Professional Documents
Culture Documents
Contents
90.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2178
90.2 Motivation and Application Strategy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2180
90.3 COA Application. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2182
90.3.1 COA Area Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2182
90.3.2 Airworthiness Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2185
90.3.3 Lost Communications and Emergency Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2187
90.4 Using COAs and FAA Interaction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2191
90.4.1 COA Provisions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2191
90.4.2 Activating COA Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2193
90.4.3 Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2193
90.5 Case Study/Lessons Learned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2194
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2197
K.P. Valavanis, G.J. Vachtsevanos (eds.), Handbook of Unmanned Aerial Vehicles, 2177
DOI 10.1007/978-90-481-9707-1 63,
© Springer Science+Business Media Dordrecht 2015
2178 M. Stachura et al.
Abstract
This chapter discusses the specifics of the Certificates of Authorization (COA)
that were obtained for the second Verification of the Origin of Rotation in Torna-
does Experiment (VORTEX2) project and how the operations were conducted to
satisfy the COA requirements. A strategy is outlined for operating these nomadic
missions with small UAS within the confines of FAA regulations. This includes
information on getting FAA COAs for a large area, specifically focusing on area
selection, airworthiness, and emergency procedures, which are the keys to these
applications. Interacting with the FAA once COAs have been granted is very
important to the success of such a mission and is included in this chapter along
with some lessons learned to improve future projects with similar goals.
90.1 Introduction
On 6 May 2010, on the plains of west Kansas, the Tempest unmanned aircraft
system (UAS) made the first ever intercept of a supercell thunderstorm as part of
the VORTEX2 field campaign (Elston et al. 2011b). This was surpassed on 10 June
2010, on the plains of eastern Colorado, with the first ever UAS intercept of a
tornadic supercell (Elston et al. 2011b). With more than 100 scientists and engineers
deploying more than 40 instrument platforms, VORTEX2 was the largest effort
in history dedicated to the study of tornadoes (Oceanic and Association 2010).
Two field campaigns were conducted 1 May–13 June 2009 and 1 May–15 June
2010; the Tempest UAS was deployed for the 2010 field campaign. The VORTEX2
participants maintained a completely nomadic program, roaming the Great Plains
to track supercell thunderstorms. Supercells are the most violent form of severe
convective storms, often producing the most violent and damaging tornadoes. The
purpose of VORTEX2 is to study these storms for a better understanding of the
ingredients that create supercells and to try to answer the question of why some
supercells produce tornadoes while others do not (VORTEX2 SPO).
The development of the Tempest unmanned aircraft system (Fig. 90.1) addressed
a variety of scientific, technical, logistical, and regulatory issues. Science drivers for
the Tempest UAS focused on the need to sample pressure, temperature, humidity,
and wind velocity in the rear-flank downdraft of supercell thunderstorms. Current
models suggest that this area plays a causative role in tornadogenesis, and these
models cannot be evaluated without in situ data. In turn, the science drivers lead to
the requirement to sample the storm in areas where little is known about the flight
conditions that will be encountered. As a result, the Tempest aircraft was developed
for robust flight across a range of expected flight conditions. The dynamic nature of
supercell thunderstorms necessitated a mobile concept of operations such that the
unmanned aircraft could be stowed and transported by ground and then launched
as quickly as possible. Finally, additional limitations were imposed by the Federal
Aviation Administration (FAA) in order to satisfy regulatory requirements for the
operation of unmanned aircraft systems.
90 Certification Strategy for Small Unmanned Aircraft 2179
The primary engineering objective for the Tempest UAS deployment was to develop
a small UAS networked into a mobile command, control, and communications
(C3) infrastructure that could meet the requirements for supercell penetration,
specifically in the rear-flank downdraft (RFD), a region considered critical to the
understanding of tornado formation. The UAS would also have to meet requirements
for portability, with the mobility to target and track supercell thunderstorms,
then enable rapid launch, storm penetration, and recovery of the unmanned air-
craft.
90 Certification Strategy for Small Unmanned Aircraft 2181
Fig. 90.2 Three sampling scenarios designed for use in the 2010 VORTEX2 campaign (Elston
et al. 2011b) (a) S1 = standard inflow launch parallel to storm motion (b) S2 = inflow launch
perpendicular to storm motion (c) S3 = outflow launch parallel to storm motion
Although the engineering requirements for the Tempest UAS were ultimately
driven by the meteorological science objectives, for VORTEX2 the purpose was
to demonstrate the feasibility of a small UAS for supercell sampling, so the
science objectives were secondary to the engineering objectives. The primary
science objective was to collect in situ measurements of pressure, temperature, and
humidity, targeted in the rear-flank downdraft (RFD) and its outflow (VORTEX2
SPO). The RFD generally forms on the southwest portion of the storm, and when
the downdraft approaches the ground, it spreads horizontally to form the RFD gust
front. The focus of the Tempest UAS science mission is to fly into the RFD from
the east or the south, crossing the gust front during the ingress.
Figure 90.2 from Elston et al. (2011b) illustrates three sampling scenarios. In S1
the UA is launched from the east of the supercell, then flies beneath the hook of
the mesocyclone, near the tornado indicated by the small red triangle, into the RFD.
The UA then proceeds to fly multiple transects, where the different colors of the
trajectories indicated transects at different altitudes. For S2, the UA approaches the
mesocyclone hook from the south, crossing the RFD gust front with its horizontal
outflow before the UA makes contact with the main downdraft of the RFD and the
tornado. S3 is the most difficult of the three scenarios, with an approach from the
southwest which means that the UA is chasing supercells that typically move on
northeast to easterly tracks.
Development of the concept of operations (CONOPS) for the Tempest UAS, and
subsequent COA applications, focused on safe, assured operations by maintaining
situational awareness of the UAS and airspace at all times. The main barrier to safe
operation that satisfies FAA regulations is the ability to perform “sense and avoid”
whereby the operational airspace is continually monitored and deconflicted, i.e., the
UAS is kept clear of other airborne traffic. Though the FAA allows different options
for providing sense and avoid, (e.g., stationary visual observers on the ground, visual
observers in a chase aircraft, ground-based radar, radio transponders, and direction
from air traffic control), stationary ground observers were used as the only solution
during VORTEX2.
2182 M. Stachura et al.
A second major factor in the COA application process was the dynamic, mobile
pace of operations required to sample supercell thunderstorms. The conditions for
supercell thunderstorm formation can become evident several days in advance.
However, pinpointing the location and trajectory of a particular storm is difficult.
Further, the onset of tornado formation cannot be predicted reliably in advance
(the whole point of the VORTEX2 mission). Tornadogenesis within a supercell
thunderstorm has been observed to occur in as little as 13 min from the first
manifestation of potential tornadic activity (Erickson and Brooks 2006). As a
result, successful operation during VORTEX2 required the ability to establish flight
profiles with minimal advance notification. The standard provisions for most COA’s
require at least 48 h notification to activate a COA area through Notice to Airman
(NOTAMS) along with contacting other groups such as ATC or military operations
groups depending on the area. This provision would make these types of operations
impossible.
Many of the FAA requirements that needed to be satisfied affected directly the
design of the Tempest system. These design decisions were a direct result of a
previous project, the Collaborative Colorado-Nebraska Unmanned Aircraft System
Experiment (CoCoNUE), that acted as a precursor to the VORTEX2 campaign
with the goal of using a UAS to sample across an air mass boundary. One of the
important lessons learned during these experiments is that maintaining eyes on the
aircraft from a chase car (an FAA requirement to ensure airspace deconfliction) is
only feasible if the aircraft is tasked to orbit the chase car. This coupled with the
requirement of a stationary ground station led to the use of a tracker vehicle which
needed to maintain a data link with the aircraft to share its GPS position and led
to the use of an ad hoc network to allow the UA to simultaneously communicate
with both the ground station and the tracker vehicle; see Elston (2011) for more
information on the communication subsystem.
Some subsystems had to be added to the Tempest UAS to either satisfy FAA
requirements or to increase safety to expedite the COA process including a 900 MHz
tracking antenna with Yagi for up to 20 miles of range to ensure communication over
the maximum range of COA area from stationary ground station, a 2.4 GHz data
link with ad hoc communication and multi-hop routing protocol for communication
from the aircraft to both the tracker vehicle and the stationary ground station, a
COTS autopilot and airframe for self-certification, a tracker vehicle to stay with the
UA, and a scout vehicle to check the roads ahead for the tracker vehicle.
Certificates of authorization are issued for specific areas of operation. The FAA
requires that the UA position be known with enough accuracy that air traffic
controllers can inform nearby aircraft. To satisfy this requirement, UAS operators
90 Certification Strategy for Small Unmanned Aircraft 2183
Fig. 90.3 Vortex 2 operations area (red), desired UAS operations area (green box), actual COA areas (blue polygons)
M. Stachura et al.
90 Certification Strategy for Small Unmanned Aircraft 2185
Fig. 90.4 Considerations for the sizing, shape and location of each polygon, with green arrows
indicating minimum distances and obstacles including 5 miles or more from both airports and
built-up areas, 1 mile from major highways, and consideration for Victor airways, which the FAA
does not allow loitering in
ceiling of 1,000 ft (300 m) AGL for operation of the Tempest UAS, with some areas
limited to a 400-ft (120-m) ceiling based on proximity to specific airport approach
airspace. Victor airways must also be considered, and in some cases impact the
decisions to provide permission for flights over 400 ft (120 m) AGL.
These handbooks were created for the certification of military aircraft, including
manned and unmanned aircraft that carry ordnance, so the user must determine the
criteria that are relevant for civilian applications. Sections 4–19 of MIL-HDBK-
516A contain criteria specific to the different systems and operational procedures
that must be addressed for airworthiness, though it is clear that Sections 9, 17, and
18 of MIL-HDBK-516A do not apply to unmanned aircraft.
The Tempest airworthiness document submitted to the FAA contained the
heading of each subsection (e.g., 12.x) followed by statements explaining how each
criterion is addressed to guarantee airworthiness. In many cases the subsection was
not pertinent to the Tempest UAS, and it was sufficient to include a statement
indicating this fact. Examples of criterion in MIL-HDBK-516A that were not
necessary to satisfy for the Tempest UAS are structural fatigue, flight envelope,
aircraft stability, and avionics architecture. It is, however, necessary to outline the
procedures and analyses that are used to guarantee these criteria or steps used to
mitigate risks from possible failures.
Airworthiness of the Tempest UAS was demonstrated based on three main
factors. First, the airframe was developed in collaboration with a commercial manu-
facturer with experience designing and constructing competition radio-controlled
sailplanes. In particular, Skip Miller Models (Skip Miller) modified an existing
design based on specifications for the VORTEX2 mission. Successful demonstration
in remote control dynamic soaring (RCS 2011), where aircraft routinely obtains high
air speeds and accelerations, validates the ability of the construction techniques used
in the Tempest airframe to provide sturdy and durable aircraft. Second, the commer-
cial Piccolo SL autopilot (Cloudcap) used for the Tempest UAS has an established
record of success, both in military systems and other unmanned aircraft that have
obtained COAs, including other UAS operated by the authors. Third, the complete
Tempest UAS avionics system, which includes redundant wireless communication
channels, onboard supervisory computer, ground control station, and operator
interface, has been demonstrated through flight operations of other aircraft (Brown
et al. 2007; Frew et al. 2008; Houston et al. 2012). An appendix with examples of
checklists, flight logs, maintenance logs, and operational procedures was included
in the COA application to document those items used to support safe operations and
maintenance. General guidelines for preparing an airworthiness statement based on
lessons learned from VORTEX2 and other flight operations are given in Elston et al.
(2011a). Excerpts from the Tempest UAS airworthiness statement are given here
to show the level of detail required. Heading titles correspond to the sections of
MIL-HDBK-516A.
6. Flight Technology
6.1 Stability and Control
The airframe used for the Tempest UA is the Tempest glider, commercially available
from Skip Miller Models. The Piccolo Light autopilot control system ensures stable
flight characteristics when coupled with a stable aircraft such as the Tempest UA as
90 Certification Strategy for Small Unmanned Aircraft 2187
required in Sect. 6.1.2.3. The envelopes, as outlined in 6.1.6, will be safe because
the Tempest airframe is a commercially available glider.
9. Crew Systems
The Tempest is unmanned; therefore, there are no crew systems.
Lost communications and emergency procedures are specified as part of the COA
application. The contents of these sections of the COA application pertain to
the operations during abnormal and emergency situations. It is impossible to
develop guidelines and procedures to deal with all situations, so the Tempest UAS
application enumerated them as best as possible and stated that the judgement, skill,
and training of all persons involved in flight operations were necessary to bring an
abnormal or emergency situation to a safe conclusion.
The policies and procedures used for the Tempest UAS were developed and
refined through previous flight experiences with other aircraft (Brown et al. 2007;
Frew et al. 2008; Houston et al. 2012). In general, the response to an in-flight
emergency or severe change in weather is to bring the UA back to the main landing
site and to begin landing procedures, using either manual or automatic landing. The
COA applications stated that all incidents and accidents would follow reporting
and notification processes and requirements as laid out in FAA Orders 8020.11,
2188 M. Stachura et al.
7210.56, and in NTSB 830. During the VORTEX2 mission, there were no incidents
that required reporting under these rules.
The Tempest UAS COA application was written specifically for a three-person
team piloting an unmanned aircraft system using a Piccolo autopilot system
(Cloudcap). FAA regulations require a two-person team consisting of a pilot in-
command (PIC) and a trained, medically certified observer (Davis 2008). Typical
Tempest UAS operations consist of the PIC acting as a mission commander and
two pilots at control (PACs): the PAC-M with manual flight control through a
handheld console and the PAC-O who monitors and controls the UA when it is
in semiautonomous mode. Only one of these copilots will be the acting PAC at
a given time; therefore, the PIC can perform one of the roles. For Tempest UAS
flights during VORTEX2, the PIC always served as the PAC-M.
been asserted prior to the communication time out, then when the communication
time out occurs the autopilot will issue an aerodynamic termination. If the GPS
time out has not occurred, then the autopilot will switch from the current flight
plan to the emergency waypoint plan, defined by the lost communication entry
point. If communication is reacquired during the orbiting phase of the emergency
flight plan then the PAC can initiate landing procedures. If communication is not
reacquired after 2 min of orbiting at the lost communication waypoint, the autopilot
will automatically switch to the autoland segment of the emergency flight plan, and
will begin an autonomous landing.
Finally, since the operation of the Tempest UAS will be well within the
communication range of the 900 MHz link, failure of the communication link will
tend to be hardware based. Therefore, after a lost communication event is detected,
a crew member who is not currently tasked as the observer or PIC will be directed
by the PIC to inspect the communication hardware in the GCS to make sure there is
no visible problems with the 900 MHz antenna, its location, or in the cabling.
This section describes additional provisions included in the actual COAs issued for
the Tempest UAS and notification procedures prior to flight. In general, there is
little interaction between the FAA Unmanned Program Office and the applicant once
the COA application was submitted. As a result the final approved Certificate of
Authorization could contain additional provisions or changes from the application.
Further, the COA describes procedures for interacting with air route traffic control
centers (ARTCCs) prior to flight.
Fifty-nine distinct Certificates of Authorization were issued for the Tempest UAS
participation during VORTEX2. The COAs included some changes from the
original application and additional provisions that were not stated in the application.
The original Tempest UAS COAs required notification 72–48 h in advance of flight
operations. However, during the VORTEX2 campaign, the uncertainty of forecast-
ing the time and location of target supercell thunderstorms required shortening the
advance notice window. After submitting evidence to the UAPO and the ARTCCs in
the COA areas, “pen-and-ink” (A pen-and-ink change is terminology used by FAA
to indicate a minor change to a previously issued COA document.) changes were
made to the Tempest UAS COAs to shorten the notification requirements to 2 h.
Table 90.1 describes the main provisions directly stated in the COA document.
These include weather conditions suitable for flight operations, documentation
and additional clearances required by the UAS operations team, and operational
requirements. The main significant difference between the final COA and the
2192 M. Stachura et al.
Several steps are required prior to flight operation in order to notify air route traffic
control centers and local airfields of pending UAS flights. The first step in activating
a COA is to issue a Notice to Airmen (NOTAM) (https://pilotweb.nas.faa.gov/
PilotWeb/) describing the planned activity. For the VORTEX2 mission, NOTAMs
could be issued for up to four different COA areas with 2- h advance notice. Because
the ARTCCs notify all pilots of NOTAMs in a given area, it was not feasible to issue
NOTAMs for all 59 COA areas. The-2 h advance notice was at the limits of the
meteorologists’ abilities to predict thunderstorm evolution. As a result, NOTAMs
could be rescinded and issued for different areas as needed, resetting the 2- h wait
time before flight operation could commence.
Although the COA areas in the applications were specified by the coordinates of
the bounding polygon, NOTAMs are issued based on radial distance and direction
from Very High Frequency Omni-Directional Radio Range Tactical Air Navigation
Aid (VORTACs). As a result, a better general strategy for COA applications is the
use of circular regions that can be specified easily from a VORTAC. Because the
COA areas and VORTACs are stationary, all pertinent information needed to issue a
NOTAM for a specific COA could be determined in advance. The example NOTAM
in Table 90.2 has all of the necessary information for other pilots operating in the
NAS. The NOTAM, number 09/003, informs of UAS operations in a 3NM radius
centered around a point that is 15NM from the BJC VORTAC off the 330ı radial.
The operations are conducted 400-ft AGL and below from time 1500Z to 2100Z
on 3 September 2010. See FAA Order JO 7930.2M, section 6-1-7b (http://www.
faa.gov/documentLibrary/media/Order/NTM.pdf) for more details on NOTAMs for
UAS.
The final step in the notification process occurred 30 min before flight operations
could commence. At this point it was necessary to contact by telephone the
Denver ARTCC and any nearby airport or military operations desks. They will
require both the COA number and the NOTAM number associated with the
flight.
90.4.3 Reporting
There are three types of reports required by the FAA for UAS operation: accident
(NTS 2010), incident (NTS 2010), and monthly operational. These are all accessed
through the secure FAA web portal (https://ioeaaa.faa.gov/oeaaa/). There are also
real-time reporting requirements for loss of communication and/or violation of
COA boundaries, which are covered in the Emergency Procedures section. Monthly
operational reports were submitted for all active COAs within five business days of
2194 M. Stachura et al.
a b c
d e f
Fig. 90.5 Composite radar, flight path, and COA boundary for supercell intercepts during the
VORTEX2 campaign (Elston et al. 2011b) (a) 6 May 2010, sampling scenario S3 (b) 26 May
2010, sampling scenario S2 (c) 6 June 2010, sampling scenario S1 (d) 7 June 2010, sampling
scenario S3 (e) 9 June 2010, sampling scenario S2 (f) 10 June 2010, sampling scenario S2
the end of each month. They were submitted even if no operations took place under
a specific COA. The reports required information about the COA along with number
of operations and total hours.
storms the evening before flight experiments. It continued the next morning with
examining any new data and setting a departure time and initial destination. The
entire armada would then begin driving to the destination, with any changes to the
target area being relayed to the individual team leaders.
At approximately 2 h prior to the predicted launch time, the meteorology lead
of the UAS team would select 4 COA areas that were most likely to be within the
target area, and these would be activated using NOTAMs. It should also be noted
that there were other notifications that may have to go out depending on the specific
COA areas such as nearby airports or Air force bases. Since these were very specific
to each COA area, they will not be mentioned in detail here. These groups required
anywhere from 2 h to 5 min notice prior to launch. Also, during this phase of the
deployment, NOTAMs could be cancelled and new ones put in if the storm changed
direction. However, 2 h lead time was required from whenever the new NOTAM was
issued.
At 1 h prior to launch the flight preparations would commence for all parties
utilizing checklists. An example of one such checklist is given in Table 90.3 for the
ground control station operator. Somewhere in this time up to 10 min to launch the
meteorology lead would select a launch area and begin preparing the flight plan.
The team would then arrive at the location, finishing prepping the UA, deploy all
mobile ground vehicles, and launch the UA.
During the flight experiment the flight plan would be changed depending on both
RADAR imagery of the storm and in situ data from the UA. Following the flight
experiment the UA would return to base, land, and all postflight checklists would
be utilized. This would include cancelling any active NOTAMs, notifying any flight
service groups as required by the COAs, and logging all necessary data for monthly
COA reports. For a more detailed description of the entire CONOPS, see Elston
et al. (2011b).
The system designed for VORTEX2 led to six successful and safe flight
experiments with no deviation from FAA rules for UAS. There were however several
important lessons learned that could lead to improved operations in the future and
more useful data for the scientific community.
The first major issue that was encountered was the issue of predicting which COA
areas the storms would pass through. The standard provisions require activating a
COA area between 48 and 72 h prior to flight operations. The initial solutions was to
simply activate all 59 COA areas 2 days before we planned on flying. However, this
was found to be unsustainable for ATC since each COA area required a separate
NOTAM, and this many would overwhelm their system. In order to address this
issue, we worked with the FAA to reduce the activation time to 2 h. Permission was
also given to activate up to 4 COA areas at a time. However, the dynamic nature
of the storms made even this difficult to predict. An example of when this issue
came up was during sampling the June 10th storm; the team had to wait for the start
of time of the NOTAM while there was already a tornado on the ground from the
storm. Being able to deploy sooner than the required-2 h time could potentially lead
to more useful data. The FAA has since reduced this time to 1 h for the 59 COA
areas.
2196 M. Stachura et al.
Operator checklist
After power on
Turn off van Wi-Fi
Start averaging groundstation GPS
Disable engine
Set the pilot address
Copy commands and verify all loops are auto
Uncheck auto center and zoom as appropriate
Verify COA area altitude and mission limits altitude
Set up flight plans: lost comm, take-off, landing
Zero air data with GPS altitude
Test pitot-tube airspeed
Turn on APS, verify tracking, and set to take-off orientation
Start up B.A.T.M.A.N on focus through ssh
Preflight
Check Piccolo voltage
Check Servo voltage
Check UA GPS
Set the tracked waypoint to 10
Check Piccolo 900MHz link
Verify sonde operation
Launch, start NetUAS timer
Start APS tracking
Notify tracker of handover
Postflight
Kill engine
Save config if it was changed
Close OI and save log files to a new (reliable) location
Run NetUAS log save scripts
Turn off Piccolo GCS
The second major issue we encountered was the boundaries of the COA areas.
Figure 90.5a, b, f were successful sampling missions that got as far as the active
COA boundary and could not sample any further losing out on some more data
that may have proved useful. There were also several other potential missions that
never flew because the storm was just outside of the COA area, including a very
promising one on June 11th. The solution to this problem is not as obvious. The
FAA did not want us to have a COA area larger than 20 20 miles since that would
be too large an area to keep traffic out of. Also, there is the issue of avoiding airports,
90 Certification Strategy for Small Unmanned Aircraft 2197
we arbitrarily chose 5 miles and major roads. A potential solution to this issue is to
grant a single large COA spanning the entire 200 200 mile area and restrict us
to activating only a 20-mile diameter circle in that area at a given time where we
are responsible for avoiding airports and major roads. This gives the meteorologist
more precision to work with when activating COA areas. It was also found that
ATC prefers circular areas for the NOTAMS since they can just list a center point
and radius in the NOTAMs.
Conclusion
The capabilities of current UAS to perform these nomadic science missions
currently exist, and the main bottleneck for these missions is satisfying FAA
regulations to perform safe operations. It is important to work with the FAA to
reach a compromise that satisfies both the scientific and engineering goals of the
project while being able to prove the necessary level of safety for operating in
the National Airspace System. This chapter used experience from the VORTEX2
UAS campaign to present information on obtaining COAs, working with the FAA
to conduct successful flight operations, and some lessons learned that could lead
to improved operations in the future.
References
V.G. Ambrosia, E. Hinkley, Nasa science serving society: improving capabilities for fire character-
ization to effect reduction in disaster losses, in IEEE International Geoscience and Remote
Sensing Symposium, IGARSS 2008, Boston, vol. 4, 2008, pp. IV-628–IV-631. doi:10.1109/
IGARSS.2008.4779800
M. Ballinger, D. Bossert, Faa certification process for a small unmanned aircraft system: one
success story, in AIAA Infotech@Aerospace 2007 Conference and Exhibit, Rohnert Park, CA,
2007
T.X. Brown, B.M. Argrow, E.W. Frew, C. Dixon, D. Henkel, J. Elston, H. Gates, Experiments
using small unmanned aircraft to augment a mobile ad hoc network, in Emerging Technologies
in Wireless LANs: Theory, Design, and Deployment, chapter 28, ed. by B. Bing (Cambridge
University Press, Cambridge, 2007), pp. 123–145. ISBN-13:9780521895842
Cloudcap, The cloudcap website (2011), http://cloudcaptech.com
K.D. Davis, Interim Operation Approval Guidance 08–01: Unmanned Aircraft Systems Operations
in the U.S. National Airspace System, FAA Unmanned Aircraft Systems Program Office, 2008
J. Elston, Semi-autonomous small unmanned aircraft systems for sampling tornadic supercell
thunderstorms. Ph.D. thesis, University of Colorado, 2011. data/publications/11 thesis.pdf
J. Elston, M. Stachura, B. Argrow, C. Dixon, Guidelines and best practices for faa certificate
of authorization applications for small unmanned aircraft, in AIAA Infotech@Aerospace
Conference, St. Louis, MO, 2011a
J.S. Elston, J. Roadman, M. Stachura, B. Argrow, A. Houston, E.W. Frew, The tempest unmanned
aircraft system for in situ observations of tornadic supercells: design and vortex2 flight results.
J. Field Robot. (2011b). Accepted http://www.journalfieldrobotics.org/Home.html
S.A. Erickson, H. Brooks, Lead time and time under tornado warnings: 1986–2004, in 23rd
Conference on Severe Local Storms, St. Louis, MO, 2006
E.W. Frew, C. Dixon, J. Elston, B. Argrow, T.X. Brown, Networked communication, command,
and control of an unmanned aircraft system. AIAA J. Aerosp. Comput. Inf. Commun. 5(4),
84–107 (2008)
A. Houston, B. Argrow, J. Elston, J. Lahowetz, P. Kennedy, The collaborative colorado-nebraska
unmanned aircraft system experiment. Bull. Am. Meteorol. Soc. 93(1), 39–54 (2012)
2198 M. Stachura et al.
R. Murphy, B. Argrow, Uas in the national airspace system: research directions. Unmanned Syst.
27(6), 23–28 (2009)
National Oceanic and Atmospheric Association, Vortex2: verification of the origins of rotation in
tornadoes experiment (2010), http://www.nssl.noaa.gov/vortex2/
Part 830 notification and reporting of aircraft accidents or incidents and overdue aircraft, and
preservation of aircraft wreckage, mail, National Transportation Safety Board, 2010
RCSpeeds (2011). http://rcspeeds.com/aircraftspeeds.aspx?rpt=LL
Skip Miller, The skip miller models website (2010), http://skipmillermodels.com
B. Tarbert, T. Wierzbanowski, Comprehensive Set of Recommendations for Suas Regulatory
Development, FAA Small Unmanned Aircraft System Aviation Rulemaking Committee, 2009
R.J. Van Vuren, Advisory Circular 91–57: Model Aircraft operating Standards, FAA Air Traffic
Organization, 1981
VORTEX2 SPO, Vortex2 scientific program overview (2007), http://www.vortex2.org/Documents/
vortex2-spo-2007-0131.pdf
Hazard and Safety Risk Modeling
91
Konstantinos Dalamagkidis
Contents
91.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2200
91.2 Equivalent Level of Safety. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2201
91.2.1 Manned Aviation Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2201
91.2.2 Derivation of an ELOS for UAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2202
91.3 UAS Accident Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2205
91.4 Ground Impact Fatality Risk Modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2206
91.4.1 Ground Impact ELOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2208
91.4.2 Exposure to Ground Impact Accidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2209
91.4.3 Probability of Fatality of Exposed Persons. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2210
91.4.4 Frequency of Ground Impact Accidents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2215
91.5 Midair Collision Fatality Risk Modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2216
91.5.1 Midair Collision ELOS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2216
91.5.2 Exposure and Risk of Fatality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2218
91.5.3 Conflicting Trajectory Expectation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2219
91.5.4 Collision Probability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2219
91.6 Model Choice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2220
91.7 Case Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2223
91.8 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2226
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2227
Abstract
This chapter presents aspects of risk modeling with a focus on UAS. It provides
an overview of the current level of safety of manned aviation in terms of accident
statistics. These are then mapped as target levels for UAS under the “Equivalent
Level of Safety” principle to provide a glimpse at what that may entail for UAS
regulations. Different methodologies are presented for estimating the risk of
ground impact and midair collision accidents and how these estimates can be
K. Dalamagkidis
Institut für Informatik I6, Technische Universität München, Garching bei München, Germany
e-mail: dalamagkidis@tum.de
K.P. Valavanis, G.J. Vachtsevanos (eds.), Handbook of Unmanned Aerial Vehicles, 2199
DOI 10.1007/978-90-481-9707-1 35,
© Springer Science+Business Media Dordrecht 2015
2200 K. Dalamagkidis
91.1 Introduction
Although this distinction is made, it was felt that in certain cases, the reader would
benefit from a presentation of certain, selected information from RCC 321-07. This
is because either this information is general and applies to most risk/reliability
assessments or valuable insight is to be gained from contrasting it with information
specific to UAS.
