February 2007

NASA/TM-2007-214539

Preliminary Considerations for Classifying Hazards of Unmanned Aircraft Systems Kelly J. Hayhurst, Jeffrey M. Maddalon, Paul S. Miner, and George N. Szatkowski Langley Research Center, Hampton, Virginia Michael L. Ulrey The Boeing Company, Seattle, Washington Michael P. DeWalt Certification Services, Inc., East Sound, Washington Cary R. Spitzer AvioniCon, Williamsburg, Virginia

The NASA STI Program Office … in Profile

Since its founding, NASA has been dedicated to the advancement of aeronautics and space science. The NASA Scientific and Technical Information (STI) Program Office plays a key part in helping NASA maintain this important role.

The NASA STI Program Office is operated

by Langley Research Center, the lead center for NASA’s scientific and technical information. The NASA STI Program Office provides access to the NASA STI Database, the largest collection of aeronautical and space science STI in the world. The Program Office is also NASA’s institutional mechanism for disseminating the results of its research and development activities. These results are published by NASA in the NASA STI Report Series, which includes the following report types:

• TECHNICAL PUBLICATION. Reports of

completed research or a major significant phase of research that present the results of NASA programs and include extensive data or theoretical analysis. Includes compilations of significant scientific and technical data and information deemed to be of continuing reference value. NASA counterpart of peer-reviewed formal professional papers, but having less stringent limitations on manuscript length and extent of graphic presentations.

• TECHNICAL MEMORANDUM. Scientific

and technical findings that are preliminary or of specialized interest, e.g., quick release reports, working papers, and bibliographies that contain minimal annotation. Does not contain extensive analysis.

• CONTRACTOR REPORT. Scientific and

technical findings by NASA-sponsored contractors and grantees.

• CONFERENCE PUBLICATION. Collected papers from scientific and technical conferences, symposia, seminars, or other meetings sponsored or co-sponsored by NASA.

• SPECIAL PUBLICATION. Scientific,

technical, or historical information from NASA programs, projects, and missions, often concerned with subjects having substantial public interest.

• TECHNICAL TRANSLATION. English-

language translations of foreign scientific and technical material pertinent to NASA’s mission.

Specialized services that complement the STI Program Office’s diverse offerings include creating custom thesauri, building customized databases, organizing and publishing research results ... even providing videos. For more information about the NASA STI Program Office, see the following: • Access the NASA STI Program Home

Page at http://www.sti.nasa.gov • E-mail your question via the Internet to

help@sti.nasa.gov • Fax your question to the NASA STI Help

Desk at (301) 621-0134 • Phone the NASA STI Help Desk at (301)

621-0390 • Write to:

NASA STI Help Desk NASA Center for AeroSpace Information 7115 Standard Drive Hanover, MD 21076-1320

National Aeronautics and Space Administration Langley Research Center Hampton, Virginia 23681-2199

February 2007

NASA/TM-2007-214539

Preliminary Considerations for Classifying Hazards of Unmanned Aircraft Systems Kelly J. Hayhurst, Jeffrey M. Maddalon, Paul S. Miner, and George N. Szatkowski Langley Research Center, Hampton, Virginia Michael L. Ulrey The Boeing Company, Seattle, Washington Michael P. DeWalt Certification Services, Inc., East Sound, Washington Cary R. Spitzer AvioniCon, Williamsburg, Virginia

Available from: NASA Center for AeroSpace Information (CASI) National Technical Information Service (NTIS) 7115 Standard Drive 5285 Port Royal Road Hanover, MD 21076-1320 Springfield, VA 22161-2171 (301) 621-0390 (703) 605-6000

Acknowledgments The work documented in this report contains technical contributions from joint work between government and industry representatives participating in NASA’s Access 5 program. In particular, Robin Cahhal-Simpson from General Atomics, Jamie Ferensic from Northrop Grumman Corporation, and Paul Myer and Russell Morris from the Boeing Company contributed to discussions about classification of hazards for unmanned systems, and also contributed to conducting a preliminary functional hazard assessment of a generic unmanned aircraft system. Our thanks go to each of them for their contributions to this work.

iii

Table of Contents 1 INTRODUCTION ...................................................................................................................................................1 2 REGULATIONS GOVERNING DESIGN HAZARDS FOR MANNED AIRCRAFT.....................................2 3 DEFINING HAZARD CLASSIFICATIONS FOR A UAS .................................................................................5 4 APPLYING FUNCTIONAL HAZARD ASSESSMENT TO A UAS..................................................................9

4.1 FHA FUNDAMENTALS.......................................................................................................................................10 4.2 FAILURE CONDITIONS FOR A UAS ....................................................................................................................12 4.3 PHASES OF FLIGHT FOR A UAS .........................................................................................................................13

5 FUNCTIONAL DECOMPOSITION OF A GENERIC UAS............................................................................14 5.1 PURPOSE OF FUNCTIONAL DECOMPOSITION ......................................................................................................14 5.2 THE SAE ARP 4761 APPROACH TO FUNCTIONAL DECOMPOSITION ..................................................................14 5.3 UAS FUNCTIONAL DECOMPOSITION..................................................................................................................15

5.3.1 Low-level Function Template....................................................................................................................20 5.3.2 An Example of Low-level Functions..........................................................................................................21

6 FUNCTIONAL HAZARD ASSESSMENT OVERVIEW .................................................................................22 6.1 ASSIGNMENT OF FAILURE CONDITION SEVERITIES ...........................................................................................22 6.2 EXAMPLE FHA ENTRIES ...................................................................................................................................25

6.2.1 Example from the “Execute Flight Path Command” Function ...............................................................26 6.2.2 Example from the “Detect Air Traffic” Function ....................................................................................26 6.2.3 Example from the “Determine Contingency Command” Function .........................................................27

6.3 SUMMARY STATISTICS ......................................................................................................................................28 7 ELECTROMAGNETIC CONSIDERATIONS ..................................................................................................29

7.1 HIRF CONSIDERATIONS....................................................................................................................................30 7.2 SINGLE EVENT UPSET CONSIDERATIONS ..........................................................................................................30

8 SUMMARY............................................................................................................................................................31 9 REFERENCES ......................................................................................................................................................31 APPENDIX: UAS PRELIMINARY FUNCTIONAL HAZARD ASSESSMENT ..............................................35

iv

Acronyms AC Advisory Circular

AGT Air/Ground Transition

ARP Aerospace Recommended Practices

ATC Air Traffic Control

ATM Air Traffic Management

CCA Common Cause Analysis

CFR Code of Federal Regulations

C2 Command and Control

FAR Federal Aviation Regulations

FHA Functional Hazard Assessment

FP Flight Path

FTA Fault Tree Analysis

FMEA Failure Modes and Effects Analysis

FMES Failure Modes and Effects Summary

GP Ground Path

HIRF High Intensity Radiated Fields

NAS National Airspace System

PSSA Preliminary System Safety Assessment

SAE Society of Automotive Engineers

SEU Single Event Upset

SSA System Safety Assessment

UA Unmanned Aircraft

UAS Unmanned Aircraft System

US United States

Abstract

The use of unmanned aircraft in national airspace has been characterized as the next great step forward in the evolution of civil aviation. To make routine and safe operation of these aircraft a reality, a number of technological and regulatory challenges must be overcome. This report discusses some of the regulatory challenges with respect to deriving safety and reliability requirements for unmanned aircraft. In particular, definitions of hazards and their classification are discussed and applied to a preliminary functional hazard assessment of a generic unmanned system.

1 Introduction

Military interest in unmanned aircraft systems (UASs) dates back to the early 1900’s with the experimental development of the Curtiss/Sperry "Flying Bomb" in 1915 by the United States (US) Navy, and the US Army’s development of the Kettering "Bug" in 1918 (ref. 1, 2). From those humble beginnings, unmanned aircraft have become an integral component in military operations today. As of September 2004, some twenty types of unmanned aircraft, large and small, have flown over 100,000 total flight hours in support of military operations, especially in Afghanistan and Iraq (ref. 3). There is little doubt that unmanned aircraft are transforming military operations.

Buoyed by the success in the military sector, UAS vendors are looking to civil and commercial applications for their aircraft, especially applications characterized as dull, dangerous, or dirty. A wide-range of applications such as pipeline inspection, border control, fire fighting, agricultural management, communications relay, and air-freight operations seem ideally suited for unmanned aircraft. Many believe that the time is rapidly approaching when unmanned aircraft will be commonplace in our national airspace system (NAS), and that now is the time for the formulation of governing standards.

A comprehensive safety argument for unmanned aircraft will be necessary for formulating these standards. That safety argument will differ from that of conventional aircraft in at least two fundamental aspects. First, unlike manned aircraft, an unmanned vehicle1 can be lost without necessarily endangering any human life. Second, because the pilot is not on board the vehicle, reliance will be placed on automation to a much greater degree than in conventional aircraft—especially in unusual situations. The NAS already accommodates some degree of autonomous operation, as described by Hadden (ref. 4):

Except during take-off and the final stages of landing, the modern commercial aircraft is routinely being flown by computers, monitored by human pilots. The systems in the latest generation of commercial aircraft commonly have fault monitoring and diagnostic functions which can cope with many failure conditions without pilot intervention. Automatic landing including flare and ground roll has been commonplace for many years. When automation of the take-off segment of

1 The terms unmanned aircraft and unmanned vehicle are used interchangeably to refer specifically to an

air vehicle that does not have an on-board crew. For this paper, we are not considering such aircraft with passengers on board. Conversely, manned aircraft refers to an air vehicle that does have an on-board crew.

2

flight also becomes common it may be the norm for airliners to complete their missions without operation of the primary flying controls by a human pilot at any stage.

It is expected that automatic systems for civil aircraft will become ever more capable and demonstrate increasing reliability. As a consequence the severity of the effect of a flight crew becoming incapacitated whilst airborne will tend to diminish. Whilst the remoteness of the pilot/controller of a UAV raises major issues for aircraft operations in terms of air traffic management, compliance with the Rules of the Air etc, it can be seen that the regulatory process for airworthiness certification is already proven to be able to cope with high levels of automation.

Technological advances, such as reliable command and control, and sense and avoid capability, will play a key role in enabling access to civil airspace. Equally important, and perhaps more difficult, is development of the regulatory framework that will provide the guidance necessary to assure safety. This report focuses attention on one part of the regulations necessary for establishing the airworthiness of a UAS, namely standards for reliability and safety.

The broad issue, informally speaking, is: how reliable does a UAS need to be to operate routinely and safely in civil airspace? Does such a system need to meet the most stringent reliability requirements, such as those levied on commercial transport (Part 25) aircraft? Or, is comparison with general aviation aircraft (Part 23) more appropriate? Answering these questions for a UAS is non-trivial. Unmanned aircraft in operation today range in size from vehicles capable of being hand-launched to vehicles with a wingspan comparable to transport aircraft, with fixed and rotary wings, and with radically different altitude and endurance capabilities. This report does not attempt to answer the reliability question associated with each distinct type of aircraft, but instead covers a few fundamental underpinnings of reliability and safety requirements that will be needed to eventually provide an answer. This report presents initial thinking about definitions of hazards and their classification for UASs, and how those definitions could be applied in a functional hazard assessment of a UAS. This work is preliminary and intended to encourage debate and discussion.

This report is organized as follows. Section 2 provides a brief overview of existing airworthiness guidance for manned aircraft with respect to regulating hazards. Section 3 discusses how terminology used to identify and classify hazards may be adapted for a UAS. In particular, new definitions for hazard classifications are proposed. Next, section 4 describes the hazard assessment process used in civil aviation, and how that process may be tailored to address unique aspects of a UAS. A functional decomposition of a generic UAS is described in section 5. The decomposition is an organized listing of the high-level functions required for the safe and routine flight of a generic UAS. This functional decomposition is used for conducting a preliminary functional hazard assessment (FHA), that is the subject of section 6. Because of its size, the FHA is included as an appendix. Section 7 provides preliminary thoughts on environmental protection from high intensity radiated fields and single event upset. Finally, a summary and concluding remarks are given in section 8.

2 Regulations Governing Design Hazards for Manned Aircraft

An intricate system of rules and regulations governs the design and operation of aircraft within the NAS. Title 14 of the Code of Federal Regulations (14 CFR, Chapter I) contains the Federal Aviation Regulations (FARs) (ref. 5) for the certification process for various product types: FAR Part 25 for large transport airplanes, FAR Part 23 for small airplanes, FAR Part 27 for small

3

helicopters, FAR Part 29 for large transport helicopters, FAR Part 31 for manned free balloons, and FAR Parts 33 and 35 for engines and propellers, respectively. The regulations promote safety of flight by setting minimum standards for the design, materials, workmanship, construction, and performance of aircraft, aircraft engines, and propellers as may be required in the interest of safety.

Current regulations define no category of aircraft that would apply rationally or completely to UAS design and certification. A reasonable assertion from which to start developing such regulations is that unmanned aircraft should pose no greater risk to persons or property in the air or on the ground than that presented by equivalent manned aircraft (ref. 4). Working from that assertion, two related issues come into play: hazard classification and likelihood of failure. Both are factors in evaluating risk.

FAR Sections 23.1309 and 25.1309 deal with hazards to equipment, systems, and installations. The regulations require justification that all probable failures or combinations of failures of any system will not result in unacceptable consequences. The justification is typically in the form of analysis that shows that the probability of a failure or combination of failures which could cause a significant hazard is acceptably low. The FAA recognizes five hazard categories: catastrophic, hazardous, major, minor, and no effect. Figure 1 shows the general relationship expected between likelihood of failure and the hazard categories (ref. 6).

Figure 1. Relationship Between Likelihood of Failure and Hazard Category

For decades, there was no formal distinction in treatment of hazards among aircraft types. For example, prior to 1999, single-engine general aviation aircraft were subject to virtually the same regulatory considerations as large jet transports with respect to definitions of allowable hazards (ref. 7). In 1999, however, the FAA acknowledged that imposing the same standards on transport and general aviation aircraft was inconsistent with the actual risks. That acknowledgement was

Minor Major Hazardous Catastrophic

Severity of Failure Condition Effects

Pro

babi

lity

of F

ailu

re C

ondi

tion Probable

Remote

Extremely Remote

Extremely Improbable

Unacceptable

Acceptable

4

made in FAA Advisory Circular (AC) 23.1309-1C (ref. 6), that redefined many risks for small aircraft. As stated in AC 23.1309-1C,

Incorporation of [standards developed for transport airplanes] into Part 23 resulted in a significant increase in equipment reliability standards. That is, they required much lower probability values for failure conditions than the existing operational safety history of different airplane classes. Current data indicates that these probability values were not realistic. Since most aircraft accidents are caused by something other than equipment failures, increasing the reliability of the installed systems to try to improve safety will have little positive effect on reducing aircraft accidents when compared with reducing accidents due to pilot error.

In accord with this, AC 23.1309-1C established a multi-tiered certification approach for four different classes of Part 23 aircraft: the smallest craft having a single piston engine to the largest being a multiengine commuter jet. Different criteria for probability of failure per flight hour were prescribed for each class, based on historical evidence from the airline industry’s existing safety record. Table 1 compares current requirements for hazard probabilities between Part 23 and other FAR Parts. The probability numbers in table 1 represent only random hardware failures per flight hour.

Table 1. Relationship of Hazard Categories to Probability of Failure for Different Categories of Aircraft

Hazard Classification Requirements for Probability of Failure Per Flight Hour

Part 23 Parts 25, 27, 29, and 33 Catastrophic 10-6 to 10-9, plus no single

functional failure 10-9, plus no single functional failure

Hazardous 10-5 to 10-7 10-7 Major 10-4 to 10-5 10-5 Minor 10-3 >10-5 No Effect None None

FAA AC 23.1309-1C explains the rationale for these probability numbers for Part 23 aircraft as follows:

Historical evidence indicates that the probability of a fatal accident in restricted visibility due to operational and airframe-related causes is approximately one per ten thousand hours of flight for single-engine airplanes under 6,000 pounds. Furthermore, from accident databases, it appears that about 10 percent of the total was attributed to Failure Conditions caused by the airplane’s systems. It is reasonable to expect that the probability of a fatal accident from all such Failure Conditions would not be greater than one per one hundred thousand flight hours or 1 x 10-5 per flight hour for a newly designed airplane. It is also assumed, arbitrarily, that there are about ten potential Failure Conditions in an airplane that could be catastrophic. The allowable target Average Probability Per Flight Hour of 1 x 10-5 was thus apportioned equally among these Failure Conditions, which resulted in an allocation of not greater than 1 x 10-6 to each. The upper limit for the Average Probability per Flight Hour for Catastrophic Failure Conditions

5

would be 1 x 10-6, which establishes an approximate probability value for the term “Extremely Improbable.” Failure Conditions having less severe effects could be relatively more likely to occur. Similarly, airplanes over 6,000 pounds have a lower fatal accident rate; therefore, they have a lower probability value for Catastrophic Failure Conditions.

A similar derivation is given for the probabilities assigned for commercial transport aircraft (ref. 8), except that the probability of a fatal accident due to airplane system failures is assumed to be less than 10-7, with approximately 100 potential failure conditions that could be catastrophic, and a mean flight duration of one hour—giving the 10-9 per flight hour requirement. This derivation becomes problematic for a UAS because little relevant historical data exists on failure of unmanned aircraft in civil applications2. Existing data from military operations (ref. 9) indicates that UAS reliability is about two orders of magnitude worse than the aircraft with the worst documented reliability, namely Part 23 Class 1 aircraft. Introducing a UAS with such low reliability into the NAS has the potential for creating unacceptable hazards.

Assuming that the public will expect new aircraft systems to be no more dangerous than current systems, specifically that a UAS should pose no greater risk than that presented by equivalent manned aircraft, then understanding potentially catastrophic failure conditions of a UAS becomes important to establishing system reliability requirements. But, what does catastrophic failure mean for a UAS? Answering this question for a UAS will help set the stage for airworthiness requirements, as well as system design and equipment requirements.

The next section examines terminology for describing failure conditions for a UAS.

3 Defining Hazard Classifications for a UAS

Hazard categories are defined in a number of regulatory documents. For example, the FAA System Safety Handbook (ref. 10) contains a general set of definitions, AC 23.1309-1C offers definitions specific for Part 23 aircraft, and AC 25.1309-1A (ref. 11) offers definitions for transport aircraft. The various definitions are similar, but not exactly the same. For the purposes of this paper, AC 23.1309-1C was chosen as a model for developing regulatory wording for hazards associated systems and equipment for a UAS. This choice was made, at least in part, because many unmanned aircraft of interest are similar in weight and performance characteristics to Part 23 aircraft. Also, it was assumed that definitions for UASs would more likely gain acceptance if they were similar to existing definitions. Hence, the work here in defining hazard classifications for a UAS started with the definitions of the five hazard classifications from AC 23.1309-1C, as shown in table 2.

The fundamental distinction for unmanned aircraft, of course, is that there are no people on board the aircraft. Hence, one approach to revising the definitions specific to UASs would be to delete references to the on-board flight crew and occupants. Although this may seem reasonable at first, this approach would obfuscate important collateral issues. One such issue is that regulations which aim to protect aircraft occupants by preventing crashes might also protect third parties (people in other aircraft and people on the ground). Most safety analyses, however, do not address this fully. Another issue concerns mitigating hazards. In conventional aircraft, the on-board pilot is willing and able to minimize or eliminate hazards to other aircraft or persons or property on the ground. That ability may be significantly different for a remote or autonomous pilot. Revised hazard definitions for UASs should consider these distinctions.

2 There may be a small amount of data on civilian-like missions such as surveillance operations conducted

by the Coast Guard. But, the context is insufficiently similar to be useful.

6

The definitions for hazard categories actually start with a definition of failure conditions, which include the specific definition of the terms catastrophic, hazardous, major, minor, and no safety effect. AC 23.1309-1C gives the following definition:

Failure Conditions: A condition having an effect on either the airplane or its occupants, or both, either direct or consequential, which is caused or contributed to by one or more failures or errors considering flight phase and relevant adverse operational or environmental conditions or external events. Failure Conditions may be classified according to their severity as follows: [as shown in table 2].

Table 2. Definitions of Hazard Categories for Part 23 Aircraft

No Safety Effect: Failure Conditions that would have no affect [sic]on safety (that is, Failure Conditions that would not affect the operational capability of the airplane or increase crew workload) Minor: Failure Conditions that would not significantly reduce airplane safety and involve crew actions that are well within their capabilities. Minor Failure Conditions may include a slight reduction in safety margins or functional capabilities, a slight increase in crew workload (such as routine flight plan changes), or some physical discomfort to passengers or cabin crew. Major: Failure Conditions that would reduce the capability of the airplane or the ability of the crew to cope with adverse operating conditions to the extent that there would be

a significant reduction in safety margins or functional capabilities; a significant increase in crew workload or in conditions impairing crew efficiency; or a discomfort to the flight crew or physical distress to passengers or cabin crew, possibly including injuries.

Hazardous: Failure Conditions that would reduce the capability of the airplane or the ability of the crew to cope with adverse operating conditions to the extent that there would be the following:

1. A large reduction in safety margins or functional capabilities; 2. Physical distress or higher workload such that the flight crew cannot be relied upon to perform their tasks

accurately or completely; or 3. Serious or fatal injury to an occupant other than the flight crew.

Catastrophic: Failure Conditions that are expected to result in multiple fatalities of the occupants, or incapacitation or fatal injury to a flight crewmember normally with the loss of the airplane. Notes: (1) The phrase “are expected to result” is not intended to require 100% certainty that the effects will always be catastrophic. Conversely, just because the effects of a given failure, or combination of failures, could conceivably be catastrophic in extreme circumstances, it is not intended to imply that the failure condition will necessarily be considered catastrophic. (2) The term “Catastrophic” was defined in previous versions of the rule and the advisory material as a Failure Condition that would prevent continued safe flight and landing.

Revising the definition of “failure condition”, without the classification definitions, is relatively simple. For this particular term, removing the reference to occupants and replacing “airplane” with “UAS” are easy modifications. It is important to keep in mind that by UAS, we mean all essential systems for safe flight including the aircraft itself, any external components of the system, such as a ground control station, and the command, control, and communication links between the external components and the aircraft. With that in mind, a failure condition for a UAS could be defined as: a condition having an effect on the UAS, either direct or consequential, which is caused or contributed to by one or more failures or errors considering flight phase and relevant adverse operational or environmental conditions or external events.

Modifying the definitions for each hazard classification is more challenging, especially the definition for catastrophic. For this study, we made two assumptions: (1) the severity classifications used for a UAS should be consistent with those used for manned aircraft, and (2) changes to existing definitions should be minimized as much as possible. To that extent, the considerations for revising the definitions included thinking about the effects of failure on three entities: the UAS itself, the flight crew of the UAS (which likely resides in a ground control

7

station), and third parties (any people external to the UAS either on the ground or in other aircraft). These three considerations are comparable to those in AC 23.1309-1C for the effects of failure on the airplane, flight crew, and occupants.

Most of the proposed changes to the definitions deal with references to passengers and cabin crew. One change is to use the term “flight crew” in place of “crew”. Here, the term “flight crew” is defined as individuals authorized to command and control the UAS. Although the flight crew for a UAS would likely be located in a ground control station, issues of workload and physical distress, injury, incapacitation, or death are still relevant. Implicit in this discussion is the assumption that a person or persons are responsible for control of the vehicle—completely autonomous vehicles are not considered. Table 3 shows proposed changes to the original AC 23.1309-1C definitions in table 2 for all of the hazard categories, except catastrophic. Additions to the AC 23.1309-1C definitions are indicated in bold italics font, and deletions are indicated by striking through the original text.

