90 Certification Strategy for Small Unmanned Aircraft Performing Nomadic Missions in the U.S. National Airspace System

Maciej Stachura, Jack Elston, Brian Argrow, Eric W. Frew, and Cory Dixon

Contents
90.1 Introduction
90.2 Motivation and Application Strategy
90.3 COA Application
90.3.1 COA Area Selection
90.3.2 Airworthiness Statement
90.3.3 Lost Communications and Emergency Procedures
90.4 Using COAs and FAA Interaction
90.4.1 COA Provisions
90.4.2 Activating COA Areas
90.4.3 Reporting
90.5 Case Study/Lessons Learned
References

M. Stachura • J. Elston • E.W. Frew
Department of Aerospace Engineering Sciences, University of Colorado, Boulder,
CO, USA
e-mail: stachura@colorado.edu; elstonj@colorado.edu; eric.frew@colorado.edu
B. Argrow
Director Research and Engineering Center for Unmanned Vehicles, University of Colorado,
Boulder, CO, USA
e-mail: brian.argrow@colorado.edu
C. Dixon
College of Engineering and Applied Science, University of Colorado at Boulder, Boulder,
CO, USA

K.P. Valavanis, G.J. Vachtsevanos (eds.), Handbook of Unmanned Aerial Vehicles,
DOI 10.1007/978-90-481-9707-1_63,
© Springer Science+Business Media Dordrecht 2015
2178 M. Stachura et al.

Abstract
This chapter discusses the specifics of the Certificates of Authorization (COA)
that were obtained for the second Verification of the Origin of Rotation in Torna-
does Experiment (VORTEX2) project and how the operations were conducted to
satisfy the COA requirements. A strategy is outlined for operating these nomadic
missions with small UAS within the confines of FAA regulations. This includes
information on getting FAA COAs for a large area, specifically focusing on area
selection, airworthiness, and emergency procedures, which are the keys to these
applications. Interacting with the FAA once COAs have been granted is very
important to the success of such a mission and is included in this chapter along
with some lessons learned to improve future projects with similar goals.

90.1 Introduction

On 6 May 2010, on the plains of west Kansas, the Tempest unmanned aircraft
system (UAS) made the first ever intercept of a supercell thunderstorm as part of
the VORTEX2 field campaign (Elston et al. 2011b). This was surpassed on 10 June
2010, on the plains of eastern Colorado, with the first ever UAS intercept of a
tornadic supercell (Elston et al. 2011b). With more than 100 scientists and engineers
deploying more than 40 instrument platforms, VORTEX2 was the largest effort
in history dedicated to the study of tornadoes (Oceanic and Association 2010).
Two field campaigns were conducted 1 May–13 June 2009 and 1 May–15 June
2010; the Tempest UAS was deployed for the 2010 field campaign. The VORTEX2
participants maintained a completely nomadic program, roaming the Great Plains
to track supercell thunderstorms. Supercells are the most violent form of severe
convective storms, often producing the most violent and damaging tornadoes. The
purpose of VORTEX2 is to study these storms for a better understanding of the
ingredients that create supercells and to try to answer the question of why some
supercells produce tornadoes while others do not (VORTEX2 SPO).
The development of the Tempest unmanned aircraft system (Fig. 90.1) addressed
a variety of scientific, technical, logistical, and regulatory issues. Science drivers for
the Tempest UAS focused on the need to sample pressure, temperature, humidity,
and wind velocity in the rear-flank downdraft of supercell thunderstorms. Current
models suggest that this area plays a causative role in tornadogenesis, and these
models cannot be evaluated without in situ data. In turn, the science drivers lead to
the requirement to sample the storm in areas where little is known about the flight
conditions that will be encountered. As a result, the Tempest aircraft was developed
for robust flight across a range of expected flight conditions. The dynamic nature of
supercell thunderstorms necessitated a mobile concept of operations such that the
unmanned aircraft could be stowed and transported by ground and then launched
as quickly as possible. Finally, additional limitations were imposed by the Federal
Aviation Administration (FAA) in order to satisfy regulatory requirements for the
operation of unmanned aircraft systems.
90 Certification Strategy for Small Unmanned Aircraft 2179

Fig. 90.1 The Tempest unmanned aircraft (note the funnel cloud on the horizon, aligned with the midpoint of the aircraft)

The operations of unmanned aircraft systems in the U.S. National Airspace
System (NAS) are governed by the Federal Aviation Administration, with guidelines
established in Interim Operational Approval Guidance 08–01, Unmanned Aircraft
Systems Operations in the U.S. National Airspace System (Policy 08–01) (Davis
2008). This document was created to define requirements and procedures for the
operation of unmanned aircraft systems, and it specifies that special approvals
are required for the operation of UAS in the NAS (outside of active restricted,
prohibited, or warning areas) because unmanned aircraft systems are not compliant
with many sections of Title 14 of the Code of Federal Regulations (14 CFR)
(http://www.gpoaccess.gov/cfr/) and thus require an alternate means of compliance. This
compliance is demonstrated by receiving a certificate of waiver or authorization
(COA) or by obtaining a special airworthiness certificate–experimental category,
the only two available methods of approval.
For public institutions, defined as those that are intrinsically governmental in nature,
approval for operations of UAS is obtained through the COA process (Davis 2008).
A COA defines operational requirements, emergency procedures, airworthiness
requirements, an area of operations, and ground crew proficiency requirements for
the operation of a single class of UAS. The overarching goal of the COA application
is to demonstrate that the operations of the UAS have an equivalent level of safety
to manned operations. In contrast to public institutions, private institutions and
commercial companies (Ballinger and Bossert 2007) must also obtain a special
airworthiness certificate, typically an experimental airworthiness certificate, for
legal operations of their unmanned aircraft systems.
A recent FAA Aviation Rulemaking Committee (Tarbert and Wierzbanowski
2009) reported “a comprehensive set of recommendations for small UAS regu-
latory development.” These regulatory recommendations have yet to be adopted,
even in part. The regulations that must be satisfied for the operation of UAS
remain those developed for manned aircraft, resulting in a COA application process
for UAS that is not straightforward. Prior to the 2006 “grounding” of
UAS for those operating without a COA or an experimental certificate, many
small UAS operators claimed permission to operate according to FAA Advisory
Circular AC 91–57 (Van Vuren 1981), which provides guidelines for the
operation of hobbyist model aircraft according to the rules of the Academy of
Model Aeronautics (AMA). With the creation of the Unmanned Aircraft Pro-
gram Office (UAPO) in 2006 came enforcement of the COA and special air-
worthiness certificate requirements for public and civil UAS, respectively. The
UAPO and the FAA Air Traffic Organization (ATO) were unprepared for the
widespread misunderstanding of the COA application process, the subsequent
onslaught of COA applications, and an almost complete misunderstanding of the
requirements for civil entities to obtain UAS certification (Murphy and Argrow
2009).
Although the UAPO has worked to clarify regulations and submission require-
ments, rather than define a complete set of sufficient conditions for receiving
a COA, the UAPO approach is to evaluate submitted UAS, operations, and
procedures individually. As a result, information provided from the online application
portal (http://www.faa.gov/about/office_org/headquarters_offices/avs/offices/afs/afs400/afs407/)
can be vague, and determining the appropriate level of detail and
requirements for each section of the application often requires several submissions,
rejections, and subsequent iterations of the application.
In the interest of illuminating this process, this chapter describes the construction
and subsequent use of 59 COA applications for the Tempest UAS used during the
VORTEX2 field experiment. This chapter presents the information used to complete
the COA application process and identifies the decisions and methods employed for
a successful application, including the specification of operations area, how the
airworthiness of the system was derived, the emergency procedures that were used,
and the evolution of the actual operations and reporting requirements under the
COA. The guidance given in this document follows that of Policy 08–01 (Davis
2008). It must be stressed that the information described here only pertains to the
Tempest UAS, and the specific details included in our applications were based on
the judgements of the authors and do not reflect definitive standards for a successful
application.

90.2 Motivation and Application Strategy

The primary engineering objective for the Tempest UAS deployment was to develop
a small UAS networked into a mobile command, control, and communications
(C3) infrastructure that could meet the requirements for supercell penetration,
specifically in the rear-flank downdraft (RFD), a region considered critical to the
understanding of tornado formation. The UAS would also have to meet requirements
for portability, with the mobility to target and track supercell thunderstorms,
then enable rapid launch, storm penetration, and recovery of the unmanned air-
craft.
Fig. 90.2 Three sampling scenarios designed for use in the 2010 VORTEX2 campaign (Elston
et al. 2011b) (a) S1 = standard inflow launch parallel to storm motion (b) S2 = inflow launch
perpendicular to storm motion (c) S3 = outflow launch parallel to storm motion

Although the engineering requirements for the Tempest UAS were ultimately
driven by the meteorological science objectives, for VORTEX2 the purpose was
to demonstrate the feasibility of a small UAS for supercell sampling, so the
science objectives were secondary to the engineering objectives. The primary
science objective was to collect in situ measurements of pressure, temperature, and
humidity, targeted in the rear-flank downdraft (RFD) and its outflow (VORTEX2
SPO). The RFD generally forms on the southwest portion of the storm, and when
the downdraft approaches the ground, it spreads horizontally to form the RFD gust
front. The focus of the Tempest UAS science mission is to fly into the RFD from
the east or the south, crossing the gust front during the ingress.
Figure 90.2 from Elston et al. (2011b) illustrates three sampling scenarios. In S1
the UA is launched from the east of the supercell, then flies beneath the hook of
the mesocyclone, near the tornado indicated by the small red triangle, into the RFD.
The UA then proceeds to fly multiple transects, where the different colors of the
trajectories indicate transects at different altitudes. For S2, the UA approaches the
mesocyclone hook from the south, crossing the RFD gust front with its horizontal
outflow before the UA makes contact with the main downdraft of the RFD and the
tornado. S3 is the most difficult of the three scenarios, with an approach from the
southwest which means that the UA is chasing supercells that typically move on
northeast to easterly tracks.
Development of the concept of operations (CONOPS) for the Tempest UAS, and
subsequent COA applications, focused on safe, assured operations by maintaining
situational awareness of the UAS and airspace at all times. The main barrier to safe
operation that satisfies FAA regulations is the ability to perform “sense and avoid”
whereby the operational airspace is continually monitored and deconflicted, i.e., the
UAS is kept clear of other airborne traffic. Though the FAA allows different options
for providing sense and avoid (e.g., stationary visual observers on the ground, visual
observers in a chase aircraft, ground-based radar, radio transponders, and direction
from air traffic control), stationary ground observers were used as the only solution
during VORTEX2.
A second major factor in the COA application process was the dynamic, mobile
pace of operations required to sample supercell thunderstorms. The conditions for
supercell thunderstorm formation can become evident several days in advance.
However, pinpointing the location and trajectory of a particular storm is difficult.
Further, the onset of tornado formation cannot be predicted reliably in advance
(the whole point of the VORTEX2 mission). Tornadogenesis within a supercell
thunderstorm has been observed to occur in as little as 13 min from the first
manifestation of potential tornadic activity (Erickson and Brooks 2006). As a
result, successful operation during VORTEX2 required the ability to establish flight
profiles with minimal advance notification. The standard provisions for most COAs
require at least 48 h notification to activate a COA area through Notices to Airmen
(NOTAMs) along with contacting other groups such as ATC or military operations
groups depending on the area. This provision would make these types of operations
impossible.
Many of the FAA requirements that needed to be satisfied directly affected the
design of the Tempest system. These design decisions were a direct result of a
previous project, the Collaborative Colorado-Nebraska Unmanned Aircraft System
Experiment (CoCoNUE), that acted as a precursor to the VORTEX2 campaign
with the goal of using a UAS to sample across an air mass boundary. One of the
important lessons learned during these experiments is that maintaining eyes on the
aircraft from a chase car (an FAA requirement to ensure airspace deconfliction) is
only feasible if the aircraft is tasked to orbit the chase car. This, coupled with the
requirement of a stationary ground station, led to the use of a tracker vehicle, which
needed to maintain a data link with the aircraft to share its GPS position. That in turn
led to the use of an ad hoc network to allow the UA to simultaneously communicate
with both the ground station and the tracker vehicle; see Elston (2011) for more
information on the communication subsystem.
Some subsystems had to be added to the Tempest UAS either to satisfy FAA
requirements or to increase safety and so expedite the COA process. These included
a 900 MHz tracking antenna with Yagi for up to 20 miles of range to ensure
communication over the maximum range of the COA area from the stationary ground
station; a 2.4 GHz data link with ad hoc communication and a multi-hop routing
protocol for communication from the aircraft to both the tracker vehicle and the
stationary ground station; a COTS autopilot and airframe for self-certification; a
tracker vehicle to stay with the UA; and a scout vehicle to check the roads ahead
for the tracker vehicle.

90.3 COA Application

90.3.1 COA Area Selection

Certificates of authorization are issued for specific areas of operation. The FAA
requires that the UA position be known with enough accuracy that air traffic
controllers can inform nearby aircraft. To satisfy this requirement, UAS operators
are generally required to file a Notice to Airmen (NOTAM) 72–48 h in advance
of operations. The NOTAM specifies the location and time of the flight within the
area specified by the COA. Several institutions have obtained COAs to perform
prolonged flights over large distances by filing specific flight plans 72–48 h before
the intended operation (Ambrosia and Hinkley 2008). In contrast, the mission
motivating this work required flight within 3,000 ft of the ground with much shorter
notification constraints. Therefore, the focus of COA area selection presented here
is on flights with small UAS through class G and E airspace without a predetermined
flight plan.
Since NOTAMs could not be issued far in advance, COA application size was
kept small enough to ensure that the position of the UA was known relatively well
and to minimize the workload on air traffic controllers who must notify pilots
approaching the active COA airspace. Given the context of the VORTEX2 mission
(Elston et al. 2011b), it was desirable to operate the UAS in an area over 24,000
square miles (62,000 sq km) in size (the green box in Fig. 90.3). Based on informal
discussion with the FAA Unmanned Program Office, it was determined that this area
was too large for a single COA.
To obtain permission for flying in this large area, the authors followed the
example of the University of North Dakota’s successful COA applications in
multiple locations across their state (Douglas Marshall and Benjamin Trapnell,
personal communication, 17 Dec 2008.), where they broke an area into several
COA areas made up of approximately 10 × 10 mile (16 × 16 km) polygons. In
the case of the Tempest COAs, the domain of operation was split into 59 areas
approximately 20 × 20 miles (32 × 32 km) in an attempt to balance the size of
the areas with the number of COA applications that would be needed to cover the
complete mission domain (Fig. 90.3). In a debrief to the Denver Air Route Traffic
Control Center (ARTCC) following the VORTEX2 operations, air traffic controllers
indicated that circular areas are the preferred shape to issue a conventional NOTAM,
specified by a radial distance from a geographic point. (Denver ARTCC, personal
communication, 14 Oct 2010.) Future applications and renewals will follow this
guidance.
After selecting the maximum size of the bounding polygon, the following
additional items were considered to determine its shape: population density, major
roads, airports, and airspace (Fig. 90.4). These were used to restrict the polygons
to regions that could be shown to have low potential for property damage or
human injury in the case of a failure of the UAS. The specific values were chosen
heuristically with the expectation that they would satisfy the FAA UAPO. The
minimum limits are 3 miles (5 km) from any town of significant size (population
>1,000), 3 miles (5 km) from any airport, 1 mile from any major road (such as an
interstate highway), and within class E or G airspace.
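
The screening rules in the preceding paragraph can be checked mechanically for a candidate polygon. The following is an added example, not part of the original chapter or the authors' tooling: it applies the stated limits (3 miles from towns with population above 1,000, 3 miles from airports, 1 mile from major roads, class E or G airspace) to a constructed cell. The function names, the flat-earth projection, and all place names and coordinates are assumptions made for illustration.

```python
import math

EARTH_RADIUS_MI = 3958.8
# Heuristic minimum separations from the text, in statute miles.
MIN_TOWN_MI, MIN_AIRPORT_MI, MIN_ROAD_MI = 3.0, 3.0, 1.0
TOWN_POPULATION = 1000          # only towns above this population count
ALLOWED_AIRSPACE = {"E", "G"}


def project(lat, lon, origin):
    """Local east/north miles; a flat-earth assumption adequate for ~20-mile cells."""
    lat0, lon0 = origin
    x = math.radians(lon - lon0) * math.cos(math.radians(lat0)) * EARTH_RADIUS_MI
    y = math.radians(lat - lat0) * EARTH_RADIUS_MI
    return (x, y)


def point_segment(p, a, b):
    """Distance from point p to the segment ab."""
    dx, dy = b[0] - a[0], b[1] - a[1]
    len2 = dx * dx + dy * dy
    t = 0.0 if len2 == 0 else ((p[0] - a[0]) * dx + (p[1] - a[1]) * dy) / len2
    t = max(0.0, min(1.0, t))
    return math.hypot(p[0] - (a[0] + t * dx), p[1] - (a[1] + t * dy))


def cross(o, a, b):
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])


def segment_segment(a, b, c, d):
    """Distance between segments ab and cd; zero when they cross."""
    if cross(a, b, c) * cross(a, b, d) < 0 and cross(c, d, a) * cross(c, d, b) < 0:
        return 0.0
    return min(point_segment(a, c, d), point_segment(b, c, d),
               point_segment(c, a, b), point_segment(d, a, b))


def edges(poly):
    """All edges of the closed polygon, including the closing one."""
    return [(poly[i - 1], poly[i]) for i in range(len(poly))]


def contains(poly, p):
    """Ray-casting point-in-polygon test."""
    inside = False
    for a, b in edges(poly):
        if (a[1] > p[1]) != (b[1] > p[1]):
            x_at_y = a[0] + (p[1] - a[1]) * (b[0] - a[0]) / (b[1] - a[1])
            if x_at_y > p[0]:
                inside = not inside
    return inside


def point_polygon(poly, p):
    """Distance from p to the polygon; zero if p lies inside it."""
    if contains(poly, p):
        return 0.0
    return min(point_segment(p, a, b) for a, b in edges(poly))


def polyline_polygon(poly, line):
    """Distance from a road polyline to the polygon; zero if it enters or crosses."""
    if any(contains(poly, p) for p in line):
        return 0.0
    return min(segment_segment(a, b, c, d)
               for a, b in zip(line, line[1:]) for c, d in edges(poly))


def screen_cell(cell, towns, airports, roads, airspace_class):
    """Return (kind, name, miles) for every limit the candidate cell violates."""
    origin = cell[0]
    poly = [project(lat, lon, origin) for lat, lon in cell]
    found = []
    if airspace_class not in ALLOWED_AIRSPACE:
        found.append(("airspace", airspace_class, None))
    for name, lat, lon, population in towns:
        d = point_polygon(poly, project(lat, lon, origin))
        if population > TOWN_POPULATION and d < MIN_TOWN_MI:
            found.append(("town", name, round(d, 2)))
    for name, lat, lon in airports:
        d = point_polygon(poly, project(lat, lon, origin))
        if d < MIN_AIRPORT_MI:
            found.append(("airport", name, round(d, 2)))
    for name, major, path in roads:
        d = polyline_polygon(poly, [project(lat, lon, origin) for lat, lon in path])
        if major and d < MIN_ROAD_MI:
            found.append(("road", name, round(d, 2)))
    return found


# Constructed sample data (not real places): a roughly 20 x 20 mile cell.
CELL = [(39.00, -102.00), (39.00, -101.63), (39.29, -101.63), (39.29, -102.00)]
# The same cell with its west and south edges pulled in to clear the conflicts.
TRIMMED = [(39.02, -101.94), (39.02, -101.63), (39.29, -101.63), (39.29, -101.94)]
TOWNS = [("Town A", 39.15, -102.03, 2500),   # just west of CELL
         ("Town B", 39.10, -101.80, 400),    # inside, but under the population limit
         ("Town C", 39.40, -101.80, 5000)]   # well north of CELL
AIRPORTS = [("Airport X", 38.97, -101.80)]   # just south of CELL
ROADS = [("Interstate", True, [(38.99, -102.20), (38.99, -101.40)]),
         ("County road", False, [(39.10, -102.10), (39.20, -101.50)])]

if __name__ == "__main__":
    for label, cell in (("original", CELL), ("trimmed", TRIMMED)):
        print(label, screen_cell(cell, TOWNS, AIRPORTS, ROADS, "G"))
```

Distances are measured to the polygon boundary rather than to its vertices, so a town or road lying alongside the middle of an edge is still caught.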
The FAA determines the maximum altitude for operations based on an estimate
of the ability of an observer with a class 2 medical certification to see the UA
and be able to ensure airspace deconfliction with other aircraft. The Tempest
COA applications requested a flight ceiling of 3,000 ft above ground level (AGL).
However, given the aircraft's 10.5-ft (3-m) wingspan and slender fuselage, the FAA imposed a
ceiling of 1,000 ft (300 m) AGL for operation of the Tempest UAS, with some areas
limited to a 400-ft (120-m) ceiling based on proximity to specific airport approach
airspace. Victor airways must also be considered, and in some cases impact the
decisions to provide permission for flights over 400 ft (120 m) AGL.

Fig. 90.3 VORTEX2 operations area (red), desired UAS operations area (green box), actual COA areas (blue polygons)

Fig. 90.4 Considerations for the sizing, shape and location of each polygon, with green arrows
indicating minimum distances and obstacles including 5 miles or more from both airports and
built-up areas, 1 mile from major highways, and consideration for Victor airways, which the FAA
does not allow loitering in

90.3.2 Airworthiness Statement

Policy 08–01 (Davis 2008) outlines the procedure to create an airworthiness
statement and lists several standards that have acceptable criteria for the self-
certification of a public aircraft. The Tempest airframe airworthiness statements
are based upon the Department of Defense (DoD) handbook MIL-HDBK-516A
(http://www.everyspec.com/MIL-HDBK/MIL-HDBK+(0500+-+0599)/MIL_HDBK_516A_2069/),
which is superseded by MIL-HDBK-516B
(http://www.everyspec.com/MIL-HDBK/MIL-HDBK+(0500+-+0599)/MIL-HDBK-516B_10216/).
Although the following discussion refers to MIL-HDBK-516A, the reader should
refer to the more recent MIL-HDBK-516B when preparing a new COA application.
These handbooks were created for the certification of military aircraft, including
manned and unmanned aircraft that carry ordnance, so the user must determine the
criteria that are relevant for civilian applications. Sections 4–19 of MIL-HDBK-
516A contain criteria specific to the different systems and operational procedures
that must be addressed for airworthiness, though it is clear that Sections 9, 17, and
18 of MIL-HDBK-516A do not apply to unmanned aircraft.
The Tempest airworthiness document submitted to the FAA contained the
heading of each subsection (e.g., 12.x) followed by statements explaining how each
criterion is addressed to guarantee airworthiness. In many cases the subsection was
not pertinent to the Tempest UAS, and it was sufficient to include a statement
indicating this fact. Examples of criteria in MIL-HDBK-516A that were not
necessary to satisfy for the Tempest UAS are structural fatigue, flight envelope,
aircraft stability, and avionics architecture. It is, however, necessary to outline the
procedures and analyses that are used to guarantee these criteria or steps used to
mitigate risks from possible failures.
Airworthiness of the Tempest UAS was demonstrated based on three main
factors. First, the airframe was developed in collaboration with a commercial manu-
facturer with experience designing and constructing competition radio-controlled
sailplanes. In particular, Skip Miller Models (Skip Miller) modified an existing
design based on specifications for the VORTEX2 mission. Successful demonstration
in remote control dynamic soaring (RCS 2011), where aircraft routinely obtain high
air speeds and accelerations, validates the ability of the construction techniques used
in the Tempest airframe to provide a sturdy and durable aircraft. Second, the commercial
Piccolo SL autopilot (Cloudcap) used for the Tempest UAS has an established
record of success, both in military systems and other unmanned aircraft that have
obtained COAs, including other UAS operated by the authors. Third, the complete
Tempest UAS avionics system, which includes redundant wireless communication
channels, onboard supervisory computer, ground control station, and operator
interface, has been demonstrated through flight operations of other aircraft (Brown
et al. 2007; Frew et al. 2008; Houston et al. 2012). An appendix with examples of
checklists, flight logs, maintenance logs, and operational procedures was included
in the COA application to document those items used to support safe operations and
maintenance. General guidelines for preparing an airworthiness statement based on
lessons learned from VORTEX2 and other flight operations are given in Elston et al.
(2011a). Excerpts from the Tempest UAS airworthiness statement are given here
to show the level of detail required. Heading titles correspond to the sections of
MIL-HDBK-516A.
6. Flight Technology
6.1 Stability and Control
The airframe used for the Tempest UA is the Tempest glider, commercially available
from Skip Miller Models. The Piccolo Light autopilot control system ensures stable
flight characteristics when coupled with a stable aircraft such as the Tempest UA as
required in Sect. 6.1.2.3. The envelopes, as outlined in 6.1.6, will be safe because
the Tempest airframe is a commercially available glider.

6.2 Vehicle Control Functions (VCF)


The physical components of the VCF (i.e., the servos, control links, control surfaces,
and electrical connections) employ high-grade commercial components sized for the
maximum GTOW. All control surfaces are fully articulated during preflight checks
to visually verify clearances. The control link to the Piccolo Plus on the Tempest
UA is a single point of failure, but contingencies are in place in case of failure as
outlined in the Lost Communication section. Preflight checklists for the Tempest UA
are used to minimize the risk of failure as per 6.2.2.36. The emergency procedures,
as outlined in the Emergency Procedures section, are appropriate and address the
full range of possible emergencies as required in 6.2.55.
The Tempest subsystems are powered by lithium-ion battery packs. Power
is monitored from the UAS ground station to indicate primary power loss. The
contingency is to immediately power-down any payload and return the Tempest
UA for immediate landing. In the unlikely event of complete power loss, the UA
servos reset the control surfaces to a default setting for spiral glide to the ground
to prevent an uncontrolled excursion outside the primary area of operations. The
VCF software is provided commercially by Cloudcap for the Piccolo Plus autopilot.
This software is extensively tested and is safe in all normal flight conditions. For
emergency situations, the procedures used are outlined in the Emergency Procedures
document.

9. Crew Systems
The Tempest is unmanned; therefore, there are no crew systems.

90.3.3 Lost Communications and Emergency Procedures

Lost communications and emergency procedures are specified as part of the COA
application. The contents of these sections of the COA application pertain to
the operations during abnormal and emergency situations. It is impossible to
develop guidelines and procedures to deal with all situations, so the Tempest UAS
application enumerated them as best as possible and stated that the judgement, skill,
and training of all persons involved in flight operations were necessary to bring an
abnormal or emergency situation to a safe conclusion.
The policies and procedures used for the Tempest UAS were developed and
refined through previous flight experiences with other aircraft (Brown et al. 2007;
Frew et al. 2008; Houston et al. 2012). In general, the response to an in-flight
emergency or severe change in weather is to bring the UA back to the main landing
site and to begin landing procedures, using either manual or automatic landing. The
COA applications stated that all incidents and accidents would follow reporting
and notification processes and requirements as laid out in FAA Orders 8020.11,
7210.56, and in NTSB 830. During the VORTEX2 mission, there were no incidents
that required reporting under these rules.
The Tempest UAS COA application was written specifically for a three-person
team piloting an unmanned aircraft system using a Piccolo autopilot system
(Cloudcap). FAA regulations require a two-person team consisting of a pilot in
command (PIC) and a trained, medically certified observer (Davis 2008). Typical
Tempest UAS operations consist of the PIC acting as a mission commander and
two pilots at control (PACs): the PAC-M with manual flight control through a
handheld console and the PAC-O who monitors and controls the UA when it is
in semiautonomous mode. Only one of these copilots will be the acting PAC at
a given time; therefore, the PIC can perform one of the roles. For Tempest UAS
flights during VORTEX2, the PIC always served as the PAC-M.

90.3.3.1 Emergency Procedures


Enumerating all the emergency procedures contained in the Tempest COA
application is prohibitive here. The emergency procedures for the Tempest UAS
COA application follow the general guidelines (Elston et al. 2011a) derived from
experience with the Tempest and other UAS. Overall emergency procedures were
designed to maintain safe operations when possible with aerodynamic termination
utilized if the aircraft becomes uncontrollable.
The COA application states that a handheld VHF radio will be used to broadcast a
distress message in some emergency situations to aid in maintaining a safe airspace
when traffic is present in the COA airspace. Distress messages will be broadcast
on the specified CTAF/UNICOM frequency of the airport listed in the operational
summary of the COA application. The distress message will contain the following
information and will be given in the order listed below. Once broadcast, the
message will be repeated every 5 min, upon changes in condition or known location
or upon any update requests received. Once the urgent condition is over, a final
message will be broadcast to notify any traffic that the emergency condition is over.
1. PAN-PAN, PAN-PAN, PAN-PAN
2. “Local traffic”
3. “This is unmanned aircraft Tempest”
4. The nature and type of the distress
5. Pilot’s intention request
6. Last known position and heading
7. Altitude
8. Hours and minutes of propulsion battery remaining
9. Weather
10. Other useful information such as visible landmarks, aircraft color, and that no
people are onboard
The emergency procedures outlined in the Tempest UAS COA application are
broken down into categories. Operation emergency procedures describe how the
UAS team responds to incidents involving personnel or the general operation of the
aircraft. For example, this section outlines how to respond if the pilot is unable to
perform duties or if the aircraft leaves the COA boundary. Ground control station
emergency describes procedures for responding to ground control station failures,
such as loss of power in the various components. Finally, Tempest UA describes
responses to emergencies derived from the aircraft, such as loss of power or failure
of the navigation solution. The following sections provide an overview of some of
the main procedures included in the Emergency Procedures.

Operational Emergency Procedures


• Pilot/Operator/Observer Is Unable to Perform Duties
If a crew member becomes incapacitated during a UA flight, then the duties of
that person will be transferred to another certified crew member depending upon
the status of the current flight and availability of crew members.
• Loss of Visual Line of Sight by Observer
If the observer loses line of sight (LOS) to the aircraft, then another team
member will act as the observer if they have LOS. If no team member has LOS,
then the PIC will initiate landing procedures if the airspace is deemed safe or the
PIC will command aerodynamic termination if the airspace is not deemed safe.
• Loss of Communication Between PIC and Observer(s)
If there is a loss of communication between the PIC and observer with
handheld radios, a backup method such as cell phones shall be used.
• Loss of Communication with ATC
Operations of the Tempest UAS will be conducted in class E or G airspace
under VFR conditions. Due to these conditions, it is assumed that communications
with the local ARTCC or Terminal Radar Approach Control (TRACON) will
not be required, but a handheld VHF radio will be used to maintain situational
awareness and direct communication to local air traffic if necessary.
• UA Leaves COA Boundary Uncontrollable
In this situation, the first priority of the PIC is to maintain as safe an airspace
as possible surrounding the UA. Procedures described here should include
broadcasting a PAN-PAN message and using all reasonable effort to maintain
VLOS and to terminate the flight.

Ground Control Station Emergency


• Operator Interface Software/Computer Failure
Failure of the operator interface software or the computer running it means
that the PAC-O no longer has situational awareness of the UA and can no longer
command or control the UA. Procedures for this emergency consider both the
case where the UA is in VLOS of the PAC-M and beyond. Communication
procedures to the team members are outlined, along with appropriate steps
for safely terminating the mission, including automated return to the location
of the ground control station, automated landing, remote landing, and finally
aerodynamic termination.
• Ground Station Failure
Procedures for ground station failure consider the devices connected (e.g.,
pilot console, ground station GPS) and the possibility of device disconnection
or failure. They also address the possibility of total ground station failure.
Appropriate actions include switching of flight modes, turning off DGPS, or
terminating the mission.

Unmanned Aircraft Emergency


• Engine-Out
In the case of engine failure, if the aircraft altitude is high enough, the standard
landing procedure is initiated. If the altitude is too low, the aircraft is brought
down quickly and safely, with the observer helping to locate landing areas while
accounting for property, people, or other manned aircraft in the vicinity.
• Autopilot/Servo Power Loss
Complete loss of power to the autopilot (or servos if on a separate power
source) is a catastrophic failure, resulting in the UA being uncontrollable and
unpredictable in its flight path. In this situation, the first priority of the PIC is
to maintain as safe an airspace surrounding the UA as possible and to issue the
appropriate distress messages.
• Degrading Performance of the Autopilot
Degrading or poor performance of the autopilot can be caused by bad or failed
sensors, actuators, or by improperly set or adjusted feedback gains. It is expected
that most failures that show as degraded autopilot performance are primarily due
to the failure of onboard sensors such as the rate gyros, accelerometers, a poor
or bad GPS solution, circuit board temperature failure, or failure of the air data
system (dynamic and static pressure). Procedures include assessing the failure
and determining the appropriate action in a per-sensor manner.

90.3.3.2 Lost Communication and Lost Link Procedures


The Tempest UAS uses a primary communication channel for command and control
uplink as well as data downlink. The primary communication link is provided by
a 1-W 900 MHz spread-spectrum modem manufactured by Microhard Corp. and
is supplied with the Piccolo SL autopilot system as original equipment. The same
modem is used in the autopilot and in the Ground Control System (GCS). A lost link
on the 900-MHz primary link is considered a lost communication event. Depending
upon the operational mode of the UA, the Piccolo autopilot detects two types of lost
communications: one is when the aircraft is under manually piloted mode and the
other is when the Piccolo is operating under semiautonomous control. In either case,
in the event of a lost communication emergency, the UA is no longer under control of
the PAC and collision avoidance capability has been compromised. In this situation,
the first priority of the PIC is to maintain as safe an airspace surrounding the UA
as possible. This is done by broadcasting a PAN-PAN message to any nearby traffic
as described in the Emergency Procedures document.
When the autopilot is under manual pilot (or manual-assisted) control, a lost link
is determined by the UA as not receiving any decodable manual pilot control packets
for 2 s, referred to as the pilot time out. Once this condition is met, the autopilot will
automatically switch to autopilot mode and enter into the closest waypoint plan at
the time of the pilot time out.
If communications fail entirely for 10 s (defined as the communication time out),
either under manual or semi-autonomous modes, the autopilot will take automatic
action depending upon the status of the GPS time out. If the GPS time out has
been asserted prior to the communication time out, then when the communication
time out occurs the autopilot will issue an aerodynamic termination. If the GPS
time out has not occurred, then the autopilot will switch from the current flight
plan to the emergency waypoint plan, defined by the lost communication entry
point. If communication is reacquired during the orbiting phase of the emergency
flight plan then the PAC can initiate landing procedures. If communication is not
reacquired after 2 min of orbiting at the lost communication waypoint, the autopilot
will automatically switch to the autoland segment of the emergency flight plan, and
will begin an autonomous landing.
Finally, since the operation of the Tempest UAS will be well within the
communication range of the 900 MHz link, failure of the communication link will
tend to be hardware based. Therefore, after a lost communication event is detected,
a crew member who is not currently tasked as the observer or PIC will be directed
by the PIC to inspect the communication hardware in the GCS to make sure there are
no visible problems with the 900 MHz antenna, its location, or the cabling.
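
The timeout logic described in this section can be written as a small state machine and replayed against timelines, which makes the 2 s, 10 s, and 2 min thresholds and the GPS precondition testable. This is an added illustration, not code from the Piccolo autopilot or the Tempest project; the class, mode, and event names are hypothetical, and the model assumes that any packet received during the orbit counts as reacquisition and returns the landing decision to the PAC.

```python
from dataclasses import dataclass, field
from enum import Enum

# Thresholds as stated in the text above.
PILOT_TIMEOUT_S = 2.0    # no decodable manual pilot control packets
COMM_TIMEOUT_S = 10.0    # communications fail entirely
ORBIT_LIMIT_S = 120.0    # orbiting at the lost communication waypoint


class Mode(Enum):            # mode names are hypothetical labels for this model
    MANUAL = 1
    AUTOPILOT = 2            # following the closest waypoint plan
    LOST_COMM_ORBIT = 3      # emergency waypoint plan, orbiting
    AUTOLAND = 4             # autoland segment of the emergency plan
    PAC_LANDING = 5          # landing initiated by the PAC after reacquisition
    TERMINATED = 6           # aerodynamic termination


@dataclass
class LostLinkModel:
    mode: Mode
    last_pilot_pkt: float = 0.0   # time starts at 0 with the link up
    last_any_pkt: float = 0.0
    gps_timed_out: bool = False
    orbit_start: float = 0.0
    reacquired: bool = False
    transitions: list = field(default_factory=list)

    def _go(self, t, mode, reason):
        self.mode = mode
        self.transitions.append((t, mode.name, reason))

    def packet(self, t, pilot_control=False):
        """A decodable uplink packet arrived at time t."""
        self.last_any_pkt = t
        if pilot_control:
            self.last_pilot_pkt = t
        if self.mode is Mode.LOST_COMM_ORBIT:
            # Assumption: any packet during the orbit counts as reacquisition.
            self.reacquired = True

    def gps_timeout(self, t):
        self.gps_timed_out = True

    def land_command(self, t):
        """PAC-initiated landing, honoured only once the link is back."""
        if self.mode is Mode.LOST_COMM_ORBIT and self.reacquired:
            self._go(t, Mode.PAC_LANDING, "link reacquired, PAC command")

    def tick(self, t):
        """Evaluate the timers at time t (seconds)."""
        if self.mode in (Mode.MANUAL, Mode.AUTOPILOT):
            # The comm time out is checked first: it is the more severe event.
            if t - self.last_any_pkt >= COMM_TIMEOUT_S:
                if self.gps_timed_out:
                    self._go(t, Mode.TERMINATED, "comm time out after GPS time out")
                else:
                    self.orbit_start, self.reacquired = t, False
                    self._go(t, Mode.LOST_COMM_ORBIT, "comm time out")
            elif (self.mode is Mode.MANUAL
                  and t - self.last_pilot_pkt >= PILOT_TIMEOUT_S):
                self._go(t, Mode.AUTOPILOT, "pilot time out")
        elif self.mode is Mode.LOST_COMM_ORBIT:
            # A GPS time out during the orbit is not covered by the text and
            # is deliberately left unmodelled here.
            if not self.reacquired and t - self.orbit_start >= ORBIT_LIMIT_S:
                self._go(t, Mode.AUTOLAND, "no link after 2 min of orbiting")


def replay(start_mode, events):
    """Replay (time, event) pairs; return the (time, mode, reason) transitions."""
    model = LostLinkModel(start_mode)
    handlers = {
        "pilot_pkt": lambda t: model.packet(t, pilot_control=True),
        "pkt": model.packet,
        "gps_timeout": model.gps_timeout,
        "land": model.land_command,
        "tick": lambda t: None,
    }
    for t, event in events:
        handlers[event](t)
        model.tick(t)
    return model.transitions


# Constructed timelines in seconds (not flight data).
TOTAL_LINK_LOSS = [(5.0, "pilot_pkt"), (6.9, "tick"), (7.0, "tick"),
                   (15.0, "tick"), (134.9, "tick"), (135.0, "tick")]
GPS_THEN_LINK_LOSS = [(3.0, "gps_timeout"), (5.0, "pkt"),
                      (14.9, "tick"), (15.0, "tick")]
LINK_RETURNS = [(5.0, "pkt"), (15.0, "tick"), (60.0, "pkt"),
                (200.0, "tick"), (210.0, "land")]

if __name__ == "__main__":
    for name, start, timeline in [
        ("manual flight, total link loss", Mode.MANUAL, TOTAL_LINK_LOSS),
        ("GPS time out, then link loss", Mode.AUTOPILOT, GPS_THEN_LINK_LOSS),
        ("link returns during orbit", Mode.AUTOPILOT, LINK_RETURNS),
    ]:
        print(name)
        for t, mode, reason in replay(start, timeline):
            print(f"  t={t:6.1f} s  -> {mode:16s} ({reason})")
```

Replaying a recorded link-quality log through such a model before a deployment shows which failsafe branch each outage would have triggered and whether the lost communication waypoint and autoland segment were set for the active COA area.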

90.4 Using COAs and FAA Interaction

This section describes additional provisions included in the actual COAs issued for
the Tempest UAS and notification procedures prior to flight. In general, there is
little interaction between the FAA Unmanned Program Office and the applicant once
the COA application has been submitted. As a result, the final approved Certificate of
Authorization could contain additional provisions or changes from the application.
Further, the COA describes procedures for interacting with air route traffic control
centers (ARTCCs) prior to flight.

90.4.1 COA Provisions

Fifty-nine distinct Certificates of Authorization were issued for the Tempest UAS
participation during VORTEX2. The COAs included some changes from the
original application and additional provisions that were not stated in the application.
The original Tempest UAS COAs required notification 72–48 h in advance of flight
operations. However, during the VORTEX2 campaign, the uncertainty of forecast-
ing the time and location of target supercell thunderstorms required shortening the
advance notice window. After submitting evidence to the UAPO and the ARTCCs in
the COA areas, “pen-and-ink” changes (a pen-and-ink change is terminology used by the FAA
to indicate a minor change to a previously issued COA document) were
made to the Tempest UAS COAs to shorten the notification requirements to 2 h.
Table 90.1 describes the main provisions directly stated in the COA document.
These include weather conditions suitable for flight operations, documentation
and additional clearances required by the UAS operations team, and operational
requirements. The most significant difference between the final COA and the
application was a reduction in allowable flight altitude (reduced from 3,000 to
1,000 ft) and allowable lateral separation (reduced from 1 to 1/2 mile). Through
personal communications, the FAA UAPO indicated that these limits represented
their judgement of the ranges at which the aircraft could be seen visually by the
ground observer.

Table 90.1 Summary of Main FAA Requirements for Tempest UAS Operations

Weather minimums
  Visibility of 3 statute miles
  UA must maintain 500-ft below and 2,000-ft lateral separation from clouds
  Daytime operations only: 1 h before sunrise until 1 h after sunset
Required documentation
  Vehicle airworthiness document
  Class 2 medicals for both the PIC and observer
  PIC knowledge of FAR Part 91 (class G airspace)
  Current private pilot certificate for the PIC (class E airspace)
  Hard copy of COA document
Operational requirements
  PIC must have 3 qualified events in the last 90 days
  Single UA operation only
  No dropping anything from the UA
  No loitering in Victor airways
  No operation in GPS test area or degraded RAIM
  PIC and observer must be in constant two-way communication
  UA cannot exceed 1,000 ft vertical and 1/2 or 1 mile horizontal from observer
  NOTAM must be issued 2 h prior to flight operations
  Incidents, accidents, and COA boundary deviations must be reported 24 h prior to any additional flights
  Monthly reports of operations must be submitted to the FAA

The specific requirements and procedures for UAS operations are contained in
the COA document. These are the same procedures outlined in Policy 08–01 (Davis
2008) applied to the specific UAS and COA area that include specific statements of
requirements for crew proficiency (e.g., PIC, observer, medicals, knowledge of FAR
61.105, 91.(3,7,13,17,111,113), limits, and currency) and instructions for contacting
an ARTCC or TRACON. The COAs required the pilot in command to have a
current private pilot certificate. This requirement was in place to ensure that the
PIC understood the operational procedures of aircraft in the U.S. National Airspace
System, not because the Tempest UAS handled like a manned aircraft. The PIC and
the observer, who monitored the aircraft at all times, were also required to pass class
2 medical certification.

90.4.2 Activating COA Areas

Several steps are required prior to flight operation in order to notify air route traffic
control centers and local airfields of pending UAS flights. The first step in activating
a COA is to issue a Notice to Airmen (NOTAM) (https://pilotweb.nas.faa.gov/PilotWeb/)
describing the planned activity. For the VORTEX2 mission, NOTAMs
could be issued for up to four different COA areas with 2-h advance notice. Because
the ARTCCs notify all pilots of NOTAMs in a given area, it was not feasible to issue
NOTAMs for all 59 COA areas. The 2-h advance notice was at the limits of the
meteorologists’ abilities to predict thunderstorm evolution. As a result, NOTAMs
could be rescinded and issued for different areas as needed, resetting the 2-h wait
time before flight operation could commence.
Although the COA areas in the applications were specified by the coordinates of
the bounding polygon, NOTAMs are issued based on radial distance and direction
from Very High Frequency Omni-Directional Radio Range Tactical Air Navigation
Aid (VORTACs). As a result, a better general strategy for COA applications is the
use of circular regions that can be specified easily from a VORTAC. Because the
COA areas and VORTACs are stationary, all pertinent information needed to issue a
NOTAM for a specific COA could be determined in advance. The example NOTAM
in Table 90.2 has all of the necessary information for other pilots operating in the
NAS. The NOTAM, number 09/003, informs of UAS operations in a 3NM radius
centered around a point that is 15NM from the BJC VORTAC off the 330° radial.
The operations are conducted 400-ft AGL and below from time 1500Z to 2100Z
on 3 September 2010. See FAA Order JO 7930.2M, section 6-1-7b
(http://www.faa.gov/documentLibrary/media/Order/NTM.pdf) for more details on NOTAMs for
UAS.
The final step in the notification process occurred 30 min before flight operations
could commence. At this point it was necessary to contact by telephone the
Denver ARTCC and any nearby airport or military operations desks. They will
require both the COA number and the NOTAM number associated with the
flight.

90.4.3 Reporting

There are three types of reports required by the FAA for UAS operation: accident
(NTS 2010), incident (NTS 2010), and monthly operational. These are all accessed
through the secure FAA web portal (https://ioeaaa.faa.gov/oeaaa/). There are also
real-time reporting requirements for loss of communication and/or violation of
COA boundaries, which are covered in the Emergency Procedures section. Monthly
operational reports were submitted for all active COAs within five business days of
the end of each month. They were submitted even if no operations took place under
a specific COA. The reports required information about the COA along with number
of operations and total hours.

Table 90.2 Example
NOTAM 09/003 – AIRSPACE UNMND AC 3 NMR BJC330015 400/BLW. 03 SEP 15:00 2010 UNTIL 03 SEP 21:00 2010. CREATED: 31 AUG 22:42 2010

Fig. 90.5 Composite radar, flight path, and COA boundary for supercell intercepts during the
VORTEX2 campaign (Elston et al. 2011b) (a) 6 May 2010, sampling scenario S3 (b) 26 May
2010, sampling scenario S2 (c) 6 June 2010, sampling scenario S1 (d) 7 June 2010, sampling
scenario S3 (e) 9 June 2010, sampling scenario S2 (f) 10 June 2010, sampling scenario S2

90.5 Case Study/Lessons Learned

A synopsis of a typical deployment will be presented next to better illustrate
the timing and pace of nomadic operations. This will be followed by some of
the lessons learned along with specifics on what can be improved for future
nomadic sampling missions within the confines of FAA regulations. There were six
successful flight experiments flown into storms during the VORTEX2 deployment.
Figure 90.5 contains trajectories of six different flight experiments that were done
during the VORTEX2 campaign utilizing different sampling scenarios.
The planning phase of the deployment was conducted from 36 to 2 h prior to
launch of the UA. This began with VORTEX2 PIs using data and models to predict
storms the evening before flight experiments. It continued the next morning with
examining any new data and setting a departure time and initial destination. The
entire armada would then begin driving to the destination, with any changes to the
target area being relayed to the individual team leaders.
At approximately 2 h prior to the predicted launch time, the meteorology lead
of the UAS team would select 4 COA areas that were most likely to be within the
target area, and these would be activated using NOTAMs. It should also be noted
that there were other notifications that may have to go out depending on the specific
COA areas such as nearby airports or Air Force bases. Since these were very specific
to each COA area, they will not be mentioned in detail here. These groups required
anywhere from 2 h to 5 min notice prior to launch. Also, during this phase of the
deployment, NOTAMs could be cancelled and new ones put in if the storm changed
direction. However, 2 h lead time was required from whenever the new NOTAM was
issued.
At 1 h prior to launch the flight preparations would commence for all parties
utilizing checklists. An example of one such checklist is given in Table 90.3 for the
ground control station operator. At some point in this period, up to 10 min before launch, the
meteorology lead would select a launch area and begin preparing the flight plan.
The team would then arrive at the location, finish prepping the UA, deploy all
mobile ground vehicles, and launch the UA.
During the flight experiment the flight plan would be changed depending on both
RADAR imagery of the storm and in situ data from the UA. Following the flight
experiment the UA would return to base, land, and all postflight checklists would
be utilized. This would include cancelling any active NOTAMs, notifying any flight
service groups as required by the COAs, and logging all necessary data for monthly
COA reports. For a more detailed description of the entire CONOPS, see Elston
et al. (2011b).
The system designed for VORTEX2 led to six successful and safe flight
experiments with no deviation from FAA rules for UAS. There were however several
important lessons learned that could lead to improved operations in the future and
more useful data for the scientific community.
The first major issue that was encountered was predicting which COA
areas the storms would pass through. The standard provisions require activating a
COA area between 48 and 72 h prior to flight operations. The initial solution was to
simply activate all 59 COA areas 2 days before we planned on flying. However, this
was found to be unsustainable for ATC since each COA area required a separate
NOTAM, and this many would overwhelm their system. In order to address this
issue, we worked with the FAA to reduce the activation time to 2 h. Permission was
also given to activate up to 4 COA areas at a time. However, the dynamic nature
of the storms made even this difficult to predict. An example of when this issue
came up was during sampling the June 10th storm; the team had to wait for the start
time of the NOTAM while there was already a tornado on the ground from the
storm. Being able to deploy sooner than the required 2-h time could potentially lead
to more useful data. The FAA has since reduced this time to 1 h for the 59 COA
areas.

Table 90.3 Example of One of the Checklists Used

Operator checklist
After power on
  Turn off van Wi-Fi
  Start averaging groundstation GPS
  Disable engine
  Set the pilot address
  Copy commands and verify all loops are auto
  Uncheck auto center and zoom as appropriate
  Verify COA area altitude and mission limits altitude
  Set up flight plans: lost comm, take-off, landing
  Zero air data with GPS altitude
  Test pitot-tube airspeed
  Turn on APS, verify tracking, and set to take-off orientation
  Start up B.A.T.M.A.N on focus through ssh
Preflight
  Check Piccolo voltage
  Check Servo voltage
  Check UA GPS
  Set the tracked waypoint to 10
  Check Piccolo 900MHz link
  Verify sonde operation
  Launch, start NetUAS timer
  Start APS tracking
  Notify tracker of handover
Postflight
  Kill engine
  Save config if it was changed
  Close OI and save log files to a new (reliable) location
  Run NetUAS log save scripts
  Turn off Piccolo GCS

The second major issue we encountered was the boundaries of the COA areas.
Figure 90.5a, b, f were successful sampling missions that got as far as the active
COA boundary and could not sample any further, losing out on some more data
that may have proved useful. There were also several other potential missions that
never flew because the storm was just outside of the COA area, including a very
promising one on June 11th. The solution to this problem is not as obvious. The
FAA did not want us to have a COA area larger than 20 × 20 miles since that would
be too large an area to keep traffic out of. Also, there is the issue of avoiding airports
(we arbitrarily chose 5 miles) and major roads. A potential solution to this issue is to
grant a single large COA spanning the entire 200 × 200 mile area and restrict us
to activating only a 20-mile diameter circle in that area at a given time where we
are responsible for avoiding airports and major roads. This gives the meteorologist
more precision to work with when activating COA areas. It was also found that
ATC prefers circular areas for the NOTAMs since they can just list a center point
and radius in the NOTAMs.

Conclusion
The capabilities needed for UAS to perform these nomadic science missions
currently exist, and the main bottleneck for these missions is satisfying FAA
regulations to perform safe operations. It is important to work with the FAA to
reach a compromise that satisfies both the scientific and engineering goals of the
project while being able to prove the necessary level of safety for operating in
the National Airspace System. This chapter used experience from the VORTEX2
UAS campaign to present information on obtaining COAs, working with the FAA
to conduct successful flight operations, and some lessons learned that could lead
to improved operations in the future.

References
V.G. Ambrosia, E. Hinkley, Nasa science serving society: improving capabilities for fire
characterization to effect reduction in disaster losses, in IEEE International Geoscience and Remote
Sensing Symposium, IGARSS 2008, Boston, vol. 4, 2008, pp. IV-628–IV-631.
doi:10.1109/IGARSS.2008.4779800
M. Ballinger, D. Bossert, Faa certification process for a small unmanned aircraft system: one
success story, in AIAA Infotech@Aerospace 2007 Conference and Exhibit, Rohnert Park, CA,
2007
T.X. Brown, B.M. Argrow, E.W. Frew, C. Dixon, D. Henkel, J. Elston, H. Gates, Experiments
using small unmanned aircraft to augment a mobile ad hoc network, in Emerging Technologies
in Wireless LANs: Theory, Design, and Deployment, chapter 28, ed. by B. Bing (Cambridge
University Press, Cambridge, 2007), pp. 123–145. ISBN-13:9780521895842
Cloudcap, The cloudcap website (2011), http://cloudcaptech.com
K.D. Davis, Interim Operation Approval Guidance 08–01: Unmanned Aircraft Systems Operations
in the U.S. National Airspace System, FAA Unmanned Aircraft Systems Program Office, 2008
J. Elston, Semi-autonomous small unmanned aircraft systems for sampling tornadic supercell
thunderstorms. Ph.D. thesis, University of Colorado, 2011. data/publications/11 thesis.pdf
J. Elston, M. Stachura, B. Argrow, C. Dixon, Guidelines and best practices for faa certificate
of authorization applications for small unmanned aircraft, in AIAA Infotech@Aerospace
Conference, St. Louis, MO, 2011a
J.S. Elston, J. Roadman, M. Stachura, B. Argrow, A. Houston, E.W. Frew, The tempest unmanned
aircraft system for in situ observations of tornadic supercells: design and vortex2 flight results.
J. Field Robot. (2011b). Accepted http://www.journalfieldrobotics.org/Home.html
S.A. Erickson, H. Brooks, Lead time and time under tornado warnings: 1986–2004, in 23rd
Conference on Severe Local Storms, St. Louis, MO, 2006
E.W. Frew, C. Dixon, J. Elston, B. Argrow, T.X. Brown, Networked communication, command,
and control of an unmanned aircraft system. AIAA J. Aerosp. Comput. Inf. Commun. 5(4),
84–107 (2008)
A. Houston, B. Argrow, J. Elston, J. Lahowetz, P. Kennedy, The collaborative colorado-nebraska
unmanned aircraft system experiment. Bull. Am. Meteorol. Soc. 93(1), 39–54 (2012)
R. Murphy, B. Argrow, Uas in the national airspace system: research directions. Unmanned Syst.
27(6), 23–28 (2009)
National Oceanic and Atmospheric Association, Vortex2: verification of the origins of rotation in
tornadoes experiment (2010), http://www.nssl.noaa.gov/vortex2/
Part 830 notification and reporting of aircraft accidents or incidents and overdue aircraft, and
preservation of aircraft wreckage, mail, National Transportation Safety Board, 2010
RCSpeeds (2011). http://rcspeeds.com/aircraftspeeds.aspx?rpt=LL
Skip Miller, The skip miller models website (2010), http://skipmillermodels.com
B. Tarbert, T. Wierzbanowski, Comprehensive Set of Recommendations for Suas Regulatory
Development, FAA Small Unmanned Aircraft System Aviation Rulemaking Committee, 2009
R.J. Van Vuren, Advisory Circular 91–57: Model Aircraft operating Standards, FAA Air Traffic
Organization, 1981
VORTEX2 SPO, Vortex2 scientific program overview (2007), http://www.vortex2.org/Documents/vortex2-spo-2007-0131.pdf
91 Hazard and Safety Risk Modeling

Konstantinos Dalamagkidis

Contents
91.1 Introduction
91.2 Equivalent Level of Safety
91.2.1 Manned Aviation Requirements
91.2.2 Derivation of an ELOS for UAS
91.3 UAS Accident Types
91.4 Ground Impact Fatality Risk Modeling
91.4.1 Ground Impact ELOS
91.4.2 Exposure to Ground Impact Accidents
91.4.3 Probability of Fatality of Exposed Persons
91.4.4 Frequency of Ground Impact Accidents
91.5 Midair Collision Fatality Risk Modeling
91.5.1 Midair Collision ELOS
91.5.2 Exposure and Risk of Fatality
91.5.3 Conflicting Trajectory Expectation
91.5.4 Collision Probability
91.6 Model Choice
91.7 Case Studies
91.8 Conclusion
References

Abstract
This chapter presents aspects of risk modeling with a focus on UAS. It provides
an overview of the current level of safety of manned aviation in terms of accident
statistics. These are then mapped as target levels for UAS under the “Equivalent
Level of Safety” principle to provide a glimpse at what that may entail for UAS
regulations. Different methodologies are presented for estimating the risk of
ground impact and midair collision accidents and how these estimates can be
translated to system requirements. The chapter also provides guidelines on the
use of different risk models and then applies a selection of them to five different
UAS in two distinct scenarios, to compare the results of different choices.

K. Dalamagkidis
Institut für Informatik I6, Technische Universität München, Garching bei München, Germany
e-mail: dalamagkidis@tum.de

K.P. Valavanis, G.J. Vachtsevanos (eds.), Handbook of Unmanned Aerial Vehicles,
DOI 10.1007/978-90-481-9707-1 35,
© Springer Science+Business Media Dordrecht 2015

91.1 Introduction

The primary goal of regulating UAS operations is to assure an appropriate level
of safety for those directly involved or indirectly affected. Many national aviation
agencies have stated that the goal is to achieve an “Equivalent Level of Safety” with
that of manned aviation, also known as the ELOS principle.
Since many UAS are based on military or general aviation aircraft, they share
aspects of the design and construction of the airframe and mechanical components.
This of course does not mean that unique designs have not evolved as well. The key
difference between manned and unmanned aviation lies in the separation of the pilot
from the cockpit and the level of automation introduced. This difference introduces
new failure modes and, as a result, an increased perceived risk that needs to be
evaluated and mitigated. Nevertheless, it is noteworthy that manned aviation has also
benefited from increased automation. According to Haddon and Whittaker (2002),
a considerable percentage of modern commercial aviation operations – including
landing – takes place autonomously with the pilots responsible only for monitoring
the computers.
This chapter is an analysis of what the ELOS requirement may entail for UAS
regulations. To accomplish this, the safety performance of manned aviation is first
evaluated. Then, an analysis is carried out to derive a model for estimating UAS risk
as the number of fatalities following an accident. Methods to derive estimates for
the parameters that affect risk and the rationale for choosing between the alternatives
are also presented. This analysis targets two major accident types, ground impact
and midair collisions. It should be noted that actual regulations will need to take
into account a number of issues and as a result may in the end diverge significantly
from the conclusions of this chapter.
This chapter cites material from two publications of the U.S. Range Commanders
Council. The first is the RCC 321-07 titled “Common Risk Criteria Standards
for National Test Ranges,” while the second is RCC 323-99 titled “Range Safety
Criteria for Unmanned Air Vehicles.” Both are to be used by range commanders
to ensure that operations within their ranges adhere to safety standards that are
acceptable by the military. The following is quoted from the first chapter of Range
Safety Group, Range Commanders Council (2007a):
The policies and criteria in this document are intended for use by members of the
DoD national ranges and Major Range and Test Facility Base (MRTFB). These policies
and criteria apply to launch and reentry hazards generated by endoatmospheric and
exoatmospheric range activities including both guided and unguided missiles and missile
intercepts, space launches, and reentry vehicles. This does not include aviation operations
or UAV operations. The RCC Document 323-99 (Range Safety Criteria for Unmanned Air
Vehicles) provides criteria for unmanned air vehicles.

Although this distinction is made, it was felt that in certain cases, the reader would
benefit from a presentation of certain, selected information from RCC 321-07. This
is because either this information is general and applies to most risk/reliability
assessments or valuable insight is to be gained from contrasting it with information
specific to UAS.

91.2 Equivalent Level of Safety

According to Joint JAA/Eurocontrol Initiative on UAVs (2004) and European
Aviation Safety Agency (2009), one of the guiding principles for UAS regulation
should be equivalence, and based on that, they assert the following:
Regulatory airworthiness standards should be set to be no less demanding than those
currently applied to comparable manned aircraft nor should they penalize UAS systems
by requiring compliance with higher standards simply because technology permits.

This principle has been widely adopted by most national aviation agencies
worldwide and is known as the ELOS requirement. For example, the Range Commanders
Council in its guidance on UAS operations states:
Any UAV operation or test must show a level of risk to human life no greater than that for
an operation or test of a piloted aircraft.
Range Safety Group, Range Commanders Council (1999a).

It should be noted that there is significant criticism aimed at the usefulness of
this principle in general. This is because of the difficulty inherent in specifying
what exactly the ELOS requirement entails and more importantly quantifying it.
In any case, in an effort to better define what the ELOS could be, the next section
investigates the requirements of current regulations for manned aviation.

91.2.1 Manned Aviation Requirements

Manned aviation is regulated through a code of requirements, which often refers
to standards for various aircraft subsystems as well as for all stages of design,
manufacture, and operation (Haddon and Whittaker 2002). Use of standards ensures
that the components of the system are reliable enough so that the whole system is
compliant with a set target level of safety (TLS). Regulations normally also contain
safety targets found in paragraph 1309 of current CS or the corresponding AMC
sections. These targets are typically presented as a risk reference system. Such a
system categorizes events based on their severity and assigns a maximum rate of
occurrence for each event category.
Figure 91.1 presents the risk reference system proposed in the 1309 AMC section
of EASA CS 25. There, a failure condition that includes injuries and/or fatalities is
categorized as hazardous and as such it should be extremely remote ($<10^{-7}$ events
per flight hour) (European Aviation Safety Agency (EASA) 2007). On the other
hand, the same publication considers multiple fatalities to be of catastrophic severity
with a likelihood requirement of $10^{-9}$ or less.

[Figure 91.1: risk matrix. Columns (severity): Catastrophic, Hazardous, Major, Minor,
No safety effect. Rows (likelihood): Probable ($> 10^{-5}$ h$^{-1}$), Remote ($< 10^{-5}$ h$^{-1}$),
Extremely remote ($< 10^{-7}$ h$^{-1}$), Extremely improbable ($< 10^{-9}$ h$^{-1}$).]

Fig. 91.1 Risk reference system for large manned aircraft (the grayed areas signify unacceptable
risk) (Source: European Aviation Safety Agency (EASA) (2007))

Table 91.1 FAR Part 23 aircraft classes and corresponding acceptable failure condition
probability based on severity, as defined in AC 23.1309-1C (Source: Federal Aviation
Administration (1999))

| Aircraft class | Minor | Major | Hazardous | Catastrophic |
|---|---|---|---|---|
| Class I (<2,720 kg, SRE) | $10^{-3}$ | $10^{-4}$ | $10^{-5}$ | $10^{-6}$ |
| Class II (<2,720 kg, STE, MRE) | $10^{-3}$ | $10^{-5}$ | $10^{-6}$ | $10^{-7}$ |
| Class III (>2,720 kg, SRE, MRE, STE, MTE) | $10^{-3}$ | $10^{-5}$ | $10^{-7}$ | $10^{-8}$ |
| Class IV (commuter) | $10^{-3}$ | $10^{-5}$ | $10^{-7}$ | $10^{-9}$ |

SRE, single reciprocating engine; MRE, multiple reciprocating engine; STE, single turbine engine;
MTE, multiple turbine engine

The risk reference system presented in Fig. 91.1 does not apply to all aircraft,
and variations exist for smaller or different types of aircraft. This is because it
was found that applying certification standards developed for transport category
aircraft to smaller ones led to unrealistically high equipment reliability requirements
(Federal Aviation Administration 1999). In addition to that, the results of accident
investigations showed that the main accident cause in manned aviation is pilot error.
As such, high equipment reliability would have only a minor effect on overall
aviation safety. In 1999, the FAA issued AC 23.1309-1C that contains AMC for
aircraft certified based on FAR Part 23. With this AC, four classes of aircraft within
that category were defined, each with different acceptable probabilities for failure
conditions, as shown in Table 91.1.

91.2.2 Derivation of an ELOS for UAS

Using the same risk reference system as the one presented in Fig. 91.1 or even
Table 91.1 is not straightforward because of the wide range of UAS sizes and
characteristics. In addition to that, UAS depend on the onboard flight control system
and/or the communication link to operate. This requirement introduces additional
failure modes that may increase the total number of accidents for the same reliability
requirement. On the other hand, since UAS do not carry passengers, the number of
people exposed to risk can be significantly lower. As a result, the probability of
injuries and fatalities after an accident is greatly reduced when compared with that
of general aviation or transport aircraft. The average number and severity of injuries
per accident is also expected to be lower.

Table 91.2 Fatality rates from all accidents based on analysis of NTSB accident data (National
Transportation Safety Board (NTSB) 2008b) between 1983 and 2006

| Rates per hour | Air carrier | Commuter | General aviation | Total |
|---|---|---|---|---|
| Accident | $2.43 \times 10^{-6}$ | $2.37 \times 10^{-5}$ | $8.05 \times 10^{-5}$ | $5.05 \times 10^{-5}$ |
| Fatalities aboard | $8.68 \times 10^{-6}$ | $1.64 \times 10^{-5}$ | $2.77 \times 10^{-5}$ | $2.06 \times 10^{-5}$ |
| Ground fatalities | $3.37 \times 10^{-7}$ | $8.30 \times 10^{-6}$ | $6.54 \times 10^{-7}$ | $1.31 \times 10^{-6}$ |

Since failure frequency requirements prescribed for manned aircraft of the same
size cannot be used directly, other means to derive such requirements for UAS
need to be employed. A different approach frequently used in safety engineering
is to define safety constraints for a specific accident based on the desired likelihood
of the worst possible outcome (Range Safety Group, Range Commanders Council
1999b). This can in turn be used to determine maximum failure frequency. For UAS
operations, the worst outcome of most accidents is the occurrence of one or more
fatalities, and as a result, the ELOS can be based on that. Although the ELOS may be
based on the frequency of accidents that result in one or more fatalities, such an ELOS
would also be inadequate since it fails to consider the effect of multiple fatalities.
Although current manned aviation regulation does not impose limits on fatality
rates, a statistical analysis of historical data can provide valuable insight on the
fatality rates of manned aviation and be the basis for defining the ELOS for UAS.
An analysis of NTSB accident data from 1983 to 2006 is presented in Table 91.2. It
should be noted that the exact rates may vary depending on the type of aviation
(general, regional/commuter, air carrier). Moreover, the period over which the
data are averaged can also play a role (Clothier and Walker 2006), since there is
significant variation from year to year, as shown in Fig. 91.2. This is also evident
from a U.S. Navy survey (Range Safety Group, Range Commanders Council 1999b)
that found an average of 18, 7, and 4.7 ground fatalities per 10 million flight
hours for U.S. Navy, commercial aviation, and general aviation, respectively. The
survey included data from 1980 to 1998 for U.S. Navy flights and from 1982 to
1998 for civil aviation. In most cases, an individual, annual risk of fatality of $10^{-6}$
is considered sufficiently low and below that of other typical everyday activities
(Range Safety Group, Range Commanders Council 2007b).
Other approaches have employed serious but nonfatal injuries as the basis
for their safety assessments, especially when, due to the nature of the accident,
fatalities are unlikely. As an example, Range Safety Group, Range Commanders
Council (2007b) proposes the use of casualty limits, the latter defined as the people
sustaining injuries of a certain severity and over. A study of NTSB data provided in
Range Safety Group, Range Commanders Council (2007b) shows that in aviation,
the ratio of casualties to fatalities shows little variation and is close to 2.5. Based on
this ratio, casualty limits can be derived from those used for fatalities. A common
casualty limit is that of $10^{-4}$ casualties per event, which has been used by a number
of agencies like NASA, the U.S. DoD, and the Space Licensing and Safety Office
of Australia (Range Safety Group, Range Commanders Council 2007b). The same
limit was chosen in Range Safety Group, Range Commanders Council (2007a),
complemented by an individual casualty risk probability limit of $10^{-6}$. Nevertheless,
the use of fatalities has also been advised as a supplemental metric, to better assess
the risk involved in an activity (Range Safety Group, Range Commanders Council
2007b).

[Figure 91.2: three panels (Gen. Aviation, Commuter, Air Carrier); y-axis: total fatality rate
per hour of flight, logarithmic from $10^{-8}$ to $10^{-4}$; x-axis: year, 1983 to 2004.]

Fig. 91.2 Fatality rates from general aviation, commuter, and air carrier accidents as a function
of time. Based on analysis of NTSB accident data (National Transportation Safety Board (NTSB)
2008b) between 1983 and 2006

The aforementioned proposed casualty and fatality limits can be contrasted with
estimated rates from other sources or activities, provided in Table 91.3, as well as
aviation accident statistics given in Table 91.2. When comparing these rates, one
must consider that in some activities, a higher risk may be acceptable because
of the perceived benefits of participation. It should also be noted that these rates
refer to collective risk (Range Safety Group, Range Commanders Council 2007b),
i.e., the averaged risk for the entire population. Depending on a person’s location,
activity, and other factors, the actual individual risk may be significantly higher
or lower.

Table 91.3 Estimated injury, casualty, and fatality rates from different sources or activities

| Activity/source | Injury rate (h$^{-1}$) | Casualty rate (h$^{-1}$) | Fatality rate (h$^{-1}$) |
|---|---|---|---|
| Motor vehicle accidents (all)^a | $1.35 \times 10^{-5}$ | $1.13 \times 10^{-6}$ | $1.40 \times 10^{-7}$ |
| Motor vehicle accidents (occupant)^a | $8.80 \times 10^{-6}$ | $6.73 \times 10^{-7}$ | $5.89 \times 10^{-8}$ |
| Pedestrian involved in collision with motor vehicle^a | $5.10 \times 10^{-7}$ | $8.92 \times 10^{-8}$ | $1.04 \times 10^{-8}$ |
| Unintentional falls^a | $2.45 \times 10^{-5}$ | $2.20 \times 10^{-6}$ | $6.06 \times 10^{-8}$ |
| Natural environment^a | $1.31 \times 10^{-7}$ | $1.44 \times 10^{-8}$ | $7.59 \times 10^{-9}$ |
| Bicycles and accessories^b | $1.50 \times 10^{-6}$ | $8.98 \times 10^{-8}$ | |
| Household appliances (ranges, refrigerators, washers)^b | $4.23 \times 10^{-7}$ | $1.81 \times 10^{-8}$ | |
| Baseball, basketball, and football combined^b | $2.59 \times 10^{-5}$ | $3.44 \times 10^{-7}$ | |
| London Blitz (civilian only)^c | N/A | $1.04 \times 10^{-6}$ | $6.22 \times 10^{-7}$ |

^a The number of injuries and fatalities are from the Web-based Injury Statistics Query and Reporting
System available from the Centers for Disease Control and Prevention, National Centers for Injury
Prevention and Control and correspond to emergency department admissions in the year 2005.
The rates were derived based on an estimated population of 296,410,404 and assuming that every
individual (regardless of age, sex, or location) is exposed to hazards involving each activity/source
an average of 3 h per day. The casualty rate is based on injury cases that required hospitalization
or transfer to other facilities such as trauma centers

^b The data are from the National Electronic Injury Surveillance System maintained by the U.S.
Consumer Product Safety Commission and concern the year 2007. The reported data did not make
a distinction between incidents requiring hospitalization and incidents involving deaths. The rates
are derived the same way as above, with the exception of the baseball, basketball, and football
activities, where an average exposure of 3 h per week is assumed instead

^c For the London Blitz, the civilian casualties were drawn from historical sources, and the rate was
obtained by dividing by the population of London in 1939 and by the number of days the Blitz
lasted, assuming continuous exposure

Significant differences can be expected between the effects of various accident
types. As a consequence, the ELOS and the risk analysis that will follow need be
derived for each accident separately. The following section provides an overview of
the accidents of interest in the case of UAS.

91.3 UAS Accident Types

UAS operations are subject to various hazards that can lead to three primary
accidents: unintended or abnormal system mobility operation (U.S. Department of
Defense 2007), midair collision, and early flight termination (Clothier et al. 2007).

Unintended or abnormal mobility operation refers to accidents that occur when
the UAS is still on the ground. In this case, the UAS may move unexpectedly,
potentially seriously injuring ground crew members. Such accidents usually happen
because of operator error. They may occur when the UAS operator does not have
a view of the UAS and incorrectly assumes that everyone has cleared the area.
This accident type will not be further investigated since the risk can be adequately
mitigated with better management of operations and stricter adherence to standard
operating procedures.
Midair collisions may occur between two UAS systems or between a UAS and
a manned aircraft. Depending on the nature of the collision, they can result in the
loss of one or both of the aircraft. A secondary accident usually following midair
collisions is ground impact of debris that may injure people and damage property.
Finally, early flight termination, either controlled or uncontrolled, will result in
ground or water impact. Under controlled flight termination, it may be feasible to
select the point of impact and possibly the speed and orientation of the aircraft. In
that case, this capability can be used to reduce the probability of fatalities as well as
damages to property and the aircraft itself.
Potential damages resulting from all these accidents include injury or fatality of
people on the ground or onboard another aircraft, damage or loss of the vehicle,
and damage to property. An indirect damage is environmental pollution either from
the payload of the aircraft or as a result of fuel leakage and/or fire following the
accident. This is especially important for UAS that will carry chemicals toxic to
human beings, for example, those used in agricultural applications.
A possible damage that is often ignored is that of societal rejection or outrage
that may disrupt future operations. This can occur as a consequence of a high
accident rate (even if no injuries occur) or if the accident involves cultural-/societal-
sensitive areas like national parks or monuments, schools, and churches. Figure 91.3
summarizes possible accidents and corresponding damages stemming from the
operation of UAS in the NAS.
The following sections present models to evaluate UAS risk for the two major
accident types: midair collisions and ground impact.

91.4 Ground Impact Fatality Risk Modeling

The expected frequency of fatalities ($f_F$) can be calculated by the following
equation:

$$f_F = N_{exp}\, P(\text{fatality} \mid \text{exposure})\, f_{GIA} \tag{91.1}$$

where $N_{exp}$ is the number of people exposed to the accident, $P(\text{fatality} \mid \text{exposure})$
is the probability a person will suffer fatal injuries given exposure to the accident,
and $f_{GIA}$ is the rate of ground impact accidents. The $P(\text{fatality} \mid \text{exposure})$ depends
on the resilience of the human body to injury as well as the level of sheltering.
A similar formulation to the model of (91.1) is provided in Range Safety Group,
Range Commanders Council (1999b):

$$f_F = A_{exp}\, \rho\, P(\text{fatality} \mid \text{exposure})\, f_{GIA}\, f_{shelter} \tag{91.2}$$

In (91.2), $N_{exp}$ is replaced by the product of the lethal area ($A_{exp}$) by the population
density ($\rho$). An additional term, the sheltering factor $f_{shelter}$, is introduced that takes
values from 0, denoting that everyone is sheltered from the impact, to 1, denoting
that nobody is sheltered. This formulation implies a type of “absolute sheltering,”
where any person considered sheltered is not affected by the impact.

[Figure 91.3: diagram. Primary accidents: ground impact, mid-air collision, unintended movement.
Secondary accidents: falling debris. Outcomes: injury or fatality, damage to property, impact on
society, damage/loss of system, impact on environment.]

Fig. 91.3 Primary and secondary accidents that can result from the operation of UAS and their
possible outcomes

In certain cases, the exposed population can be divided into groups. Each group is
assigned a different probability of fatality given exposure. This can occur when, for
example, part of the population is inside buildings and part is outside. In this case,
(91.1) can be expressed as follows:

$$f_F = f_{GIA} \sum_i N_{i,exp}\, P_i(\text{fatality} \mid \text{exposure}) \tag{91.3}$$

where subscript $i$ refers to the $i$th group. Although this approach offers better
accuracy, it also requires the availability of a library that contains the number of
people in each location and the level of their sheltering or at least estimates thereof
(Range Safety Group, Range Commanders Council 2007b).
Since the acceptable $f_F$ is provided by the ELOS requirement, if the $N_{exp}$ and
$P(\text{fatality} \mid \text{exposure})$ can be estimated, it is possible to determine the target level
of safety (TLS) for ground impact accidents given by $f_{GIA}$. Although (91.1) is
simple and straightforward, calculation of the terms involved in it is not. In fact,
there are a number of options that have been proposed for calculating both $N_{exp}$ and
$P(\text{fatality} \mid \text{exposure})$. The following section will start with the calculation of the $f_F$
term based on the ELOS principle.

91.4.1 Ground Impact ELOS

In determining the fatality rate requirement after ground impacts, special
consideration should be given to the fact that UAS are unmanned. This means that only
the number of fatalities on the ground is to be taken into account. According to
Table 91.2, this number represents only a very small percentage of the total fatalities,
about 6 %. The ground fatality rate calculated is in the order of $10^{-6}$ h$^{-1}$, although
a more conservative ELOS can be derived based on the ground fatality rate of air
carriers, which is in the order of $f_F = 10^{-7}$ h$^{-1}$.
It should be noted that Table 91.2 considers all accidents. An alternative analysis
can be used by considering only accidents where an in-flight collision with terrain
or water occurred (approximately 35 % of the total). The updated fatality rates
based on NTSB data for the period 1983–2006 are presented in Table 91.4. In this
case, the proposed ELOS would be in the order of $f_F = 10^{-8}$ h$^{-1}$, although it
does not include fatalities after emergency landings, ditching, and other situations.
If the latter are included, the ELOS is closer to $f_F = 10^{-7}$ h$^{-1}$ as shown in
Table 91.5.
For the subsequent analysis, the value for $f_F$ is set to $10^{-7}$ h$^{-1}$, which is the same
as that proposed in Range Safety Group, Range Commanders Council (2007b).
However, it should be noted that lower or higher acceptable fatality rates have also
been proposed in the past. In Weibel and Hansman (2004), although an ELOS of
$10^{-7}$ h$^{-1}$ was derived, a target of $10^{-8}$ h$^{-1}$ is proposed instead. This choice was
made in an effort to account for the fact that the benefits of UAS operations are
not evident to the general public, and as a result, the tolerance for fatalities will be
lower. In Clothier et al. (2007), analysis is based on multiple acceptable fatality
likelihoods ranging from $10^{-6}$ to $10^{-9}$ h$^{-1}$. The Range Safety Criteria for UAS
proposed a fatality rate of $10^{-6}$ h$^{-1}$ or less based on the U.S. Navy survey discussed
previously (Range Safety Group, Range Commanders Council 1999b), but their
requirements are for military operations that allow higher fatality rates. Finally the
NATO USAR adopted a TLS of $10^{-6}$ h$^{-1}$ for catastrophic UAS accidents (Joint
Capability Group on Unmanned Aerial Vehicles 2007), which corresponds to an
equal or higher fatality rate.
Although stricter requirements may be attractive, they can seriously impede
commercialization of UAS as well as their integration in the NAS.

Table 91.4 Fatality rates for accidents where an in-flight collision with terrain or water occurred.
Based on analysis of NTSB accident data (National Transportation Safety Board (NTSB) 2008a)
between 1983 and 2006

| Rates per hour | Air carrier | Commuter | General aviation | Total |
|---|---|---|---|---|
| Accident | $2.06 \times 10^{-7}$ | $9.33 \times 10^{-6}$ | $2.84 \times 10^{-5}$ | $1.77 \times 10^{-5}$ |
| Fatalities aboard | $4.71 \times 10^{-6}$ | $1.32 \times 10^{-5}$ | $2.16 \times 10^{-5}$ | $1.55 \times 10^{-5}$ |
| Ground fatalities | $9.84 \times 10^{-8}$ | $2.86 \times 10^{-8}$ | $4.46 \times 10^{-8}$ | $5.99 \times 10^{-8}$ |

Table 91.5 Fatality rates for accidents where one or a combination of in-flight collision with
terrain or water, hard/forced landing, runway overrun, or ditching occurred. Based on analysis
of NTSB accident data (National Transportation Safety Board (NTSB) 2008a) between 1983 and
2006

| Rates per hour | Air carrier | Commuter | General aviation | Total |
|---|---|---|---|---|
| Accident | $5.64 \times 10^{-7}$ | $1.56 \times 10^{-5}$ | $5.18 \times 10^{-5}$ | $3.21 \times 10^{-5}$ |
| Fatalities aboard | $4.85 \times 10^{-6}$ | $1.46 \times 10^{-5}$ | $2.41 \times 10^{-5}$ | $1.71 \times 10^{-5}$ |
| Ground fatalities | $1.01 \times 10^{-7}$ | $7.63 \times 10^{-8}$ | $8.43 \times 10^{-8}$ | $8.89 \times 10^{-8}$ |

Therefore, a conservative evaluation of the risk from emerging hazards is preferable,
since it can be later accommodated as flight hours accumulate and confidence in risk
estimates improves.

91.4.2 Exposure to Ground Impact Accidents

Assuming a uniform population density in the area affected by the crash, $N_{exp}$ can
be calculated as the product of that area ($A_{exp}$) by the population density ($\rho$):

$$N_{exp} = A_{exp} \cdot \rho \tag{91.4}$$

The population density used in (91.4) is typically estimated using the average
population density over the area the UAS will operate. Although use of the actual
population density will offer better precision, a standard population density can be
used as a reasonable estimate instead. Specifically, EASA has proposed the use of a
standard density of 200 ppl/km$^2$ (European Aviation Safety Agency (EASA) 2005).
This density was derived taking into account typical civil aviation operations, where
a significant percentage of flight time is spent over less densely populated areas. For
UAS designed to loiter over populated areas, a higher density will be necessary to
avoid underestimating the risk involved. A worst-case scenario of impact at the most
densely populated area within the area of operations may also be used to provide
a conservative estimate of $\rho$ (Range Safety Group, Range Commanders Council
1999b).
There are several ways to determine $A_{exp}$ based on impact characteristics.
For a vertical crash, this area may be approximated by the frontal area of the aircraft
augmented by a small buffer to account for the width of an average human (Weibel
and Hansman 2003). For a gliding descent, it can be approximated by (91.5), where
the wingspan and length of the aircraft have been increased by the radius of an
average person (Clothier and Walker 2006):

$$A_{exp} = W_{aircraft} \left( L_{aircraft} + \frac{H_{person}}{\sin(\text{glide angle})} \right) \tag{91.5}$$

It should be noted that in some cases, instead of the area exposed to the impact, a
casualty or lethal area is mentioned. In this case, attention should be paid to how
these areas are defined. This is because in some cases they are the same as $A_{exp}$,
while other times they are defined as the areas within which 100 % casualties or
fatalities are expected, respectively.
For example, Range Safety Group, Range Commanders Council (2007b) defines
a casualty area as the area where everyone is expected to receive injuries of
such severity that they will require hospitalization. On the other hand, the same
organization in Range Safety Group, Range Commanders Council (1999b) defines
the lethal area merely as an area of concern, obtained by

$$A_{exp} = (L_{aircraft} + 2\ \text{ft})\,(W_{aircraft} + 2\ \text{ft}) \tag{91.6}$$

for a vertically falling vehicle and

$$A_{exp} = (L_{aircraft} + L_{glide} + L_{stop} + 2\ \text{ft})\,(W_{aircraft} + 2\ \text{ft}) \tag{91.7}$$

where $L_{glide}$ is the gliding distance at an altitude of 6 ft and $L_{stop}$ is the distance
required for the aircraft to come to a stop.

91.4.3 Probability of Fatality of Exposed Persons

The human body is capable of sustaining a certain level of force or injury, and as
a result, presence of a person in an area affected by a crash does not guarantee a
fatality. Moreover, obstacles such as trees and buildings may provide shelter, thus,
increasing the chances of survival. It is evident, therefore, that the probability of
fatality of a person exposed to a crash need be modeled taking into account the
aforementioned factors, namely, human vulnerability and sheltering. This section
presents some of the approaches available. Nonetheless, a detailed account of the
problem of human vulnerability is beyond the scope of this chapter.
Despite the observations above, the most commonly used estimate for the
probability of fatality of an exposed person is the number one (Range Safety Group,
Range Commanders Council 1999a). This is because it is a conservative measure
that is not susceptible to criticism. On the other hand, it can easily be argued that
this measure can be overconservative especially in the case of small UAS.

According to the Range Commanders Council, an exception may be made to
the use of unit probability in the case of very light systems (Range Safety Group,
Range Commanders Council 1999b). In this case, a limit must be defined that
divides UAS into two categories, those that do and those that do not cause fatalities.
The limit can be based on that used for inert debris, specifically a kinetic energy
during impact of 15 J (11 ft lb) for casualty (i.e., reversible injury) and 34 J (25 ft lb)
for fatality (Range Safety Group, Range Commanders Council 2007b). The 15 J
criterion has been found to be close to the threshold of serious injury for a child
(Haber and Linn 2005), and, as a result, it can be stated that it is a conservative
measure that protects the entire population.
In an effort to take into account the fact that a person may survive a UAS
impact, Weibel et al. introduced a penetration factor for calculating the probability
of fatality (Weibel and Hansman 2004). This factor depends on the characteristics
of the UAS and aims at taking into account sheltering. Dalamagkidis (2010) argued
that Weibel’s estimate for smaller vehicles is overconservative while at the same
time it underestimates the lethality of larger systems. It was also mentioned that the
usefulness of the “penetration parameter” was limited since no method was provided
to consistently estimate it.
In a 1968 study, Feinstein et al. investigated the effects of blast, debris, and other
factors on people (Feinstein et al. 1968). To correlate the probability of fatality with
kinetic energy, log-normal curves were derived for impacts to different body parts.
Additionally, an averaged curve was proposed, given by

$$P(\text{fatality} \mid \text{exposure}) = Z\left( \frac{\ln E_{imp} - \ln a}{b} \right) \tag{91.8}$$

where $Z$ is the cumulative normal distribution whose value is typically obtained
from tables, $a = 103$ J is the energy required for a probability of fatality of 50 %,
and $b = 0.538$ is a parameter that affects how fast the probability rises as a function
of kinetic energy.
A drawback of Feinstein’s model is that it is difficult to adjust it to take into
account sheltering. This is because if parameter b was increased so that the curve
slope is decreased, the probability of fatality for low kinetic energies would increase.
As a result, any change of the b parameter to take into account sheltering would
require an adjustment of the a parameter as well.
A model to estimate $P(\text{fatality} \mid \text{exposure})$ as a function of kinetic energy at
impact ($E_{imp}$) that also takes into account sheltering in addition to human
vulnerability was proposed in Dalamagkidis et al. (2008) and then revised in Dalamagkidis
et al. (2012). The model is a variation of the logistic growth model that aligns well
with other human vulnerability models including models such as Feinstein’s. That
model is given by

$$P(\text{fatality} \mid \text{exposure}) = \frac{1 - k}{1 - 2k + \sqrt{\frac{\alpha}{\beta}} \left[ \frac{\beta}{E_{imp}} \right]^{\frac{3}{p_s}}} \tag{91.9}$$

where $k = \min\left( 1, \left[ \frac{\beta}{E_{imp}} \right]^{\frac{3}{p_s}} \right)$ is a correction factor used to improve the estimates
given for low kinetic energies, especially those close to, or below, the threshold limit
of 34 J.

[Figure 91.4: probability of fatality (0 to 1) versus kinetic energy in joules (logarithmic,
$10^1$ to $10^9$); curves: Conservative, Dalamagkidis, Feinstein, Weibel; curve annotations
$p_s = 1$ and $p_s = 6$.]

Fig. 91.4 A comparison of the vulnerability models of Feinstein, Dalamagkidis, and Weibel as
well as the conservative approach of unit probability above the 34 J kinetic energy threshold

The sheltering parameter $p_s$ determines how exposed the population is to an
impact and takes values in the range $(0, \infty)$. It is a function of the amount of
obstacles in the crash trajectory of the aircraft that can absorb impact energy or
deflect debris as well as the ability of people to take shelter behind such obstacles.
It takes an average value of 1, with higher values meaning better sheltering and
a lower probability of fatality for the same kinetic energy. The $\alpha$ parameter is
the impact energy required for a fatality probability of 50 % when $p_s = 6$.
Finally the $\beta$ parameter is the impact energy threshold required to cause a fatality
as $p_s$ goes to zero. Based on the fatality limit of Range Safety Group, Range
Commanders Council (2007b), the $\beta$ parameter can be considered to be a constant
with value 34 J.
The fatality probability models presented in this section are compared in
Fig. 91.4.

91.4.3.1 Kinetic Energy Estimation


Many human vulnerability models involve the kinetic energy at impact or other
functions of impact speed and object mass. This speed may vary depending on the
UAS and the descent characteristics, and as a result, a suitable estimate must be
used. A useful conservative substitute for the impact speed is terminal velocity.
The latter can be calculated from (91.10), where $m$ is the vehicle mass, $g$ is
the acceleration of gravity, $\rho_\alpha$ is the air density, $A$ is the cross-sectional area
of the vehicle, and $C_d$ is its drag coefficient. The latter two parameters are not
always available, since they vary with the orientation of the aircraft during a
descent:

$$E_{imp} = \frac{m^2 g}{\rho_\alpha A C_d} \tag{91.10}$$

The use of the maximum between the terminal velocity and the velocity not to
exceed provided by the manufacturer is proposed as an alternative in Range Safety
Group, Range Commanders Council (1999b).
In Haddon and Whittaker (2002), Joint JAA/Eurocontrol Initiative on UAVs
(2004), and European Aviation Safety Agency (EASA) (2005), instead of the
terminal velocity, the use of the maximum operating velocity ($v_{op}$) increased by
40 % is proposed. This choice overcomes the problem of accurately
estimating the parameters required to calculate the terminal velocity, greatly simplifying
calculations. The kinetic energy can then be calculated as

$$E_{imp} \approx m v_{op}^2 \tag{91.11}$$

It may also be argued that when the mass of the impacting object is comparable
to or larger than that of the body part struck, not all of the object’s kinetic energy
will be absorbed. In fact, after the impact, the object will continue to move, in
unison with the body, retaining some kinetic energy. The energy absorbed during
the collision can be calculated based on momentum conservation (Sturdivan et al.
2004):

$$E = \frac{1}{2} m_1 v_1^2 \left( 1 - \frac{m_1}{m_1 + m_2} \right) \tag{91.12}$$

where $m_1$ and $v_1$ are the mass and velocity of the object and $m_2$ refers to
the effective mass of the body part struck. As a result, when $m_1 \ll m_2$, the
effective energy is equal to the kinetic energy of the projectile. It should be
noted that when body movement is constrained (e.g., from a wall), then (91.12)
no longer applies and the entire kinetic energy is to be used (Sturdivan et al.
2004).
Irrespective of which of the aforementioned methods is used to calculate the
kinetic energy of the impacting object, if a person is sheltered within a building or a
vehicle, some of the kinetic energy will be exhausted to penetrate the shelter. As a
result, the energy used in the vulnerability model may be also adjusted to take into
account the effects of sheltering. The following section provides a more detailed
account of the factors that need to be considered when incorporating the effects
of sheltering, either by kinetic energy adjustments or by estimating the value of a
parameter in the vulnerability model.
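
The ground-impact chain of Eqs. (91.1), (91.3)-(91.5) and (91.8)-(91.11), carried through numerically as an added example (not code from the chapter): given an acceptable fatality rate, it solves for the tolerable ground impact rate under each vulnerability model. The 5 kg vehicle and its dimensions, the 1.8 m person height, sea-level air density and the value of alpha are assumed for illustration; a = 103 J and b = 0.538 are read as printed in the text.

```python
"""Ground-impact target level of safety from Eqs. (91.1)-(91.11)."""
import math

BETA_J = 34.0   # fatality threshold energy in J (beta in Eq. 91.9, from the text)
G = 9.81        # acceleration of gravity in m/s^2


def energy_terminal(mass_kg, area_m2, c_d, rho_air=1.225):
    """Eq. (91.10): kinetic energy at terminal velocity, m^2 g / (rho A C_d).
    rho_air defaults to sea-level air density (assumption)."""
    return mass_kg ** 2 * G / (rho_air * area_m2 * c_d)


def energy_vop(mass_kg, v_op):
    """Kinetic energy at 1.4 * v_op; Eq. (91.11) rounds 0.98 m v_op^2 to m v_op^2."""
    return 0.5 * mass_kg * (1.4 * v_op) ** 2


def p_fatal_unit(e_imp):
    """Conservative approach: unit probability above the 34 J threshold."""
    return 1.0 if e_imp > BETA_J else 0.0


def p_fatal_feinstein(e_imp, a=103.0, b=0.538):
    """Eq. (91.8): Z((ln E_imp - ln a) / b), Z = standard normal CDF."""
    if e_imp <= 0.0:
        return 0.0
    z = (math.log(e_imp) - math.log(a)) / b
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def p_fatal_dalamagkidis(e_imp, alpha, p_s, beta=BETA_J):
    """Eq. (91.9) with correction factor k = min(1, (beta / E_imp)^(3 / p_s))."""
    if alpha <= beta or p_s <= 0.0:
        raise ValueError("need alpha > beta and p_s > 0")
    if e_imp <= beta:           # k = 1, numerator vanishes; also avoids overflow
        return 0.0
    ratio = (beta / e_imp) ** (3.0 / p_s)
    k = min(1.0, ratio)
    return (1.0 - k) / (1.0 - 2.0 * k + math.sqrt(alpha / beta) * ratio)


def exposed_area_glide(width_m, length_m, glide_angle_deg, h_person=1.8):
    """Eq. (91.5). width_m and length_m must already include the person-radius
    buffer the text describes; h_person = 1.8 m is an assumed height."""
    if not 0.0 < glide_angle_deg <= 90.0:
        raise ValueError("glide angle must be in (0, 90] degrees")
    return width_m * (length_m + h_person / math.sin(math.radians(glide_angle_deg)))


def n_exposed(area_m2, density_per_km2=200.0):
    """Eq. (91.4): N_exp = A_exp * rho; 200 ppl/km^2 is the EASA standard density."""
    return area_m2 * density_per_km2 / 1.0e6


def tls_ground_impact(groups, f_f=1.0e-7):
    """Invert Eq. (91.3): f_GIA = f_F / sum_i(N_i,exp * P_i).
    groups is a list of (N_i_exp, P_i) pairs; one pair reduces to Eq. (91.1)."""
    expected = sum(n * p for n, p in groups)
    if expected <= 0.0:
        return math.inf         # nobody at risk: f_F imposes no limit
    return f_f / expected


if __name__ == "__main__":
    # Constructed sample vehicle (not from the chapter); alpha is an assumed value.
    mass, v_op = 5.0, 20.0
    e_imp = energy_vop(mass, v_op)
    n_exp = n_exposed(exposed_area_glide(2.0, 1.0, 30.0))
    models = [("unit", p_fatal_unit(e_imp)),
              ("Feinstein", p_fatal_feinstein(e_imp)),
              ("Dalamagkidis", p_fatal_dalamagkidis(e_imp, alpha=1.0e6, p_s=6.0))]
    for name, p in models:
        f_gia = tls_ground_impact([(n_exp, p)])
        print(f"{name:13s} P={p:.4f}  f_GIA={f_gia:.3e} /h  MTBF={1 / f_gia:,.0f} h")
```

With unit probability the sample vehicle must average 18,400 h between ground impacts to meet the chosen fatality rate; the sheltered model relaxes that figure by the inverse of its fatality probability.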

91.4.3.2 Sheltering Estimation


In certain situations, even when some sheltering is available, a conservative estimate
of no sheltering may be used (Range Safety Group, Range Commanders Council
1999b). Nevertheless, this could lead to overconservative results, especially when
a significant percent of the population is protected by vehicles and buildings.
When estimating the sheltering effect, all the contributing factors need to be
evaluated. These factors include the position of the body (standing, sitting, or prone),
the sheltering provided by buildings or other structures, and the level of danger
awareness.
Body position is normally taken into account in the vulnerability model. This is
typically achieved by averaging the injury expectations calculated for different body
positions. It should be noted that even when a specific area implies that the majority
of the exposed population will be in a specific position (e.g., prone for a beach),
using just the prone position parameters may be too conservative (Cole et al. 1997).
Buildings, vehicles, and other objects may reduce the risk of injury by absorbing
part of or even the entire impact energy. For buildings the kinetic energy required
to penetrate the structure needs to be considered (Range Safety Group, Range
Commanders Council 2007b). This energy can be as low as 23 J for a roof made
of a sheet of 24 gage corrugated aluminum and can exceed 560 J for roofs
made of light concrete on 22 gage corrugated steel decking (Range Safety Group,
Range Commanders Council 2007b). Although the examples given concern vertical
impacts, in most cases, side impacts will also need to be considered (Range Safety
Group, Range Commanders Council 2007b). Additionally, if an object manages
to penetrate a structure, it is possible for material from the damaged structure to
fall, causing secondary hazards (Range Safety Group, Range Commanders Council
2007b).
It should be noted that the aforementioned limits concern an irregular, compact,
tumbling steel fragment (Range Safety Group, Range Commanders Council 2007b).
As a result, a UAS may require additional energy to penetrate the same roof. This is
because UAS are constructed from lighter, less dense materials, because their kinetic
energy is going to be distributed over a larger area, and because some energy may
also be expended for fragmentation instead of penetration. If the types of structures
in an area vary significantly, it is possible to group buildings into different classes
and apply the approach of (91.3), assuming that the distribution of the population
within the buildings is known or can be estimated. Accurate prediction of the effect
of sheltering with the aforementioned methodology is difficult. This is because
it requires precise knowledge regarding the construction of all structures in the
affected area as well as the people and their activities during impact. To overcome
this limitation, it is generally acceptable to make estimates based on average or
worst-case scenarios. Compatible with the worst-case scenario is to assume that all
buildings offer the sheltering effect of the worst buildings.
Besides the approach of subtracting the energy required to penetrate the structure
from the energy available to cause a fatality that was mentioned in the previous
section, a more conservative approach is also possible. The latter assumes that if an
object has sufficient energy to penetrate a structure, everyone inside is going to be a
casualty or fatality (Range Safety Group, Range Commanders Council 2007b).
Danger awareness may also significantly improve the odds of a person surviving
a UAS impact. This is because a person that is aware of the UAS can react sooner
and either avoid the UAS entirely or take better shelter. To account for this, as
well as the fact that the risk is taken on a voluntary basis, it has been proposed
to use a larger allowable risk of fatality or casualty (Range Safety Group, Range
Commanders Council 2007b). On the other hand, it is unlikely that people other
than the UAS operating crew will have that benefit.

91.4.4 Frequency of Ground Impact Accidents

The frequency of ground impact accidents ($f_{GIA}$) is a function of the reliability of
the UAS. If a limit for it is known or estimated from (91.1), then the UAS can be
designed to meet the set TLS. For example, in Range Safety Group, Range Commanders
Council (2007b), a limit of $10^{-7}$ aircraft impacts per mission is proposed that could
be used to obtain a limit for $f_{GIA}$. Alternatively, if the actual $f_{GIA}$ is known, it can be
used to determine whether an existing system with known reliability would violate
safety limits.
The actual $f_{GIA}$ can be estimated from the history of the UAS itself, provided
that a sufficient number of flight hours have accumulated. If the UAS has a
long history, the most recent data are to be preferred, since older data may
not represent its current performance (Range Safety Group, Range Commanders
Council 1999b).
An issue arises with newer systems with few flight hours, which may not yet have
exhibited a failure that led to an accident. In this case, if the UAS is based
on a previous model and shares a significant amount of design characteristics, its
reliability can be assumed to be the same as that of the previous model (Range
Safety Group, Range Commanders Council 1999b). Otherwise, the $f_{GIA}$ can be
estimated using Table 91.6 (Range Safety Group, Range Commanders Council
1999b). The aforementioned table was derived under the assumption of stochastic
system behavior, exponential failure distribution and no significant changes in the
system or its environment. As a result, care should be taken when using Table 91.6,
especially in the case of UAS that are experimental or still in development, since
these assumptions may not hold. In that case or when there is a need for a
conservative estimate, worst-case assumptions can be made. Such assumptions may
take the form of one crash per flight or per flight hour (Range Safety Group, Range
Commanders Council 1999b).
If a formal reliability assessment has been carried out for the particular UAS
model that included a Failure Mode and Effects Analysis (FMEA) or similar study,
then its conclusions can also be used to estimate $f_{GIA}$ (Range Safety Group, Range
Commanders Council 1999b). That estimate may be increased by a safety margin
to account for failure modes that may have been overlooked or underestimated.

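Table 91.6 Estimate of the expected frequency of ground impact accidents for new UAS. The
value shown represents a confidence of 95 % that the actual $f_{GIA}$ is less than or equal to $\hat{f}_{GIA}$
(Source: Range Safety Group, Range Commanders Council (1999b))

| Flight hours without crash | $\hat{f}_{GIA}$ |
|---|---|
| 10 | $3 \times 10^{-1}\ \mathrm{h}^{-1}$ |
| 30 | $1 \times 10^{-1}\ \mathrm{h}^{-1}$ |
| 100 | $3 \times 10^{-2}\ \mathrm{h}^{-1}$ |
| 300 | $1 \times 10^{-2}\ \mathrm{h}^{-1}$ |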
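The entries of Table 91.6 agree, to one significant figure, with the zero-failure bound of an exponential failure model, $\hat{f}_{GIA} = -\ln(1 - 0.95)/T$ for $T$ crash-free flight hours. The Python below is an added example, not code from the chapter or from its source; the function names are hypothetical, and the case with observed crashes (a Poisson count solved by bisection) goes beyond what the table covers.

```python
import math

# Table 91.6 as printed: crash-free flight hours -> 95 % bound (per hour)
TABLE_91_6 = {10: 3e-1, 30: 1e-1, 100: 3e-2, 300: 1e-2}


def poisson_cdf(k, mu):
    """P(N <= k) for a Poisson count N with mean mu."""
    term = math.exp(-mu)
    total = term
    for i in range(1, k + 1):
        term *= mu / i
        total += term
    return total


def f_gia_upper_bound(flight_hours, crashes=0, confidence=0.95):
    """Upper confidence bound on the ground impact rate, in crashes per hour.

    Assumes a constant failure rate (exponential time to failure), so the
    number of crashes in `flight_hours` is Poisson distributed. The bound is
    the rate at which observing `crashes` or fewer has probability
    1 - confidence.
    """
    if flight_hours <= 0:
        raise ValueError("flight_hours must be positive")
    if crashes < 0 or not 0.0 < confidence < 1.0:
        raise ValueError("need crashes >= 0 and 0 < confidence < 1")
    alpha = 1.0 - confidence
    if crashes == 0:
        # exp(-rate * T) = alpha  =>  rate = -ln(alpha) / T
        return -math.log(alpha) / flight_hours
    # No closed form once crashes were observed: bisect on mu = rate * T.
    lo, hi = 0.0, 1.0
    while poisson_cdf(crashes, hi) > alpha:
        hi *= 2.0
    for _ in range(100):
        mid = 0.5 * (lo + hi)
        if poisson_cdf(crashes, mid) > alpha:
            lo = mid
        else:
            hi = mid
    return hi / flight_hours


def hours_needed(target_rate, confidence=0.95):
    """Crash-free flight hours needed to demonstrate `target_rate` per hour."""
    if target_rate <= 0:
        raise ValueError("target_rate must be positive")
    return -math.log(1.0 - confidence) / target_rate


def one_sig_fig(x):
    """Round a positive number to one significant figure, as the table does."""
    exponent = math.floor(math.log10(x))
    return round(x / 10.0 ** exponent) * 10.0 ** exponent


if __name__ == "__main__":
    for hours, printed in TABLE_91_6.items():
        bound = f_gia_upper_bound(hours)
        print(f"{hours:>4} h  bound={bound:.5f}/h  "
              f"rounded={one_sig_fig(bound):g}  table={printed:g}")
    print("100 h with one crash:", f_gia_upper_bound(100, crashes=1), "per hour")
    print("crash-free hours to show 1e-5/h:", round(hours_needed(1e-5)))
```

The last line shows why this route is only practical for coarse limits: demonstrating a rate of $10^{-5}\ \mathrm{h}^{-1}$ this way takes roughly 300,000 crash-free flight hours.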

91.5 Midair Collision Fatality Risk Modeling

The expected frequency of fatalities ($f_F$) following midair collision accidents can
be calculated by the following equation:

$$f_F = E(\text{fatality} \mid \text{collision})\, f_{MaC} \qquad (91.13)$$
$$\hphantom{f_F} = N_{exp}\, P(\text{fatality} \mid \text{collision})\, P(\text{collision} \mid \mathrm{CT})\, f_{CT} \qquad (91.14)$$

where $E(\text{fatality} \mid \text{collision})$ is the expected number of fatalities after a crash
and $f_{MaC}$ is the rate of midair collision accidents. The former can be calculated
as the product of the number of people exposed to the accident ($N_{exp}$)
by the probability a person will suffer fatal injuries given exposure to the accident
($P(\text{fatality} \mid \text{collision})$). The $f_{MaC}$ term can be calculated as the product of
the probability of collision given that two aircraft are in conflicting trajectories
($P(\text{collision} \mid \mathrm{CT})$) by the frequency of occurrence of conflicting trajectories ($f_{CT}$).
As in the case of ground impact accidents, since the acceptable $f_F$ is provided
by the ELOS requirement, it is possible to determine the target level of safety (TLS)
for midair collision accidents given by $f_{MaC}$. Moreover, if the actual frequency of
occurrence of conflicting trajectories is known from historical data, the maximum
acceptable value of $P(\text{collision} \mid \mathrm{CT})$ can be determined, which maps directly to the
capabilities of the sense and avoid system.

91.5.1 Midair Collision ELOS

In order for an ELOS to be derived, accident statistics involving midair collisions
are required. The NTSB has defined two categories of relevant accidents: in-flight
collisions with obstacles like birds, trees, and power lines and midair collisions
with other aircraft. The results from the analysis of NTSB data involving these two
accident categories are tabulated in Tables 91.7–91.9.
In contrast to the ground impact accidents, the ELOS for midair collision
accidents should include the total number of fatalities. This is because onboard
fatalities are possible when the accident is between a UAS and a manned aircraft.

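Table 91.7 Fatality rates for accidents where an in-flight collision with obstacles (e.g., birds,
trees, power lines) occurred. Based on analysis of NTSB accident data (National Transportation
Safety Board (NTSB) 2008a) between 1983 and 2006

| Rates per hour | Air carrier | Commuter | General aviation | Total |
|---|---|---|---|---|
| Accident | $1.34 \times 10^{-7}$ | $3.22 \times 10^{-6}$ | $1.33 \times 10^{-5}$ | $8.17 \times 10^{-6}$ |
| Fatalities aboard | $9.67 \times 10^{-7}$ | $2.67 \times 10^{-6}$ | $6.27 \times 10^{-6}$ | $4.25 \times 10^{-6}$ |
| Ground fatalities | $5.97 \times 10^{-9}$ | $3.81 \times 10^{-8}$ | $5.73 \times 10^{-8}$ | $3.93 \times 10^{-8}$ |
| Total fatalities | $9.73 \times 10^{-7}$ | $2.71 \times 10^{-6}$ | $6.32 \times 10^{-6}$ | $4.29 \times 10^{-6}$ |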

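Table 91.8 Fatality rates for accidents where a midair collision with another aircraft occurred.
Based on analysis of NTSB accident data (National Transportation Safety Board (NTSB) 2008a)
between 1983 and 2006

| Rates per hour | Air carrier | Commuter | General aviation | Total |
|---|---|---|---|---|
| Accident | None | $2.76 \times 10^{-7}$ | $5.90 \times 10^{-7}$ | $3.74 \times 10^{-7}$ |
| Fatalities aboard | None | $6.96 \times 10^{-7}$ | $1.04 \times 10^{-6}$ | $6.82 \times 10^{-7}$ |
| Ground fatalities | None | $1.91 \times 10^{-8}$ | $2.86 \times 10^{-8}$ | $1.87 \times 10^{-8}$ |
| Total fatalities | None | $7.15 \times 10^{-7}$ | $1.07 \times 10^{-6}$ | $7.01 \times 10^{-7}$ |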

Table 91.9 Fatality rates for accidents where either a midair collision with an object or another
aircraft occurred. Based on analysis of NTSB accident data (National Transportation Safety Board
(NTSB) 2008a) between 1983 and 2006

| Rates per hour | Air carrier | Commuter | General aviation | Total |
|---|---|---|---|---|
| Accident | $1.34 \times 10^{-5}$ | $3.48 \times 10^{-6}$ | $1.38 \times 10^{-5}$ | $8.53 \times 10^{-6}$ |
| Total fatalities | $9.73 \times 10^{-7}$ | $3.42 \times 10^{-6}$ | $7.40 \times 10^{-6}$ | $4.99 \times 10^{-6}$ |
| Total fatalities$^a$ | $5.97 \times 10^{-9}$ | $7.53 \times 10^{-7}$ | $1.13 \times 10^{-6}$ | $7.40 \times 10^{-7}$ |

$^a$ Excluding fatalities aboard after collisions with objects other than aircraft

From the NTSB accident data in Table 91.9, it can be argued that the fatality
rate following midair collisions with aircraft or other obstacles is in the order of
$f_F = 10^{-6}\ \mathrm{h}^{-1}$. A more conservative estimate of $f_F = 10^{-7}\ \mathrm{h}^{-1}$ can be reached
from the same table, if the onboard fatalities after a collision with obstacles other
than aircraft are ignored. By deriving the expected number of fatalities after a
midair collision accident, it is then possible to determine the maximum acceptable
frequency of such accidents.
Another approach is to assume that in the case of midair collisions, the fatality
expectation is the same, regardless of whether a UAS was involved in the accident.
Although this assumption is more conservative, it simplifies subsequent analysis,
since one may directly obtain the accident TLS for midair collisions. Based on the
NTSB data of Table 91.9, the average rate of midair collisions involving manned
aircraft is $7.40 \times 10^{-7}$, and under ELOS requirements, a maximum midair collision
rate of $f_{MaC} = 10^{-7}\ \mathrm{h}^{-1}$ can be proposed for UAS.

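Table 91.10 Maximum acceptable accident frequency depending on ATC type, flight phase, and
aircraft threatened. The collision accident criteria to be applied corresponds to the one for the
highest category of aircraft threatened (Source: INnovative Operational UAS Integration (INOUI)
(2009))

| ATC type | Flight phase | >2,730 kg | MEP/SET <2,730 kg | SEP <2,730 kg |
|---|---|---|---|---|
| Area control | En route inbound | $3 \times 10^{-9}$ | $3 \times 10^{-8}$ | $3 \times 10^{-7}$ |
| | En route outbound | $1 \times 10^{-9}$ | $1 \times 10^{-8}$ | $1 \times 10^{-7}$ |
| | En route transit | $3 \times 10^{-9}$ | $3 \times 10^{-8}$ | $3 \times 10^{-7}$ |
| Approach | Departure | $1 \times 10^{-9}$ | $1 \times 10^{-8}$ | $1 \times 10^{-7}$ |
| | Init and interm app | $3 \times 10^{-9}$ | $3 \times 10^{-8}$ | $3 \times 10^{-7}$ |
| | Final approach | $3 \times 10^{-9}$ | $3 \times 10^{-8}$ | $3 \times 10^{-7}$ |
| Tower | Landing | $8 \times 10^{-9}$ | $8 \times 10^{-8}$ | $8 \times 10^{-7}$ |
| | Line-up | $3 \times 10^{-9}$ | $3 \times 10^{-8}$ | $3 \times 10^{-7}$ |
| | Start-up/push-back | $8 \times 10^{-9}$ | $8 \times 10^{-8}$ | $8 \times 10^{-7}$ |
| | Takeoff | $8 \times 10^{-9}$ | $8 \times 10^{-8}$ | $8 \times 10^{-7}$ |
| | Taxiing | $6 \times 10^{-8}$ | $6 \times 10^{-7}$ | $6 \times 10^{-6}$ |

MEP, multiengine piston; SET, single-engine turbine; SEP, single-engine piston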

Other accident frequency limits proposed for UAS take into account both the
manned aircraft threatened and the phase of flight. Such an approach was taken by
INOUI, which proposed the limits presented in Table 91.10.
Finally, it should be noted that not all collisions lead to catastrophic accidents.
The large variability of aircraft sizes and designs, whether manned or unmanned,
and the fact that not all their systems are critical for remaining airborne, means
that certain collisions may be survived by one or even both of the aircraft involved.
Nevertheless, since it is nearly impossible to account for every possible collision
scenario and its effects, every collision is considered a catastrophic accident for
both aircraft.

91.5.2 Exposure and Risk of Fatality

The number of people exposed to the accident, as well as the probability of them
sustaining fatal injuries, depends on the aircraft that are involved in the accident and
the passengers they carry. As a result, it is difficult to get a good estimate without a
priori knowledge of all air traffic in the area of operations.
A more general estimate can be derived by noting that the product of $N_{exp}$ and
$P(\text{fatality} \mid \text{collision})$ is in fact the expected number of fatalities per accident. Using
the NTSB accident data of Table 91.9, this product is higher for commuter aviation
where it takes a value of one, while on average it is closer to 0.58. Moreover, if
the onboard fatalities after a collision with obstacles other than aircraft are ignored,
the expected number of fatalities per accident drops to below 0.09. It should be
noted that this estimate can be considered conservative because in contrast with
the accident data it was derived from, the midair collisions of interest will always
involve at least one aircraft that is unoccupied.

91.5.3 Conflicting Trajectory Expectation

In Weibel and Hansman (2004), the midair collision risk assessment was based on
the use of a gas model of aircraft collisions to estimate the number of expected
collisions per hour of flight ($f_{MaC}$) from

$$f_{MaC} = \frac{A_{exp}\, d}{V\, t} \qquad (91.15)$$

where $A_{exp}$ is the exposed area of the threatened aircraft, $d$ is the distance traveled,
$V$ is the airspace volume, and $t$ is the time required to travel the distance $d$.
It should be noted that this model estimates the number of midair collision
hazards due to insufficient spatial and temporal separation given predetermined
flight paths or simply the number of potential collisions. An additional term is then
required to take into account the fact that one or both of the aircraft in a collision
course may attempt maneuvers to avoid each other. As a result, the expected number
of collisions should be calculated from

$$f_{MaC} = \underbrace{\frac{A_{exp}\, d}{V\, t}}_{E(\mathrm{CT})} \cdot P(\text{collision} \mid \mathrm{CT}) \qquad (91.16)$$

where CT denotes a conflicting trajectory.


The use of the model in (91.16) to assess $E(\mathrm{CT})$ presents significant difficulties
since it requires the exact trajectories (both in space and time) of all air traffic in the
area where UAS operations will take place. This requirement is almost impossible to
meet because air traffic is dynamic and never identical from day to day. Furthermore,
not all traffic is monitored by ATC. In addition to that, in the event of a deviation
from the predefined trajectory, the number of collision hazards following that event
may change. Thus, a worst-case $E(\mathrm{CT})$ may be assumed, instead.
Based on the analysis in Weibel and Hansman (2004), high $E(\mathrm{CT})$ is found
in proximity of major airways. The highest was found at FL370, where it is
approximately $4 \times 10^{-5}$ CT/h. Since the results were obtained by averaging data over
a 24-h period, a process that can hide higher peaks, a worst-case $E(\mathrm{CT}) = 10^{-4}$,
or even higher can be chosen to also account for future traffic growth.

91.5.4 Collision Probability

Even when two aircraft are on conflicting trajectories, a collision is not guaranteed.
One or both of the pilots may take action to avoid a hazardous situation by
maintaining the required separation between the two aircraft. As a result, the
collision probability depends on the collision avoidance capabilities of all the
aircraft involved as well as the measures taken to assure proper separation. If
a maximum allowable collision probability is known, it can be used instead of
the maximum acceptable accident frequency to determine minimum performance
requirements of UAS sense and avoid systems. In fact its use offers advantages
because it maps better to what such a system should be capable of accomplishing. To
evaluate the actual $P_{max}(\text{collision} \mid \mathrm{CT})$, every possible scenario involving a potential
conflicting trajectory can be simulated. The results are then aggregated and tested
to see whether the target safety levels are accomplished.
It should be noted that when evaluating the sense and avoid system, the worst-case
$E(\mathrm{CT})$ may be overconservative. This is because it corresponds to Class A
airspace where separation is provided by and is the responsibility of ATC. In
the analysis presented in Weibel and Hansman (2004), the worst-case conflicting
trajectory expectation falls by about an order of magnitude in Class E airspace.
If the target safety level is assumed to be a collision rate of $10^{-7}\ \mathrm{h}^{-1}$, then the
“see and avoid” capability requirement may be based on achieving
$P_{max}(\text{collision} \mid \mathrm{CT}) = 1$ %. Nevertheless, the same cannot be assumed for Class G airspace because
traffic in that region is not always monitored and accurate estimates on its density
are not possible. In addition to that, and especially in very low altitudes, the risk of
collision with birds, power lines, trees, and buildings may be higher than that of a
collision with other air traffic.
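The chain from (91.13) to (91.16) can be inverted to turn a collision-rate target into a sense and avoid requirement per airspace class. The Python below is an added example, not code from the chapter; it uses the rates quoted in Sects. 91.5.1 to 91.5.4, the function names are hypothetical, and the gas-model inputs in the demo are constructed values.

```python
# Rates quoted in the chapter, per flight hour
F_MAC_TLS = 1e-7  # proposed maximum midair collision rate for UAS
E_CT = {
    "worst case (Class A)": 1e-4,  # chosen worst-case E(CT)
    "FL370 24-h average": 4e-5,    # highest averaged value reported
    "Class E": 1e-5,               # about one order of magnitude lower
    "Class G": None,               # traffic not always monitored: no estimate
}


def gas_model_ct_rate(a_exp, distance, volume, time_h):
    """(91.15): expected conflicting trajectories per hour, A_exp d / (V t)."""
    if min(a_exp, distance, volume, time_h) <= 0:
        raise ValueError("all gas-model inputs must be positive")
    return a_exp * distance / (volume * time_h)


def f_mac(e_ct, p_collision):
    """(91.16): midair collision rate once avoidance is taken into account."""
    if not 0.0 <= p_collision <= 1.0:
        raise ValueError("p_collision must be a probability")
    return e_ct * p_collision


def f_fatal(fatalities_per_collision, e_ct, p_collision):
    """(91.13): expected fatality rate, E(fatality|collision) * f_MaC."""
    return fatalities_per_collision * f_mac(e_ct, p_collision)


def max_p_collision(e_ct, f_mac_target=F_MAC_TLS):
    """Largest P(collision|CT) that keeps f_MaC at or below the target."""
    if e_ct is None:
        raise ValueError("no E(CT) estimate available for this airspace")
    if e_ct <= 0:
        raise ValueError("E(CT) must be positive")
    # A probability cannot exceed 1: sparse traffic needs no avoidance at all.
    return min(1.0, f_mac_target / e_ct)


def sense_and_avoid_budget(f_mac_target=F_MAC_TLS):
    """P_max(collision|CT) per airspace; None where E(CT) is unknown."""
    return {
        name: None if e_ct is None else max_p_collision(e_ct, f_mac_target)
        for name, e_ct in E_CT.items()
    }


def meets_target(p_collision_achieved, airspace, f_mac_target=F_MAC_TLS):
    """True when the achieved avoidance performance stays within the target."""
    e_ct = E_CT[airspace]
    if e_ct is None:
        raise ValueError(f"cannot assess {airspace}: traffic density unknown")
    return f_mac(e_ct, p_collision_achieved) <= f_mac_target * (1 + 1e-12)


if __name__ == "__main__":
    for name, p_max in sense_and_avoid_budget().items():
        shown = "not assessable" if p_max is None else f"{p_max:.2%}"
        print(f"{name:<22} P_max(collision|CT) = {shown}")
    # Constructed gas-model inputs: 50 m^2 exposed area, 250 km flown in 1 h,
    # inside an airspace volume of 1.25e11 m^3.
    print("constructed E(CT):", gas_model_ct_rate(50.0, 250e3, 1.25e11, 1.0))
    # Fatality rate in Class E at P = 1 % with 0.58 fatalities per collision
    print("f_F:", f_fatal(0.58, E_CT["Class E"], 0.01))
```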

91.6 Model Choice

Tables 91.11 and 91.12 summarize the parameters involved in modeling risk from
UAS ground impact and midair collision accidents, respectively, as well as the
alternatives presented for estimating their values. It is evident that there are several
choices available to an engineer tasked with assessing the risk of UAS operations.
The subject of this section is what criteria should drive the selection of one
alternative over another.
There is a multitude of modeling options available to estimate risk, each with
different levels of detail and accuracy. According to Range Safety Group, Range
Commanders Council (2007b), any model used for risk/reliability assessment
should be based on four basic standards: transparency, clarity, consistency, and
reasonableness.
A number of different models may be used in a risk evaluation involving
UAS operations depending on the objective and requirements of the risk study in
question. A common use of risk models in the UAS domain is for building a safety
case that is then used for obtaining a permit to operate in the national airspace
system. As a result, the models used must be clearly presented so that they can be
reviewed by the regulators, and the assumptions and limitations contained therein
must be succinctly expressed. This would lead to compliance with the clarity and
transparency standards.
Typically, the regulatory framework does not specify the use of a particular
modeling choice over another. Nevertheless, every choice must be defensible. This
is achieved by compliance with the consistency and reasonableness standards. The
former refers to the use of models that are in use and accepted by the scientific
community. The latter means that model selection should be based on rational
criteria, risk is not underestimated, and a potential review would not raise concerns.
As a result, the easier and in fact a common approach is to make conservative
estimates.

Table 91.11 A summary of the methods presented to estimate the terms involved in ground
impact risk modeling when their values are not known a priori, Eq. (91.1). Some terms can be
estimated with multiple methods

| Term | Estimate |
|---|---|
| $f_F$ | Based on ELOS requirements with typical values in the range of $10^{-6}$–$10^{-9}\ \mathrm{h}^{-1}$ |
| $N_{exp}$ | The product of the population density and the area affected by the impact ($A_{exp}$) |
| Population density | (i) Assuming uniform population density |
| | (ii) Using a standard population density (e.g., 200 ppl/km²) |
| | (iii) Assuming a worst-case scenario of impact at the most densely populated area |
| $A_{exp}$ | (i) The area presented by the aircraft perpendicular to its path and augmented by the width of an average person |
| | (ii) The aforementioned area, including the area the aircraft traverses on the ground until it stops |
| $P(\text{fatality})$ | (i) Probability of one as a conservative estimate |
| | (ii) Zero or one, based on whether the kinetic energy at impact ($E_{imp}$) exceeds a pre-specified threshold (e.g., 34 J) |
| | (iii) From a vulnerability model based on kinetic energy at impact ($E_{imp}$), e.g., Feinstein et al. (1968) |
| | (iv) From a vulnerability model that also includes the effects of sheltering, e.g., Weibel (2005) or Dalamagkidis et al. (2012) |
| $E_{imp}$ | (i) Kinetic energy at terminal velocity |
| | (ii) Kinetic energy at $V_{NE}$ (velocity not to exceed) |
| | (iii) Kinetic energy at 140 % operational velocity |
| | (iv) The difference between kinetic energy at impact and kinetic energy remaining post-impact (combined human/object) |
| | (v) The kinetic energy calculated with one of the aforementioned means, reduced by the energy required to penetrate sheltering |
| Sheltering | (i) Using a conservative value that assumes little or no sheltering |
| | (ii) Based on average sheltering provided by structures, vehicles, and other objects |
| | (iii) Based on the building with the worst sheltering |
| | (iv) Using a database containing structure characteristics and population distribution |
| $f_{GIA}$ | (i) From previous accident statistics, if sufficient flight hours have accumulated |
| | (ii) Assuming an exponential accident distribution for new vehicles without accidents so far |
| | (iv) Using a conservative estimate of one crash per flight or per flight hour |
| | (v) Based on the results of a formal UAS reliability assessment |
Conservative estimates are also attractive because of their simplicity and of
the associated ease of achieving clarity and transparency. In general, even when
high fidelity modeling is possible, a balance must be struck between precision
and limitations relevant to cost, resources, and time (Range Safety Group, Range
Commanders Council 2007b).

Table 91.12 A summary of the methods presented to estimate the terms involved in midair collision
risk modeling when their values are not known a priori, Eqs. (91.13) and (91.14)

| Term | Estimate |
|---|---|
| $f_F$ | (i) Based on ELOS requirements with typical values in the range of $10^{-6}$–$10^{-8}\ \mathrm{h}^{-1}$ |
| | (ii) As above but considering only fatalities on the ground for calculating ELOS (valid when the accident involves only UAS) |
| $E(\text{fatality})$ | (i) Estimated from historical data, e.g., based on NTSB data from Table 91.9, it takes values in the range 0.02–1 |
| | (ii) Estimated from the product of $N_{exp}$ and $P(\text{fatality})$ |
| $N_{exp}$ | The number of people onboard the aircraft involved in the collision as well as in the area exposed to debris |
| $P(\text{fatality})$ | (i) Use of the number one as a conservative estimate |
| | (ii) Estimate from historical data, if available |
| $f_{MaC}$ | (i) From historical data with typical values in the range of $10^{-5}$–$10^{-7}\ \mathrm{h}^{-1}$ |
| | (ii) As the product of $P(\text{collision})$ with $f_{CT}$ |
| $P(\text{collision})$ | (i) A conservative estimate of probability one |
| | (ii) Estimated based on the capabilities of the S & A system |
| $f_{CT}$ | (i) Based on the gas model of aircraft collisions using actual traffic data |
| | (ii) Using worst-case air traffic density either at the flight level of operations or the entire airspace |
On the other hand, conservative estimates may lead to irrationally high reliability
requirements and/or very strict operational restrictions. This occurs as a conse-
quence of a problem known as compounding conservatism, where use of successive
conservative estimates can lead to overconservative results (Range Safety Group,
Range Commanders Council 2007b). To illustrate this issue, consider the modeling
of a ground impact accident scenario using (91.1). In addition, assume that the
actual population and area affected by the crash are overestimated by 50 and 20 %,
respectively, and the probability of fatality is considered to be 1 when in fact it
is only 20 %. In this case, the fatality expectation will be nine times higher than
what it really is. Moreover, if conservative estimates are used for evaluating the
possible hazards that may lead to a crash, the reliability requirements for the various
aircraft parts can be higher by two or more orders of magnitude. Although such an
aircraft would be capable of performing well within the target safety levels, the
higher production and maintenance costs could mean that it may never get built.
The problem of compounding conservatism may be addressed by avoiding
conservative estimates and, instead, opting for the best available estimate (Range
Safety Group, Range Commanders Council 2007b). Such an approach has also
been advocated by the U.S. Nuclear Regulatory Commission (Range Safety Group,
Range Commanders Council 2007b). Of course, when best or mean estimates are
used, the uncertainties and possible inaccuracies affecting the final result should
be clearly documented (Range Safety Group, Range Commanders Council 2007b).
This would also allow adjustments at a later stage to account for newer data as
they become available. Moreover, if the uncertainties can be quantified through
simulation, sensitivity analysis, or other methods, then confidence intervals can be
determined. The latter can then be used to adjust results so that proposed reliability
targets can be achieved with arbitrary confidence.
As an example, it will be assumed that a probability of fatality of 0.4 was
estimated for a particular accident scenario. Further analysis of the model showed
that for a confidence level of 95 %, the actual value is expected to be between 0.3
and 0.5. In this case, the 0.5 value may be used instead of 0.4 to determine UAS
reliability requirements. If higher confidence is required, the range will be larger
and the value used more conservative.
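The compounding conservatism paragraph and the confidence-interval approach above can be compared numerically. The Python below is an added example, not code from the chapter; it assumes the fatality expectation per ground impact is the product of population density, affected area and probability of fatality, the input ranges are constructed, and the function names are hypothetical.

```python
import random
import statistics


def compounding_factor(pop_over=0.5, area_over=0.2, p_used=1.0, p_actual=0.2):
    """Overestimation factor when conservative inputs are multiplied together.

    Defaults are the chapter's illustration: population +50 %, area +20 %,
    and a probability of fatality of 1 used where the real value is 20 %.
    """
    return (1.0 + pop_over) * (1.0 + area_over) * (p_used / p_actual)


def required_hours_between_accidents(fatalities_per_accident, tls=1e-7):
    """Minimum mean time between ground impacts for a fatality-rate target."""
    return fatalities_per_accident / tls


def percentile(values, q):
    """Empirical q-quantile (0 < q < 1) of a list of numbers."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def monte_carlo(n=50_000, seed=1):
    """Propagate input uncertainty through the product by simulation.

    Constructed, independent input ranges:
      density  uniform 150-250 ppl/km^2 (stored per m^2)
      area     uniform 4-8 m^2
      P(fat.)  triangular on 0.3-0.5 with mode 0.4 (the chapter's example)
    """
    rng = random.Random(seed)
    dens, area, pfat, prod = [], [], [], []
    for _ in range(n):
        d = rng.uniform(150e-6, 250e-6)
        a = rng.uniform(4.0, 8.0)
        p = rng.triangular(0.3, 0.5, 0.4)
        dens.append(d)
        area.append(a)
        pfat.append(p)
        prod.append(d * a * p)
    return {
        # best estimate: mean fatality expectation per accident
        "mean": statistics.fmean(prod),
        # 95th percentile of the product itself
        "joint_p95": percentile(prod, 0.95),
        # product of each input's own 95th percentile (stacked conservatism)
        "stacked_p95": (percentile(dens, 0.95) * percentile(area, 0.95)
                        * percentile(pfat, 0.95)),
    }


if __name__ == "__main__":
    print("chapter illustration, factor:", round(compounding_factor(), 3))
    result = monte_carlo()
    for key, value in result.items():
        hours = required_hours_between_accidents(value)
        print(f"{key:<12} {value:.3e} fatalities/accident -> {hours:,.0f} h")
    print("stacked / joint:", round(result["stacked_p95"] / result["joint_p95"], 2))
```

Taking the 95th percentile of the result keeps the stated confidence, while taking the 95th percentile of every input separately demands a noticeably longer time between accidents for the same nominal confidence.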
In certain cases – especially when required data are missing – a safety case
can be made by comparing the UAS under investigation with a different system
already authorized to fly (Range Safety Group, Range Commanders Council 1999b).
Qualitative arguments may also be made without a complete analysis of the risk
involved (Range Safety Group, Range Commanders Council 1999b). For example,
the UAS may be too light to cause an injury or the area of operations may be so
sparsely populated that the risk to the general public is too low under any conditions.
The modeling techniques described in the previous sections produce an average
risk estimate from the operation of a UAS, especially when best estimates are used
instead of conservative ones. It should be mentioned that in certain cases when
using a casualty or fatality metric, particularly catastrophic accidents involving
multiple fatalities can occur without violating the target safety levels on average
(Range Safety Group, Range Commanders Council 2007b). Such accidents are of
course best avoided, and as a result, it is useful to incorporate catastrophe
aversion in the models used (Range Safety Group, Range Commanders Council
2007b). The latter is accomplished by assigning lower acceptable probabilities of
occurrence to activities that can be particularly dangerous. This in turn may be
done either by creating a risk profile, if sufficient data are available, or more easily by using
functions of the $N_{exp}^k$ type for expressing the affected population (Range Safety
Group, Range Commanders Council 2007b). Of course the latter methodology
should be employed with care and for high risk activities only, so as not to
unnecessarily inflate the risk in other less dangerous activities. A risk profile gives
the function between the number of expected casualties and the expected frequency
for each casualty size due to various future incidents (Range Safety Group, Range
Commanders Council 2007b). Although this profile is useful for obtaining a better
view of the associated risks, it is usually costly and time consuming to obtain.

91.7 Case Studies

Using the methodologies described in Sect. 91.4, it is possible to derive the
reliability requirements with respect to ground impact for various types of UAS
and under different scenarios.

Table 91.13 Characteristics of five UAS of various sizes, used for the case analysis (Source: FSF
editorial staff (2005) and U.S. Department of Defense. Office of the Secretary of Defense (2005))

| UAS | Weight (kg) | Dimensions (m) | Oper. speed (m/s) | Oper. altitude (ft) |
|---|---|---|---|---|
| RQ-4 Global Hawk | 11,612 | 35.4 (wingspan) | 177 | 65,000 |
| MQ1 Predator | 1,021 | 14.8 (wingspan) | 70 | 20,000 |
| RQ-2 Pioneer | 205 | 5.2 (wingspan) | 41 | 15,000 |
| RQ-11 Raven | 1.9 | 1.3 (wingspan) | 15 | 1,000 |
| Rmax IIG | 94 | 3.12 (rotor diameter) | 5.6 | 500 |

Table 91.14 The parameters used for each test case and a description of a possible corresponding
scenario

| Scenario | Pop. density (ppl/km²) | $p_s$ | Description |
|---|---|---|---|
| 1 – Optimistic | 50 | 7 | Low population density area. It is also assumed that people are afforded significant sheltering either by natural obstacles (e.g., trees) or they can be trained to avoid or take cover when required. This scenario may correspond to surveillance of a remote military installation or to a forest monitoring application |
| 2 – Pessimistic | 5,000 | 1 | This scenario features very high population density. Additionally the sheltering factor used corresponds to no protection from sheltering at all. This case corresponds to the scenario of a search and rescue operation in a metropolitan area, where several people are in open areas preoccupied with other tasks |

To illustrate the differences between vulnerability models, an optimistic and a
pessimistic scenario were investigated using five UAS. The systems were chosen to
span all sizes, and their basic characteristics are shown in Table 91.13. A description
of the scenarios and the parameters used are provided in Table 91.14. Although
the results are subject to the uncertainties inherent in the parameters and the
models themselves, they should be accurate in terms of order of magnitude and
for comparisons between different vulnerability models as well as between UAS
types and sizes.
For each case, the probability of fatality was first estimated. To illustrate the
different results that may be reached due to the choice of a model, three different
modeling options were employed:
1. The probability of fatality was based on the vulnerability model of (91.9) using
a kinetic energy estimate based on (91.11).
2. Using the same model as above, but with a more conservative kinetic energy
estimate based on terminal velocity.
3. The probability of fatality is 0 or 1, based on the kinetic energy threshold of
34 J, initially presented in Sect. 91.4.3. The kinetic energy is calculated using the
terminal velocity.

Table 91.15 Fatality probability with respect to ground impact accidents for five UAS under the
pessimistic scenario. Four different means of obtaining the fatality probability are used

$P(\text{fatality} \mid \text{exposure})$

| UAS model | Eq. (91.9)$^a$ (%) | Eq. (91.9)$^b$ (%) | 34 kJ limit$^b$ (%) |
|---|---|---|---|
| RQ-4 Global Hawk | 100.0 | 100.0 | 100.0 |
| MQ1 Predator | 100.0 | 100.0 | 100.0 |
| RQ-2 Pioneer | 100.0 | 100.0 | 100.0 |
| RQ-11 Raven | 97.4 | 100.0 | 100.0 |
| Rmax type IIG | 100.0 | 100.0 | 100.0 |

$^a$ Using vehicle kinetic energy estimated from (91.11)
$^b$ Worst-case vehicle kinetic energy estimate

Table 91.16 Reliability requirement for five UAS with respect to ground impact accident under
the pessimistic scenario. Five different fatality probability estimates are used

Required time between ground impact accidents in hours

| UAS model | Eq. (91.9)$^a$ | Eq. (91.9)$^b$ | 34 kJ limit$^b$ | $P = 1$ |
|---|---|---|---|---|
| RQ-4 Global Hawk | 28,002,000 | 28,002,000 | 28,002,000 | 28,002,000 |
| MQ1 Predator | 7,879,500 | 7,879,500 | 7,879,500 | 7,879,500 |
| RQ-2 Pioneer | 1,738,500 | 1,738,500 | 1,738,500 | 1,738,500 |
| RQ-11 Raven | 280,485 | 287,987 | 288,000 | 288,000 |
| Rmax type IIG | 566,023 | 566,069 | 566,069 | 566,069 |

$^a$ Using vehicle kinetic energy estimated from (91.11)
$^b$ Worst-case vehicle kinetic energy estimate

For the first three options and under both scenarios, parameter α was chosen to be
100 kJ and β equal to 34 J.
In addition to the probability of fatality, the required system reliability was also
calculated for each of the aforementioned fatality probability models as well as for
the conservative estimate of probability of 1. The UAS reliability requirement has
been given in minimum hours between ground impact accidents, and its calculation
is based on a target level of safety of $10^{-7}$ fatalities per hour of flight. The system
reliability requirement was derived since it allows a comparison with the current
performance of manned and unmanned aviation. The results for each UAS and each
case are summarized in Tables 91.15–91.18.
In the pessimistic scenario, the probability of fatality associated with each UAS
is, almost in every case, 100 %. As a result, there are no differences between
the reliability requirements calculated from the different models. Considering that
current manned aviation accident rates are in the order of $10^{-7}\,\mathrm{h}^{-1}$ for air carriers
and $10^{-5}\,\mathrm{h}^{-1}$ for general aviation (Table 91.4), it is obvious that for operations in
high population density areas, certain UAS will need to exceed this performance.
In the optimistic scenario, the most striking differences between vulnerability
models can be seen. This is due to the effect of the sheltering factor, which is not
taken into account when using a threshold kinetic energy. Smaller systems feature
fatality probabilities of 10–25 % that are further reduced to 4–10 % when using a
less conservative estimate for the kinetic energy at impact. This is also evidenced
in the system reliability requirement, which is at least an order of magnitude
smaller compared to that obtained using the threshold function. The benefits are
evidenced in larger systems as well, where the reliability requirement is lower by a
factor up to 3.

Table 91.17 Fatality probability with respect to ground impact accidents for five UAS under the
optimistic scenario. Four different means of obtaining the fatality probability are used

P(fatality | exposure)
UAS model           Eq. (91.9)^a (%)   Eq. (91.9)^b (%)   34 kJ limit^b (%)
RQ-4 Global Hawk    94.5               95.1               100.0
MQ1 Predator        75.4               81.1               100.0
RQ-2 Pioneer        49.0               72.5               100.0
RQ-11 Raven          3.6               10.7               100.0
Rmax type IIG        9.8               26.5               100.0
^a Using vehicle kinetic energy estimated from (91.11)
^b Worst-case vehicle kinetic energy estimate

Table 91.18 Reliability requirement for five UAS with respect to ground impact accident under
the optimistic scenario. Five different fatality probability estimates are used

Required time between ground impact accidents in hours
UAS model           Eq. (91.9)^a   Eq. (91.9)^b   34 kJ limit^b   P = 1
RQ-4 Global Hawk    264,481        266,239        280,020         280,020
MQ1 Predator         59,394         63,909         78,795          78,795
RQ-2 Pioneer          8,514         12,598         17,385          17,385
RQ-11 Raven             102            309          2,880           2,880
Rmax type IIG           554          1,501          5,661           5,661
^a Using vehicle kinetic energy estimated from (91.11)
^b Worst-case vehicle kinetic energy estimate
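The link between the optimistic-scenario fatality probabilities (Table 91.17) and reliability requirements (Table 91.18) can be checked numerically. The following is an added example, not code from the chapter: it assumes the relation TLS = accident rate × expected people exposed per accident × P(fatality | exposure), backs the exposure term out of the P = 1 column, and recomputes the other columns; all function and variable names are illustrative.

```python
"""Added example: cross-check Tables 91.17 and 91.18 (optimistic scenario).

Assumption (not stated in this excerpt): the target level of safety relates to
the ground impact accident rate as
    TLS = (1 / T) * N_exp * P(fatality | exposure)
with T the time between accidents and N_exp the expected number of people
exposed per accident.
"""

TLS = 1e-7  # fatalities per flight hour, as given in the text

MODELS = ("Eq. (91.9) a", "Eq. (91.9) b", "threshold b")

# Values copied from the two tables: fatality probability in % per model,
# required hours per model, and required hours for P = 1.
OPTIMISTIC = {
    "RQ-4 Global Hawk": ((94.5, 95.1, 100.0), (264_481, 266_239, 280_020), 280_020),
    "MQ1 Predator": ((75.4, 81.1, 100.0), (59_394, 63_909, 78_795), 78_795),
    "RQ-2 Pioneer": ((49.0, 72.5, 100.0), (8_514, 12_598, 17_385), 17_385),
    "RQ-11 Raven": ((3.6, 10.7, 100.0), (102, 309, 2_880), 2_880),
    "Rmax type IIG": ((9.8, 26.5, 100.0), (554, 1_501, 5_661), 5_661),
}


def required_hours(n_exposed, p_fatality, tls=TLS):
    """Minimum hours between ground impact accidents that still meets the TLS."""
    if not 0.0 <= p_fatality <= 1.0:
        raise ValueError("p_fatality must be a probability in [0, 1]")
    if n_exposed < 0 or tls <= 0:
        raise ValueError("n_exposed must be >= 0 and tls must be > 0")
    return n_exposed * p_fatality / tls


def implied_exposure(hours_at_p1, tls=TLS):
    """Expected people exposed per accident, backed out of the P = 1 column."""
    return hours_at_p1 * tls


def cross_check(table=OPTIMISTIC, tls=TLS):
    """Recompute every requirement; return {uas: [(model, calc, published, ok)]}."""
    results = {}
    for uas, (p_pct, hours, hours_p1) in table.items():
        n_exp = implied_exposure(hours_p1, tls)
        # Published P is rounded to 0.1 % and hours to 1 h; allow for both.
        tol = required_hours(n_exp, 0.0005, tls) + 1.0
        rows = []
        for model, p, t_pub in zip(MODELS, p_pct, hours):
            t_calc = required_hours(n_exp, p / 100.0, tls)
            rows.append((model, t_calc, t_pub, abs(t_calc - t_pub) <= tol))
        results[uas] = rows
    return results


def relief_factor(uas, table=OPTIMISTIC):
    """Ratio of the threshold-model requirement to the Eq. (91.9)a requirement."""
    _, hours, _ = table[uas]
    return hours[2] / hours[0]


if __name__ == "__main__":
    for uas, rows in cross_check().items():
        n_exp = implied_exposure(OPTIMISTIC[uas][2])
        print(f"{uas}: N_exp = {n_exp:.3g}, relief x{relief_factor(uas):.1f}")
        for model, t_calc, t_pub, ok in rows:
            status = "ok" if ok else "MISMATCH"
            print(f"  {model:13s} calc {t_calc:>10,.0f} h  table {t_pub:>10,} h  {status}")
```

Every published requirement is reproduced to within the rounding of the tabulated probabilities, and the ratios match the text: more than 10 for the RQ-11 Raven and Rmax, below 3 for the three larger systems.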

91.8 Conclusion

This chapter has investigated ways to calculate the target level of safety requirement
for UAS based on the current levels of safety of manned aviation. As mentioned
before, actual regulations will need to depend on a number of factors, and as a
result, it is possible that they will contradict the results shown. Nevertheless, the
methodologies are still useful for getting an idea of the relevant risk imposed by
UAS as well as for arguing a safety-based authorization for operations.
Moving beyond the actual risk model and target safety level chosen, it is normally
necessary to obtain design specifications and requirements on the hardware and
software components that comprise the UAS rather than restrictions on the UAS as
a whole. The way to derive these requirements is beyond the scope of the chapter,
but it normally involves a lengthy, formal process of identifying the hazards, the
resulting failure conditions and their likelihoods, and then working backwards to
derive requirements for the system, subsystems, and individual components. Even
when a UA is designed in such a way that safety requirements are met for every
conceivable application, additional risk mitigation measures may still need to be
taken depending on the actual operating scenario.

References
R. Clothier, R. Walker, Determination and evaluation of UAV safety objectives, in Proceedings of the 21st International Unmanned Air Vehicle Systems Conference, Irvine, 2006, pp. 18.1–18.16
R. Clothier, R. Walker, N. Fulton, D. Campbell, A casualty risk analysis for unmanned aerial system (UAS) operations over inhabited areas, in Proceedings of the 12th Australian International Aerospace Congress and 2nd Australasian Unmanned Air Vehicles Conference, Melbourne, 2007
J.K. Cole, L.W. Young, T. Jordan-Culler, Hazards of falling debris to people, aircraft, and watercraft. Sandia report, SAND97-0805, Sandia National Laboratories, 1997
K. Dalamagkidis, On integrating unmanned aircraft systems into the national airspace system, in Tutorial Presentation in 3rd International Symposium on Unmanned Aerial Vehicles (UAV’10), Dubai, UAE, 2010
K. Dalamagkidis, K. Valavanis, L. Piegl, Current status and future perspectives for unmanned aircraft system operations in the U.S. J. Intell. Robot. Syst. 52(2), 313–329 (2008)
K. Dalamagkidis, K. Valavanis, L. Piegl, On Integrating Unmanned Aircraft Systems into the National Airspace System: Issues, Challenges, Operational Restrictions, Certification, and Recommendations. Intelligent Systems, Control and Automation: Science and Engineering, vol. 36, 2nd edn. (Springer, Dordrecht/New York, 2012)
European Aviation Safety Agency (EASA), A-NPA, No. 16/2005, policy for unmanned aerial vehicle (UAV) certification (2005)
European Aviation Safety Agency (EASA), Certification specification 25 (CS25). Amendment 3 (2007)
European Aviation Safety Agency, Airworthiness certification of Unmanned Aircraft Systems (UAS). Policy statement, E.Y01301 (2009)
Federal Aviation Administration, Equipment, systems and installations in part 23 airplanes. AC 23.1309-1C (1999)
D.I. Feinstein, W.F. Haugel, M.L. Kardatzke, A. Weinstock, Personnel casualty study. Technical Report Project No. J 6067, Illinois Institute of Technology Research Institute, 1968
FSF Editorial Staff, See what’s sharing your airspace. Flight Saf. Dig. 24(5), 1–26 (2005)
J.M. Haber, A.M. Linn, Practical models of human vulnerability to impacting debris, in Proceedings of the First IAASS Conference: “Space Safety, a New Beginning”, Nice (ESA SP-599), 2005, pp. 543–548
D.R. Haddon, C.J. Whittaker, Aircraft Airworthiness Certification Standards for Civil UAVs (UK Civil Aviation Authority, London, 2002)
INnovative Operational UAS Integration (INOUI), Proposal for the integration of UAS into non-segregated airspace. Booklet (2009)
Joint Capability Group on Unmanned Aerial Vehicles, STANAG 4671 – Unmanned aerial vehicle systems airworthiness requirements (USAR). Draft, NATO Naval Armaments Group (2007)
Joint JAA/Eurocontrol Initiative on UAVs, A concept for European regulations for civil unmanned aerial vehicles (UAV). Final report, 2004
National Transportation Safety Board (NTSB), Accident database and synopses (2008a), http://www.ntsb.gov/ntsb/query.asp (online)
National Transportation Safety Board (NTSB), Aviation accident statistics (2008b), http://www.ntsb.gov/aviation/Stats.htm (online)
Range Safety Group, Range Commanders Council, Range safety criteria for unmanned air vehicles. Document 323–99 (1999a)
Range Safety Group, Range Commanders Council, Range safety criteria for unmanned air vehicles – rationale and methodology supplement. Supplement to document 323–99 (1999b)
Range Safety Group, Range Commanders Council, Common risk criteria standards for national test ranges. Document 321–07 (2007a)
Range Safety Group, Range Commanders Council, Common risk criteria standards for national test ranges: supplement. Supplement to document 321–07 (2007b)
L.M. Sturdivan, D.C. Viano, H.R. Champion, Analysis of injury criteria to assess chest and abdominal injury risks in blunt and ballistic impacts. J. Trauma 56(3), 651–663 (2004)
U.S. Department of Defense, Unmanned Systems Safety Guide for DoD Acquisition, 1st edn. (Version .96) (2007)
U.S. Department of Defense Office of the Secretary of Defense, Unmanned aircraft systems roadmap 2005–2030. Report, 2005
R.E. Weibel, Safety considerations for operation of different classes of unmanned aerial vehicles in the national airspace system. Master’s thesis, Department of Aeronautics & Astronautics, Massachusetts Institute of Technology, 2005
R.E. Weibel, R.J. Hansman, Safety considerations for operation of small unmanned aerial vehicles in civil airspace. Presented in MIT Joint University Program Quarterly Meeting, Boston, 2003
R.E. Weibel, R.J. Hansman, Safety considerations for operation of different classes of UAVs in the NAS, in Proceedings of the AIAA 4th Aviation Technology, Integration and Operations Forum and AIAA 3rd Unmanned Unlimited Technical Conference, Workshop and Exhibit, Chicago, 2004

92 Safety Risk Management of Unmanned Aircraft Systems
Reece A. Clothier and Rodney A. Walker

Contents
92.1 Introduction
92.1.1 Scope
92.1.2 Aim and Overview of Chapter
92.2 Establishing the Context
92.2.1 Safety Risk Management Process and UAS
92.2.2 The Objective
92.2.3 Considerations and Constraints on the UAS Safety Risk Management Process
92.2.4 Stakeholders
92.2.5 High-Level Safety Criteria
92.2.6 Summary
92.3 Risk Identification
92.3.1 Risk Identification Tools
92.3.2 The Identification of Hazards
92.3.3 The Contributing Failures and Conditions
92.3.4 Assessing the Potential Consequences
92.3.5 The Set of Scenarios
92.4 Risk Analysis
92.4.1 Assessing the Consequence
92.4.2 Likelihood of Occurrence
92.4.3 Assessing the Risk
92.4.4 Uncertainty
92.5 Risk Evaluation
92.5.1 The ALARP Framework
92.5.2 Evaluating the Risk
92.6 Risk Treatment
92.6.1 Prioritization of Treatment
92.6.2 Determining Available Mitigation Options
92.6.3 The Selection of Mitigation Strategies
92.6.4 Summary
92.7 Monitor and Review
92.7.1 The Importance of Accident and Incident Recording
92.7.2 Triggers for Review
92.7.3 Tracking Safety Performance
92.8 Communication and Consultation
92.9 Conclusion
References

R.A. Clothier
School of Aerospace, Mechanical and Manufacturing Engineering, RMIT University, Bundoora,
Melbourne, VIC, Australia
e-mail: reece.clothier@rmit.edu.au
R.A. Walker
Australian Research Centre for Aerospace Automation, Queensland University of Technology,
Brisbane Airport, Brisbane, QLD, Australia

K.P. Valavanis, G.J. Vachtsevanos (eds.), Handbook of Unmanned Aerial Vehicles,
DOI 10.1007/978-90-481-9707-1 39,
© Springer Science+Business Media Dordrecht 2015

Abstract
The safety risk management process describes the systematic application of
management policies, procedures, and practices to the activities of communicating,
consulting, establishing the context, and assessing, evaluating, treating,
monitoring and reviewing risk. This process is undertaken to provide assurances
that the risks associated with the operation of unmanned aircraft systems have
been managed to acceptable levels. The safety risk management process and its
outcomes form part of the documented safety case necessary to obtain approvals
for unmanned aircraft system operations. It also guides the development of an
organization’s operations manual and is a key component of an organization’s
safety management system. The aim of this chapter is to provide existing risk
practitioners with a high-level introduction to some of the unique issues and
challenges in the application of the safety risk management process to unmanned
aircraft systems. The scope is limited to safety risks associated with the operation
of unmanned aircraft in the civil airspace system and over inhabited areas.
This chapter notes the unique aspects associated with the application of the
safety risk management process to UAS compared to that of conventionally
piloted aircraft. Key challenges discussed include the specification of high-
level safety criteria; the identification, analysis and evaluation of the risks; and
the effectiveness of available technical and operational mitigation strategies.
This chapter also examines some solutions to these challenges, including those
currently in practice and those still under research and development.

Acronyms
ACAS Airborne collision avoidance systems
ADF Australian Defence Force
ADS-B Automatic dependent surveillance-broadcast
ALARP As low as reasonably practicable
ALoS Acceptable level of safety
ATSB Australian Transport Safety Bureau
CAA Civil Aviation Authority (United Kingdom)
CASA Civil Aviation Safety Authority (Australia)
COTS Commercial-Off-The-Shelf
CPA Conventionally-piloted aircraft
DoD U.S. Department of Defense
EASA European Aviation Safety Agency
ELoP Equivalent level of performance
ELoS Equivalent level of safety
FAA Federal Aviation Administration
FMEA Failure modes and effects analysis
GCS Ground control station
HAZOP Hazard and operability analysis
HLSC High-level safety criteria
HSE Health and Safety Executive (United Kingdom)
ICAO International Civil Aviation Organization
ISO International Organization for Standardization
LoS Line of sight
NAA National aviation authority
NTSB National Transportation Safety Board
RPA Remotely piloted aircraft
SARPS Standards and Recommended Practices
SMS Safety management system
SRMP Safety risk management process
SSP State Safety Plan
TCAS Traffic Alert and Collision Avoidance System
UAS Unmanned/uninhabited aircraft/airborne/aerial system/s (plural
same as singular)
UAV Unmanned/uninhabited aircraft/airborne/aerial vehicle/s (plural
same as singular)

92.1 Introduction

Unmanned aircraft systems (UAS) are one of a number of emerging sectors of
the aviation industry. The potential benefits from the use of UAS have been
demonstrated in a variety of civil and commercial applications including crop
and infrastructure management, emergency management, search and rescue, law
enforcement, environmental research, and many other applications often described
as being too dull, dirty, dangerous, or demanding for conventionally piloted aircraft
(CPA). However, as well as benefits, the operation of UAS has associated risks.
Intrinsic to the realization of any system is a finite degree of risk; consequently,
accidents involving UAS will occur no matter how stringent the conditions
prescribed or draconian the regulatory oversight provided. One could argue that the
only way to assure absolute safety is to prohibit the deployment of UAS altogether.
However, to justify this argument, one must also address the philosophical question
of what the risks of not using UAS technologies are.
The starting premise of this chapter, and one which is consistent with modern
aviation safety thinking (ICAO 2009), is that UAS operations, like CPA operations,
are not currently, and never will be, absolutely safe (i.e., have zero associated risks).
The challenge for UAS stakeholders is to establish a safety case detailing how these
inherent risks can be managed to an acceptable level.
Achieving an acceptable level of risk is a multidisciplinary problem. It requires
a balancing of complex social, psychological, technical, political, and economic
factors arising due to the following:
• Limited knowledge and resources available to identify, characterize, and treat the
safety risks associated with a technology
• Subsequent need to make trade-offs between available risk mitigation strategies
based on assessments of the associated costs and benefits
• Potentially conflicting values, beliefs, perceptions, objectives, and expectations
held by the different stakeholder groups involved in the decision-making process
(e.g., those held by the UAS industry, other airspace user groups, and the general
public)
• Conditions and environment under which the decisions are made (e.g., hidden
political or time pressures)
Achieving a balanced outcome from such a problem space is the objective of the
safety risk management process (SRMP), which can be described as
“the systematic application of management policies, procedures and practices to the
activities of communicating, consulting, establishing the context, and identifying, analyzing,
evaluating, treating, monitoring and reviewing risk.” [Definition 3.1, (ISO 2009)]

This chapter explores some of the unique aspects, issues, and challenges
associated with application of the SRMP to the safety risks associated with UAS
operations.

92.1.1 Scope

Discussion in this chapter is limited to the safety risks associated with civil UAS
operations. There are a variety of descriptions of the SRMP, and these descriptions
can differ in their scope, subprocesses, and structure. For the purposes of this
chapter, the generalized and domain-independent description of the SRMP provided
in ISO 31000:2009 is used and illustrated in Fig. 92.1 (ISO 2009). Some aviation-
specific descriptions of the SRMP can be found in references (FAA 2000; ICAO
2009; CAA 2010b).
Establishing, maintaining, and improving safety requires more than the application
of an SRMP. The SRMP is conducted as part of an organizational risk
framework developed in accordance with a fundamental set of organizational risk
principles (ISO 2009). In aviation parlance, these principles and the organizational
framework in which the SRMP is applied are part of an organization’s safety
management system (SMS) (ICAO 2009). The scope of this chapter does not include
the SMS. For general information on the components of the SMS, the reader is
referred to the references (ICAO 2009; ISO 2009).

Fig. 92.1 The safety risk management process, based on ISO (2009)

92.1.2 Aim and Overview of Chapter

The aim of this chapter is to provide existing risk practitioners with a high-
level introduction to some of the unique issues and challenges in the application
of the SRMP to unmanned aircraft systems. This chapter does not provide a
comprehensive description of the SRMP itself. The discussion is intentionally high
level in its nature to ensure applicability to a broad range of UAS and their potential
concepts of operation.
The structure of this chapter follows the SRMP illustrated in Fig. 92.1. The first
step in any SRMP is to establish the context, which is described in Sect. 92.2. This
is followed by the risk assessment process. The objective of the risk assessment
process is to comprehensively characterize the safety risks associated with UAS
operations and, based on this information, determine which of the characterized
risks can be tolerated and which of the characterized risks require mitigation
(treatment). As illustrated in Fig. 92.1, the risk assessment process comprises the
subprocesses of risk identification, risk analysis, and risk evaluation. These are
discussed in Sects. 92.3–92.5, respectively. The objective of the risk treatment
process (described in Sect. 92.6) is to identify, implement, and evaluate suitable
measures to reduce (mitigate, modify, treat, or control) the risk. The SRMP is
a living process, being a key component of an organization’s overarching SMS.
The process of monitoring and reviewing (Sect. 92.7) is pivotal to maintaining
and improving the management of the risks. Finally, there is the process of
communication and consultation (Sect. 92.8). The communication and consultation
process is key to addressing broader stakeholder concerns and those issues that
stem from a lack of knowledge of the risks and benefits associated with civil
UAS operations.

92.2 Establishing the Context

Understanding the complexity of challenges to be faced in the safety risk
management of UAS requires consideration of the social, psychological, political, and
economic factors associated with the broader integration of UAS into society. These
factors are identified as part of the context for the SRMP and are commonly
overlooked in UAS safety discussions. Establishing the context is the process
of “defining the external and internal parameters to be taken into account when
managing risk, and setting the scope and risk criteria for the risk management
policy” (ISO 2009). This subprocess of the SRMP involves consideration of the
“cultural, social, political, legal, regulatory, financial, technological, economic,
natural, and competitive environment, whether international, national, regional or
local; the key drivers and trends having impact on the objectives of the organization;
and relationships with, and perceptions and values of external stakeholders”
(ISO 2009).

92.2.1 Safety Risk Management Process and UAS

The SRMP can be used to support a range of operational, financial, or regulatory
decisions concerning UAS. Here, we will focus on those decisions made in relation
to the management of the safety risks associated with their operation. In this context,
the SRMP provides an accepted and systematic means for providing assurances that
the risks associated with UAS operations have been managed to an acceptable level.
The SRMP and its outcomes form part of the documented safety case necessary
to obtain approvals for UAS operations. It also guides the development of an
organization’s operations manual and is a primary component of an organization’s
SMS. The SRMP is also used to guide the safety policy, rulemaking, and oversight
activities of a national aviation authority (ICAO 2009).
The Civil Aviation Safety Authority (CASA) has released draft guidance material
describing the application of SMS principles to civil UAS operators (CASA
2011). The guidance material is believed to be the first of its kind specifically
targeted to civil UAS operations. Drawing on ICAO SMS principles and internal
CASA policy, the guidance material includes recommendations on how UAS
operators should approach the safety risk management of UAS operations (ICAO
2009). Although not a regulatory requirement, CASA actively encourages UAS
operators to develop an SMS due to the potential benefits of improved safety and
reduced costs.
92.2.2 The Objective

One of the first steps is to define the objectives of the activity. The general
overarching objective is to provide assurances in the safety of a particular UAS
operation or organization’s activities. Objectives also need to be defined in relation
to the expected benefits of the operation to the different stakeholders involved.
For commercial UAS operations, these objectives can often be derived from the
corporate and strategic objectives of the organization (e.g., profitability, market
growth, reputation). As well as being a goal, objectives can also act as constraints
on decisions made throughout the SRMP. All objectives should be clearly defined
to ensure transparency in decision-making and to help identify potential conflicts
in the SRMP.

92.2.3 Considerations and Constraints on the UAS Safety Risk Management Process

Constraints bound the decisions made within the SRMP and can arise due to
a variety of financial, legal, social, psychological, technological, temporal, or
spatial limitations or requirements. For example, the national aviation authority
(NAA) functions of safety policy, rulemaking, and oversight must be defined
in consideration of ICAO Standards and Recommended Practices (SARPS); the
safety performance objectives established within a State Safety Plan (SSP); the
legal, political, economic, and cultural requirements specific to their respective
state; and the internal resources and capability of the NAA to define and execute
these functions. Constraints are typically categorized as being either internal or
external to the organization. Internal constraints are those that arise due to limits
in the capability or resources of the organization or due to the organization’s
existing policies, procedures, or objectives. External constraints include existing
regulations (e.g., existing civil aviation safety, environmental protection, or
workplace health and safety legislation) or other social, cultural, political, or economic
expectations held by other stakeholders (including the members of the general
public).

92.2.4 Stakeholders

A stakeholder can be defined as “an individual, group of people, organization or
other entity that has a direct or indirect interest (or stake) in a system” (Hull et al.
2011). An interest may arise through the stakeholder using, benefiting from, being
disadvantaged by, being responsible for, or otherwise being affected by the system
(Hull et al. 2011). Stakeholders in the UAS SRMP can include other airspace users,
the general public, air traffic service providers, the end users of UAS services or their
data products, the aviation safety regulator, landowners, and members of the UAS
industry (inclusive of equipment and airframe manufacturers, operators, training,
and maintenance organizations). Stakeholders will have their own objectives,
information needs, and expectations in terms of the safety performance of UAS.
These need to be identified and considered at all stages of the SRMP.
The acceptance of UAS operations requires more than a solid safety case.
Understanding stakeholder concerns, the motivation for them and how they influence their
decisions in relation to safety, is key to achieving the broader acceptance of UAS
operations. Clothier et al. (2008) use the situation faced by horseless carriages in
the 1800s as an analogy to the situation being faced by UAS today. As described
in Clothier et al. (2008), there are hidden factors concerning the integration of
UAS into society that can influence stakeholder decision-making in relation to
their safety. UAS are a new user within an existing airspace system. Further,
there exist potentially competing industries, whose value and safety performance
is already widely known and tolerated by society. These and other factors (e.g.,
the unemployment of pilots) can manifest as hidden objectives and constraints
on the SRMP. Effective stakeholder communication is pivotal to the identification,
characterization, and resolution of the potential conflicts that can arise in
the SRMP.

92.2.4.1 Perception
A distinction is often made between those stakeholder assessments of the safety
risks that are formed through the use of objective data, expert domain knowledge,
models, or formal assessment techniques, and those assessments that are based on
the subjective knowledge, beliefs, emotions, values, and needs of the individual. The
latter of these types of assessments is commonly referred to as perceived risk. There
is a range of factors that influence how different stakeholders appraise and respond
to the safety risks associated with UAS operations. Importantly, these appraisals
and responses can be different to those they would make for the safety risks
associated with CPA operations. These perceptions give rise to different stakeholder
expectations in terms of the safety performance of UAS.
At the time of writing, no significant body of research into the perception of
the safety risks associated with UAS operations could be found. Clothier and
Walker (2006) and Clothier et al. (2008) provide limited discussion on factors likely
to influence the perception and acceptability of the risks associated with UAS
operations. Also worth noting is the survey of air travelers conducted by
MacSween-George (2003). This survey attempted to characterize the willingness of
people to travel onboard a pilotless passenger aircraft.
In the absence of a risk perception study specific to UAS, general factors
taken from existing psychometric modeling studies (Fischhoff et al. 1978; Slovic
et al. 1979; Slovic 1987, 1999) are used to hypothesize the public’s perception of
the safety risks associated with UAS operations. An analysis of the UAS safety
paradigm with respect to the factors of voluntariness of exposure, control of
exposure, awareness of benefits, and uncertainty is described below.
Voluntariness. The primary risks of concern due to CPA operations are to the
crew and passengers onboard the aircraft. The individuals exposed voluntarily
undertake these risks in return for a direct benefit. On the other hand, for UAS
operations, the primary risks are to members of the general public overflown who
are largely involuntarily exposed to the risks.
Control. The members of the general public overflown by UAS operations are
largely unable to influence the level of their exposure, whereas passengers of CPA
have greater control over the level of risk they are willing to tolerate through the
number and type of aircraft operations (e.g., gliding, sport aviation, or scheduled
passenger flights) they partake in and through choice of a particular air service
provider.
Benefit. The knowledge of the benefits of CPA operations (e.g., efficient transportation
of people and freight) is broadly understood and widely known. Further,
there is a direct and identifiable relationship between the individuals exposed and
the benefits they receive. However, the routine operation of UAS for civil and
commercial applications has yet to be realized, and as a consequence broader society
has limited, if any, knowledge of the benefits. For UAS, the connection between
benefits and the individual exposed may not always be identifiable to the individual
exposed.
Knowledge and Information. In relation to UAS, there are limited sources of
information available to stakeholders. The quality of the information that is available
to stakeholders is variable, biased, and often unverified. For example, the movie
Stealth™ portrays UAS with unrealistic capabilities. The information available
predominantly relates to military UAS operations and their roles in recent conflicts
(e.g., as weapons of war). This can create a bias in stakeholder knowledge of
UAS. There is also a significant knowledge gradient between stakeholders (i.e., a
difference in the amount and quality of knowledge held by the different stakeholder
groups). The general public and the NAAs have less personal knowledge that they
can use to contrast/verify the information available to them, whereas the industry
stakeholders have much more experience and knowledge relating to UAS operations
and their safety performance. This knowledge gradient can lead to issues of trust and
in turn higher stakeholder uncertainty in assessments of the risks. Finally, the above
factors can lead to lower stakeholder certitude (e.g., belief in their self-knowledge),
and potential issues of trust can lead to higher perceptions of the risk. These and
other factors give rise to stakeholder uncertainty. The higher the uncertainty, the
higher the perception of the risks.
Based on the above factors, it is hypothesized that stakeholder perceptions of the
risks associated with UAS operations will be higher than that for a comparable CPA
operation. Addressing the issues relating to risk perception requires the development
of communication strategies (Sect. 92.8). Psychological factors influence not only
stakeholder assessments of the risks but also their appetite for them. It has been
proposed that stakeholders will expect UAS to demonstrate a level of safety
performance better than that currently expected of CPA operations. If true, this
expectation will need to be taken into consideration when defining high level safety
criteria (HLSC) for UAS. Most qualitative specifications of HLSC for UAS express
a desire for UAS to exhibit a level of risk less than, or equal to, that currently
demonstrated by CPA. Some quantitative specifications of HLSC for UAS include
a multiplicative factor to account for the hypothesized difference in stakeholder
appetite for risk, for example (Weibel and Hansman 2004).

92.2.5 High-Level Safety Criteria

HLSC are qualitative or quantitative statements describing “the terms of reference
against which the significance of a risk is evaluated” (ISO 2009). A review of
regulations, regulatory guidance material, and industry position papers yielded a
disparate array of qualitative and quantitative statements of the HLSC for UAS.
Based on this review, the existing HLSC can be broadly categorized into one of
two general categories: acceptable level of safety (ALoS) and equivalent level
of safety (ELoS) criteria. These HLSC are not to be confused with equivalent
level of performance (ELoP) requirements, which are briefly described in
Sect. 92.2.5.3.

92.2.5.1 Acceptable Level of Safety Criteria


The first category of HLSC for UAS are those defined in relation to an ALoS.
Examples of existing qualitative statements of ALoS HLSC are provided in
Table 92.1. Although ALoS HLSC avoid many of the issues associated with making
a direct comparison to the safety performance of CPA (discussed in the next section),
they provide no guidance as to what constitutes an acceptable level of safety.

Table 92.1 Examples of qualitative specifications of the acceptable level of safety criteria for UAS

| Statement | Reference |
|---|---|
| “UAS must operate safely, efficiently, and compatibly with manned aircraft operation in the airspace so that the overall safety of the airspace is not degraded. The fundamental safety requirement for the UAS is to provide an acceptable level of risk for people and property in the air and on the ground” p. 1 | RTCA Guidance Material (RTCA 2007) |
| “. . . UAS are to provide and acceptable level of risk for people and property on the ground and in the air and to operate without adversely affecting the existing users of the NAS.” p. 11 | RTCA Guidance Material (RTCA 2007) |
| “Enable the operation of sUAS [small UAS] by mitigating, to an acceptable level of risk, the hazards posed to manned aircraft and other airborne objects operating in the National Airspace System (NAS) as well as the public on the surface.” p. iii | Recommendations from the Aviation Rulemaking Committee, FAA (SUAS 2009) |
| “Any sUAS may be operated in such a manner that the associated risk of harm to persons and property not participating in the operation is expected to be less than acceptable threshold value(s) as specified by the Administrator.” p. 53 | Recommendations from the Aviation Rulemaking Committee, FAA (SUAS 2009) |
| “Regulations are intended to ensure that the UAV systems and their operations achieve an acceptable level of safety for people and property in other aircraft and on the surface.” pp. 2–46 | MITRE Issues paper (DeGarmo 2004) |

One approach for qualifying/quantifying acceptable is to base it on the de
facto levels of risk determined for other activities (e.g., smoking or riding a bike)
or naturally occurring events (e.g., death due to being struck by lightning). For
example, the Swedish Aviation Authority use the probability of someone dying in
a road accident to guide the setting of ALoS criteria for UAS (Wiklund 2003).
Another approach is to directly adopt existing safety criteria specified in the
regulation of other industries (e.g., as used for land use planning, space launch
activities, and nuclear energy industry).

92.2.5.2 Equivalent Level of Safety Criteria


The second and most common category of HLSC for UAS qualifies acceptable
through reference to the safety performance currently exhibited by CPA. Safety
performance is expressed as the level of risk or the potential for harm (i.e., the
existence of hazards). These comparative HLSC are widely referred to as ELoS
criteria, and some qualitative examples are provided in Table 92.2.
There are a number of critical assumptions that need to be considered in the
use of ELoS HLSC. Firstly, there is the foundational assumption that risks as
tolerated or accepted in the past (i.e., those associated with CPA operations) provide
a suitable basis for judging the acceptability of future risks associated with a
different technology (i.e., those associated with UAS operations). Many of the
factors discussed in Sect. 92.2.4 would challenge this assumption.
Secondly, ELoS criteria require a mechanism for making comparisons between
the different categories of CPA and of UAS. For example, CASA states that HLSC
for UAS should be defined in relation to CPA of equivalent class or category
(CASA 2002). A range of mechanisms for making such a comparison have been
proposed and include those based on similarities in the maximum takeoff weight of
the aircraft, the maximum kinetic energy of the aircraft under different failure modes
(JAA/EUROCONTROL 2004) or in the expected number of casualties (Grimsley
2004). For some UAS, it is not possible to establish an equivalent type within the
CPA fleet on the basis of a similarity in the attributes of the aircraft alone. This issue
is clearly illustrated in the comparative histogram plots of the UAS and CPA fleets
presented by Clothier et al. (2011). Even if equivalence in terms of a similarity in
aircraft attributes can be made, such attributes may not account for the differences
between the safety risk profiles associated with the two different aviation concepts.
These differences are discussed in the risk assessment subprocesses of Sects. 92.3,
92.4, and 92.5.
A range of measures, reference data, and approaches have been used to quantify
ELoS criteria and some examples are provided in Table 92.3. There are a number of
issues associated with the use of these measures. Firstly, most of the ELoS HLSC
were determined through an historical analysis of CPA accident and incident data.
As discussed by Clothier and Walker (2006), this quantification approach can be
sensitive to the period over which the historical analysis is conducted and the type
of CPA activity considered. Averaging over a historical period does not reflect
trends in the safety performance of CPA operations or the infrequent nature of
the events being characterized. Further, the averaged/aggregated measures do not
account for peak risks that can occur due to geospatial or temporal concentrations in
aviation activity or variations in the level of exposure of different subgroups within
the populations exposed to the risks (e.g., the level of risk to pilots and aircrew
compared to the level of risk to members of the general flying public).

Table 92.2 Examples of qualitative specifications of the equivalent level of safety criteria for UAS

| Statement | Reference |
|---|---|
| “The principal objective of the aviation regulation framework is to achieve and maintain the highest possible uniform level of safety. In the case of UAS, this means ensuring the safety of any other airspace user as well as the safety of persons and property on the ground.” p. 4 | ICAO circular (ICAO 2011) |
| “[this framework] . . . will provide, at a minimum, an equivalent level of safety for the integration of UAS into non-segregated airspace and at aerodromes.” p. 4 | ICAO circular (ICAO 2011) |
| “The introduction of RPA [remotely piloted aircraft] must not increase the risk to other aircraft or third parties and should not prevent or restrict access to airspace.” p. 17 | ICAO circular (ICAO 2011) |
| “UAV operations should be as safe as manned aircraft insofar as they should not present or create a hazard to persons or property in the air or on the ground greater than that created by manned aircraft of equivalent class or category.” p. 11 | CASA advisory circular (CASA 2002) |
| “When considering a request for approval to conduct a particular operation with a UAV, CASA must ensure that the operation of the UAV will pose no greater threat to the safety of air navigation than that posed by a similar operation involving a manned aircraft. This characteristic may be termed ‘acceptable’.” p. 18 | CASA advisory circular (CASA 2002) |
| “. . . UAS operations must be as safe as manned aircraft insofar as they must not present or create a greater hazard to persons, property, vehicles or vessels, whilst in the air or on the ground, than that attributable to the operations of manned aircraft of equivalent class or category.” Sect. 1, Chap. 1, p. 1 | CAA-UK Guidance material (CAA 2010a) |
| “A civil UAS must not increase the risk to people or property on the ground compared with manned aircraft of equivalent category.” p. 4 | EASA Policy statement (EASA 2009) |
| “UAV Operations shall not increase the risk to other airspace users or third parties.” p. 12 | JAA and EUROCONTROL, Report (JAA/EUROCONTROL 2004) |
| “If civil UAV Systems are to become a reality the industry must gain the acceptance and confidence of these people [general public and existing airspace users], and this could be achieved by demonstrating a level of safety at least as demanding as the standards applied to manned aircraft.” p. 12 | JAA and EUROCONTROL, Report (JAA/EUROCONTROL 2004) |
| “. . . it is broadly accepted by European military authorities that UAV operations outside segregated airspace should be conducted at a level of safety equivalent to that for manned aircraft. Similarly, UAV operations should not increase the risk to other airspace users and should not deny the airspace to them.” p. 6 | EUROCONTROL Specifications (EUROCONTROL 2007) |
| “. . . UAVs must demonstrate that they do not pose an undue hazard to other aircraft or persons on the ground. They must, in short, provide for an equivalent level of safety to manned aircraft.” pp. 2–1 | MITRE Issues paper (DeGarmo 2004) |
| “UASs shall operate to equivalent levels of safety as manned aircraft in regard to the risk they pose to people on the ground, other aircraft and property.” MILAVREG 7.1 p. 1, Sect. 2, Chap. 7 | Australian Defence Force airworthiness regulations and guidance material (ADF 2009) |
| “The objective of the unmanned aerial systems (UAS) airworthiness regulations is to ensure that UAS operations present no greater risk to personnel, other aircraft and property than that accepted for the operation of manned aircraft, without undue compromise to operational flexibility.” Sect. 5, Chap. 3, p. 1 | Australian Defence Force airworthiness regulations and guidance material (ADF 2009) |
| “Any UAV operation or test must show a level of risk to human life no greater than that for an operation or test of a piloted aircraft.” p. 3 | U.S. Range Commanders Council, Flight test range safety requirements (RCC 1999) |
| “The hazards associated with a specific UAV are defined in the hazard analysis (risk management criteria). The range must ensure that the risks to people identified in the hazard analysis are reduced to an acceptable level. . . . The criteria is[sic] met if the hazard is confined to unpopulated areas (2.1) or if the combined vehicle reliability and population distribution results in a risk is[sic] no greater than that for manned aircraft operations (2.2).” p. 4 | U.S. Range Commanders Council, Flight test range safety requirements (RCC 1999) |
| “The Army vision is to have “file and fly” access for appropriately equipped UAS by the end of 2012 while maintaining an equivalent level of safety (ELOS) to aircraft with a pilot onboard.” p. 105 | U.S. Army, Unmanned systems roadmap (DoD 2010b) |
| “. . . it is MoD policy that the operation of a RPAS [Remotely Piloted Air Systems] should be no more likely to cause injury or fatality to personnel or the general public than the operation of a manned aircraft.” | UK MoD 1000 Series (GEN) (MAA 2011) |

Clarifications indicated in [bracketed] and italicized text

To ensure a more comprehensive management of the risks associated with UAS
operations and to be consistent with the safety risk management of other industries
(see HSE 2001b), Clothier et al. (2011) propose that the specification of HLSC for
UAS includes measures indicative of the individual and societal risk, in addition to
the measures of group/collective risk that have been previously proposed. Further,
it is recommended that the HLSC for UAS be defined based on the peak risks
associated with CPA operations as opposed to averaged values.
Irrespective of the measures used or where the baseline level of safety is set (e.g.,
equivalent to that of CPA or not), there is the inherent difficulty of verifying that a
system or operation actually satisfies the HLSC.
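
The sensitivity of a historically averaged rate to the chosen period, and the gap between averaged and peak values discussed above, can be reproduced numerically. The Python below is an added illustration, not part of the chapter or its references: the yearly event counts and flight hours are constructed, and the exact (Garwood) Poisson interval is an assumed way of expressing how little a short record of rare events can verify.

```python
import math

# Constructed yearly record for one class of operation (NOT real accident data):
# year -> (number of events, flight hours flown)
CONSTRUCTED_HISTORY = {
    2001: (3, 20e6), 2002: (0, 20e6), 2003: (1, 25e6), 2004: (0, 25e6),
    2005: (0, 25e6), 2006: (4, 25e6), 2007: (0, 30e6), 2008: (0, 30e6),
}


def aggregate_rate(history, first_year, last_year):
    """Return (events, hours, events per flight hour) averaged over a window."""
    rows = [history[y] for y in history if first_year <= y <= last_year]
    events = sum(e for e, _ in rows)
    hours = sum(h for _, h in rows)
    return events, hours, events / hours


def peak_annual_rate(history):
    """Return (year, rate) for the single worst year in the record."""
    year = max(history, key=lambda y: history[y][0] / history[y][1])
    events, hours = history[year]
    return year, events / hours


def poisson_cdf(k, mu):
    """P(X <= k) for X ~ Poisson(mu), summed term by term."""
    term = math.exp(-mu)
    total = term
    for i in range(1, k + 1):
        term *= mu / i
        total += term
    return total


def _solve_decreasing(f, target, lo, hi, iterations=200):
    """Bisection for f(x) = target, where f decreases from above target at lo."""
    for _ in range(iterations):
        mid = 0.5 * (lo + hi)
        if f(mid) > target:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def exact_poisson_interval(k, confidence=0.95):
    """Two-sided exact (Garwood) interval for the expected count given k events."""
    alpha = 1.0 - confidence
    if k == 0:
        lower = 0.0
    else:
        # Lower bound: P(X >= k | mu) = alpha/2, i.e. P(X <= k-1 | mu) = 1 - alpha/2
        lower = _solve_decreasing(lambda m: poisson_cdf(k - 1, m),
                                  1.0 - alpha / 2, 0.0, float(k))
    # Upper bound: P(X <= k | mu) = alpha/2; widen the bracket until it contains it
    hi = k + 1.0
    while poisson_cdf(k, hi) > alpha / 2:
        hi *= 2.0
    upper = _solve_decreasing(lambda m: poisson_cdf(k, m), alpha / 2, 0.0, hi)
    return lower, upper


def rate_interval(events, hours, confidence=0.95):
    """Exact interval on the per-flight-hour rate for `events` seen in `hours`."""
    lower, upper = exact_poisson_interval(events, confidence)
    return lower / hours, upper / hours


if __name__ == "__main__":
    for first, last in [(2001, 2008), (2002, 2005), (2005, 2008), (2007, 2008)]:
        events, hours, rate = aggregate_rate(CONSTRUCTED_HISTORY, first, last)
        lo, hi = rate_interval(events, hours)
        print(f"{first}-{last}: {events} events, mean {rate:.2e}/fh, "
              f"95% interval [{lo:.2e}, {hi:.2e}]")
    year, peak = peak_annual_rate(CONSTRUCTED_HISTORY)
    print(f"peak year {year}: {peak:.2e}/fh")
```

With this constructed record the most recent two-year window shows zero events, yet its upper confidence bound still exceeds the full-period average, and the peak year is four times that average.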

92.2.5.3 Equivalent Level of Performance Requirements


The ELoS criteria described in the previous section should not be confused with the
requirement for an ELoS as described in (FAA 2009, 2011b; Wolfe 2009) which
are referred to here as ELoP requirements. Whereas ELoS criteria are expressed in
terms of levels of safety or of risk, ELoP criteria are typically expressed in terms of
equivalence to the following:
• Existing regulations, standards, or procedures for CPA (e.g., design or operating
requirements)
• Functions or functional performance (e.g., UAS must demonstrate a sense and
act function equivalent to the see and avoid function provided by a human pilot).
ELoP requirements are not HLSC but lower-level requirements mandated to
control (or mitigate) the risks associated with UAS operations (discussed further
in Section 92.2.5.3). Satisfying an ELoP does not necessarily give rise to an
ELoS. The use of ELoP as de facto safety criteria requires assumptions to be
made in relation to the nature of the relationship between system performance (e.g.,
reliability) and the level of risks to different entities of value (e.g., the potential
damage to people and property).

Table 92.3 Examples of quantitative specifications of the equivalent level of safety criteria for UAS

| Value | Measure | Method and data used | Reference |
|---|---|---|---|
| Ground Fatality Criteria | | | |
| 1.0 × 10⁻⁶ | Number of ground fatalities per flight hour | Based on civil aviation and U.S. Navy aviation accident data compiled over the period 1982–1998. Used by Grimsley (2004) to determine permissible system failure rates for UAS. Also used in Appendixes 3–5, enclosure 3 of (JAA/EUROCONTROL 2004) | U.S. Range Commanders Council (RCC 1999, 2001) |
| 1.0 × 10⁻⁷ | Number of ground fatalities per flight hour | Based on references to existing historical studies | Dalamagkidis et al. (2008) |
| 8.4 × 10⁻⁸ | Number of involuntary ground fatalities per flight hour | Derived directly from an analysis of aviation accident and incident data compiled by the NTSB over the period 1984–2004 | Clothier and Walker (2006) |
| 1.0 × 10⁻⁸ | Number of involuntary ground fatalities per flight hour | Based on analysis of aviation accident and incident data compiled by the NTSB over the period 1983–2003. Includes multiplicative factor to account for differences in the public’s appetite for UAS risks | Weibel and Hansman (2004) |
| 1.0 × 10⁻⁸ | Nominal likelihood of a mishap causing serious injury, loss of life, or significant damage per flight hour | Interim/recommended level for management of all UAS hazards (including risks to people on the ground). Reference level based on existing Australian Defence Force (ADF) aviation risk management guidelines and assumptions made in relation to the average duration of UAS operations | Australian Defence Force airworthiness regulations (ADF 2009) |
| Midair Collision Criteria | | | |
| 4.10 × 10⁻⁷ | Midair collision rate per flight hour | Determined directly from an analysis of aviation accident and incident data compiled by the NTSB over the period 1984–2004 | Clothier and Walker (2006) |
| 2.32 × 10⁻⁷ | Fatal midair collision rate per flight hour | Determined directly from an analysis of aviation accident and incident data compiled by the NTSB over the period 1984–2004 | Clothier and Walker (2006) |
| 1.0 × 10⁻⁷ | Midair collision rate per flight hour | Based on aviation accident and incident data compiled by the NTSB over the period 1983–2006 | Dalamagkidis et al. (2008) |
| 1.0 × 10⁻⁸ | Nominal likelihood of a mishap causing serious injury, loss of life, or significant damage per flight hour | Interim/recommended level for management of all UAS hazards (including midair collisions). Reference level based on existing ADF aviation risk management guidelines and assumptions made in relation to the average duration of UAS operations | ADF airworthiness regulations (ADF 2009) |
| 1.0 × 10⁻⁹ | Midair collisions per flight hour | Existing target level of safety criteria provided in Federal Aviation Administration (FAA) System Safety guidelines (FAA 2000) | Weibel and Hansman (2004) |

92.2.6 Summary

Establishing the context defines the inputs, desired outputs, and the boundaries and
constraints on decisions made throughout the SRMP. It is important to note that
obtaining a public license for UAS operations must take into consideration a broad
range of issues. The integration of a new technology into society is subject to a wide
range of broader social, political, cultural, and economic considerations. For example,
one of the primary concerns identified in the survey of air travelers conducted
by MacSween-George (2003) was the potential unemployment of pilots. A search
of mainstream media sources reveals numerous articles identifying a broad range of
public concerns including privacy, noise and public disturbance, and the potential
misuse of UAS by drug traffickers or terrorists. Such concerns can be as significant
as those issues relating to their safety. Further research is needed to characterize
the safety criteria for UAS and to better understand different stakeholder concerns,
perceptions, and expectations. In the interim, guidance can potentially be found
through exploring the safety risk management of other new technologies, such as
genetically modified foods, nanotechnologies, stem cell research, nuclear power,
and the use of automation in the rail and shipping industries.

92.3 Risk Identification

The objective of the risk identification process is to identify how the system can fail,
how these failures and conditions manifest as hazards, and the potential undesired
outcomes that can result from the occurrence of the hazards. The identification of a
specific combination of these three components describes a risk scenario. The set of
all risk scenarios can be defined through the identification of the set of hazards, and
for each particular hazard the associated sets describe the following:
1. The different conditions, failures, and events contributing to the occurrence of
the particular hazard
2. The potential types and levels of consequential outcomes associated with the
occurrence of the particular hazard
The set of all scenarios identified with a given activity is described as the
risk profile. By way of general introduction, the high-level UAS and CPA risk
profiles are illustrated in Figs. 92.2 and 92.3, respectively. Illustrated in Figs. 92.2
and 92.3 are the primary and secondary hazards and their potential consequential
outcomes to people and property. Not shown are the conditions, failures, and events
contributing to the occurrence of the hazards. The profiles, and the tools, data, and
techniques that can be used to identify and characterize them are described in the
following subsections.

Fig. 92.2 Illustration of the high-level risk profile associated with UAS operations

92.3.1 Risk Identification Tools

A range of techniques can be used to identify and characterize the risk scenarios
associated with UAS operations. The CAA categorizes these techniques into historical
(e.g., a review of accident and incident data), brainstorming (e.g., elicitation of
knowledge from domain experts), and systematic (e.g., formal tools and processes)
techniques (CAA 2010b).
A typical starting point for any risk identification process is a review of existing
accident and incident data. Such a review can provide general insights into the
key hazards and their likely consequential outcomes and, depending on the scope
and quality of the investigative reports available, the factors contributing to their
occurrence. Some notable examples of UAS accidents and incidents are provided in
Table 92.4.

Fig. 92.3 Illustration of the high-level risk profile associated with CPA operations

There is limited data on UAS accidents and incidents. The majority of publicly
available data relate to military UAS operations primarily because of the limited
amount of nonmilitary UAS activity to date (a product of the current regulatory
environment) and because mandatory reporting of accidents and incidents involving
nonmilitary UAS has only recently come into force (refer to Sect. 92.7.1). Seldom
does a review of accident and incident data provide a comprehensive identification
of the potential hazards and their outcomes. This is particularly the case for UAS,
where there is limited data available and the primary hazards are inherently rare
events. Further, the ability to identify the complexity of factors contributing toward
the occurrence of an accident or incident is often restricted by the method and
quality of the records available. Incidents occur more frequently than accidents.
Incidents provide valuable information as precursor or lead indicators for accidents;
however, less information is typically available in incident reports due to the limited
amount of resources available to investigate them. There is also a bias in the
data toward military UAS operations, and therefore, when using this data, it is
important to consider some of the differences between military and nonmilitary
UAS operations. For example, the potential differences:
• Between the design and operational philosophies adopted for military and
nonmilitary UAS (e.g., trade-offs made between survivability and mission risk
vs. public, and personnel risk)
• Between the environments they are operated in (e.g., natural environment, mix
and types of other airspace users, and electromagnetic environment)
• In how they are managed within the airspace system (e.g., procedures for
separation, the situational awareness available to air traffic control, the UAS
operators and other airspace users, and the type of services provided)
• In the nature of the missions performed (e.g., low-level flights, maneuver, and
mission profiles)
• In their hazards (e.g., for military UAS, there are unique hazards associated
with the carriage of ordnance, self-protection systems, and payload self-destruct
mechanisms)
These and many other differences can give rise to unique sets of risk scenarios
for military and nonmilitary UAS operations. Although a valuable input to the
risk identification process, UAS accident and incident data should not be used as
the sole means for risk identification. This data should be complemented by other
risk identification techniques to ensure a comprehensive identification of the risks.
References (SAE 1996; FAA 2000; FAA and EUROCONTROL 2007) describe a
number of tools that can be used in the identification and analysis of aviation
safety risks. A domain-independent review of over 100 different risk identification
and analysis techniques can be found in Stephens et al. (1997). Commonly used risk
identification and analysis tools are provided in Table 92.5.

Table 92.4 Notable accidents and incidents involving UAS

| No. | Date | Location | Description of accident/incident | Reference |
|---|---|---|---|---|
| 1 | May 10, 2012 | Incheon, South Korea | A Schiebel S-100 Camcopter crashed into its ground control station, killing one crew member and injuring two others. The cause for the crash is still being investigated | Mortimer (2012) |
| 2 | Aug 17, 2011 | Afghanistan | RQ-7 Shadow and a C-130J military transport aircraft both operated by the U.S. Department of Defense collided over Afghanistan. The C-130J made an emergency landing. The RQ-7 was destroyed on impact with the ground. No casualties were reported | Hodge (2011) |
| 3 | July 19, 2011 | Karachi, Pakistan | An Uqab UAS operated by the Pakistan Navy encountered bird strike and subsequently crashed in the vicinity of an oil refinery. No casualties or damage to the refinery was reported | Siddiqui (2011) |
| 4 | December 17, 2010 | El Paso, USA | An Aeronautics Orbiter Mini UAS operated by the government of Mexico crossed the U.S. border and crashed in a residential area. No injuries resulted | Washington Valdez and Borunda (2010) |
| 5 | May 10, 2007 | Dili, East Timor | A SkyLark UAS operated by the Australian Defence Force during a peacekeeping mission crashed into a house. The house was unoccupied at the time | Fitzpatrick (2007) |
| 6 | October 05, 2006 | Kinshasa, Democratic Republic of Congo | A Belgian B-Hunter UAS operated as part of the European Union Force peacekeeping mission crashed shortly after takeoff. The crash and ensuing fire killed one civilian and injured at least three others | La Franchi (2006a) |
| 7 | April 25, 2006 | Arizona, USA | A General Atomics Aeronautical Systems MQ-9 Predator UAS crashed near Nogales, Mexico, in the USA while on a U.S. Customs and Border Patrol mission. The aircraft was destroyed on impact with no casualties reported | NTSB (2007) |
| 8 | August 30, 2004 | Afghanistan | A near midair collision between a Luna UAS operated by the German Army and an Ariana Afghan Airlines Airbus A300B4 with over 100 passengers and crew onboard. The two aircraft passed within 50 m of each other. The wake turbulence from the A300B4 caused the Luna UAS to crash. No casualties were reported | La Franchi (2006b) |
| 9 | December 06, 1999 | Edwards Air Force Base, USA | RQ-4A Global Hawk autonomously responded to an erroneous command to taxi at a speed of 155 knots. The aircraft left the taxiway before ground crew could respond. The aircraft sustained substantial damage, but no injuries or damage to other aircraft occurred | AIB (2000) |
| 10 | March 29, 1999 | China Lake, USA | A RQ-4A Global Hawk received and executed a command to terminate flight. The aircraft was destroyed on impact with the ground, and no casualties were reported. The command was sent by operators conducting radio testing at a neighboring test range. The high altitude of operation of the Global Hawk was not considered as part of the frequency management plan | Drezner and Leonard (2002) |

92.3.2 The Identification of Hazards

The specification of a risk scenario starts with the identification of the hazards.
A hazard is a state or condition that has the potential to cause loss to something
of value. ISO 31000:2009 describes the analogous concept of a risk source, defined
as an “element which alone or in combination has the intrinsic potential to give rise
to risk” (ISO 2009). Prescriptive definitions of hazard can be found in ICAO (2009)
and DoD (2010a).

92.3.2.1 Primary Hazards of Concern Associated with UAS Operations


A primary hazard is one that has the potential to directly cause harm. Some
definitions of primary hazard include the additional condition of immediately
(Dalamagkidis et al. 2008); however, such definitions preclude primary hazards that have
delayed effects or require long-term exposures (e.g., radiation, psychological losses,
exposure to carcinogens, or damage to ecosystems). With respect to the operation
of UAS in the civil airspace system and over inhabited areas, the primary hazards
of concern are well known and common to those for CPA operations. As described

Table 92.5 Some common risk identification and analysis tools

| Description | References |
|---|---|
| Functional hazard analysis is a predictive risk identification technique that attempts to identify and explore the effects of functional failures at different representative levels of a system (aircraft and system levels) | SAE (1996) |
| Failure modes and effects analysis (FMEA) explores how different components and functions can fail (modes) and the potential effects in relation to other components or functions of a system. Failure mode, effects and criticality analysis (FMECA) includes assessments of the likelihood of end consequences | SAE (1996, 2001) and CAA (2010b) |
| Hazard and operability analysis (HAZOP) is a structured and qualitative group brainstorming approach for identifying hazards and their contributing failures | FAA and EUROCONTROL (2007) and CAA (2010b) |
| Common cause analysis is a technique aimed at identifying risk scenarios in which two or more events could occur as the result of one common event/failure. It combines a number of sub-techniques: zonal analysis, particular risks assessment, and common mode analysis | SAE (1996) and FAA and EUROCONTROL (2007) |
| Bow-tie analysis primarily used as a risk analysis/modeling tool; a bow-tie analysis combines models (e.g., event tree or fault trees) with consequence modeling tools (e.g., consequence tree) to explore how a particular hazard (the bow) arises and the subsequent manner and types of possible consequential outcomes | FAA and EUROCONTROL (2007) |
| Event tree analysis used as both a risk identification and an analysis tool; an event tree models sequences of causally related events from an initiating event | CAA (2010b) |
| Fault Tree Analysis is a deductive (top down) graphical risk identification and analysis tool for determining different logic paths in which the top level undesired event could occur | SAE (1996) |
| External events analysis is a risk identification tool focusing on how external/environmental factors/inputs can influence the behavior of the system. It is also useful for the identification of security threats | FAA and EUROCONTROL (2007) |

in JAA/EUROCONTROL (2004), Clothier and Walker (2006), and Dalamagkidis
et al. (2008) and as illustrated in Fig. 92.2, these hazards are the following:
(A) A collision with a CPA (situated on the ground or in the air) and the potential
harm caused to people onboard the CPA (e.g., incident 2 in Table 92.4)
(B) The controlled or uncontrolled impact with terrain or objects on the terrain
(such as people or structures), for example, incidents 5 and 6 in Table 92.4

92.3.2.2 Secondary Hazards of Concern Associated with UAS Operations

Secondary hazards of concern are those that can occur as a result of a primary
hazard. Some of the secondary hazards associated with primary hazard A above
include the potential harm caused to people:
1. On the ground due to falling aircraft or debris from a midair collision (e.g., the
falling debris described in incident 2 in Table 92.4)
2. On the ground due to falling aircraft or debris from a near midair collision (e.g.,
incident 8, Table 92.4, where wake turbulence caused the loss of the UAS)
3. Onboard the CPA due to evasive maneuvers performed in order to avoid a
collision with a UAS (while either of the aircraft is in the air or on the
ground)
Some of the secondary hazards associated with the primary hazard B above
include the potential harm caused to people on the ground due to the following:
1. Release of hazardous materials (e.g., chemical payloads, composite materials, or
ordnance) following an impact with terrain or an object on the terrain
2. Progression of fires, the collapse of buildings, motor vehicle accidents, or other
hazards arising as a result of the UAS coming to earth (e.g., in incident 3 of
Table 92.4 there was the potential for an explosion or fire had the UAS damaged
critical components of the oil refinery)
As can be observed in Figs. 92.2 and 92.3, the primary and secondary hazards
identified within the UAS risk profile also exist within the CPA risk profile.
However, not shown are differences in the failures and conditions contributing to the
occurrence of these hazards and in the types and levels of consequence associated
with their occurrence.

92.3.3 The Contributing Failures and Conditions

There are a variety of ways in which the hazards illustrated in Fig. 92.2 can
eventuate. The specification of a risk scenario includes identifying how a particular
hazard can occur. A hazard is typically the result of a series of active failures
in combination with latent conditions that involve all components of the system
(i.e., the interaction of the components of man, machine, and organization) and
the interaction of the system within its operating environment. Some key tech-
niques for identifying these failures and conditions include FMEA, HAZOP, fault
tree analysis, human factors studies (discussed below), and anticipatory failure
determination.
High-level guidance on common factors contributing to UAS mishaps can
be found in studies of existing accident and incident data. For example, some
frequent causes of mishaps reported by the U.S. Department of Defense (DoD) are
summarized in Table 92.6.

92.3.3.1 Unique Components and Functions


There are some obvious differences in the design and operation of UAS when
compared to CPA. For example, a communications link for command and control
is a critical component of the safe operation of UAS particularly in the absence
of aircraft autonomy (i.e., a remotely piloted aircraft). Other unique components
of a UAS include the ground control element, flight termination systems, and
devices used in the launch and recovery of the air vehicle. The existence of these
components can create unique hazards and contribute toward the occurrence of the

Table 92.6 Percentage of mishaps attributed to different failure mode categories, from OSD (2003)

| Failure mode category | Description | % of total mishaps (a) attributed to category (b) |
|---|---|---|
| Power/propulsion | Encompasses the engine, fuel supply, transmission, propeller, electrical system, generators, and other related subsystems onboard the aircraft | 37 |
| Flight control | Includes all systems contributing to the aircraft stability and control such as avionics, air data system, servo-actuators, control surfaces/servos, onboard software, navigation, and other related subsystems. Aerodynamic factors are also included in this grouping | 26 |
| Human/ground | Accounts for all failures resulting from human error and maintenance problems with any non-vehicle hardware or software on the ground | 17 |
| Communications | The datalink between the aircraft and the ground | 11 |
| Miscellaneous | Any mission failures not attributable to those previously noted, including airspace issues, operating problems, and other nontechnical factors | 9 |

(a) Defined as an accident resulting in significant vehicle damage or total loss of human life, or
causing more than $1,000,000 in damage
(b) Averaged over 100,000 flight hours across five different UAS types

primary hazards illustrated in Fig. 92.2. Consideration of such components (and
their failures) is not captured in existing CPA risk identification studies.

92.3.3.2 The Importance of a “Systems” Mentality


UAS are more than an aircraft. Consideration of the individual components of the
UAS in isolation of the other components of the system and its environment would
fail to provide a comprehensive identification of the risks. An emergent property
is one which is not determined solely from the properties of the system’s parts but
which is additionally determined from the system’s structure and behavior (Thomé
1993). These emergent properties and the boundaries and constraints on them are
all potential sources for active failures or latent accident-producing conditions. For
example, the UAS system has the property of line-of-sight (LoS) communication
range. LoS range is an emergent property, arising due to the interactions between
the system and its environment. Specifically, it is a function of the state of the
air vehicle (e.g., antenna attitude), the properties of the communications system
(e.g., frequency and minimum permissible signal to noise ratio for a given bit error
rate), the ground control system (e.g., geographical position), the mission (e.g., the
flight path), and the environment (e.g., weather, terrain, and ambient radio frequency
environment). Together, these properties interact to define the maximum LoS range
of the system at a given time. Exceeding this range can contribute to the occurrence
of a hazard (i.e., a loss of command and control, which for an RPA, could lead to
a mishap).

92.3.3.3 The Human Element


Despite the relocation of the pilot, the human element still has a significant
contribution to the safety of UAS operations. A clear example of this is incident
7 in Table 92.4 (refer to associated accident report). An analysis of U.S. DoD
operations recorded over the 10-year period ending in 2003 (Tvaryanas et al. 2005)
found that 68.3% of the 211 mishaps reviewed involved operations or maintenance
organizational, supervisory, or individual human factors. References (Manning
et al. 2004; Williams 2004; McCarley and Wickens 2005; Tvaryanas et al. 2005;
Hobbs 2010) provide further analysis and discussion of the contribution of the
human element to UAS accidents using a variety of modeling frameworks. Common
human factors identified in these studies include crew resource management,
decision-making, situational awareness, human-machine interface design, training,
task load, and fatigue. Psychological issues can include the apparent risk-taking
behavior of UAS operators due to the absence of a shared fate between the operator
and the UAS; issues of operator trust, awareness, and dependency on automation;
issues associated with a handover between remotely located operators; and issues
relating to the simultaneous control of multiple UAS. It is important to consider
human factors in all aspects of a UAS deployment and not just its launch, operation,
and recovery. For example, Hobbs and Stanley (2005) identify the personnel issues
of complacency and a model aircraft culture in the maintenance of UAS; such
factors can contribute toward the 8% of U.S. DoD UAS accidents that were the
direct result of maintenance errors (Tvaryanas et al. 2005). For some UAS, much
of the maintenance can be performed in the field during an active deployment
(e.g., change of payloads, replacement of wings, minor repairs). Maintenance in
the field can be subject to additional time pressures (e.g., push for readiness for next
deployment), poor working conditions (e.g., exposure to the environment), and the
need to make decisions and actions without access to all the necessary information
or tools (e.g., arising due to poor logistics and operational planning).

92.3.3.4 The Operation and the Environment


It is important to consider how failures can eventuate through the interaction of the
UAS and its operational environment. Many of the hazards arising from the natural
environment are common to CPA and are well known, for example, storms and bird
strikes (e.g., incident 3 in Table 92.4). However, for UAS, the detection of these
conditions can be difficult as the operator is not located onboard the aircraft, and
even if it is detected, many UAS do not have the same resilience to them as CPA
(e.g., the absence of anti-icing systems or bird strike protection).
A single UAS type can be used for a wide range of applications. The potential
failures and conditions need to be investigated for these different operations and
environments. For example, the low-altitude operation of UAS in the vicinity of
structures creates a number of additional challenges over UAS operations in
relatively clear areas: large structures can impede communications, create
turbulent environments, and degrade navigation performance through increased
multipath and a reduction in the number of visible GPS satellites.

92.3.3.5 Software
Most nonmilitary UAS make use of Commercial-Off-The-Shelf (COTS)
consumer-grade software that is often provided without warranty or assurance. Without such
assurances, it can be extremely difficult to assess the likelihood of encountering
latent errors or undesired behavior. Often, the dependability of software can only
be gauged through extensive experience in its use under a variety of conditions.
Configuration control is also particularly important for those systems using COTS
software. Small bug fixes and auto updates to operating systems can introduce
new latent conditions and significantly change the stability and behavior of the
software system as well as its performance under existing conditions. Software
considerations should extend to include any electronic databases (e.g., publicly
available digital elevation maps), firmware, operating systems, and applications
used during flight or prior to and after flight (e.g., flight planning, software,
and documentation control systems). In addressing software-related risks, there
are two separate, yet often confused, considerations. Firstly, there are risks
associated with the behavior of algorithms and, in the case of UAS, the validity
of autonomous behavior. The latter is particularly of concern when the level of
autonomy increases (Parasuraman et al. 2000). The second consideration relates to
the implementation of the algorithm and is addressed by standards such as DO-178B
(RTCA 1992).

92.3.3.6 Security
Security threats are a subcategory of hazards. More specifically, they are hazards
that arise, either directly or indirectly, through the intentional disturbance of the
safe or normal operational state of the UAS. Most often, these disturbances originate
from objects external to the system, which exploit the interfaces between the UAS
and its environment (e.g., interference, jamming, or the overriding of control via
communications links or physical access to the ground control station (GCS)). The
security of the UAS should take into consideration:
• The type of radio control gear, voice, and data links used for communication
between all components of the system (including ground personnel and air traffic
control)
• Whether the links are vulnerable to intentional or unintentional interference and
whether the loss of this link has a safety impact for different phases of the
operation
• The type of information conveyed on these links and its criticality to the
safety of the operation of the aircraft if corruption, disruption, or spoofing
occurs
• Whether the sender or recipient of the information on these links needs to be
verified or not (e.g., incident 10 described in Table 92.4)
• The location and physical security of the GCS and any launch, recovery,
communications relay, maintenance, and storage sites
• Whether software security, such as firewalls and antivirus programs, is installed
and used
• Policies in relation to access to the Internet and the transfer of media via
removable storage.
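
The sender-verification item in the list above, worked through as an added example (it is not from the chapter or from any UAS product): a receiver that acts on a command frame only when it carries a valid HMAC-SHA256 tag under the vehicle's key and a counter higher than the last one accepted, so a frame from a transmitter without the key, an altered frame, or a replayed frame is dropped and logged. The frame layout, the command codes and the keys are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

# Assumed frame layout (not from the chapter): vehicle id (2 bytes),
# message counter (8 bytes), command code (1 byte), then an HMAC-SHA256 tag.
HEADER = struct.Struct(">HQB")
TAG_LEN = hashlib.sha256().digest_size

# Hypothetical command codes for illustration.
COMMANDS = {0x01: "RETURN_TO_BASE", 0x02: "LOITER", 0x7F: "FLIGHT_TERMINATE"}


def build_frame(key: bytes, vehicle_id: int, counter: int, command: int) -> bytes:
    """Ground-station side: serialize the command and append its tag."""
    header = HEADER.pack(vehicle_id, counter, command)
    return header + hmac.new(key, header, hashlib.sha256).digest()


class CommandReceiver:
    """Air-vehicle side: accept a command only if it is authentic and fresh."""

    def __init__(self, key: bytes, vehicle_id: int):
        self._key = key
        self._vehicle_id = vehicle_id
        self._last_counter = 0
        self.rejections = []  # reasons, kept for the link-security log

    def _reject(self, reason: str):
        self.rejections.append(reason)
        return None

    def accept(self, frame: bytes):
        if len(frame) != HEADER.size + TAG_LEN:
            return self._reject("bad-length")
        header, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self._key, header, hashlib.sha256).digest()
        # Constant-time comparison; no field is trusted before the tag verifies.
        if not hmac.compare_digest(tag, expected):
            return self._reject("bad-tag")
        vehicle_id, counter, command = HEADER.unpack(header)
        if vehicle_id != self._vehicle_id:
            return self._reject("wrong-vehicle")
        if counter <= self._last_counter:
            return self._reject("replayed-or-stale")
        self._last_counter = counter
        if command not in COMMANDS:
            return self._reject("unknown-command")
        return COMMANDS[command]


def demo():
    """Run constructed frames through one receiver and return the verdicts."""
    own_key = hashlib.sha256(b"constructed key: own ground station").digest()
    other_key = hashlib.sha256(b"constructed key: neighboring range").digest()
    rx = CommandReceiver(own_key, vehicle_id=7)

    legit = build_frame(own_key, 7, 1, 0x02)
    foreign = build_frame(other_key, 7, 2, 0x7F)    # sender without our key
    tampered = bytearray(build_frame(own_key, 7, 2, 0x02))
    tampered[HEADER.size - 1] = 0x7F                 # command byte altered in transit
    other_vehicle = build_frame(own_key, 8, 3, 0x01)  # valid tag, different airframe

    frames = (legit, legit, foreign, bytes(tampered), other_vehicle)
    verdicts = [rx.accept(f) for f in frames]
    followup = rx.accept(build_frame(own_key, 7, 2, 0x01))
    return verdicts, rx.rejections, followup


if __name__ == "__main__":
    print(demo())
```

The rejection reasons are worth recording rather than discarding: a run of bad-tag frames on the command frequency is itself evidence of interference or of another transmitter operating on the link.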

92.3.3.7 The Criticality of Failure Modes


Firstly, flight critical failures are no longer restricted to the aircraft; one must also
identify those flight critical failures that exist in the GCS and communications
components of the UAS. Secondly, what is considered a catastrophic failure for
CPA may not necessarily be catastrophic for a UAS, and vice versa. For CPA, the
assignment of criticality to a failure is based on an assumed exposure probability
of one (i.e., there is always at least one person onboard; thus, someone is always
exposed, see Fig. 92.3). For UAS, the exposure probability is a complex function
that depends on where the UAS is operated. In some cases, the exposure probability
may approach zero (e.g., those UAS operations restricted to uninhabited areas and in
segregated airspace). In such cases, the failure criticality can potentially be assigned
to a lower severity category (e.g., major or hazardous), and this assignment should
be based on the potential impact of the failure on the ability of the UAS to remain in
its predefined operational area. On the other hand, some failures for UAS may have
a higher criticality due to the absence of the additional protection provided by a pilot
onboard. Thus, adopting existing CPA failure criticality assignments for UAS must
be treated with caution.

92.3.4 Assessing the Potential Consequences

The final component of the specification of a risk scenario is the identification of
the potential consequential outcomes. Explicitly linked to the concept of hazard are
the concepts of loss, harm, or consequence. For example, the definition of hazard
provided by ICAO (2009) includes a specification of the types of consequential
outcomes to be considered:
Any real or potential condition that can cause injury, illness, or death to personnel; damage
to or loss of a system, equipment or property; or damage to the environment. pp. 4–1 (ICAO
2009)

As can be observed in Fig. 92.3, the risks associated with CPA operations include
consideration of the potential harm to people onboard the aircraft in addition to those
onboard other CPA or on the ground. An analysis of worldwide accidents involving
conventionally piloted commercial jet aircraft over the period 2001–2010 reveals
that more than 95% of all fatal injuries were to people onboard an aircraft (Boeing
2011). Therefore, for both of the primary hazards associated with CPA operations,
the consequences of principal concern are those to the passengers and crew onboard
the aircraft and, secondarily, to the population of people external to the aircraft
(e.g., those living in the regions overflown). For UAS, there are no people onboard
the aircraft, and the primary risks are instead to those entities of value considered
external to the system. Consequently, the primary types and spectra of consequential
outcomes associated with UAS operations are different to those associated with
CPA operations.

92.3.4.1 Domains of Consequence


There are a variety of potential consequential outcomes associated with the
occurrence of a hazard. For example, MIL-STD-882D (DoD 2010a) defines loss in terms
of damage to people, equipment or property, or the environment. These types of
loss describe the different domains of consequence. Typically, the primary domain
of consequence is that of physical harm to people, with secondary domains being
the potential loss registered to equipment and property (inclusive of the air vehicle),
the environment, the organization (e.g., financial, reputational, capability, market,
or mission losses), clients, the broader industry, and the losses registered to other
less tangible values held by society (e.g., culture, trust).
Distinctions are often made between consequences of the same type. For
example, the risk management of CPA operations makes a distinction between
those operations with fare-paying passengers onboard and those without. Such
a distinction is made due to social and psychological factors that influence the
general public’s perception and acceptance of risk (e.g., the assigned value, dread,
fear, control, voluntariness of exposure). For UAS, similar distinctions will need
to be made in relation to the primary entities of value at risk on the ground. For
example, a distinction is often made between third-party casualties (e.g., a member
of the public) and a first-party casualty (e.g., personnel supporting the deployment
of the UAS). Similar distinctions are made between damage to property and the
damage to hospitals, schools, residential areas, historical or culturally significant
sites, etc.

92.3.4.2 The Spectra of Consequences


A qualitative or quantitative spectrum of consequence needs to be defined for each
domain of consequence identified. Take, for example, the consequence domain of
people. The associated scale of loss could be defined from no injury to multiple
fatal injuries. As shown in the studies by Clothier et al. (2010) and Fraser and
Donnithorne-Tait (2011), there can be categories of UAS which are unable to
cause significant and direct physical harm to other aircraft or people or property
on the ground. For these categories of UAS, the losses associated with secondary
domains of consequence (e.g., organizational, financial, or environmental) or those
losses arising due to the occurrence of secondary hazards (e.g., ensuing bushfires
or downstream losses due to damage to critical infrastructure) are likely to be more
significant in the evaluation and management of the safety of their operation.

92.3.5 The Set of Scenarios

The outcome of the risk identification process is a set of characterized scenarios.
This set is seldom complete as there will always be unknown hazards or
failures and conditions that can give rise to existing hazards. It is important that
the hazard identification process is periodically reviewed to make use of new
knowledge, information, or identification techniques (refer to Sect. 92.7). A hazard
log should be maintained to record and track any new scenarios identified during
the course of operations and should form a valuable input to any review of the
risk assessment. Finally, the endeavor to ensure the set of scenarios is as
comprehensive as possible, coupled with the use of conservative assumptions in their
characterization, can lead to the specification of unrealistic scenarios. There are
limited resources available to treat the risks associated with the identified scenarios;
therefore, it is important that all scenarios be subject to a test of plausibility.

92.4 Risk Analysis

The third step in the SRMP, Fig. 92.1, is an analysis of the risk. Risk analysis
describes the process of characterizing the nature and level of the risk for each
of the identified risk scenarios. A measure of risk is expressed through the
combination of assessments of the consequence and the likelihood of occurrence
of the given scenario.

92.4.1 Assessing the Consequence

A qualitative or quantitative table is often used to group and rank the different types
and levels of consequence associated with the identified risk scenarios (examples
shown in Table 92.7). An assessment of the consequence for a given risk scenario
is made by mapping its potential outcomes to one of the consequence levels defined
within the table. As there can be more than one consequential outcome associated
with the occurrence of a single risk scenario, a mapping is typically based on the
worst possible outcome identified.

Table 92.7 Examples of existing consequence/severity classification schemes

| ICAO SMM (ICAO 2009) | MIL-STD-882D (DoD 2010a) |
|---|---|
| Catastrophic – equipment destroyed; multiple deaths | Catastrophic – could result in one or more of the following: death, permanent total disability, irreversible significant environmental impact, or loss exceeding $10M |
| Hazardous – a large reduction in safety margins, physical distress, or a workload such that the operators cannot be relied upon to perform their tasks accurately or completely. Serious injury and major equipment damage | Critical – could result in one or more of the following: permanent partial disability, injuries or occupational illness that may result in hospitalization of at least 3 personnel, reversible significant environmental impact, or loss exceeding $1M but less than $10M |
| Major – a significant reduction in safety margins, a reduction in the ability of the operators to cope with adverse operating conditions as a result of increase in workload, or as a result of conditions impairing their efficiency. Serious incident and injury to persons | Marginal – could result in one or more of the following: injury or occupational illness resulting in 10 or more lost work days, reversible moderate environmental impact, or loss exceeding $100K but less than $1M |
| Minor – Nuisance; operating limitations; use of emergency procedures; minor incident | Negligible – could result in one or more of the following: injury or illness resulting in less than 10 lost work days, minimal environment impact, or loss less than $100K |
| Negligible – little consequences | |

92.4.2 Likelihood of Occurrence

A range of formal techniques can be used to assess the likelihood of a scenario
occurring (e.g., the risk assessment tools described in Table 92.5). Some high-level
models characterizing the primary risk scenarios illustrated in Fig. 92.2 have also
been proposed, for example (Weibel and Hansman 2004; Clothier et al. 2007; Lum
et al. 2011; Lum and Waggoner 2011).
Assessments can draw on a range of information sources including incident
and accident data, aircraft activity data, component reliability data, and expert
knowledge. Assessment can also use existing models used in other application
domains (e.g., space vehicle launch and reentry, motor vehicle accident studies,
munitions, debris modeling, generic human injury models, and CPA airspace
collision risk models). The output is a qualitative or quantitative assessment of the
likelihood of realizing a given risk scenario. Depending on the tools and modeling
approach used, this assessment can be used directly in the assessment of the risk or
mapped to a likelihood scale or classification scheme (Table 92.8).

92.4.3 Assessing the Risk

A range of qualitative and quantitative scales have been used to describe levels of
risk. For example, MIL-STD-882D (DoD 2010a) assesses risk on the qualitative
ordinal scale: low, medium, serious, and high. The component measures of conse-
quence (Sect. 92.4.1) and of likelihood (Sect. 92.4.2) then need to be mapped to one
of these levels of risk. A risk matrix is the most common method for illustrating
this mapping, an example of which is provided in Fig. 92.4. ICAO (2009) also
provides an example of a risk matrix.

Table 92.8 Examples of existing likelihood/probability classification schemes

| ICAO SMM (ICAO 2009) | MIL-STD-882D (DoD 2010a) |
|---|---|
| Frequent – likely to occur many times (has occurred frequently) | Frequent – likely to occur often in the life of an item with a probability of occurrence greater than 10^-1 in that life |
| Probable – likely to occur sometimes (has occurred infrequently) | Probable – will occur several times in the life of an item; with a probability of occurrence less than 10^-1 but greater than 10^-2 in that life |
| Remote – unlikely to occur but possible (has occurred rarely) | Occasional – likely to occur sometime in the life of an item; with a probability of occurrence less than 10^-2 but greater than 10^-3 in that life |
| Improbable – very unlikely to occur (not known to have occurred). | Remote – unlikely but possible to occur in the life of an item; with a probability of occurrence less than 10^-3 but greater than 10^-6 in that life |
| Extremely improbable – almost inconceivable that the event will occur | Improbable – so unlikely, it can be assumed occurrence may not be experienced in the life of an item; with a probability of occurrence less than 10^-6 in that life |
| | Eliminated – incapable of occurrence in the life of an item (hazard has been eliminated) |

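| | CATASTROPHIC | CRITICAL | MARGINAL | NEGLIGIBLE |
|---|---|---|---|---|
| FREQUENT | HIGH | HIGH | SERIOUS | MEDIUM |
| PROBABLE | HIGH | HIGH | SERIOUS | MEDIUM |
| OCCASIONAL | HIGH | SERIOUS | MEDIUM | LOW |
| REMOTE | SERIOUS | MEDIUM | MEDIUM | LOW |
| IMPROBABLE | MEDIUM | MEDIUM | MEDIUM | LOW |
| ELIMINATED | ELIMINATED | ELIMINATED | ELIMINATED | ELIMINATED |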

Fig. 92.4 Example of a risk matrix as per MIL-STD-882D (2010)

92.4.4 Uncertainty

A particular issue in the safety risk management of UAS is managing uncertainty
in the risk assessment process. Uncertainty can pervade all stages of the SRMP.
Uncertainty influences the level of risk perceived by stakeholders (i.e., the higher
the perceived uncertainty the higher the perceived risks) and their preferences
for risk treatment (i.e., a preference to treat those risk scenarios with a higher
degree of associated uncertainty). Uncertainty arises through a lack of knowledge
and information available in the risk assessment process, differences in the level
of knowledge held by stakeholders (leading to issues of trust), and a lack of
transparency in the SRMP. An effective communication and consultation process
(Sect. 92.8) is key to addressing the uncertainty of stakeholders. However, managing
the uncertainty in the assessment process is particularly difficult for those UAS
that employ COTS equipment with limited or no information on their reliability.
A defensible starting position is to attempt to establish the boundaries on the
assessment of the risks as opposed to an estimate of the point value of the risk.
The upper boundary on the risk can be estimated by propagating the assumption
that all systems and components will fail. An estimate on the lower boundary can be
made by adopting a less conservative assumption based on the best available data.
As the SRMP is iterative and ongoing, these initial and conservative assumptions
can be revised as more experience and data become available. An introductory
paper on the types of uncertainty and how uncertainty pervades the SRMP can be
found in Zio and Pedroni (2012).
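
The steps of Sects. 92.4.1 to 92.4.4 run end to end, as an added example that is not the authors' tooling: each scenario in a small hazard log is mapped to its worst-case severity, its likelihood is classified on the MIL-STD-882D scale of Table 92.8, and the risk matrix of Fig. 92.4 gives a lower and an upper risk level. The scenarios, their probabilities and the simple model (scenario probability = failure probability × exposure probability, with the upper bound taking the failure as certain) are constructed assumptions.

```python
from dataclasses import dataclass

SEVERITIES = ["CATASTROPHIC", "CRITICAL", "MARGINAL", "NEGLIGIBLE"]  # worst first

# MIL-STD-882D likelihood classes (Table 92.8): (name, probability it exceeds).
# Assumption: a value exactly on a threshold falls in the lower class.
LIKELIHOODS = [("FREQUENT", 1e-1), ("PROBABLE", 1e-2), ("OCCASIONAL", 1e-3),
               ("REMOTE", 1e-6), ("IMPROBABLE", 0.0)]

# Risk matrix of Fig. 92.4; columns follow SEVERITIES.
RISK_MATRIX = {
    "FREQUENT":   ["HIGH", "HIGH", "SERIOUS", "MEDIUM"],
    "PROBABLE":   ["HIGH", "HIGH", "SERIOUS", "MEDIUM"],
    "OCCASIONAL": ["HIGH", "SERIOUS", "MEDIUM", "LOW"],
    "REMOTE":     ["SERIOUS", "MEDIUM", "MEDIUM", "LOW"],
    "IMPROBABLE": ["MEDIUM", "MEDIUM", "MEDIUM", "LOW"],
}


@dataclass
class Scenario:
    name: str
    outcomes: list      # severity of every identified outcome
    p_failure: float    # best available estimate over the item's life
    p_exposure: float   # probability that something of value is exposed


def worst_severity(outcomes):
    """Sect. 92.4.1: map the scenario to its worst possible outcome."""
    return min(outcomes, key=SEVERITIES.index)


def classify_likelihood(p):
    """Sect. 92.4.2: map a probability to a MIL-STD-882D likelihood class."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"not a probability: {p}")
    if p == 0.0:
        return "ELIMINATED"
    return next(name for name, floor in LIKELIHOODS if p > floor)


def risk_level(severity, likelihood):
    """Sect. 92.4.3: look the pair up in the risk matrix."""
    if likelihood == "ELIMINATED":
        return "ELIMINATED"
    return RISK_MATRIX[likelihood][SEVERITIES.index(severity)]


def assess(s):
    """Sect. 92.4.4: bound the risk instead of reporting one point value."""
    severity = worst_severity(s.outcomes)
    lower = classify_likelihood(s.p_failure * s.p_exposure)  # best available data
    upper = classify_likelihood(1.0 * s.p_exposure)          # assume the failure occurs
    band = (risk_level(severity, lower), risk_level(severity, upper))
    return {"scenario": s.name, "severity": severity,
            "likelihood": (lower, upper), "risk": band,
            # The decision depends on reliability data only if the band is wide.
            "needs_better_data": band[0] != band[1]}


# Constructed hazard log entries (illustrative values only).
HAZARD_LOG = [
    Scenario("C2 link loss over a populated area",
             ["MARGINAL", "CATASTROPHIC"], p_failure=2e-2, p_exposure=0.25),
    Scenario("Engine failure in segregated airspace over an uninhabited area",
             ["MARGINAL", "CRITICAL"], p_failure=5e-2, p_exposure=1e-5),
    Scenario("GCS software fault during launch",
             ["NEGLIGIBLE", "MARGINAL"], p_failure=1e-4, p_exposure=0.5),
]


def assess_all(log=HAZARD_LOG):
    return [assess(s) for s in log]


if __name__ == "__main__":
    for row in assess_all():
        print(row)
```

Where the lower and upper levels agree, the evaluation does not hinge on component reliability figures; where they differ, as in the third entry, better reliability data is what narrows the band.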

92.5 Risk Evaluation

Risk evaluation is the process of comparing the results of the risk analysis with the
HLSC to determine whether the risk for a given scenario is tolerable (ISO 2009)
or whether further measures need to be undertaken to reduce the risk. There are a
range of decision-making frameworks that can be used within the risk evaluation
process; these include the as low as reasonably achievable, globalement au moins
équivalent, or minimum endogenous mortality frameworks used in the Netherlands,
France, and Germany, respectively. Discussion in this chapter is limited to the as low
as reasonably practicable (ALARP) evaluation framework, which is advocated by
ICAO (2009) and has been widely used in the management of a broad range of risks
in the UK, the USA, and Australia.

92.5.1 The ALARP Framework

The ALARP framework is intended to represent safety decisions made in everyday
life (HSE 1992, 2001b). There are some risks that people choose to ignore and
others that they are not prepared to entertain irrespective of the benefits associated
with them. In addition, there are those risks people are prepared to take by making
a trade-off between the benefits of taking the risks and the precautions required to
mitigate them (HSE 2001b). These three types of decision scenarios are the basis
for the development of the ALARP framework. Referring to Fig. 92.5, the ALARP
framework comprises
A Region of Broadly Unacceptable Risk – Except under extenuating circumstances,
risks that fall within this region are generally considered unjustified
regardless of the benefits associated with the activity. Such activities would be ruled
out unless further action can be undertaken to reduce the risk (HSE 2001b). This
region corresponds with the notion of a de manifestis level of risk, which is based
on the legal definition of obvious risk (RCC 2007). It is defined as the level of risk
above which a person of ordinary level of intelligence intuitively recognizes as being
inherently unacceptable (Fulton 2002; RCC 2007).

Fig. 92.5 The ALARP risk evaluation framework (labels as they appear in the figure, in the
direction of decreasing risk)
• Unacceptable: Except under extraordinary circumstances, control measures must be
undertaken to reduce the risk to a level deemed tolerable irrespective of the cost/benefit.
• De Manifestis Level
• Tolerable: In this region, the residual risk must be at a level As Low As Reasonably
Practicable (ALARP). A proposed control must be implemented if the sacrifices (e.g., in
money, time, trouble or cost) are not in gross disproportion to the benefits achieved by
implementing the control (e.g., the reduction in risk). What constitutes “gross
disproportion” will depend on the level of risk (i.e., for a given level of benefit: the
higher the associated level of residual risk, the greater the degree of disproportion
necessary for it to be considered ALARP).
• Scrutiny Level
• Broadly Acceptable Level
• Broadly Acceptable: Residual risk is generally regarded as insignificant and adequately
controlled. Risk controls should still be implemented in those cases where the benefits
still outweigh the costs.
• De Minimis Level
• Negligible: Risk generally considered below concern.
• Eliminated: Hazard has been eliminated (seldom possible).

A Region of Tolerability – This region describes those risks which are considered
tolerable, specifically those situations where there is “. . . a willingness to live with
a risk so as to secure certain benefits and in the confidence that it is being properly
controlled. To tolerate a risk means that we do not regard it as negligible or
something we might ignore, but rather as something we need to keep under review
and reduce still further if and as we can” (HSE 1992). As described in HSE (2001b),
risks that fall in the region are considered tolerable if and only if the:
• Risks have been properly assessed (e.g., assessments based on the best available
scientific evidence or advice), and the results are used to determine appropriate
measures to control the risks.
• Residual risks are not unduly high (e.g., above the de manifestis level) and are
kept to a level as ALARP.
• Risks are periodically reviewed.
A Region of Broadly Acceptable Risk – Risks within this region are “generally
regarded as insignificant and adequately controlled” (HSE 2001b). There
is no distinct line demarcating tolerable risks from broadly acceptable risks;
instead, it has been described as the point at which “the risk becomes truly
negligible in comparison with other risks that the individual or society runs”
(HSE 1992). Obtaining a broadly acceptable level does not mean the pursuit
for the reduction of risks to ALARP should be abandoned. As described by
the UK Health and Safety Executive (HSE), “duty holders must reduce risks
wherever it is reasonably practicable to do so or where the law so requires it”
(HSE 2001b).
The Concept of ALARP – A risk is considered ALARP if the cost of any
reduction in that risk is in gross disproportion to the benefit obtained from the
reduction. Determining that risks have been reduced to a level as ALARP involves
an assessment of the risk to be avoided, of the sacrifice or costs (e.g., in money, time,
and trouble) involved in taking measures to treat that risk, and a comparison of the
two to see if there exists a gross disproportion (HSE 2001a). General discussion
on the cost-benefit process that needs to be undertaken and some guidance on the
meaning of gross disproportion can be found in references (HSE 2001b,a; CASA
2010; Jones-Lee and Aven 2011).
De Minimis Level – Some specifications of the ALARP framework include a
specification of the de minimis level of risk. The de minimis level stems from
the legal principle de minimis non curat lex (the law does not concern itself with
trifles) (Paté-Cornell 1994; Fulton 2002; RCC 2007). It is often used as a guide for
determining when risks have been managed to a level that could be considered below
concern.
A Scrutiny Level – Some implementations of the ALARP framework feature a
scrutiny line, which is often used to put newly assessed risks in context with risks
that have been tolerated or broadly accepted in the past. Often, the scrutiny level
represents the de facto risks for a similar activity/industry.
It is important to note that the meaning of ALARP and its implementation in law
can change between states (an important consideration when it comes to the risk
management of international UAS operations). The description of ALARP provided
above is consistent with its implementation in those countries that adopt common
law (e.g., the UK, the USA, Australia, Canada, New Zealand). Ale (2005) provides
an example of some of the issues that can arise due to the application of safety
decision-making frameworks such as ALARP within different legal systems.
There are psychological, social, and practical difficulties in the specification and
sole use of quantifiable criteria within the ALARP framework. This has led to
the use of qualitative frameworks that focus on demonstrating that all reasonably
practicable measures have been undertaken to reduce a risk as opposed to making
quantifiable comparisons of the assessed risks to specifications of the de manifestis,
de minimis, or scrutiny levels. The results from comparisons of assessed risks
to HLSC ultimately translate to requirements on design; hence, a quantifiable
specification of HLSC within the ALARP framework is most desirable. When
introducing a new technology into society one cannot avoid the commonly used
litmus test of a comparison to similar and existing risks (as often made by the
media or by members of the public). In this case, the ELoS HLSC (as described in
Sect. 92.2.5) should be represented as scrutiny lines within the ALARP framework.
Further research is needed to explore the psychological, social, and practical
implications relating to the representation of the quantitative HLSC for UAS in the
ALARP framework. There can also be general issues associated with the application
of ALARP specifically to new technologies such as UAS, and these are discussed
in Melchers (2001).

92.5.2 Evaluating the Risk

The ALARP framework is represented in a risk matrix by assigning the levels of
risk, and hence cells of the matrix, to the different regions of the ALARP framework.
This assignment is often illustrated through the use of a graduated color scale (e.g.,
refer to the corresponding colors used in Figs. 92.4 and 92.5). Refer to Figs. 5–4
and 5–5, pp. 5–8/9 of ICAO (2009) for another example of a representation of the
ALARP framework within a risk matrix. Each risk scenario can then be mapped
to one of the regions within the ALARP framework. Whether or not a particular
scenario requires treatment will depend on the ALARP region it is mapped to (as
described in Sect. 92.5.1).
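
An added worked example (not from the chapter): how risk-matrix cells can be assigned to ALARP regions and how the gross-disproportion test becomes more demanding as the level of risk rises. The 5x5 rank scale, the region boundaries, the disproportion factors, and the control costs and benefits are all constructed assumptions.

```python
"""ALARP evaluation over a risk matrix (illustrative thresholds, not the chapter's)."""
from dataclasses import dataclass

# Assumed 5x5 matrix: likelihood and severity are ranks 1 (lowest) to 5 (highest)
# and the risk index is their product. Every numeric boundary here is constructed.
DE_MANIFESTIS_INDEX = 15        # index >= 15: region of broadly unacceptable risk
BROADLY_ACCEPTABLE_INDEX = 4    # index <= 4: region of broadly acceptable risk
MIN_FACTOR, MAX_FACTOR = 2.0, 10.0  # assumed range of "gross disproportion" factors


@dataclass(frozen=True)
class Control:
    name: str
    cost: float     # sacrifice (money, time, trouble) expressed in one unit
    benefit: float  # value of the risk reduction achieved, in the same unit


def risk_index(likelihood: int, severity: int) -> int:
    if not (1 <= likelihood <= 5 and 1 <= severity <= 5):
        raise ValueError("likelihood and severity ranks must be in 1..5")
    return likelihood * severity


def alarp_region(likelihood: int, severity: int) -> str:
    """Map a matrix cell to one of the three ALARP regions."""
    index = risk_index(likelihood, severity)
    if index >= DE_MANIFESTIS_INDEX:
        return "unacceptable"
    if index <= BROADLY_ACCEPTABLE_INDEX:
        return "broadly acceptable"
    return "tolerable"


def disproportion_factor(index: int) -> float:
    """Cost/benefit ratio beyond which a cost counts as grossly disproportionate.

    Interpolated linearly across the tolerable region, so that a higher residual
    risk demands a greater degree of disproportion before a control may be rejected.
    """
    low, high = BROADLY_ACCEPTABLE_INDEX + 1, DE_MANIFESTIS_INDEX - 1
    clamped = min(max(index, low), high)
    return MIN_FACTOR + (MAX_FACTOR - MIN_FACTOR) * (clamped - low) / (high - low)


def must_implement(likelihood: int, severity: int, control: Control) -> bool:
    """Decide whether a proposed control has to be implemented in this cell."""
    region = alarp_region(likelihood, severity)
    if region == "unacceptable":
        return True  # risk must be reduced irrespective of the cost/benefit
    if region == "broadly acceptable":
        return control.benefit > control.cost  # only where benefits outweigh costs
    factor = disproportion_factor(risk_index(likelihood, severity))
    return control.cost <= factor * control.benefit


def evaluate(likelihood, severity, candidates, implemented=frozenset()):
    """Return (region, names of controls still required, residual risk is ALARP).

    The ranks describe the risk with the already implemented controls in place;
    call again with the new ranks after each further control is adopted.
    """
    region = alarp_region(likelihood, severity)
    outstanding = [c.name for c in candidates
                   if c.name not in implemented
                   and must_implement(likelihood, severity, c)]
    return region, outstanding, region != "unacceptable" and not outstanding


# Constructed candidate controls for one midair-collision scenario.
ADSB_OUT = Control("ADS-B Out", cost=40.0, benefit=10.0)
REDUNDANT_FCS = Control("redundant flight critical systems", cost=500.0, benefit=20.0)

if __name__ == "__main__":
    for ranks in [(5, 4), (3, 4), (2, 3), (1, 2)]:
        print(ranks, evaluate(*ranks, [ADSB_OUT, REDUNDANT_FCS]))
```

A result of ALARP from `evaluate` is not an acceptance decision: the organization still has to decide whether it is willing to retain the residual risk.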

92.6 Risk Treatment

For those risk scenarios that are not tolerable, measures need to be undertaken to
reduce (mitigate, modify, treat, or control) the residual risk to a level considered as
ALARP.

92.6.1 Prioritization of Treatment

The scenarios requiring treatment need to be prioritized due to a practical limit on
the resources available to treat the risks. This prioritization is usually based on the
level of unmitigated risk, with those scenarios having a higher level of risk given a
higher priority for treatment. However, there are other factors that can influence the
prioritization of scenarios, for example, the prioritization of scenarios:
• Based on the nature of their associated consequences. For example, the apparent
public aversion to accidents with a higher-level consequence, psychological
factors (e.g., fear or dread), or those scenarios that have prolonged or sustained
consequences
• With a high level of uncertainty.
It is important to note that the treatment of some scenarios may be mandatory
irrespective of their risks (e.g., due to environmental protection or workplace health
and safety regulations).

92.6.2 Determining Available Mitigation Options

The first step is to determine a list of all possible treatment options. Guidance
on potential mitigation strategies can be found in regulatory materials (CASA
2002; FAA 2011b) or by reviewing the safety cases used in the approval of
existing operations. In general, risk mitigation strategies reduce the risk through
the following:
A. Removing the hazard altogether
B. Reducing the likelihood that a hazardous event occurs
C. Reducing the level of potential consequence associated with the occurrence of
a hazardous event
D. Sharing the retained risk with other organizations
E. Combinations of the above

92.6.2.1 Risk Mitigation Strategies for Midair Collision


A range of strategies can be used to mitigate the risks associated with the hazard
of a midair collision between a UAS and a CPA. Some example strategies are
summarized in Table 92.9. The strategies in Table 92.9 are classified based on how
the primary reduction in risk is achieved, specifically (1) through elimination of the
hazard, (2) through a reduction in the likelihood the hazard occurs, or (3) through
a reduction in the consequence given the occurrence of the hazard. Category 2
mitigation strategies are divided into the subcategories of the following:
A. See – strategies that provide the UAS with an awareness of its air traffic
environment
B. Be seen – strategies that provide other airspace users with an awareness of
the UAS
C. Staying away – UAS operational strategies that reduce the likelihood of encountering
other aircraft
D. Services – third-party air traffic separation services that provide situational
awareness and separation management services to the UAS and/or other air
traffic
E. Strategic – ongoing strategies that improve the effectiveness or proficiency of the
UAS crew in managing the risk of midair collisions or build a general awareness
of UAS operations
The subcategories of A and B comprise technological and operational strategies
that help to provide an alerted see-and-avoid environment and can be further
categorized based on whether the additional situational awareness is achieved
through active transmission or not. Some mitigation strategies can be assigned to
more than one category, and it is important to note that some of the proposed
mitigation technologies are concepts still under development; their suitability as
effective mitigation strategies has yet to be determined.

Table 92.9 Examples of existing midair collision mitigation strategies
(1) Elimination of the hazard
    Segregation of UAS from other aircraft (e.g., use of prohibited or restricted
    airspace); not conducting the operation
(2) Reduction in the likelihood of a hazard occurring
    (A) See
        (i) Active: Periodic radio broadcasts; airborne or ground-based systems that
        employ primary radar (e.g., Fig. 92.6), transponder interrogators, or LIDAR
        sensors; existing airborne collision avoidance systems (e.g., TCAS-II)
        (ii) Passive: Chase plane; radio listening watch; airborne or ground-based
        systems that employ electro-optical (Fig. 92.7), infrared, or acoustic sensors;
        automatic dependent surveillance-broadcast (ADS-B) in; ground-based visual
        observers; subscription to traffic information feeds
    (B) Be seen
        (i) Active: ADS-B out; transponders; existing ACAS (e.g., TCAS-II);
        inter-aircraft communication systems (e.g., VHF – Data Link); anticollision
        strobe lights (Fig. 92.8)
        (ii) Passive: Chase plane; high-visibility paint (Fig. 92.8); establishment and
        activation of warning or danger areas
    (C) Staying away: Flying in airspace of known low aircraft activity, over the
    oceans, above or below international en route airspace; at night, below the CPA
    minimum safe altitude, outside peak CPA traffic times
    (D) Services: Utilization of third-party air traffic services; flying in controlled
    airspace
    (E) Strategic: Survey and crew familiarization with airspace operating environment;
    crew training in procedures; general awareness (briefing local airspace user
    groups)
(3) Reduction of the level of potential consequences
    Established procedures for responding to an emergency; frangible aircraft; not
    flying in areas where there are aircraft with a high consequence value (e.g.,
    commercial passenger aircraft)

Fig. 92.6 An example mitigation technology: the INSITU Pacific Mobile Aircraft Tracking
System with communications, primary radar, and ADS-B In (Wilson 2012) (Image courtesy of
Dr Michael Wilson)

Fig. 92.7 An example mitigation technology: the Australian Research Centre for
Aerospace Automation (ARCAA) electro-optical sense-and-act system fitted onto the wing
strut of the ARCAA flight test aircraft (Lai et al. 2012) (Image courtesy ARCAA)

Fig. 92.8 An example mitigation technology: the INSITU Pacific ScanEagle™ on launcher with
high-visibility markings and strobes (Image courtesy INSITU Pacific Ltd)

92.6.2.2 Risk Mitigation Strategies for an Impact with Terrain


A range of strategies can be used to mitigate the risks associated with the hazard
of a controlled or uncontrolled impact with terrain or objects on the terrain.
Some example strategies are summarized in Table 92.10. The example approaches
summarized in Table 92.10 are classified based on whether the reduction in risk
is achieved through (1) the elimination of the hazard, (2) a reduction in the
likelihood the hazard occurs, or (3) a reduction in the consequence given the
occurrence of the hazard. Category 2 mitigation strategies are further divided
into the subcategories of operational, technological, and strategic. The strategies
summarized in Table 92.10 are in addition to those that improve the airworthiness
of the system (e.g., the adoption of sound engineering design practices, fault-
tolerant design principles, the certification of software to high levels of assurance,
the implementation of quality control in manufacturing processes, increasing
the depth and frequency of preventative maintenance cycles, completion of preflight
checks, and procedures and policies for crew management, training and
licensing).

92.6.3 The Selection of Mitigation Strategies

ICAO (2009) evaluates mitigation strategies on the basis of their effectiveness
(in terms of risk reduction), associated costs and benefits, practicality, whether
they create new problems (e.g., introduce new risks), and other factors such as
whether they stand up to scrutiny, the acceptability to other stakeholders, whether
they are enforceable or durable, and whether the residual risks can be further
reduced.

Table 92.10 Example strategies for mitigating the risks of a controlled or uncontrolled impact
with terrain or objects on the terrain
(1) Elimination of the hazard
    Not conducting the operation
(2) Reduction in the likelihood of a hazard occurring
    Operational: Isolating UAS operations to designated and controlled ranges where
    there are no people or property exposed; minimizing/avoiding the overflight of
    people and property, or limiting operations to areas of low population density;
    operating over the oceans and away from known fishing areas or shipping lanes;
    establishing designated recovery or ditching points; flying at night when people
    are more likely to be sheltered; ability to operate under more than one mode of
    operation (e.g., autonomous or manual remote operation)
    Technological: Automated recovery systems capable of flying to preprogrammed
    recovery sites; emergency forced landing systems (e.g., Mejias et al. 2009);
    failure warning systems (e.g., icing or fuel warnings, breach of operational
    boundaries); controlled ditching in preprogrammed areas; containment systems
    (e.g., automated fencing, parachute, ditching, or explosive termination systems)
    Strategic: Survey and crew familiarization with operating environment; crew
    training in failure and emergency procedures; general awareness (briefing local
    population)
(3) Reduction of the level of potential consequences
    Sheltering of people or assets; frangible aircraft; energy dissipating flight
    profiles (manual or pre-programmed); air bags; parachute systems; avoiding areas
    with the potential for consequences of high value (e.g., areas with hospitals,
    schools, or areas of high population density); personal protective equipment
    (e.g., helmet and eye protection – for micro/small UAS operations); established
    emergency procedures; emergency response equipment (e.g., first aid, environmental
    spill kits, fire fighting, and personnel protective equipment for post accident
    cleanup)

92.6.3.1 Effectiveness and the General Hierarchy of Mitigation Strategies
The effectiveness of a mitigation strategy is measured in terms of the magnitude of
the reduction in risk achieved. The most effective strategy is to eliminate the hazard,
followed by those strategies that reduce the severity of the hazard or the likelihood of
its occurrence. The third most effective strategies are those that employ engineering
controls preventing the mishap from occurring, followed by warning devices, and
procedures and training (DoD 2010a).

Effectiveness of Midair Collision Avoidance Mitigation Strategies


The most effective strategy is to segregate UAS from other airspace users; however,
due to issues of practicality and cost, this is not always a viable treatment option.
Those safety cases that are primarily based on the situational awareness of other
airspace users (e.g., be seen, Table 92.9) or strategies that reduce the level of
consequence given the occurrence of a mishap are the least effective and, on their
own, are not likely to provide an acceptable safety case. Reducing exposure (e.g.,
staying away, Table 92.9) in combination with other see and be seen mitigation
strategies is likely to provide the most effective approach for managing the risk
of a midair collision. In assessing the effectiveness of the different strategies,
consideration should be given to the following:
• Types of airspace users that are likely to be encountered and their:
– Resilience to damage due to a collision with the particular type of UAS (e.g.,
bird strike protection of transport category aircraft)
– Observability to the different sensing or awareness approaches that could be
used (e.g., radar cross-sectional area)
– Equipage (e.g., whether they have radios or transponders onboard)
– Ability to detect the UAS
– Ability to maneuver
– Typical operating speeds (e.g., determination of closing speeds and time to
react)
– Conditions of right of way
• Operating conditions (e.g., instrument meteorological conditions vs. visual
meteorological conditions) or the operational profile flown (e.g., variation in
radar clutter performance with altitude)
• Geographical volumes over which protection or awareness needs to be provided
• Temporal changes (e.g., use of strobes during the day vs. at night) and the duration
of activity (e.g., effectiveness of ground observers for extended
missions)

Effectiveness of Mitigation Strategies for Managing the Risks to People and Property on the Ground
The most effective mitigation strategies for mitigating the risks to people and
property on the ground are those that reduce the following:
• Probability of a flight critical failure or human error occurring (e.g., through
fault-tolerant design, maintenance, crew resource management, and training)
• Exposure of people and property to the hazard, specifically the operational
mitigations in Table 92.10 that restrict UAS operations to uninhabited areas or
avoid/minimize the overflight of densely populated regions, critical infrastructure,
or culturally sensitive sites
Automated emergency flight termination systems and recovery systems are effective
but not for all failure modes (e.g., typically only for those failure modes where there
is still a degree of control over the flight path of the UA). Least effective are those
strategies that rely solely on the general public being sheltered, wearing personal
protective equipment, or emergency equipment and procedures employed following
a mishap.

Effectiveness of CPA Mitigations


It is important to note that a risk control strategy that is effective for CPA may
not be effective for UAS. For example, a number of studies have been conducted
to evaluate the effectiveness of ACAS as a means for self-separation, collision
avoidance, or situational awareness for UAS (FAA 2011a). These studies identified
a number of technical and operational issues, which have a significant impact on the
effectiveness of ACAS as a midair collision avoidance system for UAS.

Evaluating Layers of Mitigations


Seldom will a single mitigation strategy be sufficient for a risk to be considered
tolerable. In evaluating the cumulative effectiveness of multiple mitigation
strategies, it is important to consider the potential for one strategy to degrade
the effectiveness of another, thus forcing a reevaluation of the residual risks.
The selection of strategies should ensure coverage of the complete spectrum of
risk scenarios (e.g., avoiding reliance on strategies that are only effective under
visual meteorological conditions) and should consider how the mitigation strategies,
in isolation and in combination, can be overcome or can fail. The selection of
strategies should try to ensure that these failure modes are not common to all of
the strategies adopted.
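
An added example (not from the chapter) of the layered-mitigation check described above: for each operating condition it reports coverage gaps, failure modes shared by every strategy that is effective in that condition, and adopted strategies that degrade one another. The strategy names come from Table 92.9; the operating conditions, failure modes, and effectiveness assignments are constructed assumptions.

```python
"""Layered-mitigation check: coverage gaps, shared failure modes, interactions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Mitigation:
    name: str
    effective_in: frozenset            # operating conditions where it reduces risk
    defeated_by: frozenset             # failure modes that make it ineffective
    degrades: frozenset = frozenset()  # names of strategies it makes less effective


def analyse_layers(conditions, mitigations):
    """Return (gaps, common_modes, conflicts) for a set of adopted strategies.

    gaps         conditions in which no adopted strategy is effective
    common_modes condition -> failure modes that defeat every strategy effective
                 there (for a single-strategy layer, all of its failure modes)
    conflicts    (strategy, degraded strategy) pairs among the adopted strategies
    """
    gaps, common_modes = [], {}
    for condition in conditions:
        layer = [m for m in mitigations if condition in m.effective_in]
        if not layer:
            gaps.append(condition)
            continue
        shared = frozenset.intersection(*(m.defeated_by for m in layer))
        if shared:
            common_modes[condition] = sorted(shared)
    adopted = {m.name for m in mitigations}
    conflicts = sorted((m.name, other) for m in mitigations
                       for other in m.degrades if other in adopted)
    return gaps, common_modes, conflicts


# Constructed sample data: conditions and failure modes are illustrative only.
CONDITIONS = ["day VMC", "night VMC", "IMC"]
OBSERVERS = Mitigation("ground-based visual observers",
                       frozenset({"day VMC"}),
                       frozenset({"observer fatigue"}))
STROBES = Mitigation("anticollision strobe lights",
                     frozenset({"night VMC"}),
                     frozenset({"loss of onboard power",
                                "other pilot not looking out"}))
ADSB_IN = Mitigation("ADS-B In",
                     frozenset({"day VMC", "night VMC", "IMC"}),
                     frozenset({"loss of onboard power",
                                "intruder without ADS-B Out"}))
NIGHT_OPS = Mitigation("flying at night",
                       frozenset({"night VMC"}),
                       frozenset({"mission overruns into daylight"}),
                       degrades=frozenset({"ground-based visual observers"}))

if __name__ == "__main__":
    for layers in ([OBSERVERS, STROBES],
                   [OBSERVERS, STROBES, ADSB_IN],
                   [OBSERVERS, STROBES, ADSB_IN, NIGHT_OPS]):
        print([m.name for m in layers], analyse_layers(CONDITIONS, layers))
```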

92.6.3.2 Practicality
The practical feasibility of mitigation strategies needs to be considered in
relation to the physical and performance limitations of the system. For example,
there are fundamental limits in relation to the maximum takeoff weight,
payload volume, and power available to support mitigation systems onboard
an unmanned aircraft. Similarly, there are fundamental limits in relation to the
maneuverability, speed, range, endurance, glide performance, or ceiling
of the UAS.

92.6.3.3 The Costs and Benefits Associated with Treatment Options


Costs should be considered in relation to a broad range of stakeholder groups
(e.g., existing airspace users, air service providers, NAAs, the UAS industry,
and ultimately, the general public) and include the indirect costs beyond those
immediately associated with the occurrence of an accident (e.g., beyond the
compensation for loss of life, the damage to property, and fines). Take, for example,
the mitigation strategies of (a) the use of redundant flight critical systems and (b)
the equipage of a collision avoidance system. These mitigation options can result in
increased:
• Platform costs due to the direct added cost of the collision avoidance system
or the use of duplicate subsystems and the increased costs incurred in the
engineering design, manufacture, and quality control processes
• Operational costs due to additional personnel training (e.g., in the operation of
the collision avoidance system)
• Through-life costs due to additional maintenance
• Mission costs due to reductions in the following:
– Performance of the system (e.g., the extra weight and drag and its impact on
endurance, range, speed, or ceiling)
– Ability for the UAS to support payloads (e.g., less weight, volume, and power
available for payloads)
– Subsequent ability of the UAS to meet mission objectives
• Market cost due to a reduction in the number of serviceable clients
• Reduction in benefits with respect to foregone downstream benefits to end users
and the broader society
As well as costs, there can be indirect benefits associated with the implementation
of mitigation strategies. For example, improving the overall reliability of the UAS
can lead to the benefits of a lower platform attrition rate, a reduction in insurance
premiums, an increase in availability, and an increase in customer trust and in turn
repeat business. These costs and benefits, along with the direct benefit of a reduction
in the risks, need to be factored into the determination of ALARP.

92.6.3.4 Other Factors


Mitigation strategies for UAS should be assessed to determine whether they
introduce new risks and whether these introduced risks warrant treatment or whether
they outweigh the benefits of employing the mitigation strategy altogether (e.g.,
explosive flight termination systems). The selection of mitigation options can also be
guided by secondary objectives, values, and constraints held by different stakeholder
groups. For example, the FAA (2011b) explicitly precludes treatment options that
reduce the operational freedoms of other airspace users (e.g., the designation of
airspace specifically for use by UAS). Another example is the military preference
for passive midair collision avoidance systems due to the requirement to reduce
the observability of military UAS operations. External constraints can include
applicable standards and regulations (e.g., existing aviation safety, environmental
protection, or occupational health and safety regulations) or constraints imposed by
insurance providers.

92.6.4 Summary

The selection of mitigation options for UAS is a complex decision-making process.
Mitigation options must be evaluated in terms of their effectiveness, costs, benefits,
practicalities, and other factors to determine whether their implementation is
reasonably practicable or not. This decision process is guided by the ratio of the
costs and benefits associated with pursuing the different options for mitigation. A
risk is considered ALARP if this ratio is in gross disproportion, a concept which
is subjective and variable. Finally, a determination of ALARP does not make a
risk tolerable. For every scenario, a decision must be made by the organization as
to whether it is willing to retain the residual risk in return for the benefits of the
operation. Authorization should be obtained at two stages in the treatment process:
(1) at the point of approving the selection of mitigation strategies and the decision
to retain residual risks and (2) to verify that strategies have been implemented as
described. Typically, the delegation of authority is dependent on the level of residual
risk that is being retained.
Currently, operational mitigation strategies (e.g., restrictions on the flight of
UAS over populous areas) are central to obtaining operational approvals. Mitigation
technologies like sense-and-avoid and automated emergency landing systems
are currently under development and showing much promise. These mitigation
technologies will reduce the need for restrictions on UAS operations and
will be key to the uptake of UAS in a greater number of civil applications.
These technologies also have the potential to greatly improve the safety of CPA
operations.

92.7 Monitor and Review

Risk is dynamic. Key to maintaining and improving the SRMP is a process to
monitor and review the SRMP in response to changes in the risk. Risks evolve
with changes in the organization, technology, and operations performed and in
the natural, social, regulatory, and political environments. Further, there can be
opportunities to improve the safety risk management of existing activities if new
information, assessment tools, or treatment options become available.

92.7.1 The Importance of Accident and Incident Recording

One of the primary triggers for an ad hoc review of the safety risk management of an
activity is the occurrence of an accident or incident. Accident and incident data are
a valuable source of information that can be used to identify new risk scenarios and
update risk assessments. Most importantly, an analysis of accidents and incidents
provides organizations with the opportunity to evaluate the effectiveness of their
mitigation strategies and to put in place new measures to further reduce the risks.
The definition of accidents and incidents and the conditions for their reporting
depend on the particular state in which the accident occurs. The National
Transportation Safety Board (NTSB) in the USA defines an unmanned aircraft accident
as the following:
“an occurrence associated with the operation of any public or civil unmanned aircraft system
that takes place between the time that the system is activated with the purpose of flight and
the time that the system is deactivated at the conclusion of its mission, in which: (1) Any
person suffers death or serious injury; or (2) The aircraft has a maximum gross take-off
weight of 300 pounds or greater and sustains substantial damage.” p. 600, 49 CFR 830.2
(GPO 2010)

Mandatory reporting of accidents involving UAS in the USA only formally came
into force in October 2010 [amendments to title 49 CFR 830 (GPO 2010)]. FAA
accident and incident reporting requirements were in force prior to this date and
were mandated under the conditions of a certificate of waiver or authorization (FAA
2011b). Annex 13 to the Chicago Convention was amended in November 2010 to
include the investigation of accidents and serious incidents involving international
civil UAS operations but only for those UAS with design and/or operational
approval (ICAO 2011).

92.7.2 Triggers for Review

The occurrence of an accident or incident as a trigger for a review is a reactive
approach to safety management. A proactive strategy does not wait for an accident
or incident to occur in order to trigger a review of the SRMP. Reviews can be
periodic or triggered by certain conditions (e.g., a change in operations, operating
environment, regulations, applications, operational types, business activity).
Identified risks need to be continually reviewed to ensure that the level of risk has not
changed, that mitigations are still effective, that stakeholder expectations are still
being satisfied, to determine if new options for risk mitigation are available, or to
determine whether there is new information or tools available that can be used to
improve the assessment of the risks. Reporting mechanisms should be established
that allow the organization to identify and track emerging risks.

92.7.3 Tracking Safety Performance

Measuring and tracking the safety performance of an activity or organization is
part of the overarching SMS or SPP established by the organization or NAA,
respectively. In most cases, accidents are extremely rare events, and hence, a
proactive safety performance management strategy is needed. Such a strategy
attempts to estimate the safety performance through the use of a variety of safety
performance indicators or measures of lead indicator events (e.g., recording and
tracking the number of breaches in policies or procedures, issues detected as part of
the preflight inspection of an aircraft, as opposed to counts of accidents).

92.8 Communication and Consultation

The risk communication and consultation process is described as the “continual
and iterative processes that an organization conducts to provide, share or obtain
information and to engage in dialogue with stakeholders regarding the management
of risk” (ISO 2009). Communication and consultation is key to avoiding potential
conflict in the safety decision-making process, for ensuring that stakeholder
concerns are being addressed, and for reducing uncertainty in the decisions and
outcomes. This process is undertaken at all stages of the SRMP. Key to addressing
issues of trust and uncertainty is ensuring transparency in the SRMP to the different
stakeholders. Both the outcomes from the SRMP and the SRMP itself need to
be communicated to stakeholders. It is also important to note that the different
stakeholders will have different information needs. The right information needs
to be communicated to the right stakeholder and in a method and manner that is
acceptable and comprehensible to them. Finally, communication and consultation
is a bidirectional process. Eliciting domain knowledge from stakeholders can
significantly improve the SRMP by reducing uncertainty and ensuring a more
comprehensive management of the risks. Expert domain knowledge can be used at
all stages in the SRMP (i.e., risk identification, analysis, evaluation, and treatment).

92.9 Conclusion

This chapter has highlighted many of the unique issues and challenges associated
with the application of the safety risk management process to UAS. These issues
and challenges can be technical, operational, economic, political, and social in
nature and can influence all facets of the safety risk management process. Some
sections of this chapter pose more questions than they do answers, highlighting
that there is still much to be learned. The area of greatest need is in developing an
understanding of the broader perceptions, beliefs, and expectations of society and
how these factors influence decisions in relation to the safety of UAS operations.
The challenges and issues discussed in this chapter are, in general, not unique
to UAS. Challenges of a similar nature will need to be addressed in the safety
risk management of other emerging aviation sectors such as reusable space launch
vehicles, personal air vehicles, and hypersonic aircraft. It is hoped that the general
processes developed and the lessons learned in the safety risk management of UAS
will help to pave the way for these and other emerging and highly beneficial aviation
sectors.
While this chapter has highlighted many issues, it is important to note that UAS
are being safely operated in civil airspace today. In Australia, an approval to operate
is obtained through the presentation of a suitable safety case to CASA, a safety case
underpinned by a safety risk management process. Addressing the issues identified
in this chapter will be pivotal to reducing the uncertainty in these safety cases,
for ensuring consistency in the regulation of the industry, and for supporting the
definition of more prescriptive safety regulations.

Acknowledgments The authors would like to thank Dr Neale Fulton, adjunct professor at
Queensland University of Technology, Mr. Brendan Williams and Dr Michael Wilson from Boeing
Research & Technology, Australia, Mr. Jim Coyne and Mr. Phil Presgrave from the Civil Aviation
Safety Authority, and Mr. Kim Jones for their valuable comments and additions to this chapter.

References
ADF, AAP7001.048(AM1), ADF Airworthiness Manual (Australian Defence Force (ADF), Directorate
General Technical Airworthiness, Canberra, Australia, 2009)
AIB, RQ-4A Global Hawk UAV Accident Investigation, Executive Summary (2000). Retrieved 8
Nov 2011 from http://usaf.aib.law.af.mil/ExecSum2000/RQ-4A Edwards 6Dec99.pdf
B.J.M. Ale, Tolerable or acceptable: a comparison of risk regulation in the United Kingdom and in
the Netherlands. Risk Anal. 25(2), 231–241 (2005)
Boeing, Statistical Summary of Commercial Jet Airplane Accidents, Worldwide Operations 1959–
2010 (Aviation Safety, Boeing Commercial Airplanes, Seattle, 2011)
CAA, CAP 722 Unmanned Aircraft System Operations in UK Airspace – Guidance (CAP 722,
Civil Aviation Authority (CAA), The Stationery Office, London, 2010a)
CAA, CAP 760 Guidance on the Conduct of Hazard Identification, Risk Assessment and the
Production of Safety Cases (UK Civil Aviation Authority, The Stationery Office, London,
2010b)
CASA, AC101-1(0) Unmanned Aircraft and Rockets, Unmanned Aerial Vehicle (UAV) Operations,
Design Specification, Maintenance and Training of Human Resources (AC101-1(0), Civil
Aviation Safety Authority (CASA), Canberra, 2002)
CASA, Cost Benefit Analysis Procedures Manual (Civil Aviation Safety Authority (CASA),
Canberra, 2010)
CASA, AC101-8 Unmanned Aircraft Systems – Safety Management (Draft) (Canberra, Civil
Aviation Safety Authority (CASA), 2011)
R.A. Clothier, R.A. Walker, Determination and evaluation of UAV safety objectives, in
21st International Unmanned Air Vehicle Systems Conference, Bristol, United Kingdom,
2006
R.A. Clothier, R.A. Walker et al., A casualty risk analysis for unmanned aerial system (UAS)
operations over inhabited areas, in Twelfth Australian International Aerospace Congress
(AIAC-12), 2nd Australasian Unmanned Air Vehicles Conference, Melbourne, Australia,
2007
R.A. Clothier, N.L. Fulton et al., Pilotless aircraft: the horseless carriage of the twenty-first
century? Risk Res. 11(8), 999–1023 (2008)
R.A. Clothier, J.L. Palmer et al., Definition of airworthiness categories for civil unmanned aircraft
systems (UAS), in 27th International Congress of the Aeronautical Sciences (ICAS), Nice,
France, 2010
R.A. Clothier, J.L. Palmer et al., Definition of an airworthiness certification framework for civil
unmanned aircraft systems. Saf. Sci. 49(6), 871–885 (2011)
K. Dalamagkidis, K.P. Valavanis et al., On unmanned aircraft systems issues, challenges and
operational restrictions preventing integration into the National Airspace System. Prog. Aerosp.
Sci. 44(7–8), 503–519 (2008)
M.T. DeGarmo, Issues Concerning Integration of Unmanned Aerial Vehicles in Civil Airspace.
MP 04W0000323 (Center for Advanced Aviation System Development, MITRE Corporation,
McLean 2004)
DoD, MIL-STD-882D Department of Defense Standard Practice, System Safety, Environment,
Safety, and Occupational Health Risk Management Methodology for Systems Engineering.
Draft incorporating Change 1 (U.S. Department of Defense (DoD), 2010a)
DoD, U.S. Army Unmanned Aircraft Systems Roadmap 2010–2035 (U.S. Army UAS Center of
Excellence, U.S. Department of Defense, Fort Rucker, Alabama, 2010b)
J.A. Drezner, R.S. Leonard, Innovative Development: Global Hawk and DarkStar. Flight Test in
the HAE UAV ACTD Program (RAND, Santa Monica, 2002)
EASA, E.Y01301, Policy Statement Airworthiness Certification of Unmanned Aircraft Systems
(UAS) (Rulemaking Directorate, European Aviation Safety Agency (EASA), 2009)
EUROCONTROL, Specifications for the Use of Military UAVs as Operational Air Traffic Outside
Segregated Airspace (EUROCONTROL-SPEC-0102, EUROCONTROL, Brussels, Belgium,
2007)
FAA, FAA System Safety Handbook (Federal Aviation Administration (FAA), Department of
Transportation, Washington, 2000)
FAA, Sense and Avoid (SAA) for Unmanned Aircraft Systems (UAS). Report for the FAA
sponsored “Sense and Avoid” workshop federal aviation administration (FAA), Department
of Transportation, Washington DC, USA (2009)
FAA, Evaluation of Candidate Functions for Traffic Alert and Collision Avoidance System II
(TCAS II) on Unmanned Aircraft System (UAS) (Aviation Safety, Flight Standards Service,
Unmanned Aircraft Program Office, Federal Aviation Administration (FAA), Washington,
2011a)
FAA, JO 7210.766, Unmanned Aircraft Operations in the National Airspace System (NAS). JO
7210.766 (Unmanned Aircraft Systems Group, Federal Aviation Administration (FAA), U.S.
Department Of Transportation, Washington, 2011b)
FAA and EUROCONTROL, FAA/EUROCONTROL ATM Safety Techniques and Toolbox (Federal
Aviation Administration (FAA) and EUROCONTROL, 2007)
B. Fischhoff, P. Slovic et al., How safe is safe enough? A psychometric study of attitudes towards
technological risks and benefits. Policy Sci. 9(2), 127–152 (1978)
S. Fitzpatrick, Australian spy plane crashes into Timorese home. The Australian (2007).
Retrieved 8 Nov 2011, from http://www.news.com.au/top-stories/australian-spy-plane-
crashes-into-timorese-home/story-e6frfkp9-1111113506458
C. Fraser, D. Donnithorne-Tait, An approach to the classification of unmanned aircraft, in Bristol
International Unmanned Aerial Vehicle Systems (UAVS) Conference, Bristol, UK, 2011
N.L. Fulton, Regional airspace design: a structured systems engineering approach. PhD Dissertation,
The University of New South Wales, Australian Defence Force Academy, 2002
GPO, 49 CFR 830 – Notification and Reporting of Aircraft Accidents or Incidents and Overdue
Aircraft, and Preservation of Aircraft Wreckage, Mail, Cargo, and Records. GPO Federal
Digital System (2010). Retrieved on 8 Nov from: http://www.gpo.gov/fdsys/, U.S. Government
Printing Office (GPO), pp. 599–602
F. Grimsley, Equivalent safety analysis using casualty expectation approach, in AIAA 3rd
“Unmanned Unlimited” Technical Conference, Workshop and Exhibit, Chicago, 2004
A. Hobbs, Unmanned aircraft systems, in Human Factors in Aviation, ed. by E. Salas, D. Maurino
(Academic, Burlington, 2010)
A. Hobbs, H.R. Stanley, Human Factors in the Maintenance of Unmanned Aircraft (Unmanned
Aerial Vehicles Human Factors, Program Review, Federal Aviation Administration (FAA), U.S.
Department of Transportation, Washington, 2005)
N. Hodge, U.S. Says Drone, Cargo plane collide over Afghanistan. Wall Str.
J. Online (2011). Retrieved 4 Nov 2011 from http://online.wsj.com/article/
SB10001424053111903480904576512081215848332.html
HSE, The Tolerability of Risk From Nuclear Power Stations (Health and Safety Executive, HMSO,
London, 1992)
HSE, Principles and Guidelines to Assist HSE in Its Judgements that Duty-Holders have Reduced
Risk as Low as Reasonably Practicable (Health and Safety Executive Online Guidance
Material, Health and Safety Executive (HSE), London, 2001a)
HSE, Reducing Risks, Protecting People. HSE’s Decision-Making Process (Health and Safety
Executive (HSE), Her Majesty’s Stationery Office (HMSO), Norwich, 2001b)
E. Hull, K. Jackson et al., Requirements Engineering (Springer, Dordrecht, 2011)
ICAO, Safety Management Manual (SMM), Doc 9859 (International Civil Aviation Organization
(ICAO), Montréal, 2009)
ICAO, Unmanned Aircraft Systems (UAS) Circular, CIR 328, AN/190. CIR 328, AN/190 (International
Civil Aviation Organization (ICAO), Montréal, 2011)
ISO, Risk Management – Principles and Guidelines. ISO 31000:2009 (International Organization
for Standardization (ISO), Geneva 2009)
JAA/EUROCONTROL, Final report a concept for European regulations for civil unmanned aerial
vehicles (UAVs), The Joint JAA/EUROCONTROL Initiative on UAVs, 2004. Brussels, Belgium.
Available online: http://www.easa.europa.eu/rulemaking/docs/npa/2005/NPA 16 2005
Appendix.pdf
M. Jones-Lee, T. Aven, ALARP—What does it really mean? Reliab. Eng. Syst. Saf. 96(8), 877–882
(2011)
P. La Franchi, EUFOR Details Belgian B-Hunter UAV Crash that Caused Civilian Death. Flight
International (2006a). Retrieved 8 Nov 2011, from http://www.flightglobal.com/articles/2006/
10/06/209716/eufor-details-belgian-b-hunter-uav-crash-that-caused-civilian.html
P. La Franchi, Incidents Between UAVs and Helicopters in Afghanistan and Iraq Prompt
Action. Flight International (2006b). Retrieved 8 Nov 2011, from http://www.flightglobal.com/
articles/2006/03/14/205379/animation-near-misses-between-uavs-and-airliners-prompt-nato-
low-level-rules.html
J. Lai, J. Ford et al., See and avoid using on board computer vision, in Sense and Avoid in UAS:
Research and Applications, ed. by A. Plamen (Wiley, Hoboken, 2012)
C.W. Lum, B. Waggoner, A risk based paradigm and model for unmanned aerial systems in
the national airspace, in AIAA Infotech@Aerospace Conference and Exhibit 2011, St. Louis,
Missouri, USA, 2011
C.W. Lum, K. Gauksheim et al., Assessing and estimating risk of operating unmanned aerial
systems in populated areas, in 11th AIAA Aviation Technology, Integration, and Operations
(ATIO) Conference, Virginia Beach, Virginia, 2011
MAA, Regulatory Articles 1000 Series: General Regulations, RA 1000 Series (GEN) (Military
Aviation Authority (MAA), UK Ministry of Defence (MoD), United Kingdom, 2011)
S.L. MacSween-George, A public opinion survey – unmanned aerial vehicles for cargo, commercial,
and passenger transportation, in AIAA “Unmanned Unlimited” Systems, Technologies, and
Operations Conference, San Diego, California, 2003
S.D. Manning, C.E. Rash et al., The role of human causal factors in U.S. army unmanned aerial
vehicle accidents, USAARL Report No. 2004–11, Aircrew Health and Performance Division,
U.S. Army Aeromedical Research Laboratory (UAARL), U.S. Department of Defense (2004)
J.S. McCarley, C.D. Wickens, Human factors implications of UAVs in the National Airspace.
Technical Report AHFD-05-05/FAA-05-01, Aviation Human Factors Division Institute of
Aviation, University of Illinois, Savoy, Illinois, USA, 2005
L. Mejias, D.L. Fitzgerald et al. Forced landing technologies for unmanned aerial vehicles: towards
safer operations, in Aerial Vehicles, ed. by L. Thanh Mung (In-Tech, Kirchengasse, 2009), pp.
413–440
R.E. Melchers, On the ALARP approach to risk management. Reliab. Eng. Syst. Saf. 71(2), 201–
208 (2001)
G. Mortimer, Schiebel S-100 Crash Kills Engineer in South Korea (2012). Retrieved 31 May 2012
from http://www.suasnews.com/2012/05/15515/schiebel-s-100-crash-kills-engineer-in-south-
korea/
NTSB, Accident Brief CHI06MA121 (National Transportation Safety Board (NTSB), 2007).
Retrieved 8 Nov 2011 from http://www.ntsb.gov/ntsb/GenPDF.asp?id=CHI06MA121&rpt=fi
OSD, Unmanned Aerial Vehicle Reliability Study (Office of the Secretary of Defense, U.S.
Department of Defense, 2003)
R. Parasuraman, T.B. Sheridan et al., A model for types and levels of human interaction with
automation. IEEE Trans. Syst. Man Cybern. A 30(3), 286–297 (2000)
E. Paté-Cornell, Quantitative safety goals for risk management of industrial facilities. Struct. Saf.
13(3), 145–157 (1994)
RCC, Range Safety Criteria for Unmanned Air Vehicles. Document 323–99 (Range Safety Group,
Range Commanders Council, White Sands, New Mexico, 1999)
RCC, Range Safety Criteria for Unmanned Air Vehicles, Rationale and Methodology Supplement.
Supplement to Document 323–99 (Range Safety Group, Range Commanders Council, White
Sands, New Mexico, 2001)
RCC, Common Risk Criteria Standards for National Test Ranges: Supplement Standard 321–07.
Document 321–07 (Range Safety Group, Range Commanders Council, White Sands, New
Mexico, 2007)
RTCA, DO-178B Software Considerations in Airborne Systems and Equipment Certification
(RTCA, Washington DC, USA, 1992)
RTCA, DO-304, Guidance Material and Considerations for Unmanned Aircraft Systems. DO-304
(RTCA, Washington DC, USA 2007)
SAE, ARP4761 Guidelines and Methods for Conducting the Safety Assessment Process on Civil
Airborne Systems and Equipment (Aircraft and Systems Development and Safety Assessment
Committee, Society Automotive Engineers (SAE), 1996)
SAE, ARP5580 Recommended Failure Modes and Effects Analysis (FMEA) Practices for
Non-Automobile Applications (Reliability Committee, Society Automotive Engineers (SAE),
2001)
S. Siddiqui, Disaster Averted: Navy’s Unmanned Aircraft Crashes After ‘hitting bird’. The Express
Tribune (2011). Retrieved 8 Nov 2011 from http://tribune.com.pk/story/212919/small-plane-
crashes-near-oil-refinery-in-korangi/
P. Slovic, Perception of risk. Science 236(4799), 280–285 (1987)
P. Slovic, Trust, emotion, sex, politics, and science: surveying the risk-assessment battlefield. Risk
Anal. 19(4), 689–701 (1999)
P. Slovic, B. Fischhoff et al. Rating the risks. Environment 21(3), 14–20 (1979)
R.A. Stephens, W.W. Taslon et al. System Safety Analysis Handbook (System Safety Society U.S.,
New Mexico Chapter, Albuquerque, 1997)
SUAS, Comprehensive Set of Recommendations for sUAS Regulatory Development (Small
Unmanned Aircraft System (sUAS) Aviation Rule-making Committee (ARC), Federal Aviation
Administration (FAA), Washington, 2009)
B. Thomé, Systems Engineering: Principles and Practice of Computer-Based Systems Engineering
(Wiley, New York, 1993)
A.P. Tvaryanas, W.T. Thompson et al., The U.S. military unmanned aerial vehicle (UAV) experience:
evidence-based human systems integration lessons learned, in Strategies to Maintain
Combat Readiness during Extended Deployments – A Human Systems Approach (NATO
Research and Technology Organisation, Neuilly-sur-Seine, 2005)
D. Washington Valdez, D. Borunda, Mexican drone crashes in backyard of El Paso home. El Paso
Times (Online) (2010). Retrieved 8 Nov 2011 from http://www.elpasotimes.com/ci 16875462
R. Weibel, R. Hansman, Safety considerations for operation of different classes of UAVs in the
NAS, in 3rd “Unmanned Unlimited” Technical Conference, Workshop and Exhibit (American
Institute of Aeronautics and Astronautics, Chicago, Illinois, 2004)
E. Wiklund, Flying with Unmanned Aircraft (UAVs) in Airspace Involving Civil Aviation Activity
Air Safety and the Approvals Procedure (English translation of “Flygning med obemannade
luftfartyg (UAV) iluftrum med civil flygverksamhet”) (The Swedish Aviation Safety Authority,
Norrköping, Sweden, 2003)
K.W. Williams, A Summary of Unmanned Aircraft Accident/Incident Data: Human Factors
Implications. DOT/FAA/AM-04/24 (Civil Aerospace Medical Institute, Federal Aviation
Administration, Oklahoma City, 2004)
M. Wilson, The use of low-cost mobile radar systems, for small UAS sense and avoid, in Sense
and Avoid in UAS: Research and Applications, ed. by A. Plamen (Wiley, Hoboken, 2012)
R. Wolfe, Why Demonstrating an “Equivalent Level of Safety” for See and Avoid is an
Inappropriate Requirement for Unmanned Aircraft System Operations (Modern Technology
Solutions Incorporated (MTSI), Alexandria, 2009)
E. Zio, N. Pedroni, Uncertainty Characterization in Risk Analysis for Decision-Making Practice.
Number 2012–07 (Cahiers de la Sécurité Industrielle, Foundation for an Industrial Safety
Culture, Toulouse, 2012)
93 Certification of Small UAS

Ron van de Leijgraaf

Contents
93.1 Introduction
93.2 Aeronautical Products
93.3 Certification Process
93.3.1 Process Description
93.3.2 Procedure to Deal with Novel Design Features
93.3.3 Certification and Validation Projects
93.4 Certification Safety Requirements
93.4.1 Certification Specifications
93.4.2 European Technical Standard Orders (ETSO)
93.5 Relation Between Safety Requirements and RPAS Components
93.5.1 Remotely Piloted Aircraft (RPA)
93.5.2 Remote Pilot Station (RPS)
93.5.3 Command, Control, and Communication System
93.5.4 Other Systems
93.5.5 Detect and Avoid
93.5.6 Concluding Remarks
93.6 Certification Organizational Requirements
93.7 Final Remarks
References

Abstract
This chapter describes the certification of (small) unmanned aircraft systems
(UAS). It focuses on the certification process, the requirements for the safe
design of a UAS, and the organizational requirements for the company designing
the UAS.

R. van de Leijgraaf
Civil Aviation Authorities – The Netherlands, Airworthiness Inspectorate, Hoofddorp,
The Netherlands
e-mail: ron.vande.leijgraaf@minienm.nl

K.P. Valavanis, G.J. Vachtsevanos (eds.), Handbook of Unmanned Aerial Vehicles, 2277
DOI 10.1007/978-90-481-9707-1 38,
© Springer Science+Business Media Dordrecht 2015

93.1 Introduction

Aviation authorities worldwide consider an unmanned aircraft (UA) an aircraft
as defined by the International Civil Aviation Organization (ICAO). Since these
authorities all have signed the ICAO convention, the fundamental standards and
recommended practices for the integration of UAS into the airspace will be
developed by ICAO. When considering the certification of small UAS, the
standards are given in Annex 8 (Airworthiness) of the ICAO Chicago
Convention.
ICAO has acknowledged the rapidly growing market for UAS and established
a study group in 2008 to address this issue. At the moment, this UAS study group
is evaluating all ICAO annexes and is preparing recommended changes to these
annexes to accommodate UAS in the ICAO standards. The study group published
ICAO UAS Circular 328 on unmanned aircraft systems (UAS), providing guiding
information on how UAS can be introduced in the ICAO annexes to facilitate a safe
introduction of UAS in the airspace worldwide. As a next step, the study group is
developing detailed proposals for changes to the annexes. These changes will be
written as guidance material to possible changes in the annexes. This will result
in the ICAO UAS Manual, which is planned to be presented at an ICAO UAS
Conference in fall 2014.
When the manual is published, it will be up to the various ICAO panels to develop
the adaptations to the annexes, based on the guidance material provided by the study
group. Experts from the UAS study group will most likely be involved in the work
to be performed by the panels.
Autonomous UAS are not considered at the moment by ICAO in the update of the
annexes. Only UAS where the remote pilot is capable of interfering with the flight
path of the aircraft are considered in the ICAO Circular. Such a system, considered
a subset of UAS, is defined as remotely piloted aircraft system (RPAS) by ICAO. In
this chapter, the official ICAO terms and definitions, as given in Circular 328, will
be used.
This chapter will only focus on the initial airworthiness of the RPAS, i.e., the
certification. Continuing airworthiness, which is equally part of airworthiness, will
be touched upon lightly and only in relation to the initial certification. Furthermore,
this chapter will not address the issues of safety oversight of the whole airworthiness
process by the national aviation authorities. When examples of the current aircraft
certification practice are given, they will be primarily given in the European context.
The same examples are equally valid for the American practice; the only difference
is the terminology used by the European Aviation Safety Agency (EASA) and the
U.S. Federal Aviation Authority (FAA).
Although ICAO is only responsible for the standards and recommended practices
for international operations and operations over the high seas, its standards are
usually adopted by states for their national aviation regulations. Therefore, the
process and safety standards described in this chapter are applicable to international
and national operations of RPAS.

93.2 Aeronautical Products

The whole concept of airworthiness is primarily aimed at developing a safe aircraft
to allow safe flight operations. One would expect the topic of airworthiness to deal
only with the aircraft, but within Annex 8, ICAO currently recognizes three
products that need to have an airworthiness approval:
1. Aircraft
2. Engines
3. Propellers
Each product can go through the certification process as described in the next
paragraph and have its design approved. When the design approval is granted, the
product will have a type certificate (TC). By themselves, the engine and propeller
will of course not be able to fly; they still need to be integrated with the aircraft. The
advantage of evaluating the engines and the propellers separately from the aircraft
design is twofold:
First, it allows the manufacturer of the engines or propellers to design products
that can be used on more than one aircraft design (General Electric engines that can
be installed on both Airbus and Boeing aircraft, for instance).
Second, it allows the aircraft designer to be involved only with the certification
of the integration of the engine and/or propeller into his aircraft, not with the actual
certification of the engine or propeller itself. This seriously reduces the effort needed
by the aircraft designer to go through the certification process with the aircraft
design.
When studying the impact of the introduction of RPAS to the ICAO annexes, in
preparation for the ICAO UAS Circular, the UAS study group concluded that the
remote pilot station (RPS) should be treated as a new aeronautical product within
Annex 8. Therefore, the study group will be proposing to introduce the remote pilot
station (RPS) as an additional airworthiness product within Annex 8. This will allow
manufacturers of RPS optimal flexibility in developing and providing their product
for various RPAS designers. It will also more easily allow for the use of multiple
RPS during one specific flight with an RPAS. Think about the possible operation
of a long-haul flight with an RPAS and a cruise pilot using satellite communication
during the cruise phase with one specific RPS and harbor pilot(s) using a different
RPS and direct radio communication during take-off and landing. For small UAS,
this operational concept of using multiple RPS during a flight will not be very likely.
In that case, the RPS could be certificated as part of the RPAS directly, not through
a separate design approval.

93.3 Certification Process

As defined in Annex 8 of the ICAO Convention, an aircraft can only be certificated
by the aviation authorities of the country where the principal place of business of
the designer of the aircraft is located. In ICAO terms, the country performing the
certification is the state of design. Other national aviation authorities can either
fully accept the certification by the state of design, or they can do an additional
investigation into the safe design of the aircraft. This additional investigation is
called a “validation.” Countries that can act as a state of design usually have
bilateral agreements with other countries about the certification and validation
process and acceptance of certificates. In general, authorities avoid duplicating tests,
so when a validation process is performed, this process focuses on the known
differences in safety requirements between the state of design and the validating
authority. In Europe, a regional safety oversight organization (RSOO) has been
created, which has taken over most of the aviation safety responsibilities from the
participating European countries. This organization is called the European Aviation
Safety Agency, EASA. When in this chapter a reference is made to a country, EASA
can be seen as the equal organization for the national aviation authority for the
participating European countries. For instance, EASA is responsible, in the state of
design role, for certification activities of Airbus and Fokker aircraft. EASA will also
do the European validation process for aircraft designed in, e.g., the USA or Brazil.
In the EASA Basic Regulation
(http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:2008R0216:20091214:EN:PDF),
the responsibilities of the
agency regarding UAS are clearly limited. Unmanned aircraft with an operating
mass of no more than 150 kg are not the responsibility of EASA, but the responsi-
bility of the individual states.
Certification authorities around the world use a similar process when addressing
the certification of an aircraft. This process is described in this paragraph for an
aircraft, but as indicated in the introduction of this chapter, RPAS are considered
aircraft and are treated in a similar way.

93.3.1 Process Description

A certification project for an aircraft is always started with an official application for
certification by the organization responsible for the aircraft design. The organization
requesting the certification is commonly referred to as the “applicant.” When the
application is accepted by the aviation authority, the certification project will start.
This project is normally started with a kickoff meeting where the designer of the
aircraft presents the design to the complete team of specialists that have been
assigned to the certification team by the authority.
The certification project follows four different phases:
1. Establishing the Certification Basis. In this phase, the safety requirements
against which the safe design of the aircraft must be proven will be defined
for the project. These requirements are referred to as the “certification basis.”
Normally, the designer of the aircraft is responsible for providing a first draft
of this certification basis. During and after the presentation of this first draft,
the discussion and interaction with the authority certification team takes place,
leading to a mutually agreed and mutually accepted certification basis for the
whole of the project. The basic safety requirements for a certification project are
the latest version of requirements from the state of design (usually referred to
as Certification Specification (CS) by EASA and Federal Aviation Regulation
(FAR) by the FAA) applicable at the moment the application for certification has
been received by the authority. A certification project usually lasts several years,
and it is considered unfair to the applicant to add updated requirements to the
certification basis over the years, due to the further development of the safety
requirements. Of course, when both the applicant and the authority agree, a newer
version of the requirements can be made applicable to the project.
When all safety requirements are agreed between the applicant and the certifying
authority, this phase is closed.
2. Defining the Means of Compliance. Once the safety requirements are estab-
lished, the applicant and the authority have to reach agreement on how the
applicant will show that his design of the aircraft is meeting these requirements.
There is a variety of methods available, from expert judgment, through theoreti-
cal analysis, down to flight testing. Not only the methods of showing compliance
with the requirements are agreed in this phase. The involvement of the authorities
in the various compliance finding tasks will also be agreed. In general, complete
test plans, documents to be delivered, etc., will be agreed between applicant and
authority.
At the end of this phase, there is agreement between applicant and the
certifying authority about which tests are required and which reports will have
to be delivered by the applicant. Furthermore, there will be agreement about the
level of involvement of the authorities in the compliance finding, e.g., which
reports need to be accepted and approved by the authorities, which tests will
be witnessed by the authorities, and what will be left to the responsibility of the
applicant, without any authority involvement.
This phase closes when there is mutual agreement on all mentioned points.
3. Compliance Finding. In this phase, all activities agreed between applicant and
authority in the previous phase will be performed. Design documents will be
developed, tests will be performed, and manuals will be written. Where needed,
authority will witness testing or approve reports, as agreed in the previous phase.
For all certification projects, this phase takes the most time and is the most
expensive phase for the applicant.
When all the compliance finding activities have been performed and accepted by
the authority, the applicant is ready for the final phase.
4. Delivering the Type Certificate. At the end of the third phase, there is full
agreement between the authority and the applicant about the safe design of
the aircraft. Now the applicant can provide a statement of compliance to the
authority, to indicate that all safety requirements have been met, all necessary
tests have been done, and everything is to full satisfaction of the authorities.
When this statement of compliance is provided, the authority then can provide
the type certificate to the applicant, indicating that the aircraft is designed in
accordance with the applicable safety requirements and that the aircraft can now
be built and operated safely.
Although these four phases are given in sequential order, in practice these
phases are not clearly separated in time. For some parts, the whole process can
be straightforward, and then the process can be done in these clear steps. Other
parts require extensive discussions between applicant and authority, and in this case,
the process can easily jump back and forth between the various phases. The only
certainty in the whole process is that the first three phases have to be fully completed
before phase 4 can happen. This last phase is usually the shortest phase of the four.
A more complete description of the certification process can be found in the
EASA Type Certification Procedure (http://www.easa.europa.eu/certification/docs/internal-working-procedures/PR.TC.00001-002%20Type%20certification.pdf).

93.3.2 Procedure to Deal with Novel Design Features

As indicated, phase 1 concerns the definition of the certification basis. Normally a
standard set of safety requirements is selected as the basis. But rulemaking normally
does not develop as quickly as the technical advancements in aviation. This means
that in most aircraft designs, there are new features that have not yet been covered
by safety regulation. A clear example of this was the first fly-by-wire aircraft.
Within the certification process, there are means of dealing with these novel
design features. When such a new design feature is identified, the authority can
develop some project-specific requirements, tailored to the specifics of the design.
In EASA projects, these specific requirements are captured in so-called certification
review items or CRIs, and in FAA projects, they are captured in issue papers or IPs.
Normally, both the technical requirements and the accepted means of compliance
against these requirements are captured in these documents. In general the novel
design features are captured in the first phase, but occasionally, some features are
only identified in a later stage of the design. So up to very late in the project, these
CRIs or IPs can be developed.

93.3.3 Certification and Validation Projects

In large certification projects, the certification project (performed by the aviation
authority of the state of design of the aircraft) and the validation project (performed
by any other aviation authority) run in parallel. This saves the applicant valuable
time and money and allows operation of the aircraft in all countries where the design
has been approved.
For example, consider an Embraer aircraft design. The state of design in this
case is Brazil. But Embraer would like to allow operation of their aircraft not only
in Brazil, but worldwide. In order to enable these worldwide operations, Embraer
needs approval from all other aviation authorities of countries that have signed the
ICAO Convention. Luckily, most countries in the world accept either an American
(FAA) or European (EASA) approval. That means that, in addition to the Brazilian
approval, Embraer is looking for EASA and FAA approvals as well. So in that case,
there are three projects running in parallel. First, there is the certification project
performed by the Brazilian authorities (Agência Nacional de Aviação Civil, ANAC),
and the other two projects are validation projects with an FAA validation team and
an EASA validation team.

93.4 Certification Safety Requirements

In this paragraph, the major forms of safety requirements will be described.

93.4.1 Certification Specifications

For all RPAS, the certification safety requirements still need to be developed
and accepted by national authorities. In its policy on UAS certification (EASA UAS policy,
E.Y013-01, August 25, 2009, http://easa.europa.eu/certification/docs/policy-statements/E.Y013-01%20UAS%20Policy.pdf),
EASA described the methodology
to develop such requirements. First, it needs to be determined which category of
manned aircraft is most applicable to the remotely piloted aircraft system that will be
certificated. When this is done, the associated safety requirement for manned aircraft
is selected. Subsequently, this requirement needs to be adapted to be applicable to
the RPAS.
For small UAS, the following two certification specifications from EASA are
most appropriate:
• EASA CS-VLA for airplanes (http://easa.europa.eu/agency-measures/docs/certification-specifications/CS-VLA/CS-VLA%20%20Amdt%201%20combined.pdf)
• EASA CS-VLR for rotorcraft (http://easa.europa.eu/agency-measures/docs/certification-specifications/CS-VLR/MERGED v2.pdf)
At the moment, there are a few (unofficial) certification specifications available.
Firstly, the NATO FINAS group has provided a specification based on CS/FAR 23,
primarily used for military purposes and not applicable to small RPAS. Secondly,
there is a final draft version available of the CS-LURS (Certification Specification
Light Unmanned Rotorcraft System, adapted from CS-VLR), which the JARUS
group (Joint Authorities for Rulemaking on Unmanned Systems) has developed.
This last group is a voluntary group of national aviation authorities, together with
EASA and EUROCONTROL, that works on drafting UAS regulation.
To give an example of the sort of topics that are covered in certification specifications,
the various subparts that together form the CS-LURS set of requirements
are given below:
Book A:
Subpart A: General
Dealing with general requirements like applicability.
Subpart B: Flight
Dealing with flight envelope, weight, performance issues, and flight
characteristics.
Subpart C: Strength requirements
Dealing with loads on the aircraft, structural and mechanical safety, and fatigue.
Subpart D: Design and construction
Dealing with materials, rotor design, (hydro-) mechanical flight control design,
landing gear, fire protection, lightning protection, and construction of the airframe.
Subpart E: Powerplant
Dealing with the engine installation, rotor drive system, fuel systems, batteries
for electric engines, oil system, and exhaust system.
Subpart F: Equipment
Dealing with primarily electrical, electronic, and computer systems, system
safety, system installation, and the airborne part of the command and control link.
Subpart G: Operating limitations and information
Dealing with all sorts of operational issues.
Subpart H: (reserved for Detect and Avoid)
Subpart I: Control station
Dealing with the remote pilot station.
Appendix A: Instructions for continued airworthiness
Appendix B: Engines
Appendix C: Test procedure for self-extinguishing materials
Book B: Acceptable means of compliance
Providing clarification of the regulations in Book A and the means of showing
compliance against the regulations that are accepted by the authorities.

93.4.2 European Technical Standard Orders (ETSO)

Technical Standard Orders (TSO) are a well-known mechanism from the manned
aviation regulations to allow system manufacturers to develop approved systems
irrespective of the aircraft in which they will be installed.
During the certification process, the designer of the aircraft is responsible for
the total certification effort. That does not only mean that he is responsible for
the fuselage, engines, wings, etc., but also for the systems that are installed in the
aircraft. The designer is really acting as the system integrator of the total system that
will become the aircraft.
When it comes to certification of the electrical or avionics systems onboard the
aircraft, there are two ways of getting an approval. The first possibility is that the full
system functionality and integration with the other onboard systems is done during
the certification of the whole aircraft. The second possibility is to have the system
functionality approved prior to the aircraft certification and focus on the certification
of the integration with the other onboard systems during the aircraft certification.
This second method provides some benefits to the system manufacturers that
build these electrical or avionics systems. This described methodology is equally
applicable to aircraft seats, for instance. But this is considered out of scope for UAS
in this paragraph.
The system that is used for this specific functional approval is the European
Technical Standard Order (ETSO, in the USA it is referred to as a Technical
Standard Order or TSO). The certifying authority can establish specific functional
requirements for equipment. Then, in a separate process, the manufacturer of the
system can obtain approval for the functionality of the system. This approach has
two distinct advantages:
1. The manufacturer of the system is able to provide his systems to different aircraft
manufacturers.
2. The aircraft designer does not have to consider the functional approval of the
system, only the integration of the system in the total aircraft system.
Some typical examples of these sorts of systems are VHF radios, navigation
receivers, transponders, etc.
Normally, the authorities are not defining the functional requirements for the
system themselves, but they work closely together with the manufacturing industry
to define some acceptable functional standards. Within aviation, these standards
are developed in two standardization bodies: EUROCAE (European Organisation
for Civil Aviation Equipment) and RTCA (Radio Technical Commission for Aeronautics).
EUROCAE is primarily European, while RTCA is primarily American.
In most cases, these two bodies work together to develop a worldwide functional
standard for equipment. The process by which these standards are developed
is the following: the governing body of either EUROCAE or RTCA identifies
the need for a new standard and drafts terms of reference for a working group
(WG, EUROCAE) or special committee (SC, RTCA) to establish these new
standards. Then a working group or special committee is created (most of the
time these groups work together, as said earlier), and participation from members
of EUROCAE or RTCA is sought. The participants are primarily from industry,
but aviation authorities participate in these groups as well. Within this group, a
functional standard is developed, based on consensus with all participants in the
group.
When such a group has finalized its work and either EUROCAE or RTCA
have published the industry functional standard, the aviation authorities adopt this
standard by referring to that standard in a (E)TSO. Once the (E)TSO is published,
the equipment manufacturer can apply for approval with the aviation authority.
The largest part of the approval process for an (E)TSO is to show compliance
with the industry standard that has been published by EUROCAE or RTCA
(or both).
After obtaining this approval, the manufacturer is able to provide his equipment
to an aircraft designer who is looking for that specific functionality in his aircraft
design. During the certification process of the aircraft, the aircraft designer does
not have to show that the system that is installed in his aircraft meets the
functional requirements for that system. He can provide the (E)TSO approval
of the system to the certifying authority and that is the required proof that the
system meets the requirements. The aircraft designer, however, is still responsible
for proving that the integration of that equipment with the other systems onboard
the aircraft is still in accordance with the safety requirements for the aircraft
design.
The approval for the equipment against the functional requirements requires a
lot of functional testing and significant environmental testing. With this testing
done at the equipment level and granting a more generic functional approval of
the equipment, both the equipment manufacturer and the aircraft designer save
significantly in cost and time for the certification of aircraft.

93.5 Relation Between Safety Requirements and RPAS Components

In this paragraph, the various systems that together form the RPAS will be
addressed. It will look at how to relate the safety requirements given in the previous
paragraph with these various parts.

93.5.1 Remotely Piloted Aircraft (RPA)

When converting a manned certification safety requirement for an RPAS, there are a
few issues that need to be considered. First are the obvious issues that are directly
related to not having a person onboard. This includes requirements on onboard
chairs, seat belts, emergency oxygen, etc. But there also are less obvious issues
that need to be considered. In general, a small UAS is a much more complex
aircraft than the equivalent category of manned aircraft, especially from a systems
perspective. This means that additional requirements are necessary to cover these
design features, primarily the requirements in Subpart F of the various certification
requirements.
Another area that usually needs additional requirements is the power plant
installation section (Subpart E). Design features such as electrically driven engines
and dual turbine engine installations are not covered by the equivalent
manned aircraft safety requirements. Therefore, the subparts of the requirements
that address these issues need special attention and most probably need a partial
rewrite of the whole section.
One final topic that needs to be mentioned is the emergency control and failure
warning systems. There is nobody onboard to perform a number of emergency
recovery actions that are implicit in the manned aircraft safety requirements. These
requirements need careful rethinking and an adaptation that allows the pilot in the
remote pilot station to still be informed about possible system failures and perform
some emergency control if that is required.
From the given table of contents of CS-LURS, Subparts A–G are covering the
RPA requirements.

93.5.2 Remote Pilot Station (RPS)

This is a new system component of the RPAS that has no equivalent in the
manned aviation regulations. In the ICAO concept as described in the UAS Circular,
the remote pilot station (RPS) will be a separate aeronautical product. This will
mean that once the ICAO annexes have been adapted accordingly, there will be a
separate certification safety requirement document for the RPS. At the moment, the
safety requirements for the RPS are still part of the safety requirements document
for the RPA. In current safety requirements documents, there is a specific subpart
(Subpart I) dedicated to the RPS requirements.
Establishing the requirements for the RPS is not a matter of simply copying the
requirements related to the cockpit design from manned aviation to the RPS. Of
course, all human machine interfaces are part of the RPS and have a prominent
place in the RPS requirements. But most of these interfaces are part of systems
that have components both in the RPA and the RPS. In such a situation, it is
necessary to develop a consistent strategy for dividing the requirements between
the subparts for RPA and RPS. Duplicating requirements between the RPA and
RPS should be avoided. In the JARUS team that worked on the CS-LURS,
the philosophy was to include the requirements for systems that had components
in both the RPA and the RPS in the RPA part of the document. The
requirements that refer to the RPS only are then collected in the subpart for
the RPS.
From the given table of contents of CS-LURS, Subparts A and I are covering the
RPS requirements.

93.5.3 Command, Control, and Communication System

The command, control, and communication (C3) system will not be certificated
separately. When a radio line of sight system will be used, the airborne part and
the ground-based part of the C3 system will be certificated as part of the RPA or
RPS, respectively. For the safety requirements, this means that the requirements for
the C3 components will be contained in the respective subparts of the certification
specification. This is identical to how radio communication systems in manned
aviation are currently certificated.
When a beyond radio line of sight system, e.g., satellite communication, will
be used, the current proposal in the ICAO circular is to work with a certificated
communication provider that is under safety oversight of the aviation authorities.
It is considered impossible to certificate a satellite communication system as a
fully integrated part of the RPAS. In this case, the performance requirements for
the C3 system and the interfaces between RPA, RPS, and C3 system will be
defined and the components of the RPA and RPS that will interface with the
communication system will be included in the safety requirements of the respective
subsystems.
For small UAS, in most RPAS designs, a radio line of sight system will be
used, so the first approach to certificating the system, as described above, will be
applicable.
From the given table of contents of CS-LURS, Subparts A, F, and I are covering
the command and control requirements.
93.5.4 Other Systems

There will be very specific subsystems being designed as part of an RPAS.
The first two systems that immediately come to mind are a launching and recovery
system and a flight termination system. These systems are usually unknown
in the manned aviation system, so specific safety requirements and associated
system standards need to be developed for these. At the moment, the CS-LURS
does contain some requirements on the flight termination system. Over time, the
detailed safety requirements will be introduced in the certification specification.
Until the time that these requirements are part of the official specifications,
the authorities will be able to deal with these subsystems by introducing dedicated
requirements for a certification project and document these requirements
in a certification review item (EASA system) or in an issue paper
(FAA system).

93.5.5 Detect and Avoid

One of the specific subsystems that are foreseen to be used in RPAS is the detect and
avoid system (DAA). This system will be required to replace the collision avoidance
capability that is provided by the onboard pilot in manned aviation. Another chapter
in this book is fully dedicated to the DAA system, so this paragraph will only focus
on the certification aspects of it. From a certification perspective, there are two issues
to address.
First the functionality of the system needs to be defined. This is usually done
by asking standardization organizations like EUROCAE and RTCA to define
standards for the system. The aviation authorities can then accept these standards
and make them part of the safety requirements by including the standard from
EUROCAE and/or RTCA in a (European) Technical Standard Order ((E)TSO),
which is explained in more detail in the previous paragraph. In addition to this
equipment approval, some functional requirements can also be included in the
certification specification.
Secondly, specific safety requirements for the system need to be developed, in
line with the current practice of assuring system safety in the manned certification
standards.
Various rulemaking bodies around the world are currently working together to
develop both of these standards. At the time of writing of this chapter, there was
no definitive regulation for this system available yet. In practice this will mean that
operations of RPAS on a regular basis will be limited to visual line of sight, unless
an authority has given a specific approval to a certain operational scenario to allow
operations beyond visual line of sight.
From the given table of contents of CS-LURS, Subparts A and H are covering
the DAA requirements.
93.5.6 Concluding Remarks

The whole area of safety requirements for small UAS is undergoing significant
development at the moment. This paragraph therefore cannot address these requirements
too specifically, because without a doubt these will have changed by the time
this book is published. Therefore, the framework for certification has been given.
The issues that are currently being addressed are also provided. Together this should
allow understanding of the requirements once they are published by the aviation
authorities.
Apart from the specifics of CS-LURS, this chapter is equally applicable to other
certification specifications, ranging from airplanes (small and large) to helicopters
(small and large).

93.6 Certification Organizational Requirements

Not everybody is allowed to design an aircraft, according to the aviation regulations.
Before being granted this right, an organization needs to prove that
it is capable of designing a safe aircraft. This whole process is referred to as
Design Organisation Authorisation (DOA) approval. In the EASA Airworthiness
Regulation (EASA Part 21, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:2003R1702:20091228:EN:PDF),
the whole process of acquiring
and maintaining a DOA approval is given in Subpart J.
The DOA approval process is not about demonstrating the technical ability
to design an aircraft but is about the organizational capabilities to design in a
structured and (safety) controlled manner. These organizational capabilities include
a quality assurance system, an independent validation system to do a check on the
technical design, training of relevant personnel, delegation of responsibilities within
the organization, etc. So the process is aimed at assuring that the organization that
is designing the aircraft is capable of:
• Designing in accordance with the QA system
• Providing an independent validation check
• Training the personnel timely and adequately
• Working in accordance with procedures that assure the quality of the work
• Appropriately delegating responsibilities within the organization
The philosophy behind the DOA approval is that the authorities can partly rely on
the internal design organization procedures when certificating the aircraft. During
the “defining the means of compliance” phase of the certification project, the
authorities will normally agree with the applicant about which specific parts of the
compliance finding can be delegated to the applicant, i.e., which reports will only
be checked and validated by the applicant and which tests will be independently
witnessed by the applicant only. In this case, the validation organization within the
applicant's organization can be considered to act on behalf of the authorities. That
is one of the reasons why the independence of the validation team within the design
organization is considered of prime importance.

93.7 Final Remarks

As said at the introduction of this chapter, UAS are aircraft. Therefore, UAS will
need to fit into the currently existing aviation system, both from an airworthiness
and from an operational perspective. But the introduction of UAS into civil airspace
is slowly changing the way aviation regulators are thinking about airworthiness
and safe operations. In manned aviation, the aircraft is the core element where
everything needs to be integrated. The aircraft in itself is the end product and
provides the platform where everything (fuselage, equipment, engines, etc.) is
integrated. With the introduction of RPAS, the aircraft is “just” the airborne
component of the total system. This means that the whole approval system and
the associated safety oversight system by the national aviation authorities can no
longer be aircraft centered but should be system centered. When you consider
the aircraft in manned aviation as the core element where the whole system is
integrated, this system-centered approach for RPAS is no different to what the
authorities are used to from manned aviation. The only difference is that the
system in the case of the RPAS is more than the aircraft, while in manned
aviation, the system is the aircraft. In the future, this new thinking will be
finding its way into ICAO Annex 8. But the fundamentals of the safety approach
by ICAO, an approved design and safety oversight by countries, will not be
changed.
This chapter has focused on the airworthiness issues only. Although the chapter
is written with small UAS in mind, the processes and practices given in this chapter
are, in general, equally valid for larger UAS. Only the specific requirements and
examples given herein are tailored toward small UAS. The certification process and
the layout of the certification specification are identical for larger UAS.
The authorities are looking for the differentiation between large UAS and
small UAS by downscaling the requirements to an appropriate level. It is widely
understood that a Global Hawk should be certificated against different requirements
than a 2 kg octocopter UAS. But the whole system and process of approval should
be identical.
One of the issues that the authorities are having to deal with at the moment
is that there is no manned equivalent for the certification specification for small
UAS, certainly for those well below 25 kg. This leads to the following more
fundamental question: To what level do the requirements for larger UAS need to
be downgraded to provide safe UASs that are still economically viable? A follow-
on question to this is as follows: What sort of categorization scheme can be used to
classify these small UASs? Industry and authorities are currently addressing these
issues.
References
EASA Basic Regulation, Regulation (EC) No.216/2008 of the European Parliament and of the Council on common rules in the field of civil aviation and establishing a European Aviation Safety Agency. Available to download from the EASA website: www.easa.europa.eu
EASA CS-VLA, Decision (EASA) No.2003/18/RM of the Executive Director of the Agency on certification specifications, including airworthiness codes and acceptable means of compliance for very light aeroplanes (CS-VLA). Available to download from the EASA website: www.easa.europa.eu
EASA CS-VLR, Decision (EASA) No.2003/17/RM of the Executive Director of the Agency on certification specifications for very light rotorcraft (CS-VLR). Available to download from the EASA website: www.easa.europa.eu
EASA Part 21, Regulation (EC) No.1702/2003 of the European Parliament and of the Council on laying down implementing rules for the airworthiness and environmental certification of aircraft and related products, parts and appliances, as well as for the certification of design and production organisations. Available to download from the EASA website: www.easa.europa.eu
EASA Type Certification Procedure, EASA Procedure PR.TC.00001-002 Type Certification. Available to download from the EASA website: www.easa.europa.eu
EASA UAS policy, EASA Policy Statement – Airworthiness Certification of Unmanned Aircraft Systems. E.Y013-01 25 August 2009. Available to download from the EASA website: www.easa.europa.eu
ICAO UAS Circular, ICAO Cir 328, Unmanned Aircraft Systems (UAS). Available to purchase from the ICAO website: www.icao.int
JARUS reference, JARUS – Joint Authorities for Rulemaking on Unmanned System, UAS Unmanned Aircraft System – The Global Perspective, 2011, 9th edn. (UVS International, Paris)
94 Technology Surveys and Regulatory Gap Analyses of UAS Subsystems Toward Access to the NAS

Richard S. Stansbury and Timothy A. Wilson

Contents
94.1 Introduction
94.2 Background
94.2.1 Technology Surveys
94.2.2 FAA Documents
94.2.3 Regulatory Gap Analyses
94.3 Case Study #1: Propulsion Technologies for UAS
94.3.1 Technology Survey
94.3.2 Regulatory Gap Analysis
94.4 Case Study #2: Sense-and-Avoid Technologies for UAS
94.4.1 Technology Survey
94.4.2 Regulatory Gap Analysis
94.5 Case Study #3: Command, Control, and Communication Technologies for UAS
94.5.1 Technology Survey
94.5.2 Regulatory Gap Analysis
94.6 Case Study #4: Emergency Recovery and Flight Termination Systems for UAS
94.6.1 Technology Survey
94.6.2 Regulatory Gap Analysis
94.7 Conclusion
94.7.1 Guidance on Performing a UAS Technology Survey
94.7.2 Guidance on Performing a Regulatory Gap Analysis
References

Abstract
To make a safe transition of UAS into the National Airspace System, new
regulations must be developed by the Federal Aviation Administration. The
technologies employed by UAS are in many circumstances fundamentally different
from those of traditional manned aircraft. The regulations written to support
the airworthiness certification, operations, maintenance, etc. of manned aircraft
often do not apply as written without interpretation, revision, and/or deletion.
This chapter provides the necessary details on how to conduct a technology
survey and regulatory gap analysis of UAS technology subsystems. Four past
studies performed by Embry-Riddle Aeronautical University for the FAA’s
William J. Hughes Technology Center are discussed. These studies address UAS
propulsion systems; sense-and-avoid technologies and procedures; command,
control, and communication; and emergency recovery and flight termination
systems. Each study is discussed in this chapter, and a recommended
process for future studies is provided.

R.S. Stansbury • T.A. Wilson
Department of Electrical, Computer, Software, and Systems Engineering, Embry-Riddle
Aeronautical University, Daytona Beach, FL, USA
e-mail: stansbur@erau.edu; wilsonti@erau.edu

K.P. Valavanis, G.J. Vachtsevanos (eds.), Handbook of Unmanned Aerial Vehicles,
DOI 10.1007/978-90-481-9707-1 62,
© Springer Science+Business Media Dordrecht 2015

94.1 Introduction

To safely transition unmanned aircraft systems (UAS) into the National Airspace
System (NAS), new regulations must be developed by the Federal Aviation
Administration (FAA), as they must by other international civil air authorities
(CAAs) for their respective airspaces. There are many subtle and fundamental
differences between the technologies used for UAS and those used for
traditionally manned aircraft. Before new regulations or policies can be written
to support unmanned aviation, regulatory issues must be articulated.

In 2006, researchers at Embry-Riddle Aeronautical University (ERAU) began
collaborating with the FAA William J. Hughes Technology Center to identify
technology-based gaps within the FAA’s current regulatory framework. The first
study surveyed UAS propulsion technologies. Follow-on research included a
regulatory gap analysis of UAS propulsion performed in 2007–2008. Three additional
technology survey and gap analysis studies followed for UAS sense-and-avoid
(SAA) technologies; command, control, and communication (C3) technologies; and
emergency recovery and flight termination (ERFT) technologies and procedures.

The purpose of each technology survey was to articulate representative
technologies and frameworks being used in current and near-future UAS. The
regulatory gap analysis focuses on the alignment of the technology with existing
regulations. It should allow the target audience to clearly identify and
articulate where revisions or reinterpretations are required. This chapter begins
with an overview of technology surveys, gap analyses, and relevant types of FAA
documents. Next, the above-mentioned studies are presented as separate case
studies. The chapter concludes with the authors’ recommended best practices for
future studies.

94.2 Background

UAS represent a near-disruptive technology for the current NAS in the United
States of America and in the corresponding airspace systems of nations worldwide.
While total displacement of aircraft with an onboard pilot from the NAS seems
extremely unlikely at any near-future time, the introduction of remotely piloted
aircraft having varying degrees of onboard autonomy has been beyond the current
regulatory framework for aircraft design and manufacture, for flight activities, and
for on-ground operations and maintenance.

The introduction of disruptive or near-disruptive technologies on markets has
been studied regarding technologies such as the Internet, wireless telephony, and
mobile electronics. Less effort has been dedicated to the impact of these
technologies in industries such as aviation and aerospace, where the primary
motivation for existing regulations stems from public safety, both of air
passengers and of those on the ground.

Current federal air regulations (FARs) did not anticipate operation of controlled unmanned
aircraft in civil airspace. There is no specific part or definition under applicable law related
to unmanned aircraft. The absence of absolute legal guidance with respect to the jurisdiction
of UAV regulation, the definition of UAV, and the integration of UAVs in the national
airspace prevents the optimum use of UAVs for the public benefit. Yet, given the risks of
a ground impact or mid-air collision with other aircraft, the need for regulatory certainty
respecting UAVs is an imminent issue deserving the attention of regulators, manufacturers,
and operators alike (Ravich 2009).

To better articulate issues related to UAS technologies, the FAA Office of
Aviation Research and Development funded a number of technology surveys and
regulatory gap analyses, including the following UAS aspects: propulsion, C3, SAA,
and ERFT. Before presenting the content of these studies, the following sections
address the higher-level concepts of what a “technology study” or a “gap analysis”
is when a disruptive technology is introduced into a regulatory context
(such as the introduction of UAS into the NAS).

94.2.1 Technology Surveys

A technology survey for any disruptive or near-disruptive suite of technologies
is a summary of current and near-future technologies having the disruptive
impact.

One approach to articulate the elements of a set of technologies, such as those
that could serve as propulsion systems for a remotely piloted aircraft, would begin
with a catalog of the different aircraft and their propulsion systems. Listings of UAS
in service and development are published regularly (AIAA 2011). While such tables
are rich with aircraft dimensions, weight, operating regimes, flight durations, etc.,
they consistently fail to include specific details for the technologies in use. Due to
proprietary interests of the developers and manufacturers, details ranging from the
displacement volumes of internal combustion engines to the name of a vendor that
developed a particular ballistic recovery system are rarely published; developers and
manufacturers are understandably reticent to supply such information outside of a
nondisclosure agreement.

The lack of such details does not prevent an effective technology survey.
From a regulatory point of view, what matters in such a survey is not the collection of
details across some number of disruptive technology exemplars, but the underlying
technologies those details represent. It is more important to articulate the families
of technologies in use than to exhaustively enumerate each unique case. The
technology survey must comprise a complete articulation of the classes which the
particular technology might take, but only that list of classes. Specification of that
list of classes becomes part of the technology survey itself, based on an initial review
of the forms of the technology in use in the disruptive technology.

The results of the technology survey are usually presented in tabular form,
with that data kept as a spreadsheet or database while the survey is performed.
Each row of the table records, in its columns, the attributes of one
representative element of a technology class.
While a single representative element is conceptually sufficient to articulate the
collection of technologies, the table usually contains multiple representatives for
each technology. A complete articulation of every last instance and representative
element of the technologies is not required for a successful survey.

A technology survey articulates current and near-future technologies through
a collective set of representative examples. Given the snail’s pace of changes to
aviation regulations, the technology survey needs to capture technologies on the
horizon that could have an impact within the next 5 or 10 years, even if they are not
currently in production use.

A second, and possibly more important, artifact of the technology survey is a
conceptual framing of the technologies to be used in future works, such as regulatory
gap analyses. The conceptual framework can range from formal modeling of the
underlying technologies to an abstract capturing of those technologies’ salient
aspects and operations. The model/framework creates the context for conduct of
the regulatory gap analysis.

94.2.2 FAA Documents

In addition to the regulations, there are a variety of FAA documents that must
be produced and/or revised to accommodate UAS-NAS integration. This section
defines some common documents related to airworthiness, certification, and FAA
policy. A technical standard order (TSO) defines the minimum operational
performance standards and minimum aviation system performance standards for an
aircraft system or subsystem. A component authorized for production under a
TSO is identified as compliant with that TSO. The FAA can utilize advisory
circulars (ACs) to share information with the aviation community. ACs have varied
audiences including engineers, pilots, operators, etc. ACs can be used as a means of
presenting critical design requirements so that aircraft meet sufficient airworthiness
standards. It should be noted that these documents are not law. Lastly, guidance
material is published by the FAA to the community. One example is the FAA
UAS Interim Guidance Document 08-01 (Federal Aviation Administration 2008).
Another example is the Aeronautical Information Manual (AIM), which defines
pilot procedures in the NAS (Federal Aviation Administration 2012a). Guidance
materials are not regulatory or as official as an advisory circular but are used to
convey FAA policy, procedures, etc. to the aviation community.

94.2.3 Regulatory Gap Analyses

The FAA is chartered through the same piece of statute law chartering the entire
Department of Transportation, Title 49 of the United States Code (USC). The
FAA is authorized in 49 USC 44701 to regulate aircraft and their usage within the
framework of Federal administrative law. Regulations issued by the FAA comprise
Chap. I (Parts 1–199) of Title 14 of the Code of Federal Regulations (CFR). These
are divided into several subchapters relating to definitions, rule making, aircraft,
airmen, airspace, air traffic and general operating rules, air carriers and operators,
schools, airports, navigation facilities, and the FAA itself. It should be noted that 14
CFR Parts 1–199 are still known to many in the aviation world as “the FARs,” where
“FAR” stands for “Federal Aviation Regulation;” in Federal speak, “FAR” has since
been superseded to mean “Federal Acquisitions Rules.”

The meaning of a regulatory gap varies according to which chapters of Title
14 CFR one is considering. For example, aircraft are only allowed to fly in the
NAS when the aircraft has been issued a type certificate (TC) for its design (or a
Supplemental Type Certificate (STC)). The issuance of such a TC or STC follows a
prescribed set of activities in which the aircraft designer articulates which elements
of Title 14 CFR apply to the design at hand and then demonstrates through testing,
analysis, and formalized processes that the design complies with the specifications
and regulations of the articulated elements.

When an aircraft design employs a novel technology, it is unlikely that there is
an existing regulation applicable to the technology. The designer can qualify the
use of the technology toward certification through either special conditions (SC) or
equivalent level of safety (ELOS) findings. A third option, exemption, exists, but
applies more often to exemptions from specified procedures than from specified
requirements. In either case, the aircraft designer articulates in an issue paper the
features of the new technology and how its inclusion in the aircraft design satisfies
the thrust of the regulations, in general (SC) or in particular (ELOS); FAA engineers
respond to the issue paper, and the officers responsible for certification take the
designers’ and the FAA engineers’ analysis into account in deciding whether to
issue a TC.

For aircraft, then, a regulatory gap exists when certification of an airframe
employing a technology would require either a SC or ELOS finding to use that
technology. The result of the gap analysis is a collection of annotated regulations.
The annotations consist of declarations as to whether the regulation:
• Applies (as is)
• Applies with interpretation
• Applies with revision
• Does not apply

From previous literature, it was found that several approaches to presenting
regulatory gaps exist (Kirk et al. 2007; Frater et al. 2006). Kirk et al. (2007) provide
an examination of Federal aviation laws, regulations, and guidance materials for
applicability to UAS in general. Frater et al. (2006) present a different style of
regulatory gap, focused upon nanotechnology, in which the results are presented
in a tabular form where related aspects of existing legislation and regulations are
summarized, the gap or potential gap due to novel technology presented, and further
comments or annotations are appended (see Annex 5 of Frater et al. 2006). ERAU’s
approach is much closer to the former, following a process by which the collection
of rule applicability results was examined from both global (all rules together) and
local (one rule at a time) perspectives to produce text describing the regulatory gaps.

94.3 Case Study #1: Propulsion Technologies for UAS

94.3.1 Technology Survey

The goal of the UAS propulsion technology survey (Griffis et al. 2007) was to
examine existing and novel propulsion systems for UAS such as reciprocating piston
engines (RP), Wankel rotary engines (RO), propeller drive systems (PR), gas turbine
propulsion systems (GT), rocket-powered means of propulsion (RK), electric
motor-based propulsion systems (EM), battery-based propulsion systems (BB), fuel
cell-powered propulsion systems (FC), solar/photovoltaic-powered systems (PH),
and ultracapacitor-based energy storage (UC).

A conceptual framework was derived as shown in Fig. 94.1. This framework
guided the study of each technology area to maintain internal consistency. The
elements of this framework are defined as follows:

Energy source (ES). Propulsion requires expenditure of energy, and the ES is the
origin of that energy. ES is intended to be a generic label for things like the
following examples: gasoline, diesel fuel, lithium hydride, liquid hydrogen, solar
energy, etc.

Energy transformer (ET). An ET converts the potential energy within the ES into
a means for producing work, heat, or electrical current.

Power plant (PP). A PP is any aspect that harnesses the product of the ET into
motion. For example, a motor that spins a shaft as a result of a supplied electric
current classifies as a PP in this context.

Propulsion effector (PE). A PE is the interface between the motion generated
and the impulse exerted to move the vehicle; it is what will give the effect of
propulsion.

Control effector (CE). A CE is whatever is in place to give the effect of control to
the propulsion means in a way that serves the purpose of controlling propulsion
generation for the vehicle. CE is intended to be a generic label for things that
perform control on propulsion such as a full authority digital engine control
(FADEC), throttle control, fuel mixture control, and current regulator.

Fig. 94.1 Technology survey framework for UAS propulsion systems

The conceptual framework is representative of the state of propulsion systems.
For example, consider the following utilization of the framework. A UAS employing
an avgas-fueled RP would have petroleum distillates for its ES, combustion as its
ET, the piston/crankshaft as its PP, a PR as its PE, and control of the flow of fuel,
air, and electricity as its CE. It should be noted that in some cases single physical
units can assume the role of two or more conceptual elements. For example, the
thermodynamics of a GT can be considered an ET, PP, and PE simultaneously.

Reciprocating Piston Engines. Reciprocating piston systems vary in size,
geometry, and configuration. Often an engine is classified by how many cylinders
it contains, how much total volume is displaced within its cylinders, or the
configuration of those cylinders. They all contain some variation of the same basic
parts, and there is a common principle behind how work is generated from stored
energy of the fuel consumed as presented in Table 94.1. Representative examples of
RP-based UAS are presented in Table 94.2.

Table 94.1 Conceptual decomposition of a reciprocating piston engine

| Conceptual unit | Description |
|---|---|
| Energy source | Petroleum distillates |
| Energy transformer | Heat production and expanding volumes resulting from contained combustion of petroleum distillates |
| Power plant | Piston motion resulting from expanding volumes, which in turn rotate the crankshaft |
| Propulsion effector | Propeller or fan unit driven directly or indirectly (geared) by the crankshaft |
| Control effector | Throttle, regulation of fuel flow |

Table 94.2 Representative cases of UAS using reciprocating piston engines (Office of the Secretary of Defense 2005; Parsch 2006; RCV Engines, Ltd 2006)

| Aircraft | Manufacturer | Subclass |
|---|---|---|
| MQ-1B Predator | General Atomics | 4-stroke |
| RQ-2B Pioneer | Pioneer UAV | 2-cylinder, 2-stroke |
| RQ-5A Hunter | Northrop Grumman | 4-stroke, heavy fuel |
| ScanEagle A | Insitu | 1-cylinder, 2-stroke (heavy fuel variant available) |
| T-Hawk | Honeywell | Heavy fuel engine |

Wankel Rotary Engine. Wankel rotary engines use the combustion of petroleum-based
fuel, and the desired output is the rotation of a power shaft that drives the
rest of the system. They differ from conventional reciprocating engines in that their
volume displacement and associated internal motion are rotational, as opposed to
back and forth. An internal triangular core, shaped as a “Reuleaux” triangle, divides
a chamber with an epitrochoid-shaped stator into three expansion areas (AREN
2006). A conceptual breakdown of this propulsion technology is shown in
Table 94.3. Examples of RO-based UAS are presented in Table 94.4.

Propeller-Based Systems. A large body of knowledge exists for propellers, which
is outside the scope of this document. However, as they are an important instance
of a commonly utilized propulsion effector, they deserve mention. Most reciprocating
piston and rotary engines use propellers as their propulsion effectors, and many
smaller UAS use electric motors to drive a propeller.

Gas Turbine Engines. A gas turbine engine is an internal combustion engine
operating on a highly dynamic process, processing air and fuel to yield high-velocity
thrust. A gas turbine engine comes in various forms including turbine engine,
turbofan engine, and turboprop engine. A conceptual decomposition representative
of all three gas turbine approaches is presented in Table 94.5, and examples of its
use in UAS are presented in Table 94.6.

Rocket Propulsion. A rocket is propelled by a chemical reaction that generates
extreme pressure gradients and high-velocity particles that exit a nozzle. The
resulting momentum exchange provides impulse over some duration, accelerating
the rocket’s mass (Brian 2007). Propulsion derived exclusively from rocket power
tends to be used in applications where the asset is not expected to return home.
However, takeoff assist can utilize rocket-based propulsion (Office of the Secretary
of Defense 2005). Table 94.7 shows the conceptual decomposition of rocket
propulsion, and Table 94.8 presents some examples of its use for UAS.

Table 94.3 Conceptual decomposition of a Wankel rotary engine

| Conceptual unit | Description |
|---|---|
| Energy source | Petroleum distillates internal energy relative to oxidation products |
| Energy transformer | Heat production and expanding volumes resulting from contained combustion of petroleum distillates |
| Power plant | Reuleaux triangular rotor motion within an epitrochoid stator turning the eccentric shaft |
| Propulsion effector | Propeller or fan unit driven directly or indirectly (geared) by eccentric shaft |
| Control effector | FADEC, carburetor, fuel/air flow control |

Table 94.4 Representative cases of UAS using Wankel rotary engines (Office of the Secretary of Defense 2005)

| Aircraft | Manufacturer | Subclass |
|---|---|---|
| Shadow 200 | AAI | Single rotor |
| Cypher | Sikorsky | Single rotor |

Table 94.5 Conceptual decomposition of a gas turbine system

| Conceptual unit | Description |
|---|---|
| Energy source | Petroleum distillates |
| Energy transformer | Heat production and extremely high pressures (relative to operating environment) resulting from contained combustion of petroleum distillates |
| Power plant | Dynamic adiabatic/isentropic process of high-pressure gas converting to high-velocity gas from nozzle |
| Propulsion effector | High-velocity gas exiting the rear aperture |
| Control effector | Fuel flow, propeller pitch |

Table 94.6 Representative cases of UAS using gas turbine systems (Army-Technology.com 2007; Rolls-Royce, PLC 2006; Office of the Secretary of Defense 2005)

| Aircraft | Manufacturer | Subclass |
|---|---|---|
| CL-289 | Bombardier | Turbojet |
| RQ-4A Global Hawk | Northrop Grumman | Turbofan |
| Predator B | General Atomics | Turboprop |

Table 94.7 Conceptual decomposition of rocket-based propulsion

| Conceptual unit | Description |
|---|---|
| Energy source | Self-contained chemical reactants (solid or liquid) |
| Energy transformer | Exothermic high-pressure chemical reaction in rapid release of kinetic energy |
| Power plant | Expulsion of reaction products through nozzle creating high-velocity exhaust |
| Propulsion effector | Thrust from momentum transfer of high-velocity exhaust |
| Control effector | Nozzle direction, reaction rate control |

Table 94.8 Representative cases of UAS using rocket propulsion (Office of the Secretary of Defense 2005)

| Aircraft | Manufacturer | Subclass |
|---|---|---|
| RQ-2B Pioneer | Pioneer UAV | Rocket-assisted takeoff |
| Cormorant Project | Lockheed Martin | Rocket-based takeoff |

Electric Motors. For electrically based propulsion systems, electric motors are used
as the power plant because they can easily couple with propellers as the propulsion
effector; all that is needed is a continuous source of electricity. The rotational
speed of a DC motor is proportional to the voltage applied to it, and the torque is
proportional to the current (Hall et al. 2003). A conceptual breakdown of propulsion
using electric motors is provided in Table 94.9.

Table 94.9 Conceptual decomposition of electric motor-based propulsion

| Conceptual unit | Description |
|---|---|
| Energy source | Unspecified |
| Energy transformer | That which yields electrical power |
| Power plant | An electric motor |
| Propulsion effector | Unspecified; usually a propeller or fan unit that is functioning as a result of the rotating motion created by the motor. Alternatively, for example, it could drive a wing-flapping mechanism |
| Control effector | Feedback control loops, current/voltage control |

Table 94.10 Conceptual decomposition of propulsion using stored battery power

| Conceptual unit | Description |
|---|---|
| Energy source | Electrochemical energy gradient between internal cathode/anode materials |
| Energy transformer | Chemical reaction yielding electron transport, generating an electromotive force |
| Power plant | Electrically driven motor |
| Propulsion effector | Propeller or fan unit driven directly or indirectly (geared) by motor shaft |
| Control effector | Voltage/current regulators, analog/digital feedback control loops |

Table 94.11 Representative cases of UAS using batteries for energy storage (AIAA 2005; Office of the Secretary of Defense 2005; Defense Update International Online Defense Magazine 2006)

| Aircraft | Manufacturer | Subclass |
|---|---|---|
| Aladin | EMT | Unknown |
| Wasp | AeroVironment | Proprietary |
| Desert Hawk | Lockheed Martin | Unknown |
| BATCAM | ARA | Unknown |

Batteries. For UAS applications, rechargeable batteries are preferred and therefore
the focus of discussion. Lithium batteries tend to be lighter and possess higher
energy density (Reid et al. 2004). Table 94.10 presents the conceptual
decomposition of UAS propulsion using electric motors driven by batteries, and
Table 94.11 provides representative examples of UAS using batteries. Unfortunately,
manufacturers do not frequently offer the details on what particular chemistry of
battery is used.

Fuel Cells. Instead of consuming oxygen in the direct combustion of fuel, a
fuel cell consumes oxygen (or some other environmentally provided reactant) to
generate electrical power via an electrochemical process. There are a wide variety
of fuel cells, including proton exchange membrane fuel cells, phosphoric acid fuel
cells, molten carbonate fuel cells, solid oxide fuel cells, methanol fuel cells, and
alkaline fuel cells (Theiss and Thomas 2000; National Fuel Cell Council 2006).
Table 94.12 presents the conceptual decomposition of fuel cell-based propulsion,
and Table 94.13 presents two representative cases of fuel cells used in unmanned
aircraft.

Table 94.12 Conceptual decomposition of a fuel cell based propulsion system

| Conceptual unit | Description |
|---|---|
| Energy source | Molecular hydrogen internal energy relative to water |
| Energy transformer | PEMFC creating a power source through ionization and electrochemical oxidation of molecular hydrogen |
| Power plant | Electrically driven motor |
| Propulsion effector | Propeller or fan unit driven directly or indirectly (geared) by motor shaft |
| Control effector | Hydrogen flow regulators, voltage/current boost regulators, analog/digital feedback control loops |

Table 94.13 Representative cases of UAS using fuel cells (Protonex Technology Corporation 2006; Office of the Secretary of Defense 2005)

| Aircraft | Manufacturer | Subclass |
|---|---|---|
| SpiderLion | NRL/Protonex | Proton exchange membrane |
| Hornet | AeroVironment | Proton exchange membrane |

Table 94.14 Conceptual decomposition of a photovoltaic-based propulsion system

| Conceptual unit | Description |
|---|---|
| Energy source | Solar radiation |
| Energy transformer | Superpositioned power-generating photovoltaic cells stimulated by the photoelectric effect |
| Power plant | Electrically driven motor |
| Propulsion effector | Propeller or fan unit driven directly or indirectly (geared) by motor shaft |
| Control effector | Voltage/current regulators, analog/digital feedback control loops |

Photovoltaics. Photovoltaic technology obtains usable energy from sunlight. Being
effectively cost free and inexhaustible, solar power is attractive for long-endurance
systems. Unfortunately, due to weather or daily sunlight availability, UAS
operations can be limited unless there is some means of energy storage. A conceptual
framework for photovoltaic-based propulsion is shown in Table 94.14 with examples
of its usage in Table 94.15.

Table 94.15 Representative cases of UAS using photovoltaics (AC Propulsion 2005; AIAA 2005)

| Aircraft | Manufacturer | Subclass |
|---|---|---|
| SoLong | AC Propulsion | Solar cells on wings |
| Helios | AeroVironment | Solar cells on wings |

Table 94.16 Conceptual decomposition of an ultracapacitor-powered propulsion system

| Conceptual unit | Description |
|---|---|
| Energy source | Electrostatic potential within capacitor plates, charged by external source |
| Energy transformer | Application of external load, liberating potential energy in the form of electric current |
| Power plant | Electrically driven DC motor |
| Propulsion effector | Propeller or fan unit driven directly or indirectly (geared) by motor shaft |
| Control effector | Voltage/current regulators, analog/digital feedback control loops |

Ultracapacitors. An ultracapacitor is a specialized modern capacitor that has an
unusually high energy density when compared to common capacitors (Electricity
Storage Association 2007). Ultracapacitors are a potential stored energy source for
a UAS propulsion system using electric motors. Ultracapacitors can retain much
greater energies than standard capacitors for a comparable geometry. While there are
no applications of ultracapacitors in existing UAS, their use in automotive
applications provides a natural transition point into aerospace applications. A
conceptual breakdown of propulsion using this technology is shown in Table 94.16.

94.3.2 Regulatory Gap Analysis

Following the technology survey, follow-on research was funded to perform a
regulatory gap analysis. The analysis examined Title 14 CFR Part 27 Subpart
E, Airworthiness Standards: Normal, Utility, Acrobatic, and Commuter Category
Airplanes Powerplant; Title 14 CFR Part 33, Airworthiness Standards: Aircraft
Engines; and Title 14 CFR Part 35, Airworthiness Standards: Propellers.

94.3.2.1 Regulatory Gap Analysis Process and Tools


The regulatory gap analysis was performed in two parts. The first part was a local
assessment of the regulations to determine where regulatory gaps exist. The second
part was a global assessment. The global assessment yields information on the state
of the regulations based upon the results of the local assessment.

The local assessment was performed using a spreadsheet to capture a
section-by-section analysis of the regulations.
Each row represents a specific section of the regulation part being examined.
The section is analyzed based upon its degree of applicability for each conceptual
technology and conceptual decomposition framework element. The dimensions of
applicability were identified as applies (APP), applies with interpretation (AWI),
applies with revision (AWR), or does not apply (DNA). For this study, these terms
are defined as follows:

APP. The regulatory guideline, as it stands, makes sense for the corresponding
technology identified in the spreadsheet.

AWI. Understanding the intent of each regulatory guideline, it can be interpreted to
cover other areas or technologies that are not explicitly mentioned or addressed,
for example, regulations that cover RP technology and also apply with
interpretation to RO technology.

AWR. Employed prudently. Suggests that the regulatory guideline is fine as it stands
except with a minor amendment.

DNA. The regulation does not apply to any of the propulsion technologies or
conceptual aspects of a UAS propulsion system.

94.3.2.2 Results
Upon completion of the local analysis using the spreadsheets, global analysis was
performed to derive the final results and recommendations of the study. First, the
“fundamental gaps” are identified, which include any fundamental technological
differences between the propulsion technologies for UAS versus manned aircraft.
Next, the “open set” gaps are identified where regulatory gaps exist because of safety
concerns for technologies that fall outside of the existing regulatory framework.

The Fundamental Gap The fundamental gap between the existing regulations and
UAS propulsion technologies results from a greater diversity in the types of ET
and PP that can be utilized for a UAS. Existing regulations focus upon one of two
types of systems, GT and RP. As a result, some regulations simply do not apply
to alternative propulsion systems, and in other cases new regulations are required
to address the safety concerns of the new technology. A fundamental gap exists in
regulation of systems that depend exclusively on EM for propulsion and that there
exists no specific regulation addressing the kinds of power supplies that would be
driving these propulsion systems. UAS (excluding optionally piloted vehicles) do
not need to be concerned with the power requirements to propel the weight of both
the pilot and the onboard support and control interfaces, thereby further reducing the
electrical carrying requirements of an electrical power source. Technologies such as
FC, modernized batteries, UC, and PH have the ability to supply sufficient electricity
to provide sufficient endurance for a UAS and must now be considered by regulators.
The regulatory guidelines for thermodynamically driven engines address a set
of associated high-level concerns related to the lubrication of moving parts, heat
transfer, fuel delivery, air supply, fuel storage, etc. The GT and RP approaches
to propulsion both carry flammable liquid petroleum distillates that burn hot with
oxygen and have reactants that need to be expelled. These fundamental issues
(among many others) are addressed in the regulatory guidelines in a manner that
assures that any implementation of these approaches will be airworthy and have an
associated reliability for a given specified period of time. For an electric engine,
many of these factors do not apply with the same literal interpretation. Some issues
still need to be addressed such as ensuring that the motors remain sufficiently
cool and the moving parts remain lubricated. However, a new set of concerns is
introduced with the concept of an exclusively EM system. Many of the restrictions and
regulations in place for guaranteeing the safety of GT and RP in some cases do not
make sense and are insufficient when dealing with an EM.

The Open Set Gap From the fundamental gap and the technology survey, it is
evident that some technologies fall outside of the regulations. Incremental
adjustments to the regulations can be made to accommodate these changes. As
new technologies emerge, this could result in regulators continually attempting to
patch the regulations rather than create a new mechanism for addressing these new
and emergent technologies. In order to close the coverage of the open set gap, the
study concluded that the concepts of catch-all regulations should be embraced and
extended. This can include extending concepts of abstract regulation, in similar
approaches to the conceptual framework. Ideas like those in Parts 23 and 25
Sects. 1301 and 1309 can be complemented with regulation of generic propulsion
systems, regulating only the conceptual components, their abstract interfaces,
and the conceptualized interactions that each component would have between its
interface and another conceptual component interface.

94.4 Case Study #2: Sense-and-Avoid Technologies for UAS

94.4.1 Technology Survey

The sense-and-avoid (SAA) technology survey is guided by a representative
framework for sense-and-avoid technologies for UAS. Figure 94.2 graphically depicts this
framework. Three major categories of technologies relevant to the topic of SAA for
UAS are sense, avoid, and be seen. Each will be discussed in this section.

94.4.1.1 Sense
The first category of SAA technology is sense. These technologies allow the UAS to
detect other traffic and local terrain features. It is subdivided into airborne sensing
and ground-based sensing.

Airborne: Cooperative Cooperative technologies require other NAS users to be
equipped with specialized communication equipment, such as a working transponder,
such that they can be seen by other aircraft.
Traffic alert and collision avoidance system (TCAS) is a technology used in
manned aviation to improve pilot situation awareness to mitigate midair collisions.
TCAS I and TCAS II provide traffic advisories to the pilot in the event that
there is a risk of collision given the current flight path and oncoming traffic.
TCAS II also provides collision avoidance directives to the pilot (Federal Aviation
Administration 2012b). A recent FAA study examined TCAS for UAS (Federal
Aviation Administration 2011). It concluded that TCAS could be a viable tool to
aid situational awareness to the UAS operator/pilot but stated that the technology
was never approved as a sole means of replacing the pilot’s role to see and confirm
the presence of other air traffic.

Fig. 94.2 Technology survey framework for UAS sense-and-avoid technologies

Automatic dependent surveillance-broadcast (ADS-B) can also provide an
airborne sensing capability to improve situational awareness of local air traffic.
Equipped aircraft broadcast their current position and some additional state data
via data link. The broadcast message can be received by suitably equipped aircraft.
For manned aviation, the aircraft positions received can be displayed in real
time to the pilot to enhance local situational awareness. Air traffic controllers
can also receive this information via ground-based transceivers (Federal Aviation
Administration 2007).
There are two types of ADS-B technology currently in use. Universal
Access Transceiver (UAT) technology at 978 MHz is most commonly used by
general aviation aircraft. The second type utilizes a 1,090 MHz Extended Squitter
(ES) Mode-S transponder and is most commonly applied to transport category
aircraft (Federal Aviation Administration 2007). The MITRE Corporation has
produced prototype UAT units for UAS operations including one that is transmit
only and another that is capable of both sending and receiving ADS-B messages
(Strain et al. 2007).

Airborne: Noncooperative, Active Active noncooperative systems scan ahead
of the aircraft to identify local traffic and/or collision threats by emitting and
then receiving some form of sound or energy. The technologies vary in size
and configuration for airborne sensing of local air traffic and/or terrain features.
Radar can be equipped onboard a UAS for airborne sensing of other aircraft.
Smaller non-cooperative radar systems have been employed in robotics applications
in the past such as millimeter wave (MMW) radar. Laser systems such as LIDAR or
laser range finders emit laser light, which is reflected off of the surface of a target.
Depending upon the scanning technique, sampling resolution, etc., it is possible to
analyze the shape of the target. The system can also track a target over successive
scans allowing for a determination of range, bearing, speed, and trajectory. The
sensors can be robust enough to support operation in conditions of low human
visibility such as fog or smoke. Sonar systems utilize the emission of acoustic
pulses. The time of flight from transmission to the reception of the reflection is
used to determine the approximate range to the target. Due to the limited resolution
and range, sonar at this time is not likely a viable option for airborne active
sensing.

Airborne: Noncooperative, Passive Passive noncooperative systems do not emit
sound or energy in order to detect a target. These sensors often cannot yield
as robust a data set as active sensors, including safety-critical data such as
bearing, range, velocity, or trajectory of the target. Electro-optical (EO) cameras
convert visible spectrum light into electronic signals and analyze the changes in
data. EO cameras can be used with image processing algorithms to detect and
analyze visible targets. Video or still images can also be rebroadcast to
ground-based operators. Motion detection algorithms (Hottman et al. 2007) can be used to
detect potential targets and track features of their motion by using multiple cameras.
Infrared cameras are similar to EO but capture light frequencies within some subset
of the infrared spectrum. These cameras and their processors can produce images
for human operators as either black-hot objects or white-hot objects (i.e., with
black-hot, the darker a pixel is within the image, the hotter it was perceived by
the camera, and vice versa for white-hot). These images can also be examined
by computer vision algorithms to do automatic target detection and tracking.
One advantage of infrared is that it can operate in conditions where the visual
spectrum is occluded such as fog and smoke (Access 5 2004). An acoustic system
utilizes an array of microphones and processors to analyze the sounds within the
airspace around the aircraft and can be capable of detecting and tracking local
air traffic (Hottman et al. 2007). The viability of this approach is debated. For
instance, a NASA Access 5 study indicates concern about the high signal-to-noise
ratio (Access 5 2004). However, SARA Inc. has developed a prototype system
utilizing a windscreen to dampen the noise from wind and aircraft vibration (SARA,
Inc. 2008).

Ground-based: Cooperative Traffic information system-broadcast (TIS-B) is
similar to ADS-B. Suitably equipped aircraft or ground stations can receive
information regarding local air traffic. TIS-B uses ground-based radar to detect
local air traffic. This information is then transmitted via uplink to aircraft equipped
with an ADS-B receiver. The ground-based radars can detect non-ADS-B-equipped
aircraft so long as they have a Mode-S or Mode-C transponder (Access 5 2004).
Air traffic control (ATC) radar-based separation is another approach that can be
taken to aid the sensing of aircraft. Primary radar can be used to detect cooperative
and noncooperative aircraft within a limited range. Secondary radar could be used
to detect transponder equipped, cooperative aircraft.

Ground-based: Noncooperative Ground-based radar separation can be supported
for noncooperative aircraft as well as cooperative aircraft. To detect a
noncooperative aircraft, primary surveillance radar would be required. Such radar
provides limited range and can have difficulty discriminating between local aircraft
and other airborne phenomena such as birds.
Spotters can provide noncooperative ground-based sensing of local air traffic so
long as the UAS is operating within their visual line of sight. The observer must
be able to identify the aircraft and local air traffic. It is the spotter’s duty to notify
the pilot in command (PIC) if any perceived right-of-way issues exist with local air
traffic. A pilot in command (PIC) is the UAS pilot/operator that has legal authority
over the flight. Their responsibility from a regulatory point of view is analogous to
the pilot in command of a manned flight. It is also common to have airborne spotters
that observe the UAS and its local air traffic from a chase aircraft.

94.4.1.2 Avoid
The second category of SAA technology is avoid. Collision avoidance can be
addressed through one of two primary mechanisms. First, the system can be diverted
by a remote operator. Second, the aircraft could choose to autonomously avoid the
collision using its autopilot. There can also be a blending of these two approaches.
Aircraft autonomy is addressed further in Sect. 94.5.

94.4.1.3 Be Seen
The third category of SAA technology is be seen. This represents the ability for the
aircraft to be seen by other aircraft, both cooperative and noncooperative, and by ATC.
This is divided into UAS equipage for being seen and UAS conspicuity.

Aircraft Equipage ADS-B can be equipped on UAS. The MITRE Corporation
has developed the UAT Beacon Radio transmit-only and transceiver ADS-B (UBR-TX
and UBR-TVR) prototypes for general aviation and UAS operations (Strain
et al. 2007). This equipage would allow the UAS to be visible to ATC and suitably
equipped local air traffic. Transponder-equipped UAS will also be visible to others
whenever operating in range of a primary or secondary radar site. Lastly,
TCAS-equipped UAS could be detected by other TCAS-equipped aircraft so that they
could receive collision warnings and/or deviation instructions should a collision
risk exist.

Aircraft Conspicuity An RTCA SC-203 report, DO-304 (RTCA SC-2003 2007),
states the concept and need for conspicuity quite well:

Conspicuity: Many UA are small and made of materials that provide minimal radar cross
sections. Aircraft that are difficult to see by human sight or by systems (e.g., radar or
optical) can increase risks of collisions. These could be mitigated by paint schemes, lights
or radar reflectors to enhance visibility, but these measures must be appropriate to the flight
environment.

In addition to the techniques discussed in the definition above, procedural changes
made by the UAS operator can also impact the ability of others to detect the UAS
(Hottman et al. 2007).

94.4.2 Regulatory Gap Analysis

The regulatory gap analysis for SAA is divided into two areas of focus. First, FAA
Title 14 CFR Part 91 is reviewed to identify regulations related to the PIC’s role
to see and avoid other aircraft. Next, while not law, the AIM (Federal Aviation
Administration 2012a) is examined because it provides guidance to pilots regarding
their role to see and avoid other aircraft.

94.4.2.1 FAA Title 14 CFR Part 91


Title 14 CFR 91.111: Operating Near Other Aircraft This regulation covers
restrictions forbidding the operator to control his/her aircraft in close proximity
to other aircraft. The regulation states that operations near another aircraft cannot
be made if a collision hazard exists. For manned aviation, this is an instruction
to provide adequate self-separation to mitigate risk of collision. For an unmanned
aircraft, this regulation points out the necessity of a separation mechanism. The
sensing mechanism must have sufficient accuracy and resolution such that the
operator and/or vehicle autonomy can determine both the location of the aircraft and
the location of the other aircraft. The pilot in command and/or the autonomy must
be capable of responding appropriately when a minimum distance of separation is
violated. Qualitative and quantitative requirements for avionic components will be
necessary to ensure that a sufficient level of safety is maintained.

Title 14 CFR 91.113: Right-of-Way Rules: Except Water Operations This
regulation covers the necessary vigilance required by the system (operator and/or
autonomy) to see and avoid other aircraft. It also identifies the right-of-way
requirements concerning a variety of airborne platforms, as well as the
right-of-way requirements among similar aircraft in various situations. The regulation also
discusses right of way for landing aircraft. Similar to 91.111, the sensing
technology must be able to determine when the UAS is operating at the same or a
sufficiently close altitude to another aircraft and that the two aircraft are converging.
There are currently no special rules for UAS. As regulators and engineers evaluate the
safety case for passing operations, it is possible that such rules and priorities must
be identified.
A potential gap exists with respect to UAS operating around aircraft performing
landing operations. A landing aircraft is said to have the right of way. If two aircraft
are landing, the lower aircraft has the right of way. This would require that the
aircraft be capable of not only sensing the other aircraft but also deriving its intent
to land. Similarly, the regulation also gives right of way to aircraft in distress, which
can likely be difficult to identify when the pilot is physically decoupled from the
aircraft.

Title 14 CFR 91.115: Right-of-Way Rules: Water Operations This regulation
covers right of way similar to 91.113 but includes water operations, where interaction
can include non-aircraft vessels. This includes head-on, crossing, and overtaking
conditions with other vessels. This specifically must be addressed for UAS designed
for water operations. Visual observation can be more difficult with water operations.
Identifying surface vehicle capabilities and intent can also be more difficult for a UA
and/or its operator.

94.4.2.2 Aeronautical Information Manual


Essential to the scope of this project, the AIM identifies the process of fulfilling
the see-and-avoid requirements. It also provides a detailed synopsis of how ground
operations should be performed. For ERAU’s analysis of the AIM, excerpts were
extracted that were deemed applicable to see and avoid processes of manned aircraft
that would need to be replaced by SAA capabilities of UAS.

AIM 4-4-14: Visual Separation This section discusses visual separation as a
mechanism for ensuring safe operation in the terminal area and en route. This
includes visual observation provided by ATC in the tower within the terminal area. It
also includes active scanning of the airspace around the aircraft to ensure separation.
In most flight situations, scanning the sky is a necessary component of flight safety,
and it is mentioned in AIM 8-1-6(c)(1) that spotting potential threats increases
directly with the amount of time the operator spends scanning the skies. A SAA
system would more than provide constant scanning. Unlike the human eye scanning
at 10° per second limited by several blind spots in the aircraft, a SAA system may
be less limited with regard to the distance, speed, and directions of sensing.

AIM 4-4-15: Use of Clearing Procedures This section discusses clearing procedures
used to maintain visual awareness of the airspace around the aircraft. It
defines expectations for pre-takeoff, climbs and descents, straight and level, traffic
patterns at VOR sites, training operations, etc. It also distinguishes between
low-wing and high-wing aircraft. UAS operations also require a clearing of the airspace
to maintain assurance of safe separation with other aircraft. However, depending
upon the see-and-avoid systems onboard, the need for actual clearing procedures
may be reduced or eliminated given the scanning and/or field-of-view capabilities
of the sensor(s).

AIM 5-5-8: See and Avoid This section simply restates that when meteorological
conditions permit, the pilot has the responsibility to see and avoid other
aircraft. The controller can provide local air traffic information as workload permits.
The controller can also issue safety alerts if other unsafe situations are observed.
This relates directly to the sections of Part 91 discussed above.

AIM 8-1-6: Vision in Flight This section of the AIM discusses effective use
of vision given various levels of illumination as well as techniques that can be
employed to scan the sky. It also identifies some quantitative data that can be useful
in determining human capabilities for aircraft detection. Some of these details can
be relevant to UAS when dealing with ground observers. Other aspects may not be
applicable as scanning techniques and the impact of illumination may have little or
no impact on particular sensors.

AIM 8-1-8: Judgment Aspects of Collision Avoidance This section of the AIM
provides guidance on handling unique collision avoidance situations. It describes
determining relative altitude based upon the location of another aircraft with respect
to the observer’s determination of the horizon. This holds some relevance to visual
sensors such as EO or IR cameras. However, some UAS sensors may not be
capable of utilizing this technique or have better alternative results for altitude
approximation. Visual observers on the ground would be unable to apply this
technique.
The section also describes addressing multiple threats simultaneously. This calls
on observation of the other aircraft as the pilot performs the avoidance maneuver to
ensure that a secondary collision threat does not result. This can be challenging
depending upon the SAA technology and the lack of situational awareness for
the PIC. Some situations in which visual limitations exist are also discussed. For
instance, poor windshield conditions are considered (which could be similar to a
fouled sensor on a UAS), which would need to be replaced and/or repaired prior to
flight. Similarly, smoke, haze, dust, etc. can reduce visual acuity for manned aircraft
visual separation but may or may not have an impact for UAS operators depending
upon the sensing techniques employed.

94.5 Case Study #3: Command, Control, and Communication Technologies for UAS

94.5.1 Technology Survey

UAS C3 for this study is defined as:


Command: Aspects related to ensuring the aircraft’s progress toward completion
of its mission including, but not exclusive to, flight automation, remote piloting,
link loss (LL) procedures, situational awareness, flight ATC coordination, etc.
Control: Aspects related specifically to flight control including control surfaces,
fly-by-wire(less) systems, and aspects involving flight control at the GCS
including cockpit indicators and aircraft controls (yoke, pedals, throttle levers,
joystick, touch screens, etc.)
Communication: Aspects of wired and wireless communication necessary to
ensure safe operation of the aircraft and communication with ATC regardless
of the UA’s proximity to the GCS.
Use of the C3 acronym is not without issue. C3 as originally used by the
U.S. Department of Defense (DOD) had “command” meaning ordering tactical
elements to carry out some particular mission or goal, “control” as execution
of that mission by means of verification of progress and correction toward the
goal(s), and “communication” referring to communication between the command
and control elements (United States Naval Academy 2008). The Radio Technical
Commission for Aeronautics, Inc. (RTCA) Special Committee 203 (SC-203) has
condensed this acronym to control and communication (C2), eliminating command.
“Control” under their definition combines all aspects of the system necessary to
direct the aircraft’s execution of its mission; “communication” refers to both ATC
communication and communication between the control station, the aircraft, and
flight observers (air or ground based). Such a grouping is problematic, in that there
are numerous regulations focusing upon control-related aspects, including those
related to control surfaces, cockpit layout, pilot flight control requirements, and
adequate redundancy.
A technology survey was performed on C3 technologies for current and
near-future UAS. A web search yielded a summary of the UAS. From this list,
representative aircraft with low, medium, and high endurance, operating within both
RF line of sight (LOS) and RF beyond line of sight (BLOS), were selected. For each, a
deeper search was performed to locate data sheets and other information. These data
were compiled, and a hierarchical model was produced based on the key variation
points among representative systems. Using this model and the data collected, the
technology survey section was generated and organized. In this report, the terms
LOS and BLOS will refer to line-of-sight capabilities of RF signal propagation.
Any cases of visual line of sight will be explicitly stated as such.
The C3 framework is shown in Fig. 94.3, organizing surveyed technologies into
categories. UAS operations utilize LOS and/or BLOS communications. Under each,
technical issues are divided into two categories, C2 and ATC. For C2, the survey
explored technologies and issues necessary to safely support flight operations of the
UAS from a remote pilot and/or control point of view. For ATC, technologies and
issues on the interaction of the aircraft or PIC with ATC were explored. Various data
links were examined including their frequencies and data rates. LL procedures are
enumerated. For C2 only, the issue of autonomy, remote pilot versus autopilot, is
examined.
It is important to note that most BLOS-capable UAS incorporate some LOS
technologies. LOS operation may be divided between three classes of UA: low
endurance, medium endurance, and high endurance. Low endurance operates
almost entirely within LOS. Examples included Advance Ceramic Research’s
(ACR) Manta B (Advance Ceramic Research 2008), ACR’s Silver Fox (Advance
Ceramic Research 2008), Meridian (Hale et al. 2007), AeroVironment’s (AV) Raven
(AeroVironment 2008), and AV’s Dragon Eye (AeroVironment 2008). Medium- and
high-endurance classes operate in both LOS and BLOS conditions.
Medium-endurance examples include Insitu’s ScanEagle (Insitu 2008), Insitu’s Georanger
(Insitu 2008), and AAI Corp.’s Shadow (AAI Corp. 2008). Examples of high
endurance include General Atomics’ (GA) Predator (General Atomics Aeronautical
Systems, Inc. 2008), GA’s Mariner (General Atomics Aeronautical Systems, Inc.
2008), Northrop Grumman’s (NG) Global Hawk (Northrop Grumman 2008), NG’s
BAMS (Northrop Grumman 2008), and AV’s Global Observer (AeroVironment
2008). Table 94.17 lists some examples of LOS C3 technologies.
BLOS UAS cover primarily high-endurance UAS. Table 94.18 lists some
examples of BLOS C3 technologies aboard UAS.

Fig. 94.3 UAS C3 hierarchical system model

C2 Data Links LOS C2 data links use spectrum from VHF (30–300 MHz) to
microwave C band (4–8 GHz) (Neale and Schultz 2007). The most common LOS
data link employed for UAS is C band, using 3.7–4.2 GHz for downlink and
5.9–6.4 GHz for uplink. C band is strategically chosen because its frequency is less
affected by extreme weather.
Some small UA like ScanEagle and Georanger, Meridian, Shadow, Dragon, and
Raven use UHF (300 MHz–3 GHz) for LOS C2. It is not uncommon for these
aircraft to utilize a 72 MHz handheld remote control similar or identical to those used
by hobbyists. Some experimental UAS use IEEE 802.11 for the C2 link (Brown et al.
2006; Frew et al. 2008), allowing ad hoc networks between UAS. Their range is
LOS and directional antennas may be required to ensure signal strength to maintain
connectivity.
For BLOS, low Earth orbiting (LEO) and geostationary Earth orbiting (GEO)
satellites represent two extremes for satellite communication (SATCOM). LEO
satellites operate around 400 km (250 miles). GEO satellites operate around
35,800 km (22,200 miles). Because they are closer to the Earth’s surface, LEO
satellites can transmit equivalent bit-error-rate messages with lower power.

Table 94.17 Line-of-sight communication for a sample of surveyed unmanned aircraft

Aircraft      Manufacturer          LOS communication         Characteristics
Predator      General Atomics       C band                    Wingspan 20.1 m
              Aeronautical Systems                            Length 10.9 m
                                                              Payload 385.5 kg
                                                              Max altitude 15,240 m
                                                              Max endurance 30 h
Global Hawk   Northrop Grumman      CDL (137 Mbps, 274 Mbps); Wingspan 39.9 m
              Integrated Systems    UHF SATCOM                Length 14.6 m
                                                              Payload 1,360.7 kg
                                                              Max altitude 18,288 m
                                                              Max endurance 36 h
ScanEagle     Insitu Group          900 MHz of spread         Wingspan 3.1 m
                                    spectrum frequency        Length 1.2 m
                                    hopping; UHF              Payload 6.0 kg
                                    command/telemetry         Max altitude 4,998 m
                                                              Max endurance 20 h
Meridian      University of Kansas  72 MHz Futaba radio       Wingspan 8 m
                                    2.4 GHz microband radio   Length 5.1 m
                                                              Payload 54.4 kg
                                                              Max altitude 4,572 m
                                                              Max endurance 9 h
Desert Hawk   Lockheed Martin       Military 15 km data link  Wingspan 1.4 m
                                                              Length 0.9 m
                                                              Payload 3.1 kg
                                                              Max altitude 152 m
                                                              Max endurance 1 h
Dragon Eye    AeroVironment         Military 10 km data link  Wingspan 1.2 m
                                    @ 9600 baud               Length 0.9 m
                                                              Payload 2.3 kg
                                                              Max altitude 152 m
                                                              Max endurance 1 h
Manta B       Advance Ceramic       Military band/ISM band    Wingspan 2.7 m
              Research              radio modem;              Length 1.9 m
                                    24–32 km radio            Payload 6.8 kg
                                                              Max altitude 4,876 m
                                                              Max endurance 6 h

Since they are not stationary relative to the Earth’s surface and have a narrower field of
view, LEO satellite constellations require a larger number of satellites to achieve
the same coverage as GEOs. In Peters and Farrell (2003), a constellation of 80
LEO satellites was compared with a six-satellite GEO constellation with equivalent
coverage area using Ka band. The LEO constellation outperformed the GEO
constellation with reduced latency, lower path losses, and reduced launch cost.
A LEO satellite constellation has higher operational costs. Examples of widely used
LEO constellations include Iridium (2008) and Globalstar (2008). For both cases,
when the UA moves from one satellite’s coverage area to another, service may be
temporarily disrupted as communications are handed off.

Table 94.18 BLOS communication for a sample of surveyed unmanned aircraft

Aircraft      Manufacturer          BLOS communication        Characteristics
Predator      General Atomics       Ku band SATCOM            Wingspan 20.1 m
              Aeronautical Systems                            Length 10.9 m
                                                              Payload 385.5 kg
                                                              Max altitude 15,240 m
                                                              Max endurance 30 h
Global Hawk   Northrop Grumman      Ku band SATCOM;           Wingspan 39.9 m
              Integrated Systems    Inmarsat                  Length 14.6 m
                                                              Payload 1,360.7 kg
                                                              Max altitude 18,288 m
                                                              Max endurance 36 h
ScanEagle     Insitu Group          Iridium                   Wingspan 3.1 m
                                                              Length 1.2 m
                                                              Payload 6.0 kg
                                                              Max altitude 4,998 m
                                                              Max endurance 20 h
Meridian      University of Kansas  Iridium A3LA-D modem      Wingspan 8 m
                                    2.4 Kbits/s               Length 5.1 m
                                    1,616–1,626.5 MHz         Payload 54.4 kg
                                                              Max altitude 4,572 m
                                                              Max endurance 9 h
Desert Hawk   Lockheed Martin       No BLOS operations        Wingspan 1.4 m
                                    disclosed                 Length 0.9 m
                                                              Payload 3.1 kg
                                                              Max altitude 152 m
                                                              Max endurance 1 h
Dragon Eye    AeroVironment         No BLOS operations        Wingspan 1.2 m
                                    disclosed                 Length 0.9 m
                                                              Payload 2.3 kg
                                                              Max altitude 152 m
                                                              Max endurance 1 h
Manta B       Advance Ceramic       No BLOS operations        Wingspan 2.7 m
              Research              disclosed                 Length 1.9 m
                                                              Payload 6.8 kg
                                                              Max altitude 4,876 m
                                                              Max endurance 6 h

BLOS C2 data links range from UHF (300 MHz–3 GHz) to Ku band
(12–18 GHz) via SATCOM (Neale and Schultz 2007). Ku band is used by
high-endurance UAS like Global Hawk, BAMS, and Predator and its derivatives.
INMARSAT SATCOM data links, with a frequency range from 1,626.5 to
1,660.5 MHz for uplink and 1,525–1,559 MHz for downlink (INMARSAT 2008),
are used by some high-endurance UAS including BAMS, Mariner, and Global
Hawk. L band Iridium data links range from 390 MHz to 1.55 GHz (Iridium
2008) and are used by smaller, low- or medium-endurance research UAS such as
Georanger and Meridian.
Certain military UAS use Common Data Link (CDL) or Tactical CDL. CDL is a
jam-resistant spread spectrum digital link incorporating multiple microwave bands
(Global Security 2008). CDL is mostly used for BLOS operations; it can be used
for LOS operations to ensure continuously safe and seamless communication when
deployed in hostile territory. Data sheets for larger military UAS (e.g., Predator-B,
Global Hawk) show identical specifications to CDL without explicitly stating the
technology is in use.

Flight Control Technologies and Operation Low-endurance UAS often use
LOS remote control (R/C) for at least part of the flight. For takeoff/landing,
an R/C pilot controls the aircraft. Once airborne, the pilot can fly the aircraft
manually or allow the autopilot to perform waypoint navigation along a flight path.
Representative examples include Manta B, Meridian, Raven A and B, Dragon Eye,
Silver Fox, and Shadow. High-endurance UAS often use autopilot for all LOS
(and BLOS) flight operations. The flight plan is programmed into the autopilot.
Once the mission begins, the aircraft will autonomously take off and follow the
predefined path. The pilot remains out of the C2 loop but monitors the flight
operations and, if need be, interrupts the autopilot and takes over piloting duties.
Representative examples include Predator, Mariner, ScanEagle, Georanger, Global
Hawk, and BAMS.
For BLOS operations, remote piloting becomes less feasible with SATCOM due
to its latency. Most long-endurance BLOS UAS employ autopilots and a pilot on the
loop (able to intervene if necessary). The flight plan is programmed in the autopilot
via the GCS GUI.

C2 Link Loss Procedures In the original study performed by ERAU, lost link
(LL) procedures were addressed as part of the C3 study. One year later, the ERFT
study revisited this topic in greater detail. For the sake of conciseness and to avoid
redundancy, this topic with respect to C2 will be further addressed within the ERFT
case study later in this chapter.

ATC Communication, Coordination, and Lost Link. For ATC LL, the objective
is to reestablish voice communications between the GCS and the ATC authority.
For LL with ATC for LOS operation, a land-based phone line is the only option
currently used. Some UA are equipped with multiple VHF transceivers that could
be used to establish a ground control to ATC voice communication link using the
UA as an intermediary.
BLOS UAS PIC-ATC communications can utilize the UA as a communication
relay. The PIC contacts the ATC facility local to the UA via VHF radio onboard
the aircraft. For BLOS operations, reestablishing a connection after LL requires
redundant voice communication systems onboard. For the Altair LL, the FAA and
ATC were provided with detailed flight plans, making sure that the ATC knew
the aircraft’s location. Additionally, the missions were planned meticulously with
respect to ATC coordination, such that all potential ATC facilities are notified. The
mode of notification was not explicitly disclosed (Ambrosia et al. 2007).
Using a UA as a voice relay with ATC has technical issues such as handoff.
For manned aircraft, as it transitions from one ATC cell to another, the onboard
pilot dials the VHF radio to the appropriate ATC channel as instructed through the
handoff procedure. For several existing COAs and aircraft, the aircraft performs
a rapid ascent to an altitude above controlled airspace (i.e., above 60,000 ft) and
maintains this altitude for the duration of the flight. As a result, interaction along a
flight path involving multiple ATC facilities is not common, and proper procedures
to handle operations within controlled airspace have not been formally developed.
For UAS to operate within ATC-controlled airspace in the NAS BLOS, further
protocols must be established regarding the handling of the handoffs and setting of
the new frequencies of the aircraft’s ground-to-ATC relay. Another potential issue of
using UAS as a relay is the spectrum availability to handle additional voice channels
(25 kHz bandwidth) to support each UA (Heppe, personal communications, Insitu,
Inc., 2008). A proposed alternative is to utilize ground-based telecommunications
networks to connect the PIC at the GCS to the ATC facility under which the UA is
operating.

94.5.2 Regulatory Gap Analysis

The C3 gap analysis examined 14 CFR Parts 21, 23, 25, 27, and 91 and the AIM.
Each section was labeled does not apply, applies as is, applies with interpretation,
or applies with revision with respect to the categories command, control, and
communication. Fundamental gaps were identified as well as gaps associated
with particular technologies and/or regulations. Related gaps were grouped as
appropriate. Additional regulatory concerns not fitting into the above categories
were also identified.
The regulatory gap analysis was performed iteratively. First, each section of
the parts was classified using the four labels above for command, control, and
communication. During the second pass, the reviewer annotated sections that were
labeled as applicable with interpretation or revision. Third, the annotations were
organized and merged to produce the regulatory gap analysis report.

94.5.2.1 Fundamental Gaps


Fundamental gaps were defined as issues with the existing regulatory framework
resulting in widespread regulatory gaps from the fundamental difference between
UAS C3 versus manned aviation C3 and their operating/flight procedures. The most
fundamental gap is that UAS are comprised of two physically separate subsystems,
the UA and the GCS at which the PIC is located, connected via data links.
Secondly, ATC-PIC voice must now be reconsidered. Numerous gaps result from
communication being decoupled for UAS. In some instances, reinterpretation is
required, such as for 14 CFR 21.{3, 16, 19, 33, 35, 37, 45, 127, 305, 605, and 609}
and 23.1309. It was concluded that UAS should be certified as a whole, and any
deviations from current TSOs as regulated in 14 CFR 21.609 should be acceptable
only by demonstrating an ELOS for the entire system.
The second fundamental gap is the definition, roles, and responsibilities of the
PIC. Because the PIC is no longer onboard the aircraft, regulations and procedures
defined with this expectation must be reviewed and reinterpreted to address this
change.
The decoupling of the pilot’s flight control interfaces and the aircraft control
system (autopilot, surfaces, etc.), and the required data link to support this wireless
interaction, results in the next fundamental gap. Revisions would be required in
14 CFR 23.{175, 177, 1329}, 25.{175, 177, 253, 331, 1303, 1329}, and 27.143
to ensure that the failure of certain data links will not result in a system failure.
Regulations that previously described the redundancies needed between flight
controls and control surfaces may now be reinterpreted as applying to the data link.

94.5.2.2 Command
In industry and the military, UAS pilots have not necessarily been licensed pilots.
14 CFR 21.37 and 21.31(b) call for the pilot to be licensed and medically certified
in order to assume command of the aircraft. It must be decided whether UAS
PICs require the same medical and training standards as licensed pilots. Training
can be developed to certify licensed UAS operators, requiring at minimum pilot
ground school. Flight instruction regulations are defined in 14 CFR 91.109. For a
typical training flight, an instructor pilot sits in the aircraft’s copilot position, having
complete authority to take command of the aircraft at any time. UAS instructor pilots
must similarly be able to override a UAS trainee, requiring GCS with a redundant
set of flight controls offering the instructor pilot the same ability to immediately
subsume the trainee pilot’s commands.
Under 14 CFR 91.7, the PIC of an aircraft has the responsibility to perform
the safety-critical preflight check of the aircraft prior to departure. This is suitable
for UAS operations in which the takeoff and landing occur at the same site as the
UAS PIC. If the takeoff and/or landing site is decoupled from the PIC, an approved
designee must be permitted to assume this duty.
FAA UAS Interim Guidelines 08-01 require use of a ground- or chase aircraft-
based observer to achieve SAA. Use of an observer produces gaps regarding AIM
procedures and guidance. AIM 4.4.1 and 4.4.12 define guidance stating that the
PIC has overall authority regarding the safety of the aircraft regardless of any order
issued by ATC. If the observers have greater situational awareness than the PIC,
the chain of command in choosing how to respond to a safety-critical situation
must be reconsidered. AIM 4.4.14 and 5.5.1 both discuss the authority of ATC
to command the aircraft in visual flight rules (VFR). It can be asked, should
similar authority be given to the observer when, regarding vertical clearance, the
surveillance capabilities of ATC within the terminal area are vastly superior to
those of a ground observer? It may be necessary to set limits upon when a PIC
has authority to accept or reject ATC orders and guidance from observers.
The need for pilot situational awareness and the ability to react quickly to adverse
conditions conflicts with the physical decoupling of pilot and aircraft in UAS.
14 CFR 25.253 and 23/25.671 discuss design of the flight control system to
provide timely information to the pilot and to handle the commands in the event of a
critical warning or sudden loss of control. UAS data link latency increases the time
it takes for the pilot to become aware of an adverse situation and react. Maintaining
an ELOS under these conditions is challenging. AIM 3.4.6 defines alert areas (e.g.,
areas of a heavy volume of training flights), and AIM 3.5.4 defines parachute jump
areas. Higher situation awareness is also necessary when operating under special
use airspace. UAS should be prohibited from both of these environments unless
suitable SAA technology is approved. A remote pilot lacks the necessary situation
awareness and the reaction time necessary to avoid a potential collision.
AIM 4.1.19 and 4.4.14 define conditions in which the pilot would have to
switch transponder or radio frequencies during transitions from various modes of
flight. Current radios and transponders are equipped with knobs that must be turned
to change frequencies. Approved alternative mechanisms must be developed to
allow this transition to be triggered remotely or automatically.

94.5.2.3 Control
14 CFR 25.397 discusses mechanical loads placed upon the cockpit controls
such as stick and wheel controls. Since the cockpit controls are decoupled from
the control surfaces, this regulation is no longer applicable. Other mechanical
requirements such as those in 14 CFR 23.395 and 23.405 are no longer necessary
as the aircraft is clearly in a fly-by-wire(less) control mode.
The requirement of status indicators to aid the pilots’ situational awareness must
also be reconsidered. 14 CFR 25.1303, 23/25.1309, and 91.205 as well as AIM
1.1.19 define the indicators required for the pilot. Under the UAS paradigm, the
indicator status information must be transmitted to the GCS and then displayed on
the GCS flight control displays.
14 CFR 23/25.1329 require the capability of the system to avoid becoming
stuck in a hard-over. In the event of a GCS or data link failure, the aircraft’s autopilot
and control system should have sufficient intelligence to detect faults and prevent
improper configurations from occurring.
14 CFR 23.679 discusses the need for lockouts of controls, while the aircraft
is grounded to prevent accidental bumping of controls, but the lockout must be
disabled and cannot be set during flight. For UAS, it may be necessary to include
such mechanisms while in flight as well. Consider the need for a UAS operator
(other than a PIC) to leave a position temporarily. It may be beneficial to enable a
lockout mechanism given the lack of situational awareness to ensure the aircraft is
not accidentally controlled by a 3rd party.

94.5.2.4 Communications
Regulatory gaps can be divided into communication segments. GCS-UA communication
will focus upon the command data link. GCS-ATC will focus upon
ATC to remote pilot interactions, which may rely upon the UAS as part of the
communication link.

GCS-UA Communications. 14 CFR 25.143 requires the aircraft to be safely
controllable and maneuverable during all phases of flight. The higher latency
associated with BLOS operations adds challenges to meeting this regulation with
an ELOS. Latency also impacts the remote pilot’s use of SAA tools, because TCAS and
ADS-B, as well as a number of other data services provided by ATC, must be
rebroadcast from the UA to the remote pilot. The transmission of real-time state data
for visual indicators specified in 14 CFR 23.207, 25.1303, 25.1309, and 91.205 is
similarly affected by latency.
There is also a need to address link loss detection and recovery, which is currently
not regulated. 14 CFR 23.685 discusses the aircraft’s mechanical design for preventing
mechanical jamming throughout the aircraft’s various linkages as essential
to control systems. Loss of data link due to RF range or jamming (malicious
or otherwise) represents a different but analogous type of jamming associated
with controls. 14 CFR 91.511 requires aircraft to be equipped with sufficiently
redundant communication systems for flight over bodies of water exceeding 30 min
duration or 100 nautical miles extent. UAS component redundancy can be weight,
cost, power, and space prohibitive.

GCS-ATC Communications. The technology survey identified techniques to handle
communication between the remote pilot located at the GCS and the controlling
ATC facility. The major difference is that pilot communication does not originate
from the aircraft, but the GCS. 14 CFR 91.185 requires procedures for handling a
LL between a pilot and ATC. This regulation may be interpreted as requiring UAS
to use a terrestrial telecommunications link from the GCS to the ATC in case the
GCS-ATC radio link is lost.
AIM 4.1.15 discusses safety alert messages that require an immediate response
by the pilot to avoid imminent damage to the aircraft and/or others; AIM 4.4.10
defines messages in which the word IMMEDIATELY may be added in order to
convey the urgency of the controller’s command. As latency may make “immediate”
infeasible, “immediate” may need to be replaced with a quantifiable time limit for
the pilot to take action. AIM 5.3.1 defines en route procedures for pilots, and
AIM 5.3.1.2 defines the controller pilot data link as a supplemental means of
providing en route commands from the controller to the pilot. To ensure these en
route directives are met, the UA must be equipped with a controller pilot data link,
relaying that data back to the PIC at the GCS. Current guidelines do not require this
capability and must be revised.

94.5.2.5 Other C3 Gaps


FAA TSOs (Federal Aviation Administration 2012c) are an additional source of
regulatory gaps. For the TSO gap analysis, there is less concern regarding whether
or not the performance standards are applicable with interpretation versus revision
as new TSOs may be issued with less effort than a change to the FARs. TSO-C9c:
Automatic Pilots (Federal Aviation Administration 2012e) defines the requirements
for automatic pilots, which must be approved for use in civil aircraft. This TSO is
written toward an autopilot on a manned aircraft in which a pilot is in immediate
control of the aircraft. The TSO references SAE Aeronautical Standards AS-402A
(SAE International 2001). A detailed analysis of AS-402A yielded the following
gaps. TSO-C9c 4.2.3 calls for “a controller, if present, it shall operate in the
plane and with the sense of direction of motion of the aircraft. The control sensing
shall be plainly identified on or adjacent to each control.” This requirement can be
reinterpreted toward the requirements of the ground control station.
TSO-C9c 4.3.1 and 4.3.2 call for “a means by which the pilot can be made
cognizant of the condition, including control behavior” and “the direction and
relative magnitude of the primary pitch servo present and other two axes.” This
requirement may be re-interpreted toward the requirements of the ground control
station. It must also be considered that any feedback of information to the GCS
controls and indicators from the UA will be susceptible to latency.
TSO-C9c 4.4.1 calls for “corrective control to be: (a) Pitch ±50° (b) Roll ±75°
(c) Yaw ±20°.” Since the PIC is no longer in immediate control of the aircraft,
the corrective controls about these three axes may require greater limitations of
corrective controls, while the autopilot is engaged.
TSO-C9c 4.5.1 calls for “a system interlock to prevent the automatic pilot
engagement until it has reached a fully operable condition.” For aircraft that
handle autonomous takeoff and landing, this requirement is no longer relevant.
However, for aircraft in which the PIC may manually remote control the aircraft,
this requirement must be reinterpreted toward a requirement for the GCS.
TSO-C52b: Flight Director Equipment (Federal Aviation Administration 2012d)
establishes minimum performance standards referencing SAE AS-8008 (SAE
International 1984). The regulatory gaps identified are similar if not identical to
that of TSO-C9c. TSO-C52b 3.6 calls for identical corrective control capabilities
for the pilot, while the autopilot is engaged as TSO-C9c 4.1.1. Likewise, TSO-
C52b 3.8 calls for the same lockout mechanism as defined by TSO-C9c 4.5.1.
The recommendations for interpretation remain the same for each.

94.6 Case Study #4: Emergency Recovery and Flight Termination Systems for UAS

94.6.1 Technology Survey

To maintain a sufficient level of safety, UAS are equipped with systems to detect
faults and failures of onboard components, including electromechanical systems
(e.g., control-surface actuators) and avionic systems (e.g., data links, actuator
controllers, and sensors). In emergency recovery (ER), the aircraft determines that a
fault has occurred, recovering from it while maintaining safe flight. Link loss (LL)
procedures, addressing and rectifying failure of command and control data links, are
a subset of ER. UAS experiencing LL or GPS loss may leave a predefined area for
operation, the bounding box (BB), and need to be brought down. Flight termination
(FT) technologies and procedures end the UA flight while minimizing the risk to the
public and property. A flight termination system (FTS) is an onboard system that
executes a flight termination, which may be remotely triggered via an independent
communications channel by the PIC or automatically performed by the UA on the
basis of aircraft conditions.
Information was gathered for UAS systems and technologies related
to emergency recovery, link loss, and flight termination. Data sheets and other
materials were collected on a number of UAS and UAS subsystems. A questionnaire
was developed and distributed to UAS researchers and industry workers, but very
few vendors replied, and fewer were willing to provide data. After conversations
with individuals in academia and industry, it was determined that the questions were
too concerned with proprietary information and had the potential to expose issues
manufacturers may not want made public, including experimental flight test results.
Figure 94.4 presents the developed ERFT conceptual framework. From left to
right, the criticality of a vehicle loss and ramifications of such a loss increase.
When criticality is low, health-based recovery systems diagnose and correct the
problem, and the vehicle continues onward. With greater criticality, mission-
level contingency systems handle an emergency recovery, often accompanied by
termination of the aircraft’s mission. The final and most extreme response is flight
termination. In addition to this framework above, UAS pilot procedures differ from
those for manned aircraft with the difference in some cases tied to the technology
being used, but in others coming from fundamental differences between UAS and
manned aircraft, and their operations.
Table 94.19 summarizes the ERFT capabilities of several surveyed autopilots
for small UAS (Vaglienti et al. 2008; Procerus Technologies 2008a; MicroPilot Inc.
2005). Table 94.20 presents the ERFT capabilities of several of the surveyed aircraft
(Heppe, personal communications, Insitu, Inc., 2008; McDuffy, personal communications,
Insitu, Inc., 2008; Butler and Loney 1995; Flightglobal 2009b; Winstead
2008; Flightglobal 2009d; Flightglobal 2009a; Donaldson and Lake 2007).

Fig. 94.4 A framework for guidance of ERFT technology survey (boxes, in order of increasing criticality of vehicle loss: Health-based Recovery, Mission Contingency Recovery, Flight Termination)

Table 94.19 Autopilot ERFT capabilities

| Autopilot | Contingency-based recovery | Flight termination |
|---|---|---|
| Cloudcap Piccolo | Return to waypoint | Mission selectable from close throttle, aerodynamic termination, and/or deploy parachute |
| Procerus Kestrel | Shallow bank until restored | Aerodynamic termination |
| Micropilot MP-2028g | Mission selectable (see next column) | Mission selectable from fly to climb, descend, roll, eject chute, etc. |

Table 94.20 Known ERFT capabilities for surveyed aircraft

| Aircraft | Manufacturer | Contingency-based recovery | Flight termination |
|---|---|---|---|
| ScanEagle | Insitu, Inc. | Loiter at point for lost link | Aerodynamic termination if departs mission area |
| Predator | General Atomics | Return home for lost link | Optional parachute for early models |
| Global Hawk | Northrop Grumman | Contingency flight paths for various emergency/contingency modes | Terminate with extreme prejudice |
| Polecat | Lockheed Martin | Unknown | Terminate with extreme prejudice |
| X-48B | Boeing and Cranfield Aerospace | Unknown | Parachute, airbags, and spin parachute (for stall testing) |
| Arrow | Jordon Military | Unknown | Parachute and flotation device |

Health-Based Recovery. Health-based recovery systems handle less extreme aircraft
system faults and failures in which the aircraft’s mission continues by
adjusting the vehicular attributes. Redundancy is the more common framework for
health-based recovery, while fault detection, identification, and recovery (FDIR)
is a recent approach to health-based recovery. With sufficient redundancy, when a
component becomes non-functional, it is possible for the control system to transition
to a backup system and continue nominal operation. A European UAS research
commission recently funded the development of a medium-altitude UA equipped
with a redundant engine (Flightglobal 2009c). Redundancy is common in civil
and military aviation, with dual or triple redundant systems used for safety-critical
hydraulic, electrical, and computational components within aircraft.
For fault detection, residuals representing the error between the expected and
actual responses of the aircraft’s systems are calculated. Fault identification analyzes
the residuals to identify the cause of the problem. Fault recovery adjusts the control
system dynamically, reducing the impact of the failure and restoring nominal
operation. If the recovery system is unable to perform such a restoration, then a
mission contingency plan or a flight termination system may be activated (Rotstein
et al. 2006; Atkins 2004; Heredia et al. 2004).

Mission Contingency Recovery. In mission contingency recovery, the aircraft
deviates from its current mission to one of several possible emergency-recovery
modes, altering its flight path to mitigate risk due to the failure and/or allow
safe recovery of the aircraft. As an example, the Global Hawk UAS possesses
a sophisticated contingency management system (CMS) with recovery modes
including link loss recovery, return-to-base command, abort landing command,
and land now command (Winstead 2008). For each of these, the CMS redirects
the aircraft to a flight path appropriate for the current mode, requiring all points
along the mission route to have contingency routes that branch off for each
contingency mode. Along a contingency route, additional contingency routes can
be branched off should additional failures occur. Figure 94.5 presents a primary
flight path and a number of contingency branches for Global Hawk. In this figure,
only three abstract contingency modes, C1, C2, and C3, are considered. Such an
elaborate contingency plan allows ATC along the mission and contingency paths
to be aware of the aircraft’s potential presence and the circumstances for that
presence.
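The branching requirement described above can be checked mechanically before a plan is filed. The following is an added example, not code from the chapter or from any Global Hawk system: the plan model, the route and waypoint names, and the rule that a route flown under one mode needs branches only for the other modes are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

MODES = ("C1", "C2", "C3")  # abstract contingency modes, named as in the chapter


@dataclass
class Waypoint:
    name: str
    branches: dict = field(default_factory=dict)  # mode -> name of contingency route
    terminal: bool = False  # landing or recovery point: nothing left to branch to


@dataclass
class Route:
    name: str
    waypoints: list


def audit_plan(routes, primary, modes=MODES):
    """Walk every route reachable from `primary`; return (findings, footprint).

    findings  -- sorted tuples (kind, route, waypoint, mode) describing coverage gaps
    footprint -- sorted waypoint names the aircraft could reach in any mode,
                 i.e. the places whose ATC facilities would need to know the plan
    """
    findings, footprint, seen = set(), set(), set()
    stack = [(primary, None)]  # (route name, mode under which it is being flown)
    while stack:
        rname, active = stack.pop()
        if (rname, active) in seen:
            continue
        seen.add((rname, active))
        route = routes.get(rname)
        if route is None:
            findings.add(("undefined-route", rname, "", ""))
            continue
        if not route.waypoints or not route.waypoints[-1].terminal:
            findings.add(("no-terminal-waypoint", rname, "", ""))
        for wp in route.waypoints:
            footprint.add(wp.name)
            if wp.terminal:
                continue
            for mode in modes:
                if mode == active:
                    continue  # assumption: already flying the response to this mode
                target = wp.branches.get(mode)
                if target is None:
                    findings.add(("uncovered", rname, wp.name, mode))
                else:
                    stack.append((target, mode))
    return sorted(findings), sorted(footprint)


def build_sample_plan():
    """Constructed plan with two deliberate defects (see comments)."""
    land = Route("LAND_NOW", [Waypoint("DIVERT_STRIP", terminal=True)])
    rtb = Route("RTB", [
        Waypoint("R1", {"C1": "LOITER", "C3": "LAND_NOW"}),
        Waypoint("BASE", terminal=True),
    ])
    loiter = Route("LOITER", [
        Waypoint("L1", {"C2": "RTB", "C3": "LAND_NOW"}),
        Waypoint("BASE", terminal=True),
    ])
    mission = Route("MISSION", [
        Waypoint("M1", {"C1": "LOITER", "C2": "RTB", "C3": "LAND_NOW"}),
        Waypoint("M2", {"C1": "LOITER", "C2": "RTB"}),                 # no C3 branch
        Waypoint("M3", {"C1": "LOITER", "C2": "RTB", "C3": "GLIDE"}),  # GLIDE not defined
        Waypoint("BASE", terminal=True),
    ])
    return {r.name: r for r in (mission, rtb, loiter, land)}


if __name__ == "__main__":
    gaps, reachable = audit_plan(build_sample_plan(), "MISSION")
    for gap in gaps:
        print("GAP", gap)
    print("Waypoints reachable in some mode:", ", ".join(reachable))
```

The footprint list is the practical by-product: it enumerates every point the aircraft could occupy under any contingency, which is the information the chapter says ATC needs in advance.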
As it is unsafe to operate a UAS when the control data link between the
aircraft and the ground control operator is down, lost link procedures are considered
contingency-based recovery. The survey revealed that the most common LL
procedure is for the aircraft to fly to a predefined location, where it can either loiter
until the link is restored, autonomously land, or be remotely piloted via secondary
data link (Walker 1997; McMinn and Jackson 2002; National Transportation Safety
Board 2008; Ro et al. 2007). The BAT III LL procedure is a simple return home
functionality, flying directly to the last known location of the GCS (Ro et al. 2007).
Within sufficient range of the GCS, a remote pilot controls the aircraft to land.
NASA and Boeing’s PhantomWorks X-36 follows a similar method of returning to
base and loitering (Walker 1997), but rather than return to base directly, the aircraft
follows a predefined return path. Researchers at NASA Dryden are developing a
path-planning algorithm for return-to-base and LL operations ensuring that the UA
stays within its authorized flight zone (McMinn and Jackson 2002). LL procedures
for BLOS operation in either medium-endurance or high-endurance UA are nearly
identical to LOS operations. Altair flew in the NAS for the Western States Fire Imaging
Mission. During one of its missions, the UA had a modem malfunction, resulting in
BLOS Ku band C2 LL. The aircraft switched to C band and flew to a predetermined
loiter point until the link was reestablished (Ambrosia et al. 2007).

Fig. 94.5 Contingency routes for Global Hawk (Winstead 2008)

For small UAS, commercial autopilots have contingency management features
for link loss. The Piccolo Autopilot (Vaglienti et al. 2008) supports a lost communication
timeout in seconds. If after that specified time a message from the GCS
has not been received, the aircraft flies to a LL waypoint. The Procerus Kestrel
lost link procedure returns the aircraft either to base or an alternate “rally point”
(Procerus Technologies 2008b). Micropilot’s various autopilots allow users to define
the response to the lost link procedure and the criteria for diagnosing the lost
link (Micropilot 2008). Its LL procedure supports the return to any waypoint or
alternatively to trigger a FTS.
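The timeout-then-escalate behavior surveyed above can be written as a small state machine. This is an added example, not the Piccolo, Kestrel, or MicroPilot implementation: the class and parameter names are hypothetical, termination on leaving the bounding box follows the ScanEagle row of Table 94.20, and the requirement of several consecutive GCS messages before resuming the mission is an assumption added so that an intermittent or jammed link does not make the aircraft flap between modes.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    MISSION = "follow mission plan"
    LOST_LINK = "fly to LL waypoint and loiter"
    TERMINATE = "flight termination"


@dataclass(frozen=True)
class BoundingBox:
    lat_min: float
    lat_max: float
    lon_min: float
    lon_max: float

    def contains(self, lat, lon):
        return (self.lat_min <= lat <= self.lat_max
                and self.lon_min <= lon <= self.lon_max)


class LinkLossMonitor:
    """Onboard watchdog: GCS silence -> LOST_LINK, leaving the box -> TERMINATE."""

    def __init__(self, timeout_s, box, restore_msgs=3, start=0.0):
        self.timeout_s = timeout_s        # lost-communication timeout in seconds
        self.box = box                    # authorized operating area
        self.restore_msgs = restore_msgs  # assumption: hysteresis before resuming
        self.mode = Mode.MISSION
        self.last_rx = start
        self._streak = 0                  # consecutive messages without a gap
        self.log = []

    def on_gcs_message(self, now):
        gap = now - self.last_rx
        self._streak = self._streak + 1 if gap <= self.timeout_s else 1
        self.last_rx = now

    def step(self, now, lat, lon):
        """Call on every navigation update; returns the commanded mode."""
        if self.mode is Mode.TERMINATE:
            return self.mode              # latched: a later message cannot undo it
        silent = now - self.last_rx
        if not self.box.contains(lat, lon):
            self._enter(Mode.TERMINATE, now, "outside bounding box")
        elif silent > self.timeout_s:
            if self.mode is Mode.MISSION:
                self._enter(Mode.LOST_LINK, now, f"no GCS message for {silent:.1f} s")
        elif self.mode is Mode.LOST_LINK and self._streak >= self.restore_msgs:
            self._enter(Mode.MISSION, now, "link restored")
        return self.mode

    def _enter(self, mode, now, reason):
        self.mode = mode
        self.log.append((now, mode.name, reason))


# Constructed timeline: ("rx", t) is a GCS message, ("pos", t, lat, lon) a nav update.
CONSTRUCTED_FLIGHT = [
    ("rx", 1), ("rx", 2), ("rx", 3), ("pos", 3, 40.05, -105.25),
    ("pos", 8, 40.05, -105.25),    # silent for exactly the timeout: still MISSION
    ("pos", 9, 40.05, -105.25),    # timeout exceeded: LOST_LINK
    ("rx", 10), ("pos", 10, 40.05, -105.25),   # one message is not yet "restored"
    ("rx", 11), ("rx", 12), ("pos", 12, 40.05, -105.25),
    ("pos", 20, 40.06, -105.25),   # silent again: LOST_LINK
    ("pos", 25, 40.20, -105.25),   # drifted out of the box: TERMINATE
    ("rx", 26), ("rx", 27), ("rx", 28), ("pos", 28, 40.05, -105.25),
]


def run_constructed_flight():
    box = BoundingBox(40.0, 40.1, -105.3, -105.2)  # constructed coordinates
    monitor = LinkLossMonitor(timeout_s=5, box=box)
    modes = []
    for ev in CONSTRUCTED_FLIGHT:
        if ev[0] == "rx":
            monitor.on_gcs_message(ev[1])
        else:
            _, t, lat, lon = ev
            modes.append((t, monitor.step(t, lat, lon).name))
    return modes, monitor.log


if __name__ == "__main__":
    for t, mode in run_constructed_flight()[0]:
        print(f"t={t:>2}s  {mode}")
```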

Flight Termination. A FTS brings an aircraft down expeditiously while maintaining
an appropriate level of safety to public and property. Given sufficient
redundancy, a FTS may not be necessary, but two motivating factors for having such
a system include insufficient redundancy, often the case for smaller UAS, and the
FTS being mandated per conditions of the restricted airspace in which the aircraft
is flying (i.e., range safety).
One approach is to aerodynamically terminate a flight by setting the aircraft’s
control surfaces to a state resulting in the vehicle crashing into the ground or a body
of water in a semi-controlled manner. One form of aerodynamic termination is to
perform a slow downward spiral, allowing some aircraft damage to be mitigated by
a slow descent and the aircraft’s final position to be controlled. This mechanism
is ideal under airspace violation events, as it prevents deeper intrusion into an
unauthorized airspace. This technique is used by the Insitu ScanEagle (McDuffy,
personal communications, Insitu, Inc., 2008) and is also provided as a feature by
the Piccolo (Vaglienti et al. 2008), Micropilot autopilots (Micropilot 2008), and
the Kestrel autopilots (Procerus Technologies 2008b). In glide-path descents, the
aircraft glides from its current altitude to a landing site without engine power.
Under a glide-path termination, a suitable landing site may be designated by the UA
PIC (Atkins 2004) or autonomously (Atkins 2004; Fitzgerald et al. 2005). Glide-
path descents for high-altitude UAS allow the aircraft to terminate in a region in
which the risk can be mitigated, as the aircraft can glide out over the ocean or an
unoccupied area before impacting with the surface.
Several ballistic recovery systems are available to handle flight termination of an
unmanned aircraft. Parachutes have a history of use in manned aircraft, and some
technical standard orders exist (Federal Aviation Administration 2009c). Autopilots
such as the Piccolo (Vaglienti et al. 2008) and Kestrel (Procerus Technologies
2008b) allow parachute deployment to be part of the FTS if the target aircraft
is appropriately equipped. While not a standard feature, parachutes have been
installed on the Predator UAS (Butler and Loney 1995), and a number of other UAS
are parachute equipped (Flightglobal 2009c; Donaldson and Lake 2007; Procerus
Technologies 2008b; Micropilot 2008; Vaglienti et al. 2008). Parafoil parachutes
provide additional loft permitting greater control for the aircraft such that it is
possible to achieve a glide-path approach (Fitzgerald et al. 2005). This is used on the
BAE SkyEye and the IAI I-View (Donaldson and Lake 2007). Some aircraft such as
the X-48B also include spin parachutes, which aid in recovery of an aircraft caught
in a spin. Airbags or flotation devices may accompany parachute-based FTS. The
X-48B is equipped with airbags to reduce the forces at impact (Flightglobal 2009a).
The Jordon Arrow is equipped with a foam body in order to remain buoyant if the
aircraft is terminated in the water (Donaldson and Lake 2007).

94.6.2 Regulatory Gap Analysis

This section presents the process and results of the ERFT regulatory gap analysis.
Title 14 CFR Parts 23, 25, 27, 29, and 91 were reviewed as well as guidance
materials, including the Aeronautical Information Manual (AIM) (Federal Aviation
Administration 2012a), Airplane Flying Handbook (AFH) (Federal Aviation
Administration 2009a), and Helicopter Flying Handbook (Federal Aviation Administration
2009b). Regulatory gaps were organized based upon aspects of pilot/crew
procedures, health-based recovery, contingency-based recovery, and flight termination.
Both fundamental gaps, regulatory gaps that exist because of the difference
between technologies when regulations were written and UAS technologies utilized,
as well as open-set gaps, gaps due to UAS technologies that have no analogue with
currently regulated technologies, are identified.
The gap analysis was performed by an iterative process. The regulatory and
guidance materials to be considered were determined and collected, followed by an
initial review employing coarse filtering to identify ERFT-relevant sections of those
materials. Rubrics were developed for each of the four aspects to determine the level
of applicability of each section, introducing greater transparency and consistency in
identifying gaps. The rubrics provided aspect-specific criteria to facilitate consistent
classification of the section as applying as is, applying with interpretation, applying
with revision, or not applying. Their length precludes their being included here; for
the full text of the rubrics, see Stansbury et al. (2009a). A representative example of
a rubric is shown in Table 94.21 for assessment of regulations/procedures related to
pilot procedures. Using the rubrics, team members analyzed the identified sections,
adding annotations to justify each classification. Chapter 16 of AFH was analyzed
through a less-formal procedure by deriving the implications of manned emergency
procedures for UAS. The results of the several analyses, including the annotations,
were discussed to determine a consensus as to the level of applicability of each
section. The discussion below focuses upon regulations that required revision or
interpretation. Fundamental gaps and open set gaps were also identified. The result
of the gap analysis follows.

Table 94.21 Rubric for assessing regulations related to pilot procedures

| Classification | Criterion |
|---|---|
| Does not apply | Regulation or guidance material does not discuss procedures relevant to the emergency recovery/contingency procedures to mitigate risk |
| Applies as is | Regulation or guidance material discusses procedures relevant to the emergency recovery/contingency procedures to mitigate risk. Given current language, applicable as is without need for interpretation or revision for UAS paradigm |
| Applies with interpretation | Regulation or guidance material discusses procedures relevant to the emergency recovery/contingency procedures to mitigate risk. Parts of the language of the regulation require interpretation toward equivalent operations for unmanned aircraft |
| Applies with revision | Regulation or guidance material discusses procedures relevant to the emergency recovery/contingency procedures to mitigate risk. Regulation defines procedures of the pilot for safe operation within NAS that are unachievable for UAS given the language as it is written |

Pilot and Crew Procedure Gaps Title 14 CFR 91 and the AIM were examined
regarding pilot and crew procedures. The AFH was also examined as it indicates
expectations of the PIC of a manned aircraft in an emergency. Pilot and crew
procedures defined within 14 CFR Part 91 assume the pilot, crew, and passengers are
onboard the aircraft. While the pilot of a UAS may no longer be onboard the aircraft,
it is possible for a remotely piloted or autonomous aircraft to carry passengers or
crew in the not too distant future. These regulations cannot simply be dismissed for
“unmanned” aircraft, but rather must be interpreted or revised to be appropriate for
cases in which pilots, crew, and/or passengers are or are not onboard. Examples of
these regulatory gaps include 14 CFR 91.509, 91.511, and 91.513, which define
survival equipment for emergency evacuation for overwater flights, and 14 CFR
91.501, which requires any crewmember onboard the aircraft to be familiar with
the emergency equipment and emergency procedures onboard the aircraft before
flight. This regulation is also written with the assumption of the PIC being onboard
the aircraft and must be reinterpreted.

Procedures for normal flight operations impacted because the pilot is not
aboard the aircraft include operations where a pilot would diagnose or respond
to an emergency situation that could be handled through health-based recovery,
contingency-based recovery system, or flight termination. Examples are AIM
5-4-11, 5-4-14, and 5-4-16, which define arrival procedures, including instrument
approaches and simultaneous landing approaches. Under these conditions requiring
fast reaction times, the need to abort a landing or deviate from an arrival path
could be better handled through contingency-based recovery, which can both restore
safety and send a notification to ATC. Similar issues of deviation and notification of
ATC exist in AIM 6-1-1, 6-1-2, and 6-2-1, which define emergency procedures,
and AIM 7-1-14, which defines weather avoidance assistance procedures. Other
procedure-related guidance includes AIM 6-2-5, which defines requirements for
use of the onboard emergency locator during emergencies such as ditching, which
under the UAS paradigm ought to be activated by the flight termination system;
AIM 6-3-3, which defines procedures for selecting a suitable glide path to ditch
the aircraft, which under the UAS paradigm could be performed by the PIC, FT
system, or both; and AIM 6-4-2, which defines procedures for a pilot handling
the loss of a communication link with ATC. The health-based recovery system should
be responsible for diagnosing the issue and switching to a redundant communication
system if available; if communication is not restored, the contingency management
system is better able to handle the transponder settings that alert ATC of
the issue and to perform the appropriate LL procedure.
Throughout the regulations and the AIM, the pilot is assumed to be capable of
issuing a distress call and/or rapidly communicating any sudden deviations with
ATC. Given the significant changes to the communication paradigm between pilot,
aircraft, and ATC, these procedures need to be revised or significantly reinterpreted.
Guidance materials falling under this gap include AIM 5-3-1, which is written
assuming traditional communication paradigms for manned aircraft, instead of the
aircraft acting as a relay; AIM 6-1-1, 6-1-2, and 6-2-1, which discuss the ability
to deviate from standard procedures in an emergency; AIM 6-3-1, which discusses
distress communications where the PIC must provide immediate notification and
response to notifications dependent upon the condition and the directives of ATC,
with “immediate” being made difficult because of latency; and AIM 6-3-2, which
discusses request for emergency assistance when flying under distress.
Additional pilot- and crew-related gaps from Title 14 CFR and AIM include
14 CFR 91.609, which establishes the requirement for flight data recorders and
cockpit voice recorders in transport category aircraft, and AIM 1-1-19, which assumes
that the onboard global positioning system (GPS) would be identical to the current
technical standard order (TSO)-defined units featuring a graphical display for the
pilot. Under the UAS paradigm, the GPS can likely be different from these TSOed
GPS units and thus may require entirely different procedures for addressing a minor
or major GPS failure. Aspects of chapter 16 of the AFH suggest that a new approach
will be required regarding emergency situations in UAS. In a traditionally piloted
aircraft, the pilot uses visual means to best determine the location in event of an
unplanned landing. UAS require either dedicated space in which to fly or technology
to implement determination of the location for a flight-termination event. There is
currently no performance specification for such a technological solution. Also, the
necessity and means of informing other aircraft in the event the UAS engages in
ERFT procedures should be specified. Finally, in the event of a ground-based or
airborne observer, procedures should be specified to handle loss of visual contact
with the UA, whether due to IMC or some other situation.

Health-based Recovery Gaps For health-based recovery systems, the gap analysis
focused upon regulations for equipment that identified potential risks and mitigated
them through corrective measures that did not alter the aircraft’s current flight
plan. Similar to the procedural gaps, the physical disconnect of the pilot from the
aircraft leads to situations in which the regulation must be interpreted or revised
toward the use of a health-based recovery system to address the situation. 14 CFR
23/25/27/29.672 mandate that an indicator light notify the pilot if there is a loss
in stability control. Under the UAS paradigm, due to data link latency, an indicator
light may not be sufficient for notifying the pilot of this situation. The regulation
also calls for the aircraft’s control to be recoverable by the pilot. However, a health-
based recovery system could be capable of dynamically reacting to the fault and
recovering stability control. If such a system were onboard the aircraft, it would be
necessary that it be demonstrated to provide an ELOS, and the regulation must be
reinterpreted to consider such an alternative.
Engine fire suppression systems as mandated by 14 CFR 23/25.1195 can be
considered a health-based recovery system currently onboard some manned aircraft.
This regulation requires revision for a number of reasons. The propulsion system of
a UAS may not be based upon internal combustion (e.g., fuel cells or electric
motors), in which case it would likely not need a fire suppression system. Based upon
the size of an aircraft, requiring such a system may produce a significant burden. For
instance, a small hand-launched UAS could likely be incapable of handling such a
system and remain airworthy.
Health-based systems may be capable of handling a variety of different failures
either by initiating the appropriate transition to a redundant system or by diagnosing
and recovering the failure directly. As a result, regulations such as 14 CFR 27.695
and 29.695, which discuss recovery from power and control failures, ought to be
reinterpreted to consider the health-based recovery system operating in place of the
pilot in command. Similarly, health-based recovery may be capable of providing
the “immediate” response to some emergency situations defined in the AIM such as
AIM 5-4-11.
In AIM 1-1-1, 1-1-12, and 1-1-20, it is assumed that minor failures of
navigation aids may be detected by the pilot in command and the pilot can then act
appropriately to maintain safe flight. Under the UAS ERFT framework, a health-
based recovery system could both detect and recover from a minor fault without
having a significant impact on flight. Voice communication loss and recovery is
discussed in AIM 6-4-1. A health-based recovery system could be utilized in place
of pilot procedures to autonomously change to a redundant communication link.

Contingency-Based Recovery Gaps Because contingency-based recovery results
in the UAS deliberately changing course to recover from some emergency condition,
the procedural guidelines as defined in the AIM may require some reinterpretation
because of the physical separation between the UAS, with its contingency-based
recovery system, and the pilot in command. For instance, AIM 4-3-5 defines the
necessity to quickly notify ATC in the event of a landing abort. Since such a deviation
may be executed by the contingency-based recovery system, the system must either
alert ATC directly or communicate the event to the PIC, who then notifies ATC,
resulting in added delay. This gap exists for a number of sections of the AIM
including AIM 4-3-5, 4-4-1, and 5-5-2.
Lost link procedures also generate a number of gaps. Current regulations do
not address the command data link, but do address the voice communication
channel. Recovery procedures for voice communication loss are defined in AIM
6-4-1 and 6-4-2. The latter requires the pilot to notify ATC via a change in
transponder setting. If the aircraft is used as a communication relay and the loss of
communication with ATC occurs as a result of the link from GCS to UA failing, the
pilot would be unable to command such a setting change. Diagnosis and recovery of
communication failures, however, could be handled entirely without PIC action
as part of a predefined set of lost link procedures onboard the aircraft. It may be
useful to define separate transponder alert settings for voice and data communication
losses, respectively.
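
The escalation described above, in which health-based recovery first switches to a redundant link and contingency management then sets a transponder alert and runs the lost link procedure without PIC action, can be expressed as onboard logic. This is an added illustration, not code from the chapter or from any fielded system; the link names, timeouts, and alert names are hypothetical placeholders (not real transponder settings), and the combined voice-and-data alert is an assumption.

```python
from dataclasses import dataclass
from enum import Enum


class Service(Enum):
    COMMAND = "command data link"
    VOICE = "ATC voice link"


class Alert(Enum):  # placeholder alert settings, not real transponder codes
    NONE = "none"
    VOICE_LOSS = "voice-loss"
    DATA_LOSS = "data-loss"
    VOICE_AND_DATA_LOSS = "voice-and-data-loss"  # assumed combined setting


@dataclass
class Link:
    name: str
    services: frozenset      # services this link can carry
    last_heard: float = 0.0  # time of last valid heartbeat, in seconds

    def healthy(self, now, timeout):
        return now - self.last_heard <= timeout


class LostLinkManager:
    """Runs onboard the UA, so it keeps working when the GCS cannot reach it."""

    def __init__(self, links, active, heartbeat_timeout=2.0, recovery_window=10.0):
        self.links = {link.name: link for link in links}
        self.active = dict(active)       # Service -> name of link in use
        self.timeout = heartbeat_timeout
        self.window = recovery_window    # time allowed for health-based recovery
        self.down_since = {}             # Service -> time the outage was first seen
        self.alert = Alert.NONE
        self.ll_procedure_active = False
        self.log = []

    def heartbeat(self, link_name, now):
        self.links[link_name].last_heard = now

    def _health_based_recovery(self, service, now):
        """Keep or switch links without touching the flight plan."""
        current = self.links[self.active[service]]
        if current.healthy(now, self.timeout):
            return True
        for link in self.links.values():
            if service in link.services and link.healthy(now, self.timeout):
                self.log.append((now, f"{service.name}: {current.name} -> {link.name}"))
                self.active[service] = link.name
                return True
        return False

    def step(self, now):
        lost = set()
        for service in Service:
            if self._health_based_recovery(service, now):
                self.down_since.pop(service, None)
            else:
                first_seen = self.down_since.setdefault(service, now)
                if now - first_seen >= self.window:
                    lost.add(service)    # recovery failed: hand over to contingency
        # Contingency management: separate alert settings for voice and data loss.
        if lost == {Service.COMMAND, Service.VOICE}:
            self.alert = Alert.VOICE_AND_DATA_LOSS
        elif Service.COMMAND in lost:
            self.alert = Alert.DATA_LOSS
        elif Service.VOICE in lost:
            self.alert = Alert.VOICE_LOSS
        else:
            self.alert = Alert.NONE
        # The predefined lost link procedure runs only while command is lost.
        self.ll_procedure_active = Service.COMMAND in lost
        return self.alert


def relay_scenario():
    """Constructed timeline: the UA relays ATC voice over the primary link.

    The primary link stops at t=5 s and the command-only backup stops at t=18 s.
    """
    primary = Link("c2-primary", frozenset({Service.COMMAND, Service.VOICE}))
    backup = Link("satcom-backup", frozenset({Service.COMMAND}))
    mgr = LostLinkManager(
        [primary, backup],
        {Service.COMMAND: "c2-primary", Service.VOICE: "c2-primary"},
    )
    trace = []
    for t in range(32):
        if t <= 5:
            mgr.heartbeat("c2-primary", t)
        if t <= 18:
            mgr.heartbeat("satcom-backup", t)
        alert = mgr.step(t)
        trace.append((t, mgr.active[Service.COMMAND], alert, mgr.ll_procedure_active))
    return mgr, trace


if __name__ == "__main__":
    manager, timeline = relay_scenario()
    previous = None
    for t, command_link, alert, ll_active in timeline:
        if (command_link, alert, ll_active) != previous:
            print(t, command_link, alert.value, "LL procedure" if ll_active else "")
            previous = (command_link, alert, ll_active)
```

In the constructed timeline the command link fails over to the backup with no alert, the relayed voice channel has no alternative and raises the voice alert once the recovery window expires, and the lost link procedure starts only after the backup also goes silent.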
A number of other contingency situations occur in which the contingency-
based recovery system would override the actions specified in the AIM. Specific
examples include AIM 1-1-1, 1-1-12, and 1-1-20 for corrective measures in the
event of a navigation aid failure and AIM 7-1-14 for utilizing weather avoidance
assistance.

Flight Termination Gaps The examination of regulations and procedures related
to flight termination focused upon those that addressed the ditching or emergency
landing of an aircraft. One major gap that exists with respect to FT is the structural
and restraint requirements for passengers and crew onboard aircraft. For UAS, it
might be assumed that no pilot is onboard; however, in the future unpiloted aircraft
may still be used for passenger or cargo transport. In the case in which the intended
design and use of the aircraft would not support any humans onboard, these safety
regulations would not be applicable. If the intent is for passengers or crew, it
should be possible to mandate only those safety elements necessary to support
that use. Impacted regulations include 14 CFR 23/25/27/29.561, 23/25/27/29.562,
23/25/29.803, 23/27/29.805, 23/25/27/29.807, 25/29.809, 25.810, 23/25/29.811,
23/25/29.812, and 23/25/29.813. Similarly, emergency/survival equipment and crew
training on procedures to utilize this equipment are mandated in 14 CFR 91.501,
91.509, 91.511, and 91.513.
14 CFR 91.609 establishes the requirement for flight data recorders and cockpit
voice recorders in transport category aircraft. This regulation provides no exemption
for aircraft without a pilot in the cockpit, such as an unmanned transport-category
aircraft. While a voice recorder could be useful to record communication between
ATC and the GCS-based operators, the wording of this requirement will likely
require revision for it to fit correctly. 14 CFR 25.1457, 27.1457, and 29.1457 also
address cockpit voice recorders, though they provide the requirements for the device
rather than the requirement to have the device.
The AIM and chapter 16 of the AFH define procedures for the pilot if the aircraft
must be ditched. AIM 6-2-5 defines the requirements for triggering the emergency
locator upon ditching the aircraft. AIM 6-3-3 discusses the procedures for finding
a suitable crash glide path to ditch the aircraft in water. In all of these cases, it may
be possible to automate these tasks as part of the onboard flight termination system.

Fundamental Gaps During the gap analysis, fundamental gaps were identifiable
because a significant number of regulations were identified as having gaps and
the justifications for these gaps were very similar. The physical decoupling of the
PIC from the aircraft qualifies as one of the largest fundamental gaps as it results
in the largest number of regulatory gaps related to procedures and airworthiness
regulations. For instance, any procedure requiring an immediate response must be
reevaluated as “immediate” may no longer be achievable as currently understood
due to latency and a lack of situational awareness.
A number of regulations and procedures are written regarding the safety of
passengers and crew onboard the aircraft; however, one of the fundamental dif-
ferences between UAS and manned aircraft is that a UAS can be constructed
for operation solely without passengers or crew. All existing relevant regulations
must be reinterpreted, revised, or eliminated from applicability for UAS. The
GCS generates an additional fundamental gap as existing regulations for cockpit
layout and equipment must be reinterpreted and/or revised in order to support
aircraft control remotely. It may be necessary to revise existing regulations as some
traditional cockpit controls have been replaced by a mouse and keyboard
used to define waypoints, with the autopilot controlling flight surfaces.
Under the AFH and HFH, procedures existed for the pilot to down the aircraft. A
fundamental gap exists in regard to how procedures are written for UAS regarding
emergency flight termination. A flight termination system such as a parachute is
available to UAS, which is rarely seen or used by manned aircraft. The kinetic
energy of a UAS can be dramatically different than a manned aircraft such
that terrain considered previously unsuitable for an emergency landing may be
adequate.

Open Set Gaps Several pieces of aircraft equipment must be evaluated to deter-
mine what regulations must be defined for their usage within an unmanned aircraft,
as they are not typically found within a manned aircraft, including command
data link; ATC/GCS voice link; GCS components; situational awareness sensors
such as any onboard cameras, radars, and auditory sensors; health-based recovery
system; contingency management system; and flight termination system (explosives
or ballistic recovery system).
The PIC can only communicate with the aircraft via a command data link at the
GCS. An open set gap exists because manned aircraft are not equipped with data
links for this purpose, and no regulations exist for the command data link as
part of 14 CFR. Regulations must exist to define performance, link loss procedures,
data frequencies, message sets, etc. In the event of a mishap, UAS technology must
be equipped with a contingency management system capable of identifying the
failure and then executing one of several possible predefined actions. A number
of possible approaches are available. The open set gap occurs because nowhere
in the current regulatory framework is such a system mandated, nor are its minimum
performance requirements defined. Additional open set gaps exist for the roles of the
UAS flight crew. Ground observer qualifications including training, health, visual
acuity, etc. are not currently defined as part of the regulations.

94.7 Conclusion

This chapter has discussed the role of technology surveys and regulatory gap
analyses in supporting the FAA and policy makers in understanding how the current
regulatory environment must adapt to accept the near-disruptive technology of UAS.
Earlier in the report, the concepts of the technology survey and regulatory gap
analysis were presented, but without any specific best practices.
Each case study summarized published research conducted by the ERAU team
over the course of several years. The first two studies involved propulsion systems
for UAS (Griffis et al. 2008; Griffis and Wilson 2009). Next, C3 (Stansbury et al.
2008, 2009d) and SAA (Reynolds and Wilson 2008a, b) were studied. Finally,
given the lessons learned from the previous studies, the ERFT study (Stansbury
et al. 2009a, b, c) tried to pool together the best practices from the previous studies in
order to produce a less subjective analysis of the regulations. It is recommended that
the reader seek out these papers for further information and more detailed versions
of their respective technology surveys and gap analyses.
This chapter concludes with the authors' attempt to convey some recommended
practices for conducting technology surveys and regulatory gap analyses. This should
allow those in the UAS community seeking to analyze other technology
areas to start with a solid iterative foundation for conducting their studies.

94.7.1 Guidance on Performing a UAS Technology Survey

An iterative process is recommended for conducting a technology survey for a
UAS. First, a web search will provide a summary of the market for a specific
UAS technology. The preliminary results will likely be a list of UAS utilizing
the technology, manufacturers of that technology, some major categories of the
technology, and some high-level information on how the technology is applied to
UAS. Second, given these preliminary results, a second survey of literature (both
online and print published) should be conducted to derive a deeper understanding
of the technology (i.e., specific data sheets, user manuals, guidance materials).
The resulting data should be compiled. Third, a framework should be derived for
conceptually representing the technology, its subcategories, and its relationship
to UAS. This model is used to help define the key points of variation among
representative systems. Lastly, utilizing this model, a final technology survey is
conducted in which collected references and additional research results are applied
to the model to clearly articulate the representative cases of the various technologies
as applied to the context of UAS.

94.7.2 Guidance on Performing a Regulatory Gap Analysis

The gap analysis proceeds in steps. The first step is to review Title 14 of the Code
of Federal Regulations to determine putative applicability of the regulation to the
particular technology at hand. Putative applicability is determined using as inclusive
an applicability criterion as possible: if the regulation could be construed through
even a generous interpretation to apply to the technology, it is included in the
putative list.
The second step is to develop rubrics which classify the regulation applied to
the technology as one of applies, applies with interpretation, applies with revision,
and does not apply. A rubric is developed for each element of the conceptual model
or framework for the technologies under review. The language of the rubric should
be such that a reasonably well-informed individual using the rubric should come
to similar conclusions as to whether any given regulation applies to the technology
at hand.
The third step is to apply the appropriate rubric of step two to each of the
regulations in 14 CFR 1–199. Multiple individuals should perform step three, such
that their results can be compared. Differing results should be discussed until
agreement is reached as to the proper classification. Annotations should be provided
to identify the rationale for the classifications made whenever necessary.
The fourth and final step is to compare the results of step three with the putative
list from step one. Disagreements between the step three list and the putative list
should be re-examined to ensure that the classification is appropriate.

References
AAI Corp, Unmanned aircraft systems (2008), online, http://www.aaicorp.com/New/UAS/index.
htm
AC Propulsion, AC propulsion’s solar electric powered solong uav (2005), online, http://www.
acpropulsion.com/ACP PDFs/ACP SoLong Solar UAV 2005-06-05.pdf
Access 5, Cooperative conflict avoidance sensor trade study report V.2. Technical report, NASA
Access 5, Edwards, CA, 2004
Advance Ceramic Research, Unmanned vehicle systems (2008), online, http://www.acrtucson.
com/UAV/index.htm
AeroVironment, Unmanned aircraft systems (2008), online, http://www.avinc.com/UAS products.
asp
AIAA, UAV programs around the world. Aerospace America, issue supplement, 2005
AIAA, 2011 worldwide UAV roundup, Poster, 2011
V.G. Ambrosia, B. Cobleigh, C. Jennison, S. Wegener, Recent experiences with operating UAS in
the NAS, in AIAA Infotech Aerospace 2007 Conference and Exhibit, Rohnert Park, California,
AIAA 2007-3007, 2007
AREN, Mazda Wankel Rotary Engines for aircraft website (2006), online, http://www.rotaryeng.
net
Army-Technology.com, Army technology – CL289 – unmanned aerial vehicle (2007), online,
http://www.technology.com/projects/cl289/
E.M. Atkins, Dynamic waypoint generation given reduced flight performance, in Proceedings of
the 42nd AIAA Aerospace Sciences Meeting and Exhibit, Reno, Nevada, AIAA 2004-779, 2004
M. Brian, How rocket engines work (2007), online, http://science.howstuffworks.com/rocket.htm
N. Brown, A. Samuel, S. Bhandar, R. Colgren, D. Schinstock, J. Lookadoo, Modular wireless
avionic system for autonomous UAVs, in AIAA Guidance, Navigation, and Control Conference
and Exhibit, Keystone, CO, AIAA 2006-6683, 2006, pp. 21–24
M.C. Butler, T. Loney, Design, development and testing of a recovery system for the Predator UAV,
in 13th AIAA Aerodynamic Decelerator Systems Technology Conference, Clearwater Beach,
AIAA 95-1573, 1995
Defense Update International Online Defense Magazine, Desert Hawk Miniature UAV (2006),
online, http://www.defense-update.com/products/d/deserthawk.htm
P. Donaldson, D. Lake (eds.), Unmanned Vehicles Handbook 2008 (Shephard Press, Ltd.,
Berkshire, UK, 2007)
Electricity Storage Association, Technologies – supercapacitors (2007), online, http://
electricitystorage.org/tech/technologies technologies supercapacitor.htm
Federal Aviation Administration, Automatic dependent surveillance – broadcast (ADS-B) out
performance requirements to support air traffic control (ATC) service. Technical report, Docket
no. FAA-2007-29305, Department of Transportation: FAA, 2007, http://www.faa.gov/aircraft/
air cert/continued operation/ad/
Federal Aviation Administration, Interim operational approval guidance 08-01: Unmanned aircraft
systems operations in the national airspace system, Technical report, Federal Aviation
Administration. Aviation Safety Unmanned Aircraft Program Office AIR-160, 2008
Federal Aviation Administration, Airplane flying handbook (2009a), http://www.faa.gov/library/
manuals/aircraft/airplane handbook/
Federal Aviation Administration, Helicopter flying handbook (2009b), http://www.faa.gov/library/
manuals/aircraft/media/faa-h-8083-21.pdf
Federal Aviation Administration, TSO-C23d: Personnel parachute assemblies (2009c), http://rgl.
faa.gov/Regulatory andGuidanceLibrary/rgTSO.nsf/0/00493ac675eda12e86256da500600ef7/
$FILE/C23d.pdf
Federal Aviation Administration, Evaluation of candidate functions for traffic alert and collision
avoidance system II (TCAS II) on unmanned aircraft system (UAS) (2011), online, http://www.
faa.gov/about/initiatives/uas/media/TCASonUAS FinalReport.pdf
Federal Aviation Administration, Aeronautical information manual (2012a), online, http://www.
faa.gov/air traffic/publications/atpubs/aim/
Federal Aviation Administration, TCAS home page (2012b), online, http://adsb.tc.faa.gov/TCAS.
htm
Federal Aviation Administration, Technical standard order (TSO) (2012c), online, http://www.faa.
gov/aircraft/air cert/design approvals/tso/
Federal Aviation Administration, TSO-C52b: Flight director equipment (2012d), online, http://rgl.
faa.gov/Regulatory and Guidance Library/rgTSO.nsf/0/56EF54910099134186256DC1006006
02?OpenDocument
Federal Aviation Administration, TSO-C9c: Automatic pilot (2012e), http://rgl.faa.gov/Regul
atory and Guidance Library/rgTSO.nsf/0/4D729BA5BDF5851286256DA4005DC0AD?Open
Document
D. Fitzgerald, R. Walker, D. Campbell, Vision based emergency forced landing system for
an autonomous UAV, in Proceedings of the Australian International Aerospace Congress
Conference, Melbourne, Australia, 2005, pp. 397–402
Flightglobal, British blend: UAV x-planes help boeing with blended wing concept
(2009a), online, http://www.flightglobal.com/articles/2006/05/30/206893/british-blend-uav-x-
planes-help-boeing-with-blended-wing.html
Flightglobal, Global Hawk downed by rogue abort signal (2009b), online, http://www.flightglobal.
com/articles/1999/10/06/56882/global-hawk-downed-by-rogue-abort-signal.html
Flightglobal, Grand designs (2009c), online, http://www.flightglobal.com/articles/2005/06/07/
198916/grand-designs.html
Flightglobal, Lockheed confirms P-175 Polecat UAV crash (2009d), online, http://www.flig
htglobal.com/articles/2007/03/20/212700/lockheed-confirms-p-175-polecat-uav-crash.html
L. Frater, E. Stokes, R. Lee, T. Oriola, An overview of the framework of current regulation affecting
the development and marketing of nanomaterials. Technical report, ESRC Centre for business
relationships accountability sustainability and society (BRASS), Cardiff University, 2006
E.W. Frew, C. Dixon, J. Elston, B. Argrow, T.X. Brown, Networked communication, command, and
control of unmanned aircraft systems. J. Aerosp. Comput. Inf. Commun. 5, 84–107 (2008)
General Atomics Aeronautical Systems, Inc, Aircraft platforms (2008), online, http://www.ga-asi.
com/products/index.php
Global Security, Common Data Link (2008), online, http://www.globalsecurity.org/intell/systems/
cdl.htm
Globalstar, Globalstar, Inc. – worldwide satellite voice and data products and services for
customers around the globe, (2008), online, http://www.globalstar.com
C.L. Griffis, T.A. Wilson, A conceptual framework for UAS propulsion applied to risk and
regulatory gap analyses, in SAE 2009 AeroTech Congress and Exhibition, Seattle, WA, 2009
C.L. Griffis, T. Wilson, J. Schneider, P. Pierpont, UAS propulsion systems technology survey,
Technical report, U.S. Department of Transportation: Federal Aviation Administration, 2007
C.L. Griffis, T.A. Wilson, J.A. Schneider, P.S. Pierpont, Framework for the conceptual decompo-
sition of unmanned aircraft propulsion systems, in Proceedings of the 2008 IEEE Aerospace
Conference, 2008
R.D. Hale, W.R. Donovan, M. Ewin, K. Siegele, R. Jager, E. Leong, W.B. Liu, The Meridian UAS:
detailed design review, Technical report, TR-124, Center for Remote Sensing of Ice Sheets.
The University of Kansas. Lawrence, Kansas, 2007
D. Hall, B. Hosken, R. Wagner Robotics instruction course (2003), online, http://teamster.usc.
edu/fixture/Robotics/Course.htm
G. Heredia, V. Remu, A. Ollero, R. Mahtani, M. Musal, Actuator fault detection in autonomous
helicopters, in Proceedings of the 5th IFAC Symposium on Intelligent Autonomous Vehicles
(IAV 2004), Lisbon, Portugal, 2004
S. Hottman, K. Hansen, M. Berry, Review of detect, sense, and avoid technologies for unmanned
aircraft systems. Technical report, U.S. Department of Transportation: FAA, 2007
INMARSAT, Aeronautical services (2008), Online, http://www.inmarsat.com/Services/
Aeronautical/default.aspx?language=EN&textonly=False
Insitu, Insitu unmanned aircraft systems (2008), http://www.insitu.com/uas
Iridium, Aviation equipment (2008), online, http://www.iridium.com/products/product.htm
L. Kirk, D. Marshall, B. Trapnell, G. Frushour, Unmanned aircraft system regulatory review.
Technical report, U.S. Department of Transportation: Federal Aviation Administration, 2007
J.D. McMinn, E.B. Jackson, Autoreturn function for a remotely piloted vehicle, in AIAA Guidance,
Navigation, and Control Conference and Exhibit, Monterey, CA, AIAA 2002-4673, 2002
Micropilot, MP2028 series autopilots (2008), Online, http://micropilot.com/autopilots.htm
MicroPilot Inc, MP2028g Installation and Operation (MicroPilot Inc., Stony Mountain, MB, 2005)
National Fuel Cell Council, Fuel cell glossary (2006), http://www.usfcc.com/Glossary2.pdf
National Transportation Safety Board, NTSB Incident CHI06MA121 – full narrative (2008),
online, http://www.ntsb.gov/ntsb/brief2.asp?ev id=20060509X00531&ntsbno=CHI06MA121&
akey=1
M. Neale, M.J. Schultz, Current and future unmanned aircraft system control and communications
datalinks, in AIAA Infotech Aerospace Conference and Exhibit, Rohnert Park, CA, AIAA 2007-
3001, 2007
Northrop Grumman, Unmanned systems (2008), online, http://www.is.northropgrumman.com/
systems/systems ums.html
Office of the Secretary of Defense, Unmanned aircraft systems roadmap 2005–2030, 2005
A. Parsch, Boeing/Insitu ScanEagle (2006), online, http://www.designation-systems.net/dusrm/
app4/scaneagle.html
R.A. Peters, M. Farrell, Comparison of LEO and GEO satellite systems to provide broadband
services, in 21st International Communications Satellite Systems Conference and Exhibit,
Yokohama, AIAA 2003-2246, 2003
Procerus Technologies, Kestrel autopilot system (2008a), online, http://procerusuav.com/
Downloads/DataSheets/Kestrel 2.2x.pdf
Procerus Technologies, Kestrel User Guide (Procerus Technologies, Vineyard, UT, 2008b)
Protonex Technology Corporation, ProCore UAV – Lightweight Propulsion (Promotional Flyer,
2006), online, http://www.fuelcellmarkets.com/images/articles/ProtonexProCoreUAV.pdf
T.M. Ravich, The integration of unmanned aerial vehicles into the national airspace. North Dakota
Law Rev. 85(597), 597–622 (2009)
RCV Engines, Ltd, News release: RCV awarded engine contract for micro air vehicle (2006),
online, http://www.rcvengines.com/pdf files/pr/mav-contract.pdf
C. Reid, M. Manzo, M. Logan, Performance characterization of a lithium-ion gel polymer battery
power supply system for an unmanned aerial vehicle. Technical report NASA/TM-2004-
213401 2004-01-3166, NASA, 2004
C. Reynolds, T.A. Wilson, Detect, sense, and avoid: Regulatory gap analysis, in FAA Center for
Excellence in General Aviation Conference, Anchorage, AK, 2008a
C. Reynolds, T.A. Wilson, Regulatory gap analysis: Detect, sense, and avoid technologies for UAS.
Technical report, Pending Release, FAA technical report, 2008b
K. Ro, J.S. Oh, L. Dong, Lessons learned: Application of small UAV for urban highway traffic
monitoring, in 45th AIAA Aerospace Sciences Meeting and Exhibit, Reno, Nevada, AIAA 2007-
0596, 2007
Rolls-Royce, PLC, AE 3007 technical data (2006), online, http://www.rolls-royce.com/defence
aerospace/products/tactical/ae3007/tech.jsp
H.P. Rotstein, R. Ingvalson, T. Keviczky, G.J. Balas, Fault-detection design for uninhabited aerial
vehicles. Journal of Guid. Control Dyn. Anchorage, AK, 29(5), 1051–1060 (2006)
RTCA SC-2003, DO-304: Guidance materials and considerations for unmanned aircraft systems.
Technical report, RTCA, Inc. Special Committee SC-203, 2007
SAE International, Flight Director Equipment, AS-8008, 1984
SAE International, Automatic pilots, AS-402B, 2001
SARA, Inc, Uav acoustic collision-alert system (2008), online, http://www.sara.com/ISR/UAV
payloads/PANCAS.html
R.S. Stansbury, M.A. Vyas, T.A. Wilson, A survey of UAS technologies for command, control,
and communication (C3). J. Robot. Intell. Syst. (JINT) 54(1), 61–78 (2008)
R.S. Stansbury, W. Tanis, J. Davis, T.A. Wilson, A technology survey and regulatory gap analysis
of emergency recovery and flight termination for UAS, in AUVSI North America, Washington,
DC, 2009a
R.S. Stansbury, W. Tanis, J. Davis, T.A. Wilson, UAS emergency recovery and flight termination:
technologies and regulatory gaps, in SAE 2009 AeroTech Congress and Exhibition, Seattle, WA,
2009b
R.S. Stansbury, W. Tanis, T.A. Wilson, A technology survey of emergency recovery and flight
termination systems for UAS, in Infotech@Aerospace/Unmanned Unlimited Conference,
Seattle, WA, 2009c
R.S. Stansbury, M.A. Vyas, T.A. Wilson, A technology survey and regulatory gap analysis of
command, control, and communication (C3) UAS technologies, in IEEE/AIAA Aerospace
Conference, Big Sky, MT, 2009d
R.C. Strain, M.T. Degarmo, J.C. Moody, A lightweight, low-cost ADS-B system for UAS appli-
cations, in AIAA Infotech Aerospace 2007 Conference and Exhibit, Rohnert Park, California,
AIAA 2007-2780, 2007
2338 R.S. Stansbury and T.A. Wilson

C. Theiss, A. Thomas, Comparison of prime movers suitable for USMC expeditionary power
sources. Technical report, Oak Ridge National Laboratory (ORNL), 2000
United States Naval Academy, Fundamentals of naval warfare systems (2008), online, http://www.
fas.org/man/dod-101/navy/docs/fun/index.html
B. Vaglienti, R. Hoag, M. Niculescu, Piccolo System User’s Guide (Cloud Cap Technology, Hood
River, OR, 2008)
L.A. Walker, Flight testing the X-36 – the test pilot’s perspective. Technical report, NASA
contractor report no. 198058, NASA – Dryden Flight Research Center, Edwards, California,
1997
J.S. Winstead, Transformational isr (RQ-4 GlobalHawk), in TAAC Conference Proceedings 2009
[cd-rom], Albuquerque, NM, 2008
95 Concept of Operations of Small Unmanned Aerial Systems: Basis for Airworthiness Towards Personal Remote Sensing

Brandon Stark, Calvin Coopmans, and YangQuan Chen

Contents
95.1 Introduction
95.2 Airworthiness
95.2.1 Aircraft Standards
95.2.2 Ground Control Station
95.2.3 Air Safety
95.3 Flight Operations
95.3.1 Operational Environment
95.3.2 Flight Authorization
95.3.3 Data Mission Assurance
95.4 Operator Certification
95.4.1 Human Factors
95.4.2 Documentation and Logs
95.5 An Application Scenario
95.5.1 The Riparian Application Scenario
95.5.2 Mission Preparation
95.5.3 Mission Success Metrics
95.5.4 Applications for Advanced Payload Development or Human-Automation Interaction
References

B. Stark • Y. Chen
Mechatronics, Embedded Systems and Automation (MESA) Lab, School of Engineering,
University of California, Merced, CA, USA
e-mail: bstark2@ucmerced.edu; yqchen@ieee.org; ychen53@ucmerced.edu
C. Coopmans
The Center for Self-Organizing and Intelligent Systems (CSOIS), Utah State University, Logan,
UT, USA
e-mail: cal.coopmans@usu.edu

K.P. Valavanis, G.J. Vachtsevanos (eds.), Handbook of Unmanned Aerial Vehicles,
DOI 10.1007/978-90-481-9707-1 105,
© Springer Science+Business Media Dordrecht 2015