This principle has been widely adopted by most national aviation agencies world-
wide and is known as the ELOS requirement. For example, the Range Commanders
Council in its guidance on UAS operations states:
Any UAV operation or test must show a level of risk to human life no greater than that for
an operation or test of a piloted aircraft.
Range Safety Group, Range Commanders Council (1999a).
Fig. 91.1 Risk reference system for large manned aircraft (the grayed areas signify unacceptable
risk) (Source: European Aviation Safety Agency (EASA) (2007))
Table 91.1 FAR Part 23 aircraft classes and corresponding acceptable failure condition
probability based on severity, as defined in AC 23.1309-1C (Source: Federal Aviation Adminis-
tration (1999))
Aircraft class Minor Major Hazardous Catastrophic
Class I (<2;720 kg, SRE) 103 104 105 106
Class II (<2;720 kg, STE, MRE) 103 105 106 107
3 5 7
Class III (>2;720 kg, SRE, MRE, STE, MTE) 10 10 10 108
3 5 7
Class IV (commuter) 10 10 10 109
SRE, single reciprocating engine; MRE, multiple reciprocating engine; STE, single turbine engine;
MTE, multiple turbine engine
Use of the same risk reference system like the one presented in Fig. 91.1 or even
Table 91.1 is not straightforward because of the wide range of UAS sizes and
characteristics. In addition to that, UAS depend on the onboard flight control system
and/or the communication link to operate. This requirement introduces additional
failure modes that may increase the total number of accidents for the same reliability
requirement. On the other hand, since UAS do not carry passengers, the number of
91 Hazard and Safety Risk Modeling 2203
Table 91.2 Fatality rates from all accidents based on analysis of NTSB accident data (National
Transportation Safety Board (NTSB) 2008b) between 1983 and 2006
Rates per hour Air carrier Commuter General aviation Total
Accident 2:43 106 2:37 105 8:05 105 5:05 105
Fatalities aboard 8:68 106 1:64 105 2:77 105 2:06 105
Ground fatalities 3:37 107 8:30 106 6:54 107 1:31 106
10−4
10−5
Total fatality rate per hour of flight
10−6
10−7
10−8
19
19
19
20
19
19
19
20
19
19
19
20
83
90
97
04
83
90
97
04
83
90
97
04
Gen. Aviation Commuter Air. Carrier
Fig. 91.2 Fatality rates from general aviation, commuter, and air carrier accidents as a function
of time. Based on analysis of NTSB accident data (National Transportation Safety Board (NTSB)
2008b) between 1983 and 2006
casualty limit is that of 104 casualties per event, which has been used by a number
of agencies like the NASA, the U.S. DoD, and the Space Licensing and Safety Office
of Australia (Range Safety Group, Range Commanders Council 2007b). The same
limit was chosen in Range Safety Group, Range Commanders Council (2007a),
complemented by an individual casualty risk probability limit of 106 . Nevertheless,
the use of fatalities has also been advised as a supplemental metric, to better assess
the risk involved in an activity (Range Safety Group, Range Commanders Council
2007b).
The aforementioned proposed casualty and fatality limits can be contrasted with
estimated rates from other sources or activities, provided in Table 91.3, as well as
aviation accident statistics given in Table 91.2. When comparing these rates, one
must consider that in some activities, a higher risk may be acceptable because
of the perceived benefits of participation. It should also be noted that these rates
refer to collective risk (Range Safety Group, Range Commanders Council 2007b),
i.e., the averaged risk for the entire population. Depending on a person’s location,
activity, and other factors, the actual individual risk may be significantly higher
or lower.
91 Hazard and Safety Risk Modeling 2205
Table 91.3 Estimated injury, casualty, and fatality rates from different sources or activities
Activity/source Injury rate (h1 ) Casualty rate (h1 ) Fatality rate (h1 )
Motor vehicle accidents 1:35 105 1:13 106 1:40 107
a
(all)
Motor vehicle accidents 8:80 106 6:73 107 5:89 108
(occupant)a
Pedestrian involved in 5:10 107 8:92 108 1:04 108
collision with motor
vehiclea
Unintentional fallsa 2:45 105 2:20 106 6:06 108
7 8
Natural environment a
1:31 10 1:44 10 7:59 109
6 8
Bicycles and 1:50 10 8:98 10
accessoriesb
Household appliances 4:23 107 1:81 108
(ranges, refrigerators,
washers)b
Baseball, basketball, 2:59 105 3:44 107
and football combinedb
London Blitz (civilian N/A 1:04 106 6:22 107
only)c
a
The number of injuries and fatalities are from the Web-based Injury Statistics Query and Reporting
System available from the Centers for Disease Control and Prevention, National Centers for Injury
Prevention and Control and correspond to emergency department admissions in the year 2005.
The rates were derived based on an estimated population of 296;410;404 and assuming that every
individual (regardless of age, sex, or location) is exposed to hazards involving each activity/source
an average of 3 h per day. The casualty rate is based on injury cases that required hospitalization
or transfer to other facilities such as trauma centers
b
The data are from the National Electronic Injury Surveillance System maintained by the U.S.
Consumer Product Safety Commission and concern the year 2007. The reported data did not make
a distinction between incidents requiring hospitalization and incidents involving deaths. The rates
are derived the same way as above, with the exception of the baseball, basketball, and football
activities, where an average exposure of 3 h per week is assumed instead
c
For the London Blitz, the civilian casualties were drawn from historical sources, and the rate was
obtained by dividing by the population of London in 1939 and by the number of days the Blitz
lasted, assuming continuous exposure
UAS operations are subject to various hazards that can lead to three primary
accidents: unintended or abnormal system mobility operation (U.S. Department of
Defense 2007), midair collision, and early flight termination (Clothier et al. 2007).
2206 K. Dalamagkidis
and/or
Damage/Loss Impact on
of system environment
Fig. 91.3 Primary and secondary accidents that can result from the operation of UAS and their
possible outcomes
In (91.2), Nexp is replaced by the product of the lethal area (Aexp ) by the population
density (). An additional term, the sheltering factor fshelter , is introduced that takes
values from 0, denoting that everyone is sheltered from the impact, to 1, denoting
that nobody is sheltered. This formulation implies a type of “absolute sheltering,”
where any person considered sheltered is not affected by the impact.
In certain cases, the exposed population can be divided in groups. Each group is
assigned a different probability of fatality given exposure. This can occur when, for
example, part of the population is inside buildings and part is outside. In this case,
(91.1) can be expressed as follows:
X
fF D fGIA Ni; exp Pi .fatalityjexposure/ (91.3)
i
where subscript i refers to the i th group. Although this approach offers better
accuracy, it also requires the availability of a library that contains the number of
2208 K. Dalamagkidis
people in each location and the level of their sheltering or at least estimates thereof
(Range Safety Group, Range Commanders Council 2007b).
Since the acceptable fF is provided by the ELOS requirement, if the Nexp and
P .fatalityjexposure/ can be estimated, it is possible to determine the target level
of safety (TLS) for ground impact accidents given by fGIA . Although (91.1) is
simple and straightforward, calculation of the terms involved in it is not. In fact,
there is a number of options that have been proposed for calculating both Nexp and
P .fatalityjexposure/. The following section will start with the calculation of the fF
term based on the ELOS principle.
In determining the fatality rate requirement after ground impacts, special consid-
eration should be given to the fact that UAS is unmanned. This means that only
the number of fatalities on the ground is to be taken into account. According to
Table 91.2, this number represents only a very small percentage of the total fatalities,
about 6 %. The ground fatality rate calculated is in the order of 106 h1 , although
a more conservative ELOS can be derived based on the ground fatality rate of air
carriers, which is in the order of fF D 107 h1 .
It should be noted that Table 91.2 considers all accidents. An alternative analysis
can be used by considering only accidents where an in-flight collision with terrain
or water occurred (approximately 35 % of the total). The updated fatality rates
based on NTSB data for the period 1983–2006 are presented in Table 91.4. In this
case, the proposed ELOS would be in the order of fF D 108 h1 , although it
does not include fatalities after emergency landings, ditching, and other situations.
If the latter are included, the ELOS is closer to fF D 107 h1 as shown in
Table 91.5.
For the subsequent analysis, the value for fF is set to 107 h1 , which is the same
with that proposed in Range Safety Group, Range Commanders Council (2007b).
However, it should be noted that lower or higher acceptable fatality rates have also
been proposed in the past. In Weibel and Hansman (2004), although an ELOS of
107 h1 was derived, a target of 108 h1 is proposed instead. This choice was
made in an effort to account for the fact that the benefits of UAS operations are
not evident to the general public, and as a result, the tolerance for fatalities will be
lower. In Clothier et al. (2007), analysis is based on multiple acceptable fatality
likelihoods ranging from 106 to 109 h1 . The Range Safety Criteria for UAS
proposed a fatality rate of 106 h1 or less based on the U.S. Navy survey discussed
previously (Range Safety Group, Range Commanders Council 1999b), but their
requirements are for military operations that allow higher fatality rates. Finally the
NATO USAR adopted a TLS of 106 h1 for catastrophic UAS accidents (Joint
Capability Group on Unmanned Aerial Vehicles 2007), which corresponds to an
equal or higher fatality rate.
Although stricter requirements may be attractive, they can seriously impede
commercialization of UAS as well as their integration in the NAS.
91 Hazard and Safety Risk Modeling 2209
Table 91.4 Fatality rates for accidents where an in-flight collision with terrain or water occurred.
Based on analysis of NTSB accident data (National Transportation Safety Board (NTSB) 2008a)
between 1983 and 2006
Rates per hour Air carrier Commuter General aviation Total
Accident 2:06 107 9:33 106 2:84 105 1:77 105
Fatalities aboard 4:71 106 1:32 105 2:16 105 1:55 105
Ground fatalities 9:84 108 2:86 108 4:46 108 5:99 108
Table 91.5 Fatality rates for accidents where one or a combination of in-flight collision with
terrain or water, hard/forced landing, runway overrun, or ditching occurred. Based on analysis
of NTSB accident data (National Transportation Safety Board (NTSB) 2008a) between 1983 and
2006
Rates per hour Air carrier Commuter General aviation Total
Accident 5:64 107 1:56 105 5:18 105 3:21 105
Fatalities aboard 4:85 106 1:46 105 2:41 105 1:71 105
7 8 8
Ground fatalities 1:01 10 7:63 10 8:43 10 8:89 108
Assuming a uniform population density in the area affected by the crash, Nexp can
be calculated as the product of that area (Aexp ) by the population density ():
The population density used in (91.4) is typically estimated using the average
population density over the area the UAS will operate. Although use of the actual
population density will offer better precision, a standard population density can be
used as a reasonable estimate instead. Specifically, EASA has proposed the use of a
standard density of 200 ppl/km2 (European Aviation Safety Agency (EASA) 2005).
This density was derived taking into account typical civil aviation operations, where
a significant percentage of flight time is spent over less densely populated areas. For
UAS designed to loiter over populated areas, a higher density will be necessary to
avoid underestimating the risk involved. A worst-case scenario of impact at the most
densely populated area within the area of operations may also be used to provide
a conservative estimate of (Range Safety Group, Range Commanders Council
1999b).
There are several ways to determine the Aexp based on impact characteristics.
For a vertical crash, this area may be approximated by the frontal area of the aircraft
2210 K. Dalamagkidis
augmented by a small buffer to account for the width of an average human (Weibel
and Hansman 2003). For a gliding descent, it can be approximated by (91.5), where
the wingspan and length of the aircraft have been increased by the radius of an
average person (Clothier and Walker 2006):
Hperson
Aexp D Waircraft Laircraft C (91.5)
sin.glide angle/
It should be noted that in some cases instead of the area exposed to the impact, a
casualty or lethal area is mentioned. In this case, attention should be given on how
these areas are defined. This is because in some cases they are the same as Aexp ,
while other times they are defined as the areas within which 100 % casualties or
fatalities are expected, respectively.
For example, Range Safety Group, Range Commanders Council (2007b) defines
a casualty area as the area where everyone is expected to receive injuries of
such severity that they will require hospitalization. On the other hand, the same
organization in Range Safety Group, Range Commanders Council (1999b) defines
the lethal area merely as an area of concern, obtained by
where Lglide is the gliding distance at an altitude of 6 ft and Lstop is the distance
required for the aircraft to come to a stop.
The human body is capable of sustaining a certain level of force or injury, and as
a result, presence of a person in an area affected by a crash does not guarantee a
fatality. Moreover, obstacles such as trees and buildings may provide shelter, thus,
increasing the chances of survival. It is evident, therefore, that the probability of
fatality of a person exposed to a crash need be modeled taking into account the
aforementioned factors, namely, human vulnerability and sheltering. This section
presents some of the approaches available. Nonetheless, a detailed account of the
problem of human vulnerability is beyond the scope of this chapter.
Despite the observations above, the most commonly used estimate for the
probability of fatality of an exposed person is the number one (Range Safety Group,
Range Commanders Council 1999a). This is because it is a conservative measure
that is not susceptible to criticism. On the other hand, it can easily be argued that
this measure can be overconservative especially in the case of small UAS.
91 Hazard and Safety Risk Modeling 2211
1k
P .fatalityjexposure/ D q h i p3 (91.9)
1 2k C ˇ˛ Eˇimp
s
2212 K. Dalamagkidis
0.8
Probability of Fatality
0.6 ps = 1
6
=s
p
0.4
Conservative
0.2 Dalamagkidis
Feinstein
Weibel
0
101 102 103 104 105 106 107 108 109
Fig. 91.4 A comparison of the vulnerability models of Feinstein, Dalamagkidis, and Weibel as
well as the conservative approach of unit probability above the 34 J kinetic energy threshold
p3
where k D min 1; Eˇimp
s
is a correction factor k, used to improve the estimates
given for low kinetic energies, especially those close to, or below, the threshold limit
of 34 J.
The sheltering parameter ps determines how exposed is the population to an
impact and takes values in the range .0; 1/. It is a function of the amount of
obstacles in the crash trajectory of the aircraft that can absorb impact energy or
deflect debris as well as the ability of people to take shelter behind such obstacles.
It takes an average value of 1, with higher values, meaning better sheltering and
a lower probability of fatality for the same kinetic energy. The ˛ parameter is
the impact energy required for a fatality probability of 50 % when ps D 6.
Finally the ˇ parameter is the impact energy threshold required to cause a fatality
as ps goes to zero. Based on the fatality limit of Range Safety Group, Range
Commanders Council (2007b), the ˇ parameter can be considered to be a constant
with value 34 J.
The fatality probability models presented in this section are compared in
Fig. 91.4.
used. A useful conservative substitute for the impact speed is terminal velocity.
The latter can be calculated from (91.10), where m is the vehicle mass, g is
the acceleration of gravity, ˛ is the air density, A is the cross-sectional area
of the vehicle, and Cd is its drag coefficient. The latter two parameters are not
always available, since they vary with the orientation of the aircraft during a
descent:
m2 g
Eimp D (91.10)
˛ ACd
The use of the maximum between the terminal velocity and the velocity not to
exceed provided by the manufacturer is proposed as an alternative in Range Safety
Group, Range Commanders Council (1999b).
In Haddon and Whittaker (2002), Joint JAA/Eurocontrol Initiative on UAVs
(2004), and European Aviation Safety Agency (EASA) (2005), instead of the
terminal velocity, the use of the maximum operating velocity (vop ) increased by
40 % is proposed, instead. This choice overcomes the problem of accurately esti-
mating the parameters required to calculate the terminal velocity, greatly simplifying
calculations. The kinetic energy can then be calculated as
It may also be argued that when the mass of the impacting object is comparable
or larger than that of the body part struck, not all of the object’s kinetic energy
will be absorbed. In fact, after the impact, the object will continue to move, in
unison with the body, retaining some kinetic energy. The energy absorbed during
the collision can be calculated based on momentum conservation by Sturdivan et al.
(2004):
1 2 m1
E D m 1 v1 1 (91.12)
2 m1 C m2
where m1 and v1 are the mass and velocity of the object and m2 refers to
the effective mass of the body part struck. As a result, when m1 m2 , the
effective energy is equal to the kinetic energy of the projectile. It should be
noted that when body movement is constrained (e.g., from a wall), then (91.12)
no longer applies and the entire kinetic energy is to be used (Sturdivan et al.
2004).
Irrespective of which of the aforementioned methods is used to calculate the
kinetic energy of the impacting object, if a person is sheltered within a building or a
vehicle, some of the kinetic energy will be exhausted to penetrate the shelter. As a
result, the energy used in the vulnerability model may be also adjusted to take into
account the effects of sheltering. The following section provides a more detailed
account of the factors that need to be considered when incorporating the effects
of sheltering, either by kinetic energy adjustments or by estimating the value of a
parameter in the vulnerability model.
2214 K. Dalamagkidis
Table 91.6 Estimate of the expected frequency of ground impact accidents for new UAS. The
value shown represents a confidence of 95 % that the actual fGIA is less than or equal to fOGIA
(Source: Range Safety Group, Range Commanders Council (1999b))
Flight hours without crash fOGIA
10 3 101 h1
30 1 101 h1
100 3 102 h1
300 1 102 h1
The expected frequency of fatalities (fF ) following midair collision accidents can
be calculated by the following equation:
fF D E.fatalityjcollision/fMaC (91.13)
D Nexp P .fatalityjcollision/P .collisionjCT/fC T (91.14)
Table 91.7 Fatality rates for accidents where an in-flight collision with obstacles (e.g., birds,
trees, power lines) occurred. Based on analysis of NTSB accident data (National Transportation
Safety Board (NTSB) 2008a) between 1983 and 2006
Rates per hour Air carrier Commuter General aviation Total
Accident 1:34 107 3:22 106 1:33 105 8:17 106
Fatalities aboard 9:67 107 2:67 106 6:27 106 4:25 106
Ground fatalities 5:97 109 3:81 108 5:73 108 3:93 108
Total fatalities 9:73 107 2:71 106 6:32 106 4:29 106
Table 91.8 Fatality rates for accidents where a midair collision with another aircraft occurred.
Based on analysis of NTSB accident data (National Transportation Safety Board (NTSB) 2008a)
between 1983 and 2006
Rates per hour Air carrier Commuter General aviation Total
Accident None 2:76 107 5:90 107 3:74 107
Fatalities aboard None 6:96 107 1:04 106 6:82 107
Ground fatalities None 1:91 108 2:86 108 1:87 108
Total fatalities None 7:15 107 1:07 106 7:01 107
Table 91.9 Fatality rates for accidents where either a midair collision with an object or another
aircraft occurred. Based on analysis of NTSB accident data (National Transportation Safety Board
(NTSB) 2008a) between 1983 and 2006
Rates per hour Air carrier Commuter General aviation Total
Accident 1:34 105 3:48 106 1:38 105 8:53 106
7 6
Total fatalities 9:73 10 3:42 10 7:40 106 4:99 106
Total fatalitiesa 5:97 109 7:53 107 1:13 106 7:40 107
a
Excluding fatalities aboard after collisions with objects other than aircraft
From the NTSB accident data in Table 91.9, it can be argued that the fatality
rate following midair collisions with aircraft or other obstacles is in the order of
fF D 106 h1 . A more conservative estimate of fF D 107 h1 can be reached
from the same table, if the onboard fatalities after a collision with obstacles other
than aircraft are ignored. By deriving the expected number of fatalities after a
midair collision accident, it is then possible to determine the maximum acceptable
frequency of such accidents.
Another approach is to assume that in the case of midair collisions, the fatality
expectation is the same, regardless of whether a UAS was involved in the accident.
Although this assumption is more conservative, it simplifies subsequent analysis,
since one may directly obtain the accident TLS for midair collisions. Based on the
NTSB data of Table 91.9, the average rate of midair collisions involving manned
aircraft is 7:40 107 , and under ELOS requirements, a maximum midair collision
rate of fMaC D 107 h1 can be proposed for UAS.
2218 K. Dalamagkidis
Table 91.10 Maximum acceptable accident frequency depending on ATC type, flight phase, and
aircraft threatened. The collision accident criteria to be applied corresponds to the one for the
highest category of aircraft threatened (Source: INnovative Operational UAS Integration (INOUI)
(2009))
ATC type Flight phase >2;730 kg MEP/SET <2;730 kg SEP <2;730 kg
9
Area control En route inbound 3 10 3 108 3 107
9
En route outbound 1 10 1 108 1 107
9
En route transit 3 10 3 108 3 107
9
Approach Departure 1 10 1 108 1 107
9
Init and interm app 3 10 3 108 3 107
9
Final approach 3 10 3 108 3 107
9
Tower Landing 8 10 8 108 8 107
9
Line-up 3 10 3 108 3 107
9
Start-up/push-back 8 10 8 108 8 107
9
Takeoff 8 10 8 108 8 107
Taxiing 6 108 6 107 6 106
MEP, multiengine piston; SET, single-engine turbine; SEP, single-engine piston
Other accident frequency limits proposed for UAS take into account both the
manned aircraft threatened and the phase of flight. Such an approach was taken by
INOUI that proposed the limits presented in Table 91.10.
Finally, it should be noted that not all collisions lead to catastrophic accidents.
The large variability of aircraft sizes and designs, whether manned or unmanned,
and the fact that not all their systems are critical for remaining airborne, means
that certain collisions may be survived by one or even both of the aircraft involved.
Nevertheless, since it is nearly impossible to account for every possible collision
scenario and its effects, every collision is considered a catastrophic accident for
both aircraft.
The number of people exposed to the accident, as well as the probability of them
sustaining fatal injuries, depends on the aircraft that are involved in the accident and
the passengers they carry. As a result, it is difficult to get a good estimate without a
priori knowledge of all air traffic in the area of operations.
A more general estimate can be derived by noting that the product of Nexp and
P .fatalityjcollision/ is in fact the expected number of fatalities per accident. Using
the NTSB accident data of Table 91.9, this product is higher for commuter aviation
where it takes a value of one, while on average it is closer to 0:58. Moreover, if
the onboard fatalities after a collision with obstacles other than aircraft are ignored,
the expected number of fatalities per accident drops to below 0:09. It should be
noted that this estimate can be considered conservative because in contrast with
the accident data it was derived from, the midair collisions of interest will always
involve at least one aircraft that is unoccupied.
91 Hazard and Safety Risk Modeling 2219
In Weibel and Hansman (2004), the midair collision risk assessment was based on
the use of a gas model of aircraft collisions to estimate the number of expected
collisions per hour of flight (fMaC ) from
Aexp d
fMaC D (91.15)
V t
where Aexp is the exposed area of the threatened aircraft, d is the distance traveled,
V is the airspace volume, and t is the time required to travel the distance d .
It should be noted that this model estimates the number of midair collision
hazards due to insufficient spatial and temporal separation given predetermined
flight paths or simply the number of potential collisions. An additional term is then
required to take into account the fact that one or both of the aircraft in a collision
course may attempt maneuvers to avoid each other. As a result, the expected number
of collisions should be calculated from
Aexp d
fMaC D P .collisionjCT/ (91.16)
V t
„ƒ‚…
E.CT/
Even when two aircrafts are on conflicting trajectories, a collision is not guarantied.
One or both of the pilots may take action to avoid a hazardous situation by
maintaining the required separation between the two aircrafts. As a result, the
collision probability depends on the collision avoidance capabilities of all the
aircraft involved as well as the measures taken to assure proper separation. If
a maximum allowable collision probability is known, it can be used instead of
2220 K. Dalamagkidis
Tables 91.11 and 91.12 summarize the parameters involved in modeling risk from
UAS ground impact and midair collision accidents, respectively, as well as the
alternatives presented for estimating their values. It is evident that there are several
choices available to an engineer tasked with assessing the risk of UAS operations.
The subject of this section is what criteria should drive the selection of one
alternative over another.
There is a multitude of modeling options available to estimate risk, each with
different levels of detail and accuracy. According to Range Safety Group, Range
Commanders Council (2007b), any model used for risk/reliability assessment
should be based on four basic standards: transparency, clarity, consistency, and
reasonableness.
A number of different models may be used in a risk evaluation involving
UAS operations depending on the objective and requirements of the risk study in
question. A common use of risk models in the UAS domain is for building a safety
case that is then used for obtaining a permit to operate in the national airspace
system. As a result, the models used must be clearly presented so that they can be
reviewed by the regulators, and the assumptions and limitations contained therein
must be succinctly expressed. This would lead to compliance with the clarity and
transparency standards.
Typically, the regulatory framework does not specify the use of a particular
modeling choice over another. Nevertheless, every choice must be defensible. This
is achieved by compliance with the consistency and reasonableness standards. The
former refers to the use of models that are in use and accepted by the scientific
91 Hazard and Safety Risk Modeling 2221
Table 91.11 A summary of the methods presented to estimate the terms involved in ground
impact risk modeling when their values are not known a priori, Eq. (91.1). Some terms can be
estimated with multiple methods
Term Estimate
fF Based on ELOS requirements with typical values in the range of 106 –109 h1
Nexp The product of the population density () and the area affected by the impact
(Aexp )
(i) Assuming uniform population density
(ii) Using a standard population density (e.g., 200 ppl/km2 )
(iii) Assuming a worst-case scenario of impact at the most densely populated
area
Aexp (i) The area presented by the aircraft perpendicular to its path and augmented by
the width of an average person
(ii) The aforementioned area, including the area the aircraft traverses on the
ground until it stops
P .fatality/ (i) Probability of one as a conservative estimate
(ii) Zero or one, based on whether the kinetic energy at impact (Eimp ) exceeds a
pre-specified threshold (e.g., 34 J)
(iii) From a vulnerability model based on kinetic energy at impact (Eimp ),
e.g., Feinstein et al. (1968)
(iv) From a vulnerability model that also includes the effects of sheltering,
e.g., Weibel (2005) or Dalamagkidis et al. (2012)
Eimp (i) Kinetic energy at terminal velocity
(ii) Kinetic energy at VNE (velocity not to exceed)
(iii) Kinetic energy at 140 % operational velocity
(iv) The difference between kinetic energy at impact and kinetic energy remain-
ing post-impact (combined human/object)
(v) The kinetic energy calculated with one of the aforementioned means,
reduced by the energy required to penetrate sheltering
Sheltering (i) Using a conservative value that assumes little or no sheltering
(ii) Based on average sheltering provided by structures, vehicles, and other
objects
(iii) Based on the building with the worst sheltering
(iv) Using a database containing structure characteristics and population distri-
bution
fGIA (i) From previous accident statistics, if sufficient flight hours have accumulated
(ii) Assuming an exponential accident distribution for new vehicles without
accidents so far
(iv) Using a conservative estimate of one crash per flight or per flight hour
(v) Based on the results of a formal UAS reliability assessment
community. The latter means that model selection should be based on rational
criteria, risk is not underestimated, and a potential review would not raise concerns.