Table 3. Proposed Revisions to the Definitions of Four Hazard Categories

No Safety Effect: Failure Conditions that would have no effect on safety (that is, Failure Conditions that would not affect the operational capability of the airplane or increase flight crew workload). Minor: Failure Conditions that would not significantly reduce airplane UAS safety and involve flight crew actions that are well within their capabilities. Minor Failure Conditions may include a slight reduction in safety margins or functional capabilities or a slight increase in flight crew workload (such as routine flight plan changes). or some physical discomfort to passengers or cabin crew. Major: Failure conditions that would reduce the capability of the airplane UAS or the ability of the flight crew to cope with adverse operating conditions to the extent that there would be:

a significant reduction in safety margins or functional capabilities;

a significant increase in flight crew workload or in conditions impairing flight crew efficiency;

a discomfort to the flight crew, or physical distress to passengers or cabin crew, possibly including injuries; or a potential for physical discomfort to persons

Hazardous: Failure Conditions that would reduce the capability of the airplane UAS or the ability of the flight crew to cope with adverse operating conditions to the extent that there would be the following:

1. A large reduction in safety margins or functional capabilities;

2. Physical distress or higher workload such that the UAS flight crew cannot be relied upon to perform their tasks accurately or completely; or

3. Serious or fatal injury to an occupant other than the flight crew. Physical distress to persons, possibly including injuries.

Revising the definition of catastrophic failure posed more of a challenge. A unique concern for a UAS, especially within the FAA, is the persistent loss of the ability to control the flight path of the aircraft. The worst case assumption is that loss of the aircraft will normally follow at some point after permanent loss of control. Unmanned aircraft have the unique ability to potentially provide controlled loss of the aircraft, without loss of life; for example, controlled flight termination at a pre-designated crash location. The key factor is control, without which no guarantees can be made about safe flight termination.

Because FAA recognizes the seriousness of lost-link situations, current authorizations for a UAS to fly under a Certification of Authorization (ref. 12) or Experimental Certificate predominantly limit operations to unpopulated areas, and, in many cases, require airspace

8

restrictions to reduce potential interference of UAS with other aircraft. Procedures are typically put in place such that “should loss of link occur, the UAS pilot must immediately alert air traffic control (ATC) and inform the controllers of the loss of control link. Information about what the aircraft is programmed to do and when it is programmed to do it is pre-coordinated with the affected ATC facilities in advance of the flight so that FAA can take the appropriate actions to mitigate the situation and preserve safety.” (ref. 13)

With these thoughts in mind, the following revised definition for “catastrophic” was proposed:

Catastrophic: Failure conditions that are expected to result in multiple fatalities of the occupants, or incapacitation or fatal injury to a flight crewmember normally with the loss of the airplane. one or more fatalities or serious injury to persons, or the persistent loss of the ability to control the flight path of the aircraft normally with the loss of the aircraft. Notes: (1) The phrase “are expected to result” is not intended to require 100% certainty that the effects will always be catastrophic. Conversely, just because the effects of a given failure, or combination of failures, could conceivably be catastrophic in extreme circumstances, it is not intended to imply that the failure condition will necessarily be considered catastrophic. (2) The term “Catastrophic” was defined in previous versions of the rule and the advisory material as a Failure Condition that would prevent continued safe flight and landing.

In addition to the definitions of severity levels, the advisory circular provides additional

guidance about the relationship between the severity levels and the effects of failure on the airplane, flight crew, and occupants. Some changes to that guidance are essential for a UAS. Table 4 shows the relationships specified in AC 23.1309-1C, with proposed changes highlighted. Additions to the original text are indicated in bold italics font, and deletions are indicated by striking through the text.

Table 4. Relationship Between Severity Levels and Effects for a UAS

Classification of Failure Conditions

No Safety Effect

Minor Major Hazardous Catastrophic

Effect on Airplane UAS

No effect on operational capabilities or safety

Slight reduction in functional capabilities or safety margins

Significant reduction in functional capabilities or safety margins

Large reduction in functional capabilities or safety margins

Normally with hull loss uncontrolled loss of aircraft

Effect on Occupants

Inconvenience for passengers

Physical discomfort for passengers

Physical distress to passengers, possibly including injuries

Serious or fatal injury to an occupant

Multiple fatalities

Effects External to UAS

No effect

No effect

Potential for physical discomfort

Physical distress, possibly including injuries

Potential for one or more fatalities and/or severe injuries

Effect on UAS Flight Crew

No effect on flight crew.

Slight increase in workload or use of emergency procedures

Physical discomfort or a significant increase in workload

Physical distress or excessive workload impairs ability to perform tasks

Fatal injury or incapacitation

One obvious change involves modifying the guidance for the effect on airplane to be guidance for the effect on UAS. As shown in table 4, the effect on UAS is very similar to the effect on airplane, except that catastrophic failure for a UAS is concerned with uncontrolled hull loss. An

9

uncontrolled hull loss, for example, may result from a permanent lost-link situation. On the other hand, the automatic destruction of the UAS, in a safe circumstance, or controlled flight into a designated crash location may be considered examples of acceptable controlled hull loss.

The effect on flight crew is proposed to be the same, regardless of whether the flight crew supports a manned or unmanned aircraft. However, for unmanned aircraft, the effect on flight crew may not necessarily be tightly coupled with the effect on a UAS. For example, a system failure with a catastrophic consequence to the UAS, may not be catastrophic for the flight crew, although that would likely be the case with a manned aircraft. For example, an uncontrolled loss of a UAS would not likely cause fatal injury or incapacitation to the ground crew. On the other hand, hazards limited to the ground station, such as a fire, may have catastrophic consequences for the crew, but not for the vehicle.

The final change is that guidance for effect on occupants was deleted, and new guidance for effects external to a UAS was added. This new row considers the potential effect of a failure to persons on the ground or in other aircraft. The effects specified here are specific to physical discomfort, injury or death to third parties. As shown in table 4, the severity of each potential effect has been increased with respect to third parties, as compared with the effect on occupants. For example, potential for physical discomfort is considered to be major for third parties, but only minor for aircraft occupants. The rationale for increasing the severity is that the third parties are, in effect, innocent bystanders, whereas aircraft occupants assumed some level of risk by boarding the aircraft.

Table 4 does not include guidance about effects on air traffic management (ATM). Such guidance is not included in AC 23.1309-1C. But, considering the potential effect on ATM may be worthwhile because unmanned aircraft may increase demand on various elements of the civil ATM system, particularly surveillance and communications. Ideally, we would not want unmanned aircraft to place a burden on the system greater than the burden imposed from an equivalent number of manned aircraft. “In essence, the function of maintaining safe separation, passing instructions and providing efficient tactical management of traffic flow should be no more labour intensive, or less safe.” (ref. 14) This may require the adaptation of additional forms of safety analysis such as described in RTCA DO-264, Guidelines For Approval Of The Provision And Use Of Air Traffic Services Supported By Data Communications, (ref. 15) to supplement the traditional aircraft oriented techniques. For the purposes of this report, however, only aircraft oriented techniques are explored.

It is important to note that the hazard definitions presented in this section are intended to be a starting point for thinking about the effects of failures. Further modifications will likely be warranted as potential UAS failures and their effects are better understood.

4 Applying Functional Hazard Assessment to a UAS

Given a starting set of hazard definitions, a next step is to see how they might apply in the assessment of UAS hazards. Functional hazard assessment (FHA) is a systematic, comprehensive examination of functions to identify and classify failure conditions of those functions according to their severity. SAE ARP 4761 (ref. 16) provides guidance for the FHA process used in civil aviation.

10

According to SAE ARP 4761, the FHA process:

• provides the top-level design criteria for a system

• determines the depth of further analysis

• allows for derivation of the system architecture

• is independent of hardware and software

The FHA process, in general, is intended to be iterative and becomes more defined and fixed as a system evolves. The output of the FHA is an identification of the potential failure modes, associated hazards, and their criticalities. This output is the starting point for the generation and allocation of safety requirements of a system.

Some special considerations are worth noting when applying FHA to a UAS. Traditional FHA for manned aircraft is concerned with the functions on board the vehicle and its systems. For a UAS, functions integral to safe operation, such as command and control functions resident with a remote pilot, may not necessarily reside on the vehicle. An FHA of a UAS should include all functions integral to the safe operation of the vehicle, regardless of where those functions reside. Though, where a function resides may affect the possible failure conditions and their consequences and severities.

It is also worth noting that the functions described in our FHA process were for a generic UAS, as opposed to a specific UAS platform. Although there is considerable variation among UAS platforms, there presumably is a core set of functions that most aircraft, including unmanned aircraft, will need to operate routinely and safely within the NAS. For this study, we used colloquial tenets of piloting; namely, to fly the plane (aviate), fly it in the right direction (navigate), and, state your condition or intentions to other people (communicate) to provide a rudimentary framework for organizing functions of a UAS. A fourth category, mitigate hazards, was also added to the framework. This category is intended to capture those actions necessary to (1) stay clear of hazards, including other air traffic, flight or ground path obstructions, and adverse weather conditions, and (2) manage contingency situations that may arise. Managing contingencies (or mitigate in general) is not typically specified as a separate function for manned aircraft, but is included as part of other functions. This category was included here to highlight a class of functions that are performed implicitly by the on-board pilot in a manned aircraft, but may be performed by automation in a UAS. As such, new hazards may arise. The core set of functions used in our FHA is given in a functional decomposition of the generic UAS discussed in the next section.

A final consideration worth noting relates to the types of hazards applicable to a UAS. For manned aircraft, hazards associated with the safety of the crew and passengers are the primary concern. For a UAS, hazards involving impact with people or property on the ground and impact with other aircraft are the primary concern. Reliance on a remote pilot, as well as on-board automation, also introduces different considerations for failure conditions.

In this section, fundamental aspects of the FHA process are described in brief, along with specific tailoring of the process to accommodate unique aspects of unmanned aircraft.

4.1 FHA Fundamentals

The FHA process described in this report is based on the safety assessment methodology specified in SAE ARP 4761. Figure 2 shows a top-level view of the system safety assessment process described in that document. For this project, the “Aircraft FHA” shown in figure 2 is actually a “UAS FHA”.

11

Figure 2. System Safety Assessment Processes from SAE ARP 4761

According to SAE ARP 4761, the objectives of the FHA are to consider functions at the most appropriate level and to identify failure conditions and the associated classifications while considering both loss of functions and malfunctions. The FHA should identify the failure conditions for each phase of flight when the failure effects and classifications vary from one flight phase to another. The FHA should also establish derived safety requirements needed to limit the function failure effects which affect the failure condition classification. The safety requirements may include such things as design constraints, annunciation of failure conditions, or recommended flight crew or maintenance actions.

The FHA process is a top down approach for identifying the functional failure conditions and assessing their effects. This assessment proceeds through the following steps:

a. identifying all functions associated with the system under study (given in this report in the functional decomposition)

b. identifying and describing failure conditions associated with these functions, considering single and multiple failures in normal and degraded environments

c. determining the effects of the failure condition

The essential prerequisite for conducting an FHA is a description of the high level functions of the system. For this study, those functions were captured in the UAS functional decomposition presented in Section 5. This functional decomposition was based on functional requirements for a generic UAS as specified in a functional requirements document developed under NASA’s Access 5 program (ref. 17). It is important to note that a preliminary FHA is performed before the functions have been allocated to equipment, procedures or people; that is, it considers what

SSA

Aircraft FHA - Functions - Hazards - Effects - Classifications

System FHA- Functions - Hazards - Effects - Classifications

Aircraft FTAs - Qualitative - System Budgets - Intersystem Dependencies

PSSA

System FTAs- Qualitative - Failure Rates

CCAParticular Risk Analyses

Common Mode Analyses

Zonal Safety Analyses

Safety Assessment Processes

System FTAs- Qualitative - Subsystem Budgets

SystemFMEAs/FMES

CCA: Common Cause Analysis FTA: Fault Tree Analysis FMEA: Failure Modes and Effects Analysis FMES: Failure Modes and Effects Summary PSSA: Preliminary System Safety

Assessment SSA: System Safety Assessment

12

the proposed system will do, rather than how the functions may be implemented. Preliminary FHA results can be used to support function allocation.

Other aspects of the UAS are important to the FHA process in addition to the functions themselves. These aspects include a description of operational scenarios (how the system will be used and in what environment) and relevant regulatory policy and guidance. For this project, much of that information is given in the Access 5 Concept of Operations (ref. 18). The final output of the FHA process is a comprehensive description of the system to be assessed. Here, that description is mostly embodied in the functional decomposition.

Once the system functions are defined, the next step is to identify possible failure modes or conditions for each function, and what the consequences of those failures might be. Hazards are the results of failures within the system, the combination of failures and interactions with other systems, and external events in the operational environment. To identify potential hazards, it is necessary to consider the various ways each individual function of the system can fail (that is the failure mode). Given each failure mode, the consequence of that failure should be described. Consequences of failures may include effects on the functional capability of the UAS, air traffic management operations, and the operator; e.g., workload. Figure 3 shows the template used in this project for documenting the functions, failure conditions, their consequences, and criticality classification.

Figure 3. FHA Template

Record # Function Flight Phase

Failure Conditions

Operational Consequences

Criticality Remarks

Much of the FHA process as described in SAE ARP 4761 can be applied directly to assessment of a UAS. A few areas, however, need special consideration due to the unique aspects of a UAS, namely, failure conditions and phases of flight.

4.2 Failure Conditions for a UAS

Two approaches to enumerating failure conditions of a UAS were considered. The first approach is shown in the appendix of AC 23.1309-1C, and the second approach is taken from examples in SAE ARP 4761. The example FHA for Class I general aviation aircraft in Appendix A of AC 23.1309-1C identifies failure conditions in three categories: (1) total loss of function, (2) loss of primary means of providing function, and (3) misleading and/or malfunction without warning. Implicit in the example FHA is that the pilot is ultimately responsible for redundancy management. That is, the pilot appears to be responsible for managing the switch between primary and secondary functions. This view of the system also implicitly assumes a systems architecture that may not adequately capture the complexities of highly automated UAS.

SAE ARP 4761 takes a slightly broader approach to failure conditions, identifying failure conditions specific to a single abstracted aircraft function. In an example from Appendix L of that document, failure conditions for the function “Decelerate Aircraft on Ground” are as follows:

• Loss of all deceleration capability • Reduced deceleration capability • Inadvertent deceleration • Loss of all auto stopping features • Asymmetrical deceleration

13

These failure conditions reveal an implied classification: there are two different cases of function degradation, and two types of malfunction. None of these failure conditions is architecture specific (except perhaps for the existence of an “auto stopping” capability).

For the preliminary UAS FHA, the functional failure conditions were listed in a manner similar to the example given in Appendix L of SAE ARP 4761. The functional failure condition classification considered the following potential effects of failures on function capabilities:

• Total loss of function

– Detected and undetected

– Example includes: loss of all deceleration capability

• Partial loss of function/degraded functional capability

– Detected and undetected

– Generic and specific

– Examples include: reduced deceleration capability (generic loss), loss of all auto stopping features (specific loss), loss of accuracy for navigation information, and reduced control authority

• Malfunction (including misleading information)

– Detected and undetected

– Generic and specific

– Examples include: inadvertent deceleration (specific malfunction), asymmetric deceleration (specific malfunction), asymmetric thrust, unintended control action (e.g., in-flight thrust reversal), and persistent offset from correct navigation information

As in the SAE ARP 4761 example, some functions may have several types of degradation and

several potential malfunctions. Consequently, each function may have several rows in the FHA, and different functions may have a different number of failure conditions to consider than other functions. In the FHA, each row identifies some degradation of function combined with flight phase and degree of system knowledge about the failure, and a specific hazard classification (i.e., minor, major, hazardous, or catastrophic).

4.3 Phases of Flight for a UAS

The last aspect of the FHA process worth mentioning is the phase of flight when a failure occurs. In some cases, a particular function may be used throughout the entire flight; while in other cases a function may only be used during one phase of flight. According to SAE ARP 4761, “the FHA should identify the failure conditions for each phase of flight when the failure effects and classifications vary from one flight phase to another.” In some cases, the phase of flight for a particular function may be “all” if the same failure conditions are consistent throughout all flight phases.

A typical FHA includes common phases of flight such as taxi, take-off, climb, enroute, approach, and landing. For the purposes of this study, only those failure conditions relevant to the enroute phase of flight were considered, due specifically to time limitations on the project. Follow-on work might consider extending the FHA for the other phases of flight.

An interesting phase of flight to consider for future work, and one that might be unique to a UAS, is loitering. A number of potential commercial applications involve this phase of flight

14

where the UAS remains within a relatively small local area for an extended period of time. It may be worthwhile to examine whether there are any unique failure conditions to be considered in a loitering phase of flight.

The next section covers the functional description of a generic UAS and the process used for organizing the functions.

5 Functional Decomposition of a Generic UAS

For this study, a functional decomposition refers to a hierarchical organization of all the functions of a system. A simple tree structure is used to represent the basic relationship between the functions. The decomposition proceeds from the top (in our case, UAS) to various levels of functions. When decomposing functions, it is not always obvious when to stop. Following the guidance in AC 23.1309-1C, the decomposition continues until “the lowest defined level of a specific action…that, by itself, provides a complete operational capability” is reached. There are several key points in this criteria. One is that a function refers to a specific action. There are many legitimate requirements that are not functions. For instance, a UAS may be required to comply with certain FARs, but this is not a function because a function must perform some action. Another point is that functions must include a complete operational capability. This means that a function must be observable at the operational level. The effect of this is that the functional decomposition cannot proceed indefinitely. For example, the calculation of navigation accuracy violations is not, by this definition, a function. Conveying navigation state to the flight crew is a function because it is observable at the operational level. In addition, the guidance of SAE ARP 4754 (ref. 19) states that a function includes its interface (human or machine).

5.1 Purpose of Functional Decomposition

Hazard analysis is used to answer questions about the safety of a system. These analyses presume that if all hazards have been adequately addressed, then the system will be safe. Therefore, a major issue with hazard analyses is ensuring that all hazards have been captured. The basic technique used to ensure coverage is one of partitioning the hazards.

The FHA approach, described throughout this document, first partitions the system into functions, then assesses the hazards associated with each function. Because functions have a smaller scope than the system as a whole, it is assumed that if all hazards for all functions have been captured, then all hazards for the system have been captured3. If all hazards for each identified function have been addressed, the question then arises, have all the functions been identified?

The functional decomposition attempts to answer this question. The functional decomposition is a structured way to identify all functions in the system. As should be expected, the functional decomposition is not guaranteed to identify all functions, but it is a tool to help that effort.

5.2 The SAE ARP 4761 Approach to Functional Decomposition

Examples in SAE ARP 4761 served as a model for separating the functions of a system. Figure 4 shows the SAE ARP 4761 view of a functional decomposition.

3 The validity of this assumption should not be taken for granted. It is typically very hard to identify

hazards that arise from situations where there are small deviations from expected behavior.

15

Figure 4. Example Function Decomposition from SAE ARP 4761

Figure 4 provides a guide for the granularity of the functions in a functional decomposition. The notation in this figure is as follows: the boxes followed by diamonds indicate that the decomposition of that function continues, but is not shown; boxes followed by a circle indicate the lowest level functions that cannot be decomposed further. In this example, actions such as controlling thrust, controlling flight path, and determining orientation are relatively high-level actions that can be refined further, whereas the function “decelerate aircraft on the ground” is the lowest level action that is operationally visible and is not decomposed further.

The process described in SAE ARP 4761 assumes that the functional decomposition is for a specific vehicle. For this example, decelerating aircraft on the ground is the lowest-level operational action. On other aircraft, there may be multiple ways for pilots to decelerate the aircraft on the ground such as braking, parachute, or thrust reversers. For this alternate vehicle, “decelerate aircraft on the ground” would not be the lowest-level action and this function would need to be decomposed further.

The functional decomposition presented here is intended to be as generic as possible, while capturing the significant functions necessary for safe flight of any UAS. A number of aircraft function lists from major transport and general aviation aircraft venders were reviewed in the development of the decomposition to provide a check for consistency and completeness of the function list. Because of the wide variation in UAS types and operations, no single functional decomposition of a UAS can possibly cover the range of functions of all vehicles. The functional decomposition in this report leans more towards those unmanned aircraft that are similar to conventional transport or general aviation aircraft.

5.3 UAS Functional Decomposition

The full functional decomposition is relatively large, with 69 functions at the lowest level under the major functions of aviate, navigate, communicate, and mitigate. Figure 5 shows a top level view of these functions.

1st

2nd

Aircraft

Control Thrust

Control Flight Path

DetermineOrientation

Determine Position & Heading

Control Aircraft on the Ground

Control CabinEnvironment

Determine Air/Ground Transition

Decelerate Aircraft

on the Ground

Control Aircraft Direction on the Ground

…

16

Figure 5. Top-level of the Functional Decomposition

Aviate includes not only actions involved in flying the aircraft, but also actions for moving the aircraft on the ground, providing command and control, and managing sub-systems. Navigate includes actions involved in the management and execution of a flight plan. Communicate provides functionality for the communication between the UAS, ATC and other aircraft. All actions associated with the command and control link to the vehicle are contained within the Aviate category. Mitigate includes actions such as avoiding traffic, avoiding ground objects, avoiding weather or other types of environmental effects, and handling contingencies. The motivation for this particular top-level decomposition is to capture, as a category, each of the basic actions that pilots perform in a manned aircraft.

The Mitigate function is not typically included as a top level aircraft function. The common saying is that when pilots are taught to fly, they are taught to aviate, navigate, and communicate. By explicitly calling out a mitigate function, the hope was to capture a category of functions that in many aircraft are performed by the pilot, but will likely be performed by automation in a UAS. To help ensure these functions are adequately emphasized for discussion and debate, the Mitigate category was created. Figures 6 through 11 give the complete decomposition under each of the four major functions.

