist, referring to machinery or electronic equipment), but also the UAV-specific one. Furthermore, current air legislation for mUAVs is quite uncertain and diffuse, hence making the normative consolidation process difficult. It is important to highlight that most of the current work devoted to advancing mUAV legislation remains at an early stage. Most of the proposals in this direction are still a work in progress.

2.1. Common applying normative

Common normative applying to drones (herein called mUAVs) is outlined in just four ISO documents. These documents correspond to:

- ISO 12100: Safety of machinery - General principles for design.
- ISO 14121: Safety of machinery - Risk assessment.
- ISO 31000: Risk management - Principles and guidelines.
- ISO 13849: Safety of machinery - Safety related parts of control systems.

Each of these documents summarizes the same legal framework structure, in which the UAV system is considered as a whole, i.e., with no emphasis on the instruments onboard the vehicle. To complement this, other normative could be applied in order to conceive the mUAV system not only as a vehicle, but also as a set of electronic devices. This complementary normative could be based on standards such as: i) IEC/TR 61000 and ISO 33.100, both focusing on Electromagnetic Compatibility (EMC), ii) ISO/IEC 18000 for radio frequency and communication specifications, and iii) ISO 19133, which details issues regarding tracking, location, navigation and geographic information in general.

2.2. General UAV normative: the international framework

Since Unmanned Aircraft Vehicles are relatively new, the normative and legislation are still under development, and the discussions about them are still open to improvements [5].
Because of the military origins of UAVs, global standardization has turned out to be difficult. A major global effort started in 2005 with the Cross Atlantic cooperation among the US Federal Aviation Authority (FAA), the European Aviation Safety Agency (EASA) and Eurocontrol. The result of this cooperation has been consolidated as a commitment to coordinate the development and implementation of UAV flight operation standards, policy and regulations. The goal was to define a formal policy for UAV certification [6]. In the United States, the FAA imposes a two-step certification process before allowing any vehicle to operate within the National Air Space (NAS). The former step is the obtainment of the Airworthiness Certification, whereas during the latter step the Certificate of Authorization (COA, pronounced KO-AH) is obtained. As a result, only drones awarded with a COA are allowed to operate [10], [2]. European legislation is quite similar. Nevertheless, as far as the Cross Atlantic cooperation was only focused on big-medium UAVs, EASA's scope has been focused on addressing UAVs with a maximum take-off weight (MTOW) over 330 lb/150 kg [11]. On the other hand, Light UAVs (LUAS) must be regulated by the corresponding EU Air Authorities. However, the definition of LUAS embraces so many different types of drones, even those that are above the MTOW limit.


NAME        Micro      Mini       Close Range   Short Range   Medium Range
MASS        < 5 kg     5-15 kg    25-150 kg     50-250 kg     150-500 kg
RANGE       < 10 km    < 10 km    10-30 km      30-70 km      70-200 km
ALTITUDE    150 m      250 m      3000 m        3000 m        5000 m
ENDURANCE   < 1 h      < 2 h      < 4 h         < 6 h         < 10 h

Table 1: Small UAV classification according to [7, 8].


          Class I                                 Class II
TYPE      Micro    MTOM < 1.5 kg                  Micro    MTOM < 1.5 kg
          Group A  MTOM > 1.5 kg & < 7 kg         Group A  MTOM > 1.5 kg & < 7 kg
          Group B  MTOM > 7 kg & < 20 kg          Group B  MTOM > 7 kg & < 20 kg
          Group C  MTOM > 20 kg & < 150 kg        Group C  MTOM > 20 kg & < 150 kg
RANGE     < 500 m from pilot                      > 150 m AGL
                                                  > 500 m from pilot
                                                  Flight beyond VLOS

Table 2: Light UAV classification according to [9]. The most significant difference between Class I and Class II vehicles is that the latter are subject to the Rules of the Air and in coordination with Air Traffic Management (ATM).

Tables 1 and 2 present the most widely accepted small/light UAV classification, which includes the following characteristics: i) mass, ii) maximum flight ranges, iii) relative altitudes and iv) flight endurance. These characteristics allow for the definition of topics dealing with [9]:

- Operational approval: it applies to Class I drones. It consists of a proof demonstrating safe flight, licensing, training, and limitations of the system.
- Full regulations: it applies to Class II drones. It requires the Certification of airworthiness, registration, design certification, etc.

Besides the aforementioned characteristics, other issues regarding the wing type of the vehicle, e.g., rotary or fixed, and the flight control scheme, e.g., autonomous adaptive/non-adaptive, monitored, supervised, and direct, must also be considered. Apparently, the most advanced frameworks for regulating the safe operation of UAVs (either in civil or military fields) are located in the UK, France and Austria. Other advanced military programs exist in Germany, Croatia, Czech Republic and Sweden [12]. Nonetheless, the critical issue concerns standardization, mainly because their frameworks differ in their regulations. In general, as an attempt to solve this issue, the following regulations are leading the normative:

- Australia (CASA): Civil Aviation Safety Regulations, CASR. Part 101 [13][14].
- France (DGA): UAV Systems Airworthiness Requirements (USAR) [15].
- Israel (CAII): UAV Syst. Airworthiness Regulations [16].


[Table 3 body: the per-country status matrix (columns marked (N), (P) or (U), criteria rows 1-13 marked with X or X*) was not recoverable from the extraction; only the caption below survives.]

Table 3: Comparison of the current UAV proposals/legislation, where (1) corresponds to the classification of the drone according to its weight (< 150 kg); (2) if the maximum flight speed is 36 m/s; (3) if the maximum distance to the pilot is 500 m; (4) if the maximum relative height is 121 m; (5) if the maximum kinetic energy on impact is 95 kJ; (6) if the minimum distance to populated areas is 150 m; (7) if the minimum distance to any individual person is 100 m; (8) if an aero-plane modeling license is required; (9) if the drone should always fly under VLOS; (10) if it is not allowed to carry people or animals; (11) if an ATM civil certification for flying in a non-segregated airspace is required; (12) if airworthiness is an official requirement; (13) if the drone must be equipped with FGS and lighting systems.

- Japan (JUAV): Safety standard for commercial-use, unmanned, rotary-wing aircraft in uninhabited areas [17].
- UK (CAA): Light UAV Systems Policy (LUAS) [18].
- USA (FAA): AC91-57, AFS-400 UAS Policy 05-01 [19].

Nevertheless, they regulate common aspects, mainly centered on the dynamics of the vehicle and the safety of the environment. In the first aspect, common rules are defined, such as the maximum velocity (90 kts, 46 m/s), the maximum kinetic energy on impact (95 kJ), or the maximum height above the surface (400 ft, 122 m). Other regulations are not standard, and differ depending on the country air authorities: i) the maximum distance to the operator (e.g. 500 m, 1 km or Visual Line-of-Sight, VLOS), and ii) position lights requirement. On the other hand, limitations in terms of operational environment have a common base, but they are implemented quite differently in each country.
Operational environment limitations refer to the regulation of aspects like: i) the maximum distance to populated areas (in general, between 150 and 500 m) or ii) to outsider people (around 100 m), iii) the maximum distance to airports and military zones (between 2 km and 5 km) and iv) the suitable areas for taking off and landing (see Table 3).

2.3. On-going normative and proposals. Working groups and organisms involved

A common normative does not seem to be feasible in the short/medium term [20]. Apart from the national air authorities, there are many groups (gathering manufacturers, users, designers, researchers, etc.) attempting to establish a common frame to regulate safety in UAV operation.

The produced documents contain regulation issues in the form of recommendations, not in the form of official normative. However, the documents can be considered valid, since the majority of the UAV community has been involved in their preparation. The most active partners within the UAV community are: EUROCAE (specifically the Working Group 73), USICO, JARUS (Joint Authorities for Rulemaking on Unmanned Systems), ICAO (International Civil Aviation Organization) and UVS International. Recently, the Joint Aviation Authority (JAA) and Eurocontrol have assembled a UAV Task Force, aimed at issuing a proposal report according to the suggestions of the aforementioned partners [1], in relation to safety requirements. The proposal mainly determines that UAVs should comply with an equivalent level of safety (ELOS) compared to conventionally manned aircraft [21].

3. Risk analysis

Even fulfilling the normative, and observing every aspect of the legislation, risks are inherent to engineering processes. Therefore, it is mandatory to identify the hazards and evaluate their severity in order to delimit their effects [22]. The process of assessing the potential hazards is known as Risk Analysis (RA). The forthcoming subsections introduce the RA framework. Reviewing the literature, several alternatives that address RA issues are presented in [23], [24], [25], [26], and [27]. [24] proposes a PRAM structure (), where... Other works [26] introduce structures based on events, i.e. by following the top-down approach of Fault Tree Analysis (FTA), where faults are modeled in terms of events that have been caused by anomalies, malfunctions, human errors, etc. In [27] a Common Cause Analysis (CCA) structure has allowed for identifying and associating common errors (events) in order to eliminate redundancies. In general, the methods based on events present a deductive structure that analyzes the system reliability in terms of effect-to-cause, rather than in a bottom-up or top-down manner.
Some of these methods are the Failure Mode and Effects Analysis (FMEA), or the Failure Mode and Effects Criticality Analysis (FMECA) [28]. Most of the methods based on events do not include the specifications of the system and the reduction procedures within the analysis process. This is a disadvantage. To solve this problem, the ISO 14121-1 standard, depicted in Figure 2, seems to be an adequate incorporation. This scheme considers the specifications of the system within the first stage of the RA process, which should be revised after the analysis. Furthermore, the standard also includes how other characteristics of the system, such as obstacle avoidance maneuvers, could result in new hazards. This fact implies that this standard is able to take into account subsystems that might fail. In Figure 2, note that a statement-of-the-boundaries step is defined after the definition of the requirements and specifications of the system. This step limits not only the system but also the operating framework (Section 3.1). Once the dangers are enclosed, the possible risks are found, i.e. failures, malfunctions, etc. The risk search is driven according to the nature of the danger and the origin of the hazards. Finally, the risks found are evaluated according to ISO 13849-1 and classified depending on their severity. The information gathered during the analysis is managed in order to minimize or avoid the risk. This Risk Reduction Procedure (RRP) is presented in Section 3.3. It is important to anticipate that this structure is non-linear, since the introduction of new techniques for minimizing or even avoiding the risks may introduce new hazards. This implies a recursive evaluation of the risks, where not only the performance of the solution is assessed, but also its effects upon the overall system behavior. The architecture for recursive evaluation of the risks is depicted in Figure 2. The problem with a recursive evaluation of risks is that it might end up in an endless loop. To solve this, the loop has a limited number of iterations that force a redefinition of the system's specifications, in case it is not possible to bring the risk level down to the required one.

Figure 2: Simplified architecture for Risk Analysis (RA).

3.1. Risk identification

Prior to analyzing the potential hazards of the system, it is necessary to define the limits of operation by enclosing the possible consequences of an accident or failure [29]. It is possible to divide these limits according to their nature: physical, temporal, environmental, and behavioral. The requirements for both physical and temporal limits are partly derived from the manufacturer's specifications, and also from experimental tests carried out with the system.

Thus, restrictions are imposed not only on the equipment, but also on the environment and flight procedures. A detailed description of the limits of operation is summarized as follows:

1. Physical limits: unit and components. They refer to the kinematic and dynamic restrictions imposed by the drone. Their origin (self or imposed) derives from the physical restrictions of the machine itself, or from the dispositions of the legal framework. For example, the maximum payload (or the equivalent Maximum Take-Off Weight, MTOW) and the maximum speed are clearly defined by the drone's characteristics, but other restrictions are not clearly defined: the maximum/minimum height, the maximum kinetic energy on impact, etc. These kinds of limits are often defined by the most restrictive source.

2. Temporal limits: life time. Temporal restrictions derive from the degradation or loss of efficiency of the system's components. In this sense, short-time and long-time restrictions should be considered in order to guarantee their proper behavior. Short-time restrictions are: the maximum flight time, the command response time, and the sensor acquisition time. Long-time restrictions are: engine and battery degradation.

3. Environmental limits: flight location and conditions. Similarly to physical limits, environmental limits are imposed by the drone itself and/or by the legislation. In the former, limits such as wind speed, ambient light or the presence of dust/rain should be evaluated. In the latter, limits such as the minimum distance from populated areas or from airports/military installations, the inclusion of the drone in the non-segregated airspace or the GPS coverage must also be considered.

4. Behavioral limits: operation and procedures. It mainly refers to the flight constraints applied to the operation, which consequently affect the procedures and actions of the pilot (both autonomous and manual). In the case of manual flight, the operator-vehicle distance limitation might be included in this topic, whereas in the case of autonomous flight, the algorithmic and sensing capabilities of the vehicle.

The introduced limitations play a significant role in avoiding hazardous situations. Nevertheless, since they are static, they do not cover all the possible hazardous situations arising from the dynamic circumstances that may occur. It is possible to limit the hazards by constraining the characteristics of the flight, but attempting to avoid them is definitely a challenge. Assuming that the operation conditions satisfy the applied normative, and even consider the aforementioned limitations, the main hazard source concerns breakdowns. In the following, we describe how to decrease the rate of breakdowns by classifying their sources. This classification divides breakdown sources in terms of: i) external sources, and ii) internal sources.

1. External sources are those whose behavior is not related to or connected with the system. Since they are not manageable, their presence supposes an extra risk that should be considered. The interference of third-party agents (e.g. animals, humans, other equipment, EMC emitters, etc.), the environmental conditions (e.g. wind, temperature, GPS signal quality, etc.) or the presence of dynamic obstacles represent the main sources of external hazards.

2. Internal sources are those related to the drone's operation, or derived from one or more procedures associated with the application. This analysis is detailed in Table 4, which lists the flight activities that may provoke a breakdown or a risk situation.
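The "most restrictive source" rule for physical and environmental limits can be made mechanical. The following is an added example (not code from the paper or its authors) that merges a constructed manufacturer specification with the legal figures quoted on the page (36 m/s, 121 m, 500 m to the pilot, 95 kJ on impact, 150 m to populated areas, 100 m to any person), taking the tighter value for each limit, and then checks a planned flight against the merged envelope, including the kinetic-energy figure 1/2 m v^2. All numeric values in MANUFACTURER_LIMITS and in the sample plan are constructed for illustration.

```python
"""Pre-flight envelope check for Section 3.1: merge manufacturer limits with
legal limits by the most restrictive source, then verify a planned flight.
Added example; manufacturer figures and the flight plan are constructed."""

# Constructed manufacturer specification for a hypothetical mini UAV.
MANUFACTURER_LIMITS = {
    "max_speed_mps": 20.0,     # m/s
    "max_altitude_m": 300.0,   # m above ground level
    "mtow_kg": 4.0,            # maximum take-off weight
    "max_wind_mps": 10.0,      # environmental limit from the manufacturer
}

# Common legal rules as quoted on the page (Table 3 caption, Section 2.2).
LEGAL_LIMITS = {
    "max_speed_mps": 36.0,
    "max_altitude_m": 121.0,
    "max_dist_to_pilot_m": 500.0,
    "max_impact_energy_j": 95_000.0,
    "min_dist_populated_m": 150.0,
    "min_dist_person_m": 100.0,
}

# Limits that are floors (minimum separations) rather than ceilings.
FLOOR_KEYS = {"min_dist_populated_m", "min_dist_person_m"}


def most_restrictive(*sources):
    """Merge limit dictionaries: ceilings take the minimum, floors the maximum."""
    merged = {}
    for src in sources:
        for key, value in src.items():
            if key not in merged:
                merged[key] = value
            elif key in FLOOR_KEYS:
                merged[key] = max(merged[key], value)
            else:
                merged[key] = min(merged[key], value)
    return merged


def impact_energy_j(mass_kg, speed_mps):
    """Kinetic energy 1/2 m v^2, the figure compared against the 95 kJ cap."""
    return 0.5 * mass_kg * speed_mps ** 2


def check_flight(plan, limits):
    """Return the names of the violated limits for a planned flight (empty = go)."""
    checks = [
        ("max_speed_mps", plan["speed_mps"] > limits["max_speed_mps"]),
        ("max_altitude_m", plan["altitude_m"] > limits["max_altitude_m"]),
        ("max_dist_to_pilot_m", plan["dist_to_pilot_m"] > limits["max_dist_to_pilot_m"]),
        ("min_dist_populated_m", plan["dist_populated_m"] < limits["min_dist_populated_m"]),
        ("min_dist_person_m", plan["dist_person_m"] < limits["min_dist_person_m"]),
        ("mtow_kg", plan["mass_kg"] > limits["mtow_kg"]),
        ("max_wind_mps", plan["wind_mps"] > limits["max_wind_mps"]),
        ("max_impact_energy_j",
         impact_energy_j(plan["mass_kg"], plan["speed_mps"]) > limits["max_impact_energy_j"]),
    ]
    return [name for name, failed in checks if failed]


# Constructed flight plan: everything is within limits except the altitude,
# which respects the manufacturer (300 m) but not the legal ceiling (121 m).
SAMPLE_PLAN = {"speed_mps": 15.0, "altitude_m": 150.0, "dist_to_pilot_m": 300.0,
               "dist_populated_m": 200.0, "dist_person_m": 120.0,
               "mass_kg": 3.5, "wind_mps": 6.0}

if __name__ == "__main__":
    envelope = most_restrictive(MANUFACTURER_LIMITS, LEGAL_LIMITS)
    print("envelope:", envelope)
    print("violations:", check_flight(SAMPLE_PLAN, envelope))
```

The merge keeps the manufacturer's 20 m/s over the legal 36 m/s but the legal 121 m over the manufacturer's 300 m, which is exactly the "most restrictive source" behaviour the text calls for; any limit missing from one source is simply taken from the other.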

STAGE         ACTIVITY
Preparation   Manufacture, Load, Transport, Assembly, Handle, Packaging
Startup       Setup, Assemble, Adjustment, Connections, Test, Installation, Integration (e.g. payload mount/unmount)
Operation     Piloting, Human intervention, Setup, Supervision, Human manipulation, Violations of safety procedures, Verification, OS hung up
Maintenance   Settings, Cleaning, Conservation, Lubrication, Periodicity, Suitability, Charging process of batteries
Design        Materials, Components, Physical stability, Resistance, Compliance, Software
Control       Algorithmic stability, Time of response, Refresh rate, Accuracy, Error handling, Hysteresis, Software Virus

Table 4: Analysis of hazards external sources.

TYPE: Mechanical hazards
  SOURCES: Impacts, Emissions, Give-offs, Collisions, Breaks, Friction, Pressure, Inadequate balance/stability, Mobile parts
  CONSEQUENCES: Run over, Crush, Cut or section, Drag or entrapment, Hook, Friction or abrasion, Impact, Injection, Puncture, piercing

TYPE: Power supply breakdowns
  SOURCES: Violation of maximum absolute ratings, No energy, Performance variation, Short circuit, Polarization
  CONSEQUENCES: Decelerations, Accelerations, Burn, Overheating, Falls, Motor stop, Saturation

TYPE: Thermal hazards
  SOURCES: Overheat, Flames, Freeze, Abrasion, Explosions
  CONSEQUENCES: Burn, Freeze, Battery problems, CPU auto switch-off, Injuries from radiation heat, Dehydration

TYPE: Electronic hazards
  SOURCES: Saturation, Overflows, Drifts, Inappropriate isolation, Synchronization, I/O errors, Disconnection
  CONSEQUENCES: Overheating, Sensor confusion, Radiations, Loss of control, Short circuiting

TYPE: Electromagnetic & Radiation hazards
  SOURCES: Electrostatic phenomena, Interferences, Ionizing radiations, Spectrum saturation
  CONSEQUENCES: Disorientation, Failures in active components, Overheating, Erroneous reception/send, Interferences in the communications, Drone out of control, Sensor incongruence

TYPE: Algorithmic hazards
  SOURCES: Infinite loops, Inadequate values, Values out of range, Delayed process, Sequencing, Overflows, Synchronization
  CONSEQUENCES: Drone out of control, Reception/send of wrong parameters, Synchronization failures

Table 5: Analysis of the hazards according to their nature.

Because breakdowns depend on their sources, but in general can be classified according to their origin, Table 5 classifies hazardous events according to their nature [30]. It should be noted that the risks are interrelated, so a hazard could be classified in several different groups. In addition, the consequences or problems caused may also originate from different hazards. The classification in Table 5 has been carried out according to the hazard occurrence probability [31].

3.2. Risk assessment

Once the candidate risk sources and their nature have been identified, the second step is to estimate the seriousness and severity of their effects. According to ISO 14121 (and most of the risk evaluation methods [32][33]), hazard assessment is a function of two factors: the first one refers to the gravity of the damage, which evaluates in a fuzzy way the resultant harm from a hypothetical incident. The second factor defines the probability of occurrence, determining the frequency of exposure to the risks. The relation between these factors determines the risk level of the component. The summation of the risk estimation for every component and procedure in the system outputs the global risk model.

1. Seriousness of damage: the seriousness of the damage evaluates the harm that could be provoked in an accident. Potential damage is a key factor to estimate the risk associated with a component, by defining the importance of the processes where the damage has its origin. The seriousness rate is composed of two factors. Firstly, the severity of the injuries or the damage to health. This aspect is also assessed in a fuzzy way, and generates a scaled output according not to the percentage of destruction, but to the evaluation of the impact/importance in the system. According to the international normative, only reversible and irreversible damages are considered in the scale. The second factor, which is not considered in the legislation, corresponds to the number and affiliation of the agents involved in the event. Critical and non-critical components should be distinguished, as well as whether people or third-party elements have been affected. In this sense, the classification could be: components of the unit, the unit itself, the payload (in case it exists), external infrastructures or objects, the operator (the pilot or anyone involved in the UAV operation).

2. Probability of damage: this estimates the frequency of occurrence of a hazardous event. The incident rate, as a function of the system use, is the value resulting from the composition of three factors:

- Exposure to the danger: this evaluates the quantity of risk the systems have been exposed to. To do this, the following issues should be taken into account: i) the exposure time (mean period T of exposure every time it is exposed), ii) the number of agents exposed and the kind of exposure (e.g. manual or not, normal operation or emergency mode), and iii) the frequency of exposure, meaning the time exposed to the risk over the total time of operation (e.g. for the collision risk, the total time when the drone is close to another object over the total flight time).
- Probability of occurrence of a hazard event: the frequency of incidents in the components could be experimentally determined and/or provided by the manufacturers. The event rate is determined by means of statistics and history: statistical reliability, accident history and similarities with other systems.
- Ability to prevent the risk or limit the damage: the probability of damage occurrence depends on the capacity to avoid a hazardous situation or to limit the harm in case of accident. The issues are related to the skills of the operator (e.g. reflexes, agility, ability to escape), the speed of event occurrence, the perception of risk (general information, direct observation, warning signs), the operator qualification/experience, and the suitability of the guards and safety systems (risk identification, agents involved, usability, possible interferences, etc.).

According to all these factors, a general evaluation of the selected risk is performed. As depicted in Figure 3, the factors described above are combined in order to obtain the Performance Level (PL) required for managing the assessed hazard. This parameter refers to the general reliability required by the component/system in order to operate under safe conditions (probability of a dangerous failure per hour). Both quantitative and qualitative aspects of the PL are considered. Quantitative aspects are: measurements of reliability, ability to resist failures, etc. Qualitative aspects are: the system's performance under failure conditions, failure monitoring, and safety related to software implementations.

Figure 3: Evaluation of the hazard according to ISO 13849. Required Performance Level analysis. (S) stands for Severity of Damage, (F) for Frequency of Exposure to the hazard and (P) for the capacity to avoid or limit the risk. The PL goes from (A) to (E). The right side presents the range of failures/hour equivalent to the PL levels.
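The S/F/P combination of Figure 3 and the exposure-frequency definition of Section 3.2 (time close to another object over total flight time, for the collision hazard) can be worked through end to end. The following is an added example, not code from the paper: it computes the exposure fraction from a constructed flight log, maps the three factors onto the ISO 13849-1 risk graph (S1/S2, F1/F2, P1/P2), and returns the required PL together with the probability-of-dangerous-failure-per-hour band the standard associates with it. The 20 % exposure threshold used to separate F1 from F2 is an assumption of this example; the standard leaves the F boundary to the assessor's judgement.

```python
"""Risk assessment for Section 3.2: derive the S, F and P inputs for one hazard
and look up the required Performance Level (PLr) on the ISO 13849-1 risk graph.
Added example; the flight log and the F threshold are constructed/assumed."""

# Constructed flight log: (flight_id, total_flight_s, seconds_near_obstacle).
# The third field is the exposure window for the collision hazard.
FLIGHT_LOG = [
    ("f01", 900, 120),
    ("f02", 1200, 600),
    ("f03", 600, 30),
]

# ISO 13849-1 risk graph (Annex A): severity S, frequency F, avoidability P -> PLr.
RISK_GRAPH = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}

# Probability of dangerous failure per hour (PFHd) band for each PL (ISO 13849-1).
PFHD_BAND = {
    "a": (1e-5, 1e-4), "b": (3e-6, 1e-5), "c": (1e-6, 3e-6),
    "d": (1e-7, 1e-6), "e": (1e-8, 1e-7),
}


def exposure_fraction(log):
    """Fraction of total flight time spent exposed to the hazard."""
    total = sum(t for _, t, _ in log)
    exposed = sum(e for _, _, e in log)
    return exposed / total if total else 0.0


def frequency_class(fraction, threshold=0.2):
    """F2 for frequent/long exposure, F1 otherwise (threshold assumed here)."""
    return "F2" if fraction >= threshold else "F1"


def severity_class(irreversible):
    """S2 for serious (irreversible) injury, S1 for slight (reversible) injury."""
    return "S2" if irreversible else "S1"


def avoidability_class(can_avoid):
    """P1 when avoidance is possible under specific conditions, P2 otherwise."""
    return "P1" if can_avoid else "P2"


def required_pl(irreversible, fraction, can_avoid):
    """Combine the three factors on the risk graph and return the PLr letter."""
    key = (severity_class(irreversible), frequency_class(fraction),
           avoidability_class(can_avoid))
    return RISK_GRAPH[key]


def assess_hazard(log, irreversible, can_avoid):
    """Return (PLr, PFHd band) for the hazard described by the arguments."""
    plr = required_pl(irreversible, exposure_fraction(log), can_avoid)
    return plr, PFHD_BAND[plr]


if __name__ == "__main__":
    # Collision hazard: irreversible injury possible, scarcely avoidable.
    print(assess_hazard(FLIGHT_LOG, irreversible=True, can_avoid=False))
```

With the constructed log the drone spends 750 of 2700 s near an obstacle (about 28 %), so the hazard is rated F2; combined with S2 and P2 this lands on PL e, the strictest band, which is what one would expect for a collision hazard that cannot be escaped by the operator.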

3.3. Risk reduction

Once the possible hazards, including their sources and possible effects, have been determined, the last stage is to analyze and establish possible methods for avoiding or limiting the possible harm. The reliability, robustness and performance requirements are extracted from the chart presented in Figure 4, according to the Performance Level (PL) previously introduced in Section 3.2. In the graph shown in Figure 4, from each PL grade a fuzzy figure should be extracted for the MTTF (Mean Time To Failure), which expresses the mean time until the first failure occurs either in a design or a component. This determines the quality required for the components. On the other hand, the Diagnostic Coverage (DC) is the ratio between the number of dangerous failures detected and the occasions when the failure mode has been activated. Finally, the categories (Cat.) determine (in case a controller exists) the control architecture required for guaranteeing an adequate safety level. According to ISO 12100-1:2003, there are three levels where it is possible to intervene in order to achieve these figures. Depending on the performance phase and the ability to reduce the risk, it is possible to find: i) the elimination of the hazard or risk by inherently safe design (Chapter 4 of the ISO normative); ii) the reduction by implementing complementary methods that protect and prevent the system from failures and foreseeable misuse (Chapter 5), and iii) the imposition of safety procedures where the application of protective techniques and additional preventive measures is not practicable, nor reduces the risk adequately (Section 5.5 of the ISO normative):

Figure 4: Evaluation chart for MTTF, DC and Control Category definition after the PL analysis and set-up.

1. Design process: the first stage in any design process is the definition of the requirements and the characterization of specifications. It is a critical phase in which an inappropriate development may lead to the presence of risks and problems in the following stages. Thus, the proper selection of materials, components and procedures, including their specifications, is a crucial issue. Simulation is a significant tool to determine the behavior and time response of the simulated component. It allows for the identification of execution problems that are hard to determine using direct experimentation. Likewise, simulations are really useful in order to adjust the probability level introduced into the risk estimator when trying to locate the recurrent error sources. By prototyping using a test-bed, manufacturers and operators may verify, evaluate, and enhance the system performance, which subsequently allows for the correction of the status of every hazardous component or element of the system. Both auto-check and visual inspection should be considered, in order to identify and corroborate possible problems before executing the mission. Finally, between Design and Protection Measures, the Control issue is required. ISO 13849 provides a methodology based on the categorization of structures according to specific design criteria and specified behaviors that help during the control design. These categories are depicted in Figure 5 and correspond with the four categories extracted from the chart above (Figure 4). As shown in Figure 5, the complexity of the control structure is defined according to the safety requirements (or, in other words, to the hazard level). The higher the estimated hazard is, the more sophisticated the scheme must be. In this sense, the simple structure of Category I is complemented with a supervisor (S) in Category II, allowing the control system to auto-detect errors or failures in itself. Besides, it also adds direct feedback information from the output to the control (L). Nevertheless, it might not be enough in really dangerous situations.
For these cases, architectures with dierent levels of redundancy are required, like the ones described in Categories III and IV. This kind of scheme is able to detect the problem, but also to avoid it and continue working. These structures should be applied when considering: i) protective devices (e.g, control

Figure 5: Control architectures derived from the risk analysis. Categories I, II and III/IV, respectively. devices, sensing systems, locking devices, etc.), ii) control units (e.g, a logic block, data processing units, etc.) and iii) control elements (e.g, relays, safety switches, valves, etc.). Nevertheless, the inclusion of these schemes should be not the unique measure included. Redundancy structures, hardware supervisors, watch-dogs, or ruggedization methods clearly improve on the fail-tolerance of the system. 2. Prevention/Protection: Guards are elements not included in the core of the system, but added in order to provide a protection service. Guards are in charge of limiting the damage of the drones elements, and also to third party agents. They are conceived as physical both passive and active- sentinels, capable of absorbing kinematic energy or limiting the movement of the vehicles. Examples of these kinds of elements are propeller protections, landing legs, parachute, airbags or protection nets. It is important to note that even if the guards are not able to provide a full safeness range, the capacity of decreasing the exposition to the danger or reduce its eects is equally valid. This is why warning systems like horns or lightings are considered preventive elements, since they allow to increase the reaction time and the risk perception. 3. Safety procedures: Procedures are required when it is not possible to adequately avoid neither to minimize the risks. They refer to all these activities related to every stage of the system, which are key to guarantee a minimum safety level during the ight. First of all, verication and signaling are mandatory steps before ying. Verication refers to check batteries, scan frequencies in order to avoid interferences, measure wind speed, etc. Signaling refers to the process of notifying about the ight area to authorities and people directly or indirectly involved during the mission. 
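As an added example (not code from the paper), the PL bookkeeping that sits behind the Figure 4 chart and the ISO 13849 control categories discussed above: a hazard's risk-graph parameters give the required PL, and the chosen category together with its diagnostic coverage (DC) and MTTFd gives the PL reached, so the two can be compared. The tables are transcribed from ISO 13849-1 from memory rather than from this paper, which does not reproduce them, and the standard's own category labels (B, 1 to 4) are used instead of the paper's I to IV.

```python
# Added example (not the paper's code): ISO 13849-1 simplified Performance
# Level (PL) bookkeeping for one safety function of a mini UAV.  The risk
# graph (S/F/P -> required PL) and the Category/DCavg/MTTFd -> achieved PL
# table are transcribed from memory; verify against the current standard.
from typing import Optional

# Risk graph: severity S1/S2, exposure F1/F2, possibility of avoidance P1/P2.
REQUIRED_PL = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}

# (category, average diagnostic coverage) -> PL reached for each MTTFd band.
# None marks a combination the simplified procedure does not allow.
ACHIEVED_PL = {
    ("B", "none"):   {"low": "a",  "medium": "b",  "high": None},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a",  "medium": "b",  "high": "c"},
    ("2", "medium"): {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "low"):    {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "medium"): {"low": "c",  "medium": "d",  "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}

def mttfd_band(mttfd_years: float) -> str:
    """Bin the per-channel MTTFd into the standard's low/medium/high bands."""
    if mttfd_years < 3:
        raise ValueError("MTTFd below 3 years is outside ISO 13849-1 scope")
    if mttfd_years < 10:
        return "low"
    if mttfd_years < 30:
        return "medium"
    return "high"

def required_pl(s: str, f: str, p: str) -> str:
    """Required PL (PLr) from the risk-graph parameters of the hazard."""
    return REQUIRED_PL[(s, f, p)]

def achieved_pl(category: str, dc: str, mttfd_years: float) -> Optional[str]:
    """PL actually reached by a control architecture, or None if not allowed."""
    return ACHIEVED_PL[(category, dc)][mttfd_band(mttfd_years)]

def meets_requirement(category, dc, mttfd_years, s, f, p) -> bool:
    """True when the architecture reaches at least the PL the hazard demands.
    PL letters compare lexicographically ('a' lowest ... 'e' highest)."""
    got = achieved_pl(category, dc, mttfd_years)
    return got is not None and got >= required_pl(s, f, p)
```

For a spinning propeller that can cause serious injury (S2), with frequent exposure (F2) and little chance of avoidance (P2), the risk graph demands PL e, which only a Category 4 architecture with high DC and high MTTFd reaches; the same function on a Category 3 channel with medium DC stops at PL d.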
After the mission, a flight report should be filled out, in order to keep a temporal register of the events. This is useful for the maintenance process, making it possible to obtain experimental data about motor functions, battery use and other onboard equipment. Maintenance plays a fundamental role in global safeness. Some of the activities that maintenance involves are: cleaning, repairs, replacement, adjustment, calibration and verification.

4. Conclusions

Legislation in the mUAV field is not consolidated yet, and the lack of a unified normative is leaving each mUAV developer to tackle this process from different approaches. This clearly does not lie in the interests of safety. The proposed three-step methodology provides a global approach to this issue, by performing three actuation levels: risk identification, assessment and reduction. This sequence allows many potential risks to be prevented or reduced, as well as a context-adapted response to face hazardous events. The advances presented herein are a step towards formulating future standards for developing and deploying harmless mUAV systems.

Acknowledgements

This work has been supported by the Robotics and Cybernetics Research Group at the Technical University of Madrid (Spain), and funded under the projects ROTOS: Multi-Robot system for outdoor infrastructures protection, sponsored by the Spanish Ministry of Education and Science (DPI 2010-17998), and Robot Fleets for Highly Effective Agriculture and Forestry Management (RHEA), sponsored by the European Commission's Seventh Framework Programme (NMP-CP-IP 245986-2 RHEA). The authors want to thank all the project partners: Agencia Estatal Consejo Superior de Investigaciones Científicas - CSIC (Centro de Automática y Robótica, Instituto de Ciencias Agrarias, Instituto de Agricultura Sostenible), CogVis GmbH, Forschungszentrum Telekommunikation Wien Ltd., Cyberbotics Ltd, Università di Pisa, Universidad Complutense de Madrid, Tropical, Soluciones Agrícolas de Precisión S.L., Universidad Politécnica de Madrid - UPM (ETS Ingenieros Agrónomos, ETS Ingenieros Industriales), AirRobot GmbH & Co. KG, Università degli Studi di Firenze, L'institut de recherche pour l'ingénierie de l'agriculture et de l'environnement - IRSTEA, CNH Belgium NV, CNH France SA, Bluebotics S.A. and CM Srl.