As a result, the easier and in fact a common approach is to make conservative
estimates.
Conservative estimates are also attractive because of their simplicity and of
the associated ease of achieving clarity and transparency. In general, even when
high fidelity modeling is possible, a balance must be struck between precision
2222 K. Dalamagkidis
Table 91.12 A summary of the methods presented to estimate the terms involved midair collision
risk modeling when their values are not known a priori, Eqs. (91.13) and (91.14)
Term Estimate
fF (i) Based on ELOS requirements with typical values in the range of
106 –108 h1
(ii) As above but considering only fatalities on the ground for calculating ELOS
(valid when the accident involves only UAS)
E.fatality/ (i) Estimated from historical data, e.g., based on NTSB data from Table 91.9,
it takes values in the range 0:02–1
(ii) Estimated from the product of Nexp and P .fatality/
Nexp The number of people onboard the aircraft involved in the collision as well as in
the area exposed to debris
P .fatality/ (i) Use of the number one as a conservative estimate
(ii) Estimate from historical data, if available
fMaC (i) From historical data with typical values in the range of 105 –107 h1
(ii) As the product of P .collision/ with fC T
P .collision/ (i) A conservative estimate of probability one
(ii) Estimated based on the capabilities of the S & A system
fC T (i) Based on the gas model of aircraft collisions using actual traffic data
(ii) Using worst-case air traffic density either at the flight level of operations
or the entire airspace
and limitations relevant to cost, resources, and time (Range Safety Group, Range
Commanders Council 2007b).
On the other hand, conservative estimates may lead to irrationally high reliability
requirements and/or very strict operational restrictions. This occurs as a conse-
quence of a problem known as compounding conservatism, where use of successive
conservative estimates can lead to overconservative results (Range Safety Group,
Range Commanders Council 2007b). To illustrate this issue, consider the modeling
of a ground impact accident scenario using (91.1). In addition, assume that the
actual population and area affected by the crash are overestimated by 50 and 20 %,
respectively, and the probability of fatality is considered to be 1 when in fact it
is only 20 %. In this case, the fatality expectation will be nine times higher than
what it really is. Moreover, if conservative estimates are used for evaluating the
possible hazards that may lead to a crash, the reliability requirements for the various
aircraft parts can be higher by two or more orders of magnitude. Although such an
aircraft would be capable of performing well within the target safety levels, the
higher production and maintenance costs could mean that it may never get built.
The problem of compounding conservatism may be addressed by avoiding to take
conservative estimates and, instead, opting for the best available estimate (Range
Safety Group, Range Commanders Council 2007b). Such an approach has also
been advocated by the U.S. Nuclear Regulatory Commission (Range Safety Group,
Range Commanders Council 2007b). Of course, when best or mean estimates are
used, the uncertainties and possible inaccuracies affecting the final result should
be clearly documented (Range Safety Group, Range Commanders Council 2007b).
91 Hazard and Safety Risk Modeling 2223
This would also allow adjustments at a later stage to account for newer data as
they become available. Moreover, if the uncertainties can be quantified through
simulation, sensitivity analysis, or other methods, then confidence intervals can be
determined. The latter can then be used to adjust results so that proposed reliability
targets can be achieved with arbitrary confidence.
As an example, it will be assumed that a probability of fatality of 0:4 was
estimated for a particular accident scenario. Further analysis of the model showed
that for a confidence level of 95 %, the actual value is expected to be between 0:3
and 0:5. In this case, the 0:5 value may be used instead of 0:4 to determine UAS
reliability requirements. If higher confidence is required, the range will be larger
and the value used more conservative.
In certain cases – especially when required data are missing – a safety case
can be made by comparing the UAS under investigation with a different system
already authorized to fly (Range Safety Group, Range Commanders Council 1999b).
Qualitative arguments may also be made without a complete analysis of the risk
involved (Range Safety Group, Range Commanders Council 1999b). For example,
the UAS may be too light to cause an injury or the area of operations may be so
sparsely populated that the risk to the general public is too low under any conditions.
The modeling techniques described in the previous sections produce an average
risk estimate from the operation of a UAS, especially when best estimates are used
instead of conservative. What should be mentioned is that in certain cases when
using a casualty or fatality metric, particularly catastrophic accidents involving
multiple fatalities can occur without violating the target safety levels on average
(Range Safety Group, Range Commanders Council 2007b). Such accidents of
course are best to be avoided, and as a result, it is useful to incorporate catastrophe
aversion in the models used (Range Safety Group, Range Commanders Council
2007b). The latter is accomplished by assigning activities that can be particularly
dangerous to lower acceptable probabilities of occurrence. This in turn is may be
done either by creating a risk profile if sufficient data are available or easier by using
k
functions of the Nexp type for expressing the affected population (Range Safety
Group, Range Commanders Council 2007b). Of course the latter methodology
should be employed with care and for high risk activities only, so as not to
unnecessarily inflate the risk in other less dangerous activities. A risk profile gives
the function between the number of expected casualties and the expected frequency
for each casualty size due to various future incidents (Range Safety Group, Range
Commanders Council 2007b). Although this profile is useful for obtaining a better
view of the associated risks, it is usually costly and time consuming to obtain.
Table 91.13 Characteristics of five UAS of various sizes, used for the case analysis (Source: FSF
editorial staff (2005) and U.S. Department of Defense. Office of the Secretary of Defense (2005))
Oper. Oper.
Weight (kg) Dimensions (m) speed (m/s) altitude (ft)
RQ-4 Global Hawk 11; 612 35.4 (wingspan) 177 65; 000
MQ1 Predator 1; 021 14.8 (wingspan) 70 20; 000
RQ-2 Pioneer 205 5.2 (wingspan) 41 15; 000
RQ-11 Raven 1:9 1.3 (wingspan) 15 1; 000
Rmax IIG 94 3.12 (rotor diameter) 5:6 500
Table 91.14 The parameters used for each test case and a description of a possible corresponding
scenario
Pop. density
Scenario (ppl/km2 ) ps Description
1 – Optimistic 50 7 Low population density area. It is also assumed that
people are afforded significant sheltering either by natural
obstacles (e.g., trees) or they can be trained to avoid or
take cover when required. This scenario may correspond
to surveillance of a remote military installation or to a
forest monitoring application
2 – Pessimistic 5,000 1 This scenario features very high population density.
Additionally the sheltering factor used corresponds to no
protection from sheltering at all. This case corresponds to
the scenario of a search and rescue operation in a
metropolitan area, where several people are in open areas
preoccupied with other tasks
Table 91.15 Fatality probability with respect to ground impact accidents for five UAS under the
pessimistic scenario. Four different means of obtaining the fatality probability are used
P .fatalityjexposure/
Eq. (91.9)a Eq. (91.9)b 34 kJ limitb
UAS model (%) (%) (%)
RQ-4 Global Hawk 100.0 100.0 100.0
MQ1 Predator 100.0 100.0 100.0
RQ-2 Pioneer 100.0 100.0 100.0
RQ-11 Raven 97.4 100.0 100.0
Rmax type IIG 100.0 100.0 100.0
a
Using vehicle kinetic energy estimated from (91.11)
b
Worst-case vehicle kinetic energy estimate
Table 91.16 Reliability requirement for five UAS with respect to ground impact accident under
the pessimistic scenario. Five different fatality probability estimates are used
Required time between ground impact accidents in hours
UAS model Eq. (91.9)a Eq. (91.9)b 34 kJ limitb P D1
RQ-4 Global Hawk 28;002;000 28;002;000 28;002;000 28;002;000
MQ1 Predator 7;879;500 7;879;500 7;879;500 7;879;500
RQ-2 Pioneer 1;738;500 1;738;500 1;738;500 1;738;500
RQ-11 Raven 280;485 287;987 288;000 288;000
Rmax type IIG 566;023 566;069 566;069 566;069
a
Using vehicle kinetic energy estimated from (91.11)
b
Worst-case vehicle kinetic energy estimate
For the first three options and under both scenarios, parameter ˛ was chosen to be
100 kJ and ˇ equal to 34 J.
In addition to the probability of fatality, the required system reliability was also
calculated for each of the aforementioned fatality probability models as well as for
the conservative estimate of probability of 1. The UAS reliability requirement has
been given in minimum hours between ground impact accidents, and its calculation
is based on a target level of safety of 107 fatalities per hour of flight. The system
reliability requirement was derived since it allows a comparison with the current
performance of manned and unmanned aviation. The results for each UAS and each
case are summarized in Tables 91.15–91.18.
In the pessimistic scenario, the probability of fatality associated with each UAS
is, almost in every case, 100 %. As a result, there are no differences between
the reliability requirements calculated from the different models. Considering that
current manned aviation accident rates are in the order of 107 h1 for air carriers
and 105 h1 for general aviation (Table 91.4), it is obvious that for operations in
high population density areas, certain UAS will need to exceed this performance.
In the optimistic scenario, the most striking differences between vulnerability
models can be seen! This is due to the effect of the sheltering factor, which is not
taken into account when using a threshold kinetic energy. Smaller systems feature
2226 K. Dalamagkidis
Table 91.17 Fatality probability with respect to ground impact accidents for five UAS under the
optimistic scenario. Four different means of obtaining the fatality probability are used
P .fatalityjexposure/
UAS model Eq. (91.9)a (%) Eq. (91.9)b (%) 34 kJ limitb (%)
RQ-4 Global Hawk 94.5 95.1 100.0
MQ1 Predator 75.4 81.1 100.0
RQ-2 Pioneer 49.0 72.5 100.0
RQ-11 Raven 3.6 10.7 100.0
Rmax type IIG 9.8 26.5 100.0
a
Using vehicle kinetic energy estimated from (91.11)
b
Worst-case vehicle kinetic energy estimate
Table 91.18 Reliability requirement for five UAS with respect to ground impact accident under
the optimistic scenario. Five different fatality probability estimates are used
Required time between ground impact accidents in hours
UAS model Eq. (91.9)a Eq. (91.9)b 34 kJ limitb P D1
RQ-4 Global Hawk 264;481 266;239 280;020 280;020
MQ1 Predator 59;394 63;909 78;795 78;795
RQ-2 Pioneer 8;514 12;598 17;385 17;385
RQ-11 Raven 102 309 2;880 2;880
Rmax type IIG 554 1;501 5;661 5;661
a
Using vehicle kinetic energy estimated from (91.11)
b
Worst-case vehicle kinetic energy estimate
fatality probabilities of 10–25 % that are further reduced to 4–10 % when using a
less conservative estimate for the kinetic energy at impact. This is also evidenced
in the system reliability requirement, which is at least an order of magnitude
smaller compared to that obtained using the threshold function. The benefits are
evidenced in larger systems as well, where the reliability requirement is lower by a
factor up to 3.
91.8 Conclusion
This chapter has investigated ways to calculate the target level of safety requirement
for UAS based on the current levels of safety of manned aviation. As mentioned
before, actual regulations will need to depend on a number of factors, and as a
result, it is possible that they will contradict the results shown. Nevertheless, the
methodologies are still useful for getting an idea of the relevant risk imposed by
UAS as well as for arguing a safety-based authorization for operations.
Moving beyond the actual risk model and target safety level chosen, it is normally
necessary to obtain design specifications and requirements on the hardware and
software components that comprise the UAS rather than restrictions on the UAS as
a whole. The way to derive these requirements is beyond the scope of the chapter,
91 Hazard and Safety Risk Modeling 2227
but it normally involves a lengthy, formal process of identifying the hazards, the
resulting failure conditions and their likelihoods, and then working backwards,
derive requirements for the system, subsystems, and individual components. Even
when a UA is designed in such a way that safety requirements are met for every
conceivable application, additional risk mitigation measures may still need to be
taken depending on the actual operating scenario.
References
R. Clothier, R. Walker, Determination and evaluation of UAV safety objectives, in Proceedings of
the 21st International Unmanned Air Vehicle Systems Conference, Irvine, 2006, pp. 18.1–18.16
R. Clothier, R. Walker, N. Fulton, D. Campbell, A casualty risk analysis for unmanned aerial sys-
tem (UAS) operations over inhabited areas, in Proceedings of the 12th Australian International
Aerospace Congress and 2nd Australasian Unmanned Air Vehicles Conference, Melbourne,
2007
J.K. Cole, L.W. Young, T. Jordan-Culler, Hazards of falling debris to people, aircraft, and
watercraft. Sandia report, SAND97-0805, Sandia National Laboratories, 1997
K. Dalamagkidis, On integrating unmanned aircraft systems into the national airspace system, in
Tutorial Presentation in 3rd International Symposium on Unmanned Aerial Vehicles (UAV’10),
Dubai, UAE, 2010
K. Dalamagkidis, K. Valavanis, L. Piegl, Current status and future perspectives for unmanned
aircraft system operations in the U.S. J. Intell. Robot. Syst. 52(2), 313–329 (2008)
K. Dalamagkidis, K. Valavanis, L. Piegl, On Integrating Unmanned Aircraft Systems into the
National Airspace System: Issues, Challenges, Operational Restrictions, Certification, and
Recommendations. Intelligent Systems, Control and Automation: Science and Engineering,
vol. 36, 2nd edn. (Springer, Dordrecht/New York, 2012)
European Aviation Safety Agency (EASA), A-NPA, No. 16/2005, policy for unmanned aerial
vehicle (UAV) certification (2005)
European Aviation Safety Agency (EASA), Certification specification 25 (CS25). Amendment 3
(2007)
European Aviation Safety Agency, Airworthiness certification of Unmanned Aircraft Systems
(UAS). Policy statement, E.Y01301 (2009)
Federal Aviation Administration, Equipment, systems and installations in part 23 airplanes. AC
23.1309-1C (1999)
D.I. Feinstein, W.F. Haugel, M.L. Kardatzke, A. Weinstock, Personnel casualty study. Technical
Report Project No. J 6067, Illinois Institute of Technology Research Institute, 1968
FSF Editorial Staff, See what’s sharing your airspace. Flight Saf. Dig. 24(5), 1–26 (2005)
J.M. Haber, A.M. Linn, Practical models of human vulnerability to impacting debris, in Proceed-
ings of the First IAASS Conference: “Space Safety, a New Beginning”, Nice (ESA SP-599),
2005, pp. 543–548
D.R. Haddon, C.J. Whittaker, Aircraft Airworthiness Certification Standards for Civil UAVs (UK
Civil Aviation Authority, London, 2002)
INnovative Operational UAS Integration (INOUI), Proposal for the integration of UAS into non-
segregated airspace. Booklet (2009)
Joint Capability Group on Unmanned Aerial Vehicles, STANAG 4671 – Unmanned aerial vehicle
systems airworthiness requirements (USAR). Draft, NATO Naval Armaments Group (2007)
Joint JAA/Eurocontrol Initiative on UAVs, A concept for European regulations for civil unmanned
aerial vehicles (UAV). Final report, 2004
National Transportation Safety Board (NTSB), Accident database and synopses (2008a), http://
www.ntsb.gov/ntsb/query.asp (online)
2228 K. Dalamagkidis
National Transportation Safety Board (NTSB), Aviation accident statistics (2008b), http://www.
ntsb.gov/aviation/Stats.htm (online)
Range Safety Group, Range Commanders Council, Range safety criteria for unmanned air
vehicles. Document 323–99 (1999a)
Range Safety Group, Range Commanders Council, Range safety criteria for unmanned air
vehicles – rationale and methodology supplement. Supplement to document 323–99 (1999b)
Range Safety Group, Range Commanders Council, Common risk criteria standards for national
test ranges. Document 321–07 (2007a)
Range Safety Group, Range Commanders Council, Common risk criteria standards for national
test ranges: supplement. Supplement to document 321–07 (2007b)
L.M. Sturdivan, D.C. Viano, H.R. Champion, Analysis of injury criteria to assess chest and
abdominal injury risks in blunt and ballistic impacts. J. Trauma 56(3), 651–663 (2004)
U.S. Department of Defense, Unmanned Systems Safety Guide for DoD Acquisition, 1st edn.
(Version .96) (2007)
U.S. Department of Defense Office of the Secretary of Defense, Unmanned aircraft systems
roadmap 2005–2030. Report, 2005
R.E. Weibel, Safety considerations for operation of different classes of unmanned aerial vehicles
in the national airspace system. Master’s thesis, Department of Aeronautics & Astronautics,
Massachusetts Institute of Technology, 2005
R.E. Weibel, R.J. Hansman, Safety considerations for operation of small unmanned aerial vehicles
in civil airspace. Presented in MIT Joint University Program Quarterly Meeting, Boston, 2003
R.E. Weibel, R.J. Hansman, Safety considerations for operation of different classes of UAVs in the
NAS, in Proceedings of the AIAA 4th Aviation Technology, Integration and Operations Forum
and AIAA 3rd Unmanned Unlimited Technical Conference, Workshop and Exhibit, Chicago,
2004
Safety Risk Management of Unmanned
Aircraft Systems 92
Reece A. Clothier and Rodney A. Walker
Contents
92.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2231
92.1.1 Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2232
92.1.2 Aim and Overview of Chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2233
92.2 Establishing the Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2234
92.2.1 Safety Risk Management Process and UAS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2234
92.2.2 The Objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2235
92.2.3 Considerations and Constraints on the UAS Safety Risk
Management Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2235
92.2.4 Stakeholders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2235
92.2.5 High-Level Safety Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2238
92.2.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2243
92.3 Risk Identification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2243
92.3.1 Risk Identification Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2244
92.3.2 The Identification of Hazards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2247
92.3.3 The Contributing Failures and Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2249
92.3.4 Assessing the Potential Consequences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2253
92.3.5 The Set of Scenarios. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2254
92.4 Risk Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2255
92.4.1 Assessing the Consequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2255
92.4.2 Likelihood of Occurrence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2256
92.4.3 Assessing the Risk. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2256
92.4.4 Uncertainty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2257
92.5 Risk Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2257
92.5.1 The ALARP Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2258
92.5.2 Evaluating the Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2260
K.P. Valavanis, G.J. Vachtsevanos (eds.), Handbook of Unmanned Aerial Vehicles, 2229
DOI 10.1007/978-90-481-9707-1 39,
© Springer Science+Business Media Dordrecht 2015
2230 R.A. Clothier and R.A.Walker
Abstract
The safety risk management process describes the systematic application of
management policies, procedures, and practices to the activities of communi-
cating, consulting, establishing the context, and assessing, evaluating, treating,
monitoring and reviewing risk. This process is undertaken to provide assurances
that the risks associated with the operation of unmanned aircraft systems have
been managed to acceptable levels. The safety risk management process and its
outcomes form part of the documented safety case necessary to obtain approvals
for unmanned aircraft system operations. It also guides the development of an
organization’s operations manual and is a key component of an organization’s
safety management system. The aim of this chapter is to provide existing risk
practitioners with a high level introduction to some of the unique issues and
challenges in the application of the safety risk management process to unmanned
aircraft systems. The scope is limited to safety risks associated with the operation
of unmanned aircraft in the civil airspace system and over inhabited areas.
This chapter notes the unique aspects associated with the application of the
safety risk management process to UAS compared to that of conventionally
piloted aircraft. Key challenges discussed include the specification of high-
level safety criteria; the identification, analysis and evaluation of the risks; and
the effectiveness of available technical and operational mitigation strategies.
This chapter also examines some solutions to these challenges, including those
currently in practice and those still under research and development.
Acronyms
ACAS Airborne collision avoidance systems
ADF Australian Defence Force
ADS-B Automatic dependent surveillance-broadcast
ALARP As low as reasonably practicable
ALoS Acceptable level of safety
ATSB Australian Transport Safety Bureau
CAA Civil Aviation Authority (United Kingdom)
CASA Civil Aviation Safety Authority (Australia)
92 Safety Risk Management of Unmanned Aircraft Systems 2231
COTS Commercial-Off-The-Shelf
CPA Conventionally-piloted aircraft
DoD U.S. Department of Defense
EASA European Aviation Safety Agency
ELoP Equivalent level of performance
ELoS Equivalent level of safety
FAA Federal Aviation Administration
FMEA Failure modes and effects analysis
GCS Ground control station
HAZOP Hazard and operability analysis
HLSC High-level safety criteria
HSE Health and Safety Executive (United Kingdom)
ICAO International Civil Aviation Organization
ISO International Organization for Standardization
LoS Line of sight
NAA National aviation authority
NTSB National Transportation Safety Board
RPA Remotely piloted aircraft
SARPS Standards and Recommended Practices
SMS Safety management system
SRMP Safety risk management process
SSP State Safety Plan
TCAS Traffic Alert and Collision Avoidance System
UAS Unmanned/uninhabited aircraft/airborne/aerial system/s (plural
same as singular)
UAV Unmanned/uninhabited aircraft/airborne/aerial vehicle/s (plural
same as singular)
92.1 Introduction
However, to justify this argument, one must also address the philosophical question
of what are the risks of not using UAS technologies?
The starting premise of this chapter, and one which is consistent with modern
aviation safety thinking (ICAO 2009) is that UAS operations, like CPA operations,
are not currently, and never will be, absolutely safe (i.e., have zero associated risks).
The challenge for UAS stakeholders is to establish a safety case detailing how these
inherent risks can be managed to an acceptable level.
Achieving an acceptable level of risk is a multidisciplinary problem. It requires
a balancing of complex social, psychological, technical, political, and economic
factors arising due to the following:
• Limited knowledge and resources available to identify characterize, and treat the
safety risks associated with a technology
• Subsequent need to make trade-offs between available risk mitigation strategies
based on assessments of the associated costs and benefits
• Potentially conflicting values, beliefs, perceptions, objectives, and expectations
held by the different stakeholder groups involved in the decision-making process
(e.g., those held by the UAS industry, other airspace user groups, and the general
public)
• Conditions and environment under which the decisions are made (e.g., hidden
political or time pressures)
Achieving a balanced outcome from such a problem space is the objective of the
safety risk management process. This objective is achieved through the application
of the safety risk management process (SRMP), which can be described as
the systematic application of management policies, procedures and practices to the activ-
ities of communicating, consulting, establishing the context, and identifying, analyzing,
evaluating, treating, monitoring and reviewing risk. [Definition 3.1, (ISO 2009)]
This chapter explores some of the unique aspects, issues, and challenges
associated with application of the SRMP to the safety risks associated with UAS
operations.
92.1.1 Scope
Discussion in this chapter is limited to the safety risks associated with civil UAS
operations. There are a variety of descriptions of the SRMP, and these descriptions
can differ in their scope, subprocesses, and structure. For the purposes of this
chapter, the generalized and domain-independent description of the SRMP provided
in ISO 31000:2009 is used and illustrated in Fig. 92.1 (ISO 2009). Some aviation-
specific descriptions of the SRMP can be found in references (FAA 2000; ICAO
2009; CAA 2010b).
Establishing, maintaining, and improving safety requires more than the appli-
cation of an SRMP. The SRMP is conducted as part of an organizational risk
framework developed in accordance with a fundamental set of organizational risk
principles (ISO 2009). In aviation parlance, these principles and the organizational
framework in which the SRMP is applied are part of an organization’s safety
92 Safety Risk Management of Unmanned Aircraft Systems 2233
management system (SMS) (ICAO 2009). The scope of this chapter does not include
the SMS. For general information on the components of the SMS, the reader is
referred to the references (ICAO 2009; ISO 2009).
The aim of this chapter is to provide existing risk practitioners with a high-
level introduction to some of the unique issues and challenges in the application
of the SRMP to unmanned aircraft systems. This chapter does not provide a
comprehensive description of the SRMP itself. The discussion is intentionally high
level in its nature to ensure applicability to a broad range of UAS and their potential
concepts of operation.
The structure of this chapter follows the SRMP illustrated in Fig. 92.1. The first
step in any SRMP is to establish the context, which is described in Sect. 92.2. This
is followed by the risk assessment process. The objective of the risk assessment
process is to comprehensively characterize the safety risks associated with UAS
operations and, based on this information, determine which of the characterized
risks can be tolerated and which of the characterized risks require mitigation
(treatment). As illustrated in Fig. 92.1, the risk assessment process comprises the
subprocesses of risk identification, risk analysis, and risk evaluation. These are
discussed in Sects. 92.3–92.5, respectively. The objective of the risk treatment
process (described in Sect. 92.6) is to identify, implement, and evaluate suitable
measures to reduce (mitigate, modify, treat, or control) the risk. The SRMP is
a living process being a key component of an organization’s overarching SMS.
The process of monitoring and reviewing (Sect. 92.7) is pivotal to maintaining
2234 R.A. Clothier and R.A.Walker
and improving the management of the risks. Finally, there is the process of
communication and consultation (Sect. 92.8). The communication and consultation
process is key to addressing broader stakeholder concerns and those issues that
stem from a lack of knowledge of the risks and benefits associated with civil
UAS operations.
One of the first steps is to define the objectives of the activity. The general
overarching objective is to provide assurances in the safety of a particular UAS
operation or organization’s activities. Objectives also need to be defined in relation
to the expected benefits of the operation to the different stakeholders involved.
For commercial UAS operations, these objectives can often be derived from the
corporate and strategic objectives of the organization (e.g., profitability, market
growth, reputation). As well as being a goal, objectives can also act as constraints
on decisions made throughout the SRMP. All objectives should be clearly defined
to ensure transparency in decision-making to help identify potential conflicts in the
SRMP.
Constraints bound the decisions made within the SRMP and can arise due to
a variety of financial, legal, social, psychological, technological, temporal, or
spatial limitations or requirements. For example, the national aviation authority
(NAA) functions of safety policy, rulemaking, and oversight must be defined
in consideration of ICAO Standards and Recommended Practices (SARPS); the
safety performance objectives established within a State Safety Plan (SSP); the
legal, political, economic, and cultural requirements specific to their respective
state; and the internal resources and capability of the NAA to define and execute
these functions. Constraints are typically categorized as being either internal or
external to the organization. Internal constraints are those that arise due to limits
in the capability or resources of the organization or due to the organization’s
existing policies, procedures, or objectives. External constraints include existing
regulations (e.g., existing civil aviation safety, environmental protection, or work-
place health and safety legislation) or other social, cultural, political, or economic
expectations held by other stakeholders (including the members of the general
public).
92.2.4 Stakeholders
92.2.4.1 Perception
A distinction is often made between those stakeholder assessments of the safety
risks that are formed through the use of objective data, expert domain knowledge,
models, or formal assessment techniques, and those assessments that are based on
the subjective knowledge, beliefs, emotions, values, and needs of the individual. The
latter of these types of assessments is commonly referred to as perceived risk. There
is a range of factors that influence how different stakeholders appraise and respond
to the safety risks associated with UAS operations. Importantly, these appraisals
and responses can be different to those they would make for the safety risks
associated with CPA operations. These perceptions give rise to different stakeholder
expectations in terms of the safety performance of UAS.
At the time of writing, no significant body of research into the perception of
the safety risks associated with UAS operations could be found. Clothier and
Walker (2006); Clothier et al. (2008) provide limited discussion on factors likely
to influence the perception and acceptability of the risks associated with UAS
operations. Also worth noting is the survey of air travelers conducted by MacSween-
George (2003). This survey attempted to characterize the willingness of people to
travel onboard a pilotless passenger aircraft.