1. Aviate 2. Navigate 3. Communicate 4. Mitigate

1.1 Control flight path

1.5 Control UAS subsystems

1.4 Command and control between control

station and UAS

1.3 Control air/ground transition

1.2 Control ground path

2.1 Convey navigation state

2.4 Determine navigation command

status

2.3 Produce navigation command

2.2 Determine navigation intent

3.1 Broadcast info to ATC and other aircraft

3.2 Receive info from ATC and other aircraft

4.1 Avoid collisions

4.3 Manage contingencies

4.2 Avoid adverse environmental conditions

UAS

17

Figure 6. Aviate Functions

1. Aviate

1.1 Control flight path (FP)

1.2 Control ground path

(GP)

1.3 Control air/ground

transition (AGT)

1.3.1 Convey AGT state

1.1.1 Convey FP state

1.2.1 Convey GP state

1.4 Command & control between

control station and UAS

1.4.1 Maintain command & control during all phases of

flight

1.4.2 Prevent unauthorized access

to command & control

1.1.2 Determine guidance command

1.1.3 Produce FP command

1.1.4 Execute FP command

1.1.5 Convey FP command

status

1.2.2 Determine

ground intent

1.2.3 Produce GP command

1.2.4 Execute GP command

1.2.5 Convey GP command

status

1.3.2 Determine AGT intent

1.3.3 Produce AGT command

1.3.4 Execute AGT command

1.3.5 Convey AGT command

status

1.4.3 Prioritize command & control data

1.5 Control UAS subsystems

1.5.1 Control power subsystems (hydraulic /electrical)

1.5.2 Control fire suppression subsystem

1.5.3 Control center of gravity

1.5.4 Control environment

inside the UAS

1.5.5 Monitor and record UAS state

data

18

Figure 7. Navigate Functions

Figure 8. Communicate Functions

2. Navigate

2.1 Convey navigation state

2.2 Determine navigation intent

2.3 Produce navigation command

2.4 Determine navigation command status

2.2.1 Determine flight plan

2.2.2 Determine next waypoint

2.2.3 Determine long-term required separation

2.2.4 Determine right-of-way rules

3. Communicate

3.1 Broadcast information to ATC and other aircraft

3.2 Receive information from ATC and other aircraft

3.1.1 Broadcast communications 3.2.1 Receive communications

3.1.2 Broadcast transponder data 3.2.2 Receive transponder data

3.2.3 Monitor communication from ATC and other aircraft

3.1.3 Participate in lost command and control (C2) link procedures

19

Figure 9. Mitigate Functions

Figure 10. Avoid Collisions

4. Mitigate

4.1 Avoid collisions 4.3 Manage contingencies

4.3.1 Convey system status

4.3.2 Determine contingency command

4.3.3 Produce mitigation command

4.3.4 Prioritize mitigation command

4.3.5 Convey status of commands

4.2 Avoid adverse environmental conditions

4.2.1 Detect adverse environmental conditions

4.2.2 Track relative location of adverse environmental

conditions

4.2.3 Convey relative location of adverse environmental

conditions

4.2.4 Determine corrective action

4.2.5 Produce corrective action command

4.2.6 Execute corrective action command

(accomplished under Aviate)

4.2.7 Convey post corrective action status to ATC

(see Figure 10)

4.1 Avoid collisions

4.1.1 Avoid air traffic 4.1.2 Avoid ground & vertical structures (while airborne)

4.1.1.1 Detect air traffic

4.1.1.2 Track air traffic

4.1.1.3 Provide air traffic tracks

4.1.3 Avoid ground path obstructions (while landing

or on ground)

4.1.1.6 Execute corrective action command (accomplished

in Aviate)

4.1.1.5 Select corrective action command

4.1.1.4 Determine corrective action

4.1.1.7 Convey post corrective action status to ATC

4.1.3.1 Detect ground path obstructions

4.1.3.2 Track relative location of ground path obstruction

4.1.3.3 Provide relative location of ground path obstruction

4.1.3.4 Determine corrective action

4.1.3.5 Produce corrective action command

4.1 3 7 Convey post corrective action status to ATC

4.1.3.6 Execute corrective action command (accomplished in

Aviate)

4.1.2.1 Detect ground & vertical structures

4.1.2.2 Track relative location of ground & vertical structures

4.1.2.3 Provide relative location of ground & vertical structures

4.1.2.4 Determine corrective action

4.1.2.5 Produce corrective action command

4.1.2.6 Execute corrective action command (accomplished in

Aviate)

4.1.2.7 Convey post corrective action status to ATC

20

One important point about functions in these categories is that they often rely on the existence of other functions in other categories. For instance, the functions within Navigate perform tasks such as finding the next waypoint and determining guidance commands. However, the actual moving of control surfaces and changing propulsion settings to reach that waypoint are handled by the functions within Aviate. In a similar way, the Mitigate function relies on functions within Communicate, Navigate, and Aviate. As an example, handling contingencies may require communication to alert ATC, navigation to fly to a contingency waypoint, and aviation to move control surfaces.

5.3.1 Low-level Function Template

In the early stages of developing the decomposition, a definite pattern emerged. This pattern, included five basic actions related to a given function, which may be executed sequentially or concurrently (or some combination thereof). To help provide consistency in terminology, a template for those actions or low-level functions was developed, as shown in Figure 11.

The first action is to convey any state that is relevant to the function. This action includes all aspects of conveying the state: sensing, communicating, and displaying. Originally, we used the term “display;” which is common in function lists for manned aircraft. This term was rejected, however, because it could imply a design decision that the information is to be visually presented to the operator. Because we cannot assume that all unmanned aircraft will present the information to the operator (visually or otherwise), a more generic term was chosen: convey. For example, conveying the state of a navigation function would involve sensing and communicating information about latitude, longitude, and altitude (and perhaps other quantities).

Figure 11. Low-level Function Template

The determine function means gathering and selecting the appropriate high level command. For instance, the determine command may involve gathering flight plan information for a navigation command.

The produce function involves the translation of a strategic goal into a tactical command. One example is the behavior of a traditional flight control system: high-level attitude commands are translated into low-level flight control surface commands.

…

XYZ Function

Convey XYZ state

Determine XYZ command

Produce XYZ command

Execute XYZ command

Convey XYZ command status

21

The execute function refers to physically maneuvering the vehicle in some way. All execute functions are listed in the Aviate category.

The final function in the template is to convey the command status. This function is intended to address the difference between command and execution; that is, what is commanded and what is executed may be different. The command status informs the operator or perhaps some diagnostic system about what was commanded and the actual effect of the commanded action.

5.3.2 An Example of Low-level Functions

To demonstrate how the template was used, consider function 4.3 Manage Contingencies, as shown in figure 12. In this example, no decision has been made about where (control station or vehicle) or who (operator or automation) manages contingencies.

Figure 12. Manage Contingencies

Convey the system status (function 4.3.1) means gathering information about the state of the UAS related to contingencies, such as the communication status. Determine the contingency command (function 4.3.2) means analyzing the system to determine what contingencies have occurred. Because there may be multiple failures, determining what is actually wrong with the UAS may not be trivial. Producing a mitigation command (function 4.3.3) means deciding which actions should be taken to respond to the current contingencies. Prioritize the mitigation commands (function 4.3.4) attempts to reconcile that sometimes one event will cause multiple contingencies. Some of these contingencies may be very important and need to be dealt with right away, whereas other contingencies can be dealt with later. Finally conveying the status of the mitigation commands (function 4.3.5) means that the operator (and perhaps automation) will want to know what mitigation actions have taken place. For instance, if the fire detectors are

UAS

…

1. Aviate 2. Navigate 3. Communicate 4. Mitigate

4.1 Avoid collisions

4.3 Manage contingencies

4.3.1 Convey system status

4.3.2 Determine contingency command

4.3.3 Produce mitigation command

4.3.4 Prioritize mitigation command

4.3.5 Convey status of commands

…

…

4.2 Avoid adverse

environmental conditions

…

…

22

going off and fire extinguishers have been deployed, then that could mean the fire is too extensive for the fire extinguishers to extinguish, that the fire detector sensor is faulty, or that the design of the fire detection system is faulty. There could be other explanations, as well. In any case, it is important that the operator knows that the fire extinguishers have been deployed so that time is not wasted attempting to deploy them again.

Notice that in this example, the execute function is not listed. This is because executing a mitigation command may require the resources of aviate, navigate, and communicate. In addition, a “prioritize” function was added which was not part of the functional template. For managing contingencies, the act of prioritizing contingency commands was considered a significant function whose failure could have safety consequences.

6 Functional Hazard Assessment Overview

The preliminary FHA discussed here and shown in the appendix is not, in any way, intended to represent a complete, validated FHA. Significant effort was put into correct and complete identification of potential UAS failure conditions and characterization of their severity, for single failure events in the enroute phase of flight only. Additional work remains to be done for other phases of flight and multiple failure events.

To understand the FHA, it is helpful to know some of the ground rules and assumptions used in the FHA process. Rule number one is “do no harm”. The safety goal is to avoid any UAS-initiated decrease in the safety of the NAS. As a result, failure condition criticality is determined by its effect on people on the ground or in other aircraft. The latter case includes stress or injury to occupants of other aircraft as a result of an evasive maneuver. Damage to material assets is out-of-scope, unless it affects human safety.

The following assumptions were made in the development of the preliminary FHA. For the purposes of this study, the FHA shall:

• assume no specific architecture or design

• make no presumption about where a function resides

• consider the enroute flight phase only. Because of the Access 5 focus on high-altitude aircraft, the enroute phase of flight was assumed to be at flight level 430 or above, where air traffic control is responsible for separation.

• consider single failures only

• assume current air traffic control operations, procedures and technologies (that is, concepts such as “free flight”, 4-D trajectory, or fully data-linked, autonomous concepts of operation are not considered)

• use the FHA table format from SAE ARP 4761, with minor variations, as described in section 4.1

• consider failure condition classifications as described in section 4.2

6.1 Assignment of Failure Condition Severities

A significant step in the FHA process is assigning criticality or severity levels to each of the failure conditions that are defined for each function. The definitions for the failure condition severities are given in Section 3. Here we discuss how to interpret and apply those definitions for specific failure conditions. The operational consequence and corresponding severity is obvious

23

for some failure conditions, while others are controversial or difficult to classify. When controversy does arise, it is usually due to a couple of factors:

• natural tension between the desire to be conservative when it comes to safety, but on the other hand, not to be so conservative as to impose unreasonable requirements

• sensitivity of the outcome of a given failure condition to operational or environmental circumstances

A “catastrophic” assessment for a particular failure condition may appear to impose an onerous burden on product development, not only in terms of the hardware and software design and equipment costs, but also in the certification costs. This is due to the fact that the more severe a failure condition is, the less likely it must be proved to be. For example, some catastrophic failures are assigned a frequency of occurrence somewhere between 10-6 and 10-9 per flight hour4, depending on aircraft category, whereas major failures are assigned in the 10-4 to 10-5

range. Reaching such levels for catastrophic failures has traditionally been very costly, and may even be prohibitive, especially for a small UAS manufacturer.

During and after the subsequent architecture development and system design phases, the manufacturer will have ample opportunity to address the concerns by various means. One option is to produce an architecture and a design that includes effective redundancy management and mitigation strategies. Based on this or other strategies, the supplier may petition the FAA to acknowledge lower levels of hazard categories in specific areas of concern, that is, from architectural mitigations for certain failure conditions formerly labeled as catastrophic.

For this study, we defined and documented a method for assigning a severity to any particular failure condition. This method was intended to help clarify why particular severity assignments were made, and also to facilitate consistency for assigning severities.

A worst-case, single-failure assessment strategy was used to assign a severity to each failure condition. Failure conditions that are not the worst case may be included to better describe system behavior in certain situations; however, the worst case was always captured. Only single failures were considered in the FHA due to time limitations on the project5. For this discussion, it is assumed that the function, flight phase, and failure condition have already been determined. The operational consequence and the severity classification are developed together, using the following steps.

Step 1. The first consideration is a creative process of imagining the operating conditions in which the failure occurs. The hazard severity definitions disallow the assumption of perfect conditions. Therefore, if the consequence is made worse by any of the following adverse operating conditions, a more severe classification should be given:

a. Flight crew is busy with another task.

b. Weather (visibility, winds, turbulence) conditions are bad.

c. Traffic conditions are heavy.

Recall that failures are not included in this list of adverse operating conditions. At this phase in the analysis, multiple failures were not considered.

4 It is important to recognize that target reliability figures specific for UAS have not been developed.

Determining reasonable estimates for such numbers requires extensive analysis beyond that given in this report. Ultimately, regulatory authorities will determine the final values.

5 Multiple failure conditions should be considered in future phases of the analysis.

24

Step 2. The assessment proceeds by assessing the effects on three entities: the UAS itself, the flight crew of the UAS, and any people external to the UAS, as shown in table 4 in section 3. The specific evaluation of each of these effects is described in the three steps that follow; however, the evaluation is usually easier if the effects on flight crew and people external to the UAS are considered first. Because this is a worst case analysis, when the effects on one entity are determined, effects on other entities are only relevant if they have a more severe consequence.

Step 2a. The assessment on the UAS is performed in two dimensions: safety margins and operational capabilities. Safety margin refers to the gap between expected use and an unsafe condition. Safety margins are added to mitigate the normal uncertainties involved in aviation systems including: design, manufacture, flight crew abilities and training, sensor inaccuracies, etc. By definition, some safety margin can be lost, and the UAS will continue to be safe. Safety margins include separation standards between vehicles, between a vehicle and the ground, between a vehicle and weather, etc.

If a failure condition causes a complete loss of safety margins (normally involving a loss of the vehicle), then this condition is designated catastrophic. An example of this is if the UAS can no longer be controlled. If a failure condition has no effect on safety margins, then this condition is labeled “no effect.” A significant reduction of safety margins means some condition where—absent other failures and all but the most extreme adverse operating conditions—it is reasonably expected that safe flight and landing can occur. Such a failure condition is labeled major. Even though a UAS which experiences one of these failures is expected to be safe, the safe use of the UAS may result in damage to the UAS. For instance, a vehicle may run off the end of the runway into a field and have the landing gear collapse. If the effect of the failure condition causes more than a significant reduction of safety margin, but does not cause a complete loss of safety margin, then this condition is designated hazardous. If a failure condition has more than no effect but less than a significant effect (as just described), then this failure condition is labeled minor.

Loss of operational capabilities is important to safety because as operational capabilities are lost, possible actions which can mitigate unsafe situations are eliminated. Therefore, if a failure condition causes loss of all operational capabilities—normally including loss of the vehicle—then this condition is designated catastrophic. If the failure condition causes no loss of operational capabilities, then this condition is labeled no effect. A significant loss of operational capabilities means that a failure condition causes cascading failures of only a few less critical functions such that, at most, one mitigating action is lost6. Such a failure condition is designated major. If the effect on the UAS of the failure condition causes more than a significant loss of operational capability, but does not cause a complete loss of operational capabilities, then this condition is designated hazardous. If a failure condition has more than no effect but less than a significant effect (as just described), then this failure condition is labeled minor.

6 Communication with air traffic control is an example of one mitigating action.

25

Step 2b. Next, an assessment of the effects on the flight crew is performed. If the crew is no longer able to perform their assigned tasks (due to either incapacitation or death), then the event that caused this is catastrophic. Other effects on the flight crew are examined in two dimensions: physical effects and workload effects. In terms of physical effects on the flight crew, if any member of the flight crew sustains an injury that would normally require significant medical attention (for example, a broken leg), then this is considered physical distress and is designated hazardous. If any member of the flight crew sustains an injury that normally does not require medical attention (for example, scrapes and bruises), then this effect is considered physical discomfort and is designated major.

In terms of workload, if the expected result from a failure condition is that any member of the flight crew is unable to perform one of their important7 tasks, then this condition is considered hazardous. If the failure condition requires any member of the flight crew to slightly increase their workload, then this failure condition is classified as minor. If the workload of any member of the flight crew is more than slightly impacted, but not impacted enough to preclude them from performing tasks, then this failure condition is designated major. When assessing workload, a flight crew of average training and ability is assumed. It is immaterial that the presence of a flight crew of exceptional ability or training would result in a less severe event.

Step 2c. Finally, an assessment of the effects on anyone who is not a member of the flight crew is performed. This includes people on board other aircraft, people located at airports, and the public at large. If anyone is killed or severely injured (that is, requiring an extended hospital stay), then this failure condition is classified as catastrophic. If anyone sustains an injury that normally requires significant medical attention (for example, a broken leg), then this is considered physical distress and is designated hazardous. If anyone sustains an injury that does not normally require medical attention (for example, scrapes and bruises), then this effect is considered physical discomfort and is designated major.

Step 3. Because this is a worst-case analysis, the most severe consequence of these three effects is captured in the FHA.

Step 4. The hazard classification from Step 3 is compared to the classification of other failure conditions for this function. Is the classification uniform? Is it clear that more severe failure conditions have more severe operational consequences and therefore, more severe classifications?

Step 5. As an initial validation, the example FHA in appendices A and B of AC 23.1309-1C should be consulted to determine if a similar function and failure condition exists. If so, then the severity classification should be the same, or a clear reason should exist as to why the classification is different.

6.2 Example FHA Entries

The preliminary FHA to date is extensive, and is thus relegated to the appendix. In this section, several examples of FHA entries are discussed to illustrate how the FHA was done. In

7 Not all required tasks are of equal importance or complexity.

26

each example, the record number for the FHA entry is given, along with the name of the function, specific failure condition under consideration, assigned criticality level, phase of flight, and remarks as appropriate. These examples are chosen from the functions 1.1 Control Flight Path (under 1. Aviate), and 4.1 Avoid Collisions and 4.3 Manage Contingencies (under 4. Mitigate). Several possible failure conditions are described for each function. The examples are taken directly from the FHA in the appendix.

6.2.1 Example from the “Execute Flight Path Command” Function

The first example is based on function 1.1.4 Execute Flight Path (FP) Command, under Aviate. This function involves using the flight path command to change the physical state of the vehicle. Tables 5 presents two entries in the FHA for this function.

Table 5. FHA Example: Execute Flight Path Command

Number Function Flight Phase

Failure Condition Operational Consequence

Classification Remark

1.1.4.a Execute FP command

enroute Loss of function with soft landing flight termination function

Vehicle will not be controllable; landing will be somewhat controllable.

hazardous Execution of a soft landing function assumes that people will not be killed or seriously injured.

1.1.4.b Execute FP command

enroute Loss of function without soft landing flight termination function

Vehicle will not be controllable.

catastrophic

In both of these failure modes, the vehicle is unable to execute a flight path command in the enroute phase of flight. This situation means the vehicle is uncontrollable. By Step 2a of section 6.1.1, a failure mode that results in an uncontrolled vehicle is designated catastrophic. In record number 1.1.4.a, the failure condition assumes the existence of some type of function that will “gently” end the flight. Because of this mitigating action, the hazard classification for this failure mode is lowered from catastrophic. This mode is designated hazardous because there has been a reduction in safety margins such that “safe flight and landing” cannot be reasonably assured.

6.2.2 Example from the “Detect Air Traffic” Function

The next example is based on the detect air traffic function, which is function 4.1.1.1 in the functional decomposition. This function is the first step in any “sense and avoid” function. Table 6 gives the FHA entry of three failure conditions for this function. Each of these failure modes has been assigned a hazard classification of “major.”

One might imagine that if the UAS is unable to detect air traffic, then there is the possibility that collisions will result; and, therefore this failure mode should be designated catastrophic. However, in the enroute flight phase, the vehicle is in class A airspace where ATC has the main responsibility for separation. In this case, it is assumed that ATC is functioning normally, with situational awareness of the UAS and other air traffic. If the potential for conflict arises, it is assumed that ATC would vector the UAS or other aircraft as needed to mitigate the conflict. In this phase of flight, there is the reasonable expectation that safe flight and landing can still occur.

27

In other phases of flight, especially where there is reduced separation, a different severity classification may be justified.

Table 6. FHA Example: Detect Air Traffic

Number Function Flight Phase

Failure Condition

Operational Consequence Classification Remark

4.1.1.1.a Detect air traffic

enroute Total loss of function

Possibility of conflict with another aircraft. However, assumption of being in Class A airspace under IFR means that ATC will provide separation.

major

4.1.1.1.b Detect air traffic

enroute Intruder is "detected" when none is there (false alarm)

Possibility of loss of control and/or conflict with another (real) aircraft. Could result in unnecessary avoidance maneuver that endangers another aircraft.

major Hazard severity assigned per FAA practice for manned aircraft

4.1.1.1.c Detect air traffic

enroute Intruder is not detected when there is a real threat.

Possibility of conflict with another aircraft. If both aircraft are being tracked by service provider and time permits, ATC will attempt to warn one or both aircraft to avoid collision.

major Hazard severity assigned per FAA practice for manned aircraft

6.2.3 Example from the “Determine Contingency Command” Function

This example is based on function 4.3.2 Determine Contingency Command, which is a sub-function of 4.3 Manage Contingencies. Table 7 shows two FHA entries of various failure conditions for this function.

Table 7. FHA Example: Determine Contingency Command

Number Function Flight Phase

Failure Condition

Operational Consequence

Classification Remark

4.3.2.a Determine contingency command

enroute Loss or malfunction when C2 link is up.

Flight crew/UAS will not be able to initiate a contingency. Since C2 link is up, vehicle is still controllable. Significant loss of safety margin results.

major Situations where this failure has more dire consequences involve other systems failing. These multiple-failure scenarios must be dealt with later.

4.3.2.b Determine contingency command

enroute Loss or malfunction when C2 link is down.

Flight crew/UAS will not be able to initiate a contingency. Since C2 link is down, the vehicle is uncommanded.

catastrophic

28

These failure conditions are predicated on whether the command and control (C2) link is up or down. The reason for this distinction is that a transient loss of the C2 link is considered a normal part of operation of the vehicle and not a failure. For example, a banking turn may shield the antenna and cause the link to be temporarily lost. The manage contingencies function is normally only used when another failure has occurred. In many cases, the failure of this function in this functional group only becomes dangerous when it is being used; that is, when a failure in some other function has occurred. These circumstances would mean that multiple failures have occurred. Because this FHA only covers single failure conditions, the operational consequences listed in table 7 only reflect the failure to the determine contingency command without any other functional failures.

6.3 Summary Statistics

Even though the preliminary FHA does not cover multiple failures or all phases of flight, it is interesting to examine a few statistics. The functional decomposition shows 69 leaf nodes, which equates to 69 different functions to which the FHA process was applied. Figure 13 shows the total number of failure conditions by the four major categories in the functional decomposition.

Figure 13. Failure Condition Totals, by Functional Category

As shown in figure 13, the majority of potential failure conditions fall under the Aviate or Mitigate functions. Out of a total of 132 failure conditions described in the FHA, 49 of them are under Aviate and 52 of them are under Mitigate. The remaining failure conditions are almost evenly split between Navigate and Communicate. Figure 14 presents the same data, with detail regarding the number of failure conditions per each severity level.

Aviate 49

Navigate 15

Communicate16

Mitigate 52

16

Avoid Adverse Environmental Conditions

19

17

Avoid Collisions

Manage Contingencies

19

Control Ground Path

11

5

Control Flight Path

Control Air/GroundTransition

Control UAS Subsystems

Command & Control

9

5

Total

132 Failure Conditions

29

Figure 14. Failure Condition Severities by Major Functional Category

0

5

10

15

20

25

Num

ber o

f Fai

lure

Con

ditio

ns

Avia

te

Navi

gate

Com

mun

icat

e

Miti

gate

Catastrophic

Hazardous

Major

Minor

No Safety Effect

0

5

10

15

20

25

Num

ber o

f Fai

lure

Con

ditio

ns

Avia

te

Navi

gate

Com

mun

icat

e

Miti

gate

Catastrophic

Hazardous

Major

Minor

No Safety Effect

Catastrophic

Hazardous

Major

Minor

No Safety Effect

As shown in figure 14, the majority of failure conditions with catastrophic and hazardous consequences are found in the Aviate and Mitigate functions. Catastrophic failure conditions are less prominent in Navigate and Communicate. It is important at this stage to keep in mind that only single failures have been considered in the FHA. The ratios for the various severity levels may change as multiple failure events and other phases of flight are considered.

In this assessment, twenty-six potentially catastrophic failure conditions were identified, considering only single failures in the enroute phase of flight. An interesting observation to make at this point is how the number of catastrophic failure conditions for a generic UAS compares with those numbers assumed for commercial transport (Part 25) aircraft and for general aviation (Part 23) aircraft. According to AC 23.1309-1C, there are ten catastrophic failure conditions assumed for a general aviation aircraft (covering single and multiple failures over all phases of flight); and there are 100 catastrophic failure conditions assumed for a commercial transport aircraft according to AC 25.1309-1A. While recognizing that these are broad generalizations, preliminary indications are that the number of potential catastrophic failure conditions for a generic UAS will be greater than the number for general aviation aircraft. How close the estimate will be to commercial transport aircraft depends on further assessment of failure conditions in all phases of flight.

