8/8/2019 Hazards of Uav
http://slidepdf.com/reader/full/hazards-of-uav 1/169
THE HAZARDS OF UNMANNED AIR VEHICLE INTEGRATION INTO UNSEGREGATED AIRSPACE
Andrew R Evans
This report is submitted to satisfy the project requirements of the
Master of Science in Safety Critical Systems Engineering
at the Department of Computer Science
September 2006
Number of words = 43,176, as indicated by the Microsoft Word ‘word count’ tool. The count includes the title page, preliminaries, report body, and Annex F, but not the Bibliography. Annexes A – E contain supporting evidence and contextual information for the reader, and have not been included in the word count.
ABSTRACT
There is strong interest in expanding Unmanned Air Vehicle Systems (UAVS) usage. Potential military and civil tasks will need them to operate in the same airspace as manned aircraft and over the general public. While they are currently segregated because of concerns for safety, what are the real safety risks and can they be addressed?
A broad literature review has highlighted a range of safety-related issues. In particular:
• The root hazards associated with UAVS integration are not well understood.
• Can an EASA CS.23/25.1309 type safety assessment approach be taken, to identify the hazards and support clearance into unsegregated airspace?
A hazard identification methodology has been developed based on ARP4761 (an accepted framework for satisfying EASA CS.23/25.1309). Functional Hazard Assessment (FHA) elements have been modified to be UAVS-applicable, with a UAVS-level assessment, consideration of the wider system of systems, and techniques to draw out UAVS peculiarities. The method has been applied to a Tactical UAVS case study to derive a hazard listing.
The project has concluded that:
• There are a broad range of safety issues to be overcome, to allow UAVS integration into unsegregated airspace – some relating to the differences of UAVS as ‘disruptive technology’; others to the manned airspace environment struggling to accommodate UAVS.

• The hazard identification method developed provides a strong supplement to ARP4761, allowing the combined framework to be used for UAVS safety assessment.

• In the test application, the method identified around 90% of hazards related to integrating UAVS into unsegregated airspace. This should improve further in a real application, through peer review, stakeholder involvement, and the use of the follow-on safety assessment techniques that make up ARP4761.
ACKNOWLEDGMENTS
The completion of this project would not have been possible without the support of many people.

I would like to thank Peter Moores and JRA Aerospace Ltd, for their support and sponsorship; and my JRA colleagues Dan Warnes and Mike Shilling for acting as ‘sounding boards’ (or sounding bored?) of my developing ideas.

I would like to thank my project supervisor, Mark Nicholson, for his guidance, advice and humour throughout the conduct of the project.

I would like to thank Patrick Mana and Mike Strong (EUROCONTROL) for their advice on Air Traffic Management approaches to safety and Unmanned Air Vehicles.

I would like to thank the many people of the UAVS industry with whom I had discussions – too many to mention in full, but a few key personalities being Dr Sue Wolfe (Parc Aberporth), Andre Clot and Mike Lake (the UAVS Association), and Ingo Massey (Remote Aviation Ltd) – their unwavering enthusiasm and belief that UAVs will become integrated with manned airspace was infectious.

Finally, I would like to thank my wife, Caroline, my family and friends for their love, support and preaf-rooding. Yes, I promise that I won’t do any more educational ‘challenges’. Well, for a long while, at least.
TABLE OF CONTENTS
Abstract ..... i
Acknowledgments ..... ii
Table of Contents ..... iii
List of Tables ..... v
List of Figures ..... vi
Introduction ..... 1
PART 1 – Literature Review ..... 4
Overview of Unmanned Aerial Vehicle Systems ..... 4
Issues Relating to UAV Safety and Access to Integrated Airspace ..... 7
Note on UAV Classification ..... 7
1.1 Safety Issues Relating to UAVs as 'Disruptive Technology' ..... 8
1.1.1 Impact of the Variety, Roles and Performance of UAVs ..... 8
1.1.2 The complex system boundary for UAVs ..... 9
1.1.3 UAV autonomy - technology, predictability, complexity ..... 11
1.1.4 Accident rates and reliability - UAV airworthiness ..... 15
1.2 Safety Issues Relating to the Manned Airspace Environment 'Coming to Terms' with UAVs ..... 18
1.2.1 Regulation, Certification and the Drive for Standards ..... 18
1.2.2 ATM interaction ..... 23
1.2.3 Collision avoidance ..... 27
1.2.4 Security and safety ..... 30
1.2.5 The Human Element ..... 31
1.2.6 Public perception of UAV safety ..... 33
1.3 Summary of UAVS Safety Issues ..... 35
PART 2 - Design and Build: Moving forward in UAVS HazID ..... 40
2.1 Assessment of ARP4761 Usability for UAVS HazID ..... 40
2.1.1 Introduction ..... 40
2.1.2 Safety Objectives ..... 40
2.1.3 'Aircraft Level' and 'System Level' FHA ..... 41
2.1.4 FHA Process ..... 41
2.1.5 Overall Applicability of ARP4761 for UAVS use ..... 42
2.2 Modifying ARP 4761 FHA for UAVS Use ..... 43
2.2.1 Derivation of Safety Criteria and Objectives for UAVS Application ..... 43
2.2.2 FHA Levels to Address System Complexities ..... 49
2.2.3 Function Identification ..... 51
2.2.4 Identification and Description of Failure Conditions ..... 54
2.2.5 Identifying and Managing the Effects of the Failure Conditions ..... 57
2.2.6 Summary of Amended FHA Process ..... 59
PART 3 - Test and Evaluation ..... 61
3.1 Test Methodology ..... 61
3.2 Evaluation of the Modified HazID Method through Trial Application ..... 63
3.2.1 Derivation of Safety Criteria and Objectives for UAVS Application ..... 63
3.2.2 FHA Levels to Address System Complexities ..... 64
3.2.3 Function Identification ..... 65
3.2.4 Identification and Description of Failure Conditions ..... 67
3.2.5 Identifying and Managing the Effects of the Failure Conditions ..... 69
3.3 Evaluation of Hazards Identified by the Modified HazID Method ..... 75
PART 4 – Conclusions and Further Work ..... 78
4.1 Findings, Related to Satisfaction of the Project's Aims ..... 78
4.1.1 Identifying Current Concerns over UAVS Safety ..... 78
4.1.2 A Framework for Considering Safety Risks Related to Integrating Unmanned Vehicles into Unsegregated Airspace ..... 80
4.2 Recommendations for Further Work ..... 83
4.2.1 UAVS Safety, generally ..... 83
4.2.2 UAVS Hazard Identification Methodology and Application of ARP4761 Framework ..... 84
Bibliography ..... 85
Abbreviations & Acronyms ..... 88
Annex A Review of ARP 4761, to support ARP 4758, CS 25.1309 etc for UAV application ..... A-1
Annex B Extract from [CAA02] - A Method for Setting Design Standards for New Kinds of Aircraft, Including Unmanned Air Vehicles ..... B-1
Annex C 'Guard Dog' - generic TUAV Case Study ..... C-1
Appendix C1 Guard Dog Mission Scenario (Coastal Route) ..... C-6
Appendix C2 Guard Dog Mission Scenario (Inland Route) ..... C-7
Annex D FHA for 'Guard Dog' TUAV System (extracts) ..... D-1
Annex E SWIFT Assessment for Comparison (extract of hazards) ..... E-1
Annex F Listing of Hazards for Integration of UAVS into Unsegregated Airspace (From TUAV Case Study) ..... F-1
LIST OF TABLES
Table 2.2.1(i) - Airworthiness Failure Condition Severities (after [SAE96], with additions from [UTF04] as noted) ..... 44
Table 2.2.1(ii) - EUROCONTROL ATM-Focused Separation / Collision Safety Criteria (from [EUR04]) ..... 46
Table 2.2.1(iii) - Airworthiness Safety Objectives - probabilities per Flying Hour (from [SAE96], drawn from [FAA88] and compared with [FAA99]) ..... 48
Table 3.2.1(i) - Airworthiness Failure Condition Severities for ‘Guard Dog’ (drawn from Table 2.2.1(i)) ..... 63
Table 3.2.4(i) – Example of ‘Loss of Function’ for pseudo-continuous function ..... 68
Table 3.2.4(ii) – Example of ‘Uncommanded Function’ ..... 69
Table 3.2.4(iii) – Example of ‘Incorrect Function’ for a cross-system function ..... 69
Table 3.2.4(iv) – Example of failure identification for a warning function ..... 69
Table 3.2.5(i) – Examples of analysis of the effects of failure conditions, from the ‘Guard Dog’ FFA ..... 70
Table 4.1.2(i) – Satisfaction matrix for development of HazID methodology ..... 81
Table A(i) - Safety Objective, from ARP 4761 (drawn in turn from CS.25.1309) ..... A-3
Table A(ii) - Severity Criteria as defined in ESARR4 by EUROCONTROL ..... A-4
Table D(i) - Airworthiness Failure Condition Severities (from Table 2.2.1(i)) ..... D-3
Table D(ii) - Airworthiness Safety Objectives ..... D-3
Table D(iii) – ATM Separation / Collision Safety objectives ..... D-4
Table D(iv) – Flight phases view of functions ..... D-12
Table D(v) – External interactions and derived UAVS functions ..... D-14
Table D(vi) – Functional Failure Conditions for Guard Dog UAVS ..... D-18
Table D(vii) – Failure Effects for (a selection of) Guard Dog failure conditions ..... D-30
Table E(i) – SWIFT hazards identified for Guard Dog case study ..... E-2
Table F(i) – Hazards identified for Guard Dog case study, using the proposed modifications to ARP4761 FHA technique ..... F-2
LIST OF FIGURES

Figure 1a - AQM-34 derivative showing the improving reliability of 'high end' UAV systems [Wes05] ..... 5
Figure 1b - Aerosonde Laima Crosses the Atlantic (taken from www.aa.washington.edu/research/afsl/background.shtml) ..... 5
Figure 1c - Spectrum of current UAV military types [Wei04] ..... 6
Figure 1.1.3a - Autonomy level variation with required flexibility of mission / environment and certainty of information ..... 12
Figure 1.1.3b - Optimising autonomy level to suit operator's [mission] needs ..... 12
Figure 1.1.3c - Varying the UAVS autonomy level to suit the required level of operator authority for a situation ..... 13
Figure 1.1.3d - 'Agent' View of the UAVS assets and mission decision-making environment (for a multi-UAV scenario) ..... 14
Figure 1.2.1a - EASA / EUROCONTROL 'Total System' vision for aircraft / UAVS regulation ..... 20
Figure 2.2.2a – Example of decomposition of high level policy to lower level agents or cases [Hall05] ..... 50
Figure 2.2.2b - Example of Rich Context Diagram (taken from [RQE05, unit 20]) ..... 51
Figure 2.2.3a – Modified ‘V’ to ‘Y’ model safety assessment process [Jos05] ..... 53
Figure 2.2.6a - ARP 4761 FHA Process, with modifications overlaid for UAVS applicability ..... 60
Figure 3.1a - "Capture - Recapture" analysis method, to measure the effectiveness of hazard identification processes ..... 62
Figure 3.1b - Overview of Guard Dog UAVS case study ..... 63
Figure 3.2.2a - Rich Context Diagram for Guard Dog UAVS and the System of Systems ..... 64
Figure 3.2.3a – Example of use of mind-map to consider each system element’s view of functions ..... 65
Figure 3.2.3b – Example of derived Functions Tree for ‘Guard Dog’ UAVS ..... 67
Figure 3.2.4a – Example of outline Emergency Procedures, to derive functions ..... 68
Figure 3.2.5a – Example of mini scenario for consideration of failure effects ..... 74
Figure 3.2.5b – Example of graphical scenario ‘MS1 Routine Take-off and climb out’ ..... 74
Figure A-1 - ARP4761 Process for an Aircraft-level FHA ..... A-8
Figure B-1 – Unpremeditated Descent Scenario ..... B-5
Figure B-2 – Loss of Control Scenario ..... B-6
Figure C-1 – Overview of Guard Dog Case Study ..... C-2
Figure C1-1 - Flight Plan – Westerly Route (to maximize over-water flight) ..... C-6
Figure C2-1 - Flight Plan – Easterly Route (to maximise overland / ATC interaction) ..... C-7
Figure D-1 - Rich Context Diagram for Guard Dog UAVS and the System of Systems around it ..... D-5
Figure D-2 - Outline Emergency Recovery Procedures ..... D-8
Figure D-3a – UAV Centred view of functions ..... D-9
Figure D-3b – GCS centred view of functions ..... D-10
Figure D-3c - TACU and Field Recovery / Launch Unit centred views of functions ..... D-11
Figure D-4a – Guard Dog Functions Tree (part 1 of 3) ..... D-15
Figure D-4b – Guard Dog Functions Tree (part 2 of 3) ..... D-16
Figure D-4c – Guard Dog Functions Tree (part 3 of 3) ..... D-17
INTRODUCTION
Background
Unmanned Air Vehicles (UAVs), from quiet beginnings alongside manned aviation as targets and Remotely Piloted Vehicles (RPVs), have been gradually growing in use. In particular, their use by military forces in operational areas such as the Balkans, Afghanistan and Iraq has started to catch the public eye. Now, with a drive for ‘homeland security’, and with increasing environmental and financial pressure in carrying out ‘dull, dangerous and dirty’ tasks with larger, manned aircraft, interest is growing to expand the use of UAVs in military and civil applications. This requires that they be integrated into unsegregated airspace, alongside manned aircraft and over the general public. However, important questions remain over how they can be cleared to operate safely in airspace infrastructures developed and regulated for safe manned flight.

This report is aimed at safety professionals who may become involved in the assessment and clearance of UAV Systems (UAVS). It is also intended to be of use to UAVS developers, operators and regulators, as they face the many issues to be overcome to allow safe, integrated flight.
Objectives and Motivation for the Project
There is strong interest in expanding the use of UAVs. Currently, their operation is segregated from civilian airspace because of safety concerns, but to allow them to reach their potential, they need to be integrated into unsegregated airspace. What, then, are the real safety issues that must be overcome? In particular, it is unclear how they can be integrated safely with manned aircraft and conventional air traffic control. Partly, without prior experience of integrating such systems, the types of hazards involved are not adequately understood. Without a clear framework of UAVS hazards, it is therefore difficult to operate a risk-based safety assessment process.
This project aims to:
• Identify the current concerns over UAVS safety, in relation to the existing manned airspace infrastructure;

• Hence, derive a framework for considering the safety risks related to integrating unmanned vehicles into unsegregated airspace. The intent is that this, as part of a robust safety assessment and certification programme, will assist in the eventual clearance of UAVS to operate routinely alongside manned aircraft.
Project Scope (and Limitations)
There is a large amount of documentation available in the public domain, relating to UAVS and their integration. With the pace of technological advance being high, the project has focussed on the later information as being most relevant (significantly, some issues have not advanced in recent times, even with this ‘push’).
The first part of the project has thus involved a significant effort, to identify the currentconcerns over safety.
Having established as part of this research that there is a place for a risk-based safety analysis process, the project has had to remain focussed on the hazard identification framework as the main goal. Hence, while there are suggestions for a complete safety assessment framework for UAVS development, the project is not intended to provide a ‘one stop shop’ for the safety professional involved in UAVS assessment. It does not provide detailed safety analysis methods for further down the design and implementation path.
The project is intended, however, to provide a robust start to such a safety assessment process, with a sound hazard identification methodology based on the civil standard of ARP 4761. It is noted that other forms of hazard identification do exist, and they might also prove UAVS-friendly, but this project has strived to ensure that the hazard identification method would be compatible with existing requirements of the regulatory bodies for civil aviation. Without their consensus, the safety assessment method will not support clearance into civil skies. ARP4761 is an accepted standard and, if it can be made UAVS-applicable, it can support civil clearance.
In order to assess the hazard identification framework, a case study has been used, featuring a generic Tactical UAV System. This provides a good benchmark for the applicability of the method and the hazards it produces. However, as is discussed in section 1.1.1, UAVSs differ significantly in size, performance and role. Due to limitations of time, it has not been possible to assess the framework against all of these varieties. Instead, the Tactical UAVS was chosen as having broad applicability which may have significant read-across to many of the other configurations. That said, the method should be reviewed for its applicability before its use with the more extreme configurations of UAVS.
Report Structure and Layout
This report presents the research, analysis, development, evaluation, conclusions and recommendations for the project and is structured as follows:

• Part 1 presents the literature review. A broad review has been carried out, to establish the context for UAV Systems, and this provides an important introduction to the characteristics of such systems for those not overly familiar. The review then focusses on the safety-related issues, identifying those inherent in the UAVS as ‘disruptive technology’, and those due to the manned airspace environment trying to come to terms with that disruption.

• Part 2 represents the ‘design and build’ activity for the project. Here, the ARP4761 civil safety assessment process is assessed for its UAVS applicability. Then, a hazard identification framework is derived, to address the identified gaps and hence provide a robust, UAVS-friendly methodology.

• Part 3 assesses how robust the new hazard identification methodology is. The framework is evaluated using a Tactical UAV case study, and the results analysed for practicality of application and robustness of hazard identification.

• Part 4 presents the conclusions and recommendations from the project, assessed against the project aims. It also suggests areas of potential further work, identified during the conduct of the project.
The annexes to the report provide supplementary material as context and evidence for the main report body:

• Annex A provides a more detailed review of ARP4761, used to derive the ‘design requirements’ for the UAVS-friendly Functional Hazard Assessment (FHA) hazard identification method.

• Annex B provides an extract from a Civil Aviation Authority paper on a method for comparing UAVSs against manned aircraft, using kinetic energy criteria. This is used, in part, within the hazard identification method.

• Annex C provides useful contextual information on the Tactical UAVS case study used throughout the project.

• Annex D contains extracts from the results of applying the hazard identification methodology to the case study system. The full results could not be practically annexed due to document size, so elements have been extracted pertinent to the evaluation in Part 3.
• Annex E contains a summary of the hazards identified using the Structured What-If technique (SWIFT) as an alternative identification method. The results allow comparison of the robustness of the hazard identification from both methods.

• Annex F provides a listing of the hazards identified using the UAVS-friendly FHA method, as applied to the Tactical UAVS case study. This is provided as a ‘starter list’ to aid the assessment of other UAV Systems, and is not intended as being a complete list for all varieties of UAVS.
PART 1 – LITERATURE REVIEW
Overview of Unmanned Aerial Vehicle Systems
What is an Unmanned Aerial Vehicle System (UAVS)?
Let us start with a narrower question - what is an Unmanned Aerial Vehicle, or UAV, as this tends to be the 'business end' of the overall system? This can be surprisingly complex to define, but the Civil Aviation Authority (CAA) take a nice, broad view in their definition as:

“An aircraft which is designed to operate with no human pilot on board.” [CAA04, section 2.1].

This definition is both short and subtle, in that it is inclusive of all flying vehicles that would usually be considered under a wide remit as 'aircraft', and covers all aspects of pilotage and control from the fully autonomous vehicle to those under direct ground-based pilot control.

There are more complex definitions, such as that proposed by the United States Department of Defense (DoD): "A powered, aerial vehicle that does not carry a human operator, uses aerodynamic forces to provide vehicle lift, can fly autonomously or be piloted remotely, can be expendable or recoverable, and can carry a lethal or non-lethal payload. Ballistic or semi-ballistic vehicles, cruise missiles, and artillery projectiles are not considered unmanned aerial vehicles." [DeG04, section 1.1]. While this is admirable from a legalistic viewpoint, it does not make for easy reading or general use, so we will stick with the more inclusive CAA definition. What this does indicate is the lack of consensus between agencies involved in gaining airspace access for UAVs, and hence the basic level of difficulty that will have to be overcome.

What, then, of the UAVS? This is the broader system, which includes not only the UAV itself but also all the other necessary elements to operate the vehicle. There are the 'hard' elements in use during the actual real-time mission, such as the Ground Control Station (GCS) and its Datalink with the UAV, and any hardware required to launch and recover the UAV. Then there are less real-time but still significant aspects such as Mission Planning. The 'system' can also include softer aspects, such as the organisation that operates the UAV, its personnel and their competence, and the procedures for operation of the system. All of these have significance for the safe operation of the UAV.
Brief History of UAVs
The early story of UAVs lies almost solely with military efforts to relieve pilots of the 'dull, dangerous and dirty' jobs. The earliest significant attempt was perhaps the Sopwith AT in 1916, which was proposed as an 'aerial target' but was actually intended for air interception / ground attack under remote control. Unfortunately it never flew, being damaged in its hangar and subsequently abandoned.
As might be expected, the major developments occurred in line with the requirements of war, and WWII gave real impetus. The first large numbers of Radio Controlled targets appeared in the mid-late 1930s, to allow the growing population of air gunners to practise - in the UK, the Queen Bee (from where the term 'drone' emanates) and in the US the Radioplane RP-4 (or 'Denny Drones'), which was the first sub-scale target (and hence showed the potential for miniaturisation) [Wes05]. Meanwhile, Germany developed the V1 and V2 weapon systems - not UAVs as such, but contributing significantly to the technology required for guidance and autonomous control [DeG04]. In the late 1940s, the US began to broaden the role from targets, using RC aircraft such as pilotless P-61s for thunderstorm meteorological data collection, and even large QB-17 Fortresses for Bikini Atoll atomic tests [Wes05]. The Korea and Vietnam wars saw major US development, introducing the AQM-34 Firebee and its derivatives [Wes05]. Flying over 3,400 missions (in Vietnam), this system introduced several new developments of the role and capability of UAVs: photo reconnaissance, Electronic Intelligence (ELINT), decoy, Electronic Counter-Measures (ECM), even weapon delivery including torpedoes and 500lb iron bombs; and technology improvements such as long-range navigation (using LORAN) and datalinks for image data download. An example of these more sophisticated UAVs is shown in Figure 1a.
Figure 1a - AQM-34 derivative showing the improving reliability of 'high end' UAV systems [Wes05]
In the 1980s and 90s, US funding receded in 'low-end' UAV systems, and instead switched into higher performance systems such as Predator and Global Hawk. Other countries continued to see the value of low cost reconnaissance systems as 'force multipliers' in dangerous situations. In this period, Israeli, French and UK systems (Phoenix) saw service in the Balkans, Afghanistan and Iraq. The military requirement for UAVs was now well established.
The 1990s finally saw some peaceful civilian uses for UAVs, such as NASA Pathfinder and Helios, for environmental monitoring. In 1998, a 13kg Australian system (Aerosonde Laima) crossed the Atlantic, opening the door for long endurance civil systems with fully autonomous navigation (using GPS) (see Figure 1b). UAVs are here and cannot be ignored!

Figure 1b - Aerosonde Laima Crosses the Atlantic (taken from www.aa.washington.edu/research/afsl/background.shtml)
Current and Future Directions
New technology is accelerating the pace of UAV development, and hence increasing the 'push' into the market-place. As Willbond notes [Wil05], not only has the aviation industry seen major developments, such as in avionics, fault tolerant flight controls and stronger / lighter composite materials, but the world overall is being changed by disruptive technologies such as Global Positioning navigation, faster / more flexible communications links and the incredible speed of development in computing power ('per pound' of hardware required to perform it). These changes are allowing UAV Systems themselves to develop as a disruptive technology - like the jet engine when it emerged among the piston-engined fleets of the 1950s, they do not just evolve from previous technology but completely revolutionise what can be achieved.

What is less certain at the moment is the direction of the 'pull' into the market-place - what do people want UAVs to do for them? As before, the military have more established requirements, based on the UAVs' perceived unique capabilities:

o They can perform jobs that are too 'dull, dangerous or dirty' to be undertaken by manned aircraft.

o However, they also have capabilities beyond those of manned aircraft - in particular to undertake tasks at extreme altitude, or of incredible endurance. They can also launch and recover from areas that manned aircraft (even helicopters) cannot get into or out from.

o With their relative low cost (compared to manned aircraft and helicopters), using several UAVs can perform some persistent tasks more cost-effectively than the few manned aircraft that could be deployed for the same resource.

Several military customers have published 'roadmaps' showing their requirements for UAVs, from the current situation out to quite extended timescales in some circumstances. What these declare is a vision of how they see UAV types and their operational capabilities developing. As Figure 1c shows (fairly typically), there is a wide spectrum of UAV types required, from micro (such as the Black Widow) costing a few hundred dollars and easily man-portable for operational-level deployment, up to large scale High Altitude / Long Endurance (HALE) type UAVs (such as Global Hawk) costing millions of dollars but delivering strategic-level capability.
Figure 1c - Spectrum of current UAV military types [Wei04]
Potential civil applications are held back from deployment in most nations, primarily because of the lack of certification and safe integration into the general airspace that this report explores ([Wil05]). Civil applications cannot, routinely, fit into a segregated range or battle area. Hence there are not, currently, many civil UAVs outside of experimental development and use. There are, however, many intended uses once the barrier of integration has been surmounted, such as [Okr05]:
o Environmental monitoring tasks, such as pollution patrolling, earthquake warning, animal population tracking, weather forecasting...
o Catastrophe management, allowing operation management, situation assessment, or direct action such as fire-fighting
o Patrolling low-population areas, for tasks such as Search and Rescue, or border security patrol (very useful as part of the US Homeland Security initiative)...
o Survey tasks such as geological surveys, pipeline / cable surveying...
Rather like the laser once was described, the civil UAV is a solution waiting for a problem, and uses will multiply once they have gained access to the necessary airspace.
Issues Relating to UAV Safety and Access to Integrated Airspace
In order to gain this routine access to airspace, UAVS designers, operators and regulators will have to address a number of significant safety issues, and these are discussed below. The issues identified from the Literature Search fall roughly into two areas:
o Those issues which derive from the UAVs' own disruptive technology;
o Those caused by the UAVs developing, not in a vacuum (as manned aerospace did in its first years) but in an already established manned airspace environment, which must come to terms with how to handle the newcomers.
These aspects are discussed in the following sections.
Note on UAV Classification
As discussed in CAP 722 [CAA04, Chapter 1], there are several ways of classifying UAVs in order to apply some common principle, such as by weight, kinetic energy, operating domain or mission type (and we look briefly at the issues this creates in section 1.1.1). However, when discussing the need to integrate UAVs into manned airspace, it is very useful to classify UAVs by the type of airspace they will operate within. On this basis (as proposed in [CAA04] and the corresponding UK military publication, Joint Service Publication (JSP) 550) an appropriate classification, which shall be used elsewhere in this report, may be considered as:
Group 1 - Those intended to be flown in permanently or temporarily segregated airspace (normally a Danger Area) over an unpopulated surface (normally the sea, following 'clear range' procedure).
Group 2 - Those intended to be flown in permanently or temporarily segregated airspace (normally a Danger Area) over a surface that may be permanently or temporarily inhabited by humans.
Group 3 - Those intended to be flown outside Controlled Airspace (Class F & G) in the United Kingdom Flight Information Region (UK FIR).
Group 4 - Those intended to be flown inside Controlled Airspace (Class A-E) in the United Kingdom Flight Information Region and United Kingdom Upper Information Region (UK FIR and UK UIR).
Group 5 - Those intended to be flown in all airspace classifications.
1.1 Safety Issues Relating to UAVs as 'Disruptive Technology'
Some issues with potential safety impact stem from the differences UAVs pose, compared to their manned predecessors. Some inherent issues are due to the very nature of their disruptive technology, whether or not there was an existing system to clash with. These aspects are discussed here (though some, inevitably, cause knock-on issues for the existing manned airspace environment and cross-references are given where appropriate).
1.1.1 Impact of the Variety, Roles and Performance of UAVs
Breadth of Scope of UAV System (UAVS) Varieties
The initial problem in discussing safety of UAVSs is the sheer breadth of scope of such systems. It is difficult to pin down generalities for a range of systems that embrace the palm-sized / Line of Sight (LOS) controlled micro UAV right up to the Boeing 737-sized HALE controlled via satellite datalink. This range is a challenge for the regulators - possibly more so than their manned counterparts, and we shall look more into this when we discuss issues of legislation and certification (section 1.2.1). Nelson and DeGarmo [Nel04] paint a fascinating set of 7 scenarios for UAV operations in 2020, ranging from a stratospheric airship acting as a telecommunications relay, to a team (swarm?) of UAVs on border patrol, and on to a 'media and traffic reporting' UAV operating under Visual Flight Rules (VFR) in an urban environment.
At this point, while it may not necessarily be a direct safety issue, the fact that authorities cannot classify UAVs (or even model aircraft [DeG04]) consistently shows the extent to which they challenge regular thinking. The Swedish Aviation Safety Authority believe it is necessary to define at least 5 classifications of UAV in order to arrive at a suitably granular understanding of requirements [Wik03]; the military tend to classify based on altitude and endurance, or sometimes on operational characteristics; other schemes by civilian authorities consider kinetic energy (i.e. mass and speed), or mass alone, or range, or operating airspace type, or potentially some measure of the level of autonomy. The FAA cannot even arrive at a consistent definition of what constitutes a UAV [DeG04, paragraph 2.4.1].
My concern is that these attempts to pigeon-hole UAVs into existing categories (or something similar) and manage them accordingly show a limited understanding of the nature of UAVSs and the safety risks they may pose: the accent is on trying to keep the status quo rather than address the rich differences that UAVSs present. This concern will reappear regularly throughout this report.
UAV Performance
UAVs can perform differently to their manned counterparts, in part due to their different size and sometimes unusual planform. Sometimes the performance is possible primarily because they are unmanned and aren't limited by human frailties. The fact that they perform differently means that they can be difficult to slot into a stream of manned aircraft traffic. DeGarmo [DeG04] in particular notes the variation in performance capabilities of different UAV systems. Some will operate very slowly, with limited manoeuvrability, while others may be faster and more agile than their neighbours. Relative differences in velocity and manoeuvrability introduce potential conflict which must be managed.
UAV Roles and Mission Profiles
If UAVs lack performance commonality with manned aircraft, they also lack predictability of flight path, with their roles and missions introducing unusual flight behaviour. DeGarmo again [DeG04, paragraph 2.3] discusses how UAV types of mission are rarely 'point to point' but instead have variations of patterned flight, loitering, tracking and orbit activity. There is even the possibility of planned flight termination, with the vehicle potentially suddenly entering a 'falling leaf' or parachute recovery in the path of other traffic - while this was not discussed in the literature reviewed, it would be an obvious concern in traffic. [DeG04] does propose the establishment of designated flight recovery areas, where UAVs could go to 'die' (flight terminate), assuming that power and control were still available. In the CRS Report for Congress [Bol05] there is the interesting prospect of swarms of UAVs operating mutually under a common human controller, on border patrol. This introduces the potential for the UAVs' mutual interference, as well as constituting a widespread hazard for other aircraft and the ground-based population (see 'increased traffic' in section 1.2.2).
Before getting too excited over these differences, though, perhaps we should consider whether parallels may be drawn with the capabilities, roles and flight patterns of helicopters: the fixed wing fraternity has managed to accommodate these vehicles, so perhaps there is fair hope for UAV integration.
Launch and Recovery
In [DeG04, paragraph 2.3] DeGarmo discusses the UAVs' next trick - the capability to launch and recover from almost anywhere (in aircraft terms). While it is true that large UAVs will generally operate from airfields (itself something of an issue - see 'airfield operations' in section 1.2.2 of this report), smaller UAVs are designed to operate not just from runways but also from ships, open country, even buildings and urban environments. The implication (not explicit in the text) is the safety risk associated with the UAV's sudden and unexpected insertion into manned traffic, as it rises from below. Conversely, the UAV may perform a sudden change of vector, not expected by manned traffic on a parallel point-to-point flight, as it turns into a recovery pattern. However, as for the discussion over roles and mission profiles, the literature does not draw any parallel with the introduction of helicopters into fixed wing aviation, and I feel that there could be useful aspects to draw from the experience gained with this, in the cause of UAV integration.
1.1.2 The complex system boundary for UAVs
Extended System Criticality
Several sources recognise the criticality of the UAVS overall, and not just the vehicle. Certainly, the ground support environment plays its role in manned aviation, but in UAVSs there are a number of direct causal links that can affect safety in real time.
The Joint UAV Task Force (UTF) [UTF04, sections 7.2 and 7.3] recognised this criticality when they proposed extending the usual definitions of 'airworthiness' to include all safety critical elements of the system, such as Ground Control System, datalink, Flight Termination System etc. They then took this further to suggest that some of these elements (and others such as Flight Control / Flight Management System, the Control Station and Launch / Recovery equipment) should themselves be subject to Type Certification (discussed more in section 1.2.1 of this report). DeGarmo [DeG04, section 2.3.3] extends the boundary further to consider the information and data systems used by the UAVS, including those derived from wider sources. He suggests that we need to consider the data being passed around the system internally, such as navigation and position data and telemetered parameters; then to look further out to consider the mission planning / retasking from the ground station; and then further still to consider the data sources feeding the GCS, such as terrain databases, weather databases / live links, and possibly dynamic Air Traffic Management (ATM) data such as time-dependent clearance blocks. DeGarmo goes on to discuss US plans for an ATM information network, but whatever the implementation, the UAVS, vehicle and GCS will inevitably have to interface with various proprietary wide-area networks and even internet based information networks.
None of the documents agree entirely on what the critical elements are. The CAA offer a useful maxim: "Where any function of a UAVS is essential to, or can prejudice, continued safe flight and landing of the UAV ... have to comply with the applicable airworthiness requirements" - this allows some flexibility to identify the critical elements pertinent to the system under consideration, but without saying what those applicable airworthiness requirements might be.
It is clear that the overall 'system' is extended even within those elements in the control of the UAV organisation. If we consider all the system elements that could affect safety, we have a very extended critical system. In effect, we can view this as a particularly interesting 'System of Systems', with varying levels of coupling between the different system elements.
Command Datalink
A key integrating element of the extended system is presented by the Datalink. It links the UAV with its Ground Control System for guidance and telemetry, plus a host of other system-specific possibilities. Being the system 'glue' in this way makes it a critical element of the extended system, a fact not missed among the literature.
Reliability: Schneider [Sch04] notes the need for dependable, Over the Horizon datalinks to be developed, possibly using dual redundant Satellite Communications (SatComms) (an important feature for the current US trend for large, long range UAV systems). In [UTF04], reliability requirements are developed further, with proposals that no single failure within the system (uplink or downlink) should affect normal control of the system, and the need for Electro-magnetic Interference (EMI) hardening to protect the datalink. They also highlight the need for link data (such as signal strength or coverage limitations) to be displayed to the UAV pilot (UAV-p), to ensure that he can monitor its continuing reliability. But no matter how reliable command datalinks will prove to be, the requirement to deal with loss of datalink will remain as a particular risk to be addressed, and regulators will demand Standard Operating Procedures (SOPs) to deal with the occurrence (see section 1.2.2). [UTF04], [CAA04] and many others repeat this requirement many times.
Spectrum availability: [Sch04] starts the analysis by initially stating that manned aircraft operators were bemoaning the rate at which UAVs would eat up available frequency spectrum; but then he offsets this by suggesting that, in a networked environment, the presence of UAVs will allow information to be shared more easily and hence reduce the number of other airborne sensors needing bandwidth. Somehow, I suspect that this gentle balancing of systems is unlikely to occur in reality, but instead the airborne sensors will also grow in number and compete for spectrum. This view is shared by the CAA's Mettrop [Met05], not just because of the number of UAVs but because of the growth in the number of sensors and command frequencies required by both manned and unmanned systems. His paper looking at the difficulties of trying to negotiate international agreements through the International Telecommunications Union (ITU) paints a fairly bleak picture, and raises the likelihood of Radio Frequency (RF) interoperability and interference problems between systems due to sheer density of vehicles or simple differences in allowed frequency between countries. DeGarmo [DeG04, 2.3.4] also believes things will be tight, but suggests that, in the future, innovative solutions may come to light such as flexible frequency use: although nearly all the civil frequencies are allocated, only 2% are actually in use at any one time, so there could potentially be plenty to 'share' - this may be tricky to align with the need for dependability of a command datalink, but perhaps other uses (such as voice communications ('comms') or non-priority sensors) could be re-allocated to use this technology and free up spectrum.
Connection path: Current, small UAVs generally use VHF / UHF datalinks, giving direct Line-of-Sight capability. This can cause problems with terrain masking (as noted briefly in [UTF04]) and affect the possibility for low-level operations. [DeG04] discusses other options: the US has made use of commercial and military SatCom links [Sch04] and potentially there is access via Iridium Low Earth Orbit (LEO) satellites. Each of these potential connection paths changes the system boundary, which returns us neatly to the opening statements of this section - the UAV and its extended system criticality.
1.1.3 UAV autonomy - technology, predictability, complexity
Tim Willbond [Wil05], in his keynote speech at the Royal Aeronautical Society (RAeS) conference in 2005, talked about the two-edged sword of autonomy in UAVs: on one hand, it is a key enabling technology, allowing flexibility to the UAV, capability to the human operator and providing fall-back options if the datalink goes down; on the other hand, it will be a major hurdle to prove its dependability to allow integrated operation in manned airspace. To consider its hazards, we need to understand a little of what autonomy may be like 'in service'.
Autonomy level factors
When we talk about autonomy levels, we are talking about a continuum of system authority: at the one extreme, where the system has no autonomy, the human operator has full control of the system at the most basic level, making inputs to the direct control actuators of the vehicle. At the other extreme, with full autonomy, the system is able to exercise its own control, make its own decisions, learn new tactics and shape the mission, without even informing the human operator. Most likely, systems in the near future will exist somewhere in between.
The military have traditionally used a simple linear scale (usually 1 - lowest to 10 - highest) to describe a UAVS level of autonomy. However, Huang [Hua04, 2] suggests that the answer is more complex. He proposes that a number of factors provide the real indicator of the autonomy level: difficulty of the environment; complexity of the mission; and operator interaction (inversely proportional - less interaction is more autonomous). For our consideration of safety, each of these axes would give us a series of issues to be considered. Is the UAV autonomy appropriate to the situation it finds itself in? What if one of these factors changes?
Platt [PlJ05] takes a broader, less constrained view, and says that the autonomy of a system is a function of: the operator's interaction and its context; the types of reasoning about the environment that the system employs; and the types of knowledge that the system has available or can gather. Figure 1.1.3a, below, does two things: it gives a view of how the environment and mission context might drive the required level of autonomy; but, again, it indicates how these axes could become safety issues, if our UAVS, equipped to a certain level of autonomy, gets pushed beyond its intended model.
Figure 1.1.3a - Autonomy level variation with required flexibility of mission / environment and certainty of information
Autonomy v Ground Control:
The Joint UAV Task Force [UTF04, section 7.9] propose that the Human Machine Interface will be a critical area of autonomy design and regulation, with the need for a careful trade between autonomy level and the capability of operator intervention. While the spirit of this is clear, it may represent (again) a too black-and-white mental model of autonomy and human interchange. Walan [Wal03] instead suggests that the situation changes between different mission types and even during the same mission. Periods of intense action such as mission planning and sensor operation may be interspersed by long periods of boredom and lapses of operator awareness, and this would be much increased for an operator responsible for multiple UAVs in a package. What he offers is a model for variable autonomy, what he calls "sharing control rather than trading control" - "Sharing control means that the human and the computer control different aspects of the system at the same time . . . Trading control means that either the human or the computer turns over control to the other".
Platt [PlJ05] supports this view. In Figure 1.1.3b, Platt suggests that the scope of an operator's inputs to and desired outputs from the UAVS can be modelled at different scopes - from direct system control (Tier 1) through tactical system management of the vehicle configuration (Tier 2), up to strategic overall mission management (Tier 3). Figure 1.1.3c then shows how the autonomy / authority can be varied to suit the operator's needs for a given situation.
Figure 1.1.3b - Optimising autonomy level to suit operator's [mission] needs
Figure 1.1.3c - Varying the UAVS autonomy level to suit the required level of operator authority for a situation
Whilst debating the required share of autonomous functions, note should be made that some autonomous behaviour will be demanded by the regulators and ATM providers, primarily for actions in the event of emergency situations - section 1.1.2 refers.
Reliability and predictability
Autonomous behaviour will demand a safety critical consideration of its reliability. As Schneider notes [Sch04], "Conflict avoidance, especially in a fully autonomous, lost link situation, will be the Achilles heel challenge for the FAA to prove" - he demands an Equivalent Level of Safety (ELOS) for UAVs with autonomous vehicle operation.
What makes an autonomous system hard to trust? Platt [PlJ05] proposes two general reasons: the gulf of execution - does the system take actions that correspond to the intentions of the operator; and the gulf of evaluation - can you monitor the state of the system, and what is the difference in state from that intended. When we get to considering autonomy for high level functions (Tier 3 in the above discussion), Platt assumes that these will most likely be controlled using 'agent based' methods (see Figure 1.1.3d below). These introduce three areas of uncertainty:
o These are a novel application in air vehicles and hence there will be issues of expertise, trust and clearance
o They require accurate capture and specification of the 'agent' behaviours beforehand, giving issues of knowledge acquisition (and requirements elicitation - see York module on Requirements Engineering (RQE)).
o There will probably be more than one 'Artificial Intelligence' method used to implement the decision making, and these will introduce new issues of architecture and integration
Figure 1.1.3d - 'Agent' view of the UAVS assets and mission decision-making environment (for a multi-UAV scenario)
Platt echoes the old cry of "It's only software!" and the issues of predictability that entails (see York Computers and Software (CAS) course). He proposes that the challenging issue will be in trying to ensure that a clear distinction is made between safety critical and mission critical functionality, such that inevitable changes to the mission critical aspects cannot impact on the safety critical aspects.
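One way to make Platt's distinction concrete is a run-time partition: a fixed, separately assured safety guard that checks every command the (changeable) mission planner proposes against the cleared flight envelope, and substitutes a pre-verified hold if the proposal breaches it. The following is an added illustration written for this edit, not code from the report or from any UAVS it cites; the envelope limits, waypoints and the two planner versions are assumed values.

```python
"""Run-time partition between a changeable mission planner and a fixed
safety guard.  Added illustration for this edit, not code from the report
or any UAVS it cites; the envelope limits, waypoints and planner behaviour
are assumed values."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Waypoint:
    lat: float        # decimal degrees (assumed WGS-84)
    lon: float
    alt_ft: float     # feet above mean sea level
    speed_kt: float   # commanded ground speed; 0 means hold / loiter


@dataclass(frozen=True)
class FlightEnvelope:
    """The cleared block: a lat/lon box, an altitude band and a speed cap.
    This is all the safety-critical partition needs to know, and it does
    not change when the mission software changes."""
    lat_min: float
    lat_max: float
    lon_min: float
    lon_max: float
    alt_min_ft: float
    alt_max_ft: float
    speed_max_kt: float

    def violation(self, wp: Waypoint) -> Optional[str]:
        """Reason the waypoint breaches the envelope, or None if it is clear."""
        if not (self.lat_min <= wp.lat <= self.lat_max
                and self.lon_min <= wp.lon <= self.lon_max):
            return "outside lateral corridor"
        if not (self.alt_min_ft <= wp.alt_ft <= self.alt_max_ft):
            return "outside cleared altitude band"
        if wp.speed_kt > self.speed_max_kt:
            return "exceeds speed limit"
        return None


class SafetyGuard:
    """Safety-critical partition: never plans, only accepts or refuses what
    the mission partition proposes.  On refusal it substitutes a fixed,
    pre-verified fallback (hold at the last accepted position)."""

    def __init__(self, envelope: FlightEnvelope, initial: Waypoint) -> None:
        if envelope.violation(initial) is not None:
            raise ValueError("initial position must lie inside the envelope")
        self.envelope = envelope
        self.last_accepted = initial
        self.refusals: List[str] = []

    def gate(self, proposed: Waypoint) -> Waypoint:
        reason = self.envelope.violation(proposed)
        if reason is None:
            self.last_accepted = proposed
            return proposed
        self.refusals.append(reason)
        held = self.last_accepted
        return Waypoint(held.lat, held.lon, held.alt_ft, 0.0)


def mission_planner_v1(leg: int) -> Waypoint:
    """Mission-critical partition: a simple creeping-line search inside the box."""
    return Waypoint(51.50 + 0.01 * leg, -1.00, 3000.0, 80.0)


def mission_planner_v2(leg: int) -> Waypoint:
    """A later mission change that (wrongly) strays north of the corridor and
    above the cleared band on leg 2.  The guard must contain it unchanged."""
    if leg == 2:
        return Waypoint(51.70, -1.00, 6000.0, 80.0)
    return mission_planner_v1(leg)


def fly(planner: Callable[[int], Waypoint], legs: int = 4) -> Tuple[List[Waypoint], List[str]]:
    """Constructed scenario: a four-leg sortie inside an assumed cleared block."""
    env = FlightEnvelope(51.45, 51.60, -1.10, -0.90, 1000.0, 5000.0, 120.0)
    guard = SafetyGuard(env, Waypoint(51.50, -1.00, 3000.0, 0.0))
    flown = [guard.gate(planner(leg)) for leg in range(legs)]
    return flown, guard.refusals


if __name__ == "__main__":
    for name, planner in (("planner v1", mission_planner_v1), ("planner v2", mission_planner_v2)):
        flown, refusals = fly(planner)
        print(name, [(w.lat, w.alt_ft, w.speed_kt) for w in flown], refusals)
```

The point of the structure is that `FlightEnvelope` and `SafetyGuard` are the only parts that need the higher assurance level, and nothing in the planner (which is the part that will be edited every time the mission changes) can widen the envelope or bypass `gate`; a planner defect shows up as a logged refusal and a hold, not as a departure from the cleared airspace.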
UAV 'Airmanship'
In section 1.2.2, we look at issues of ATM interaction and the need for 'transparency', i.e. the ability of the UAV to behave in the same way as manned aircraft, and (for highly autonomous systems) this function will fall to the vehicle autonomy. Behaviours and judgments such as applying rules of the air, navigating, sensing and responding to weather conditions fall into this vague category of 'airmanship' and are difficult to describe, let alone specify - in some cases, behaviour should be absolutely predictable (such as generally within an airspace corridor) and in others, instantaneously flexible (such as in collision avoidance). Airmanship is both planning for expected events, plus reacting (predictably but swiftly) to external events. Marsters and Sinclair [Sin03, section 4] say that "The precision and repeatability of technological solutions notwithstanding, the knowledge, judgment and skill (sometimes called 'airmanship') of the on-board pilot will be difficult to emulate."
DeGarmo [DeG04] looks at various airmanship issues, such as how the UAVS detects and responds to weather systems and conditions - in some cases coping with the conditions, but in others deciding how to route to avoid them. This may be quite an issue, especially for smaller UAVs more sensitive to weather (see section 1.1.1). He also looks at how UAVS decision making matches the expectation of Air Traffic Control (ATC) decision making tools (such as those used to effect Traffic alert and Collision Avoidance System (TCAS) manoeuvres).
A critical aspect of UAV autonomy will be the vehicle response in the event of command datalink failure (as noted elsewhere, in sections 1.1.2 and 1.2.2). DeGarmo [DeG04], for example, calls for pre-programmed actions, diversionary sites / flight termination areas and procedures to be defined - what this implicitly calls for is that, in the event of datalink failure, the UAV can successfully analyse the situation (including external factors such as weather conditions), decide on the course of action, and navigate its way there predictably and dependably. Such functions are identified in a number of other documents, including the CAA in CAP 722 [CAA04].
1.1.4 Accident rates and reliability - UAV airworthiness
This section looks at the accident rates and reliability of current UAV systems, related to achieving safety levels acceptable for flight in unsegregated airspace / terrain. It discusses the inherent safety levels for UAVS, rather than the demands for legislation, standardisation and regulation to achieve such levels, which are covered in section 1.2.1.
The Catastrophic failure rate is too high (currently)
Indications are that the failure rate for UAVs is currently too high. DeGarmo [DeG04, 2.1] quotes US DoD analyses that show the UAV catastrophic failure rate (in terms of vehicles lost rather than induced fatalities) at around 50 times that of an F-16 (itself held to be a fairly risky platform), and around 100 times that of more general aviation. Another statistic compares an accident rate of 0.06 per million flying hours for U.S. commercial aircraft in U.S. airspace to a rate of 1,600 per million flying hours for the Global Hawk. Clearly such figures, if read across to UAV operation in unsegregated airspace and larger UAV fleets, would not seem tenable. Part of the problem is the data - all of it, currently, is sourced from military UAVS which have often been rushed from research into service (e.g. Predator use in Afghanistan); have been employed in fairly high-risk operations; and come from a very small sample, compared to the manned fleet they are being compared with [DeG04, 2.1.2]. Nonetheless, such figures would not currently support integration.
If the situation is to improve, we need to understand the causes of the poor safety record. This is not easy: as Williams [Wil04] notes in his review of UAV Human Factors issues, there is a lack of good, reported UAV accident data, even in the military: until recently, the US Army and Navy classified UAVs as 'vehicles', and treated accident investigation similarly to damage to ground vehicles. The US Air Force did carry out more detailed investigations but would not release information into the public domain. As a result, most UAV accident 'statistics' are based on aggregated information or single sentence entries - it is thus difficult to derive significant causal analysis. DeGarmo [DeG04, 2.1.2] tries to pick through what is available, quoting DoD analyses again to state that around 75-85% of the failures were due to equipment failure (37% propulsion, 26% flight control, 11% communications link; 17% human factors, 9% miscellaneous). He states that such figures are not unexpected: as we noted above, the current generation of UAVS stem from research programmes, and/or have been 'thrown' together to satisfy high risk operations at low cost, thus redundancy and reliability have not been high priorities. It is not stated, but we can presume that military programmes have also assumed a higher acceptable risk level, combined with operation over unfriendly territory, so concerns over ground or air collisions have also been pretty low - we are not assessing the record of systems designed for operation in integrated airspace over 'friendly' populated areas! Schneider [Sch04] concurs, providing a little more detail on the equipment failings:
o Propulsion system unreliability relates to the search for a reliable 'heavy fuel' engine that can cope with the extended endurance requirements, at temperatures and altitudes not generally experienced.
o The flight control failures, on the other hand, relate to the use of COTS actuators, some drawn from commercial non-aviation sources (hence not intended for this level of criticality) and often being used outside their intended environment.
Schneider concludes that, while current UAVSs could have been designed, fabricated and maintained to manned aircraft levels, this has clearly not been the case so far.
Bolkcom [Bol05] also highlights the problems due to evolving technology in this generation of UAVSs, but says that the equipment issues are heightened because the UAV-p is removed from the event: rather than being a direct Human Factors accident, instead an equipment failure develops into an avoidable accident because the UAV-p is less able to diagnose and correct problems; he lacks the 'seat of the pants' sensory inputs. There is further discussion of Human Factors safety-related issues in section 1.2.5.
What is acceptable Safety Risk?
DeGarmo [DeG04] says that, to gain acceptance, UAVS will have to prove that they have an Equivalent Level of Safety (ELOS) to manned aircraft. But defining this 'equivalence' in terms of actual safety requirements is very difficult. The CAA echo this general requirement [CAA04], saying that UAVs operating in the UK "...must not present or create a hazard to persons or property in the air or on the ground greater than that attributable to the operations of manned aircraft of equivalent class or category". [UTF04] also starts with a general principle of equivalence, that requirements should be no less demanding than those currently applied to comparable manned aircraft, but does then try to achieve fairness, in that such requirements should not penalise UAV Systems with higher standards simply because technology permits. This gives us a concept of balanced safety requirements, but how could we define such requirements?
The Swedish Aviation Safety Authority in [Wik03] takes a fairly pragmatic view. They are content to allow a higher accident risk per flight hour for UAVs during the earlier development period, provided that this is balanced by a low number of flights / UAVs to ensure that the risk to the overflown public or manned aircraft remains acceptably low. As the number of UAVs increases, the reliability of systems must increase sharply to keep the individual risk low. They consider an overall balanced target of no more than 1 death on the ground per 50 year period; and in the air, UAV systems shall not give rise to more near collisions, calculated per flight (or flight hour), than manned aircraft have caused during the most recent ten-year period. [Wik03] refers in turn to [Mar03] to calculate the allowable critical failure rate per UAV flight hour. This they derived by reckoning the overall target against the number of flight hours per annum, the population density (assuming flight over a low density area in the early years) and the 'lethal swathe' area determined by the expected crash mode of the system - a horizontal crash creating a longer, bigger swathe than a vertical dive. In this way, they say, by controlling the number of allowed flight hours, the failure rate for a given system can be allowed to be higher in the early stages.
Weibel and Hansman [Wei04] take a slightly different approach to achieving balanced safety targets, in their attempts to identify required levels of reliability to avoid ground and air collisions. For ground collisions, they start with the FAA requirement for a 'hazardous' event (assuming that the number of fatalities in any event will be small, hence not catastrophic) to occur less than 1x10^-7 per operating hour. From the National Transportation Safety Board (NTSB) records they found the actual number of ground fatalities per operating hour to be 2x10^-7 per flying hour; and then set a target level of safety an order of magnitude higher, at 1x10^-8 ground fatalities per hour, in recognition that, to gain acceptance, UAVs will need a greater level of safety than manned aircraft. For air collisions, the FAA target of less than 1x10^-9 collisions per hour was taken, for ELOS. In calculating the required levels of reliability, [Wei04] goes into more depth (than [Mar03]) in assessing the risk, taking into account the UAV mass and barriers to actual fatalities. For ground collisions, these barriers are proposed as: population density, shelter afforded by buildings, and likelihood of fatal penetration. For air collisions, they propose the 'collision volume' of the UAV and manned aircraft (their near-miss area extruded along their intended flight route), the size, length and traffic densities within controlled airspace, and finally a probability that the collision may not actually cause fatalities - the latter does not accord with the CAA view that 'nearly all collisions result in fatalities' but does allow for the fact that birdstrikes etc. are usually survivable, and we are discussing a wide spectrum of UAV sizes and masses. Interesting (but maybe not unexpected) conclusions from the study are that high mass, high altitude UAVs in controlled airspace will have to achieve a much higher level of safety (because of their kinetic energy capability) than smaller vehicles in less dense airspace; but that the former would be more able to meet such levels from inclusion of redundant systems and co-operative collision avoidance technology, because of their size and sophistication.
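The two ground-risk derivations just described, the [Wik03] / [Mar03] flight-hour-capped target and the [Wei04] per-hour target with shelter and penetration barriers, can be carried through numerically. The following is an added worked example written for this report, not code from the thesis or from any of the cited papers; the lethal areas, population densities, shelter factors and penetration probabilities in it are constructed illustrations, and only the 1 death per 50 years and 1x10^-8 fatalities per hour targets come from the text above.

```python
"""Deriving an allowable critical-failure rate from a ground-fatality target.

Added worked example, not code from the thesis or from [Wik03], [Mar03] or
[Wei04]. It carries through the chain of reasoning both passages describe:
a fatality target, the 'lethal swathe' area set by the crash mode, the
population density under the route, and (following Weibel and Hansman) the
shelter and fatal-penetration barriers. Every number below other than the
two targets quoted in the text is a constructed illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class GroundRiskInputs:
    lethal_area_m2: float       # 'lethal swathe' area for the expected crash mode
    pop_density_per_km2: float  # people per square kilometre under the route
    shelter_factor: float       # fraction of people protected by buildings, 0..1
    p_fatal_penetration: float  # probability that an unsheltered hit is fatal, 0..1


def expected_fatalities_per_crash(inp: GroundRiskInputs) -> float:
    """Expected ground fatalities from one uncontrolled crash.

    People inside the swathe = lethal area x population density; that
    exposure is then reduced by shelter and by non-lethal impacts.
    """
    density_per_m2 = inp.pop_density_per_km2 / 1.0e6
    exposed = inp.lethal_area_m2 * density_per_m2
    return exposed * (1.0 - inp.shelter_factor) * inp.p_fatal_penetration


def allowable_failure_rate(tls_fatalities_per_hour: float,
                           inp: GroundRiskInputs) -> float:
    """Largest critical-failure rate (per flight hour) whose expected
    fatalities per flight hour stay at or below the target level of safety.
    [Wei04] states the target directly per operating hour (e.g. 1x10^-8)."""
    return tls_fatalities_per_hour / expected_fatalities_per_crash(inp)


def allowable_failure_rate_from_period_target(deaths: float, years: float,
                                              flight_hours_per_year: float,
                                              inp: GroundRiskInputs) -> float:
    """[Wik03]-style target: at most `deaths` ground deaths in `years`, over the
    whole fleet. The fleet's annual flight hours turn that into a per-hour
    target, so capping flight hours directly relaxes the required rate."""
    tls_per_hour = deaths / (years * flight_hours_per_year)
    return allowable_failure_rate(tls_per_hour, inp)


# Constructed crash modes over a low-density area (10 people/km^2): a
# horizontal crash leaves a longer, bigger swathe than a vertical dive.
HORIZONTAL = GroundRiskInputs(200.0, 10.0, 0.5, 0.5)
VERTICAL = GroundRiskInputs(20.0, 10.0, 0.5, 0.5)

# Constructed [Wei04]-style comparison: a heavy UAV over a busier area versus
# a small one over sparse ground; the heavy one must be far more reliable.
HEAVY_URBAN = GroundRiskInputs(1000.0, 1000.0, 0.5, 0.5)
SMALL_RURAL = GroundRiskInputs(10.0, 100.0, 0.5, 0.2)
WEI04_TLS = 1.0e-8  # ground fatalities per operating hour, from the text


def swedish_scenarios() -> dict:
    """Allowable failure rates for the 1-death-per-50-years target, showing the
    effect of crash mode and of the permitted annual flight hours."""
    out = {}
    for hours in (1_000.0, 100_000.0):
        for name, inp in (("horizontal", HORIZONTAL), ("vertical", VERTICAL)):
            out[(name, int(hours))] = allowable_failure_rate_from_period_target(
                1.0, 50.0, hours, inp)
    return out


def weibel_scenarios() -> dict:
    """Allowable failure rates against the fixed 1x10^-8 per-hour target."""
    return {
        "heavy_urban": allowable_failure_rate(WEI04_TLS, HEAVY_URBAN),
        "small_rural": allowable_failure_rate(WEI04_TLS, SMALL_RURAL),
    }


if __name__ == "__main__":
    for (mode, hours), rate in swedish_scenarios().items():
        print(f"1 death / 50 yr, {mode:>10} crash, {hours:>7} h/yr: "
              f"max failure rate {rate:.2e} per flight hour")
    for name, rate in weibel_scenarios().items():
        print(f"TLS {WEI04_TLS:.0e}/h, {name:<12}: "
              f"max failure rate {rate:.2e} per flight hour")
```

Raising the permitted annual flight hours by a factor of 100 tightens the allowable failure rate by the same factor, which is exactly the lever [Wik03] proposes to pull as the fleet grows.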
Achieving Airworthiness
Marsters [Mar03] is clear that "It is very important that the overall safety-assurance for UAV operations outside reserved airspace be based upon the design, development and maintenance of highly reliable air vehicles." He goes on to say that UAV reliability and their contingent catastrophic failure rate must be acceptable by civil aviation standards, and this can only be achieved by adopting a stringent system-safety design regime for UAVs. What he proposes is to incorporate a 'FAR 1309-type' philosophy in the UAV flight-critical system safety design, and refers to ARP 4761 [SAE96] as a suitable approach for safety analyses.
The Swedish Aviation Safety Authority [Wik03] also place great faith in airworthiness through design, but note that there will also be requirements for operator and maintenance standards (of which more in section 1.2.1). The paper looks at JAR 25.1309 and JAR 23.1309 required analyses for manned aircraft, and briefly compares the applicability of such analyses to UAVSs. It concludes that targets such as allowable failure rates should be adopted, but that the methodology may be amended to suit the differences in UAVS. For example, where the Joint Airworthiness Requirements (JARs) make an assumption of 100 critical systems for large aircraft, and 10 critical systems for small single-engined aircraft, the UAVS designer may apportion required reliability more pertinent to the UAVS system breakdown, provided that the overall demanded reliability is thus achieved. This does seem to be a sensible proposition, and a suitable way of establishing 'equivalence' with manned systems in terms of reliability, while duly noting the differences that exist for UAVSs.
1.2 Safety Issues Relating to the Manned Airspace Environment 'Coming to Terms' with UAVs
Some safety issues are evident, not so much because of the nature of UAVSs, but because they are having to fit in and around an already established environment. When manned aerospace was at a similar point of development, the skies were empty - now the skies are full of manned aircraft and the monolithic environment of Air Traffic Control, procedures, regulations and so on that has been established over time to keep them safe. This section looks at those issues where the environment is struggling to come to terms with UAVSs and their nature.
1.2.1 Regulation, Certification and the Drive for Standards
Elsewhere in this report we look at characteristics of the UAVS such as airworthiness, safety requirements (section 1.1.4), operations (1.2.5), collision avoidance (1.2.3) and ATM interaction (1.2.2). The aerospace community's approach to try and ensure the safety of these characteristics is to derive regulations, certification and standards that must be applied. In this section, we look at the safety issues emerging from this 'must-do' philosophy.
Regulation
Manned airspace is a highly regulated environment, and it is worth a brief review of what this entails for the UAVS. At the top of the regulatory 'tree' is the Chicago Convention, specifically Article 8 which states that "... no aircraft capable of being flown without a pilot shall be flown without a pilot over the territory of a Contracting State without special authorisation by that State" [CAA04]. The push for regulators is currently to find international agreement on how to open up the skies to unmanned aircraft.
The CAA provide an overview of how regulation is flowed down from the Chicago Convention for aircraft generally, both manned and unmanned, in CAP 722 [CAA04, chapter 2]:
o European Aviation Safety Agency (EASA) regulation EC 1592/2002 applies generally to all aircraft in the European Union, for airworthiness certification and continuing airworthiness (maintenance and modification);
o This excludes 'state aircraft' (military, police, customs), research craft and those under 150Kg, to which national regulations must apply.
o Equipment requirements, operational rules, personnel licensing, aerodrome regulation and regulation of air traffic services are not (yet) dealt with by European Regulations and so are matters for national regulation for all categories of aircraft. The UK covers these (for non-military aircraft) under the Air Navigation Order 2000 and Rules of the Air Regulations 1996. Aircraft must have a Certificate of Airworthiness (Design and maintenance), a Permit to Fly (Operations) and Licensed Aircrew (for airspace and meteorology / visibility conditions).
CAP 722 then goes on, chapter by chapter, to try and state how general aircraft regulation (civil and military) should be applied to UAVSs. But there are many areas where the regulation becomes vague and stops fairly quickly after demanding 'equivalence' in terms of performance, safety levels, certification, interaction et al, without guidance on what the equivalence is to, or how the UAV differences may be resolved in this environment.
The Australian Civil Aviation Safety Authority (CASA) have similarly moved to apply existing regulation, and published their Civil Aviation Safety Regulations Part 101 [CAS04] to define how that was to be done. 'Define' is perhaps too strong a word - while the text appears definitive at first, this is predominantly for application to small and micro UAVs: once the regulation reaches larger UAV systems and operation, it basically refers the reader back to CASA, to establish written agreements on what can be flown, where and how. Perhaps its major contribution is that it allows small UAVs fairly good access, even to controlled airspace. This will allow building of experience for designers, operators, and ATC personnel and hence inform the wider use of UAVS.
DeGarmo [DeG04, section 2.4.3] discusses this worldwide move to try and apply existing manned regulation - he declares that it is good in principle, to apply existing regulation wherever possible, because it avoids developing new, specific regulation that might ultimately prejudice a developing area of UAV operation. Hence, he notes that this approach currently forms the backbone of the US development of a UAV 'roadmap' towards integrated airspace (and its equivalent can be found in most of the international roadmaps in development). However, he goes on to note that the wide variety of UAVs could make this universal application difficult to apply (as we discuss in section 1.1.1).
In their Joint UAV Task Force report [UTF04], Joint Aviation Authority (JAA) / EUROCONTROL provide a useful discussion of their philosophy for regulatory development for UAVs, and this has been flowed on through EASA into their provisional regulation under Advance Notice of Proposed Amendment (A-NPA) No.16-2005 ([EAS05]). Their guiding principles are that regulation should establish:
o Fairness - between competing UAV systems and with existing manned aircraft: hence the principle is to apply existing regulation wherever possible (in accord with DeGarmo, above).
o Equivalence - regulation covering UAVs should be no less, but also no more demanding than expected for manned aircraft systems: this they break down into equivalence of risk (see 1.1.4) and in operations (to meet the expectations of other airspace users). Few clues are provided on what to establish the equivalence to!
o Responsibility / accountability - clear demarcation of the organisation requirements for: design, manufacture, operation and maintenance of UAVS. The report notes the importance of maintaining the accountability chain in the event of extended UAV operations causing responsibility to be passed between personnel and organisations, even nations, as an operation proceeds.
o Transparency - especially for ATM: this does not seem so much a guideline as a pretty hard-line requirement, the fairness and applicability of which is discussed in section 1.2.2.
Eventually, EASA / EUROCONTROL settle down to consider regulation aimed at controlling their "5 pillars of safety and security": Airworthiness & Certification; Operations & Maintenance & Licensing; Security; Air Traffic Management; and Airports. However, they go on to reiterate that, currently, EASA only regulate airworthiness and environment, and they propose that a 'Total System' approach is required in the long run ([EAS05, IV-4-b]) as hinted at in [CAA04] above. A graphical representation is shown in Figure 1.2.1a, below.
Figure 1.2.1a - EASA / EUROCONTROL 'Total System' vision for aircraft / UAVS regulation
Certification
For the UAVS itself, certification literature falls broadly into two areas: that for the UAVS design, and that covering the operation of the system.
Design Certification
The first issue for regulators is to establish the basic strategy for certifying UAVS designs.
For manned aircraft, civil regulators have generally followed a standards-based approach and assume an independence from the operational considerations, while military certification authorities have followed a mix of standards and safety target / safety case methods in order to focus on eventual satisfaction of specific missions and uses. How then, to certify UAVS? DeGarmo [DeG04] discusses a CAA study in 2002 [CAA02], which assessed two approaches - safety targets (where, potentially, design requirements could be traded against operating requirements, such as operation over unpopulous areas to offset initial reliability concerns) and certification design requirements (standards). While the former was proposed as being easiest to apply, the CAA decided that this was "not consistent with International Civil Aviation Organisation (ICAO) ... legislation". The study went on to say that "the second approach, one that is requirements-based, was seen as more practical in that it is familiar to the aviation industry, it facilitates the development of common standards, and there are no special, type-specific, operating restrictions to address airworthiness uncertainties, therefore offering greater operational freedom". DeGarmo suggests that this will be the way most regulators will opt for, in spite of his earlier observation that there are no established standards for UAV systems.
The Joint UAV Task Force report [UTF04, 6.3.1.1] considered the same two options for certification. Again, they suggest that, given the current unknowns about the differences between UAV systems, the safety target approach would be easiest for UAVS application, but that the standards approach must be followed for the following reasons:
o In order to accept a safety case approach, the regulator needs to be closely linked to the operational acceptance side as well, in order to understand and apply controls. While this is possible for military systems, it is not for civil regulators - EASA, as noted before, do not have control of operations, personnel, airfields etc. Even if the regulator could control operating aspects, it could still prove unfeasible: if a safety case for a system was accepted on a risk-basis underpinned by assumptions of mission length and frequency, it would be difficult to enforce this generalised assumption to specific missions and tasks on a daily basis. Civil standards-based certification separates the design from the operation and enforces minimum standards.
o The separation of design and operation will ease the certification process in the longer term, to allow UAVSs to be used by a wider variety of operators and for a wide range of missions. It also facilitates export of systems and operation across national borders.
o In order to support fair competition for civil contracts, designers and operators need to face a 'level playing field' of certification, in order that one system under a particular regulator is not unfairly advantaged.
o The build up of civil standards has delivered manned aircraft systems that have safety levels accepted by the public, and the same should be expected for UAVSs. Also, civil aircraft manufacturers are comfortable with the standards-based approach, and it ensures clarity that, provided the minimum standard is complied with, the system will get certified.
Some of the above sounds like "it's worked for us on civil manned aircraft, therefore it must work for civil UAVs" and there is still the problem of finding applicable standards (see below). I feel it is very difficult to separate the UAV from its mission, in the same way that the military have recognised the inter-relationship, and the Joint European Task Force has already pushed the need for a 'total systems' approach (see above). There are still the vast differences between UAVSs to be dealt with (see 1.1.1). The glimmer of hope within [UTF04] and the related EASA proposed regulation of [EAS05] is that, apart from blunt-edged minimum standards, a safety objective approach based on CS.25 / 23.1309 type requirements should be established and followed. This at least means that system differences, safety risk assessment and the application of novel technology within the design may be identified and dealt with appropriately. This approach, and related literature discussing it, has already been discussed in section 1.1.4.
The CAA [CAA02] provides some assistance in the issue of deciding the equivalence of manned and UAV systems. Briefly, the method involves the consideration of two scenarios: i) impact with the surface at a velocity appropriate to an emergency landing under control and, ii) impact at a velocity resulting from loss of control at altitude. The kinetic energy for each case is calculated and then compared with the results of similar calculations as applied to a sample of the existing manned aircraft fleet. Consideration of the results gives a first order approximation, to look at the indicated certification requirements (such as EASA CS.23) and draw out relevant aspects for the system under consideration. Where necessary, different sources can be merged to give the best mix of requirements for the new system.
The next issue is that we need to be clear on what design aspects need to be addressed, and this is critical if the standards route is to be followed. DeGarmo suggests that most of the usual manned aircraft design requirements will apply, such as for structural integrity, performance, reliability, stability and control, but would need to extend to certification of the wider system elements such as the ground control station, data link, data security, launch and recovery mechanisms, and the autonomous systems and software integrated into the vehicle and ground elements. The extended aspects of 'System-of-systems' safety criticality have been discussed in section 1.1.2 - these would all need to be addressed for requirements, while recognising the different criticality of sub-systems between different UAV systems - this will be a major challenge.
Operations Certification
Marsters [Mar03] provides the overall context of operations certification. He suggests that any operator of UAVs wishing to routinely undertake missions in unsegregated airspace will apply for a UAV Operating Certificate from the relevant regulating authority, and that this application will provide "documented evidence of organisational competence and system safety", entailing:
o a description of the applicant organization, including relevant qualifications of competent technical and operational staff;
o a full safety history of the vehicles to be used and of the fleet of this same type;
o a global safety analysis for the combined vehicle - mission types;
o a full description of the design standards used for all flight-critical UAV systems (see Part 4, below);
o manufacturer's Flight Manual and manufacturer's Maintenance and Inspection Manual (see Part 5); and
o a Flight Operations Manual for the operating organization, including specification of the required qualifications and levels of training and proficiency for crew members (see Part 3, below).
This seems to provide the overall basis for a safety argument for the system in its intended use - while not as fully integrating as a safety case would be, elements such as the 'global safety analysis' mentioned above should help to bridge the gap between the bounded design certification discussed above and the actual usage of the system.
The Joint UAV Task Force [UTF04] took a fresh look at operations certification. Their review included: a brainstorming of particular aspects of UAVs that might not have a parallel in existing regulations for manned aircraft; a review of existing JAR (now EASA CS) regulations on operations, maintenance and licensing; and, where available, a review of EASA regulatory material. Once again, their standpoint is that existing certification requirements should be applied wherever possible - but then they identify many areas where this is not possible! For licensing of personnel, they proposed that it would be possible to modify existing requirements. But for operating aspects, EASA OPS-1 did not seem to offer equivalent types of operation (aerial work such as filming, agriculture, customs and police work are all excluded); similarly for maintenance operations EASA CS145, 147 and 66 did not always fit easily with UAV operators providing continuing airworthiness for systems undertaking the type and variety of work expected. The study concluded by reiterating that existing requirements should be used wherever possible - a not wholly useful conclusion, but it might be assumed that the intent is to use the existing requirement as a start point and extend it to cover appropriate UAV characteristics and operations. The CAA [CAA04] do not get much beyond this principle, suggesting it apply across the board to maintenance and continuing airworthiness, organisation and personnel licensing, and approval to operate.
Standards
DeGarmo ([DeG04] section 2.4.2) takes a broad look at the current initiatives on standards, and some of these are discussed below. He notes activities by US DoD and North Atlantic Treaty Organisation (NATO), the American Institute of Aeronautics and Astronautics (AIAA), ASTM International, the UK UAV Safety Subcommittee (Ministry of Defence (MoD) and industry group) and RTCA; but he voices concern that there is a competitive spirit between these schemes, and while the current lack of standards makes regulation difficult, a plethora of different standards would not help either. He identifies that the US government have mandated that global, consensus-based standards should be adopted wherever available, rather than developing government specific requirements.
ASTM International (originally the American Society for Testing and Materials) are one of the groups trying to establish suitable consensus-based standards for UAVs. In [AST04], their Statement on the role of ASTM International committee F38, they discuss the intent to raise standards to cover: Airworthiness; Flight Operations; Operator Qualifications. In line with the US Government requirement (and also, as discussed above, with EASA and CAA principles), these standards are to be established on the prioritised principle of: Adopt; else Modify; else Create, as appropriate to suit UAVs. As they note in their review of the US DoD 2005 Roadmap for UAV development [AST05-1], standards play a major role within the roadmap - without standards it is difficult to build regulation. One of F38's first priorities was to establish requirements for Sense and Avoid capability (see 1.2.3).
RTCA Incorporated (originally the Radio Technical Commission for Aeronautics) is another American society aiming to produce consensus-based standards, but is perhaps closer to the federal government (without being an actual government body). This is particularly true for UAV standards activities of Special Committee SC-203, as it was set up with dual sponsorship from the Aircraft Owners and Pilots Association (AOPA) and the Federal Aviation Authority (FAA), to consider the standards required to support UAV operations within the National Air-space (NAS). In the terms of reference for SC-203 [RTC05], their objective is set out to produce key supporting standards documents:
o A. Guidance Material and Considerations for Unmanned Aircraft Systems (UAS) - to provide a definition of UASs, the NAS environment, and taxonomy of UAS terminology.
o B. Minimum Aviation System Performance Standards (MASPS) for Unmanned Aircraft Systems - containing quantitative performance standards with specific focus on UAS level operational performance.
o C. MASPS for Command, Control and Communication Systems for Unmanned Aircraft Systems - recommended standards for command, control and communication systems used in conjunction with UAS operations: addressing (but not limited to): Human Factors; Reliability; Data Links.
o D. MASPS for Sense and Avoid Systems for Unmanned Aircraft Systems - recommended standards and procedures for UAS sense and avoid systems, providing a safety level equivalent to that for manned aircraft operations. This will address: Reliability Factors; Traffic Avoidance; Data/Communication Links; Operational Safety Considerations (see section 1.2.3 in this paper).
The Terms of Reference note that SC-203 is not a joint committee with the European Organisation for Civil Aviation Electronics (EUROCAE), but does at least indicate that they will liaise. EUROCAE has recently formed its own Working Group (WG-73) to provide support to introducing UAVS safely into integrated airspace, and ensure compatibility with existing infrastructure and systems. In particular, it is to help bridge the gap between existing and necessary regulation and standards, to allow integration. WG-73 will look at a broad spectrum of issues, including: Operations; ATM; Airworthiness and Safety; Test and Maintenance. The working group is intended to draw together the various international initiatives (European and US) and includes setting up joint activity with RTCA. Perhaps this will help to establish a more joint approach to regulation and standards than is currently the case.
1.2.2 ATM interaction
This section looks at the safety issues relating to interoperability of UAVs with Air Traffic Management (ATM) - particularly the personnel and technical systems. As DeGarmo notes [DeG04 section 2.3.1], a key part of understanding the concern this aspect causes is that, because of current segregation, very few UAVs have interacted with Air Traffic Control (ATC) and the ATM system, so it is difficult to predict what the real impacts might be. He postulates that it may be more an issue of uncertainty than any specific technical challenge. As I suggested previously (section 1.1.1), when people are faced with the unknown, they seek to impose their existing understanding and regulations upon it. Let's look at some of the specific issues.
The Requirement for 'Transparency'
The CAA's CAP722 Guidance for UAV Operation in UK Airspace [CAA04] sets the tone that is common to a lot of other authorities: "UAV operation is expected to be transparent to Air Traffic Service (ATS) providers. The UAV-p will be required to comply with any air traffic control instruction or a request for information made by an ATS unit in the same way and within the same timeframe that the pilot of a manned aircraft would." I.e. that the only difference an Air Traffic Controller would notice would be the 'UAV identifier' on his screens. But is this level of transparency feasible? We have already looked at some ways that UAVs are basically different from manned aircraft (section 1.1.1), so what are the implications for mixing them with the existing ATM elements?
ATC Systems
ATM in most developed countries has well established technical systems to assist ATC to track aircraft, request information from and pass instructions to the pilots of manned aircraft. How well can UAVs fit with these systems? Marsters & Sinclair [Mar03 part 3] in 2003 were suggesting a requirement for Transponder Mode S in Canadian domestic airspace, to allow ATC to interrogate / track UAVs; and the CAA [CAA04] and EUROCONTROL [UTF04] both specify an impressive list of required equipage, to be consistent with existing levels for manned aircraft in particular types of airspace. But UAVs (particularly the smaller types) will struggle to comply because of limitations of space, payload or even the available power. DeGarmo [DeG04 section 2.3.5] takes up this issue of equipage, but focusses on the navigational requirements. With incoming Area Navigation ('RNAV') procedures, regulations generally state that aircraft must "retain the capability to navigate relative to ground-based navigational aids" such as Very High Frequency (VHF) Omni-Directional Range (VOR) for certain airspace types. However, most UAVs use GPS in isolation, and would not be able to carry a VOR fit. It may be that UAVs will need the eventual back up of the European Galileo and Russian GLONASS systems to provide the required reliability to satisfy the authorities on navigational reliability in controlled airspace [Bon05] (i.e. Group 4 and 5 UAVs as defined in section 1.1).
[DeG04 section 2.3.1] extends this discussion to consider the Air Traffic Controller's display information. Because UAVs have different characteristics (see Section 1.1.1 of this report), he suggests that it is likely that they will need some specialized attention - hence a unique ID or symbol on display. He takes this first simple idea further by proposing that it may also prove valuable for ATC to know if the UAV is under manual or autonomous control; maybe even the need for a separate location / registration for the GCS, in case ATC need to speak directly with the pilot (while it is not discussed, I would propose that this would be even more crucial if the same GCS has control of several UAVs - the need for ATC to talk to the 'control node' if one or more of the associated UAVs acts out of turn).
[DeG04 section 2.3.2] also turns around the issue of ATM system integration in noting the need to ensure not just system compatibility but also interoperability - that UAV and ATM systems do not interfere with each other. In section 1.1.2, we considered the issues around datalink spectrum availability, but there are broader EMI effects due to the high-power nature of some of the ATM ground based systems (such as Precision Approach Radar) that the system will need to be proofed against.
Voice Commands
In Marsters' suggested flight approval process, put forward in 2003 [Mar03 part 3], he suggested the requirement for 2 way communications between ATC and 'vehicle commander', to allow flights in domestic Canadian airspace. Most proposed regulation since [e.g. UK in CAA04, Australia in CAS04] has similarly stipulated or assumed direct voice communications between ATC and the UAV pilot or controller. DeGarmo, once again [DeG04 section 2.3.4], takes up the practicalities of this proposed requirement, noting the need for ATC compatible VHF radios for voice comms. This is quite an overhead, as the UAV has to carry two radios (usually) to allow receiving of the voice comms from ATC (say) and simultaneous onward transmission to the GCS (and vice versa). DeGarmo suggests that in the long run, it would be useful to have ATC comms 'split' with both an air transmission and a ground relay direct to the GCS - but while this would improve reliability (fewer transmitters and receivers than needed at present) it would require significant resource to build up such an infrastructure, and it is hard to see how cash-strapped ATM services would jump to provide this until the requirement on them was made explicit.
All of the writers above have made an implicit assumption of the system - that voice comms must be relayed to the ground pilot. However Schneider [Sch04, chapter 6] takes a different view and instead urges the US to push research to allow UAV autonomy, through airspace situational awareness and speech recognition of ATC voice commands. Particularly where a single GCS has overall management of a number of UAVs but each has a measure of its own autonomous control, this must be the eventual approach, with each UAV having the ability to understand and communicate in speech, just as it will have in other information forms.
The expectations of the Air Traffic Controller
Let's turn to look at the human side of the ATM system, and especially how the ATC expects the UAVS to react in a 'transparent' manner. As we noted above in the introduction to 'The Requirement for Transparency', there are some aspects of UAV behaviour and characteristics that are plainly different to manned aircraft - how can these truly be absorbed into the existing ATM system? Some aspects we have discussed elsewhere, in particular the ATC expectations with regard to UAV characteristics (see 1.1.1), Airmanship (see 1.1.4), and Collision Avoidance (see 1.2.3). Here we look more generally at ATC expectations of UAVSs.
Marsters and Sinclair [Mar03 part 3] proposed that UAV operators would need a suite of Standard Operating Procedures covering all normal and abnormal flight conditions: the review and approval of these procedures by the ATM authorities would then form the basis for approval of that operator to conduct UAV flights. The CAA [CAA04] follows this approach, with similar requirements for a suite of procedures to foster planning and authorisation. This seems to be the general civil way, and we have already looked into this in section 1.2.1. DeGarmo [DeG04 section 2.3.1] looks more specifically into the procedures and expectations for conduct of flight in controlled airspace (such as might affect a Group 4 or 5 UAV). He suggests that where there are existing ATM procedures and routes (e.g. for Instrument Flight Regulations (IFR) ascent through airspace), these will have been built around the expected performance capabilities of manned aircraft - some UAVs will fit in this envelope, but others won't: thus, the ATM will either have to exclude them (not optimum for our vision of integrated airspace), or develop new routes / procedures to accommodate these specifically. DeGarmo's study also considers a UAV specific hazard, due to their sensitivity to wake turbulence (particularly the lighter wing loading of Long Endurance UAVs); current vertical separation minima may be inadequate for these UAVs, hence they could require special treatment in order to fly safely along existing corridors.
While most regulators are busy hammering home their requirement for transparency from the start, the Swedish Aviation Safety Authority seem more willing to take a practical approach in these early days of integration. In the paper proposing the Swedish approach until the EASA regulations mature, Wiklund [Wik03, section 3] proposes that, initially, it will be useful for 'special Air Traffic Controllers' to be lent to UAV programmes, to provide specific attention to separation of UAVs from other traffic; in this way, experience can be built for both UAV operators and the Controllers. This approach seems ideal as an answer to DeGarmo's point, noted at the very beginning of this section, that most issues may be due to inexperience and uncertainty rather than hard technical concerns.
The Demands of Increased Traffic
Even without the addition of UAVs, ATM systems are facing the problem of trying to reduce aircraft accidents while the number of manned aircraft looks set to increase significantly over the coming years. How will UAVs add to this? DeGarmo [DeG04 section 2.3.8] says the answer is... that we don't know! We need to study the effect of UAVs on airspace (and controller) capacity, including simulation of UAV numbers and looking at how different types of UAV and their varying performance characteristics affect the balance (see section 1.1.1 of this report). Factors such as the incredible endurance of some types (from 30 hours up to months at a time) mean that with UAVs there aren't just more aircraft, but they are airborne and loading the system for much longer.

Emergency Procedures
ATM systems set particular store in contingency planning, especially how to handle particular risks associated with aircraft, such as propulsion failure or communications loss. How will UAVSs and ATMs interact for UAV emergencies?
Marsters [Mar03 part 3] suggests that UAV operators establish procedures for dealing with Loss of Control Datalink: flight profiles, recovery areas, and diversionary airfields if appropriate. Other critical failures that could require an Abort and Flight Termination procedure (a UAV-unique feature discussed in 1.1.1) need to be established and briefed to ATC. He also states that the UAVS should have the capability to allow the UAV commander to squawk an emergency code independent of the vehicle itself, to allow independent broadcast of the emergency state to ATC and all potentially affected traffic. This seems like a good idea at first, but perhaps should be reflected on after consideration of the particular failures that might affect a specific system: e.g. a highly autonomous UAV could perhaps fly on perfectly safely in the event of a communications failure, without the need to 'frighten the locals'. I'm not sure if DeGarmo is hinting at this [DeG04 section 2.3.1] when he states that "The procedures to be taken by the vehicle will need to be communicated or predictable to the controller." I take this to mean that the procedures may be specific to a particular UAVS and its capabilities, provided that they are then made clear to ATC personnel who may interact with it. DeGarmo does try to standardise some of the emergency procedural aspects of UAVs [DeG04 section 2.3.7] by suggesting that aspects such as designated flight termination areas be declared and coded into available ATM databases, to ensure all are aware and plan accordingly. This would go a long way to making the common elements of UAV emergency procedures second nature to operators and ATC alike.
Airfield Operations
A significant aspect of ATM interaction can occur before the UAV even leaves the ground. How does the 'unmanned ground vehicle' cope with taxiing, braking, etc. in a ground-controlled environment such as a shared airfield? DeGarmo [DeG04 section 2.3.9] suggests that because taxiing requires precise ground movements and the ability to search for obstacles, most current UAVs lack this capability and so are towed out to the take-off position and back from the landing position. While simple for the UAV, this must increase the risk to the ground crew and slow down operations; there can be little doubt that future UAVs will have taxiing capability. Part of the problem is for the UAV to recognise visual signals such as traffic lights for manoeuvring, as noted by the Joint European UAV Task Force [UTF04 section 7.18]. They suggested that UAVs need a Ground Operator to interpret for the UAV and intervene. In a telephone call with the Parc Aberporth Operations Manager, it was confirmed that recent UAV operations had been achieved by towing the vehicle out to the launch point, thus avoiding the issue, but that proposed UAVs had a taxiing capability and that it was considered that a Ground Operator would look after the vehicle in the confines of the airfield (on the ground or on take-off up to 50 ft) then hand over to the main GCS for the remainder of the sortie. In the longer run, it is perceived that new UAVs will require autonomous ground operations to maintain the airfield movement tempo at busier airfields; this may even prove safer than manual control, as some high-profile manned aircraft accidents (such as at Tenerife) have unfortunately shown.
The paragraph above noted that current UAVs generally use manual take-off and landing. In the very near future, automatic take-off and landing (TO/L) systems are expected to be introduced. [DeG04] and others suggest that Differential GPS (DGPS) will be a key technology, as plain GPS will not be precise enough.
One last aspect of UAV airfield operations concerns landing at a diversionary airfield: will they be able to cope? The ASTM [AST05, 2], in their study, noted the lack of standards to define how airports should deal with UAVs in the event that they became an unexpected diversion. Suddenly, an airfield might find itself having to cope with the various issues noted above. Again, I suspect that this is really an issue of inexperience: in most cases, operators will file a flight plan and declare the diversionary airfields that they may have to use. Just as a civil Boeing 737 operator would only nominate a known 737-compatible airfield, the same would surely be true of a UAV operator, and part of planning will be to liaise and agree on diversionary procedures and facilities (as noted in 'Emergency Procedures' above).
1.2.3 Collision avoidance
The reader might wonder why there is a specific section on 'collision avoidance', when it seems that the majority of the other sections have already focused on safety issues relating to potential collisions. The reason is that, as Platt implies in his paper [PlP05], international regulators have followed a philosophy of layered defences to avoid collision risks. Platt talks of three layers that must be provided and prove independently effective (i.e. faults in one layer cannot be offset intentionally by dependence on another layer):
1. The outermost layer, strategic conflict management, is achieved through the overall structuring of airspace by type (to separate aircraft classes and capabilities) and use of ATM to maintain efficient flows and manage the overall traffic structure.
2. The middle layer is separation provision. This layer exists to ensure that separation minima are maintained if strategic management has been compromised. This is achieved through declared separation minima (to ensure adequately low risks), regulated Rules of the Air for flight planning and Rights of Way for airmanship, and specified equipment lists to ensure navigational accuracy and aircraft detection.
3. The innermost layer is collision avoidance. At this point, safe minima have been breached, and the successful outcome is simply to achieve a miss through emergency action. This is (currently) achieved for manned aircraft through visual lookout and gradual introduction of assisting systems such as Traffic Alert & Collision Avoidance Systems (TCAS).
Layer 1 is strongest (i.e. it is mandatory) in controlled airspace (class A-E in the UK FIR; see 'Note on UAV classification' in the introduction to the Literature Review), and is advisory where available in Class F airspace. In Class G, the home of most General Aviation, conflict management relies on layer 2 initially, and if this breaks down, then layer 3 is required to independently maintain safety. UAVS issues pertinent to strategic conflict management and separation provision are discussed in the other sections of this report. This section mainly focuses on collision avoidance as defined above.
Ground Collision Avoidance
Ground collision avoidance (or terrain avoidance) is somewhat the 'poor man' of UAVS literature, and not a lot is said about it in any detail. Perhaps this is because it is considered to be better understood, with more easily identifiable criteria drawn from manned aviation. The CAA in CAP722 [CAA04] merely state that an approved method of assuring terrain clearance is required, but do not give specifics. We could assume that the requirement is for 'equivalence' with methods in use in manned aircraft. This is supported by the EUROCONTROL position in [UTF04], which implies this by reference to existing Ground Proximity Warning Systems (GPWS).
The Australian and Swedish regulations ([CAS04] and [Wik03] respectively) do not go into detail about terrain avoidance so much as population avoidance. Both establish restrictions for flight over populous areas; the Swedes justify this position with details of their calculations for acceptable levels of ground fatalities (see section 1.1.4).
Most literature tries to lump ground collision avoidance into what they consider is the bigger problem of air-air collision avoidance. Whittaker [Whi05], DeGarmo [DeG04] and Platt [PlP05] imply that ground avoidance will be solved as part of the wider 'sense and avoid' debate (see below). I suggest that this is somewhat simplistic, because down in the detail, the characteristics for ground / obstacle target detection will be very different from those for point air targets, and the technical solutions and airmanship requirements will likewise be quite different. Fairly simple ground collision avoidance may be achieved, for example, through GPS and terrain database use (such as existing GPWS); this may be achieved in the UAV, or possibly in the GCS by relating the UAV's telemetered position to a terrain database. Some discussion over the acceptability of such solutions is presented in section 1.2.2, under ATC Systems.
Air-Air Collision Avoidance
Airmanship & Situation Awareness
We have already mentioned the role of procedures and regulations in the layered approach to conflict management, and this continues into the collision avoidance inner layer. The Joint European Task Force review the arrangements in [UTF04]; these are summarised here as follows. ICAO establish basic Rights of Way (RoW) for aircraft depending on their class, airspace and attitude; pilots are expected to respect these RoW using airmanship, in order either to stand on or to take avoiding action as appropriate to the RoW. In the last-ditch event that the appropriate aircraft does not take action, the stand-on aircraft must take emergency evasive action anyway, to suit the particular collision situation. This implies that, in order to respect the RoW, the UAVS must be aware of its situation in terms of the factors that determine who has right of way, and be able to react accordingly.
In CAP722 [CAA04], the CAA list a number of factors that affect the outcome in any particular collision avoidance scenario. The situation will vary depending on: whether all involved aircraft comply fully and correctly with the Rules of the Air; the controllability and manoeuvrability of each aircraft and their respective flight performance; and the level of autonomy of operation and control (in terms of the involvement, or not, of a ground pilot). In general, these aspects for UAVs are discussed in sections 1.2.1, 1.1.1 and 1.1.3 respectively, but it is important to note their implications in this safety-critical situation.
Conspicuity - being seen
In order that other aircraft may respect the UAV's position in the RoW, they need to be able to see the vehicle and its attitude. This issue is identified by the Swedish Aviation Safety Authority [Wik03]. Will other traffic be able to see the UAV? Will the UAV carry enhancing equipment (e.g. transponder, warning lights)? DeGarmo [DeG04] also identifies this issue. Many UAVs are fairly small, making them tricky to see, and even if seen it can prove difficult for the other pilot to judge their distance and closure rate.
Seeing and Reacting - Detect / Sense & Avoid
The Rules of the Air set requirements for aircraft pilots to See and Avoid other aircraft according to the established RoW, as discussed above. Here is the crux of the issue: it is generally believed that the UAV-p cannot adequately provide this function, as he will not have the required field of view and because of the complexity of the data link and control latency ([LeT02]). Currently, there are no approved collision avoidance systems suitable for 'Sense and Avoid' (the non-human equivalent of See and Avoid) and no accepted criteria against which to develop such technology, and this is the main impediment to UAV integration into manned airspace ([Ste05]). The issues that lead to this state of affairs are discussed below.
In CAP722 [CAA04], the CAA provide a list of 'Sense and Avoid' (S&A) factors, most of which are generally applicable to UAVS operation in all layers of conflict management. The document sets the requirement for a 'Method of sensing other airborne objects' but then goes on to say that it is not possible to define suitable criteria for a Sense and Avoid system until suitable technologies and their capabilities start to emerge in more detail. The best that they can currently suggest is to seek an Equivalent Level of Safety as for current manned aircraft. Schneider [Sch04], on the other hand, pushes the US government to support development and validation of robust 'Detect, See and Avoid' (DSA) requirements first, before trying to develop technology solutions. Personally, I feel these things must happen in parallel: requirements for specific classes of UAVs could be worked up through modelling, but need to be tailored with the art of the possible, as development of possible technologies yields information on likely sensor performance. In this way, an effective sense & avoid capability might be achieved by using a combination of methods, rather than coming purely from a requirement or single-technology focus. More is discussed on criteria below.
Marsters, in his earlier attempt at defining UAV regulatory requirements [Mar03], notes the problems with setting the baseline as 'ELOS' to manned aircraft, due to the examples where this has gone catastrophically wrong in the past. He calls for UAVs to be equipped with the emerging technologies of the day: TCAS and GPS-based Automatic Dependent Surveillance - Broadcast (ADS-B). But this is only part of the problem solved. DeGarmo [DeG04 section 2.1.1] notes that such existing systems can help detect co-operative aircraft, i.e. those carrying the required systems and transmitters to make their whereabouts known; but to be allowed into all classes of airspace, UAVs will need to be able to sense and avoid non-co-operative objects, such as most general aviation, microlights, even birds and ground obstacles such as masts. DeGarmo notes the activities of ASTM and RTCA to try and establish suitable criteria for such non-co-operative S&A systems, to provide ELOS to manned aircraft (see section 1.2.1). The paper looks at some developing technologies, discussing aspects such as field of view, detection ranges, false alarms, and performance in reduced visibility (though how does this compare with the human pilot's capability in such conditions?). Conversely, it notes that if the Sense & Avoid is not entirely provided on-board but requires interaction with the GCS, then there may be issues with decision making and data latency.
This is a timely point to discuss the shortcomings of manned See & Avoid. Marsters, in his paper with Sinclair [Sin03], gives a useful consideration of manned See & Avoid, with reference to work on the shortcomings of the unaided pilot. Marsters and Sinclair argue that UAV Detect & Avoid (or Sense & Avoid) must outperform human equivalence to ensure safety, though a fair portion of this may come from the fact that technical systems will provide constant scan, rather than being distracted as the pilot often is. In their review of a number of studies, results were showing that the performance of an 'alerted pilot' averaged about 1.6 nm detection range, while modelling of Global Hawk closing speeds, manoeuvrability and datalink lags was suggesting a required detection range of ~7 nm. This will vary considerably depending on the UAVS and whether the avoidance manoeuvre is initiated by the vehicle itself or by manned intervention, but it shows that a simple ELOS will pose some difficulties.
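As an added illustration that is not part of the report or of the Marsters and Sinclair study, the Python below works through a simple kinematic model of the kind that sits behind such a figure: the required detection range is the closing speed multiplied by the time spent deciding, waiting on the data link (only when the avoidance turn is commanded from the GCS) and turning far enough to build up a lateral miss. All numeric inputs, the turn model and the function names are constructed assumptions, not figures from the report.

```python
"""Required detection range for a Sense & Avoid turn (added example).

Constructed kinematic model: the clock starts at detection, the conflicting
aircraft closes head-on at the sum of both speeds, and the UAV must finish its
turn with the chosen lateral miss before the two tracks cross. None of the
numbers below are from the report; they are illustrative assumptions.
"""
import math

NM_M = 1852.0           # metres per nautical mile
KT_MS = NM_M / 3600.0   # metres per second per knot
G = 9.80665             # m/s^2


def turn_radius_m(tas_ms, bank_deg):
    """Radius of a coordinated level turn at true airspeed `tas_ms` (m/s)."""
    return tas_ms ** 2 / (G * math.tan(math.radians(bank_deg)))


def lateral_offset_time_s(tas_ms, bank_deg, miss_m):
    """Seconds, from the start of the turn, to displace `miss_m` laterally.

    In a turn of radius R the lateral displacement after turning through an
    angle theta is R * (1 - cos theta), so theta = acos(1 - miss / R) and the
    elapsed time is theta * R / TAS (the rate of turn is TAS / R).
    """
    r = turn_radius_m(tas_ms, bank_deg)
    if miss_m > 2.0 * r:
        raise ValueError("miss distance exceeds the turn diameter; one turn cannot reach it")
    theta = math.acos(1.0 - miss_m / r)
    return theta * r / tas_ms


def required_detection_range_nm(own_kt, intruder_kt, decision_s,
                                link_round_trip_s, bank_deg, miss_m, onboard):
    """Head-on (worst case) detection range in nm.

    Time budget after detection: `decision_s` to classify the threat and choose
    a manoeuvre, plus one data-link round trip (telemetry down, command up)
    when the turn is initiated from the GCS rather than on board, plus the
    turn time from lateral_offset_time_s. Both aircraft keep closing at
    (own + intruder) speed throughout that budget.
    """
    delay = decision_s + (0.0 if onboard else link_round_trip_s)
    t_turn = lateral_offset_time_s(own_kt * KT_MS, bank_deg, miss_m)
    closing_ms = (own_kt + intruder_kt) * KT_MS
    return closing_ms * (delay + t_turn) / NM_M


def compare_initiation(own_kt=300.0, intruder_kt=150.0, decision_s=5.0,
                       link_round_trip_s=2.0, bank_deg=25.0, miss_m=152.4):
    """Constructed scenario (assumed values, not the report's): the same
    encounter with the turn initiated on board versus from the GCS."""
    args = (own_kt, intruder_kt, decision_s, link_round_trip_s, bank_deg, miss_m)
    onboard = required_detection_range_nm(*args, onboard=True)
    ground = required_detection_range_nm(*args, onboard=False)
    return {"onboard_nm": onboard, "ground_nm": ground,
            "link_penalty_nm": ground - onboard}


if __name__ == "__main__":
    for name, value in compare_initiation().items():
        print(f"{name:>16}: {value:.2f}")
```

Every second of link round trip costs closing speed times one second of range, so the penalty for GCS-initiated avoidance grows with the closing speed regardless of how agile the vehicle is.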
1.2.4 Security and safety

There is no doubting the increased awareness of security issues that affects aviation generally since the events of '9/11' in 2001. But some suggest that UAVs potentially pose an increased risk, due to vulnerabilities that we will look at below. Some have even suggested that UAVs have an added 'attractiveness' for malicious terrorist use, because of their unmanned nature [UTF04, 7.15]. Whether these suggestions are realistic or not, the fact is that security is a critical issue that UAVs will have to prove they have mastered before being allowed into potential threat areas.
The suggested areas of concern all stem from the expanded system boundary that encompasses the UAVS as a whole (which we have already discussed in section 1.1.2). Let us now look at the impact of the external, malicious world on the system of systems.

Jamming of Navigation Systems
Although talking primarily about military applications, the Defense Science Board study [Sch04] raises the valid point that most current-generation UAVs use GPS-based navigation, and urges the fitting of jam-resistant GPS as a matter of course. Unless suitably hardened, civil UAVs could likewise suffer loss of their sole position-fixing capability, with potentially critical consequences.
Communications Signal Security
As the Joint European UAV Task Force note in [UTF04, 7.15], UAVs are currently (and for the foreseeable future) dependent on the integrity of the command datalink (see discussion at section 1.1.2). Maintaining integrity, from blunt jamming tactics down to more subtle spoofing or stealing of control, will have to be addressed. DeGarmo [DeG04, 2.2.2] suggests that modern encryption techniques and user authentication methods can help with the latter, but would not be able to assist against high-power jamming. He also suggests (sensibly) that UAVs will benefit from other signal-based industries which are working to obtain secure communications techniques.
None of the papers reviewed discussed the basic visibility of the signal to unwanted parties. One aspect of security can be to use specific frequencies to minimise 'broadcast' of the UAVS operation, or frequency-agile systems that both minimise the possibility of detection and reduce the effect of jamming to those frequency segments in-band.
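As an added example, not from the report or from any real UAV datalink, the Python below shows the kind of 'encryption and user authentication' countermeasure DeGarmo refers to against spoofing or stealing of control: each command frame carries a session id, a monotonically increasing counter and an HMAC over both and the payload, so a forged, altered or replayed command is rejected by the vehicle before it is acted on. The frame layout, key handling and command strings are constructed assumptions, and the scheme does nothing about jamming.

```python
"""Authenticated, replay-resistant command frames (added example).

Constructed sketch of a command datalink check, not any real UAV protocol.
The GCS and the vehicle share a symmetric key for the sortie; every command
is tagged with HMAC-SHA256 over (session id, counter, payload). The vehicle
only accepts a frame whose tag verifies and whose counter is higher than the
last accepted one, which defeats forged, tampered and replayed commands.
"""
import hashlib
import hmac
import struct

MAC_LEN = 16                     # truncated HMAC-SHA256 tag, bytes
HEADER = struct.Struct(">4sQH")  # session id, 64-bit counter, payload length


def _tag(key, header, payload):
    """Authentication tag binding header (session + counter) and payload."""
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:MAC_LEN]


class CommandSender:
    """GCS side: wraps each command with a fresh counter and a tag."""

    def __init__(self, key, session_id):
        self.key = key
        self.session_id = session_id
        self.counter = 0

    def frame(self, payload):
        self.counter += 1
        header = HEADER.pack(self.session_id, self.counter, len(payload))
        return header + payload + _tag(self.key, header, payload)


class CommandReceiver:
    """Vehicle side: returns (status, payload); payload is None unless 'ok'."""

    def __init__(self, key, session_id):
        self.key = key
        self.session_id = session_id
        self.last_counter = 0

    def accept(self, frame):
        if len(frame) < HEADER.size + MAC_LEN:
            return ("bad_length", None)
        header = frame[:HEADER.size]
        session_id, counter, length = HEADER.unpack(header)
        if len(frame) != HEADER.size + length + MAC_LEN:
            return ("bad_length", None)
        payload = frame[HEADER.size:HEADER.size + length]
        tag = frame[HEADER.size + length:]
        if session_id != self.session_id:
            return ("bad_session", None)
        # Verify the tag before trusting anything else in the frame, so an
        # unauthenticated sender cannot move the replay window.
        if not hmac.compare_digest(tag, _tag(self.key, header, payload)):
            return ("bad_mac", None)
        # Strictly increasing counter: a replay or a delayed older frame is
        # dropped, while frames lost in transit simply leave a gap.
        if counter <= self.last_counter:
            return ("replay", None)
        self.last_counter = counter
        return ("ok", payload)


def demo():
    """Constructed exchange: one genuine stream plus the failure cases."""
    key = b"\x11" * 32                      # constructed sortie key
    tx = CommandSender(key, b"S001")
    rx = CommandReceiver(key, b"S001")
    f1 = tx.frame(b"GOTO 51.40 -4.40 1500")
    f2 = tx.frame(b"LOITER 300")
    f3 = tx.frame(b"RTB")
    tampered = bytearray(f1)
    tampered[HEADER.size] ^= 0x01           # flip one payload bit
    forged = CommandSender(b"\x22" * 32, b"S001").frame(b"RTB")
    return [
        rx.accept(f1)[0],                   # ok
        rx.accept(f1)[0],                   # replay of an accepted frame
        rx.accept(f3)[0],                   # ok, f2 lost in transit is fine
        rx.accept(f2)[0],                   # late older frame rejected
        rx.accept(bytes(tampered))[0],      # bad_mac
        rx.accept(forged)[0],               # bad_mac (wrong key)
        rx.accept(f1[:-1])[0],              # bad_length
    ]


if __name__ == "__main__":
    print(demo())
```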
Ground Infrastructure
This aspect relates to the simple physical security of the ground-based elements, of which there may be many in an extended system of systems. DeGarmo [DeG04, 2.2.1] states that this has seen little interest from UAV operators to date, but could be a major and direct way to affect or overthrow the control of the UAV. This would be particularly true for mobile systems (having less opportunity for fixed barrier-based security), and for distributed systems with control elements located at various points around the world (such as recent US Predator operations in Iraq, controlled via datalink from Nevada but with Iraq-local control elements involved also).
Flight Planning and Data Security
DeGarmo [DeG04 2.2.3] goes on to consider the security implications of the data elements of the UAVS. All manner of digital data is involved in a successful UAV operation, from the databases used to plan missions and avoid terrain, to the specified flight plan itself, the coding of ground and UAV control functions, etc. The US (and the UK CAA repeat the requirement in [CAA04]) require security of systems to detect and counter all attempts to corrupt critical systems and data before, during and after loading.
1.2.5 The Human Element
There are human aspects cutting across many of the other issues we highlight: in ATM (section 1.2.2), collision avoidance (1.2.3), security (1.2.4), and notably in our discussions over UAV accident rates (1.1.4) and the man / machine boundary of autonomy (1.1.3). In this section we focus specifically on the human element of the UAVS. From very general Human Factors issues, we extend the discussion to cover organisational issues and then personnel qualification and skill levels.
Human factors
We have already looked at UAV accident rates, in section 1.1.4. There, we noted DeGarmo's assessment [DeG04, 2.1.3] that Human Factors (HF) accounted for some 17% of the UAV accidents where information was available. He commented that this was lower than the comparable figure for manned aircraft (~80%) and seemed to be proportional to automation levels and (where responsibility lay with the UAV-p) the datalink update rates. The dominant Human / Machine Interface (HMI) aspects related to: the ground 'cockpit' environment; the available cues from the UAV and displays; the UAV-p skill levels; levels of situational awareness; and a suggestion that the low personal risk to the UAV-p removed him somewhat from trying to recover difficult situations. Schneider [Sch04, chapter 3] suggests that the majority of UAV mishaps were due to the relatively low experience level of operators & maintainers, and LaFranchi [LaF05-2] echoes this with his account of Canadian Army experience with deploying the Sperwer system in Afghanistan. After only a short training course, they found themselves having to adapt their training to a new and hostile environment. In the second of two crashes (in three months), the GCS took manual control on approach to land and flew the vehicle into a ridge, in spite of a ground proximity alarm sounding for some 30 seconds before impact, and there being four personnel in the GCS including a certified manned aircraft pilot.
The JAA / EUROCONTROL Task Force cover HF as a specific discussion topic, focusing on the HMI ([UTF04, section 7.10]). They saw issues with the lack of physical (and particularly visual) cues that allow the pilot on board to recognize some failure scenarios and to decide on the suitable decisions and actions to take. They were also concerned at the current shortage of experience in civil UAV operations, which compares well with Schneider's and LaFranchi's concerns noted above.
However, Williams [Wil04] believes that it is difficult to draw general Human Factors conclusions, because the HMI is so very different between systems. He could not find consistent HF causes between the US military accidents that he analysed (see more general discussion in section 1.1.4). He does, though, raise two interesting points at different ends of the human factors / automation / airmanship spectrum:
o Predator is a UAV which acts very much as an RPV: it is 'flown' by a pilot using cockpit-type controls from the GCS, using a camera in the UAV to present a 30-degree forward view to the pilot. Predator suffered the highest percentage of HF accidents (~65%) of the 5 systems he analysed.
o Global Hawk is another US Air Force UAVS but is very automated, with the UAV-p merely monitoring the aircraft's progress. Global Hawk had relatively few HF accidents (~30%). However, the system is automated through fully pre-programmed missions from take-off to landing (rather than autonomous decision making), and the planning for a mission can take up to 270 days to achieve. Hence there have been HF accidents caused by small but significant errors buried within the complex mission planning.
Human Factors is a tricky issue for UAVS, due to the complex system boundary, and in particular due to the growing influence of autonomy. In part, this is necessary to offload the pilot and allow aspects such as multiple-UAV operation (see 'autonomy v ground control' in 1.1.3). Nevertheless, we should not forget that accidents can occur when the human operator does not understand what the highly automated system is doing, and tries to override it with disastrous consequences. This key issue is discussed in several York Advanced MSc course modules (Human Factors Engineering (HFE) and Foundations of Safety Engineering (FSE) especially).
Organisation
In section 1.2.1 (Regulation etc.), we noted the EASA drive [EAS05] for 'Total safety' as shown in Figure 1.2.1a. This clearly indicates the involvement of the operating organisation and personnel in the safe maintenance and operation of the UAVS. In 1.2.1 we discussed the push for 'equivalence' with manned aircraft based regulation, whereas here we try to discuss the inherent safety issues.

Marsters [Mar03] assumes that an applicant for a UAV clearance will have already obtained a UAV Operating Certificate covering global activities for his system, with an approved organisation and competent staff / operators, vehicle safety history and analysis, design standards, operating manuals, etc. He does not explicitly discuss why these are required. EASA and the Joint European Task Force discuss organisations [UTF04 section 6.3.3.3] but do not get beyond the requirement for equivalence to manned systems and application of licensing regulations. The CAA likewise in [CAA04] state requirements against existing regulation.
The Swedish Aviation Safety Authority also discuss organisational requirements [Wik03], initially suggesting parity between UAV and manned aircraft organisations, but then suggesting that there could be flexibility: the UAV system operation organisation requires proportionality with the UAV system complexity and operating conditions, so simpler systems and environments would allow simpler organisations. Wiklund suggests that the organisation will probably vary at different stages of a project. "During the design stage the emphasis may for example be on technical competence with advisory operational competence, while in the test stage further practical operational competence will be added and in the operational stage the emphasis will be on practical operating competence." It is clear that the drive here is for competence within the organisation, with experience, to be able to recognise and resolve the safety issues arising at that point in the programme.
Schneider [Sch04] sees the organisation playing a key role in addressing the HF safety issues noted above, due to low experience among UAVS maintainers and operators. He pushes the US government that operator and maintenance organisations should explicitly plan for the recruitment, training and career development of personnel, to improve retention of the experience necessary to operate UAVS safely. Schneider suggests that military organisations currently do the very opposite, by forced posting and promotion of experienced operators out of the organisation.
From the literature reviewed, there did not seem to be specific organisational issues related to UAV operation and maintenance, other than that noted by Schneider above. Otherwise, the literature was driven by the requirement for equivalence with manned aircraft, on the read-across assumption that a competent organisation (with competent personnel and appropriate procedures and plans) supports the overall aims for safe UAV operation and maintenance. However, from our discussion over aspects such as ATM (1.2.2) and the complex system boundary (1.1.2), I would propose that there could be issues related to the transfer of data between organisations, to support accurate mission planning, establishment of appropriate emergency procedures, etc. The safety issue is thus the complex organisational interfaces within the overall system of systems.
Suitably Qualified and Experienced Personnel
Experience levels among personnel are clearly an issue, as noted in both sub-sections above. Here we discuss the qualification aspect of their necessary competence.
The CAA in CAP722 [CAA04] discuss the UAVS 'crew' consisting of a UAV commander and (potentially) one or more UAV pilots (UAV-p). While the UAV-p is a qualified person who is actively exercising remote control of a non-autonomous UAV flight, or monitoring an autonomous UAV flight, the commander is the person charged with overall responsibility to the CAA: he assumes the same operational and safety responsibilities as the captain of a piloted aircraft performing a similar mission in similar airspace. Hence the commander must be qualified to meet manned aircraft equivalents for the airspace and meteorological rules that the UAV will operate within, while the UAV-p may be less stringently qualified, meeting the training, experience and currency requirements set out by the organisation. This would allow UAV operation in accordance with current military training regimes, where the UAV is controlled by an operator who may not have manned aircraft qualifications but who can direct the UAV to a specific location (rather than fly it manually using traditional controls), but would require an overall commander to oversee and ensure safe operation in accordance with the Rules of the Air. The Australian Civil Aviation Safety Regulations in CAS 101 [CAS04] have rolled out a similar view of pilot certification. The issue here might be how many UAV-p could safely operate under one commander, while ensuring safe operations. The issue is heightened when a single UAV-p could conceivably be controlling more than one UAV, due to the apparent simplicity of the interface. DeGarmo [DeG04, section 2.4.5] picks up on these aspects. He says that UAV-p certification is not simple, because of the variation in UAVS and their operating intent: simple UAVs may act like model aircraft, staying within visual contact; others will be operated beyond Line of Sight, possibly in swarms of multiple UAVs; some will require direct pilot-like input as RPVs; others will have automated systems requiring only location designation, or even be operating near-fully autonomously. While the UAV design will force part of the training regime, predominant factors might be the outside world, e.g. the operational environment (other traffic, ATC, etc.). DeGarmo suggests that a similar licensing system could be operated to that currently for aircraft pilots, where specific ratings are earned appropriate to the type of aircraft being flown and the type of operation to be undertaken. This would, he says, require extensive tailoring to suit UAV differences (as discussed in 1.1.1). DeGarmo finishes with a discussion of the role of the UAV-p compared to the commander (or controller as he calls it). While this is a potential solution to the training / skills issue, he implies that it is another interface that would need careful implementation.
1.2.6 Public perception of UAV safety
As we touched on briefly in Section 1 under 'Current and Future Directions', the pull of the market for civil use is still uncertain, and gaining public acceptance of the safety of UAVs will be an important part of any success. So what is the public perception?
The CAA has, so far, taken a 'gut instincts' view that the perception is at best neutral and at worst fearful / mistrusting. Whittaker in [Whi05] looks briefly at potential ground and air collisions featuring UAVs: in the former, he contrasts the manned aircraft ground collision headlines ("AIRCRAFT CRASHES NEAR SCHOOL - Pilot swerves into trees to avoid risk to children") with those for a UAV ("TERROR AS GUIDED MISSILE ALMOST HITS SCHOOL - Shocked parents demand Public Inquiry"). For collisions in the air between UAV and manned aircraft, he takes the view that such occurrences are seldom survivable for the people involved, and the unmanned aircraft will doubtless be blamed by the public, no matter what the reality of the situation. In essence, he is talking about a media-led onslaught, (mis-)informing a public with no alternative positive views of the benefits of UAVs.
DeGarmo [DeG04, Section 2.5.2] takes a broader view. He proposes that the public can be courted with a reasoned debate over the benefits that can be gained (i.e., greater security, improved information, more services, lower costs) versus the potential costs (i.e., increased noise, pollution, privacy concerns, safety risks, delays) and that this 'marketing' will be a key requirement to gain acceptance and enable market forces. However, he also notes that such a build-up of trust will take time and be fragile, as it would be easily damaged by any high-profile accident. He quotes a public opinion survey of air users in 2003, which stated that 68% were happy with the idea of UAVs for cargo and commercial use, but only a small percentage would be happy to allow unmanned passenger-flying aircraft. While this, at face value, suggests that people might be happy with the risk associated with UAVs flying overhead, to me it implies that, as soon as the risk might actually impinge on them, their acceptance drops massively.
In the end, then, a closer look at DeGarmo brings us to the same conclusion: that in the event of an accident, the media will hold sway over any expert discussion of the significance of risks posed by UAVs to the public, be they in the air or on the ground. UAVs will have to prove themselves 'safer than safe' or face a similar bad press over safety as the rail industry, say. However, there is some hope that the public will have been educated beforehand, and the perceived benefits of UAVs will ultimately help restore confidence more quickly.
1.3 Summary of UAVS Safety Issues
1.3.1 Review of current UAVS safety issues relating to integration into unsegregated airspace
Sections 1.1 and 1.2 have covered a lot of issues with respect to UAV safety, and it is worth summarising these here, before proceeding further. Note that ** indicates an issue that has been taken forward in this project, as discussed in 'Focus for Project Development'.
(1.1.1) Impact of the Variety, Roles and Performance of UAVs
1. UAV differences may introduce additional, unexpected hazards, for regulators trying to pigeon-hole them into manned aircraft categories **.
2. UAV performance differences from manned aircraft make them difficult to manage in a stream of manned aircraft traffic **.
3. UAV roles and missions make their behaviour unpredictable for manned aircraft traffic / ATC **.
4. UAV 'ad hoc' launch sites cause unexpected insertion into manned traffic.
(1.1.2) The complex system boundary for UAVs
1. Confusion over what the safety critical elements of a UAVS are (and then how to regulate them, if not currently covered by manned systems): elements such as datalinks, GCS, data flow around the UAVS, and data sources outside the UAVS push beyond current manned aircraft experience.
2. The need for reliable datalinks (including Over the Horizon), teamed with the requirement to deal safely with datalink failure / corruption.
3. UAV sensors and datalinks will compete for limited RF spectrum availability or face interoperability / interference problems.
4. Use of Beyond Line of Sight datalinks to overcome terrain masking extends the system boundary and hence the number of critical systems incorporated within the UAV system of systems.
(1.1.3) UAV autonomy - technology, predictability, complexity
1. Current in-use definitions of autonomy level are over-simplistic; but there is confusion over what factors give a better indication of system authority. Some are very broad, making it difficult to arrive at a clear indication (clear indication of autonomy level is called for in various papers, to give visibility over who is in charge of the UAV in case of emergency action being required).
2. Environment and mission context are proposed as drivers for required levels of autonomy - how will the system respond if pushed outside its parameters?
3. Autonomy level should be varied ("traded") to suit the operator's needs throughout the mission - will the operator know the extent of his control? Will the needs of the operator align with the needs of the regulators to enforce human control?
4. 'Agent Based' autonomous control introduces new areas of uncertainty:
a. These are novel applications in air vehicles and hence there will be issues of expertise, trust and clearance.
b. They require accurate capture and specification of the 'agent' behaviours beforehand - issues of knowledge acquisition (and requirements elicitation - see York module on RQE).
c. There will probably be more than one 'AI' method used to implement the decision making, and these will introduce new issues of architecture and integration.
5. Autonomy through software will entail solving the usual issues over system predictability. In particular, there may be difficulties trying to clearly separate safety critical elements from other functionality.
6. The knowledge, judgment and skill ('airmanship') necessary to fly predictably and yet flexibly to react to changing situations (such as weather) may be difficult to automate, or even specify.
7. UAV autonomous decision making must somehow be matched to the expectations of ATC decision making tools (such as those used to effect TCAS).
8. UAV actions in the event of datalink failure need to be predictable and dependable (for ATM interaction), yet airmanship demands the ability of flexible response **.
(1.1.4) Accident rates and reliability - UAV airworthiness
1. The catastrophic failure rate for UAVs is currently too high.
2. There is little reliable accident data for UAVS occurrences - none sourced outside military programs, research-based systems, in high risk (non-civil) usage, and even that data is from a small sample compared to manned aviation data availability.
3. UAVs lack available, reliable system components (they currently have to use research-standard equipment or COTS items operating outside their intended environment).
4. UAVSs have not currently been designed, fabricated and maintained to manned aircraft levels **.
5. It is difficult to define what the 'Equivalent Level of Safety' or balanced safety targets should be for UAVSs.
a. Difficulties in identifying the equivalent class.
b. Differences in the lethality of UAVSs, from manned aircraft, and between different UAV classes.
6. To improve airworthiness, there are suggestions to apply FAR 1309-type philosophy to UAV flight-critical system safety design, and referrals to ARP 4761 as a suitable approach for safety analyses, but these may require some amendment to suit differences in UAVSs **.
(1.2.1) Regulation, Certification and the Drive for Standards
1. Current UAV regulation demands 'equivalence' to manned systems, without being able to address UAV differences.
2. There are proposals that a 'total system' approach is required to address UAV-related regulation, but that airworthiness is currently regulated separately (by EASA) from operations, maintenance, ATM and airports (by national bodies such as CAA) **.
3. How to certify UAVSs? Studies suggest that, while a 'safety targets' [safety case] approach would be easiest to apply, it is necessary to apply a standards / requirements based approach to be consistent with ICAO rules, and because different regulators [see '2' above] force separate consideration of design from operation - but can the UAVS design and operation be cleanly separated without missing potential safety risks?
4. EASA suggest application of a .1309 safety assessment philosophy, to address novel aspects of UAVS design [refer to 1.1.4 item 6, above] **.
5. To apply standards-based certification requires standards to be defined for clear, safety critical design aspects, but these are difficult to define for UAVS [refer to 1.1.2 item 1, above].
6. Regulators wish to apply existing certification for operations (such as maintenance, flight operations) 'wherever possible', but their own studies show that many aspects of UAVS operations are not adequately covered, mainly because the scope of UAV work lies far outside the aspects that the regulation was intended to cover.
7. Several international organisations are pushing to establish consensus-based standards, but there is currently a competitive spirit between them, which may lead to several conflicting standards.
(1.2.2) ATM interaction
1. Because of current segregation of traffic, very few UAVs have interacted with Air Traffic Control (ATC) and the ATM system; hence it is difficult to predict what the real impacts might be **.
2. Regulators and ATM providers demand that UAV operation will be 'transparent' to ATM services, that UAVs will "...comply with any air traffic control instruction or a request for information made by an ATS unit in the same way and within the same timeframe that the pilot of a manned aircraft would." Yet there are many ways in which UAVs will react differently from manned aircraft [see 1.1.1 items 2, 3, 4 above, as well as the following items].
3. Regulators require specific lists of equipage for flight in controlled airspace, but (most) current UAVs lack the available space, payload or power to carry them all.
4. ATC controllers may require additional data feeds to inform them of UAV-specific status (such as autonomy level), which conflicts with the drive for ATM transparency.
5. How will ATC controllers handle potential 'swarms' of UAVs under a common control node?
6. High powered ATM RF equipment may pose interoperability problems for some UAVSs [especially with reference to the crowded spectrum in 1.1.2 item 3].
7. UAVs will ultimately require capability for speech recognition and voice response as part of their autonomous behaviour.
8. Existing ATM routes and procedures have been built around manned aircraft: it is suggested that, for UAVs that don't fit the pattern, they will either have to be excluded (and forced into general airspace) or have new routes / procedures to accommodate them.
9. For lighter UAVs subject to wake turbulence, current vertical separation minima may be inadequate to allow safe flight.
10. The impact of UAVs (their numbers and long endurance) on air traffic, and its effect on ATC controllers and systems overall, has not been adequately modelled thus far.
11. ATM procedures want to hard-define procedures and flight termination areas to deal with UAV particular risks and emergencies, but the actual procedures may need to be varied to best suit specific systems (e.g. highly autonomous systems may be safer to fly on, rather than flight terminate, in response to the particular risk of datalink failure).
12. There are concerns over UAV operations on the ground, on shared airfields - associated with taxiing into obstructions / other aircraft, and being able to recognise and respond to visual signals that are used in airfield operations **.
13. Diversionary airfields may pose additional problems for UAVs, if the airfield is not adequately prepared to handle UAV traffic, or appropriate navigation facilities (such as D-GPS) are not available to provide sufficient accuracy for auto-land systems.
(1.2.3) Collision avoidance
1. 'Approved' methods of terrain avoidance have yet to be identified for UAVSs.
2. Most literature sources imply that terrain avoidance will be solved as part of the airborne collision avoidance / Sense & Avoid effort - but characteristics for ground / obstacle target detection will be very different from point air targets, and the technical solutions and airmanship requirements will be likewise quite different.
3. In order to respect the Rights of Way, the UAVS must be aware of its situation in terms of the factors that determine who has right of way, and be able to react accordingly. But each situation will be different depending on: whether all involved aircraft comply fully and correctly with the Rules of the Air; the controllability and manoeuvrability of each aircraft and their respective flight performance; the level of autonomy of operation and control (in terms of the involvement (or not) of a ground pilot) [refer to autonomy specification, in 1.1.3 item 6 above].
4. Due to the size, role and performance of UAVs, will manned aircraft pilots be able to spot them in order to respect the Rights of Way?
5. Some authorities believe that it is not possible to set criteria for Sense & Avoid systems - they must develop once the available technology performance and UAV systems definition become clearer. But others believe that the technologies for Sense & Avoid should not be developed until the necessary criteria are defined. Currently, there are no defined criteria.
6. Current technologies such as TCAS cannot be relied on, as they require all traffic to co-operate in carrying interrogating equipment. UAVs in general airspace must have Sense & Avoid that can detect non-cooperative traffic (which manned aircraft currently attempt to do using the pilot's visual acuity).
7. The nearest thing to S&A criteria is currently to establish 'equivalent level of safety' to manned aircraft. But high profile accidents have shown the fallibility of human visual collision avoidance. Also, initial modelling has indicated that human eye perception ranges fall short of the required detection range to avoid collisions.
(1.2.4) Security and safety
1. UAVS dependent on GPS-based navigation may be susceptible to jamming unless jam-resistant systems can be fitted.
2. The command datalink significantly extends the responsibility to ensure safe control of the UAV, and practical solutions to avoid jamming, spoofing or stealing of the datalink need to be found.
3. The use of ground-based control elements (some distributed globally) extends the need for physical security of the system, beyond the airframe considerations of manned systems.
4. The data elements of the UAVS present a key security issue, to avoid corruption of mission planning, airspace and terrain databases, flight programmes, GCS functions etc.
(1.2.5) Human factors, Suitably Qualified & Experienced Personnel (SQEP) and organisations
1. Human / Machine Interface (HMI) aspects affecting UAV flight safety exist relating to: the ground 'cockpit' environment; the available cues from the UAV and displays; the UAV-p and maintainers' skill levels; levels of situational awareness and a suggestion that the low personal risk to the UAV-p removed him somewhat from trying to recover difficult situations.
2. Human factors issues are difficult to analyse for UAVSs, due to the wide variety of HMI currently in use, and big questions over the interaction between the human operator and the autonomy level of the system [refer to 1.1.3 item 3 above].
3. There is a huge assumption that a UAV Operating Certificate covering global activities for the UAVS system, with an approved organisation and competent staff / operators, vehicle safety history and analysis, design standards, operating manuals, etc, will provide the main route to a safe UAVS operating within manned airspace. Is this tenable?
4. Current military organisations force regular rotation of personnel, so that there is not adequate build-up of UAVS operating experience within the organisations.
5. The complex network of organisations, running the UAVS system of systems, controls safety-involved data interfaces for the UAVS. This network is not adequately discussed or understood in the literature reviewed.
6. Where several UAV-ps (with lesser skills) may be under control of an officially recognised UAV Commander, what issues influence how many may be safely controlled without compromise? How does this vary with UAVS complexity / role / interface / autonomy levels? While regulators depend on the skills and experience of the UAV Commander, how does the interface between Commander and Pilot(s) affect the efficacy?
(1.2.6) Public perception of UAV safety
1. CAA perspective is that airborne collisions are seldom survivable, but other agencies are pursuing UAV characteristics (such as frangible materials) such that collisions may not be so catastrophic. Is this approach practical in terms of safety, and could it influence public opinion sufficiently?
2. How do media perspectives of UAV safety compare with actual public opinion, and with achievable levels of safety for UAV systems?
1.3.2 Focus for project development
From a review of the issues above, and the overall aims of the project, several options existed to take this particular study forward. After much reflection, it was decided that there was a common core of issues that could be addressed, related to the need for:
A. A better understanding of what the root hazards associated with UAVS integration are. [Predominantly 1.1.1 issues 1-3; 1.2.2 issues 1 and 12]
In exploring this aspect, the project would need a robust Hazard Identification (HazID) methodology, and understanding of the system(s) being assessed. Thus, it could also contribute to other, related aspects along the way, in particular:
B. Can a .1309 / ARP4761 safety assessment approach be used for UAVS, to identify hazards for solution during design / manufacture / operation? [Relating to 1.1.4 issue 6, 1.2.1 issue 4]
This approach thus relates to a number of the issues shown above - these are indicated with a double asterisk **. Along the way, it was hoped that the study would also provide useful information on other aspects, such as those on system complexity in section 1.1.2, but these would not be the primary focus.
PART 2 - DESIGN AND BUILD: MOVING FORWARD IN UAVS HAZID
The intent of Part 2 is to identify a robust method for Hazard Identification (HazID), based on ARP 4761. This would be used in Part 3 to assess a UAVS case study and hence investigate the root hazards of integrating UAVS into manned airspace.
This part of the project can be likened to Design and Build for a product-based project. We require a clear set of Design Requirements, to which a sound methodology can then be built.
o In general, the design requirements were outlined at the end of section 1.3, but there was a need to define the full requirement list more robustly. Section 2.1 assesses the existing ARP 4761 HazID methodology for its usability for UAVS assessment, and hence establishes where improvements are required.
o Section 2.2 then works through the requirements, to establish a proposed improved methodology for UAVS HazID.
2.1 Assessment of ARP4761 Usability for UAVS HazID
2.1.1 Introduction
ARP 4761 [SAE96] has the following scope:
"This document describes guidelines and methods of performing the safety assessment for certification of civil aircraft. It is primarily associated with showing compliance with FAR/JAR 25.1309. The methods outlined here identify a systematic means, but not the only means, to show compliance. A subset of this material may be applicable to non-25.1309 equipment. The concept of Aircraft Level Safety Assessment is introduced and the tools to accomplish this task are outlined. The overall aircraft operating environment is considered."
Clearly, the current intent is to support safety assessment of civil (predominantly heavy transport) aircraft. It has been reviewed for its applicability in supporting safety assessment for UAVS certification, primarily for the Hazard Identification elements at this stage. The full review is at Annex A to this report; a summary of the issues identified is presented below. At this point, the focus has been on hazard identification through Functional Hazard Analysis (FHA); only a cursory look has been taken at the lower-level Preliminary System Safety Analysis (PSSA) and System Safety Analysis (SSA) elements.
2.1.2 Safety Objectives
Safety objectives and criteria are drawn in from FAR / JAR 25.1309 (becoming EASA CS.25.1309 in Europe). These talk in terms that are focused on manned, large aircraft airworthiness - for example, a Catastrophic consequence is defined as "All failure conditions which prevent continued safe flight and landing" with a target probability of better than 1 in 10^9 per flying hour.
For airworthiness considerations for UAVs, criteria need to reflect the variety of UAV systems at least in terms of their lethality, such as the variation between transport and smaller aircraft in 25.1309 and 23.1309 from 1 in 10^9 to 1 in 10^6 per flying hour for catastrophic occurrences.
Criteria descriptions need to reflect UAV potential occurrences, such as those proposed by the JAA / EUROCONTROL Joint Task Force in [UTF04 chapter 7.5] - for example, they suggested modifying the catastrophic definition to "UAV's inability to continue controlled flight and reach any predefined landing site".
For 'total system safety' as required by EASA (see section 1.2.1), rather than just airworthiness, the criteria need to reflect occurrences that compromise safety through ATM or operational context. EUROCONTROL have established related (but different!) criteria that they insist are applied where an occurrence could affect the ATM environment, through EUROCONTROL Safety Regulatory Requirement 4 (ESARR 4) [EUR01].
2.1.3 'Aircraft Level' and 'System Level' FHA
[SAE96] proposes that Functional Hazard Assessment (FHA) be carried out at what it calls the 'Aircraft-Level', then lower-level 'System-Level' assessment once the design work starts in earnest.
If the 'Aircraft Level' is to equate to the UAVS, then care / guidance is needed to address the complexity of the system:
o The extended critical boundary (for elements such as the Ground Control System (GCS) and mission planning?).
o The people and procedural elements.
How should the System of Systems or 'super-system' elements be considered? There is some reference to looking at 'exchange functions' (see below) but not in sufficient detail to define and address these critical interfaces for the UAVS.
2.1.4 FHA Process:
[SAE96] describes how "The FHA process is a top down approach for identifying the functional failure conditions and assessing their effects. This assessment is made in accordance with the following processes." [Square brackets refer to further discussion of each aspect in later paragraphs]:
1. "Identification of all the functions associated with the level under study (internal functions and exchanged functions)." [Function Identification]
2. "Identification and description of failure conditions associated with these functions, considering single and multiple failures in normal and degraded environments." [Identification of Failure Conditions]
3. "Determination of the effects of the failure condition." [Identifying and Managing Effects]
4. "Classification of failure condition effects on the aircraft (Catastrophic, Severe-Major/Hazardous, Major, Minor and No Safety Effect)." [Identifying and Managing Effects]
5. "Assignment of requirements to the failure conditions to be considered at the lower level." [FHA Outputs]
6. "Identification of the supporting material required to justify the failure condition effect classification." [FHA Outputs]
7. "Identification of the method used to verify compliance with the failure condition requirements." [FHA Outputs]
Function Identification:
o Source data requirements for input to the 'aircraft level' FHA assume a single, homogeneous aircraft.
o This does not reflect the more complex UAVS structure.
o It does not draw out the more complex interfaces with the wider SoS.
o The 'Aircraft level' Internal Functions list guidance does not reflect the more complex UAVS structure. These may vary with the initial design assumptions over the UAVS overall architecture.
o The aircraft-level Exchanged Functions list assumes a simple interaction with the outside world - this area requires careful guidance for the UAVS to ensure that the interfaces with the wider System of Systems (SoS) are adequately assessed for exchanged functions.
o Flight Phases need guidance to ensure they are adequately defined for the UAVS. UAVS missions are more complex and variable than those for transport aircraft (around which [SAE96] is based).
Identification of Failure Conditions:
o New and different Emergency and Environmental Conditions are likely to be required for UAVS considerations.
  o Environmental conditions and events may come from the more extreme climatic or mission conditions they experience, due to the unusual performance and roles they undertake.
  o Particular Emergency conditions will be applicable, from both regulatory and system architecture sources, such as datalink failure response.
o There will be new types of single functional failure, but potentially many new multiple failure conditions to consider, due to the extended system and the wider SoS. More care will be required to ensure all credible combinations are considered.
Identifying and Managing the Effects of the Failure Conditions:
o For UAVS, Flight Phases and other sources of mission context will be critical in evaluating the consequential effects of failures on other airspace users or the overflown public. The loss of the UAV itself is not as significant as hull loss for a transport aircraft; instead, it is the second tier effect on other persons that is crucial, and that is dependent on where the UAV is and what it does when the failure occurs. ARP 4761 does not adequately support the significance of establishing this mission / environmental / ATM context.
FHA Outputs:
o [SAE96] proposed outputs seem appropriate at this point, but would need to be tested more thoroughly through actual input to the PSSA process.
2.1.5 Overall Applicability of ARP4761 for UAVS use
The intent of ARP4761 to support the safety assessment (and hence clearance) of novel aircraft systems remains good. If the issues identified above can be addressed, then the revised framework should equally support safety assessment and clearance of UAVS.
2.2 Modifying ARP 4761 FHA for UAVS Use
Each of the areas of ARP 4761 FHA requiring modification has been worked through in turn, to arrive at a justified, proposed revised HazID methodology. Key elements of the proposed methodology are shown in bold, italicised text.
It is worth including a note here on the use of Functional Failure Analysis for FHA. Other forms of FHA are available, such as HazOp, Structured What If Technique (SWIFT) et al (see [HRA03 session 12] for further guidance). However, it was decided to continue on the basis of Functional Failure Analysis (FFA), in order to conform with the basic process behind ARP 4761. It is a sound method for initial hazard investigation, where the design is still in its infancy but its purpose can be identified; and it is an accepted method recognised for certification through previous use of ARP 4761 and ARP 4754. To abandon FFA for another method at this stage would have required strong reasons – and none were identified at this early stage of investigation.
2.2.1 Derivation of Safety Criteria and Objectives for UAVS
Application
Safety Criteria
We need to define suitable safety criteria in order to assess the effects and consequences of potential UAVS hazards. It is important to note that safety criteria have been separated from safety objectives - the latter are considered later in this section. Our focus here is how hazardous effects are to be defined.
The first consideration is "who is likely to be affected by the UAVS". A quick review of existing airworthiness criteria such as in AC 23.1309 [FAA99] leads us to the following traditional parties:
o Passengers of the vehicle? NO, this should not be an issue for a UAV.
o Flight crew - NO (but possibly indirect effects on UAVS operators?).
o The air vehicle itself
ARP 4761, looking to support ARP 4754 (and hence EASA CS.25.1309), focuses on this list, to give a set of airworthiness criteria. It can be argued that, if the aircraft is kept safely in the air, then the safety of the 3rd parties on the ground is necessarily protected. As noted in section 2.1 of the report, EUROCONTROL suggested modifications to these criteria to make them more UAVS applicable. Hence a modified set of airworthiness criteria has been drawn together as shown in Table 2.2.1(i) below:
Failure Condition Severity Classification:
o FAA: Minor / Major / Severe Major / Catastrophic
o JAA: Minor / Major / Hazardous / Catastrophic

Existing Failure Condition Effect criteria (FAA & JAA / EASA):
o Minor: Slight reduction in safety margins; slight increase in crew workload; some inconvenience to occupants.
o Major: Significant reduction in safety margins or functional capabilities; significant increase in crew workload or in conditions impairing crew efficiency; some discomfort to occupants.
o Severe Major / Hazardous: Large reduction in safety margins or functional capabilities; higher workload or physical distress such that the crew could not be relied on to perform tasks accurately or completely; adverse effects upon occupants.
o Catastrophic: All failure conditions which prevent continued safe flight and landing.

Proposed UAVS criteria (taken from UAV Task Force [UTF04]):
o Minor: Slight reduction in safety margins (e.g. loss of redundancy).
o Major: Significant reduction in safety margins (e.g., total loss of communication with autonomous flight and landing on a predefined emergency site).
o Hazardous: Controlled loss of the UAV over an unpopulated emergency site, using Emergency Recovery procedures where required.
o Catastrophic: UAV's inability to continue controlled flight and reach any predefined landing site.

Table 2.2.1(i) - Airworthiness Failure Condition Severities (after [SAE96], with additions from [UTF04] as noted)
While it was tempting to modify the criteria further, such as to include factors for UAVS operators' workload under 'Major' and 'Severe Major', it was decided to leave the criteria alone at this stage. The baseline FAA / JAA criteria are well established to support regulated requirements; similarly, the UAV Task Force criteria were arrived at by a multi-national team and, it is assumed, have reached a high level of consensus. With this in mind, it was felt better to try out the criteria first, so that if proposed changes were found necessary, they would be underpinned by a demonstrable need to overcome specific shortcomings. The domain is slow to change (as we have seen evidence for, throughout section 1).

That said, the criteria above do provide a very airworthiness-centric view. Looking at a wider requirement for safety leads us to the following affected parties, additionally:

o 3rd parties on the ground - the overflown public.

o 3rd parties in other aircraft - in the air or on the ground at airfields.

o ATM personnel

It could be argued that, in providing criteria aimed at keeping the aircraft reliably in the air, the requirements of the overflown public are met (especially as the [UTF04] criteria include consideration of whether the vehicle can reach an unpopulated site) - this is consistent with the view that UAVS must meet an Equivalent Level of Safety to that for manned aircraft, and the criteria above are set for manned aircraft. What then should be done about the second two parties, other aircraft occupants and ATM personnel, where the criteria currently say little specifically applicable?

As noted in section 2.1, EUROCONTROL are insistent that their criteria must be applied in all instances where the ATM environment may be affected. Although the criteria are focussed on applications for ATM system developments, it can be seen that they would be applicable for a UAVS and the particular concerns over integration into manned airspace. The criteria are shown in Table 2.2.1(ii) below:
Failure Condition Severity Classification (ESARR 4):

Severity 5 - No Immediate Effect on Safety
  - No hazardous condition, i.e. no immediate direct or indirect impact on the operations.

Severity 4 - Minor Incidents
  - Increasing workload of the air traffic controller or [UAVS] crew, or slightly degrading the functional capability of the enabling CNS System.
  - Minor reduction (e.g., a separation of more than half the separation minima) in separation with [UAVS] crew or ATC controlling the situation and fully able to recover from the situation.

Severity 3 - Significant Incidents
  - Large reduction (e.g., a separation of less than half the separation minima) in separation with [UAVS] crew or ATC controlling the situation and able to recover from the situation.
  - Minor reduction (e.g., a separation of more than half the separation minima) in separation without [UAVS] crew or ATC fully controlling the situation, hence jeopardising the ability to recover from the situation (without the use of collision or terrain avoidance manoeuvres).

Severity 2 - Major Incidents
  - Large reduction in separation (e.g., a separation of less than half the separation minima), without [UAVS] crew or ATC fully controlling the situation or able to recover from the situation.
  - One or more aircraft deviating from their intended clearance, so that abrupt manoeuvre is required to avoid collision with another aircraft or with terrain (or when an avoidance action would be appropriate).

Severity 1 - Accidents
  - One or more catastrophic accidents
  - One or more mid-air collisions
  - One or more collisions on the ground between two aircraft
  - One or more Controlled Flight Into Terrain
  - Total loss of flight control.
  - No independent source of recovery mechanism, such as surveillance or ATC and/or [UAVS] crew procedures, can reasonably be expected to prevent the accident(s).

Note: my substitution of [UAVS] for flight crew references.

Table 2.2.1(ii) - EUROCONTROL ATM-Focused Separation / Collision Safety Criteria (from [EUR04])
First thought was to try and combine these criteria with those previously, e.g. to add the 'Severity 1' criteria to those for 'Catastrophic'. However, on further consideration, this was rejected:

o The criteria are specifically separation and collision focussed, and do not map well onto airworthiness criteria.

o The criteria introduce issues which may have no airworthiness causes - particularly in the way they consider effects on ATM personnel and 'flight crew' (or UAVS operators in our case). Looked at another way, they provide a means to assess hazards that are caused by ATM personnel and UAVS operators, and start to address the personnel issues within the System of Systems.

o The associated probability targets required by EUROCONTROL under the ESARR 4 regulation do not line up directly with those for airworthiness under CS.23.1309 or CS.25.1309; hence the requirements for a merged category would be out of step. It was felt clearer to maintain the different severity titles in order to dissuade readers' instinctive attempts to merge the safety objectives (see below).

What is arrived at is a dual-criteria system, to satisfy different hazard types and regulatory bodies. This might seem unwieldy, but should be fairly simple to apply in practice:

o For hazards and potential accidents where the UAV comes to ground - affecting the overflown population and / or the UAV itself: apply the Airworthiness safety criteria. These will be predominantly due to airworthiness and reliability causes, and the effect will vary with the system size and speed (see Safety Objectives below). They will also fit within the airworthiness occurrence reporting regime.

o For hazards and potential accidents where the UAV could conflict with other manned aircraft: apply the ATM Separation / Collision safety criteria. These may have a system reliability / airworthiness cause, but could also be due to failures within the wider System of Systems, including personnel and procedural issues. They will also fit within the ATM occurrence reporting regime.

o If a situation arises with potential overlap, i.e. it could cause both an airworthiness and a collision risk, what then? It is not so easy to say 'pick the highest severity', as the different criteria have different safety targets (see below): the highest airworthiness severity can carry a less demanding probability target than the collision criterion, so choosing by severity label alone could understate the overall risk. A different view is that such situations will need the different criteria at different times (e.g. a failure in control causes a UAV to wander off through controlled airspace first, before ultimately crashing to the ground). Hence my proposal is to split the potential hazard into its airworthiness and collision components, and apply each criterion to the applicable component.

Airworthiness-based Safety Objectives

Safety Objectives, in terms of acceptable probabilities, from ARP 4761 are predominantly aimed at heavy transport aircraft. This is in line with FAA / JAA Part 25.1309 (now EASA CS.25.1309 in Europe) and defined in [FAA88]. For smaller manned aircraft, CS.23.1309 would usually apply - this refers in turn to AC 23.1309 [FAA99] for guidance on showing compliance. Both refer to ARP 4761 for guidance on carrying out suitable safety analyses, but AC 23.1309 notes the need to amend the safety objectives. To this end, Safety Objectives for CS.23 and CS.25 aircraft, as acceptable probabilities per flying hour, are compared in Table 2.2.1(iii) below:
Severity of Outcome:                                          Minor     Major     Hazardous  Catastrophic
Category of Aircraft:

CS.23.1309 Class I: Single Reciprocating Engine (SRE)
  / under 6000 lb                                             < 10^-3   < 10^-4   < 10^-5    < 10^-6

CS.23.1309 Class II: Multi-Reciprocating Engine (MRE)
  or Single Turbine Engine (STE) / under 6000 lb              < 10^-3   < 10^-5   < 10^-6    < 10^-7

CS.23.1309 Class III (1): SRE, MRE, STE or
  Multi-Turbine Engine (MTE) / 6000 lb and over               < 10^-3   < 10^-5   < 10^-7    < 10^-8

CS.23.1309 Class IV (2): Commuter Category                    < 10^-3   < 10^-5   < 10^-7    < 10^-9

CS.25.1309 Heavy Transport                                    < 10^-3   < 10^-5   < 10^-7    < 10^-9

Notes:

(1) Aeroplanes in the normal, utility and aerobatic categories that have a seating configuration, excluding the pilot seat(s), of nine or fewer and a maximum certificated take-off weight of 5670 kg (12 500 lb) or less.

(2) Propeller-driven twin-engine airplanes in the commuter category that have a seating configuration, excluding the pilot seat(s), of nineteen or fewer and a maximum certificated take-off weight of 8618 kg (19 000 lb) or less.

Table 2.2.1(iii) - Airworthiness Safety Objectives - probabilities per Flying Hour (from [SAE96], drawn from [FAA88] and compared with [FAA99])
If we wished to apply these variations to UAV airworthiness safety objectives, we would need to identify the equivalent class of vehicle. While we could not consider the seating aspects, it would seem sensible to take the engine configuration and mass into account, and thus arrive at a practical equivalent. However, it is worth noting that the CAA [CAA02] push for a kinetic energy equivalence to be determined in deciding which certification criteria to apply (see section 1.2.1), and this should be considered for the safety objectives too. In most cases, the comparison will probably come out about the same - e.g. a 500 kg UAV, powered by a Single Reciprocating Engine, with stalling speed (Vs) of 40 kts and maximum operating speed (Vmo) of 100 kts would indicate as Class I by either criterion. Unfortunately, this is not always the case - Global Hawk could be considered similar to a CS.23 Class III manned aircraft, but through kinetic energy considerations indicates as a CS.25 class aircraft. With the likely public sensitivity to UAVs entering the media eye (see section 1.2.6) it would seem sensible to take the more demanding of the two indicated sets of safety objectives.

In summary, for UAVS Airworthiness-based safety objectives, it is proposed:

o To determine the UAV kinetic equivalence to manned aircraft (using the method extracted from [CAA02] and shown in Annex B to this report).

o Review the applicable objectives for that class of vehicle (as presented in Table 2.2.1(iii) above) and hence establish the airworthiness objectives for the UAVS.
ATM Separation / Collision based Safety Objectives
It is important to note that the ATM separation / collision based safety objectives will not change with the class of vehicle. The acceptable probability of a Severity 1 accident remains fixed by ESARR 4 [EUR04] at 1.55 x 10^-8 per flight hour.
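The class-dependent airworthiness objectives and the fixed ESARR 4 target can be applied mechanically to a hazard that has been split as section 2.2.1 proposes. The following Python is an added illustration written for this edit; it is not part of the report, of ARP 4761 or of any regulatory tool. It encodes the AC 23.1309 mass / engine class rules and the per-flying-hour targets of Table 2.2.1(iii), the ESARR 4 Severity 1 target, and the rule that each component of an overlapping hazard is judged by its own criterion. The kinetic-energy class thresholds of [CAA02] / Annex B are not reproduced on this page, so the KE-indicated class is supplied by the caller (an assumption); the 'large turbine UAV' figures in the test are constructed, not Global Hawk data.

```python
"""Dual-criteria safety objectives for a UAVS hazard (added illustration, not the report's code).

Encodes the mass/engine class rules and targets of Table 2.2.1(iii), the fixed
ESARR 4 Severity 1 target, and the section 2.2.1 rule that an overlapping
hazard is split into an airworthiness component and a separation/collision
component. The [CAA02] kinetic-energy thresholds are NOT included: the caller
supplies the KE-indicated class from Annex B (assumption).
"""
from dataclasses import dataclass
from typing import Dict, Optional

LB_PER_KG = 2.20462
MS_PER_KT = 0.514444

# Acceptable probability per flying hour, from Table 2.2.1(iii).
AIRWORTHINESS_TARGETS: Dict[str, Dict[str, float]] = {
    "Class I":   {"Minor": 1e-3, "Major": 1e-4, "Hazardous": 1e-5, "Catastrophic": 1e-6},
    "Class II":  {"Minor": 1e-3, "Major": 1e-5, "Hazardous": 1e-6, "Catastrophic": 1e-7},
    "Class III": {"Minor": 1e-3, "Major": 1e-5, "Hazardous": 1e-7, "Catastrophic": 1e-8},
    "Class IV":  {"Minor": 1e-3, "Major": 1e-5, "Hazardous": 1e-7, "Catastrophic": 1e-9},
    "CS.25":     {"Minor": 1e-3, "Major": 1e-5, "Hazardous": 1e-7, "Catastrophic": 1e-9},
}
# Least to most demanding; used to take the 'higher' of two class indications.
CLASS_ORDER = ["Class I", "Class II", "Class III", "Class IV", "CS.25"]

# ESARR 4 [EUR04]: the Severity 1 target does not vary with vehicle class.
ESARR4_SEVERITY1_TARGET = 1.55e-8


def mass_engine_class(mass_kg: float, engines: int, turbine: bool,
                      commuter_category: bool = False) -> str:
    """Class indicated by mass and engine configuration alone (AC 23.1309 rules)."""
    if commuter_category:
        return "Class IV"
    if mass_kg * LB_PER_KG >= 6000:
        return "Class III"          # any engine fit at or above 6000 lb
    if engines == 1 and not turbine:
        return "Class I"            # single reciprocating engine, under 6000 lb
    return "Class II"               # multi-reciprocating or single turbine, under 6000 lb


def kinetic_energy_j(mass_kg: float, speed_kts: float) -> float:
    """Kinetic energy in joules at the given speed; the input to the Annex B comparison."""
    v = speed_kts * MS_PER_KT
    return 0.5 * mass_kg * v * v


def uav_class(mass_kg: float, engines: int, turbine: bool,
              ke_indicated_class: str, commuter_category: bool = False) -> str:
    """Section 2.2.1 recommendation: take the more demanding of the two indications."""
    by_mass = mass_engine_class(mass_kg, engines, turbine, commuter_category)
    return max(by_mass, ke_indicated_class, key=CLASS_ORDER.index)


@dataclass
class SplitHazard:
    """A hazard already split into its two components (either may be absent)."""
    name: str
    airworthiness_severity: Optional[str] = None  # Minor / Major / Hazardous / Catastrophic
    atm_severity: Optional[int] = None            # ESARR 4 Severity 1..5


def safety_objectives(h: SplitHazard, vehicle_class: str) -> Dict[str, Optional[float]]:
    """Apply each criterion to its own component; the two are never merged."""
    out: Dict[str, Optional[float]] = {}
    if h.airworthiness_severity is not None:
        out["airworthiness"] = AIRWORTHINESS_TARGETS[vehicle_class][h.airworthiness_severity]
    if h.atm_severity is not None:
        # Only the Severity 1 target is quoted in the report; others are left open.
        out["atm"] = ESARR4_SEVERITY1_TARGET if h.atm_severity == 1 else None
    return out


def highest_severity_shortcut_is_misleading(h: SplitHazard, vehicle_class: str) -> bool:
    """True when the collision target is stricter than the airworthiness target, i.e.
    'pick the highest airworthiness severity' would under-specify this hazard."""
    obj = safety_objectives(h, vehicle_class)
    return (obj.get("airworthiness") is not None and obj.get("atm") is not None
            and obj["atm"] < obj["airworthiness"])


if __name__ == "__main__":
    # 500 kg single-piston UAV, Vs 40 kt, Vmo 100 kt: the section 2.2.1 example.
    cls = uav_class(500, engines=1, turbine=False, ke_indicated_class="Class I")
    # Control failure: transit of controlled airspace first, ground impact afterwards.
    h = SplitHazard("loss of control, transit of controlled airspace then ground impact",
                    airworthiness_severity="Catastrophic", atm_severity=1)
    print(cls, safety_objectives(h, cls), highest_severity_shortcut_is_misleading(h, cls))
```

For the Class I example the Catastrophic airworthiness target is 10^-6 per hour while the collision component carries 1.55 x 10^-8, so the 'highest severity' shortcut would have dropped the stricter requirement; for a CS.25-equivalent vehicle the airworthiness target is the stricter of the two and the shortcut happens to be harmless, which is exactly why the components are kept apart.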
2.2.2 FHA Levels to Address System Complexities
Currently, ARP 4761 calls for Aircraft Level then deeper System level Functional Hazard Analyses (FHAs), in order to identify significant hazards (see discussion at section 2.1). What levels are appropriate for assessment of a UAVS?

Dealing with the UAV System boundary & complexity

As noted in section 1.1.2 of this report, there were concerns over the 'airworthiness' boundary for the UAVS. It was clear that the critical elements extended beyond just the UAV itself, and probably included elements such as the GCS, the Datalink, the Flight Termination System (FTS) (if used), but did it include wider aspects such as mission planning systems and so on? The boundary was unclear.

However, if we consider that the aim of the Aircraft Level FHA in ARP 4761 is to explore the critical functions that lie within the designer's control, then the boundary does not really matter at this stage. The bulk of functionality within the planned UAVS is to replace that taken for granted in manned systems. Thus, by extending the Aircraft Level FHA to be a UAVS Level FHA, looking at all functions of the UAVS within the designer's control, the outcome would be an identification of all the functions that are critical to the safe behaviour of the system and the consequences of their breakdown.

These would then flow down into the System level FHA, et al, as described in the ARP, to be analysed as functional sub-systems within the UAVS.

In section 2.1, it was suggested that the extended criticality criteria should consider people and procedural aspects of the system, as these were not specifically addressed by the ARP. However, in the early stages of UAVS design, the specific nature of these elements may not be known. Instead, I would propose that it is important to understand the role they play rather than the details - essentially to understand the functions they might perform. In this way, after having performed the UAVS-level FHA, the designer would use the results to inform decisions on where to partition functions between the hardware, software and human elements of the system. By doing this, a proactive approach can be taken to ensure that the human and procedural elements are well designed and part of an integrated approach to safety, rather than just dumping ad hoc safety monitoring tasks there in order to keep the system simple (as has been the way in the past with some system designs). Further guidance on the human elements of safety and designing for human factors can be found in the York University HFE course [HFE05].

Dealing with the System of Systems around the UAVS

As was discussed in section 1.1.2, UAVS operate within a wide System of Systems (SoS), and in section 2.1 it was noted that [SAE96] was not strong in analysing these relationships.

One consideration was to introduce a 'Super-system' level FHA to the process, to assess the functions of the wider SoS. However, this was not felt to be practical for the UAVS designer to attempt: while he wishes to understand the SoS to the extent that it affects his system, he can control only a (relatively) small element of it and a full analysis would take excessive resources. On reflection, this level of analysis might be useful for a wider SoS player such as EUROCONTROL or EASA to conduct, and provide resulting information to inform system designers.

A research area of interest is the work ongoing towards decomposition of safety policy, for Systems of Systems. This is discussed by Hall-May and Kelly in [Hall05], looking at how policy (that is, permitted and required behaviours) can be flowed down from top-level goals for different agents, or different situational cases, within a SoS. An example from the paper is shown in Figure 2.2.2a, below.
Figure 2.2.2a – Example of decomposition of high level policy to lower level agents or cases [Hall05]

Such decomposition causes (usually implicit) assumptions over the context behind such policies to be made explicit. It also requires the policy setter to understand (even at a fairly simple level) a model of expectations over how the agents can behave – e.g. glider pilots cannot be expected to climb to satisfy policy. If EUROCONTROL or EASA (say) were to develop such a policy model, this would be of great use: both for UAVS designers to understand explicitly what was required (and hence allocate suitable functions for safety analyses – see 2.2.3); and for EUROCONTROL / EASA to better understand how UAVS and other novel systems may / should behave within their wider SoS. It would also allow areas of policy failure to be explored, to determine where the SoS overall may be sensitive to single-point breakdown.

The UAVS designer's interest is to achieve a better understanding of the interactions between the UAVS and the SoS. This suggested that parallels could be drawn with Requirements Engineers, trying to understand the 'problem domain' and how the World and their potential Machine interface. From a review of their methodologies in [RQE05], it is proposed that a Rich Context Diagram could provide a suitable visual model to help draw out complexities and interactions. An example is shown in Figure 2.2.2b below, for a Train Control System.

The Rich Context Diagram as proposed assists by:

o Helping to gather domain information - we can use it to establish the existing context through: observed behaviour (as functions of the systems and people elements); processes (people); data (systems).

o Helping to define the machine / world boundary - the world is all that we cannot control; the system is all that we can control. Note that there are occasions where the boundary can be negotiated, but many where it cannot (such as over ATM system interfaces, for example).

o Establishing the problem context - identifying the relevant parts of the world; their interactions with each other and the machine.
Figure 2.2.2b - Example of Rich Context Diagram (taken from [RQE05, unit 20])
This latter point is a key element of how Rich Context Diagrams differ from the traditional Context Diagram: in the traditional form, only direct interactions with the machine are identified, so in the example, the driver would not be shown. It was felt that this would be a major shortcoming to understanding the SoS, as the bulk of the 'world' has already been set up for manned aircraft, and it was suspected that there were key interactions between existing elements that would need to be understood.

Thus to summarise for this section:

o FHA levels should be established at UAVS-level (rather than Aircraft Level), and subsequently down into system-level as per the ARP.

o Instead of a Super-System FHA, establish a Rich Context Diagram, to ensure that the SoS and its interactions with the UAVS are suitably understood, to inform the UAVS-level FHA.

2.2.3 Function Identification

Our analysis method needs a robust identification of functions, as these are the building blocks for the hazard identification. We do not want to miss out vital functions (and thus areas of hazard analysis and design requirement) due to assumption or error, which will later be found to have critical safety implications for the system in-service. ARP 4761 provides a little guidance on function identification aimed at Aircraft Level FHA, but what is there is aimed at a primarily unitary overall system. This guidance needs to be built upon, to ensure a more structured approach for a UAVS made up of several system elements and working within a wider SoS.

ARP 4761 Annex A starts by looking at Source document requirements, but we will return to this once the needs for information to support the functional identification have been explored (see below).
ARP 4761 also suggests an 'Aircraft Level generic hazard list' to help get started. As was noted in 'Focus for project development' at section 1.3.2, such a list would be useful to develop for UAVS-level assessments, and so would a starter list of generic UAVS functions, to act as a catalyst for assessment of new UAVSs.

Internal Functions

The ARP [SAE96] suggests that, for the Aircraft Level "...these are main functions of the aircraft and functions exchanged between the internal systems of the aircraft." Our concern here is to ensure that the identification adequately explores the complexity of the UAVS, both in its overall capabilities and in its internal interactions (see sections 1.1.1, 1.1.2 and 2.1). To achieve this, the following structured approach has been developed, to identify the Functions List (or Functions Tree as preferred):

1. Consider UAVS functions overall:

a. Ideally, there will be an established User Requirement Document or similar specification to draw upon.

2. Consider functions determined by the UAVS internal structure:

a. Is there a simple representation of the initial design concept? These could be as formal as Yourdon diagrams or Functional Block Diagrams (as discussed in [HRA03]), or could be a simple architectural model (like an internal Context Diagram) showing interactions between the UAV, the GCS, use of the datalink etc.

b. Consider each major element of the structure and identify any additional internal functions - it may help to consider each as a transform mechanism, that is to consider the inputs and the resultant modified set of outputs, in order to determine what functions that element needs to perform the transformation:

(i) Does the element have particular behaviour functions - e.g. does it react physically to inputs?

(ii) Does it have control functions - does it monitor and/or control the behaviour of other elements?

(iii) Does it have information functions - does it generate information or process data, to be used elsewhere?

(iv) Does it have utility functions - such as power generation, needed to provide support elsewhere in the system?

c. Care will be needed to balance what is sensible to achieve at the UAVS level analysis, and what can be left to the more in-depth System-Level analyses. The balance may be self-imposed by the limited design information available at the early stages of the project.

3. Consider the effect of flight phases, as UAVS usually have a broader mission profile than the transport aircraft that [SAE96] was intended for originally:

a. See 'Flight Phases' below for discussion on identifying flight phases.

b. Review the function list (so far) for each proposed flight phase and mission variation, to identify any additional functions or sub-functions.
At this point, some concern was felt over how complete the function list could be, and whether improvement would be possible through more formal modelling of the system using the Unified Modelling Language (UML) or similar specification tools. A further review of literature showed that there is a developing theme of model-based safety analyses. Joshi and Heimdahl [Jos05], for instance, discuss application of Simulink modelling tools to transfer a design representation of the ARP 4761 Wheel Braking System example into the SCADE Design Verifier tool, and from there progress through automated FHA into Fault Tree Analysis and Failure Mode Effects Analysis generation. This work is very promising for UAVS application in terms of: developing formal system models; formalizing fault conditions; automated analysis and verification (including assessing multiple failures – see 2.2.4 below); and developing formal methods to ensure completeness of assessment. However, this approach needs a detailed model of the system design, and [Jos05] notes that it is intended to fit into the bottom of the system / safety 'V' (to make it a system / safety 'Y' and hence improve the efficiency of developing and integrating the system safely). Thus, it will ultimately be more suited to the later stages of the safety assessment, through detailed PSSA and SSA – see figure 2.2.3a, below.
Figure 2.2.3a – Modified ‘V’ to ‘Y’ model safety assessment process [Jos05]
Exchanged Functions
[SAE96] suggests that, for the Aircraft Level "...these are functions that interface with other aircraft or with ground systems." As discussed earlier (sections 2.1 and 2.2.2), more guidance is needed to ensure that the interactions with the wider SoS are identified, hence the following additional advice is proposed:

1. Using the Rich Context Diagram identified in section 2.2.2:

a. Consider each element in turn that the UAVS will interact with.

b. Consider each Rich Context Diagram interaction for implied functions on the UAVS. Again it may help to consider the UAVS as a transform mechanism:

(i) Are there particular behaviour functions - e.g. does it react physically to inputs?

(ii) Are there control functions - does it monitor and/or control the behaviour of other elements?

(iii) Are there information functions - does it generate information or process data, to be used elsewhere?
(iv) Are there utility functions - such as power generation, needed to provide support elsewhere in the system?

Flight Phases

Flight phases can be somewhat more exotic for UAVs than the transport aircraft originally considered by ARP 4761 (as discussed in section 1.1.1). It is important that all phases are identified, for the main mission and also any variations (e.g. a UAV might act as a sensor gathering target information, but might also be able to act as a datalink relay for another UAV). For this reason, the following modification is proposed to supplement the HazID method:

1. Mission types and parameters should be reviewed to identify the various flight phases possible, for main and alternate mission types.

a. This could be gleaned from the User Requirement Document (URD), or maybe there is a simple Concept of Operation (ConOps) that can be used.
UAVS-Level FHA Source Data Input Requirements
From the work above, there are obvious additions to the initial list of source documents for the UAVS-Level assessment. The proposed list would now read:

1. List of generic UAVS functions (when available).

2. The UAVS objectives and customer requirements

a. Ideally from a URD or similar specification.

3. Initial design decisions or constraints (e.g. size and type of UAV, scope of GCS, scope of Datalink)

a. Perhaps a simple design representation, such as a Yourdon or Functional Block Diagram

b. Or an initial architectural representation of the system elements (such as an 'internal' Context Diagram).

4. A representation (such as a Rich Context Diagram) showing the interactions of the UAVS with the outside world (the SoS) and any critical interactions between those external elements (such as between ATM and other, manned aircraft).

5. Initial mission types or constraints.

a. From a simple ConOps for the system.

From the above input data, it should prove feasible to draw up a suitably robust Function List or Function Tree, and hence get the FHA off on a sound basis.
2.2.4 Identification and Description of Failure Conditions
ARP 4761 proposes that identification and description of failure conditions for a particular function begins with definition of an Environment and Emergency Configuration list (in order to understand 'normal' and 'degraded' aspects of operation), before going on to consider failure conditions in depth. Each of these aspects is discussed below - note that it is proposed to separate the environment and emergency configurations into two lists, in order to make them more manageable.
Environment List
[SAE96] starts with suggestions of weather, High Intensity Radio Frequency (HIRF) and volcanic ash as examples pertinent to transport aircraft.

For UAVS, the list of possible environments to consider needs to grow. As noted in section 1.1.1, UAVs may operate in a very different environment from manned aircraft, due to a combination of their performance and role / mission differences.

1. The Environment List should be defined from a review of appropriate domains:

a. Weather aspects - e.g. temperature, icing, precipitation, winds, visibility...

b. Overflown terrain aspects - this may raise additional 'weather' aspects, such as wind-shear, sand and dust storms. It may also indicate other aspects such as for landing and take-off, or communications masking.

c. Electrical environment - in particular, man-made or natural RF fields such as High Intensity Radio Transmission Areas (HIRTAs), and perhaps aspects of limited or overlapping spectrum, where problems can be foreseen.

d. Mission environment - such as personnel shift-changeovers (for long endurance missions), or action of hostile forces for military uses, or use in day or night.

e. Air traffic environment - such as the classes of airspace that may be flown through or nearby, and the levels and types of traffic.

2. Some of these aspects might already have come to light from creation of the Rich Context Diagram (section 2.2.2). However, in order to define this list adequately, it may prove necessary to extend the assessment through use of a series of simple scenarios or vignettes, to define typical situations - more is proposed on this aspect under section 2.2.5.
Emergency Configuration List
Consider any specific emergency or 'expected' abnormal flight conditions that may occur. Some will be defined in regulation (see section 1.2.2, under Emergency Procedures), others might be necessary due to initial design choices. A preliminary listing of aspects of regulation and guidance from material discussed in the Literature Review (Part 1) has been identified below, though it is not proposed as being complete in all respects:

1. Single failure of the UAV communication link, and/or control link (uplink and/or downlink, depending on implementation)
2. Operation of Flight Termination System (if fitted)
3. Else, conduct of other Emergency Recovery procedures due to loss of critical system(s)
a. With UAV-p control
b. Without UAV-p control (i.e. autonomous)
4. Emergency landing due to loss of thrust
5. Collision avoidance with co-operative and non-cooperative aircraft
a. Including evasive manoeuvre
6. Terrain avoidance
7. Interception by military aircraft
8. Failure of onboard Sense and Avoid equipment
9. Operation with degraded systems
10. Degradation of weather conditions
11. Security threats to upload data, commands and transmissions
Items 1-8 are drawn from [UTF04]; items 1, 3, 6,7, 9 - 11 from [CAA04]. Clearly the intent ofthese sources is to try and mitigate what are seen as the inherent hazards of UAVS: it will beinteresting to see if the list is appropriate and complete.
Failure Condition Determination
[SAE96] suggests that single failures may be determined by "examining the original [functions] list created in the previous steps and, in addition, applying an analysis of the concept design created in the initial design process". While not UAVS specific, it is proposed that the Functional Failure Analysis advice contained in [HRA03, session 12] provides valuable guidance to help structure the determination of failure conditions. This proposes three categories of failures to assess:

1. Function not provided – this is fairly easy to interpret for responsive functions, but care is required with continuous or periodic functions, to ensure that variations are assessed: single failure; periodic failure; complete loss.

2. Function provided when not required – obviously, this is not applicable to continuous functions.

3. Incorrect operation of function – this can be a tricky catch-all, which needs care to ensure completeness. Examples include: asymmetry; substitution; partial; timing.

One aspect of interest is that ARP 4761 implies that there can be significant differences depending on whether failures are annunciated or unannunciated. This is worth noting for the UAVS analysis, and it may be more interesting when we consider which of the various stakeholders (from our Rich Context Diagram) the failures would / could / should be annunciated to.

To identify multiple failures, [SAE96] suggests that "...this process is aided by an understanding of the aircraft and system architecture. Multiple failures have to be considered, especially when the effect of a certain failure depends on the availability of another system". To apply some structure to this, we should consider multiple failure conditions:

1. Through assessment of the initial design architecture (perhaps represented by our internal context diagram). In particular, consider any elements that could suffer some common cause of failure (such as EMI affecting both navigation and communications functions).

2. Where mitigation for a critical function failure is expected through the successful operation of another function. Here, we should reconsider the criticality of that function, and review 'what if' that function failed also, to give us a more rounded assessment overall.

In part, some of this multiple failure analysis will occur through application of the Emergency Condition list, where regulation and guidance has already highlighted some expected areas of criticality such as datalink and propulsion functions. Application of the method will need care to ensure that variables caused by design implementation (as it develops) are suitably identified and assessed.
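As an added illustration (my own, not part of the report), the three failure categories and the two multiple-failure rules above can be turned into a small generator that enumerates failure conditions for a fragment of a function tree. The functions, their kinds (responsive, continuous, periodic), the mitigation links and the common causes are constructed for the example; the numbering only follows the style of the report's tree.

```python
"""Guide-word generation of functional failure conditions (added example; not from the report).

Functions are described by an id, a name, whether they are responsive, continuous or
periodic, which other functions are relied on to mitigate their failure, and which
common causes could affect them. The sample tree fragment is constructed for the example.
"""
from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class Function:
    fid: str
    name: str
    kind: str                                           # "responsive" | "continuous" | "periodic"
    mitigated_by: list = field(default_factory=list)    # fids relied on if THIS function fails
    common_cause: set = field(default_factory=set)      # e.g. {"EMI", "control datalink"}


# Variants of 'not provided' for continuous/periodic functions, and of 'incorrect
# operation' for every function, following the categories discussed above.
LOSS_VARIANTS = ("single (transient) loss", "periodic loss", "complete loss")
INCORRECT_VARIANTS = ("asymmetric", "substituted", "partial", "timing (early / late)")


def single_failures(fn):
    """Failure conditions for one function: (a) not provided, (b) provided when not
    required, (c) incorrect operation."""
    conds = []
    if fn.kind == "responsive":
        conds.append((fn.fid, "a", f"{fn.name}: not provided when required"))
        conds.append((fn.fid, "b", f"{fn.name}: provided when not required"))
    else:
        # Continuous / periodic: expand 'loss' into its variants; category (b) does not
        # apply (an implied on-demand sub-function must be listed as its own responsive entry).
        conds += [(fn.fid, "a", f"{fn.name}: {v}") for v in LOSS_VARIANTS]
    conds += [(fn.fid, "c", f"{fn.name}: incorrect, {v}") for v in INCORRECT_VARIANTS]
    return conds


def annunciation_variants(cond, stakeholders):
    """Split a condition into an unannunciated version and one per stakeholder it could be
    annunciated to. Use selectively; applied to every condition it multiplies the listing."""
    fid, cat, text = cond
    out = [(fid, cat, f"{text} [unannunciated]")]
    out += [(fid, cat, f"{text} [annunciated to {s}]") for s in stakeholders]
    return out


def multiple_failures(functions):
    """Combinations worth assessing: (1) pairs sharing a common cause; (2) loss of a
    function together with loss of the function relied on to mitigate it."""
    by_id = {f.fid: f for f in functions}
    combos = []
    for x, y in combinations(functions, 2):
        shared = x.common_cause & y.common_cause
        if shared:
            combos.append((x.fid, y.fid, "common cause: " + ", ".join(sorted(shared))))
    for f in functions:
        for m in f.mitigated_by:
            combos.append((f.fid, m, f"'{f.name}' lost together with its mitigation '{by_id[m].name}'"))
    return combos


# Constructed fragment of a function tree (numbering in the report's style; the kinds,
# mitigation links and common causes are assumptions for the example).
FUNCTIONS = [
    Function("1.4", "Manual Override - Remote Piloting", "responsive", common_cause={"control datalink"}),
    Function("1.6.1", "Control Airspeed", "continuous", mitigated_by=["1.4"]),
    Function("2.1.1", "Determine Position, Heading & Altitude", "continuous", common_cause={"EMI"}),
    Function("2.5.1", "Terrain Awareness & flight path proximity", "periodic", mitigated_by=["1.4"]),
    Function("9.3", "En-route ATC communications", "responsive", common_cause={"EMI", "control datalink"}),
]


def ffa(functions=FUNCTIONS):
    """Return (single failure conditions, multiple-failure combinations) for a function list."""
    singles = [c for f in functions for c in single_failures(f)]
    return singles, multiple_failures(functions)


if __name__ == "__main__":
    singles, multiples = ffa()
    for fid, cat, text in singles:
        print(f"F{fid} ({cat}) {text}")
    for x, y, why in multiples:
        print(f"multiple: {x} + {y}: {why}")
```

Two points the output makes visible: a continuous function modelled as such gets no category (b) entry, so any on-demand behaviour hidden inside it (change airspeed when required, for instance) has to be entered separately as a responsive function or it is never assessed; and every function that names 'manual override' as its mitigation is paired with loss of that override, which is exactly the "what if that function failed also" review the text asks for.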
2.2.5 Identifying and Managing the Effects of the Failure Conditions
From ARP 4761, this covers the following elements of the FHA process:

1. "Classification of failure condition effects on the aircraft (Catastrophic, Severe-Major/Hazardous, Major, Minor and No Safety Effect)."

2. "Assignment of requirements to the failure conditions to be considered at the lower level."

3. "Identification of the supporting material required to justify the failure condition effect classification."

4. "Identification of the method used to verify compliance with the failure condition requirements."
Identification and Classification of failure condition effects
For UAVS, as noted in section 2.1, it is not the effect of a failure on the UAVS that matters; it is predominantly the end effect on other stakeholders, such as airspace users or the overflown public, so our method needs to ensure that the mission / environmental / ATM context is adequately understood. There is already some foundation in the methodology proposed so far, with definition of the Rich Context diagram (section 2.2.2), Flight Phases (2.2.3) and Environment and Emergency Condition list (2.2.4). This is supplemented further, through the following proposed elements:

1. For the majority of failure conditions assessed, it is proposed that the existing contextual information (as noted above) will be sufficient. However, as mentioned in section 2.2.4 (in defining environmental conditions), there may be some cases where this is not sufficient. Our existing contextual information is trying to cover the broad scope of variations and generally applicable parameters, in essence defining the outer envelope of how the system will be used.

2. For more complex failure conditions, use of scenarios is proposed to supplement the assessment. When used in Human Factors Engineering (as discussed in [HFE05, unit 3]), scenarios are suggested as "episodes in which the [system] is used" - instead of being general applications, each scenario (for HFE) is put forward as a scripted, specific situation for use of the system, with concrete conditions, events and actors. A scenario thus provides a more detailed representation of a situation within the broader envelope defined in our other contextual representations. We could not hope to cover the whole envelope of environments and usage with scenarios, but used selectively as supplements, they could help draw out some of the complexities of key situations and (in particular) how conditions and events might come together to affect the UAVS.
Drawing parallels from scenario use for HFE, scenarios could be selected for specific situations of interest, from the following:

1. (Initially) 'routine' mission stages - all was going well, just like every other day, until...

2. Exceptional circumstances - perhaps extremes of climate, weather or unusual terrain, or variations of mission type...

3. Disadvantaged or extraordinary users - e.g. operation at the end of a shift (fatigue) or after shift change (unfamiliarity); under extreme workload (such as busy airspace)...

4. Accident or failure - e.g. specific instances of system failure (e.g. multiple failure conditions); or expected crisis procedures such as Emergency Recovery, weather diversion...
Also from a manipulation of the HFE application in [HFE05], a scenario should consist of the following elements:

1. Scenario name

2. Rationale - why is this scenario of interest?

3. Agents - who is involved (including agents from the wider SoS)?

4. Situation and environment context - physical situation and narrative of the environmental conditions (including weather, climatic and overflown terrain considerations, where pertinent).

5. Mission context - replacing 'task context' for our use, i.e. what was the system doing / intended to be doing? What are the goals of the UAVS user?

6. Airspace context - this additional element is added to ensure that the ATM domain is considered, e.g. for airspace type and traffic conditions.

7. System context - what condition is the system in during the scenario (e.g. degraded systems)?

8. Actions? - For HFE, this would describe a linear path of actions and events through to some conclusion. However, for our use, we may be interested in using the same scenario for analysing a number of different action sequences. As such, it may be more useful to leave the scenario as a defined 'starting situation' using the fields above, and then describe the different outcomes and consequences separately in the analysis of each appropriate functional failure condition.

Note that it is not intended to subvert the need for specific HFE activities - those will still be required in their own right, for detailed design. The intent here is to co-opt a HFE technique to help analyse complex conditions for functional failure effects.
For the overall classification of the functional failure, the appropriate severity table will need to be applied, as discussed in section 2.2.1. To recap:

o For hazards and potential accidents where the UAV comes to ground - affecting the overflown population and / or the UAV itself: apply the Airworthiness safety criteria.

o For hazards and potential accidents where the UAV could conflict with other manned aircraft: apply ATM Separation / Collision safety criteria.

Assignment of requirements to the failure conditions

ARP 4761 discusses the application of appropriate probability requirements, in order to assure adequate safety levels for the system overall. All that needs to be noted here is that the requirement will need to be appropriate to the severity criteria applied, i.e. as pertinent to Airworthiness or ATM Separation / Collision safety targets (as discussed in section 2.2.1).

Supporting material required to justify the failure condition effect classification

Currently, it is proposed that the guidance within ARP 4761 will be suitable for UAVS application, for this aspect.

Verification method for certifying requirements compliance

As above, it is proposed that the guidance within ARP 4761 will be suitable for UAVS application, for this aspect.
2.2.6 Summary of Amended FHA Process

This section pulls together the various modifications to the ARP 4761 FHA process, proposed in order to apply the method more readily to UAVS safety assessment and certification. The proposed changes are summarised thus:

1. In section 2.2.1, a dual set of safety criteria is proposed, to satisfy both airworthiness requirements (where the UAV may come to ground and affect the overflown population) and ATM separation / collision requirements (where the UAV might affect other airspace users). The airworthiness criteria and targets may vary with class of UAV according to CAA kinetic equivalence criteria (reproduced in this report at Annex B). The ATM separation / collision requirements do not vary, being fixed by EUROCONTROL.

2. In section 2.2.2, it was concluded that the complexities of the extended system could be addressed by carrying out the [SAE96] 'Aircraft Level' FHA as a 'UAVS-Level FHA'. To bring in consideration of the wider System of Systems, the use of a Rich Context Diagram is proposed, as too much lies outside the UAVS designer's remit or resources for a 'System of Systems' level FHA.

3. Sections 2.2.3 to 2.2.5 go on to consider the conduct of the UAVS-Level FHA. These activities are summarised in Figure 2.2.6a, below. This figure is based heavily (in style) on the original 'Aircraft Level FHA' Figure A1 in ARP 4761 [SAE96], in order to ensure recognition by experienced users and regulators - the ARP 4761 figure is reproduced in Annex A to this report (Figure A-1), as part of the more detailed critique of that document for UAVS application.
Figure 2.2.6a - ARP 4761 FHA Process, with modifications overlaid for UAVS applicability
PART 3 - TEST AND EVALUATION

This part of the report seeks to answer the following vital questions, relating to the proposed way forward in HazID for UAVS as put forward in Part 2:

o Does the Revised ARP 4761 HazID Method Work? That is, is it practical to apply and does it robustly identify hazards for UAVS?

o If so, then what are the hazards of manned and unmanned aircraft integration, and how does our listing compare to expectations?

Section 3.1 describes the test and evaluation methodologies used. Section 3.2 looks at the first question, evaluating the practicality of application. Section 3.3 considers the second question, evaluating the derived hazard listing.

3.1 Test Methodology

Test Method Selection

In order to determine the practicability of the revised HazID method, it needed to be trialled. To do this, the modified ARP FFA process has been applied to a 'typical' UAVS case study (see description, below). While it was not possible in this project to consider its application for all types of UAVS (see sections 1 and 1.1 for the diversity among current UAVS), it was possible to choose a 'mid-range' system with broad applicability that will soon be facing the prospect of integration into manned airspace. In the longer term, it would be useful to check the wider applicability, by trialling against case studies at the more extreme ends of the UAVS spectrum such as HALE and micro-UAVs. The results are presented in Annex D, and discussed in Section 3.2.

If the method proved practicable, then the HazID should produce a hazard listing. How could we test the robustness of our HazID method, to ensure that the hazard listing is sound? Caseley of the Defence Science and Technology Laboratory (DSTL), in [dst04], discusses use of the "Capture - Recapture" method, a technique borrowed from the Ministry of Agriculture, Fisheries and Food (MAFF). In MAFF use, a pool is trawled for fish, and all caught are tagged and released; then the pool is trawled again, and the proportion of fish recaptured compared to the number newly caught gives an indication of the total fish in the pool. DSTL used this method to provide a rough comparison of the efficiency of hazard identification by two separate agencies for the same project, and to identify coarsely how many hazards had gone unfound. A graphical view of the method is shown in Figure 3.1a, below. Caseley quotes the following example figures, to show simple factors of confidence:

o Agency A found 20 hazards, Agency B found 30, with 15 common hazards between the two groups.

o The proportion of hazards captured was estimated as 15/30 = 0.5

o The possible total number of hazards was estimated at 20/0.5 = 40
Figure 3.1a - "Capture - Recapture" analysis method, to measure the effectiveness of hazard identification processes
Obviously, there are many statistical assumptions and simplifications inherent in this method (including a major assumption that the methods are truly independent), but as a simple measure it gives reasonable first order results, and should suffice for our purposes. With this in mind, it was decided to commission a separate FHA for the case study, but using a Structured What If Technique (SWIFT) for diversity of method, and using different personnel for independence of analysis. SWIFT takes a technology, flow or procedural assessment, using structured categories and key words for hazard elicitation, which (with separate personnel for different thought processes) is proposed as ensuring adequate independence of assessment. The SWIFT results are presented in Annex E; the hazard listing from the modified FFA process is presented in Annex F, and the results are jointly evaluated in Section 3.3.
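The Capture - Recapture arithmetic above is trivial; the practical difficulty is deciding which hazards in two independently worded listings are 'the same' before the overlap can be counted. The following added example (my own, not the report's or DSTL's code) pairs hazards by a crude word-overlap score and then applies the estimator, alongside the Chapman bias-corrected form. The hazard wording in the two sample listings and the matching threshold are constructed for the example.

```python
"""Capture-Recapture check on two independent hazard listings (added example; not the report's
or DSTL's code). Hazard wording and the matching threshold below are constructed."""
import re

STOPWORDS = {"of", "the", "a", "an", "to", "and", "or", "in", "on", "with"}


def _tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower())) - STOPWORDS


def match_hazards(list_a, list_b, threshold=0.5):
    """Pair hazards from two listings whose wording overlaps enough (Jaccard on word tokens).
    Each hazard is matched at most once. Returns (index_in_a, index_in_b) pairs; the analyst
    still has to confirm them and add the matches the crude score misses."""
    pairs, used_b = [], set()
    for i, ha in enumerate(list_a):
        ta, best, best_j = _tokens(ha), 0.0, None
        for j, hb in enumerate(list_b):
            if j in used_b:
                continue
            tb = _tokens(hb)
            jac = len(ta & tb) / len(ta | tb) if (ta | tb) else 0.0
            if jac > best:
                best, best_j = jac, j
        if best_j is not None and best >= threshold:
            pairs.append((i, best_j))
            used_b.add(best_j)
    return pairs


def capture_recapture(n_a, n_b, common):
    """Lincoln-Petersen estimate of the total hazard population (the form used in the report),
    plus the Chapman bias-corrected form and the implied number of hazards still unfound."""
    if common == 0:
        raise ValueError("no common hazards: the estimator is undefined")
    proportion = common / n_b                 # share of B's catch that A had already 'tagged'
    lincoln_petersen = n_a / proportion        # = n_a * n_b / common
    chapman = (n_a + 1) * (n_b + 1) / (common + 1) - 1
    found = n_a + n_b - common                 # size of the union of the two listings
    return {
        "proportion_captured": proportion,
        "lincoln_petersen": lincoln_petersen,
        "chapman": chapman,
        "found": found,
        "estimated_unfound": lincoln_petersen - found,
    }


def compare_listings(list_a, list_b, threshold=0.5):
    """Match two worded listings, then estimate the population from the overlap."""
    pairs = match_hazards(list_a, list_b, threshold)
    return pairs, capture_recapture(len(list_a), len(list_b), len(pairs))


# Constructed sample wording from two analysts looking at the same system.
LISTING_A = ["Loss of control datalink in transit", "Airspeed runaway up", "Unaware of surrounding terrain"]
LISTING_B = ["Control datalink lost during transit", "Terrain awareness lost", "Engine failure on climb-out"]

if __name__ == "__main__":
    print(capture_recapture(20, 30, 15))      # the report's worked figures: 40 total, 5 unfound
    print(compare_listings(LISTING_A, LISTING_B))
```

With the report's figures the estimate is 40 hazards in total, i.e. 5 not found by either team. On the constructed listings the token score pairs the two datalink hazards but misses 'Unaware of surrounding terrain' against 'Terrain awareness lost', which shows why the common count must be settled by analyst review rather than by wording alone: an undercount of the overlap inflates the estimated population and the apparent number of missed hazards.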
Case Study Description

The 'Guard Dog' case study has been defined based on a number of current and near-future Tactical UAV Systems. While intended for over-battlefield use, the Armed Forces need to train in their use, and with extended range and duration, they are keen to operate outside segregated range area boundaries. The case study considered a generic Tactical UAV (TUAV) operating out of a 'UAV friendly' airfield and out into integrated general (not controlled) airspace, in order to reach a range area for payload operation. The case study introduced aspects of interest relating to the performance and operation of the system, as well as the need to integrate it into a varied terrain and airspace environment. The background to the case study is shown in Annex C to this report, while a graphic overview of the system is shown in Figure 3.1b, below.
Figure 3.1b - Overview of Guard Dog UAVS case study
3.2 Evaluation of the Modified HazID Method through Trial Application

This section looks at the actual application of the proposed FFA method, and evaluates its practicability of use. Extracts from the FFA are shown below as examples, while a fuller listing is shown at Annex D.

3.2.1 Derivation of Safety Criteria and Objectives for UAVS Application

Deriving airworthiness safety criteria using the [UTF04] suggested definitions in Table 2.2.1(i) was straightforward at this stage – more questions were expected in their application (see Section 3.2.5).
Table 3.2.1(i) - Airworthiness Failure Condition Severities for 'Guard Dog' (drawn from Table 2.2.1(i))

Minor: Slight reduction in safety margins (e.g. loss of redundancy)

Major: Significant reduction in safety margins (e.g. total loss of communication with autonomous flight and landing on a predefined emergency site)

Severe Major / Hazardous: Controlled loss of the UAV over an unpopulated emergency site, using Emergency Recovery procedures where required

Catastrophic: UAV's inability to continue controlled flight and reach any predefined landing site
Defining safety objectives proved almost as straightforward. Using both the CS.23.1309 definitions shown in Table 2.2.1(iii) (Single Reciprocating Engine (SRE) / under 6000 lbs) and the CAA kinetic energy method (shown in Annex B), both arrived at the same conclusion of CS.23.1309 Class 1 probability criteria.

ATM separation criteria were already fixed, in accordance with Table 2.2.1(ii) (as they do not change with vehicle class).
3.2.2 FHA Levels to Address System Complexities

At this stage it was not possible to pronounce on the success of a 'UAVS-level' FFA – more is said of this in Section 3.2.3.

What did prove very useful was the derivation of a rich context diagram to model the System of Systems – see Figure 3.2.2a (a larger scale version is shown in 'landscape' at Figure D-1 in Annex D).

Figure 3.2.2a - Rich Context Diagram for Guard Dog UAVS and the System of Systems

It took quite a while to arrive at a result that seemed satisfactory, but this was a measure of the complexity of interactions rather than any difficulty of method.

The figure shown is the result of a single-analyst application. It would have been very useful at this stage to use the diagram as a focus for discussion with key stakeholders, in order to draw out any more interactions.
3.2.3 Function Identification

Internal Functions

As the case study was intended to be generic, there was no formal documentation such as a User Requirement Document or Yourdon diagrams, only the brief outline of the Case Study (Annex C). The function derivation was thus from first principles.

The simple representation of initial design architecture (Figure 3.1b / Figure C-1) was useful, to help break the system down to manageable pieces (while still being able to consider the overall system). It helped to be able to look at each element in turn, to draw out functions from that view. In considering each element, a 'mind map' was drawn for each element to pick out its related functions, then resolve / consolidate any overlaps between different elements under a higher level function. For example, 'Manage Datalink' was a function picked out to cover aspects pertinent to both UAV and GCS viewpoints. Care was needed to not become too 'object' focused (we still wanted to keep a system-level overview). An example of one of the mind maps is shown in Figure 3.2.3a.
Figure 3.2.3a – Example of use of mind-map to consider each system element's view of functions

[Mind map, GCS-centred view; the branch labels recoverable from the figure are:]
GCS
  - Mission Planning: Plan Route; Upload Mission Plan; Change Mission Plan; Control UAV? (manual Override - remote piloting)
  - Monitor Mission Progress: Status of UAV; Actual path v mission route
  - Manage Payload: Direct sensors; Download payload data; Distribute payload data; Prioritise sensor / data requests from Users
  - Manage DataLink: Control Datalink Path (via next GCS? via Satellite? via UAV Relay?); Monitor Data link condition; D/L Fail Emgy Action
  - NEC
The discipline of making a check of behaviour, control and information functions was also useful, though it was less easy (inappropriate?) to consider utility functions at this stage – that would perhaps prove more useful at the next level of sub-system FHA. These types helped draw out extra aspects: for example, it was initially thought that there wasn't much to the field recovery / launch team element, but the list drew out information and utility aspects such as mission upload and replenishing consumables.
The derivation and consideration of flight phases also proved useful as a mind jogger: while the initial listing had found 56 functions, consideration of flight phases gained 5 more relating to internal functions.

It was difficult not to get too pulled into design, especially over aspects such as autonomy. Positive effort was needed to stay up at system level, i.e. not to try and partition functions into whether they were performed by the UAV or GCS / UAV-p. This proved to have been a good discipline, when it came to considering failure effects later on (see 'Multiple Failures', in section 3.2.5).

At this stage, it was becoming evident that the UAVS-level FHA was proving quite effective, in being able to identify (and hence analyse) system interrelations and complexities.
Exchanged Functions

As hoped, the rich context diagram proved very handy for drawing out exchanged functions. A table (Table D(v) in Annex D) was used to list each interaction, then focus on what the UAVS needed to provide to make the interaction work.

Some 'functions' were included that might not strictly be functions (perhaps characteristics?), but they had clear potential safety aspects. For example, 'Conspicuity to Air Traffic' is a fairly passive function but important to make 'see and avoid' work for non-cooperative air traffic. The rich context diagram was, again, supportive of drawing out such necessary characteristics.

What became evident later on was the need to define basic behavioural functions, to handle key emergency conditions – this is discussed in section 3.2.4 under 'Emergency Configurations'.
Consolidation

From these functional views, 103 functions overall were identified (at all levels): 56 were extracted from internal views; 42 from the external context; and 5 new from looking at Flight Phases. There seemed to be no real need for a separation of internal and external functions, and many were interrelated (see below), so they were combined into a single Functions Tree, ready for consideration in failure identification. Part of the tree is shown in Figure 3.2.3b. The tree in full can be seen in Figures D-4a, b and c at Annex D.

In trying to rationalise these functions into a tree, the interaction between functions grew apparent. E.g. 'Auto Take-off and Landing' has lower level functions to determine runway and landing characteristics for particular wind speed and direction, but functions under 'Monitor weather for changes' would affect the wind speed determination, and functions under 'Stability and Control' provide the actual take-off rotation or landing flare. There were 'building block' functions that, perhaps, higher order functions across the tree would make use of. These would be considered carefully when looking at functional failures and multiple failures.
UAVS Function Tree [Part 1 of 3]
Key: (I) Internal view; (F) Flight phase view; (E) External context view

1. Stability & Control (I)
  1.1 Determine attitude, orientation and speed (I)
  1.2 Stabilise perturbations (I)
  1.3 Manoeuvre UAV (I)
  1.4 Manual Override - Remote Piloting (I)
  1.5 Field T/O Launch Control (I)(F)
  1.6 Control Flight Path (I)
    1.6.1 Control Airspeed (I)
    1.6.2 Control Altitude & Rate (I)
    1.6.3 Control Heading (I)

2. Air Navigation (I)
  2.1 Position, Heading & Altitude Awareness (I)
    2.1.1 Determine Position, Heading & Altitude (I)
    2.1.2 Determine Nav Data accuracy (I)(F)
  2.2 Store / Update Mission Route (I)
  2.3 Monitor / Correct actual v planned route (I)
  2.4 Auto Take off & Landing (I)(F)
    2.4.1 Determine Airfield T/O Climb-out profile (F)(E)
    2.4.2 Determine High accuracy Position, heading & Altitude (F)
    2.4.3 Determine Airfield Approach, Hold, Circuit, R/W profile (F)(E)
    2.4.4 High Accuracy monitor / correct actual v planned profile (F)(E)
    2.4.5 Determine Windspeed & direction v R/W and landing characteristics (F)
  2.5 Terrain Avoidance (E)
    2.5.1 Awareness & flight path proximity (E)
    2.5.2 Maintain separation (ROA) (E)
    2.5.3 Emergency evasion (E)
  2.6 Sensitive Area Avoidance (Danger & Populated areas) (E) - as 2.6.1-3
  2.7 Controlled Airspace avoidance (E) - as 2.6.1-3
  2.8 Variable Danger Areas (NOTAMS) Avoidance (E) - as 2.6.1-3

3. Control on the Ground (I)
  3.1 Control Speed on the ground (I)
    3.1.1 Determine speed on ground (I)
    3.1.2 Controlled Ground thrust (I)
    3.1.3 Controlled Ground Braking (I)
  3.2 Control Position on the ground (I)
    3.2.1 Determine ground position & heading (I)
    3.2.2 Ground steering (I)
    3.2.3 Determine Airfield layout / required ground route (F)(E)
    3.2.4 Monitor / correct actual v required ground route (F)
    3.2.5 Determine Air / Ground transition (F)
    3.2.6 Determine Ground obstacles (F)(E)
      3.2.6.1 Detect mobile obstacles (F)(E)
      3.2.6.2 Fixed obstacles awareness (F)(E)

Figure 3.2.3b – Example of derived Functions Tree for 'Guard Dog' UAVS
3.2.4 Identification and Description of Failure Conditions

Environment List

The domain-review list provided a good structure for derivation of the environment list.

Weather aspects were fairly easy to pick out, from the UAVS overall specification (based on world-wide operation).

Aspects such as overflown terrain were trickier to complete, as they are not a usual specification item. Looking at the map examples for scenarios (discussed in section 3.2.5) helped significantly. These also helped with extracting the range of electrical / mission / ATC environments. It was useful to define a number of potential missions (see Appendices C1 and C2) and use these to define typical scenarios (see 3.2.5), to get a better feel of likely environments. Looking at maps for areas of operation (and training in more domestic climes) teased out a wide variety of such aspects.
Emergency Configurations
Guard Dog started with the list as initially proposed in section 2.2.4. However, consideration of this list quickly highlighted a need to consider what the UAVS intent would be in the event of such emergencies, especially for system failures. Hence, a useful source document would be an initial definition of emergency procedures, as part of the 'initial design considerations'. The Guard Dog example is shown in Figure 3.2.4a below, or at bigger scale as Figure D-2 in Annex D.
These considerations spawned additional functions (to be added to the tree), to be assessed for further functional failures (part of the multiple failures consideration).
Figure 3.2.4a – Example of outline Emergency Procedures, to derive functions

[Flowchart; only its node labels survive extraction. Starting condition: NORMAL FLIGHT. Trigger conditions: DATA LINK Signal Loss; DATA LINK System Fail (single); DATA LINK System Fail (total); FLIGHT CRITICAL SYSTEM Single (Redundant) Failure; FLIGHT CRITICAL SYSTEM Total Fail; COMMUNICATIONS Failure; GROUND CONTROL Failure; COLLISION AVOIDANCE Failure; AIR NAVIGATION Failure (inc. height, speed, position & route control). Decision points (YES / NO): Regain D/L Signal?; External Nav Assistance?; Able to Maintain Safe Altitude?. Actions: Determine best diversion and ID between GCS and UAV (may be home or destination); Maintain flight path over 'safe' terrain and airspace; DIVERT to identified diversion airfield; Hold; Broadcast Control Datalink Fail; Broadcast Collision Avoidance fail; STOP & Broadcast; Broadcast Mayday & EMERGENCY LANDING.]
Failure Conditions Determination

With a significant number of functions, care was needed to ensure that all failure characteristics had been considered. In this, the FFA structure proposed worked well, as discussed below. Some failure conditions are shown below, but all those identified can be viewed in full at Table D(vi) in Annex D.

'Loss of function' - could be tricky to assess, for continuous functions (i.e. to search deeper than just 'loss of [function X]'). Some interesting conditions were found where a function could be pseudo-continuous. For example, 'Terrain Awareness' being made on a regular but not truly continuous basis (function 2.5.1 – see Table 3.2.4(i)): a potential failure condition was for sharp terrain to appear in the event horizon, if the update rate was not high enough.
FFA ID | Function (a), (b), (c) | Failure Condition (Hazard Description)
2.5 Terrain Avoidance (E)
F2.5A | 2.5.1 Awareness & flight path proximity (E) | (a) Unaware of surrounding terrain
F2.5B |  | (a) Unaware of proximity of surrounding terrain to flight path
F2.5C |  | (a) Terrain proximity determined at low sampling rate

Table 3.2.4(i) – Example of 'Loss of Function' for pseudo-continuous function
'Uncommanded function' – Some care was needed not to dismiss functions as 'continuous'. For example, Function 1.6.1 'Control airspeed' is indeed continuous overall, but has some implied sub-functions such as to change airspeed intermittently when required, hence the potential uncommanded sub-function to change airspeed up or down when not required (see Table 3.2.4(ii)).
FFA ID | Function (a), (b), (c) | Failure Condition (Hazard Description)
F1.6C | 1.6.1 Control Airspeed (I) | (b) Airspeed runaway up
F1.6D |  | (b) Airspeed runaway down

Table 3.2.4(ii) – Example of 'Uncommanded Function'
'Incorrect function' – as expected, this category generated the widest variety of issues, and it could be hard to determine that all had been identified. Some of the most interesting failures were where a function potentially crossed system boundaries. For example, handover of control between two GCS (function 4.2.1) led to several variations of end result (see Table 3.2.4(iii)).
FFA ID | Function (a), (b), (c) | Failure Condition (Hazard Description)
F4.2C | 4.2.1 Handover to next GCS (I)(F) | (c) Datalink control hand over from current GCS, but next GCS unable to take control
F4.2D |  | (c) Datalink control hand over from current GCS, but next GCS unaware it has control
F4.2E |  | (c) Datalink control taken over by next GCS, without current GCS being aware
F4.2F |  | (c) Datalink control hand over to next GCS, but current GCS also retains control (dual control)
F4.2G |  | (c) Datalink attempted control hand over to next GCS, but neither GCS retains control

Table 3.2.4(iii) – Example of 'Incorrect Function' for a cross-system function
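The five variations in Table 3.2.4(iii) are all mismatches between what the two GCS each believe and what the UAV actually does with the control link. The added example below (my own, not the report's) models a handover as a short message exchange, lets individual messages be lost, and maps the resulting state onto the FFA IDs. It contrasts a naive design, where each GCS updates its belief as soon as it has sent or received its own message, with a two-phase design in which only the UAV's acknowledgement changes a GCS's belief. The message names (REQUEST, TAKE, ACCEPT, RELEASED, CONFIRMED) and both protocol variants are assumptions made for the example, not a description of any real system.

```python
"""GCS-to-GCS control handover as a message exchange with lost messages (added example; not
from the report). Message names and the two protocol variants are assumptions."""
from dataclasses import dataclass


@dataclass
class HandoverState:
    a_believes_control: bool   # current GCS's own view
    b_believes_control: bool   # next GCS's own view
    uav_controller: str        # the UAV's authoritative record: "A" or "B"


def run_handover(drop=(), two_phase=True):
    """Simulate handover from GCS A to GCS B; `drop` names messages lost on the datalink.

    two_phase=False (naive): A releases as soon as it sends REQUEST; the UAV switches as soon
    as it is asked; B takes control as soon as it is told (TAKE).
    two_phase=True: the UAV switches only after B has replied ACCEPT, and each GCS changes
    its own belief only on the UAV's acknowledgement (RELEASED to A, CONFIRMED to B).
    """
    lost = set(drop)
    s = HandoverState(True, False, "A")
    if not two_phase:
        s.a_believes_control = False            # A assumes the handover will work
    if "REQUEST" in lost:                       # A -> UAV: "hand over to B"
        return s                                # nothing else happens (A times out)
    if not two_phase:
        s.uav_controller = "B"                  # UAV switches before B has agreed
        if "TAKE" not in lost:                  # UAV -> B
            s.b_believes_control = True
        return s
    if "TAKE" in lost or "ACCEPT" in lost:      # UAV -> B, B -> UAV
        return s                                # UAV times out and keeps A; A keeps control
    s.uav_controller = "B"                      # only now does the UAV switch
    if "RELEASED" not in lost:                  # UAV -> A
        s.a_believes_control = False
    if "CONFIRMED" not in lost:                 # UAV -> B
        s.b_believes_control = True
    return s


def classify(s):
    """Map the end state onto the failure conditions of Table 3.2.4(iii) (state-based, so
    conditions that differ only in how they arose share a label)."""
    a, b, uav = s.a_believes_control, s.b_believes_control, s.uav_controller
    if a and b:
        return "F4.2F"                          # dual control
    if not a and not b:
        return "F4.2C/D" if uav == "B" else "F4.2G"   # next GCS not in control / neither has it
    believer = "A" if a else "B"
    if believer == uav:
        return "OK"                             # the one GCS that believes it has control, has it
    return "F4.2E" if uav == "B" else "F4.2G"   # UAV follows a GCS that does not think it is in control


def uav_accepts_command(s, from_gcs):
    """The mitigation that bounds the consequence: the UAV obeys only its recorded controller."""
    return s.uav_controller == from_gcs


if __name__ == "__main__":
    for two_phase in (False, True):
        for dropped in ((), ("REQUEST",), ("TAKE",), ("ACCEPT",), ("RELEASED",), ("CONFIRMED",)):
            st = run_handover(dropped, two_phase)
            print("two_phase" if two_phase else "naive    ", dropped or "no loss", "->", classify(st), st)
```

Running the two variants over each single lost message shows where the protocol design, rather than the datalink, is the hazard source. The naive design produces F4.2G (lost REQUEST) and F4.2C/D (lost TAKE) from one lost message. The two-phase design aborts safely when REQUEST, TAKE or ACCEPT is lost, but a lost RELEASED still yields dual control (F4.2F) and a lost CONFIRMED still yields a UAV that nobody believes they control (F4.2C/D): the belief-holding acknowledgements are the ones that matter. What bounds the consequence is that the UAV keeps a single authoritative controller and rejects commands from anyone else (uav_accepts_command), and that a GCS treats a rejected command as evidence it has lost control rather than as a transient link fault.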
At this stage, hazards weren't all identified with separate annunciated and unannunciated versions, as this would have led to a 'failure condition melt-down'. Instead, each would be evaluated for consequences in the next phase. That said, there were functions where warning was a specific aspect, and these were assessed directly, for example the broadcast of warnings under function 9.7 (see Table 3.2.4(iv)).
FFA ID | Function (a), (b), (c) | Failure Condition (Hazard Description)
F9.7A | 9.7 Emergency Broadcast Actions (E) (Coll aware fail; D/L fail; Mayday) | (a) Unable to broadcast – "Collision Avoidance Fail"
F9.7B |  | (a) Unable to broadcast – Data Link Fail
F9.7C |  | (a) Unable to broadcast – Mayday
F9.7D |  | (b) Broadcast 'Collision awareness fail' when not required
F9.7E |  | (b) Broadcast 'Data Link fail' when not required
F9.7F |  | (b) Broadcast 'Mayday' when not required
F9.7G |  | (c) Broadcast incorrect emergency message compared to that actually required

Table 3.2.4(iv) – Example of failure identification for a warning function
As usual with FFA, there was a lot of output. The initial 105 functions gave rise to about 520 failure conditions. Care was needed to bring this to a manageable number of hazards at a similar level, to assist hazard management.

3.2.5 Identifying and Managing the Effects of the Failure Conditions

Table 3.2.5(i) shows some examples of the analysis of effects of failure conditions, extracted from the fuller analysis shown in Table D(vii) in Annex D. These examples are used to illustrate the discussion of the analysis, contained in this section.
Table 3.2.5(i) Examples of analysis of the effects of failure conditions, from the ‘Guard Dog’ FFA

Columns: FFA ID; Failure Condition; Flight Phases (note 1); Effect of Failure Condition (note 2) – (1) AW, (2) ATM; Classification; Justification

F1.2A – Loss of UAV stability
Flight phases: Tax, TO A, TO F, Tran, Hand, Tran S, Sens, App, Land A, Land F, Rel
Effect: (1) Unstable UAV leads to overall loss of control – unable to continue controlled flight. Knock-on for Relay UAV would be loss of data link for Sensor UAV.
Classification: (1) Catastrophic; (2) Severity 1
Justification: [Critical safety requirements will be set, if the Relay role is to be viable in unsegregated airspace.]

F1.2B – Undamped / poorly damped manoeuvres or speed
Flight phases: TO A, TO F, Land A, Land F, Tran, Hand, Tran S, Sens, App, Rel
Effect: (1) Significant reduction in safety margins during T/O or landing, due to oscillations. Potential for ground impact close to T/O or landing area. (2) Severe oscillations could cause height bust, deviation from clearance on approach, or reduced separation.
Classification: (1) Hazardous; (2) Severity 2

F1.3I – Manoeuvre capability exceeds vehicle structural strength
Flight phases: TO A, TO F, Tran, Hand, Tran S, Sens, App, Land A, Land F, Rel
Effect: (1) UAV break up – unable to continue controlled flight.
Classification: (1) Catastrophic
Justification: AW issue, as vehicle break up takes it out of the ATM environment.

F1.4A – Unable to take manual control of UAV
Flight phases: Taxi, TO A, TO F, Tran, Hand, Tran S, Sens, App, Land A, Land F, Rel
Effect: No immediate effect, UNLESS a coincident functional failure occurs (in functions 1-10 inc) requiring manual intervention.
Classification: As for the most severe of other functions 1-10: (1) Catastrophic; (2) Severity 1
Justification: Manual override is intended as mitigation for many other failure modes. Safety requires independence from other failure forms (EITHER autonomy in case of manual failure, OR use of an independent 3rd option such as a Flight Termination System to give a safe outcome, if critical functions are provided on a common datalink with manual control from the GCS).

F2.1A – Unable to determine position
Flight phases: TO A, TO F, Tran, Hand, Tran S, Sens, App, Land A, Land F, Rel
Effect: In isolation – position can be approximated from heading, speed etc. In common failure with F2.1B or F1.1B – requires external means to identify position (functions 9.3 En-route ATC communications and 9.4 Tracking ‘visibility’). Without these, system faces emergency landing (function 7.3.2) in unknown terrain, or flight path through unknown airspace. Knock-on for Relay UAV would be loss of data link for Sensor UAV.
Classification: In extreme cases: (1) Catastrophic; (2) Severity 2
Justification: AW severity assumes need to make blind emergency landing at last ‘known’ position (MS7 emergency landing scenario shows that small inaccuracies could cause impact on village location, as lesser evil to flying on and possibly crashing in major population area). ATM severity assumes that function 10 Collision avoidance remains active – need to beware of potential common mode failures.

F2.5A – Unaware of surrounding terrain
Flight phases: Tran, Hand, Tran S, Sens, App, Rel
Effect: (1) UNDETECTED – controlled flight into terrain. DETECTED – climb to safe height and divert.
Classification: (1) Catastrophic
Justification: Assumes TO and Land covered by functions 2.4 – ensure no combined functionality / common mode failure.

F4.3A – D/L fail action (hold then divert) not taken when required
Flight phases: TO A, TO F, Land A, Land F, Tran, Hand, Tran S, Sens, App, Rel
Effect: IF UAV does not take necessary autonomous action, then effect as F4.3C [UAV will eventually run out of fuel and crash land]. IF UAV continues on its pre-planned path but without diverting, may cause concern to ATM (prolonged exposure to UAV without manned override capability) but should act safely if functional.
Classification: No action: (1) Catastrophic. Continues pre-planned actions: (2) Severity 3
Justification: No action – represents a failure of a critical autonomous response, to get the UAV down safely in event of D/L failure. Continue previous action – degrades ATM safety, but continuing autonomy gets the UAV down safely.

F9.7A – Unable to broadcast – “Collision Avoidance Fail”
Flight phases: TO A, TO F, Tran, Hand, Tran S, Sens, App, Land A, Land F, Rel
Effect: (2) Failures under F10 for Collision avoidance system, following function 7.3.1 to divert, would be UNDETECTED by ATM and other air traffic – they would proceed as if UAV would respect Rules of the Air, in extreme allowing collision.
Classification: (2) Severity 1
Justification: [see functions 10, Collision Avoidance, for safety-related functions where this function is intended as mitigation]

F9.7C – Unable to broadcast – Mayday
Flight phases: TO A, TO F, Tran, Hand, Tran S, Sens, App, Land A, Land F, Rel
Effect: (2) Failures requiring function 7.3.2 Emergency Landing would be UNDETECTED by ATM and other air traffic. Controlled emergency landing would not be affected, but could affect ability of ATM to alert emergency services to the site.
Classification: (2) Severity 1
Justification: Classified as severity 1, on basis that it could make a bad situation (Severity 2) much worse by not being able to send assistance rapidly to the scene. [Difficult to classify, with criteria as listed]

Notes:
1. Flight Phases – (Pre) Pre-flight; (Tax) Taxiing; (TO A) Take-off – from airfield; (TO F) Take-off – ramp launch from field; (Tran) Transit under control of GCS; (Hand) Hand over control to second GCS; (Tran S) Transit with GCS relay via satellite; (Sens) On task – using sensor payload; (Rel) On task – on station to relay TCDL to reach sensor UAV; (App) Approach; (Land A) Landing – at airfield; (Land F) Landing – rough field.
2. Effect of Failure Condition – (1) AW – effect on UAV, safety margins, continued & controlled flight; (2) ATM – effect on UAV crew, ATCO, other traffic.
Identification of Failure Effects
In general, it was fairly simple to identify the broad effects of potential failures. This was particularly true of the ‘building block’ functional failures (as mentioned in section 3.2.3, in ‘consolidation’): when these failed, the effects were pretty direct. An example is shown in Table 3.2.5(i) with failure F1.2A “Loss of UAV stability”.
Some effects were worse in particular flight phases and this was noted in deriving the effects. One point of note was the crucial effect on the UAV system overall, when a failure occurred to a vehicle in Relay flight phase (as noted in F1.2A). The criticality of the UAV in this role will set very high safety requirements if this role is to be cleared in unsegregated airspace, and perhaps it may only be cleared for training with a viable alternative datalink path always available (so as not to be a critical dependency).
Most failures had both airworthiness and ATM separation effects. An example is shown in Table 3.2.5(i) for F1.2B “Undamped / poorly damped manoeuvres or speed”, where both an immediate airworthiness effect could be identified, and a slightly longer term ATM separation effect if the airworthiness effect was not immediately realised.
A few failures indicated an airworthiness effect only, such as F1.3I “Manoeuvre capability exceeds vehicle structural strength” in Table 3.2.5(i). The airworthiness effect here was usually so cataclysmic that there was little likelihood of further ATM effect.
A few others, such as F9.7A “Unable to broadcast – “Collision Avoidance Fail” ” in Table 3.2.5(i), indicated an ATM effect only. These were usually directly related to ATM procedural or traffic separation functions.
Some functions had already been added in as emergency ‘warning’ functions, in response to early consideration of the effects of ‘annunciated’ vs ‘unannunciated’ failures. However, all failures were considered for the difference in effect between the failure being annunciated (detected) and not. F2.5A “Unaware of surrounding terrain” shows a particular example, where detection would allow a much safer outcome than the alternative, and this would help set particular safety requirements on the system to improve detection.
Classification of (Airworthiness and ATM) failure effects
The safety criteria discussed already in section 3.2.1 proved useful, and usually easy to apply. This was especially true of the airworthiness criteria, and (usually) of the ATM separation criteria.
There were a few exceptions with the ATM separation criteria, where the classification in terms of ATC workload, traffic separation or collisions could not easily be applied. Here, classification came down to a judgment on the level of ‘loss of control’ by ATM and UAV-p and the effective reduction in safety margins. An example is shown in F9.7C “Unable to Broadcast ‘Mayday’” in Table 3.2.5(i), where there is no further airworthiness effect, but there is an ATM / UAV-p effect, as ATC can’t be alerted to apply their procedures to call emergency services to the site.
Multiple failures
Some key multiple failures had already been considered, by creating emergency intent functions (mentioned in section 3.2.4 Emergency Configurations) and then analysing failures in these follow-on functions (e.g. F9.7A “Unable to broadcast – “Collision Avoidance Fail” ”, already mentioned above). Others were derived from key aspects of the initial system architecture, such as the datalink between GCS and UAV.
While not many more ‘failures on failures’ were analysed in detail, there were some failures where the criticality of certain other functions remaining effective (for mitigation) was noted. Here, the main drive was to identify safety requirements to ensure effective mitigation, particularly the need to establish independence of such functions and avoid common mode failures. A specific example (among many) is F2.1A “Unable to determine position”, where the potential effect is not so bad, provided that other key functions such as Collision Avoidance functionality remain operational. If there was a common system factor (such as some datalink dependence for these functions) then the effects would be much worse.
This brings us to a particular issue drawn out by consideration of multiple failures. Up to this point, the analysis had avoided partitioning functionality between the UAV, GCS and UAV-p (i.e. making decisions on autonomy levels). Now it was possible to set requirements on critical functionality. The primary concern was the need to make safety critical functions independent of the datalink. Safety is thus a driver for increased capability (and assurance) in autonomy for those functions. There are endless examples where dual failure with datalink would be Catastrophic / Severity 1, but a couple from Table 3.2.5(i) are discussed below.
This issue of autonomy v datalink was first noted in the FFA during consideration of F1.4A “Unable to take manual control of UAV”. Here, the effect was not serious provided that the system had adequate autonomy to carry out necessary safety actions such as collision avoidance, terrain avoidance, air navigation and conducting emergency procedures. This was later backed up by consideration of specific datalink function failures, where the knock-on effect of not carrying out those functions was noted – especially examples such as F4.3A “D/L fail action (hold then divert) not taken when required”. For this, the effect of failure was proposed as:
“If the UAV does not take the necessary autonomous action, then the effect is as F4.3C [UAV will eventually run out of fuel and crash land]. IF the UAV continues on its pre-planned path but without diverting, this may cause concern to ATM … but should act safely if functional.”
UAVS thus need careful use of autonomy, to provide the necessary independence of safety functions. As a minimum (for smaller systems perhaps, where the public would be less alarmed), the use of a Flight Termination System would be an alternative, independent means of assuring a ‘safe’ outcome.
Use of Scenarios to Aid Effects identification
For the majority of failures analysed, scenarios weren’t necessary, and consideration against more general contextual information was appropriate.
Where they were necessary, the initial guidance led to scenarios that were almost too specific. Text based scenarios (as proposed) needed a fair number of words to get the situation across, and still seemed to be lacking necessary information. An example is shown in Figure 3.2.5a.
An alternative was tried, with better results. This approach was to plan actual missions over typical terrain, on air maps. Using this, the user got a better idea, more quickly, of the type and range of challenges – terrain, airspace, obstructions, HIRTAs etc. It was vital to actually plan the route on paper, not just look at the maps, in order to think into actual mission-type situations. For example, identifying where to place a GCS to achieve datalink along the full length of the route; or how to respect airways minimum heights, while being pushed by terrain to maintain minimum separation – airmanship-type decisions. The map could be annotated with other conditions of interest, such as the possible range of weather.
The same proved true when looking at emergency situations. For instance: what if the weather closes out the planned route here; or propulsion fails there; or satellite datalink becomes unavailable when ground GCS range is marginal.
Overall, it seemed that graphical mission scenarios were more user friendly and encouraged creative thinking. They contained more information and felt more ‘real’ than just broad specification envelopes; but not too specific – they allowed ‘what ifs’ to be raised and assessed quickly, some of the what-ifs being driven by the map terrain and airspace content.
An example of a graphical mission scenario is shown in Figure 3.2.5b, comparable to the textual scenario shown in Figure 3.2.5a.
Scenario : Routine Take-off
Rationale : Applying general take-off to realistic situation, at ‘UAV-Friendly’ Parc Aberporth
Agents : UAVS and UAV-p; Aberporth ATC and ground traffic; Cardigan Bay danger area controller
Situation and environment context : Day VFR weather fine. Onshore breeze from the sea, 20 kts. Take-off and climb out planned over sea (away from Aberporth village at foot of significant hills), then turn out over sea for first leg. Several wind farms on coast, and steep terrain.
Mission context and goals : Start of a routine training mission. Intent is to taxi and take off safely, respecting airfield ATC and ground / circuit traffic. Main goal is to get established on first leg of fly out, at start of a long training mission.
Airspace context : Parc Aberporth is a UAV-friendly airfield, used to UAV activities. Some light manned aircraft traffic in circuit, including military aircraft incoming from / outbound to the danger area (range).
Danger area is a sea range, for aircraft and ships weapon trials (closed to traffic during attack runs).
First leg to Talybont, crosses under Airway A (at 6,500 ft, under airway starting at 16,500 ft)
System context : Full system functionality, as checked during pre-flight and taxi checks
Actions : UAV-p contacts airfield ATC for clearance to taxi – this is given and UAV taxis out to stop at Hold ‘CHARLIE’. After other traffic clears, ATC clears UAV onto runway 26 for take-off. UAV applies power and takes off, correcting for slight cross-wind. After clearing obstruction height and reaching 2000 ft, UAV is told to switch to danger area controller frequency.
Danger area controller clears UAV to the north, commanding it to keep clear of south end of range where ships are operating. UAV heads onto northerly track, climbing until reaching 6,500 ft.
As it leaves the danger area, UAV switches to Holyhead Airspace Controller and requests Flight Information Service for transit to Spadeadam.
Figure 3.2.5a – Example of mini scenario for consideration of failure effects
Figure 3.2.5b – Example of graphical scenario ‘MS1 Routine Take-off and climb out’
The scenarios were used in a few analyses of the effects of failures. This was usually as follow-on to trying to assess the effect with broader information, to check and improve on the justification behind an effect analysis. For failures like F4.2F “Datalink control hand over to next GCS, but current GCS also retains control (dual control)” (in Table 3.2.5(i)) this was useful, where the impact is not clearly apparent on first analysis.
Occasionally, they were used to help ‘put flesh on the bones’ behind an analysis, to ensure that the ensuing classification was suitably robust. Failures such as F2.1C “Unable to determine altitude” show such a use, where the effect was already felt to be quite severe, but the emergency landing scenario provided an alternative context to re-assess the classification.
3.3 Evaluation of Hazards Identified by the Modified HazID Method
The functional failures (in Annex D) produced by the FFA process have been reviewed by the author, in order to determine a list of hazards at a common, appropriate level. This hazard listing is shown at Annex F to this report. Some 88 hazards are listed in all, with references to the functional failures that spawned them.
Numerical assessment
How robust is this hazard listing and (accordingly) the FFA HazID process that has been used? As discussed in Section 3.1, a SWIFT technique was commissioned to provide a comparison, with the overall results shown in Annex E. Both Annexes E and F cross refer to the appropriate comparable hazard(s) identified in the alternative technique.
The comparison of techniques is interesting, if not straightforward. Our FFA method produced 88 hazards, while SWIFT produced 77. Of these, 48 were in close agreement.
Using the MAFF ‘capture / recapture’ method as discussed in Section 3.1, this would indicate, initially, the following metrics:
Initial metrics for hazard capture confidence:
‘Proportion of hazards captured’ = 48 / 88 = 0.55
‘Possible total number of hazards’ = 77 / 0.55 = 140
This was not overly inspiring of confidence in the results, so further investigation was made to see if they were overly pessimistic. From the first pass comparison, 29 SWIFT hazards did not directly match FFA hazards. However, the comparison was not always made on a level footing:
• Several of the SWIFT hazards (10) were related to ground personnel, whereas the FFA focus was on operating hazards more relevant to manned / unmanned aircraft integration. The ARP 4761 process would eventually draw these out through complementary analyses such as Operating & Support Hazard Analysis.
• About 10 of the SWIFT hazards were more causal than directly hazardous, related to system implementation. These (through ARP4761) would be considered under Fault Tree Analysis at the UAVS level, or FHA and FMEA for lower level systems. A further 2 were related to uncontained engine failure and fuel fire, and would be considered under Particular Risk Analysis with the [SAE96] process.
• A further 3 SWIFT hazards related to general procedural aspects, covered by regulation, such as maintenance policy and crew training.
Having removed these hazards (for now) to achieve a common level, a revised comparison could be made. SWIFT had now identified 52 hazards, with 48 agreeing with the FFA:
Revised metrics for hazard capture confidence:
‘Proportion of hazards captured’ = 48 / 88 = 0.55
‘Possible total number of hazards’ = 52 / 0.55 = 95
This suggests that the FFA has identified about 90% of the total hazards for manned / unmanned aircraft integration.
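As an added example (not the report's own calculation), the following reproduces the capture / recapture metrics above from the report's counts, including the removal of the out-of-scope SWIFT hazards, and also returns the unrounded estimate: the report divides by the rounded proportion 0.55, which is why it gives 140 where the unrounded 88 × 77 / 48 is 141.2. The category labels in OUT_OF_SCOPE paraphrase the report's groupings.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CaptureEstimate:
    primary_count: int          # hazards found by the technique under test (FFA)
    comparison_count: int       # hazards found by the independent technique (SWIFT)
    common_count: int           # hazards both techniques agreed on
    proportion_captured: float  # common / primary
    estimated_total: float      # comparison / proportion

    @property
    def primary_coverage(self) -> float:
        """Share of the estimated total population the primary technique found."""
        return self.primary_count / self.estimated_total


def capture_recapture(n_primary: int, n_comparison: int, n_common: int,
                      round_proportion: bool = True) -> CaptureEstimate:
    """Two-sample capture / recapture estimate of the total hazard population.

    proportion = common / primary and total = comparison / proportion, which is
    the report's form of the Lincoln-Petersen estimate primary * comparison / common.
    The report quotes 48/88 as 0.55 and divides by that rounded value;
    round_proportion=True reproduces its figures, False gives the raw estimate."""
    if n_primary <= 0 or n_comparison <= 0:
        raise ValueError("both techniques must have found at least one hazard")
    if not 0 < n_common <= min(n_primary, n_comparison):
        raise ValueError("common count must be positive and no larger than either list")
    proportion = n_common / n_primary
    if round_proportion:
        proportion = round(proportion, 2)
    return CaptureEstimate(n_primary, n_comparison, n_common,
                           proportion, n_comparison / proportion)


# Counts from the report's Section 3.3 comparison.
FFA_HAZARDS = 88
SWIFT_HAZARDS = 77
AGREED = 48

# SWIFT hazards the report sets aside to compare at a common level, with the
# ARP4761 activity expected to pick each group up later.
OUT_OF_SCOPE = {
    "ground personnel (Operating & Support Hazard Analysis)": 10,
    "causal / implementation (FTA, lower-level FHA and FMEA)": 10,
    "uncontained engine failure, fuel fire (Particular Risk Analysis)": 2,
    "procedural, covered by regulation (maintenance, training)": 3,
}


def initial_metrics() -> CaptureEstimate:
    """First-pass comparison on the raw counts."""
    return capture_recapture(FFA_HAZARDS, SWIFT_HAZARDS, AGREED)


def revised_metrics() -> CaptureEstimate:
    """Same estimate after removing the out-of-scope SWIFT hazards."""
    in_scope = SWIFT_HAZARDS - sum(OUT_OF_SCOPE.values())
    return capture_recapture(FFA_HAZARDS, in_scope, AGREED)


def unexplained_swift_hazards() -> int:
    """SWIFT hazards neither matched by the FFA nor set aside as out of scope."""
    return SWIFT_HAZARDS - AGREED - sum(OUT_OF_SCOPE.values())


if __name__ == "__main__":
    for label, est in (("initial", initial_metrics()), ("revised", revised_metrics())):
        print(f"{label}: proportion {est.proportion_captured:.2f}, "
              f"estimated total {est.estimated_total:.0f}, "
              f"FFA coverage {est.primary_coverage:.0%}")
    print("unexplained SWIFT hazards:", unexplained_swift_hazards())
```

The revised coverage comes out at about 93%, the figure the text rounds to ‘about 90%’, and the four unexplained SWIFT hazards match the four discussed next.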
Subjective assessment of differences
As noted above, the SWIFT had already identified some ground-based and causal hazards that the FFA (at this stage) had not – we can propose that these would be identified by subsequent stages of the ARP4761 process.
Four SWIFT hazards remain that cannot be explained in this way, and these are shown below.
• S13 Inadvertent launch
• S25 Poor preparation of launch site (inadequate runway quality)
• S41 Loss of GCS communications
• S48 Pilot fatigue (long endurance shifts)
These indicate two issues with the FFA. Firstly, the FFA is only as good as the initial function tree, and this application had missed out a small number of functions – e.g. ‘Inter GCS Communications’. A peer review of the Rich Context Diagram and Functions Tree might have picked these (and maybe more) out. Second, in spite of the intent to pick out functions including human issues, it was still difficult for the FFA to consider and draw hazards out of high level human factors, such as the resource issue of long endurance shifts. This is why it is still important to ensure that Human Factors are adequately assessed and designed for, in their own right.
The FFA of our proposed method had, in turn, identified 38 additional hazards relating to integration of UAVs into unsegregated airspace – these are shown below:
• A4 Flight instrumentation (attitude and speed) errors
• A5 Inability to identify flight instrumentation errors
• A9 Unable to transfer to autonomous UAV control
• A10 Conflicting authority between UAV controllers (manual / autonomous or different ground controllers)
• A11 Control mode error (where control laws differ with phase of flight)
• A13 Asymmetric thrust / power
• A16 High accuracy navigation instrumentation errors (altitude, position, heading; for taxi, take off, approach, landing)
• A17 Inability to identify navigation instrumentation errors
• A19 Planned mission route not achievable by UAVS (not capable within performance)
• A20 Planned mission route not safe (by Rules of the Air)
• A25 Minimum terrain separation (i.a.w. Rules of the Air) not maintained
• A26 Terrain separation / emergency evasion triggered when not required / appropriate
• A27 Separation from sensitive areas (danger areas / populated areas / NOTAMS areas) not maintained
• A29 Incorrect type / identifier of controlled airspace determined (if cleared for controlled airspace operations)
• A35 Incorrect airfield layout / ground taxi route determined
• A36 Inability to determine ground / air transition clearly
• A37 Unable to correctly determine position of fixed / mobile ground obstacles
• A38 Inability to accurately determine command datalink signal strength
• A39 Incorrect status of command datalink system serviceability determined
• A41 Command datalink handed to GCS, but GCS unaware it has control
• A43 Command datalink lags via satellite / relay
• A45 Satellite / relay UAV passes control datalink commands to incorrect UAV
• A47 Command datalink jammed
• A49 Valid command datalink rejected as jammed / stolen
• A52 Inability to monitor initial / changing weather conditions along the mission route
• A53 Bad weather re-routing infringes sensitive airspace / overflown areas
• A54 Bad weather re-routing exceeds UAV capability (performance)
• A58 Diversionary airfield / route not communicated between UAV and GCS (UAV not aware of appropriate action to take, or GCS not aware what action the UAV will take)
• A62 GCS moding initiates ground mode displays and controls (e.g. mission planning), when in-flight monitoring / control required
• A68 UAV centre of gravity adversely affected by fuel charge
• A70 Different mission plans loaded – UAV; relay UAV; first GCS; other GCS in mission
• A72 Inability to correctly detect, interpret and respect airfield visual signals
• A77 Radio frequency changed in error (e.g. to emergency frequency)
• A78 UAV does not correctly comply with airfield ATC procedures: ground movement (clearance & direction); enter runway; take-off; climb out direction and final height; approach direction; circuit direction; runway allocation; hold height & direction; landing clearance; exit runway clearance
• A79 UAV does not correctly comply with en-route airspace ATC procedures: climb / descend and final cruising altitude; heading change; hold position, height and direction; diversion
• A80 UAV complies with airfield or en-route ATC procedure intended for another aircraft
• A81 Unable to correctly broadcast emergency message: “Collision Avoidance Fail”; “Datalink fail”; “Mayday”
• A82 Emergency broadcast made when none necessary
• A88 UAV resembles other aircraft types of different size or performance
This list seems eclectic, and it is awkward to pick out particular aspects where the FFA method might have been ‘better’ than SWIFT. Overall, the longer listing was due to the rigour applied to identifying functions, especially using the Rich Context Diagram to identify external functions (the SWIFT perhaps focussed on the internal). The FFA also performed well in identifying hazards related to the operating environment and their airworthiness implications, such as in collision and terrain avoidance, and in airmanship through airspace and airfield environments.
Summary of Hazard Identification Robustness
In all, the FFA performed well in hazard identification, identifying around 90% of hazards relating to integration of UAVS into non-segregated airspace even as a one-man technique carried out in isolation. With team input and peer review, this would improve further.
However, it is important to remember that FFA is just the first part of the ARP4761 process, and subsequent causal and sub-system analyses are important to draw out all pertinent hazards. Additionally, techniques such as Operation & Health Safety Analysis and especially Human Factors Engineering will be necessary, to ensure all potential hazards are identified and managed.
PART 4 – CONCLUSIONS AND FURTHER WORK
This part of the report aims to pull together the key findings of the project, and relate them to the original aims. It also provides a ‘shopping list’ of recommendations for further work, in order to advance the cause of UAVS integration.
4.1 Findings, Related to Satisfaction of the Project's Aims
The overall motivation for the project was to assist the process of integration of UAVS into unsegregated airspace, by addressing the lack of understanding of the safety issues and hazards involved. More specifically, the following aims were identified:
• To identify the current concerns over UAVS safety, in relation to the existing manned airspace infrastructure;
• Hence, to derive a framework for considering the safety risks related to integrating unmanned vehicles into unsegregated airspace. The intent is that this, as part of a robust safety assessment and certification programme, will assist in the eventual clearance of UAVS, to operate routinely alongside manned aircraft.
Each of the report's key findings is considered below, in relation to these aims. Conclusions are numbered 1-14 in this section.
4.1.1 Identifying Current Concerns over UAVS Safety
Part 1 went somewhat further than the initial intent of identifying current concerns in relation to the existing manned airspace infrastructure. Because of the complex, interrelated nature of UAVs, a more complete view of safety concerns was taken, which included the airspace infrastructure but also covered design airworthiness, operations, airmanship and the inherent ‘differences’ introduced by UAVSs. As a result, a broad range of safety issues was identified, in two main areas:
Safety issues relating to UAVs as ‘disruptive technology’
UAVs have some vital differences from the current general experience with manned aviation, and these introduce some potential safety issues to be overcome:
1. UAVS come in wide varieties, in terms of shape, size and performance, and the types of roles they undertake. This makes them difficult to ‘pigeon-hole’, and means that they may be difficult to manage or predict, among manned traffic. (Section 1.1.1)
2. The UAVS system boundary is much broader (and less well understood) than for manned aviation, with inclusion of additional critical aspects such as datalinks, Ground Control Systems, data flows, data sources etc. This leads to questions of airworthiness as a complex system, reliability of datalinks, and availability of RF spectrum for critical links. (Section 1.1.2)
3. Vehicle autonomy creates several issues, starting with its definition! Clear indication is needed of ‘who is in control’, especially when emergency action is required. There is a dichotomy between requiring a predictable response (especially for ATM decision making), yet needing flexibility of response to achieve a safe outcome. New technologies such as agent-based control could provide the necessary flexibility, but introduce questions of expertise, trust and software clearance – they also require strong specification of required behaviour, when this is not explicitly defined for manned aviation. (Section 1.1.3)
4. The ‘headline’ catastrophic failure rate for UAVs is currently too high for acceptance into a manned environment. This is due to: poor accident data gathering; the experimental / military roles they are currently undertaking; lack of reliable purpose-built components; and not applying appropriate design, fabrication and maintenance processes to build in safety (as per their manned counterparts). While it is difficult to define ‘equivalent levels of safety’ between UAVs and manned systems, it is suggested that FAR 1309 / ARP 4761 type safety processes could be applied to the design and certification of novel, safety critical aspects, with suitable amendments. (Section 1.1.4)
Safety issues relating to the manned airspace environment coming to terms with UAVs
5. While it is agreed that a ‘safety targets’ (Safety Case) approach would be easiest to apply for UAVS, standards and certification must be applied to achieve international acceptance. Hence, regulation, certification and standards are critical to integration of UAVS into unsegregated airspace, but are currently struggling to achieve consensus between different bodies. Thus, while there are proposals for a ‘total system’ approach to safety, currently airworthiness, operations and ATM are managed by different regulators. What little current regulation exists is very generic, demanding equivalence to manned systems but without addressing UAV differences. (Section 1.2.1)
6. Because of current segregation of traffic, very few UAVs have interacted with ATM systems, and so it is difficult to predict the real implications. Because the nature of ATM change is ‘monolithic’, ATM suppliers demand no change, i.e. that UAVS operations must be transparent, while there are numerous ways in which UAVs will react differently from manned aircraft. There are issues of equipage, traffic levels, RF interoperability, voice communications, even basic routes and procedures that have been built around manned aircraft and their performance expectations. (Section 1.2.2)
7. Collision avoidance from terrain and, more difficult, from other aircraft is a big issue for UAVS integration, and UAVs will require a non-cooperative Sense & Avoid capability to match their manned counterparts. It is difficult to define equivalent levels of safety to manned aircraft, as human visual performance is so fallible, hence regulators and designers cannot agree on which should come first – the technology to provide Sense and Avoid, or the criteria that it must meet. (Section 1.2.3)
8. UAVS navigation, datalinks and ground systems vulnerabilities to jamming or malicious take-over must be addressed to ensure security of operation. (Section 1.2.4)
9. For a system ‘unmanned’ in the air, there are significant Human Factors issues to be overcome. Some revolve around the ground cockpit environment, the cues to the UAV-p, the organisation of pilots and commanders, and the interaction with variable autonomous systems. Others involve the experience / competence levels of the pilots, maintainers and operating organisations, plus the extended human network that provides critical data to the UAVS. (Section 1.2.5)
10. As with all safety critical systems, public opinion over safety levels may not match the actuality. However, UAVSs are expected to face a more critical media and public response in the event of a safety occurrence, because of their unmanned nature. (Section 1.2.6)
4.1.2 A Framework for Considering Safety Risks Related to Integrating Unmanned Vehicles into Unsegregated Airspace
At the end of Part 1, the focus for the project development was set out in order to satisfy the study aims, as follows:
A. A better understanding of what the root hazards associated with UAVS integration are.
B. Can a .1309 / ARP4761 safety assessment approach be used for UAVS, to identify hazards for solution during design / manufacture / operation?
Each of these sub-goals is reviewed in the following paragraphs, to provide a structure to assess whether the main aim has been achieved. The order of the sub-goals has been changed, to reflect the design (Part 2) and test (Part 3) order of the project.
Can a .1309 / ARP4761 safety assessment approach be used for UAVS, to identify hazards for solution during design / manufacture / operation?
Part 2 has reviewed ARP4761 (which is based on satisfaction of 23.1309 and 25.1309 requirements) to see where it might fall short, in its applicability to UAVS. The concluding statement from Section 2.1 was “The intent of ARP4761 to support the safety assessment (and hence clearance) of novel aircraft systems remains good. If the issues identified above can be addressed, then the revised framework should equally support safety assessment and clearance of UAVS.”
The focus for Part 2 of the project has thus been to address these issues with a modified hazard identification methodology, to supplement ARP4761 and thus provide a safety assessment framework suitable for UAVS application. The identified ‘issues’ from Section 2.1 formed the ‘requirements’ for ‘design and build’ in Part 2, Section 2.2.
In order to pull together and relate the conclusions for build of the hazard identification methodology, Table 4.1.2(i) has been created (see following pages). This shows the development of conclusions, from the assessment of requirements in Section 2.1, through design and build in Section 2.2. To complete the picture, the conclusions from test and evaluation of the proposed method have been placed alongside (Part 3, section 3.2).
11. In summary, it is concluded that the development of the hazard identification methodology, using a modified functional failure analysis, has resulted in a practicable approach that addresses the gaps in ARP4761 previously identified. As such, the HazID methodology supplements ARP4761 to allow the combined safety assessment framework to be used for UAVS, to identify hazards for solution during design, manufacture and/or operation.
A better understanding of what the root hazards associated with UAVS integration are.
The hazard identification method, designed in Part 2, was assessed in Part 3 against a generic Tactical UAVS. From this application, a listing of potential hazards has been developed (Annex F).
Part 3, section 3.3 evaluated the hazards identified, using an alternative hazard identification technique and personnel. From this, the following conclusions have been reached:
12. The proposed HazID method (using a modified ARP4761 FFA approach) has identified around 90% of the likely hazards associated with integrating a (generic) Tactical UAV system into unsegregated airspace.
The shortfall is likely to be due to:
• the functional analysis being a ‘one-man’ effort, which would benefit from peer review;
• the difficulty in drawing out high-level Human Factors issues with FFA, and the importance of Human Factors Engineering to address such issues;
• FFA being just part of the ARP4761 framework – additional sub-system analyses such as FTA, FMEA, Common Cause Analysis etc would draw out further hazards.
13. The proposed method was strong in identifying hazards related to the external System of Systems, especially in areas such as the operating environment, in airmanship concerns, and interfacing with airfield and ATM environments. In these respects, it is proposed that the hazard listing has contributed to the understanding of UAVS integration hazards.
14. It should be borne in mind that the hazard listing is specific to the generic Tactical UAVS used for the case study. However, as has been stated (in the introduction and in Section 3.3), the results should have good read across for specific Tactical UAVS, and broad applicability for other types of UAVS, but should be assessed carefully for applicability to particular systems.
4.2 Recommendations for Further Work
4.2.1 UAVS Safety, generally
This project has addressed only a few of the safety aspects identified that currently stop UAVS from being integrated into unsegregated airspace. The list at Section 1.3 provides a rich seam of safety issues that require further work:
• Impact of the Variety, Roles and Performance of UAVs
• The complex system boundary for UAVs
• UAV autonomy - technology, predictability, complexity
• Accident rates and reliability - UAV airworthiness
• Regulation, Certification and the Drive for Standards
• ATM interaction
• Collision avoidance
• Security and safety
• Human factors, Suitably Qualified & Experienced Personnel (SQEP) and organisations
• Public perception of UAV safety
4.2.2 UAVS Hazard Identification Methodology and Application of ARP4761 Framework
This project has shown that it should be practicable to apply the hazard identification methodology, as part of an ARP4761 framework approach to safety assessment for a UAVS. However, several areas for further work exist, to provide confidence in the framework overall:
• The project focussed on the hazard identification aspects of ARP4761. It would be useful to extend assessment to look more closely at the follow-on safety assessment activities of ARP4761, including sub-system analyses, PSSA and SSA.
• The evaluation work looked at a generic tactical UAV, a broad area in the middle of potential UAVS types. Because of the wide range of UAVS types, it would be beneficial to evaluate application nearer the ends of the spectrum, perhaps for a HALE / UCAV system, and a Micro / Urban system.
• The evaluation was also a one-man application to a generic system. Further confidence would be built through documented application to an actual system in development. This could seek to use team / stakeholder involvement to improve the context and functional identification; and apply the revised ARP4761 framework through to certification.
• An ATM environment-level FHA (including principles for integration of UAVS) could be undertaken, with involvement of EUROCONTROL, the CAA and/or other regulators. This could aid the development of UAVS policy and (perhaps through decomposition of such policy using methods such as discussed in [Hall05]) support satisfaction of such policy as input to the UAVS-level FHA by the system developers.
• A key finding was the suspected criticality of autonomy to the effects of failure. It would be useful to apply the FFA to a known system, but looking at the effects of varying the UAV autonomy level, for each failure.
BIBLIOGRAPHY
[AST04] “ASTM International Support to the U.S. Unmanned Air Vehicle Systems Industry - Position Statement”, 2004, ASTM International

[AST05-1] “Role of standards in the latest OSD UAS Roadmap”, May 2005, ASTM International

[AST05-2] “Roadmap for Unmanned Aircraft Standards”, May 2005, ASTM International

[Bol05] “CRS Report for Congress: Homeland Security: Unmanned Aerial Vehicles and Border Surveillance”, RS21698, Bolkcom C., Feb 2005, Congressional Research Service, Library of Congress

[Bon05] “Global Satellite Navigation Systems: Advantages and Vulnerability”, Bonnor N, Feb 2005, Royal Institute of Navigation (RAeS Conference proceedings)

[Bow05] “Unmanned Aerial Vehicle Flights in UK Airspace”, 8AP/15/19/02, Bowker, Lt Cdr GN, May 2005, Civil Aviation Authority - Directorate of Airspace Policy

[CAA02] “Aircraft Airworthiness Certification Standards for Civil UAVs”, Haddon DR & Whittaker CJ, Aug 2002, Civil Aviation Authority - Directorate of Airspace Policy

[CAA04] “Unmanned Aerial Vehicle Operations in UK Airspace – Guidance”, CAP722 (2nd Edition), Nov 2004, Civil Aviation Authority - Directorate of Airspace Policy

[CAS04] “Civil Aviation Safety Regulations - Part 101 Unmanned aircraft and rocket operations”, CASR Part 101, Dec 2004, [Australian] Civil Aviation Safety Authority

[CSI04] “MSc in Safety Critical Engineering - Computers, Software & ISA”, CAS, McDermid J & Pumfrey D, Apr 2004, The University of York, Department of Computer Science

[DeG04] “Issues Concerning Integration of Unmanned Aerial Vehicles in Civil Airspace”, MP 04W0000323, DeGarmo MT, Nov 2004, Mitre Corporation - Center for Advanced Aviation System Development

[dst04] “Applying Safety Process Measures”, Caseley P, Jun 2004, DSTL (through Safety Critical Systems Club Seminar 'Life Saving Second Opinions')

[EAS05] “Advance - Notice of Proposed Amendment - Policy for Unmanned Aerial Vehicle Certification”, A-NPA No 16-2005, 2005, EASA

[EUR01] “EUROCONTROL Safety Regulatory Requirement 4 - Risk Assessment and Mitigation in ATM”, ESARR 4, Apr 2001, EUROCONTROL

[FAA88] “Advisory Circular: Transport Category Airplanes, Federal Aviation Regulations - System Design and Analysis”, AC 25.1309-1A, Jun 1988, Federal Aviation Authority

[FAA99] “Advisory Circular: Normal, Utility, Aerobatic and Commuter Category Aeroplanes - Equipment, Systems, and Installations In Part 23 Airplanes”, AC 23.1309-1C, Mar 1999, Federal Aviation Authority

[Hall05] “Defining and Decomposing Safety Policy for Systems of Systems”, SAFECOMP 2005 / LNCS 3688 / pp. 37-51, Hall-May M & Kelly T, 2005, University of York Dept of Computer Science

[HFE05] “MSc in Safety Critical Engineering - Human Factors Engineering”, HFE, Wright P, Feb 2005, the University of York Department of Computer Science
[HRA03] “MSc in Safety Critical Engineering - Hazard & Risk Assessment”, HRA, Kelly T et al, Nov 2003, The University of York, Department of Computer Science

[Hua04-1] “Autonomy Levels for Unmanned Systems (ALFUS) Framework - Volume I: Terminology (Version 1.1)”, NIST Special Publication 1011, Huang HM, Sep 2004, National Institute of Standards and Technology

[Hua04-2] “Autonomy Measures For Robots: Proceedings of IMECE”, IMECE2004-61812, Huang et al, November 2004, International Mechanical Engineering Congress

[Jos05] “Model-Based Safety Analysis of Simulink Models Using SCADE Design Verifier”, Joshi A & Heimdahl M, 2005, University of Minnesota Department of Computer Science & Engineering

[LaF05-1] “Mapping A Future”, LaFranchi P, March 2005, Flight Magazine (Reed Business Information)

[LaF05-2] “Crash Course”, LaFranchi P, March 2005, Flight Magazine (Reed Business Information)

[LeT02] “VFR General Aviation Aircraft and UAV Flights Deconfliction”, AIAA-2002-3422, Le Tallec C, 2002, ONERA Long-term Design and Systems Integration Department

[Man06] Meeting with Patrick Mana to discuss EUROCONTROL safety criteria, Apr 2006

[MaP05] “EADS Current UAV Programmes”, MacPherson W, Feb 2005, EADS / RAeS Conference proceedings

[Mar03] “Suggested Flight Approval Process for Unmanned Air Vehicles (UAVS)”, Marsters GF & Sinclair M, 2003, AeroVations Associates

[McD03] “Extending PSSA for Complex Systems”, McDermid J & Nicholson M, 2003, University of York

[Met05] “UAV Access to UK Airspace - Spectrum Availability”, Mettrop J, Feb 2005, CAA / RAeS Conference Proceedings

[Nel04] “Prospective UAV operations in the future NAS”, Case#04-0936, DeGarmo M and Nelson G, 2004, Mitre Corporation - Center for Advanced Aviation System Development

[Okr05] “25 Nations for an Aeronautics Breakthrough”, Okrent M, Feb 2005, UAVNET / RAeS Conference proceedings

[PlJ05] “Approach to Autonomy”, Platts J, Feb 2005, QinetiQ / RAeS Conference proceedings

[PlP05] “UAVs and ATM - A Holistic Approach”, Platt P, Feb 2005, QinetiQ / RAeS Conference proceedings

[RQE05] “MSc in Safety Critical Engineering - RQE: Requirements Engineering”, RQE, Luettgen G & Stepney S, Oct 2005, the University of York Department of Computer Science

[RTC05] “Special Committee 203 Minimum Performance Standards for Unmanned Aircraft Systems and Unmanned Aircraft - Terms of Reference, revision 1”, RTCA Paper No. 006-06/PMC-438, Dec 2005, RTCA

[SAE96] “Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment”, ARP 4761, 1996, SAE

[Sch04] “Defense Science Board Study on UAVs and UCAVs”, Schneider W (Chairman), Feb 2004, DSB for Secretary of Defense
[Sin03] “Integrating UAVs With Conventional Air Operations: Some Regulatory Issues”, Marsters GF & Sinclair M, Mar 2003, AeroVations Associates

[Ste05] “UAV Access to UK Airspace”, Stenson J, Feb 2005, CAA / RAeS Conference proceedings

[UTF04] “UAV Task Force Final Report”, JAA / EUROCONTROL, May 2004, EASA

[Wal03] “Application Of Manoeuvre-Based Control In Variable Autonomy Unmanned Combat Aerial Vehicles”, AFIT/GAE/ENY/03-09, Walan Capt AM, March 2003, [US] Air Force Institute of Technology

[Wei03] “Safety Considerations for Operation of Small Unmanned Aerial Vehicles in Civil Airspace”, Weibel R & Hansman RJ, Oct 2003, MIT International Centre for Air Transportation

[Wei04] “Safety Considerations for Operation of Different Classes of UAVs in the NAS”, AIAA-2004-6421, Weibel RE and Hansman RJ, Sep 2004, American Institute of Aeronautics and Astronautics

[Wes05] “Meggitt Aerial Target Services - History, Utility and the Future”, Westlake-Toms S, Feb 2005, Meggitt / RAeS Conference Proceedings

[Whi05] “Aircraft Airworthiness Standards for Civil Unmanned Aerial Vehicle Systems”, Whittaker C, Feb 2005, CAA / RAeS Conference proceedings

[Wik03] “Flying with Unmanned Aircraft (UAVs) In Airspace Involving Civil Aviation Activity - Air Safety and the Approvals Procedure”, Wiklund E, March 2003, Swedish Aviation Safety Authority

[Wil04] “A Summary of Unmanned Aircraft Accident/Incident Data: Human Factors Implications”, DOT/FAA/AM-04/24, Williams K, 2004, Federal Aviation Authority

[Wil05] “Keynote Address to the RAeS 2nd FEBRUARY 2005”, Willbond T, Feb 2005, RAES / UAVSA
ABBREVIATIONS & ACRONYMS
Autonomy  (A) The condition or quality of being self-governing. (B) A [UAV's] own ability of sensing, perceiving, analyzing, communicating, planning, decision-making, and acting, to achieve its goals as assigned by its human operator(s) through designed HRI. Autonomy is characterized into levels by factors including mission complexity, environmental difficulty, and level of HRI to accomplish the missions. [Hua04-1]

A-NPA  Advance - Notice of Proposed Amendment. EASA advance issue of a document, advising of proposed changes to regulation and inviting comment from stakeholders.

AOPA  Aircraft Owners & Pilots Association

ASTM  American Society for Testing and Materials. US society for development of consensus based standards.

ATC  Air Traffic Control. Relates to the interaction with (or inputs to) the aircraft, as defined by the Air Traffic Controller - output of the ATM.

ATS  Air Traffic Service

ATM  Air Traffic Management. The wider ground, personnel and procedural system that provides Air Traffic Control as its output.

BLOS  Beyond Line Of Sight. Long range guidance and command datalinks, where signals must be bounced, bent or relayed to reach beyond terrain or earth's curvature masking. See also OTH.

Chicago Convention  The Convention on International Civil Aviation set out that "...the undersigned governments having agreed on certain principles and arrangements in order that international civil aviation may be developed in a safe and orderly manner and that international air transport services may be established on the basis of equality of opportunity and operated soundly and economically."

CAA  Civil Aviation Authority. Where not otherwise qualified, refers to the UK authority.

CCA  Common Cause Analysis. Generic term encompassing Zonal Analysis, Particular Risks Analysis and Common Mode Analysis. In these methods, analysis is made of common modes of failure, which could affect a number of elements otherwise considered to be independent. [SAE96]

C4  Command, Control, Communications, Computers. Description of military command elements pertinent to a system. May refer to C2, C3 etc as applicable to the system under consideration.

Comms  Communications. Usually referring to technology or infrastructure.

ConOps  Concept of Operations. Documentation describing how a system is intended to be used in-service.

DoD  Department of Defense (United States)

DSA  Detect, Sense and Avoid. US terminology for S&A.

dstl  Defence Science & Technology Laboratory. UK MoD centre of scientific excellence, providing scientific advice to the Armed Forces.

EASA  European Aviation Safety Agency. "The European Aviation Safety Agency is the organ of the European Union to set strategy for aviation safety. While national authorities continue to carry out the majority of operational tasks… the Agency ensures common safety and environmental standards at the European level."

ELINT  Electronic Intelligence

ECM  Electronic Counter-Measures

EMC  Electro-Magnetic Compatibility

EMI  Electro-Magnetic Interference

EU  European Union

EUROCAE  European Organisation for Civil Aviation Electronics. European regulatory body, advising EUROCONTROL and EASA.

FAA  Federal Aviation Authority. US government organisation for the advancement, safety and regulation of civil aviation.

FAR  Federal Aviation Regulations. Aviation regulations as issued by the FAA.
FHA  Functional Hazard Assessment. A systematic, comprehensive examination of functions to identify and classify Failure Conditions of those functions according to their severity - see also PSSA and SSA [SAE96]. The intent is to be predictive of system failure conditions, to allow safety targets to be set for system component reliabilities, in order to achieve an acceptable overall platform safety level once the design is realised.

FFA  Functional Failure Analysis. A technique which is part of FHA. Applies a systematic review of system functions to determine the ways in which failure may occur; then analyses these failures for potential accident consequences. Can be used to determine the criticality of each function (and failure mode) and set appropriate Safety Integrity or Design Assurance Levels, or more specific reliability requirements.

FIR  Flight Information Region. As in the UK FIR, describes the majority of airspace covered by advisory rather than mandatory Air Traffic Control.

FMEA  Failure Modes and Effects Analysis. Safety analysis to determine hazard effects of lower level system and component failures - part of SSA and PSSA.

FTA  Fault Tree Analysis. Subsequent safety analysis to determine contributory causes for potential hazards - part of SSA and PSSA.

FTS  Flight Termination System. System that (usually small) UAVs may be fitted with, to ensure that the vehicle can be commanded to ‘stop flying’ safely, in the event of some other critical system failure. Such systems include parachute retrieval, and control hard-over.

Galileo  European / US / ICAO supported civilian controlled GNSS.

GCS  Ground Control System. Ground-based system elements that allow the UAV-p to control the UAV.

GLONASS  Global'naya Navigatsiomaya Sputnikova Sistema. Russian GNSS.

GNSS  Global Navigation Satellite System. Generic name for GPS.

GPS  Global Positioning System. Navigation system set up by the DoD, using 24 orbiting satellites to transmit timing information and allow receiving systems to calculate their position by triangulation and measured signal timing differences (pseudo-ranges).

HALE  High Altitude, Long Endurance. UAV type characterised by its intended operating altitude and endurance. See also MALE.

HazID  Hazard Identification. Collection of safety assessment techniques that enable the hazardous characteristics of a system under study to be identified early on, in a reliable and systematic manner.

HF  Human Factors

HIRF  High Intensity Radio Frequency. HIRF transmitters have the potential to cause EMI with the UAV or its datalink with the GCS. Usually refers to actual sources of HIRF, such as high-power transmitters for radio, radar, telecomms etc.

HIRTA  High Intensity Radio Transmission Area. HIRF transmitter of known location, identified on maps to alert pilots (and hence to avoid them).

HMI  Human / Machine Interface. See HRI.

HRI  Human-Robot Interaction / Interface. Also known as Human Interaction, Operator Interaction (or more generally as Human / Machine Interface). The activity by which human operators engage with [UAVs] to achieve the mission goals. [Hua04-1]. As an interface, the term is an extension of earlier considerations of 'Man-Machine Interface' and 'Human-Computer Interface'.

ISTAR  Intelligence, Surveillance, Targeting and Reconnaissance

ICAO  International Civil Aviation Organisation. The International Civil Aviation Organization, a UN Specialized Agency, is the global forum for civil aviation. See web site at www.icao.int

IFR  Instrument Flight Regulations. Set of specific regulations that a pilot / aircraft must comply with (including required equipment) in order to fly when defined visibility criteria for VFR are not met.

JAA  Joint Aviation Authority. Advisory group consisting of the various European civil aviation authorities. Now superseded by EASA.

JAR  Joint Airworthiness Requirement. Airworthiness requirement issued by JAA. Now superseded by EASA CS regulations.
MAFF  Ministry of Agriculture, Fisheries and Food. UK government ministry.

MALE  Medium Altitude, Long Endurance. UAV type characterised by its intended operating altitude and endurance. See also HALE.

MASPS  Minimum Aviation System Performance Standards. UAV standards being developed by RTCA.

MoD  Ministry of Defence (United Kingdom)

Mode S / Mode S ELS  Mode Selective / Mode Selective Elementary Surveillance. Mode S is a modification to SSR that permits selective interrogation of aircraft by means of a unique address, thus avoiding the risk of mis-identification due to overlapping signals. Mode S ELS is the elementary implementation for aircraft under 5,700 kg and 250 kts capability. It responds with a unique Aircraft Identification code, and limited other information, most notably aircraft altitude.

MP  Mission Planning. The process to generate tactical goals, a route (general or specific), commanding structure, coordination, and timing for one or teams of UAVs. The mission plans can be generated either in advance [and pre-loaded to the UAV before flight] or in real-time by the onboard, distributed software systems. [Hua04-1]

NAS  National Air Space. Term covering airspace under US regulatory control.

NATO  North Atlantic Treaty Organisation. Military organisation originally set up by western countries' forces, to counter the threat from the Soviet bloc.

NEC  Network Enabled Capability. UK MoD approach to ensure that all Systems can be linked into a military command and control network, for sharing of information.

nm  Nautical Miles

NTSB  National Transportation Safety Board. US Federal agency that investigates civil transportation accidents (including aviation), conducts safety studies, and issues safety recommendations to prevent future accidents.

OTH  Over The Horizon. Long range guidance and control datalinks - see BLOS also.

PSSA  Preliminary System Safety Assessment. A systematic evaluation of a proposed system architecture and implementation based on the Functional Hazard Assessment and failure condition classification to determine safety requirements for all items - see also FHA and SSA [SAE96].

RC  Remote Control. See RPV.

RF  Radio Frequency

RoW  Right of Way. Agreed principles for aircraft rights of way (who has precedence), in accordance with ICAO and national Rules of the Air.

RNAV  Area Navigation

RPA  Remotely Piloted Aircraft. See RPV.

RPV  Remotely Piloted Vehicle. Usually indicates a UAV with virtually no autonomy, in that its flight controls are directed manually (and continually) by a ground-based pilot.

RTCA  Radio Technical Commission for Aeronautics. US society for production of consensus based standards.

Sensor  Equipment that detects, measures, and/or records physical phenomena, and indicates objects and activities by means of energy or particles emitted, reflected, or modified by the objects and activities. [Hua04-1]

S&A  Sense and Avoid. Function / technology that allows a UAV to match / improve upon a manned aircraft pilot's ability to see conflicting traffic and take avoiding action. Intended as a last defence, when other formal barriers such as ATC segregation (by airspace, flight level, instruction etc) and co-operative technologies such as TCAS have proved ineffective for a particular situation.

SCADE  Safety Critical Application Development Environment

SOP  Standard Operating Procedures. Defined procedures to be manually followed, in the event of expected normal or emergency arisings.

SoS  System of Systems. Where a tightly-coupled system under consideration can be shown to be part of a wider, more loosely-coupled set of systems, each affecting each other with potential safety implications.
SQEP  Suitably Qualified and Experienced Personnel. Term used to reflect the need for personnel to be competent to perform safety-related duties.

SSA  System Safety Assessment. A systematic, comprehensive evaluation of the implemented system to show that the relevant requirements are met - see also FHA and PSSA [SAE96].

SSR  Secondary Surveillance Radar. ATM system where aircraft fitted with transponders are interrogated by the ground radar, and are indicated on the controller's radar screen at the calculated bearing and range. An aircraft without an operating transponder may still be observed by primary radar, but without an identifying tag. See also ‘Mode S’.

SWIFT  Structured 'What If' Technique. FHA method assessing system physical elements, flows and procedures, using structured categories and key words to help draw out potential hazards.

TAWS  Terrain Awareness & Warning System. [See also GPWS]

TCAS  Traffic awareness & Collision Avoidance System. Co-operative system, based on transponder responses from equipped aircraft - each aircraft in a potential collision path is given a mutually compatible avoidance manoeuvre to fly, to avert the risk.

TUAV  Tactical UAV. UAV type characterised by the scope of its operations for gathering military intelligence.

UAV Commander  A suitably qualified person responsible for the safe operation of a UAV System during a particular flight and who has the authority to direct a flight under her/his command. [CAA04]

UAV Operator  The legal entity operating a UAV System. [CAA04]

UAS  Unmanned Aerial System. See UAVS.

UAV  Unmanned Aerial Vehicle. Usually refers to the flying vehicle itself (see UAVS below). CAA definition is 'An aircraft which is designed to operate with no human pilot on board.' [CAA04]

UAV-p  UAV Pilot. Person directly in control of the UAV, under command of the UAV Commander.

UAVS  Unmanned Aerial Vehicle System. Includes all aspects of the system (including ground elements such as the GCS and sometimes even the 'soft' elements such as the operating organisation and procedures). Sometimes referred to as UAS - Unmanned Aerial System.

UCAV  Unmanned Combat Air Vehicle. UAV designed and intended to deliver weapons against other air vehicles or ground targets. The definition is usually intended to cover a system that has some level of autonomy (not purely under manual guidance), and that can return (i.e. not just a guided weapon).

UK  United Kingdom ...of Great Britain and Northern Ireland

UML  Unified Modelling Language. A standardised language for specifying, visualizing, constructing, and documenting the artefacts of complex systems (usually but not necessarily software), using graphical notation.

URD  User Requirement Document. High level requirement document, setting out the user-focused requirements for a system (i.e. what the end-user must be able to achieve with a system, rather than how it is to be achieved).

US  United States ...of America

UTF  UAV Task Force. Joint task force between JAA and EUROCONTROL, to explore UAV integration and implications for ATM.

VFR  Visual Flight Regulations. Airmanship regulations that must be followed by pilots / aircraft, when visibility and weather conditions conform to required criteria.

VHF  Very High Frequency. Radio Frequency range used for ATC communications.

VOR  VHF Omni-directional Range. Ground beacon-based navigation system.

Vmo  Maximum Operating Speed. Defined velocity criteria for an aircraft design. The speed that the design cannot exceed, without damage to the airframe or loss of control.

Vs  Stalling Speed. Defined velocity criteria for an aircraft design. The speed that the design cannot fly below, without stalling (losing lift and possibly control).

www  World Wide Web
ANNEX A

REVIEW OF ARP 4761, TO SUPPORT ARP 4758, CS 25.1309 ETC FOR UAV APPLICATION
Reference: [SAE96] - ARP 4761 Issue 1996-12
INTRODUCTION TO REVIEW
SAE International - "the Engineering Society for advancing mobility - Land, Sea, Air, Space" - publish various ARPs (Aerospace Recommended Practice) to aid industry in achieving required standards. ARP4761 [SAE96] provides "Guidelines And Methods For Conducting The Safety Assessment Process On Civil Airborne Systems And Equipment": it is a companion to ARP 4754 which is aimed at the certification methods for complex airborne systems, but both are intended to provide a systematic means by which satisfaction of FAR 25.1309 [FAA88] and its JAR (now EASA CS) equivalent can be shown, for civil aircraft.
The comments below discuss the applicability of the guidelines and methods in terms of assessment for a UAV System. In particular, the review looks at the hazard identification aspects (predominantly the Functional Hazard Assessment (FHA) proposed by ARP 4761).
SECTION 1. SCOPE
This sets the scope for 'aircraft level safety assessment' - this would need to be developed for the broader UAVS scope (or System of Systems (SoS) scope - see section 1.1.2).
SECTION 2. REFERENCES
The references to standards would need to be revised in light of the standards being adopted, adapted and created for UAVS applicability (see section 1.2.1).
SECTION 3. SAFETY ASSESSMENT PROCESS
Section 3.1 Safety Assessment Overview

This section draws in the safety objectives from FAR / JAR 25.1309 (becoming EASA CS.25.1309), as shown below:
Table A(i) - Safety Objective, from ARP 4761 (drawn in turn from CS.25.1309)
On initial review, it can be seen that the criteria are driven to the most demanding, as required for EASA and FAA requirements at the '25.1309' heavy-end of the vehicle spectrum. As noted in [Wik03], in section 1.1.4 of this report, there is a spectrum of requirements pertinent to the scale of the vehicle - 10^-9 per fg hr for a heavy transport increases to 10^-6 per fg hr for a single engine aircraft under 6000 lbs.
It can also be seen that these criteria are lacking in their UAVS applicability, such as having no occupants, the remote / autonomous nature of their crew, and (implicit) differences in system arrangements. These aspects were noted by the JAA / Eurocontrol UAV Task Force - in their report [UTF04, chapter 7.5], they suggested modifications to the criteria, as follows:
o The worst UAV Hazard Event designated as 'Catastrophic' or Severity I Event may be defined as the UAV's inability to continue controlled flight and reach any predefined landing site, i.e. a UAV uncontrolled flight followed by an uncontrolled crash, potentially leading to fatalities or severe damage on the ground.

o The overall (qualitative) Safety Objective for UAV System may subsequently be "to reduce the risk of UAV Catastrophic Event to a level comparable to the risk existing with manned aircraft of equivalent category".

o Quantitative safety objective for the individual UAV 'Catastrophic' or 'Severity I' conditions and/or for the sum of all failure conditions leading to a UAV Severity I Event should be set, per UAV category, considering:

    o The probability level for catastrophic failure conditions that is considered as acceptable by the airworthiness requirements applicable to manned aircraft of "equivalent class or category".

    o The historical evidence and statistics related to manned aircraft 'equivalent class or category', including, where relevant, consideration of subsequent ground fatalities.

o Categories lower than Severity I could be defined as follows.

    o Severity II would correspond to failure conditions leading to the controlled loss of the UAV over an unpopulated emergency site, using Emergency Recovery procedures where required.

    o Severity III would correspond to failure conditions leading to significant reduction in safety margins (e.g., total loss of communication with autonomous flight and landing on a predefined emergency site).

    o Severity IV would correspond to failure conditions leading to slight reduction in safety margins (e.g. loss of redundancy).

    o Severity V would correspond to failure conditions leading to no Safety Effect.

o The quantitative probability ranges required for lower severities should be derived from the quantitative required objective for the worst severity.
While these suggestions clarify the qualitative aspects of the criteria, care would be needed where a quantitative assessment was to be applied. Some of the issues associated with this are discussed in this report at section 1.1.4.
In the above, what do the Severity I-V categories refer to? Discussion with Patrick Mana of EUROCONTROL [Man06] clarified their concern that the ARP 4761 criteria reflected an airworthiness-focused accident consequence (i.e. loss of the aircraft with its occupants and / or harm to personnel on the ground). In order to focus safety management within ATM system development, EUROCONTROL considered that further criteria were required to deal with the effects on the ATM environment. For this reason, they have published their risk management regulations (at system level) in EUROCONTROL Safety Regulatory Requirement 4 (ESARR 4) [EUR01]. These criteria cover:
o Effect of hazard on air crew (e.g. workload, ability to perform his/her functions);

o Effect of hazard on the Air Traffic Controllers (e.g. workload, ability to perform his/her functions);

o Effect of hazard on the aircraft functional capabilities;

o Effect of hazard on the functional capabilities of the ground part of the ATM System;

o Effect of hazard on the ability to provide safe Air Traffic Management Services (e.g. magnitude of loss or corruption of Air Traffic Management Services/functions).
The discussion with Patrick concluded that, to support EASA's requirement for total system safety, and EUROCONTROL's particular requirements for air collision risk, a UAV-focussed safety process would need to accommodate both the CS.1309 airworthiness criteria and, somehow, the ATM criteria. These are reproduced in Table A-2 below from [EUR01] for comparison. Note that, unlike the FAA / EASA 'airworthiness' requirements of 25.1309 and 23.1309, these requirements are absolute and do not vary with the size or category of the aircraft. Also, EUROCONTROL have only identified one end of the risk spectrum: Severity 1 accidents must not occur more often than 1.55 x 10^-8 per fg hr.
Table A(ii) - Severity Criteria as defined in ESARR4 by EUROCONTROL
Section 3.2 Functional Hazard Assessment (FHA)
The usual route proposed by ARP4761 is to carry out an Aircraft Level FHA, a high-level, qualitative assessment of the basic functions of the 'aircraft' as defined at the beginning of aircraft development. This is then followed with a System Level FHA, which is iterative in nature and becomes more defined and fixed as the system evolves. It considers a failure or combination of system failures that affect an aircraft function. The intent is to work towards identification of the appropriate Development Assurance Level (DAL) for each aircraft function and the system functions that affect it. These in turn help to identify the level of development, qualification and certification activity required to provide adequate assurance that each function has been safely implemented. The output from the aircraft and system level FHAs is used to set the safety requirements for the detailed design process, so it is vital that all pertinent safety hazards have been identified by this point. A number of questions emerge at this point, in trying to apply this process to UAVS:
o Is an 'aircraft level' FHA appropriate as the start point for UAVS assessment? ARP4761 proposes this as the highest level for consideration, but for UAVS there is the 'super-system', the SoS whose support is critical to mission (and safety) assurance.
o How is the integration of systems best handled, to ensure all hazards are identified? In particular, integration of the people and procedural systems, as well as the extended system technical elements?
Here, ARP4761 provides comment over the integration of systems:
"The safety assessment process for integrated systems should take into account any additional complexities and interdependencies which arise due to integration. In all cases involving integrated systems, the safety assessment process is of fundamental importance in establishing appropriate safety objectives for the system and determining that the implementation satisfies these objectives."
As noted in section 1.1.2 of this report, this is particularly pertinent (and challenging) for UAVS and the extended boundary of the System of Systems (SoS). The section goes on to discuss the role of Functional Hazard Assessment (FHA) at the beginning of the development process, to set appropriate safety objectives and requirements. One of the problems I foresee is that, because of the loose and fluid nature of the UAVS system boundary, the complex interaction with the SoS, and the variable nature of where functions are controlled (through autonomy), there may be a whole mess of 'exchanged functions' that will be difficult to identify and assess, until at least initial UAVS high-level architectures are outlined. The ARP does suggest that the FHA is reviewed once the functions begin to be allocated to systems, but this could prove to be a significant part of the assessment for a UAVS. The follow-on work for Preliminary System Safety Assessment (PSSA) and System Safety Assessment (SSA) could draw out such interactions, especially through work elements such as Common Cause Analysis (CCA), but the ideal would be to identify these hazards early on, before the system architecture begins to 'harden up' in the development process and change becomes more difficult. Also, these latter analyses are aimed more at identifying and mitigating causes for the potential hazards already identified, rather than identification of new hazards.
Section 3.3 and on: Preliminary System Safety Assessment (PSSA), System Safety Assessment (SSA)
This report will not look in any detail at the PSSA-onwards part of the process, as the ARP assumes that all hazards have (in the main) been identified during FHA, and our focus is on hazard identification. As ARP4761 describes this aspect:
"A PSSA is used to complete the failure conditions list [i.e. the causes of hazards] and the corresponding safety requirements. It is also used to demonstrate how the system will meet the qualitative and quantitative requirements for the various hazards identified. The PSSA process identifies protective strategies, taking into account fail-safe concepts and architectural attributes which may be needed to meet the safety objectives. It should identify and capture all derived system safety requirements (e.g., protective strategies such as partitioning, built-in-test, dissimilarity, monitoring, safety-related tasks and intervals, etc.). The PSSA outputs should be used as inputs to the SSA and other documents, including, but not limited to, system requirements, hardware requirements and software requirements."
What is useful to consider here is that other reviewers have found aspects of ARP4761 that need bolstering, in order to apply PSSA to complex systems and SoS. McDermid and Nicholson [McD03] proposed that some extensions to the guidelines and methods were necessary to deal with (in particular) the people, processes and software that characterise such complex systems and their interactions with other systems. [McD03] focuses on the design-centred PSSA part of the cycle, where the comments will, of course, be especially applicable for UAVS. However, the comments could apply equally to the up-front FHA aspects, especially where the UAVS will have to fit into an existing SoS with pre-defined equipment and people elements (such as ATM and, perhaps, common mission planning and GCS systems). The paper suggests that additional hazard identification methods are required to deal with software-rich and people-centred aspects - elements of this could be brought forward into FHA for UAVS assessment, where pre-existing systems have to be integrated with, or could be adapted to help deal with the system interactions known to exist at the FHA stage.
For the SSA stage, the assessment requires a defined design to be validated against the developed safety requirements - this is not the focus of our report, but there could be interesting questions over use of traditional safety analyses such as Failure Modes and Effects Analysis (FMEA) in people- and software-rich systems, and interactions across complex SoS.
SECTION 4. SAFETY ASSESSMENT ANALYSIS METHODS
The ARP describes a number of useful PSSA- and SSA-related safety assessment techniques, and little needs to be said here. However, there are some aspects of interest relating to Common Cause Analyses (CCA) that should be touched on, perhaps as pointers for future studies:
o Zonal Hazard Analyses - the question here is over the definition of zones. With the extended UAVS and SoS, zone definition potentially needs to be extended likewise. For example, the SoS includes critical navigation elements in space (if using GPS), and datalinks transmitting through a common RF environment with other transmitters.

o Particular Risk Analysis - the suggested list could be extended to consider particular risks specific to UAVS, such as datalink failure.
APPENDIX A - FUNCTIONAL HAZARD ASSESSMENT
A fair amount has already been said about FHA above, relating to UAVS. Here, we will only discuss new aspects that become pertinent from the ARP text.
In A.1, the ARP again sets the intent to conduct the FHA at 'Aircraft' and 'System' levels – this we have discussed above, with the complications for UAVS of the complex system boundary and the system of systems interactions.
The section goes on to suggest that "It is desirable to establish an aircraft level general hazard list to be used on future projects so that known hazards are not overlooked." This would be a useful step forward, provided that it is not used to limit the application to a new UAVS, where additional and different hazards might exist.
A.3 introduces the ARP-proposed FHA process. The suggested process for conducting the Aircraft-level FHA is reproduced below in Figure A-1 (a separate figure is presented in the ARP for the System-level FHA, but does not differ significantly for our purposes).
Section A3.1 Function Identification
A3.1.1 provides guidance on source data for the FHA. For the Aircraft-level, a fairly simple list is proposed:
• The list of the top-level aircraft functions (e.g., lift, thrust, etc.)
• The aircraft objectives and customer requirements (e.g., number of passengers, range, etc.)
• Initial design decisions (e.g., number of engines, conventional tail, etc.)
This is based on an assumption of simple interfaces between the 'aircraft' and the external world, because the ARP provides a much more detailed list for the System-level FHA, where interfaces between system elements and initial design decisions are critical. For our consideration of the UAVS being part of a complex System-of-Systems, might the listing for the system-level FHA (or similar) be more appropriate? We will touch more on this later, as we look at the FHA process and its needs.
Figure A-1 - ARP4761 Process for an Aircraft-level FHA
Following the process model outlined in Figure A-1 above, A.3.1.2 looks at creation of the function list.
• A.3.1.2a refers to 'internal' functions, which are the main high-level functions of the aircraft, and the functions assumed to be exchanged internally within the aircraft system (presumably from initial design assumptions). For our UAVS with its complex system boundary (even when just looking internally, with the UAV, the GCS and immediate high-level system assumptions), the list of 'typical' internal functions would need to grow considerably – and guidance needs to be given on defining what is the high-level system (as discussed in this report at section 1.1.2). These internal functions might vary with our initial design assumptions over the UAVS architecture, and it will be difficult to keep our view to the overall system (e.g. not to dive down into system design, or discussions of autonomy, but to cover all functions within the system 'bag' together).
• A.3.1.2b refers to 'exchanged' functions, put simply as functions that interface with other aircraft or ground systems. This is where our SoS would really take effect, and needs careful guidance on how to ensure no functions are missed. Perhaps this is where the scope of the ARP application extends beyond the airworthiness it was originally intended for, into the total safety approach desired by EASA / Joint European UAV Task Force.
The A.3.1.2 process box in Figure A-1 also refers to identification of flight phases, though little guidance is given in the text. Where flight phases for an airliner might be fairly simple to define (ground handling; take-off; climb-out; etc.) for a typical operation, the problem with UAVS will be the variety of mission types (as discussed in this report at section 1.1.1). Also, within aerial work mission types, the mission may be made up of several different phases, or have optional phases, rather than the predominant cruise phase in transport flying. These flight phases are required to help draw out the 'aircraft' functions and also to understand the consequences of functional failures (see A.3.2.2 below), so it is important that they are well explored for the UAVS. A problem here might also be the lack of suitably experienced personnel with expertise in such operations for UAVSs, to support the analysis.
Section A.3.2 - Identification and Description of “Failure Conditions”
A.3.2.1 discusses the creation of a list of Environmental and Emergency Configurations, to add to the consideration of failure effects. Environmental aspects may require more detailed definition, as UAVs may operate in significantly different environments from manned aircraft, due to their performance or role. For example, a HALE type UAV will operate at extremely high altitudes, where environment effects such as icing, jet stream winds, or even obscure phenomena such as gravity waves might have an effect. Small, low-level UAVs used for (say) pipeline surveying may be susceptible to terrain-induced turbulence or wind shear. In general, UAVs are more sensitive to climatic effects than their manned counterparts ([DeG04, para 2.1.4]). UAV roles and performance may also introduce other peculiar environmental events, such as personnel change-over during long endurance missions.
For the emergency configurations, some may need to be specified from regulatory sources (such as the particular risk for data-link loss); others may come from the initial assumptions over the UAV performance, role, or overall architecture.
A.3.2.2 considers how failures could occur singly, or combine into multiple failures. This may be tricky to achieve sensibly for the UAVS because of the wide SoS: the potential for multiple failures exists from so many sources.
Section A.3.3 to A.3.8 – Identifying and Managing the Effects of Failure Conditions
The remainder of A.3 looks at how the effects of failure conditions are determined and then flowed down into safety objectives for lower-level design and safety analyses.
What is not stated here, but is discussed in A.3.1.2 and is implied from the process chart, is that flight phases provide a key input in determining the severity of effects. In fact, because UAVs have no occupants and hence fewer generic airworthiness concerns, the context of where they are and what they are doing when failure occurs is critical in determining the consequential effect on other airspace users or overflown populations. ARP 4761 seems to lack the necessary direction to establish this mission / environmental / ATM context in which to place the UAVS failure.
Section A.4 – FHA Outputs
A.4 looks at the outputs from aircraft and system FHAs, into the remaining PSSA and SSA processes. Without going in depth into the implications of UAVS analysis for these processes, the requirements seem fairly valid, but would need further validation to support actual use. What is encouraging is the message to document the process thus far, not just to support the further analyses but also to improve the knowledge base for when the next FHA analyses are required. UAVS lack the overall expertise and experience that has grown over the years for manned aircraft, and concerted efforts are required to build the knowledge base of available information, to save future engineers having to develop such experience themselves in real time!
ANNEXES B – L
Annexes B to K cover more in-depth safety analyses aimed at implementing the safety requirements identified herein, and are not covered in this review. Annex L provides a worked example that is pertinent to manned aircraft, and again is not covered here.
ANNEX B
EXTRACT FROM [CAA02] - A METHOD FOR SETTING DESIGN STANDARDS FOR NEW KINDS OF AIRCRAFT, INCLUDING UNMANNED AIR VEHICLES
Extracted from [CAA02]
This [document] describes a method for obtaining a first outline of the airworthiness standards which should be applied to aircraft of novel design. The method compares the hazard presented by the new aircraft with that of existing conventional aircraft to obtain an indication of the appropriate level of requirements which should be applied. The most significant feature of the proposal is that it relies on a comparison with existing conventional aircraft design requirements which contribute to a currently accepted level of safety, and avoids controversial assumptions about future contributions to that level of safety from operational, environmental or design factors.
COMPARISON CRITERIA
The capability of a vehicle to harm any third parties is broadly proportional to its kinetic energy on impact. For the purposes of the comparison method it is assumed that there are only two kinds of impact: either the impact arises as a result of an attempted emergency landing under control, or it results from complete loss of control. More precisely, the two impact scenarios are defined as:
1. Unpremeditated Descent Scenario - A failure (or a combination of failures) occurs which results in the inability to maintain a safe altitude above the surface (e.g. loss of power, WAT limits etc).

2. Loss of Control Scenario - A failure (or a combination of failures) which results in loss of control and may lead to an impact at high velocity.
Unpremeditated Descent Scenario:
For many air vehicles the likelihood of the unpremeditated descent will be dominated by the reliability of the propulsion systems. For the calculation of kinetic energy at impact, the mass is the maximum take-off mass and the velocity used is the (engine-off) approach velocity, i.e.:
For aeroplanes V = 1.3 X Stalling Speed (Landing configuration, MTOW)
For Rotorcraft V = Scalar value of the auto-rotation velocity vector,
For Airships/Balloons V = The combination of the terminal velocity resulting from the static heaviness, and the probable wind velocity.
Loss of Control Scenario:
For the calculation of kinetic energy at impact for the loss of control case, the mass is the maximum take-off mass and the velocity used is the probable terminal velocity, i.e.:
For aeroplanes V = 1.4 X Vmo (the maximum operating speed)
For Rotorcraft V = Terminal velocity with rotors stationary.
For Airships/Balloons V = Terminal velocity with the envelope ruptured or deflated to the extent that no lifting medium remains.
For each scenario the kinetic energy has been calculated for a selection of 28 different civil aircraft (21 aeroplanes and 7 rotorcraft). The results are shown in Figures [B-1] and [B-2]. On each Figure the "applicability region" for each of the existing aeroplane and rotorcraft codes is shown. These regions have been established using practical constraints based upon the sample of the existing fleet, plus any weight and speed limitations specified in the applicability criteria of the codes of airworthiness requirements.
METHOD OF COMPARISON
To obtain the indication of the level of requirements appropriate to a novel kind of aircraft, the following steps are carried out:
1. Calculate the kinetic energy of the new aircraft for each scenario.

2. Using these values and Figures [B-1] and [B-2] separately, determine the appropriate code to be applied with the intent of preventing the occurrence of each scenario, i.e.:

   Figure [B-1] will provide an indication of the standards to be applied to any feature of the design whose failure would affect the ability to maintain safe altitude above the surface.

   Figure [B-2] will provide an indication of the standards to be applied to any feature of the design whose failure would affect the ability to maintain control (particularly rate of descent). Clearly, this must include primary structure.

   If it is found that the aircraft fits within the region for more than one code then this would indicate that it may be appropriate to apply a combination of standards (e.g. JAR-25 with reversions to JAR-23 in some areas, or JAR-23 with Special Conditions taken from JAR-25).

3. Construct a certification basis which addresses the same aspects of the design as the existing codes and to the level indicated by the kinetic energy comparison. Clearly, Special Conditions will need to be considered for any novel features of the design not addressed by the existing codes. However, the extent of such special conditions should be comparable with the general level of airworthiness identified.

Note: In addition, operational requirements may dictate the inclusion of particular design features which may in turn necessitate the inclusion of additional certification requirements. For example, the Rules of the Air specify that an aircraft operating over a congested area must be able to maintain a safe altitude following the failure of one power unit.
WORKED EXAMPLES
Application to Global Hawk
Global Hawk is a High Altitude Long Endurance (HALE) UAV produced by Northrop Grumman in the USA with a primary role of reconnaissance/surveillance. Global Hawk is powered by a single turbofan engine. Its estimated characteristics are: a gross weight of 25,600 lbs (11,600 kg), a maximum operating speed (VMO) of 345 kts and a stall speed (VS) of 95 kts. Using these parameters gives energy levels of 0.177 (unpremeditated descent scenario) and 3.53 (loss of control). These are illustrated in Figures [B-1 & B-2] and indicate that JAR-25 standards are applicable throughout.
Application to Predator
The RQ-1A Predator UAV from General Atomics is a Medium Altitude Long Endurance (MALE) UAV which has seen extensive operational experience within the military. Powered by a single piston engine, the estimated parameters for Predator are: MTOW of 1,900 lbs (855 kg), Vmo of 120 kts and Vs in the region of 56 kts. For the "unpremeditated descent" scenario, this equates to energy levels of 0.0046 (JAR-23 single-engine) and for the "loss of control" scenario 0.024 (JAR-23 single-engine). The certification basis for the Predator would therefore be JAR-23.
Application to Hunter
Hunter from IAI is a short range UAV which was/is operated by the armies of the USA, Israel, Belgium and France. The Hunter comes in both standard and endurance versions and is powered by 2 Moto Guzzi engines. The two versions of the aircraft have gross weights of 726 kg and 952 kg respectively. The values for each version and each scenario are shown in Figures [B-1 and B-2]. Although there is a small overlap with JAR-VLA in one case, it can be seen that the guideline standard is JAR-23 for both versions of the aircraft.
Application to StratSat
StratSat is an unmanned communications airship intended for long duration missions stationed above population centres. For this aircraft the "unpremeditated descent" analysis indicates that a standard equivalent to JAR-23 as applied to single-engine aeroplanes would be appropriate. This is convenient as the existing UK requirements for airships, BCAR Section Q, provide a standard which is equivalent to JAR-23. The "loss of control descent" analysis indicates that standards equivalent to a combination of JAR-25 and JAR-23 Commuter Category should be applied to reduce the probability of such an event. Thus the basis for civil certification of this aircraft should be BCAR Section Q supplemented as necessary by requirements from JAR-25 and JAR-23 Commuter.
CONCLUSIONS
A method of comparing novel aircraft with existing manned aircraft is presented, together with examples of its application to specific UAV projects. It is appreciated that no simple method can give a complete answer to the definition of the certification bases, and the conventional processes using judgement and debate will still be required. However, the method presented provides a useful tool for anticipating the general level of airworthiness requirements to be set.
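The kinetic-energy comparison in the extract reduces to a small calculation, given here as an added example (the editor's code, not the CAA's, and not part of the extract or of the report). It applies the aeroplane speed rules from the extract (V = 1.3 x Vs for the unpremeditated descent, V = 1.4 x Vmo for loss of control) to the Global Hawk and Predator parameters quoted above and to the Guard Dog case-study vehicle of Annex C (500 kg MTOW, 40 kts stall; its 100 kts maximum speed is taken as Vmo, which is an assumption), reporting energies in megajoules. The extract's own values (0.177, 3.53, 0.0046, 0.024) are read from Figures B-1 and B-2 in units the extract does not state, so they are not reproduced here, and the 'applicability regions' needed for step 2 are not on the page either: `PLACEHOLDER_REGIONS` is an invented band set that only shows how an energy maps to one code or, where regions overlap, to more than one.

```python
"""Added example: the CAA kinetic-energy comparison for a novel aircraft,
aeroplane speed rules only. Editor's code, not the CAA's or the report's."""
from dataclasses import dataclass
from typing import List, Tuple

KTS_TO_MS = 0.514444  # international knot -> metres per second


@dataclass(frozen=True)
class Aeroplane:
    name: str
    mtow_kg: float
    v_stall_kts: float  # stalling speed, landing configuration, at MTOW
    v_mo_kts: float     # maximum operating speed


def kinetic_energy_mj(mass_kg: float, speed_kts: float) -> float:
    """0.5 m v^2 with v converted from knots, returned in megajoules."""
    v = speed_kts * KTS_TO_MS
    return 0.5 * mass_kg * v * v / 1e6


def impact_energies(ac: Aeroplane) -> Tuple[float, float]:
    """Step 1 of the method: (unpremeditated descent, loss of control) impact
    energies in MJ, using V = 1.3 Vs and V = 1.4 Vmo respectively."""
    descent = kinetic_energy_mj(ac.mtow_kg, 1.3 * ac.v_stall_kts)
    loss_of_control = kinetic_energy_mj(ac.mtow_kg, 1.4 * ac.v_mo_kts)
    return descent, loss_of_control


def energy_ratio(ac: Aeroplane) -> float:
    """Loss-of-control to descent energy ratio. Mass cancels, so it equals
    (1.4 Vmo / 1.3 Vs)^2 and depends only on the speed envelope."""
    return (1.4 * ac.v_mo_kts / (1.3 * ac.v_stall_kts)) ** 2


def codes_for_energy(energy_mj: float,
                     regions: List[Tuple[str, float, float]]) -> List[str]:
    """Step 2: every code whose applicability region (code, low, high), in MJ,
    contains the energy. More than one match is the extract's overlap case,
    where a combination of standards may be appropriate."""
    return [code for code, low, high in regions if low <= energy_mj <= high]


# Inputs quoted in the extract (Global Hawk, Predator) and in Annex C
# (Guard Dog; its 100 kts maximum speed is taken as Vmo, an assumption).
GLOBAL_HAWK = Aeroplane("Global Hawk", 11600, 95, 345)
PREDATOR = Aeroplane("RQ-1A Predator", 855, 56, 120)
GUARD_DOG = Aeroplane("Guard Dog (case study)", 500, 40, 100)

# PLACEHOLDER regions, invented to exercise codes_for_energy(). The real
# regions are the shaded areas of Figures B-1 and B-2, not given on the page.
PLACEHOLDER_REGIONS = [
    ("CODE-A", 0.0, 0.3),
    ("CODE-B", 0.2, 5.0),
    ("CODE-C", 4.0, 1000.0),
]

if __name__ == "__main__":
    for ac in (GLOBAL_HAWK, PREDATOR, GUARD_DOG):
        descent, loc = impact_energies(ac)
        print(f"{ac.name:24s} descent {descent:9.3f} MJ  "
              f"loss of control {loc:9.3f} MJ  ratio {energy_ratio(ac):6.1f}")
    print("Codes for 4.5 MJ (overlap):", codes_for_energy(4.5, PLACEHOLDER_REGIONS))
```

The ratio function makes one point of the method visible: for a given airframe the loss-of-control energy exceeds the descent energy by a factor set purely by the speed envelope, so the two scenarios can land in different applicability regions and hence call for different codes, as the StratSat case above shows.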
[Velocity = 1.3 x Vstall]
Figure B-1 – Unpremeditated Descent Scenario
[Velocity = 1.4 x Vmax operating]
Figure B-2 – Loss of Control Scenario
ANNEX C
'GUARD DOG' - GENERIC TUAV CASE STUDY
This annex provides the system overview and operational background for the Guard Dog case study. Appendices C1 and C2 provide two potential operational routes for the system, in order to exercise its integration with airfields, terrain and airspace.
SYSTEM DESCRIPTION
Overview:
The Guard Dog UAV system is intended to provide imagery and intelligence (as well as target designation) for land and sea commanders, across the spectrum of conflict: Intelligence, Surveillance, Target Acquisition and Reconnaissance (ISTAR).
Figure C-1 – Overview of Guard Dog Case Study
The system comprises: the Unmanned Air Vehicles (UAV); the Ground Control Station(s) (GCS); the Tactical Units (TacU) positioned with field commanders; and the Field Teams for take-off and recovery other than from prepared airfields.
The system interfaces (on a mission basis) with the battlefield network provided through Network Enabled Capability (NEC). Other interfaces are envisioned to deal with training operations in a peacetime, civilian environment!
In operational use, the system will operate under military jurisdiction within the battle-space. However, to facilitate peacetime training, the system will need to be able to operate in Class F & G civilian airspace (uncontrolled airspace – a Group 3 UAV iaw CAP722 [CAA04]). It is not intended to operate in Class A-E airspace (controlled airspace – Group 4 and 5 UAVs, requiring an extensive equipment list to be compliant).
Unmanned Air Vehicle:
KEY PARAMETERS

Wingspan: 10 m
MTOW: 500 kg
Speed: Max 100 kts; Cruise 70 kts; Stall 40 kts
Rate of Climb: 900 fpm
Altitude: Max 20,000 ft; Operating 10-18,000 ft
Endurance: 20 hrs
Take-off / Landing (TO/L): Conventional - short prepared strip or airfield, using wheeled undercarriage; Field - Robonic launcher (pneumatic ramp) / prepared strip
Engine: 1 x 50 HP petrol, driving fixed 2-blade prop
EQUIPMENT

Actuation: Redundancy of cabling and actuators
Power Supply: Redundancy in case of single failure; and reserve (battery) power in event of engine failure
Data-link: LOS - dual redundant TCDL, controllable from any GCS; relay for onward Tx / Rx to other UAV; [option for satellite link, but key cost / weight driver]
Navigation: Dual Global Positioning System (GPS) receivers
Controller: High integrity, dual redundant; pre-programmable for autonomous mission; re-directable by operator from ground
Sensors: Variable EO/SAR/ESM
Automatic TO/L (ATO/L): Using GPS from satellite and Differential GPS (DGPS) error correction signal from ground station
Target Designation: Laser
Flight Termination?: Emergency Recovery Capability [iaw UTF04]
Collision Avoidance: Air - Sense & Avoid system [TBD] (non-cooperative) [TCAS not included on grounds of weight and no intent of using controlled airspace]; Ground - DTED used for mission planning; RadAlt on board
ATC Systems: Mode S Transponder (for position on RADAR); twin V/UHF radio for voice comms relay to GCS
Ground Control Station:

Dual redundant operator consoles, providing:

• Mission planning

• Payload control, data analysis and NEC distribution

• Pilot control (to redirect autonomous mission / take manual command)

• GCS can hand over control to any other GCS

• GCS can control up to 3 UAVs

Tactical Common Data-Link (TCDL):

• Payload data downlink; telemetry downlink; command & control uplink

• Line-of-Sight (LOS) - range 200 km; 10.7 Mbps payload data, 200 kbps command link

• Dual redundant

• Option for satellite link for Beyond LOS (BLOS)

• Data link can be relayed to a UAV beyond LOS range by another UAV

TacU:

• Positioned with field commanders, can obtain payload data direct from UAV

• Limited control of UAV payload sensors, to optimise data collection

Field Recovery Team:

For deployed operations, UAV can be launched from pneumatic launcher and recovered onto flat ground / prepared strip, hence avoiding need for formal airfield.
Operational Scenario
• Tactical UAV to be launched from a 'UAV friendly' civil airfield such as that at Parc Aberporth, but not with the intention of using the oversea range nearby.

• Instead, TUAV turns inland, and follows a specified route overland from Aberporth, to exercise the system / operators in navigation over representative distances.

• The route leads out to a land range such as Spadeadam, where the system / operators exercise the sensor & information gathering capabilities.
• The TUAV then returns via the same (or a different) route, to re-enter the controlled airspace at Parc Aberporth.

• Potentially, a number of TUAVs could be operated in parallel / series, to simulate the near-continuous operational tempo situation.
Alternative Operational Scenarios
• GCS has to control a second UAV, on station to relay TCDL to reach sensor UAV
• Initial GCS hands over control to a second GCS for furthest part of the mission
• GCS has to relay TCDL via satellite to reach sensor UAV
[Emergency conditions and configurations]
• Loss of GPS / drift in GPS accuracy
• Loss of TCDL
• Weather effects – cloud / precipitation / lightning
• Diversion (for propulsion / non-propulsion failures; weather conditions etc)
• Incursion of GA aircraft
APPENDIX C1GUARD DOG MISSION SCENARIO (COASTAL ROUTE)
Figure C1-1 Flight Plan – Westerly Route (to maximize over-water flight)
8/8/2019 Hazards of Uav
http://slidepdf.com/reader/full/hazards-of-uav 120/169
C-7
APPENDIX C2GUARD DOG MISSION SCENARIO (INLAND ROUTE)
Figure C2-1 - Flight Plan – Easterly Route (to maximise overland / ATC interaction
8/8/2019 Hazards of Uav
http://slidepdf.com/reader/full/hazards-of-uav 121/169
D-1
ANNEX DFHA FOR 'GUARD DOG' TUAV SYSTEM (EXTRACTS)
'GUARD DOG' UAVS FUNCTIONAL HAZARD ANALYSIS
FHA conducted to ARP 4761, with the UAVS modifications described in report section 2.
CONTENTS OF ANNEX D
System Description ... D-2
Safety Criteria ... D-3
  Airworthiness Safety Criteria and objectives ... D-3
  ATM Separation / Collision based safety Objectives ... D-4
System Context [In Accordance with report section 2.2.2] ... D-5
Derivation of Functions ... D-6
  Flight Phases ... D-6
  Environment List ... D-6
  Emergency Configurations List ... D-7
  System interactions view [See Individual function maps for each system element] – Derived from initial design assumptions over system elements and interactions ... D-9
Failure Analysis ... D-18
Effects Consideration ... D-30
  Scenarios for Effects Consideration ... D-39
SYSTEM DESCRIPTION
[See Guard Dog Case Study document]
SAFETY CRITERIA [Drawn from method at report section 2.2.1]

Airworthiness Safety Criteria and objectives

• Minor - Slight reduction in safety margins (e.g. loss of redundancy)
• Major - Significant reduction in safety margins (e.g., total loss of communication with autonomous flight and landing on a predefined emergency site)
• Severe Major / Hazardous - Controlled loss of the UAV over an unpopulated emergency site, using Emergency Recovery procedures where required.
• Catastrophic - UAV's inability to continue controlled flight and reach any predefined landing site
Table D(i) - Airworthiness Failure Condition Severities (from Table 2.2.1(i))

Safety Objectives: A 500 kg UAV, powered by a Single Reciprocating Engine, with stalling speed (Vs) of 40 kts and maximum operating speed (Vmo) of 100 kts, is indicated as Class I using both the CAA kinetic energy criteria from Annex B of the report and the established definition of Class I aircraft from CS.23.1309.

| Category of Aircraft | Minor | Major | Hazardous | Catastrophic |
| CS.23.1309 Class I: Single Reciprocating Engine (SRE) / under 6000 lb | < 10^-3 per op hr | < 10^-4 per op hr | < 10^-5 per op hr | < 10^-6 per op hr |
Table D(ii) - Airworthiness Safety Objectives (Severity of Outcome against Category of Aircraft)
ATM Separation / Collision based safety Objectives [Drawn from Table 2.2.1(ii)]

Severity 5 - No Immediate Effect on Safety
• No hazardous condition i.e. no immediate direct or indirect impact on the operations

Severity 4 - Minor Incidents
• Increasing workload of the air traffic controller or [UAVS] crew, or slightly degrading the functional capability of the enabling CNS System.
• Minor reduction (e.g., a separation of more than half the separation minima) in separation with [UAVS] crew or ATC controlling the situation and fully able to recover from the situation.

Severity 3 - Significant Incidents
• Large reduction (e.g., a separation of less than half the separation minima) in separation with [UAVS] crew or ATC controlling the situation and able to recover from the situation.
• Minor reduction (e.g., a separation of more than half the separation minima) in separation without [UAVS] crew or ATC fully controlling the situation, hence jeopardising the ability to recover from the situation (without the use of collision or terrain avoidance manoeuvres).

Severity 2 - Major Incidents
• Large reduction in separation (e.g., a separation of less than half the separation minima), without [UAVS] crew or ATC fully controlling the situation or able to recover from the situation.
• One or more aircraft deviating from their intended clearance, so that abrupt manoeuvre is required to avoid collision with another aircraft or with terrain (or when an avoidance action would be appropriate).

Severity 1 - Accidents
• One or more catastrophic accidents
• One or more mid-air collisions
• One or more collisions on the ground between two aircraft
• One or more Controlled Flight Into Terrain
• Total loss of flight control.
• No independent source of recovery mechanism, such as surveillance or ATC and/or [UAVS] crew procedures, can reasonably be expected to prevent the accident(s).
Table D(iii) – ATM Separation / Collision Safety objectives

ATM separation / collision based safety objectives will not change with the class of vehicle. The acceptable probability of a Severity 1 accident remains fixed by ESARR 4 [EUR04] at 1.55 x 10^-8 per flight hour.
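The tables above give the numbers a failure-condition assessment is checked against. The Python below is an added worked example, not part of the thesis or of the Guard Dog design: it encodes the Table D(ii) Class I objectives and the ESARR 4 Severity 1 target quoted above, and checks the "total loss of communication" failure condition (classed Major in Table D(i)) for the dual-redundant TCDL. The per-channel failure rate (1e-3 per hour) and the beta common-cause fraction are assumed figures for illustration; the 20-hour mission length is taken from the 15-20 hr on-station time given in the environment list of this annex.

```python
"""Airworthiness safety-objective check for a CS.23.1309 Class I UAV.

Added example, not from the thesis. Objectives are those of Table D(ii);
the ESARR 4 figure is the one quoted in Annex D. Channel failure rate and
beta factor are assumptions, not Guard Dog system data.
"""
from dataclasses import dataclass

# Table D(ii): Class I (SRE, under 6000 lb) objectives, per operating hour
CLASS_I_OBJECTIVES = {
    "Minor": 1e-3,
    "Major": 1e-4,
    "Hazardous": 1e-5,
    "Catastrophic": 1e-6,
}
# ESARR 4 Severity 1 (accident) target quoted in Annex D, per flight hour
ESARR4_SEVERITY_1 = 1.55e-8


def dual_channel_loss_rate(channel_rate, beta, mission_hours):
    """Approximate per-hour rate of losing BOTH channels of a dual-redundant
    link during a mission of `mission_hours` with no in-flight repair.

    channel_rate: failure rate of one channel, per hour (assumed figure)
    beta:         common-cause fraction, beta-factor model (assumed figure)
    """
    independent = (1.0 - beta) * channel_rate
    # Two independent channels both failing somewhere in T hours:
    # (1 - exp(-lambda*T))^2 ~ (lambda*T)^2 for small lambda*T; dividing by T
    # expresses it as an average per-hour rate over the mission.
    double = (independent * mission_hours) ** 2 / mission_hours
    common_cause = beta * channel_rate      # both channels lost by one cause
    return double + common_cause


@dataclass
class Assessment:
    failure_condition: str
    severity: str
    rate_per_hour: float
    objective: float

    @property
    def meets_objective(self):
        return self.rate_per_hour < self.objective


def assess(failure_condition, severity, rate_per_hour):
    """Look up the Class I objective for `severity` and compare the rate to it."""
    if severity not in CLASS_I_OBJECTIVES:
        raise ValueError(f"unknown severity {severity!r}")
    return Assessment(failure_condition, severity, rate_per_hour,
                      CLASS_I_OBJECTIVES[severity])


def assess_total_datalink_loss(channel_rate, beta, mission_hours):
    # Table D(i) classes total loss of communication with autonomous flight and
    # landing on a predefined emergency site as Major.
    return assess("Total loss of TCDL (both channels)", "Major",
                  dual_channel_loss_rate(channel_rate, beta, mission_hours))


if __name__ == "__main__":
    for beta in (0.0, 0.05, 0.10):
        a = assess_total_datalink_loss(channel_rate=1e-3, beta=beta, mission_hours=20)
        print(f"beta={beta:.2f}: {a.rate_per_hour:.2e}/hr vs <{a.objective:.0e}/hr -> "
              f"{'meets' if a.meets_objective else 'FAILS'} {a.severity} objective")
```

The point of the beta term: with fully independent channels the double-failure rate is about 2 x 10^-5 per hour and the Major objective looks comfortably met, but a 10% common-cause fraction alone contributes 1 x 10^-4 per hour and the objective is missed. A claim of "dual redundant" therefore needs an argued common-cause figure (shared antenna, power supply, software, or a single jamming source) before it can be credited against the objective.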
SYSTEM CONTEXT [IN ACCORDANCE WITH REPORT SECTION 2.2.2]

Figure D-1 Rich Context Diagram for Guard Dog UAVS and the System of Systems around it
DERIVATION OF FUNCTIONS
Flight Phases
• Pre-flight
• Taxiing
• Take-off – from airfield
• Transit
• On Task – using sensor payload
• Approach
• Landing – at airfield
Alternative Phases:
• Take off – ramp launch from field
• On task – on station to relay TCDL to reach sensor UAV
• Hand over – Initial GCS hands over control to a second GCS
• Transit with satellite link – GCS has to relay TCDL via satellite to reach sensor UAV.
• Landing – rough field
Environment List
a. Weather aspects
(i) Temperature +55 / -45°C (with altitude)
(ii) Altitude Sea Level / 20,000ft
(iii) Rain, hail, snow, sand, dust
(iv) icing accretion after take off (de-icing before)
(v) lightning
(vi) Visibility - intended to be VMC (i.e. before take-off), occasional IMC onset during mission
(vii) Wind-speeds usually temperate (to 30kts intended for launch & landing), but up to 100kts onset in extremis.
b. Overflown terrain aspects
(i) Oversea – sea state flat to mountainous
(ii) Overland covering worldwide extremes – flat lands, swamps, desert, jungle, mountainous, urban areas (operationally, not intentionally in training).
(iii) Sensor performance ensures no need to operate below 1000ft AGL.
(iv) Obstructions include masts, wind farms, gas platforms, pylons and cables…
c. Electrical environment
(i) Operationally, in high RF environment of battlefield
(ii) In training, in busy UHF/VHF communications environment (see Air Traffic below), and with several identified HF/VHF/UHF/millimetric HIRTAs in the locality
d. Mission environment
(i) Includes day or night usage
(ii) Potential for crew changeover due to extended 'on station' times (15-20 hrs total flight time)
(iii) Potential for non-aircrew personnel to operate the system directly, under a certified pilot-in-command as supervisor
e. Air traffic environment
(i) Primarily, flight within general airspace (Class F&G)
(ii) Over several military Areas of Intense Aerial Activity (AIAA) – occasionally entering AIAA (with permission) to facilitate routing around more stringent airspace (such as TMA, CTA)
(iii) Under / next to Airways
(iv) Close to Terminal Manoeuvring Areas (TMA) at airway intersections near major airports, and under the Control Area (CTA) for major airports
(v) Into civil and military airfields with UAV clearance
(vi) Into military Danger Areas to exercise sensors
Emergency Configurations List
Single failure of the UAV communication link, and/or control link
Operation of Flight Termination System (None fitted ) - Instead, conduct of Emergency
Recovery Procedures due to loss of critical system(s) - With UAV-p control; Without UAV-p control (i.e. autonomous)
Emergency landing due to loss of thrust
Collision avoidance with co-operative and non-cooperative aircraft - Including evasive manoeuvre
Terrain avoidance
Interception by military aircraft
Failure of onboard Sense and Avoid equipment
Operation with degraded systems
Degradation of weather conditions
Security threats to upload data, commands and transmissions
PLUS: Loss of GPS / drift in GPS accuracy
[As part of defining the emergency configurations, and identifying related functions, it was found necessary to define some outline Emergency Recovery Procedures, as shown in Figure D-2 below.]
Figure D-2 - Outline Emergency Recovery Procedures (flowchart). Elements shown:
Starting state: NORMAL FLIGHT
Triggering failures: DATALINK Signal Loss; DATALINK System Fail (single); DATALINK System Fail (total); FLIGHT CRITICAL SYSTEMS Single (Redundant) Failure; FLIGHT CRITICAL SYSTEM Total Fail; COMMUNICATIONS Failure; GROUND CONTROL Failure; COLLISION AVOIDANCE Failure; AIR NAVIGATION Failure (inc. height, speed, position & route control)
Decision points (YES / NO): Regain D/L Signal?; External Nav Assistance?; Able to Maintain Safe Altitude?
Actions: Determine best diversion and ID between GCS and UAV (may be home or destination); Maintain flight path over 'safe' terrain and airspace; Hold; DIVERT to identified diversion airfield; Broadcast Control Datalink Fail; Broadcast Collision Avoidance fail; Broadcast Mayday & EMERGENCY LANDING; STOP & Broadcast
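To make the outline procedure above testable, the Python below is an added state machine, example code rather than anything from the thesis. It treats the figure's failure boxes as events and its action boxes as outputs. The transitions are one reading of the figure's node labels, since the arrows are not reproduced here; the 60-second lost-link hold limit, the pre-agreed diversion airfield and the two yes/no flags in Context are assumptions.

```python
"""Added example: the Figure D-2 recovery procedure as an event-driven state
machine. Transitions are an interpretation of the figure's node labels; hold
limit, diversion airfield and the Context flags are assumed values."""
from dataclasses import dataclass, field
from enum import Enum, auto


class State(Enum):
    NORMAL_FLIGHT = auto()
    HOLD_AWAITING_LINK = auto()   # "Hold" while trying to regain D/L signal
    HOLD_SAFE_AREA = auto()       # "Maintain flight path over 'safe' terrain and airspace"
    DIVERTING = auto()            # "DIVERT to identified diversion airfield"
    EMERGENCY_LANDING = auto()    # "Broadcast Mayday & EMERGENCY LANDING"
    STOPPED_ON_GROUND = auto()    # "STOP & Broadcast"


class Event(Enum):
    DATALINK_SIGNAL_LOSS = auto()
    DATALINK_SIGNAL_REGAINED = auto()
    DATALINK_SYSTEM_FAIL_SINGLE = auto()
    DATALINK_SYSTEM_FAIL_TOTAL = auto()
    FLIGHT_CRITICAL_SINGLE_FAIL = auto()
    FLIGHT_CRITICAL_TOTAL_FAIL = auto()
    COMMUNICATIONS_FAIL = auto()
    COLLISION_AVOIDANCE_FAIL = auto()
    AIR_NAVIGATION_FAIL = auto()
    GROUND_CONTROL_FAIL = auto()
    TICK = auto()                 # one second elapsed with no new failure


@dataclass
class Context:
    """Onboard knowledge the procedure needs; values constructed for the example."""
    diversion_airfield: str = "home airfield"   # agreed between GCS and UAV pre-flight
    external_nav_assistance: bool = False
    can_maintain_safe_altitude: bool = True
    lost_link_hold_seconds: int = 60            # assumed hold limit before escalation


@dataclass
class Recovery:
    ctx: Context
    state: State = State.NORMAL_FLIGHT
    hold_elapsed: int = 0
    actions: list = field(default_factory=list)

    def _divert(self, reason):
        self.actions.append(f"DIVERT to {self.ctx.diversion_airfield} ({reason})")
        self.state = State.DIVERTING

    def _total_datalink_fail(self):
        # No link left: the UAV acts alone, on the diversion agreed before the loss.
        self.actions.append("Broadcast Control Datalink Fail")
        self._divert("autonomous, control datalink lost")

    def _emergency_landing(self):
        self.actions.append("Broadcast Mayday & EMERGENCY LANDING")
        self.state = State.EMERGENCY_LANDING

    def handle(self, event):
        s = self.state
        if s in (State.EMERGENCY_LANDING, State.STOPPED_ON_GROUND):
            return s                                   # terminal states
        if event is Event.TICK:
            if s is State.HOLD_AWAITING_LINK:
                self.hold_elapsed += 1
                if self.hold_elapsed >= self.ctx.lost_link_hold_seconds:
                    self._total_datalink_fail()       # "Regain D/L Signal?" answered NO
        elif event is Event.DATALINK_SIGNAL_LOSS and s is State.NORMAL_FLIGHT:
            self.actions.append("Hold, attempt to regain D/L signal")
            self.state, self.hold_elapsed = State.HOLD_AWAITING_LINK, 0
        elif event is Event.DATALINK_SIGNAL_REGAINED and s is State.HOLD_AWAITING_LINK:
            self.actions.append("Resume normal flight")   # "Regain D/L Signal?" answered YES
            self.state = State.NORMAL_FLIGHT
        elif event is Event.DATALINK_SYSTEM_FAIL_TOTAL:
            self._total_datalink_fail()
        elif event in (Event.DATALINK_SYSTEM_FAIL_SINGLE,
                       Event.FLIGHT_CRITICAL_SINGLE_FAIL, Event.COMMUNICATIONS_FAIL):
            self._divert(f"single / redundant failure: {event.name}")
        elif event is Event.COLLISION_AVOIDANCE_FAIL:
            self.actions.append("Broadcast Collision Avoidance fail")
            self._divert("collision avoidance unavailable")
        elif event is Event.AIR_NAVIGATION_FAIL:
            if self.ctx.external_nav_assistance:
                self._divert("air navigation failure, external nav assistance available")
            elif self.ctx.can_maintain_safe_altitude:
                self.actions.append("Maintain flight path over 'safe' terrain and airspace")
                self.state = State.HOLD_SAFE_AREA
            else:
                self._emergency_landing()
        elif event is Event.FLIGHT_CRITICAL_TOTAL_FAIL:
            self._emergency_landing()
        elif event is Event.GROUND_CONTROL_FAIL:
            self.actions.append("STOP & Broadcast")
            self.state = State.STOPPED_ON_GROUND
        return self.state


def run(events, ctx=None):
    """Feed a sequence of events through the procedure; return the Recovery object."""
    r = Recovery(ctx or Context())
    for e in events:
        r.handle(e)
    return r
```

Two points a reviewer would check against logic of this kind: the "Regain D/L Signal?" loop escalates into an autonomous divert, which is exactly the outcome a jammer (the "Break Data Link" threat in Table D(v)) can force, so the hold limit and the diversion airfield must be fixed on board before the loss and must not be alterable over the link that has just been lost; and the terminal states refuse further events, so a later single failure cannot downgrade an emergency landing already in progress.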
System interactions view [See individual function maps for each system element] – Derived from initial design assumptions over system elements and interactions

UAV Centred view – top-level functions: Manage Datalink; Auto T/O & Land; UAV Stability & Control; Air navigation; Control on Ground; Manage Payload; Monitor mission progress; Manage Flight Systems.
Sub-functions shown: Determine Altitude, Orientation & Speed; Stabilise perturbations; Manoeuvre UAV; Manual Override - remote piloting; Ramp T/O - Launch control; Relay D/L to other UAV; Control handover between GCSs; Sensor control; Payload data download; Determine systems status; Telemeter UAV parameters; Redundant systems control?; Degraded systems emergency actions?; Determine T/O, climb out, approach, land profiles; High accuracy position, hdg, alt awareness; High accuracy monitor / correct position, hdg, alt; Control Flight Path; Position, heading & Altitude awareness; Store / update Mission Route; Monitor / correct actual v planned route; Determine position; Determine accuracy; Control position on the ground; Control speed on the ground; Determine Air / Ground transition; Determine Ground obstacles; Determine ground speed; Ground thrust control; Ground braking; Monitor / correct actual v planned ground route; Ground steering; Determine actual ground location & heading.
Figure D-3a – UAV Centred view of functions

GCS Centred view (GCS, with NEC interface) – top-level functions: Mission Planning; Monitor Mission Progress; Manage Payload; Manage Data Link.
Sub-functions shown: Plan Route; Upload Mission Plan; Control UAV?; Change Mission Plan; Manual Override - remote piloting; Status of UAV; Actual path v mission route; Direct sensors; Download payload data; Distribute payload data; Prioritise sensor / data requests from Users; Control Datalink Path (via next GCS? Via Satellite? Via UAV Relay?); Monitor Data link condition; D/L Fail Emergency Action.
Figure D-3b – GCS centred view of functions

TACU Centred view (NEC interface): Sensor / Data requests; Data download / storage; Distribute payload data.
Field Recovery / Launch Unit Centred view: Pre Flight preparations; Refuel / recharge consumables; Preflight test; Launch UAV; Locate UAV.
Figure D-3c – TACU and Field Recovery / Launch Unit centred views of functions
Flight Phases view
[Additional possible functions derived from mission phases – merged with functions from the system interactions view].
| Mission Phase | System Function (1st Level) | (2nd Level?) |
| Pre-flight | System Test; Load Mission Plan | |
| Taxiing | Controlled Taxiing | Ground obstacle sensing?; Airfield pattern awareness; Correct steering to planned layout |
| Take-off | Airfield Take-Off [Auto / Manual?] | Climb-out profile; Position & Direction Sensing Accuracy; Collision Avoidance; Terrain Avoidance |
| | Field Take-Off | Launch control; Climb-out |
| Transit | | Position & Direction Sensing accuracy - normal; Collision Avoidance; Terrain Avoidance; Monitor weather for changes |
| On Task (As Transit +) | Relay TCDL [when acting as airborne relay for 2nd UAV]; Handover between GCSs | |
| Approach (As Transit +) | Approach Control | Determine wind speed & direction; Determine landing strip direction; Determine circuit height & direction; Determine glide-slope pattern; Fly pattern (correct v planned pattern) |
| Landing (As Transit +) | Controlled Landing | Detect air / ground transition |
Table D(iv) – Flight phases view of functions
External context view
[Derived from external rich context diagram interactions]
UAVS Interacts with…

| Agent | Nature of Interaction | Additional Derived Function? |
| Airfield | Airfield ATC instruction > | Understand / reply to airfield ATC - Voice |
| | Airfield ATC Visual Signals > | Observe / respect airfield visual signals |
| | Airfield layout for taxiing > | [3.2.3] |
| | Airfield Runway profile / Take Off > | [2.4.1] |
| | Airfield Climb out profile / obstacle clearance > | [2.4.1] |
| | Approach and Hold procedures > | [2.4.3] |
| | Airfield Circuit direction / procedures > | [2.4.3] |
| | Airfield Runway / arrestor layout / Land and recover > | [2.4.5] [3.2] |
| | Airfield RF systems Interoperability > | [Characteristic of system – Non Functional Req't] |
| ATM En-Route | < Communication > | Understand / reply to En Route ATC – Voice, Digital |
| | Track UAV > | Provide tracking signal |
| | < Comply with advice | Comply with ATC – confirm, act |
| | < Select appropriate radio frequency | Manage ATC Frequency Selection |
| ISTAR Data Users | < Direct Payload data feed | [5] |
| | < NEC data feed | [5] |
| | Data requests > | [5] |
| Malicious Threats | < Break Data Link | D/L Anti jamming |
| | < Steal Data Link | Verify / encrypt D/L |
| | < Hack GCS via NEC – affect mission planning; planning source data; output payload data | Defend / verify mission plan, planning data, output data |
| Mission Target | < Identify target | ID Target |
| | < Gather reconnaissance data | Gather recce data |
| | < Designate target for attack | Designate target |
| HIRF Sources | Direct EM Interference with UAVS > | [Non Functional Requirement]; Mission planning – awareness of HIRF locations |
| | Noise affects LOS Command Link signal strength > | |
| Non-Cooperative Air Traffic (Class F-G Airspace) | < Detect traffic and sense relative track | Collision avoidance – detect traffic – non co-op; co-op. Determine traffic relative track |
| | < Maintain separation (normal action according to Rules of the Air) | Maintain traffic separation (ROA) |
| | < Emergency Collision avoidance (evasion) | Collision Emergency evasion |
| | See and avoid > | Conspicuity to air traffic (visual, RF) |
| Ground Terrain / Obstructions | < Terrain Awareness | Terrain avoidance – terrain awareness |
| | < Route Planning | [add to 8.1] |
| | < Terrain Avoidance (Rules of the Air) | Maintain Terrain separation (ROA); Terrain emergency evasion |
| | LOS calculations > | Monitor Datalink – LOS to terrain (and 8.1 also) |
| Fixed Ground Danger areas / Populated areas | < Awareness | Danger areas / populated areas avoidance - awareness |
| | < Route planning | [add to 8.1] |
| | < Avoid overflight (Rules of the Air) | Maintain danger area / populated area separation (ROA) |
| | Emergency redirection in event of incursion > | Danger area / populated area emergency incursion action |
| Controlled Airspace (Class A-E) | < Awareness | Controlled airspace avoidance - awareness |
| | < Route planning | [add to 8.1] |
| | < Avoid through flight (Rules of the Air) | Maintain controlled airspace separation (ROA) |
| | Emergency redirection in event of incursion > | Controlled airspace emergency incursion action |
| Variable Danger areas (NOTAMS) | < Awareness | NOTAMS avoidance - awareness |
| | < Route planning | [add to 8.1] |
| | < Avoid through flight (Rules of the Air) | Maintain NOTAMS separation (ROA) |
| | Emergency redirection in event of incursion > | NOTAMS emergency incursion action |
| Satellite Data Link (Option) | Availability > | [4, 4.2] |
| | Signal strength > | |
| | Security of extended data link > | [4.x – defend d/l] |
| GNSS | Satellite position and time > | [2.1.1] |
| | Navigation accuracy / errors > | [2.1.1] |
| DGPS Reference Station | DGPS error correction > | [2.4.2] |
| Weather | < Awareness | Manage for Weather – weather conditions awareness – precipitation, icing, lightning, wind speed & direction, visibility [add to 8.1 also] |
| | Modify route > | Assess proximity to route and effect on UAV; Determine separation route |
| | Force diversion for landing > | Determine diversionary airfield; Determine diversionary route |
| | Affect LOS command signal strength > | |
| | < Respect VMC / IMC Flight Rules (Rules of the Air) | (as above) |
| | Gusts > | [1.2] |
| | Precipitation / Icing > | (affects [1], [1.6.2], [4.1.1]) |
| | Lightning > | (Non functional requirement) |
Table D(v) – External interactions and derived UAVS functions
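The Malicious Threats rows above name three defences: D/L anti-jamming, verify / encrypt the data link, and defend / verify the mission plan. The Python below is an added example, not the thesis's design and not any real TCDL implementation, of the second and third of these at the message level: every uplink command carries an HMAC-SHA256 tag over a canonical body, a strictly increasing sequence number and a timestamp, so a captured frame can be neither replayed nor edited; the mission plan is tagged under a separate key with domain separation, and even a plan that verifies is refused if a waypoint lies below the 1000 ft AGL floor stated in the environment list of this annex. The keys, the 5-second clock tolerance and the scenario in demo() are constructed for the example; confidentiality (the "encrypt" half) and anti-jamming are not shown.

```python
"""Added example: authenticated, replay-resistant command uplink and a
verified mission plan. Keys, tolerances and scenario data are constructed
for illustration; this is not the Guard Dog or TCDL protocol."""
import hashlib
import hmac
import json

# Per-mission shared secrets: assumed values, not system data.
UPLINK_KEY = bytes.fromhex("11" * 32)
PLAN_KEY = bytes.fromhex("22" * 32)
TAG_LEN = 32            # SHA-256 HMAC output length
MIN_ALT_FT_AGL = 1000   # environment list: no need to operate below 1000 ft AGL


class Rejected(Exception):
    pass


def _canonical(obj):
    # Deterministic encoding so sender and receiver MAC identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _tag(key, domain, payload):
    # Domain separation: a valid mission-plan tag can never verify as a command tag.
    return hmac.new(key, domain + b"\x00" + payload, hashlib.sha256).digest()


def encode_command(key, seq, t_ms, cmd):
    """GCS side: frame = canonical JSON body || 32-byte HMAC tag."""
    body = _canonical({"seq": seq, "t": t_ms, "cmd": cmd})
    return body + _tag(key, b"uplink-cmd", body)


class UplinkReceiver:
    """UAV side: accepts a command only if authentic, fresh and strictly newer
    than the last accepted one, so a captured frame cannot be replayed."""

    def __init__(self, key, clock_ms, max_skew_ms=5000):
        self.key = key
        self.clock_ms = clock_ms      # callable giving UAV time in ms (constructed clock)
        self.max_skew_ms = max_skew_ms
        self.last_seq = -1
        self.stats = {"accepted": 0, "bad_mac": 0, "replay": 0, "stale": 0}

    def receive(self, frame):
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if len(tag) != TAG_LEN or not hmac.compare_digest(
                tag, _tag(self.key, b"uplink-cmd", body)):
            self.stats["bad_mac"] += 1
            raise Rejected("bad MAC")
        msg = json.loads(body)
        if msg["seq"] <= self.last_seq:
            self.stats["replay"] += 1
            raise Rejected("replayed or out-of-order sequence")
        if abs(self.clock_ms() - msg["t"]) > self.max_skew_ms:
            self.stats["stale"] += 1
            raise Rejected("timestamp outside acceptance window")
        self.last_seq = msg["seq"]
        self.stats["accepted"] += 1
        return msg["cmd"]


def sign_mission_plan(key, plan):
    canonical = _canonical(plan)
    return canonical, _tag(key, b"mission-plan", canonical)


def load_mission_plan(key, canonical, tag):
    """Verify the plan's tag, then apply an independent sanity policy so a
    tampered or hostile-but-correctly-signed route is refused."""
    if not hmac.compare_digest(tag, _tag(key, b"mission-plan", canonical)):
        raise Rejected("mission plan failed integrity check")
    plan = json.loads(canonical)
    for wp in plan["waypoints"]:
        if wp["alt_ft_agl"] < MIN_ALT_FT_AGL:
            raise Rejected(f"waypoint {wp['name']} below {MIN_ALT_FT_AGL} ft AGL floor")
    return plan


def demo():
    """Constructed scenario covering the three Malicious Threats rows."""
    now = {"ms": 1_000_000}
    rx = UplinkReceiver(UPLINK_KEY, lambda: now["ms"])
    genuine = encode_command(UPLINK_KEY, seq=1, t_ms=now["ms"], cmd={"op": "goto", "wp": "WP3"})
    rx.receive(genuine)
    out = {}

    def attempt(label, frame):
        try:
            rx.receive(frame)
            out[label] = "accepted"
        except Rejected as e:
            out[label] = str(e)

    attempt("replay", genuine)                            # captured frame sent again
    attempt("tamper", genuine.replace(b"WP3", b"WP9"))    # body edited, tag unchanged
    now["ms"] += 10_000                                   # frame held back, sent late
    attempt("stale", encode_command(UPLINK_KEY, seq=2, t_ms=now["ms"] - 10_000,
                                    cmd={"op": "hold"}))

    good = {"waypoints": [{"name": "WP1", "alt_ft_agl": 2000},
                          {"name": "WP2", "alt_ft_agl": 1500}]}
    canon, tag = sign_mission_plan(PLAN_KEY, good)
    out["plan_ok"] = len(load_mission_plan(PLAN_KEY, canon, tag)["waypoints"])
    low = {"waypoints": [{"name": "WP2", "alt_ft_agl": 500}]}
    for label, (c, t) in (("plan_tampered", (canon.replace(b"2000", b"200"), tag)),
                          ("plan_low", sign_mission_plan(PLAN_KEY, low))):
        try:
            load_mission_plan(PLAN_KEY, c, t)
            out[label] = "accepted"
        except Rejected as e:
            out[label] = str(e)
    out["stats"] = dict(rx.stats)
    return out
```

The plan floor check is the part that matters for the "Hack GCS via NEC" row: if the planning chain itself is compromised, a correctly signed but hostile plan arrives, so the UAV (or a separate GCS check) needs policy limits it enforces independently of the signature. A deployed system would use asymmetric signatures and an authenticated-encryption layer rather than a bare HMAC, and would need a key-management story for the GCS handover and UAV-relay cases under function 4.2.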
Resulting Functions Tree for Guard Dog UAVS

UAVS Function Tree [Part 1 of 3] – (I) Internal view; (F) Flight phase view; (E) External context view

1. Stability & Control (I)
  1.1 Determine attitude, orientation and speed (I)
  1.2 Stabilise perturbations (I)
  1.3 Manoeuvre UAV (I)
  1.4 Manual Override - Remote Piloting (I)
  1.5 Field T/O Launch Control (I)(F)
  1.6 Control Flight Path (I)
    1.6.1 Control Airspeed (I)
    1.6.2 Control Altitude & Rate (I)
    1.6.3 Control Heading (I)
2. Air Navigation (I)
  2.1 Position, Heading & Altitude Awareness (I)
    2.1.1 Determine Position, Heading & Altitude (I)
    2.1.2 Determine Nav Data accuracy (I)(F)
  2.2 Store / Update Mission Route (I)
  2.3 Monitor / Correct actual v planned route (I)
  2.4 Auto Take off & Landing (I)(F)
    2.4.1 Determine Airfield T/O Climb-out profile (F)(E)
    2.4.2 Determine High accuracy Position, heading & Altitude (F)
    2.4.3 Determine Airfield Approach, Hold, Circuit, R/W profile (F)(E)
    2.4.4 High Accuracy monitor / correct actual v planned profile (F)(E)
    2.4.5 Determine Wind speed & direction v R/W and landing characteristics (F)
  2.5 Terrain Avoidance (E)
    2.5.1 Awareness & flight path proximity (E)
    2.5.2 Maintain separation (ROA) (E)
    2.5.3 Emergency evasion (E)
  2.6 Sensitive Area Avoidance (Danger & Populated areas) (E) – sub-functions 2.6.1-3 (awareness, maintain separation, emergency evasion, as 2.5.1-3)
  2.7 Controlled Airspace avoidance (E) – sub-functions as 2.6.1-3
  2.8 Variable Danger Areas (NOTAMS) Avoidance (E) – sub-functions as 2.6.1-3
3. Control on the Ground (I)
  3.1 Control Speed on the ground (I)
    3.1.1 Determine speed on ground (I)
    3.1.2 Controlled Ground thrust (I)
    3.1.3 Controlled Ground Braking (I)
  3.2 Control Position on the ground (I)
    3.2.1 Determine ground position & heading (I)
    3.2.2 Ground steering (I)
    3.2.3 Determine Airfield layout / required ground route (F)(E)
    3.2.4 Monitor / correct actual v required ground route (F)
    3.2.5 Determine Air / Ground transition (F)
    3.2.6 Determine Ground obstacles (F)(E)
      3.2.6.1 Detect mobile obstacles (F)(E)
      3.2.6.2 Fixed obstacles awareness (F)(E)
Figure D-4a – Guard Dog Functions Tree (part 1 of 3)
UAVS Function Tree [Part 2 of 3] – (I) Internal view; (F) Flight phase view; (E) External context view

4. Manage Datalink (I)
  4.1 Monitor datalink condition (I)
    4.1.1 Signal strength (I)
    4.1.2 D/L Equipment status (I)
  4.2 Control Datalink path (I)
    4.2.1 Handover to next GCS (I)(F)
    4.2.2 Route via Satellite (I)(F)
    4.2.3 Relay between UAVs (I)(F)
  4.3 Datalink Fail Emergency Action (I)
    4.3.1 Single D/L fail / degradation action (I)
    4.3.2 Complete D/L fail / degradation action (I)
  4.4 Defend D/L (Jamming, stealing) (E)
  4.5 Monitor Terrain proximity to LOS (E)
5. Manage Payload (I)
  5.1 Sensor control (I)
  5.2 Payload data download (I)
  5.3 Distribute Payload data (I)
  5.4 Prioritise Users' Payload requests (I)
6. Monitor Mission progress (I)
  6.1 Telemeter S&C params to GCS (I)
  6.2 Telemeter Air Nav params to GCS (I)
  6.3 Telemeter Ground Control params to GCS (I)
  6.4 Telemeter Flight Systems status to GCS (I)
  6.5 Monitor Weather for changes (F)(E)
    6.5.1 Weather awareness en-route (E)
    6.5.2 Assess Wx proximity to planned route (E) [Precipitation, icing, wind speed / direction, visibility VMC / IMC]
    6.5.3 Determine Wx separation route around (E)
    6.5.4 Determine nearest, Wx safe, diversionary airfield & route (E)
7. Manage Flight Systems (I)
  7.1 Determine flight systems status (I)
  7.2 Redundant systems control? (I)
  7.3 Degraded systems emergency actions (I)
    7.3.1 Divert
    7.3.2 Emergency Landing
Figure D-4b – Guard Dog Functions Tree (part 2 of 3)
UAVS Function Tree [Part 3 of 3] – (I) Internal view; (F) Flight phase view; (E) External context view

8. Pre Flight Preparations (I)
  8.1 Mission Planning (I)
    8.1.1 Plan mission route (I)
    8.1.2 HIRF Location awareness (E)
    8.1.3 Terrain Awareness (E)
    8.1.4 Danger Area / populated area awareness (E)
    8.1.5 Controlled Airspace awareness (E)
    8.1.6 Weather awareness (E)
  8.2 T/O / Launch Preparation (F)
    8.2.1 Refuel / recharge consumables (I)
    8.2.2 Preflight systems test (I)(F)
    8.2.3 Upload Mission Plan (I)(F)
9. Manage Communications (E)
  9.1 Understand / reply to Airfield ATC voice comms (E)
  9.2 Detect & respect airfield visual signals (E)
  9.3 Understand / reply to En-Route ATC advice - voice / digital (E)
  9.4 Provide Tracking 'visibility' (signal, visual) (E)
  9.5 Manage ATC Frequency selections (E)
  9.6 Comply with ATC procedures (E)
    9.6.1 Determine required man
oeuvre from ATC comms (E)
    9.6.2 Confirm manoeuvre with ATC (E)
  9.7 Emergency Broadcast actions (E)
10. Collision Avoidance (F)(E)
  10.1 Detect Traffic (Co-op; Non Co-op) (E)
  10.2 Determine traffic relative track (E)
  10.3 Maintain traffic separation (ROA) (E)
  10.4 Collision emergency evasion (E)
  10.5 Conspicuity to Air Traffic (visual, RF) (E)
Figure D-4c – Guard Dog Functions Tree (part 3 of 3)
FAILURE ANALYSIS
Preliminary notes on columns:
Failure Condition (Hazard Description) – (a) Loss of Function; (b) Uncommanded Function; (c)Incorrect Function
Failure Conditions
Table D(vi) – Functional Failure Conditions for Guard Dog UAVS
FFA ID Function(a),(b),(c)
Failure Condition (Hazard Description)
1. Stability & Control (I)
F1.1A 1.1 Determine attitude and speed(I)
(a) Unable to determine UAV roll, pitch or yaw attitude
F1.1B (a) Unable to determine UAV airspeed(b) (not applicable – continuous function)
F1.1C (c) Accuracy error in measured attitude or speed
F1.1D (c) Measured attitude or speed freezes at last reading
F1.1E (c) Measured attitude or speed goes to maximum scale
F1.1F (c) Measured attitude or speed goes to minimum scale
F1.1G (c) Transient spikes in measured attitude or speed
F1.2A 1.2 Stabilise perturbations (I) (a) Loss of UAV stability
(b) (continuous function)
F1.2B (c) Undamped / poorly damped manoeuvres or speed
F1.2C (c) Over damped manoeuvres or speed
F1.2D (c) Phase lag drives oscillations
F1.3A 1.3 Manoeuvre UAV (I) (a) Unable to manoeuvre UAV at all when demanded
F1.3B (a) Unable to manoeuvre UAV in certain axes, when demanded
F1.3C (b) Undemanded manoeuvre
F1.3D (c) Asymmetric manoeuvre control – demand in one axis causes uncontrollable manoeuvre in another axis
F1.3E (c) Transient control deflections
F1.3F (c) Manoeuvre control restriction – limited manoeuvre
F1.3G (c) Manoeuvre control jams – unable to stop manoeuvre
F1.3H (c) Excessive manoeuvre control deflections
F1.3I (c) Manoeuvre capability exceeds vehicle structural strength
F1.3J (c) Manoeuvre control time delay (lag)
F1.4A 1.4 Manual Override - Remote Piloting (I)
(a) Unable to take manual control of UAV
F1.4B (b) Unable to fly UAV with autonomy
F1.4C (c) Conflicting authority between manual and autonomous control
F1.4D (c) Conflicting authority between separate ground sources formanual control
F1.5A 1.5 Field T/O Launch Control (I)(F) (a) Launch control not provided during ramp t/o
F1.5B (a) Launcher fails to reach necessary speed
F1.5C (b) Launch control initiated during other flight phase
F1.5D (c) Launch speed excessive
1.6 Control Flight Path (I)
F1.6A 1.6.1 Control Airspeed (I) (a) Airspeed cannot be increased when necessary
F1.6B (a) Airspeed cannot be decreased when necessary
F1.6C (b) Airspeed runaway up
F1.6D (b) Airspeed runaway down
F1.6E (c) Asymmetric thrust (power) causing uncontrollable yaw or roll (depending on propulsion configuration)
F1.6F (c) Incorrect airspeed achieved – too high
F1.6G (c) Incorrect airspeed achieved – too low
F1.6H 1.6.2 Control Altitude & Rate (I) (a) Altitude cannot be increased when required
F1.6I (a) Altitude cannot be decreased when required
F1.6J (b) Altitude runaway up
F1.6K (b) Altitude runaway down
F1.6L (c) Incorrect altitude achieved – too high
F1.6M (c) Incorrect altitude achieved – too low
F1.6N (c) Altitude achieved at incorrect climb / descent rate
F1.6O 1.6.3 Control Heading (I) (a) Heading not variable
F1.6P (b) Heading changes without demand
F1.6Q (b) Heading runaway
F1.6R (c) Incorrect heading achieved
2. Air Navigation (I)
2.1 Position, Heading & Altitude Awareness (I)
F2.1A 2.1.1 Determine Position, Heading & Altitude (I)
(a) Unable to determine position
F2.1B (a) Unable to determine heading
F2.1C (a) Unable to determine altitude
(b) (continuous function)
F2.1D (c) Accuracy error in measured position, heading or altitude
F2.1E (c) Lag in position, heading or altitude data measurement (phase shift)
F2.1F (c) Measured position, heading or altitude freezes at last reading
F2.1G (c) Measured position, heading or altitude goes to maximum scale
F2.1H (c) Measured position, heading or altitude goes to minimum scale
F2.1I (c) Transient spikes in measured position, heading or altitude
F2.1J 2.1.2 Determine Nav Data accuracy (I)(F)
(a) Unable to determine Nav data accuracy
(b) (continuous function)
F2.1K (c) Nav data erroneously determined as accurate
F2.1L (c) Nav data erroneously determined as inaccurate
F2.2A 2.2 Store / Update Mission Route (I) (a) Loss of stored mission route
F2.2B (a) Unable to update / change route once stored
F2.2C (b) Mission route changed without demand
F2.2D (c) Mission route stored / updated with incorrect data elements (stale / zero / default / random data)
F2.2E (c) Mission route stored / updated partially – elements missing
F2.2F (c) Mission route not achievable (performance)
F2.2G (c) Mission route not safe (ROA)
F2.3A 2.3 Monitor / Correct actual v planned route (I)
(a) Unable to determine route error
F2.3B (a) Unable to determine route correction
(b) (Continuous function)
F2.3C (c) Erroneous route error or correction determined
2.4 Auto Take off & Landing (I)(F)
F2.4A 2.4.1 Determine Airfield T/O Climb-out profile (F)(E)
(a) Airfield T/O (runway) profile lost
F2.4B (a) Airfield climb-out profile lost
F2.4C (b) Climb out profile initiated in other phase
F2.4D (c) Airfield T/O (runway) profile for wrong airfield / runway
F2.4E (c) Airfield climb-out profile for wrong airfield / runway
F2.4F (c) Airfield climb out profile corrupted (spikes, dips, truncated, capped)
F2.4G 2.4.2 Determine High accuracy Position, heading & Altitude (F)
(a) Unable to determine high accuracy position
F2.4H (a) Unable to determine high accuracy heading
F2.4I (a) Unable to determine high accuracy altitude
F2.4J (b) High accuracy data presented in other phases
F2.4K (c) Incorrect position determined
F2.4L (c) Inaccurate position determined
F2.4M (c) Incorrect heading determined
F2.4N (c) Inaccurate heading determined
F2.4O (c) Incorrect altitude determined
F2.4P (c) Inaccurate altitude determined – too high
F2.4Q (c) Inaccurate altitude determined – too low
F2.4R 2.4.3 Determine Airfield Approach, Hold, Circuit, R/W profile (F)(E)
(a) Airfield approach lost
F2.4S (a) Airfield hold lost
F2.4T (a) Airfield circuit lost
F2.4U (a) Airfield R/W profile lost
F2.4V (b) Airfield approach, hold, circuit initiated in other phase
F2.4W (c) Airfield approach, hold, circuit runway profile for wrong airfield / runway
F2.4X (c) Airfield approach, hold, circuit runway profile corrupted (spikes, dips, truncated, capped)
F2.4Y 2.4.4 High Accuracy monitor / correct actual v planned profile (F)(E)
(a) Unable to determine T/O path error / correction
F2.4Z (a) Unable to determine landing path error / correction
(b) (Continuous function)
F2.4AA (c) Erroneous T/O path error or correction determined
F2.4AB (c) Erroneous landing path error or correction determined
F2.4AC 2.4.5 Determine Wind speed & direction v R/W and landing characteristics (F)
(a) Not possible to determine W/S or direction
(b) (continuous function)
F2.4AD (c) Incorrect w/s determined – too high
F2.4AE (c) Incorrect w/s determined – too low
F2.4AF (c) Incorrect wind direction determined
F2.4AG (c) Noisy, oscillating wind direction
2.5 Terrain Avoidance (E)
F2.5A 2.5.1 Awareness & flight path proximity (E)
(a) Unaware of surrounding terrain
F2.5B (a) Unaware of proximity of surrounding terrain to flight path
F2.5C (a) Terrain proximity determined at low sampling rate
(b) (continuous function)
F2.5D (c) Incorrect surrounding terrain determined
F2.5E (c) Incorrect distance to terrain determined – lower than actual
F2.5F (c) Incorrect distance to terrain determined – higher than actual
F2.5G 2.5.2 Maintain separation (ROA) (E) (a) Terrain separation (minimum) not maintained
F2.5H (b) Terrain separation driven down / up to minimum
F2.5I (c) Terrain separation maintained but below ROA requirement (highest point +1000ft)
F2.5J (c) Flight profile to maintain terrain separation exceeds vehicle climb performance
F2.5K 2.5.3 Emergency evasion (E) (a) Need for emergency terrain evasion not determined
F2.5L (a) Need for emergency terrain evasion determined late
F2.5M (b) Emergency evasion manoeuvre triggered when not necessary
F2.5N (c) Required emergency evasion manoeuvre exceeds vehicle manoeuvre performance
F2.5O (c) Incorrect emergency evasion manoeuvre identified
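The function 2.5 failure conditions above separate "separation not maintained" (F2.5G) from "maintained but below the ROA requirement" (F2.5I) and from "the profile that would keep separation is beyond the vehicle's climb performance" (F2.5J). The following is an added example, not part of the thesis or of any Guard Dog design, showing how a route-leg check can be written so that each of those three outcomes is reported distinctly. The clearance figure comes from F2.5I (highest point + 1000 ft); the terrain samples, legs, linear altitude profile and climb limit are constructed assumptions.

```python
"""Terrain separation (ROA) check for a planned route leg.

Added example, not from the thesis. It applies the clearance rule quoted
at F2.5I (highest point + 1000 ft) to a planned altitude profile and
distinguishes three of the function 2.5 failure conditions:
  F2.5G  separation not maintained (planned altitude below the terrain)
  F2.5I  separation maintained but below the ROA requirement
  F2.5J  the profile needed to keep separation exceeds climb performance
Terrain samples, legs and the climb limit are constructed values.
"""
from dataclasses import dataclass

ROA_CLEARANCE_FT = 1000.0  # clearance above the highest point (F2.5I)


@dataclass(frozen=True)
class Leg:
    name: str
    length_nm: float      # horizontal length of the leg
    start_alt_ft: float   # planned altitude at the start of the leg
    end_alt_ft: float     # planned altitude at the end of the leg
    terrain_ft: tuple     # terrain heights sampled evenly along the leg


def highest_point(leg):
    """Return (fraction along the leg, height in ft) of the highest terrain sample."""
    idx = max(range(len(leg.terrain_ft)), key=lambda i: leg.terrain_ft[i])
    n = len(leg.terrain_ft)
    frac = idx / (n - 1) if n > 1 else 0.0
    return frac, leg.terrain_ft[idx]


def planned_altitude(leg, frac):
    """Planned altitude at a fraction of the leg (assumed linear profile)."""
    return leg.start_alt_ft + frac * (leg.end_alt_ft - leg.start_alt_ft)


def check_leg(leg, max_climb_ft_per_nm):
    """Return a list of (failure condition id, message) for the leg; empty is acceptable."""
    findings = []
    frac, peak_ft = highest_point(leg)
    required_ft = peak_ft + ROA_CLEARANCE_FT
    clearance_ft = planned_altitude(leg, frac) - peak_ft
    if clearance_ft < 0:
        findings.append(("F2.5G", f"{leg.name}: planned profile {-clearance_ft:.0f} ft below terrain at highest point"))
    elif clearance_ft < ROA_CLEARANCE_FT:
        findings.append(("F2.5I", f"{leg.name}: only {clearance_ft:.0f} ft clearance, ROA requires {ROA_CLEARANCE_FT:.0f} ft"))
    if clearance_ft < ROA_CLEARANCE_FT:
        # The profile that would maintain separation: climb from the leg start to
        # required_ft by the highest point. Check that climb against performance.
        climb_ft = required_ft - leg.start_alt_ft
        dist_nm = frac * leg.length_nm
        if climb_ft > 0 and (dist_nm == 0 or climb_ft / dist_nm > max_climb_ft_per_nm):
            findings.append(("F2.5J", f"{leg.name}: needs {climb_ft:.0f} ft climb in {dist_nm:.1f} nm, above {max_climb_ft_per_nm:.0f} ft/nm"))
    return findings


def finding_ids(leg, max_climb_ft_per_nm):
    """Just the failure condition ids raised for the leg."""
    return [fid for fid, _ in check_leg(leg, max_climb_ft_per_nm)]


# Constructed sample legs and climb limit (not from the thesis).
LEG_OK = Leg("ok", 10.0, 4000.0, 4000.0, (1000.0, 2000.0))
LEG_LOW = Leg("low", 10.0, 3000.0, 3000.0, (500.0, 1200.0, 2500.0, 1800.0))
LEG_STEEP = Leg("steep", 4.0, 2000.0, 2000.0, (100.0, 2400.0, 300.0))
MAX_CLIMB_FT_PER_NM = 300.0

if __name__ == "__main__":
    for leg in (LEG_OK, LEG_LOW, LEG_STEEP):
        for fid, msg in check_leg(leg, MAX_CLIMB_FT_PER_NM):
            print(fid, msg)
```

The climb check is only evaluated when the planned profile is already short of the requirement, so a leg that is clear at its highest point never raises F2.5J; a leg whose highest point is its first sample has no distance in which to climb and is always reported as exceeding performance unless the start altitude is already adequate.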
2.6 Sensitive Area Avoidance (Fixed Danger & Populated areas) (E)
F2.6A 2.6.1 Awareness & flight path proximity (E)
(a) Unaware of Sensitive Area
F2.6B (a) Unaware of proximity of Sensitive Area to flight path
(b) (continuous function)
F2.6C (c) Incorrect Sensitive Area determined
F2.6D (c) Incorrect distance to Sensitive Area determined – nearer than actual
F2.6E (c) Incorrect distance to Sensitive Area determined – further than actual
F2.6F 2.6.2 Maintain separation (ROA) (E) (a) Sensitive Area separation (minimum) not maintained
(b) (continuous function)
F2.6G 2.6.3 Emergency incursion action (E)
(a) Need for emergency evasion not determined
F2.6H (a) Need for emergency evasion determined late
F2.6I (b) Emergency evasion manoeuvre triggered when not necessary
F2.6J (c) Incorrect emergency evasion manoeuvre identified
2.7 Controlled Airspace avoidance (E)
F2.7A 2.7.1 Awareness & flight path proximity (E)
(a) Unaware of Controlled Airspace
F2.7B (a) Unaware of proximity of Controlled Airspace to flight path
(b) (continuous function)
F2.7C (c) Incorrect Controlled Airspace determined
F2.7D (c) Incorrect distance to Controlled Airspace determined – nearer than actual
F2.7E (c) Incorrect distance to Controlled Airspace determined – further than actual
F2.7F 2.7.2 Maintain separation (ROA) (E) (a) Controlled Airspace separation (minimum) not maintained
(b) (continuous function)
F2.7G 2.7.3 Emergency incursion action (E)
(a) Need for emergency evasion not determined
F2.7H (a) Need for emergency evasion determined late
F2.7I (b) Emergency evasion manoeuvre triggered when not necessary
F2.7J (c) Incorrect emergency evasion manoeuvre identified
2.8 Variable Danger Areas (NOTAMS) Avoidance (E)
F2.8A 2.8.1 Awareness & flight path proximity (E)
(a) Unaware of NOTAMS Area
F2.8B (a) Unaware of proximity of NOTAMS Area to flight path
(b) (continuous function)
F2.8C (c) Incorrect NOTAMS Area determined
F2.8D (c) Incorrect distance to NOTAMS Area determined – nearer than actual
F2.8E (c) Incorrect distance to NOTAMS Area determined – further than actual
F2.8F 2.8.2 Maintain separation (ROA) (E) (a) NOTAMS Area separation (minimum) not maintained
(b) (continuous function)
F2.8G 2.8.3 Emergency incursion action (E)
(a) Need for emergency evasion not determined
F2.8H (a) Need for emergency evasion determined late
F2.8I (b) Emergency evasion manoeuvre triggered when not necessary
F2.8J (c) Incorrect emergency evasion manoeuvre identified
3. Control on the Ground (I)
3.1 Control Speed on the ground (I)
F3.1A 3.1.1 Determine speed on ground (I)
(a) Unable to determine speed on the ground
F3.1B (b) Attempt to determine ground speed while in the air
F3.1C (c) Ground speed inaccuracy - too high
F3.1D (c) Ground speed inaccuracy – too low
F3.1E 3.1.2 Controlled Ground thrust (I) (a) Unable to increase ground thrust
F3.1F (a) Unable to decrease ground thrust
F3.1G (b) Ground thrust increases without demand – runaway up
F3.1H (b) Ground thrust decreases without demand – runaway down
F3.1I (c) Ground thrust change lags demand
F3.1J (c) Excessive ground thrust change for required demand (scale error)
F3.1K (c) Inadequate ground thrust change for required demand (scale error)
F3.1L (c) Ground thrust asymmetry (roll or yaw depending on propulsion configuration)
F3.1M 3.1.3 Controlled Ground Braking (I) (a) Unable to apply / increase ground braking
F3.1N (a) Unable to decrease / release ground braking
F3.1O (b) Ground braking increases / on without demand
F3.1P (b) Ground braking decreases / releases without demand
F3.1Q (c) Ground braking change lags demand
F3.1R (c) Excessive ground braking for required demand (scale error)
F3.1S (c) Inadequate ground braking for required demand (scale error)
F3.1T (c) Ground braking asymmetry
3.2 Control Position on the ground (I)
F3.2A 3.2.1 Determine ground position & heading (I)
(a) Unable to determine ground position
F3.2B (a) Unable to determine ground heading
F3.2C (b) Attempt to determine ground position / heading while in the air
F3.2C (c) Ground position or heading inaccurate
F3.2D 3.2.2 Ground steering (I) (a) Ground steering not available – steering fixed
F3.2E (a) Ground steering not available – steering free
F3.2F (b) Ground steering when not on the ground
F3.2G (c) Incorrect sense ground steering applied
F3.2H (c) Excessive ground steering applied
F3.2I (c) Inadequate ground steering applied
F3.2J (c) Ground steering lags demand
F3.2K 3.2.3 Determine Airfield layout / required ground route (F)(E)
(a) Unable to determine airfield layout / required ground route
F3.2L (b) Ground route identified when not on the ground
F3.2M (c) Incorrect airfield identified
F3.2N (c) Incorrect ground route (at correct airfield) identified
F3.2O 3.2.4 Monitor / correct actual v required ground route (F)
(a) Unable to determine ground route error
F3.2P (a) Unable to determine ground route correction
(b) (Continuous function on the ground)
F3.2Q (c) Erroneous ground route error or correction determined
F3.2R 3.2.5 Determine Air / Ground transition (F)
(a) Unable to determine air / ground transition
(b) (continuous function)
F3.2S (c) Air to ground transition erroneously determined
F3.2T (c) Ground to air transition erroneously determined
F3.2U (c) Air / ground transition identified during transient ground contact
F3.2V (c) Air / ground transition not identified during transient ground contact
F3.2W 3.2.6 Determine Ground obstacles (F)(E) (Fixed or mobile)
(a) Unable to determine position of fixed ground obstacles
F3.2X (a) Unable to detect mobile ground obstacles
F3.2Y (b) Attempt to identify ground obstacles while not on the ground
F3.2Z (c) Ground obstacle identified where there is none
F3.2AA (c) Ground obstacle not identified where there is
F3.2AB (c) Ground obstacle identified position inaccurate
F3.2AC (c) Mobile ground obstacle identified but speed / direction not
4. Manage Datalink (I) Classification of datalink functional failures is critically dependent on level of autonomy of UAV in event of failure, in reaching a safe outcome.
4.1 Monitor datalink condition (I)
F4.1A 4.1.1 Signal strength (I) (a) Unable to determine datalink signal strength
F4.1B (b) (continuous function)
F4.1C (c) Datalink signal strength erroneously indicated too high
F4.1D (c) Datalink signal strength erroneously indicated too low
F4.1E (c) Datalink signal strength very noisy – high / low oscillation
F4.1F 4.1.2 D/L Equipment status (I) (a) Datalink equipment status not available
(b) (continuous function)
F4.1G (c) Datalink equipment status shown ‘no fail’ with actual single fail
F4.1H (c) Datalink equipment status shown ‘no fail’ with actual total fail
F4.1I (c) Datalink equipment status shown ‘single fail’ when actually no fail
F4.1J (c) Datalink equipment status shown ‘total fail’ when actually no fail
F4.1K (c) Datalink equipment status oscillates between fail / no fail status
4.2 Control Datalink path (I)
F4.2A 4.2.1 Handover to next GCS (I)(F) (a) Datalink control cannot hand over from current to next GCS
F4.2B (b) Datalink attempts control hand over from current GCS without demand
F4.2C (c) Datalink control hand over from current GCS, but next GCS unable to take control
F4.2D (c) Datalink control hand over from current GCS, but next GCS unaware it has control
F4.2E (c) Datalink control taken over by next GCS, without current GCS being aware
F4.2F (c) Datalink control hand over to next GCS, but current GCS also retains control (dual control)
F4.2G (c) Datalink attempted control hand over to next GCS, but neither GCS retains control
F4.2H 4.2.2 Route via Satellite (I)(F) (a) Unable to route datalink via satellite
F4.2I (b) Datalink routed via satellite without demand
F4.2J (c) Datalink routed via wrong satellite
F4.2K (c) Datalink ‘cross talk’ with other satellite traffic
F4.2L (c) Satellite link saturates with other satellite traffic – datalink dropouts
F4.2M (c) Satellite link saturates with other satellite traffic – datalink delays
F4.2N (c) Satellite link fails totally
F4.2N 4.2.3 Relay between UAVs (I)(F) (a) Unable to route datalink to 1st UAV via relay UAV
F4.2O (b) Datalink routed via relay UAV without demand
F4.2P (c) Datalink routed via wrong relay UAV
F4.2Q (c) Datalink routed via relay UAV to wrong 1st UAV
F4.2R (c) Relay Datalink ‘cross talk’ with RF noise
F4.2S (c) Datalink command confusion between those meant for relay UAV and those for 1st UAV
F4.2T (c) Relay datalink drop outs
F4.2U (c) Relay datalink delays
F4.2V (c) Relay link fails totally
F4.3A 4.3 Datalink Fail / Degrade Emergency Action (I) (see function 7.3.1 for divert function failures)
(a) D/L fail action (hold then divert ) not taken when required
F4.3B (b) D/L fail action (hold then divert ) taken without demand
F4.3C (c) D/L fail action partially taken – UAV remains in hold
F4.3D (c) D/L fail action partially taken – UAV diverts immediately
F4.3E (c) D/L fail action partially taken – D/L fail broadcast not issued
F4.4A 4.4 Defend D/L (Jamming, stealing) (E)
(a) Datalink jammed
F4.4B (a) Datalink stolen
(b) (continuous function)
F4.4C (c) Valid datalink control rejected as jamming / stealing
F4.5A 4.5 Monitor Terrain proximity to LOS (E)
(a) Fail to monitor terrain proximity to control LOS
(b) (continuous function)
F4.5B (c) Terrain proximity inaccuracy – judged closer than actual
F4.5C (c) Terrain proximity inaccuracy – judged further than actual
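Function 4.3 lists the D/L fail action as "hold then divert" with a D/L fail broadcast, and its failure conditions F4.3A to F4.3E are the ways that sequence can be omitted, triggered without demand, or only partly carried out. The following is an added example, not part of the thesis or of any Guard Dog implementation: a small state machine written so that the partial-action conditions (remaining in hold, diverting immediately, no broadcast) are excluded by its structure rather than by procedure, and so that the oscillating signal-strength case at F4.1E cannot trigger the action on a transient dropout. The loss and hold thresholds, the broadcast text and the one-second step are constructed assumptions.

```python
"""Lost-link (D/L fail) emergency action model.

Added example, not the thesis's own design. It models function 4.3,
"Datalink Fail / Degrade Emergency Action" (broadcast, hold, then divert;
see also 9.7 and 7.3.1), as a small state machine so that the listed
failure conditions F4.3A-F4.3E can be checked against a design rather than
argued in prose. Timing thresholds and the broadcast text are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    NORMAL = "normal"   # link up, GCS in control
    HOLD = "hold"       # link lost, holding for recovery
    DIVERT = "divert"   # hold timed out, diverting autonomously


# Assumed thresholds, in seconds. The link is declared lost only after it has
# been absent continuously for LINK_LOSS_S, so that an oscillating signal
# (F4.1E) or a short dropout does not trigger the action without demand (F4.3B).
LINK_LOSS_S = 5.0
# The hold is bounded, so the UAV cannot remain in hold indefinitely (F4.3C),
# and DIVERT is only reachable from HOLD, never directly from NORMAL (F4.3D).
HOLD_MAX_S = 120.0
BROADCAST_DL_FAIL = "DATA LINK FAIL"


@dataclass
class LostLinkController:
    mode: Mode = Mode.NORMAL
    link_absent_s: float = 0.0
    hold_elapsed_s: float = 0.0
    broadcasts: list = field(default_factory=list)

    def step(self, link_ok: bool, dt: float) -> Mode:
        """Advance the controller by dt seconds given the current link state."""
        if link_ok:
            self.link_absent_s = 0.0
            if self.mode is Mode.HOLD:
                # Link recovered during the hold: hand control back to the GCS.
                self.mode = Mode.NORMAL
                self.hold_elapsed_s = 0.0
            # A divert already under way is committed; the GCS can re-plan it
            # through the normal route-update function (2.2) once the link is back.
            return self.mode
        self.link_absent_s += dt
        if self.mode is Mode.NORMAL and self.link_absent_s >= LINK_LOSS_S:
            # The broadcast is issued on the same transition that enters HOLD, so
            # no path reaches HOLD without it (F4.3E).
            self.broadcasts.append(BROADCAST_DL_FAIL)
            self.mode = Mode.HOLD
            self.hold_elapsed_s = 0.0
        elif self.mode is Mode.HOLD:
            self.hold_elapsed_s += dt
            if self.hold_elapsed_s >= HOLD_MAX_S:
                self.mode = Mode.DIVERT
        return self.mode


def run(link_trace, dt=1.0):
    """Replay a sequence of per-step link states; return (final mode, broadcasts)."""
    ctl = LostLinkController()
    for link_ok in link_trace:
        ctl.step(link_ok, dt)
    return ctl.mode, list(ctl.broadcasts)


if __name__ == "__main__":
    # Constructed traces: a 3 s dropout, a loss that recovers during the hold,
    # and a loss that runs the hold out and diverts.
    print(run([False] * 3))
    print(run([False] * 30 + [True]))
    print(run([False] * 125))
```

What the model does not cover is as informative as what it does: F4.3A (action not taken when required) depends on the link-status input being truthful, which is exactly the F4.1G/F4.1H "shown no fail with actual fail" conditions, so the debounce and the status monitor have to be assessed together.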
5. Manage Payload (I)
F5.1A 5.1 Sensor control (I) [including visual sensor ]
(a) Unable to direct sensor at point of interest [including forwards, for flight assistance]
F5.1B (b) Sensor slews off point of interest without demand
F5.1C (c) Sensor not stabilized on point of interest (subject to flight motion / noise)
F5.1D (c) Sensor field of view / zoom incorrect – too wide
F5.1E (c) Sensor field of view / zoom incorrect – too narrow
5.2 Payload data download (I) [including visuals]
5.3 Distribute Payload data (I)
5.4 Prioritise Users' Payload requests (I)
6. Monitor Mission progress (I)
F6.1A 6.1 Telemeter S&C params to GCS (I)
(a) Unable to telemeter S&C parameters to GCS
(b) (continuous function)
F6.1B (c) Inaccurate S&C parameters telemetered
F6.1C (c) Other parameters telemetered as S&C
F6.2A 6.2 Telemeter Air Nav params to GCS (I)
(a) Unable to telemeter Air Nav parameters to GCS, at all
(b) (continuous function)
F6.2B (c) Inaccurate Air Nav parameters telemetered
F6.2C (c) Other parameters telemetered as Air Nav
F6.3A 6.3 Telemeter Ground Control params to GCS (I)
(a) Unable to telemeter Ground Control parameters to GCS, at all
(b) (continuous function)
F6.3B (c) Inaccurate Ground Control parameters telemetered
F6.3C (c) Other parameters telemetered as Ground Control
F6.4A 6.4 Telemeter Flight Systems status to GCS (I)
(a) Unable to telemeter Flight Systems status to GCS, at all
(b) (continuous function)
F6.4B (c) Inaccurate Flight Systems status telemetered
F6.4C (c) Other parameters telemetered as Flight Systems status
6.5 Monitor Weather for changes (F)(E)
F6.5A 6.5.1 Weather awareness en-route (E) [Precipitation, icing, wind speed / direction, visibility VMC / IMC]
(a) Unaware of weather conditions en route
F6.5B (a) Unaware of wind speed or direction en route
(b) (continuous function)
F6.5C (c) Erroneous indication of precipitation, icing or visibility conditions en route – better than actual
F6.5D (c) Erroneous indication of precipitation, icing or visibility conditions en route – worse than actual
F6.5E (c) Inaccurate indication of wind speed or direction en route
F6.5F 6.5.2 Assess Wx proximity to planned route (E)
(a) Unable to determine Wx proximity to planned route
(b) (continuous function )
F6.5G (c) Wx proximity inaccurately determined nearer than actual
F6.5H (c) Wx proximity inaccurately determined further than actual
F6.5I (c) Wx movement inaccurately predicted – slower than actual
F6.5J (c) Wx movement inaccurately predicted – faster than actual
F6.5K 6.5.3 Determine Wx separation route around (E) [to reach final destination]
(a) Unable to determine a separation route around the weather – UAVS failure
F6.5L (a) Unable to determine a separation route around the weather – weather close out
F6.5M (a) Flight path not modified to avoid bad Wx
F6.5N (b) Unnecessary route around inserted in flight path
F6.5O (c) Revised bad Wx route does not avoid the weather
F6.5P (c) Revised bad Wx route exceeds range capability of vehicle
F6.5Q (c) Revised bad Wx route infringes other separation zones
F6.5R 6.5.4 Determine nearest diversionary airfield & route (E)
(a) Unable to determine a diversionary airfield
F6.5S (a) Unable to determine a route to the diversionary airfield
(b) (continuous function)
F6.5T (c) Incorrect diversion airfield determined – at increased flight distance
F6.5U (c) Incorrect diversion airfield determined – weather close out
F6.5V (c) Diversion airfield determined only periodically (i.e. not continuous function )
F6.5W (c) Diversion airfield not communicated between UAV and GCS, immediately after determination
F6.5X (c) Diversion route not communicated between UAV and GCS, immediately after determination
7. Manage Flight Systems(I)
F7.1A 7.1 Determine flight systems status (I)
(a) Unable to determine flight critical systems status
(b) (continuous function)
F7.1B (c) Flight critical system indicates a single fail, incorrectly
F7.1C (c) Flight critical system indicates a total fail, incorrectly
F7.1D (c) Flight critical system single fail not indicated
F7.1E (c) Flight critical system total fail not indicated
F7.1F (c) Incorrect flight system shown as having failure
7.2 Redundant systems control? (I) [leave to system level FHA]
7.3 Degraded systems emergency actions (I)
F7.3A 7.3.1 Divert (E) (a) Failure to divert when expected
F7.3B (b) Divert carried out when not necessary
F7.3C (c) Divert carried out to different divert airfield than determined
F7.3D (c) Divert carried out on different route to that determined
F7.3E (c) (Divert demanded but no airfield or route available)
F7.3F (c) (Divert due to Collision Avoidance failure partially carried out – without broadcast )
F7.3G (c) (Divert carried out when Emergency Landing should be )
F7.3H (c) (Emergency Landing carried out when divert should be)
F7.3I 7.3.2 Emergency Landing (E) (a) Failure to carry out controlled Emergency Landing, when necessary
F7.3J (b) Emergency Landing carried out when not necessary
F7.3K (c) (Emergency landing carried out partially – without MAYDAY broadcast)
F7.3L (c) Emergency landing attempted in populated area
8. Pre Flight Preparations (I)
8.1 Mission Planning (I)
F8.1A 8.1.1 Plan mission (I) (a) Unable to plan mission
F8.1B (a) Mission plan completed but not retained and loaded
F8.1C (b) (Mission planning initiated when not required?)
F8.1D (c) Mission plan partially complete
F8.1E (c) Mission plan partially in error – random error
F8.1F (c) Mission plan partially in error – stale information from earlier mission
F8.1G (c) Mission plan for incorrect mission loaded
F8.1H (c) Mission plan confuses ident of UAVS system elements (UAVs; GCSs)
F8.1I (c) Mission plan completed but not within capability of UAVS performance
F8.1J 8.1.2 HIRF Location awareness (E) (a) Unaware of HIRF locations for mission planning
(b) (continuous function)
F8.1K (c) Not all HIRF locations known for mission planning
F8.1L (c) Some HIRF locations incorrect for mission planning
F8.1M (c) Some HIRF height / range information incorrect for mission planning
F8.1N (c) Some HIRF types incorrect for mission planning
F8.1O 8.1.3 Terrain Awareness (E) (a) Unaware of terrain for mission planning
(b) (continuous function)
F8.1P (c) Not all terrain known for mission planning
F8.1Q (c) Some terrain positions incorrect for mission planning
F8.1R (c) Some terrain heights incorrect for mission planning
F8.1S (c) Some terrain types incorrect for mission planning
F8.1T 8.1.4 Danger Area / populated area awareness (E)
(a) Unaware of Danger / populated areas for mission planning
(b) (continuous function)
F8.1U (c) Not all Danger / populated areas known for mission planning
F8.1V (c) Some Danger / populated areas locations incorrect for mission planning
F8.1W (c) Some Danger / populated areas height information incorrect for mission planning
F8.1X 8.1.5 Controlled Airspace awareness (E)
(a) Unaware of Controlled Airspace for mission planning
(b) (continuous function)
F8.1Y (c) Not all Controlled Airspace known for mission planning
F8.1Z (c) Some Controlled Airspace locations incorrect for mission planning
F8.1AA (c) Some Controlled Airspace height information incorrect for mission planning
F8.1AB (c) Some controlled airspace types incorrect
F8.1AC 8.1.6 Weather awareness (E) (a) Unaware of current weather conditions
F8.1AD (a) Unaware of predicted weather conditions
(b) (continuous function)
F8.1AE (c) Weather conditions incorrect - optimistic
F8.1AF (c) Weather conditions incorrect - pessimistic
F8.1AG (c) Weather conditions incorrect – location or path
(c) (also as function 6.5)
8.2 T/O / Launch Preparation (F)
F8.2A 8.2.1 Refuel / recharge consumables (I)
(a) Unable to refuel / recharge consumables
F8.2B (b) (Refuel / recharge at incorrect phase?)
F8.2C (b) Refuelling / recharging still underway at launch
F8.2D (c) Partially refuelled / recharged
F8.2E (c) Fuelled / charged with incorrect consumables
F8.2F (c) Fuel / charge contaminated
F8.2G (c) Fuelled asymmetrically (fore / aft; left / right)
F8.2H 8.2.2 Pre flight systems test (I)(F) (a) Unable to pre-flight systems test
F8.2I (b) (Pre-flight systems test at incorrect phase?)
F8.2J (b) Still in pre-flight test at launch
F8.2K (c) Partial pre-flight systems test carried out
F8.2L (c) Pre-flight systems test returns incorrect pass for critical system
F8.2M (c) Pre-flight systems test returns incorrect fail for critical system
F8.2N (c) Pre-flight systems test confuses Ident of systems test results
F8.2O 8.2.3 Upload Mission Plan (I)(F) (a) Unable to upload mission plan
F8.2P (b) (Upload mission plan at incorrect phase?)
F8.2Q (b) Still uploading mission plan at launch
F8.2R (c) Partial upload of mission plan carried out
F8.2S (c) Mission plan uploaded but not retained – no plan
F8.2T (c) Mission plan uploaded but not retained – stale plan retained
F8.2U (c) Incorrect mission plan uploaded – UAV differs from GCS
F8.2V (c) Incorrect mission plan uploaded – both UAV and GCS
F8.2W (c) Incorrect mission plan uploaded – current and next GCS differ
F8.2X (c) Incorrect mission plan uploaded – both current and next GCS
F8.2Y (c) Mission plan corrupted during upload
F8.2Z (c) Mission plan upload confuses ident of UAVs (relay / sensor UAVs)
9. Manage Communications (E)
F9.1A 9.1 Understand / reply to Airfield ATC voice comms (E)
(a) Unable to hear ATC airfield voice comms at all
F9.1B (a) Unable to hear ATC airfield voice comms intermittently
F9.1C (a) Unable to understand airfield ATC voice comms
F9.1D (a) Unable to reply to airfield ATC voice comms
F9.1E (b) Transmit on ATC airfield comms channel when not intended
F9.1F (b) Comply with / reply to airfield ATC message intended for another aircraft
(b) (Comply with / reply to airfield ATC message from incorrect airfield )
F9.1G (c) Misunderstand ATC airfield comms
F9.1H (c) Delay responding to airfield ATC comms
F9.1I (c) Incorrect message transmitted to airfield ATC comms
F9.2A 9.2 Detect & respect airfield visual signals (E)
(a) Unable to detect or respect airfield visual signals
F9.2B (b) Detect / respect airfield visual signals that are not pertinent to UAV position (incorrect signal detected / respected)
F9.2C (c) Misinterpret airfield visual signal
F9.3A 9.3 Understand / reply to En-Route ATC advice - voice / digital (E)
(a) Unable to detect ATC en-route comms at all
F9.3B (a) Unable to detect ATC en-route comms intermittently
F9.3C (a) Unable to understand en-route ATC comms
F9.3D (a) Unable to reply to en-route ATC comms
F9.3E (b) Transmit on en-route ATC comms channel when not intended
F9.3F (b) (Comply with / reply to en-route ATC message from incorrect ATC service)
F9.3G (b) Comply with / reply to en-route ATC message intended for another aircraft
F9.3H (c) Misunderstand en-route ATC comms
F9.3I (c) Delay responding to en-route ATC comms
F9.3J (c) Incorrect message transmitted to en-route ATC comms
F9.4A 9.4 Provide Tracking 'visibility' (signal, visual) (E)
(a) UAV not visible to ATC for transponder tracking
F9.4B (a) UAV not visible to ATC for RADAR tracking by RF signature
F9.4C (a) UAV not visible to ATC for tracking visually
(b) (RF signature / visual are continuous functions )
F9.4D (b) Provide transponder response when not required
F9.4E (c) Provide transponder response late when interrogated
F9.4F (c) Provide incorrect Aircraft Identifier when interrogated
F9.4G (c) Provide incorrect aircraft altitude when interrogated
F9.5A 9.5 Manage ATC Frequency selections (E)
(a) Unable to change ATC frequency selection
F9.5B (a) Unable to hold required ATC frequency
F9.5C (b) ATC frequency changed when not required
F9.5D (c) ATC frequency changed to incorrect frequency (not in use frequency)
F9.5E (c) ATC frequency changed to incorrect frequency (in-use frequency)
F9.5F (c) ATC frequency changed to emergency frequency in error
9.6 Comply with ATC procedures (E)
Possible range of procedures constrained to following:
Airfield – ground movement (clearance & direction); enter runway; take-off; climb out direction and final height; approach direction; circuit direction; runway allocation; hold height & direction; landing clearance; exit runway clearance
En-route – Climb / descend and cruising altitude; heading change; hold position, height and direction; diversion
F9.6A 9.6.1 Determine required manoeuvre from ATC comms (E)
(a) Unable to determine required manoeuvre from ATC comms
F9.6B (b) Manoeuvre determined from ATC comms, where none was requested
F9.6C (c) Incorrect manoeuvre determined from ATC comms and carried out
F9.6D (c) ATC required Manoeuvre partially completed
F9.6E 9.6.2 Confirm manoeuvre with ATC (E)
(a) Unable to confirm initiating manoeuvre with ATC
F9.6F (a) Unable to confirm completing manoeuvre with ATC
F9.6G (b) ATC manoeuvre ‘confirmed’ when none was requested
F9.6H (c) Incorrect ATC manoeuvre ‘confirmed’ to ATC (compared to that being actually carried out)
F9.7A 9.7 Emergency Broadcast Actions (E) (Coll aware fail; D/L fail; Mayday)
(a) Unable to broadcast – “Collision Avoidance Fail”
F9.7B (a) Unable to broadcast – Data Link Fail
F9.7C (a) Unable to broadcast – Mayday
F9.7D (b) Broadcast ‘Collision awareness fail’ when not required
F9.7E (b) Broadcast ‘Data Link fail’ when not required
F9.7F (b) Broadcast ‘Mayday’ when not required
F9.7G (c) Broadcast incorrect emergency message compared to that actually required
10. Collision Avoidance (F)(E)
F10.1A 10.1 Detect Traffic (E) (a) Unable to detect ‘co-operative’ traffic
F10.1B (a) Unable to detect ‘non co-operative’ traffic
F10.1C (b) Traffic detected when not present
F10.1D (c) Traffic detected late
F10.1E (c) Traffic detected in incorrect position
F10.1F (c) Traffic detected at incorrect height
F10.2A 10.2 Determine traffic relative track(E)
(a) Unable to determine traffic relative track
F10.2B (a) Traffic relative track determined at low update rate
(b) (continuous function when traffic detected )
F10.2C (c) Traffic relative track incorrectly indicated as converging
F10.2D (c) Traffic relative track incorrectly indicated as not converging
F10.3A 10.3 Maintain traffic separation(ROA) (E)
(a) Failure to manoeuvre (adequately) to maintain traffic separationi.a.w. Rules of the Air (right of way / minimum separation)
F10.3B (b) Traffic separation manoeuvre initiated when UAV shouldmaintain current track (right of way)
F10.3C (c) Incorrect traffic separation manoeuvre initiated (turn direction)F10.4A 10.4 Collision emergency evasion
(E)(a) Failure to manoeuvre (adequately) for collision emergency
evasion
F10.4B (a) Collision emergency evasion manoeuvre initiated late
F10.4C (b) Collision emergency evasion manoeuvre initiated whenunnecessary
F10.4D (c) Incorrect collision emergency evasion manoeuvre initiated (turndirection / height change)
F10.4E (c) Collision emergency evasion manoeuvre successful but UAVaffected by aircraft wake turbulence
F10.5A 10.5 Conspicuity to air traffic(visual, RF) (E)
(a) Unable to be detected by ‘co-operative’ traffic
F10.5B (a) Unable to be seen by other air traffic
F10.5C (a) UAV RF (Radar) Conspicuity varies significantly withobservation aspect
F10.5D (a) UAV visual conspicuity varies significantly with observationaspect
(b) (continuous function for civil operation – i.e. not switchable stealth)
F10.5E (c) UAV resembles other aircraft types of different size orperformance
FFA ID | Failure Condition | Flight Phases | Effect of Failure Condition - (1) AW; (2) ATM | Classification | Justification
1. Stability & Control; 1.3 Manoeuvre UAV (I)
F1.3A | Unable to manoeuvre UAV at all when demanded | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | (1), (2) Eventually, UAV will impinge on terrain or controlled airspace (Knock on effect – a cause of F2.5G terrain separation fail; F2.6F controlled airspace separation fail; F2.7F danger / populated area separation fail; F10.3A Traffic separation fail) | (1) Catastrophic; (2) Severity 1 | (dependent on knock-on effect failure being realised)
F1.3B | Unable to manoeuvre UAV in certain axes, when demanded | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | (1) Limited control available from secondary effects (see F1.3D below), sufficient to effect controlled loss of the UAV over an unpopulated site. (2) Likely to cause infringement of controlled airspace, but some control to minimise effect (i.e. maintain limited traffic separation) | (1) Hazardous; (2) Severity 2 | Scenarios for typical missions justify likely ATM effect
F1.3C | Undemanded manoeuvre | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | (1) In extreme, at critical flight condition (TO or Landing) loss of control. (2) Could be a cause for separation minima being breached – in extreme, (among traffic) cause collision | (1) Catastrophic; (2) Severity 1 |
F1.3D | Asymmetric manoeuvre control – demand in one axis causes uncontrollable manoeuvre in another axis | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | (1) In extreme, at critical flight condition (TO or Landing) loss of control. (2) Could be a cause for separation minima being breached – in extreme, (among traffic) cause collision | (1) Catastrophic; (2) Severity 1 | Some secondary effects of controls are OK (and normal aerodynamic effect), provided there is sufficient control authority to counteract them. Potential mitigation for F1.3B
F1.3E | Transient control deflections | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | (as F1.3C) | |
F1.3F | Manoeuvre control restriction – limited manoeuvre | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | (as F1.3B) | |
F1.3G | Manoeuvre control jams – unable to stop manoeuvre | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | (as F1.3C) | |
F1.3H | Excessive manoeuvre control deflections | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | (as F1.2B) | |
F1.3I | Manoeuvre capability exceeds vehicle structural strength | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | (1) UAV break up – unable to continue controlled flight | (1) Catastrophic | AW issue, as vehicle break up takes it out of the ATM environment
F1.3J | Manoeuvre control time delay (lag) | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | (as F1.2C and D) | |
1. Stability & Control; 1.4 Manual Override - Remote Piloting (I)
F1.4A | Unable to take manual control of UAV | Taxi, TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | No immediate effect, UNLESS a coincident functional failure occurs (in functions 1-10 inc) requiring manual intervention | As for the most severe of other functions 1-10: (1) Catastrophic; (2) Severity 1 | Manual override is intended as mitigation for many other failure modes. Safety requires independence from other failure forms (EITHER - autonomy in case of manual failure, OR - use of an independent 3rd option such as Flight Termination System to give a safe outcome, if critical functions are provided on a common data link with manual control from the GCS)
F1.4B | Unable to fly UAV with autonomy | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | Higher workload on UAV-p initially. Critical effect IF data link fails coincidently (effectively coincident with F1.4A) – UAV then reacts as F1.3A | As for F1.3A: (1) Catastrophic; (2) Severity 1 | Autonomous flight / manual override need to be independent, as either/or is required for successful continuing safe flight
F1.4C | Conflicting authority between manual and autonomous control | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | (as F1.4A and F1.4B) | |
F1.6G | Incorrect airspeed achieved – too low | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | (as F1.6D) | |
2. Air Navigation (I); 2.1 Position, Heading & Altitude Awareness (I); 2.1.1 Determine Position, Heading & Altitude (I)
F2.1A | Unable to determine position | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | In isolation – position can be approximated from heading, speed etc. In common failure with F2.1B or F1.1B – requires external means to identify position (functions 9.3 En-route ATC communications and 9.4 Tracking ‘visibility’). Without these, system faces emergency landing (function 7.3.2) in unknown terrain, or flight path through unknown airspace. Knock-on for Rel UAV would be loss of data link for Sens UAV | In extreme cases: (1) Catastrophic; (2) Severity 2 | AW severity assumes need to make blind emergency landing at last ‘known’ position (MS7 emergency landing scenario shows that small inaccuracies could cause impact on village location, as lesser evil to flying on and possibly crashing in major population area). ATM severity assumes that function 10 Collision avoidance remains active – need to beware of potential common mode failures.
F2.1B | Unable to determine heading | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | (as F2.1A) | |
F2.1C | Unable to determine altitude | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | If DETECTED - could manage by increasing altitude (from previous safe altitude) and steering where ground known to be lower. UNDETECTED - as F2.5G Unable to maintain safe altitude over terrain. ATM – if DETECTED, call ATC and declare PAN PAN PAN. If UNDETECTED, unable to maintain safe vertical separation below controlled airspace (as F2.7F) | Detected: (1) Major; (2) Severity 4. Undetected: (1) Catastrophic; (2) Severity 2 | MS8 routine approach to Aberporth over terrain assessed; MS5 emergency recovery under Dav CTA assessed. Undetected ATM severity assumes function 10 Collision avoidance remains active – need to beware of potential common mode failures.
F2.1D | Accuracy error in measured position, heading or altitude | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | (as F2.1A, B, C) | |
F2.1E | Lag in position, heading or altitude data measurement (phase shift) | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | (as F2.1A, B, C) | |
F2.1F | Measured position, heading or altitude freezes at last reading | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | (as F2.1A, B, C) | |
F2.1G | Measured position, heading or altitude goes to maximum scale | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | (as F2.1A, B, C) | |
F2.1H | Measured position, heading or altitude goes to minimum scale | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | (as F2.1A, B, C) | |
F2.1I | Transient spikes in measured position, heading or altitude | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | Manageable, if spikes allow trend in position and altitude to be assessed adequately. Else, treat as F2.1A, B, C | |
2.5 Terrain Avoidance (E); 2.5.1 Awareness & flight path proximity (E)
F2.5A | Unaware of surrounding terrain | Tran, Hand, TranS, Sens, App, Rel | (1) UNDETECTED – Controlled flight into terrain. DETECTED – climb to safe height and divert | (1) Catastrophic | Assumes TO and Land covered by functions 2.4 – ensure no combined functionality / common mode failure
F2.5B | Unaware of proximity of surrounding terrain to flight path | Tran, Hand, TranS, Sens, App, Rel | (1) UNDETECTED - CFIT | (1) Catastrophic |
F2.5C | Terrain proximity determined at low sampling rate | Tran, Hand, TranS, Sens, App, Rel | (1) UNDETECTED – Steep terrain encroaches into safe manoeuvring zone – as F2.5G terrain separation (minimum) not maintained. In extreme, CFIT as F2.5B | (1) Catastrophic | May be a cause for F2.5B – system believes terrain is being monitored, unaware of deficiency in measurements
F2.5D | Incorrect surrounding terrain determined | Tran, Hand, TranS, Sens, App, Rel | Causes F2.5G, F2.5K, F2.5M (terrain separation breached; emergency evasion not triggered; emergency evasion triggered unnecessarily). Knock-on for Rel UAV could be loss of data link for Sens UAV | | (caused by F2.1D positional inaccuracy, or F2.2D incorrect mission data elements)
F2.5E | Incorrect distance to terrain determined – lower than actual | Tran, Hand, TranS, Sens, App, Rel | (causes F2.5M emergency evasion triggered when not necessary) | |
Scenarios for Effects Consideration
(1) Consider broad effects of environment and emergency configurations
(2) Consider the following graphical mini-scenarios (appended to route plan maps):
• MS1 – Routine take-off from Aberporth and transit danger area
• MS2 – Airspace pinch point, between floor of Airway B3 (3500ft) and above Liv HPZ (2000ft) (over gas rigs)
• MS3 – GCS handover, 20nm band where Aberporth GCS and Spadeadam GCS both have datalink range
• MS4 – UAV Relay duty, in area between Colwyn Bay and Liv HPZ
• MS5 – Emergency Recovery, under Daventry CTA divert into Calton Moor military airfield (next to E Mids CTA)
• MS6 – Airmanship conflict, to maintain separation under Man TMA (3500ft) forces flight below safe altitude over terrain + mast (2490ft)
• MS7(a) – Emergency landing, East of Burnley, from low altitude (2800ft due to Man TMA)
• MS7(b) – Emergency landing, Teesdale, from high altitude (6000ft) but over steep terrain and valleys
• MS8 – Routine approach and landing into Aberporth, coming in over terrain, wind farms and villages
ANNEX E
SWIFT ASSESSMENT FOR COMPARISON (EXTRACT OF HAZARDS)
This annex provides the summarised results of a Structured What If Technique (SWIFT) hazard identification of the Guard Dog case study.
SWIFT was applied in ‘quick and dirty’ fashion by a group of 3 safety engineers with UAV assessment experience, independently from the Functional Failure Analysis carried out to apply the method defined in the body of this report. The intent was to provide a cross-check of hazards, to determine how well the FFA had identified hazards and whether, overall, there were still hazards left unidentified by either method. The evaluation of the two methods is covered in section 3.3 of the report.
The results of the SWIFT are shown below, along with an indication of where the FFA may have identified the same or a similar hazard.
Table E(i) – SWIFT hazards identified for Guard Dog case study
SWIFT ID | What If / Hazard indicated | Comment w.r.t. UAVS level assessment | FFA Comparable Hazard
Pre-flight / launch (up to and including engine start)
S1 | Manual handling | Ground hazard – OHSA |
S2 | Incorrect assembly | Causal – FTA or system FHA |
S3 | Undetected prior damage | Causal – FTA |
S4 | Miss-matched program / mission | | A63
S5 | Corrupted mission data | | A18
S6 | Incorrect fuel-type / mixture | | A67
S7 | Incomplete program / mission | | A18
S8 | Incorrect fuel load | | A65
S9 | Inadequate pre-flight checks | | A69
S10 | Fuel fire | Particular Risk Analysis |
S11 | Electrocution by electrics | Ground hazard – OHSA |
S12 | Propeller strike | Ground hazard – OHSA |
S13 | Inadvertent launch | |
S14 | Uncontained engine failure | Particular Risk Analysis |
S15 | Poor launch site information (incomplete recce) | | A22
S16 | Structural failure of pneumatics (of launcher) | Causal – FTA or system FHA |
Launch (field take off) to clear of launch
S17 | Unable to reach launch velocity | | A12
S18 | Unable to reach controlled flight | | A12, A1, A2
S19 | Structural break up | | A7
S20 | Obstacle clearance | | A22, A14
S21 | Launch out of wind limits | | A24
S22 | Engine failure | | A14, A6
S23 | Flight control system failure | | A1, A2, A3
S24 | Incorrect flight mode (autonomous or manual control) | | A8, A9
Airfield launch (As above plus:)
S25 | Poor preparation of launch site (inadequate runway quality) | |
Flight
S26 | Deviation from flight plan | | A21
S27 | Flight into controlled airspace (when not allowed) | | A28
S28 | Avionics failure (e.g. Nav system) | | A15
S29 | Loss of positional information from UAV to GCS | | A51
S30 | Failure of transponder | | A75, A76
S31 | Low Radar signature | | A74
S32 | Bird strike | Causal – FTA or system FHA |
S33 | EMC / EMI from transmission masts | | A42
S34 | General Aviation threat (collision avoidance system malfunctions) | | A83, A84
S35 | Weather extremes (e.g. lightning, turbulence etc) | | A55
S36 | Icing | | A55
S37 | Loss of power supply to GCS | Causal – FTA or system FHA |
S38 | Incorrect / corrupted signal from GCS | Causal – FTA or system FHA |
S39 | Unable to handover to next GCS | | A40
S40 | Unable to relay info to furthest UAV | | A44
S41 | Loss of GCS communications | |
S42 | Loss of GPS | | A15
S43 | RF Radiation Hazard to GCS occupants | Ground hazard – OHSA |
S44 | Uncommanded collision avoidance | | A85
S45 | Digital terrain / obstacle database not current | | A64
S46 | Loss of communications with ATC | | A71, A73
S47 | Failure to respect VFR / IFR rules | | A56
S48 | Pilot fatigue (long endurance shifts) | |
S49 | Flying 2 UAVs and inadvertently commanding the wrong one | Causal – FTA or system FHA |
S50 | Spurious system monitoring signal from UAV to GCS | | A59
S51 | Lasing / identifying the wrong target | Ground hazard – OHSA |
S52 | EMI between UAVS internal systems | Causal – FTA or system FHA |
S53 | Incompetent pilot | Causal – FTA or system FHA |
S54 | Security risk – control by terrorist | | A48
S55 | Flight into aircraft wake | | A86
S56 | Navigation visibility lights failure | | A87
Approach and Landing
S57 | Approach / land too fast | | A23, A6
S58 | Approach / land too slow | | A23, A6
S59 | Approach / land too high | | A23, A14
S60 | Approach / land too low | | A23, A14
S61 | Incorrectly aligned with runway | | A23, A24
S62 | Landing out of wind limits | | A24
S63 | Terrain masking during approach | | A50
S64 | Loss of control after landing (speed or direction) | | A31, A32, A33, A34
Maintenance
S65 | COSHH assessment | Ground hazard – OHSA |
S66 | Maintenance error | Causal – FTA or system FHA |
S67 | Lack of maintenance policy / philosophy | Procedural, regulatory |
S68 | Radiation hazards | Ground hazard – OHSA |
S69 | Electrical hazards | Ground hazard – OHSA |
S70 | Stored energy | Ground hazard – OHSA |
S71 | Inadequate in-service support e.g. logistics, airworthiness, configuration control, spares | Procedural, regulatory |
S72 | Incompetent maintainers | Procedural, regulatory |
S73 | Disposal aspects | Ground hazard – OHSA |
Emergency Actions
S74 | Incursion into airspace | | A30
S75 | Crash landing | | A60, A61
S76 | Datalink out of range | | A46
S77 | Diversion | | A57
ANNEX F
LISTING OF HAZARDS FOR INTEGRATION OF UAVS INTO UNSEGREGATED AIRSPACE (FROM TUAV CASE STUDY)
This annex provides the summarised hazard listing, after review of the FHA results from applying the modified ARP4761 method to the Guard Dog case study.
The results are, obviously, based on a specific consideration, but the case study was intended to be a generic Tactical UAVS (TUAVS), so there should be good read across to other TUAVS applications and, perhaps, fair read across to broader UAVS types. It is suggested that there is enough read across for the list to provide a ‘starter’ for other systems, to be added to by more specific application of the proposed HazID method.
The listing also indicates where there is commonality with the hazards identified using the SWIFT analysis (see Annex E to this report).
Table F(i) – Hazards identified for Guard Dog case study, using the proposed modifications to ARP4761 FHA technique
ID | UAVS Hazard indicated | Relating to UAVS FHA Functional Failures | Relating to SWIFT Comparable Hazard
A1 | Flight control instability | F1.1-, F1.2-, F1.5A | S18, S23
A2 | Inability to control (external) perturbations | F1.2A | S23
A3 | Inability to manoeuvre / maintain UAV on required flight path | F1.3-, F1.6O-R, F2.3-, F6.5B | S23, S26
A4 | Flight instrumentation (attitude and speed) errors | F1.1- |
A5 | Inability to identify flight instrumentation errors | [derived from F2.1- and assessment of effects - detected and undetected] |
A6 | Inability to achieve, maintain and control required airspeed | F1.6- | S22, S57, S58
A7 | Lack of structural integrity | F1.3H, F1.5D | S19
A8 | Unable to take manual control of the UAV (UAV-p) | F1.4A | S24
A9 | Unable to transfer to autonomous UAV control | F1.4B |
A10 | Conflicting authority between UAV controllers (manual / autonomous) (different ground controllers) | F1.4C,D, F4.2F |
A11 | Control mode error (where control laws differ with phase of flight) | F1.5C |
A12 | Launcher fails to provide correct take-off speed | F1.5B | S17, S18
A13 | Asymmetric thrust / power | F1.6E |
A14 | Unable to achieve / maintain / control required altitude or rate | F1.6- | S20, S22
A15 | Navigation instrumentation errors (altitude, position, heading; for general air navigation) | F2.1 | S28, S42
A16 | High accuracy navigation instrumentation errors (altitude, position, heading; for taxi, take off, approach, landing) | F2.4C-AB |
A17 | Inability to identify navigation instrumentation errors | F2.1- |
A18 | Planned mission route stored with errors | F2.2- | S5, S7
A19 | Planned mission route not achievable by UAVS (not capable within performance) | F2.2F, F6.5B, F6.5N, F8.1I |
A20 | Planned mission route not safe (by Rules of the Air) | F2.2G |
A21 | UAV deviates from planned route without correction | F2.3- | S26
A22 | Correct airfield and runway take-off and climb-out pattern data not used | F2.4A-F | S15, S20
A23 | Correct airfield and runway approach, hold, circuit and landing data not used | F2.4R-X | S57, S58, S61
A24 | Inability to determine correct wind-speed and direction in relation to runway (take-off or landing) | F2.4AC-AG | S21, S62
A25 | Minimum terrain separation (i.a.w. Rules of the Air) not maintained | F2.5A-O |
A26 | Terrain separation / emergency evasion triggered when not required / appropriate | F2.5M |
A27 | Separation from sensitive areas (danger areas / populated areas / NOTAMS areas) not maintained | F2.6-, F2.8- |
A28 | Separation from controlled airspace not maintained (when not equipped / cleared for controlled airspace operations) | F2.7- | S27, S75
A29 | Incorrect type / identifier of controlled airspace determined (if cleared for controlled airspace operations) | [outside scope of TUAV case study, but extrapolated] |
A30 | Incorrect emergency incursion action taken (for ROA) if controlled airspace entered in error | F2.7I,J | S74
A31 | Inability to control ground speed | F3.1A-J | S64
A32 | Excessive braking when not required | F3.1N, F3.1R | S64
A33 | Asymmetric braking | F3.1T | S64
A34 | Inability to provide controlled ground steering | F3.2A-J | S64
A35 | Incorrect airfield layout / ground taxi route determined | F3.2K-Q |
A36 | Inability to determine ground / air transition clearly | F3.2R-V |
A37 | Unable to correctly determine position of fixed / mobile ground obstacles | F3.2W-AC |
A38 | Inability to accurately determine command datalink signal strength | F4.1A-E |
A39 | Incorrect status of command datalink system serviceability determined | F4.1F-K |
A40 | Command datalink lost during attempt to hand over between GCS stations | F4.2A-G | S39
A41 | Command datalink handed to GCS, but GCS unaware it has control | F4.2D |
A42 | Command datalink suffers from EMI 'cross talk' with other RF traffic | F4.2K,R | S33
A43 | Command datalink lags via satellite / relay | F4.2M,U |
A44 | Command datalink drop outs via satellite / relay | F4.2L,N,T,V | S40
A45 | Satellite / relay UAV passes control datalink commands to incorrect UAV | F4.2Q |
A46 | Failure to take correct emergency recovery action if command datalink fails | F4.3- | S76
A47 | Command datalink jammed | F4.4A |
A48 | Command datalink stolen | F4.4B | S54
A49 | Valid command datalink rejected as jammed / stolen | F4.4C |
A50 | Inability to accurately determine terrain proximity to command datalink line of sight | F4.5- | S63
A51 | Inability to telemeter accurate UAV parameters (control parameters, navigation parameters, flight system status) to GCS | F6.1-, F6.2-, F6.3-, F6.4- | S29
A52 | Inability to monitor initial / changing weather conditions along the mission route | F6.5A-J, F8.1AC-AG |
A53 | Bad weather re-routing infringes sensitive airspace / overflown areas | F6.5Q |
A54 | Bad weather re-routing exceeds UAV capability (performance) | F6.5P |
A55 | Weather effects on UAV - icing, precipitation, dust, sand | [implied from functional consideration to avoid bad weather and F6.5M,O] | S35, S36
A56 | UAV flight in reduced visibility / IFR conditions | [implied from functional consideration to avoid bad weather and F6.5M,O] | S46
A57 | Unable to determine a valid diversionary airfield (for emergency / bad weather recovery) | F6.5K,L,R-V | S77
A58 | Diversionary airfield / route not communicated between UAV and GCS (UAV not aware of appropriate action to take, or GCS not aware what action the UAV will take) | F6.5W,X |
A59 | Unable to accurately determine the status of critical flight systems | F7.1- | S50
A60 | Incorrect emergency action taken - no action / divert / emergency landing | F7.3A-K | S75
A61 | Emergency landing attempted in populated area | F7.3L | S75
A62 | GCS moding initiates ground mode displays and controls (e.g. mission planning), when in-flight monitoring / control required | F8.1C |
A63 | Incorrect mission plan completed / loaded | F8.1A-H | S4
A64 | Incomplete / incorrect supporting data available for mission planning (e.g. HIRF locations, terrain, danger areas, controlled airspace) | F8.1K-AB | S45
A65 | Consumables not fully refuelled / recharged prior to take-off / launch | F8.2A,D | S8
A66 | Consumables still being refuelled / recharged at launch (or other inappropriate flight phase) | F8.2B | S13
A67 | Consumables refuelled / recharged with incorrect or contaminated materials | F8.2E,F | S6
A68 | UAV centre of gravity adversely affected by fuel charge | F8.2G |
A69 | Pre-flight systems test returns incomplete / incorrect system status | F8.2H-N | S9
A70 | Different mission plans loaded - UAV; relay UAV; first GCS; other GCS in mission | F8.2U-X |
A71 | Inability to correctly understand and reply to airfield ATC communications | F9.1-, F9.5- | S46
A72 | Inability to correctly detect, interpret and respect airfield visual signals | F9.2- |
A73 | Inability to correctly understand and reply to en-route ATC communications (e.g. advisory Flight Information Service) | F9.3-, F9.5- | S46
A74 | UAV poor Radar visibility for tracking by ATC | F9.4B,C | S31
A75 | Transponder failure to squawk or squawks incorrect identifier | F9.4A,D-F | S30
A76 | Transponder returns incorrect altitude to ATC (if Mode S / Mode C) | F9.4G | S30
A77 | Radio frequency changed in error (e.g. to emergency frequency) | F9.5- |
A78 | UAV does not correctly comply with Airfield ATC procedures: ground movement (clearance & direction); enter runway; take-off; climb out direction and final height; approach direction; circuit direction; runway allocation; hold height & direction; landing clearance; exit runway clearance | F9.6- |
A79 | UAV does not correctly comply with en-route airspace ATC procedures: Climb / descend and final cruising altitude; heading change; hold position, height and direction; diversion | F9.6- |
A80 | UAV complies with Airfield or En-route ATC procedure intended for another aircraft | F9.6C |
A81 | Unable to correctly broadcast emergency message: “Collision Avoidance Fail”; “Data link fail”; “Mayday” | F9.7A-G |
A82 | Emergency broadcast made when none necessary | F9.7D-F |
A83 | Inability to maintain correct, normal traffic separation, i.a.w. Rules of the Air 'Right of Way' | F10.1-, F10.2-, F10.3- | S34
A84 | Inability to carry out appropriate emergency evasive manoeuvre for collision avoidance | F10.4A-D | S34
A85 | Collision avoidance emergency evasion manoeuvre carried out when not appropriate | F10.4C | S44
A86 | UAV susceptibility to wake turbulence from other aircraft | F10.4E | S55
A87 | UAV inconspicuous to other aircraft by RF or visual means (all round visibility, or when viewed from particular aspects) | F10.5A-D | S56
A88 | UAV resembles other aircraft types of different size or performance | F10.5E |
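The cross-check that Annex E sets out (how well the FFA hazards match the SWIFT hazards) and the two-way references in Table F(i) can be mechanised. The script below is an added example, not code from the report: it works on a constructed subset of the two tables, and the function names and the reading of the FHA letter-range shorthand as spreadsheet-style ordering (Z followed by AA) are assumptions.

```python
"""Cross-check of the Annex F hazard listing against the Annex E SWIFT results.

Added example, not code from the original report. It expands the FHA reference
shorthand used in Table F(i) ("F1.3-", "F2.4C-AB", "F6.5K,L,R-V") into explicit
functional-failure IDs and reports where the two hazard identification methods
disagree. The rows below are a constructed subset of the page's own tables.
"""
import re

# Constructed subset of Table F(i): (hazard ID, FHA references, SWIFT references).
ANNEX_F = [
    ("A1", "F1.1-, F1.2-, F1.5A", "S18, S23"),
    ("A3", "F1.3-, F1.6O-R, F2.3-, F6.5B", "S23, S26"),
    ("A16", "F2.4C-AB", ""),
    ("A57", "F6.5K,L,R-V", "S77"),
    ("A85", "F10.4C", "S44"),
]
# Constructed subset of Table E(i): (SWIFT ID, what-if, FFA comparable hazard).
ANNEX_E = [
    ("S18", "Unable to reach controlled flight", "A12, A1, A2"),
    ("S23", "Flight control system failure", "A1, A2, A3"),
    ("S26", "Deviation from flight plan", "A21"),
    ("S44", "Uncommanded collision avoidance", "A85"),
    ("S48", "Pilot fatigue (long endurance shifts)", ""),
    ("S77", "Diversion", "A57"),
]

# One FHA reference: function number, then either "-" (every failure condition
# of that function) or a comma list of letters and letter ranges such as C-AB.
# Assumption: the letters run A..Z, AA, AB, ... like spreadsheet columns.
REF = re.compile(r"F(\d+\.\d+)(-|[A-Z][A-Z,\-]*)")


def letter_index(s: str) -> int:
    """Column-style letters to an ordinal: A=1 ... Z=26, AA=27, AB=28."""
    n = 0
    for ch in s:
        n = n * 26 + ord(ch) - ord("A") + 1
    return n


def index_letter(n: int) -> str:
    """Inverse of letter_index."""
    out = ""
    while n:
        n, r = divmod(n - 1, 26)
        out = chr(ord("A") + r) + out
    return out


def expand_fha(refs: str) -> set:
    """Expand 'F2.4C-AB' style shorthand into explicit IDs such as 'F2.4AA'."""
    ids = set()
    for func, spec in REF.findall(refs):
        if spec == "-":
            ids.add(f"F{func}-")  # whole-function wildcard is kept as written
            continue
        for part in filter(None, spec.split(",")):
            lo, _, hi = part.partition("-")
            for n in range(letter_index(lo), letter_index(hi or lo) + 1):
                ids.add(f"F{func}{index_letter(n)}")
    return ids


def _num(hid: str) -> int:
    return int(hid[1:])


def swift_not_in_fha(annex_e=ANNEX_E, annex_f=ANNEX_F) -> list:
    """SWIFT hazards that no Annex F row claims as comparable."""
    claimed = {s for _, _, sw in annex_f for s in re.findall(r"S\d+", sw)}
    return sorted((sid for sid, _, _ in annex_e if sid not in claimed), key=_num)


def fha_not_in_swift(annex_f=ANNEX_F) -> list:
    """Annex F hazards with no SWIFT counterpart (found by the FHA only)."""
    return sorted((aid for aid, _, sw in annex_f if not sw.strip()), key=_num)


def asymmetric_links(annex_e=ANNEX_E, annex_f=ANNEX_F) -> list:
    """(A-id, S-id, side) where one annex cites the link and the other does not.

    Only pairs whose rows exist on both sides are checked; a missing row is
    reported by the two functions above rather than as an asymmetry.
    """
    f_links = {(a, s) for a, _, sw in annex_f for s in re.findall(r"S\d+", sw)}
    e_links = {(a, s) for s, _, ffa in annex_e for a in re.findall(r"A\d+", ffa)}
    f_rows = {a for a, _, _ in annex_f}
    e_rows = {s for s, _, _ in annex_e}
    out = [(a, s, "Annex F only") for a, s in f_links - e_links if s in e_rows]
    out += [(a, s, "Annex E only") for a, s in e_links - f_links if a in f_rows]
    return sorted(out)


if __name__ == "__main__":
    print("SWIFT hazards without an FHA hazard:", swift_not_in_fha())
    print("FHA hazards without a SWIFT hazard:", fha_not_in_swift())
    for a, s, side in asymmetric_links():
        print(f"{a} <-> {s} cited in {side}")
```

On the subset it reports S48 as found by SWIFT only, A16 as found by the FHA only, and the A3/S26 link that Table F(i) claims but Table E(i) does not.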