In the absence of a risk perception study specific to UAS, general factors
taken from existing psychometric modeling studies (Fischhoff et al. 1978; Slovic
et al. 1979; Slovic 1987, 1999) are used to hypothesize the public’s perception of
the safety risks associated with UAS operations. An analysis of the UAS safety
paradigm with respect to the factors of voluntariness of exposure, control of
exposure, awareness of benefits, and uncertainty is described below.
Voluntariness. The primary risks of concern due to CPA operations are to the
crew and passengers onboard the aircraft. The individuals exposed voluntarily
92 Safety Risk Management of Unmanned Aircraft Systems 2237
undertake these risks in return for a direct benefit. On the other hand, for UAS
operations, the primary risks are to members of the general public overflown who
are largely involuntarily exposed to the risks.
Control. The members of the general public overflown by UAS operations are
largely unable to influence the level of their exposure. Whereas passengers of CPA
have greater control over the level of risk they are willing to tolerate through the
number and type of aircraft operations (e.g., gliding, sport aviation, or scheduled
passenger flights) they partake in and through choice of a particular air service
provider.
Benefit. The knowledge of the benefits of CPA operations (e.g., efficient trans-
portation of people and freight) is broadly understood and widely known. Further,
there is a direct and identifiable relationship between the individuals exposed and
the benefits they receive. However, the routine operation of UAS for civil and
commercial applications has yet to be realized, and as a consequence broader society
has limited, if any, knowledge of the benefits. For UAS, the connection between
benefits and the individual exposed may not always be identifiable to the individual
exposed.
Knowledge and Information. In relation to UAS, there are limited sources of
information available to stakeholders. The quality of the information that is available
to stakeholders is variable, biased, and often unverified. For example, the movie
StealthTM portrays UAS with unrealistic capabilities. The information available
predominantly relates to military UAS operations and their roles in recent conflicts
(e.g., as weapons of war). This can create a bias in stakeholder knowledge of
UAS. There is also a significant knowledge gradient between stakeholders (i.e., a
difference in the amount and quality of knowledge held by the different stakeholder
groups). The general public and the NAAs have less personal knowledge that they
can use to contrast/verify the information available to them. Whereas the industry
stakeholders have much more experience and knowledge relating to UAS operations
and their safety performance. This knowledge gradient can lead to issues of trust and
in turn higher stakeholder uncertainty in assessments of the risks. Finally, the above
factors can lead to lower stakeholder certitude (e.g., belief in their self-knowledge),
and potential issues of trust can lead to higher perceptions of the risk. These and
other factors give rise to stakeholder uncertainty. The higher the uncertainty, the
higher the perception of the risks.
Based on the above factors, it is hypothesized that stakeholder perceptions of the
risks associated with UAS operations will be higher than that for a comparable CPA
operation. Addressing the issues relating to risk perception requires the development
of communication strategies (Sect. 92.8). Psychological factors influence not only
stakeholder assessments of the risks but also their appetite for them. It has been
proposed that stakeholders will expect UAS to demonstrate a level of safety
performance better than that currently expected of CPA operations. If true, this
expectation will need to be taken into consideration when defining high level safety
criteria (HLSC) for UAS. Most qualitative specifications of HLSC for UAS express
a desire for UAS to exhibit a level of risk less than, or equal to, that currently
demonstrated by CPA. Some quantitative specifications of HLSC for UAS include
2238 R.A. Clothier and R.A.Walker
Table 92.1 Examples of qualitative specifications of the acceptable level of safety criteria for
UAS
Statement Reference
“UAS must operate safely, efficiently, and compatibly with manned aircraft RTCA Guidance
operation in the airspace so that the overall safety of the airspace is not Material (RTCA
degraded. The fundamental safety requirement for the UAS is to provide 2007)
an acceptable level of risk for people and property in the air and on the
ground” p. 1
“. . . UAS are to provide and acceptable level of risk for people and property
on the ground and in the air and to operate without adversely affecting the
existing users of the NAS.” p. 11
“Enable the operation of sUAS [small UAS] by mitigating, to an acceptable Recommendations
level of risk, the hazards posed to manned aircraft and other airborne from the Aviation
objects operating in the National Airspace System (NAS) as well as the Rulemaking
public on the surface.” p. iii Committee, FAA
(SUAS 2009)
“Any sUAS may be operated in such a manner that the associated risk
of harm to persons and property not participating in the operation is
expected to be less than acceptable threshold value(s) as specified by the
Administrator.” p. 53
“Regulations are intended to ensure that the UAV systems and their MITRE Issues
operations achieve an acceptable level of safety for people and property paper (DeGarmo
in other aircraft and on the surface.” pp. 2–46 2004)
92 Safety Risk Management of Unmanned Aircraft Systems 2239
Table 92.2 Examples of qualitative specifications of the equivalent level of safety criteria
for UAS
Statement Reference
“The principal objective of the aviation regulation framework is to ICAO circular (ICAO
achieve and maintain the highest possible uniform level of safety. In 2011)
the case of UAS, this means ensuring the safety of any other airspace
user as well as the safety of persons and property on the ground.” p. 4
“[this framework] . . . will provide, at a minimum, an equivalent level
of safety for the integration of UAS into non-segregated airspace and
at aerodromes.” p. 4
“The introduction of RPA [remotely piloted aircraft] must not increase
the risk to other aircraft or third parties and should not prevent or
restrict access to airspace.” p. 17
“UAV operations should be as safe as manned aircraft insofar as they CASA advisory
should not present or create a hazard to persons or property in the air or circular (CASA 2002)
on the ground greater than that created by manned aircraft of equivalent
class or category.” p. 11
“When considering a request for approval to conduct a particular
operation with a UAV, CASA must ensure that the operation of the UAV
will pose no greater threat to the safety of air navigation than that posed
by a similar operation involving a manned aircraft. This characteristic
may be termed ‘acceptable’.” p. 18
“. . . UAS operations must be as safe as manned aircraft insofar as they CAA-UK Guidance
must not present or create a greater hazard to persons, property, vehicles material (CAA
or vessels, whilst in the air or on the ground, than that attributable to the 2010a)
operations of manned aircraft of equivalent class or category.” Sect. 1,
Chap. 1, p. 1
“A civil UAS must not increase the risk to people or property on the EASA Policy
ground compared with manned aircraft of equivalent category.” p. 4 statement (EASA
2009)
“UAV Operations shall not increase the risk to other airspace users or JAA and
third parties.” p. 12 EUROCONTROL,
“If civil UAV Systems are to become a reality the industry must gain the Report (JAA/EURO
acceptance and confidence of these people [general public and existing CONTROL 2004)
airspace users], and this could be achieved by demonstrating a level
of safety at least as demanding as the standards applied to manned
aircraft.” p. 12
“. . . it is broadly accepted by European military authorities that UAV EUROCONTROL
operations outside segregated airspace should be conducted at a level of Specifications
safety equivalent to that for manned aircraft. Similarly, UAV operations (EUROCONTROL
should not increase the risk to other airspace users and should not deny 2007)
the airspace to them.” p. 6
“. . . UAVs must demonstrate that they do not pose an undue hazard to MITRE Issues paper
other aircraft or persons on the ground. They must, in short, provide for (DeGarmo 2004)
an equivalent level of safety to manned aircraft.” pp. 2–1
“UASs shall operate to equivalent levels of safety as manned aircraft in Australian Defence
regard to the risk they pose to people on the ground, other aircraft and Force airworthiness
property.” MILAVREG 7.1 p. 1, Sect. 2, Chap. 7 regulations and
“The objective of the unmanned aerial systems (UAS) airworthiness guidance material
regulations is to ensure that UAS operations present no greater risk (ADF 2009)
to personnel, other aircraft and property than that accepted for the
operation of manned aircraft, without undue compromise to operational
flexibility.” Sect. 5, Chap. 3, p. 1
(continued)
92 Safety Risk Management of Unmanned Aircraft Systems 2241
account for peak risks that can occur due to geospatial or temporal concentrations in
aviation activity or variations in the level of exposure of different subgroups within
the populations exposed to the risks (e.g., the level of risk to pilots and aircrew
compared to the level of risk to members of the general flying public).
To ensure a more comprehensive management of the risks associated with UAS
operations and to be consistent with the safety risk management of other industries
(see HSE 2001b), Clothier et al. (2011) propose that the specification of HLSC for
UAS includes measures indicative of the individual and societal risk, in addition to
the measures of group/collective risk that have been previously proposed. Further,
it is recommended that the HLSC for UAS be defined based on the peak risks
associated with CPA operations as opposed to averaged values.
Irrespective of the measures used or where the baseline level of safety is set (e.g.,
equivalent to that of CPA or not), there is the inherent difficulty of verifying that a
system or operation actually satisfies the HLSC.
in the Section 92.2.5.3). Satisfying an ELoP does not necessarily give rise to an
ELoS. The use of ELoP as de facto safety criteria requires assumptions to be
made in relation to the nature of the relationship between system performance (e.g.,
reliability) and the level of risks to different entities of value (e.g., the potential
damage to people and property).
92.2.6 Summary
Establishing the context defines the inputs, desired outputs, and the boundaries and
constraints on decisions made throughout the SRMP. It is important to note that
obtaining a public license for UAS operations must take into consideration a broad
range of issues. The integration of a new technology into society is subject to a wide
range of broader social, political, cultural, and economic considerations. For exam-
ple, one of the primary concerns identified in the survey of air travelers conducted
by MacSween-George (2003) was the potential unemployment of pilots. A search
of mainstream media sources reveals numerous articles identifying a broad range of
public concerns including privacy, noise and public disturbance, and the potential
misuse of UAS by drug traffickers or terrorists. Such concerns can be as significant
as those issues relating to their safety. Further research is needed to characterize
the safety criteria for UAS and to better understand different stakeholder concerns,
perceptions, and expectations. In the interim, guidance can potentially be found
through exploring the safety risk management of other new technologies, such as
genetically modified foods, nanotechnologies, stem cell research, nuclear power,
and the use of automation in the rail and shipping industries.
The objective of the risk identification process is to identify how the system can fail,
how these failures and conditions manifest as hazards, and the potential undesired
outcomes that can result from the occurrence of the hazards. The identification of a
specific combination of these three components describes a risk scenario. The set of
all risk scenarios can be defined through the identification of the set of hazards, and
for each particular hazard the associated sets describe the following:
1. The different conditions, failures, and events contributing to the occurrence of
the particular hazard
2. The potential types and levels of consequential outcomes associated with the
occurrence of the particular hazard
The set of all scenarios identified with a given activity is described as the
risk profile. By way of general introduction, the high-level UAS and CPA risk
profiles are illustrated in Figs. 92.2 and 92.3, respectively. Illustrated in Figs. 92.2
and 92.3 are the primary and secondary hazards and their potential consequential
outcomes to people and property. Not shown are the conditions, failures, and events
contributing to the occurrence of the hazards. The profiles, and the tools, data, and
techniques that can be used to identify and characterize them are described in the
following subsections.
2244 R.A. Clothier and R.A.Walker
Fig. 92.2 Illustration of the high-level risk profile associated with UAS operations
A range of techniques can be used to identify and characterize the risk scenarios
associated with UAS operations. The CAA categorizes these techniques into histor-
ical (e.g., a review of accident and incident data), brainstorming (e.g., elicitation of
knowledge from domain experts), and systematic (e.g., formal tools and processes)
techniques (CAA 2010b).
A typical starting point for any risk identification process is a review of existing
accident and incident data. Such a review can provide general insights into the
key hazards and their likely consequential outcomes and, depending on the scope
and quality of the investigative reports available, the factors contributing to their
occurrence. Some notable examples of UAS accidents and incidents are provided in
Table 92.4.
There is limited data on UAS accidents and incidents. The majority of publicly
available data relate to military UAS operations primarily because of the limited
amount of nonmilitary UAS activity to date (a product of the current regulatory
environment) and that mandatory reporting of accidents and incidents involving
nonmilitary UAS has only recently come into force (refer to Sect. 92.7.1). Seldom
does a review of accident and incident data provide a comprehensive identification
of the potential hazards and their outcomes. This is particularly the case for UAS,
92 Safety Risk Management of Unmanned Aircraft Systems 2245
Fig. 92.3 Illustration of the high-level risk profile associated with CPA operations
where there is limited data available and the primary hazards are inherently rare
events. Further, the ability to identify the complexity of factors contributing toward
the occurrence of an accident or incident is often restricted by the method and
quality of the records available. Incidents occur more frequently than accidents.
Incidents provide valuable information as precursor or lead indicators for accidents;
however, less information is typically available in incident reports due to the limited
amount of resources available to investigate them. There is also a bias in the
data toward military UAS operations, and therefore, when using this data, it is
important to consider some of the differences between military and nonmilitary
UAS operations. For example, the potential differences:
• Between the design and operational philosophies adopted for military and
nonmilitary UAS (e.g., trade-offs made between survivability and mission risk
vs. public, and personnel risk)
• Between the environments they are operated in (e.g., natural environment, mix
and types of other airspace users, and electromagnetic environment)
• In how they are managed within the airspace system (e.g., procedures for
separation, the situational awareness available to air traffic control, the UAS
operators and other airspace users, and the type of services provided)
2246 R.A. Clothier and R.A.Walker
• In the nature of the missions performed (e.g., low-level flights, maneuver, and
mission profiles)
• In their hazards (e.g., for military UAS, there are unique hazards associated
with the carriage of ordinance, self-protection systems, and payload self-destruct
mechanisms)
These and many other differences can give rise to unique sets of risk scenarios
for military and nonmilitary UAS operations. Although a valuable input to the
risk identification process, UAS accident and incident data should not be used as
the sole means for risk identification. This data should be complemented by other
risk identification techniques to ensure a comprehensive identification of the risks.
References (SAE 1996; FAA 2000; FAA and EUROCONTROL 2007) describe a
number of tools, and that can be used in the identification and analysis of aviation
safety risks. A domain-independent review of over 100 different risk identification
and analysis techniques can be found in Stephens et al. (1997). Commonly used risk
identification and analysis tools are provided in Table 92.5.
The specification of a risk scenario starts with the identification of the hazards.
A hazard is a state or condition that has the potential to cause loss to something
of value. ISO31000:2009 describes the analogous concept of a risk source, defined
as an “element which alone or in combination has the intrinsic potential to give rise
to risk” (ISO 2009). Prescriptive definitions of hazard can be found in ICAO (2009);
DoD (2010a).
2. On the ground due to falling aircraft or debris from a near midair collision (e.g.,
incident 8, Table 92.4, where wake turbulence caused the loss of the UAS)
3. Onboard the CPA due to evasive maneuvers performed in order to avoid a
collision with a UAS (while either of the aircraft is in the air or on the
ground)
Some of the secondary hazards associated with the primary hazard B above
include the potential harm caused to people on the ground due to the following:
1. Release of hazardous materials (e.g., chemical payloads, composite materials, or
ordnance) following an impact with terrain or an object on the terrain
2. Progression of fires, the collapse of buildings, motor vehicle accidents, or other
hazards arising as a result of the UAS coming to earth (e.g., in incident 3 of
Table 92.4 there was the potential for an explosion or fire had the UAS damaged
critical components of the oil refinery)
As can be observed in Figs. 92.2 and 92.3, the primary and secondary hazards
identified within the UAS risk profile also exist within the CPA risk profile.
However, not shown are differences in the failures and conditions contributing to the
occurrence of these hazards and in the types and levels of consequence associated
with their occurrence.
There are a variety of ways in which the hazards illustrated in Fig. 92.2 can
eventuate. The specification of a risk scenario includes identifying how a particular
hazard can occur. A hazard is typically the result of a series of active failures
in combination with latent conditions that involve all components of the system
(i.e., the interaction of the components of man, machine, and organization) and
the interaction of the system within its operating environment. Some key tech-
niques for identifying these failures and conditions include FMEA, HAZOP, fault
tree analysis, human factors studies (discussed below), and anticipatory failure
determination.
High-level guidance on common factors contributing to UAS mishaps can
be found in studies of existing accident and incident data. For example, some
frequent causes of mishaps reported by the U.S. Department of Defense (DoD) are
summarized in Table 92.6.
Table 92.6 Percentage of mishaps attributed to different failure mode categories, from OSD
(2003)
Failure mode % of total mishapsa
category Description attributed to categoryb
Power/propulsion Encompasses the engine, fuel supply, transmission, 37
propeller, electrical system, generators, and other
related subsystems onboard the aircraft
Flight control Includes all systems contributing to the aircraft 26
stability and control such as avionics, air data
system, servo-actuators, control surfaces/servos,
onboard software, navigation, and other related
subsystems. Aerodynamic factors are also included
in this grouping
Human/ground Accounts for all failures resulting from human error 17
and maintenance problems with any non-vehicle
hardware or software on the ground
Communications The datalink between the aircraft and the ground 11
Miscellaneous Any mission failures not attributable to those 9
previously noted, including airspace issues,
operating problems, and other nontechnical factors
a
Defined as an accident resulting in significant vehicle damage or total loss of human life, or
causing more than $1,000,000 in damage
b
Averaged over 100,000 flight hours across five different UAS types
92.3.3.5 Software
Most nonmilitary UAS make use of Commercial-Off-The-Shelf (COTS) consumer-
grade software that is often provided without warranty or assurance. Without such
assurances, it can be extremely difficult to assess the likelihood of encountering
latent errors or undesired behavior. Often, the dependability of software can only
be gauged through extensive experience in its use under a variety of conditions.
Configuration control is also particularly important for those systems using COTS
software. Small bug fixes and auto updates to operating systems can introduce
new latent conditions and significantly change the stability and behavior of the
software system as well as its performance under existing conditions. Software
considerations should extend to include any electronic databases (e.g., publicly
available digital elevation maps), firmware, operating systems, and applications
used during flight or prior to and after flight (e.g., flight planning, software,
and documentation control systems). In addressing software-related risks, there
are two separate, yet often confused, considerations. Firstly, there are risks as-
sociated with the behavior of algorithms and, in the case of UAS, the validity
of autonomous behavior. The latter is particularly of concern when the level of
autonomy increases (Parasuraman et al. 2000). The second consideration relates to
the implementation of the algorithm and is addressed by standards such as DO-178B
(RTCA 1992).
92.3.3.6 Security
Security threats are a subcategory of hazards. More specifically, they are hazards
that arise, either directly or indirectly, through the intentional disturbance of the
safe or normal operational state of the UAS. Most often, these disturbances originate
from objects external to the system, which exploit the interfaces between the UAS
and its environment (e.g., interference, jamming, or the overriding of control via
communications links or physical access to the ground control station (GCS)). The
security of the UAS should take into consideration:
• The type of radio control gear, voice, and data links used for communication
between all components of the system (including ground personnel and air traffic
control)
• Whether the links are vulnerable to intentional or unintentional interference and
whether the loss of this link has a safety impact for different phases of the
operation
• The type of information conveyed on these links and its criticality to the
safety of the operation of the aircraft if corruption, disruption, or spoofing
occurs
• Whether the sender or recipient of the information on these links needs to be
verified or not (e.g., incident 10 described in Table 92.4)
• The location and physical security of the GCS and any launch, recovery,
communications relay, maintenance, and storage sites
• Whether software security, such as firewalls and antivirus programs, is installed
and used
• Policies in relation to access to the Internet and the transfer of media via
removable storage.
92 Safety Risk Management of Unmanned Aircraft Systems 2253
As can be observed in Fig. 92.3, the risks associated with CPA operations include
consideration of the potential harm to people onboard the aircraft in addition to those
onboard other CPA or on the ground. An analysis of worldwide accidents involving
conventionally piloted commercial jet aircraft over the period 2001–2010 reveals
that more than 95 % of all fatal injuries were to people onboard an aircraft (Boeing
2011). Therefore, for both of the primary hazards associated with CPA operations,
the consequences of principal concern are those to the passengers and crew onboard
the aircraft and, secondarily, to the population of people external to the aircraft
(e.g., those living in the regions overflown). For UAS, there are no people onboard
the aircraft, and the primary risks are instead to those entities of value considered
external to the system. Consequently, the primary types and spectra of consequential
outcomes associated with UAS operations are different to those associated with
CPA operations.
The third step in the SRMP, Fig. 92.1, is an analysis of the risk. Risk analysis
describes the process of characterizing the nature and level of the risk for each
of the identified risk scenarios. A measure of risk is expressed through the
combination of assessments of the consequence and the likelihood of occurrence
of the given scenario.
A qualitative or quantitative table is often used to group and rank the different types
and levels of consequence associated with the identified risk scenarios (examples
shown in Table 92.7). An assessment of the consequence for a given risk scenario
is made by mapping its potential outcomes to one of the consequence levels defined
within the table. As there can be more than one consequential outcome associated
with the occurrence of a single-risk scenario, a mapping is typically based on the
worst possible outcome identified.
A range of qualitative and quantitative scales have been used to describe levels of
risk. For example, MIL-STD-882D (DoD 2010a) assesses risk on the qualitative
ordinal scale: low, medium, serious, and high. The component measures of conse-
quence (Sect. 92.4.1) and of likelihood (Sect. 92.4.2) then need to be mapped to one
of these levels of risk. A risk matrix is the most common method for illustrating
this mapping, and an example of which is provided in Fig. 92.4. ICAO (2009) also
provides an example of a risk matrix.
92.4.4 Uncertainty
Risk evaluation is the process of comparing the results of the risk analysis with the
HLSC to determine whether the risk for a given scenario is tolerable (ISO 2009)
or whether further measures need to be undertaken to reduce the risk. There are a
range of decision-making frameworks that can be used within the risk evaluation
process; these include the as low as reasonably achievable, globalement au moins
Équivalent, or minimum endogenous mortality frameworks used in the Netherlands,
France, and Germany, respectively. Discussion in this chapter is limited to the as low
2258 R.A. Clothier and R.A.Walker
out unless further action can be undertaken to reduce the risk (HSE 2001b). This
region corresponds with the notion of a de manifestis level of risk, which is based
on the legal definition of obvious risk (RCC 2007). It is defined as the level of risk
above which a person of ordinary level of intelligence intuitively recognizes as being
inherently unacceptable (Fulton 2002; RCC 2007).
A Region of Tolerability – This region describes those risks which are considered
tolerable, specifically those situations where there is “. . . a willingness to live with
a risk so as to secure certain benefits and in the confidence that it is being properly
controlled. To tolerate a risk means that we do not regard it as negligible or
something we might ignore, but rather as something we need to keep under review
and reduce still further if and as we can” (HSE 1992). As described in HSE (2001b),
risks that fall in the region are considered tolerable if and only if the:
• Risks have been properly assessed (e.g., assessments based on the best available
scientific evidence or advice), and the results are used to determine appropriate
measures to control the risks.
• Residual risks are not unduly high (e.g., above the de manifestis level) and are
kept to level as ALARP.
• Risks are periodically reviewed.
A Region of Broadly Acceptable Risk – Risks within this region are “gen-
erally regarded as insignificant and adequately controlled” (HSE 2001b). There
is no distinct line demarcating tolerable risks from broadly acceptable risks;
instead, it has been described as the point at which “the risk becomes truly
negligible in comparison with other risks that the individual or society runs”
(HSE 1992). Obtaining a broadly acceptable level does not mean the pursuit
for the reduction of risks to ALARP should be abandoned. As described by
the UK Health and Safety Executive (HSE), “duty holders must reduce risks
wherever it is reasonably practicable to do so or where the law so requires it”
(HSE 2001b).
The Concept of ALARP – A risk is considered ALARP if the cost of any
reduction in that risk is in gross disproportion to the benefit obtained from the
reduction Determining that risks have been reduced to a level as ALARP involves
an assessment of the risk to be avoided, of the sacrifice or costs (e.g., in money, time,
and trouble) involved in taking measures to treat that risk, and a comparison of the
two to see if there exists a gross disproportion (HSE 2001a). General discussion
on the cost-benefit process that needs to be undertaken and some guidance on the
meaning of gross disproportion can be found in references (HSE 2001b,a; CASA
2010; Jones-Lee and Aven 2011).
De Minimis Level – Some specifications of the ALARP framework include a
specification of the de minimis level of risk. The de minimis level stems from
the legal principle de minimis non curat lex (the law does not concern itself with
trifles) (Paté-Cornell 1994; Fulton 2002; RCC 2007). It is often used as a guide for
determining when risks have been managed to a level that could be considered below
concern.
A Scrutiny Level – Some implementations of the ALARP framework feature a
scrutiny line, which is often used to put newly assessed risks in context with risks
2260 R.A. Clothier and R.A.Walker
that have been tolerated or broadly accepted in the past. Often, the scrutiny level
represents the de facto risks for a similar activity/industry.
It is important to note that the meaning of ALARP and its implementation in law
can change between states (an important consideration when it comes to the risk
management of international UAS operations). The description of ALARP provided
above is consistent with its implementation in those countries that adopt common
law (e.g., the UK, the USA, Australia, Canada, New Zealand). Ale (2005) provides
an example of some of the issues that can arise due to the application of safety
decision-making frameworks such as ALARP within different legal systems.
There are psychological, social, and practical difficulties in the specification and
sole use of quantifiable criteria within the ALARP framework. This has lead to
the use of qualitative frameworks that focus on demonstrating that all reasonably
practicable measures have been undertaken to reduce a risk as opposed to making
quantifiable comparisons of the assessed risks to specifications of the de manifestis,
de minimis, or scrutiny levels. The results from comparisons of assessed risks
to HLSC ultimately translate to requirements on design; hence, a quantifiable
specification of HLSC within the ALARP framework is most desirable. When
introducing a new technology into society one cannot avoid the commonly used
litmus test of a comparison to similar and existing risks (as often made by the
media or by members of the public). In this case, the ELoS HLSC (as described in
Sect. 92.2.5) should be represented as scrutiny lines within the ALARP framework.
Further research is needed to explore the psychological, social, and practical
implications relating to the representation of the quantitative HLSC for UAS in the
ALARP framework. There can also be general issues associated with the application
of ALARP specifically to new technologies such as UAS, and these are discussed
in Melchers (2001).
For those risk scenarios that are not tolerable, measures need to be undertaken to
reduce (mitigate, modify, treat, or control) the residual risk to a level considered as
ALARP.