7 Electromagnetic Considerations

As discussed in Section 2, FAR Parts 23.1309 and 25.1309 specify that equipment, systems and installations must be designed to ensure that they perform their intended functions under any foreseeable operating condition. In particular, because unmanned aircraft do not have an on-board pilot, they will necessarily rely on electronic components for safe operation. Therefore,

30

foreseeable operating conditions must include the electromagnetic effects on safety-relevant electronic components. In particular, FAR 23.1309 subpart (e) states

In showing compliance with this section with regard to the electrical power system and to equipment design and installation, critical environmental and atmospheric conditions, including radio frequency energy and the effects (both direct and indirect) of lightning strikes, must be considered.

This statement formalizes the regulation in which electromagnetic effects, including high intensity radiated electromagnetic fields (HIRF) must be considered and appropriate guidelines must be followed. Due to the high altitude flight profile of some unmanned aircraft, consideration should also be made for single event upset (SEU) effects. The following subsections provide a brief discussion of issues relevant to HIRF and SEU for a UAS.

7.1 HIRF Considerations

High intensity radiated electromagnetic fields are created by transmissions from high-power radio emitters such as radio and television broadcast stations, radars, and satellite uplink transmitters. The emitters may be ground-based, ship-borne, or airborne. Although these transmissions can have serious effects on electronic equipment, engineering and design methods to protect against HIRF effects are well documented and understood. Shielding cables and bulkhead connectors from spurious electromagnetic emissions is a common practice. Metal enclosures surrounding electronic circuits (e.g., Faraday cages) usually provide sufficient protection against HIRF.

The FAA requires testing of aircraft electronic systems, in accordance with the procedures outlined in RTCA DO-160E, Environmental Conditions and Test Procedures for Airborne Equipment, (ref. 20) to guard against possible interruptions, erroneous operation, or loss of function due to HIRF exposure. A UAS flying similar mission profiles to fixed wing, manned aircraft will be exposed to the same HIRF environment and therefore should be tested to the same standards. UAS mission profiles that include long loiter times may increase the duration of exposure to HIRF; however, current FAA guidelines do not consider exposure time as part of the certification process. UAS mission profiles that require flight close to the earth, more closely matching the rotorcraft flight profiles, should be tested to the rotorcraft standards of DO-160E. Very low altitude flying aircraft may encounter an even harsher HIRF environment than typical rotorcraft missions and thus may require more stringent guidelines. Electronic payloads operating aboard UAS platforms that can interfere with critical systems may also need to comply with FAA radio frequency emission and susceptibility guidelines outlined in section 21 of the DO-160E document.

7.2 Single Event Upset Considerations

Single event upset phenomena are the result of cosmic ray interactions with the atmosphere, and occur more frequently at higher altitudes. These interactions can produce a number of decay products, including atmospheric neutrons that can intercept and corrupt the operation of semiconductor devices. A particle that strikes a processor at just the wrong place and time can cause it to latch-up. The most critical SEU sensitivities in modern aircraft systems occur with memory devices.

SEU is of particular concern for unmanned aircraft that fly high altitude and long endurance missions (ref. 21, 22). High altitude aircraft would be expected to encounter more frequent SEU than aircraft flying at lower altitudes. Long mission times increase exposure to SEU, as well. Finally, because there is no on-board pilot, a UAS relies on electronic components for safety

31

critical functions and these electronic components have grown more susceptible to SEU as integrated circuit geometries have decreased. Therefore, the design of high altitude or long-endurance aircraft must account for SEU effects to achieve acceptably safe and reliable UAS operations.

Approaches exist for mitigating HIRF and SEU effects, including shielding, fault tolerant architectures, and error detection and correcting schemes. The eventual development of “1309” regulations for unmanned aircraft will clearly need to address HIRF and SEU effects as part of the expected operating environment. Further research may be required to establish the analysis and testing methods for electronic systems, beyond those already prescribed in DO-160E, necessary to assure safe operation of a UAS in adverse environments.

8 Summary

In recent testimony before Congress, Nicholas Sabatini, FAA Associate Administrator for Aviation Safety stated that the “development and use of unmanned aircraft (UAs) is the next great step forward in the evolution of aviation.” (ref. 13) This step, however, involves overcoming significant challenges with respect to developing the technology and regulatory infrastructure necessary for integrating unmanned aircraft safely into the NAS. A notable challenge for the regulatory infrastructure involves defining safety and reliability requirements necessary for providing assurance that a UAS poses no greater risk to persons or property in the air or on the ground than that presented by conventional aircraft.

This report discusses some of the basic considerations necessary for setting requirements for UASs consistent with those in current FAR paragraphs “1309”. These considerations include definitions of hazards and their classification for unmanned aircraft. New definitions for the five standard hazard classes (catastrophic, hazardous, major, minor, and no effect) were proposed, with rationale given for deviation from existing definitions. In particular, the definition of “catastrophic” was modified to deal with concerns about loss of control situations.

The proposed definitions for hazard classification were applied in a preliminary functional hazard assessment of a generic UAS. The preliminary FHA identified failure conditions for a generic UAS model, for single failure events occurring in the enroute phase of flight. Much of the purpose of conducting the preliminary FHA was to help explore potential hazards unique to unmanned aircraft and how those hazards could be classified.

The revised hazard definitions and preliminary FHA are intended only as very initial steps in thinking about regulating the hazards that a UAS will pose to the NAS. Further exploration is necessary to better understand potential UAS failures and their effects on remote flight crews and communications, as well as the effect on the air traffic management system. Understanding these effects is essential to establishing a truly reasonable basis for setting reliability and safety standards for unmanned aircraft.

9 References

1. Pearson, Lee: Developing the Flying Bomb. http://www.history.navy.mil/download/ww1-10.pdf, pp. 70-73, Accessed May 12, 2006.

2. DeGaspari, John: look, Ma, no pilot! Mechanical Engineering, November 2003, http://www.memagazine.org/backissues/nov03/features/lookma/lookma.html, Accessed July 12, 2006.

3. Office of the Secretary of Defense, Unmanned Aircraft Systems Roadmap, 2005-2030. August 2005.

32

4. Haddon, D. R., Whittaker, C. J.: Aircraft Airworthiness Certification Standards for Civil UAVs. Civil Aviation Authority, UK, August 2002.

5. Code of Federal Regulations, Title 14, Aeronautics and Space, Chapter I, Federal Aviation Administration, Department of Transportation.

6. Federal Aviation Administration, Advisory Circular AC 23.1309-1C, Equipment, Systems, and Installations in Part 23 Airplanes. March, 12, 1999.

7. DeWalt, Michael P.: Design Assurance Levels in Experimental Airworthiness Certificates for UASs. (unpublished) white paper from Certification Services, Inc, December 30, 2005.

8. Federal Aviation Administration, Draft Advisory Circular/Advisory Material Joint AC 25.1309-1B, System Design and Analysis. June 10, 2002, (to be published).

9. Office of the Secretary of Defense, Unmanned Aerial Vehicle Reliability Study. February 2003.

10. Federal Aviation Administration, FAA System Safety Handbook. December 30, 2000, http://www.faa.gov/library/manuals/aviation/risk_management/ss_handbook/media/chap1_1200.PDF. Accessed May 12, 2006.

11. Federal Aviation Administration, Advisory Circular AC 25.1309-1A, System Design and Analysis. June 21, 1988.

12. McGraw, J. W.: Unmanned Aircraft Systems Operations in the U.S. National Airspace System–Interim Operational Approval Guidance. AFS-400 UAS Policy 05-01, Dept. of Transportation, Federal Aviation Administration, Washington, DC, September 2005.

13. Statement of Nicholas A. Sabatini, Associate Administrator for Aviation Safety, Before the House Committee on Transportation and Infrastructure, Subcommittee on Aviation on Unmanned Aircraft Activities, March 29, 2006.

14. CNS ATM Technology Evolution Workgroup: Developing Guidance Material for ANSPs on UAS (Unmanned Aerial Systems). UVS International – News Flash, February 18, 2006, pp. 14-18.

15. RTCA, DO-264: Guidelines for Approval of the Provision and Use of Air Traffic Services Supported by Data Communications. Issued 12-14-00.

16. Society of Automotive Engineers, International SAE ARP 4761, Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment, 1996-12.

17. Access 5 Systems Engineering and Integration Team, Functional Requirements Document For HALE UAS Operations in the NAS Step 1, Version 2, September 2005, (unpublished).

18. Access 5 Systems Engineering and Integration Team, Access 5 HALE ROA Concept of Operations, rev 4, 30 September 2003 (unpublished).

19. Society of Automotive Engineers, International. SAE ARP 4754, Certification Considerations for Highly-Integrated or Complex Aircraft Systems, 1996-11.

20. RTCA, DO-160E: Environmental Conditions and Test Procedures for Airborne Equipment, Issued December 9, 2004.

21. Taber, A. and Normand, E.: Single Event Upset in Avionics, IEEE Transactions on Nuclear Science, vol. 40, no. 2, April 1993, pp. 120-126.

33

22. Edwards, Robert; Dyer, Clive; and Normand, Eugene: Technical Standard for Atmospheric Radiation Single Event Effects, (SEE) on Avionics Electronics, 2004 IEEE Radiation Effects Data Workshop, 22 July 2004.

34

THIS PAGE INTENTIONALLY LEFT BLANK

35

App

endi

x: U

AS

Prel

imin

ary

Func

tiona

l Haz

ard

Ass

essm

ent

This

app

endi

x co

ntai

ns a

pre

limin

ary

func

tiona

l ha

zard

ass

essm

ent

of a

gen

eric

UA

S.

It is

rec

ogni

zed

that

the

re i

s co

nsid

erab

le v

aria

tion

amon

g un

man

ned

airc

raft

plat

form

s. F

or th

is s

tudy

, a c

ore

set o

f fun

ctio

ns th

at m

ost a

ircra

ft, in

clud

ing

UA

Ss, w

ill n

eed

to o

pera

te ro

utin

ely

and

safe

ly w

ithin

the

NA

S w

ere

iden

tifie

d. T

he c

ore

set o

f fun

ctio

ns is

bas

ed o

n fu

ndam

enta

l ten

ets o

f pilo

ting;

nam

ely,

to fl

y th

e pl

ane

(avi

ate)

, fly

it

in th

e rig

ht d

irect

ion

(nav

igat

e), a

nd, f

inal

ly, t

o st

ate

your

con

ditio

n or

inte

ntio

ns to

oth

er p

eopl

e (c

omm

unic

ate)

. Fo

r the

gen

eric

UA

S m

odel

, a

four

th fu

ndam

enta

l fun

ctio

n w

as a

dded

: m

itiga

te h

azar

ds.

This

func

tion

is in

tend

ed to

cap

ture

thos

e ac

tions

nec

essa

ry to

(1) s

tay

clea

r of h

azar

ds,

incl

udin

g ot

her

air

traff

ic, f

light

or

grou

nd p

ath

obst

ruct

ions

, and

adv

erse

wea

ther

con

ditio

ns, a

nd (

2) m

anag

e co

ntin

genc

y si

tuat

ions

that

may

ar

ise.

The

FHA

con

sist

s of

a li

stin

g of

the

func

tions

spe

cifie

d in

the

func

tiona

l dec

ompo

sitio

n di

scus

sed

in s

ectio

n 5

of th

e re

port,

iden

tific

atio

n of

po

tent

ial f

ailu

re c

ondi

tions

and

thei

r ope

ratio

nal c

onse

quen

ces i

n th

e en

rout

e ph

ase

of fl

ight

, and

a h

azar

d cl

assi

ficat

ion

for e

ach

failu

re c

ondi

tion.

Rec

ord

Num

ber

Func

tion

Flig

ht

Phas

e Fa

ilure

Con

ditio

ns

Ope

ratio

nal C

onse

quen

ces (

effe

ct o

f fa

ilure

on

UA

S)

Haz

ard

Cla

ssifi

catio

n (C

ritic

ality

) R

emar

ks

1.0

Avi

ate

1.

1 C

ontro

l Flig

ht P

ath

(FP)

Th

is fu

nctio

n in

volv

es

cont

rolli

ng th

e ve

hicl

e w

hile

in th

e ai

r.

1.1.

1 C

onve

y FP

stat

e

B

ecau

se o

f the

per

iodi

c na

ture

of t

his

info

rmat

ion,

ther

e ca

nnot

be

an u

ndet

ecte

d lo

ss o

f thi

s fun

ctio

n.

1.1.

1.a

Con

vey

FP st

ate

enro

ute

Det

ecte

d lo

ss o

f fu

nctio

n W

ithou

t bas

ic in

form

atio

n su

ch a

s at

titud

e co

ntin

ued

safe

flig

ht c

anno

t be

assu

med

. Fl

ight

term

inat

ion

shou

ld b

e in

itiat

ed.

Effe

ctiv

enes

s of f

light

te

rmin

atio

n sy

stem

s, m

ay b

e co

mpr

omis

ed w

ithou

t FP

stat

e in

form

atio

n.

haza

rdou

s A

sim

ilar f

ailu

re in

the

AC

23.

1309

exa

mpl

e is

cl

assi

fied

as

cata

stro

phic

, bec

ause

of

the

unm

anne

d na

ture

of

UA

S, th

is c

lass

ifica

tion

has b

een

low

ered

.

36

1.1.

1.b

Con

vey

FP st

ate

enro

ute

Dis

play

s "fr

eeze

" w

ith

old

info

rmat

ion

Flig

ht c

rew

/UA

S do

es n

ot k

now

FP

stat

e. It

is e

xpec

ted

that

the

fligh

t cre

w

will

reco

gniz

e th

at th

e ve

hicl

e is

not

pe

rfor

min

g co

rrec

tly so

on a

nd w

ill

initi

ate

a fli

ght t

erm

inat

ion.

Ef

fect

iven

ess o

f flig

ht te

rmin

atio

n sy

stem

s, m

ay b

e co

mpr

omis

ed w

ithou

t FP

stat

e in

form

atio

n.

haza

rdou

s A

sim

ilar f

ailu

re in

the

AC

23.

1309

exa

mpl

e is

cl

assi

fied

as

cata

stro

phic

, bec

ause

of

the

unm

anne

d na

ture

of

UA

S, th

is c

lass

ifica

tion

has b

een

low

ered

.

1.1.

1.c

Con

vey

FP st

ate

enro

ute

Inco

rrec

t inf

orm

atio

n Fl

ight

cre

w/U

AS

does

not

kno

w F

P st

ate.

The

flig

ht c

rew

may

or m

ay n

ot

reco

gniz

e th

at th

e ve

hicl

e is

not

pe

rfor

min

g co

rrec

tly: f

light

term

inat

ion

may

or m

ay n

ot b

e in

itiat

ed.

cata

stro

phic

1.1.

2 D

eter

min

e gu

idan

ce c

omm

and

1.1.

2.a

Det

erm

ine

guid

ance

com

man

d en

rout

e D

etec

ted

loss

of

func

tion,

with

alte

rnat

e m

eans

to c

hang

e FP

st

ate

Flig

ht c

rew

/UA

S no

t abl

e to

use

gu

idan

ce c

omm

ands

to c

hang

e FP

stat

e. m

inor

1.1.

2.b

Det

erm

ine

guid

ance

com

man

d en

rout

e U

ndet

ecte

d lo

ss o

f fu

nctio

n, w

ith a

ltern

ate

mea

ns to

cha

nge

FP

stat

e

Flig

ht c

rew

/UA

S is

tryi

ng to

con

trol F

P st

ate,

but

this

isin

effe

ctiv

e. B

y fu

nctio

n 1.

1.5,

the

UA

S/fli

ght c

rew

will

re

cogn

ize

that

gui

danc

e co

mm

ands

are

in

effe

ctiv

e th

en u

se o

ther

mea

ns to

co

ntro

l FP

stat

e.

maj

or

1.1.

2.c

Det

erm

ine

guid

ance

com

man

d en

rout

e In

corr

ect c

omm

and

dete

rmin

ed, w

ith

alte

rnat

e m

eans

to

chan

ge F

P st

ate

Flig

ht c

rew

/UA

S is

tryi

ng to

con

trol F

P st

ate,

but

this

isin

effe

ctiv

e. B

y fu

nctio

n 1.

1.5,

the

UA

S/fli

ght c

rew

will

re

cogn

ize

that

gui

danc

e co

mm

ands

are

in

effe

ctiv

e th

en u

se o

ther

mea

ns to

co

ntro

l FP

stat

e.

maj

or

1.1.

2.d

Det

erm

ine

guid

ance

com

man

d en

rout

e Lo

ss o

f fun

ctio

n,

with

out a

ltern

ate

mea

ns

to c

hang

e FP

stat

e, w

ith

"sof

t lan

ding

" flig

ht

term

inat

ion

func

tion

Flig

ht c

rew

/UA

S no

t abl

e to

cha

nge

FP

stat

e. V

ehic

le is

unc

ontro

llabl

e. "

Soft

land

ing"

flig

ht te

rmin

atio

n fu

nctio

n is

us

ed.

haza

rdou

s Ex

ecut

ion

of a

soft

land

ing

func

tion

assu

mes

that

peo

ple

will

no

t be

kille

d or

serio

usly

in

jure

d.

37

1.1.

2.e

Det

erm

ine

guid

ance

com

man

d en

rout

e Lo

ss o

f fun

ctio

n,

with

out a

ltern

ate

mea

ns

to c

hang

e FP

stat

e,

with

out "

soft

land

ing"

fli

ght t

erm

inat

ion

func

tion

Flig

ht c

rew

/UA

S no

t abl

e to

cha

nge

FP

stat

e. V

ehic

le is

unc

ontro

llabl

e.

cata

stro

phic

1.1.

3 Pr

oduc

e FP

com

man

d

1.1.

3.a

Prod

uce

FP c

omm

and

enro

ute

Det

ecte

d lo

ss o

f fu

nctio

n, w

ith "s

oft

land

ing"

flig

ht

term

inat

ion

func

tion

Loss

of a

bilit

y to

tran

slat

e hi

gh-le

vel

dire

ctio

n to

spec

ific

vehi

cle

actio

ns.

"sof

t lan

ding

" flig

ht te

rmin

atio

n is

ex

ecut

ed.

haza

rdou

s Ex

ecut

ion

of a

soft

land

ing

func

tion

assu

mes

that

peo

ple

will

no

t be

kille

d or

serio

usly

in

jure

d.

1.1.

3.b

Prod

uce

FP c

omm

and

enro

ute

Det

ecte

d lo

ss o

f fu

nctio

n, w

ithou

t "so

ft la

ndin

g" fl

ight

te

rmin

atio

n fu

nctio

n

Loss

of a

bilit

y to

tran

slat

e hi

gh-le

vel

dire

ctio

n to

spec

ific

vehi

cle

actio

ns.

Veh

icle

is u

ncon

trolla

ble.

It m

ay b

e po

ssib

le to

pre

dict

whe

re th

e ve

hicl

e w

ill

land

and

get

peo

ple

and

prop

erty

out

of

the

way

.

cata

stro

phic

1.1.

3.c

Prod

uce

FP c

omm

and

enro

ute

Und

etec

ted

loss

of

func

tion

or in

corr

ect

oper

atio

n

Loss

of a

bilit

y to

tran

slat

e hi

gh-le

vel

dire

ctio

n to

spec

ific

vehi

cle

actio

ns.

Veh

icle

is u

ncon

trolla

ble.

cata

stro

phic

1.1.

4 Ex

ecut

e FP

com

man

d

1.1.

4.a

Exec

ute

FP c

omm

and

enro

ute

Loss

of f

unct

ion

with

so

ft la

ndin

g fli

ght

term

inat

ion

func

tion

Veh

icle

will

not

be

cont

rolla

ble;

land

ing

will

be

som

ewha

t con

trolla

ble.

ha

zard

ous

Exec

utio

n of

a so

ft la

ndin

g fu

nctio

n as

sum

es th

at p

eopl

e w

ill

not b

e ki

lled

or se

rious

ly

inju

red.

1.

1.4.

b Ex

ecut

e FP

com

man

d en

rout

e Lo

ss o

f fun

ctio

n w

ithou

t sof

t lan

ding

fli

ght t

erm

inat

ion

func

tion

Veh

icle

will

not

be

cont

rolla

ble.

ca

tast

roph

ic

1.1.

4.c

Exec

ute

FP c

omm

and

enro

ute

Prim

ary

surf

aces

re

spon

d sl

owly

V

ehic

le w

ill re

spon

d sl

owly

. M

ay

crea

te "

pilo

t ind

uced

osc

illat

ion.

" ha

zard

ous

38

1.1.

4.d

Exec

ute

FP c

omm

and

enro

ute

Prim

ary

surf

aces

do

not

have

full

auth

ority

. V

ehic

le w

ill n

ot b

e ab

le to

take

act

ions

w

ithin

its n

orm

al p

erfo

rman

ce e

nvel

ope.

maj

or

1.1.

4.e

Exec

ute

FP c

omm

and

enro

ute

Det

ecte

d lo

ss o

f pr

opul

sion

V

ehic

le c

an n

o lo

nger

mai

ntai

n al

titud

e. h

azar

dous

A

ssum

es c

ritic

al

syst

ems (

cont

rol

surf

aces

, avi

onic

s, et

c.)

have

an

alte

rnat

e po

wer

so

urce

. 1.

1.4.

f Ex

ecut

e FP

com

man

d en

rout

e U

ndet

ecte

d lo

ss o

f pr

opul

sion

V

ehic

le c

an n

o lo

nger

mai

ntai

n al

titud

e.

This

shou

ld b

e de

tect

able

fairl

y so

on.

haza

rdou

s A

ssum

es c

ritic

al

syst

ems (

cont

rol

surf

aces

, avi

onic

s, et

c.)

have

an

alte

rnat

e po

wer

so

urce

. 1.

1.5

Con

vey

FP c

omm

and

stat

us

1.1.

5.a

Con

vey

FP c

omm

and

stat

us

enro

ute

Det

ecte

d lo

ss o

f fu

nctio

n Fl

ight

cre

w/U

AS

will

not

kno

w w

hat t

he

vehi

cle

is a

ttem

ptin

g to

do.

No

miti

gatin

g ac

tions

are

lost

.

min

or

1.1.

5.b

Con

vey

FP c

omm

and

stat

us

enro

ute

Inco

rrec

t com

man

d st

atus

con

veye

d Fl

ight

cre

w/U

AS

will

not

kno

w w

hat t

he

vehi

cle

is a

ttem

ptin

g to

do.

Flig

ht c

rew

m

ay ta

ke a

ctio

n on

this

bad

info

rmat

ion.

Fl

ight

cre

w's

resp

onse

will

be

dela

yed

beca

use

of la

ck o

f kno

wle

dge

of st

atus

of

UA

S.

maj

or

1.2

Con

trol g

roun

d pa

th (G

P)

1.

2.1

Con

vey

GP

stat

e

1.2.

1.a

Con

vey

GP

stat

e en

rout

e A

ny m

alfu

nctio

n no

ne

no e

ffec

t

1.2.

2 D

eter

min

e gr

ound

inte

nt

1.2.

