hazards of uav


THE HAZARDS OF UNMANNED AIR VEHICLE INTEGRATION INTO UNSEGREGATED AIRSPACE

Andrew R Evans

This report is submitted to satisfy the project requirements of the

Master of Science in Safety Critical Systems Engineering

at the Department of Computer Science

September 2006

Number of words = 43,176, as indicated by the Microsoft Word ‘word count’ tool. The count includes the title page, preliminaries, report body, and Annex F, but not the Bibliography. Annexes A – E contain supporting evidence and contextual information for the reader, and have not been included in the word count.


ABSTRACT

There is strong interest in expanding Unmanned Air Vehicle Systems (UAVS) usage. Potential military and civil tasks will need them to operate in the same airspace as manned aircraft and over the general public. While they are currently segregated because of concerns for safety, what are the real safety risks and can they be addressed?

A broad literature review has highlighted a range of safety-related issues. In particular:

• The root hazards associated with UAVS integration are not well understood.

• Can an EASA CS.23/25.1309 type safety assessment approach be taken, to identify the hazards and support clearance into unsegregated airspace?

A hazard identification methodology has been developed based on ARP4761 (an accepted framework for satisfying EASA CS.23/25.1309). Functional Hazard Assessment (FHA) elements have been modified to be UAVS-applicable, with a UAVS-level assessment, consideration of the wider system of systems, and techniques to draw out UAVS peculiarities. The method has been applied to a Tactical UAVS case study to derive a hazard listing.

The project has concluded that:

• There are a broad range of safety issues to be overcome, to allow UAVS integration into unsegregated airspace – some relating to the differences of UAVS as ‘disruptive technology’; others to the manned airspace environment struggling to accommodate UAVS.

• The hazard identification method developed provides a strong supplement to ARP4761, allowing the combined framework to be used for UAVS safety assessment.

• In the test application, the method identified around 90% of hazards related to integrating UAVS into unsegregated airspace. This should improve further in a real application, through peer review, stakeholder involvement, and the use of the follow-on safety assessment techniques that make up ARP4761.


ACKNOWLEDGMENTS

The completion of this project would not have been possible, without the support of many people.

I would like to thank Peter Moores and JRA Aerospace Ltd, for their support and sponsorship; and my JRA colleagues Dan Warnes and Mike Shilling for acting as ‘sounding boards’ (or sounding bored?) of my developing ideas.

I would like to thank my project supervisor, Mark Nicholson, for his guidance, advice and humour throughout the conduct of the project.

I would like to thank Patrick Mana and Mike Strong (EUROCONTROL) for their advice on Air Traffic Management approaches to safety and Unmanned Air Vehicles.

I would like to thank the many people of the UAVS industry with whom I had discussions – too many to mention in full, but a few key personalities being Dr Sue Wolfe (Parc Aberporth), Andre Clot and Mike Lake (the UAVS Association), and Ingo Massey (Remote Aviation Ltd) – their unwavering enthusiasm and belief that UAVs will become integrated with manned airspace was infectious.

Finally, I would like to thank my wife, Caroline, my family and friends for their love, support and preaf-rooding. Yes, I promise that I won’t do any more educational ‘challenges’. Well, for a long while, at least.


TABLE OF CONTENTS

Abstract
Acknowledgments
Table of Contents
List of Tables
List of Figures
Introduction
PART 1 – Literature Review
    Overview of Unmanned Aerial Vehicle Systems
    Issues Relating to UAV Safety and Access to Integrated Airspace
    Note on UAV Classification
    1.1 Safety Issues Relating to UAVs as 'Disruptive Technology'
        1.1.1 Impact of the Variety, Roles and Performance of UAVs
        1.1.2 The complex system boundary for UAVs
        1.1.3 UAV autonomy - technology, predictability, complexity
        1.1.4 Accident rates and reliability - UAV airworthiness
    1.2 Safety Issues Relating to the Manned Airspace Environment 'Coming to Terms' with UAVs
        1.2.1 Regulation, Certification and the Drive for Standards
        1.2.2 ATM interaction
        1.2.3 Collision avoidance
        1.2.4 Security and safety
        1.2.5 The Human Element
        1.2.6 Public perception of UAV safety
    1.3 Summary of UAVS Safety Issues
PART 2 - Design and Build: Moving forward in UAVS HazID
    2.1 Assessment of ARP4761 Usability for UAVS HazID
        2.1.1 Introduction
        2.1.2 Safety Objectives
        2.1.3 'Aircraft Level' and 'System Level' FHA
        2.1.4 FHA Process:
        2.1.5 Overall Applicability of ARP4761 for UAVS use
    2.2 Modifying ARP 4761 FHA for UAVS Use
        2.2.1 Derivation of Safety Criteria and Objectives for UAVS Application
        2.2.2 FHA Levels to Address System Complexities
        2.2.3 Function Identification
        2.2.4 Identification and Description of Failure Conditions
        2.2.5 Identifying and Managing the Effects of the Failure Conditions
        2.2.6 Summary of Amended FHA Process
PART 3 - Test and Evaluation
    3.1 Test Methodology
    3.2 Evaluation of the Modified HazID Method through Trial Application
        3.2.1 Derivation of Safety Criteria and Objectives for UAVS Application
        3.2.2 FHA Levels to Address System Complexities
        3.2.3 Function Identification
        3.2.4 Identification and Description of Failure Conditions
        3.2.5 Identifying and Managing the Effects of the Failure Conditions
    3.3 Evaluation of Hazards Identified by the Modified HazID Method
PART 4 – Conclusions and Further Work
    4.1 Findings, Related to Satisfaction of the Project's Aims
        4.1.1 Identifying Current Concerns over UAVS Safety
        4.1.2 A Framework for Considering Safety Risks Related to Integrating Unmanned Vehicles into Unsegregated Airspace
    4.2 Recommendations for Further Work
        4.2.1 UAVS Safety, generally
        4.2.2 UAVS Hazard Identification Methodology and Application of ARP4761 Framework
Bibliography
Abbreviations & Acronyms
Annex A Review of ARP 4761, to support ARP 4758, CS 25.1309 etc for UAV application
Annex B Extract from [CAA02] - A Method for Setting Design Standards for New Kinds of Aircraft, Including Unmanned Air Vehicles
Annex C 'Guard Dog' - generic TUAV Case Study
Appendix C1 Guard Dog Mission Scenario (Coastal Route)
Appendix C2 Guard Dog Mission Scenario (Inland Route)
Annex D FHA for 'Guard Dog' TUAV System (extracts)
Annex E SWIFT Assessment for Comparison (extract of hazards)
Annex F Listing of Hazards for Integration of UAVS into Unsegregated Airspace (From TUAV Case Study)


LIST OF TABLES

Table 2.2.1(i) - Airworthiness Failure Condition Severities (after [SAE96], with additions from [UTF04] as noted)
Table 2.2.1(ii) - EUROCONTROL ATM-Focused Separation / Collision Safety Criteria (from [EUR04])
Table 2.2.1(iii) - Airworthiness Safety Objectives - probabilities per Flying Hour (from [SAE96], drawn from [FAA88] and compared with [FAA99])
Table 3.2.1(i) - Airworthiness Failure Condition Severities for ‘Guard Dog’ (drawn from Table 2.2.1(i))
Table 3.2.4(i) – Example of ‘Loss of Function’ for pseudo-continuous function
Table 3.2.4(ii) – Example of ‘Uncommanded Function’
Table 3.2.4(iii) – Example of ‘Incorrect Function’ for a cross-system function
Table 3.2.4(iv) – Example of failure identification for a warning function
Table 3.2.5(i) Examples of analysis of the effects of failure conditions, from the ‘Guard Dog’ FFA
Table 4.1.2(i) – Satisfaction matrix for development of HazID methodology
Table A(i) - Safety Objective, from ARP 4761 (drawn in turn from CS.25.1309)
Table A(ii) - Severity Criteria as defined in ESARR4 by EUROCONTROL
Table D(i) - Airworthiness Failure Condition Severities (from Table 2.2.1(i))
Table D(ii) - Airworthiness Safety Objectives
Table D(iii) – ATM Separation / Collision Safety objectives
Table D(iv) – Flight phases view of functions
Table D(v) – External interactions and derived UAVS functions
Table D(vi) – Functional Failure Conditions for Guard Dog UAVS
Table D(vii) – Failure Effects for (a selection of) Guard Dog failure conditions
Table E(i) – SWIFT hazards identified for Guard Dog case study
Table F(i) – Hazards identified for Guard Dog case study, using the proposed modifications to ARP4761 FHA technique


LIST OF FIGURES

Figure 1a - AQM-34 derivative showing the improving reliability of 'high end' UAV systems [Wes05]
Figure 1b - Aerosonde Laima Crosses the Atlantic (taken from www.aa.washington.edu/research/afsl/background.shtml)
Figure 1c - Spectrum of current UAV military types [Wei04]
Figure 1.1.3a - Autonomy level variation with required flexibility of mission / environment and certainty of information
Figure 1.1.3b Optimising autonomy level to suit operator's [mission] needs
Figure 1.1.3c varying the UAVS autonomy level to suit the required level of operator authority for a situation
Figure 1.1.3d 'Agent' View of the UAVS assets and mission decision-making environment (for a multi-UAV scenario)
Figure 1.2.1a - EASA / EUROCONTROL 'Total System' vision for aircraft / UAVS regulation
Figure 2.2.2a – Example of decomposition of high level policy to lower level agents or cases [Hall05]
Figure 2.2.2b - Example of Rich Context Diagram (taken from [RQE05, unit 20])
Figure 2.2.3a – Modified ‘V’ to ‘Y’ model safety assessment process [Jos05]
Figure 2.2.6a - ARP 4761 FHA Process, with modifications overlaid for UAVS applicability
Figure 3.1a - "Capture - Recapture" analysis method, to measure the effectiveness of hazard identification processes
Figure 3.1b - Overview of Guard Dog UAVS case study
Figure 3.2.2a - Rich Context Diagram for Guard Dog UAVS and the System of Systems
Figure 3.2.3a – Example of use of mind-map to consider each system element’s view of functions
Figure 3.2.3b – Example of derived Functions Tree for ‘Guard Dog’ UAVS
Figure 3.2.4a – Example of outline Emergency Procedures, to derive functions
Figure 3.2.5a – Example of mini scenario for consideration of failure effects
Figure 3.2.5b – Example of graphical scenario ‘MS1 Routine Take-off and climb out’
Figure A-1 - ARP4761 Process for an Aircraft-level FHA
Figure B-1 – Unpremeditated Descent Scenario
Figure B-2 – Loss of Control Scenario
Figure C-1 – Overview of Guard Dog Case Study
Figure C1-1 Flight Plan – Westerly Route (to maximize over-water flight)
Figure C2-1 - Flight Plan – Easterly Route (to maximise overland / ATC interaction)
Figure D-1 Rich Context Diagram for Guard Dog UAVS and the System of Systems around it
Figure D-2 - Outline Emergency Recovery Procedures
Figure D-3a – UAV Centred view of functions
Figure D-3b – GCS centred view of functions
Figure D-3c TACU and Field Recovery / Launch Unit centred views of functions
Figure D-4a – Guard Dog Functions Tree (part 1 of 3)
Figure D-4b – Guard Dog Functions Tree (part 2 of 3)
Figure D-4c – Guard Dog Functions Tree (part 3 of 3)


INTRODUCTION

Background

Unmanned Air Vehicles (UAVs), from quiet beginnings alongside manned aviation as targets and Remotely Piloted Vehicles (RPVs), have been gradually growing in use. In particular, their use by military forces in operational areas such as the Balkans, Afghanistan and Iraq has started to catch the public eye. Now, with a drive for ‘homelands security’, and with increasing environmental and financial pressure in carrying out ‘dull, dangerous and dirty’ tasks with larger, manned aircraft, interest is growing to expand the use of UAVs in military and civil applications. This requires that they be integrated into unsegregated airspace, alongside manned aircraft and over the general public. However, important questions remain over how they can be cleared to operate safely, in airspace infrastructures developed and regulated for safe manned flight.

This report is aimed at safety professionals who may become involved in the assessment and clearance of UAV Systems (UAVS). It is also intended to be of use to UAVS developers, operators and regulators, as they face the many issues to be overcome to allow safe, integrated flight.

Objectives and Motivation for the Project

There is strong interest in expanding the use of UAVs. Currently, their operation is segregated from civilian airspace because of safety concerns, but to allow them to reach their potential, they need to be integrated into unsegregated airspace. What, then, are the real safety issues that must be overcome? In particular, it is unclear how they can be integrated safely with manned aircraft and conventional air traffic control. Partly, without prior experience of integrating such systems, the types of hazards involved are not adequately understood. Without a clear framework of UAVS hazards, it is therefore difficult to operate a risk-based safety assessment process.

This project aims to:

• Identify the current concerns over UAVS safety, in relation to the existing manned airspace infrastructure;

• Hence, derive a framework for considering the safety risks related to integrating unmanned vehicles into unsegregated airspace. The intent is that this, as part of a robust safety assessment and certification programme, will assist in the eventual clearance of UAVS, to operate routinely alongside manned aircraft.

Project Scope (and Limitations)

There is a large amount of documentation available in the public domain, relating to UAVS and their integration. With the pace of technological advance being high, the project has focussed on the later information as being most relevant (significantly, some issues have not advanced in recent times, even with this ‘push’).

The first part of the project has thus involved a significant effort, to identify the current concerns over safety.

Having established as part of this research that there is a place for a risk-based safety analysis process, the project has had to remain focussed on the hazard identification framework as the main goal. Hence, while there are suggestions for a complete safety assessment framework for UAVS development, the project is not intended to provide a ‘one stop shop’ for the safety professional involved in UAVS assessment. It does not provide detailed safety analysis methods for further down the design and implementation path.

The project is intended, however, to provide a robust start to such a safety assessment process, with a sound hazard identification methodology based on the civil standard of ARP 4761. It is noted that other forms of hazard identification do exist, and they might also prove UAVS-friendly, but this project has strived to ensure that the hazard identification method would be compatible with existing requirements of the regulatory bodies for civil aviation. Without their consensus, the safety assessment method will not support clearance into civil skies. ARP4761 is an accepted standard and, if it can be made UAVS-applicable, it can support civil clearance.

In order to assess the hazard identification framework, a case study has been used, featuring a generic Tactical UAV System. This provides a good benchmark for the applicability of the method and the hazards it produces. However, as is discussed in section 1.1.1, UAVSs differ significantly in size, performance and role. Due to limitations of time, it has not been possible to assess the framework against all of these varieties. Instead, the Tactical UAVS was chosen as having broad applicability which may have significant read across to many of the other configurations. That said, the method should be reviewed for its applicability before its use with the more extreme configurations of UAVS.

Report Structure and Layout

This report presents the research, analysis, development, evaluation, conclusions and recommendations for the project and is structured as follows:

• Part 1 presents the literature review. A broad review has been carried out, to establish the context for UAV Systems, and this provides an important introduction to the characteristics of such systems for those not overly familiar. The review then focusses on the safety-related issues, identifying those inherent in the UAVS as ‘disruptive technology’, and those due to the manned airspace environment trying to come to terms with that disruption.

• Part 2 represents the ‘design and build’ activity for the project. Here, the ARP4761 civil safety assessment process is assessed for its UAVS applicability. Then, a hazard identification framework is derived, to address the identified gaps and hence provide a robust, UAVS-friendly methodology.

• Part 3 assesses how robust the new hazard identification methodology is. The framework is evaluated using a Tactical UAV case study, and the results analysed for practicality of application and robustness of hazard identification.

• Part 4 presents the conclusions and recommendations from the project, assessed against the project aims. It also suggests areas of potential further work, identified during the conduct of the project.

The annexes to the report provide supplementary material as context and evidence for the main report body:

• Annex A provides a more detailed review of ARP4761, used to derive the ‘design requirements’ for the UAVS-friendly Functional Hazard Assessment (FHA) hazard identification method.

• Annex B provides an extract from a Civil Aviation Authority paper on a method for comparing UAVSs against manned aircraft, using kinetic energy criteria. This is used, in part, within the hazard identification method.

• Annex C provides useful contextual information on the Tactical UAVS case study used throughout the project.

• Annex D contains extracts from the results of applying the hazard identification methodology to the case study system. The full results could not be practically annexed due to document size, so elements have been extracted pertinent to the evaluation in Part 3.

• Annex E contains a summary of the hazards identified using Structured What-If technique (SWIFT) as an alternative identification method. The results allow comparison of the robustness of the hazard identification from both methods.

• Annex F provides a listing of the hazards identified using the UAVS-friendly FHA method, as applied to the Tactical UAVS case study. This is provided as a ‘starter list’ to aid the assessment of other UAV Systems, and is not intended as being a complete list for all varieties of UAVS.


PART 1 – LITERATURE REVIEW

Overview of Unmanned Aerial Vehicle Systems

What is an Unmanned Aerial Vehicle System (UAVS)?

Let us start with a narrower question - what is an Unmanned Aerial Vehicle, or UAV, as this tends to be the 'business end' of the overall system? This can be surprisingly complex to define, but the Civil Aviation Authority (CAA) take a nice, broad view in their definition as:

“An aircraft which is designed to operate with no human pilot on board.” [CAA04, section 2.1].

This definition is both short and subtle, in that it is inclusive of all flying vehicles that would usually be considered under a wide remit as 'aircraft', and covers all aspects of pilotage and control from the fully autonomous vehicle to those under direct ground-based pilot control.

There are more complex definitions, such as that proposed by the United States Department of Defense (DoD) for "A powered, aerial vehicle that does not carry a human operator, uses aerodynamic forces to provide vehicle lift, can fly autonomously or be piloted remotely, can be expendable or recoverable, and can carry a lethal or non-lethal payload. Ballistic or semi-ballistic vehicles, cruise missiles, and artillery projectiles are not considered unmanned aerial vehicles." [DeG04, section 1.1]. While this is admirable from a legalistic viewpoint, it does not make for easy reading or general use, so we will stick with the more inclusive CAA definition. What this does indicate is the lack of consensus between agencies involved in gaining airspace access for UAVs, and hence the basic levels of difficulties that will have to be overcome.

What, then, of the UAVS? This is the broader system, which includes not only the UAV itself but also all the other necessary elements to operate the vehicle. There are the 'hard' elements in use during the actual real-time mission, such as the Ground Control Station (GCS) and its Datalink with the UAV, and any hardware required to launch and recover the UAV. Then there are less real-time but still significant aspects such as Mission Planning. The 'system' can also include softer aspects, such as the organisation that operates the UAV, its personnel and their competence, and the procedures for operation of the system. All of these have significance for the safe operation of the UAV.

Brief History of UAVs

The early story of UAVs lies almost solely with military efforts, to alleviate pilots from the 'dull, dangerous and dirty' jobs. The earliest significant attempt was perhaps the Sopwith AT in 1916, which was proposed as an 'aerial target' but was actually intended to air intercept / ground attack under remote control. Unfortunately it never flew, being damaged in its hangar and subsequently abandoned.

As might be expected, the major developments occurred in line with the requirements of war, and WWII gave real impetus. The first large numbers of Radio Controlled targets appeared in the mid-late 1930s, to allow the growing population of air gunners to practice - in the UK, the Queen Bee (from where the term 'drone' emanates) and in the US the Radioplane RP-4 (or 'Denny Drones'), which was the first sub-scale target (and hence showed the potential for miniaturisation) [Wes05]. Meanwhile, Germany developed the V1 and V2 weapon systems - not UAVs as such but contributing significantly to the technology required for guidance and autonomous control [DeG04]. In the late 1940s, the US began to broaden the role from targets, using RC aircraft such as pilotless P-61s for thunderstorm meteorological data collection, and even large QB-17 Fortresses for Bikini Atoll atomic tests [Wes05]. The Korea and Vietnam wars saw major US development, introducing the AQM-34 Firebee and its derivatives [Wes05]. Flying over 3,400 missions (in Vietnam) this system introduced several new developments of the role and capability of UAVs: photo reconnaissance, Electronic Intelligence (ELINT), decoy, Electronic Counter-Measures (ECM), even weapon delivery including torpedoes and 500lb iron bombs; and technology improvements such as long-range navigation (using LORAN) and datalinks for image data download. An example of these more sophisticated UAVs is shown in Figure 1a.

Figure 1a - AQM-34 derivative showing the improving reliability of 'high end' UAV systems [Wes05]

In the 1980s and 90s, US funding receded in 'low-end' UAV systems, and instead switched into higher performance systems such as Predator and Global Hawk. Other countries continued to see the value of low cost reconnaissance systems as 'force multipliers' in dangerous situations. In this period, Israeli, French and UK systems (Phoenix) saw service in the Balkans, Afghanistan and Iraq. The military requirement for UAVs was now well established.

The 1990s finally saw some peaceful civilian uses for UAVs, such as NASA Pathfinder and Helios, for environmental monitoring. In 1998, a 13kg Australian system (Aerosonde Laima) crossed the Atlantic, opening the door for long endurance civil systems with fully autonomous navigation (using GPS) (see Figure 1b). UAVs are here and cannot be ignored!

Figure 1b - Aerosonde Laima Crosses the Atlantic (taken from www.aa.washington.edu/research/afsl/background.shtml)


Current and Future Directions

New technology is accelerating the pace of UAV development, and hence increasing the 'push' into the market-place. As Willbond notes [Wil05], not only has the aviation industry seen major developments, such as in avionics, fault tolerant flight controls and stronger / lighter composite materials, but the world overall is being changed by disruptive technologies such as Global Positioning navigation, faster / more flexible communications links and the incredible speed of development in computing power ('per pound' of hardware required to perform it). These changes are allowing UAV Systems themselves to develop as a disruptive technology - like the jet engine when it emerged among the piston-engined fleets of the 1950s, they do not just evolve from previous technology but completely revolutionise what can be achieved.

What is less certain at the moment is the direction of the 'pull' into the market-place - what do people want UAVs to do for them? As before, the military have more established requirements, based on the UAV's perceived unique capabilities:

o  They can perform jobs that are too 'dull, dangerous or dirty' to be undertaken by manned aircraft.

o  However, they also have capabilities beyond those of manned aircraft - in particular to undertake tasks at extreme altitude, or incredible endurance. They can also launch and recover from areas that manned aircraft (even helicopters) cannot get into or out from.

o  With their relative low cost (compared to manned aircraft and helicopters), using several UAVs can perform some persistent tasks more cost-effectively than the few manned aircraft that could be deployed for the same resource.

Several military customers have published 'roadmaps' showing their requirements for UAVs, from the current situation out to quite extended timescales in some circumstances. What these declare is a vision, of how they see UAV types and their operational capabilities developing. As Figure 1c shows (fairly typically), there is a wide spectrum of UAV types required, from micro (such as the Black Widow) costing a few hundred dollars and easily man-portable for operational-level deployment, up to large scale High Altitude / Long Endurance (HALE) type UAVs (such as Global Hawk) costing millions of dollars but delivering strategic-level capability.

Figure 1c - Spectrum of current UAV military types [Wei04]


Potential civil applications are held back from deployment in most nations, primarily because of the lack of certification and safe integration into the general airspace that this report explores ([Wil05]). Civil applications cannot, routinely, fit into a segregated range or battle area. Hence there are not, currently, many civil UAVs outside of experimental development and use. There are, however, many intended uses once the barrier of integration has been surmounted, such as [Okr05]:

o  Environmental monitoring tasks, such as pollution patrolling, earthquake warning, animal population tracking, weather forecasting...

o  Catastrophe management, allowing operation management, situation assessment, or direct action such as fire-fighting

o  Patrolling low-population areas, for tasks such as Search and Rescue, or border security patrol (very useful as part of the US Homelands Security initiative)...

o  Survey tasks such as geological surveys, pipeline / cable surveying...

Rather like the Laser once was described, the civil UAV is a solution waiting for a problem, and uses will multiply once they have gained access to the necessary airspace.

Issues Relating to UAV Safety and Access to Integrated Airspace

In order to gain this routine access to airspace, UAVS designers, operators and regulators will have to address a number of significant safety issues, and these are discussed below. The issues identified from the Literature Search fall roughly into two areas:

o  Those issues which derive from the UAV's own disruptive technology;

o  Those caused by the UAVs developing, not in a vacuum (as manned aerospace did in its first years) but in an already established manned airspace environment, which must come to terms with how to handle the newcomers.

These aspects are discussed in the following sections.

Note on UAV Classification

As discussed in CAP 722 [CAA04, Chapter 1], there are several ways of classifying UAVs in order to apply some common principle, such as by weight, kinetic energy, operating domain or mission type (and we look briefly at the issues this creates in section 1.1.1). However, when discussing the need to integrate UAVs into manned airspace, it is very useful to classify UAVs by the type of airspace they will operate within. On this basis (as proposed in [CAA04] and the corresponding UK military publications set of Joint Service Publication (JSP) 550) an appropriate classification, which shall be used elsewhere in this report, may be considered as:

Group 1 - Those intended to be flown in permanently or temporarily segregated airspace (normally a Danger Area) over an unpopulated surface (normally the sea following 'clear range' procedure).

Group 2 - Those intended to be flown in permanently or temporarily segregated airspace (normally a Danger Area) over a surface that may be permanently or temporarily inhabited by humans.

Group 3 - Those intended to be flown outside Controlled Airspace (Class F&G) in the United Kingdom Flight Information Region (UK FIR).


Group 4 - Those intended to be flown inside Controlled Airspace (Class A-E) in the United Kingdom Flight Information Region and United Kingdom Upper Information Region (UK FIR and UK UIR).

Group 5 - Those intended to be flown in all airspace classifications.

1.1 Safety Issues Relating to UAVs as 'Disruptive Technology'

Some issues with potential safety impact stem from the differences UAVs pose, compared to their manned predecessors. Some inherent issues are due to the very nature of their disruptive technology, whether or not there was an existing system to clash with. These aspects are discussed here (though some, inevitably, cause knock-on issues for the existing manned airspace environment and cross-references are given where appropriate).

1.1.1 Impact of the Variety, Roles and Performance of UAVs

Breadth of Scope of UAV System (UAVS) Varieties

The initial problem in discussing safety of UAVSs is the sheer breadth of scope of such systems. It is difficult to pin down generalities for a range of systems that embrace the palm-sized / Line of Sight (LOS) controlled micro UAV right up to the Boeing 737-sized HALE controlled via satellite datalink. This range is a challenge for the regulators - possibly more so than their manned counterparts, and we shall look more into this when we discuss issues of legislation and certification (section 1.2.1). Nelson and DeGarmo [Nel04] paint a fascinating set of 7 scenarios for UAV operations in 2020, ranging from a stratospheric airship acting as a telecommunications relay, to a team (swarm?) of UAVs on border patrol, and on to a 'media and traffic reporting' UAV operating under Visual Flight Regulations (VFR) in an urban environment.

At this point, while it may not necessarily be a direct safety issue, the fact that authorities cannot classify UAVs (or even model aircraft [Deg04]) consistently shows the extent to which they challenge regular thinking. The Swedish Aviation Safety Authority believe it is necessary to define at least 5 classifications of UAV in order to arrive at suitably granular understanding of requirements [Wik03]; the military tend to classify based on altitude and endurance, or sometimes on operational characteristics; other schemes by civilian authorities consider kinetic energy (i.e. mass and speed), or mass alone, or range, or operating airspace type, or potentially some measure of the level of autonomy. The FAA cannot even arrive at a consistent definition of what constitutes a UAV [DeG04, paragraph 2.4.1].

My concern is that these attempts to pigeon-hole UAVs into existing categories (or something similar) and manage them accordingly show a limited understanding of the nature of UAVSs and the safety risks they may pose: the accent is on trying to keep the status quo rather than address the rich differences that UAVSs present. This concern will reappear regularly throughout this report.

UAV Performance

UAVs can perform differently to their manned counterparts, in part due to their different size and sometimes unusual planform. Sometimes the performance is possible primarily because they are unmanned and aren't limited by human frailties. The fact that they perform differently means that they can be difficult to slot into a stream of manned aircraft traffic. DeGarmo [DeG04,] in particular notes the variation in performance capabilities of different UAV systems. Some will operate very slowly, with limited manoeuvrability, while others may be faster and more agile than their neighbours. Relative differences in velocity and manoeuvrability introduce potential conflict which must be managed.


UAV Roles and Mission Profiles

If UAVs lack performance commonality with manned ac, they also lack predictability of flight path, with their roles and missions introducing unusual flight behaviour. DeGarmo again [DeG04, paragraph 2.3] discusses how UAV types of mission are rarely 'point to point' but instead have variations of patterned flight, loitering, tracking and orbit activity. There is even the possibility of planned flight termination, with the vehicle potentially suddenly entering a 'falling leaf' or parachute recovery in the path of other traffic - while this was not discussed in the literature reviewed, it would be an obvious concern in traffic. [DeG04] does propose the establishment of designated flight recovery areas, where UAVs could go to 'die' (flight terminate) assuming that power and control was still available. In the CRS Report for Congress [Bol05] there is the interesting prospect of swarms of UAVs operating mutually under a common human controller, on border patrol. This introduces the potential for the UAVs' mutual interference, as well as constituting a widespread hazard for other aircraft and ground-based population (see 'increased traffic' in section 1.2.2).

Before getting too excited over these differences, though, perhaps we should consider whether parallels may be drawn with the capabilities, roles and flight patterns of helicopters: the fixed wing fraternity has managed to accommodate these vehicles, so perhaps there is fair hope for UAV integration.

Launch and Recovery

In [DeG04, paragraph 2.3] DeGarmo discusses the UAVs' next trick - the capability to launch and recover from almost anywhere (in ac terms). While it is true that large UAVs will generally operate from airfields (itself something of an issue - see 'airfield operations' in section 1.2.2 of this report), smaller UAVs are designed to operate not just from runways but also from ships, open country, even buildings and urban environments. The implication (not explicit in the text) is the safety risk associated with the UAV's sudden and unexpected insertion into manned traffic, as it rises from below. Conversely, the UAV may perform a sudden change of vector, not expected by manned traffic on a parallel point-to-point flight, as it turns into a recovery pattern. However, as for the discussion over roles and mission profiles, the literature does not draw any parallel with the introduction of helicopters into fixed wing aviation, and I feel that there could be useful aspects to draw from the experience gained with this, in the cause of UAV integration.

1.1.2 The complex system boundary for UAVs

Extended System Criticality

Several sources recognise the criticality of the UAVS overall, and not just the vehicle. Certainly, the ground support environment plays its role in manned aviation, but in UAVSs there are a number of direct causal links that can affect safety in real time.

The Joint UAV Task force (UTF) [UTF04, sections 7.2 and 7.3] recognised this criticality when they proposed extending the usual definitions of 'airworthiness' to include all safety critical elements of the system, such as Ground Control System, datalink, Flight Termination System etc. They then took this further to suggest that some of these elements (and others such as Flight Control / Flight Management System, the Control Station and Launch / Recovery equipment) should themselves be subject to Type Certification (discussed more in section 1.2.1 of this report). DeGarmo [DeG04, section 2.3.3] extends the boundary further to consider the information and data systems used by the UAVS, including those derived from wider sources. He suggests that we need to consider the data being passed around the system internally, such as navigation and position data, telemetered parameters. Then, to look further out to consider the mission planning / retasking from the ground station; and then further still to consider the data sources feeding the GCS, such as terrain databases, weather databases / live links, and possibly dynamic Air Traffic Management (ATM) data such as time-dependent clearance blocks. DeGarmo goes on to discuss US plans for an ATM information network, but whatever the implementation, the UAVS, vehicle and GCS will inevitably have to interface with various proprietary wide-area networks and even internet based information networks.

None of the documents agree entirely on what the critical elements are. The CAA offer a useful maxim of "Where any function of a UAVS is essential to, or can prejudice, continued safe flight and landing of the UAV...have to comply with the applicable airworthiness requirements" - this allows some flexibility to identify the critical elements pertinent to the system under consideration, but without saying what those applicable airworthiness requirements might be.

It is clear that the overall 'system' is extended even within those elements in control of the UAV organisation. If we consider all the system elements that could affect safety, we have a very extended critical system. In effect, we can view this as a particularly interesting 'System of Systems', with varying levels of coupling between the different system elements.

Command Datalink

A key integrating element of the extended system is presented by the Datalink. It links the UAV with its Ground Control System for guidance and telemetry, plus a host of other system-specific possibilities. Being the system 'glue' in this way makes it a critical element of the extended system, a fact not missed among the literature.

Reliability: Schneider [Sch04] notes the need for dependable, Over the Horizon datalinks to be developed, possibly using dual redundant Satellite Communications (SatComms) (an important feature for the US current trend for large, long range UAV systems). In [UTF04], reliability requirements are developed further, with proposals that no single failure within the system (uplink or downlink) should affect normal control of the system, and the need for Electro-magnetic Interference (EMI) hardening to protect the datalink. They also highlight the need for link data (such as signal strength or coverage limitations) to be displayed to the UAV pilot (UAV-p), to ensure that he can monitor its continuing reliability. But no matter how reliable command datalinks will prove to be, the requirement to deal with loss of datalink will remain as a particular risk to be addressed, and regulators will demand Standard Operating Procedures (SOPs) to deal with the occurrence (see section 1.2.2). [UTF04], [CAA04] and many others repeat this requirement many times.

Spectrum availability: [Sch04] starts the analysis by initially stating that manned aircraft operators were bemoaning the rate that UAVs would eat up available frequency spectrum; but then he offsets this by suggesting that, in a networked environment, the presence of UAVs will allow information to be shared more easily and hence reduce the number of other airborne sensors needing bandwidth. Somehow, I suspect that this gentle balancing of systems is unlikely to occur in reality, but instead the airborne sensors will also grow in number and compete for spectrum. This view is shared by CAA's Mettrop [Met05], not just because of the number of UAVs but because of the growth in the number of sensors and command frequencies required by both manned and unmanned systems. His paper looking at the difficulties of trying to negotiate international agreements through the International Telecommunications Union (ITU) paints a fairly bleak picture, and raises the likelihood of Radio Frequency (RF) interoperability and interference between systems due to sheer density of vehicles or simple differences in allowed frequency between countries. DeGarmo [DeG04, 2.3.4] also believes things will be tight, but suggests that, in the future, innovative solutions may come to light such as flexible frequency use: although nearly all the civil frequencies are allocated, only 2% are actually in use at any one time, so there could potentially be plenty to 'share' - this may be tricky to align with the need for dependability of a command datalink, but perhaps other uses (such as voice communications (‘comms’) or non-priority sensors) could be re-allocated to use this technology and free-up spectrum.

Connection path: Current, small UAVs generally use VHF / UHF datalinks, giving direct Line-of-Sight capability. This can cause problems with terrain masking (as noted in [UTF04], briefly) and affect the possibility for low-level operations. [DeG04] discusses other options: The US has made use of commercial and military SatCom links [Sch04] and potentially there is access via Iridium Low Earth Orbit (LEO) satellites. Each of these potential connection paths changes the system boundary, which returns us neatly to the opening statements of this section - the UAV and its extended system criticality.

1.1.3 UAV autonomy - technology, predictability, complexity

Tim Willbond [Wil05] in his keynote speech at the Royal Aeronautical Society (RAeS) conference in 2005, talked about the two-edged sword of autonomy in UAVs: on one hand, it is a key enabling technology, allowing flexibility to the UAV, capability to the human operator and providing fall-back options if the datalink goes down; on the other hand, it will be a major hurdle to prove its dependability to allow integrated operation in manned airspace. To consider its hazards, we need to understand a little of what autonomy may be like 'in service'.

Autonomy level factors

When we talk about autonomy levels, we are talking about a continuum of system authority: at the one extreme, where the system has no autonomy, the human operator has full control of the system at the most basic level, making inputs to the direct control actuators of the vehicle. At the other extreme, with full autonomy, the system is able to exercise its own control, make its own decisions, learn new tactics and shape the mission, without even informing the human operator. Most likely, systems in the near future will exist somewhere in between.

The military have traditionally used a simple linear scale (usually 1 - lowest to 10 - highest) to describe a UAVS's level of autonomy. However, Huang [Hua04, 2] suggests that the answer is more complex. He proposes that a number of factors provide the real indicator of the autonomy level: difficulty of the environment; complexity of the mission; and operator interaction (inversely proportional - less interaction is more autonomous). For our consideration of safety, each of these axes would give us a series of issues to be considered. Is the UAV autonomy appropriate to the situation it finds itself in? What if one of these factors changes?

Platt [PlJ05] takes a broader, less constrained view, and says that Autonomy of a system is a function of: the operator's interaction and its context; the types of reasoning about the environment that the system employs; and the types of knowledge that the system has available or can gather. Figure 1.1.3a, below, does two things: it gives a view of how the environment and mission context might drive the required level of autonomy; but, again, it indicates how these axes could become safety issues, if our UAVS equipped to a certain level of autonomy gets pushed beyond its intended model.


Figure 1.1.3a - Autonomy level variation with required flexibility of mission / environment and certainty of information

Autonomy v Ground Control:

The Joint UAV Task Force [UTF04, section 7.9] propose that the Human Machine Interface will be a critical area of autonomy design and regulation, with the need for a careful trade between autonomy level and the capability of operator intervention. While the spirit of this is clear, it may represent (again) a too black-and-white mental model of autonomy and human interchange. Walan [Wal03] instead suggests that the situation changes between different mission types and even during the same mission. Periods of intense action such as mission planning and sensor operation may be interspersed by long periods of boredom and lapses of operator awareness, and this would be much increased for an operator responsible for multiple UAVs in a package. What he offers is a model for variable autonomy, what he calls "sharing control rather than trading control" - "Sharing control means that the human and the computer control different aspects of the system at the same time . . . Trading control means that either the human or the computer turns over control to the other".

Platt [PlJ05] supports this view. In Figure 1.1.3b, Platt suggests that the scope of an operator's inputs to and desired outputs from the UAVS can be modelled at different scopes - from direct system control (Tier 1) through tactical system management of the vehicle configuration (Tier 2), up to strategic overall mission management (Tier 3). Figure 1.1.3c then shows how the autonomy / authority can be varied to suit the operator's needs for a given situation.

Figure 1.1.3b Optimising autonomy level to suit operator's [mission] needs


Figure 1.1.3c varying the UAVS autonomy level to suit the required level of operator authority for a situation

Whilst debating the required share of autonomous functions, note should be made that some autonomous behaviour will be demanded by the regulators and ATM providers, primarily for actions in the event of emergency situations - section 1.1.2 refers.

Reliability and predictability

Autonomous behaviour will demand a safety critical consideration of its reliability. As Schneider notes [Sch04] "Conflict avoidance, especially in a fully autonomous, lost link situation, will be the Achilles heel challenge for the FAA to prove" - he demands an Equivalent Level of Safety (ELOS) for UAVs with autonomous vehicle operation.

What makes an autonomous system hard to trust? Platt [PlJ05] proposes two general reasons: the gulf of execution - does the system take actions that correspond to the intentions of the operator; and the gulf of evaluation - can you monitor the state of the system and what is the difference in state from that intended. When we get to considering autonomy for high level functions (Tier 3 in the above discussion), Platt assumes that these will most likely be controlled using 'agent based' methods (see Figure 1.1.3d below). These introduce three areas of uncertainty:

o  These are a novel application in air vehicles and hence there will be issues of expertise, trust and clearance

o  They require accurate capture and specification of the 'agent' behaviours beforehand, giving issues of knowledge acquisition (and requirements elicitation - see York module on Requirements Engineering (RQE)).

o  There will probably be more than one 'Artificial Intelligence' method used to implement the decision making, and these will introduce new issues of architecture and integration


Figure 1.1.3d 'Agent' View of the UAVS assets and mission decision-making environment (for a multi-UAV scenario)

Platt echoes the old cry of "It's only software!" and the issues of predictability that entails (see York Computers and Software (CAS) course). He proposes that the challenging issue will be in trying to ensure clear distinction is made between safety critical and mission critical functionality such that inevitable changes to the mission critical aspects cannot impact on the safety critical aspects.

UAV 'Airmanship'

In section 1.2.2, we look at issues of ATM interaction and the need for 'transparency', i.e. the ability of the UAV to behave in the same way as manned aircraft, and (for highly autonomous systems) this function will fall to the vehicle autonomy. Behaviours and judgments such as applying rules of the air, navigating, sensing and responding to weather conditions fall into this vague category of 'airmanship' and are difficult to describe, let alone specify - in some cases, behaviour should be absolutely predictable (such as generally within an airspace corridor) and in others, instantaneously flexible (such as in collision avoidance). Airmanship is both planning for expected events, plus reacting (predictably but swiftly) to external events. Marsters and Sinclair [Sin03, section 4] say that "The precision and repeatability of technological solutions notwithstanding, the knowledge, judgment and skill (sometimes called 'airmanship') of the on-board pilot will be difficult to emulate."

DeGarmo [DeG04] looks at various airmanship issues, such as how the UAVS detects and responds to weather systems and conditions - in some cases coping with the conditions, but in others deciding how to route to avoid them. This may be quite an issue, especially for smaller UAVs more sensitive to weather (see section 1.1.1). He also looks at how UAVS decision making matches the expectation of Air Traffic Control (ATC) decision making tools (such as used to effect Traffic alerting & Collision Avoidance System (TCAS) manoeuvres).

A critical aspect of UAV autonomy will be the vehicle response in the event of command datalink failure (as noted elsewhere, in sections 1.1.2 and 1.2.2). DeGarmo [DeG04], for example, calls for pre-programmed actions, diversionary sites / flight termination areas and procedures to be defined - what this implicitly calls for is that, in the event of datalink failure, the UAV can successfully analyse the situation (including external factors such as weather conditions), decide on the course of action, and navigate its way there predictably and dependably. Such functions are identified in a number of other documents, including the CAA in CAP722 [CAA04].

1.1.4 Accident rates and reliability - UAV airworthiness

This section looks at the accident rates and reliability of current UAV systems, related to achieving safety levels acceptable for flight in unsegregated airspace / terrain. It discusses the inherent safety levels for UAVS, rather than the demands for legislation, standardisation and regulation to achieve such levels, which are covered in section 1.2.1.

The Catastrophic failure rate is too high (currently)

Indications are that the failure rate for UAVs is currently too high. DeGarmo [Deg04, 2.1] quotes US DoD analyses that show the UAV catastrophic failure rate (in terms of vehicles lost rather than induced fatalities) at around 50 times that of an F16 (itself held to be a fairly risky platform), and around 100 times that of more general aviation. Another statistic compares an accident rate of 0.06 per million flying hours for U.S. commercial aircraft in U.S. airspace to a rate of 1,600 per million flying hours for the Global Hawk. Clearly such figures, if read across to UAV operation in unsegregated airspace and larger UAV fleets, would not seem tenable. Part of the problem is the data - all of it, currently, is sourced from military UAVS which have often been rushed from research into service (e.g. Predator use in Afghanistan); have been employed in fairly high-risk operations; and come from a very small sample, compared to the manned fleet they are being compared with [DeG04, 2.1.2]. Nonetheless, such figures would not currently support integration.

If the situation is to improve, we need to understand the causes for the poor safety record. This is not easy: as Williams [Wil04] notes in his review of UAV Human Factors issues, there is a lack of good, reported UAV accident data, even in the military: until recently, the US Army and Navy classified UAVs as 'vehicles', and treated accident investigation similarly to damage to ground vehicles. The US Air Force did carry out more detailed investigations but would not release information into the public domain. As a result, most UAV accident 'statistics' are based on aggregated information or single sentence entries - it is thus difficult to derive significant causal analysis. DeGarmo [DeG04, 2.1.2] tries to pick through what is available, quoting DoD analyses again to state that around 75-85% of the failures were due to equipment failure (37% propulsion, 26% flight control, 11% communications link; 17% human factors, 9% miscellaneous). He states that such figures are not unexpected: as we noted above, the current generation of UAVS stem from research programmes, and/or have been 'thrown' together to satisfy high risk operations at low cost, thus redundancy and reliability have not been high priorities. It is not stated, but we can presume that military programmes have also assumed a higher acceptable risk level, combined with operation over unfriendly territory, so concerns over ground or air collisions have also been pretty low - we are not assessing the record of systems designed for operation in integrated airspace over 'friendly' populated areas! Schneider [Sch04] concurs, providing a little more detail on the equipment failings:

o  Propulsion system unreliability relates to the search for a reliable 'heavy fuel' engine that can cope with the extended endurance requirements, at temperatures and altitudes not generally experienced.

o  The flight control failures, on the other hand, relate to the use of COTS actuators, some drawn from commercial non-aviation sources (hence not intended for this level of criticality) and often being used outside their intended environment.

Schneider concludes that, while current UAVSs could have been designed, fabricated and maintained to manned aircraft levels, this had clearly not been the case so far.


Bolkcom [Bol05] also highlights the problems due to evolving technology in this generation of UAVSs, but says that the equipment issues are heightened because the UAV-p is removed from the event: rather than being a direct Human Factors accident, instead an equipment failure develops into an avoidable accident because the UAV-p is less able to diagnose and correct problems; he lacks the 'seat of the pants' sensory inputs. There is further discussion of Human Factors safety-related issues, in section 1.2.5.

What is acceptable Safety Risk?

DeGarmo [DeG04] says that, to gain acceptance, UAVS will have to prove that they have an Equivalent Level of Safety (ELOS) to manned aircraft. But defining this 'equivalence' in terms of actual safety requirements is very difficult. The CAA echo this general requirement [CAA04], saying that UAVs operating in the UK “…must not present or create a hazard to persons or property in the air or on the ground greater than that attributable to the operations of manned aircraft of equivalent class or category”. [UTF04] also starts with a general principle of equivalence, that requirements should be no less demanding than those currently applied to comparable manned aircraft, but does then try to achieve fairness that such requirements should not penalise UAV Systems with higher standards simply because technology permits. This gives us a concept of balanced safety requirements, but how could we define such requirements?

The Swedish Aviation Safety Authority in [Wik03] takes a fairly pragmatic view. They are content to allow a higher accident risk per flight hour for UAVs during the earlier development period, provided that this is balanced by a low number of flights / UAVs to ensure that the risk to the overflown public or manned aircraft remains acceptably low. As the number of UAVs increases, the reliability of systems must increase sharply to keep the individual risk low. They consider an overall balanced target of no more than 1 death on the ground per 50 year period; and in the air, UAV systems shall not give rise to more near collisions, calculated per flight (or flight hour) than manned aircraft have caused during the most recent ten-year period. [Wik03] refers in turn to [Mar03] to calculate the allowable critical failure rate per UAV flight hour. This they derived by reckoning the overall target against the number of flight hours per annum, the population density (assuming flight over a low density area in the early years) and the 'lethal swathe' area determined by the expected crash mode of the system - a horizontal crash creating a longer, bigger swathe than a vertical dive. In this way, they say, by controlling the number of allowed flight hours, the failure rate for a given system can be allowed to be higher in the early stages.

Weibel and Hansman [Wei04] take a slightly different approach to achieving balanced safety targets, in their attempts to identify required levels of reliability to avoid ground and air collisions. For ground collisions, they start with the FAA requirement for a 'hazardous' event (assuming that the number of fatalities in any event will be small, hence not catastrophic) to occur less than 1x10^-7 per operating hour. From the National Transportation Safety Board (NTSB) records they found the actual number of ground fatalities per operating hour to be 2x10^-7 per flying hour; and then set a target level of safety a magnitude higher at 1x10^-8 ground fatalities per hour in recognition that, to gain acceptance, UAVs will need a greater level of safety than manned aircraft. For air collisions, the FAA target of less than 1x10^-9 collisions per hour was taken, for ELOS. In calculating the required levels of reliability, [Wei04] goes into more depth (than [Mar03]) in assessing the risk, taking into account the UAV mass and barriers to actual fatalities. For ground collisions, these barriers are proposed as: population density, shelter afforded by buildings, and likelihood of fatal penetration. For air collisions, they propose the 'collision volume' of the UAV and manned aircraft (their near-miss area extruded along their intended flight route), the size, length and traffic densities within controlled airspace, and finally a probability that the collision may not actually cause fatalities - the latter does not accord with the CAA view that 'nearly all collisions result in fatalities' but does allow for the fact that birdstrikes etc are usually survivable, and we are discussing a wide spectrum of UAV sizes and masses. Interesting (but maybe not unexpected) conclusions from the study are that high mass, high altitude UAVs in controlled airspace will have to achieve a much higher level of safety (because of their kinetic energy capability) than smaller vehicles in less dense airspace; but that the former would be more able to meet such levels from inclusion of redundant systems and co-operative collision avoidance technology, because of their size and sophistication.
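The ground-risk budgeting described in the two paragraphs above ([Wik03] / [Mar03] and [Wei04]), worked through as an added example that is not part of this report or of the cited papers. It assumes a simple linear model, expected ground fatalities = failure rate x flight hours x lethal area x population density x (1 - sheltered fraction) x P(fatal penetration); the swathe geometry, the function names and every input figure other than the quoted targets are constructed for illustration.

```python
"""Ground-collision risk budget for a UAV fleet (illustrative linear model)."""
import math
from dataclasses import dataclass

PERSON_HEIGHT_M = 1.8   # assumed standing height
PERSON_RADIUS_M = 0.3   # assumed body radius, added as a buffer round the airframe


@dataclass(frozen=True)
class Airframe:
    wingspan_m: float
    length_m: float
    glide_angle_deg: float   # descent angle in a horizontal (gliding) crash


def _require_positive(**values):
    for name, value in values.items():
        if value <= 0:
            raise ValueError(f"{name} must be positive, got {value}")


def lethal_area_m2(uav, crash_mode):
    """Ground area in which a standing person would be struck (assumed geometry)."""
    _require_positive(wingspan=uav.wingspan_m, length=uav.length_m)
    width = uav.wingspan_m + 2 * PERSON_RADIUS_M
    footprint = uav.length_m + 2 * PERSON_RADIUS_M
    if crash_mode == "vertical":
        return width * footprint
    if crash_mode == "horizontal":
        if not 0 < uav.glide_angle_deg < 90:
            raise ValueError("glide angle must be between 0 and 90 degrees")
        # Ground distance covered while descending through the height of a person.
        sweep = PERSON_HEIGHT_M / math.tan(math.radians(uav.glide_angle_deg))
        return width * (footprint + sweep)
    raise ValueError(f"unknown crash mode: {crash_mode!r}")


def fatalities_per_crash(area_m2, people_per_km2,
                         sheltered_fraction=0.0, p_fatal_penetration=1.0):
    """Expected ground fatalities for one crash, after the barriers are applied."""
    _require_positive(area_m2=area_m2, people_per_km2=people_per_km2)
    for name, p in (("sheltered_fraction", sheltered_fraction),
                    ("p_fatal_penetration", p_fatal_penetration)):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name} must lie in [0, 1], got {p}")
    exposed_people = area_m2 * people_per_km2 / 1e6      # km^2 -> m^2
    return exposed_people * (1.0 - sheltered_fraction) * p_fatal_penetration


def allowable_failure_rate(target_per_year, fleet_hours_per_year, per_crash):
    """Highest critical-failure rate per flight hour that meets an annual target."""
    _require_positive(target=target_per_year, hours=fleet_hours_per_year,
                      per_crash=per_crash)
    return target_per_year / (fleet_hours_per_year * per_crash)


def allowable_fleet_hours(target_per_year, failure_rate_per_hour, per_crash):
    """The same budget turned round: hours a system of known reliability may fly."""
    _require_positive(target=target_per_year, rate=failure_rate_per_hour,
                      per_crash=per_crash)
    return target_per_year / (failure_rate_per_hour * per_crash)


def required_mtbf_hours(target_per_flight_hour, per_crash):
    """Mean time between critical failures needed to meet a per-hour target."""
    _require_positive(target=target_per_flight_hour, per_crash=per_crash)
    return per_crash / target_per_flight_hour


def growth_table(uav, people_per_km2, target_per_year, fleet_hours_steps):
    """Allowable failure rate as the fleet's annual hours grow, per crash mode."""
    rows = []
    for hours in fleet_hours_steps:
        row = {"fleet_hours": hours}
        for mode in ("horizontal", "vertical"):
            per_crash = fatalities_per_crash(lethal_area_m2(uav, mode),
                                             people_per_km2)
            row[mode] = allowable_failure_rate(target_per_year, hours, per_crash)
        rows.append(row)
    return rows


if __name__ == "__main__":
    demo_uav = Airframe(wingspan_m=10.0, length_m=6.0, glide_angle_deg=10.0)  # constructed
    annual_target = 1 / 50    # one ground death per 50 years, the target quoted above
    for row in growth_table(demo_uav, 5.0, annual_target, [1_000, 10_000, 100_000]):
        print(f"{row['fleet_hours']:>7} h/yr  horizontal {row['horizontal']:.2e}"
              f"  vertical {row['vertical']:.2e} failures per flight hour")
    # Per-hour target of 1x10^-8 over a denser area, with constructed barrier values.
    crash = fatalities_per_crash(lethal_area_m2(demo_uav, "horizontal"), 200.0,
                                 sheltered_fraction=0.5, p_fatal_penetration=0.25)
    print(f"required MTBF: {required_mtbf_hours(1e-8, crash):,.0f} flight hours")
```

In this model a hundredfold increase in fleet hours cuts the allowable failure rate a hundredfold, and the larger horizontal swathe always demands the more reliable system.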

Achieving Airworthiness

Marsters [Mar03] is clear that "It is very important that the overall safety-assurance for UAV operations outside reserved airspace be based upon the design, development and maintenance of highly reliable air vehicles." He presses on that UAV reliability and their contingent catastrophic failure rate must be acceptable by civil aviation standards, and this can only be achieved by adopting a stringent system-safety design regime for UAVs. What he proposes is to incorporate a 'FAR 1309-type' philosophy in the UAV flight-critical system safety design, and refers to ARP 4761 [SAE96] as a suitable approach for safety analyses.

The Swedish Aviation Safety Authority [Wik03] also place great faith in airworthiness through design, but note that there will also be requirements for operator and maintenance standards (of which more in section 1.2.1). The paper looks at JAR 25.1309 and JAR 23.1309 required analyses for manned aircraft, and briefly compares the applicability of such analyses to UAVSs. It concludes that targets such as allowable failure rates should be adopted, but that the methodology may be amended to suit the differences in UAVS. For example, where the Joint Airworthiness Requirements (JARs) make an assumption of 100 critical systems for large aircraft, and 10 critical systems for small single-engined aircraft, the UAVS designer may apportion required reliability more pertinent to the UAVS system breakdown, provided that the overall demanded reliability is thus achieved. This does seem to be a sensible proposition, and a suitable way of establishing 'equivalence' with manned systems in terms of reliability, while duly noting the differences that exist for UAVSs.


1.2 Safety Issues Relating to the Manned Airspace Environment 'Coming to Terms' with UAVs

Some safety issues are evident, not so much because of the nature of UAVSs, but because they are having to fit in and around an already established environment. When manned aerospace was at a similar point of development, the skies were empty - now the skies are full of manned aircraft and the monolithic environment of Air Traffic Control, procedures, regulations and so on that has been established over time to keep them safe. This section looks at those issues where the environment is struggling to come to terms with UAVSs and their nature.

1.2.1 Regulation, Certification and the Drive for Standards

Elsewhere in this report we look at characteristics of the UAVS such as airworthiness, safety requirements (section 1.1.4), operations (1.2.5), collision avoidance (1.2.3) and ATM interaction (1.2.2). The aerospace community's approach to try and ensure the safety of these characteristics is to derive regulations, certification and standards that must be applied. In this section, we look at the safety issues emerging from this 'must-do' philosophy.

Regulation

Manned airspace is a highly regulated environment, and it is worth a brief review of what this entails for the UAVS. At the top of the regulatory 'tree' is the Chicago convention, specifically Article 8 which states that "... no aircraft capable of being flown without a pilot shall be flown without a pilot over the territory of a Contracting State without special authorisation by that State" [CAA04]. The push for regulators is currently to find international agreement on how to open up the skies to unmanned aircraft.

The CAA provide an overview of how regulation is flowed down from the Chicago Convention for aircraft generally, both manned and unmanned, in CAP 722 [CAA04, chapter 2]:

o  European Aviation Safety Agency (EASA) regulation EC 1592/2002 applies generally to all aircraft in the European Union, for airworthiness certification and continuing airworthiness (maintenance and modification);

o  This excludes 'state aircraft' (military, police, customs), research craft and those under 150 kg, to which national regulations must apply.

o  Equipment requirements, operational rules, personnel licensing, aerodrome regulation and regulation of air traffic services are not (yet) dealt with by European Regulations and so are matters for national regulation for all categories of aircraft. The UK covers these (for non-military aircraft) under the Air Navigation Order 2000 and Rules of the Air Regulations 1996. Aircraft must have a Certificate of Airworthiness (Design and maintenance), a Permit to Fly (Operations) and Licensed Aircrew (for airspace and meteorology / visibility conditions).

CAP 722 then goes on, chapter by chapter, to try and state how general aircraft regulation (civil and military) should be applied to UAVSs. But there are many areas where the regulation becomes vague and stops fairly quickly after demanding 'equivalence' in terms of performance, safety levels, certification, interaction et al, without guidance on what the equivalence is to, or how the UAV differences may be resolved in this environment.

The Australian Civil Aviation Safety Authority (CASA) have similarly moved to apply existing regulation, and published their Civil Aviation Safety Regulations Part 101 [CAS04] to define how that was to be done. 'Define' is perhaps too strong a word - while the text appears definitive at first, this is predominantly for application to small and micro UAVs: once the regulation reaches larger UAV systems and operation, it basically refers the reader back to CASA, to establish written agreements on what can be flown, where and how. Perhaps its major contribution is that it allows small UAVs fairly good access, even to controlled airspace. This will allow building of experience for designers, operators, and ATC personnel and hence inform the wider use of UAVS.

DeGarmo [DeG04, section 2.4.3] discusses this worldwide move to try and apply existing manned regulation - he declares that it is good in principle, to apply existing regulation wherever possible, because it avoids developing new, specific regulation that might ultimately prejudice a developing area of UAV operation. Hence, he notes that this approach currently forms the backbone of the US development of a UAV 'roadmap' towards integrated airspace (and its equivalent can be found in most of the international roadmaps in development). However, he goes on to note that the wide variety of UAVs could make this universal application difficult to apply (as we discuss in section 1.1.1).

In their Joint UAV Task Force report [UTF04], Joint Aviation Authority (JAA) / EUROCONTROL provide a useful discussion of their philosophy for regulatory development for UAVs, and this has been flowed on through EASA into their provisional regulation under Advance – Notice of Proposed Amendment (A-NPA) No.16-2005 ([EAS05]). Their guiding principles are that regulation should establish:

o  Fairness - between competing UAV systems and with existing manned aircraft: hence the principle is to apply existing regulation wherever possible (in accord with DeGarmo, above).

o  Equivalence - regulation covering UAVs should be no less, but also no more demanding than expected for manned aircraft systems: this they break down into equivalence of risk (see 1.1.4) and in operations (to meet the expectations of other airspace users). Few clues are provided on what to establish the equivalence to!

o  Responsibility / accountability - clear demarcation of the organisation requirements for: design, manufacture, operation and maintenance of UAVS. The report notes the importance for maintaining the accountability chain in the event of extended UAV operations causing responsibility to be passed between personnel and organisations, even nations as an operation proceeds.

o  Transparency - especially for ATM: this does not seem so much a guideline as a pretty hard-line requirement, the fairness and applicability of which is discussed in section 1.2.2.

Eventually, EASA / EUROCONTROL settle down to consider regulation aimed at controlling their "5 pillars of safety and security": Airworthiness & Certification; Operations & Maintenance & Licensing; Security; Air Traffic management; and Airports. However, they go on to reiterate that, currently, EASA only regulate airworthiness and environment, and they propose that a 'Total System' approach is required in the long run ([EAS05, IV-4-b]) as hinted at in [CAA04] above. A graphical representation is shown in Figure 1.2.1a, below.


Figure 1.2.1a - EASA / EUROCONTROL 'Total System' vision for aircraft / UAVS regulation

Certification

For the UAVS itself, certification literature falls broadly into two areas: that for the UAVS design, and that covering the operation of the system.

Design Certification

The first issue for regulators is to establish the basic strategy for certifying UAVS designs.

For manned aircraft, civil regulators have generally followed a standards-based approach and assume an independence from the operational considerations, while military certification authorities have followed a mix of standards and safety target / safety case methods in order to focus on eventual satisfaction of specific missions and uses. How then, to certify UAVS? DeGarmo [DeG04] discusses a CAA study in 2002 [CAA02], which assessed two approaches - safety targets (where, potentially, design requirements could be traded against operating requirements, such as operation over unpopulous areas to offset initial reliability concerns) and certification design requirements (standards). While the former was proposed as being easiest to apply, the CAA decided that this was "not consistent with International Civil Aviation Organisation (ICAO) ... legislation". The study went on to say that "the second approach, one that is requirements-based, was seen as more practical in that it is familiar to the aviation industry, it facilitates the development of common standards, and there are no special, type-specific, operating restrictions to address airworthiness uncertainties, therefore offering greater operational freedom". DeGarmo suggests that this will be the way most regulators will opt for, in spite of his earlier observation that there are no established standards for UAV systems.

The Joint UAV Task Force report [UTF04, 6.3.1.1] considered the same two options for certification. Again, they suggest that, given the current unknowns about the differences between UAV systems, the safety target approach would be easiest for UAVS application, but that the standards approach must be followed for the following reasons:

o  In order to accept a safety case approach, the regulator needs to be closely linked to the operational acceptance side as well, in order to understand and apply controls. While this is possible for military systems, it is not for civil regulators - EASA, as noted before, do not have control of operations, personnel, airfields etc. Even if the regulator could control operating aspects, it could still prove unfeasible: if a safety case for a system was accepted on a risk-basis underpinned by assumptions of mission length and frequency, it would be difficult to enforce this generalised assumption to specific missions and tasks on a daily basis. Civil standards-based certification separates the design from the operation and enforces minimum standards.

o  The separation of design and operation will ease the certification process in the longer term, to allow UAVSs to be used by a wider variety of operators and for a wide range of missions. It also facilitates export of systems and operation across national borders.

o  In order to support fair competition for civil contracts, designers and operators need to face a 'level playing field' of certification, in order that one system under a particular regulator is not unfairly advantaged.

o  The build up of civil standards has delivered manned aircraft systems that have safety levels accepted by the public, and the same should be expected for UAVSs. Also, civil aircraft manufacturers are comfortable with the standards-based approach, and it ensures clarity that, provided the minimum standard is complied with, the system will get certified.

Some of the above sounds like "it's worked for us on civil manned aircraft, therefore it must work for civil UAVs" and there is still the problem of finding applicable standards (see below). I feel it is very difficult to separate the UAV from its mission, in the same way that the military have recognised the inter-relationship, and the Joint European Task Force has already pushed the need for a 'total systems' approach (see above). There are still the vast differences between UAVSs to be dealt with (see 1.1.1). The glimmer of hope within [UTF04] and the related EASA proposed regulation of [EAS05] is that, apart from blunt-edged minimum standards, a safety objective approach based on CS.25 / 23.1309 type requirements should be established and followed. This at least means that system differences, safety risk assessment and the application of novel technology within the design may be identified and dealt with appropriately. This approach, and related literature discussing it, has already been discussed in section 1.1.4.

The CAA [CAA02] provides some assistance in the issue of deciding the equivalence of manned and UAV systems. Briefly, the method involves the consideration of two scenarios: i) impact with the surface at a velocity appropriate to an emergency landing under control and, ii) impact at a velocity resulting from loss of control at altitude. The kinetic energy for each case is calculated and then compared with the results of similar calculations as applied to a sample of the existing manned aircraft fleet. Consideration of the results gives a first order approximation, to look at the indicated certification requirements (such as EASA CS.23) and draw out relevant aspects for the system under consideration. Where necessary, different sources can be merged to give the best mix of requirements for the new system.

The next issue is that we need to be clear on what design aspects need to be addressed, and this is critical if the standards route is to be followed. DeGarmo suggests that most of the usual manned aircraft design requirements will apply, such as for structural integrity, performance, reliability, stability and control, but would need to extend to certification of the wider system elements such as the ground control station, data link, data security, launch and recovery mechanisms, and the autonomous systems and software integrated into the vehicle and ground elements. The extended aspects of 'System-of-systems' safety criticality have been discussed in section 1.1.2 - these would all need to be addressed for requirements, while recognising the different criticality of sub-systems between different UAV systems - this will be a major challenge.


Operations Certification

Marsters [Mar03] provides the overall context of operations certification. He suggests that any operator of UAVs wishing to routinely undertake missions in unsegregated airspace will apply for a UAV Operating Certificate from the relevant regulating authority, and that this application will provide "documented evidence of organisational competence and system safety", entailing:

o  a description of the applicant organization, including relevant qualifications of competent technical and operational staff;

o  a full safety history of the vehicles to be used and of the fleet of this same type;

o  a global safety analysis for the combined vehicle - mission types;

o  a full description of the design standards used for all flight-critical UAV systems (see Part 4, below);

o  manufacturer's Flight Manual and manufacturer's Maintenance and Inspection Manual (see Part 5); and

o  A Flight Operations Manual for the operating organization, including specification of the required qualifications and levels of training and proficiency for crew members (see Part 3, below).

This seems to provide the overall basis for a safety argument for the system in its intended use - while not as fully integrating as a safety case would be, elements such as the 'global safety analysis' mentioned above should help to bridge the gap between the bounded design certification discussed above and the actual usage of the system.

The Joint UAV Task Force [UTF04] took a fresh look at operations certification. Their review included: a brainstorming of particular aspects of UAVs that might not have a parallel in existing regulations for manned aircraft; a review of existing JAR (now EASA CS) regulations on operations, maintenance and licensing; and where available a review of EASA regulatory material. Once again, their standpoint is that existing certification requirements should be applied wherever possible - but then they identify many areas where this is not possible! For licensing of personnel, they proposed that it would be possible to modify existing requirements. But for operating aspects, EASA OPS-1 did not seem to offer equivalent types of operation (aerial work such as filming, agriculture, customs and police work are all excluded); similarly for maintenance operations EASA CS145, 147 and 66 did not always fit easily with UAV operators providing continuing airworthiness for systems undertaking the type and variety of work expected. The study concluded by reiterating that existing requirements should be used wherever possible - a not wholly useful conclusion, but it might be assumed that the intent is to use the existing requirement as a start point and extend it to cover appropriate UAV characteristics and operations. The CAA [CAA04] do not get much beyond this principle, suggesting it apply across the board to maintenance and continuing airworthiness, organisation and personnel licensing, and approval to operate.

Standards

DeGarmo ([DeG04] section 2.4.2) takes a broad look at the current initiatives on standards, and some of these are discussed below. He notes activities by US DoD and North Atlantic Treaty Organisation (NATO), the American Institute of Aeronautics and Astronautics (AIAA), ASTM International, the UK UAV Safety Subcommittee (Ministry of Defence (MoD) and industry group) and RTCA; but he voices concern that there is a competitive spirit between these schemes, and while the current lack of standards makes regulation difficult, a plethora of different standards would not help either. He identifies that the US government have mandated that global, consensus-based standards should be adopted wherever available, rather than developing government specific requirements.


ASTM International (originally the American Society for Testing and Materials) are one of the groups trying to establish suitable consensus based standards for UAVs. In [AST04], their Statement on the role of ASTM International committee F38, they discuss the intent to raise standards to cover: Airworthiness; Flight Operations; Operator Qualifications. In line with the US Government requirement (and also, as discussed above, with EASA and CAA principles), these standards are to be established on the prioritised principle of: Adopt; else Modify; else Create as appropriate to suit UAVs. As they note in their review of the US DoD 2005 Roadmap for UAV development [AST05-1], standards play a major role within the roadmap - without standards it is difficult to build regulation. One of F38's first priorities was to establish requirements for Sense and Avoid capability (see 1.2.3).

RTCA Incorporated (originally the Radio Technical Commission for Aeronautics) is another American society aiming to produce consensus-based standards, but is perhaps closer to the federal government (without being an actual government body). This is particularly true for UAV standards activities of Special Committee SC-203, as it was set up with dual sponsorship from the Aircraft Owners and Pilots Association (AOPA) and the Federal Aviation Authority (FAA), to consider the standards required to support UAV operations within the National Air-space (NAS). In the terms of reference for SC-203 [RTC05], their objective is set out to produce key supporting standards documents:

o  A. Guidance Material and Considerations for Unmanned Aircraft Systems (UAS) – to provide a definition of UASs, the NAS environment, and taxonomy of UAS terminology.

o  B. Minimum Aviation System Performance Standards (MASPS) for Unmanned Aircraft Systems - containing quantitative performance standards with specific focus on UAS level operational performance.

o  C. MASPS for Command, Control and Communication Systems for Unmanned Aircraft Systems - recommended standards for command, control and communication systems used in conjunction with UAS operations: addressing (but not limited to): Human Factors; Reliability; Data Links.

o  D. MASPS for Sense and Avoid Systems for Unmanned Aircraft Systems - recommended standards and procedures for UAS sense and avoid systems, providing a safety level equivalent to that for manned aircraft operations. This will address: Reliability Factors; Traffic Avoidance; Data/Communication Links; Operational Safety Considerations (see section 1.2.3 in this paper).

The Terms of Reference note that SC-203 is not a joint committee with the European Organisation for Civil Aviation Electronics (EUROCAE), but does at least indicate that they will liaise. EUROCAE has recently formed its own Working Group (WG-73) to provide support to introducing UAVS safely into integrated airspace, and ensure compatibility with existing infrastructure and systems. In particular, it is to help bridge the gap between existing and necessary regulation and standards, to allow integration. WG-73 will look at a broad spectrum of issues, including: Operations; ATM; Airworthiness and Safety; Test and Maintenance. The working group is intended to draw together the various international initiatives (European and US) and includes setting up joint activity with RTCA. Perhaps this will help to establish a more joint approach to regulation and standards than is currently the case.

1.2.2 ATM interaction

This section looks at the safety issues relating to interoperability of UAVs with Air Traffic Management (ATM) - particularly the personnel and technical systems. As DeGarmo notes [DeG04 section 2.3.1] a key part of understanding the concern this aspect causes is that, because of current segregation, very few UAVs have interacted with Air Traffic Control (ATC) and the ATM system, so it is difficult to predict what the real impacts might be. He postulates that it may be more an issue of uncertainty than any specific technical challenge. As I suggested previously (section 1.1.1), when people are faced with the unknown, they seek to impose their existing understanding and regulations upon it. Let’s look at some of the specific issues.

The Requirement for 'Transparency'

The CAA's CAP722 Guidance for UAV Operation in UK Airspace [CAA04] sets the tone that is common to a lot of other authorities: "UAV operation is expected to be transparent to Air Traffic Service (ATS) providers. The UAV-p will be required to comply with any air traffic control instruction or a request for information made by an ATS unit in the same way and within the same timeframe that the pilot of a manned aircraft would." I.e. that the only difference an Air Traffic Controller would notice would be the 'UAV identifier' on his screens. But is this level of transparency feasible? We have already looked at some ways that UAVs are basically different from manned aircraft (section 1.1.1), so what are the implications for mixing them with the existing ATM elements?

ATC Systems

ATM in most developed countries has well established technical systems to assist ATC to track aircraft, request information from and pass instructions to the pilots of manned aircraft. How well can UAVs fit with these systems? Marsters & Sinclair [Mar03 part 3] in 2003 were suggesting a requirement for Transponder Mode S in Canadian domestic airspace, to allow ATC to interrogate / track UAVs; and the CAA [CAA04] and EUROCONTROL [UTF04] both specify an impressive list of required equipage, to be consistent with existing levels for manned aircraft in particular types of airspace. But UAVs (particularly the smaller types) will struggle to comply because of limitations of space, payload or even the available power. DeGarmo [DeG04 section 2.3.5] takes up this issue of equipage, but focusses on the navigational requirements. With incoming Area Navigation ('RNAV') procedures, regulations generally state that aircraft must "retain the capability to navigate relative to ground-based navigational aids" such as Very High Frequency (VHF) Omni-Directional Range (VOR) for certain airspace types. However, most UAVs use GPS in isolation, and would not be able to carry VOR fit. It may be that UAVs will need the eventual back up of the European Galileo and Russian GLONASS systems to provide the required reliability to satisfy the authorities on navigational reliability in controlled airspace [Bon05] (i.e. Group 4 and 5 UAVs as defined in section 1.1).

[DeG04 section 2.3.1] extends this discussion to consider the Air Traffic Controller's display information. Because UAVs have different characteristics (see Section 1.1.1 of this report), he suggests that it is likely that they will need some specialized attention - hence unique ID or symbol on display. He takes this first simple idea further by proposing that it may also prove valuable for ATC to know if the UAV is under manual or autonomous control; maybe even the need for a separate location / registration for the GCS, in case ATC need to speak directly with the pilot (while it is not discussed, I would propose that this would be even more crucial if the same GCS has control of several UAVs - the need for ATC to talk to the 'control node' if one or more of the associated UAVs acts out of turn).

[DeG04 section 2.3.2] also turns around the issue of ATM system integration in noting the need to ensure not just system compatibility but also interoperability - that UAV and ATM systems do not interfere with each other. In section 1.1.2, we considered the issues around datalinks spectrum availability, but there are broader EMI effects due to the high-power nature of some of the ATM ground based systems (such as Precision Approach Radar) that the system will need to be proofed against.


Voice Commands

In Marster's suggested flight approval process, put forward in 2003 [Mar03 part 3],he suggested the requirement for 2 way communications between ATC and 'vehiclecommander', to allow flights in domestic Canadian airspace. Most proposed regulation since[e.g. UK in CAA04, Australia in CAS04] has similarly stipulated or assumed direct voice

communications between ATC and the UAV pilot or controller. DeGarmo, once again[DeG04 section 2.3.4], takes up the practicalities of this proposed requirement, noting theneed for ATC compatible VHF radios for voice comms. This is quite an overhead, as theUAV has to carry two radios (usually) to allow receiving of the voice comms from ATC (say)and simultaneous onward transmission to the GCS (and vice versa). DeGarmo suggeststhat in the long run, it would be useful have ATC comms 'split' with both an air transmissionand a ground relay direct to the GCS - but while this would improve reliability (lesstransmitters and receivers than needed at present) it would require significant resource tobuild up such an infrastructure, and it is hard to see how cash-strapped ATM services would jump to provide this until the requirement on them was made explicit.

All of the writers above have made an implicit assumption of the system - that voice comms must be relayed to the ground pilot. However Schneider [Sch04, chapter 6] takes a different view and instead urges the US to push research to allow UAV autonomy, through airspace situational awareness and speech recognition of ATC voice commands. Particularly where a single GCS has overall management of a number of UAVs but each has a measure of its own autonomous control, this must be the eventual approach, with each UAV having the ability to understand and communicate in speech, just as it will have in other information forms.

The expectations of the Air Traffic Controller

Let's turn to look at the human side of the ATM system, and especially how the ATC expects the UAVS to react in a 'transparent' manner. As we noted above in the introduction to 'The Requirement for Transparency', there are some aspects of UAV behaviour and characteristics that are plainly different to manned aircraft - how can these truly be absorbed into the existing ATM system? Some aspects we have discussed elsewhere, in particular the ATC expectations with regard to UAV characteristics (see 1.1.1), Airmanship (see 1.1.4), and Collision Avoidance (see 1.2.3). Here we look more generally at ATC expectations of UAVSs.

Marsters and Sinclair [Mar03 part 3] proposed that UAV operators would need a suite of Standard Operating Procedures covering all normal and abnormal flight conditions: the review and approval of these procedures by the ATM authorities would then form the basis for approval of that operator to conduct UAV flights. The CAA [CAA04] follows this approach, with similar requirements for a suite of procedures to foster planning and authorisation. This seems to be the general civil way, and we have already looked into this in section 1.2.1. DeGarmo [DeG04 section 2.3.1] looks more specifically into the procedures and expectations for conduct of flight in controlled airspace (such as might affect a Group 4 or 5 UAV). He suggests that where there are existing ATM procedures and routes (e.g. for Instrument Flight Regulations (IFR) ascent through airspace), these will have been built around the expected performance capabilities of manned aircraft - some UAVs will fit in this envelope, but others won't: thus, the ATM will either have to exclude them (not optimum for our vision of integrated airspace), or develop new routes / procedures to accommodate these specifically. DeGarmo's study also considers a UAV specific hazard, due to their sensitivity to wake turbulence (particularly the lighter wing loading of Long Endurance UAVs); current vertical separation minima may be inadequate for these UAVs, hence they could require special treatment in order to fly safely along existing corridors.

While most regulators are busy hammering home their requirement for transparency from the start, the Swedish Aviation Safety Authority seem more willing to take a practical approach in these early days of integration. In the paper proposing the Swedish approach until the EASA regulations mature, Wiklund [Wik03, section 3] proposes that, initially, it will be useful for 'special Air Traffic Controllers' to be lent to UAV programmes, to provide specific attention to separation of UAVs from other traffic - in this way, experience can be built for both UAV operators and the Controllers. This approach seems ideal as an answer to DeGarmo's point noted at the very beginning of this section that most issues may be due to inexperience and uncertainty, rather than hard technical concerns.

The Demands of Increased Traffic

Even without the addition of UAVs, ATM systems are facing the problem of trying to reduce aircraft accidents while the number of manned aircraft looks set to increase significantly over the coming years. How will UAVs add to this? DeGarmo [DeG04 section 2.3.8] says the answer is... that we don't know! We need to study the effect of UAVs on airspace (and controller) capacity, including simulation of UAV numbers and looking at how different types of UAV and their varying performance characteristics affect the balance (see section 1.1.1 of this report). Factors such as the incredible endurance of some types (from 30 hours up to months at a time) mean that there aren't just more aircraft (with UAVs) but they are airborne and loading the system for much longer.

Emergency Procedures

ATM systems set particular store in contingency planning, especially how to handle particular risks associated with aircraft, such as propulsion failure or communications loss. How will UAVSs and ATMs interact for UAV emergencies?

Marsters [Mar03 part 3] suggests that UAV operators establish procedures for dealing with Loss of Control Datalink - flight profiles, recovery areas, diversionary airfields if appropriate. Other critical failures that could require Abort and Flight Termination procedure (a UAV unique feature discussed in 1.1.1) need to be established and briefed to ATC. He also states that the UAVS should have the capability to allow the UAV commander to squawk an emergency code independent of the vehicle itself, to allow independent broadcast of the emergency state to ATC and all potentially affected traffic. This seems like a good idea at first, but perhaps should be reflected on after consideration of the particular failures that might affect a specific system - e.g. a highly autonomous UAV could fly on perfectly safely, perhaps, without the need to 'frighten the locals' in the event of a communications failure. I'm not sure if DeGarmo is hinting at this [DeG04 section 2.3.1] when he states that "The procedures to be taken by the vehicle will need to be communicated or predictable to the controller." I take this to mean that the procedures may be specific to a particular UAVS and its capabilities, provided that they are then made clear to ATC personnel who may interact with it. DeGarmo does try and standardise some of the emergency procedural aspects of UAVs [DeG04 section 2.3.7] by suggesting that aspects such as designated flight termination areas be declared and coded into available ATM databases, to ensure all are aware and plan accordingly. This would go a long way to make the common elements of UAV emergency procedures become second nature to operators and ATC alike.

Airfield Operations

A significant aspect of ATM interaction can occur before the UAV even leaves the ground. How does the 'unmanned ground vehicle' cope with taxiing, braking, etc in a ground controlled environment such as a shared airfield? DeGarmo [DeG04 section 2.3.9] suggests that because taxiing requires precise ground movements and the ability to search for obstacles, most current UAVs lack this and so are towed out to the Take-off position / back from the landing position. While simple for the UAV, this must increase the risk to the ground-crew and slow down operations - future UAVs will have taxiing capability, there can be little doubt. Part of the problem is for the UAV to recognise visual signals such as traffic lights for manoeuvring, as noted by the Joint European UAV Task Force [UTF04 section 7.18]. They suggested that UAVs need a Ground Operator to interpret for the UAV and intervene. In a telephone call with Parc Aberporth Operations Manager, it was confirmed that recent UAV operations had been achieved by towing the vehicle out to the launch point, thus avoiding the issue, but that proposed UAVs had a taxiing capability and that it was considered that a Ground Operator would look after the vehicle in the confines of the airfield (on the ground or on Take-off up to 50ft) then hand over to the main GCS for the remainder of the sortie. In the longer run, it is perceived that new UAVs will require autonomous ground operations to maintain the airfield movement tempo at busier airfields - this may even prove safer than manual control, as some high profile manned aircraft accidents (such as at Tenerife) have unfortunately shown.

The paragraph above noted that current UAVs generally use manual take-off and landing. In the very near future, automatic TO/L systems are expected to be introduced. [DeG04] and others suggest that Differential GPS (DGPS) will be a key technology, as plain GPS will not be precise enough.

One last aspect of UAV airfield operations concerns landing at a diversionary airfield - will they be able to cope? The ASTM [AST05, 2], in their study noted the lack of standards to define how airports should deal with UAVs, in the event that they became an unexpected diversionary. Suddenly, an airfield might find themselves having to cope with the various issues noted above. Again, I suspect that this is really an issue of inexperience: in most cases, operators will file a flight plan and declare the diversionary airfields that they may have to use. Just as a civil Boeing 737 operator would only nominate a known 737-compatible airfield, the same would surely be true of a UAV operator, and part of planning will be to liaise and agree on diversionary procedures and facilities (as noted in 'Emergency procedures' above).

1.2.3 Collision avoidance

The reader might wonder why there is a specific section on 'collision avoidance', when it seems that the majority of the other sections have already focused on safety issues relating to potential collisions. The reason is that, as Platt implies in his paper [PlP05], international regulators have followed a philosophy of layered defences to avoid collision risks. Platt talks of three layers that must be provided and prove independently effective (i.e. faults in one layer cannot be offset intentionally by dependence on another layer):

1. The outermost layer - strategic conflict management - is achieved through the overall structuring of airspace by type (to separate aircraft classes and capabilities) and use of ATM to maintain efficient flows and manage the overall traffic structure.

2. The middle layer is separation provision. This layer exists to ensure that separation minima are maintained if strategic management has been compromised. This is achieved through declared separation minima (to ensure adequately low risks), regulated Rules of the Air for flight planning and Rights of Way for airmanship, and specified equipment lists to ensure navigational accuracy and aircraft detection.

3. The innermost layer is collision avoidance. At this point, safe minima have been breached, and the successful outcome is simply to achieve a miss through emergency action. This is (currently) achieved for manned aircraft through visual lookout and gradual introduction of assisting systems such as Traffic Alert & Collision Avoidance Systems (TCAS).

Layer 1 is strongest (i.e. it is mandatory) in controlled airspace (class A-E in the UK FIR - see 'Note on UAV classification' in the introduction to the Literature Review), and is advisory where available in Class F airspace. In Class G, the home of most General Aviation, conflict management relies on layer 2 initially, and if this breaks down, then layer 3 is required to independently maintain safety. UAVS issues pertinent to strategic conflict management and separation provision are discussed in the other sections of this report. This section mainly focusses on collision avoidance as defined above.


Ground Collision Avoidance

Ground collision avoidance (or terrain avoidance) is somewhat the 'poor man' of UAVS literature, and not a lot is said about it in any detail. Perhaps this is because it is considered to be better understood, with more easily identifiable criteria drawn from manned aviation. The CAA in CAP722 [CAA04] merely state that an approved method of assuring terrain clearance is required, but do not give specifics. We could assume that the requirement is for 'equivalence' with methods in use in manned aircraft. This is supported by the EUROCONTROL position in [UTF04], which implies this by reference to existing Ground Proximity Warning Systems (GPWS).

The Australian and Swedish regulations ([CAS04] and [Wik03] respectively) do not go into detail about terrain avoidance so much as population avoidance. Both establish restrictions for flight over populous areas; the Swedes justify this position with details of their calculations for acceptable levels of ground fatalities (see section 1.1.4).

Most literature tries to lump ground collision avoidance into what they consider is the bigger problem of air-air collision avoidance. Whittaker [Whi05], DeGarmo [DeG04] and Platt [PlP05] infer that ground avoidance will be solved as part of the wider 'sense and avoid' debate (see below). I suggest that this is somewhat simplistic, because down in the detail, characteristics for ground / obstacle target detection will be very different from point air targets, and the technical solutions and airmanship requirements will be likewise quite different. Fairly simple ground collision avoidance may be achieved, for example, through GPS and terrain database use (such as existing GPWS) - and this may be achieved in the UAV, or possibly in the GCS by relating the UAV's telemetered position. Some discussion over the acceptability of such solutions is presented in section 1.2.2, under ATC Systems.

Air-Air Collision Avoidance

Airmanship & Situation Awareness

We have already mentioned the role of procedures and regulations in the layered approach to conflict management, and this continues into the collision avoidance inner layer. The Joint European Task Force review the arrangements in [UTF04] - these are summarised here as: ICAO establish basic Rights of Way (RoW) for aircraft depending on their class, airspace and attitude; pilots are expected to respect these RoW using airmanship, in order to either stand on or take avoiding action as appropriate to the RoW. In the last-ditch event that the appropriate aircraft does not take action, the stand-on aircraft must take emergency evasive action anyway, to suit the particular collision situation. This implies that, in order to respect the RoW, the UAVS must be aware of its situation in terms of the factors that determine who has right of way, and be able to react accordingly.

In CAP722 [CAA04], the CAA list a number of factors that affect the outcome in any particular collision avoidance scenario. The situation will vary depending on: whether all involved aircraft comply fully and correctly with the Rules of the Air; the controllability and manoeuvrability of each aircraft and their respective flight performance; the level of autonomy of operation and control (in terms of the involvement (or not) of a ground pilot). In general, these aspects for UAVs are discussed in sections 1.2.1, 1.1.1 and 1.1.3 respectively, but it is important to note their implications at this safety critical situation.

Conspicuity - being seen

In order that other aircraft may respect the UAV's position to the RoW, they need to be able to see the vehicle and its attitude. This issue is identified by the Swedish Aviation Safety Authority [Wik03]. Will other traffic be able to see the UAV? Will the UAV carry enhancing equipment (e.g. transponder, warning lights)? DeGarmo [DeG04] also identifies this issue. Many UAVs are fairly small making them tricky to see, and even if seen can prove difficult for the other pilot to judge their distance and closure rate.

Seeing and Reacting - Detect / Sense & Avoid

The Rules of the Air set requirements for aircraft pilots to See and Avoid other aircraft according to the established RoW, as discussed above. Here is the crux of the issue - it is generally believed that the UAV-p cannot adequately provide this function, as he will not have the required field of view and because of the complexity of the data link and control latency ([LeT02]). Currently, there are no approved collision avoidance systems suitable for 'Sense and Avoid' (the non-human equivalent of See and Avoid) and no accepted criteria against which to develop such technology, and this is the main impediment to UAV integration into manned airspace ([Ste05]). The issues that lead to this state of affairs are discussed below.

In CAP722 [CAA04], the CAA provide a list of 'Sense and Avoid' (S&A) factors, most of which are generally applicable to UAVS operation in all layers of conflict management. The document sets the requirement for a 'Method of sensing other airborne objects' but then goes on to say that it is not possible to define suitable criteria for a Sense and Avoid system, until suitable technologies and their capabilities start to emerge in more detail. The best that they can currently suggest is to seek an Equivalent Level of Safety as for current manned aircraft. Schneider [Sch04] on the other hand, pushes the US government to support development and validation of robust 'Detect, See and Avoid' (DSA) requirements first, before trying to develop technology solutions. Personally, I feel these things must happen in parallel - requirements for specific classes of UAVs could be worked up through modelling, but need to be tailored with the art of the possible, as development of possible technologies yields information on likely sensor performance. In this way, an effective sense & avoid capability might be achieved by using a combination of methods, rather than coming purely from a requirement or single technology focus. More is discussed on criteria, below.

Marsters, in his earlier attempt at defining UAV regulatory requirements [Mar03], notes the problems with setting the baseline as 'ELOS' to manned aircraft, due to the examples where this has gone catastrophically wrong in the past. He calls for UAVs to be equipped with the emerging technologies of the day - TCAS and GPS-based Automatic Dependent Surveillance - Broadcast (ADS-B). But this is only part of the problem solved. DeGarmo [DeG04 section 2.1.1] notes that such existing systems can help detect co-operative aircraft, i.e. those carrying the required systems and transmitters to make their whereabouts known: but to be allowed into all classes of airspace, UAVs will need to be able to sense and avoid non co-operative objects, such as most general aviation, microlights, even birds and ground obstacles such as masts. DeGarmo notes the activities of ASTM and RTCA to try and establish suitable criteria for such non co-operative S&A systems, to provide ELOS to manned aircraft (see section 1.2.1). The paper looks at some developing technologies, discussing aspects such as field of view, detection ranges, false alarms, and performance in reduced visibility (though how does this compare with the human pilot's capability in such conditions?). Conversely, it notes that, if the Sense & Avoid is not entirely provided on-board but requires interaction with the GCS, then there may be issues with decision making and data latency.

This is a timely point to discuss the shortcomings of manned See & Avoid. As noted by Marsters, in his paper with Sinclair [Sin03], there is a useful consideration of manned See & Avoid, and reference to work on the shortcomings of the unaided pilot. Marsters and Sinclair argue that UAV Detect & Avoid (or Sense & Avoid) must outperform human equivalence to ensure safety - though a fair portion of this may come from the fact that technical systems will provide constant scan, rather than being distracted as the pilot often is. In their review of a number of studies, results were showing that the performance of an 'alerted pilot' averaged about 1.6nm detection range, while modelling of Global Hawk closing speeds, manoeuvrability and datalink lags was suggesting a required detection range of ~7nm. This will vary considerably depending on the UAVS and whether the avoidance manoeuvre is initiated by the vehicle itself or by manned intervention, but shows that a simple ELOS will pose some difficulties.

1.2.4 Security and safety

There is no doubting the increased awareness over security issues that affects aviation generally, since the events of '9/11' in 2001. But some suggest that UAVs potentially pose an increased risk, due to vulnerabilities that we will look at below. Some have even suggested that UAVs have an added 'attractiveness' for malicious terrorist use, because of their unmanned nature [UTF04, 7.15]. Whether these suggestions are realistic or not, the fact is that security is a critical issue that UAVs will have to prove they have mastered, before being allowed into potential threat areas.

The suggested areas of concern all stem from the expanded system boundary that encompasses the UAVS as a whole (which we have already discussed in section 1.1.2). Let us now look at the impact of the external, malicious world on the system of systems.

Jamming of Navigation Systems

Although talking primarily about military applications, the Defense Science Board study [Sch04] raises the valid point that most current generation UAVs use GPS based navigation, and urges the fitting of jam-resistant GPS as a matter of course. Unless suitably hardened, civil UAVs could likewise suffer loss of their sole position fixing capability, with potentially critical consequences.

Communications Signal Security

As the Joint European UAV Task Force note in [UTF04, 7.15], UAVs are currently (and for the foreseeable future) dependent on the integrity of the command datalink (see discussion at section 1.1.2). Maintaining integrity from blunt jamming tactics down to more subtle spoofing or stealing of control will have to be addressed. DeGarmo [DeG04, 2.2.2] suggests that modern encryption techniques and user authentication methods can help with the latter, but would not be able to assist against high-power jamming. He also suggests (sensibly) that UAVs will benefit from other signal-based industries which are working to obtain secure communications techniques.
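The distinction DeGarmo draws can be shown in a short added example (not taken from the report or from any fielded datalink): message authentication with a sequence counter rejects spoofed, altered and replayed commands, while jamming appears only as silence that a link-loss timer has to catch. The frame layout, command ids, key and timeout are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

# Hypothetical frame layout (constructed for this example, not a real datalink):
#   4-byte sequence counter | 1-byte command id | payload | 16-byte HMAC tag
HEADER = struct.Struct(">IB")
TAG_LEN = 16
CMD_SET_WAYPOINT = 0x01   # hypothetical command ids
CMD_TERMINATE = 0x7F


def _tag(key, body):
    """Truncated HMAC-SHA256 over header and payload."""
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def seal(key, seq, cmd, payload=b""):
    """Ground station side: build an authenticated command frame."""
    body = HEADER.pack(seq, cmd) + payload
    return body + _tag(key, body)


class CommandReceiver:
    """Vehicle side: accept only fresh, authentic frames and track link health."""

    def __init__(self, key, link_timeout_s):
        self.key = key
        self.link_timeout_s = link_timeout_s
        self.last_seq = 0            # highest sequence number accepted so far
        self.last_valid_time = 0.0   # time of the last accepted frame
        self.rejected = {"malformed": 0, "bad_tag": 0, "replay": 0}

    def receive(self, frame, now):
        """Return (cmd, payload) for an accepted frame, otherwise None."""
        if len(frame) < HEADER.size + TAG_LEN:
            self.rejected["malformed"] += 1
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        # Constant-time comparison; a forged or altered frame fails here.
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            self.rejected["bad_tag"] += 1
            return None
        seq, cmd = HEADER.unpack_from(body)
        # An authentic frame with an old counter is replayed captured traffic.
        if seq <= self.last_seq:
            self.rejected["replay"] += 1
            return None
        self.last_seq = seq
        self.last_valid_time = now   # only accepted frames keep the link alive
        return cmd, body[HEADER.size:]

    def link_lost(self, now):
        """True once no valid command has arrived within the timeout.

        Authentication cannot prevent this state; the vehicle's pre-briefed
        loss-of-datalink procedure has to take over when it is reached.
        """
        return now - self.last_valid_time > self.link_timeout_s


def run_demo():
    key = bytes(range(32))                     # constructed sample key
    rx = CommandReceiver(key, link_timeout_s=5.0)
    genuine = seal(key, 1, CMD_SET_WAYPOINT, b"WP07")
    results = {"valid": rx.receive(genuine, now=0.0)}

    # Spoofing: a well-formed frame built without knowledge of the key.
    forged = seal(b"\x00" * 32, 2, CMD_TERMINATE)
    results["forged"] = rx.receive(forged, now=1.0)

    # Replay: the captured genuine frame is sent again unchanged.
    results["replayed"] = rx.receive(genuine, now=2.0)

    # Tampering: one payload bit flipped in an otherwise genuine frame.
    tampered = bytearray(seal(key, 3, CMD_SET_WAYPOINT, b"WP08"))
    tampered[HEADER.size] ^= 0x01
    results["tampered"] = rx.receive(bytes(tampered), now=3.0)

    # Jamming: no valid frame gets through, so only the timer can react.
    results["link_lost_at_4s"] = rx.link_lost(now=4.0)
    results["link_lost_at_10s"] = rx.link_lost(now=10.0)
    results["rejected"] = dict(rx.rejected)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```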

None of the papers reviewed discussed the basic visibility of the signal to unwanted parties - an aspect of security can be to use specific frequencies to minimise 'broadcast' of the UAVS operation, or frequency-agile systems that both minimise possibility of detection, and reduce the effect of jamming to those frequency segments in-band.

Ground Infrastructure

This aspect relates to the simple physical security of the ground-based elements, of which there may be many in an extended system of systems. DeGarmo [DeG04, 2.2.1] states that this has seen little interest shown by UAV operators to date, but could be a major and direct way to affect or overthrow the control of the UAV. This would be particularly true for mobile systems (having less opportunity for fixed barrier based security); and for distributed systems with control elements located at various points around the world (such as recent US Predator operations in Iraq, controlled via datalink from Nevada but with Iraq-local control elements involved also).

Flight Planning and Data Security

DeGarmo [DeG04 2.2.3] goes on to consider the security implications of the data elements of the UAVS. All manner of digital data is involved in a successful UAV operation, from the databases used to plan missions and avoid terrain, to the specified flight plan itself, the coding of ground and UAV control functions, etc. The US (and UK CAA repeat the requirement in [CAA04]) require security of systems to detect and counter all attempts to corrupt critical systems and data before / during / after loading.

1.2.5 The Human Element

There are human aspects cutting across many of the other issues we highlight - in ATM (section 1.2.2), collision avoidance (1.2.3), security (1.2.4), and notably in our discussions over UAV accident rates (1.1.4) and the man / machine boundary of autonomy (1.1.3). In this section we focus specifically on the human element of the UAVS. From very general Human Factors issues, we extend the discussion to cover organisational issues and then personnel qualification and skill levels.

Human factors

We have already looked at UAV accident rates, in section 1.1.4. There, we noted DeGarmo's assessment [DeG04, 2.1.3] that Human Factors (HF) accounted for some 17% of the UAV accidents where information was available. He commented that this was lower than the comparable figure for manned aircraft (~80%) and seemed to be proportional to automation levels and (where responsibility lay with the UAV-p) the datalink update rates. The dominant Human / Machine Interface (HMI) aspects related to: the ground 'cockpit' environment; the available cues from the UAV and displays; the UAV-p skill levels; levels of situational awareness and a suggestion that the low personal risk to the UAV-p removed him somewhat from trying to recover difficult situations. Schneider [Sch04, chapter 3] suggests that the majority of UAV mishaps were due to the relatively low experience level of operators & maintainers, and LaFranchi [LaF05-2] echoes this with his account of Canadian Army experience with deploying the Sperwer system in Afghanistan. After only a short training course, they found themselves having to adapt their training to a new and hostile environment. In the second of 2 crashes (in 3 months), the GCS took manual control on approach to land and flew the vehicle into a ridge, in spite of a ground proximity alarm sounding for some 30 seconds before impact, and there being 4 personnel in the GCS including a certified manned aircraft pilot.

The JAA / EUROCONTROL Task Force cover HF as a specific discussion topic, focusing on the HMI ([UTF04, section 7.10]). They saw issues with the lack of physical (and particularly visual) cues that allow the pilot on board to recognize some failure scenarios and to decide the suitable decisions and actions to take. There were also concerns at the current shortage of experience in civil UAV operations, which compares well with Schneider's and LaFranchi's concerns noted above.

However, Williams [Wil04] believes that it is difficult to draw general Human Factors conclusions, because the HMI is so very different between systems. He could not find consistent HF causes between the US military accidents that he analysed (see more general discussion in section 1.1.4). He does, though, raise two interesting points at different ends of the human factors / automation / airmanship spectrum:

o Predator is a UAV which acts very much as an RPV - it is 'flown' by a pilot using cockpit-type controls from the GCS, using a camera in the UAV to present a 30 degree forward view to the pilot. Predator suffered the highest percentage HF accidents (~65%) of the 5 systems he analysed.

o Global Hawk is another US Air Force UAVS but is very automated with the UAV-p merely monitoring the aircraft progress. Global Hawk had relatively low HF accidents (~30%). However, the system is automated through fully pre-programmed missions from take-off to landing (rather than autonomous decision making) and the planning for a mission can take up to 270 days to achieve. Hence there have been HF accidents caused by small but significant errors buried within the complex mission planning.

Human Factors is a tricky issue for UAVS, due to the complex system boundary, and in particular due to the growing influence of autonomy. In part, this is necessary to offload the pilot and allow aspects such as multiple UAV operation (see 'autonomy v ground control' in 1.1.3). Nevertheless, we should not forget that accidents can occur when the human operator does not understand what the highly automated system is doing, and tries to override it with disastrous consequences. This key issue is discussed in several York Advanced MSc course modules (Human Factors Engineering (HFE) and Foundations of Safety Engineering (FSE) especially).

Organisation

In section 1.2.1 (Regulation etc), we noted the EASA drive [EAS05] for 'Total safety' as shown in Figure 1.2.1a. This clearly indicates the involvement of the operating organisation and personnel, in the safe maintenance and operation of the UAVS. In 1.2.1 we discussed the push for 'equivalence' with manned aircraft based regulation, where here we try to discuss the inherent safety issues.

Marsters [Mar03] assumes that an applicant for a UAV clearance will have already obtained a UAV Operating Certificate covering global activities for his system, with an approved organisation and competent staff / operators, vehicle safety history and analysis, design standards, operating manuals, etc. He does not explicitly discuss why these are required. EASA and the Joint European Task Force discuss organisations [UTF04 section 6.3.3.3] but do not get beyond the requirement for equivalence to manned systems and application of licencing regulations. The CAA likewise in [CAA04] state requirements against existing regulation.

The Swedish Aviation Safety Authority also discuss organisational requirements [Wik03], initially suggesting parity between UAV and manned aircraft organisations, but then suggesting that there could be flexibility - the UAV system operation organisation requires proportionality with the UAV system complexity and operating conditions - simpler systems and environments would allow simpler organisations. Wiklund suggests that the organisation will probably vary at different stages of a project. "During the design stage the emphasis may for example be on technical competence with advisory operational competence, while in the test stage further practical operational competence will be added and in the operational stage the emphasis will be on practical operating competence." It is clear that the drive here is for competence within the organisation, with experience, to be able to recognise and resolve the safety issues arising at that point in the programme.

Schneider [Sch04] sees the organisation playing a key role in addressing the HF safety issues noted above, due to low experience among UAVS maintainers and operators. He pushes the US government that operator and maintenance organisations should explicitly plan for the recruitment, training, career development of personnel to improve retention of the experience necessary to operate UAVS safely. Schneider suggests that military organisations currently do the very opposite, by forced posting and promotion of experienced operators out of the organisation.

From the literature reviewed, there did not seem to be specific organisational issues related to UAV operation and maintenance, other than that noted by Schneider, above. Else, the literature was driven by the requirement for equivalence with manned aircraft, on the read-across assumption that a competent organisation (with competent personnel and appropriate procedures and plans) supports the overall aims for safe UAV operation and maintenance. However, from our discussion over aspects such as ATM (1.2.2) and the complex system boundary (1.1.2), I would propose that there could be issues related to the transfer of data between organisations, to support accurate mission planning, establishment of appropriate emergency procedures, etc. What is a safety issue is thus the complex organisational interfaces within the overall system of systems.

Suitably Qualified and Experienced Personnel

Experience levels among personnel are clearly an issue, as noted in both sub-sections above. Here we discuss the qualification aspect of their necessary competence.

The CAA in CAP722 [CAA04] discuss the UAVS 'crew' consisting of a UAV commander and (potentially) one or more UAV pilots (UAV-p). While the UAV-p is a qualified person who is actively exercising remote control of a non-autonomous UAV flight, or monitoring an autonomous UAV flight, the commander is the person charged with overall responsibility to the CAA: he assumes the same operational and safety responsibilities as the captain of a piloted aircraft performing a similar mission in similar airspace. Hence the commander must be qualified to meet manned aircraft equivalents for the airspace and meteorological rules that the UAV will operate within, while the UAV-p may be less stringently qualified to meet the training, experience and currency requirements set out by the organisation. This would allow UAV operation in accordance with current military training regimes, where the UAV is controlled by an operator who may not have manned aircraft qualifications but who can direct the UAV to a specific location (rather than fly it manually using traditional controls) - but would require an overall commander to oversee and ensure safe operation in accordance with the Rules of the Air. The Australian Civil Aviation Safety Regulations in CAS 101 [CAS04] have rolled out a similar view of pilot certification. The issue here might be how many UAV-p could safely operate under one commander, while ensuring safe operations. The issue is heightened when a single UAV-p could conceivably be controlling more than one UAV, due to the apparent simplicity of the interface. DeGarmo [DeG04, section 2.4.5] picks up on these aspects. He says that UAV-p certification is not simple, because of the variation in UAVS and their operating intent: simple UAVs may act like model aircraft, staying within visual contact; others will be operated beyond Line of Sight, possibly in swarms of multiple UAVs; some will require direct pilot-like input as RPVs; others will have automated systems requiring only location designation, or even be operating near-fully autonomously. While the UAV design will force part of the training regime, predominant factors might be the outside world, e.g. the operational environment (other traffic, ATC, etc). DeGarmo suggests that a similar licencing system could be operated to that currently for aircraft pilots, where specific ratings are earned appropriate to the type of aircraft being flown and the type of operation to be undertaken. This would, he says, require extensive tailoring to suit UAV differences (as discussed in 1.1.1). DeGarmo finishes with a discussion of the role of the UAV-p compared to the commander (or controller as he calls it). While this is a potential solution to the training / skills issue, he implies that it is another interface that would need careful implementation.

1.2.6 Public perception of UAV safety

As we touched on briefly in Section 1 under 'Current and Future Directions', the pull of the market for civil use is still uncertain, and gaining public acceptance of the safety of UAVs will be an important part of any success. So what is the public perception?

The CAA has, so far, taken a 'gut instincts' view that the perception is at best neutral and at worst fearful / mistrusting. Whittaker in [Whi05] looks briefly at potential ground and air collisions featuring UAVs: in the former, he contrasts the manned aircraft ground collision headlines ("AIRCRAFT CRASHES NEAR SCHOOL - Pilot swerves into trees to avoid risk to children") with those for a UAV ("TERROR AS GUIDED MISSILE ALMOST HITS SCHOOL - Shocked parents demand Public Inquiry"). For collisions in the air between UAV and manned aircraft, he takes the view that such occurrences are seldom survivable for the people involved, and the unmanned aircraft will doubtless be blamed by the public, no matter what the reality of the situation. In essence, he is talking about a media-led onslaught, (mis-)informing a public with no alternative positive views of the benefits of UAVs.

DeGarmo [DeG04, Section 2.5.2] takes a broader view. He proposes that the public can be courted with a reasoned debate over the benefits that can be gained (i.e., greater security, improved information, more services, lower costs) versus the potential costs (i.e., increased noise, pollution, privacy concerns, safety risks, delays) and that this 'marketing' will be a key requirement to gain acceptance and enable market forces. However, he also notes that such a build up of trust will take time and be fragile, as it would be easily damaged by any high profile accident. He quotes a public opinion survey of air users in 2003, which stated that 68% were happy with the idea of UAVs for cargo and commercial use, but only a small percentage would be happy to allow unmanned passenger-flying aircraft. While this, at face value, suggests that people might be happy with the risk associated with UAVs flying overhead, to me it implies that, as soon as the risk might actually impinge on them, their acceptance drops massively.

In the end, then, DeGarmo under the microscope brings us to the same conclusion: that in the event of an accident, the media will hold sway over any expert discussion over the significance of risks posed by UAVs to the public, be they in the air or on the ground. UAVs will have to prove themselves 'safer than safe' or face a similar bad press over safety as the rail industry, say. However, there is some hope that the public will have been educated beforehand, and the perceived benefits of UAVs will ultimately help restore confidence more quickly.


1.3 Summary of UAVS Safety Issues

1.3.1 Review of current UAVS safety issues relating to integration into unsegregated airspace

Sections 1.1 and 1.2 have covered a lot of issues with respect to UAV safety, and it is worth summarising these here, before proceeding further. Note that ** indicates an issue that has been taken forward in this project, as discussed in 'Focus for Project Development'.

(1.1.1) Impact of the Variety, Roles and Performance of UAVs 

1. UAV differences may introduce additional, unexpected hazards, for regulators trying to pigeon-hole them into manned aircraft categories **.

2. UAV performance differences from manned aircraft make them difficult to manage in a stream of manned aircraft traffic **.

3. UAV roles and missions make their behaviour unpredictable for manned aircraft traffic / ATC **.

4. UAV 'ad hoc' launch sites cause unexpected insertion into manned traffic.

(1.1.2) The complex system boundary for UAVs

1. Confusion over what the safety critical elements of a UAVS are (and then how to regulate them, if not currently covered by manned systems): elements such as datalinks, GCS, data flow around the UAVS, data sources outside the UAVS push beyond current manned aircraft experience.

2. The need for reliable datalinks (including Over the Horizon), teamed with the requirement to deal safely with datalink failure / corruption.

3. UAV sensors, datalinks, will compete for limited RF spectrum availability or face interoperability / interference problems.

4. Use of Beyond Line of Sight datalinks to overcome terrain masking extends the system boundary and hence the number of critical systems incorporated within the UAV system of systems.

(1.1.3) UAV autonomy - technology, predictability, complexity 

1. Current in-use definitions of autonomy level are over simplistic; but there is confusion over what factors give a better indication of system authority. Some are very broad, making it difficult to arrive at a clear indication (clear indication of autonomy level is called for in various papers, to give visibility over who is in charge of the UAV in case of emergency action being required).

2. Environment and mission context are proposed as drivers for required levels of autonomy - how will the system respond if pushed outside its parameters?

3. Autonomy level should be varied ("traded") to suit the operator's needs throughout the mission - will the operator know the extent of his control? Will the needs of the operator align with the needs of the regulators to enforce human control?

4. 'Agent Based' autonomous control introduces new areas of uncertainty:

a. These are novel applications in air vehicles and hence there will be issues of expertise, trust and clearance.

b. They require accurate capture and specification of the 'agent' behaviours beforehand - issues of knowledge acquisition (and requirements elicitation - see York module on RQE).


c. There will probably be more than one 'AI' method used to implement the decision making, and these will introduce new issues of architecture and integration.

5. Autonomy through software will entail solving the usual issues over system predictability. In particular, there may be difficulties trying to clearly separate safety critical elements from other functionality.

6. The knowledge, judgment and skill ('airmanship') necessary to fly predictably and yet flexibly to react to changing situations (such as weather) may be difficult to automate, or even specify.

7. UAV autonomous decision making must somehow be matched to expectation of ATC decision making tools (such as used to effect TCAS).

8. UAV actions in the event of datalink failure need to be predictable and dependable (for ATM interaction), yet airmanship demands the ability of flexible response **.

(1.1.4) Accident rates and reliability - UAV airworthiness 

1. The catastrophic failure rate for UAVs is currently too high.

2. There is little reliable accident data for UAVS occurrences - none sourced outside military programs, research-based systems, in high risk (non-civil) usage, and even that data is from a small sample compared to manned aviation data availability.

3. UAVs lack available, reliable system components (they currently have to use research-standard equipment or COTS items operating outside their intended environment).

4. UAVSs have not currently been designed, fabricated and maintained to manned aircraft levels **.

5. It is difficult to define what the 'Equivalent Level of Safety' or balanced safety targets should be for UAVSs.

a. Difficulties in identifying the equivalent class.

b. Differences in the lethality of UAVSs, from manned aircraft, and between different UAV classes.

6. To improve airworthiness, there are suggestions to apply FAR 1309-type philosophy to UAV flight-critical system safety design, and referrals to ARP 4761 as a suitable approach for safety analyses, but that these may require some amendment to suit differences in UAVSs **.

(1.2.1) Regulation, Certification and the Drive for Standards

1. Current UAV regulation demands 'equivalence' to manned systems, without being able to address UAV differences.

2. There are proposals that a 'total system' approach is required to address UAV-related regulation, but that airworthiness is currently regulated separately (by EASA) from operations, maintenance, ATM and airports (by national bodies such as CAA) **.

3. How to certify UAVSs? Studies suggest that, while a 'safety targets' [safety case] approach would be easiest to apply, it is necessary to apply a standards / requirements based approach to be consistent with ICAO rules, and because different regulators [see '2' above] force separate consideration of design from operation - but can the UAVS design and operation be cleanly separated without missing potential safety risks?


4. EASA suggest application of a .1309 safety assessment philosophy, to address novel aspects of UAVS design [refer to 1.1.4 item 6, above] **.

5. To apply standards-based certification requires standards to be defined for clear, safety critical design aspects, but these are difficult to define for UAVS [refer to 1.1.2 item 1, above].

6. Regulators wish to apply existing certification for operations (such as maintenance, flight operations) 'wherever possible', but their own studies show that many aspects of UAVS operations are not adequately covered, mainly because the scope of UAV work lies far outside the aspects that the regulation was intended to cover.

7. Several international organisations are pushing to establish consensus-based standards, but there is currently a competitive spirit between them, which may lead to several conflicting standards.

(1.2.2) ATM interaction

1. Because of current segregation of traffic, very few UAVs have interacted with Air Traffic Control (ATC) and the ATM system; hence it is difficult to predict what the real impacts might be **.

2. Regulators and ATM providers demand that UAV operation will be 'transparent' to ATM services, that UAVs will "...comply with any air traffic control instruction or a request for information made by an ATS unit in the same way and within the same timeframe that the pilot of a manned aircraft would." Yet there are many ways in which UAVs will react differently from manned aircraft [see 1.1.1 items 2, 3, 4 above, as well as the following items].

3. Regulators require specific lists of equipage for flight in controlled airspace, but (most) current UAVs lack the available space, payload or power to carry them all.

4. ATC controllers may require additional data feeds to inform them of UAV specific status (such as autonomy level), which conflicts with the drive for ATM transparency.

5. How will ATC controllers handle potential 'swarms' of UAVs under a common control node?

6. High powered ATM RF equipment may pose interoperability problems for some UAVSs [especially with reference to the crowded spectrum in 1.1.2 item 3].

7. UAVs will ultimately require capability for speech recognition and voice response as part of their autonomous behaviour.

8. Existing ATM routes and procedures have been built around manned aircraft: it is suggested that, for UAVs that don't fit the pattern, they will either have to be excluded (and forced into general airspace) or have new routes / procedures to accommodate them.

9. For lighter UAVs subject to wake turbulence, current vertical separation minima may be inadequate to allow safe flight.

10. The impact of UAVs (their numbers and long endurance) on air traffic, and its effect on ATC controllers and systems overall, has not been adequately modelled thus far.

11. ATM procedures want to hard-define procedures and flight termination areas to deal with UAV particular risks and emergencies, but the actual procedures may need to be varied to best suit specific systems (e.g. highly autonomous systems may be safer to fly on, rather than flight terminate, in response to the particular risk of datalink failure).

12. There are concerns over UAV operations on the ground, on shared airfields - associated with taxiing into obstructions / other aircraft, and being able to recognise and respond to visual signals that are used in airfield operations **.


13. Diversionary airfields may pose additional problems for UAVs, if the airfield is not adequately prepared to handle UAV traffic, or appropriate navigation facilities (such as D-GPS) are not available to provide sufficient accuracy for auto-land systems.

(1.2.3) Collision avoidance

1. 'Approved' methods of terrain avoidance have yet to be identified for UAVSs.

2. Most literature sources imply that terrain avoidance will be solved as part of the airborne collision avoidance / Sense & Avoid effort - but characteristics for ground / obstacle target detection will be very different from point air targets, and the technical solutions and airmanship requirements will be likewise quite different.

3. In order to respect the Rights of Way, the UAVS must be aware of its situation in terms of the factors that determine who has right of way, and be able to react accordingly. But each situation will be different depending on: whether all involved aircraft comply fully and correctly with the Rules of the Air; the controllability and manoeuvrability of each aircraft and their respective flight performance; the level of autonomy of operation and control (in terms of the involvement (or not) of a ground pilot) [refer to autonomy specification, in 1.1.3 item 6 above].

4. Due to the size, role and performance of UAVs, will manned aircraft pilots be able to spot them in order to respect the Rights of Way?

5. Some authorities believe that it is not possible to set criteria for Sense & Avoid systems - they must develop once the available technology performance and UAV systems definition become clearer. But others believe that the technologies for Sense & Avoid should not be developed until the necessary criteria are defined. Currently, there are no defined criteria.

6. Current technologies such as TCAS cannot be relied on, as they require all traffic to co-operate in carrying interrogating equipment. UAVs in general airspace must have Sense & Avoid that can detect non-cooperative traffic (which manned aircraft currently attempt to do using the pilot's visual acuity).

7. The nearest thing to S&A criteria is currently to establish 'equivalent level of safety' to manned aircraft. But high profile accidents have shown the fallibility of human visual collision avoidance. Also, initial modelling has indicated that human eye perception ranges fall short of the required detection range to avoid collisions.

(1.2.4) Security and safety

1. UAVS dependent on GPS based navigation may be susceptible to jamming unless jam-resistant systems can be fitted.

2. The command datalink significantly extends the responsibility to ensure safe control of the UAV, and practical solutions to avoid jamming, spoofing or stealing of the datalink need to be found.

3. The use of ground-based control elements (some distributed globally) extends the need for physical security of the system, beyond the airframe considerations of manned systems.

4. The data elements of the UAVS present a key security issue, to avoid corruption of mission planning, airspace and terrain databases, flight programmes, GCS functions etc.


(1.2.5) Human factors, Suitably Qualified & Experienced Personnel (SQEP) and organisations

1. Human / Machine Interface (HMI) aspects affecting UAV flight safety exist relating to: the ground 'cockpit' environment; the available cues from the UAV and displays; the UAV-p and maintainers skill levels; levels of situational awareness and a suggestion that the low personal risk to the UAV-p removed him somewhat from trying to recover difficult situations.

2. Human factors issues are difficult to analyse for UAVSs, due to the wide variety of HMI currently in use, and big questions over the interaction between the human operator and the autonomous level of the system [refer to 1.1.3 item 3 above].

3. There is a huge assumption that a UAV Operating Certificate covering global activities for the UAVS system, with an approved organisation and competent staff / operators, vehicle safety history and analysis, design standards, operating manuals, etc, will provide the main route to a safe UAVS operating within manned airspace. Is this tenable?

4. Current military organisations force regular rotation of personnel, so that there is not adequate build up of UAVS operating experience within the organisations.

5. The complex network of organisations, running the UAVS system of systems, control safety-involved data interfaces for the UAVS. This network is not adequately discussed or understood in the literature reviewed.

6. Where several UAV-ps (with lesser skills) may be under control of an officially recognised UAV Commander, what issues influence how many may be safely controlled without compromise? How does this vary with UAVS complexity / role / interface / autonomy levels? While regulators depend on the skills and experience of the UAV Commander, how does the interface between Commander and Pilot(s) affect the efficacy?

(1.2.6) Public perception of UAV safety

1. CAA perspective is that airborne collisions are seldom survivable, but other agencies are pursuing UAV characteristics (such as frangible materials) such that collisions may not be so catastrophic. Is this approach practical in terms of safety, and could it influence public opinion sufficiently?

2. How do media perspectives of UAV safety compare with actual public opinion, and with achievable levels of safety for UAV systems?

1.3.2 Focus for project development

From a review of the issues above, and the overall aims of the project, several options existed to take this particular study forward. After much reflection, it was decided that there was a common core of issues that could be addressed, related to the need for:

A. A better understanding of what the root hazards associated with UAVS integration are. [Predominantly 1.1.1 issues 1-3; 1.2.2 issues 1 and 12]

In exploring this aspect, the project would need a robust Hazard Identification (HazID) methodology, and understanding of the system(s) being assessed. Thus, it could also contribute to other, related aspects along the way, in particular:

B. Can a .1309 / ARP4761 safety assessment approach be used for UAVS, to identify hazards for solution during design / manufacture / operation? [Relating to 1.1.4 issue 6, 1.2.1 issue 4]

This approach thus relates to a number of the issues shown above - these are indicated with a double asterisk **. Along the way, it was hoped that the study would also provide useful information on other aspects, such as those on system complexity in section 1.1.2, but these would not be the primary focus.


PART 2 - DESIGN AND BUILD: MOVING FORWARD IN UAVS HAZID

The intent of Part 2 is to identify a robust method for Hazard Identification (HazID), based on ARP 4761. This would be used in Part 3 to assess a UAVS case study and hence investigate the root hazards of integrating UAVS into manned airspace.

This part of the project can be likened to Design and Build for a product-based project. We require a clear set of Design Requirements, to which a sound methodology can then be built.

o  In general, the design requirements were outlined at the end of section 1.3, but there was a need to define the full requirement list more robustly. Section 2.1 assesses the existing ARP 4761 HazID methodology for its usability for UAVS assessment, and hence establishes where improvements are required.

o  Section 2.2 then works through the requirements, to establish a proposed improved methodology for UAVS HazID.

2.1 Assessment of ARP4761 Usability for UAVS HazID

2.1.1 Introduction

ARP 4761 [SAE96] has the following scope:

"This document describes guidelines and methods of performing the safety assessment for certification of civil aircraft. It is primarily associated with showing compliance with FAR/JAR 25.1309. The methods outlined here identify a systematic means, but not the only means, to show compliance. A subset of this material may be applicable to non-25.1309 equipment. The concept of Aircraft Level Safety Assessment is introduced and the tools to accomplish this task are outlined. The overall aircraft operating environment is considered."

Clearly, the current intent is to support safety assessment of civil (predominantly heavy transport) aircraft. It has been reviewed for its applicability in supporting safety assessment for UAVS certification, primarily for the Hazard Identification elements at this stage. The full review is at Annex A to this report; a summary of the issues identified is presented below. At this point, the focus has been on hazard identification through Functional Hazard Analysis (FHA); only a cursory look has been taken at the lower-level Preliminary System Safety Analysis (PSSA) and System Safety Analysis (SSA) elements.

2.1.2 Safety Objectives

Safety objectives and criteria are drawn in from FAR / JAR 25.1309 (becoming EASA CS.25.1309 in Europe). These talk in terms that are focused on manned, large aircraft airworthiness - for example, a Catastrophic consequence is defined as "All failure conditions which prevent continued safe flight and landing" with a target probability of better than 1 in 10^-9 per flying hour.

For airworthiness considerations for UAVs, criteria need to reflect the variety of UAV systems at least in terms of their lethality, such as the variation between transport and smaller aircraft in 25.1309 and 23.1309 from 1 in 10^-9 to 1 in 10^-6 per flying hour for catastrophic occurrences.


Criteria descriptions need to reflect UAV potential occurrences, such as those proposed by the JAA / EUROCONTROL Joint Task Force in [UTF04 chapter 7.5] - for example, they suggested modifying the catastrophic definition to "UAV’s inability to continue controlled flight and reach any predefined landing site".

For 'total system safety' as required by EASA (see section 1.2.1), rather than just airworthiness, the criteria need to reflect occurrences that compromise safety through ATM or operational context. EUROCONTROL have established related (but different!) criteria that they insist are applied where an occurrence could affect the ATM environment, through EUROCONTROL Safety Regulatory Requirement 4 (ESARR 4) [EUR01].

2.1.3 'Aircraft Level' and 'System Level' FHA

[SAE96] proposes that Functional Hazard Assessment (FHA) be carried out at what it calls the 'Aircraft-Level', then lower-level 'System-Level' assessment once the design work starts in earnest.

If the 'Aircraft Level' is to equate to the UAVS, then care / guidance is needed to address the complexity of the system:

o  The extended critical boundary (for elements such as the Ground Control System (GCS) and mission planning?).

o  The people and procedural elements.

How should the System of Systems or 'super-system' elements be considered? There is some reference to looking at 'exchange functions' (see below) but not in sufficient detail to define and address these critical interfaces for the UAVS.

2.1.4 FHA Process:

[SAE96] describes how "The FHA process is a top down approach for identifying the functional failure conditions and assessing their effects. This assessment is made in accordance with the following processes." [Square brackets refer to further discussion of each aspect in later paragraphs]:

1. "Identification of all the functions associated with the level under study (internal functions and exchanged functions)." [Function Identification]

2. "Identification and description of failure conditions associated with these functions, considering single and multiple failures in normal and degraded environments." [Identification of Failure Conditions]

3. "Determination of the effects of the failure condition." [Identifying and Managing Effects]

4. "Classification of failure condition effects on the aircraft (Catastrophic, Severe-Major/Hazardous, Major, Minor and No Safety Effect)." [Identifying and Managing Effects]

5. "Assignment of requirements to the failure conditions to be considered at the lower level." [FHA Outputs]

6. "Identification of the supporting material required to justify the failure condition effect classification." [FHA Outputs]

7. "Identification of the method used to verify compliance with the failure condition requirements." [FHA Outputs]


Function Identification:

o  Source data requirements for input to the 'aircraft level' FHA assume a single, homogeneous aircraft.

    o  This does not reflect the more complex UAVS structure.

    o  It does not draw out the more complex interfaces with the wider SoS.

o  The 'Aircraft level' Internal Functions list guidance does not reflect the more complex UAVS structure. These may vary with the initial design assumptions over the UAVS overall architecture.

o  The aircraft-level Exchanged Functions list assumes a simple interaction with the outside world - this area requires careful guidance for the UAVS to ensure that the interfaces with the wider System of Systems (SoS) are adequately assessed for exchanged functions.

o  Flight Phases need guidance to ensure they are adequately defined for the UAVS. UAVS missions are more complex and variable than those for transport aircraft (around which [SAE96] is based).

Identification of Failure Conditions:

o  New and different Emergency and Environmental Conditions are likely to be required for UAVS considerations.

    o  Environmental conditions and events may come from the more extreme climatic or mission conditions they experience, due to the unusual performance and roles they undertake.

    o  Particular Emergency conditions will be applicable, from both regulatory and system architecture sources, such as datalink failure response.

o  There will be new types of single functional failure, but potentially many new multiple failure conditions to consider, due to the extended system and the wider SoS. More care will be required to ensure all credible combinations are considered.

Identifying and Managing the Effects of the Failure Conditions:

o  For UAVS, Flight Phases and other sources of mission context will be critical in evaluating the consequential effects of failures on other airspace users or the overflown public. The loss of the UAV itself is not as significant as hull loss for a transport aircraft; instead, it is the second tier effect on other persons that is crucial, and that is dependent on where the UAV is and what it does when the failure occurs. ARP 4761 does not adequately support the significance of establishing this mission / environmental / ATM context.
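The two points above, that every credible function / failure / flight phase combination must be considered and that the severity of one failure condition depends on where the UAV is when it occurs, can be shown with a small Functional Failure Analysis worksheet. This is an added example, not part of the original report or of ARP 4761: the functions, guide words, flight phases, effects and severities are constructed sample data, and only the severity class names come from the text quoted above.

```python
from dataclasses import dataclass
from itertools import product

# Severity classes in ascending order, as named in the ARP 4761 text quoted above.
SEVERITIES = ("No Safety Effect", "Minor", "Major",
              "Severe-Major/Hazardous", "Catastrophic")

# Everything below is constructed sample data (assumptions for illustration).
GUIDE_WORDS = ("loss", "incorrect", "unintended")
FUNCTIONS = {"Maintain command datalink": "exchanged",  # UAV <-> GCS interface
             "Control flight path": "internal"}
PHASES = ("Taxi on shared airfield", "Transit in controlled airspace",
          "Loiter over populated area")


@dataclass(frozen=True)
class Entry:
    function: str
    guide_word: str
    phase: str
    effect: str
    severity: str


DL, FP = "Maintain command datalink", "Control flight path"
ENTRIES = [
    Entry(DL, "loss", PHASES[0], "UAV-p cannot halt taxi; may strike obstruction", "Major"),
    Entry(DL, "loss", PHASES[1], "ATC instructions cannot be actioned by UAV-p",
          "Severe-Major/Hazardous"),
    Entry(DL, "loss", PHASES[2], "UAV holds pre-programmed loiter without oversight", "Major"),
    Entry(DL, "incorrect", PHASES[0], "Corrupted command moves UAV towards other aircraft",
          "Major"),
    Entry(DL, "incorrect", PHASES[1], "Corrupted command takes UAV off cleared route",
          "Catastrophic"),
    Entry(FP, "loss", PHASES[0], "UAV stops on taxiway", "Minor"),
    Entry(FP, "loss", PHASES[1], "Uncontrolled flight among manned traffic", "Catastrophic"),
    Entry(FP, "loss", PHASES[2], "Uncontrolled descent over the public", "Catastrophic"),
]


def build_worksheet(entries):
    """Index entries by (function, guide word, phase), rejecting bad rows."""
    sheet = {}
    for e in entries:
        if (e.function not in FUNCTIONS or e.guide_word not in GUIDE_WORDS
                or e.phase not in PHASES or e.severity not in SEVERITIES):
            raise ValueError(f"unknown name in entry: {e}")
        key = (e.function, e.guide_word, e.phase)
        if key in sheet:
            raise ValueError(f"duplicate assessment for {key}")
        sheet[key] = e
    return sheet


def unassessed(sheet):
    """Every function x guide word x phase combination with no entry yet."""
    return [k for k in product(FUNCTIONS, GUIDE_WORDS, PHASES) if k not in sheet]


def classify(sheet):
    """Worst severity per failure condition, plus the phases that drive it."""
    result = {}
    for (function, guide_word, phase), e in sheet.items():
        rank = SEVERITIES.index(e.severity)
        worst, phases = result.get((function, guide_word), (-1, []))
        if rank > worst:
            worst, phases = rank, [phase]
        elif rank == worst:
            phases = phases + [phase]
        result[(function, guide_word)] = (worst, phases)
    return {k: (SEVERITIES[r], p) for k, (r, p) in result.items()}


if __name__ == "__main__":
    sheet = build_worksheet(ENTRIES)
    for (function, guide_word), (severity, phases) in classify(sheet).items():
        print(f"{function} / {guide_word}: {severity} (driven by {', '.join(phases)})")
    print(f"{len(unassessed(sheet))} combinations still to assess")
```

The roll-up keeps the driving flight phases beside each classification, so the mission context behind a severity is not lost when the failure condition is passed down to lower-level analysis.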

FHA Outputs:

o  [SAE96] proposed outputs seem appropriate at this point, but would need to be tested more thoroughly through actual input to the PSSA process.

2.1.5 Overall Applicability of ARP4761 for UAVS use

The intent of ARP4761 to support the safety assessment (and hence clearance) of novel aircraft systems remains good. If the issues identified above can be addressed, then the revised framework should equally support safety assessment and clearance of UAVS.


2.2 Modifying ARP 4761 FHA for UAVS Use

Each of the areas of ARP 4761 FHA requiring modification has been worked through in turn, to arrive at a justified, proposed revised HazID methodology. Key elements of the proposed methodology are shown in bold, italicised text.

It is worth including a note here on the use of Functional Failure Analysis for FHA. Other forms of FHA are available, such as HazOp, Structured What If technique (SWIFT) et al (see [HRA03 session 12] for further guidance). However, it was decided to continue on the basis of Functional Failure Analysis (FFA), in order to conform with the basic process behind ARP 4761. It is a sound method for initial hazard investigation, where the design is still in its infancy but its purpose can be identified; and it is an accepted method recognised for certification through previous use of ARP 4761 and ARP 4754. To abandon FFA for another method at this stage would have required strong reasons – and none were identified at this early stage of investigation.

2.2.1 Derivation of Safety Criteria and Objectives for UAVS Application

Safety Criteria

We need to define suitable safety criteria in order to assess the effects and consequences of potential UAVS hazards. It is important to note that safety criteria have been separated from safety objectives - the latter are considered later in this section. Our focus here is how hazardous effects are to be defined.

The first consideration is "who is likely to be affected by the UAVS". A quick review of existing airworthiness criteria such as in AC 23.1309 [FAA99] leads us to the following traditional parties:

o  Passengers of the vehicle? NO, this should not be an issue for a UAV.

o  Flight crew - NO (but possibly indirect effects on UAVS operators?).

o  The air vehicle itself

ARP 4761, looking to support ARP 4754 (and hence EASA CS.25.1309) focuses on this list, to give a set of airworthiness criteria. It can be argued that, if the aircraft is kept safely in the air, then the safety of the 3rd parties on the ground is necessarily protected. As noted in section 2.1 of the report, EUROCONTROL suggested modifications to these criteria to make them more UAVS applicable. Hence a modified set of airworthiness criteria has been drawn together as shown in Table 2.2.1(i) below:

Page 51: Hazards of Uav

8/8/2019 Hazards of Uav

http://slidepdf.com/reader/full/hazards-of-uav 51/169

 

   4   4

| Failure Condition Severity Classification (FAA) | Failure Condition Severity Classification (JAA) | Existing Failure Condition Effect criteria (FAA & JAA / EASA) | Proposed UAVS criteria (taken from UAV Task Force [UTF04]) |
|---|---|---|---|
| Minor | Minor | - Slight reduction in safety margins; - Slight increase in crew workload; - Some inconvenience to occupants | - Slight reduction in safety margins (e.g. loss of redundancy) |
| Major | Major | - Significant reduction in safety margins or functional capabilities; - Significant increase in crew workload or in conditions impairing crew efficiency; - Some discomfort to occupants | - Significant reduction in safety margins (e.g., total loss of communication with autonomous flight and landing on a predefined emergency site) |
| Severe Major | Hazardous | - Large reduction in safety margins or functional capabilities; - Higher workload or physical distress such that the crew could not be relied on to perform tasks accurately or completely; - Adverse effects upon occupants | - Controlled loss of the UAV over an unpopulated emergency site, using Emergency Recovery procedures where required. |
| Catastrophic | Catastrophic | - All failure conditions which prevent continued safe flight and landing | UAV's inability to continue controlled flight and reach any predefined landing site |

Table 2.2.1(i) - Airworthiness Failure Condition Severities (after [SAE96], with additions from [UTF04] as noted)


While it was tempting to modify the criteria further, such as to include factors for UAVS operators’ workload under ‘Major’ and ‘Severe Major’, it was decided to leave the criteria alone at this stage. The baseline FAA / JAA criteria are well established to support regulated requirements; similarly, the UAV Task Force criteria were arrived at by a multi-national team and, it is assumed, have reached a high level of consensus. With this in mind, it was felt better to try out the criteria first, so that if proposed changes were found necessary, they would be underpinned by a demonstrable need to overcome specific shortcomings. The domain is slow to change (as we have seen evidence for, throughout section 1).

That said, the criteria above do provide a very airworthiness-centric view. Looking at a wider requirement for safety leads us to the following additional affected parties:

o  3rd parties on the ground - the overflown public.

o  3rd parties in other aircraft - in the air or on the ground at airfields.

o  ATM personnel

It could be argued that, in providing criteria aimed at keeping the aircraft reliably in the air, the requirements of the overflown public are met (especially as the [UTF04] criteria include consideration of whether the vehicle can reach an unpopulated site) - this is consistent with the view that UAVS must meet an Equivalent Level of Safety to that for manned aircraft, and the criteria above are set for manned aircraft. What then should be done about the second two parties, other aircraft occupants and ATM personnel, where the criteria currently say little specifically applicable?

As noted in section 2.1, EUROCONTROL are insistent that their criteria must be applied in all instances where the ATM environment may be affected. Although the criteria are focussed on applications for ATM system developments, it can be seen that they would be applicable for a UAVS and particular concerns over manned aerospace integration. The criteria are shown in Table 2.2.1(ii) below:


| Failure Condition Severity Classification | Failure Condition Effect |
|---|---|
| Severity 5 - No Immediate Effect on Safety | - No hazardous condition i.e. no immediate direct or indirect impact on the operations |
| Severity 4 - Minor Incidents | - Increasing workload of the air traffic controller or [UAVS] crew, or slightly degrading the functional capability of the enabling CNS System. - Minor reduction (e.g., a separation of more than half the separation minima) in separation with [UAVS] crew or ATC controlling the situation and fully able to recover from the situation. |
| Severity 3 - Significant Incidents | - Large reduction (e.g., a separation of less than half the separation minima) in separation with [UAVS] crew or ATC controlling the situation and able to recover from the situation. - Minor reduction (e.g., a separation of more than half the separation minima) in separation without [UAVS] crew or ATC fully controlling the situation, hence jeopardising the ability to recover from the situation (without the use of collision or terrain avoidance manoeuvres). |
| Severity 2 - Major Incidents | - Large reduction in separation (e.g., a separation of less than half the separation minima), without [UAVS] crew or ATC fully controlling the situation or able to recover from the situation. - One or more aircraft deviating from their intended clearance, so that abrupt manoeuvre is required to avoid collision with another aircraft or with terrain (or when an avoidance action would be appropriate). |
| Severity 1 - Accidents | - One or more catastrophic accidents - One or more mid-air collisions - One or more collisions on the ground between two aircraft - One or more Controlled Flight Into Terrain - Total loss of flight control. - No independent source of recovery mechanism, such as surveillance or ATC and/or [UAVS] crew procedures can reasonably be expected to prevent the accident(s). |

Note: my substitution of [UAVS] for flight crew references.

Table 2.2.1(ii) - EUROCONTROL ATM-Focused Separation / Collision Safety Criteria (from [EUR04])


The first thought was to try to combine these criteria with the previous ones, e.g. to add the 'Severity 1' criteria to those for 'Catastrophic'. However, on further consideration, this was rejected:

o  The criteria are specifically separation and collision focussed, and do not map well onto airworthiness criteria.

o  The criteria introduce issues which may have no airworthiness causes - particularly in the way they consider effects on ATM personnel and 'flight crew' (or UAVS operators in our case). Looked at another way, they provide a means to assess hazards that are caused by ATM personnel and UAVS operators, and start to address the personnel issues within the System of Systems.

o  The associated probability targets required by EUROCONTROL under the ESARR 4 regulation do not line up directly with those for airworthiness under CS.23.1309 or CS.25.1309; hence the requirements for a merged category would be out of step. It was felt clearer to maintain the different severity titles in order to dissuade readers’ instinctive attempts to merge the safety objectives (see below).

What is arrived at is a dual-criteria system, to satisfy different hazard types and regulatory bodies. This might seem unwieldy, but should be fairly simple to apply in practice:

o  For hazards and potential accidents where the UAV comes to ground - affecting the overflown population and / or the UAV itself: apply the Airworthiness safety criteria. These will be predominantly due to airworthiness and reliability causes, and the effect will vary with the system size and speed (see Safety Objectives below). They will also fit within the airworthiness occurrence reporting regime.

o  For hazards and potential accidents where the UAV could conflict with other manned aircraft: apply ATM Separation / Collision safety criteria. These may have a system reliability / airworthiness cause, but could also be due to failures within the wider System of Systems, including personnel and procedural issues. They will also fit within the ATM occurrence reporting regime.

o  If a situation arises with potential overlap, i.e. it could cause both an airworthiness and collision risk, what then? It is not so easy to say ‘pick the highest severity’ as the different criteria have different safety targets (see below) and hence a high airworthiness severity might indicate a lower risk overall. A different view is that such situations will need the different criteria at different times (e.g. a failure in control causes a UAV to wander off through controlled airspace first, before ultimately crashing to the ground). Hence my proposal is to split the potential hazard into its airworthiness and collision components, and apply each criterion to the applicable component.

Airworthiness-based Safety Objectives

Safety Objectives, in terms of acceptable probabilities, from ARP 4761 are predominantly aimed at heavy transport aircraft. This is in line with FAA / JAA Part 25.1309 (now EASA CS.25.1309 in Europe) and defined in [FAA88]. For smaller manned aircraft, CS.23.1309 would usually apply - this refers in turn to AC 23.1309 [FAA99] for guidance on showing compliance. Both refer to ARP 4761 for guidance on carrying out suitable safety analyses, but AC 23.1309 notes the need to amend the safety objectives. To this end, Safety Objectives for CS.23 and CS.25 aircraft for acceptable probabilities per flying hour are compared in Table 2.2.1(iii) below:


| Category of Aircraft \ Severity of Outcome | Minor | Major | Hazardous | Catastrophic |
|---|---|---|---|---|
| CS.23.1309 Class I: Single Reciprocating Engine (SRE) / under 6000lbs | <10^-3 | <10^-4 | <10^-5 | <10^-6 |
| CS.23.1309 Class II: SRE and Multi-Reciprocating Engine (MRE) / under 6000lbs | <10^-3 | <10^-5 | <10^-6 | <10^-7 |
| CS.23.1309 Class III (1): SRE, MRE, Single Turbine Engine (STE), Multi-Turbine Engine (MTE) >= 6000lbs | <10^-3 | <10^-5 | <10^-7 | <10^-8 |
| CS.23.1309 Class IV (2): Commuter Category | <10^-3 | <10^-5 | <10^-7 | <10^-9 |
| CS.25.1309 Heavy Transport | <10^-3 | <10^-5 | <10^-7 | <10^-9 |

Notes:

(1) Aeroplanes in the normal, utility and aerobatic categories that have a seating configuration, excluding the pilot seat(s), of nine or fewer and a maximum certificated take-off weight of 5670 kg (12 500 lb) or less.

(2) Propeller-driven twin-engine airplanes in the commuter category that have a seating configuration, excluding the pilot seat(s), of nineteen or fewer and a maximum certificated take-off weight of 8618 kg (19 000 lb) or less.

Table 2.2.1(iii) - Airworthiness Safety Objectives - probabilities per Flying Hour (from [SAE96], drawn from [FAA88] and compared with [FAA99])

If we wished to apply these variations to UAVs' airworthiness safety objectives, we would need to identify the equivalent class of vehicle. While we could not consider the seating aspects, it would seem sensible to take the engine configuration and mass into account, and thus arrive at a practical equivalent. However, it is worth noting that the CAA [CAA02] push for a kinetic energy equivalence to be determined in deciding which certification criteria to apply (see section 1.2.1), and this should be considered for the safety objectives too. In most cases, the comparison will probably come out about the same - e.g. a 500 kg UAV, powered by a Single Reciprocating Engine, with stalling speed (Vs) of 40kts and maximum operating speed (Vmo) of 100kts would indicate as a Class I by either criterion. Unfortunately, this is not always the case - Global Hawk could be considered similar to a CS.23 Class III manned aircraft, but through kinetic energy considerations indicates as a CS.25 class aircraft. With the likely public sensitivity to UAVs entering the media eye (see section 1.2.6) it would seem sensible to take the higher indicated safety objectives.

In summary, for UAVS Airworthiness-based safety objectives, it is proposed:

o  To determine the UAV kinetic equivalence to manned aircraft (using the method extracted from [CAA02] and shown in Annex B to this report)

o  Review the applicable objectives for that class of vehicle (as presented in Table 2.2.1(iii) above) and hence establish the airworthiness objectives for the UAVS.

ATM Separation / Collision based Safety Objectives

It is important to note that the ATM separation / collision based safety objectives will not change with the class of vehicle. The acceptable probability of a Severity 1 accident remains fixed by ESARR 4 [EUR04] at 1.55 x 10^-8 per flight/hour.
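The dual-criteria scheme and the two sets of safety objectives, worked through as an added example (not part of the original report): the report's own case of a control failure that first takes the UAV through controlled airspace and then to the ground is split into its two components, and each is checked against its own target. The targets are transcribed from Table 2.2.1(iii) and the ESARR 4 figure; the predicted probabilities, the severity assigned to each component and all function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

SEVERITIES = ("Minor", "Major", "Hazardous", "Catastrophic")


def _row(*targets):
    return dict(zip(SEVERITIES, targets))


# Acceptable probability per flying hour, transcribed from Table 2.2.1(iii).
AIRWORTHINESS_OBJECTIVES = {
    "CS.23 Class I": _row(1e-3, 1e-4, 1e-5, 1e-6),
    "CS.23 Class II": _row(1e-3, 1e-5, 1e-6, 1e-7),
    "CS.23 Class III": _row(1e-3, 1e-5, 1e-7, 1e-8),
    "CS.23 Class IV": _row(1e-3, 1e-5, 1e-7, 1e-9),
    "CS.25": _row(1e-3, 1e-5, 1e-7, 1e-9),
}

# ESARR 4 target quoted in the text (per flight/hour). The page gives no
# figures for Severity 2 to 5, so none are supplied here.
ATM_OBJECTIVES = {"Severity 1": 1.55e-8}


@dataclass(frozen=True)
class Component:
    description: str
    regime: str       # "airworthiness" or "atm": which criteria apply
    severity: str     # severity title within that regime
    predicted: float  # predicted probability per hour (constructed value)


@dataclass(frozen=True)
class Verdict:
    component: Component
    target: Optional[float]  # None when the page states no target
    meets: Optional[bool]    # None when there is nothing to compare against


def governing_class(by_configuration, by_kinetic_energy):
    """Return whichever indicated class carries the more demanding objectives.

    Follows the report's proposal to take the higher indicated safety
    objectives when engine/mass and kinetic-energy equivalence disagree.
    Classes are compared from Catastrophic downwards.
    """
    def strictness(cls):
        row = AIRWORTHINESS_OBJECTIVES[cls]
        return tuple(row[s] for s in reversed(SEVERITIES))
    return min((by_configuration, by_kinetic_energy), key=strictness)


def assess(component, aircraft_class):
    """Check one hazard component against the criteria of its own regime."""
    if component.regime == "airworthiness":
        target = AIRWORTHINESS_OBJECTIVES[aircraft_class].get(component.severity)
    elif component.regime == "atm":
        # ATM objectives do not change with the class of vehicle.
        target = ATM_OBJECTIVES.get(component.severity)
    else:
        raise ValueError(f"unknown regime: {component.regime!r}")
    meets = None if target is None else component.predicted < target
    return Verdict(component, target, meets)


def assess_hazard(components, aircraft_class):
    """Apply each criterion to its applicable component, never merging them."""
    return [assess(c, aircraft_class) for c in components]


# Constructed sample: one control failure, split into its two components.
LOSS_OF_CONTROL = [
    Component("UAV wanders through controlled airspace, mid-air collision",
              "atm", "Severity 1", 4e-8),
    Component("UAV unable to reach any predefined landing site, crashes",
              "airworthiness", "Catastrophic", 1e-7),
]

if __name__ == "__main__":
    cls = governing_class("CS.23 Class I", "CS.23 Class I")
    for v in assess_hazard(LOSS_OF_CONTROL, cls):
        print(f"{v.component.regime:14} {v.component.severity:13} "
              f"predicted={v.component.predicted:.2e} target={v.target} "
              f"meets={v.meets}")
```

With these constructed figures the airworthiness component passes its Class I target while the collision component fails the ESARR 4 target, which is why the two severities cannot simply be ranked against each other.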


2.2.2 FHA Levels to Address System Complexities

Currently, ARP 4761 calls for Aircraft Level then deeper System level Functional Hazard Analyses (FHAs), in order to identify significant hazards (see discussion at section 2.1). What levels are appropriate for assessment of a UAVS?

Dealing with the UAV System boundary & complexity

As noted in section 1.1.2 of this report, there were concerns over the 'airworthiness' boundary for the UAVS. It was clear that the critical elements extended beyond just the UAV itself, and probably included elements such as the GCS, the Datalink, the Flight Termination System (FTS) (if used), but did it include wider aspects such as mission planning systems and so on? The boundary was unclear.

However, if we consider that the aim of the Aircraft Level FHA in ARP 4761 is to explore the critical functions that lie within the designer's control, then the boundary does not really matter at this stage. The bulk of functionality within the planned UAVS is to replace those taken for granted in manned systems. Thus, by extending the Aircraft Level FHA to be a UAVS Level FHA, looking at all functions of the UAVS within the designer's control, then the outcome would be an identification of all the functions that are critical to the safe behaviour of the system and the consequences of their breakdown.

These would then flow down into the System level FHA, et al, as described in the ARP, to be analysed as functional sub-systems within the UAVS.

In section 2.1, it was suggested that the extended criticality criteria should consider people and procedural aspects of system, as these were not specifically addressed by the ARP. However, in the early stages of UAVS design, the specific nature of these elements may not be known. Instead, I would propose that it is important to understand the role they play rather than the details - essentially to understand the functions they might perform. In this way, after having performed the UAVS-level FHA, the designer would use the results to inform decisions on where to partition functions between the hardware, software and human elements of the system. By doing this, a proactive approach can be taken to ensure that the human and procedural elements are well designed and part of an integrated approach to safety, rather than just dumping ad hoc safety monitoring tasks there in order to keep the system simple (as has been the way in the past with some system designs). Further guidance on the human elements of safety and designing for human factors can be found in the York University HFE course [HFE05].

Dealing with the System of Systems around the UAVS

As was discussed in section 1.1.2, UAVS operate within a wide System of Systems (SoS), and in section 2.1 it was noted that [SAE96] was not strong in analysing these relationships.

One consideration was to introduce a 'Super-system' level FHA to the process, to assess the functions of the wider SoS. However, this was not felt to be practical for the UAVS designer to attempt: while he wishes to understand the SoS to the extent that it affects his system, he can control only a (relatively) small element of it and a full analysis would take excessive resources. On reflection, this level of analysis might be useful for a wider SoS player such as EUROCONTROL or EASA to conduct, and provide resulting information to inform system designers.

A research area of interest is the work ongoing towards decomposition of safety policy, for Systems of Systems. This is discussed by Hall-May and Kelly in [Hall05], looking at how policy (that is, permitted and required behaviours) can be flowed down from top-level goals for different agents, or different situational cases, within a SoS. An example from the paper is shown in Figure 2.2.2a, below.


Figure 2.2.2a – Example of decomposition of high level policy to lower level agents or cases [Hall05]

Such decomposition causes (usually implicit) assumptions over the context behind such policies to be made explicit. It also requires the policy setter to understand (even at a fairly simple level) a model of expectations, over how the agents can behave - e.g. glider pilots cannot be expected to climb to satisfy policy. If EUROCONTROL or EASA (say) were to develop such a policy model, this would be of great use: both for UAVS designers to understand explicitly what was required (and hence allocate suitable functions for safety analyses - see 2.2.3); and for EUROCONTROL / EASA to better understand how UAVS and other novel systems may / should behave within their wider SoS. It would also allow areas of policy failure to be explored, to determine where the SoS overall may be sensitive to single-point breakdown.

The UAVS designer's interest is to achieve a better understanding of the interactions between the UAVS and the SoS. This suggested that parallels could be drawn with Requirements Engineers, trying to understand the 'problem domain' and how the World and their potential Machine interface. From a review of their methodologies in [RQE05], it is proposed that a Rich Context Diagram could provide a suitable visual model to help draw out complexities and interactions. An example is shown in Figure 2.2.2b below, for a Train Control System.

The Rich Context Diagram as proposed assists by:

o  Helping to gather domain information - we can use it to establish the existing context through: observed behaviour (as functions of the systems and people elements); processes (people); data (systems).

o  Helping to define the machine / world boundary - the world is all that we cannot control; the system is all that we can control. Note that there are occasions where the boundary can be negotiated, but many where it cannot (such as over ATM system interfaces, for example).

o  Establishing the problem context - identifying the relevant parts of the world; their interactions with each other and the machine.


Figure 2.2.2b - Example of Rich Context Diagram (taken from [RQE05, unit 20])

This latter point is a key element of how Rich Context Diagrams differ from the traditional Context Diagram: in the traditional form, only direct interactions with the machine are identified, so in the example, the driver would not be shown. It was felt that this would be a major shortcoming to understanding the SoS, as the bulk of the 'world' has already been set up for manned aircraft, and it was suspected that there were key interactions between existing elements that would need to be understood.

Thus to summarise for this section:

o  FHA levels should be established at UAVS-level (rather than Aircraft Level), and subsequently down into system-level as per the ARP.

o  Instead of a Super-System FHA, establish a Rich Context Diagram, to ensure that the SoS and its interactions with the UAVS are suitably understood, to inform the UAVS-level FHA.

2.2.3 Function Identification

Our analysis method needs a robust identification of functions, as these are the building blocks for the hazard identification. We do not want to miss out vital functions (and thus areas of hazard analysis and design requirement) due to assumption or error, which will later be found to have critical safety implications for the system in-service. ARP 4761 provides a little guidance on function identification aimed at Aircraft Level FHA, but what is there is aimed at a primarily unitary overall system. This guidance needs to be built upon, to ensure a more structured approach for a UAVS made up of several system elements and working within a wider SoS.

ARP 4761 Annex A starts by looking at Source document requirements, but we will return to this once the needs for information to support the functional identification have been explored (see below).


ARP 4761 also suggests an 'Aircraft Level generic hazard list' to help get started. As was noted in ‘Focus for project development’ at section 1.3.2, such a list would be useful to develop for UAVS-level assessments and so would a starter list of generic UAVS functions, to act as a catalyst for assessment of new UAVSs.

Internal Functions

The ARP [SAE96] suggests that, for the Aircraft Level "...these are main functions of the aircraft and functions exchanged between the internal systems of the aircraft." Our concern here is to ensure that the identification adequately explores the complexity of the UAVS, both in its overall capabilities and in its internal interactions (see sections 1.1.1, 1.1.2 and 2.1). To achieve this, the following structured approach has been developed, to identify the Functions List (or Functions Tree as preferred):

1. Consider UAVS functions overall:

a. Ideally, there will be an established User Requirement Document or similar specification to draw upon.

2. Consider functions determined by the UAVS internal structure:

a. Is there a simple representation of the initial design concept? These could be as formal as Yourdon diagrams or Functional Block Diagrams (as discussed in [HRA03]), or could be a simple architectural model (like an internal Context Diagram) showing interactions between the UAV, the GCS, use of the datalink etc.

b. Consider each major element of the structure and identify any additional internal functions - it may help to consider each as a transform mechanism, that is to consider the inputs and the resultant modified set of outputs, in order to determine what functions that element needs to perform the transformation:

(i) Does the element have particular behaviour functions - e.g. does it react physically to inputs?

(ii) Does it have control functions - does it monitor and/or control the behaviour of other elements?

(iii) Does it have information functions - does it generate information or process data, to be used elsewhere?

(iv) Does it have utility functions - such as power generation, needed to provide support elsewhere in the system?

c. Care will be needed to balance what is sensible to achieve at the UAVS level analysis, and what can be left to the more in-depth System-Level analyses. The balance may be self-imposed by the limited design information available at the early stages of the project.

3. Consider the effect of flight phases, as UAVS usually have a broader mission profile than the transport aircraft that [SAE96] was intended for originally:

a. See ‘Flight Phases’ below for discussion on identifying flight phases.

b. Review the function list (so far) for each proposed flight phase and mission variation, to identify any additional functions or sub-functions.

At this point, some concern was felt over how complete the function list could be, and whether it could be improved through more formal modelling of the system using Unified Modelling Language (UML) or similar specification tools. A further review of literature showed that there is a developing theme for model-based safety analyses. Joshi and Heimdahl [Jos05], for instance, discuss application of Simulink modelling tools to transfer a design representation of the ARP 4761 Wheel Braking System example into the SCADE Design Verifier tool, and from there progress through automated FHA into Fault Tree Analyses and Failure Mode Effects Analysis generation. This work is very promising for UAVS application in terms of: developing formal system models; formalizing fault conditions; automated analysis and verification (including assessing multiple failures - see 2.2.4 below); and developing formal methods to ensure completeness of assessment. However, this approach needs a detailed model of the system design, and [Jos05] notes that it is intended to fit into the bottom of the system / safety ‘V’ (to make it a system / safety ‘Y’ and hence improve the efficiency of developing and integrating the system safely). Thus, it will ultimately be more suited to the later stages of the safety assessment, through detailed PSSA and SSA - see Figure 2.2.3a, below.

Figure 2.2.3a – Modified ‘V’ to ‘Y’ model safety assessment process [Jos05]

Exchanged Functions

[SAE96] suggests that, for the Aircraft Level "...these are functions that interface with other aircraft or with ground systems." As discussed earlier (sections 2.1 and 2.2.2), more guidance is needed to ensure that the interactions with the wider SoS are identified, hence the following additional advice is proposed:

1. Using the Rich Context Diagram identified in section 2.2.2:

a. Consider each element in turn that the UAVS will interact with.

b. Consider each Rich Context Diagram interaction for implied functions on the UAVS. Again it may help to consider the UAVS as a transform mechanism:

(i) Are there particular behaviour functions - e.g. does it react physically to inputs?

(ii) Are there control functions - does it monitor and/or control the behaviour of other elements?

(iii) Are there information functions - does it generate information or process data, to be used elsewhere?


(iv) Are there utility functions - such as power generation, needed to provide support elsewhere in the system?

Flight Phases

Flight phases can be somewhat more exotic for UAVs than the transport aircraft originally considered by ARP 4761 (as discussed in section 1.1.1). It is important that all phases are identified, for the main mission and also any variations (e.g. a UAV might act as a sensor gathering target information, but might also be able to act as a datalink relay for another UAV). For this reason, the following modification is proposed to supplement the HazID method:

1. Mission types and parameters should be reviewed to identify the various flight phases possible, for main and alternate mission types.

a. This could be gleaned from the User Requirement Document (URD), or maybe there is a simple Concept of Operation (ConOps) that can be used.

UAVS-Level FHA Source Data Input Requirements

From the work above, there are obvious additions to the initial list of source documents for the UAVS-Level assessment. The proposed list would now read:

1. List of generic UAVS functions (when available).

2. The UAVS objectives and customer requirements.

a. Ideally from a URD or similar specification.

3. Initial design decisions or constraints (e.g. size and type of UAV, scope of GCS, scope of Datalink).

a. Perhaps a simple design representation, such as Yourdon or Functional Block Diagram.

b. Or an initial architectural representation of the system elements (such as an 'internal' Context Diagram).

4. A representation (such as a Rich Context Diagram) showing the interactions of the UAVS with the outside world (the SoS) and any critical interactions between those external elements (such as between ATM and other, manned aircraft).

5. Initial mission types or constraints.

a. From a simple ConOps for the system.

From the above input data, it should prove feasible to draw up a suitably robust Function List or Function Tree, and hence get the FHA off on a sound basis.

2.2.4 Identification and Description of Failure Conditions

ARP 4761 proposes that identification and description of failure conditions for a particular function begins with definition of an Environment and Emergency Configuration list (in order to understand 'normal' and 'degraded' aspects of operation), before going on to consider failure conditions in depth. Each of these aspects is discussed below - note that it is proposed to separate the environment and emergency configurations into two lists, in order to make them more manageable.

Environment List

[SAE96] starts with suggestions of weather, High Intensity Radio Frequency (HIRF) and volcanic ash as examples pertinent to transport aircraft.

For UAVS, the list of possible environments to consider needs to grow. As noted in section 1.1.1, UAVs may operate in a very different environment from manned aircraft, due to a combination of their performance and role / mission differences.

1. The Environment List should be defined from a review of appropriate domains:

a. Weather aspects - e.g. temperature, icing, precipitation, winds, visibility...

b. Overflown terrain aspects - this may raise additional 'weather' aspects, such as wind-shear, sand and dust storms. It may also indicate other aspects such as for landing and take-off, or communications masking.

c. Electrical environment - in particular, man-made or natural RF fields such as High Intensity Radio Transmission Areas (HIRTAs), and perhaps aspects of limited or overlapping spectrum, where problems can be foreseen.

d. Mission environment - such as personnel shift-changeovers (for long endurance missions), or action of hostile forces for military uses, or use in day or night.

e. Air traffic environment - such as the classes of airspace that may be flown through or nearby, and the levels and types of traffic.

2. Some of these aspects might already have come to light from creation of the Rich Context Diagram (section 2.2.2). However, in order to define this list adequately, it may prove necessary to extend the assessment through use of a series of simple scenarios or vignettes, to define typical situations - more is proposed on this aspect under section 2.2.5.

Emergency Configuration List

Consider any specific emergency or 'expected' abnormal flight conditions that may occur. Some will be defined in regulation (see section 1.2.2, under Emergency Procedures), others might be necessary due to initial design choices. A preliminary listing of aspects of regulation and guidance from material discussed in the Literature Review (Part 1) has been identified below, though it is not proposed as being complete in all respects:

1. Single failure of the UAV communication link, and/or control link (uplink and/or downlink,depending on implementation)

2. Operation of Flight Termination System (if fitted)

3. Else, conduct of other Emergency Recovery procedures due to loss of critical system(s)

a. With UAV-p control

b. Without UAV-p control (i.e. autonomous)

4. Emergency landing due to loss of thrust

5. Collision avoidance with co-operative and non-cooperative aircraft

a. Including evasive manoeuvre

6. Terrain avoidance

7. Interception by military aircraft

8. Failure of onboard Sense and Avoid equipment

9. Operation with degraded systems

10. Degradation of weather conditions

11. Security threats to upload data, commands and transmissions

Items 1-8 are drawn from [UTF04]; items 1, 3, 6, 7, 9 - 11 from [CAA04]. Clearly the intent of these sources is to try and mitigate what are seen as the inherent hazards of UAVS: it will be interesting to see if the list is appropriate and complete.

Failure Condition Determination

[SAE96] suggests that single failures may be determined by "examining the original [functions] list created in the previous steps and, in addition, applying an analysis of the concept design created in the initial design process". While not UAVS specific, it is proposed that the Functional Failure Analysis advice contained in [HRA03, session 12] provides valuable guidance, to help structure the determination of failure conditions. This proposes three categories of failures to assess:

1. Function not provided – this is fairly easy to interpret for responsive functions, but care is required with continuous or periodic functions, to ensure that variations are assessed: single failure; periodic failure; complete loss.

2. Function provided when not required – obviously, this is not applicable to continuous functions.

3. Incorrect operation of function – this can be a tricky catch-all, which needs care to ensure completeness. Examples include: asymmetry; substitution; partial; timing.

One aspect of interest is that ARP 4761 implies that there can be significant differences depending on whether failures are annunciated or unannunciated. This is worth noting for the UAVS analysis, and it may be more interesting when we consider to which of the various stakeholders (from our Rich Context Diagram) the failures would / could / should be annunciated.

To identify multiple failures, [SAE96] suggests that "...this process is aided by an understanding of the aircraft and system architecture. Multiple failures have to be considered, especially when the effect of a certain failure depends on the availability of another system". To apply some structure to this, we should consider multiple failure conditions:

1. Through assessment of the initial design architecture (perhaps represented by our internal context diagram). In particular consider any elements that could suffer some common cause for failure (such as EMI affecting both navigation and communications functions).

2. Where mitigation for a critical function failure is expected by the successful operation of another function. Here, we should reconsider the criticality of that function, and review 'what if' that function failed also, to give us a more rounded assessment overall.

In part, some of this multiple failure analysis will occur through application of the Emergency Condition list, where regulation and guidance has already highlighted some expected areas of criticality such as datalink and propulsion functions. Application of the method will need care to ensure that variables caused by design implementation (as it develops) are suitably identified and assessed.

2.2.5 Identifying and Managing the Effects of the Failure Conditions

From ARP 4761, this covers the following elements of the FHA process:

1. "Classification of failure condition effects on the aircraft (Catastrophic, Severe-Major/Hazardous, Major, Minor and No Safety Effect)."

2. "Assignment of requirements to the failure conditions to be considered at the lower level."

3. "Identification of the supporting material required to justify the failure condition effect classification."

4. "Identification of the method used to verify compliance with the failure condition requirements."

Identification and Classification of failure condition effects

For UAVS, as noted in section 2.1, it is not the effect of a failure on the UAVS that matters, it is predominantly the end effect on other stakeholders, such as airspace users or the overflown public, so our method needs to ensure that the mission / environmental / ATM context is adequately understood. There is already some foundation in the methodology proposed so far, with definition of the Rich Context diagram (section 2.2.2), Flight Phases (2.2.3) and Environment and Emergency Condition list (2.2.4). This is supplemented further, through the following proposed elements:

1. For the majority of failure conditions assessed, it is proposed that the existing contextual information (as noted above) will be sufficient. However, as mentioned in section 2.2.4 (in defining environmental conditions), there may be some cases where this is not sufficient. Our existing contextual information is trying to cover the broad scope of variations and generally applicable parameters, in essence defining the outer envelope of how the system will be used.

2. For more complex failure conditions, use of scenarios is proposed to supplement the assessment. When used in Human Factors Engineering (as discussed in [HFE05, unit 3]), scenarios are suggested as "episodes in which the [system] is used" - instead of being general applications, each scenario (for HFE) is put forward as a scripted, specific situation for use of the system, with concrete conditions, events and actors. A scenario thus provides a more detailed representation of a situation within the broader envelope defined in our other contextual representations. We could not hope to cover the whole envelope of environments and usage with scenarios, but used selectively as supplements, they could help draw out some of the complexities of key situations and (in particular) how conditions and events might come together to affect the UAVS.

Drawing parallels from scenario use for HFE, scenarios could be selected for specific situations of interest, from the following:

1. (Initially) 'routine' mission stages - all was going well, just like every other day, until...

2. Exceptional circumstances - perhaps extremes of climate, weather or unusual terrain, or variations of mission type...

3. Disadvantaged or extraordinary users - e.g. operation at the end of a shift (fatigue) or after shift change (unfamiliarity); under extreme workload (such as busy airspace)...

4. Accident or failure - e.g. specific instances of system failure (e.g. multiple failure conditions); or expected crisis procedures such as Emergency Recovery, weather diversion...

Also from a manipulation of the HFE application in [HFE05], a scenario should consist of the following elements:

1. Scenario name

2. Rationale - why is this scenario of interest?

3. Agents - who is involved (including agents from the wider SoS)?

4. Situation and environment context - physical situation and narrative of the environmental conditions (including weather, climatic and overflown terrain considerations, where pertinent).

5. Mission context - replacing 'task context' for our use. i.e. what was the system doing / intended to be doing? What are the goals of the UAVS user?

6. Airspace context - this additional element is added to ensure that the ATM domain is considered, e.g. for airspace type and traffic conditions.

7. System context - what condition is the system in during the scenario (e.g. degraded systems)?

8. Actions? - For HFE, this would describe a linear path of actions and events through to some conclusion. However, for our use, we may be interested in using the same scenario for analysing a number of different action sequences. As such, it may be more useful to leave the scenario as a defined 'starting situation' using the fields above, and then describe the different outcomes and consequences separately in the analysis of each appropriate functional failure condition.

Note that it is not intended to subvert the need for specific HFE activities - those will still be required in their own right, for detailed design. The intent here is to co-opt a HFE technique to help analyse complex conditions for functional failure effects.

For the overall classification of the functional failure, the appropriate severity table will need to be applied, as discussed in section 2.2.1. To recap:

• For hazards and potential accidents where the UAV comes to ground - affecting the overflown population and / or the UAV itself: apply the Airworthiness safety criteria.

• For hazards and potential accidents where the UAV could conflict with other manned aircraft: apply ATM Separation / Collision safety criteria.

Assignment of requirements to the failure conditions

ARP 4761 discusses the application of appropriate probability requirements, in order to assure adequate safety levels for the system overall. All that needs to be noted here is that the requirement will need to be appropriate to the severity criteria applied, i.e. as pertinent to Airworthiness or ATM Separation / Collision safety targets (as discussed in section 2.2.1).

Supporting material required to justify the failure condition effect classification

Currently, it is proposed that the guidance within ARP 4761 will be suitable for UAVS application, for this aspect.

Verification method for certifying requirements compliance

As above, it is proposed that the guidance within ARP 4761 will be suitable for UAVS application, for this aspect.

2.2.6 Summary of Amended FHA Process

This section pulls together the various modifications to the ARP 4761 FHA process, proposed in order to apply the method more readily to UAVS safety assessment and certification. The proposed changes are summarised thus:

1. In section 2.2.1, a dual set of safety criteria is proposed, to satisfy both airworthiness requirements (where the UAV may come to ground and affect the overflown population) and ATM separation / collision requirements (where the UAV might affect other airspace users). The airworthiness criteria and targets may vary with class of UAV according to CAA kinetic equivalence criteria (reproduced in this report at Annex B). The ATM separation / collision requirements do not vary, being fixed by EUROCONTROL.

2. In section 2.2.2, it was concluded that the complexities of the extended system could be addressed by carrying out [SAE96] 'Aircraft Level' FHA as a 'UAVS-Level FHA'. To bring in consideration of the wider System of Systems, the use of a Rich Context Diagram is proposed, as too much lies out of the UAVS designer's remit or resource for a ‘System of Systems’ level FHA.

3. Sections 2.2.3 to 2.2.5 go on to consider the conduct of the UAVS-Level FHA. These activities are summarised in Figure 2.2.6a, below. This figure is based heavily (in style) on the original 'Aircraft Level FHA' Figure A1 in ARP 4761 [SAE96], in order to ensure recognition by experienced users and regulators - the ARP 4761 figure is reproduced in Annex A to this report (Figure A-1), as part of the more detailed critique of that document for UAVS application.

Figure 2.2.6a - ARP 4761 FHA Process, with modifications overlaid for UAVS applicability

PART 3 - TEST AND EVALUATION

This part of the report seeks to answer the following vital questions, relating to the proposed way forward in HazID for UAVS as put forward in Part 2:

• Does the Revised ARP 4761 HazID Method Work? That is, is it practical to apply and does it robustly identify hazards for UAVS?

• If so, then what are the hazards of manned and unmanned aircraft integration, and how does our listing compare to expectations?

Section 3.1 describes the test and evaluation methodologies used. Section 3.2 looks at the first question, evaluating the practicality of application. Section 3.3 considers the second question, evaluating the derived hazard listing.

3.1 Test Methodology

Test Method Selection

In order to determine the practicability of the revised HazID method, it needed to be trialled. To do this, the modified ARP FFA process has been applied to a 'typical' UAVS case study (see description, below). While not possible in this project to consider its application for all types of UAVS (see section 1 and 1.1 for the diversity among current UAVS), it was possible to choose a 'mid-range' system with broad applicability that will soon be facing the prospect of integration into manned airspace. In the longer term, it would be useful to check the wider applicability, by trialling against case studies at the more extreme ends of the UAVS spectrum such as HALE and micro-UAVs. The results are presented in Annex D, and discussed in Section 3.2.

If the method proved practicable, then the HazID should produce a hazard listing. How could we test the robustness of our HazID method, to ensure that the hazard listing is sound? Caseley of the Defence Science Technology Laboratory (DSTL), in [dst04], discusses use of the "Capture - Recapture" method, a technique borrowed from the Ministry of Agriculture, Fisheries and Food (MAFF). In MAFF use, a pool is trawled for fish, and all caught are tagged and released; then the pool is trawled again, and the proportion of fish recaptured compared to the number newly caught gives an indication of the total fish in the pool. DSTL used this method to provide a rough comparison of the efficiency of hazard identification by two separate agencies for the same project, and to identify coarsely how many hazards had gone unfound. A graphical view of the method is shown in Figure 3.1a, below. Caseley quotes the following example figures, to show simple factors of confidence:

• Agency A found 20 hazards, Agency B found 30, with 15 common hazards between the two groups.

• The proportion of hazards captured was estimated as 15/30 = 0.5

• The possible total number of hazards was estimated at 20/0.5 = 40
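The capture-recapture arithmetic quoted above, as an added Python example (not code from the report or from DSTL): it derives the counts from two hazard listings and reproduces the 20 / 30 / 15 figures. The hazard identifiers are constructed, and the Chapman bias-corrected estimate is a standard variant that the report does not use, included as an assumption so that the zero-overlap case still yields a number.

```python
"""Capture-recapture estimate of how many hazards two analyses left unfound."""
from dataclasses import dataclass
from typing import Iterable, Optional, Set


def normalise(hazards: Iterable[str]) -> Set[str]:
    """Fold case and whitespace so one hazard ID is not counted as two.

    Deciding that two differently worded hazards are 'the same' is an
    analyst's judgement; here it is assumed to be done already, so that
    matching hazards share an identifier.
    """
    return {h.strip().casefold() for h in hazards if h.strip()}


@dataclass(frozen=True)
class Estimate:
    found_a: int                        # hazards in listing A
    found_b: int                        # hazards in listing B
    common: int                         # hazards present in both listings
    distinct_found: int                 # hazards present in either listing
    capture_proportion: float           # common / found_b (15/30 in the text)
    total_estimate: Optional[float]     # found_a / capture_proportion
    unfound_estimate: Optional[float]   # total_estimate - distinct_found
    chapman_estimate: float             # bias-corrected variant (not in the report)


def capture_recapture(hazards_a: Iterable[str], hazards_b: Iterable[str]) -> Estimate:
    """Estimate the total hazard population from two independent listings."""
    a, b = normalise(hazards_a), normalise(hazards_b)
    if not a or not b:
        raise ValueError("both hazard listings must contain at least one hazard")

    common = len(a & b)
    distinct = len(a | b)
    proportion = common / len(b)

    if common:
        # The report's method: scale listing A by the proportion recaptured.
        total = len(a) / proportion
        unfound = max(total - distinct, 0.0)
    else:
        # No overlap: the simple estimate is undefined (division by zero),
        # which itself signals that the two analyses barely sampled the
        # same hazard space.
        total = unfound = None

    # Chapman's form stays finite when common == 0 and is less biased for
    # small counts.
    chapman = (len(a) + 1) * (len(b) + 1) / (common + 1) - 1

    return Estimate(len(a), len(b), common, distinct,
                    proportion, total, unfound, chapman)


# Constructed sample listings: identifiers only, sized to match the quoted
# example (A finds 20, B finds 30, 15 in common).
AGENCY_A = [f"H{i:02d}" for i in range(1, 21)]    # H01..H20
AGENCY_B = [f"H{i:02d}" for i in range(6, 36)]    # H06..H35

if __name__ == "__main__":
    e = capture_recapture(AGENCY_A, AGENCY_B)
    print(f"A={e.found_a} B={e.found_b} common={e.common}")
    print(f"proportion captured = {e.capture_proportion}")
    print(f"estimated total     = {e.total_estimate}")
    print(f"distinct found      = {e.distinct_found}")
    print(f"estimated unfound   = {e.unfound_estimate}")
    print(f"Chapman estimate    = {e.chapman_estimate}")
```

The gap between the estimated total and the distinct hazards actually found is the coarse count of hazards that neither analysis identified.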

Figure 3.1a - "Capture - Recapture" analysis method, to measure the effectiveness of hazard identification processes

Obviously, there are many statistical assumptions and simplifications inherent in this method (including a major assumption that the methods are truly independent), but as a simple measure it gives reasonable first order results, and should suffice for our purposes. With this in mind, it was decided to commission a separate FHA for the case study, but using a Structured What If Technique (SWIFT) for diversity of method, and using different personnel for independence of analysis. SWIFT takes a technology, flow or procedural assessment, using structured categories and key words for hazard elicitation, which (with separate personnel for different thought processes) is proposed as ensuring adequate independence of assessment. The SWIFT results are presented in Annex E; the hazard listing from the modified FFA process is presented in Annex F, and the results are jointly evaluated in Section 3.3.

Case Study Description

The 'Guard Dog' case study has been defined based on a number of current and near-future Tactical UAV Systems. While intended for over battle-field use, the Armed Forces need to train in their use, and with extended range and duration, they are keen to operate outside segregated range area boundaries. The case study considered a generic Tactical UAV (TUAV) operating out of a 'UAV friendly' airfield and out into integrated general (not controlled) airspace, in order to reach a range area for payload operation. The case study introduced aspects of interest relating to the performance and operation of the system, as well as the need to integrate it into a varied terrain and airspace environment. The background to the case study is shown in Annex C to this report, while a graphic overview of the system is shown in Figure 3.1b, below.

Figure 3.1b - Overview of Guard Dog UAVS case study

3.2 Evaluation of the Modified HazID Method through Trial Application

This section looks at the actual application of the proposed FFA method, and evaluates its practicability of use. Extracts from the FFA are shown below as examples, while a fuller listing is shown at Annex D.

3.2.1 Derivation of Safety Criteria and Objectives for UAVS Application

Deriving airworthiness safety criteria using the [UTF04] suggested definitions in Table 2.2.1(i) was straightforward at this stage – more questions were expected in their application (see Section 3.2.5).

| Minor | Major | Severe Major / Hazardous | Catastrophic |
|---|---|---|---|
| Slight reduction in safety margins (e.g. loss of redundancy) | Significant reduction in safety margins (e.g., total loss of communication with autonomous flight and landing on a predefined emergency site) | Controlled loss of the UAV over an unpopulated emergency site, using Emergency Recovery procedures where required. | UAV's inability to continue controlled flight and reach any predefined landing site |

Table 3.2.1(i) - Airworthiness Failure Condition Severities for ‘Guard Dog’ (drawn from Table 2.2.1(i))

Defining safety objectives proved almost as straightforward. Using both the CS.23.1309 definitions shown in Table 2.2.1(iii) (Single Reciprocating Engine (SRE) / under 6000lbs), and the CAA kinetic energy method (shown in Annex B), both arrived at the same conclusion of CS.23.1309 Class 1 probability criteria.

ATM separation criteria were already fixed, in accordance with Table 2.2.1(ii) (as they do not change with vehicle class).

3.2.2 FHA Levels to Address System Complexities

At this stage it was not possible to pronounce on the success of a ‘UAVS-level’ FFA – more is said of this in Section 3.2.3.

What did prove very useful was the derivation of a rich context diagram to model the System of Systems – see Figure 3.2.2-1 (a larger scale version is shown in ‘landscape’ at Figure D-1 in Annex D).

Figure 3.2.2a - Rich Context Diagram for Guard Dog UAVS and the System of Systems

It took quite a while to arrive at a result that seemed satisfactory, but this was a measure of the complexity of interactions rather than any difficulty of method.

The figure shown is the result of a one-man application. It would have been very useful at this stage, to use the diagram as a focus for discussion with key stakeholders, in order to draw out any more interactions.

3.2.3 Function Identification

Internal Functions

As the case study was intended to be generic, there was no formal documentation such as a User Requirement Document, or Yourdon diagrams, only the brief outline of the Case Study (Annex C). The function derivation was thus from first principles.

The simple representation of initial design architecture (Figure 3.1b / Figure C-1) was useful, to help break the system down to manageable pieces (while still being able to consider the overall system). It helped to be able to look at each element in turn, to draw out functions from that view. In considering each element, a ‘mind map’ was drawn for each element to pick out its related functions, then resolve / consolidate any overlaps between different elements under a higher level function. For example, ‘Manage Datalink’ was a function picked out to cover aspects pertinent to both UAV and GCS viewpoints. Care was needed to not become too ‘object’ focused (we still wanted to keep a system-level overview). An example of one of the mind maps is shown in Figure 3.2.3a.

[Mind-map figure, GCS-centred view. Node labels: Mission Planning; NEC; Plan Route; Upload Mission Plan; Control UAV?; Change Mission Plan; Manual Override - remote piloting; Monitor Mission Progress; Status of UAV; Actual path v mission route; Manage Payload; Direct sensors; Download payload data; Distribute payload data; Prioritise sensor / data requests from Users; Manage DataLink; Control Datalink Path (via next GCS? Via Satellite? Via UAV Relay?); Monitor Data link condition; D/L Fail Emgy Action.]

Figure 3.2.3a – Example of use of mind-map to consider each system element’s view of functions

The discipline of making a check of behaviour, control and information functions was also useful, though it was less easy (inappropriate?) to consider utility functions at this stage – that would perhaps prove more useful at the next level of sub-system FHA. These types helped draw out extra aspects: for example, it was initially thought that there wasn’t much to the field recovery / launch team element, but the list drew out information and utility aspects such as mission upload and replenishing consumables.

The derivation and consideration of flight phases also proved useful as a mind jogger: while the initial listing had found 56 functions, consideration of flight phases gained 5 more relating to internal functions.

It was difficult to not get too pulled into design, especially over aspects such as autonomy. Positive effort was needed to stay up at system level, i.e. not to try and partition functions into whether they were performed by the UAV or GCS / UAV-p. This proved to have been a good discipline, when it came to considering failure effects later on (see ‘Multiple Failures’, in section 3.2.5).

At this stage, it was becoming evident that the UAVS-level FHA was proving quite effective, in being able to identify (and hence analyse) system interrelations and complexities.

Exchanged Functions

As hoped, the rich context diagram proved very handy for drawing out exchanged functions. A table (Table D(v) in Annex D) was used to list each interaction, then focus on what the UAVS needed to provide to make the interaction work.

Some ‘functions’ were included that might not strictly be functions (perhaps characteristics?), but they had clear potential safety aspects. For example, ‘Conspicuity to Air Traffic’ is a fairly passive function but important to make ‘see and avoid’ work for non-cooperative air traffic. The rich context diagram was, again, supportive of drawing out such necessary characteristics.

What became evident later on was the need to define basic behavioural functions, to handle key emergency conditions – this is discussed in section 3.2.4 under ‘Emergency Configurations’.

Consolidation

From these functional views, 103 functions overall were identified (at all levels). 56 were extracted from internal views; 42 from the external context; and 5 new from looking at Flight Phases.

There seemed to be no real need for a separation of internal and external functions, and many were interrelated (see below), so they were combined into a single Functions Tree, ready for consideration in failure identification. Part of the tree is shown in Figure 3.2.3b. The tree in full can be seen in Figures D-4a, b and c at Annex D.

In trying to rationalise these functions into a tree, the interaction between functions grew apparent. E.g. ‘Auto Take-off and Landing’ has lower level functions to determine runway and landing characteristics for particular wind speed and direction, but functions under ‘Monitor weather for changes’ would affect the wind speed determination, and functions under ‘Stability and Control’ provide the actual take-off rotation or landing flare. There were ‘building block’ functions that, perhaps, higher order functions across the tree would make use of. These would be considered carefully when looking at functional failures and multiple failures.

UAVS Function Tree [Part 1 of 3]

Key: (I) Internal view; (F) Flight phase view; (E) External context view

1. Stability & Control (I)
    1.1 Determine attitude, orientation and speed (I)
    1.2 Stabilise perturbations (I)
    1.3 Manoeuvre UAV (I)
    1.4 Manual Override - Remote Piloting (I)
    1.5 Field T/O Launch Control (I)(F)
    1.6 Control Flight Path (I)
        1.6.1 Control Airspeed (I)
        1.6.2 Control Altitude & Rate (I)
        1.6.3 Control Heading (I)

2. Air Navigation (I)
    2.1 Position, Heading & Altitude Awareness (I)
        2.1.1 Determine Position, Heading & Altitude (I)
        2.1.2 Determine Nav Data accuracy (I)(F)
    2.2 Store / Update Mission Route (I)
    2.3 Monitor / Correct actual v planned route (I)
    2.4 Auto Takeoff & Landing (I)(F)
        2.4.1 Determine Airfield T/O Climb-out profile (F)(E)
        2.4.2 Determine High accuracy Position, heading & Altitude (F)
        2.4.3 Determine Airfield Approach, Hold, Circuit, R/W profile (F)(E)
        2.4.4 High Accuracy monitor / correct actual v planned profile (F)(E)
        2.4.5 Determine Windspeed & direction v R/W and landing characteristics (F)
    2.5 Terrain Avoidance (E)
        2.5.1 Awareness & flight path proximity (E)
        2.5.2 Maintain separation (ROA) (E)
        2.5.3 Emergency evasion (E)
    2.6 Sensitive Area Avoidance (Danger & Populated areas) (E) - as 2.6.1-3
    2.7 Controlled Airspace avoidance (E) - as 2.6.1-3
    2.8 Variable Danger Areas (NOTAMS) Avoidance (E) - as 2.6.1-3

3. Control on the Ground (I)
    3.1 Control Speed on the ground (I)
        3.1.1 Determine speed on ground (I)
        3.1.2 Controlled Ground thrust (I)
        3.1.3 Controlled Ground Braking (I)
    3.2 Control Position on the ground (I)
        3.2.1 Determine ground position & heading (I)
        3.2.2 Ground steering (I)
        3.2.3 Determine Airfield layout / required ground route (F)(E)
        3.2.4 Monitor / correct actual v required ground route (F)
        3.2.5 Determine Air / Ground transition (F)
        3.2.6 Determine Ground obstacles (F)(E)
            3.2.6.1 Detect mobile obstacles (F)(E)
            3.2.6.2 Fixed obstacles awareness (F)(E)

Figure 3.2.3b – Example of derived Functions Tree for ‘Guard Dog’ UAVS

3.2.4 Identification and Description of Failure Conditions

Environment List

The domain-review list provided a good structure for derivation of the environment list.

Weather aspects were fairly easy to pick out, from UAVS overall specification (based on world-wide operation).

Aspects such as overflown terrain were trickier to complete, as they are not a usual specification item. Looking at the map examples for scenarios (discussed in section 3.2.5) helped significantly. These also helped with extracting the range of electrical / mission / ATC environments. It was useful to define a number of potential missions (see Appendices C1 and C2) and use these to define typical scenarios (see 3.2.5), to get a better feel of likely environments. Looking at maps for areas of operation (and training in more domestic climes) teased out a wide variety of such aspects.

Emergency Configurations

Guard Dog started with the list as initially proposed in section 2.2.4. However, consideration of this list quickly highlighted a need to consider what the UAVS intent would be in event of such emergencies, especially for system failures. Hence, a useful source document would be an initial definition of emergency procedures, as part of the ‘initial design considerations’. The Guard Dog example is shown in Figure 3.2.4a below, or in bigger scale as Figure D-2 in Annex D.

These considerations spawned additional functions (to be added to the tree), to be assessed for further functional failures (part of multiple failures consideration).

[Flowchart: box labels only; the connections between boxes are not recoverable]

Normal operation: NORMAL FLIGHT; Determine best diversion and ID between GCS and UAV (may be home or destination); Maintain flight path over 'safe' terrain and airspace

Failure conditions: DATA LINK Signal Loss; DATA LINK System Fail (single); DATA LINK System Fail (total); FLIGHT CRITICAL SYSTEM Single (Redundant) Failure; FLIGHT CRITICAL SYSTEM Total Fail; COMMUNICATIONS Failure; GROUND CONTROL Failure; COLLISION AVOIDANCE Failure; AIR NAVIGATION Failure (inc. height, speed, position & route control)

Decision points (YES / NO): Regain D/L Signal?; External Nav Assistance?; Able to Maintain Safe Altitude?

Actions: Hold; Broadcast Control Datalink Fail; Broadcast Collision Avoidance fail; STOP & Broadcast; DIVERT to identified diversion airfield; Broadcast Mayday & EMERGENCY LANDING

 

Figure 3.2.4a – Example of outline Emergency Procedures, to derive functions

Failure Conditions Determination

With a significant number of functions, care was needed to ensure that all failure characteristics had been considered. In this, the FFA structure proposed worked well, as discussed below. Some failure conditions are shown below, but all identified can be viewed in full at Table D(vi) in Annex D.

‘Loss of function’ - could be tricky to assess, for continuous functions (i.e. to search deeper than just ‘loss of [function X]’). Some interesting conditions were found where a function could be pseudo-continuous. For example, ‘Terrain Awareness’ being made on a regular but not truly continuous basis (function 2.5.1 – see Table 3.2.4(i)): a potential failure condition was for sharp terrain to appear in the event horizon, if the update rate was not high enough.

| FFA ID | Function | (a), (b), (c) | Failure Condition (Hazard Description) |
|---|---|---|---|
| | 2.5 Terrain Avoidance (E) | | |
| F2.5A | 2.5.1 Awareness & flight path proximity (E) | (a) | Unaware of surrounding terrain |
| F2.5B | | (a) | Unaware of proximity of surrounding terrain to flight path |
| F2.5C | | (a) | Terrain proximity determined at low sampling rate |

Table 3.2.4(i) – Example of ‘Loss of Function’ for pseudo-continuous function

‘Uncommanded function’ – Some care was needed not to dismiss functions as ‘continuous’. For example, Function 1.6.1 ‘control airspeed’ is indeed continuous overall, but has some implied sub-functions such as to change airspeed intermittently when required, hence the potential uncommanded sub-function to change airspeed up or down when not required. (See Table 3.2.4(ii).)

| FFA ID | Function | (a), (b), (c) | Failure Condition (Hazard Description) |
|---|---|---|---|
| F1.6C | 1.6.1 Control Airspeed (I) | (b) | Airspeed runaway up |
| F1.6D | | (b) | Airspeed runaway down |

Table 3.2.4(ii) – Example of ‘Uncommanded Function’

‘Incorrect function’ – as expected, this category generated the widest variety of issues, and it could be hard to determine that all had been identified. Some of the most interesting failures were where a function potentially crossed system boundaries. For example, handover of control between 2 GCS (function 4.2.1) led to several variations of end result (see Table 3.2.4(iii)).

| FFA ID | Function | (a), (b), (c) | Failure Condition (Hazard Description) |
|---|---|---|---|
| F4.2C | 4.2.1 Handover to next GCS (I)(F) | (c) | Datalink control hand over from current GCS, but next GCS unable to take control |
| F4.2D | | (c) | Datalink control hand over from current GCS, but next GCS unaware it has control |
| F4.2E | | (c) | Datalink control taken over by next GCS, without current GCS being aware |
| F4.2F | | (c) | Datalink control hand over to next GCS, but current GCS also retains control (dual control) |
| F4.2G | | (c) | Datalink attempted control hand over to next GCS, but neither GCS retains control |

Table 3.2.4(iii) – Example of ‘Incorrect Function’ for a cross-system function
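The end results in Table 3.2.4(iii) can be cross-checked by brute-force enumeration. The sketch below is an added example, not part of the report: it models a handover with four assumed booleans (which GCS actually holds command authority, and which GCS believes it does) and maps each of the 16 combinations onto the table's FFA IDs. The state model, the mapping and the `NO-HANDOVER` label are assumptions made for illustration.

```python
"""Added example: enumerate end states of a GCS-to-GCS command handover."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class HandoverState:
    cur_auth: bool    # current GCS actually holds command authority
    nxt_auth: bool    # next GCS actually holds command authority
    cur_thinks: bool  # current GCS believes it is in control
    nxt_thinks: bool  # next GCS believes it is in control


# Intended outcome: authority and belief have both moved to the next GCS.
NOMINAL = HandoverState(False, True, False, True)


def classify(s):
    """Map one end state to FFA IDs from Table 3.2.4(iii) (assumed mapping)."""
    labels = []
    if s.cur_auth and s.nxt_auth:
        labels.append("F4.2F")        # both GCS hold control (dual control)
    if not s.cur_auth and not s.nxt_auth:
        # F4.2C and F4.2G differ in cause, not in end state:
        # either way no GCS is in control of the UAV.
        labels.append("F4.2C/F4.2G")
    if s.nxt_auth and not s.nxt_thinks:
        labels.append("F4.2D")        # next GCS unaware it has control
    if s.nxt_auth and not s.cur_auth and s.cur_thinks:
        labels.append("F4.2E")        # control taken, current GCS unaware
    if s.cur_auth and not s.nxt_auth:
        # Hypothetical label: the handover did not happen at all. This is a
        # loss of function, not one of the five rows quoted in the table.
        labels.append("NO-HANDOVER")
    return labels


def annunciated(s):
    """True when both crews' beliefs match reality (the state is detected)."""
    return s.cur_auth == s.cur_thinks and s.nxt_auth == s.nxt_thinks


def analyse():
    """Classify all 16 combinations of authority and belief."""
    rows = []
    for bits in product((False, True), repeat=4):
        s = HandoverState(*bits)
        rows.append((s, classify(s), annunciated(s)))
    return rows


def summary(rows=None):
    """Count how many end states fall under each label."""
    rows = analyse() if rows is None else rows
    counts = {}
    for _, labels, _ in rows:
        for label in labels:
            counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for state, labels, known in analyse():
        verdict = ", ".join(labels) if labels else "nominal"
        detect = "annunciated" if known else "UNANNUNCIATED"
        print(f"{state}  ->  {verdict}  [{detect}]")
    print(summary())
```

Only one of the 16 states is the intended outcome, and only three of the 15 hazardous states are ones in which both crews know what has happened; the rest are unannunciated variants of the table rows.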

At this stage, hazards weren’t all identified with separate annunciated and unannunciated versions, as this would have led to a ‘failure condition melt-down’. Instead, each would be evaluated for consequences in the next phase. That said, there were functions where warning was a specific aspect, and these were assessed directly. For example, in broadcast of warnings such as for function 9.7 (see Table 3.2.4(iv)).

| FFA ID | Function | (a), (b), (c) | Failure Condition (Hazard Description) |
|---|---|---|---|
| F9.7A | 9.7 Emergency Broadcast Actions (E) (Coll aware fail; D/L fail; Mayday) | (a) | Unable to broadcast – “Collision Avoidance Fail” |
| F9.7B | | (a) | Unable to broadcast – Data Link Fail |
| F9.7C | | (a) | Unable to broadcast – Mayday |
| F9.7D | | (b) | Broadcast ‘Collision awareness fail’ when not required |
| F9.7E | | (b) | Broadcast ‘Data Link fail’ when not required |
| F9.7F | | (b) | Broadcast ‘Mayday’ when not required |
| F9.7G | | (c) | Broadcast incorrect emergency message compared to that actually required |

Table 3.2.4(iv) – Example of failure identification for a warning function

As usual with FFA, there was a lot of output. The initial 105 functions gave rise to about 520 failure conditions. Care was needed to bring this to a manageable number of hazards at a similar level, to assist hazard management.

3.2.5 Identifying and Managing the Effects of the Failure Conditions

Table 3.2.5(i) shows some examples of the analysis of effects of failure conditions, extracted from the fuller analysis shown in Table D(vii) in Annex D. These examples are used to illustrate the discussion of the analysis, contained in this section.

Table 3.2.5(i) Examples of analysis of the effects of failure conditions, from the ‘Guard Dog’ FFA

| FFA ID | Failure Condition | Flight Phases | Effect of Failure Condition [note 2]: (1) AW; (2) ATM | Classification | Justification |
|---|---|---|---|---|---|
| F1.2A | Loss of UAV stability | Tax, TO A, TO F, Tran, Hand, Tran S, Sens, App, Land A, Land F, Rel | (1) Unstable UAV leads to overall loss of control – unable to continue controlled flight. Knock-on for Relay UAV would be loss of data link for Sensor UAV | (1) Catastrophic (2) Severity 1 | [Critical safety requirements will be set, if the Relay role is to be viable in unsegregated airspace.] |
| F1.2B | Undamped / poorly damped manoeuvres or speed | TO A, TO F, Land A, Land F, Tran, Hand, Tran S, Sens, App, Rel | (1) Significant reduction in safety margins during T/O or landing, due to oscillations. Potential for ground impact close to T/O or landing area. (2) Severe oscillations could cause height bust, deviation from clearance on approach, or reduced separation | (1) Hazardous (2) Severity 2 | |
| F1.3I | Manoeuvre capability exceeds vehicle structural strength | TO A, TO F, Tran, Hand, Tran S, Sens, App, Land A, Land F, Rel | (1) UAV break up – unable to continue controlled flight | (1) Catastrophic | AW issue, as vehicle break up takes it out of the ATM environment |
| F1.4A | Unable to take manual control of UAV | Taxi, TO A, TO F, Tran, Hand, Tran S, Sens, App, Land A, Land F, Rel | No immediate effect, UNLESS a coincident functional failure occurs (in functions 1-10 inc) requiring manual intervention | As for the most severe of other functions 1-10: (1) Catastrophic (2) Severity 1 | Manual override is intended as mitigation for many other failure modes. Safety requires independence from other failure forms (EITHER - autonomy in case of manual failure, OR - use of an independent 3rd option such as Flight Termination System to give a safe outcome, if critical functions are provided on a common datalink with manual control from the GCS) |
| F2.1A | Unable to determine position | TO A, TO F, Tran, Hand, Tran S, Sens, App, Land A, Land F, Rel | In isolation – position can be approximated from heading, speed etc. In common failure with F2.1B or F1.1B – requires external means to identify position (functions 9.3 En-route ATC communications and 9.4 Tracking ‘visibility’). Without these, system faces emergency landing (function 7.3.2) in unknown terrain, or flight path through unknown airspace. Knock-on for Relay UAV would be loss of data link for Sensor UAV | In extreme cases: (1) Catastrophic (2) Severity 2 | AW severity assumes need to make blind emergency landing at last ‘known’ position (MS7 emergency landing scenario shows that small inaccuracies could cause impact on village location, as lesser evil to flying on and possibly crashing in major population area). ATM severity assumes that function 10 Collision avoidance remains active – need to beware of potential common mode failures. |
| F2.5A | Unaware of surrounding terrain | Tran, Hand, Tran S, Sens, App, Rel | (1) UNDETECTED – Controlled flight into terrain. DETECTED – climb to safe height and divert | (1) Catastrophic | Assumes TO and Land covered by functions 2.4 – ensure no combined functionality / common mode failure |
| F4.3A | D/L fail action (hold then divert) not taken when required | TO A, TO F, Land A, Land F, Tran, Hand, Tran S, Sens, App, Rel | IF UAV does not take necessary autonomous action, then effect as F4.3C [UAV will eventually run out of fuel and crash land]. IF UAV continues on its pre-planned path but without diverting, may cause concern to ATM (prolonged exposure to UAV without manned override capability) but should act safely if functional | No action: (1) Catastrophic. Continues pre-planned actions: (2) Severity 3 | No action - Represents a failure of a critical autonomous response, to get the UAV down safely in event of D/L failure. Continue previous action – degrades ATM safety, but continuing autonomy gets the UAV down safely |
| F9.7A | Unable to broadcast – “Collision Avoidance Fail” | TO A, TO F, Tran, Hand, Tran S, Sens, App, Land A, Land F, Rel | (2) Failures under F10 for Collision avoidance system, following function 7.3.1 to divert would be UNDETECTED by ATM and other air traffic – they would proceed as if UAV would respect Rules of the Air, in extreme allowing collision | (2) Severity 1 | [see functions 10, Collision Avoidance, for safety-related functions where this function is intended as mitigation] |
| F9.7C | Unable to broadcast – Mayday | TO A, TO F, Tran, Hand, Tran S, Sens, App, Land A, Land F, Rel | (2) Failures requiring function 7.3.2 Emergency Landing would be UNDETECTED by ATM and other air traffic. Controlled emergency landing would not be affected, but could affect ability of ATM to alert emergency services to the site. | (2) Severity 1 | Classified as severity 1, on basis that it could make a bad situation (Severity 2) much worse by not being able to send assistance rapidly to the scene. [Difficult to classify, with criteria as listed] |

Notes:

1. Flight Phases – (Pre) Pre-flight; (Tax) Taxiing; (TO A) Take-off – from airfield; (TO F) Take off – ramp launch from field; (Tran) Transit under control of GCS; (Hand) Hand over control to second GCS; (Tran S) Transit with GCS relay via satellite; (Sens) On Task – using sensor payload; (Rel) On task - on station to relay TCDL to reach sensor UAV; (App) Approach; (Land A) Landing – at airfield; (Land F) Landing – rough field.

2. Effect of Failure Condition – (1) AW – effect on UAV, safety margins, continued & controlled flight; (2) ATM – effect on UAV Crew, ATCO, other Traffic

Identification of Failure Effects

In general, it was fairly simple to identify the broad effects of potential failures. This was particularly true of the ‘building block’ functional failures (as mentioned in section 3.2.3, in ‘consolidation’): when these failed, the effects were pretty direct. An example is shown in Table 3.2.5(i) with failure F1.2A “Loss of UAV stability”.

Some effects were worse in particular flight phases and this was noted in deriving the effects. One point of note was the crucial effect on the UAV system overall, when a failure occurred to a vehicle in Relay flight phase (as noted in F1.2A). The criticality of the UAV in this role will set very high safety requirements if this role is to be cleared in unsegregated airspace, and perhaps it may only be cleared for training with a viable alternative datalink path always available (so as not to be a critical dependency).

Most failures had both airworthiness and ATM separation effects. An example is shown in Table 3.2.5(i) for F1.2B “Undamped / poorly damped manoeuvres or speed”, where both an immediate airworthiness effect could be identified, and a slightly longer term ATM separation effect if the airworthiness effect was not immediately realised.

A few failures indicated an airworthiness effect only, such as F1.3I “Manoeuvre capability exceeds vehicle structural strength” in Table 3.2.5(i). The airworthiness effect here was usually so cataclysmic that there was little likelihood of further ATM effect.

A few others, such as F9.7A “Unable to broadcast – ‘Collision Avoidance Fail’” in Table 3.2.5(i), indicated an ATM effect only. These were usually directly related to ATM procedural or traffic separation functions.

Some functions had already been added in as emergency ‘warning’ functions, in response to early consideration of the effects of ‘annunciated’ vs ‘unannunciated’ failures. However, all failures were considered for the differences with the failure being annunciated / detected or not. F2.5A “Unaware of surrounding terrain” shows a particular example, where detection would allow a much safer effect than the alternative, and this would help set particular safety requirements on the system to improve detection.

Classification of (Airworthiness and ATM) failure effects

The safety criteria discussed already in section 3.2.1 proved useful, and usually easy to apply. This was especially true of the airworthiness criteria, and (usually) of the ATM separation criteria.

There were a few exceptions with the ATM separation criteria, where the classification in terms of ATC workload, traffic separation or collisions could not easily be applied. Here, classification came down to a judgment on the level of ‘loss of control’ by ATM and UAV-p and the effective reduction in safety margins. An example is shown in F9.7C “Unable to Broadcast ‘Mayday’” in Table 3.2.5(i), where there is no further airworthiness effect, but there is an ATM / UAV-p effect, as ATC can’t be alerted to apply their procedures to call emergency services to the site.

Multiple failures

Some key multiple failures had already been considered, by creating emergency intent functions (mentioned in section 3.2.4 Emergency Configurations) and then analysing failures in these follow-on functions (e.g. F9.7A “Unable to broadcast – ‘Collision Avoidance Fail’”, already mentioned above). Others were derived from key aspects of the initial system architecture, such as the datalink between GCS and UAV.

While not many more ‘failures on failures’ were analysed in detail, there were some failures where the criticality of certain other functions remaining effective (for mitigation) was noted. Here, the main drive was to identify safety requirements to ensure effective mitigation, particularly the need to establish independence of such functions and avoid common mode failures. A specific example (among many) is F2.1A “Unable to determine position”, where the potential effect is not so bad, provided that other key functions such as Collision Avoidance functionality remain operational. If there was a common system factor (such as some datalink dependence for these functions) then the effects would be much worse.

This brings us to a particular issue drawn out by consideration of multiple failures. Up to this point, the analysis had avoided partitioning functionality between the UAV, GCS and UAV-p (i.e. making decisions on autonomy levels). Now it was possible to set requirements on critical functionality. The primary concern was the need to make safety critical functions independent of the datalink. Safety is thus a driver for increased capability (and assurance) in autonomy for those functions. There are endless examples where dual failure with datalink would be Catastrophic / Severity 1, but a couple from Table 3.2.5(i) are discussed below.

This issue of autonomy v datalink was first noted in the FFA during consideration of F1.4A “Unable to take manual control of UAV”. Here, the effect was not serious provided that the system had adequate autonomy to carry out necessary safety actions such as collision avoidance, terrain avoidance, air navigation and conducting emergency procedures. This was later backed up by consideration of specific datalink function failures, where the knock-on effect of not carrying out those functions was noted – especially examples such as F4.3A “D/L fail action (hold then divert) not taken when required”. For this, the effect of failure was proposed as:

“If the UAV does not take the necessary autonomous action, then the effect is as F4.3C [UAV will eventually run out of fuel and crash land]. IF the UAV continues on its pre-planned path but without diverting, this may cause concern to ATM … but should act safely if functional.”

UAVS thus need careful use of autonomy, to provide the necessary independence of safety functions. As a minimum (for smaller systems perhaps, where the public would be less alarmed), the use of a Flight Termination System would be an alternative, independent means of assuring a ‘safe’ outcome.

Use of Scenarios to Aid Effects identification

For the majority of failures analysed, scenarios weren’t necessary, and consideration against more general contextual information was appropriate.

Where they were necessary, the initial guidance led to scenarios that were almost too specific. Text based scenarios (as proposed) needed a fair number of words to get the situation across, and still seemed to be lacking necessary information. An example is shown in Figure 3.2.5a.

An alternative was tried, with better results. This approach was to plan actual missions over typical terrain, on air maps. Using this, the user got a better idea, more quickly, of the type and range of challenges – terrain, airspace, obstructions, HIRTAs etc. It was vital to actually plan the route on paper, not just look at the maps, in order to think into actual mission-type situations. For example, identifying where to place a GCS to achieve datalink along full length of route; or how to respect airways minimum heights, while being pushed by terrain to maintain minimum separation – airmanship-type decisions. The map could be annotated with other conditions of interest, such as the possible range of weather.

The same proved true when looking at emergency situations. For instance: what if the weather closes out the planned route here; or propulsion fails there; or satellite datalink becomes unavailable when ground GCS range is marginal.

Overall, it seemed that graphical mission scenarios were more user friendly and encouraged creative thinking. They contained more information and felt more ‘real’ than just broad specification envelopes; but not too specific – they allowed ‘what ifs’ to be raised and assessed quickly, some of the what-ifs being driven by the map terrain and airspace content.

An example of a graphical mission scenario is shown in Figure 3.2.5b, comparable to the textual scenario shown in Figure 3.2.5a.

Scenario : Routine Take-off

Rationale : Applying general take-off to realistic situation, at ‘UAV-Friendly’ Parc Aberporth

Agents : UAVS and UAV-p; Aberporth ATC and ground traffic; Cardigan Bay danger area controller

Situation and environment context : Day VFR weather fine. Onshore breeze from the sea, 20kts. Take off and climb out planned over sea (away from Aberporth village at foot of significant hills), then turn out over sea for first leg. Several wind farms on coast, and steep terrain.

Mission context and goals : Start of a routine training mission. Intent is to taxi and take off safely, respecting airfield ATC and ground / circuit traffic. Main goal is to get established on first leg of fly out, at start of a long training mission.

Airspace context : Parc Aberporth is a UAV-friendly airfield, used to UAV activities. Some light manned aircraft traffic in circuit, including military aircraft incoming from / outbound to the danger area (range).

Danger area is a sea range, for aircraft and ships weapon trials (closed to traffic during attack runs).

First leg to Talybont, crosses under Airway A (at 6,500 ft, under airway starting at 16,500 ft)

System context : Full system functionality, as checked during pre-flight and taxi checks

Actions : UAV-p contacts airfield ATC for clearance to taxi – this is given and UAV taxis out to stop at Hold ‘CHARLIE’. After other traffic clears, ATC clears UAV onto runway 26 for take off. UAV applies power and takes off, correcting for slight cross-wind. After clearing obstruction height and reaching 2000ft, UAV told to switch to danger area controller frequency.

Danger area controller clears UAV to the north, commanding to keep clear of south end of range where ships are operating on range. UAV heads onto northerly track, climbing until reaching 6,500ft.

As it leaves the danger area, UAV switches to Holyhead Airspace Controller and requests Flight Information Service for transit to Spadeadam.

Figure 3.2.5a – Example of mini scenario for consideration of failure effects

Figure 3.2.5b – Example of graphical scenario ‘MS1 Routine Take-off and climb out’


The scenarios were used in a few analyses of the effects of failures. This was usually as follow-on to trying to assess the effect with broader information, to check and improve on the justification behind an effect analysis. For failures like F4.2F “Datalink control hand over to next GCS, but current GCS also retains control (dual control)” (in table 3.2.5(i)) this was useful, where the impact is not clearly apparent on first analysis.

Occasionally, they were used to help ‘put flesh on the bones’ behind an analysis, to ensure that the ensuing classification was suitably robust. Failures such as F2.1C “Unable to determine altitude” show such a use, where the effect was already felt to be quite severe, but the emergency landing scenario provided an alternative context to re-assess the classification.

3.3 Evaluation of Hazards Identified by the Modified HazID Method

The functional failures (in Annex D) produced by the FFA process have been reviewed by the author, in order to determine a list of hazards at a common, appropriate level. This hazard listing is shown at Annex F to this report. Some 88 hazards are listed in all, with references to the functional failures that spawned them.

Numerical assessment

How robust is this hazard listing and (accordingly) the FFA HazID process that has been used? As discussed in Section 3.1, a SWIFT technique was commissioned to provide a comparison, with the overall results shown in Annex E. Both Annexes E and F cross refer to the appropriate comparable hazard(s) identified in the alternative technique.

The comparison of techniques is interesting, if not straightforward. Our FFA method produced 88 hazards, while SWIFT produced 77. Of these, 48 were in close agreement.

Using the MAFF ‘capture / recapture’ method as discussed in Section 3.1, this would indicate, initially, the following metrics:

Initial metrics for hazard capture confidence:

‘Proportion of hazards captured’ = 48 / 88 = 0.55

‘Possible total number of hazards’ = 77 / 0.55 = 140 

This was not overly inspiring of confidence in the results, so further investigation was made to see if they were overly pessimistic. From the first pass comparison, 29 SWIFT hazards did not directly match FFA hazards. However, the comparison was not always made on a level footing:

• Several of the SWIFT hazards (10) were related to ground personnel, whereas the FFA focus was on operating hazards more relevant to manned / unmanned aircraft integration. The ARP 4761 process would eventually draw these out through complementary analyses such as Operating & Support Hazard Analysis.

• About 10 of the SWIFT hazards were more causal than directly hazardous, related to system implementation. These (through ARP4761) would be considered under Fault Tree Analysis at the UAVS level, or FHA and FMEA for lower level systems. A further 2 were related to uncontained engine failure and fuel fire, and would be considered under Particular Risk Analysis with the [SAE96] process.

• A further 3 SWIFT hazards related to general procedural aspects, covered by regulation, such as maintenance policy and crew training.

Having removed these hazards (for now) to achieve a common level, a revised comparison could be made. SWIFT now had identified 52 hazards, with 48 agreeing with the FFA:

Revised metrics for hazard capture confidence:

‘Proportion of hazards captured’ = 48 / 88 = 0.55

‘Possible total number of hazards’ = 52 / 0.55 = 95 

This suggests that the FFA has identified about 90% of the total hazards for manned / unmanned aircraft integration.
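The "about 90%" figure is a point estimate from two lists, so it is worth seeing how wide the uncertainty around it is. The following is an added example, not part of the report: `report_estimate` reproduces the arithmetic printed above, while `chapman` and `coverage_band` go beyond it by applying the Chapman bias-corrected capture/recapture estimator with a normal-approximation interval. It assumes the FFA and SWIFT analyses behave as independent samples of the same hazard population, which the report does not establish.

```python
"""Added example: capture/recapture confidence for the FFA vs SWIFT comparison."""
import math

# Counts quoted in the report.
N_FFA, N_SWIFT, MATCHED = 88, 77, 48

# SWIFT hazards set aside as being at a different level (counts from the report).
OUT_OF_SCOPE = {
    "ground personnel": 10,
    "causal / system implementation": 10,
    "particular risk (engine failure, fuel fire)": 2,
    "procedural / regulatory": 3,
}


def report_estimate(n_ref, n_other, matched):
    """Arithmetic as printed in the report: round the proportion to 2 d.p.,
    then divide the other method's count by it."""
    proportion = round(matched / n_ref, 2)
    return proportion, round(n_other / proportion)


def rescoped(n_other, exclusions):
    """Count left in the other method once out-of-scope hazards are removed."""
    return n_other - sum(exclusions.values())


def chapman(n1, n2, m):
    """Chapman estimate of the population size and its standard error.

    n1, n2 are the sizes of the two lists and m the number found by both.
    This is an added technique, not the method used in the report.
    """
    n_hat = (n1 + 1) * (n2 + 1) / (m + 1) - 1
    var = ((n1 + 1) * (n2 + 1) * (n1 - m) * (n2 - m)) / ((m + 1) ** 2 * (m + 2))
    return n_hat, math.sqrt(var)


def coverage_band(n1, n2, m, z=1.96):
    """(low, mid, high) fraction of all hazards captured by the first list."""
    n_hat, se = chapman(n1, n2, m)
    seen = n1 + n2 - m                 # distinct hazards actually observed
    n_low = max(seen, n_hat - z * se)  # the total cannot be below what was seen
    n_high = n_hat + z * se
    return n1 / n_high, n1 / n_hat, n1 / n_low


if __name__ == "__main__":
    print("initial :", report_estimate(N_FFA, N_SWIFT, MATCHED))
    n_swift = rescoped(N_SWIFT, OUT_OF_SCOPE)
    print("revised :", report_estimate(N_FFA, n_swift, MATCHED))
    print("chapman :", chapman(N_FFA, n_swift, MATCHED))
    print("coverage:", coverage_band(N_FFA, n_swift, MATCHED))
```

With the revised counts the interval on FFA coverage runs from roughly 88% to 96%, which brackets the report's figure.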

Subjective assessment of differences

As noted above, the SWIFT had already identified some ground-based and causal hazards that the FFA (at this stage) had not – we can propose that these would be identified by subsequent stages of the ARP4761 process.

Four SWIFT hazards remain that cannot be explained in this way, and these are shown below.

•  S13 Inadvertent launch
•  S25 Poor preparation of launch site (inadequate runway quality)
•  S41 Loss of GCS communications
•  S48 Pilot fatigue (long endurance shifts)

These indicate two issues with the FFA. Firstly, the FFA is only as good as the initial function tree, and this application had missed out a small number of functions – e.g. ‘Inter GCS Communications’. A peer review of the Rich Context Diagram and Functions Tree might have picked these (and maybe more) out. Second, in spite of the intent to pick out functions including human issues, it was still difficult for the FFA to consider and draw hazards out of high level human factors, such as the resource issue of long endurance shifts. This is why it is still important to ensure that Human Factors are adequately assessed and designed for, in their own right.

The FFA of our proposed method had, in turn, identified 38 additional hazards relating to integration of UAVs into unsegregated airspace – these are shown below:

•  A4 Flight instrumentation (attitude and speed) errors
•  A5 Inability to identify flight instrumentation errors
•  A9 Unable to transfer to autonomous UAV control
•  A10 Conflicting authority between UAV controllers (manual / autonomous or different ground controllers)
•  A11 Control mode error (where control laws differ with phase of flight)
•  A13 Asymmetric thrust / power
•  A16 High accuracy navigation instrumentation errors (altitude, position, heading; for taxi, take off, approach, landing)
•  A17 Inability to identify navigation instrumentation errors
•  A19 Planned mission route not achievable by UAVS (not capable within performance)
•  A20 Planned mission route not safe (by Rules of the Air)
•  A25 Minimum terrain separation (i.a.w. Rules of the Air) not maintained
•  A26 Terrain separation / emergency evasion triggered when not required / appropriate
•  A27 Separation from sensitive areas (danger areas / populated areas / NOTAMS areas) not maintained
•  A29 Incorrect type / identifier of controlled airspace determined (if cleared for controlled airspace operations)
•  A35 Incorrect airfield layout / ground taxi route determined
•  A36 Inability to determine ground / air transition clearly
•  A37 Unable to correctly determine position of fixed / mobile ground obstacles
•  A38 Inability to accurately determine command datalink signal strength
•  A39 Incorrect status of command datalink system serviceability determined
•  A41 Command datalink handed to GCS, but GCS unaware it has control
•  A43 Command datalink lags via satellite / relay
•  A45 Satellite / relay UAV passes control datalink commands to incorrect UAV
•  A47 Command Datalink jammed
•  A49 Valid command datalink rejected as jammed / stolen
•  A52 Inability to monitor initial / changing weather conditions along the mission route
•  A53 Bad weather re-routing infringes sensitive airspace / overflown areas
•  A54 Bad weather re-routing exceeds UAV capability (performance)
•  A58 Diversionary airfield / route not communicated between UAV and GCS (UAV not aware of appropriate action to take, or GCS not aware what action the UAV will take)
•  A62 GCS moding initiates ground mode displays and controls (e.g. mission planning), when in-flight monitoring / control required
•  A68 UAV centre of gravity adversely affected by fuel charge
•  A70 Different mission plans loaded - UAV; relay UAV; first GCS; other GCS in mission
•  A72 Inability to correctly detect, interpret and respect airfield visual signals
•  A77 Radio frequency changed in error (e.g. to emergency frequency)
•  A78 UAV does not correctly comply with Airfield ATC procedures: ground movement (clearance & direction); enter runway; take-off; climb out direction and final height; approach direction; circuit direction; runway allocation; hold height & direction; landing clearance; exit runway clearance
•  A79 UAV does not correctly comply with en-route airspace ATC procedures: Climb / descend and final cruising altitude; heading change; hold position, height and direction; diversion
•  A80 UAV complies with Airfield or En-route ATC procedure intended for another aircraft
•  A81 Unable to correctly broadcast emergency message: “Collision Avoidance Fail”; “Datalink fail”; “Mayday”
•  A82 Emergency broadcast made when none necessary
•  A88 UAV resembles other aircraft types of different size or performance

This list seems eclectic, and it is awkward to pick out particular aspects where the FFA method might have been ‘better’ than SWIFT. Overall, the longer listing was due to the rigour applied to identifying functions, especially using the Rich Context Diagram to identify external functions (the SWIFT perhaps focussed on the internal). The FFA also performed well in identifying hazards related to the operating environment and their airworthiness implications, such as in collision and terrain avoidance, and in airmanship through airspace and airfield environments.

Summary of Hazard Identification Robustness

In all, the FFA performed well in hazard identification, identifying around 90% of hazards relating to integration of UAVS into non-segregated airspace even as a one-man technique carried out in isolation. With team input and peer review, this would improve further.

However, it is important to remember that FFA is just the first part of the ARP4761 process, and subsequent causal and sub-system analyses are important to draw out all pertinent hazards. Additionally, techniques such as Operation & Health Safety Analysis and especially Human Factors Engineering will be necessary, to ensure all potential hazards are identified and managed.

PART 4 – CONCLUSIONS AND FURTHER WORK

This part of the report aims to pull together the key findings of the project, and relate them to the original aims. It also provides a ‘shopping list’ of recommendations for further work, in order to advance the cause of UAVS integration.

4.1 Findings, Related to Satisfaction of the Project's Aims

The overall motivation for the project was to assist the process of integration of UAVS into unsegregated airspace, by addressing the lack of understanding of the safety issues and hazards involved. More specifically, the following aims were identified:

• To identify the current concerns over UAVS safety, in relation to the existing manned airspace infrastructure;

• Hence, to derive a framework for considering the safety risks related to integrating unmanned vehicles into unsegregated airspace. The intent is that this, as part of a robust safety assessment and certification programme, will assist in the eventual clearance of UAVS, to operate routinely alongside manned aircraft.

Each of the report's key findings is considered below, in relation to these aims. Conclusions are numbered 1-14 in this section.

4.1.1 Identifying Current Concerns over UAVS Safety

Part 1 went somewhat further than the initial intent of identifying current concerns in relation to the existing manned airspace infrastructure. Because of the complex, interrelated nature of UAVs, a more complete view of safety concerns was taken, which included the airspace infrastructure but also covered design airworthiness, operations, airmanship and the inherent ‘differences’ introduced by UAVSs. As a result, a broad range of safety issues was identified, in two main areas:

Safety issues relating to UAVs as ‘disruptive technology’

UAVs have some vital differences from the current general experience with manned aviation, and these introduce some potential safety issues to be overcome:

1. UAVS come in wide varieties, in terms of shape, size and performance, and the types of roles they undertake. This makes them difficult to ‘pigeon-hole’, and means that they may be difficult to manage or predict, among manned traffic. (Section 1.1.1)

2. The UAVS system boundary is much broader (and less well understood) than for manned aviation, with inclusion of additional critical aspects such as datalinks, Ground Control Systems, data flows, data sources etc. This leads to questions of airworthiness as a complex system, reliability of datalinks, and availability of RF spectrum for critical links. (Section 1.1.2)

3. Vehicle autonomy creates several issues, starting with its definition! Clear indication is needed of ‘who is in control’, especially when emergency action is required. There is a dichotomy between requiring a predictable response (especially for ATM decision making), yet needing flexibility of response to achieve a safe outcome. New technologies such as agent-based control could provide the necessary flexibility, but introduce questions of expertise, trust and software clearance – they also require strong specification of required behaviour, when this is not explicitly defined for manned aviation. (Section 1.1.3)

4. The ‘headline’ catastrophic failure rate for UAVs is currently too high for acceptance into a manned environment. This is due to: poor accident data gathering; the experimental / military roles they are currently undertaking; lack of reliable purpose-built components; and not applying appropriate design, fabrication and maintenance processes to build in safety (as per their manned counterparts). While it is difficult to define ‘equivalent levels of safety’ between UAVs and manned systems, it is suggested that FAR 1309 / ARP4761 type safety processes could be applied to the design and certification of novel, safety critical aspects, with suitable amendments. (Section 1.1.4)

Safety issues relating to the manned airspace environment coming to terms with UAVs

5. While it is agreed that a ‘safety targets’ (Safety Case) approach would be easiest to apply for UAVS, standards and certification must be applied to achieve international acceptance. Hence, regulation, certification and standards are critical to integration of UAVS into unsegregated airspace, but are currently struggling to achieve consensus between different bodies. Thus, while there are proposals for a ‘total system’ approach to safety, currently airworthiness, operations and ATM are managed by different regulators. What little current regulation exists is very generic, demanding equivalence to manned systems but without addressing UAV differences. (Section 1.2.1)

6. Because of current segregation of traffic, very few UAVs have interacted with ATM systems, and so it is difficult to predict the real implications. Because the nature of ATM change is ‘monolithic’, ATM suppliers demand no change, i.e. that UAVS operations must be transparent, while there are numerous ways in which UAVs will react differently from manned aircraft. There are issues of equipage, traffic levels, RF interoperability, voice communications, even basic routes and procedures that have been built around manned aircraft and their performance expectations. (Section 1.2.2)

7. Collision avoidance from terrain and, more difficult, from other aircraft is a big issue for UAVS integration, and UAVs will require a non-cooperative Sense & Avoid capability to match their manned counterparts. It is difficult to define equivalent levels of safety to manned aircraft, as human visual performance is so fallible, hence regulators and designers cannot agree on which should come first – the technology to provide Sense and Avoid, or the criteria that it must meet. (Section 1.2.3)

8. UAVS navigation, datalinks and ground systems vulnerabilities to jamming or malicious take-over must be addressed to ensure security of operation. (Section 1.2.4)

9. For a system ‘unmanned’ in the air, there are significant Human Factors issues to be overcome. Some revolve around the ground cockpit environment, the cues to the UAV-p, the organisation of pilots and commanders, and the interaction with variable autonomous systems. Others involve the experience / competence levels of the pilots, maintainers and operating organisations, plus the extended human network that provides critical data to the UAVS. (Section 1.2.5)

10. As with all safety critical systems, public opinion over safety levels may not match the actuality. However, UAVSs are expected to face a more critical media and public response in the event of a safety occurrence, because of their unmanned nature. (Section 1.2.6)

4.1.2 A Framework for Considering Safety Risks Related to Integrating Unmanned Vehicles into Unsegregated Airspace

At the end of Part 1, the focus for the project development was set out in order to satisfy the study aims, as follows:

A. A better understanding of what the root hazards associated with UAVS integration are.

B. Can a .1309 / ARP4761 safety assessment approach be used for UAVS, to identify hazards for solution during design / manufacture / operation?  

Each of these sub-goals is reviewed in the following paragraphs, to provide a structure to assess whether the main aim has been achieved. The order of the sub-goals has been changed, to reflect the design (Part 2) and test (Part 3) order of the project.

Can a .1309 / ARP4761 safety assessment approach be used for UAVS, to identify hazards for solution during design / manufacture / operation?  

Part 2 has reviewed ARP4761 (which is based on satisfaction of 23.1309 and 25.1309 requirements) to see where it might fall short, in its applicability to UAVS. The concluding statement from Section 2.1 was “The intent of ARP4761 to support the safety assessment (and hence clearance) of novel aircraft systems remains good. If the issues identified above can be addressed, then the revised framework should equally support safety assessment and clearance of UAVS.”

The focus for Part 2 of the project has thus been to address these issues with a modified hazard identification methodology, to supplement ARP4761 and thus provide a safety assessment framework suitable for UAVS application. The identified ‘issues’ from Section 2.1 formed the ‘requirements’ for ‘design and build’ in Part 2, Section 2.2.

In order to pull together and relate the conclusions for build of the hazard identification methodology, Table 4.1.2(i) has been created (see following pages). This shows the development of conclusions, from the assessment of requirements in Section 2.1, through design and build in Section 2.2. To complete the picture, the conclusions from test and evaluation of the proposed method have been placed alongside (Part 3, section 3.2).

11. In summary, it is concluded that the development of the hazard identification methodology, using a modified functional failure analysis, has resulted in a practicable approach that addresses the gaps in ARP4761 previously identified. As such, the HazID methodology supplements ARP4761 to allow the combined safety assessment framework to be used for UAVS, to identify hazards for solution during design, manufacture and/or operation.

A better understanding of what the root hazards associated with UAVS integration are. 

The hazard identification method, designed in Part 2, was assessed in Part 3 against a generic Tactical UAVS. From this application, a listing of potential hazards has been developed (Annex F).

Part 3, section 3.3 evaluated the hazards identified, using an alternative hazard identification technique and personnel. From this, the following conclusions have been reached:

12. The proposed HazID method (using a modified ARP4761 FFA approach) has identified around 90% of the likely hazards associated with integrating a (generic) Tactical UAV system into unsegregated airspace.

The shortfall is likely to be due to:

• the functional analysis being a ‘one-man’ effort, which would benefit from peer review;

• the difficulty in drawing out high-level Human Factors issues with FFA, and the importance of Human Factors Engineering to address such issues;

• FFA being just part of the ARP4761 framework – additional sub-system analyses such as FTA, FMEA, Common Cause Analysis etc would draw out further hazards.

13. The proposed method was strong in identifying hazards related to the external System of Systems, especially in areas such as the operating environment, in airmanship concerns, and interfacing with airfield and ATM environments. In these respects, it is proposed that the hazard listing has contributed to the understanding of UAVS integration hazards.

14. It should be borne in mind that the hazard listing is specific to the generic Tactical UAVS used for the case study. However, as has been stated (in the introduction and in Section 3.3), the results should have good read across for specific Tactical UAVS, and broad applicability for other types of UAVS, but should be assessed carefully for applicability to particular systems.

4.2 Recommendations for Further Work

4.2.1 UAVS Safety, generally

This project has addressed only a few of the safety aspects identified that currently stop UAVS from being integrated into unsegregated airspace. The list at Section 1.3 provides a rich seam of safety issues that require further work:

• Impact of the Variety, Roles and Performance of UAVs 

• The complex system boundary for UAVs

• UAV autonomy - technology, predictability, complexity 

• Accident rates and reliability - UAV airworthiness 

• Regulation, Certification and the Drive for Standards

• ATM interaction

• Collision avoidance

• Security and safety

• Human factors, Suitably Qualified & Experienced Personnel (SQEP) and organisations

• Public perception of UAV safety 

4.2.2 UAVS Hazard Identification Methodology and Application of ARP4761 Framework

This project has shown that it should be practicable to apply the hazard identification methodology, as part of an ARP4761 framework approach to safety assessment for a UAVS. However, several areas for further work exist, to provide confidence in the framework overall:

• The project focussed on the hazard identification aspects of ARP4761. It would be useful to extend assessment to look more closely at the follow-on safety assessment activities of ARP4761, including sub-system analyses, PSSA and SSA.

• The evaluation work looked at a generic tactical UAV, a broad area in the middle of potential UAVS types. Because of the wide range of UAVS types, it would be beneficial to evaluate application nearer the ends of the spectrum, perhaps for a HALE / UCAV system, and a Micro / Urban system.

• The evaluation was also a one-man application to a generic system. Further confidence would be built through documented application to an actual system in development. This could seek to use team / stakeholder involvement to improve the context and functional identification; and apply the revised ARP4761 framework through to certification.

• An ATM environment-level FHA (including principles for integration of UAVS) could be undertaken, with involvement of EUROCONTROL, the CAA and/or other regulators. This could aid the development of UAVS policy and (perhaps through decomposition of such policy using methods such as discussed in [Hall05]) support satisfaction of such policy as input to the UAVS-level FHA by the system developers.

• A key finding was the suspected criticality of autonomy to the effects of failure. It would be useful to apply the FFA to a known system, but looking at the effects of varying the UAV autonomy level, for each failure.

BIBLIOGRAPHY

[AST04] “ASTM International Support to the U.S. Unmanned Air Vehicle Systems Industry - Position Statement”, 2004, ASTM International

[AST05-1] “Role of standards in the latest OSD UAS Roadmap”, May 2005, ASTM International

[AST05-2] “Roadmap for Unmanned Aircraft Standards”, May 2005, ASTM International

[Bol05] “CRS Report for Congress: Homeland Security: Unmanned Aerial Vehicles and Border Surveillance”, RS21698, Bolkcom C., Feb 2005, Congressional Research Service, Library of Congress

[Bon05] “Global Satellite Navigation Systems: Advantages and Vulnerability”, Bonnor N, Feb 2005, Royal Institute of Navigation (RAeS Conference proceedings)

[Bow05] “Unmanned Aerial Vehicle Flights in UK Airspace”, 8AP/15/19/02, Bowker, Lt Cdr GN, May 2005, Civil Aviation Authority - Directorate of Airspace Policy

[CAA02] “Aircraft Airworthiness Certification Standards for Civil UAVs”, Haddon DR & Whittaker CJ, Aug 2002, Civil Aviation Authority - Directorate of Airspace Policy

[CAA04] “Unmanned Aerial Vehicle Operations in UK Airspace – Guidance”, CAP722 (2nd Edition), Nov 2004, Civil Aviation Authority - Directorate of Airspace Policy

[CAS04] “Civil Aviation Safety Regulations - Part 101 Unmanned aircraft and rocket operations”, CASR Part 101, Dec 2004, [Australian] Civil Aviation Safety Authority

[CSI04] “MSc in Safety Critical Engineering - Computers, Software & ISA”, CAS, McDermid J & Pumfrey D, Apr 2004, The University of York, Department of Computer Science

[DeG04] “Issues Concerning Integration of Unmanned Aerial Vehicles in Civil Airspace”, MP 04W0000323, DeGarmo MT, Nov 2004, Mitre Corporation - Center for Advanced Aviation System Development

[dst04] “Applying Safety Process Measures”, Caseley P, Jun 2004, DSTL (through Safety Critical Systems Club Seminar 'Life Saving Second Opinions')

[EAS05] “Advance - Notice of Proposed Amendment - Policy for Unmanned Aerial Vehicle Certification”, A-NPA No 16-2005, 2005, EASA

[EUR01] “EUROCONTROL Safety Regulatory Requirement 4 - Risk Assessment and Mitigation in ATM”, ESARR 4, Apr 2001, EUROCONTROL

[FAA88] “Advisory Circular: Transport Category Airplanes, Federal Aviation Regulations - System Design and Analysis”, AC 25.1309-1A, Jun 88, Federal Aviation Authority

[FAA99] “Advisory Circular: Normal, Utility, Aerobatic and Commuter Category Aeroplanes - Equipment, Systems, and Installations In Part 23 Airplanes”, AC 23.1309-1C, Mar 1999, Federal Aviation Authority

[Hall05] “Defining and Decomposing Safety Policy for Systems of Systems”, SAFECOMP 2005 / LNCS 3688 / pp. 37-51, Hall-May M & Kelly T, 2005, University of York Dept of Computer Science

[HFE05] “MSc in Safety Critical Engineering - Human Factors Engineering”, HFE, Wright P, Feb 2005, the University of York Department of Computer Science

[HRA03] “MSc in Safety Critical Engineering - Hazard & Risk Assessment”, HRA, Kelly T et al, Nov 2003, The University of York, Department of Computer Science

[Hua04-1] “Autonomy Levels for Unmanned Systems (ALFUS) Framework - Volume I: Terminology (Version 1.1)”, NIST Special Publication 1011, Huang HM, Sep 2004, National Institute of Standards and Technology

[Hua04-2] “Autonomy Measures For Robots: Proceedings of IMECE”, IMECE2004-61812, Huang et al, November 2004, International Mechanical Engineering Congress

[Jos05] “Model-Based Safety Analysis of Simulink Models Using SCADE Design Verifier”, Joshi A & Heimdahl M, 2005, University of Minnesota Department of Computer Science & Engineering

[LaF05-1] “Mapping A Future”, LaFranchi P, March 2005, Flight Magazine (Reed Business Information)

[LaF05-2] “Crash Course”, LaFranchi P, March 2005, Flight Magazine (Reed Business Information)

[LeT02] “VFR General Aviation Aircraft and UAV Flights Deconfliction”, AIAA-2002-3422, Le Tallec C, 2002, ONERA Long-term Design and Systems Integration Department

[Man06] Meeting with Patrick Mana to discuss EUROCONTROL safety criteria, Apr 2006

[MaP05] “EADS Current UAV Programmes”, MacPherson W, Feb 2005, EADS / RAeS Conference proceedings

[Mar03] “Suggested Flight Approval Process for Unmanned Air Vehicles (UAVS)”, Marsters GF & Sinclair M, 2003, AeroVations Associates

[McD03] “Extending PSSA for Complex Systems”, McDermid J & Nicholson M, 2003, University of York

[Met05] “UAV Access to UK Airspace - Spectrum Availability”, Mettrop J, Feb 2005, CAA / RAeS Conference Proceedings

[Nel04] “Prospective UAV operations in the future NAS”, Case#04-0936, DeGarmo M and Nelson G, 2004, Mitre Corporation - Center for Advanced Aviation System Development

[Okr05] “25 Nations for an Aeronautics Breakthrough”, Okrent M, Feb 2005, UAVNET / RAeS Conference proceedings

[PlJ05] “Approach to Autonomy”, Platts J, Feb 2005, QinetiQ / RAeS Conference proceedings

[PlP05] “UAVs and ATM - A Holistic Approach”, Platt P, Feb 2005, QinetiQ / RAeS Conference proceedings

[RQE05] “MSc in Safety Critical Engineering - RQE: Requirements Engineering”, RQE, Luettgen G & Stepney S, Oct 2005, the University of York Department of Computer Science

[RTC05] “Special Committee 203 Minimum Performance Standards for Unmanned Aircraft Systems and Unmanned Aircraft - Terms of Reference, revision 1”, RTCA Paper No. 006-06/PMC-438, Dec 2005, RTCA

[SAE96] “Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment”, ARP 4761, 1996, SAE

[Sch04] “Defense Science Board Study on UAVs and UCAVs”, Schneider W (Chairman), Feb 2004, DSB for Secretary of Defense

[Sin03] “Integrating UAVs With Conventional Air Operations: Some Regulatory Issues”, Marsters GF & Sinclair M, Mar 2003, AeroVations Associates

[Ste05] “UAV Access to UK Airspace”, Stenson J, Feb 2005, CAA / RAeS Conference proceedings

[UTF04] “UAV Task Force Final Report”, JAA / EUROCONTROL, May 2004, EASA

[Wal03] “Application Of Manoeuvre-Based Control In Variable Autonomy Unmanned Combat Aerial Vehicles”, AFIT/GAE/ENY/03-09, Walan Capt AM, March 2003, [US] Air Force Institute of Technology

[Wei03] “Safety Considerations for Operation of Small Unmanned Aerial Vehicles in Civil Airspace”, Weibel R & Hansman RJ, Oct 2003, MIT International Centre for Air Transportation

[Wei04] “Safety Considerations for Operation of Different Classes of UAVs in the NAS”, AIAA-2004-6421, Weibel RE and Hansman RJ, Sep 2004, American Institute of Aeronautics and Astronautics

[Wes05] “Meggitt Aerial Target Services - History, Utility and the Future”, Westlake-Toms S, Feb 05, Meggitt / RAeS Conference Proceedings

[Whi05] “Aircraft Airworthiness Standards for Civil Unmanned Aerial Vehicle Systems”, Whittaker C, Feb 2005, CAA / RAeS Conference proceedings

[Wik03] “Flying with Unmanned Aircraft (UAVs) In Airspace Involving Civil Aviation Activity - Air Safety and the Approvals Procedure”, Wiklund E, March 2003, Swedish Aviation Safety Authority

[Wil04] “A Summary of Unmanned Aircraft Accident/Incident Data: Human Factors Implications”, DOT/FAA/AM-04/24, Williams K, 2004, Federal Aviation Authority

[Wil05] “Keynote Address to the RAeS 2nd FEBRUARY 2005”, Willbond T, Feb 2005, RAES / UAVSA

ABBREVIATIONS & ACRONYMS

Autonomy: (A) The condition or quality of being self-governing. (B) A [UAV's] own ability of sensing, perceiving, analyzing, communicating, planning, decision-making, and acting, to achieve its goals as assigned by its human operator(s) through designed HRI. Autonomy is characterized into levels by factors including mission complexity, environmental difficulty, and level of HRI to accomplish the missions. [Hua04-1]

A-NPA: Advance – Notice of Proposed Amendment. EASA advance issue of a document, advising of proposed changes to regulation and inviting comment from stakeholders

AOPA: Aircraft Owners & Pilots Association

ASTM: American Society for Testing and Materials. US society for development of consensus based standards.

ATC: Air Traffic Control. Relates to the interaction with (or inputs to) the aircraft, as defined by the Air Traffic Controller - Output of the ATM

ATS: Air Traffic Service

ATM: Air Traffic Management. The wider ground, personnel and procedural system that provides Air Traffic Control as its output

BLOS: Beyond Line Of Sight. Long range guidance and command datalinks, where signals must be bounced, bent or relayed to reach beyond terrain or earth's curvature masking. See also OTH.

Chicago Convention: The Convention on International Civil Aviation set out that "...the undersigned governments having agreed on certain principles and arrangements in order that international civil aviation may be developed in a safe and orderly manner and that international air transport services may be established on the basis of equality of opportunity and operated soundly and economically."

CAA: Civil Aviation Authority. Where not otherwise qualified, refers to the UK authority

CCA: Common Cause Analysis. Generic term encompassing Zonal Analysis, Particular Risks Analysis and Common Mode Analysis. In these methods, analysis is made of common modes of failure, which could affect a number of elements otherwise considered to be independent. [SAE96]

C4: Command, Control, Communications, Computers. Description of military command elements pertinent to a system. May refer to C2, C3 etc as applicable to the system under consideration.

Comms: Communications. Usually referring to technology or infrastructure

ConOps: Concept of Operations. Documentation describing how a system is intended to be used in-service.

DoD: Department of Defense (United States)

DSA: Detect, Sense and Avoid. US terminology for S&A

dstl: Defence Science & Technology Laboratory. UK MoD centre of scientific excellence, providing scientific advice to the Armed Forces.

EASA: European Aviation Safety Agency. The European Aviation Safety Agency is the organ of the European Union to set strategy for aviation safety. While national authorities continue to carry out the majority of operational tasks… the Agency ensures common safety and environmental standards at the European level."

ELINT: Electronic Intelligence

ECM: Electronic Counter-Measures

EMC: Electro-Magnetic Compatibility

EMI: Electro-Magnetic Interference

EU: European Union

EUROCAE: European Organisation for Civil Aviation Electronics. European regulatory body, advising EUROCONTROL and EASA

FAA: Federal Aviation Authority. US government organisation for the advancement, safety and regulation of civil aviation

FAR: Federal Aviation Regulations. Aviation regulations as issued by the FAA

FHA: Functional Hazard Assessment. A systematic, comprehensive examination of functions to identify and classify Failure Conditions of those functions according to their severity - see also PSSA and SSA [SAE96]. The intent is to be predictive of system failure conditions, to allow safety targets to be set for system component reliabilities, in order to achieve an acceptable overall platform safety level once the design is realised.

FFA: Functional Failure Analysis. A technique which is part of FHA. Applies a systematic review of system functions to determine the ways in which failure may occur; then analyses these failures for potential accident consequences. Can be used to determine the criticality of each function (and failure mode) and set appropriate Safety Integrity or Design Assurance Levels, or more specific reliability requirements.

FIR: Flight Information Region. As in the UK FIR, describes the majority of airspace covered by advisory rather than mandatory Air Traffic Control.

FMEA: Failure Modes and Effects Analysis. Safety analysis to determine hazard effects of lower level system and component failures – part of SSA and PSSA

FTA: Fault Tree Analysis. Subsequent safety analysis to determine contributory causes for potential hazards – part of SSA and PSSA

FTS: Flight Termination System. System that (usually small) UAVs may be fitted with, to ensure that the vehicle can be commanded to ‘stop flying’ safely, in the event of some other critical system failure. Such systems include parachute retrieval, and control hard-over.

Galileo: European / US / ICAO supported civilian controlled GNSS

GCS: Ground Control System. Ground-based system elements that allow the UAV-p to control the UAV

GLONASS: Global'naya Navigatsionnaya Sputnikovaya Sistema. Russian GNSS

GNSS: Global Navigation Satellite System. Generic name for GPS

GPS: Global Positioning System. Navigation system set up by the DoD, using 24 orbiting satellites to transmit timing information and allow receiving systems to calculate their position by triangulation and measured signal timing differences (pseudo-ranges)

HALE: High Altitude, Long Endurance. UAV type characterised by its intended operating altitude and endurance. See also MALE

HazID: Hazard Identification. Collection of safety assessment techniques that enable the hazardous characteristics of a system under study to be identified early on, in a reliable and systematic manner.

HF: Human Factors

HIRF: High Intensity Radio Frequency. HIRF transmitters have the potential to cause EMI with the UAV or its datalink with the GCS. Usually refers to actual sources of HIRF, such as high-power transmitters for radio, radar, telecomms etc

HIRTA: High Intensity Radio Transmission Area. HIRF transmitter of known location, identified on maps to alert pilots (and hence to avoid them)

HMI: Human / Machine Interface. See HRI

HRI: Human-Robot Interaction / Interface. Also known as Human Interaction, Operator Interaction (or more generally as Human / Machine Interface). The activity by which human operators engage with [UAVs] to achieve the mission goals. [Hua04-1]. As an interface, term is an extension of earlier considerations of 'Man-Machine Interface' and 'Human-Computer Interface'.

ISTAR: Intelligence, Surveillance, Targeting and Reconnaissance

ICAO: International Civil Aviation Organisation. The International Civil Aviation Organization, a UN Specialized Agency, is the global forum for civil aviation. See web site at www.icao.int

IFR: Instrument Flight Regulations. Set of specific regulations that a pilot / aircraft must comply with (including required equipment) in order to fly when defined visibility criteria for VFR are not met

JAA: Joint Aviation Authority. Advisory group consisting of the various European civil aviation authorities. Now superseded by EASA

JAR: Joint Airworthiness Requirement. Airworthiness requirement issued by JAA. Now superseded by EASA CS regulations

MAFF: Ministry of Agriculture, Fisheries and Food. UK government ministry

MALE: Medium Altitude, Long Endurance. UAV type characterised by its intended operating altitude and endurance. See also HALE.

MASPS: Minimum Aviation System performance Standards. UAV standards being developed by RTCA

MoD: Ministry of Defence (United Kingdom)

Mode S / Mode S ELS: Mode Selective / Mode Selective Elementary Surveillance. Mode S is a modification to SSR that permits selective interrogation of aircraft by means of a unique address, thus avoiding the risk of mis-identification due to overlapping signals. Mode S ELS is the elementary implementation for aircraft under 5,700 Kg and 250kts capability. It responds with a unique Aircraft Identification code, and limited other information, most notably aircraft altitude.

MP: Mission Planning. The process to generate tactical goals, a route (general or specific), commanding structure, coordination, and timing for one or teams of UAVs. The mission plans can be generated either in advance [and pre-loaded to the UAV before flight] or in real-time by the onboard, distributed software systems. [Hua04-1]

NAS: National Air Space. Term covering airspace under US regulatory control

NATO: North Atlantic Treaty Organisation. Military organisation originally set up by western countries' forces, to counter the threat from the Soviet bloc.

NEC: Network Enabled Capability. UK MoD approach to ensure that all Systems can be linked into a military command and control network, for sharing of information.

nm: Nautical Miles

NTSB: National Transportation Safety Board. US Federal agency that investigates civil transportation accidents (including aviation), conducts safety studies, and issues safety recommendations to prevent future accidents.

OTH: Over The Horizon. Long range guidance and control datalinks - see BLOS also

PSSA: Preliminary System Safety Assessment. A systematic evaluation of a proposed system architecture and implementation based on the Functional Hazard Assessment and failure condition classification to determine safety requirements for all items - see also FHA and SSA [SAE96]

RC: Remote Control. See RPV

RF: Radio Frequency

RoW: Right of Way. Agreed principles for aircraft rights of way (who has precedence), in accordance with ICAO and national Rules of the Air.

RNAV: Area Navigation

RPA: Remotely Piloted Aircraft. See RPV

RPV: Remotely Piloted Vehicle. Usually indicates a UAV with virtually no autonomy, in that its flight controls are directed manually (and continually) by a ground-based pilot.

RTCA: Radio Technical Commission for Aeronautics. US society for production of consensus based standards

Sensor: Equipment that detects, measures, and/or records physical phenomena, and indicates objects and activities by means of energy or particles emitted, reflected, or modified by the objects and activities. [Hua04-1]

S&A: Sense and Avoid. Function / technology that allows a UAV to match / improve upon a manned aircraft pilot's ability to See conflicting traffic and take avoiding action. Intended as a last defence, when other formal barriers such as ATC segregation (by airspace, flight level, instruction etc) and co-operative technologies such as TCAS have proved ineffective for a particular situation.

SCADE: Safety Critical Application Development Environment

SOP: Standard Operating Procedures. Defined procedures to be manually followed, in the event of expected normal or emergency arisings.

SoS: System of Systems. Where a tightly-coupled system under consideration can be shown to be part of a wider, more loosely-coupled set of systems, each affecting each other with potential safety implications.


SQEP Suitably Qualified and Experienced Personnel Term used to reflect the need for personnel to be competent to perform safety-related duties

SSA System Safety Assessment A systematic, comprehensive evaluation of the implemented system to show that the relevant requirements are met - see also FHA and PSSA [SAE96]

SSR Secondary Surveillance Radar ATM system where aircraft fitted with transponders are interrogated by the ground radar, and are indicated on the controller's radar screen at the calculated bearing and range. An aircraft without an operating transponder may still be observed by primary radar, but without an identifying tag. See also ‘Mode S’.

SWIFT Structured 'What If' Technique FHA method assessing system physical elements, flows and procedures, using structured categories and key words to help draw out potential hazards.

TAWS Terrain Awareness & Warning System [See also GPWS]

TCAS Traffic awareness & Collision Avoidance System Co-operative system, based on transponder responses from equipped aircraft - each aircraft in a potential collision path is given a mutually compatible avoidance manoeuvre to fly, to avert the risk.

TUAV Tactical UAV UAV type characterised by the scope of its operations for gathering military intelligence

UAV Commander A suitably qualified person responsible for the safe operation of a UAV System during a particular flight and who has the authority to direct a flight under her/his command [CAA04].

UAV Operator The legal entity operating a UAV System. [CAA04]

UAS Unmanned Aerial System See UAVS

UAV Unmanned Aerial Vehicle Usually refers to the flying vehicle itself (see UAVS below). CAA definition is 'An aircraft which is designed to operate with no human pilot on board.' [CAA04]

UAV-p UAV Pilot Person directly in control of the UAV, under command of the UAV Commander.

UAVS Unmanned Aerial Vehicle System Includes all aspects of the system (including ground elements such as the GCS and sometimes even the 'soft' elements such as the operating organisation and procedures). Sometimes referred to as UAS - Unmanned Aerial System.

UCAV Unmanned Combat Air Vehicle UAV designed and intended to deliver weapons against other air vehicles or ground targets. The definition is usually intended to cover a system that has some level of autonomy (not purely under manual guidance), and that can return (i.e. not just a guided weapon)

UK United Kingdom ...of Great Britain and Northern Ireland

UML Unified Modelling Language A standardised language for specifying, visualizing, constructing, and documenting the artefacts of complex systems (usually but not necessarily software), using graphical notation.

URD User Requirement Document High level requirement document, setting out the user-focused requirements for a system (i.e. what the end-user must be able to achieve with a system, rather than how it is to be achieved).

US United States ...of America

UTF UAV Task Force Joint task force between JAA and EUROCONTROL, to explore UAV integration and implications for ATM.

VFR Visual Flight Regulations Airmanship regulations that must be followed by pilots / aircraft, when visibility and weather conditions conform to required criteria.

VHF Very High Frequency Radio Frequency range used for ATC communications

VOR VHF Omni-directional Range Ground beacon-based navigation system

Vmo Maximum Operating Speed Defined velocity criteria for an aircraft design. The speed that the design cannot exceed, without damage to the airframe or loss of control

Vs Stalling Speed Defined velocity criteria for an aircraft design. The speed that the design cannot fly below, without stalling (losing lift and possibly control).

www World Wide Web


ANNEX A

REVIEW OF ARP 4761, TO SUPPORT ARP 4758, CS 25.1309 ETC FOR UAV APPLICATION


Reference: [SAE96] - ARP 4761 Issue 1996-12

INTRODUCTION TO REVIEW

SAE International - "the Engineering Society for advancing mobility - Land, Sea, Air, Space" publish various ARPs (Aerospace Recommended Practice) to aid industry in achieving required standards. ARP4761 [SAE96] provides "Guidelines And Methods For Conducting The Safety Assessment Process On Civil Airborne Systems And Equipment": it is a companion to ARP 4754 which is aimed at the certification methods for complex airborne systems, but both are intended to provide a systematic means by which satisfaction of FAR 25.1309 [FAA88] and its JAR (now EASA CS) equivalent can be shown, for civil aircraft.

The comments below discuss the applicability of the guidelines and methods in terms of assessment for a UAV System. In particular, the review looks at the hazard identification aspects (predominantly the Functional Hazard Assessment (FHA) proposed by ARP 4761).

SECTION 1. SCOPE

This sets the scope for 'aircraft level safety assessment' - this would need to be developed for the broader UAVS scope (or System of Systems (SoS) scope - see section 1.1.2).

SECTION 2. REFERENCES

The references to standards would need to be revised in light of the standards being adopted, adapted and created for UAVS applicability (see section 1.2.1).

SECTION 3. SAFETY ASSESSMENT PROCESS

Section 3.1 Safety Assessment Overview

This section draws in the safety objectives from FAR / JAR 25.1309 (becoming EASA CS.25.1309), as shown below:

Table A(i) - Safety Objective, from ARP 4761 (drawn in turn from CS.25.1309)


On initial review, it can be seen that the criteria are driven to the most demanding, as required for EASA and FAA requirements at the '25.1309' heavy-end of the vehicle spectrum. As noted in [Wik03], in section 1.1.4 of this report, there is a spectrum of requirements pertinent to the scale of the vehicle - 10^-9 per fg hr for a heavy transport increases to 10^-6 per fg hr for a single engine aircraft under 6000lbs.

It can also be seen that these criteria are lacking in their UAVS applicability, such as having no occupants, the remote / autonomous nature of their crew, and (implicit) differences in system arrangements. These aspects were noted by the JAA / Eurocontrol UAV Task Force - in their report [UTF04, chapter 7.5], they suggested modifications to the criteria, as follows:

o  The worst UAV Hazard Event designated as 'Catastrophic' or Severity I Event may be defined as the UAV's inability to continue controlled flight and reach any predefined landing site, i.e. an UAV uncontrolled flight followed by an uncontrolled crash, potentially leading to fatalities or severe damage on the ground.

o  The overall (qualitative) Safety Objective for UAV System may subsequently be "to reduce the risk of UAV Catastrophic Event to a level comparable to the risk existing with manned aircraft of equivalent category".

o  Quantitative safety objective for the individual UAV 'Catastrophic' or 'Severity I' conditions and/or for the sum of all failure conditions leading to a UAV Severity I Event should be set, per UAV category, considering:

    o  The probability level for catastrophic failure conditions that is considered as acceptable by the airworthiness requirements applicable to manned aircraft of "equivalent class or category".

    o  The historical evidence and statistics related to manned aircraft 'equivalent class or category', including, where relevant, consideration of subsequent ground fatalities.

o  Categories lower than Severity I could be defined as follows.

    o  Severity II would correspond to failure conditions leading to the controlled loss of the UAV over an unpopulated emergency site, using Emergency Recovery procedures where required.

    o  Severity III would correspond to failure conditions leading to significant reduction in safety margins (e.g., total loss of communication with autonomous flight and landing on a predefined emergency site)

    o  Severity IV would correspond to failure conditions leading to slight reduction in safety margins (e.g. loss of redundancy)

    o  Severity V would correspond to failure conditions leading to no Safety Effect.

o  The quantitative probability ranges required for lower severities should be derived from the quantitative required objective for the worst severity.

While these suggestions clarify the qualitative aspects of the criteria, care would be needed where a quantitative assessment was to be applied. Some of the issues associated with this are discussed in this report at section 1.1.4.

In the above, what do the Severity I-V categories refer to? Discussion with Patrick Mana of EUROCONTROL [Man06] clarified their concern that the ARP 4761 criteria reflected an airworthiness-focused accident consequence (i.e. loss of the aircraft with its occupants and / or harm to personnel on the ground). In order to focus safety management within ATM system development, EUROCONTROL considered that further criteria were required to deal with the effects on the ATM environment. For this reason, they have published their risk management regulations (at system level) in EUROCONTROL Safety Regulatory Requirement 4 (ESARR 4) [EUR01]. These criteria covered:

o  Effect of hazard on air crew, (E.g., workload, ability to perform his/her functions);

o  Effect of hazard on the Air Traffic Controllers, (E.g., workload, ability to perform his/her functions);

o  Effect of hazard on the aircraft functional capabilities;

o  Effect of hazard on the functional capabilities of the ground part of the ATM System;

o  Effect of hazard on the ability to provide safe Air Traffic Management Services; (E.g., magnitude of loss or corruption of Air Traffic Management Services/functions).

The discussion with Patrick concluded that, to support EASA's requirement for total system safety, and EUROCONTROL's particular requirements for air collision risk, a UAV-focussed safety process would need to accommodate both cs.1309 airworthiness criteria and, somehow, the ATM criteria. These are reproduced in Table A-2 below from [EUR01] for comparison. Note that, unlike the FAA / EASA ‘airworthiness’ requirements of 25.1309 and 23.1309, these requirements are absolute and do not vary with the size or category of the aircraft. Also, EUROCONTROL have only identified one end of the risk spectrum: Severity 1 accidents must not occur more than 1.55 x 10^-8 per fg hr.

Table A(ii) - Severity Criteria as defined in ESARR4 by EUROCONTROL

Section 3.2 Functional Hazard Assessment (FHA)

The usual route proposed by ARP4761 is to carry out an Aircraft Level FHA, a high level, qualitative assessment of the basic functions of the 'aircraft' as defined at the beginning of aircraft development. This is then followed with a System Level FHA, which is iterative in nature and becomes more defined and fixed as the system evolves. It considers a failure or combination of system failures that affect an aircraft function. The intent is to work towards identification of the appropriate Development Assurance Level (DAL) for each aircraft function and the system functions that affect it. These in turn help to identify the level of development, qualification and certification activity required to provide adequate assurance that each function has been safely implemented. The output from the aircraft and system level FHAs is used to set the safety requirements for the detailed design process, so it is vital that all pertinent safety hazards have been identified by this point. A number of questions emerge at this point, in trying to apply this process to UAVS:

o  Is an 'aircraft level' FHA appropriate as the start point for UAVS assessment? ARP4761 propose this as the highest level for consideration, but for UAVS there is the 'super-system', the SoS whose support is critical to mission (and safety) assurance.

o  How is the integration of systems best handled, to ensure all hazards are identified? In particular, integration of the people and procedural systems, as well as the extended system technical elements?

Here, ARP4761 provides comment over the integration of systems:

"The safety assessment process for integrated systems should take into account any additional complexities and interdependencies which arise due to integration. In all cases involving integrated systems, the safety assessment process is of fundamental importance in establishing appropriate safety objectives for the system and determining that the implementation satisfies these objectives."

As noted in section 1.1.2 of this report, this is particularly pertinent (and challenging) for UAVS and the extended boundary of the System of Systems (SoS). The section goes on to discuss the role of Functional Hazard Assessment (FHA) at the beginning of the development process, to set appropriate safety objectives and requirements. One of the problems I foresee is that, because of the loose and fluid nature of the UAVS system boundary, the complex interaction with the SoS, and the variable nature of where functions are controlled (through autonomy), there may be a whole mess of 'exchanged functions' that will be difficult to identify and assess, until at least initial UAVS high-level architectures are outlined. The ARP does suggest that the FHA is reviewed once the functions begin to be allocated to systems, but this could prove to be a significant part of the assessment for a UAVS. The follow-on work for Preliminary System Safety Assessment (PSSA) and System Safety Assessment (SSA) could draw out such interactions, especially through work elements such as Common Cause Analysis (CCA), but the ideal would be to identify these hazards early on, before the system architecture begins to 'harden-up' in the development process, and change becomes more difficult. Also, these latter analyses are aimed more at identifying and mitigating causes for the potential hazards already identified, rather than identification of new hazards.

Section 3.3 and on: Preliminary System Safety Assessment (PSSA), System Safety Assessment (SSA)

This report will not look in any detail at the PSSA-onwards part of the process, as the ARP assumes that all hazards have (in the main) been identified during FHA, and our focus is on hazard identification. As ARP4761 describes this aspect:

"A PSSA is used to complete the failure conditions list [i.e. the causes of hazards] and the corresponding safety requirements. It is also used to demonstrate how the system will meet the qualitative and quantitative requirements for the various hazards identified. The PSSA process identifies protective strategies, taking into account fail safe concepts and architectural attributes which may be needed to meet the safety objectives. It should identify and capture all derived system safety requirements (e.g., protective strategies such as partitioning, built-in-test, dissimilarity, monitoring, safety-related tasks and intervals, etc.). The PSSA outputs should be used as inputs to the SSA and other documents, including, but not limited to, system requirements, hardware requirements and software requirements."

What is useful to consider here, is that other reviewers have found aspects of ARP4761 that need bolstering, in order to apply PSSA to complex systems and SoS. McDermid and Nicholson [McD03] proposed that some extensions to the guidelines and methods were necessary to deal with (in particular) the people, processes and software that characterise such complex systems and their interactions with other systems. [McD03] focuses on the design-centred PSSA part of the cycle, where the comments will, of course, be especially applicable for UAVS. However, the comments could apply equally to the up-front FHA aspects, especially where the UAVS will have to fit into an existing SoS with pre-defined equipment and people elements (such as ATM and, perhaps, common mission planning and GCS systems). The paper suggests that additional hazard identification methods are required to deal with software-rich and people-centred aspects - elements of this could be brought forward into FHA for UAVS assessment, where pre-existing systems have to be integrated with, or could be adapted to help deal with the system interactions known to exist at the FHA stage.

For the SSA stage, the assessment requires a defined design to be validated against the developed safety requirements - this is not the focus for our report, but there could be interesting questions over use of traditional safety analyses such as Failure Modes and Effects Analysis (FMEA) in people- and software-rich systems, and interactions across complex SoS.

SECTION 4. SAFETY ASSESSMENT ANALYSIS METHODS

The ARP describes a number of useful PSSA and SSA related safety assessment techniques, and little needs to be said here. However, there are some aspects of interest relating to Common Cause Analyses (CCA) that should be touched on here, perhaps as pointers for future studies:

o  Zonal Hazard Analyses - the question here is over the definition of zones. With the extended UAVS and SoS, potentially zone definition needs to be extended likewise. For example, the SoS includes critical navigation elements in space (if using GPS), and datalinks transmitting through a common RF environment with other transmitters.

o  Particular Risk Analysis - the suggested list could be extended to consider particular risks specific to UAVS, such as datalink failure.

APPENDIX A - FUNCTIONAL HAZARD ASSESSMENT

A fair amount has already been said about FHA above, relating to UAVS. Here, we will only discuss new aspects that become pertinent from the ARP text.

In A.1, the ARP again sets the intent to conduct the FHA at ‘Aircraft’ and ‘System’ levels – this we have discussed above, with the complications for UAVS of the complex system boundary, and the system of systems interactions.

The section goes on to suggest that "It is desirable to establish an aircraft level general hazard list to be used on future projects so that known hazards are not overlooked." This would be a useful step forward, provided that it is not used to limit the application to a new UAVS, where additional and different hazards might exist.

A.3 introduces the ARP-proposed FHA process. The suggested process for conducting the Aircraft level FHA is reproduced below in Figure A-1 (a separate figure is presented in the ARP for the System-level FHA, but does not differ significantly, for our purposes).

Section A3.1 Function Identification

A3.1.1 provides guidance on source data for the FHA. For the Aircraft-level, a fairly simple list is proposed:

• The list of the top-level aircraft functions (e.g., lift, thrust, etc.)

• The aircraft objectives and customer requirements (e.g., number of passengers, range, etc.)

• Initial design decisions (e.g., number of engines, conventional tail, etc.)

This is based on an assumption of simple interfaces between the ‘aircraft’ and the external world, because the ARP provides a much more detailed list for the System-level FHA, where interfaces between system elements, and initial design decisions are critical. For our consideration of the UAVS being part of a complex System-of-Systems, the listing for the system-level FHA (or similar) might be more appropriate? We will touch more on this later, as we look at the FHA process and its needs.

Figure A-1 - ARP4761 Process for an Aircraft-level FHA


Following the process model outlined in Figure A-1 above, A.3.1.2 looks at creation of the function list.

•  A.3.1.2a refers to ‘internal’ functions, which are the main high-level functions of the aircraft, and the functions assumed to exchange internally within the aircraft system (presumably from initial design assumptions). For our UAVS with its complex system boundary (even when just looking internally, with the UAV, the GCS and immediate high-level system assumptions), the list of ‘typical’ internal functions would need to grow considerably – and guidance needs to be given on defining what is the high-level system (as discussed in this report at section 1.1.2). These internal functions might vary with our initial design assumptions over the UAVS architecture, and it will be difficult to keep our view to the overall system (e.g. not to dive down into system design, or discussions of autonomy, but to cover all functions within the system ‘bag’ together).

•  A.3.1.2b refers to ‘exchanged’ functions, put simply as functions that interface with other aircraft or ground systems. This is where our SoS would really take effect, and needs careful guidance on how to ensure no functions are missed. Perhaps this is where the scope of the ARP application extends beyond the airworthiness it was originally intended for, into the total safety approach desired by EASA / Joint European UAV Task Force.

The A.3.1.2 process box in Figure A-1 also refers to identification of flight phases, though little guidance is given in the text. Where flight phases for an airliner might be fairly simple to define (ground handling; take-off; climb-out; etc…) for a typical operation, the problem with UAVS will be the variety of mission types (as discussed in this report at section 1.1.1). Also, within aerial work mission types, the mission may be made up of several different phases, or have optional phases, rather than the predominant cruise-phase in transport flying. These flight phases are required to help draw out the ‘aircraft’ functions and also to understand the consequences of functional failures (see A.3.2.2 below), so it is important that they are well explored for the UAVS. A problem here might also be the lack of suitably experienced personnel with expertise in such operations for UAVSs, to support the analysis.

Section A.3.2 - Identification and Description of “Failure Conditions”

A.3.2.1 discusses the creation of a list of Environmental and Emergency Configurations, to add to the consideration of failure effects. Environmental aspects may require more detailed definition, as UAVs may operate in significantly different environments from manned aircraft, due to their performance or role. For example, a HALE type UAV will operate at extremely high altitudes, where environment effects such as icing, Jetstream winds, or even obscure phenomena such as gravity waves might have an effect. Small, low level UAVs used for (say) pipeline surveying may be susceptible to terrain induced turbulence or wind shear. In general, UAVs are more sensitive to climatic effects than their manned counterparts ([DeG04, para 2.1.4]). UAV roles and performance may also introduce other peculiar environmental events, such as personnel change-over during long endurance missions.

For the emergency configurations, some may need to be specified from regulatory sources (such as the particular risk for data-link loss); others may come from the initial assumptions over the UAV performance, role, or overall architecture.

A.3.2.2 considers how failures could occur singly, or combine into multiple failures. This may be tricky to achieve sensibly for the UAVS because of the wide SoS: the potential for multiple failures exists from so many sources.


Section A.3.3 to A.3.8 – Identifying and Managing the Effects of Failure Conditions

The remainder of A.3 looks at how the effects of failure conditions are determined then flowed down into safety objectives for lower level design and safety analyses.

What is not stated here, but is discussed in A.3.1.2 and is implied from the process chart, is that flight phases provide a key input in determining the severity of effects. In fact, because UAVs have no occupants and hence less generic airworthiness concerns, the context of where they are and what they are doing when failure occurs, is critical in determining the consequential effect on other airspace users or overflown populations. ARP 4761 seems to lack the necessary direction to establish this mission / environmental / ATM context in which to place the UAVS failure.

Section A.4 – FHA Outputs

A.4 looks at the outputs from aircraft and system FHAs, into the remaining PSSA and SSA processes. Without going in depth into the implications of UAVS analysis for these processes, the requirements seem fairly valid, but would need further validation to support actual use. What is encouraging is the message to document the process thus far, not just to support the further analyses but also to improve the knowledge base for when the next FHA analyses are required. UAVS lack the overall expertise and experience that has grown over the years for manned aircraft, and concerted efforts are required to build the knowledge base of available information, to save future engineers having to develop such experience themselves in real-time!

ANNEXES B – L

Annexes B to K cover more in depth safety analyses aimed at implementing the safety requirements identified herein, and are not covered in this review. Annex L provides a worked example that is pertinent to the manned aircraft, and again is not covered here.


ANNEX B

EXTRACT FROM [CAA02] - A METHOD FOR SETTING DESIGN STANDARDS FOR NEW KINDS OF AIRCRAFT, INCLUDING UNMANNED AIR VEHICLES


Extracted from [CAA02]

This [document] describes a method for obtaining a first outline of the airworthiness standards which should be applied to aircraft of novel design. The method compares the hazard presented by the new aircraft with that of existing conventional aircraft to obtain an indication of the appropriate level of requirements which should be applied. The most significant feature of the proposal is that it relies on a comparison with existing conventional aircraft design requirements which contribute to a currently accepted level of safety, and avoids controversial assumptions about future contributions to that level of safety from operational, environmental or design factors.

COMPARISON CRITERIA

The capability of a vehicle to harm any third parties is broadly proportional to its kinetic energy on impact. For the purposes of the comparison method it is assumed that there are only two kinds of impact; either the impact arises as a result of an attempted emergency landing under control, or it results from complete loss of control. More precisely, the two impact scenarios are defined as:

1. Unpremeditated Descent Scenario - A failure (or a combination of failures) occurs which results in the inability to maintain a safe altitude above the surface. (e.g. loss of power, WAT limits etc).

2. Loss of control scenario - A failure (or a combination of failures) which results in loss of control and may lead to an impact at high velocity.

Unpremeditated Descent Scenario:

For many air vehicles the likelihood of the unpremeditated descent will be dominated by the reliability of the propulsion systems. For the calculation of kinetic energy at impact the mass is the maximum take-off mass and the velocity used is the (engine-off) approach velocity. i.e.

For aeroplanes V = 1.3 X Stalling Speed (Landing configuration, MTOW)

For Rotorcraft V = Scalar value of the auto-rotation velocity vector,

For Airships/Balloons V = The combination of the terminal velocity resulting from the static heaviness, and the probable wind velocity.

Loss of Control Scenario:

For the calculation of kinetic energy at impact for the loss of control case the mass is the maximum take-off mass and the velocity used is the probable terminal velocity. i.e.

For aeroplanes V = 1.4 X Vmo (the maximum operating speed)

For Rotorcraft V = Terminal velocity with rotors stationary.

For Airships/Balloons V = Terminal velocity with the envelope ruptured or deflated to the extent that no lifting medium remains.

For each scenario the kinetic energy has been calculated for a selection of 28 different civil aircraft; (21 aeroplanes, and 7 rotorcraft). The results are shown in Figures [B-1] and [B-2]. On each Figure the “applicability region” for each of the existing aeroplane and rotorcraft codes is shown. These regions have been established using practical constraints based upon the sample of the existing fleet, plus any weight and speed limitations specified in the applicability criteria of the codes of airworthiness requirements.

METHOD OF COMPARISON

To obtain the indication of the level of requirements appropriate to a novel kind of aircraft the following steps are carried out:


1. Calculate the kinetic energy of the new aircraft for each scenario.

2. Using these values and Figures [B-1] and [B-2] separately, determine the appropriate code to be applied with the intent of preventing the occurrence of each scenario. i.e:

Figure 1 will provide an indication of the standards to be applied to any feature of the design whose failure would affect the ability to maintain safe altitude above the surface.

Figure 2 will provide an indication of the standards to be applied to any feature of the design whose failure would affect the ability to maintain control, (particularly rate of descent). Clearly, this must include primary structure.

If it is found that the aircraft fits within the region for more than one code then this would indicate that it may be appropriate to apply a combination of standards. (e.g. JAR-25 with reversions to JAR-23 in some areas, or JAR-23 with Special Conditions taken from JAR-25).

3. Construct a certification basis which addresses the same aspects of the design as the existing codes and to the level indicated by the kinetic energy comparison. Clearly, Special Conditions will need to be considered for any novel features of the design not addressed by the existing codes. However, the extent of such special conditions should be comparable with the general level of airworthiness identified.

Note: In addition, operational requirements may dictate the inclusion of particular design features which may in-turn necessitate the inclusion of additional certification requirements. For example, the Rules of the Air specify that an aircraft operating over a congested area must be able to maintain a safe altitude following the failure of one power unit.

WORKED EXAMPLES

Application to Global Hawk

Global Hawk is a High Altitude Long Endurance (HALE) UAV produced by NorthropGrumman in the USA with a primary role of reconnaissance/surveillance. Global Hawk is

powered by a single turbofan engine. Its estimated characteristics are: a gross weight of25,600lbs (11,600kg), a maximum operating speed (V

MO) of 345kts and a stall speed (V

S) of

95kts. Using these parameters gives energy levels of 0.177 (unpremeditated descentscenario) and 3.53 (Loss of control). These are illustrated in Figures [B-1 & B-2] and indicatethat JAR-25 standards are applicable throughout.

Application to Predator

The RQ-1A Predator UAV from General Atomics is a Medium Altitude Long Endurance (MALE) UAV which has seen extensive operational experience within the military. Powered by a single piston-engine, the estimated parameters for Predator are: MTOW of 1,900lbs (855kg), Vmo of 120kts and Vs in the region of 56kts. For the “unpremeditated descent” scenario, this equates to energy levels of 0.0046 (JAR-23 single-engine) and for the “loss of control” scenario 0.024 (JAR-23 single-engine). The certification basis for the Predator would therefore be JAR 23.

Application to Hunter

Hunter from IAI is a short range UAV which was/is operated by the armies of USA, Israel, Belgium and France. The Hunter comes in both standard and endurance versions and is powered by 2 Moto Guzzi engines. The two versions of the aircraft have gross weights of 726 kg and 952 kg respectively. The values for each version and each scenario are shown in Figures [B-1 and B-2]. Although there is a small overlap with JAR-VLA in one case, it can be seen that the guideline standard is JAR-23 for both versions of the aircraft.


Application to StratSat

StratSat is an unmanned communications airship intended for long duration missions stationed above population centres. For this aircraft the “unpremeditated descent” analysis indicates that a standard equivalent to JAR-23 as applied to single-engine aeroplanes would be appropriate. This is convenient as the existing UK requirements for airships, BCAR Section Q, provide a standard which is equivalent to JAR-23. The “loss of control descent” analysis indicates that standards equivalent to a combination of JAR-25 and JAR-23 Commuter Category should be applied to reduce the probability of such an event. Thus the basis for civil certification of this aircraft should be BCAR Section Q supplemented as necessary by requirements from JAR-25 and JAR-23 Commuter.

CONCLUSIONS

A method of comparing novel aircraft with existing manned aircraft is presented together with examples of its application to specific UAV projects. It is appreciated that no simple method can give a complete answer to the definition of the certification bases, and the conventional processes using judgment and debate will still be required. However, the method presented provides a useful tool for anticipating the general level of airworthiness requirements to be set.


[Velocity = 1.3 x Vstall]

Figure B-1 – Unpremeditated Descent Scenario


[Velocity = 1.4 x Vmax operating]

Figure B-2 – Loss of Control Scenario


ANNEX C

'GUARD DOG' - GENERIC TUAV CASE STUDY


This annex provides the system overview and operational background for the Guard Dog case study. Appendices C1 and C2 provide two potential operational routes for the system, in order to exercise its integration with airfields, terrain and airspace.

SYSTEM DESCRIPTION

Overview:

The Guard Dog UAV system is intended to provide imagery and intelligence (as well as target designation) for land and sea commanders, across the spectrum of conflict: Intelligence, Surveillance, Target Acquisition and Reconnaissance (ISTAR).

Figure C-1 – Overview of Guard Dog Case Study

The system comprises: The Unmanned Air Vehicles (UAV); the Ground Control Station(s) (GCS); the Tactical Units (TacU) positioned with field commanders; the Field Teams for take-off and recovery other than from prepared airfields.

The system interfaces (on a mission basis) with the battlefield network provided through Network Enabled Capability (NEC). Other interfaces are envisioned to deal with training operations in a peacetime, civilian environment!

In operational use, the system will operate under military jurisdiction within the battle-space. However, to facilitate peacetime training, the system will need to be able to operate in Class F & G civilian airspace (uncontrolled airspace – a Group 3 UAV iaw CAP722 [CAA04]). It is not intended to operate in Class A-E airspace (controlled airspace – Group 4 and 5 UAVs, requiring an extensive equipment list to be compliant).


Unmanned Air Vehicle:

KEY PARAMETERS

Wingspan: 10m

MTOW: 500Kg

Speed:
  Max: 100kts
  Cruise: 70kts
  Stall: 40kts

Rate of Climb: 900 fpm

Altitude:
  Max: 20,000 ft
  Operating: 10-18,000 ft

Endurance: 20 hrs

Take-off / Landing (TO/L):
  Conventional: Short prepared strip or airfield, using wheeled undercarriage
  Field: Robonic launcher (pneumatic ramp) / prepared strip

Engine: 1 x 50HP Petrol, driving fixed 2 blade prop

EQUIPMENT

Actuation: Redundancy of cabling and actuators

Power Supply: Redundancy in case of single failure; and reserve (battery) power in event of engine failure

Data-link:
  LOS: Dual redundant TCDL, controllable from any GCS; Relay for onward Tx / Rx to other UAV
  [Option for satellite link, but key cost / weight driver]

Navigation: Dual Global Positioning System (GPS) receivers

Controller: High Integrity, Dual redundant; Pre-programmable for autonomous mission; re-directable by operator from ground

Sensors: Variable EO/SAR/ESM

Automatic TO/L (ATO/L): Using GPS from satellite and Differential GPS (DGPS) error correction signal from ground station

Target Designation: Laser

Flight Termination?: Emergency Recovery Capability [iaw UTF04]

Collision Avoidance:
  Air: Sense & Avoid system [TBD] (Non-cooperative) [TCAS not included on grounds of weight and no intent of using controlled airspace]
  Ground: DTED used for mission planning; RadAlt on board

ATC Systems: Mode S Transponder (for position on RADAR); Twin V/UHF radio for voice comms relay to GCS

Ground Control Station:

Dual redundant operator consoles, provide:

• Mission planning

• Payload control, data analysis and NEC distribution

• Pilot control (to redirect autonomous mission / take manual command)

• GCS can hand-over control to any other GCS

• GCS can control up to 3 UAVs

Tactical Common Data-Link (TCDL):

• Payload data downlink; telemetry downlink; command & control uplink

• Line-of-Sight (LOS) - Range 200km; 10.7Mbps payload data, 200kbps command link

• Dual redundant

• Option for Satellite link for Beyond LOS (BLOS).

• Data link can be relayed to a UAV beyond LOS range, by another UAV.

TacU

• Positioned with field commanders, can obtain payload data direct from UAV.

• Limited control of UAV payload sensors, to optimise data collection.

Field Recovery Team

For deployed operations, UAV can be launched from pneumatic launcher, and recovered onto flat ground / prepared strip, hence avoiding need for formal airfield.

Operational Scenario

• Tactical UAV to be launched from a ‘UAV friendly’ civil airfield such as that at Parc Aberporth, but not with the intention of using the oversea range nearby.

• Instead, TUAV turns inland, and follows a specified route overland from Aberporth, to exercise the system / operators in navigation over representative distances.

• The route leads out to a land range such as Spadeadam, where the system / operators exercise the sensor & information gathering capabilities.


• The TUAV then returns via the same (or a different) route, to re-enter the controlled airspace at Parc Aberporth.

• Potentially, a number of TUAVs could be operated in parallel / series, to simulate the near-continuous operational tempo situation.

Alternative Operational Scenarios

• GCS has to control a second UAV, on station to relay TCDL to reach sensor UAV

• Initial GCS hands over control to a second GCS for furthest part of the mission

• GCS has to relay TCDL via satellite to reach sensor UAV

[Emergency conditions and configurations]

• Loss of GPS / drift in GPS accuracy

• Loss of TCDL

• Weather effects – cloud / precipitation / lighting

• Diversion (for propulsion / non-propulsion failures; weather conditions etc)

• Incursion of GA aircraft


APPENDIX C1

GUARD DOG MISSION SCENARIO (COASTAL ROUTE)

Figure C1-1 Flight Plan – Westerly Route (to maximize over-water flight)


APPENDIX C2

GUARD DOG MISSION SCENARIO (INLAND ROUTE)

Figure C2-1 - Flight Plan – Easterly Route (to maximise overland / ATC interaction)


ANNEX D

FHA FOR 'GUARD DOG' TUAV SYSTEM (EXTRACTS)


‘GUARD DOG’ UAVS FUNCTIONAL HAZARD ANALYSIS

FHA conducted to ARP 4761 with UAVS modifications as report section 2.

CONTENTS OF ANNEX D

System Description

Safety Criteria
  Airworthiness Safety Criteria and objectives
  ATM Separation / Collision based safety Objectives

System Context [In Accordance with report section 2.2.2]

Derivation of Functions
  Flight Phases
  Environment List
  Emergency Configurations List
  System interactions view [See Individual function maps for each system element] – Derived from initial design assumptions over system elements and interactions

Failure Analysis

Effects Consideration
  Scenarios for Effects Consideration

SYSTEM DESCRIPTION

[See Guard Dog Case Study document]


SAFETY CRITERIA [Drawn from method at report section 2.2.1]

Airworthiness Safety Criteria and objectives

Minor: Slight reduction in safety margins (e.g. loss of redundancy)

Major: Significant reduction in safety margins (e.g., total loss of communication with autonomous flight and landing on a predefined emergency site)

Severe Major / Hazardous: Controlled loss of the UAV over an unpopulated emergency site, using Emergency Recovery procedures where required.

Catastrophic: UAV's inability to continue controlled flight and reach any predefined landing site

Table D(i) - Airworthiness Failure Condition Severities (from Table 2.2.1(i))

Safety Objectives: A 500Kg UAV, powered by a Single Reciprocating Engine, with stalling speed (Vs) of 40kts and maximum operating speed (Vmo) of 100kts indicates as a Class I using both CAA kinetic energy criteria from Annex B of the report, and the established definition of Class I aircraft from CS.23.1309.

Category of Aircraft: CS.23.1309 Class I: Single Reciprocating Engine (SRE) / under 6000lbs

Severity of Outcome:
  Minor: <10^-3 per op hr
  Major: <10^-4 per op hr
  Hazardous: <10^-5 per op hr
  Catastrophic: <10^-6 per op hr

Table D(ii) - Airworthiness Safety Objectives


ATM Separation / Collision based safety Objectives [Drawn from Table 2.2.1(ii)]

Severity 5 - No Immediate Effect on Safety

- No hazardous condition i.e. no immediate direct or indirect impact on the operations

Severity 4 - Minor Incidents

- Increasing workload of the air traffic controller or [UAVS] crew, or slightly degrading the functional capability of the enabling CNS System.

- Minor reduction (e.g., a separation of more than half the separation minima) in separation with [UAVS] crew or ATC controlling the situation and fully able to recover from the situation.

Severity 3 - Significant Incidents

- Large reduction (e.g., a separation of less than half the separation minima) in separation with [UAVS] crew or ATC controlling the situation and able to recover from the situation.

- Minor reduction (e.g., a separation of more than half the separation minima) in separation without [UAVS] crew or ATC fully controlling the situation, hence jeopardising the ability to recover from the situation (without the use of collision or terrain avoidance manoeuvres).

Severity 2 - Major Incidents

- Large reduction in separation (e.g., a separation of less than half the separation minima), without [UAVS] crew or ATC fully controlling the situation or able to recover from the situation.

- One or more aircraft deviating from their intended clearance, so that abrupt manoeuvre is required to avoid collision with another aircraft or with terrain (or when an avoidance action would be appropriate).

Severity 1 - Accidents

- One or more catastrophic accidents

- One or more mid-air collisions

- One or more collisions on the ground between two aircraft

- One or more Controlled Flight Into Terrain

- Total loss of flight control.

- No independent source of recovery mechanism, such as surveillance or ATC and/or [UAVS] crew procedures can reasonably be expected to prevent the accident(s).

Table D(iii) – ATM Separation / Collision Safety objectives

ATM separation / collision based safety objectives will not change with the class of vehicle. The acceptable probability of a Severity 1 accident remains fixed by ESARR 4 [EUR04] at 1.55 x 10^-8 per flight / hour.


SYSTEM CONTEXT [IN ACCORDANCE WITH REPORT SECTION 2.2.2]

Figure D-1 Rich Context Diagram for Guard Dog UAVS and the System of Systems around it


DERIVATION OF FUNCTIONS

Flight Phases

• Pre-flight

• Taxiing

• Take-off – from airfield

• Transit

• On Task – using sensor payload

• Approach

• Landing – at airfield

Alternative Phases:

• Take off – ramp launch from field

• On task - on station to relay TCDL to reach sensor UAV

• Hand over - Initial GCS hands over control to a second GCS

• Transit with satellite link - GCS has to relay TCDL via satellite to reach sensor UAV.

• Landing – rough field

Environment List

a. Weather aspects

(i) Temperature +55 / -45°C (with altitude)

(ii) Altitude Sea Level / 20,000ft

(iii) Rain, hail, snow, sand, dust

(iv) icing accretion after take off (de-icing before)

(v) lightning

(vi) Visibility - intended to be VMC (i.e. before take-off), occasional IMC onset during mission

(vii) Wind-speeds usually temperate (to 30kts intended for launch & landing), but up to 100kts onset in extremis.

b. Overflown terrain aspects

(i) Oversea – sea state flat to mountainous

(ii) Overland covering worldwide extremes – flat lands, swamps, desert, jungle,mountainous, urban areas (operationally, not intentionally in training).

(iii) Sensor performance ensures no need to operate below 1000ft AGL.

(iv) Obstructions include masts, wind farms, gas platforms, pylons and cables…

c. Electrical environment

(i) Operationally, in high RF environment of battlefield

(ii) In training, in busy UHF/VHF communications environment (see Air Traffic below),and with several identified HF/VHF/UHF/ milli-metric HIRTAS in locality

d. Mission environment

(i) Includes day or night usage

(ii) Potential for crew changeover due to extended ‘on station’ times (15-20 hrs total flight time)

(iii) Potential for non-aircrew personnel to operate the system directly, under certified pilot-in-command as supervisory


e. Air traffic environment

(i) Primarily, flight within general airspace (Class F&G)

(ii) Over several military Areas of Intense Aerial Activity (AIAA) – occasionally entering AIAA (with permission) to facilitate route around more stringent airspace (such as TMA, CTA)

(iii) Under / next to Airways

(iv) Close to Terminal Manoeuvre Areas (TMA) at airway intersections near major airports, and under the Control Terminal Area (CTA) for major airports

(v) Into civil and military airfields with UAV clearance

(vi) Into military Danger Areas to exercise sensors

Emergency Configurations List

Single failure of the UAV communication link, and/or control link

Operation of Flight Termination System (None fitted) - Instead, conduct of Emergency Recovery Procedures due to loss of critical system(s) - With UAV-p control; Without UAV-p control (i.e. autonomous)

Emergency landing due to loss of thrust

Collision avoidance with co-operative and non-cooperative aircraft - Including evasive manoeuvre

Terrain avoidance

Interception by military aircraft

Failure of onboard Sense and Avoid equipment

Operation with degraded systems

Degradation of weather conditions

Security threats to upload data, commands and transmissions

PLUS: Loss of GPS / drift in GPS accuracy  

[As part of defining the emergency configurations, and identifying related functions, it was found necessary to define some outline Emergency Recovery Procedures, as shown below:]


 

[Flowchart. Box labels: NORMAL FLIGHT; Determine best diversion and ID between GCS and UAV (May be home or destination); Maintain flight path over 'safe' terrain and airspace; DIVERT to identified diversion airfield; Broadcast Control Datalink Fail; Hold; Broadcast Mayday & EMERGENCY LANDING; Broadcast Collision Avoidance fail; DATALINK Signal Loss; DATALINK System Fail (total); DATALINK System Fail (single); FLIGHT CRITICAL SYSTEM Single (Redundant) Failure; COMMUNICATIONS Failure; STOP & Broadcast; GROUND CONTROL Failure; COLLISION AVOIDANCE Failure; AIR NAVIGATION Failure (inc. height, speed, position & route control); External Nav Assistance?; Able to Maintain Safe Altitude?; FLIGHT CRITICAL SYSTEM Total Fail; Regain D/L Signal?]

Figure D-2 - Outline Emergency Recovery Procedures


System interactions view [See Individual function maps for each system element] – Derived from initial design assumptions over system elements and interactions

[Function map, UAV Centred view. Function labels: Manage Datalink; Auto T/O & Land; UAV Stability & Control; Airnavigation; Control on Ground; Manage Payload; Monitor mission progress; Manage Flight Systems; Determine Altitude, Orientation & Speed; Stabilise perturbations; Manoeuvre UAV; Manual Override - remote piloting; Ramp T/O - Launch control; Relay D/L to other UAV; Control handover between GCSs; Sensor control; Payload data download; Determine systems status; Telemeter UAV parameters; Redundant systems control?; Degraded systems emergency actions?; Determine T/O, climb out, approach, land profiles; High Accuracy position, hdg, alt awareness; High acc'y monitor / correct position, hdg, alt; Control Flight Path; Position, heading & Altitude awareness; Store / update Mission Route; Monitor / correct actual v planned route; Determine position; Determine accuracy; Control position on the ground; Control speed on the ground; Determine Air / Ground transition; Determine Ground obstacles; Determine ground speed; Ground thrust control; Ground braking; Monitor / correct actual v planned ground route; Ground steering; Determine actual ground location & heading]

Figure D-3a – UAV Centred view of functions

 

Mission Planning
GCS
NEC
Plan Route
Upload Mission Plan
Control UAV?
Change Mission Plan
Manual Override - remote piloting
Monitor Mission Progress
Status of UAV
Actual path v mission route
Manage Payload
Direct sensors
Download payload data
Distribute payload data
Prioritise sensor / data requests from Users
Manage Data Link
Control Datalink Path
via next GCS?
Via Satellite?
Via UAV Relay?
Monitor Datalink condition
D/L Fail Emgy Action

GCS Centred view

Figure D-3b – GCS centred view of functions


Sensor / Data requests
NEC
Data download / storage
Distribute payload data
Pre Flight preparations
Refuel / recharge consumables
Preflight test
Launch UAV
Locate UAV

TACU Centred view
Field Recovery / Launch Unit Centred view

Figure D-3c – TACU and Field Recovery / Launch Unit centred views of functions

 


Flight Phases view

[Additional possible functions derived from mission phases – merged with functions from system interactions view].

Mission Phase System Function (1st Level) (2nd Level?)

Pre-flight System Test
Load Mission Plan
Taxiing Controlled Taxiing Ground obstacle sensing?
Airfield pattern awareness
Correct steering to planned layout
Take-off Airfield Take-Off [Auto / Manual?] Climb-out profile
Position & Direction Sensing Accuracy
Collision Avoidance
Terrain Avoidance
Field Take-Off Launch control
Climb-out
Transit Position & Direction Sensing accuracy - normal
Collision Avoidance
Terrain Avoidance
Monitor weather for changes
On Task (As Transit +) Relay TCDL [when acting as airborne relay for 2nd UAV]
Handover between GCSs
Approach (As Transit +) Approach Control Determine wind speed & direction
Determine landing strip direction
Determine circuit height & direction
Determine glide-slope pattern
Fly pattern (correct v planned pattern)
Landing (As Transit +) Controlled Landing Detect air / ground transition

Table D(iv) – Flight phases view of functions

External context view

[Derived from external rich context diagram interactions]

UAVS Interacts with…

Agent Nature of Interaction Additional Derived Function?

Airfield Airfield ATC instruction > Understand / reply to airfield ATC - Voice

Airfield ATC Visual Signals > Observe / respect airfield visual signals

Airfield layout for taxiing > [3.2.3]

Airfield Runway profile / Take Off > [2.4.1]

Airfield Climb out profile / obstacle clearance [2.4.1]

Approach and Hold procedures > [2.4.3]

Airfield Circuit direction / procedures > [2.4.3]

Airfield Runway / arrestor layout / Land and recover > [2.4.5] [3.2]

Airfield RF systems Interoperability > [Characteristic of system – Non Functional Req’t]

ATM En-Route < Communication > Understand / reply to En Route ATC – Voice, Digital

Track UAV > Provide tracking signal

< Comply with advice Comply with ATC – confirm, act

< Select appropriate radio frequency Manage ATC Frequency Selection


ISTAR Data Users < Direct Payload data feed [5]

< NEC data feed [5]

Data requests > [5]

Malicious Threats < Break Data Link D/L Anti jamming

< Steal Data Link Verify / encrypt D/L

< Hack GCS via NEC – affect mission planning; planning source data; output payload data Defend / verify mission plan, planning data, output data

Mission Target < Identify target ID Target

< Gather reconnaissance data Gather recce data

< Designate target for attack Designate target

HIRF Sources Direct EM Interference with UAVS > [Non Functional Requirement]

Mission planning – awareness of HIRF locations

Noise affects LOS Command Link signal strength >

Non-Cooperative Air Traffic (Class F-G Airspace) < Detect traffic and sense relative track Collision avoidance – detect traffic – non co-op; co-op.

Determine traffic relative track

< Maintain separation (normal action according to Rules of the Air) Maintain traffic separation (ROA)

< Emergency Collision avoidance (evasion) Collision Emergency evasion

See and avoid > Conspicuity to air traffic (visual, RF)

Ground Terrain / Obstructions < Terrain Awareness Terrain avoidance – terrain awareness

< Route Planning [add to 8.1]

< Terrain Avoidance (Rules of the Air) Maintain Terrain separation (ROA)

Terrain emergency evasion

LOS calculations > Monitor Datalink – LOS to terrain (and 8.1 also)

Fixed Ground Danger areas / Populated areas < Awareness Danger areas / populated areas avoidance - awareness

< Route planning [add to 8.1]

< Avoid overflight (Rules of the Air) Maintain danger area / populated area separation (ROA)

Emergency redirection in event of incursion > Danger area / populated area emergency incursion action

Controlled Airspace (Class A-E) < Awareness Controlled airspace avoidance - awareness

< Route planning [add to 8.1]

< Avoid through flight (Rules of the Air) Maintain controlled airspace separation (ROA)

Emergency redirection in event of incursion > Controlled airspace emergency incursion action

Variable Danger areas (NOTAMS) < Awareness NOTAMS avoidance - awareness

< Route planning [add to 8.1]

< Avoid through flight (Rules of the Air) Maintain NOTAMS separation (ROA)

Emergency redirection in event of incursion > NOTAMS emergency incursion action


Satellite Data Link (Option) Availability > [4, 4.2]

Signal strength >

Security of extended data link > [4.x – defend d/l]

GNSS Satellite position and time > [2.1.1]

Navigation accuracy / errors > [2.1.1]

DGPS Reference Station DGPS error correction > [2.4.2]

Weather < Awareness Manage for Weather – weather conditions awareness – precip’n, icing, lightning, w/s & dir, visibility [add to 8.1 also]

Modify route > Assess proximity to route and effect on UAV

Determine separation route

Force diversion for landing > Determine diversionary airfield

Determine diversionary route

Affect LOS command signal strength >

< Respect VMC / IMC Flight Rules (Rules of the Air) (as above)

Gusts > [1.2]

Precipitation / Icing > (affects [1], [1.6.2], [4.1.1])

Lightning > (Non functional requirement)

Table D(v) – External interactions and derived UAVS functions


Resulting Functions Tree for Guard Dog UAVS

UAVS Function Tree [Part 1 of 3]
(I) Internal view
(F) Flight phase view
(E) External context view

1. Stability & Control (I)
    1.1 Determine attitude, orientation and speed (I)
    1.2 Stabilise perturbations (I)
    1.3 Manoeuvre UAV (I)
    1.4 Manual Override - Remote Piloting (I)
    1.5 Field T/O Launch Control (I)(F)
    1.6 Control Flight Path (I)
        1.6.1 Control Airspeed (I)
        1.6.2 Control Altitude & Rate (I)
        1.6.3 Control Heading (I)
2. Air Navigation (I)
    2.1 Position, Heading & Altitude Awareness (I)
        2.1.1 Determine Position, Heading & Altitude (I)
        2.1.2 Determine Nav Data accuracy (I)(F)
    2.2 Store / Update Mission Route (I)
    2.3 Monitor / Correct actual v planned route (I)
    2.4 Auto Take off & Landing (I)(F)
        2.4.1 Determine Airfield T/O Climb-out profile (F)(E)
        2.4.2 Determine High accuracy Position, heading & Altitude (F)
        2.4.3 Determine Airfield Approach, Hold, Circuit, R/W profile (F)(E)
        2.4.4 High Accuracy monitor / correct actual v planned profile (F)(E)
        2.4.5 Determine Wind speed & direction v R/W and landing characteristics (F)
    2.5 Terrain Avoidance (E)
        2.5.1 Awareness & flight path proximity (E)
        2.5.2 Maintain separation (ROA) (E)
        2.5.3 Emergency evasion (E)
    2.6 Sensitive Area Avoidance (Danger & Populated areas) (E) - as 2.6.1-3
    2.7 Controlled Airspace avoidance (E) - as 2.6.1-3
    2.8 Variable Danger Areas (NOTAMS) Avoidance (E) - as 2.6.1-3
3. Control on the Ground (I)
    3.1 Control Speed on the ground (I)
        3.1.1 Determine speed on ground (I)
        3.1.2 Controlled Ground thrust (I)
        3.1.3 Controlled Ground Braking (I)
    3.2 Control Position on the ground (I)
        3.2.1 Determine ground position & heading (I)
        3.2.2 Ground steering (I)
        3.2.3 Determine Airfield layout / required ground route (F)(E)
        3.2.4 Monitor / correct actual v required ground route (F)
        3.2.5 Determine Air / Ground transition (F)
        3.2.6 Determine Ground obstacles (F)(E)
            3.2.6.1 Detect mobile obstacles (F)(E)
            3.2.6.2 Fixed obstacles awareness (F)(E)

Figure D-4a – Guard Dog Functions Tree (part 1 of 3)


 

UAVS Function Tree [Part 2 of 3]
(I) Internal view
(F) Flight phase view
(E) External context view

4. Manage Datalink (I)
    4.1 Monitor datalink condition (I)
        4.1.1 Signal strength (I)
        4.1.2 D/L Equipment status (I)
    4.2 Control Datalink path (I)
        4.2.1 Handover to next GCS (I)(F)
        4.2.2 Route via Satellite (I)(F)
        4.2.3 Relay between UAVs (I)(F)
    4.3 Datalink Fail Emergency Action (I)
        4.3.1 Single D/L fail / degradation action (I)
        4.3.2 Complete D/L fail / degradation action (I)
    4.4 Defend D/L (Jamming, stealing) (E)
    4.5 Monitor Terrain proximity to LOS (E)
5. Manage Payload (I)
    5.1 Sensor control (I)
    5.2 Payload data download (I)
    5.3 Distribute Payload data (I)
    5.4 Prioritise Users' Payload requests (I)
6. Monitor Mission progress (I)
    6.1 Telemeter S&C params to GCS (I)
    6.2 Telemeter Air Nav params to GCS (I)
    6.3 Telemeter Ground Control params to GCS (I)
    6.4 Telemeter Flight Systems status to GCS (I)
    6.5 Monitor Weather for changes (F)(E)
        6.5.1 Weather awareness en-route (E)
        6.5.2 Assess Wx proximity to planned route (E) [Precipitation, icing, wind speed / direction, visibility VMC / IMC]
        6.5.3 Determine Wx separation route around (E)
        6.5.4 Determine nearest, Wx safe, diversionary airfield & route (E)
7. Manage Flight Systems (I)
    7.1 Determine flight systems status (I)
    7.2 Redundant systems control? (I)
    7.3 Degraded systems emergency actions (I)
        7.3.1 Divert
        7.3.2 Emergency Landing

Figure D-4b – Guard Dog Functions Tree (part 2 of 3)

 


UAVS Function Tree [Part 3 of 3]
(I) Internal view
(F) Flight phase view
(E) External context view

8. Pre Flight Preparations (I)
    8.1 Mission Planning (I)
        8.1.1 Plan mission route (I)
        8.1.2 HIRF Location awareness (E)
        8.1.3 Terrain Awareness (E)
        8.1.4 Danger Area / populated area awareness (E)
        8.1.5 Controlled Airspace awareness (E)
        8.1.6 Weather awareness (E)
    8.2 T/O / Launch Preparation (F)
        8.2.1 Refuel / recharge consumables (I)
        8.2.2 Preflight systems test (I)(F)
        8.2.3 Upload Mission Plan (I)(F)
9. Manage Communications (E)
    9.1 Understand / reply to Airfield ATC voice comms (E)
    9.2 Detect & respect airfield visual signals (E)
    9.3 Understand / reply to En-Route ATC advice - voice / digital (E)
    9.4 Provide Tracking 'visibility' (signal, visual) (E)
    9.5 Manage ATC Frequency selections (E)
    9.6 Comply with ATC procedures (E)
        9.6.1 Determine required manoeuvre from ATC comms (E)
        9.6.2 Confirm manoeuvre with ATC (E)
    9.7 Emergency Broadcast actions (E)
10. Collision Avoidance (F)(E)
    10.1 Detect Traffic (Co-op; Non Co-op) (E)
    10.2 Determine traffic relative track (E)
    10.3 Maintain traffic separation (ROA) (E)
    10.4 Collision emergency evasion (E)
    10.5 Conspicuity to Air Traffic (visual, RF) (E)

Figure D-4c – Guard Dog Functions Tree (part 3 of 3)


FAILURE ANALYSIS

Preliminary notes on columns:

Failure Condition (Hazard Description) – (a) Loss of Function; (b) Uncommanded Function; (c) Incorrect Function

Failure Conditions

Table D(vi) – Functional Failure Conditions for Guard Dog UAVS

FFA ID Function (a),(b),(c) Failure Condition (Hazard Description)

1. Stability & Control (I)

F1.1A 1.1 Determine attitude and speed (I) (a) Unable to determine UAV roll, pitch or yaw attitude

F1.1B (a) Unable to determine UAV airspeed

(b) (not applicable – continuous function)

F1.1C (c) Accuracy error in measured attitude or speed

F1.1D (c) Measured attitude or speed freezes at last reading

F1.1E (c) Measured attitude or speed goes to maximum scale

F1.1F (c) Measured attitude or speed goes to minimum scale

F1.1G (c) Transient spikes in measured attitude or speed

F1.2A 1.2 Stabilise perturbations (I) (a) Loss of UAV stability

(b) (continuous function)

F1.2B (c) Undamped / poorly damped manoeuvres or speed

F1.2C (c) Over damped manoeuvres or speed

F1.2D (c) Phase lag drives oscillations

F1.3A 1.3 Manoeuvre UAV (I) (a) Unable to manoeuvre UAV at all when demanded

F1.3B (a) Unable to manoeuvre UAV in certain axes, when demanded

F1.3C (b) Undemanded manoeuvre

F1.3D (c) Asymmetric manoeuvre control – demand in one axis causes uncontrollable manoeuvre in another axis

F1.3E (c) Transient control deflections

F1.3F (c) Manoeuvre control restriction – limited manoeuvre

F1.3G (c) Manoeuvre control jams – unable to stop manoeuvre

F1.3H (c) Excessive manoeuvre control deflections

F1.3I (c) Manoeuvre capability exceeds vehicle structural strength

F1.3J (c) Manoeuvre control time delay (lag)

F1.4A 1.4 Manual Override - Remote Piloting (I) (a) Unable to take manual control of UAV

F1.4B (b) Unable to fly UAV with autonomy

F1.4C (c) Conflicting authority between manual and autonomous control

F1.4D (c) Conflicting authority between separate ground sources for manual control

F1.5A 1.5 Field T/O Launch Control (I)(F) (a) Launch control not provided during ramp t/o

F1.5B (a) Launcher fails to reach necessary speed

F1.5C (b) Launch control initiated during other flight phase

F1.5D (c) Launch speed excessive

1.6 Control Flight Path (I)

F1.6A 1.6.1 Control Airspeed (I) (a) Airspeed cannot be increased when necessary

F1.6B (a) Airspeed cannot be decreased when necessary

F1.6C (b) Airspeed runaway up

F1.6D (b) Airspeed runaway down

F1.6E (c) Asymmetric thrust (power) causing uncontrollable yaw or roll (depending on propulsion configuration)


F1.6F (c) Incorrect airspeed achieved – too high

F1.6G (c) Incorrect airspeed achieved – too low

F1.6H 1.6.2 Control Altitude & Rate (I) (a) Altitude cannot be increased when required

F1.6I (a) Altitude cannot be decreased when required

F1.6J (b) Altitude runaway up

F1.6K (b) Altitude runaway down

F1.6L (c) Incorrect altitude achieved – too high

F1.6M (c) Incorrect altitude achieved – too low

F1.6N (c) Altitude achieved at incorrect climb / descent rate

F1.6O 1.6.3 Control Heading (I) (a) Heading not variable

F1.6P (b) Heading changes without demand

F1.6Q (b) Heading runaway

F1.6R (c) Incorrect heading achieved

2. Air Navigation (I)

2.1 Position, Heading & Altitude Awareness (I)

F2.1A 2.1.1 Determine Position, Heading & Altitude (I) (a) Unable to determine position

F2.1B (a) Unable to determine heading

F2.1C (a) Unable to determine altitude

(b) (continuous function)

F2.1D (c) Accuracy error in measured position, heading or altitude

F2.1E (c) Lag in position, heading or altitude data measurement (phase shift)

F2.1F (c) Measured position, heading or altitude freezes at last reading

F2.1G (c) Measured position, heading or altitude goes to maximum scale

F2.1H (c) Measured position, heading or altitude goes to minimum scale

F2.1I (c) Transient spikes in measured position, heading or altitude

F2.1J 2.1.2 Determine Nav Data accuracy (I)(F) (a) Unable to determine Nav data accuracy

(b) (continuous function)

F2.1K (c) Nav data erroneously determined as accurate

F2.1L (c) Nav data erroneously determined as inaccurate

F2.2A 2.2 Store / Update Mission Route (I) (a) Loss of stored mission route

F2.2B (a) Unable to update / change route once stored

F2.2C (b) Mission route changed without demand

F2.2D (c) Mission route stored / updated with incorrect data elements (stale / zero / default / random data)

F2.2E (c) Mission route stored / updated partially – elements missing

F2.2F (c) Mission route not achievable (performance)

F2.2G (c) Mission route not safe (ROA)

F2.3A 2.3 Monitor / Correct actual v planned route (I) (a) Unable to determine route error

F2.3B (a) Unable to determine route correction

(b) (Continuous function)

F2.3C (c) Erroneous route error or correction determined

2.4 Auto Take off & Landing (I)(F)

F2.4A 2.4.1 Determine Airfield T/O Climb-out profile (F)(E) (a) Airfield T/O (runway) profile lost

F2.4B (a) Airfield climb-out profile lost

F2.4C (b) Climb out profile initiated in other phase

F2.4D (c) Airfield T/O (runway) profile for wrong airfield / runway

F2.4E (c) Airfield climb-out profile for wrong airfield / runway


F2.4F (c) Airfield climb out profile corrupted (spikes, dips, truncated, capped)

F2.4G 2.4.2 Determine High accuracy Position, heading & Altitude (F) (a) Unable to determine high accuracy position

F2.4H (a) Unable to determine high accuracy heading

F2.4I (a) Unable to determine high accuracy altitude

F2.4J (b) High accuracy data presented in other phases

F2.4K (c) Incorrect position determined

F2.4L (c) Inaccurate position determined

F2.4M (c) Incorrect heading determined

F2.4N (c) Inaccurate heading determined

F2.4O (c) Incorrect altitude determined

F2.4P (c) Inaccurate altitude determined – too high

F2.4Q (c) Inaccurate altitude determined – too low

F2.4R 2.4.3 Determine Airfield Approach, Hold, Circuit, R/W profile (F)(E) (a) Airfield approach lost

F2.4S (a) Airfield hold lost

F2.4T (a) Airfield circuit lost

F2.4U (a) Airfield R/W profile lost

F2.4V (b) Airfield approach, hold, circuit initiated in other phase

F2.4W (c) Airfield approach, hold, circuit runway profile for wrong airfield / runway

F2.4X (c) Airfield approach, hold, circuit runway profile corrupted (spikes, dips, truncated, capped)

F2.4Y 2.4.4 High Accuracy monitor / correct actual v planned profile (F)(E) (a) Unable to determine T/O path error / correction

F2.4Z (a) Unable to determine landing path error / correction

(b) (Continuous function)

F2.4AA (c) Erroneous T/O path error or correction determined

F2.4AB (c) Erroneous landing path error or correction determined

F2.4AC 2.4.5 Determine Wind speed & direction v R/W and landing characteristics (F) (a) Not possible to determine W/S or direction

(b) (continuous function)

F2.4AD (c) Incorrect w/s determined – too high

F2.4AE (c) Incorrect w/s determined – too low

F2.4AF (c) Incorrect wind direction determined

F2.4AG (c) Noisy, oscillating wind direction

2.5 Terrain Avoidance (E)

F2.5A 2.5.1 Awareness & flight path proximity (E) (a) Unaware of surrounding terrain

F2.5B (a) Unaware of proximity of surrounding terrain to flight path

F2.5C (a) Terrain proximity determined at low sampling rate

(b) (continuous function)

F2.5D (c) Incorrect surrounding terrain determined

F2.5E (c) Incorrect distance to terrain determined – lower than actual

F2.5F (c) Incorrect distance to terrain determined – higher than actual

F2.5G 2.5.2 Maintain separation (ROA) (E) (a) Terrain separation (minimum) not maintained

F2.5H (b) Terrain separation driven down / up to minimum

F2.5I (c) Terrain separation maintained but below ROA requirement (highest point +1000ft)

F2.5J (c) Flight profile to maintain terrain separation exceeds vehicle climb performance

F2.5K 2.5.3 Emergency evasion (E) (a) Need for emergency terrain evasion not determined

F2.5L (a) Need for emergency terrain evasion determined late


FFA ID Function (a),(b),(c)

Failure Condition (Hazard Description)

F2.5M (b) Emergency evasion manoeuvre triggered when not necessary

F2.5N (c) Required emergency evasion manoeuvre exceeds vehicle manoeuvre performance

F2.5O (c) Incorrect emergency evasion manoeuvre identified

2.6 Sensitive Area Avoidance (Fixed Danger & Populated areas) (E)

F2.6A 2.6.1 Awareness & flight path proximity (E)

(a) Unaware of Sensitive Area

F2.6B (a) Unaware of proximity of Sensitive Area to flight path

(b) (continuous function)

F2.6C (c) Incorrect Sensitive Area determined

F2.6D (c) Incorrect distance to Sensitive Area determined – nearer than actual

F2.6E (c) Incorrect distance to Sensitive Area determined – further than actual

F2.6F 2.6.2 Maintain separation (ROA) (E) (a) Sensitive Area separation (minimum) not maintained

(b) (continuous function)

F2.6G 2.6.3 Emergency incursion action (E)

(a) Need for emergency evasion not determined

F2.6H (a) Need for emergency evasion determined late

F2.6I (b) Emergency evasion manoeuvre triggered when not necessary

F2.6J (c) Incorrect emergency evasion manoeuvre identified

2.7 Controlled Airspace avoidance (E)

F2.7A 2.7.1 Awareness & flight path proximity (E)

(a) Unaware of Controlled Airspace

F2.7B (a) Unaware of proximity of Controlled Airspace to flight path

(b) (continuous function)

F2.7C (c) Incorrect Controlled Airspace determined

F2.7D (c) Incorrect distance to Controlled Airspace determined – nearer than actual

F2.7E (c) Incorrect distance to Controlled Airspace determined – further than actual

F2.7F 2.7.2 Maintain separation (ROA) (E) (a) Controlled Airspace separation (minimum) not maintained

(b) (continuous function)

F2.7G 2.7.3 Emergency incursion action (E)

(a) Need for emergency evasion not determined

F2.7H (a) Need for emergency evasion determined late

F2.7I (b) Emergency evasion manoeuvre triggered when not necessary

F2.7J (c) Incorrect emergency evasion manoeuvre identified

2.8 Variable Danger Areas (NOTAMS) Avoidance (E)

F2.8A 2.8.1 Awareness & flight path proximity (E)

(a) Unaware of NOTAMS Area

F2.8B (a) Unaware of proximity of NOTAMS Area to flight path

(b) (continuous function)

F2.8C (c) Incorrect NOTAMS Area determined

F2.8D (c) Incorrect distance to NOTAMS Area determined – nearer than actual

F2.8E (c) Incorrect distance to NOTAMS Area determined – further than actual

F2.8F 2.8.2 Maintain separation (ROA) (E) (a) NOTAMS Area separation (minimum) not maintained

(b) (continuous function)

F2.8G 2.8.3 Emergency incursion action (E)

(a) Need for emergency evasion not determined

F2.8H (a) Need for emergency evasion determined late


F2.8I (b) Emergency evasion manoeuvre triggered when not necessary

F2.8J (c) Incorrect emergency evasion manoeuvre identified

3. Control on the Ground (I)

3.1 Control Speed on the ground (I)

F3.1A 3.1.1 Determine speed on ground (I)

(a) Unable to determine speed on the ground

F3.1B (b) Attempt to determine ground speed while in the air

F3.1C (c) Ground speed inaccuracy - too high

F3.1D (c) Ground speed inaccuracy – too low

F3.1E 3.1.2 Controlled Ground thrust (I) (a) Unable to increase ground thrust

F3.1F (a) Unable to decrease ground thrust

F3.1G (b) Ground thrust increases without demand – runaway up

F3.1H (b) Ground thrust decreases without demand – runaway down

F3.1I (c) Ground thrust change lags demand

F3.1J (c) Excessive ground thrust change for required demand (scale error)

F3.1K (c) Inadequate ground thrust change for required demand (scale error)

F3.1L (c) Ground thrust asymmetry (roll or yaw depending on propulsion configuration)

F3.1M 3.1.3 Controlled Ground Braking (I) (a) Unable to apply / increase ground braking

F3.1N (a) Unable to decrease / release ground braking

F3.1O (b) Ground braking increases / on without demand

F3.1P (b) Ground braking decreases / releases without demand

F3.1Q (c) Ground braking change lags demand

F3.1R (c) Excessive ground braking for required demand (scale error)

F3.1S (c) Inadequate ground braking for required demand (scale error)

F3.1T (c) Ground braking asymmetry

3.2 Control Position on the ground (I)

F3.2A 3.2.1 Determine ground position & heading (I)

(a) Unable to determine ground position

F3.2B (a) Unable to determine ground heading

F3.2C (b) Attempt to determine ground position / heading while in the air

F3.2C (c) Ground position or heading inaccurate

F3.2D 3.2.2 Ground steering (I) (a) Ground steering not available – steering fixed

F3.2E (a) Ground steering not available – steering free

F3.2F (b) Ground steering when not on the ground

F3.2G (c) Incorrect sense ground steering applied

F3.2H (c) Excessive ground steering applied

F3.2I (c) Inadequate ground steering applied

F3.2J (c) Ground steering lags demand

F3.2K 3.2.3 Determine Airfield layout / required ground route (F)(E)

(a) Unable to determine airfield layout / required ground route

F3.2L (b) Ground route identified when not on the ground

F3.2M (c) Incorrect airfield identified

F3.2N (c) Incorrect ground route (at correct airfield) identified

F3.2O 3.2.4 Monitor / correct actual v required ground route (F)

(a) Unable to determine ground route error

F3.2P (a) Unable to determine ground route correction

(b) (Continuous function on the ground)

F3.2Q (c) Erroneous ground route error or correction determined

F3.2R 3.2.5 Determine Air / Ground transition (F)

(a) Unable to determine air / ground transition

(b) (continuous function)


F3.2S (c) Air to ground transition erroneously determined

F3.2T (c) Ground to air transition erroneously determined

F3.2U (c) Air / ground transition identified during transient ground contact

F3.2V (c) Air / ground transition not identified during transient ground contact

F3.2W 3.2.6 Determine Ground obstacles (F)(E) (Fixed or mobile)

(a) Unable to determine position of fixed ground obstacles

F3.2X (a) Unable to detect mobile ground obstacles

F3.2Y (b) Attempt to identify ground obstacles while not on the ground

F3.2Z (c) Ground obstacle identified where there is none

F3.2AA (c) Ground obstacle not identified where there is

F3.2AB (c) Ground obstacle identified position inaccurate

F3.2AC (c) Mobile ground obstacle identified but speed / direction not

4. Manage Datalink (I) Classification of datalink functional failures is critically dependent on level of autonomy of UAV in event of failure, in reaching a safe outcome.

4.1 Monitor datalink condition (I)

F4.1A 4.1.1 Signal strength (I) (a) Unable to determine datalink signal strength

F4.1B (b) (continuous function)

F4.1C (c) Datalink signal strength erroneously indicated too high

F4.1D (c) Datalink signal strength erroneously indicated too low

F4.1E (c) Datalink signal strength very noisy – high / low oscillation

F4.1F 4.1.2 D/L Equipment status (I) (a) Datalink equipment status not available

(b) (continuous function)

F4.1G (c) Datalink equipment status shown ‘no fail’ with actual single fail

F4.1H (c) Datalink equipment status shown ‘no fail’ with actual total fail

F4.1I (c) Datalink equipment status shown ‘single fail’ when actually no fail

F4.1J (c) Datalink equipment status shown ‘total fail’ when actually no fail

F4.1K (c) Datalink equipment status oscillates between fail / no fail status

4.2 Control Datalink path (I)

F4.2A 4.2.1 Handover to next GCS (I)(F) (a) Datalink control cannot hand over from current to next GCS

F4.2B (b) Datalink attempts control hand over from current GCS without demand

F4.2C (c) Datalink control hand over from current GCS, but next GCS unable to take control

F4.2D (c) Datalink control hand over from current GCS, but next GCS unaware it has control

F4.2E (c) Datalink control taken over by next GCS, without current GCS being aware

F4.2F (c) Datalink control hand over to next GCS, but current GCS also retains control (dual control)

F4.2G (c) Datalink attempted control hand over to next GCS, but neither GCS retains control

F4.2H 4.2.2 Route via Satellite (I)(F) (a) Unable to route datalink via satellite

F4.2I (b) Datalink routed via satellite without demand

F4.2J (c) Datalink routed via wrong satellite

F4.2K (c) Datalink ‘cross talk’ with other satellite traffic

F4.2L (c) Satellite link saturates with other satellite traffic – datalink dropouts

F4.2M (c) Satellite link saturates with other satellite traffic – datalink delays

F4.2N (c) Satellite link fails totally

F4.2N 4.2.3 Relay between UAVs (I)(F) (a) Unable to route datalink to 1st UAV via relay UAV

F4.2O (b) Datalink routed via relay UAV without demand

F4.2P (c) Datalink routed via wrong relay UAV


F4.2Q (c) Datalink routed via relay UAV to wrong 1st UAV

F4.2R (c) Relay Datalink ‘cross talk’ with RF noise

F4.2S (c) Datalink command confusion between those meant for relay UAV and those for 1st UAV

F4.2T (c) Relay datalink drop outs

F4.2U (c) Relay datalink delays

F4.2V (c) Relay link fails totally

F4.3A 4.3 Datalink Fail / Degrade Emergency Action (I) (see function 7.3.1 for divert function failures)

(a) D/L fail action (hold then divert) not taken when required

F4.3B (b) D/L fail action (hold then divert) taken without demand

F4.3C (c) D/L fail action partially taken – UAV remains in hold  

F4.3D (c) D/L fail action partially taken – UAV diverts immediately

F4.3E (c) D/L fail action partially taken – D/L fail broadcast not issued

F4.4A 4.4 Defend D/L (Jamming, stealing) (E)

(a) Datalink jammed

F4.4B (a) Datalink stolen

(b) (continuous function)

F4.4C (c) Valid datalink control rejected as jamming / stealing

F4.5A 4.5 Monitor Terrain proximity to LOS (E)

(a) Fail to monitor terrain proximity to control LOS

(b) (continuous function)

F4.5B (c) Terrain proximity inaccuracy – judged closer than actual

F4.5C (c) Terrain proximity inaccuracy – judged further than actual

5. Manage Payload (I)

F5.1A 5.1 Sensor control (I) [including visual sensor]

(a) Unable to direct sensor at point of interest [including forwards, for flight assistance]

F5.1B (b) Sensor slews off point of interest without demand

F5.1C (c) Sensor not stabilized on point of interest (subject to flight motion / noise)

F5.1D (c) Sensor field of view / zoom incorrect – too wide

F5.1E (c) Sensor field of view / zoom incorrect – too narrow

5.2 Payload data download (I) [including visuals]

5.3 Distribute Payload data (I)

5.4 Prioritise Users' Payload requests (I)

6. Monitor Mission progress (I)

F6.1A 6.1 Telemeter S&C params to GCS (I)

(a) Unable to telemeter S&C parameters to GCS

(b) (continuous function)

F6.1B (c) Inaccurate S&C parameters telemetered

F6.1C (c) Other parameters telemetered as S&C

F6.2A 6.2 Telemeter Air Nav params to GCS (I)

(a) Unable to telemeter Air Nav parameters to GCS, at all

(b) (continuous function)

F6.2B (c) Inaccurate Air Nav parameters telemetered

F6.2C (c) Other parameters telemetered as Air Nav

F6.3A 6.3 Telemeter Ground Control params to GCS (I)

(a) Unable to telemeter Ground Control parameters to GCS, at all

(b) (continuous function)

F6.3B (c) Inaccurate Ground Control parameters telemetered

F6.3C (c) Other parameters telemetered as Ground Control

F6.4A 6.4 Telemeter Flight Systems status to GCS (I)

(a) Unable to telemeter Flight Systems status to GCS, at all


(b) (continuous function)

F6.4B (c) Inaccurate Flight Systems status telemetered

F6.4C (c) Other parameters telemetered as Flight Systems status

6.5 Monitor Weather for changes (F)(E)

F6.5A 6.5.1 Weather awareness en-route (E) [Precipitation, icing, wind speed / direction, visibility VMC / IMC]

(a) Unaware of weather conditions en route

F6.5B (a) Unaware of wind speed or direction en route

(b) (continuous function)

F6.5C (c) Erroneous indication of precipitation, icing or visibility conditions en route – better than actual

F6.5D (c) Erroneous indication of precipitation, icing or visibility conditions en route – worse than actual

F6.5E (c) Inaccurate indication of wind speed or direction en route

F6.5F 6.5.2 Assess Wx proximity to planned route (E)

(a) Unable to determine Wx proximity to planned route

(b) (continuous function)

F6.5G (c) Wx proximity inaccurately determined nearer than actual

F6.5H (c) Wx proximity inaccurately determined further than actual

F6.5I (c) Wx movement inaccurately predicted – slower than actual

F6.5J (c) Wx movement inaccurately predicted – faster than actual

F6.5K 6.5.3 Determine Wx separation route around (E) [to reach final destination]

(a) Unable to determine a separation route around the weather – UAVS failure

F6.5L (a) Unable to determine a separation route around the weather – weather close out

F6.5M (a) Flight path not modified to avoid bad Wx

F6.5N (b) Unnecessary route around inserted in flight path

F6.5O (c) Revised bad Wx route does not avoid the weather

F6.5P (c) Revised bad Wx route exceeds range capability of vehicle

F6.5Q (c) Revised bad Wx route infringes other separation zones

F6.5R 6.5.4 Determine nearest diversionary airfield & route (E)

(a) Unable to determine a diversionary airfield

F6.5S (a) Unable to determine a route to the diversionary airfield

(b) (continuous function)

F6.5T (c) Incorrect diversion airfield determined – at increased flight distance

F6.5U (c) Incorrect diversion airfield determined – weather close out

F6.5V (c) Diversion airfield determined only periodically (i.e. not continuous function)

F6.5W (c) Diversion airfield not communicated between UAV and GCS, immediately after determination

F6.5X (c) Diversion route not communicated between UAV and GCS, immediately after determination

7. Manage Flight Systems (I)

F7.1A 7.1 Determine flight systems status (I)

(a) Unable to determine flight critical systems status

(b) (continuous function)

F7.1B (c) Flight critical system indicates a single fail, incorrectly

F7.1C (c) Flight critical system indicates a total fail, incorrectly

F7.1D (c) Flight critical system single fail not indicated

F7.1E (c) Flight critical system total fail not indicated

F7.1F (c) Incorrect flight system shown as having failure

7.2 Redundant systems control? (I) [leave to system level FHA] 


7.3 Degraded systems emergency actions (I)

F7.3A 7.3.1 Divert (E) (a) Failure to divert when expected

F7.3B (b) Divert carried out when not necessary

F7.3C (c) Divert carried out to different divert airfield than determined

F7.3D (c) Divert carried out on different route to that determined

F7.3E (c) (Divert demanded but no airfield or route available)

F7.3F (c) (Divert due to Collision Avoidance failure partially carried out – without broadcast)

F7.3G (c) (Divert carried out when Emergency Landing should be)

F7.3H (c) (Emergency Landing carried out when divert should be)

F7.3I 7.3.2 Emergency Landing (E) (a) Failure to carry out controlled Emergency Landing, when necessary

F7.3J (b) Emergency Landing carried out when not necessary

F7.3K (c) (Emergency landing carried out partially – without MAYDAY broadcast)

F7.3L (c) Emergency landing attempted in populated area

8. Pre Flight Preparations (I)

8.1 Mission Planning (I)

F8.1A 8.1.1 Plan mission (I) (a) Unable to plan mission

F8.1B (a) Mission plan completed but not retained and loaded

F8.1C (b) (Mission planning initiated when not required?)

F8.1D (c) Mission plan partially complete

F8.1E (c) Mission plan partially in error – random error

F8.1F (c) Mission plan partially in error – stale information from earlier mission

F8.1G (c) Mission plan for incorrect mission loaded

F8.1H (c) Mission plan confuses ident of UAVS system elements (UAVs; GCSs)

F8.1I (c) Mission plan completed but not within capability of UAVS performance

F8.1J 8.1.2 HIRF Location awareness (E) (a) Unaware of HIRF locations for mission planning

(b) (continuous function)

F8.1K (c) Not all HIRF locations known for mission planning

F8.1L (c) Some HIRF locations incorrect for mission planning

F8.1M (c) Some HIRF height / range information incorrect for mission planning

F8.1N (c) Some HIRF types incorrect for mission planning

F8.1O 8.1.3 Terrain Awareness (E) (a) Unaware of terrain for mission planning

(b) (continuous function)

F8.1P (c) Not all terrain known for mission planning

F8.1Q (c) Some terrain positions incorrect for mission planning

F8.1R (c) Some terrain heights incorrect for mission planning

F8.1S (c) Some terrain types incorrect for mission planning

F8.1T 8.1.4 Danger Area / populated area awareness (E)

(a) Unaware of Danger / populated areas for mission planning

(b) (continuous function)

F8.1U (c) Not all Danger / populated areas known for mission planning

F8.1V (c) Some Danger / populated areas locations incorrect for mission planning

F8.1W (c) Some Danger / populated areas height information incorrect for mission planning

F8.1X 8.1.5 Controlled Airspace awareness (E)

(a) Unaware of Controlled Airspace for mission planning

(b) (continuous function)


F8.1Y (c) Not all Controlled Airspace known for mission planning

F8.1Z (c) Some Controlled Airspace locations incorrect for mission planning

F8.1AA (c) Some Controlled Airspace height information incorrect for mission planning

F8.1AB (c) Some controlled airspace types incorrect

F8.1AC 8.1.6 Weather awareness (E) (a) Unaware of current weather conditions

F8.1AD (a) Unaware of predicted weather conditions

(b) (continuous function)

F8.1AE (c) Weather conditions incorrect - optimistic

F8.1AF (c) Weather conditions incorrect - pessimistic

F8.1AG (c) Weather conditions incorrect – location or path

(c) (also as function 6.5)

8.2 T/O / Launch Preparation (F)

F8.2A 8.2.1 Refuel / recharge consumables (I)

(a) Unable to refuel / recharge consumables

F8.2B (b) (Refuel / recharge at incorrect phase?)

F8.2C (b) Refuelling / recharging still underway at launch

F8.2D (c) Partially refuelled / recharged

F8.2E (c) Fuelled / charged with incorrect consumables

F8.2F (c) Fuel / charge contaminated

F8.2G (c) Fuelled asymmetrically (fore / aft; left / right)

F8.2H 8.2.2 Pre flight systems test (I)(F) (a) Unable to pre-flight systems test

F8.2I (b) (Pre-flight systems test at incorrect phase?)

F8.2J (b) Still in pre-flight test at launch

F8.2K (c) Partial pre-flight systems test carried out

F8.2L (c) Pre-flight systems test returns incorrect pass for critical system

F8.2M (c) Pre-flight systems test returns incorrect fail for critical system

F8.2N (c) Pre-flight systems test confuses Ident of systems test results

F8.2O 8.2.3 Upload Mission Plan (I)(F) (a) Unable to upload mission plan

F8.2P (b) (Upload mission plan at incorrect phase?)

F8.2Q (b) Still uploading mission plan at launch

F8.2R (c) Partial upload of mission plan carried out

F8.2S (c) Mission plan uploaded but not retained – no plan

F8.2T (c) Mission plan uploaded but not retained – stale plan retained

F8.2U (c) Incorrect mission plan uploaded – UAV differs from GCS

F8.2V (c) Incorrect mission plan uploaded – both UAV and GCS

F8.2W (c) Incorrect mission plan uploaded – current and next GCS differ

F8.2X (c) Incorrect mission plan uploaded – both current and next GCS

F8.2Y (c) Mission plan corrupted during upload

F8.2Z (c) Mission plan upload confuses ident of UAVs (relay / sensor UAVs)

9. Manage Communications (E)

F9.1A 9.1 Understand / reply to Airfield ATC voice comms (E)

(a) Unable to hear ATC airfield voice comms at all

F9.1B (a) Unable to hear ATC airfield voice comms intermittently

F9.1C (a) Unable to understand airfield ATC voice comms

F9.1D (a) Unable to reply to airfield ATC voice comms

F9.1E (b) Transmit on ATC airfield comms channel when not intended

F9.1F (b) Comply with / reply to airfield ATC message intended for another aircraft

(b) (Comply with / reply to airfield ATC message from incorrect airfield)

F9.1G (c) Misunderstand ATC airfield comms


F9.1H (c) Delay responding to airfield ATC comms

F9.1I (c) Incorrect message transmitted to airfield ATC comms

F9.2A 9.2 Detect & respect airfield visual signals (E)

(a) Unable to detect or respect airfield visual signals

F9.2B (b) Detect / respect airfield visual signals that are not pertinent to UAV position (incorrect signal detected / respected)

F9.2C (c) Misinterpret airfield visual signal

F9.3A 9.3 Understand / reply to En-Route ATC advice - voice / digital (E)

(a) Unable to detect ATC en-route comms at all

F9.3B (a) Unable to detect ATC en-route comms intermittently

F9.3C (a) Unable to understand en-route ATC comms

F9.3D (a) Unable to reply to en-route ATC comms

F9.3E (b) Transmit on en-route ATC comms channel when not intended

F9.3F (b) (Comply with / reply to en-route ATC message from incorrect ATC service)

F9.3G (b) Comply with / reply to en-route ATC message intended for another aircraft

F9.3H (c) Misunderstand en-route ATC comms

F9.3I (c) Delay responding to en-route ATC comms

F9.3J (c) Incorrect message transmitted to en-route ATC comms

F9.4A 9.4 Provide Tracking 'visibility' (signal, visual) (E)

(a) UAV not visible to ATC for transponder tracking

F9.4B (a) UAV not visible to ATC for RADAR tracking by RF signature

F9.4C (a) UAV not visible to ATC for tracking visually

(b) (RF signature / visual are continuous functions)

F9.4D (b) Provide transponder response when not required

F9.4E (c) Provide transponder response late when interrogated

F9.4F (c) Provide incorrect Aircraft Identifier when interrogated

F9.4G (c) Provide incorrect aircraft altitude when interrogated

F9.5A 9.5 Manage ATC Frequency selections (E)

(a) Unable to change ATC frequency selection

F9.5B (a) Unable to hold required ATC frequency

F9.5C (b) ATC frequency changed when not required

F9.5D (c) ATC frequency changed to incorrect frequency (not in use frequency)

F9.5E (c) ATC frequency changed to incorrect frequency (in-use frequency)

F9.5F (c) ATC frequency changed to emergency frequency in error

9.6 Comply with ATC procedures (E)

Possible range of procedures constrained to following:

Airfield – ground movement (clearance & direction); enter runway; take-off; climb out direction and final height; approach direction; circuit direction; runway allocation; hold height & direction; landing clearance; exit runway clearance

En-route – Climb / descend and cruising altitude; heading change; hold position, height and direction; diversion

F9.6A 9.6.1 Determine required manoeuvre from ATC comms (E)

(a) Unable to determine required manoeuvre from ATC comms

F9.6B (b) Manoeuvre determined from ATC comms, where none was requested

F9.6C (c) Incorrect manoeuvre determined from ATC comms and carried out

F9.6D (c) ATC required Manoeuvre partially completed

F9.6E 9.6.2 Confirm manoeuvre with ATC (E)

(a) Unable to confirm initiating manoeuvre with ATC

F9.6F (a) Unable to confirm completing manoeuvre with ATC

F9.6G (b) ATC manoeuvre ‘confirmed’ when none was requested

F9.6H (c) Incorrect ATC manoeuvre ‘confirmed’ to ATC (compared to that being actually carried out)


F9.7A 9.7 Emergency Broadcast Actions (E) (Coll aware fail; D/L fail; Mayday)

(a) Unable to broadcast – “Collision Avoidance Fail”

F9.7B (a) Unable to broadcast – Data Link Fail

F9.7C (a) Unable to broadcast – Mayday

F9.7D (b) Broadcast ‘Collision awareness fail’ when not required

F9.7E (b) Broadcast ‘Data Link fail’ when not required

F9.7F (b) Broadcast ‘Mayday’ when not required

F9.7G (c) Broadcast incorrect emergency message compared to that actually required

10. Collision Avoidance (F)(E)

F10.1A 10.1 Detect Traffic (E) (a) Unable to detect ‘co-operative’ traffic

F10.1B (a) Unable to detect ‘non co-operative’ traffic

F10.1C (b) Traffic detected when not present

F10.1D (c) Traffic detected late

F10.1E (c) Traffic detected in incorrect position

F10.1F (c) Traffic detected at incorrect height

F10.2A 10.2 Determine traffic relative track (E)

(a) Unable to determine traffic relative track

F10.2B (a) Traffic relative track determined at low update rate

(b) (continuous function when traffic detected)

F10.2C (c) Traffic relative track incorrectly indicated as converging

F10.2D (c) Traffic relative track incorrectly indicated as not converging

F10.3A 10.3 Maintain traffic separation (ROA) (E)

(a) Failure to manoeuvre (adequately) to maintain traffic separation i.a.w. Rules of the Air (right of way / minimum separation)

F10.3B (b) Traffic separation manoeuvre initiated when UAV should maintain current track (right of way)

F10.3C (c) Incorrect traffic separation manoeuvre initiated (turn direction)

F10.4A 10.4 Collision emergency evasion (E)

(a) Failure to manoeuvre (adequately) for collision emergency evasion

F10.4B (a) Collision emergency evasion manoeuvre initiated late

F10.4C (b) Collision emergency evasion manoeuvre initiated when unnecessary

F10.4D (c) Incorrect collision emergency evasion manoeuvre initiated (turn direction / height change)

F10.4E (c) Collision emergency evasion manoeuvre successful but UAV affected by aircraft wake turbulence

F10.5A 10.5 Conspicuity to air traffic (visual, RF) (E)

(a) Unable to be detected by ‘co-operative’ traffic

F10.5B (a) Unable to be seen by other air traffic

F10.5C (a) UAV RF (Radar) Conspicuity varies significantly with observation aspect

F10.5D (a) UAV visual conspicuity varies significantly with observation aspect

(b) (continuous function for civil operation – i.e. not switchable stealth)

F10.5E (c) UAV resembles other aircraft types of different size or performance


 

Columns: FFA ID; Failure Condition; Flight Phases; Effect of Failure Condition - (1) AW; (2) ATM; Classification; Justification

1. Stability & Control; 1.3 Manoeuvre UAV (I)

F1.3A Unable to manoeuvre UAV at all when demanded
Flight Phases: TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel
Effect of Failure Condition: (1), (2) Eventually, UAV will impinge on terrain or controlled airspace (Knock on effect – a cause of F2.5G terrain separation fail; F2.6F controlled airspace separation fail; F2.7F danger / populated area separation fail; F10.3A Traffic separation fail)
Classification: (1) Catastrophic (2) Severity 1
Justification: (dependent on knock-on effect failure being realised)

F1.3B Unable to manoeuvre UAV in certain axes, when demanded
Flight Phases: TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel
Effect of Failure Condition: (1) Limited control available from secondary effects (see F1.3D below), sufficient to effect controlled loss of the UAV over an unpopulated site (2) Likely to cause infringement of controlled airspace, but some control to minimise effect (i.e. maintain limited traffic separation)
Classification: (1) Hazardous (2) Severity 2
Justification: Scenarios for typical missions justify likely ATM effect

F1.3C Undemanded manoeuvre
Flight Phases: TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel
Effect of Failure Condition: (1) In extreme, at critical flight condition (TO or Landing) loss of control (2) Could be a cause for separation minima being breached – in extreme, (among traffic) cause collision
Classification: (1) Catastrophic (2) Severity 1

F1.3D Asymmetric manoeuvre control – demand in one axis causes uncontrollable manoeuvre in another axis
Flight Phases: TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel
Effect of Failure Condition: (1) In extreme, at critical flight condition (TO or Landing) loss of control (2) Could be a cause for separation minima being breached – in extreme, (among traffic) cause collision
Classification: (1) Catastrophic (2) Severity 1
Justification: Some secondary effects of controls are Ok (and normal aerodynamic effect), provided there is sufficient control authority to counteract them. Potential mitigation for F1.3B

F1.3E Transient control deflections
Flight Phases: TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF,

   R  e   l

   (  a  s   F   1 .   3

   C   )

 

   F   1 .   3

   F

   M  a  n  o  e  u  v  r  e  c  o  n   t  r  o   l

  r  e  s   t  r   i  c   t   i  o  n  –   l   i  m   i   t  e   d

  m  a  n  o  e  u  v  r  e

   T   O   A ,

   T   O   F ,

   T  r  a  n ,

   H  a  n   d ,

   T  r  a  n   S ,

   S  e  n  s

 ,

   A  p  p ,

   L  a  n   d   A ,

   L  a  n   d   F ,

   R  e   l

   (  a  s   1 .   3

   B   )

 

   F   1 .   3

   G

   M  a  n  o  e  u  v  r  e  c  o  n   t  r  o   l

   j  a  m  s  –  u  n  a   b   l  e   t  o  s   t  o  p

  m  a  n  o  e  u  v  r  e

   T   O   A ,

   T   O   F ,

   T  r  a  n ,

   H  a  n   d ,

   T  r  a  n   S ,

   S  e  n  s

 ,

   A  p  p ,

   L  a  n   d   A ,

   L  a  n   d   F ,

   R  e   l

   (  a  s   F   1 .   3

   C   )

 


| FFA ID | Failure Condition | Flight Phases | Effect of Failure Condition - (1) AW; (2) ATM | Classification | Justification |
|---|---|---|---|---|---|
| F1.3H | Excessive manoeuvre control deflections | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | (as F1.2B) | | |
| F1.3I | Manoeuvre capability exceeds vehicle structural strength | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | (1) UAV breakup – unable to continue controlled flight | (1) Catastrophic | AW issue, as vehicle breakup takes it out of the ATM environment |
| F1.3J | Manoeuvre control time delay (lag) | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | (as F1.2C and D) | | |
| 1. Stability & Control; 1.4 Manual Override - Remote Piloting (I) | | | | | |
| F1.4A | Unable to take manual control of UAV | Taxi, TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | No immediate effect, UNLESS a coincident functional failure occurs (in functions 1-10 inc) requiring manual intervention | As for the most severe of other functions 1-10: (1) Catastrophic (2) Severity 1 | Manual override is intended as mitigation for many other failure modes. Safety requires independence from other failure forms (EITHER - autonomy in case of manual failure, OR - use of an independent 3rd option such as Flight Termination System to give a safe outcome, if critical functions are provided on a common datalink with manual control from the GCS) |
| F1.4B | Unable to fly UAV with autonomy | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | Higher workload on UAV-p initially. Critical effect IF datalink fails coincidently (effectively coincident with F1.4A) – UAV then reacts as F1.3A | As for F1.3A: (1) Catastrophic (2) Severity 1 | Autonomous flight / manual override need to be independent, as either / or is required for successful continuing safe flight |
| F1.4C | Conflicting authority between manual and autonomous control | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | (as F1.4A and F1.4B) | | |


| FFA ID | Failure Condition | Flight Phases | Effect of Failure Condition - (1) AW; (2) ATM | Classification | Justification |
|---|---|---|---|---|---|
| F1.6G | Incorrect airspeed achieved – too low | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | (as F1.6D) | | |
| 2. Air Navigation (I); 2.1 Position, Heading & Altitude Awareness (I); 2.1.1 Determine Position, Heading & Altitude (I) | | | | | |
| F2.1A | Unable to determine position | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | In isolation – position can be approximated from heading, speed etc. In common failure with F2.1B or F1.1B – requires external means to identify position (functions 9.3 En-route ATC communications and 9.4 Tracking ‘visibility’). Without these, system faces emergency landing (function 7.3.2) in unknown terrain, or flight path through unknown airspace. Knock-on for Rel UAV would be loss of datalink for Sens UAV | In extreme cases: (1) Catastrophic (2) Severity 2 | AW severity assumes need to make blind emergency landing at last ‘known’ position (MS7 emergency landing scenario shows that small inaccuracies could cause impact on village location, as lesser evil to flying on and possibly crashing in major population area). ATM severity assumes that function 10 Collision avoidance remains active – need to beware of potential common mode failures. |
| F2.1B | Unable to determine heading | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | (as F2.1A) | | |
| F2.1C | Unable to determine altitude | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | If DETECTED - Could manage by increasing altitude (from previous safe altitude) and steering where ground known to be lower. UNDETECTED - as F2.5G Unable to maintain safe altitude over terrain. ATM – if DETECTED, call ATC and declare PAN PAN PAN. If UNDETECTED, unable to maintain safe vertical separation below controlled airspace (as F2.7F) | Detected: (1) Major (2) Severity 4. Undetected: (1) Catastrophic (2) Severity 2 | MS8 routine approach to Aberporth over terrain assessed; MS5 emergency recovery under Dav CTA assessed. Undetected ATM severity assumes function 10 Collision avoidance remains active – need to beware of potential common mode failures. |
| F2.1D | Accuracy error in measured position, heading or altitude | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | (as F2.1A, B, C) | | |
| F2.1E | Lag in position, heading or altitude data measurement (phase shift) | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | (as F2.1A, B, C) | | |


| FFA ID | Failure Condition | Flight Phases | Effect of Failure Condition - (1) AW; (2) ATM | Classification | Justification |
|---|---|---|---|---|---|
| F2.1F | Measured position, heading or altitude freezes at last reading | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | (as F2.1A, B, C) | | |
| F2.1G | Measured position, heading or altitude goes to maximum scale | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | (as F2.1A, B, C) | | |
| F2.1H | Measured position, heading or altitude goes to minimum scale | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | (as F2.1A, B, C) | | |
| F2.1I | Transient spikes in measured position, heading or altitude | TOA, TOF, Tran, Hand, TranS, Sens, App, LandA, LandF, Rel | Manageable, if spikes allow trend in position and altitude to be assessed adequately. Else, treat as F2.1A, B, C | | |
| 2.5 Terrain Avoidance (E); 2.5.1 Awareness & flight path proximity (E) | | | | | |
| F2.5A | Unaware of surrounding terrain | Tran, Hand, TranS, Sens, App, Rel | (1) UNDETECTED – Controlled flight into terrain. DETECTED – climb to safe height and divert | (1) Catastrophic | Assumes TO and Land covered by functions 2.4 – ensure no combined functionality / common mode failure |
| F2.5B | Unaware of proximity of surrounding terrain to flight path | Tran, Hand, TranS, Sens, App, Rel | (1) UNDETECTED - CFIT | (1) Catastrophic | |
| F2.5C | Terrain proximity determined at low sampling rate | Tran, Hand, TranS, Sens, App, Rel | (1) UNDETECTED – Steep Terrain encroaches into safe maneuvering zone – as F2.5G terrain separation (minimum) not maintained. In extreme, CFIT as F2.5B | (1) Catastrophic | May be a cause for F2.5B – system believes terrain is being monitored, unaware of deficiency in measurements |
| F2.5D | Incorrect surrounding terrain determined | Tran, Hand, TranS, Sens, App, Rel | Causes F2.5G, F2.5K, F2.5M (terrain separation breached; emergency evasion not triggered; emergency evasion triggered unnecessarily). Knock-on for Rel UAV could be loss of datalink for Sens UAV | | (caused by F2.1D positional inaccuracy, or F2.2D incorrect mission data elements) |
| F2.5E | Incorrect distance to terrain determined – lower than actual | Tran, Hand, TranS, Sens, App, Rel | (causes F2.5M emergency evasion triggered when not necessary) | | |


Scenarios for Effects Consideration

(1) Consider broad effects of environment and emergency configurations

(2) Consider the following graphical mini-scenarios (appended to route plan maps):

•  MS1 – Routine take-off from Aberporth and transit danger area

•  MS2 – Airspace pinch point, between floor of Airway B3 (3500ft) and above Liv HPZ (2000ft) (over gas rigs)

•  MS3 – GCS handover, 20nm band where Aberporth GCS and Spadeadam GCS both have datalink range

•  MS4 – UAV Relay duty, in area between Colwyn Bay and Liv HPZ

•  MS5 – Emergency Recovery, under Daventry CTA divert into Calton Moor military airfield (next to E Mids CTA)

•  MS6 – Airmanship conflict, to maintain separation under Man TMA (3500ft) forces flight below safe altitude over terrain + mast (2490ft)

•  MS7(a) – Emergency landing, East of Burnley, from low altitude (2800ft due to Man TMA)

•  MS7(b) – Emergency landing, Teesdale, from high altitude (6000ft) but over steep terrain and valleys

•  MS8 – Routine approach and landing into Aberporth, coming in over terrain, wind farms and villages


ANNEX E

SWIFT ASSESSMENT FOR COMPARISON (EXTRACT OF HAZARDS)


This annex provides the summarised results of a Structured What If Technique (SWIFT) hazard identification of the Guard Dog case study.

SWIFT was applied in ‘quick and dirty’ fashion by a group of 3 safety engineers with UAV assessment experience, independently from the Functional Failure Analysis carried out to apply the method defined in the body of this report. The intent was to provide a cross-check of hazards, to determine how well the FFA had identified hazards and whether, overall, there were still hazards left unidentified by either method. The evaluation of the two methods is covered in section 3.3 of the report.

The results of the SWIFT are shown below, along with an indication where the FFA may have identified the same / similar hazard.

Table E(i) – SWIFT hazards identified for Guard Dog case study

| SWIFT ID | What If / Hazard indicated | Comment w.r.t. UAVS level assessment | FFA Comparable Hazard |
|---|---|---|---|
| Pre-flight / launch (up to and including engine start) | | | |
| S1 | Manual handling | Ground hazard - OHSA | |
| S2 | Incorrect assembly | Causal – FTA or system FHA | |
| S3 | Undetected prior damage | Causal – FTA | |
| S4 | Mis-matched program / mission | | A63 |
| S5 | Corrupted mission data | | A18 |
| S6 | Incorrect fuel-type / mixture | | A67 |
| S7 | Incomplete program / mission | | A18 |
| S8 | Incorrect fuel load | | A65 |
| S9 | Inadequate pre-flight checks | | A69 |
| S10 | Fuel fire | Particular Risk Analysis | |
| S11 | Electrocution by electrics | Ground hazard - OHSA | |
| S12 | Propeller strike | Ground hazard – OHSA | |
| S13 | Inadvertent launch | | |
| S14 | Uncontained engine failure | Particular Risk Analysis | |
| S15 | Poor launch site information (incomplete recce) | | A22 |
| S16 | Structural failure of pneumatics (of launcher) | Causal – FTA or system FHA | |
| Launch (field take off) to clear of launch | | | |
| S17 | Unable to reach launch velocity | | A12 |
| S18 | Unable to reach controlled flight | | A12, A1, A2 |
| S19 | Structural break up | | A7 |
| S20 | Obstacle clearance | | A22, A14 |
| S21 | Launch out of wind limits | | A24 |
| S22 | Engine failure | | A14, A6 |
| S23 | Flight control system failure | | A1, A2, A3 |
| S24 | Incorrect flight mode (autonomous or manual control) | | A8, A9 |
| Airfield launch (As above plus:) | | | |
| S25 | Poor preparation of launch site (inadequate runway quality) | | |
| Flight | | | |
| S26 | Deviation from flight plan | | A21 |
| S27 | Flight into controlled airspace (when not allowed) | | A28 |
| S28 | Avionics failure (e.g. Nav system) | | A15 |
| S29 | Loss of positional information from UAV to GCS | | A51 |
| S30 | Failure of transponder | | A75, A76 |
| S31 | Low Radar signature | | A74 |
| S32 | Bird strike | Causal – FTA or system FHA | |
| S33 | EMC / EMI from transmission masts | | A42 |
| S34 | General Aviation threat (collision avoidance system malfunctions) | | A83, A84 |
| S35 | Weather extremes (e.g. lightning, turbulence etc) | | A55 |
| S36 | Icing | | A55 |
| S37 | Loss of power supply to GCS | Causal – FTA or system FHA | |
| S38 | Incorrect / corrupted signal from GCS | Causal – FTA or system FHA | |
| S39 | Unable to handover to next GCS | | A40 |
| S40 | Unable to relay info to furthest UAV | | A44 |
| S41 | Loss of GCS communications | | |
| S42 | Loss of GPS | | A15 |
| S43 | RF Radiation Hazard to GCS occupants | Ground hazard – OHSA | |
| S44 | Uncommanded collision avoidance | | A85 |
| S45 | Digital terrain / obstacle database not current | | A64 |
| S46 | Loss of communications with ATC | | A71, A73 |
| S47 | Failure to respect VFR / IFR rules | | A56 |
| S48 | Pilot fatigue (long endurance shifts) | | |
| S49 | Flying 2 UAVs and inadvertently commanding the wrong one | Causal – FTA or system FHA | |
| S50 | Spurious system monitoring signal from UAV to GCS | | A59 |
| S51 | Lasing / identifying the wrong target | Ground hazard - OHSA | |
| S52 | EMI between UAVS internal systems | Causal – FTA or system FHA | |
| S53 | Incompetent pilot | Causal – FTA or system FHA | |
| S54 | Security risk – control by terrorist | | A48 |
| S55 | Flight into aircraft wake | | A86 |
| S56 | Navigation visibility lights failure | | A87 |
| Approach and Landing | | | |
| S57 | Approach / land too fast | | A23, A6 |
| S58 | Approach / land too slow | | A23, A6 |
| S59 | Approach / land too high | | A23, A14 |
| S60 | Approach / land too low | | A23, A14 |
| S61 | Incorrectly aligned with runway | | A23, A24 |
| S62 | Landing out of wind limits | | A24 |
| S63 | Terrain masking during approach | | A50 |
| S64 | Loss of control after landing (speed or direction) | | A31, A32, A33, A34 |
| Maintenance | | | |
| S65 | COSHH assessment | Ground hazard – OHSA | |
| S66 | Maintenance error | Causal – FTA or system FHA | |
| S67 | Lack of maintenance policy / philosophy | Procedural, regulatory | |
| S68 | Radiation hazards | Ground hazard – OHSA | |
| S69 | Electrical hazards | Ground hazard – OHSA | |
| S70 | Stored energy | Ground hazard – OHSA | |
| S71 | Inadequate in-service support e.g. logistics, airworthiness, configuration control, spares | Procedural, regulatory | |
| S72 | Incompetent maintainers | Procedural, regulatory | |
| S73 | Disposal aspects | Ground hazard - OHSA | |
| Emergency Actions | | | |
| S74 | Incursion into airspace | | A30 |
| S75 | Crash landing | | A60, A61 |
| S76 | Datalink Out of range | | A46 |
| S77 | Diversion | | A57 |


ANNEX F

LISTING OF HAZARDS FOR INTEGRATION OF UAVS INTO UNSEGREGATED AIRSPACE (FROM TUAV CASE STUDY)


This annex provides the summarised hazard listing, after review of the FHA results from applying the modified ARP4761 method to the Guard Dog case study.

The results are, obviously, based on a specific consideration, but the case study was intended to be a generic Tactical UAVS (TUAVS), so there should be good read across to other TUAVS applications and, perhaps, fair read across to broader UAVS types. It is suggested that there is enough read across for the list to provide a ‘starter’ for other systems, to be added to by more specific application of the proposed HazID method.

The listing also indicates where there is commonality with the hazards identified using the SWIFT analysis (see Annex E to this report).

Table F(i) – Hazards identified for Guard Dog case study, using the proposed modifications to ARP4761 FHA technique

| ID | UAVS Hazard indicated | Relating to UAVS FHA Functional Failures | Relating to SWIFT Comparable Hazard |
|---|---|---|---|
| A1 | Flight control instability | F1.1-, F1.2-, F1.5A | S18, S23 |
| A2 | Inability to control (external) perturbations | F1.2A | S23 |
| A3 | Inability to manoeuvre / maintain UAV on required flight path | F1.3-, F1.6O-R, F2.3-, F6.5B | S23, S26 |
| A4 | Flight instrumentation (attitude and speed) errors | F1.1- | |
| A5 | Inability to identify flight instrumentation errors | [derived from F2.1- and assessment of effects - detected and undetected] | |
| A6 | Inability to achieve, maintain and control required airspeed | F1.6- | S22, S57, S58 |
| A7 | Lack of structural integrity | F1.3H, F1.5D | S19 |
| A8 | Unable to take manual control of the UAV (UAV-p) | F1.4A | S24 |
| A9 | Unable to transfer to autonomous UAV control | F1.4B | |
| A10 | Conflicting authority between UAV controllers (manual / autonomous) (different ground controllers) | F1.4C,D, F4.2F | |
| A11 | Control mode error (where control laws differ with phase of flight) | F1.5C | |
| A12 | Launcher fails to provide correct take-off speed | F1.5B | S17, S18 |
| A13 | Asymmetric thrust / power | F1.6E | |
| A14 | Unable to achieve / maintain / control required altitude or rate | F1.6- | S20, S22 |
| A15 | Navigation instrumentation errors (altitude, position, heading; for general air navigation) | F2.1 | S28, S42 |
| A16 | High accuracy navigation instrumentation errors (altitude, position, heading; for taxi, take off, approach, landing) | F2.4C-AB | |
| A17 | Inability to identify navigation instrumentation errors | F2.1- | |
| A18 | Planned mission route stored with errors | F2.2- | S5, S7 |
| A19 | Planned mission route not achievable by UAVS (not capable within performance) | F2.2F, F6.5B, F6.5N, F8.1I | |
| A20 | Planned mission route not safe (by Rules of the Air) | F2.2G | |
| A21 | UAV deviates from planned route without correction | F2.3- | S26 |
| A22 | Correct airfield and runway take-off and climb-out pattern data not used | F2.4A-F | S15, S20 |
| A23 | Correct airfield and runway approach, hold, circuit and landing data not used | F2.4R-X | S57, S58, S61 |
| A24 | Inability to determine correct wind-speed and direction in relation to runway (take-off or landing) | F2.4AC-AG | S21, S62 |
| A25 | Minimum terrain separation (i.a.w. Rules of the Air) not maintained | F2.5A-O | |
| A26 | Terrain separation / emergency evasion triggered when not required / appropriate | F2.5M | |
| A27 | Separation from sensitive areas (danger areas / populated areas / NOTAMS areas) not maintained | F2.6-, F2.8- | |
| A28 | Separation from controlled airspace not maintained (when not equipped / cleared for controlled airspace operations) | F2.7- | S27, S75 |
| A29 | Incorrect type / identifier of controlled airspace determined (if cleared for controlled airspace operations) | [outside scope of TUAV case study, but extrapolated | |
| A30 | Incorrect emergency incursion action taken (for ROA) if controlled airspace entered in error | F2.7I,J | S74 |
| A31 | Inability to control ground speed | F3.1A-J | S64 |

A31 Inability to control ground speed F3.1A-J S64 

A32 Excessive braking when not required F3.1N, F3.1R S64 

A33 Asymmetric braking F3.1T S64 

A34 Inability to provide controlled ground steering F3.2A-J S64 

A35 Incorrect airfield layout / ground taxi route determined F3.2K-Q

A36 Inability to determine ground / air transition clearly F3.2R-V

A37 Unable to correctly determine position of fixed / mobileground obstacles

F3.2W-AC

A38 Inability to accurately determine command datalinksignal strength

F4.1A-E

A39 Incorrect status of command datalink systemserviceability determined

F4.1F-K

A40 Command datalink lost during attempt to hand overbetween GCS stations

F4.2A-G S39 

A41 Command datalink handed to GCS, but GCS unawareit has control

F4.2D

A42 Command Datalink suffers from EMI 'cross talk' withother RF traffic

F4.2K,R S33 

A43 Command datalink lags via satellite / relay F4.2M,U

A44 Command datalink drop outs via satellite / relay F4.2L,N,T,V S40 

Page 167: Hazards of Uav

8/8/2019 Hazards of Uav

http://slidepdf.com/reader/full/hazards-of-uav 167/169

F-4

ID UAVS Hazard indicated Relating to UAVSFHA FunctionalFailures

Relating to SWIFT Comparable Hazard 

A45 satellite / relay UAV passes control datalinkcommands to incorrect UAV

F4.2Q

A46 Failure to take correct emergency recovery action ifcommand datalink fails

F4.3- S76 

A47 Command Datalink jammed F4.4A

A48 Command Datalink stolen F4.4B S54 

A49 Valid command datalink rejected as jammed / stolen F4.4C

A50 Inability to accurately determine terrain proximity tocommand datalink line of sight

F4.5- S63 

A51 Inability to telemeter accurate UAV parameters(control parameters, navigation parameters, flightsystem status) to GCS

F6.1-,F6.2-,F6.3-,F6.4-

S29 

A52 Inability to monitor initial / changing weather conditionsalong the mission route

F6.5A-J, F8.1AC-AG

A53 Bad weather re-routing infringes sensitive airspace / overflown areas

F6.5Q

A54 Bad weather re-routing exceeds UAV capability(performance)

F6.5P

A55 Weather effects on UAV - icing, precipitation, dust,sand

[implied fromfunctionalconsideration to avoidbad weather andF6.5M,O]

S35, S36 

A56 UAV flight in reduced visibility / IFR conditions [implied fromfunctionalconsideration to avoidbad weather andF6.5M,O]

S46 

A57 Unable to determine a valid diversionary airfield (foremergency / bad weather recovery)

F6.5K,L,R-V S77 

A58 Diversionary airfield / route not communicatedbetween UAV and GCS (UAV not aware ofappropriate action to take, or GCS not aware whataction the UAV will take)

F6.5W,X

A59 Unable to accurately determine the status of criticalflight systems

F7.1- S50 

A60 Incorrect emergency action taken - no action / divert / emergency landing

F7.3A-K S75 

A61 Emergency landing attempted in populated area F7.3L S75 

A62 GCS moding initiates ground mode displays andcontrols (e.g. mission planning), when in flightmonitoring / control required

F8.1C

A63 Incorrect mission plan completed / loaded F8.1A-H S4 

A64 Incomplete / incorrect supporting data available formission planning (e.g. HIRF locations, terrain, dangerareas, controlled airspace)

F8.1K-AB S45 

A65 Consumables not fully refuelled / recharged prior totake-off / launch

F8.2A,D S8 

Page 168: Hazards of Uav

8/8/2019 Hazards of Uav

http://slidepdf.com/reader/full/hazards-of-uav 168/169

F-5

ID UAVS Hazard indicated Relating to UAVSFHA FunctionalFailures

Relating to SWIFT Comparable Hazard 

A66 Consumables still being refuelled / recharged atlaunch (or other inappropriate flight phase)

F8.2B S13 

A67 Consumables refuelled / recharged with incorrect orcontaminated materials

F8.2E,F S6 

A68 UAV centre of gravity adversely affected by fuelcharge

F8.2G

A69 pre-flight systems test returns incomplete / incorrectsystem status

F8.2H-N S9 

A70 Different mission plans loaded - UAV; relay UAV; firstGCS; other GCS in mission

F8.2U-X

A71 Inability to correctly understand and reply to airfieldATC communications

F9.1-, F9.5- S46 

A72 inability to correctly detect, interpret and respect

airfield visual signals

F9.2-

A73 Inability to correctly understand and reply to en-routeATC communications (e.g. advisory Flight InformationService)

F9.3-, F9.5- S46 

A74 UAV poor Radar visibility for tracking by ATC F9.4B,C S31

A75 Transponder failure to squawk or squawks incorrectidentifier

F9.4A,D-F S30 

A76 Transponder returns incorrect altitude to ATC (if ModeS / Mode C)

F9.4G S30 

A77 Radio frequency changed in error (e.g. to emergencyfrequency)

F9.5-

A78 UAV does not correctly comply with Airfield ATCprocedures: ground movement (clearance & direction);enter runway; take-off; climb out direction and finalheight; approach direction; circuit direction; runwayallocation; hold height & direction; landing clearance;exit runway clearance

F9.6-

A79 UAV does not correctly comply with en-route airspaceATC procedures: Climb / descend and final cruisingaltitude; heading change; hold position, height anddirection; diversion

F9.6-

A80 UAV complies with Airfield or En-route ATC procedureintended for another aircraft

F9.6C

A81 Unable to correctly broadcast emergency message:“Collision Avoidance Fail”; Data link fail"; "Mayday"

F9.7A-G

A82 Emergency broadcast made when none necessary F9.7D-F

A83 Inability to maintain correct, normal traffic separation ,i.a.w. Rules of the Air 'Right of Way'

F10.1-, F10.2-, F10.3- S34 

A84 Inability to carry out appropriate emergency evasivemanoeuvre for collision avoidance

F10.4A-D S34 

A85 Collision avoidance emergency evasion manoeuvrecarried out when not appropriate

F10.4C S44 

Page 169: Hazards of Uav

8/8/2019 Hazards of Uav

http://slidepdf.com/reader/full/hazards-of-uav 169/169

ID UAVS Hazard indicated Relating to UAVSFHA FunctionalFailures

Relating to SWIFT Comparable Hazard 

A86 UAV susceptibility to wake turbulence from otheraircraft

F10.4E S55 

A87 UAV inconspicuous to other aircraft by RF or visualmeans (all round visibility, or when viewed fromparticular aspects)

F10.5A-D S56 

A88 UAV resembles other aircraft types of different size orperformance

F10.5E