92 Safety Risk Management of Unmanned Aircraft Systems 2261
The first step is to determine a list of all possible treatment options. Guidance
on potential mitigation strategies can be found in regulatory materials (CASA
2002; FAA 2011b) or by reviewing the safety cases used in the approval of
existing operations. In general, risk mitigation strategies reduce the risk through
the following:
A. Removing the hazard altogether
B. Reducing the likelihood that a hazardous event occurs
C. Reducing the level of potential consequence associated with the occurrence of
an hazardous event
D. Sharing the retained risk with other organizations
E. Combinations of the above
Fig. 92.6 An example mitigation technology: the INSITU Pacific Mobile Aircraft Tracking
System with communications, primary radar, and ADS-B In (Wilson 2012) (Image courtesy of
Dr Michael Wilson)
Fig. 92.8 An example mitigation technology: the INSITU Pacific ScanEagleTM on launcher with
high-visibility markings and strobes (Image courtesy INSITU Pacific Ltd)
Table 92.10 Example strategies for mitigating the risks of a controlled or uncontrolled impact
with terrain or objects on the terrain
(1) Elimination of Not conducting the operation
the hazard
(2) Reduction in the Operational Isolating UAS operations to designated and controlled
likelihood of a ranges where there are no people or property exposed;
hazard occurring minimizing/avoiding the overflight of people and property,
or limiting operations to areas of low population density;
operating over the oceans and away from known fishing
areas or shipping lanes; establishing designated recovery or
ditching points; flying at night when people are more likely
to be sheltered; ability to operate under more than one
mode of operation (e.g., autonomous or manual remote
operation)
Technological Automated recovery systems capable of flying to
preprogrammed recovery sites; emergency forced landing
systems (e.g., Mejias et al. 2009); failure warning systems
(e.g., icing or fuel warnings, breach of operational
boundaries); controlled ditching in preprogrammed areas;
containment systems (e.g., automated fencing, parachute,
ditching, or explosive termination systems)
Strategic survey and crew familiarization with operating
environment; crew training in failure and emergency
procedures; general awareness (briefing local population)
(3) Reduction of the Sheltering of people or assets; frangible aircraft; energy dissipating flight
level of potential profiles (manual or pre-programmed); air bags; parachute systems; avoiding
consequences areas with the potential for consequences of high value (e.g., areas with
hospitals, schools, or areas of high population density); personal protective
equipment (e.g., helmet and eye protection – for micro/small UAS
operations); established emergency procedures; emergency response
equipment (e.g., first aid, environmental spill kits, fire fighting, and personnel
protective equipment for post accident cleanup)
own, are not likely to provide an acceptable safety case. Reducing exposure (e.g.,
staying away, Table 92.9) in combination with other see and be seen mitigation
strategies is likely to provide the most effective approach for managing the risk
of a midair collision. In assessing the effectiveness of the different strategies,
consideration should be given to the following:
• Types of airspace users that are likely to be encountered and their:
– Resilience to damage due to a collision with the particular type of UAS (e.g.,
bird strike protection of transport category aircraft)
– Observability to the different sensing or awareness approaches that could be
used (e.g., radar cross-sectional area)
– Equipage (e.g., whether they have radios or transponders onboard)
– Ability to detect the UAS
– Ability to maneuver
– Typical operating speeds (e.g., determination of closing speeds and time to
react)
– Conditions of right of way
• Operating conditions (e.g., instrument meteorological conditions vs. visual
meteorological conditions) or the operational profile flown (e.g., variation in
radar clutter performance with altitude)
• Geographical volumes over which protection or awareness needs to be provided
• Temporal changes (e.g., use of strobes during the day vs. at night) and the dura-
tion of activity (e.g., effectiveness of ground observers for extended
missions)
avoidance, or situational awareness for UAS (FAA 2011a). These studies identified
a number of technical and operational issues, which have a significant impact on the
effectiveness of ACAS as a midair collision avoidance system for UAS.
92.6.3.2 Practicality
The practicable feasibility of mitigation strategies needs to be considered in
relation to the physical and performance limitations of the system. For exam-
ple, there are fundamental limits in relation to the maximum takeoff weight,
payload volume, and power available to support mitigation systems onboard
an unmanned aircraft. Similarly, there are fundamental limits in relation to the
maneuverability, speed, range, endurance, glide performance, or ceiling
of the UAS.
92.6.4 Summary
One of the primary triggers for an ad hoc review of the safety risk management of an
activity is the occurrence of an accident or incident. Accident and incident data are
a valuable source of information that can be used to identify new risk scenarios and
update risk assessments. Most importantly, an analysis of accidents and incidents
provides organizations with the opportunity to evaluate the effectiveness of their
mitigation strategies and to put in place new measures to further reduce the risks.
The definition of accidents and incidents and the conditions for their reporting
depend on the particular state in which the accident occurs. The National Trans-
portation Safety Board (NTSB) in the USA defines an unmanned aircraft accident
as the following:
“an occurrence associated with the operation of any public or civil unmanned aircraft system
that takes place between the time that the system is activated with the purpose of flight and
the time that the system is deactivated at the conclusion of its mission, in which: (1) Any
person suffers death or serious injury; or (2) The aircraft has a maximum gross take-off
weight of 300 pounds or greater and sustains substantial damage.” p. 600, 49 CFR 830.2
(GPO 2010)
Mandatory reporting of accidents involving UAS in the USA only formally came
into force in October 2010 [amendments to title 49 CFR 830 (GPO 2010)]. FAA
accident and incident reporting requirements were in force prior to this date and
were mandated under the conditions of a certificate of waiver or authorization (FAA
2011b). Annex 13 to the Chicago Convention was amended in November 2010 to
include the investigation of accidents and serious incidents involving international
civil UAS operations but only for those UAS with design and/or operational
approval (ICAO 2011).
2270 R.A. Clothier and R.A.Walker
92.9 Conclusion
This chapter has highlighted many of the unique issues and challenges associated
with the application of the safety risk management process to UAS. These issues
and challenges can be technical, operational, economic, political, and social in
nature and can influence all facets of the safety risk management process. Some
sections of this chapter pose more questions than they do answers, highlighting
that there is still much to be learned. The area of greatest need is in developing an
understanding of the broader perceptions, beliefs, and expectations of society and
how these factors influence decisions in relation to the safety of UAS operations.
The challenges and issues discussed in this chapter are, in general, not unique
to UAS. Challenges of a similar nature will need to be addressed in the safety
risk management of other emerging aviation sectors such as reusable space launch
vehicles, personal air vehicles, and hypersonic aircraft. It is hoped that the general
processes developed and the lessons learned in the safety risk management of UAS
will help to pave the way for these and other emerging and highly beneficial aviation
sectors.
While this chapter has highlighted many issues, it is important to note that UAS
are being safely operated in civil airspace today. In Australia, an approval to operate
is obtained through the presentation of a suitable safety case to CASA, a safety case
underpinned by a safety risk management process. Addressing the issues identified
in this chapter will be pivotal to reducing the uncertainty in these safety cases,
for ensuring consistency in the regulation of the industry, and for supporting the
definition of more prescriptive safety regulations.
Acknowledgments The authors would like to thank Dr Neale Fulton, adjunct professor at
Queensland University of Technology, Mr. Brendan Williams and Dr Michael Wilson from Boeing
Research & Technology, Australia, Mr. Jim Coyne and Mr. Phil Presgrave from the Civil Aviation
Safety Authority, and Mr. Kim Jones for their valuable comments and additions to this chapter.
References
ADF, AAP7001.048(AM1), ADF Airworthiness Manual (Australian Defence Force (ADF), Direc-
torate General Technical Airworthiness, Canberra, Australia, 2009)
AIB, RQ-4A Global Hawk UAV Accident Investigation, Executive Summary (2000). Retrieved 8
Nov 2011 from http://usaf.aib.law.af.mil/ExecSum2000/RQ-4A Edwards 6Dec99.pdf
B.J.M. Ale, Tolerable or acceptable: a comparison of risk regulation in the United Kingdom and in
the Netherlands. Risk Anal. 25(2), 231–241 (2005)
Boeing, Statistical Summary of Commercial Jet Airplane Accidents, Worldwide Operations 1959–
2010 (Aviation Safety, Boeing Commercial Airplanes, Seattle, 2011)
2272 R.A. Clothier and R.A.Walker
CAA, CAP 722 Unmanned Aircraft System Operations in UK Airspace – Guidance (CAP 722,
Civil Aviation Authority (CAA), The Stationary Office London, 2010a)
CAA, CAP 760 Guidance on the Conduct of Hazard Identification, Risk Assessment and the
Production of Safety Cases (UK Civil Aviation Authority, The Stationary Office, London,
2010b)
CASA, AC101-1(0) Unmanned Aircraft and Rockets, Unmanned Aerial Vehicle (UAV) Operations,
Design Specification, Maintenance and Training of Human Resources (AC101-1(0), Civil
Aviation Safety Authority (CASA), Canberra, 2002)
CASA, Cost Benefit Analysis Procedures Manual (Civil Aviation Safety Authority (CASA),
Canberra, 2010)
CASA, AC101-8 Unmanned Aircraft Systems – Safety Management (Draft) (Canberra, Civil
Aviation Safety Authority (CASA), 2011)
R.A. Clothier, R.A. Walker, Determination and evaluation of UAV safety objectives, in
21st International Unmanned Air Vehicle Systems Conference, Bristol, United Kingdom,
2006
R.A. Clothier, R.A. Walker et al., A casualty risk analysis for unmanned aerial system (UAS)
operations over inhabited areas, in Twelfth Australian International Aerospace Congress
(AIAC-12), 2nd Australasian Unmanned Air Vehicles Conference, Melbourne, Australia,
2007
R.A. Clothier, N.L. Fulton et al., Pilotless aircraft: the horseless carriage of the twenty-first
century? Risk Res. 11(8), 999–1023 (2008)
R.A. Clothier, J.L. Palmer et al., Definition of airworthiness categories for civil unmanned aircraft
systems (UAS), in 27th International Congress of the Aeronautical Sciences (ICAS), Nice,
France, 2010
R.A. Clothier, J.L. Palmer et al., Definition of an airworthiness certification framework for civil
unmanned aircraft systems. Saf. Sci. 49(6), 871–885 (2011)
K. Dalamagkidis, K.P. Valavanis et al., On unmanned aircraft systems issues, challenges and
operational restrictions preventing integration into the National Airspace System. Prog. Aerosp.
Sci. 44(7–8), 503–519 (2008)
M.T. DeGarmo, Issues Concerning Integration of Unmanned Aerial Vehicles in Civil Airspace.
MP 04W0000323 (Center for Advanced Aviation System Development, MITRE Corporation,
McLean 2004)
DoD, MIL-STD-882D Department of Defense Standard Practice, System Safety, Environment,
Safety, and Occupational Health Risk Management Methodology for Systems Engineering.
Draft incorporating Change 1 (U.S. Department of Defense (DoD), 2010a)
DoD, U.S. Army Unmanned Aircraft Systems Roadmap 2010–2035 (U.S. Army UAS Center of
Excellence, U.S. Department of Defense, Fort Rucker, Alabama, 2010b)
J.A. Drezner, R.S. Leonard, Innovative Development: Global Hawk and DarkStar. Flight Test in
the HAE UAV ACTD Program (RAND, Santa Monica, 2002)
EASA, E.Y01301, Policy Statement Airworthiness Certification of Unmanned Aircraft Systems
(UAS) (Rulemaking Directorate, European Aviation Safety Agency (EASA), 2009)
EUROCONTROL, Specifications for the Use of Military UAVs as Operational Air Traffic Outside
Segregated Airspace (EUROCONTROL-SPEC-0102, EUROCONTROL, Brussels, Belgium,
2007)
FAA, FAA System Safety Handbook (Federal Aviation Administration (FAA), Department of
Transportation, Washington, 2000)
FAA, Sense and Avoid (SAA) for Unmanned Aircraft Systems (UAS). Report for the FAA
sponsored “Sense and Avoid” workshop federal aviation administration (FAA), Department
of Transportation, Washington DC, USA (2009)
FAA, Evaluation of Candidate Functions for Traffic Alert and Collision Avoidance System II
(TCAS II) on Unmanned Aircraft System (UAS) (Aviation Safety, Flight Standards Service,
Unmanned Aircraft Program Office, Federal Aviation Administration (FAA), Washington,
2011a)
92 Safety Risk Management of Unmanned Aircraft Systems 2273
FAA, JO 7210.766, Unmanned Aircraft Operations in the National Airspace System (NAS). JO
7210.766 (Unmanned Aircraft Systems Group, Federal Aviation Administration (FAA), U.S.
Department Of Transportation, Washington, 2011b)
FAA and EUROCONTROL, FAA/EUROCONTROL ATM Safety Techniques and Toolbox (Federal
Aviation Administration (FAA) and EUROCONTROL, 2007)
B. Fischhoff, P. Slovic et al., How safe is safe enough? A psychometric study of attitudes towards
technological risks and benefits. Policy Sci. 9(2), 127–152 (1978)
S. Fitzpatrick, Australian spy plane crashes into Timorese home. The Australian (2007).
Retrieved 8 Nov 2011, from http://www.news.com.au/top-stories/australian-spy-plane-
crashes-into-timorese-home/story-e6frfkp9-1111113506458
C. Fraser, D. Donnithorne-Tait, An approach to the classification of unmanned aircraft, in Bristol
International Unmanned Aerial Vehicle Systems (UAVS) Conference, Bristol, UK, 2011
N.L. Fulton, Regional airspace design: a structured systems engineering approach. PhD Disserta-
tion, The University of New South Wales, Australian Defence Force Academy, 2002
GPO, 49 CFR 830 – Notification and Reporting of Aircraft Accidents or Incidents and Overdue
Aircraft, and Preservation of Aircraft Wreckage, Mail, Cargo, and Records. GPO Federal
Digital System (2010). Retrieved on 8 Nov from: http://www.gpo.gov/fdsys/, U.S. Government
Printing Office (GPO), pp. 599–602
F. Grimsley, Equivalent safety analysis using casualty expectation approach, in AIAA 3rd
“Unmanned Unlimited” Technical Conference, Workshop and Exhibit, Chicago, 2004
A. Hobbs, Unmanned aircraft systems, in Human Factors in Aviation, ed. by E. Salas, D. Maurino
(Academic, Burlington, 2010)
A. Hobbs, H.R. Stanley, Human Factors in the Maintenance of Unmanned Aircraft (Unmanned
Aerial Vehicles Human Factors, Program Review, Federal Aviation Administration (FAA), U.S.
Department of Transportation, Washington, 2005)
N. Hodge, U.S. Says Drone, Cargo plane collide over Afghanistan. Wall Str.
J. Online (2011). Retrieved 4 Nov 2011 from http://online.wsj.com/article/
SB10001424053111903480904576512081215848332.html
HSE, The Tolerability of Risk From Nuclear Power Stations (Health and Safety Executive, HMSO,
London, 1992)
HSE, Principles and Guidelines to Assist HSE in Its Judgements that Duty-Holders have Reduced
Risk as Low as Reasonably Practicable (Health and Safety Executive Online Guidance
Material, Health and Safety Executive (HSE), London, 2001a)
HSE, Reducing Risks, Protecting People. HSE’s Decision-Making Process (Health and Safety
Executive (HSE), Her Majesty’s Stationery Office (HMSO), Norwich, 2001b)
E. Hull, K. Jackson et al., Requirements Engineering (Springer, Dordrecht, 2011)
ICAO, Safety Management Manual (SMM), Doc 9859 (International Civil Aviation Organization
(ICAO), Montréal, 2009)
ICAO, Unmanned Aircraft Systems (UAS) Circular, CIR 328, AN/190. CIR 328, AN/190 (Interna-
tional Civil Aviation Organization (ICAO), Montréal, 2011)
ISO, Risk Management – Principles and Guidelines. ISO 31000:2009 (International Organization
for Standardization (ISO), Geneva 2009)
JAA/EUROCONTROL, Final report a concept for European regulations for civil unmanned aerial
vehicles (UAVs), The Joint JAA/EUROCONTROL Initiative on UAVs, 2004. Brussels, Bel-
gium. Available online: http://www.easa.europa.eu/rulemaking/docs/npa/2005/NPA 16 2005
Appendix.pdf
M. Jones-Lee, T. Aven, ALARP—What does it really mean? Reliab. Eng. Syst. Saf. 96(8), 877–882
(2011)
P. La Franchi, EUFOR Details Belgian B-Hunter UAV Crash that Caused Civilian Death. Flight
International (2006a). Retrieved 8 Nov 2011, from http://www.flightglobal.com/articles/2006/
10/06/209716/eufor-details-belgian-b-hunter-uav-crash-that-caused-civilian.html
P. La Franchi, Incidents Between UAVs and Helicopters in Afghanistan and Iraq Prompt
Action. Flight International (2006b). Retrieved 8 Nov 2011, from http://www.flightglobal.com/
2274 R.A. Clothier and R.A.Walker
articles/2006/03/14/205379/animation-near-misses-between-uavs-and-airliners-prompt-nato-
low-level-rules.html
J. Lai, J. Ford et al., See and avoid using on board computer vision, in Sense and Avoid in UAS:
Research and Applications, ed. by A. Plamen (Wiley, Hoboken, 2012)
C.W. Lum, B. Waggoner, A risk based paradigm and model for unmanned aerial systems in
the national airspace, in AIAA Infotech@Aerospace Conference and Exhibit 2011, St. Louis,
Missouri, USA, 2011
C.W. Lum, K. Gauksheim et al., Assessing and estimating risk of operating unmanned aerial
systems in populated areas, in 11th AIAA Aviation Technology, Integration, and Operations
(ATIO) Conference, Virginia Beach, Virginia, 2011
MAA, Regulatory Articles 1000 Series: General Regulations, RA 1000 Series (GEN) (Military
Aviation Authority (MAA), UK Ministry of Defence (MoD), United Kingdom, 2011)
S.L. MacSween-George, A public opinion survey – unmanned aerial vehicles for cargo, commer-
cial, and passenger transportation, in AIAA “Unmanned Unlimited” Systems, Technologies, and
Operations Conference, San Diego, California, 2003
S.D. Manning, C.E. Rash et al., The role of human causal factors in U.S. army unmanned aerial
vehicle accidents, USAARL Report No. 2004–11, Aircrew Health and Performance Division,
U.S. Army Aeromedical Research Laboratory (UAARL), U.S. Department of Defense (2004)
J.S. McCarley, C.D. Wikens, Human factors implications of UAVs in the National Airspace.
Technical Report AHFD-05-05/FAA-05-01, Aviation Human Factors Division Institute of
Aviation, University of Illinois, Savoy, Illinois, USA, 2005
L. Mejias, D.L. Fitzgerald et al. Forced landing technologies for unmanned aerial vehicles: towards
safer operations, in Aerial Vehicles, ed. by L. Thanh Mung (In-Tech, Kirchengasse, 2009), pp.
413–440
R.E. Melchers, On the ALARP approach to risk management. Reliab. Eng. Syst. Saf. 71(2), 201–
208 (2001)
G. Mortimer, Schiebel S-100 Crash Kills Engineer in South Korea (2012). Retrieved 31 May 2012
from http://www.suasnews.com/2012/05/15515/schiebel-s-100-crash-kills-engineer-in-south-
korea/
NTSB, Accident Brief CHI06MA121 (National Transportation Safety Board (NTSB), 2007).
Retrieved 8 Nov 2011 from http://www.ntsb.gov/ntsb/GenPDF.asp?id=CHI06MA121&rpt=fi
OSD, Unmanned Aerial Vehicle Reliability Study (Office of the Secretary of Defense, U.S.
Department of Defense, 2003)
R. Parasuraman, T.B. Sheridan et al., A model for types and levels of human interaction with
automation. IEEE Trans. Syst. Man Cybern. A 30(3), 286–297 (2000)
E. Paté-Cornell, Quantitative safety goals for risk management of industrial facilities. Struct. Saf.
13(3), 145–157 (1994)
RCC, Range Safety Criteria for Unmanned Air Vehicles. Document 323–99 (Range Safety Group,
Range Commanders Council, White Sands, New Mexico, 1999)
RCC, Range Safety Criteria for Unmanned Air Vehicles, Rationale and Methodology Supplement.
Supplement to Document 323–99 (Range Safety Group, Range Commanders Council, White
Sands, New Mexico, 2001)
RCC, Common Risk Criteria Standards for National Test Ranges: Supplement Standard 321–07.
Document 321–07 (Range Safety Group, Range Commanders Council, White Sands, New
Mexico, 2007)
RTCA, DO-178B Software Considerations in Airborne Systems and Equipment Certification
(RTCA, Washington DC, USA, 1992)
RTCA, DO-304, Guidance Material and Considerations for Unmanned Aircraft Systems. DO-304
(RTCA, Washington DC, USA 2007)
SAE, ARP4761 Guidelines and Methods for Conducting the Safety Assessment Process on Civil
Airborne Systems and Equipment (Aircraft and Systems Development and Safety Assessment
Committee, Society Automotive Engineers (SAE), 1996)
92 Safety Risk Management of Unmanned Aircraft Systems 2275
SAE, ARP5580 Recommended Failure Modes and Effects Analysis (FMEA) Practices for
Non-Automobile Applications (Reliability Committee, Society Automotive Engineers (SAE),
2001)
S. Siddiqui, Disaster Averted: Navy’s Unmanned Aircraft Crashes After ‘hitting bird’. The Express
Tribune (2011). Retrieved 8 Nov 2011 from http://tribune.com.pk/story/212919/small-plane-
crashes-near-oil-refinery-in-korangi/
P. Slovic, Perception of risk. Science 236(4799), 280–285 (1987)
P. Slovic, Trust, emotion, sex, politics, and science: surveying the risk-assessment battlefield. Risk
Anal. 19(4), 689–701 (1999)
P. Slovic, B. Fischhoff et al. Rating the risks. Environment 21(3), 14–20 (1979)
R.A. Stephens, W.W. Taslon et al. System Safety Analysis Handbook (System Safety Society U.S.,
New Mexico Chapter, Albuquerque, 1997)
SUAS, Comprehensive Set of Recommendations for sUAS Regulatory Development (Small
Unmanned Aircraft System (sUAS) Aviation Rule-making Committee (ARC), Federal Aviation
Administration (FAA), Washington, 2009)
B. Thomé, Systems Engineering: Principles and Practice of Computer-Based Systems Engineering
(Wiley, New York, 1993)
A.P. Tvaryanas, W.T. Thompson et al., The U.S. military unmanned aerial vehicle (UAV) expe-
rience: evidence-based human systems integration lessons learned, in Strategies to Maintain
Combat Readiness during Extended Deployments – A Human Systems Approach (NATO
Research and Technology Organisation, Neuilly-sur-Seine, 2005)
D. Washington Valdez, D. Borunda, Mexican drone crashes in backyard of El Paso home. El Paso
Times (Online) (2010). Retrieved 8 Nov 2011 from http://www.elpasotimes.com/ci 16875462
R. Weibel, R. Hansman, Safety considerations for operation of different classes of UAVs in the
NAS, in 3rd “Unmanned Unlimited” Technical Conference, Workshop and Exhibit (American
Institute of Aeronautics and Astronautics, Chicago, Illinois, 2004)
E. Wiklund, Flying with Unmanned Aircraft (UAVs) in Airspace Involving Civil Aviation Activity
Air Safety and the Approvals Procedure (English translation of “Flygning med obemannade
luftfartyg (UAV) iluftrum med civil flygverksamhet”) (The Swedish Aviation Safety Authority,
Norrköping, Sweden, 2003)
K.W. Williams, A Summary of Unmanned Aircraft Accident/Incident Data: Human Factors
Implications. DOT/FAA/AM-04/24 (Civil Aerospace Medical Institute, Federal Aviation Ad-
ministration, Oklahima City, 2004)
M. Wilson, The use of low-cost mobile radar systems, for small UAS sense and avoid, in Sense
and Avoid in UAS: Research and Applications, ed. by A. Plamen (Wiley, Hoboken, 2012)
R. Wolfe, Why Demonstrating an “Equivalent Level of Safety” for See and Avoid is an
Inappropriate Requirement for Unmanned Aircraft System Operations (Modern Technology
Solutions Incorporated (MTSI), Alexandria, 2009)
E. Zio, N. Pedroni, Uncertainty Characterization in Risk Analysis for Decision-Making Practice.
Number 2012–07 (Cahiers de la Se’curite’ Industrielle, Foundation for an Industrial Safety
Culture, Toulouse, 2012)
Certification of Small UAS
93
Ron van de Leijgraaf
Contents
93.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2278
93.2 Aeronautical Products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2279
93.3 Certification Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2279
93.3.1 Process Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2280
93.3.2 Procedure to Deal with Novel Design Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2282
93.3.3 Certification and Validation Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2282
93.4 Certification Safety Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2283
93.4.1 Certification Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2283
93.4.2 European Technical Standard Orders (ETSO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2284
93.5 Relation Between Safety Requirements and RPAS Components . . . . . . . . . . . . . . . . . . . . . . . . . 2286
93.5.1 Remotely Piloted Aircraft (RPA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2286
93.5.2 Remote Pilot Station (RPS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2286
93.5.3 Command, Control, and Communication System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2287
93.5.4 Other Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2288
93.5.5 Detect and Avoid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2288
93.5.6 Concluding Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2289
93.6 Certification Organizational Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2289
93.7 Final Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2290
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2291
Abstract
This chapter described the certification of (small) unmanned aircraft systems
(UAS). It focuses on the certification process, the requirements for the safe
design of a UAS, and the organizational requirements for the company designing
the UAS.
R. van de Leijgraaf
Civil Aviation Authorities – The Netherlands, Airworthiness Inspectorate, Hoofddorp,
The Netherlands
e-mail: ron.vande.leijgraaf@minienm.nl
K.P. Valavanis, G.J. Vachtsevanos (eds.), Handbook of Unmanned Aerial Vehicles, 2277
DOI 10.1007/978-90-481-9707-1 38,
© Springer Science+Business Media Dordrecht 2015
2278 R. van de Leijgraaf
93.1 Introduction
the designer of the aircraft is located. In ICAO terms, the country performing the
certification is the state of design. Other national aviation authorities can either
fully accept the certification by the state of design, or they can do an additional
investigation into the safe design of the aircraft. This additional investigation is
called a “validation.” Countries that can act as a state of design usually have
bilateral agreements with other countries about the certification and validation
process and acceptance of certificates. In general, authorities avoid duplicating tests,
so when a validation process is performed, this process focuses on the known
differences in safety requirements between the state of design and the validating
authority. In Europe, a regional safety oversight organization (RSOO) has been
created, which has taken over most of the aviation safety responsibilities from the
participating European countries. This organization is called the European Aviation
Safety Agency, EASA. When in this chapter a reference is made to a country, EASA
can be seen as the equal organization for the national aviation authority for the
participating European countries. For instance, EASA is responsible, in the state of
design role, for certification activities of Airbus and Fokker aircraft. EASA will also
do the European validation process for aircraft designed in, e.g., the USA or Brazil.
In the EASA Basic Regulation (http://eur-lex.europa.eu/LexUriServ/LexUriServ.
do?uri=CONSLEG:2008R0216:20091214:EN:PDF), the responsibilities of the
agency regarding UAS are clearly limited. Unmanned aircraft with an operating
mass of no more than 150 kg are not the responsibility of EASA, but the responsi-
bility of the individual states.
Certification authorities around the world use a similar process when addressing
the certification of an aircraft. This process is described in this paragraph for an
aircraft, but as indicated in the introduction of this chapter, RPAS are considered
aircraft and are treated in a similar way.
A certification project for an aircraft is always started with an official application for
certification by the organization responsible for the aircraft design. The organization
requesting the certification is commonly referred to as the “applicant.” When the
application is accepted by the aviation authority, the certification project will start.
This project is normally started with a kickoff meeting where the designer of the
aircraft presents the design to the complete team of specialists that have been
assigned to the certification team by the authority.
The certification project follows four different phases:
1. Establishing the Certification Basis In this phase, the safety requirements
against which the safe design of the aircraft must be proven will be defined
for the project. These requirements are referred to as the “certification basis.”
Normally, the designer of the aircraft is responsible for providing a first draft
of this certification basis. During and after the presentation of this first draft,
the discussion and interaction with the authority certification team takes place,
leading to a mutually agreed and mutually accepted certification basis for the
93 Certification of Small UAS 2281
whole of the project. The basic safety requirements for a certification project are
the latest version of requirements from the state of design (usually referred to
as Certification Specification (CS) by EASA and Federal Aviation Regulation
(FAR) by the FAA) applicable at the moment the application for certification has
been received by the authority. A certification project usually lasts several years,
and it is considered unfair to the applicant to add updated requirements to the
certification basis over the years, due to the further development of the safety
requirements. Of course, when both the applicant and the authority agree, newer
version of the requirements can be made applicable to the project.
When all safety requirements are agreed between the applicant and the certifying
authority, this phase is closed.
2. Defining the Means of Compliance Once the safety requirements are estab-
lished, the applicant and the authority have to reach agreement on how the
applicant will show that his design of the aircraft is meeting these requirements.
There is a variety of methods available, from expert judgment, through theoreti-
cal analysis, down to flight testing. Not only the methods of showing compliance
with the requirements are agreed in this phase. The involvement of the authorities
in the various compliance finding tasks will also be agreed. In general, complete
test plans, documents to be delivered, etc., will be agreed between applicant and
authority.