2.a

Det

erm

ine

grou

nd in

tent

en

rout

e A

ny m

alfu

nctio

n no

ne

no e

ffec

t

1.2.

3 Pr

oduc

e G

P co

mm

and

1.2.

3.a

Prod

uce

GP

com

man

d en

rout

e A

ny m

alfu

nctio

n no

ne

no e

ffec

t

1.2.

4 Ex

ecut

e G

P C

omm

and

39

1.2.

4.a

Exec

ute

GP

Com

man

d en

rout

e A

ny m

alfu

nctio

n no

ne

no e

ffec

t

1.2.

5 C

onve

y G

P co

mm

and

stat

us

1.2.

5.a

Con

vey

GP

com

man

d st

atus

en

rout

e A

ny m

alfu

nctio

n no

ne

no e

ffec

t

1.3

Con

trol a

ir/gr

ound

tran

sitio

n (A

GT)

Th

e on

ly A

GT

func

tion

used

in th

e en

rout

e fli

ght

phas

e is

flig

ht

term

inat

ion.

1.3.

1 C

onve

y A

GT

stat

e

A

GT

stat

e in

clud

es

heig

ht a

bove

terr

ain,

w

eigh

t on

whe

els,

etc.

B

ecau

se o

f the

per

iodi

c na

ture

of t

his

info

rmat

ion,

ther

e ca

nnot

be

an u

ndet

ecte

d lo

ss o

f thi

s fun

ctio

n.

1.3.

1.a

Con

vey

AG

T st

ate

enro

ute

Any

mal

func

tion

none

no

eff

ect

1.

3.2

Det

erm

ine

AG

T in

tent

1.3.

2.a

Det

erm

ine

AG

T in

tent

en

rout

e A

ny m

alfu

nctio

n N

one.

Ass

umes

miti

gatio

n of

func

tion

bein

g "o

ff"

in th

is fl

ight

pha

se

no e

ffec

t

1.3.

3 Pr

oduc

e A

GT

com

man

d

1.3.

3.a

Prod

uce

AG

T co

mm

and

enro

ute

Any

mal

func

tion

Non

e. A

ssum

es m

itiga

tion

of fu

nctio

n be

ing

"off

" in

this

flig

ht p

hase

no

eff

ect

1.3.

4 Ex

ecut

e A

GT

Com

man

d

1.3.

4.a

Exec

ute

AG

T C

omm

and

enro

ute

Inad

verte

nt d

eplo

ymen

t of

flap

s/sl

ats

Veh

icle

mak

es la

rge

altit

ude

dive

rsio

ns.

maj

or

Stru

ctur

al p

robl

ems

shou

ld b

e co

nsid

ered

for

a sp

ecifi

c U

AS.

1.3.

4.b

Exec

ute

AG

T C

omm

and

enro

ute

Inad

verte

nt d

eplo

ymen

t of

thru

st re

vers

ers

Maj

or st

ruct

ural

and

pro

puls

ion

syst

em

failu

res

cata

stro

phic

Th

is fa

ilure

mod

e is

irr

elev

ant i

f a U

AS

does

no

t hav

e re

tract

able

th

rust

reve

rser

s.

40

1.3.

4.c

Exec

ute

AG

T C

omm

and

enro

ute

Inad

verte

nt la

ndin

g ge

ar d

eplo

ymen

t V

ehic

le's

perf

orm

ance

cha

nges

si

gnifi

cant

ly

maj

or

Stru

ctur

al p

robl

ems

shou

ld b

e co

nsid

ered

for

a sp

ecifi

c U

AS.

If a

U

AS

does

not

hav

e re

tract

able

land

ing

gear

, th

en th

is fa

ilure

mod

e is

irr

elev

ant.

1.3.

4.d

Exec

ute

AG

T C

omm

and

enro

ute

Det

ecte

d lo

ss o

f flig

ht

term

inat

ion

func

tion

Veh

icle

is n

ot a

ble

to te

rmin

ate

fligh

t in

cont

inge

ncy

or e

mer

genc

y si

tuat

ions

. Th

is is

the

loss

of a

sing

le m

itiga

ting

actio

n.

maj

or

A fl

ight

term

inat

ion

func

tion

is n

ot

nece

ssar

ily a

par

achu

te

or a

"des

truct

ive"

sy

stem

. 1.

3.4.

e Ex

ecut

e A

GT

Com

man

d en

rout

e U

ndet

ecte

d lo

ss o

f fli

ght t

erm

inat

ion

func

tion

Veh

icle

is n

ot a

ble

to te

rmin

ate

fligh

t in

cont

inge

ncy

or e

mer

genc

y si

tuat

ions

. Th

is is

the

loss

of a

miti

gatin

g ac

tion.

Fl

ight

cre

w's

reac

tion

to a

dver

se e

vent

s is

impa

cted

due

to la

ck o

f kno

wle

dge

of

the

stat

e of

this

func

tion.

haza

rdou

s Th

is c

ondi

tion

is m

ore

seve

re th

en th

e de

tect

ed

loss

sinc

e th

e fli

ght c

rew

do

es n

ot k

now

of t

he

loss

. A

flig

ht

term

inat

ion

func

tion

is

not n

eces

saril

y a

para

chut

e or

a

"des

truct

ive"

syst

em.

1.3.

4.f

Exec

ute

AG

T C

omm

and

enro

ute

Inad

verte

nt d

eplo

ymen

t of

flig

ht te

rmin

atio

n fu

nctio

n

Veh

icle

goe

s thr

ough

em

erge

ncy

actio

ns

whe

n no

ne is

war

rant

ed.

maj

or

The

asse

ssm

ent o

f thi

s fu

nctio

n is

hig

hly

depe

nden

t on

the

char

acte

ristic

s of t

he

spec

ific

UA

S an

d its

fli

ght t

erm

inat

ion

syst

em.

A "

retu

rn to

ba

se"

com

man

d m

ay

invo

lve

a si

gnifi

cant

loss

of

safe

ty m

argi

n. A

fli

ght t

erm

inat

ion

func

tion

is n

ot

nece

ssar

ily a

par

achu

te

or a

"des

truct

ive"

sy

stem

.

41

1.3.

5 C

onve

y A

GT

com

man

d st

atus

1.3.

5.a

Con

vey

AG

T co

mm

and

stat

us

enro

ute

Mis

lead

ing

stat

us o

f fli

ght t

erm

inat

ion

com

man

d

Flig

ht c

rew

/UA

S is

una

war

e th

at fl

ight

te

rmin

atio

n sy

stem

has

bee

n de

ploy

ed.

Flig

ht c

rew

/UA

S w

ill n

ot im

med

iate

ly

aler

t ATC

of s

ituat

ion.

How

ever

, fai

rly

soon

bec

ause

of t

he b

ehav

ior o

f the

ve

hicl

e w

ill b

e kn

own

to th

e fli

ght c

rew

an

d A

TC.

maj

or

1.3.

5.b

Con

vey

AG

T co

mm

and

stat

us

enro

ute

Any

mal

func

tion

othe

r th

an lo

ss o

f sta

tus o

f fli

ght t

erm

inat

ion

com

man

d.

Non

e no

eff

ect

1.4

Com

man

d &

Con

trol b

etw

een

cont

rol s

tatio

n an

d U

AS

1.4.

1 M

aint

ain

Com

man

d an

d C

ontro

l dur

ing

all p

hase

s of

fligh

t

1.4.

1.a

Mai

ntai

n C

omm

and

and

Con

trol d

urin

g al

l pha

ses o

f fli

ght

enro

ute

Tota

l los

s of C

2 da

ta

link

func

tion.

U

AS

may

mak

e an

unp

redi

ctab

le

man

euve

r res

ultin

g in

unc

ontro

lled

cras

h po

ssib

ly c

ausi

ng in

jury

and

/or d

eath

.

cata

stro

phic

Th

ere

are

man

y le

vels

of

Aut

onom

y th

at c

an b

e de

ploy

ed in

cas

e of

C

omm

and

and

Con

trol

loss

. A

s an

exam

ple

som

e U

ASs

are

gui

ded

to a

spec

ific

way

poin

t lo

catio

n an

d fly

a p

atte

rn

wai

ting

for n

ew

com

man

ds.

Som

e ev

en

have

aut

onom

ous r

etur

n ho

me

capa

bilit

y. T

hese

ar

e al

l miti

gatin

g fa

ctor

s to

be

used

in a

low

er

leve

l FH

A.

1.4.

1.b

Mai

ntai

n C

omm

and

and

Con

trol d

urin

g al

l pha

ses o

f fli

ght

enro

ute

Slow

resp

onse

of C

2

data

link

func

tion

Sign

ifica

nt re

duct

ion

in sa

fety

mar

gin

and

incr

ease

in p

ilot w

orkl

oad.

m

ajor

42

1.4.

1.c

Mai

ntai

n C

omm

and

and

Con

trol d

urin

g al

l pha

ses o

f fli

ght

enro

ute

Deg

rade

d C

2 da

ta li

nk

func

tion

resu

lting

in

inco

rrec

t sig

nal

UA

S m

ay m

ake

an u

npre

dict

able

m

aneu

ver r

esul

ting

in u

ncon

trolle

d cr

ash

poss

ibly

cau

sing

inju

ry a

nd/o

r dea

th.

cata

stro

phic

1.4.

2 Pr

even

t una

utho

rized

acc

ess t

o C

omm

and

and

Con

trol

1.4.

2.a

Prev

ent u

naut

horiz

ed a

cces

s to

Com

man

d an

d C

ontro

l en

rout

e U

naut

horiz

ed a

cces

s of

C2

data

U

AS

may

mak

e an

unp

redi

ctab

le

man

euve

r res

ultin

g in

unc

ontro

lled

cras

h po

ssib

ly c

ausi

ng in

jury

and

/or d

eath

.

cata

stro

phic

1.4.

3 Pr

iorit

ize

Com

man

d &

Con

trol

data

1.4.

3.a

Prio

ritiz

e C

omm

and

& C

ontro

l da

ta

enro

ute

Loss

of p

riorit

izat

ion

func

tion

unde

tect

ed

UA

S m

ay m

ake

an u

npre

dict

able

m

aneu

ver r

esul

ting

in u

ncon

trolle

d cr

ash

poss

ibly

cau

sing

inju

ry a

nd/o

r dea

th.

cata

stro

phic

1.5

Con

trol U

AS

subs

yste

ms

1.5.

1 C

ontro

l pow

er

subs

yste

ms(

hydr

aulic

/ele

ctric

al)en

rout

e

The

Pow

er S

ubsy

stem

s ar

e de

fined

as t

he

com

pone

nts t

hat

gene

rate

and

dis

tribu

te

the

pow

er su

ch a

s the

el

ectri

cal

gene

rato

r/dis

tribu

tion,

hy

drau

lic

pum

ps/m

anifo

lds/

valv

es,

but n

ot th

e en

d ite

m

com

pone

nts t

hat m

ove

the

UA

S A

V su

ch a

s pr

opul

sion

, and

flig

ht

cont

rols

. Th

e fu

nctio

ns

of th

e en

d ite

m

com

pone

nts a

re c

over

ed

unde

r oth

er n

odes

with

in

Avi

ate.

43

1.5.

1.a

Con

trol p

ower

su

bsys

tem

s(hy

drau

lic/e

lect

rical

)enro

ute

Tota

l los

s of f

unct

ion

Loss

of t

he p

ower

subs

yste

m m

ay re

sult

in lo

ss o

f con

trol o

f the

UA

S A

V a

nd

poss

ible

out

of c

ontro

l lan

ding

.

cata

stro

phic

1.5.

1.b

Con

trol p

ower

su

bsys

tem

s(hy

drau

lic/e

lect

rical

)enro

ute

Mis

lead

ing

com

man

d M

isle

adin

g in

form

atio

n to

/from

the

pow

er su

bsys

tem

may

resu

lt in

loss

of

cont

rol o

f the

UA

S A

V a

nd p

ossi

ble

out

of c

ontro

l lan

ding

.

cata

stro

phic

1.5.

2 C

ontro

l fire

supp

ress

ion

syst

em e

nrou

te

All

failu

re c

ondi

tions

Th

e fir

e su

ppre

ssio

n sy

stem

is a

bac

k-up

sy

stem

that

is o

nly

requ

ired

whe

n a

prim

ary

syst

em h

as fa

iled.

Los

s of t

his

syst

em is

a si

gnifi

cant

loss

of s

afet

y m

argi

n, b

ut d

oesn

't af

fect

the

oper

atio

n of

the

UA

S (A

ir V

ehic

le o

r Con

trol

Stat

ion)

maj

or

If th

e lo

ss o

f fun

ctio

n is

de

tect

ed, t

he U

AS

AV

op

erat

or c

an a

bort

the

m

issi

on a

nd m

ake

a co

ntro

l lan

ding

at b

ase

of o

pera

tion

or a

n al

tern

ate

site

. Ev

en if

th

e lo

ss o

f sta

te is

un

dete

cted

or

mis

lead

ing

and

the

mis

sion

con

tinue

s, lo

ss

of sa

fety

mar

gin

incr

ease

s but

not

eno

ugh

to c

hang

e ha

zard

ca

tego

ry.

1.5.

3 C

ontro

l cen

ter o

f gra

vity

1.5.

3.a

Con

trol c

ente

r of g

ravi

ty

enro

ute

Tota

l los

s of c

ontro

l of

cent

er o

f gra

vity

Lo

ss o

f abi

lity

to c

ontro

l cen

ter o

f gr

avity

func

tion

may

resu

lt in

the

UA

S be

ing

oper

ated

out

side

its e

nvel

ope

and/

or re

sult

in th

e op

erat

ors i

nabi

lity

to

cont

rol t

he U

AS.

The

se c

ondi

tions

can

re

sult

in a

n ou

t of c

ontro

l lan

ding

.

cata

stro

phic

1.5.

3.b

Con

trol c

ente

r of g

ravi

ty

enro

ute

Deg

rade

d co

ntro

l of

cent

er o

f gra

vity

A

sign

ifica

nt in

crea

se in

the

pilo

t w

orkl

oad

to m

aint

ain

cont

rolle

d fli

ght o

fth

e U

AS

and

a si

gnifi

cant

redu

ctio

n in

sa

fety

maj

or

Ass

umed

ther

e is

en

ough

con

trol t

o ab

ort

mis

sion

and

retu

rn U

AS

to a

safe

land

ing

44

1.5.

4 C

ontro

l env

ironm

ent i

nsid

e th

e U

AS

enro

ute

1.5.

4.a

Con

trol e

nviro

nmen

t ins

ide

the

UA

S en

rout

e To

tal l

oss o

f fun

ctio

n Lo

ss o

f abi

lity

to c

ontro

l env

ironm

ent

insi

de th

e U

AS

may

cau

se c

onsu

min

g fu

nctio

n to

take

the

wro

ng a

ctio

n re

sulti

ng in

the

UA

S A

V to

be

oper

ated

ou

tsid

e its

env

elop

e an

d/or

resu

lt in

the

oper

ator

s ina

bilit

y to

con

trol t

he U

AS

AV

. The

se c

ondi

tions

can

resu

lt in

an

out o

f con

trol l

andi

ng.

cata

stro

phic

1.5.

4.b

Con

trol e

nviro

nmen

t ins

ide

the

UA

S en

rout

e M

isle

adin

g co

mm

and

mis

lead

ing

info

rmat

ion

may

cau

se

cons

umin

g fu

nctio

n to

take

the

wro

ng

actio

n re

sulti

ng in

the

UA

S A

V to

be

oper

ated

out

side

its e

nvel

ope

and/

or

resu

lt in

the

oper

ator

s ina

bilit

y to

con

trol

the

UA

S A

V. T

hese

con

ditio

ns c

an

resu

lt in

an

out o

f con

trol l

andi

ng.

cata

stro

phic

1.5.

4.c

Con

trol e

nviro

nmen

t ins

ide

the

UA

S en

rout

e D

egra

ded

cont

rol

A la

rge

incr

ease

in th

e pi

lot w

orkl

oad

to

mai

ntai

n co

ntro

lled

fligh

t of t

he U

AS

and

a la

rge

redu

ctio

n in

safe

ty

maj

or

Ass

umes

the

degr

adat

ion

is k

now

n an

d sl

ow e

noug

h to

al

low

a m

issi

on a

bort

and

cont

rolle

d la

ndin

g 1.

5.5

Mon

itor a

nd re

cord

UA

S st

ate

data

en

rout

e A

ll fa

ilure

con

ditio

ns

UA

S w

ould

not

be

able

to re

prod

uce

stat

e da

ta in

cas

e of

inci

dent

/mis

hap.

no

eff

ect

This

syst

em is

onl

y in

pl

ace

to re

cord

dat

a in

ca

se th

ere

is a

cra

sh o

r m

isha

p so

ther

e is

no

effe

ct o

n th

e U

AS

durin

g no

rmal

op

erat

ions

. H

owev

er,

ther

e is

the

poss

ibili

ty o

f de

sign

ass

uran

ce le

vels

be

ing

plac

ed o

n th

is

syst

em, s

uch

as L

evel

B

softw

are

requ

irem

ents

. 2.

0 N

avig

ate

45

2.1

Con

vey

navi

gatio

n st

ate

Nav

igat

ion

stat

e in

form

atio

n is

upd

ated

pe

riodi

cally

. B

ecau

se o

f th

is, u

ndet

ecte

d lo

ss o

f th

is fu

nctio

n is

not

a

reas

onab

le fa

ilure

mod

e.2.

1.a

Con

vey

navi

gatio

n st

ate

enro

ute

Tota

l los

s of f

unct

ion

(det

ecte

d)

The

UA

S lo

ses a

war

enes

s of A

V

loca

tion

and

envi

ronm

enta

l con

ditio

ns

affe

ctin

g its

inte

nded

flig

ht p

ath.

Pi

lot/o

pera

tor w

ill h

ave

to re

ly o

n A

TC

for t

actic

al g

uida

nce.

Wor

kloa

ds o

f ATC

an

d U

AS

pilo

t/ope

rato

r are

incr

ease

d,

thus

redu

cing

safe

ty m

argi

ns.

maj

or

2.1.

b C

onve

y na

viga

tion

stat

e en

rout

e To

tal l

oss o

f fun

ctio

n (u

ndet

ecte

d)

no

eff

ect

Not

a re

ason

able

failu

re

mod

e. R

ow re

tain

ed to

av

oid

renu

mbe

ring.

46

2.1.

c C

onve

y na

viga

tion

stat

e en

rout

e In

corr

ect n

avig

atio

n st

ate

is c

onve

yed

The

UA

S is

mis

lead

abo

ut th

e cu

rren

t na

viga

tiona

l sta

te. I

n th

e w

orst

cas

e,

ther

e is

a p

ossi

bilit

y of

con

flict

with

ot

her a

ir tra

ffic

. At b

est,

ATC

will

not

ice

fligh

t pla

n de

viat

ion

or o

ther

ano

mal

y,

and

will

pro

vide

tact

ical

gui

danc

e.

Wor

kloa

ds o

f ATC

and

UA

S pi

lot/o

pera

tor a

re in

crea

sed,

thus

re

duci

ng sa

fety

mar

gins

. Po

tent

ial m

id-

air c

ollis

ion

resu

lting

from

use

of

mis

lead

ing

navi

gatio

nal i

nfor

mat

ion.

Th

e m

ost p

ress

ing

conc

ern

is a

pot

entia

l lo

ss o

f ver

tical

sepa

ratio

n du

e to

m

isle

adin

g al

titud

e.

Not

reco

gniz

ing

that

the

navi

gatio

nal s

tate

is m

isle

adin

g w

ill li

kely

resu

lt in

mor

e th

an a

si

gnifi

cant

incr

ease

in c

rew

/ATC

w

orkl

oad,

and

mor

e th

an a

sign

ifica

nt

decr

ease

in sa

fety

mar

gin.

haza

rdou

s Th

is c

lass

ifica

tion

is

mor

e se

vere

than

the

corr

espo

ndin

g fu

nctio

n in

AC

23.

1309

-1C

. Th

ere,

a c

omm

ent

indi

cate

s tha

t rou

tine

eye

scan

miti

gate

s los

s of

navi

gatio

nal

info

rmat

ion.

For

a

UA

S, w

e do

not

hav

e th

e po

tent

ial m

itiga

ting

effe

cts o

f an

eye

scan

, so

the

seve

rity

leve

l is

high

er.

In th

e en

rout

e ph

ase,

the

mos

t ser

ious

ty

pe o

f mis

lead

ing

info

rmat

ion

is a

ltitu

de,

as th

is c

ould

read

ily le

ad

to p

oten

tial c

onfli

ct w

ith

othe

r airc

raft.

Whe

n th

is

FHA

is e

xpan

ded

to

cons

ider

oth

er fl

ight

ph

ases

, mis

lead

ing

navi

gatio

nal s

tate

cou

ld

also

con

tribu

te to

CFI

T ac

cide

nts.

The

se m

ay

elev

ate

the

seve

rity

to

cata

stro

phic

. 2.

2 D

eter

min

e na

viga

tion

inte

nt

2.2.

1 D

eter

min

e fli

ght p

lan

47

2.2.

1.a

Det

erm

ine

fligh

t pla

n en

rout

e To

tal l

oss o

f fun

ctio

n (d

etec

ted)

M

issi

on w

ill b

e de

laye

d un

til fl

ight

-pl

anni

ng c

apab

ility

can

be

rest

ored

. no

eff

ect

This

pre

sum

es th

at th

is

func

tion

refe

rs o

nly

to

the

pre-

fligh

t pha

se o

f fli

ght p

lann

ing.

C

onse

quen

ces o

f the

lo

ss o

f flig

ht p

lann

ing

durin

g th

e m

issi

on m

ay

be m

ore

seve

re.

2.2.

1.b

Det

erm

ine

fligh

t pla

n en

rout

e To

tal l

oss o

f fun

ctio

n (u

ndet

ecte

d)

Not

a m

eani

ngfu

l fai

lure

mod

e.

no e

ffec

t

2.2.

1.c

Det

erm

ine

fligh

t pla

n en

rout

e In

corr

ect f

light

pla

n is

de

term

ined

Po

tent

ial c

onfli

ct w

ith o

ther

airc

raft,

ad

vers

e en

viro

nmen

tal c

ondi

tions

, te

rrai

n or

obs

tacl

es. M

onito

ring

by A

TC

will

pro

vide

safe

ty b

acku

p if

anom

alie

s in

flig

ht p

ath

are

notic

ed in

tim

e. T

his

cons

titut

es a

sign

ifica

nt re

duct

ion

in

safe

ty m

argi

ns a

nd si

gnifi

cant

incr

ease

in

cre

w/A

TC w

orkl

oad.

maj

or

Con

sequ

ence

s cou

ld b

e m

ore

seve

re in

a h

igh-

traff

ic d

ensi

ty

envi

ronm

ent.

2.2.

2 D

eter

min

e ne

xt w

aypo

int

2.2.

2.a

Det

erm

ine

next

way

poin

t en

rout

e To

tal l

oss o

f fun

ctio

n (d

etec

ted)

U

AS

unab

le to

con

tinue

on

desi

red

fligh

t pat

h. W

ill h

ave

to w

ork

with

ATC

to

pla

n ne

xt p

ortio

n of

flig

ht. W

ill

incr

ease

wor

kloa

ds o

f pilo

t-ope

rato

r and

A

TC. M

ay re

quire

mis

sion

abo

rt.

min

or

2.2.

2.b

Det

erm

ine

next

way

poin

t en

rout

e To

tal l

oss o

f fun

ctio

n (u

ndet

ecte

d)

Not

a m

eani

ngfu

l fai

lure

mod

e.

no e

ffec

t

48

2.2.

2.c

Det

erm

ine

next

way

poin

t en

rout

e N

ext w

ay p

oint

is

inco

rrec

tly d

eter

min

ed Po

tent

ial c

onfli

ct w

ith o

ther

airc

raft

or

adve

rse

envi

ronm

enta

l con

ditio

ns.

Mon

itorin

g by

ATC

will

pro

vide

safe

ty

back

up if

ano

mal

ies i

n fli

ght p

ath

are

notic

ed in

tim

e. T

his c

onst

itute

s a

sign

ifica

nt re

duct

ion

in sa

fety

mar

gins

an

d si

gnifi

cant

incr

ease

in c

rew

/ATC

w

orkl

oad.

maj

or

Con

sequ

ence

s cou

ld b

e m

ore

seve

re in

a h

igh-

traff

ic d

ensi

ty

envi

ronm

ent.

2.2.

3 D

eter

min

e lo

ng-te

rm re

quire

d se

para

tion

2.2.

3.a

Det

erm

ine

long

-term

requ

ired

sepa

ratio

n en

rout

e To

tal l

oss o

f fun

ctio

n (d

etec

ted)

U

AS

pilo

t/ope

rato

r will

follo

w A

TC

clea

ranc

es to

mai

ntai

n re

quire

d se

para

tions

from

oth

er a

ircra

ft.

no e

ffec

t If

ATC

is th

e so

le m

eans

of

pro

vidi

ng se

para

tion

requ

irem

ent

info

rmat

ion,

then

this

fa

ilure

impl

ies a

loss

of

cont

act w

ith A

TC,

whi

ch is

a m

uch

mor

e se

rious

situ

atio

n.

2.2.

3.b

Det

erm

ine

long

-term

requ

ired

sepa

ratio

n en

rout

e To

tal l

oss o

f fun

ctio

n (u

ndet

ecte

d)

Not

a m

eani

ngfu

l fai

lure

mod

e.

2.2.

3.c

Det

erm

ine

long

-term

requ

ired

sepa

ratio

n en

rout

e In

corr

ect l

ong-

term

re

quire

d se

para

tion

is

dete

rmin

ed

Pote

ntia

l for

con

flict

with

oth

er tr

affic

. H

owev

er, A

TC w

ill b

e m

onito

ring

situ

atio

n an

d pr

ovid

ing

clea

ranc

es to

av

oid

sepa

ratio

n vi

olat

ions

.

min

or

Con

sequ

ence

s dep

end

upon

the

sour

ce o

f the

in

form

atio

n. O

bvio

usly

, if

it w

as p

rovi

ded

by

ATC

to b

egin

with

, thi

s m

ay p

ose

a m

uch

mor

e se

rious

pro

blem

. 2.

2.4

Det

erm

ine

right

-of-

way

rule

s

49

2.2.

4.a

Det

erm

ine

right

-of-

way

rule

s en

rout

e To

tal l

oss o

f fun

ctio

n (d

etec

ted)

U

AS

pilo

t/ope

rato

r will

con

sult

with

A

TC a

s nee

ded.

no

eff

ect

If A

TC is

the

sole

mea

ns

of p

rovi

ding

righ

t-of-

way

rule

s inf

orm

atio

n,

then

this

failu

re im

plie

s a

loss

of c

onta

ct w

ith

ATC

, whi

ch is

a m

uch

mor

e se

rious

situ

atio

n.

2.2.

4.b

Det

erm

ine

right

-of-

way

rule

s en

rout

e To

tal l

oss o

f fun

ctio

n (u

ndet

ecte

d)

Not

a m

eani

ngfu

l fai

lure

mod

e.

2.2.

4.c

Det

erm

ine

right

-of-

way

rule

s en

rout

e In

corr

ect r

ight

-of-

way

ru

les a

re d

eter

min

ed

Pote

ntia

l for

con

flict

with

oth

er tr

affic

. H

owev

er, A

TC w

ill b

e m

onito

ring

situ

atio

n an

d pr

ovid

ing

clea

ranc

es to

av

oid

sepa

ratio

n vi

olat

ions

. Thi

s co

nstit

utes

a si

gnifi

cant

redu

ctio

n in

sa

fety

mar

gins

and

sign

ifica

nt in

crea

se

in c

rew

/ATC

wor

kloa

d.

maj

or

Con

sequ

ence

s dep

end

upon

the

sour

ce o

f the

in

form

atio

n. O

bvio

usly

, if

it w

as p

rovi

ded

by

ATC

to b

egin

with

, thi

s m

ay p

ose

a m

uch

mor

e se

rious

pro

blem

. 2.

3 Pr

oduc

e na

viga

tion

com

man

d

2.3.

a Pr

oduc

e na

viga

tion

com

man

d en

rout

e To

tal l

oss o

f fun

ctio

n (d

etec

ted)

U

AS

unab

le to

con

tinue

on

desi

red

fligh

t pat

h. W

ill h

ave

to w

ork

with

ATC

to

pla

n ne

xt p

ortio

n of

flig

ht. W

ill

incr

ease

wor

kloa

ds o

f pilo

t-ope

rato

r and

A

TC. M

ay re

quire

mis

sion

abo

rt.

min

or

2.3.

b Pr

oduc

e na

viga

tion

com

man

d en

rout

e To

tal l

oss o

f fun

ctio

n (u

ndet

ecte

d)

UA

S A

V m

ay c

ontin

ue o

n cu

rren

t flig

ht

path

whe

n it

shou

ld b

e ch

angi

ng p

ath.

Po

tent

ial c

onfli

ct w

ith o

ther

airc

raft

or

adve

rse

envi

ronm

enta

l con

ditio

ns.

Mon

itorin

g by

ATC

will

pro

vide

safe

ty

back

up if

ano

mal

ies i

n fli

ght p

ath

are

notic

ed in

tim

e.

no e

ffec

t

50

2.3.

c Pr

oduc

e na

viga

tion

com

man

d en

rout

e In

corr

ect n

avig

atio

n co

mm

and

is p

rodu

ced

Pote

ntia

l con

flict

with

oth

er a

ircra

ft or

ad

vers

e en

viro

nmen

tal c

ondi

tions

. M

onito

ring

by A

TC w

ill p

rovi

de sa

fety

ba

ckup

if a

nom

alie

s in

fligh

t pat

h ar

e no

ticed

in ti

me.

Thi

s con

stitu

tes a

si

gnifi

cant

redu

ctio

n in

safe

ty m

argi

ns

and

sign

ifica

nt in

crea

se in

cre

w/A

TC

wor

kloa

d.

maj

or

Con

sequ

ence

s cou

ld b

e m

ore

seve

re in

a h

igh-

traff

ic d

ensi

ty

envi

ronm

ent.

2.4

Det

erm

ine

navi

gatio

n co

mm

and

stat

us

2.4.

a D

eter

min

e na

viga

tion

com

man

d st

atus

en

rout

e To

tal l

oss o

f fun

ctio

n (d

etec

ted)

U

AS

pilo

t/ope

rato

r will

con

sult

with

A

TC a

s nee

ded.

Will

incr

ease

pi

lot/o

pera

tor a

nd A

TC w

orkl

oad.

min

or

2.4.

b D

eter

min

e na

viga

tion

com

man

d st

atus

en

rout

e To

tal l

oss o

f fun

ctio

n (u

ndet

ecte

d)

Not

a m

eani

ngfu

l fai

lure

mod

e.

no e

ffec

t Pr

esum

es th

at

pilo

t/ope

rato

r will

be

expe

ctin

g st

atus

and

will

no

tice

a m

issi

ng st

atus

, ev

en if

ther

e is

no

aler

t. 2.

4.c

Det

erm

ine

navi

gatio

n co

mm

and

stat

us

enro

ute

Nav

igat

ion

com

man

d st

atus

is in

corr

ectly

de

term

ined

UA

S A

V m

ay b

e m

aneu

vere

d in

to

dang

er a

s a re

sult

of m

isun

ders

tood

na

viga

tiona

l sta

tus.

Pote

ntia

l con

flict

w

ith o

ther

airc

raft

or a

dver

se

envi

ronm

enta

l con

ditio

ns. M

onito

ring

by A

TC w

ill p

rovi

de sa

fety

bac

kup

if an

omal

ies i

n fli

ght p

ath

are

notic

ed in

tim

e. T

his c

onst

itute

s a si

gnifi

cant

re

duct

ion

in sa

fety

mar

gins

and

si

gnifi

cant

incr

ease

in c

rew

/ATC

w

orkl

oad.

maj

or

3.0

Com

mun

icat

e

51

3.1

Bro

adca

st in

form

atio

n to

ATC

an

d ot

her a

ircra

ft

Unl

ess o

ther

wis

e no

ted,

co

mm

unic

ate

refe

rs to

vo

ice.

3.1.

1 B

road

cast

com

mun

icat

ions

3.1.

1.a

Bro

adca

st c

omm

unic

atio

ns

enro

ute

Tota

l los

s of

com

mun

icat

ions

fu

nctio

n de

tect

ed

The

airc

raft

dete

cts t

he lo

ss o

f Voi

ce

Com

mun

icat

ion,

may

not

end

the

mis

sion

and

retu

rn to

bas

e if

alte

rnat

e A

TC c

omm

unic

atio

n lin

k ex

ists

.

min

or

Ass

umpt

ion

is th

at

Com

mun

icat

e re

fers

on

ly to

voi

ce tr

ansf

er,

and

that

com

man

d an

d co

ntro

l dat

a lin

k re

mai

ns

oper

able

. Pilo

t has

al

tern

ate

mea

ns o

f co

mm

unic

atio

n, v

ia la

nd

line

3.1.

1.b

Bro

adca

st c

omm

unic

atio

ns

enro

ute

Loss

of

com

mun

icat

ions

fu

nctio

n un

dete

cted

No

resp

onse

is re

ceiv

ed w

hen

com

mun

icat

ion

is a

ttem

pted

usi

ng th

e U

A sy

stem

s. A

ltern

ate

com

mun

icat

ion

syst

em, s

uch

as la

nd li

ne c

an b

e ut

ilize

d.

maj

or

Ass

umpt

ion

is th

at

Com

mun

icat

e re

fers

on

ly to

voi

ce tr

ansf

er,

and

that

com

man

d an

d co

ntro

l dat

a lin

k re

mai

ns

oper

able

. Lat

ency

in

dete

rmin

ing

loss

of

voic

e co

mm

unic

atio

n po

ses a

n ad

ditio

nal

haza

rd b

ecau

se A

TC o

r ot

her a

ir tra

ffic

in

stru

ctio

ns w

ill n

ot b

e re

ceiv

ed.

3.1.

1.c

Bro

adca

st c

omm

unic

atio

ns

enro

ute

Deg

rade

d co

mm

unic

atio

ns

func

tion

All

Com

mun

icat

ion

bein

g se

nt is

not

re

ceiv

ed b

y in

tend

ed re

ceiv

er. A

ltern

ate

com

mun

icat

ion

syst

em, s

uch

as la

nd li

ne

can

be u

tiliz

ed.

maj

or

Ass

umpt

ion

is th

at

Com

mun

icat

e re

fers

on

ly to

voi

ce tr

ansf

er,

and

that

com

man

d an

d co

ntro

l dat

a lin

k re

mai

ns

oper

able

. Inc

lude

s dr

oppe

d w

ords

, gar

bled

in

form

atio

n.

52

3.1.

2 B

road

cast

tran

spon

der d

ata

3.1.

2.a

Bro

adca

st tr

ansp

onde

r dat

a

enro

ute

Tota

l los

s of f

unct

ion

dete

cted

Si

nce

the

loss

of c

apab

ility

is d

etec

ted,

U

AS

pilo

t/ope

rato

r can

turn

to A

TC fo

r as

sist

ance

to c

onve

y ra

nge,

bea

ring

and

altit

ude.

maj

or

Miti

gatio

n by

the

serv

ice

prov

ider

ass

umes

that

U

AS

is n

ot e

ntire

ly

depe

nden

t on

ATC

for

colli

sion

avo

idan

ce a

nd

has s

ome

met

hod

of

dete

ct a

nd a

void

. ATC

ha

s prim

ary

and

seco

ndar

y ra

dar.

Tran

spon

der p

icke

d up

by

seco

ndar

y. A

TC w

ill

know

that

UA

S tra

nspo

nder

func

tion

has

been

lost

. 3.

1.2.

b B

road

cast

tran

spon

der d

ata

en

rout

e Lo

ss o

f fun

ctio

n un

dete

cted

If

bot

h ai

rcra

ft ar

e be

ing

track

ed b

y se

rvic

e pr

ovid

er, a

nd ti

me

perm

its, A

TC

will

atte

mpt

to w

arn

one

or b

oth

airc

raft

to a

void

col

lisio

n.

maj

or

Prim

ary

rada

r stil

l av

aila

ble

3.1.

2.c

Bro

adca

st tr

ansp

onde

r dat

a

enro

ute

Mis

lead

ing/

degr

aded

fu

nctio

n In

corr

ect d

ata

bein

g se

nt to

oth

er a

ircra

ft m

ay c

ause

pos

sibl

e co

nflic

t with

oth

er

airc

raft.

ATC

is u

nabl

e to

dire

ct sa

fe

sepa

ratio

n.

cata

stro

phic

3.1.

3 Pa

rtici

pate

in lo

st C

2 lin

k pr

oced

ures

This

ass

umes

a d

oubl

e fu

nctio

n fa

ilure

ha

s occ

urre

d.

3.1.

3.a

Parti

cipa

te in

lost

C2

link

proc

edur

es

enro

ute

Tota

l los

s of f

unct

ion

Sinc

e th

e lo

ss o

f cap

abili

ty is

det

ecte

d,

UA

S pi

lot/o

pera

tor c

an tu

rn to

ATC

for

assi

stan

ce b

y al

tern

ate

met

hod

(land

lin

e).

maj

or

Miti

gatio

n by

the

serv

ice

prov

ider

ass

umes

that

U

AS

is n

ot e

ntire

ly

depe

nden

t on

ATC

for

colli

sion

avo

idan

ce.

3.2

Rec

eive

info

from

ATC

and

ot

her a

ircra

ft en

rout

e

53

3.2.

1 R

ecei

ve c

omm

unic

atio

ns

3.

2.1.

a R

ecei

ve c

omm

unic

atio

ns

enro

ute

Tota

l los

s of

com

mun

icat

ions

fu

nctio

n de

tect

ed

The

airc

raft

dete

cts t

he lo

ss o

f voi

ce

com

mun

icat

ion,

may

not

end

the

mis

sion

and

retu

rn to

bas

e if

alte

rnat

e A

TC c

omm

unic

atio

n lin

k ex

ists

.

min

or

Ass

umpt

ion

is th

at

Com

mun

icat

e re

fers

on

ly to

voi

ce tr

ansf

er,

and

that

com

man

d an

d co

ntro

l dat

a lin

k re

mai

ns

oper

able

. Pilo

t has

al

tern

ate

mea

ns o

f co

mm

unic

atio

n, v

ia la

nd

line

3.2.

1.b

Rec

eive

com

mun

icat

ions

en

rout

e Lo

ss o

f co

mm

unic

atio

ns

func

tion

unde

tect

ed

No

resp

onse

is re

ceiv

ed w

hen

com

mun

icat

ion

is a

ttem

pted

usi

ng th

e U

A sy

stem

s. A

ltern

ate

com

mun

icat

ion

syst

em, s

uch

as la

nd li

ne c

an b

e ut

ilize

d.

min

or

Ass

umpt

ion

is th

at

Com

mun

icat

e re

fers

on

ly to

voi

ce tr

ansf

er,

and

that

com

man

d an

d co

ntro

l dat

a lin

k re

mai

ns

oper

able

. Lat

ency

in

dete

rmin

ing

loss

of

voic

e co

mm

unic

atio

n po

ses a

n ad

ditio

nal

haza

rd b

ecau

se A

TC o

r ot

her a

ir tra

ffic

in

stru

ctio

ns w

ill n

ot b

e re

ceiv

ed .

3.2.

1.c

Rec

eive

com

mun

icat

ions

en

rout

e D

egra

ded

com

mun

icat

ions

fu

nctio

n de

tect

ed

All

com

mun

icat

ion

bein

g se

nt is

not

re

ceiv

ed b

y in

tend

ed re

ceiv

er. A

ltern

ate

com

mun

icat

ion

syst

em, s

uch

as la

nd li

ne

can

be u

tiliz

ed.

min

or

Ass

umpt

ion

is th

at

Com

mun

icat

e re

fers

on

ly to

voi

ce tr

ansf

er,

and

that

com

man

d an

d co

ntro

l dat

a lin

k re

mai

ns

oper

able

. Inc

lude

s dr

oppe

d w

ords

, gar

bled

in

form

atio

n,

3.2.

2 R

ecei

ve tr

ansp

onde

r dat

a

54

3.2.

2.a

Rec

eive

tran

spon

der d

ata

en

rout

e To

tal l

oss o

f fun

ctio

n de

tect

ed

Sinc

e th

e lo

ss o

f cap

abili

ty is

det

ecte

d,

UA

S pi

lot/o

pera

tor c

an tu

rn to

ATC

for

assi

stan

ce.

min

or

Miti

gatio

n by

the

serv

ice

prov

ider

ass

umes

that

U

AS

is n

ot e

ntire

ly

depe

nden

t on

ATC

for

colli

sion

avo

idan

ce a

nd

has s

ome

met

hod

of

dete

ct a

nd a

void

. ATC

ha

s prim

ary

and

seco

ndar

y ra

dar.

Tran

spon

der p

icke

d up

by

seco

ndar

y. A

TC w

ill

know

that

UA

S tra

nspo

nder

func

tion

has

been

lost

. 3.

2.2.

b R

ecei

ve tr

ansp

onde

r dat

a

enro

ute

Loss

of f

unct

ion

unde

tect

ed

If b

oth

airc

raft

are

bein

g tra

cked

by

serv

ice

prov

ider

, an

d tim

e pe

rmits

, ATC

w

ill a

ttem

pt to

war

n on

e or

bot

h ai

rcra

ft to

avo

id c

ollis

ion.

min

or

Ass

ignm

ent o

f "M

inor

" is

bas

ed o

n th

e pr

esum

ptio

n th

at A

TC is

m

onito

ring

the

situ

atio

n.

Prim

ary

rada

r stil

l av

aila

ble

3.2.

2.c

Rec

eive

tran

spon

der d

ata

en

rout

e M

isle

adin

g fu

nctio

n In

corr

ect d

ata

bein

g se

nt to

oth

er a

ircra

ft m

y ca

use

conf

lict w

ith o

ther

airc

raft.

In

corr

ect d

ata

coul

d al

so re

sult

in

unne

cess

ary

avoi

danc

e m

aneu

ver t

hat

enda

nger

s ano

ther

airc

raft.

cata

stro

phic

3.2.

3 M

onito

r com

mun

icat

ion

from

A

TC a

nd o

ther

airc

raft

3.

2.3.

a M

onito

r com

mun

icat

ion

from

A

TC a

nd o

ther

airc

raft

enro

ute

Tota

l los

s of f

unct

ion

dete

cted

Th

e pi

lot d

etec

ts th

e lo

ss o

f voi

ce

com

mun

icat

ion,

may

not

end

the

mis

sion

and

retu

rn to

bas

e if

alte

rnat

e A

TC c

omm

unic

atio

n lin

k ex

ists

.

min

or

Ass

umpt

ion

is th

at

Com

mun

icat

e re

fers

on

ly to

voi

ce tr

ansf

er,

and

that

com

man

d an

d co

ntro

l dat

a lin

k re

mai

ns

oper

able

. Pilo

t has

al

tern

ate

mea

ns o

f co

mm

unic

atio

n, v

ia la

nd

line

55

3.2.

3.b

Mon

itor c

omm

unic

atio

n fr

om

ATC

and

oth

er a

ircra

ft en

rout

e Lo

ss o

f fun

ctio

n un

dete

cted

Th

e pi

lot d

oes n

ot re

ceiv

e vo

ice

traff

ic

from

oth

er a

ir tra

ffic

or A

TC. A

ltern

ate

com

mun

icat

ion

syst

em, s

uch

as la

nd li

ne

can

be u

tiliz

ed.

min

or

Ass

umpt

ion

is th

at

Com

mun

icat

e re

fers

on

ly to

voi

ce tr

ansf

er,

and

that

com

man

d an

d co

ntro

l dat

a lin

k re

mai

ns

oper

able

. Lat

ency

in

dete

rmin

ing

loss

of

voic

e co

mm

unic

atio

n po

ses a

n ad

ditio

nal

haza

rd b

ecau

se A

TC o

r ot

her a

ir tra

ffic

in

stru

ctio

ns w

ill n

ot b

e re

ceiv

ed .

3.2.

3.c

Mon

itor c

omm

unic

atio

n fr

om

ATC

and

oth

er a

ircra

ft en

rout

e D

egra

ded

func

tion

dete

cted

A

ll co

mm

unic

atio

n be

ing

sent

is n

ot

rece

ived

by

inte

nded

rece

iver

. Alte

rnat

e co

mm

unic

atio

n sy

stem

, suc

h as

land

line

ca

n be

util

ized

.

min

or

Ass

umpt

ion

is th

at

Com

mun

icat

e re

fers

on

ly to

voi

ce tr

ansf

er,

and

that

com

man

d an

d co

ntro

l dat

a lin

k re

mai

ns

oper

able

. Inc

lude

s dr

oppe

d w

ords

, gar

bled

in

form

atio

n, L

aten

cy in

de

term

inin

g th

at v

oice

co

mm

unic

atio

n ha

s bee

n de

grad

ed p

oses

an

addi

tiona

l haz

ard

beca

use

ATC

or o

ther

ai

r tra

ffic

inst

ruct

ions

w

ill n

ot b

e re

ceiv

ed .

4.0

Miti

gate

4.1

Avo

id c

ollis

ions

56

4.1.

1 A

void

air

traff

ic

The

func

tion

here

shou

ld

real

ly b

e "A

void

C

ollis

ions

", an

d fu

rther

el

abor

atio

n is

un

nece

ssar

y at

this

leve

l. Th

e "D

etec

t", "

Trac

k",

"Det

erm

ine"

, "Se

lect

",

"Exe

cute

", a

nd "

Con

vey

Stat

us"

sub-

func

tions

im

pose

a p

artic

ular

im

plem

enta

tion.

H

owev

er, w

e de

cide

d to

as

sum

e th

is st

ruct

ure

in

orde

r to

expl

ore

som

e is

sues

of i

nter

est i

n co

nflic

t and

col

lisio

n av

oida

nce.

4.

1.1.

1 D

etec

t air

traff

ic

4.1.

1.1.

a D

etec

t air

traff

ic

enro

ute

Tota

l los

s of f

unct

ion

Poss

ibili

ty o

f con

flict

with

ano

ther

ai

rcra

ft. H

owev

er, a

ssum

ptio

n of

bei

ng

in C

lass

A a

irspa

ce u

nder

IFR

mea

ns

that

ATC

will

pro

vide

sepa

ratio

n.

maj

or

4.1.

1.1.

b D

etec

t air

traff

ic

enro

ute

Intru

der i

s "de

tect

ed"

whe

n no

ne is

ther

e (f

alse

ala

rm)

Poss

ibili

ty o

f los

s of c

ontro

l and

/or

conf

lict w

ith a

noth

er (r

eal)

airc

raft.