At the end of this phase, there is agreement between applicant and the
certifying authority about which tests are required and which reports will have
to be delivered by the applicant. Furthermore, there will be agreement about the
level of involvement of the authorities in the compliance finding, e.g., which
rapports need to be accepted and approved by the authorities, which tests will
be witnessed by the authorities, and what will be left to the responsibility of the
applicant, without any authority involvement.
This phase closes when there is mutual agreement on all mentioned points.
3. Compliance Finding In this phase, all activities agreed between applicant and
authority in the previous phase will be performed. Design documents will be
developed, tests will be performed, and manuals will be written. Where needed,
authority will witness testing or approve reports, as agreed in the previous phase.
For all certification projects, this phase takes the most time and is the most
expensive phase for the applicant.
When all the compliance finding activities have been performed and accepted by
the authority, the applicant is ready for the final phase.
4. Delivering the Type Certificate At the end of the third phase, there is full
agreement between the authority and the applicant about the safe design of
the aircraft. Now the applicant can provide a statement of compliance to the
authority, to indicate that all safety requirements have been met, all necessary
tests have been done, and everything is to full satisfaction of the authorities.
When this statement of compliance is provided, the authority then can provide
the type certificate to the applicant, indicating that the aircraft is designed in
accordance with the applicable safety requirements and that the aircraft can now
be built and operated safely.
2282 R. van de Leijgraaf
Although these four phases are given in sequential order, in practice these
phases are not clearly separated in time. For some parts, the whole process can
be straightforward, and then the process can be done in these clear steps. Other
parts require extensive discussions between applicant and authority, and in this case,
the process can easily jump back and forth between the various phases. The only
certainty in the whole process is that the first three phases have to be fully completed
before phase 4 can happen. This last phase is usually the shortest phase of the four.
A more complete description of the certification process can be found in the
EASA Type Certification Procedure (http://www.easa.europa.eu/certification/docs/
internal-working-procedures/PR.TC.00001-002%20Type%20certification.pdf).
there are three projects running in parallel. First, there is the certification project
performed by the Brazilian authorities (Agência National de Aviação Civil, ANAC),
and the other two projects are validation projects with an FAA validation team and
an EASA validation team.
For all RPAS, the certification safety requirements still need to be developed
and accepted by national authorities. In its policy on UAS certification (E.Y013-
01, August 25, 2009, http://easa.europa.eu/certification/docs/policy-statements/E.
Y013-01 %20UAS %20Policy.pdf), EASA UAS policy described the methodology
to develop such requirements. First, it needs to be determined which category of
manned aircraft is most applicable to the remotely piloted aircraft system that will be
certificated. When this is done, the associated safety requirement for manned aircraft
is selected. Subsequently, this requirement needs to be adapted to be applicable to
the RPAS.
For small UAS, the following two certification specifications from EASA are
most appropriate:
• EASA CS-VLA for airplanes (http://easa.europa.eu/agency-measures/docs/
certification-specifications/CS-VLA/CS-VLA%20%20Amdt%201%20combined
.pdf)
• EASA CS-VLR for rotorcraft (http://easa.europa.eu/agency-measures/docs/
certification-specifications/CS-VLR/MERGED v2.pdf)
At the moment, there are a few (unofficial) certification specifications available.
Firstly, the NATO FINAS group has provided a specification based on CS/FAR 23,
primarily used for military purposes and not applicable to small RPAS. Secondly,
there is a final draft version available of the CS-LURS (Certification Specification
Light Unmanned Rotorcraft System, adapted from CS-VLR), which the JARUS
group (Joint Authorities for Rulemaking on Unmanned Systems) has developed.
This last group is a voluntary group of national aviation authorities, together with
EASA and EUROCONTROL, that works on drafting UAS regulation.
To give an example of the sort of topics that are covered in certification speci-
fications, the various subparts that together form the CS-LURS set of requirements
are given below:
Book A:
Subpart A: General
Dealing with general requirements like applicability.
Subpart B: Flight
Dealing with flight envelope, weight, performance issues, and flight
characteristics.
2284 R. van de Leijgraaf
Technical Standard Orders (TSO) are a well-known mechanism from the manned
aviation regulations to allow system manufacturers to develop approved systems
irrespective of the aircraft in which it will be installed.
During the certification process, the designer of the aircraft is responsible for
the total certification effort. That does not only mean that he is responsible for
the fuselage, engines, wings, etc., but also for the systems that are installed in the
aircraft. The designer is really acting as the system integrator of the total system that
will become the aircraft.
When it comes to certification of the electrical or avionics systems onboard the
aircraft, there are two ways of getting an approval. The first possibility is that the full
system functionality and integration with the other onboard systems is done during
the certification of the whole aircraft. The second possibility is to have the system
functionality approved prior to the aircraft certification and focus on the certification
of the integration with the other onboard systems during the aircraft certification.
This second method provides some benefits to the system manufacturers that
build these electrical or avionics systems. This described methodology is equally
applicable to aircraft seats, for instance. But this is considered out of scope for UAS
in this paragraph.
93 Certification of Small UAS 2285
The system that is used for this specific functional approval is the European
Technical Standard Order (ETSO, in the USA it is referred to as a Technical
Standard Order or TSO). The certifying authority can establish specific functional
requirements for equipment. Then, in a separate process, the manufacturer of the
system can obtain approval for the functionality of the system. This approach has
two distinct advantages:
1. The manufacturer of the system is able to provide his systems to different aircraft
manufacturers.
2. The aircraft designer does not have to consider the functional approval of the
system, only the integration of the system in the total aircraft system.
Some typical examples of these sorts of systems are VHF radios, navigation
receivers, transponders, etc.
Normally, the authorities are not defining the functional requirements for the
system themselves, but they work closely together with the manufacturing industry
to define some acceptable functional standards. Within aviation, these standards
are developed in two standardization bodies: EUROCAE (European Organisation
for Civil Aviation Equipment) and RTCA (Radio Technical Commission for Aero-
nautics). EUROCAE is primarily European, while RTCA is primarily American.
In most cases, these two bodies work together to develop a worldwide functional
standard for equipment. The process by which these standards are developed
is the following; the governing body of either EUROCAE or RTCA identifies
the need for a new standard and drafts terms of reference for a working group
(WG, EUROCAE) or special committee (SC, RTCA) to establish these new
standards. Then a working group or special committee is created (most of the
times these groups work together, as said earlier), and participation from members
of EUROCAE or RTCA is sought. The participants are primarily from industry,
but aviation authorities participate in these groups as well. Within this group, a
functional standard is developed, based on consensus with all participants in the
group.
When such a group has finalized its work and either EUROCAE or RTCA
have published the industry functional standard, the aviation authorities adopt this
standard by referring to that standard in a (E)TSO. Once the (E)TSO is published,
the equipment manufacturer can apply for approval with the aviation authority.
The largest part of the approval process for an (E)TSO is to show compliance
with the industry standard that has been published by EUROCAE or RTCA
(or both).
After obtaining this approval, the manufacturer is able to provide his equipment
to an aircraft designer who is looking for that specific functionality in his aircraft
design. During the certification process of the aircraft, the aircraft designer does
not have to show that the system that is installed in his aircraft meets the
functional requirements for that system. He can provide the (E)TSO approval
of the system to the certifying authority and that is the required proof that the
system meets the requirements. The aircraft designer, however, is still responsible
for proving that the integration of that equipment with the other systems onboard
the aircraft is still in accordance with the safety requirements for the aircraft
design.
2286 R. van de Leijgraaf
The approval for the equipment against the functional requirements requires a
lot of functional testing and significant environmental testing. With this testing
done at the equipment level and granting a more generic functional approval of
the equipment, both the equipment manufacturer and the aircraft designer save
significantly in cost and time for the certification of aircraft.
In this paragraph, the various systems that together form the RPAS will be
addressed. It will look at how to relate the safety requirements given in the previous
paragraph with these various parts.
When converting a manned certification safety requirement for an RPAS, there are a
few issues that need to be considered. First is the obvious issues that are directly
related to not having a person onboard. This includes requirements on onboard
chairs, seat belts, emergency oxygen, etc. But there also are less obvious issues
that need to be considered. In general, a small UAS is a much more complex
aircraft than the equivalent category of manned aircraft, especially from a systems
perspective. This means that additional requirements are necessary to cover these
design features, primarily the requirements in Subpart F of the various certification
requirements.
Another area that usually needs additional requirements is the power plant
installation section (Subpart E). Electrically driven engines and dual turbine engine
installations, these kinds of design features are not covered by the equivalent
manned aircraft safety requirements. Therefore, the subparts of the requirements
that address these issues need special attention and most probably need a partial
rewrite of the whole section.
One final topic that needs to be mentioned is the emergency control and failure
warning systems. There is nobody onboard to perform a number of emergency
recovery actions that are implicit in the manned aircraft safety requirements. These
requirements need careful rethinking and an adaptation that allows the pilot in the
remote pilot station to still be informed about possible system failures and perform
some emergency control if that is required.
From the given table of contents of CS-LURS, Subparts A–G are covering the
RPA requirements.
This is a new system component of the RPAS that has no equivalent in the
manned aviation regulations. In the ICAO concept as described in the UAS Circular,
93 Certification of Small UAS 2287
the remote pilot station (RPS) will be a separate aeronautical product. This will
mean that once the ICAO annexes have been adapted accordingly, there will be a
separate certification safety requirement document for the RPS. At the moment, the
safety requirements for the RPS are still part of the safety requirements document
for the RPA. In current safety requirements documents, there is a specific subpart
(Subpart I) dedicated to the RPS requirements.
Establishing the requirements for the RPS is not a matter of simply copying the
requirements related to the cockpit design from manned aviation to the RPS. Of
course, all human machine interfaces are part of the RPS and have a prominent
place in the RPS requirements. But most of these interfaces are part of systems
that have components both in the RPA and the RPS. In such a situation, it is
necessary to develop a consistent strategy for dividing the requirements between
the subparts for RPA and RPS. It should be avoided to duplicate requirements
between the RPA and RPS. In the JARUS team that worked on the CS-LURS,
the philosophy was used to include the requirements systems that had compo-
nents in both the RPA and RPS part into the RPA part of the document. The
requirements that refer to the RPS only are then collected in the subpart for
the RPS.
From the given table of contents of CS-LURS, Subparts A and I are covering the
RPS requirements.
The command, control, and communication (C3) system will not be certificated
separately. When a radio line of sight system will be used, the airborne part and
the ground-based part of the C3 system will be certificated as part of the RPA or
RPS, respectively. For the safety requirements, this means that the requirements for
the C3 components will be contained in the respective subparts of the certification
specification. This is identical to how radio communication systems in manned
aviation are currently certificated.
When a beyond radio line of sight system, e.g., satellite communication, will
be used, the current proposal in the ICAO circular is to work with a certificated
communication provider that is under safety oversight of the aviation authorities.
It is considered impossible to certificate a satellite communication system as a
fully integrated part of the RPAS. In this case, the performance requirements for
the C3 system and the interfaces between RPA, RPS, and C3 system will be
defined and the components of the RPA and RPS that will interface with the
communication system will be included in the safety requirements of the respective
subsystems.
For small UAS, in most RPAS designs, a radio line of sight system will be
used, so the first approach to certificating the system, as described above, will be
applicable.
From the given table of contents of CS-LURS, Subparts A, F, and I are covering
the command and control requirements.
2288 R. van de Leijgraaf
One of the specific subsystems that are foreseen to be used in RPAS is the detect and
avoid system (DAA). This system will be required to replace the collision avoidance
capability that is provided by the onboard pilot in manned aviation. Another chapter
in this book is fully dedicated to the DAA system, so this paragraph will only focus
on the certification aspects of it. From a certification perspective, there are two issues
to address.
First the functionality of the system needs to be defined. This is usually done
by asking standardization organizations like EUROCAE and RTCA to define
standards for the system. The aviation authorities can then accept these standards
and make them part of the safety requirements by including the standard from
EUROCAE and/or RTCA in a (European) Technical Standard Order ((E)TSO),
which is explained in more detail in the previous paragraph. Additional to this
equipment approval, some functional requirements can also be included in the
certification specification.
Secondly, specific safety requirements for the system need to be developed, in
line with the current practice of assuring system safety in the manned certification
standards.
Various rulemaking bodies around the world are currently working together to
develop both of these standards. At the time of writing of this chapter, there was
no definitive regulation for this system available yet. In practice this will mean that
operations of RPAS on a regular basis will be limited to visual line of sight, unless
an authority has given a specific approval to a certain operational scenario to allow
operations beyond visual line of sight.
From the given table of contents of CS-LURS, Subparts A and H are covering
the DAA requirements.
93 Certification of Small UAS 2289
The whole area of safety requirements for small UAS is undergoing significant
development at the moment. This paragraph therefore cannot address these require-
ments too specifically, because without a doubt these would have changed when
this book is published. Therefore, the framework for certification has been given.
The issues that are currently being addressed are also provided. Together this should
allow understanding of the requirements once they are published by the aviation
authorities.
Apart from the specifics of CS-LURS, this chapter is equally applicable to other
certification specifications, ranging from airplanes (small and large) and helicopters
(small and large).
As said at the introduction of this chapter, UAS are aircraft. Therefore, UAS will
need to fit into the currently existing aviation system, both from an airworthiness
and from an operational perspective. But the introduction of UAS into civil airspace
is slowly changing the way aviation regulators are thinking about airworthiness
and safe operations. In manned aviation, that aircraft is the core element where
everything needs to be integrated. The aircraft in itself is the end product and
provides the platform where everything (fuselage, equipment, engines, etc.) are
integrated. With the introduction of RPAS, the aircraft is “just” the airborne
component of the total system. This means that the whole approval system and
the associated safety oversight system by the national aviation authorities can no
longer be aircraft centered but should be system centered. When you consider
the aircraft in manned aviation as the core element where the whole system is
integrated, this system-centered approach for RPAS is no different to what the
authorities are used to from manned aviation. The only difference is that the
system in the case of the RPAS is more than the aircraft, while in manned
aviation, the system is the aircraft. In the future, this new thinking will be
finding its way into ICAO Annex 8. But the fundamentals of the safety approach
by ICAO, an approved design and safety oversight by countries, will not be
changed.
This chapter has focused on the airworthiness issues only. Although the chapter
is written with small UAS in mind, the processes and practices given in this chapter
are, in general, equally valid for larger UAS. Only the specific requirements and
examples given herein are tailored toward small UAS. The certification process and
the layout of the certification specification is identical for larger UAS.
The authorities are looking for the differentiation between large UAS and
small UAS by downscaling the requirements to an appropriate level. It is widely
understood that a Global Hawk should be certificated against different requirements
then a 2 kg octocopter UAS. But the whole system and process of approval should
be identical.
One of the issues that the authorities are facing to deal with at the moment
is that there is no manned equivalent for the certification specification for small
UAS, certainly for those well below 25 kg. This leads to the following more
fundamental question: To what level do the requirements for larger UAS need to
be downgraded to provide safe UASs that are still economically viable? A follow-
on question to this is as follows: What sort of categorization scheme can be used to
classify these small UASs? Industry and authorities are currently addressing these
issues.
93 Certification of Small UAS 2291
References
EASA Basic Regulation, Regulation (EC) No.216/2008 of the European Parliament and of the
Council on common rules in the field of civil aviation and establishing a European Aviation
Safety Agency. Available to download from the EASA website: www.easa.europa.eu
EASA CS-VLA, Decision (EASA) No.2003/18/RM of the Executive Director of the Agency on
certification specifications, including airworthiness codes and acceptable means of compliance
for very light aeroplanes (CS-VLA). Available to download from the EASA website: www.
easa.europa.eu
EASA CS-VLR, Decision (EASA) No.2003/17/RM of the Executive Director of the Agency on
certification specifications for very light rotorcraft (CS-VLR). Available to download from the
EASA website: www.easa.europa.eu
EASA Part 21, Regulation (EC) No.1702/2003 of the European Parliament and of the Council
on laying down implementing rules for the airworthiness and environmental certification of
aircraft and related products, parts and appliances, as well as for the certification of design and
production organisations. Available to download from the EASA website: www.easa.europa.eu
EASA Type Certification Procedure, EASA Procedure PR.TC.00001-002 Type Certification.
Available to download from the EASA website: www.easa.europa.eu
EASA UAS policy, EASA Policy Statement – Airworthiness Certification of Unmanned Aircraft
Systems. E.Y013-01 25 August 2009. Available to download from the EASA website: www.
easa.europa.eu
ICAO UAS Circular, ICAO Cir 328, Unmanned Aircraft Systems (UAS). Available to purchase
from the ICAO website: www.icao.int
JARUS reference, JARUS – Joint Authorities for Rulemaking on Unmanned System, UAS
Unmanned Aircraft System – The Global Perspective, 2011, 9th edn. (UVS International, Paris)
Technology Surveys and Regulatory Gap
Analyses of UAS Subsystems Toward 94
Access to the NAS
Contents
94.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2294
94.2 Background. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2294
94.2.1 Technology Surveys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2295
94.2.2 FAA Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2296
94.2.3 Regulatory Gap Analyses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2297
94.3 Case Study #1: Propulsion Technologies for UAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2298
94.3.1 Technology Survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2298
94.3.2 Regulatory Gap Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2304
94.4 Case Study #2: Sense-and-Avoid Technologies for UAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2306
94.4.1 Technology Survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2306
94.4.2 Regulatory Gap Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2310
94.5 Case Study #3: Command, Control, and Communication Technologies for UAS . . . . . . . 2312
94.5.1 Technology Survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2312
94.5.2 Regulatory Gap Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2318
94.6 Case Study #4: Emergency Recovery and Flight Termination Systems for UAS . . . . . . . . 2322
94.6.1 Technology Survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2322
94.6.2 Regulatory Gap Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2327
94.7 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2333
94.7.1 Guidance on Performing a UAS Technology Survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2333
94.7.2 Guidance on Performing a Regulatory Gap Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . 2334
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2334
Abstract
To make a safe transition of UAS into the National Airspace System, new
regulations must be developed by the Federal Aviation Administration. The tech-
nologies employed by UAS are in many circumstances fundamentally different
K.P. Valavanis, G.J. Vachtsevanos (eds.), Handbook of Unmanned Aerial Vehicles, 2293
DOI 10.1007/978-90-481-9707-1 62,
© Springer Science+Business Media Dordrecht 2015
2294 R.S. Stansbury and T.A. Wilson
94.1 Introduction
To safely transition unmanned aircraft systems (UAS) into the National Airspace
System (NAS), new regulations must be developed by the Federal Aviation
Administration (FAA) as will other international civil air authorities (CAAs) for
their respective airspaces. There are many subtle and fundamental differences
between technologies used for UAS versus traditionally manned aircraft. Before
new regulations or policies can be written to support unmanned aviation, regulatory
issues must be articulated.
Beginning in 2006, researchers at Embry-Riddle Aeronautical University (ERAU)
began collaboration with the FAA William J. Hughes Technology Center to identify
technology-based gaps within the FAA’s current regulatory framework. The first
study surveyed UAS propulsion technologies. Follow-on research included a regu-
latory gap analysis of UAS propulsion performed in 2007–2008. Three additional
technology survey and gap analysis studies followed for UAS sense-and-avoid
(SAA) technologies; command, control, and communication (C3) technologies; and
emergency recovery and flight termination (ERFT) technologies and procedures.
The purpose of each technology survey was to articulate representative technolo-
gies and frameworks being used in current and near-future UAS. The regulatory
gap analysis focuses on the alignment of the technology with existing regulations.
It should allow the target audience to clearly identify and articulate where revisions
or reinterpretations are required. This chapter begins with an overview of technology
surveys, gap analyses, and relevant types of FAA documents. Next, the above-
mentioned studies are presented as separate case studies. This chapter concludes
with the authors’ recommended best practices for future studies.
94.2 Background
UAS represent a near-disruptive technology for the current NAS in the United
States of America and in the corresponding airspace systems of nations worldwide.
While total displacement of aircraft with an onboard pilot from the NAS seems
extremely unlikely at any near-future time, the introduction of remotely piloted
94 Technology Surveys and Regulatory Gap Analyses of UAS Subsystems 2295
aircraft having varying degrees of onboard autonomy has been beyond the current
regulatory framework for aircraft design and manufacture, for flight activities, and
for on-ground operations and maintenance.
The introduction of disruptive or near-disruptive technologies on markets has
been studied regarding technologies such as the Internet, wireless telephony, and
mobile electronics. Less effort has been dedicated to the impact of these technolo-
gies in industries such as aviation and aerospace where the primary motivation for
existing regulations stems from public safety, both of air passengers and of those on
the ground.
Current federal air regulations (FARs) did not anticipate operation of controlled unmanned
aircraft in civil airspace. There is no specific part or definition under applicable law related
to unmanned aircraft. The absence of absolute legal guidance with respect to the jurisdiction
of UAV regulation, the definition of UAV, and the integration of UAVs in the national
airspace prevents the optimum use of UAVs for the public benefit. Yet, given the risks of
a ground impact or mid-air collision with other aircraft, the need for regulatory certainty
respecting UAVs is an imminent issue deserving the attention of regulators, manufacturers,
and operators alike (Ravich 2009).
In addition to the regulations, there are a variety of FAA documents that must
be produced and/or revised to accommodate UAS-NAS integration. This section
defines some common documents related to airworthiness, certification, and FAA
policy. A technical standard order (TSO) defines the minimum operations per-
formance standards and minimum aviation system performance standards for an
aircraft system or subsystem. A component authorized for production under a
TSO is identified as compliant with that TSO. The FAA can utilize advisory
circulars (ACs) to share information with the aviation community. ACs have varied
audiences including engineers, pilots, operators, etc. ACs can be used as a means of
presenting critical design requirements so that aircraft meet sufficient airworthiness
standards. It should be noted that these documents are not law. Lastly, guidance
material is published by the FAA to the community. One example is the FAA
UAS Interim Guidance Document 08-01 (Federal Aviation Administration 2008).
Another example is the Aeronautical Information Manual (AIM), which defines
pilot procedures in the NAS (Federal Aviation Administration 2012a). Guidance
materials are not regulatory or as official as an advisory circular but are used to
convey FAA policy, procedures, etc. to the aviation community.
94 Technology Surveys and Regulatory Gap Analyses of UAS Subsystems 2297
The FAA is chartered through the same piece of statute law chartering the entire
Department of Transportation, Title 49 of the United States Code (USC). The
FAA authorized in 49 USC 44701 to regulate aircraft and their usage within the
framework of Federal administrative law. Regulations issued by the FAA comprise
Chap. I (Parts 1–199) of Title 14 of the Code of Federal Regulations (CFR). These
are divided into several subchapters relating to definitions, rule making, aircraft,
airmen, airspace, air traffic and general operating rules, air carriers and operational,
schools, airports, navigation facilities, and the FAA itself. It should be noted that 14
CFR Parts 1–199 are still known to many in the aviation world as “the FARs,” where
“FAR” stands for “Federal Aviation Regulation;” in Federal speak, “FAR” has since
been superseded to mean “Federal Acquisitions Rules.”
The meaning of a regulatory gap varies according to which chapters of Title
14 CFR one is considering. For example, aircraft are only allowed to fly in the
NAS when the aircraft has been issued a type certificate (TC) for its design (or a
Supplemental Type Certificate (STC)). The issuance of such a TC or STC follows a
prescribed set of activities in which the aircraft designer articulates which elements
of Title 14 CFR apply to the design at hand and then demonstrates through testing,
analysis, and formalized processes that the design complies with the specifications
and regulations of the articulated elements.
When an aircraft design employs a novel technology, it is unlikely that there is
an existing regulation applicable to the technology. The designer can qualify the
use of the technology toward certification through either special conditions (SC) or
equivalent level of safety (ELOS) findings. A third option, exemption, exists, but
applies more often to exemptions from specified procedures than from specified
requirements. In either case, the aircraft designer articulates in an issue paper the
features of the new technology and how its inclusion in the aircraft design satisfies
the thrust, in general SC or in particular ELOS, of the regulations; FAA engineers
respond to the issue paper, and the officers responsible for certification take the
designers’ and the FAA engineers’ analysis into account in deciding whether to
issue a TC.
For aircraft, then, a regulatory gap exists when certification of an airframe
employing a technology would require either a SC or ELOS finding to use that
technology. The result of the gap analysis is a collection of annotated regulations.
The annotations consist of declarations as to whether the regulation:
• Applies (as is)
• Applies with interpretation
• Applies with revision
• Does not apply
From previous literature, it was found that several approaches to presenting
regulatory gaps exist (Kirk et al. 2007; Frater et al. 2006). Kirk et al. (2007) provide
an examination of Federal aviation laws, regulations, and guidance materials for
applicability to UAS in general. Frater et al. (2006) present a different style of
regulatory gap, focused upon nanotechnology, in which the results are presented
2298 R.S. Stansbury and T.A. Wilson
in a tabular form where related aspects of existing legislation and regulations are
summarized, the gap or potential gap due to novel technology presented, and further
comments or annotations are appended (see Annex 5 of Frater et al. 2006). ERAU’s
approach is much closer to the former following a process by which the collection
of rule applicability results was looked at from both global (all rules together) and
local (one rule at a time) to produce text describing the regulatory gaps.
The goal of the UAS propulsion technology survey, Griffis et al. (2007), was to
examine existing and novel propulsion systems for UAS such as reciprocating piston
engines (RP), wankel rotary engines (RO), propeller drive systems (PR), gas turbine
propulsion systems (GT), rocket-powered means of propulsion (RK), electric
motor-based propulsion system (EM), battery-based propulsion system (BB), fuel
cell-powered propulsion system (FC), solar/photovoltaic-powered systems (PH),
and ultracapacitor-based energy storage (UC).
A conceptual framework was derived as shown in Fig. 94.1. This framework
guided the study of each technology area to maintain internal consistency. The
elements of this framework are defined as follows:
Energy source (ES). Propulsion requires expenditure of energy, and the ES is the
origin of that energy. ES is intended to be a generic label for things like the
following examples: gasoline, diesel fuel, lithium hydride, liquid hydrogen, solar
energy, etc.
Energy transformer (ET). An ET converts the potential energy within the ES into
a means for producing work, heat, or electrical current.
Power plant (PP). A PP is any aspect that harnesses the product of the ET into
motion. For example, a motor that spins a shaft as a result of a supplied electric
current classifies as a PP in this context.
Propulsion effector (PE). A PE is the interface between the motion generated
and the impulse exerted to move the vehicle; it is what will give the effect of
propulsion.
Wankel Rotary Engine Wankel rotary engines use the combustion of petroleum-
based fuel, and the desired output is the rotation of a power shaft that drives the
rest of the system. They differ from conventional reciprocating engines in that their
volume displacement and associated internal motion are rotational, as opposed to
back and forth. An internal triangular core, shaped as a “Reuleaux” triangle, divides
a chamber with an epitrochoid-shaped stator into three expansion areas (AREN
2006). A conceptual breakdown of the this propulsion technology is shown in
Table 94.3. Examples of RO-based UAS are presented in Table 94.4.
However, takeoff assist can utilize rocket-based propulsion (Office of the Secretary
of Defense 2005). Table 94.7 shows the conceptual decomposition of rocket
propulsion, and Table 94.8 presents some examples of its use for UAS.
Electric Motors For electrically based propulsion systems, electric motors are used
as the power plant because they can easily couple with propellers as the propulsion
effector; all that is needed is a continuous source of electricity. The rotational
speed of a DC motor is proportional to the voltage applied to it, and the torque is
2302 R.S. Stansbury and T.A. Wilson
Batteries For UAS applications, rechargeable batteries are preferred and therefore
the focus of discussion. Lithium batteries tend to be lighter and possess higher
energy density (Reid et al. 2004). Table 94.10 presents the conceptual decompo-
sition of UAS propulsion using electric motors driven by batteries, and Table 94.11
provides representative examples of UAS using batteries. Unfortunately, manufac-
turers do not frequently offer the details on what particular chemistry of battery
is used.
generate electrical power via an electrochemical process. There are a wide variety
of fuel cells, including proton exchange membrane fuel cells, phosphoric acid fuel
cells, molten carbon fuel cells, solid oxide fuel cells, methanol fuel cells, and
alkaline fuel cells (Theiss and Thomas 2000; National Fuel Cell Council 2006).