C

ould

resu

lt in

unn

eces

sary

avo

idan

ce

man

euve

r tha

t end

ange

rs a

noth

er

airc

raft.

maj

or

Haz

ard

seve

rity

assi

gned

pe

r FA

A p

ract

ice

for

man

ned

airc

raft

4.1.

1.1.

c D

etec

t air

traff

ic

enro

ute

Intru

der i

s not

det

ecte

d w

hen

ther

e is

a re

al

thre

at.

Poss

ibili

ty o

f con

flict

with

ano

ther

ai

rcra

ft. If

bot

h ai

rcra

ft ar

e be

ing

track

ed

by se

rvic

e pr

ovid

er, a

nd ti

me

perm

its,

ATC

will

atte

mpt

to w

arn

one

or b

oth

airc

raft

to a

void

col

lisio

n.

maj

or

Haz

ard

seve

rity

assi

gned

pe

r FA

A p

ract

ice

for

man

ned

airc

raft

4.1.

1.2

Trac

k ai

r tra

ffic

57

4.1.

1.2.

a Tr

ack

air t

raff

ic

enro

ute

Tota

l los

s of f

unct

ion

Poss

ibili

ty o

f con

flict

with

ano

ther

ai

rcra

ft.

How

ever

, ass

umpt

ion

of b

eing

in C

lass

A

airs

pace

und

er IF

R m

eans

that

ATC

w

ill p

rovi

de se

para

tion.

maj

or

4.1.

1.2.

b Tr

ack

air t

raff

ic

enro

ute

Air

traff

ic n

ot o

n a

colli

sion

cou

rse

is

inco

rrec

tly tr

acke

d as

a

thre

at to

ow

nshi

p.

Poss

ibili

ty o

f los

s of c

ontro

l and

/or

conf

lict w

ith a

noth

er (r

eal)

airc

raft.

C

ould

resu

lt in

unn

eces

sary

avo

idan

ce

man

euve

r tha

t end

ange

rs a

noth

er

airc

raft.

maj

or

Haz

ard

seve

rity

assi

gned

pe

r FA

A p

ract

ice

for

man

ned

airc

raft

4.1.

1.2.

c Tr

ack

air t

raff

ic

enro

ute

Air

traff

ic o

n a

colli

sion

cou

rse

is

inco

rrec

tly tr

acke

d as

a

non-

thre

at to

ow

nshi

p.

Poss

ibili

ty o

f con

flict

with

ano

ther

ai

rcra

ft.

If b

oth

airc

raft

are

bein

g tra

cked

by

serv

ice

prov

ider

, an

d tim

e pe

rmits

, ATC

w

ill a

ttem

pt to

war

n on

e or

bot

h ai

rcra

ft to

avo

id c

ollis

ion.

maj

or

Haz

ard

seve

rity

assi

gned

pe

r FA

A p

ract

ice

for

man

ned

airc

raft

4.1.

1.3

Prov

ide

air t

raff

ic tr

acks

4.1.

1.3.

a Pr

ovid

e ai

r tra

ffic

trac

ks

enro

ute

Tota

l los

s of f

unct

ion

Poss

ibili

ty o

f con

flict

with

ano

ther

ai

rcra

ft.

How

ever

, ass

umpt

ion

of b

eing

in C

lass

A

airs

pace

und

er IF

R m

eans

that

ATC

w

ill p

rovi

de se

para

tion.

maj

or

4.1.

1.3.

b Pr

ovid

e ai

r tra

ffic

trac

ks

enro

ute

Rel

ativ

e lo

catio

n of

air

traff

ic o

n a

colli

sion

co

urse

is in

corr

ectly

co

nvey

ed n

ot to

be

a th

reat

to o

wns

hip.

Poss

ibili

ty o

f con

flict

with

ano

ther

ai

rcra

ft.

If b

oth

airc

raft

are

bein

g tra

cked

by

serv

ice

prov

ider

, an

d tim

e pe

rmits

, ATC

w

ill a

ttem

pt to

war

n on

e or

bot

h ai

rcra

ft to

avo

id c

ollis

ion.

maj

or

Haz

ard

seve

rity

assi

gned

pe

r FA

A p

ract

ice

for

man

ned

airc

raft

4.1.

1.4

Det

erm

ine

corr

ectiv

e ac

tion

4.1.

1.4.

a D

eter

min

e co

rrec

tive

actio

n en

rout

e To

tal l

oss o

f fun

ctio

n Po

ssib

ility

of c

onfli

ct w

ith a

noth

er

airc

raft.

How

ever

, ass

umpt

ion

of b

eing

in

Cla

ss A

airs

pace

und

er IF

R m

eans

th

at A

TC w

ill p

rovi

de se

para

tion.

maj

or

58

4.1.

1.4.

b D

eter

min

e co

rrec

tive

actio

n en

rout

e R

elat

ive

loca

tion

of a

ir tra

ffic

not

on

a co

llisi

on

cour

se is

inco

rrec

tly

conv

eyed

to b

e a

thre

at

to o

wns

hip.

Poss

ibili

ty o

f los

s of c

ontro

l and

/or

conf

lict w

ith a

noth

er (r

eal)

airc

raft.

C

ould

resu

lt in

unn

eces

sary

avo

idan

ce

man

euve

r tha

t end

ange

rs a

noth

er

airc

raft.

maj

or

Haz

ard

seve

rity

assi

gned

pe

r FA

A p

ract

ice

for

man

ned

airc

raft

4.1.

1.4.

c D

eter

min

e co

rrec

tive

actio

n en

rout

e R

elat

ive

loca

tion

of a

ir tra

ffic

on

a co

llisi

on

cour

se is

inco

rrec

tly

conv

eyed

not

to b

e a

thre

at to

ow

nshi

p.

Poss

ibili

ty o

f con

flict

with

ano

ther

ai

rcra

ft.

If b

oth

airc

raft

are

bein

g tra

cked

by

serv

ice

prov

ider

, an

d tim

e pe

rmits

, ATC

w

ill a

ttem

pt to

war

n on

e or

bot

h ai

rcra

ft to

avo

id c

ollis

ion.

maj

or

Haz

ard

seve

rity

assi

gned

pe

r FA

A p

ract

ice

for

man

ned

airc

raft

4.1.

1.5

Sele

ct c

orre

ctiv

e ac

tion

com

man

d

4.1.

1.5.

a Se

lect

cor

rect

ive

actio

n co

mm

and

enro

ute

Tota

l los

s of f

unct

ion

Poss

ibili

ty o

f con

flict

with

ano

ther

ai

rcra

ft.

How

ever

, ass

umpt

ion

of b

eing

in C

lass

A

airs

pace

und

er IF

R m

eans

that

ATC

w

ill p

rovi

de se

para

tion.

maj

or

4.1.

1.5.

b Se

lect

cor

rect

ive

actio

n co

mm

and

enro

ute

Unn

eces

sary

cor

rect

ive

actio

n co

mm

and

prod

uced

.

Poss

ibili

ty o

f los

s of c

ontro

l and

/or

conf

lict w

ith a

noth

er (r

eal)

airc

raft.

C

ould

resu

lt in

unn

eces

sary

avo

idan

ce

man

euve

r tha

t end

ange

rs a

noth

er

airc

raft.

maj

or

Haz

ard

seve

rity

assi

gned

pe

r FA

A p

ract

ice

for

man

ned

airc

raft

4.1.

1.5.

c Se

lect

cor

rect

ive

actio

n co

mm

and

enro

ute

Nec

essa

ry c

orre

ctiv

e ac

tion

com

man

d no

t pr

oduc

ed.

Poss

ibili

ty o

f con

flict

with

ano

ther

ai

rcra

ft. If

bot

h ai

rcra

ft ar

e be

ing

track

ed

by se

rvic

e pr

ovid

er,

and

time

perm

its,

ATC

will

atte

mpt

to w

arn

one

or b

oth

airc

raft

to a

void

col

lisio

n.

maj

or

Haz

ard

seve

rity

assi

gned

pe

r FA

A p

ract

ice

for

man

ned

airc

raft

59

4.1.

1.6

Exec

ute

corr

ectiv

e ac

tion

com

man

d (a

ccom

plis

hed

unde

r A

viat

e)

Cov

ered

und

er A

viat

e fu

nctio

n

4.1.

1.7

Con

vey

Post

Cor

rect

ive

Act

ion

Stat

us to

ATC

N

ot y

et c

lear

if th

is

func

tion

is re

leva

nt si

nce

it th

e ef

fect

s are

not

di

rect

ly c

ause

d by

the

UA

S.

4.1.

1.7.

a C

onve

y Po

st C

orre

ctiv

e A

ctio

n St

atus

to A

TC

enro

ute

Tota

l los

s of f

unct

ion

A

TC w

ill b

e ex

pect

ing

a st

atus

upd

ate,

an

d w

ill c

onsu

lt ra

dar d

ispl

ays a

nd

cont

inue

to a

ttem

pt to

reac

h U

AS

pilo

t/ope

rato

r for

out

com

e.

min

or

Ass

umes

ATC

can

de

duce

situ

atio

n ba

sed

on ra

dar d

ispl

ay.

4.1.

1.7.

b C

onve

y Po

st C

orre

ctiv

e A

ctio

n St

atus

to A

TC

enro

ute

Cor

rect

ive

actio

n st

atus

in

form

atio

n is

m

isle

adin

g.

Will

cre

ate

diff

eren

t situ

atio

nal

perc

eptio

ns b

etw

een

pilo

t/ope

rato

r and

A

TC. I

ncre

ased

wor

kloa

d fo

r ATC

and

pi

lot/o

pera

tor.

maj

or

Con

fusi

on m

ay re

sult

in

an in

corr

ect a

nd

pote

ntia

lly h

azar

dous

re

actio

n.

4.1.

2 A

void

Gro

und

and

Ver

tical

St

ruct

ures

(whi

le a

irbor

ne)

enro

ute

W

hile

airb

orne

--

impl

ies a

2nd

failu

re

cond

ition

for t

his

(enr

oute

) pha

se o

f flig

ht.

To b

e co

nsid

ered

in

subs

eque

nt a

naly

sis.

4.1.

3 A

void

gro

und

path

obs

truct

ions

(w

hile

land

ing

or o

n gr

ound

) en

rout

e

No

haza

rds f

or e

nrou

te

phas

e

60

4.2

Avo

id a

dver

se e

nviro

nmen

tal

cond

ition

s

Th

e fu

nctio

n he

re sh

ould

re

ally

be

"Pro

vide

A

dver

se E

nviro

nmen

tal

Info

rmat

ion"

, and

fu

rther

ela

bora

tion

is

unne

cess

ary

at th

is le

vel.

The

"Det

ect"

, "Tr

ack"

, "P

rovi

de",

"Det

erm

ine"

, "P

rodu

ce",

"Exe

cute

",

and

"Con

vey

Stat

us"

sub-

func

tions

impo

se a

pa

rticu

lar

impl

emen

tatio

n.

How

ever

, we

deci

ded

to

assu

me

this

stru

ctur

e in

or

der t

o ex

plor

e so

me

issu

es o

f int

eres

t in

avoi

ding

adv

erse

en

viro

nmen

tal

cond

ition

s. A

lso,

we

adm

it th

at

som

e of

thes

e fu

nctio

ns

don'

t eve

n m

ake

sens

e in

ce

rtain

situ

atio

ns --

for

exam

ple,

wha

t doe

s it

mea

n to

"Tr

ack"

an

icin

g co

nditi

on?

4.2.

1 D

etec

t adv

erse

env

ironm

enta

l co

nditi

ons

61

4.2.

1.a

Det

ect a

dver

se e

nviro

nmen

tal

cond

ition

s en

rout

e To

tal l

oss o

f fun

ctio

n C

ould

lead

to lo

ss o

f con

trol o

f UA

S A

V

or o

pera

tion

of th

e U

AS

AV

out

side

of

perf

orm

ance

env

elop

e. P

ossi

bilit

y of

co

nflic

t with

ano

ther

airc

raft

or

enco

unte

r with

gro

und

or g

roun

d st

ruct

ures

. If p

ossi

ble,

ATC

will

pro

vide

in

stru

ctio

ns to

UA

S op

erat

or in

ord

er to

m

itiga

te e

ffec

ts o

f fai

lure

.

haza

rdou

s

4.2.

1.b

Det

ect a

dver

se e

nviro

nmen

tal

cond

ition

s en

rout

e A

dver

se e

nviro

nmen

tal

cond

ition

s doe

s not

ex

ist b

ut is

"de

tect

ed"

In b

est c

ase,

alte

rnat

e w

eath

er so

urce

m

ay p

rovi

de U

AS

with

cor

rect

wea

ther

in

form

atio

n. In

wor

st c

ase,

UA

S A

V

will

man

euve

r to

avoi

d no

n-ex

iste

nt

envi

ronm

enta

l con

ditio

ns.

min

or

Bes

t cas

e as

sum

es th

ere

is a

bac

kup

wea

ther

in

form

atio

n so

urce

. In

wor

st c

ase,

co

nseq

uenc

es c

ould

be

mor

e se

vere

in a

hig

h-de

nsity

traf

fic

envi

ronm

ent.

4.

2.1.

c D

etec

t adv

erse

env

ironm

enta

l co

nditi

ons

enro

ute

Adv

erse

env

ironm

enta

l co

nditi

ons e

xist

s but

is

not d

etec

ted

Cou

ld le

ad to

loss

of c

ontro

l of U

AS

AV

or

ope

ratio

n of

the

UA

S A

V o

utsi

de o

f pe

rfor

man

ce e

nvel

ope.

Pos

sibi

lity

of

conf

lict w

ith a

noth

er a

ircra

ft or

en

coun

ter w

ith g

roun

d or

gro

und

stru

ctur

es. I

f a p

robl

em is

not

iced

by

ATC

in ti

me,

ATC

will

atte

mpt

to

prov

ide

inst

ruct

ions

to U

AS

oper

ator

in

orde

r to

miti

gate

eff

ects

of f

ailu

re.

cata

stro

phic

A

ssum

es th

at A

TC-U

AS

pilo

t loo

p ca

nnot

be

clos

ed fa

st e

noug

h to

pr

even

t los

s of c

ontro

l.

62

4.2.

2 Tr

ack

rela

tive

loca

tion

of

adve

rse

envi

ronm

enta

l co

nditi

ons

This

func

tion

mus

t be

inte

rpre

ted

broa

dly.

For

ex

ampl

e, "

track

ing"

ic

ing

cond

ition

s is

diff

eren

t tha

n tra

ckin

g a

stor

m c

ell.

Icin

g co

nditi

ons c

anno

t be

seen

lite

rally

, onl

y in

ferr

ed fr

om o

ther

w

eath

er d

ata.

(How

ever

, ic

e on

the

win

g ca

n be

se

en in

som

e si

tuat

ions

-- d

oes t

hat c

ount

?)

4.2.

2.a

Trac

k re

lativ

e lo

catio

n of

ad

vers

e en

viro

nmen

tal

cond

ition

s

enro

ute

Tota

l los

s of f

unct

ion

Cou

ld le

ad to

loss

of c

ontro

l of U

AS

AV

or

ope

ratio

n of

the

UA

S A

V o

utsi

de o

f pe

rfor

man

ce e

nvel

ope.

Pos

sibi

lity

of

conf

lict w

ith a

noth

er a

ircra

ft or

en

coun

ter w

ith g

roun

d or

gro

und

stru

ctur

es. I

f pos

sibl

e, A

TC w

ill p

rovi

de

inst

ruct

ions

to U

AS

oper

ator

in o

rder

to

miti

gate

eff

ects

of f

ailu

re.

haza

rdou

s

4.2.

2.b

Trac

k re

lativ

e lo

catio

n of

ad

vers

e en

viro

nmen

tal

cond

ition

s

enro

ute

Adv

erse

env

ironm

enta

l co

nditi

ons a

re

"tra

cked

" as

a th

reat

w

hen

none

exi

st.

In b

est c

ase,

alte

rnat

e w

eath

er so

urce

m

ay p

rovi

de U

AS

with

cor

rect

wea

ther

in

form

atio

n. In

wor

st c

ase,

UA

S A

V

will

man

euve

r to

avoi

d no

n-ex

iste

nt

wea

ther

con

ditio

ns.

min

or

Bes

t cas

e as

sum

es th

ere

is a

bac

kup

wea

ther

in

form

atio

n so

urce

. In

wor

st c

ase,

co

nseq

uenc

es c

ould

be

mor

e se

vere

in a

hig

h-de

nsity

traf

fic

envi

ronm

ent.

63

4.2.

2.c

Trac

k re

lativ

e lo

catio

n of

ad

vers

e en

viro

nmen

tal

cond

ition

s

enro

ute

Adv

erse

env

ironm

enta

l co

nditi

ons a

re n

ot

track

ed a

s a th

reat

.

Cou

ld le

ad to

loss

of c

ontro

l of U

AS

AV

or

ope

ratio

n of

the

UA

S A

V o

utsi

de o

f pe

rfor

man

ce e

nvel

ope.

Pos

sibi

lity

of

conf

lict w

ith a

noth

er a

ircra

ft or

en

coun

ter w

ith g

roun

d or

gro

und

stru

ctur

es. I

f a p

robl

em is

not

iced

by

ATC

in ti

me,

ATC

will

atte

mpt

to

prov

ide

inst

ruct

ions

to U

AS

oper

ator

in

orde

r to

miti

gate

eff

ects

of f

ailu

re.

cata

stro

phic

A

ssum

es th

at A

TC-U

AS

pilo

t loo

p ca

nnot

be

clos

ed fa

st e

noug

h to

pr

even

t los

s of c

ontro

l.

4.2.

3 C

onve

y re

lativ

e lo

catio

n of

ad

vers

e en

viro

nmen

tal

cond

ition

s

4.2.

3.a

Con

vey

rela

tive

loca

tion

of

adve

rse

envi

ronm

enta

l co

nditi

ons

enro

ute

Tota

l los

s of a

bilit

y to

co

nvey

rela

tive

loca

tion

of a

dver

se

envi

ronm

enta

l co

nditi

ons

Cou

ld le

ad to

loss

of c

ontro

l of U

AS

AV

or o

pera

tion

of th

e U

AS

AV

out

side

of

per

form

ance

env

elop

e. P

ossi

bilit

y of

co

nflic

t with

ano

ther

airc

raft

or

enco

unte

r with

gro

und

or g

roun

d st

ruct

ures

. If p

ossi

ble,

ATC

will

pro

vide

in

stru

ctio

ns to

UA

S op

erat

or in

ord

er to

m

itiga

te e

ffec

ts o

f fai

lure

.

haza

rdou

s

4.2.

3.b

Con

vey

rela

tive

loca

tion

of

adve

rse

envi

ronm

enta

l co

nditi

ons

enro

ute

Adv

erse

env

ironm

enta

l co

nditi

ons c

onve

yed

as

a th

reat

whe

n in

fact

no

ne e

xist

.

In b

est c

ase,

alte

rnat

e w

eath

er so

urce

m

ay p

rovi

de U

AS

with

cor

rect

wea

ther

in

form

atio

n. In

wor

st c

ase,

UA

S A

V

will

man

euve

r to

avoi

d no

n-ex

iste

nt

envi

ronm

enta

l con

ditio

ns.

min

or

Bes

t cas

e as

sum

es th

ere

is a

bac

kup

wea

ther

in

form

atio

n so

urce

. In

wor

st c

ase,

co

nseq

uenc

es c

ould

be

mor

e se

vere

in a

hig

h-de

nsity

traf

fic

envi

ronm

ent.

64

4.2.

3.c

Con

vey

rela

tive

loca

tion

of

adve

rse

envi

ronm

enta

l co

nditi

ons

enro

ute

Adv

erse

env

ironm

enta

l co

nditi

ons n

ot

conv

eyed

.

Cou

ld le

ad to

loss

of c

ontro

l of U

AS

AV

or

ope

ratio

n of

the

UA

S A

V o

utsi

de o

f pe

rfor

man

ce e

nvel

ope.

Pos

sibi

lity

of

conf

lict w

ith a

noth

er a

ircra

ft or

en

coun

ter w

ith g

roun

d or

gro

und

stru

ctur

es. I

f a p

robl

em is

not

iced

by

ATC

in ti

me,

ATC

will

atte

mpt

to

prov

ide

inst

ruct

ions

to U

AS

oper

ator

in

orde

r to

miti

gate

eff

ects

of f

ailu

re.

cata

stro

phic

A

ssum

es th

at A

TC-U

AS

pilo

t loo

p ca

nnot

be

clos

ed fa

st e

noug

h to

pr

even

t los

s of c

ontro

l.

4.2.

4 D

eter

min

e co

rrec

tive

actio

n

4.2.

4.a

Det

erm

ine

corr

ectiv

e ac

tion

enro

ute

Tota

l los

s of a

bilit

y to

as

sess

adv

erse

en

viro

nmen

tal

cond

ition

s thr

eat

Cou

ld le

ad to

loss

of c

ontro

l of U

AS

AV

or

ope

ratio

n of

the

UA

S A

V o

utsi

de o

f pe

rfor

man

ce e

nvel

ope.

Pos

sibi

lity

of

conf

lict w

ith a

noth

er a

ircra

ft or

en

coun

ter w

ith g

roun

d or

gro

und

stru

ctur

es. I

f pos

sibl

e, A

TC w

ill p

rovi

de

inst

ruct

ions

to U

AS

oper

ator

in o

rder

to

miti

gate

eff

ects

of f

ailu

re.

haza

rdou

s

4.2.

4.c

Det

erm

ine

corr

ectiv

e ac

tion

enro

ute

Adv

erse

env

ironm

enta

l co

nditi

ons a

sses

sed

as a

th

reat

whe

n in

fact

no

ne e

xist

.

In b

est c

ase,

alte

rnat

e w

eath

er so

urce

m

ay p

rovi

de U

AS

with

cor

rect

wea

ther

in

form

atio

n. In

wor

st c

ase,

UA

S A

V

will

man

euve

r to

avoi

d no

n-ex

iste

nt

envi

ronm

enta

l con

ditio

ns.

min

or

Bes

t cas

e as

sum

es th

ere

is a

bac

kup

wea

ther

in

form

atio

n so

urce

. In

wor

st c

ase,

co

nseq

uenc

es c

ould

be

mor

e se

vere

in a

hig

h-de

nsity

traf

fic

envi

ronm

ent.

4.

2.4.

d D

eter

min

e co

rrec

tive

actio

n en

rout

e A

dver

se e

nviro

nmen

tal

cond

ition

s not

ass

esse

d as

a th

reat

.

Cou

ld le

ad to

loss

of c

ontro

l of U

AS

AV

or

ope

ratio

n of

the

UA

S A

V o

utsi

de o

f pe

rfor

man

ce e

nvel

ope.

Pos

sibi

lity

of

conf

lict w

ith a

noth

er a

ircra

ft or

en

coun

ter w

ith g

roun

d or

gro

und

stru

ctur

es. I

f a p

robl

em is

not

iced

by

ATC

in ti

me,

ATC

will

atte

mpt

to

prov

ide

inst

ruct

ions

to U

AS

oper

ator

in

orde

r to

miti

gate

eff

ects

of f

ailu

re.

cata

stro

phic

A

ssum

es th

at A

TC-U

AS

pilo

t loo

p ca

nnot

be

clos

ed fa

st e

noug

h to

pr

even

t los

s of c

ontro

l.

65

4.2.

5 Pr

oduc

e co

rrec

tive

actio

n co

mm

and

4.2.

5.a

Prod

uce

corr

ectiv

e ac

tion

com

man

d en

rout

e To

tal l

oss o

f abi

lity

to

prod

uce

corr

ectiv

e ac

tion

com

man

d

Cou

ld le

ad to

loss

of c

ontro

l of U

AS

AV

or o

pera

tion

of th

e U

AS

AV

out

side

of

per

form

ance

env

elop

e. P

ossi

bilit

y of

co

nflic

t with

ano

ther

airc

raft

or

enco

unte

r with

gro

und

or g

roun

d st

ruct

ures

. If p

ossi

ble,

ATC

will

pro

vide

in

stru

ctio

ns to

UA

S op

erat

or in

ord

er to

m

itiga

te e

ffec

ts o

f fai

lure

.

haza

rdou

s M

itiga

tion

by th

e se

rvic

e pr

ovid

er a

ssum

es th

at

UA

S is

not

ent

irely

de

pend

ent o

n A

TC fo

r av

oida

nce

of a

void

ad

vers

e en

viro

nmen

tal

cond

ition

.

4.2.

5.b

Prod

uce

corr

ectiv

e ac

tion

com

man

d en

rout

e U

nnec

essa

ry c

orre

ctiv

e ac

tion

prod

uced

. In

bes

t cas

e, a

ltern

ate

wea

ther

sour

ce

may

pro

vide

UA

S w

ith c

orre

ct w

eath

er

info

rmat

ion.

In w

orst

cas

e, U

AS

AV

w

ill m

aneu

ver t

o av

oid

non-

exis

tent

en

viro

nmen

tal c

ondi

tions

.

min

or

Bes

t cas

e as

sum

es th

ere

is a

bac

kup

wea

ther

in

form

atio

n so

urce

. In

wor

st c

ase,

co

nseq

uenc

es c

ould

be

mor

e se

vere

in a

hig

h-de

nsity

traf

fic

envi

ronm

ent.

4.

2.5.

c Pr

oduc

e co

rrec

tive

actio

n co

mm

and

enro

ute

Nec

essa

ry c

orre

ctiv

e ac

tion

not p

rodu

ced.

C

ould

lead

to lo

ss o

f con

trol o

f UA

S A

V

or o

pera

tion

of th

e U

AS

AV

out

side

of

perf

orm

ance

env

elop

e. P

ossi

bilit

y of

co

nflic

t with

ano

ther

airc

raft

or

enco

unte

r with

gro

und

or g

roun

d st

ruct

ures

. If a

pro

blem

is n

otic

ed b

y A

TC in

tim

e, A

TC w

ill a

ttem

pt to

pr

ovid

e in

stru

ctio

ns to

UA

S op

erat

or in

or

der t

o m

itiga

te e

ffec

ts o

f fai

lure

.

cata

stro

phic

A

ssum

es th

at A

TC-U

AS

pilo

t loo

p ca

nnot

be

clos

ed fa

st e

noug

h to

pr

even

t los

s of c

ontro

l.

4.2.

6 Ex

ecut

e co

rrec

tive

actio

n co

mm

and

(acc

ompl

ishe

d un

der

Avi

ate)

Cov

ered

und

er A

viat

e fu

nctio

n

4.2.

7 C

onve

y po

st c

orre

ctiv

e ac

tion

stat

us to

ATC

N

ot y

et c

lear

if th

is

func

tion

is re

leva

nt si

nce

it th

e ef

fect

s are

not

di

rect

ly c

ause

d by

the

UA

S.

66

4.2.

7.a

Con

vey

post

cor

rect

ive

actio

n st

atus

to A

TC

enro

ute

Tota

l los

s of f

unct

ion

A

TC w

ill b

e ex

pect

ing

a st

atus

upd

ate,

an

d w

ill c

onsu

lt ra

dar d

ispl

ays a

nd

cont

inue

to a

ttem

pt to

reac

h U

AS

pilo

t/ope

rato

r for

out

com

e.

min

or

Ass

umes

ATC

can

de

duce

situ

atio

n ba

sed

on ra

dar d

ispl

ay.

4.2.

7.b

Con

vey

post

cor

rect

ive

actio

n st

atus

to A

TC

enro

ute

Cor

rect

ive

actio

n st

atus

in

form

atio

n is

m

isle

adin

g.

Will

cre

ate

diff

eren

t situ

atio

nal

perc

eptio

ns b

etw

een

pilo

t/ope

rato

r and

A

TC. I

ncre

ased

wor

kloa

d fo

r ATC

and

pi

lot/o

pera

tor.

maj

or

Con

fusi

on m

ay re

sult

in

an in

corr

ect a

nd

pote

ntia

lly h

azar

dous

re

actio

n.

4.3

Man

age

cont

inge

ncie

s

Th

is fu

nctio

n is

a

colle

ctio

n of

man

y sm

alle

r fun

ctio

ns.

The

smal

ler f

unct

ions

are

not

sp

ecifi

cally

def

ined

si

nce

thes

e fu

nctio

ns

wou

ld b

e ve

ry

depe

ndan

t on

func

tions

im

plem

ente

d in

the

vehi

cle.

A re

ason

able

ca

se c

an b

e m

ade

that

a

spec

ific

miti

gatio

n fu

nctio

n sh

ould

be

plac

ed a

long

side

of t

he

func

tion

it is

miti

gatin

g.4.

3.1

Con

vey

syst

em st

atus

Sy

stem

stat

us in

clud

es

stat

us o

f sub

syst

ems o

f th

e U

AS:

com

m.,

com

man

d an

d co

ntro

l, pr

opul

sion

, pow

er, f

ire,

etc.

As i

n m

anne

d ai

rcra

ft, w

e as

sum

e th

at

loss

of c

omm

. bet

wee

n fli

ght c

rew

and

ATC

is

alw

ays d

etec

tabl

e by

the

fligh

t cre

w a

nd A

TC.

67

4.3.

1.a

Con

vey

syst

em st

atus

en

rout

e D

etec

ted

loss

of

func

tion

Flig

ht c

rew

/UA

S w

ill re

cogn

ize

the

syst

em st

atus

is n

ot a

vaila

ble,

but

will

no

t be

able

to re

spon

d to

con

tinge

ncie

s ba

sed

on th

is n

on-in

form

atio

n. F

light

cr

ew h

as a

slig

htly

incr

ease

d w

orkl

oad.

min

or

For t

his s

ituat

ion

to g

et

dang

erou

s, an

othe

r fa

ilure

mus

t occ

ur.

Expe

ct o

pera

tiona

l co

nstra

ints

will

dic

tate

th

at th

e fli

ght c

rew

/UA

S w

ill a

bort

the

fligh

t, bu

t th

is c

an b

e do

ne in

a

cont

rolle

d m

anne

r. 4.

3.1.

b C

onve

y sy

stem

stat

us

enro

ute

Und

etec

ted

loss

of

func

tion

for a

ll bu

t C2

syst

em st

atus

Syst

em st

atus

is n

ot a

vaila

ble,

ther

efor

e no

act

ions

can

be

take

n to

resp

ond

to

thes

e co

ntin

genc

ies.

Sig

nific

ant l

oss o

f sa

fety

mar

gin.

maj

or

This

haz

ard

clas

sific

atio

n is

not

hi

gher

, bec

ause

any

da

nger

ous s

cena

rio

requ

ires a

mul

tiple

-fa

ilure

con

ditio

n.

Abs

ent o

ther

failu

res,

cont

inue

d sa

fe fl

ight

and

la

ndin

g ca

n oc

cur.

4.3.

1.c

Con

vey

syst

em st

atus

en

rout

e U

ndet

ecte

d lo

ss o

f fu

nctio

n fo

r C2

syst

em

stat

us

C2

syst

em st

atus

is n

ot a

vaila

ble,

th

eref

ore

if C

2 is

lost

als

o, th

en th

e ve

hicl

e ca

nnot

be

cont

rolle

d an

d no

ac

tion

(hum

an o

r aut

omat

ion)

can

co

mpe

nsat

e.

cata

stro

phic

A

tran

sien

t los

s of C

2 is

co

nsid

ered

a n

orm

al p

art

of fl

ight

not

a fa

ilure

, th

eref

ore

C2

coul

d be

lo

st a

nd th

e lo

ss o

f de

tect

ion

and

this

wou

ld

NO

T re

sult

in a

two-

failu

re sc

enar

io.

4.

3.1.

d C

onve

y sy

stem

stat

us

enro

ute

Deg

rade

d fu

nctio

n -

incl

udin

g no

repo

rt fr

om so

me

syst

ems,

loss

of p

reci

sion

, or l

ate

arriv

al o

f inf

orm

atio

n.

Onl

y pa

rt of

the

stat

e of

the

UA

S is

av

aila

ble.

Flig

ht c

rew

has

a sl

ight

ly

incr

ease

d w

orkl

oad.

min

or

This

haz

ard

clas

sific

atio

n is

not

hi

gher

, bec

ause

any

da

nger

ous s

cena

rio

requ

ires a

mul

tiple

-fa

ilure

con

ditio

n. N

ote

that

und

etec

ted

loss

of

C2

func

tions

is c

over

ed

in 4

.3.1

.c.

68

4.3.

1.e

Con

vey

syst

em st

atus

en

rout

e R

epor

ting

failu

re w

hen

ther

e is

non

e Fl

ight

cre

w/U

AS

will

bel

ieve

the

UA

S is

mal

func

tioni

ng w

hen

in fa

ct it

is n

ot.

Flig

ht c

rew

/UA

S m

ay m

ake

a di

vers

ion

base

d on

this

fals

e in

form

atio

n. F

light

cr

ew h

as a

slig

htly

incr

ease

d w

orkl

oad.

min

or

4.3.

1.f

Con

vey

syst

em st

atus

en

rout

e R

epor

ting

no fa

ilure

w

hen

ther

e is

one

TB

D

TBD

Th

is is

a m

ultip

le-f

ailu

re

scen

ario

, fai

lure

of

syst

em a

nd fa

ilure

of

stat

us.

Thes

e m

ultip

le-

failu

res m

ust b

e ex

amin

ed in

det

ail.

4.3.

2 D

eter

min

e co

ntin

genc

y co

mm

and

This

is a

flig

ht c

rew

or

UA

S in

itiat

ed re

ques

t fo

r a c

ontin

genc

y.

4.3.

2.a

Det

erm

ine

cont

inge

ncy

com

man

d en

rout

e Lo

ss o

r mal

func

tion

whe

n C

2 lin

k is

up.

Fl

ight

cre

w/U

AS

will

not

be

able

to

initi

ate

a co

ntin

genc

y. S

ince

C2

link

is

up, v

ehic

le is

still

con

trolla

ble.

Si

gnifi

cant

loss

of s

afet

y m

argi

n re

sults

.

maj

or

Situ

atio

ns w

here

this

fa

ilure

has

mor

e di

re

cons

eque

nces

invo

lve

othe

r sys

tem

s fai

ling.

Th

ese

mul

tiple

-fai

lure

sc

enar

ios m

ust b

e de

alt

with

late

r. 4.

3.2.

b D

eter

min

e co

ntin

genc

y co

mm

and

enro

ute

Loss

or m

alfu

nctio

n w

hen

C2

link

is d

own.

Fl

ight

cre

w/U

AS

will

not

be

able

to

initi

ate

a co

ntin

genc

y. S

ince

C2

link

is

dow

n, th

en th

e ve

hicl

e is

unc

omm

ande

d.

cata

stro

phic

4.3.

2.c

Det

erm

ine

cont

inge

ncy

com

man

d en

rout

e D

egra

ded

oper

atio

n -

dela

yed

initi

atio

n of

co

ntin

genc

y w

hen

C2

link

is u

p

Flig

ht c

rew

/UA

S in

itiat

es c

ontin

genc

y w

hich

take

s sig

nific

antly

long

er th

an

norm

al. E

xpec

t the

re is

a ti

me

buff

er

betw

een

initi

atio

n an

d ha

zard

ous

situ

atio

n. L

oss o

f saf

ety

mar

gin

resu

lts.

maj

or

69

4.3.

2.d

Det

erm

ine

cont

inge

ncy

com

man

d en

rout

e D

egra

ded

oper

atio

n -

dela

yed

initi

atio

n of

co

ntin

genc

y w

hen

C2

link

is d

own

Flig

ht c

rew

/UA

S in

itiat

es c

ontin

genc

y w

hich

take

s sig

nific

antly

long

er th

an

norm

al. E

xpec

t the

re is

a ti

me

buff

er

betw

een

initi

atio

n an

d th

e da

nger

ous

situ

atio

n. L

oss o

f saf

ety

mar

gin

resu

lts.

haza

rdou

s

4.3.

3 Pr

oduc

e m

itiga

tion

com

man

d en

rout

e

4.3.

3.a

Prod

uce

miti

gatio

n co

mm

and

enro

ute

Loss

or m

alfu

nctio

n w

hen

C2

link

is u

p.

Flig

ht c

rew

/UA

S w

ill n

ot b

e ab

le to

fo

rmul

ate

a m

itiga

tion

actio

n. S

ince

C2

link

is u

p, v

ehic

le is

still

con

trolla

ble.

Si

gnifi

cant

loss

of s

afet

y m

argi

n re

sults

.

maj

or

Situ

atio

ns w

here

this

fa

ilure

has

mor

e di

re

cons

eque

nces

invo

lve

othe

r sys

tem

s fai

ling.

Th

ese

mul

tiple

-fai

lure

sc

enar

ios m

ust b

e de

alt

with

late

r. 4.

3.3.

b Pr

oduc

e m

itiga

tion

com

man

d en

rout

e Lo

ss o

r mal

func

tion

whe

n C

2 lin

k is

dow

n.

Flig

ht c

rew

/UA

S w

ill n

ot b

e ab

le to

fo

rmul

ate

a m

itiga

tion

actio

n. S

ince

C2

link

is d

own,

then

the

vehi

cle

is

unco

mm

ande

d.

cata

stro

phic

4.3.

3.c

Prod

uce

miti

gatio

n co

mm

and

enro

ute

Deg

rade

d op

erat

ion

- de

laye

d in

itiat

ion

of

cont

inge

ncy

whe

n C

2 lin

k is

up

Flig

ht c

rew

/UA

S fo

rmul

ates

a

miti

gatio

n ac

tion

whi

ch ta

kes

sign

ifica

ntly

long

er th

an n

orm

al. E

xpec

t th

ere

is a

tim

e bu

ffer

bet

wee

n in

itiat

ion

and

haza

rdou

s situ

atio

n. L

oss o

f saf

ety

mar

gin

resu

lts.

min

or

Situ

atio

ns w

here

this

fa

ilure

has

mor

e di

re

cons

eque

nces

invo

lve

othe

r sys

tem

s fai

ling.

Th

ese

mul

tiple

-fai

lure

sc

enar

ios m

ust b

e de

alt

with

late

r. 4.

3.3.

d Pr

oduc

e m

itiga

tion

com

man

d en

rout

e D

egra

ded

oper

atio

n -

dela

yed

initi

atio

n of

co

ntin

genc

y w

hen

C2

link

is d

own

Flig

ht c

rew

/UA

S fo

rmul

ates

a

miti

gatio

n ac

tion

whi

ch ta

kes

sign

ifica

ntly

long

er th

an n

orm

al. E

xpec

t th

ere

is a

tim

e bu

ffer

bet

wee

n in

itiat

ion

and

haza

rdou

s situ

atio

n. M

ore

than

a

sign

ifica

nt lo

ss o

f saf

ety

mar

gin

resu

lts.

haza

rdou

s

4.3.

4 Pr

iorit

ize

miti

gatio

n co

mm

and

enr

oute

70

4.3.

4.a

Prio

ritiz

e m

itiga

tion

com

man

d e

nrou

te

Any

failu

re w

hen

C2

link

is u

p.

The

mos

t im

porta

nt m

itiga

tion

com

man

d w

ill n

ot b

e us

ed a

nd th

e fli

ght

crew

/UA

S kn

ow a

bout

this

. Si

nce

C2

link

is u

p, v

ehic

le is

still

con

trolla

ble.

A

sign

ifica

nt lo

ss o

f saf

ety

mar

gin

resu

lts.

maj

or

The

expe

ctat

ion

is th

at

all m

itiga

tion

com

man

ds

that

hav

e be

en p

rodu

ced

will

be

exec

uted

, jus

t in

a di

ffer

ent o

rder

from

w

hat i

s exp

ecte

d. I

f a

miti

gatio

n co

mm

and

is

neve

r exe

cute

d, th

en th

is

is a

failu

re o

f the

"p

rodu

ce m

itiga

tion

com

man

d" fu

nctio

n.

Situ

atio

ns w

here

this

fa

ilure

has

mor

e di

re

cons

eque

nces

invo

lve

othe

r sys

tem

s fai

ling.

Th

ese

mul

tiple

-fai

lure

sc

enar

ios m

ust b

e de

alt

with

late

r. 4.

3.4.

b Pr

iorit

ize

miti

gatio

n co

mm

and

enr

oute

A

ny fa

ilure

whe

n C

2 lin

k is

dow

n.

The

mos

t im

porta

nt m

itiga

tion

com

man

d w

ill n

ot b

e us

ed a

nd th

e fli

ght

crew

/UA

S kn

ow a

bout

this

. Si

nce

C2

link

is d

own,

then

the

vehi

cle

is

unco

mm

ande

d.

cata

stro

phic

4.3.

5 C

onve

y st

atus

of c

omm

ands

en

rout

e

4.3.

5.a

Con

vey

stat

us o

f com

man

ds

enro

ute

Det

ecte

d lo

ss o

f fu

nctio

n Sy

stem

succ

essf

ully

form

ulat

es a

nd

exec

utes

a m

itiga

tion

com

man

d, th

e fli

ght c

rew

/UA

S do

es n

ot k

now

wha

t ha

ppen

ed, a

nd is

aw

are

that

they

do

no

know

. Sm

all l

oss o

f saf

ety

mar

gin,

sm

all i

ncre

ase

in w

orkl

oad

min

or

71

4.3.

5.b

Con

vey

stat

us o

f com

man

ds

enro

ute

Und

etec

ted

loss

of

func

tion

Syst

em su

cces

sful

ly fo

rmul

ates

and

ex

ecut

es a

miti

gatio

n co

mm

and,

the

fligh

t cre

w/U

AS

does

not

kno

w w

hat

happ

ened

, and

is u

naw

are

that

they

do

no k

now

. Fl

ight

cre

w/U

AS

may

initi

ate

mor

e ac

tions

atte

mpt

ing

to c

ompe

nsat

e fo

r the

per

ceiv

ed n

on-r

espo

nse

to th

e m

itiga

tion

com

man

d. M

ore

than

a

sign

ifica

nt lo

ss o

f saf

ety

mar

gin.

Flig

ht

crew

will

be

focu

sed

on th

is e

vent

and

m

ay n

ot b

e ab

le to

per

form

oth

er

requ

ired

task

s.

haza

rdou

s

4.3.

5.c

Con

vey

stat

us o

f com

man

ds

enro

ute

Deg

rade

d op

erat

ion

- de

laye

d or

inco

mpl

ete

info

rmat

ion

abou

t st

atus

of

cont

inge

ncy/

miti

gatio

n co

mm

ands

Syst

em su

cces

sful

ly fo

rmul

ates

and

ex

ecut

es a

miti

gatio

n co

mm

and,

the

fligh

t cre

w/U

AS

only

has

a p

artia

l kn

owle

dge

of w

hat h

appe

ned.

Si

gnifi

cant

loss

of s

afet

y m

argi

n, so

me

incr

ease

in w

orkl

oad

maj

or

4.3.

5.d

Con

vey

stat

us o

f com

man

ds

enro

ute

Mal

func

tion/

mis

lead

ing

oper

atio

n Sy

stem

succ

essf

ully

form

ulat

es a

nd

exec

utes

a m

itiga

tion

com

man

d, th

e fli

ght c

rew

/UA

S do

es n

ot k

now

wha

t ha

ppen

ed, a

nd is

una

war

e th

at th

ey d

o no

kno

w.

Flig

ht c

rew

/UA

S m

ay in

itiat

e m

ore

actio

ns a

ttem

ptin

g to

com

pens

ate

for t

he p

erce

ived

non

-res

pons

e to

the

miti

gatio

n co

mm

and.

Mor

e th

an a

si

gnifi

cant

loss

of s

afet

y m

argi

n. F

light

cr

ew w

ill b

e fo

cuse

d on

this

eve

nt a

nd

may

not

be

able

to p

erfo

rm o

ther

re

quire

d ta

sks.

haza

rdou

s

REPORT DOCUMENTATION PAGE Form ApprovedOMB No. 0704-0188

2. REPORT TYPE Technical Memorandum

4. TITLE AND SUBTITLE

Preliminary Considerations for Classifying Hazards of Unmanned AircraftSystems

5a. CONTRACT NUMBER

6. AUTHOR(S)

Hayhurst, Kelly J.; Maddalon, Jeffrey M.; Miner, Paul S.; Szatkowski,George N.; Ulrey, Michael L.; DeWalt, Michael P.; and Spitzer, Cary R.

7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES)

NASA Langley Research CenterHampton, VA 23681-2199

9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES)

National Aeronautics and Space AdministrationWashington, DC 20546-0001

8. PERFORMING ORGANIZATION REPORT NUMBER

L-19299

10. SPONSOR/MONITOR'S ACRONYM(S)

NASA

13. SUPPLEMENTARY NOTESAn electronic version can be found at http://ntrs.nasa.gov

12. DISTRIBUTION/AVAILABILITY STATEMENTUnclassified - UnlimitedSubject Category 01Availability: NASA CASI (301) 621-0390

19a. NAME OF RESPONSIBLE PERSON

STI Help Desk (email: help@sti.nasa.gov)

14. ABSTRACT

The use of unmanned aircraft in national airspace has been characterized as the next great step forward in the evolution ofcivil aviation. To make routine and safe operation of these aircraft a reality, a number of technological and regulatorychallenges must be overcome. This report discusses some of the regulatory challenges with respect to deriving safety andreliability requirements for unmanned aircraft. In particular, definitions of hazards and their classification are discussed andapplied to a preliminary functional hazard assessment of a generic unmanned system.

15. SUBJECT TERMSReliability; Requirements engineering; Unmanned aircraft system

18. NUMBER OF PAGES

7819b. TELEPHONE NUMBER (Include area code)

(301) 621-0390

a. REPORT

U

c. THIS PAGE

U

b. ABSTRACT

U

17. LIMITATION OF ABSTRACT

UU

Prescribed by ANSI Std. Z39.18Standard Form 298 (Rev. 8-98)

3. DATES COVERED (From - To)

5b. GRANT NUMBER

5c. PROGRAM ELEMENT NUMBER

5d. PROJECT NUMBER

5e. TASK NUMBER

5f. WORK UNIT NUMBER

457280.02.07.07

11. SPONSOR/MONITOR'S REPORT NUMBER(S)

NASA/TM-2007-214539

16. SECURITY CLASSIFICATION OF:

The public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Department of Defense, Washington Headquarters Services, Directorate for Information Operations and Reports (0704-0188), 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to any penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number.PLEASE DO NOT RETURN YOUR FORM TO THE ABOVE ADDRESS.

1. REPORT DATE (DD-MM-YYYY)

02 - 200701-