Table 94.12 presents the conceptual decomposition of fuel cell-based propulsion,
and Table 94.13 presents two representative cases of fuel cells used in unmanned
aircraft.
Each row represents a specific section of the regulation part being examined.
The section is analyzed based upon its degree of applicability for each conceptual
technology and conceptual decomposition framework element. The dimensions of
applicability were identified as applies (APP), applies with interpretation (AWI),
applies with revision (AWR), or does not apply (DNA). For this study, these terms
are defined as follows:
APP The regulatory guideline, as it stands, makes sense for the corresponding
technology identified in the spreadsheet.
AWI Understanding the intent of each regulatory guideline, it can be interpreted to
cover other areas or technologies that are not explicitly mentioned or addressed,
for example, regulations that cover RP technology and also AWI to RO technol-
ogy.
AWR Employed prudently. Suggests that the regulatory guideline is fine as it stands
except with a minor amendment.
DNA The regulation does not apply to any of the propulsion technologies or
conceptual aspects of a UAS propulsion system.
94.3.2.2 Results
Upon completion of the local analysis using the spreadsheets, global analysis was
performed to derive the final results and recommendations of the study. First, the
“fundamental gaps” are identified, which include any fundamental technological
differences between the propulsion technologies for UAS versus manned aircraft.
Next, the “open set” gaps are identified where regulatory gaps exist because of safety
concerns for technologies that fall outside of the existing regulatory framework.
The Fundamental Gap The fundamental gap between the existing regulations and
UAS propulsion technologies results from a greater diversity in the types of ET
and PP that can be utilized for a UAS. Existing regulations focus upon one of two
types of systems, GT and RP. As a result, some regulations simply do not apply
to alternative propulsion systems, and in other cases new regulations are required
to address the safety concerns of the new technology. A fundamental gap exists in
regulation of systems that depend exclusively on EM for propulsion and that there
exists no specific regulation addressing the kinds of power supplies that would be
driving these propulsion systems. UAS (excluding optionally piloted vehicles) do
not need to be concerned with the power requirements to propel the weight of both
the pilot and the onboard support and control interfaces, thereby further reducing the
electrical carrying requirements of an electrical power source. Technologies such as
FC, modernized batteries, UC, and PH have the ability to supply sufficient electricity
to provide sufficient endurance for a UAS and must now be considered by regulators.
The regulatory guidelines for thermodynamically driven engines address a set
of associated high-level concerns related to the lubrication of moving parts, heat
transfer, fuel delivery, air supply, fuel storage, etc. The GT and RP approaches
to propulsion both carry flammable liquid petroleum distillates that burn hot with
oxygen and have reactants that need to be expelled. These fundamental issues
2306 R.S. Stansbury and T.A. Wilson
(among many others) are addressed in the regulatory guidelines in a manner that
assures that any implementation of these approaches will be airworthy and have an
associated reliability for a given specified period of time. For an electric engine,
many of these factors do not apply with the same literal interpretation. Some issues
still need to be addressed such as ensuring that the motors remain sufficiently
cool and the moving parts remain lubricated. However, a new set of concerns are
introduced with the concept of an exclusively EM. Many of the restrictions and
regulations in place for guaranteeing the safety of GT and RP in some cases do not
make sense and are insufficient when dealing with an EM.
The Open Set Gap From the fundamental gap and the technology survey, it is
evident that there exist technologies that exist outside of the regulations. Incremental
adjustments to the regulations can be made to accommodate these changes. As
new technologies emerge, this could result in regulators continually attempting to
patch the regulations rather than create a new mechanism for addressing these new
and emergent technologies. In order to close the coverage of the open set gap, the
study concluded that the concepts of catch-all regulations should be embraced and
extended. This can include extending concepts of abstract regulation, in similar
approaches to the conceptual framework. Ideas like those in Parts 23 and 25
Sects. 1301 and 1309 can be complemented with regulation of generic propulsion
systems, regulating only the conceptual components, their abstract interfaces,
and the conceptualized interactions that each component would have between its
interface and another conceptual component interface.
94.4.1.1 Sense
The first category of SAA technology is sense. These technologies allow the UAS to
detect other traffic and local terrain features. It is subdivided into airborne sensing
and ground-based sending.
there is a risk of collision given the current flight path and oncoming traffic.
TCAS II also provides collision avoidance directives to the pilot (Federal Aviation
Administration 2012b). A recent FAA study examined TCAS for UAS (Federal
Aviation Administration 2011). It concluded that TCAS could be a viable tool to
aid situational awareness to the UAS operator/pilot but stated that the technology
was never approved as a sole means of replacing the pilot’s role to see and confirm
the presence of other air traffic.
Automatic dependent surveillance-broadcast (ADS-B) can also provide an
airborne sensing capability to improve situational awareness of local air traffic.
Equipped aircraft broadcast their current position and some additional state data
via data link. The broadcast message can be received by suitably equipped aircraft.
For manned aviation, the aircraft positions received can be displayed in real
time to the pilot to enhance local situational awareness. Air traffic controllers
can also receive this information via ground-based transceivers (Federal Aviation
Administration 2007).
There are two types of ADS-B technology currently in use. Universal
Access Transceiver (UAT) technology at 978 MHz is most commonly used by
general aviation aircraft. The second type utilizes a 1,090 MHz Extended Squitter
(ES) Mode-S transponder and is most commonly applied to transport category
aircraft (Federal Aviation Administration 2007). The MITRE Corporation has
produced prototype UAT units for UAS operations including one that is transmit
only and another that is capable of both sending and receiving ADS-B messages
(Strain et al. 2007).
Radar can be equipped onboard a UAS for airborne sensing of other aircraft.
Smaller non-cooperative radar systems have been employed in robotics applications
in the past such as millimeter wave (MMW) radar. Laser systems such as LIDAR or
laser range finders emit laser light, which is reflected off of the surface of a target.
Depending upon the scanning technique, sampling resolution, etc., it is possible to
analyze the shape of the target. The system can also track a target over successive
scans allowing for a determination of range, bearing, speed, and trajectory. The
sensors can be robust enough to support operation in conditions of low human
visibility such as fog or smoke. Sonar systems utilize the emission of acoustic
pulses. The time of flight from transmission to the reception of the reflection is
used to determine the approximate range to the target. Due to the limited resolution
and range, sonar at this time is not likely a viable option for airborne active
sensing.
Air traffic control (ATC) radar-based separation is another approach that can be
taken to aid the sensing of aircraft. Primary radar can be used to detect cooperative
and noncooperative aircraft within a limited range. Secondary radar could be used
to detect transponder equipped, cooperative aircraft.
94.4.1.2 Avoid
The second category of SAA technology is avoid. Collision avoidance can be
addressed through one of two primary mechanisms. First, the system can be diverted
by a remote operator. Second, the aircraft could choose to autonomously avoid the
collision using its autopilot. There can also be a blending of these two approaches.
Aircraft autonomy is addressed further in Sect. 94.5.
94.4.1.3 Be Seen
The third category of SAA technology is be seen. This represents the ability for the
aircraft to be seen by other aircraft both cooperative and noncooperative and ATC.
This is divided into UAS equipage for being seen and UAS conspicuity.
Conspicuity: Many UA are small and made of materials that provide minimal radar cross
sections. Aircraft that are difficult to see by human sight or by systems (e.g., radar or
optical) can increase risks of collisions. These could be mitigated by paint schemes, lights
or radar reflectors to enhance visibility, but these measures must be appropriate to the flight
environment.
The regulatory gap analysis for SAA is divided into two areas of focus. First, FAA
Title 14 CFR Part 91 is reviewed to identify regulations related to the PICs role
to see and avoid other aircraft. Next, while not law, the AIM (Federal Aviation
Administration 2012a) is examined because it provides guidance to pilots regarding
their role to see and avoid other aircraft.
aircraft be capable of not only sensing the other aircraft but also deriving its intent
to land. Similarly, the regulation also gives right of way to aircraft in distress, which
can likely be difficult to identify when the pilot is physically decoupled from the
aircraft.
AIM 4-4-15: Use of Clearing Procedures This section discusses clearing pro-
cedures used to maintain visual awareness of the airspace around the aircraft. It
defines expectations for pre-takeoff, climbs and descents, straight and level, traffic
patterns at VOR sites, training operations, etc. It also distinguishes between low-
wing and high-wing aircraft. UAS operations also require a clearing of the airspace
to maintain assurance of safe separation with other aircraft. However, depending
upon the see-and-avoid systems onboard, the need for actual clearing procedures
may be reduced or eliminated given the scanning and/or field-of-view capabilities
of the sensor(s).
AIM 5-5-8: See and Avoid This section simply restates that under permitting
meteorological conditions the pilot has the responsibility to see and avoid other
aircraft. The controller can provide local air traffic information as workload permits.
2312 R.S. Stansbury and T.A. Wilson
The controller can also issue safety alerts if other unsafe situations are observed.
This relates directly to the sections of Part 91 discussed above.
AIM 8-1-6: Vision in Flight This section of the AIM discusses effective use
of vision given various levels of illumination as well as techniques that can be
employed to scan the sky. It also identifies some quantitative data that can be useful
in determining human capabilities for aircraft detection. Some of these details can
be relevant to UAS when dealing with ground observers. Other aspects may not be
applicable as scanning techniques and the impact of illumination may have little or
no impact on particular sensors.
AIM 8-1-8: Judgment Aspects of Collision Avoidance This section of the AIM
provides guidance on handling unique collision avoidance situations. It describes
determining relative altitude based upon the location of another aircraft with respect
to the observer’s determination of the horizon. This holds some relevance to visual
sensors such as EO or IR cameras. However, some UAS sensors may not be
capable of utilizing this technique or have better alternative results for altitude
approximation. Visual observers on the ground would be unable to apply this
technique.
The section also describes addressing multiple threats simultaneously. This calls
on observation of the other aircraft as the pilot performs the avoidance maneuver to
ensure that a secondary collision threat does not result. This can be challenging
depending upon the SAA technology and the lack of situational awareness for
the PIC. Some situations in which visual limitations exist are also discussed. For
instance, poor windshield conditions are considered (which could be similar to a
fouled sensor on a UAS), which would need to be replaced and/or repaired prior to
flight. Similarly, smoke, haze, dust, etc. can reduce visual acuity for manned aircraft
visual separation but may or may not have an impact for UAS operators depending
upon the sensing techniques employed.
(Insitu 2008), and AAI Corp.’s Shadow (AAI Corp. 2008). Examples of high
endurance include General Atomics’ (GA) Predator (General Atomics Aeronautical
Systems, Inc. 2008), GA’s Mariner (General Atomics Aeronautical Systems, Inc.
2008), Northrup Grumman’s (NG) Global Hawk (Northrop Grumman 2008), NG’s
BAMS (Northrop Grumman 2008), and AV’s Global Observer (AeroVironment
2008). Table 94.17 lists some examples of LOS C3 technologies.
BLOS UAS cover primarily high-endurance UAS. Table 94.18 lists some
examples of BLOS C3 technologies aboard UAS.
C2 Data Links LOS C2 data links use spectrum from VHF (30–300 MHz) to
microwave C band (4–8 GHz) (Neale and Schultz 2007). The most common LOS
data link employed for UAS is C band, using 3.7–4.2 GHz for downlink and
5.9–6.4 for uplink. C Band is strategically chosen its frequency less affected by
extreme weather.
Some small UA like ScanEagle and Georanger, Meridian, Shadow, Dragon, and
Raven use UHF (300 MHz–3 GHz) for LOS C2. It is not uncommon for these
aircraft to utilize 72 MHz handheld remote control similar or identical to those used
by hobbyists. Some experimental UAS use IEEE 802.11 for C2 link (Brown et al.
2006; Frew et al. 2008), allowing ad hoc networks between UAS. Their range is
LOS and directional antennas may be required to ensure signal strength to maintain
connectivity.
For BLOS, low Earth orbiting (LEO) and geostationary Earth orbiting (GEO)
satellites represent two extremes for satellite communication (SATCOM). LEO
satellites operate around 400 km (250 miles). GEO satellites operate around
35,800 km (22,200 miles). Because they are closer to the Earth’s surface, LEO
satellites can transmit equivalent bit-error-rate messages with lower power.
94 Technology Surveys and Regulatory Gap Analyses of UAS Subsystems 2315
Since they are not stationary relative to the Earth’s surface and narrower field of
view, LEO satellite constellations require a larger number of satellites to achieve
the same coverage as GEOs. In Peters and Farrell (2003), a constellation of 80
LEO satellites was compared with a six-satellite GEO constellation with equivalent
coverage area using Ka band. The LEO constellation outperformed the GEO
constellation with reduced latency, lower path losses, and reduced launch cost.
A LEO satellite constellation has higher operational costs. Examples of widely used
LEO constellations include Iridium (2008) and Globalstar (2008). For both cases,
2316 R.S. Stansbury and T.A. Wilson
when the UA moves from one satellite’s coverage area to another, service may be
temporarily disrupted as communications are handed off.
BLOS C2 data links range from UHF (300 MHz–3 GHz) to Ku band
(12–18 GHz) via SATCOM (Neale and Schultz 2007). Ku band is used by high-
endurance UAS like Global Hawk, BAMS, and Predator and its derivatives.
INMARSAT SATCOM data links, with a frequency range from 1,626.5 to
1,660.5 MHz for uplink and 1,525–1,559 MHz for downlink (INMARSAT 2008),
are used by some high-endurance UAS including BAMS, Mariner, and Global
94 Technology Surveys and Regulatory Gap Analyses of UAS Subsystems 2317
Hawk. L band iridium data links range from 390 MHz to 1.55 GHz (Iridium
2008) and are used by smaller, low- or medium-endurance research UAS such as
Georanger and Meridian.
Certain military UAS use Common Data Link (CDL) or Tactical CDL. CDL is a
jam-resistant spread spectrum digital link incorporating multiple microwave bands
(Global Security 2008). CDL is mostly used for BLOS operations; it can be used
for LOS operations to ensure continuously safe and seamless communication when
deployed in hostile territory. Data sheets for larger military UAS (e.g., Predator-B,
Global Hawk) show identical specifications to CDL without explicitly stating the
technology is in use.
C2 Link Loss Procedures In the original study performed by ERAU, lost link
(LL) procedures were addressed as part of the C3 study. One year later, the ERFT
study revisited this topic in greater detail. For the sake of conciseness and to avoid
redundancy, this topic with respect to C2 will be further addressed within the ERFT
case study later in this chapter.
ATC Communication, Coordination, and Lost Link For ATC LL, the objective
is to reestablish voice communications between the GCS and the ATC authority.
For LL with ATC for LOS operation, a land-based phone line is the only option
currently used. Some UA are equipped with multiple VHF transceivers that could
be used to establish a ground control to ATC voice communication link using the
UA as an intermediary.
BLOS UAS PIC-ATC communications can utilize the UA as a communication
relay. The PIC contacts the ATC facility local to the UA via VHF radio onboard
the aircraft. For BLOS operations, reestablishing a connection after LL requires
redundant voice communication systems onboard. For the Altair LL, the FAA and
ATC were provided with detailed flight plans, making sure that the ATC knew
2318 R.S. Stansbury and T.A. Wilson
the aircraft’s location. Additionally, the missions were planned meticulously with
respect to ATC coordination, such that all potential ATC facilities are notified. The
mode of notification was not explicitly disclosed (Ambrosia et al. 2007).
Using a UA as a voice relay with ATC has technical issues such as handoff.
For manned aircraft, as it transitions from one ATC cell to another, the onboard
pilot dials the VHF radio to the appropriate ATC channel as instructed through the
handoff procedure. For several existing COAs and aircraft, the aircraft performs
a rapid assent to an altitude above controlled airspace (i.e., above 60,000 ft) and
maintains this altitude for the duration of the flight. As a result, interaction along a
flight path involving multiple ATC facilities is not common, and proper procedures
to handle operations within controlled airspace have not been formally developed.
For UAS to operate within ATC-controlled airspace in the NAS BLOS, further
protocols must be established regarding the handling of the handoffs and setting of
the new frequencies of the aircraft’s ground-to-ATC relay. Another potential issue of
using UAS as a relay is the spectrum availability to handle additional voice channels
(25 kHz bandwidth) to support each UA (Heppe, personal communications, Insitu,
Inc., 2008). A proposed alternative is to utilize ground-based telecommunications
networks to connect the PIC at the GCS to the ATC facility under which the UA is
operating.
The C3 gap analysis examined 14 CFR Parts 21, 23, 25, 27, and 91 and the AIM.
Each section was labeled does not apply, applied as is, applies with interpretation,
or applies with revision with respect to the categories command, control, and
communication. Fundamental gaps were identified as well as gaps associated
with particular technologies and/or regulations. Related gaps were grouped as
appropriate. Additional regulatory concerns not fitting into the above categories
were also identified.
The regulatory gap analysis was performed iteratively. First, each section of
the parts was classified using the four labels above for command, control, and
communication. During the second pass, the reviewer annotated sections that were
labeled as applicable with interpretation or revision. Third, the annotations were
organized and merged to produce the regulatory gap analysis report.
and 23.1309. It was concluded that UAS should be certified as a whole, and any
deviations from current TSOs as regulated in 14 CFR 21.609 should be acceptable
only by demonstrating an ELOS for the entire system.
The second fundamental gap is the definition, roles, and responsibilities of the
PIC. Because the PIC is no longer onboard the aircraft, regulations and procedures
defined with this expectation must be reviewed and reinterpreted to address this
change.
The decoupling of the pilot’s flight control interfaces and the aircraft control
system (autopilot, surfaces, etc.), and the required data link to support this wireless
interaction, results in the next fundamental gap. Revisions would be required in
14 CFR 23.f175, 177, 1329g, 25.f175, 177, 253, 331, 1303, 1329g, and 27.143
to ensure that the failure of certain data links will not result in a system failure.
Regulations that previously described the redundancies needed between for flight
controls and control surfaces may now be reinterpreted as applying to the data link.
94.5.2.2 Command
In industry and the military, UAS pilots have not necessarily been licensed pilots.
14 CFR 21.37 and 21.31(b) call for the pilot to be licensed and medically certified
in order to assume command of the aircraft. It must be decided whether UAS
PICs require the same medical and training standards as licensed pilots. Training
can be developed to certify licensed UAS operators, requiring at minimum pilot
ground school. Flight instruction regulations are defined in 14 CFR 91.109. For a
typical training flight, an instructor pilot sits in the aircraft’s copilot position, having
complete authority to take command of the aircraft at any time. UAS instructor pilots
must similarly be able to override a UAS trainee, requiring GCS with a redundant
set of flight controls offering the instructor pilot the same ability to immediately
subsume the trainee pilot’s commands.
Under 14 CFR 91.7, the PIC of an aircraft has the responsibility to perform
the safety-critical preflight check of the aircraft prior to departure. This is suitable
for UAS operations in which the takeoff and landing occur at the same site as the
UAS PIC. If the takeoff and/or landing site is decoupled from the PIC, an approved
designee must be permitted to assume this duty.
FAA UAS Interim Guidelines 08-01 require use of a ground- or chase aircraft-
based observer to achieve SAA. Use of an observer produces gaps regarding AIM
procedures and guidance. AIM 4.4.1 and 4.4.12 define guidance stating that the
PIC has overall authority regarding the safety of the aircraft regardless of any order
issued by ATC. If the observers have greater situational awareness than the PIC,
the chain of command in choosing how to respond to a safety-critical situation
must be reconsidered. AIM 4.4.14 and 5.5.1 both discuss the authority of ATC
to command the aircraft in visual flight rules (VFR). It can be asked, should
similar authority be given to the observer when, regarding vertical clearance, the
surveillance capabilities of ATC within the terminal area are vastly superior to
those of a ground observer? It may be necessary to set limits upon when a PIC
has authority to accept or reject ATC orders and guidance from observers.
2320 R.S. Stansbury and T.A. Wilson
The need for pilot situational awareness and the ability to react quickly to adverse
conditions conflicts with the physical decoupling of pilot and aircraft in UAS.
14 CFR 25.253 and 23/25.671 discuss design of the flight control system to
provide timely information to the pilot and to handle the commands in the event of a
critical warning or sudden loss of control. UAS data link latency increases the time
it takes for the pilot to become aware of an adverse situation and react. Maintaining
an ELOS under these conditions is challenging. AIM 3.4.6 defines alert areas (e.g.,
areas of a heavy volume of training flights), and AIM 3.5.4 defines parachute jump
areas. Higher situation awareness is also necessary when operating under special
use airspace. UAS should be prohibited from both of these environments unless
suitable SAA technology is approved. A remote pilot lacks the necessary situation
awareness and the reaction time necessary to avoid a potential collision.
AIM 4.1.19 and 4.4.14 define conditions in which the pilot would have to
switch transponder or radio frequencies during transitions from various modes of
flight. Current radios and transponders are equipped with knobs that must be turned
to change frequencies. Approved alternative mechanisms must be developed to
allow this transition to be triggered remotely or automatically.
94.5.2.3 Control
14 CFR 25.397 discusses mechanical loads placed upon the cockpit controls
such as stick and wheel controls. Since the cockpit controls are decoupled from
the control surfaces, this regulation is no longer applicable. Other mechanical
requirements such as those in 14 CFR 23.395 and 23.405 are no longer necessary
as the aircraft is clearly in a fly-by-wire(less) control mode.
The requirement of status indicators to aid the pilots’ situational awareness must
also be reconsidered. 14 CFR 25.1303, 23/25.1309, and 91.205 as well as AIM
1.1.19 define the indicators required for the pilot. Under the UAS paradigm, the
indicator status information must be transmitted to the GCS and then displayed on
the GCS flight control displays.
14 CFR 23/25.1329 require the capability of the system to avoid becoming
stuck in a hard-over. In the event of a GCS or data link failure, the aircraft’s autopilot
and control system should have sufficient intelligence to detect faults and prevent
improper configurations from occurring.
14 CFR 23.679 discusses the need for lockouts of controls, while the aircraft
is grounded to prevent accidental bumping of controls, but the lockout must be
disabled and cannot be set during flight. For UAS, it may be necessary to include
such mechanisms while in flight as well. Consider the need for a UAS operator
(other than a PIC) to leave a position temporarily. It may be beneficial to enable a
lockout mechanism given the lack of situational awareness to ensure the aircraft is
not accidentally controlled by a 3rd party.
94.5.2.4 Communications
Regulatory gaps can be divided into communication segments. GCS-UA com-
munication will focus upon the command data link. GCS-ATC will focus upon
94 Technology Surveys and Regulatory Gap Analyses of UAS Subsystems 2321
ATC to remote pilot interactions, which may rely upon the UAS as part of the
communication link.
as new TSOs may be issued with less effort than a change to the FARs. TSO-C9c:
Automatic Pilots (Federal Aviation Administration 2012e) defines the requirements
for automatic pilots, which must be approved for use in civil aircraft. This TSO is
written toward an autopilot on a manned aircraft in which a pilot is in immediate
control of the aircraft. The TSO references SAE Aeronautical Standards AS-402A
(SAE International 2001). A detailed analysis of AS-402A yielded the following
gaps. TSO-C9c 4.2.3 calls for “a controller, if present, it shall operate in the
plane and with the sense of direction of motion of the aircraft. The control sensing
shall be plainly identified on or adjacent to each control.” This requirement can be
reinterpreted toward the requirements of the ground control station.
TSO-C9c 4.3.1 and 4.3.2 call for “a means by which the pilot can be made
cognizant of the condition, including control behavior” and “the direction and
relative magnitude of the primary pitch servo present and other two axes.” This
requirement may be re-interpreted toward the requirements of the ground control
station. It must also be considered that any feedback of information to the GCS
controls and indicators from the UA will be susceptible to latency.
TSO-C9c 4.4.1 calls for “corrective control to be: (a) Pitch ˙50ı (b) Roll ˙75ı
(c) Yaw ˙20ı .” Since the PIC is no longer in immediate control of the aircraft,
the corrective controls about these three axes may require greater limitations of
corrective controls, while the autopilot is engaged.
TSO-C9c 4.5.1 calls for “a system interlock to prevent the automatic pilot
engagement until it has reached a fully operable condition.” For aircraft that
handle autonomous takeoff and landing, this requirement is no longer relevant.
However, for aircraft in which the PIC may manually remote control the aircraft,
this requirement must be reinterpreted toward a requirement for the GCS.
TSO-C52b: Flight Director Equipment (Federal Aviation Administration 2012d)
establishes minimum performance standards referencing SAE AS-8008 (SAE
International 1984). The regulatory gaps identified are similar if not identical to
that of TSO-C9c. TSO-C52b 3.6 calls for identical corrective control capabilities
for the pilot, while the autopilot is engaged as TSO-C9c 4.1.1. Likewise, TSO-
C52b 3.8 calls for the same lockout mechanism as defined by TSO-C9c 4.5.1.
The recommendations for interpretation remain the same for each.
To maintain a sufficient level of safety, UAS are equipped with systems to detect
faults and failures of onboard components, including electromechanical systems
(e.g., control-surface actuators) and avionic systems (e.g., data links, actuator
controllers, and sensors). In emergency recovery (ER), the aircraft determines that a
fault has occurred, recovering from it while maintaining safe flight. Link loss (LL)
procedures, addressing and rectifying failure of command and control data links, are
94 Technology Surveys and Regulatory Gap Analyses of UAS Subsystems 2323
a subset of ER. UAS experiencing LL or GPS loss may leave a predefined area for
operation, the bounding box (BB), and need to be brought down. Flight termination
(FT) technologies and procedure end the UA flight while minimizing the risk to the
public and property. A flight termination system (FTS) is an onboard system that
executes a flight termination, which may be remotely triggered via an independent
communications channel by the PIC or automatically performed by the UA on the
basis of aircraft conditions.
Information was gathered for UAS systems and related technologies related
to emergency recovery, link loss, and flight termination. Data sheets and other
materials were collected on a number of UAS and UAS subsystems. A questionnaire
was developed and distributed to UAS researchers and industry workers, but very
few vendors replied, and fewer were willing to provide data. After conversations
with individuals in academia and industry, it was determined that the questions were
too concerned with proprietary information and had the potential to expose issues
manufacturers may not want made public, including experimental flight test results.
Figure 94.4 presents the developed ERFT conceptual framework. From left to
right, the criticality of a vehicle loss and ramifications of such a loss increase.
When criticality is low, health-based recovery systems diagnose and correct the
problem, and the vehicle continues onward. With greater criticality, mission-
level contingency systems handle an emergency recovery, often accompanied by
termination of the aircraft’s mission. The final and most extreme response is flight
termination. In addition to this framework above, UAS pilot procedures differ from
those for manned aircraft with the difference in some cases tied to the technology
being used, but in others coming from fundamental differences between UAS and
manned aircraft, and their operations.
Table 94.19 summarizes the ERFT capabilities of several surveyed autopilots
for small UAS (Vaglienti et al. 2008; Procerus Technologies 2008a; MicroPilot Inc.
2005). Table 94.20 presents the ERFT capabilities of several of the surveyed aircraft
(Heppe, personal communications, Insitu, inc., 2008; McDuffy, personal communi-
cations, Insitu inc., 2008; Butler and Loney 1995; Flightglobal 2009b; Winstead
2008; Flightglobal 2009d; Flightglobal 2009a; Donaldson and Lake 2007).
Mission
Health-based Flight
Contingency
Recovery Termination
Recovery
Board 2008; Ro et al. 2007). The BAT III LL procedure is a simple return home
functionality, flying directly to the last known location of the GCS (Ro et al. 2007).
Within sufficient range of the GCS, a remote pilot controls the aircraft to land.
NASA and Boeing’s PhantomWorks X-36 follows a similar method of returning to
base and loitering (Walker 1997), but rather than return to base directly, the aircraft
follows a predefined return path. Researchers at NASA Dryden are developing a
path-planning algorithm for return-to-base and LL operations ensuring that the UA
stays within its authorized flight zone (McMinn and Jackson 2002). LL procedures
for BLOS operation in either medium-endurance or high-endurance UA are nearly
identical to LOS operations. Altair flew in NAS for Western States Fire Imaging
Mission. During one of its missions, the UA had a modem malfunction, resulting in
BLOS Ku band C2 LL. The aircraft switched to C band and flew to a predetermined
loiter point until the link was reestablished (Ambrosia et al. 2007).
For small UAS, commercial autopilots have contingency management features
for link loss. The Piccolo Autopilot (Vaglienti et al. 2008) supports a lost commu-
nication timeout in seconds. If after that specified time a message from the GCS
has not been received, the aircraft flies to a LL waypoint. The Procerus Kestrel
lost link procedure returns the aircraft either to base or an alternate “rally point”
(Procerus Technologies 2008b). Micropilot’s various autopilots allow users to define
the response to the lost link procedure and the criteria for diagnosing the lost
link (Micropilot 2008). Its LL procedure supports the return to any waypoint or
alternatively to trigger a FTS.
This section presents the process and results of the ERFT regulatory gap analysis.
Title 14 CFR Parts 23, 25, 27, 29, and 91 were reviewed as well as guidance
materials, including the Aeronautical Information Manual (AIM) (Federal Avia-
tion Administration 2012a), Airplane Flying Handbook (AFH) (Federal Aviation
Administration 2009a), and Helicopter Flying Handbook (Federal Aviation Admin-
istration 2009b). Regulatory gaps were organized based upon aspects of pilot/crew
procedures, health-based recovery, contingency-based recovery, and flight termina-
tion. Both fundamental gaps, regulatory gaps that exist because of the difference
between technologies when regulations were written and UAS technologies utilized,
as well as open-set gaps, gaps due to UAS technologies that have no analogue with
currently regulated technologies, are identified.
The gap analysis was performed by an iterative process. The regulatory and
guidance materials to be considered were determined and collected, followed by an
initial review employing coarse filtering to identify ERFT-relevant sections of those
materials. Rubrics were developed for each of the four aspects to determine the level
of applicability of each section, introducing greater transparency and consistency in
identifying gaps. The rubrics provided aspect-specific criteria to facilitate consistent
classification of the section as applying as is, applying with interpretation, applying
with revision, or not applying. Their length precludes their being included here; for
the full text of the rubrics, see Stansbury et al. (2009a). A representative example of
a rubric is shown in Table 94.21 for assessment of regulations/procedures related to
pilot procedures. Using the rubrics, team members analyzed the identified sections,
adding annotations to justify each classification. Chapter 16 of AFH was analyzed
through a less-formal procedure by deriving the implications of manned emergency
2328 R.S. Stansbury and T.A. Wilson
Table 94.21 Rubric for Does not Regulation or guidance material does not
assessing regulations related apply discuss procedures relevant to the
to pilot procedures emergency recovery/contingency
procedures to mitigate risk
Applies as is Regulation or guidance material discusses
procedures relevant to the emergency
recovery/contingency procedures to
mitigate risk. Given current language,
applicable as is need for interpretation or
revision for UAS paradigm
Applies with Regulation or guidance material discusses
interpretation procedures relevant to the emergency
recovery/contingency procedures to
mitigate risk. Parts of the language of the
regulation require interpretation toward
equivalent operations for unmanned
aircraft
Applies with Regulation or guidance material discusses
revision procedures relevant to the emergency
recovery/contingency procedures to
mitigate risk. Regulation defines
procedures of the pilot for safe operation
within NAS that are unachievable for
UAS given the language as it is written
procedures for UAS. The results of the several analyses, including the annotations,
were discussed to determine a consensus as to the level of applicability of each
section. The discussion below focuses upon regulations that required revision or
interpretation. Fundamental gaps and open set gaps were also identified. The result
of the gap analysis follows.
Pilot and Crew Procedure Gaps Title 14 CFR 91 and the AIM were examined
regarding pilot and crew procedures. The AFH was also examined as it indicates
expectations of the PIC of a manned aircraft in an emergency. Pilot and crew
procedures defined within 14 CFR Part 91 assume the pilot, crew, and passengers are
onboard the aircraft. While the pilot of a UAS may no longer be onboard the aircraft,
it is possible for a remotely piloted or autonomous aircraft to carry passengers or
crew in the not too distant future. These regulations cannot simply be dismissed for
“unmanned” aircraft, but rather must be interpreted or revised to be appropriate for
cases in which pilots, crew, and/or passengers are or are not onboard. Examples of
these regulatory gap include 14 CFR 91.509, 91.511, and 91.513, which define
survival equipment for emergency evacuation for overwater flights, and 14 CFR
91.501, which requires any crewmember onboard the aircraft to be familiar with
the emergency equipment and emergency procedures onboard the aircraft before
flight. This regulation is also written with the assumption of the PIC being onboard
the aircraft and must be reinterpreted.
94 Technology Surveys and Regulatory Gap Analyses of UAS Subsystems 2329
Procedures for normal flight operations impacted because the pilot is not
aboard the aircraft include operations where a pilot would diagnose or respond
to an emergency situation that could be handled through health-based recovery,
contingency-based recovery system, or flight termination. An example is AIM
5-4-11, 5-4-14, and 5-4-16, defining arrival procedures, including instrument
approaches and simultaneous landing approaches. Under these conditions requiring
fast reaction times, the need to abort a landing or deviate from an arrival path
could be better handled through contingency-based recovery, which can both restore
safety and send a notification to ATC. Similar issues of deviation and notification of
ATC exist in AIM 6-1-1, 6-1-2, and 6-2-1, which define emergency procedures,
and AIM 7-1-14, which defines weather avoidance assistance procedures. Other
procedure-related guidance includes AIM 6-2-5, which defines requirements for
use of the onboard emergency locator during emergencies such as ditching, which
under the UAS paradigm ought to be activated by the flight termination system;
AIM 6-3-3, which defines procedures for selecting a suitable glide path to ditch
the aircraft, which under the UAS paradigm could be performed by the PIC, FT
system, or both; and AIM 6-4-2, which defines procedures for a pilot handling
the loss of a communication link with ATC. The health-based recovery should be
responsible for diagnosing the issue and switching to a redundant communication
system if available; if communication is not restored, the contingency management
is better capable of handling the procedures for transponder settings to alert ATC of
the issue and performing appropriate LL procedure.
Throughout the regulations and the AIM, the pilot is assumed to be capable of
issuing a distress call and/or rapidly communicating any sudden deviations with
ATC. Given the significant changes to the communication paradigm between pilot,
aircraft, and ATC, these procedures need to be revised or significantly reinterpreted.
Guidance materials falling under this gap include AIM 5-3-1, which is written
assuming traditional communication paradigms for manned aircraft, instead of the
aircraft acting as a relay; AIM 6-1-1, 6-1-2, and 6-2-1, which discuss the ability
to deviate from standard procedures in an emergency; AIM 6-3-1, which discusses
distress communications where the PIC must provide immediate notification and
response to notifications dependent upon the condition and the directives of ATC,
with “immediate” being made difficult because of latency; and AIM 6-3-2, which
discusses request for emergency assistance when flying under distress.
Additional pilot- and crew-related gaps from Title 14 CFR and AIM include
14 CFR 91.609, which establishes the requirement for flight data recorders and
cockpit voice recorders in transport category aircraft; AIM 1-1-19, which assumes
that onboard global position system (GPS) would be identical to the currently
technical standard order (TSO)-defined units featuring a graphical display for the
pilot. Under the UAS paradigm, the GPS can likely be different from these TSOed
GPS units and thus may require entirely different procedures for addressing a minor
or major GPS failure. Aspects of chapter 16 of the AFH suggest that a new approach
will be required regarding emergency situations in UAS. In a traditionally piloted
aircraft, the pilot uses visual means to best determine the location in event of an
unplanned landing. UAS require either dedicated space in which to fly or technology
2330 R.S. Stansbury and T.A. Wilson
Health-based Recovery Gaps For health-based recovery systems, the gap analysis
focused upon regulations for equipment that identified potential risks and mitigated
them through corrective measures that did not alter the aircraft’s current flight
plan. Similar to the procedural gaps, the physical disconnect of the pilot from the
aircraft lead to situations in which the regulation must be interpreted or revised
toward the use of a health-based recovery system to address the situation. 14 CFR
23/25/27/29.672 mandate that an indicator light notify the pilot if there is a loss
in stability control. Under the UAS paradigm, due to data link latency, an indicator
light may not be sufficient for notifying the pilot of this situation. The regulation
also calls for the aircraft’s control to be recoverable by the pilot. However, a health-
based recovery system could be capable of dynamically reacting to the fault and
recovering stability control. If such a system were onboard the aircraft, it would be
necessary that it be demonstrated to provide an ELOS, and the regulation must be
reinterpreted to consider such an alternative.
Engine fire suppression systems as mandated by 14 CFR 23/25.1195 can be
considered a health-based recovery system currently onboard some manned aircraft.
This regulation requires revision for a number of reasons. The propulsion system of
a UAS may not be based upon the use of an internal combustion (e.g., fuel cell,
electric motors), which would likely not need a fire suppression system. Based upon
the size of an aircraft, requiring such a system may produce a significant burden. For
instance, a small hand-launched UAS could likely be incapable of handling such a
system and remain airworthy.
Health-based systems may be capable of handling a variety of different failures
either by initiating the appropriate transition to a redundant system or by diagnosing
and recovering the failure directly. As a result, regulations such as 14 CFR 27.695
and 29.695, which discuss recovery from power and control failures, ought to be
reinterpreted to consider the health-based recovery system operating in place of the
pilot in command. Similarly, health-based recovery may be capable of providing
the “immediate” response to some emergency situations defined in the AIM such as
AIM 5-4-11.
In AIM 1-1-1, 1-1-12, and 1-1-20, it is assumed that minor failures of
navigation aids may be detected by the pilot in command and the pilot can then act
appropriately to maintain safe flight. Under the UAS ERFT framework, a health-
based recovery system could both detect and recover from a minor fault without
having a significant impact on flight. Voice communication loss and recovery is
discussed in AIM 6-4-1. A health-based recovery system could be utilized in place
of pilot procedures to autonomously change to a redundant communication link.
94 Technology Surveys and Regulatory Gap Analyses of UAS Subsystems 2331
ATC and the GCS-based operators, the wording of this requirement will likely
require revision for it to fit correctly. 14 CFR 25.1457, 27.1457, and 29.1457 also
address cockpit voice recorders, though it provides the requirements of the device,
rather than the requirement to have the device.
The AIM and chapter 16 of the AFH define procedures for the pilot if the aircraft
must be ditched. AIM 6-2-5 defines the requirements for triggering the emergency
locator upon ditching the aircraft. AIM 6-3-3 discusses the procedures for finding
a suitable crash glide path to ditch the aircraft in water. In all of these cases, it may
be possible to automate these tasks as part of the onboard flight termination system.
Fundamental Gaps During the gap analysis, fundamental gaps were identifiable
because a significant number of regulations were identified as having gaps and
the justifications for these gaps were very similar. The physical decoupling of the
PIC from the aircraft qualifies as one of the largest fundamental gaps as it results
in the largest number of regulatory gaps related to procedures and airworthiness
regulations. For instance, any procedure requiring an immediate response must be
reevaluated as “immediate” may no longer be achievable as currently understood
due to latency and a lack of situational awareness.
A number of regulations and procedures are written regarding the safety of
passengers and crew onboard the aircraft; however, one of the fundamental dif-
ferences between UAS and manned aircraft is that a UAS can be constructed
for operation solely without passengers or crew. All existing relevant regulations
must be reinterpreted, revised, or eliminated from applicability for UAS. The
GCS generates an additional fundamental gap as existing regulations for cockpit
layout and equipment must be reinterpreted and/or revised in order to support
aircraft control remotely. It may be necessary to revise existing regulations as some
traditional cockpit controls have been eliminated in place of a mouse and keyboard
being used to define waypoints and the autopilot controlling flight surfaces.
Under the AFH and HFH, procedures existed for the pilot to down the aircraft. A
fundamental gap exists in regard to how procedures are written for UAS regarding
emergency flight termination. A flight termination system such as a parachute is
available to UAS, which is rarely seen or used by manned aircraft. The kinetic
energy of a UAS can be dramatically different than a manned aircraft such
that terrain considered previously unsuitable for an emergency landing may be
adequate.
Open Set Gaps Several pieces of aircraft equipment must be evaluated to deter-
mine what regulations must be defined for their usage within an unmanned aircraft,
as they are not typically found within a manned aircraft, including command
data link; ATC/GCS voice link; GCS components; situational awareness sensors
such as any onboard cameras, radars, and auditory sensors; health-based recovery
system; contingency management system; and flight termination system (explosives
or ballistic recovery system).
The PIC can only communicate with the aircraft via a command data link at the
GCS. An open set gap exists because manned aircraft are not equipped with data
94 Technology Surveys and Regulatory Gap Analyses of UAS Subsystems 2333
links for this purpose, and no existing regulations exist for the command data link as
part of 14 CFR. Regulations must exist to define performance, link loss procedures,
data frequencies, message sets, etc. In the event of a mishap, UAS technology must
be equipped with a contingency management system capable of identifying the
failure and then executing one of several possible predefined actions. A number
of possible approaches are available. The open set gap occurs because nowhere
in the current regulatory framework is such a system mandated nor its minimum
performance requirements defined. Additional open set gaps exist for the roles of the
UAS flight crew. Ground observer qualifications including training, health, visual
acuity, etc. are not currently defined as part of the regulations.
94.7 Conclusion
This chapter has discussed the role of technology surveys and regulatory gap
analyses in supporting the FAA and policy makers in understanding how the current
regulatory environment must adapt to accept the near-disruptive technology of UAS.
Earlier in the report, the concepts of the technology survey and regulatory gap
analysis were presented, but without any specific best practices.
Each case study summarized published research conducted by the ERAU team
over the course of several years. The first two studies involved propulsion systems
for UAS (Griffis et al. 2008; Griffis and Wilson 2009). Next, C3 (Stansbury et al.
2008, 2009d) and SAA (Reynolds and Wilson 2008a, b) were studied. Finally,
given the lessons learned from the previous studies, the ERFT study (Stansbury
et al. 2009a, b, c) tried to pool together the best practices from the previous studies in
order to produce a less subjective analysis of the regulations. It is recommended that
the reader seek out these papers for further information and more detailed versions
of their respective technology surveys and gap analyses.
This chapter concludes with the authors attempt to convey some recommended
practices for conducting technology surveys and regulatory gap analyses. This shall
hopefully allow those in the UAS community seeking to analyze other technology
areas to start with a solid iterative foundation for conducting their studies.
The gap analysis proceeds in steps. The first step is to review Title 14 of the Code
of Federal Regulations to determine putative applicability of the regulation to the
particular technology at hand. Putative applicability is determined by as inclusive of
an applicability criterion as possible: if the regulation could be construed through
even a generous interpretation to apply to the technology, it is included in the
putative list.
The second step is to develop rubrics which classify the regulation applied to
the technology as one of applies, applies with interpretation, applies with revision,
and does not apply. A rubric is developed for each element of the conceptual model
or framework for the technologies under review. The language of the rubric should
be such that a reasonably well-informed individual using the rubric should come
to similar conclusions as to whether any given regulation applies to the technology
at hand.
The third step is to apply the appropriate rubric of step two to each of the
regulations in 14 CFR 1–199. Multiple individuals should perform step three, such
that their results can be compared. Differing results should be discussed until
agreement is reached as to the proper classification. Annotations should be provided
to identify the rationale for the classifications made whenever necessary.
The fourth and final step is to compare the results of step three with the putative
list from step one. Disagreements between the step three list and the putative list
should be re-examined to ensure that the classification is appropriate.
References
AAI Corp, Unmanned aircraft systems (2008), online, http://www.aaicorp.com/New/UAS/index.
htm
AC Propulsion, AC propulsion’s solar electric powered solong uav (2005), online, http://www.
acpropulsion.com/ACP PDFs/ACP SoLong Solar UAV 2005-06-05.pdf
Access 5, Cooperative conflict avoidance sensor trade study report V.2. Technical report, NASA
Access 5, Edwards, CA, 2004
Advance Ceramic Research, Unmanned vehicle systems (2008), online, http://www.acrtucson.
com/UAV/index.htm
AeroVironment, Unmanned aircraft systems (2008), online, http://www.avinc.com/UAS products.
asp
AIAA, UAV programs around the world. Aerospace America, issue supplement, 2005
AIAA, 2011 worldwide UAV roundup, Poster, 2011
94 Technology Surveys and Regulatory Gap Analyses of UAS Subsystems 2335
V.G. Ambrosia, B. Cobleigh, C. Jennison, S. Wegener, Recent experiences with operating UAS in
the NAS, in AIAA Infotech Aerospace 2007 Conference and Exhibit, Rohnert Park, California,
AIAA 2007-3007, 2007
AREN, Mazda Wankel Rotary Engines for aircraft website (2006), online, http://www.rotaryeng.
net
Army-Technologycom, Army technology – CL289 – unmanned aerial vehicle (2007), online,
http://www.technology.com/projects/cl289/
E.M. Atkins, Dynamic waypoint generation given reduced flight performance, in Proceedings of
the 42nd AIAA Aerospace Sciences Meeting and Exhibit, Reno, Nevada, AIAA 2004-779, 2004
M. Brian, How rocket engines work (2007), online, http://science.howstuffworks.com/rocket.htm
N. Brown, A. Samuel, S. Bhandar, R. Colgren, D. Schinstock, J. Lookadoo, Modular wireless
avonic system for autonomous UAVs, in AIAA Guidance, Navigation, and Control Conference
and Exhibit, Keystone, CO, AIAA 2006-6683, 2006, pp. 21–24
M.C. Butler, T. Loney, Design, development and testing of a recovery system for the Predator UAV,
in 13th AIAA Aerodynamic Decelerator Systems Technology Conference, Clearwater Beach,
AIAA 95-1573, 1995
Defense Update International Online Defense Magazine, Desert Hawk Miniature UAV (2006),
online, http://www.defense-update.com/products/d/deserthawk.htm
P. Donaldson, D. Lake (eds.), Unmanned Vehicles Handbook 2008 (Shephard Press, Ltd.,
Berkshire, UK, 2007)
Electricity Storage Association, Technologies – supercapacitors (2007), online, http://
electricitystorage.org/tech/technologies technologies supercapacitor.htm
Federal Aviation Administration, Automatic dependent surveillance – broadcast (ADS-B) out
performance requirements to support air traffic control (ATC) service. Technical report, Docket
no. FAA-2007-29305, Department of Transportation: FAA, 2007, http://www.faa.gov/aircraft/
air cert/continued operation/ad/
Federal Aviation Administration, Interim operational approval guidance 08-01: Unmanned aircraft
systems operations in the national arspace system, Technical report, Federal Aviation Admin-
istration. Aviation Safety Unmanned Aircraft Program Office AIR-160, 2008
Federal Aviation Administration, Airplane flying handbook (2009a), http://www.faa.gov/library/
manuals/aircraft/airplane handbook/
Federal Aviation Administration, Helicopter flying handbook (2009b), http://www.faa.gov/library/
manuals/aircraft/media/faa-h-8083-21.pdf
Federal Aviation Administration, TSO-C23d: Personnel parachute assemblies (2009c), http://rgl.
faa.gov/Regulatory andGuidanceLibrary/rgTSO.nsf/0/00493ac675eda12e86256da500600ef7/
$FILE/C23d.pdf
Federal Aviation Administration, Evaluation of candidate functions for traffic alert and collision
avoidance system II (TCAS II) on unmanned aircraft system (UAS) (2011), online, http://www.
faa.gov/about/initiatives/uas/media/TCASonUAS FinalReport.pdf
Federal Aviation Administration, Aeronautical information manual (2012a), online, http://www.
faa.gov/air traffic/publications/atpubs/aim/
Federal Aviation Administration, TCAS home page (2012b), online, http://adsb.tc.faa.gov/TCAS.
htm
Federal Aviation Administration, Technical standard order (TSO) (2012c), online, http://www.faa.
gov/aircraft/air cert/design approvals/tso/
Federal Aviation Administration, TSO-C52b: Flight director equipment (2012d), online, http://rgl.
faa.gov/Regulatory and Guidance Library/rgTSO.nsf/0/56EF54910099134186256DC1006006
02?OpenDocument
Federal Aviation Administration, TSO-C9c: Automatic pilot (2012e), http://rgl.faa.gov/Regul
atory and Guidance Library/rgTSO.nsf/0/4D729BA5BDF5851286256DA4005DC0AD?Open
Document
D. Fitzgerald, R. Walker, D. Campbell, Vision based emergency forced landing system for
an autonomous UAV, in Proceedings of the Australian International Aerospace Congress
Conference, Melbourne, Australia, 2005, pp. 397–402
2336 R.S. Stansbury and T.A. Wilson
Flightglobal, British blend: UAV x-planes help boeing with blended wing concept
(2009a), online, http://www.flightglobal.com/articles/2006/05/30/206893/british-blend-uav-x-
planes-help-boeing-with-blended-wing.html
Flightglobal, Global Hawk downed by rouge abort signal (2009b), online, http://www.flightglobal.
com/articles/1999/10/06/56882/global-hawk-downed-by-rogue-abort-signal.html
Flightglobal, Grand designs (2009c), online, http://www.flightglobal.com/articles/2005/06/07/
198916/grand-designs.html
Flightglobal, Lockheed confirms P-175 Polecat UAV crash (2009d), online, http://www.flig
htglobal.com/articles/2007/03/20/212700/lockheed-confirms-p-175-polecat-uav-crash.html
L. Frater, E. Stokes, R. Lee, T. Oriola, An overview of the framework of current regulation affecting
the development and marketing of nanomaterials. Technical report, ESRC Centre for business
relationships accountability sustainability and society (BRASS), Cardiff University, 2006
E.W. Frew, C. Dixon, J. Elston, B. Agrow, T.X. Brown, Networked communication, command, and
control of unmanned aircraft systems. J. Aerosp. Comput. Inf. Commun. 5, 84–107 (2008)
General Atomics Aeronautical Systems, Inc, Aircraft platforms (2008), online, http://www.ga-asi.
com/products/index.php
Global Security, Common Data Link (2008), online, http://www.globalsecurity.org/intell/systems/
cdl.htm
Globalstar, Globalstar, Inc. – worldwide satellite voice and data products and services for
customers around the globe, (2008), online, http://www.globalstar.com
C.L. Griffis, T.A. Wilson, A conceptual framework for UAS propulsion applied to risk and
regulatory gap analyses, in SAE 2009 AeroTech Congress and Exhibition, Seattle, WA, 2009
C.L. Griffis, T. Wilson, J. Schneider, P. Pierpont, UAS propulsion systems technology survey,
Technical report, U.S. Department of Transportation: Federal Aviation Administration, 2007
C.L. Griffis, T.A. Wilson, J.A. Schneider, P.S. Pierpont, Framework for the conceptual decompo-
sition of unmanned aircraft propulsion systems, in Proceedings of the 2008 IEEE Aerospace
Conference, 2008
R.D. Hale, W.R. Donovan, M. Ewin, K. Siegele, R. Jager, E. Leong, W.B. Liu, The Meridian UAS:
detailed design review, Technical report, TR-124, Center for Remote Sensing of Ice Sheets.
The University of Kansas. Lawrence, Kansas, 2007
D. Hall, B. Hosken, R. Wagner Robotics instruction course (2003), online, http://teamster.usc.
edu/fixture/Robotics/Course.htm
G. Heredia, V. Remu, A. Ollero, R. Mahtani, M. Musal, Actuator fault detection in autonomous
helicopters, in Proceedings of the 5th IFAX Symposium on Intelligent Autonomous Vehicles
(IAV 2004), Lisbon, Portugal, 2004
S. Hottman, K. Hansen, M. Berry, Review of detect, sense, and avoid technologies for unmanned
aircraft systems. Technical report, U.S. Department of Transportation: FAA, 2007
INMARSAT, Aeronautical services (2008), Online, http://www.inmarsat.com/Services/
Aeronautical/default.aspx?language=EN&textonly=False
Insitu, Insitu unmanned aircraft systems (2008), http://www.insitu.com/uas
Iridium, Aviation equipment (2008), online, http://www.iridium.com/products/product.htm
L. Kirk, D. Marshall, B. Trapnell, G. Frushour, Unmanned aircraft system regulatory review.
Technical report, US. Department of Transportation: Federal Aviation Administration, 2007
J.D. McMinn, E.B. Jackson, Autoreturn function for a remotely piloted vehicle, in AIAA Guidance,
Navigation, and Control Conference and Exhibit, Monterey, CA, AIAA 2002-4673, 2002
Micropilot, MP2028 series autopilots (2008), Online, http://micropilot.com/autopilots.htm
MicroPilot Inc, MP2028g Installation and Operation (MicroPilot Inc., Stony Mountain, MB, 2005)
National Fuel Cell Council, Fuel cell glossary (2006), http://www.usfcc.com/Glossary2.pdf
National Transportation Safety Board, NTSB Incident CHI06MA121 – full narrative (2008), on-
line, http://www.ntsb.gov/ntsb/brief2.asp?ev id=20060509X00531&ntsbno=CHI06MA121&
akey=1
M. Neale, M.J. Schultz, Current and future unmanned aircraft system control and communications
datalinks, in AIAA Infotech Aerospace Conference and Exhibit, Rohnert Park, CA, AIAA 2007-
3001, 2007
94 Technology Surveys and Regulatory Gap Analyses of UAS Subsystems 2337
C. Theiss, A. Thomas, Comparison of prime movers suitable for USMC expeditionary power
sources. Technical report, Oak Ridge National Laboratory (ORNL), 2000
United States Naval Academy, Fundamentals of naval warfare systems (2008), online, http://www.
fas.org/man/dod-101/navy/docs/fun/index.html
B. Vaglienti, R. Hoag, M. Niculescu, Piccolo System User’s Guide (Cloud Cap Technology, Hood
River, OR, 2008)
L.A. Walker, Flight testing the X-36 – the test pilot’s perspective. Technical report, NASA
contractor report no. 198058, NASA – Dryden Flight Research Center, Edwards, California,
1997
J.S. Winstead, Transformational isr (RQ-4 GlobalHawk), in TAAC Conference Proceedings 2009
[cd-rom], Albuquerque, NM, 2008
Concept of Operations of Small
Unmanned Aerial Systems: Basis for 95
Airworthiness Towards Personal
Remote Sensing
Contents
95.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2340
95.2 Airworthiness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2343
95.2.1 Aircraft Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2343
95.2.2 Ground Control Station . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2345
95.2.3 Air Safety . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2346
95.3 Flight Operations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2349
95.3.1 Operational Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2349
95.3.2 Flight Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2350
95.3.3 Data Mission Assurance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2351
95.4 Operator Certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2351
95.4.1 Human Factors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2352
95.4.2 Documentation and Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2352
95.5 An Application Scenario. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2353
95.5.1 The Riparian Application Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2353
95.5.2 Mission Preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2353
95.5.3 Mission Success Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2354
95.5.4 Applications for Advanced Payload Development or
Human-Automation Interaction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2355
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2358
K.P. Valavanis, G.J. Vachtsevanos (eds.), Handbook of Unmanned Aerial Vehicles, 2339
DOI 10.1007/978-90-481-9707-1 105,
© Springer Science+Business Media Dordrecht 2015