Probabilistic Methods of Risk Assessment: Industry Views

Dr. Allison Ferguson Director, Airspace Research

Summary

1. Introduction o Problem Statement

2. Operational Risk Assessment in Practice

o Pathfinder (Focus Area Two) • EVLOS • Localized BVLOS

o Lessons learned (so far)

3. Moving Forward

o Building the data pool o Engaging with industry

Reduce risk of drone operations

Enable advanced operations such as

BVLOS and package delivery through

technology

Build “backbone” datasets

PrecisionHawk LATAS: Our Goals

1

2

3

Data

Mitigating Risk through Information

• 3D Obstacle Maps

• Buildings

• Trees

• Terrain

• Manned Aircraft

• Radar / ADS-b

• UAS

Surveillance

• Airspace

• Cellular Coverage

Infrastructure

• Cloud services

• Cellular

• Security

• Bandwidth

considerations

Services

• Registration

• Tracking

• Reporting

• Flight planning

• Flight authorization

• Operator validation

But with each new additional component we introduce new failure modes…how to assess

impact on overall system risk?

Mitigating Risk through Information o All risk statements are probabilistic. The problem is getting to those

probabilities: • Evaluating total system risk (target level of safety) inferentially is….probably not a good idea. • There are distributions we CAN access inferentially that have an impact on overall system

risk (e.g. metrics of operator response to manned aircraft in operational area).

o How “good” are the models that link what we can measure with overall system

risk? • Especially in the presence of real-world (i.e. messy) data

o How good do they have to be? • Can we mitigate the risk of using a risk model?

Throwback…Tuesday?

• Weibel, Roland E., and R. John Hansman. "Safety considerations for operation of different classes of

UAVs in the NAS." AIAA 4th Aviation Technology, Integration and Operations Forum, AIAA 3rd

Unmanned Unlimited Technical Conference, Workshop and Exhibit. 2004

Risk Models and “Real” Data

Field Data

Simulation

Historical

o A risk modelling approach isn’t about ignoring “real” sources of information, it’s about collating them in a way that has some logical backing.

• These are problems with lots of variables. The temptation is to assume that all sources of variation are equally important to the final outcome (they are not).

Pathfinder Phase I & II Overview: EVLOS

Phase I Research focused on identifying the

range where an intruder aircraft could be visually identified.

Phase II Research focused on the PIC ability to react to an intruder aircraft within the

EVLOS range.

• EVLOS is an Unmanned Aircraft System (UAS) operation whereby the Unmanned Aircraft (UA) may

be operated marginally beyond the visual range of the remote pilot in command (hereafter referred to

as the PIC) provided he or she maintains uninterrupted visual surveillance for manned aircraft within

the planned UA operating airspace. Within the EVLOS construct, the UA must remain within the preplanned operating area and UA control authority must be maintained by the PIC at all times.

Focus is on collection of quantitative data to support a general operational

risk assessment

Phase I & II Overview: EVLOS

• Industry Impact: Commercial waiver to Part 107 VLOS requirement issued to PrecisionHawk (August 2016). Operational risk assessment based on Phase I/early Phase II results. Full Phase II results to be incorporated into ASTM F38 standard (2017) to support rulemaking efforts.

Pathfinder Phase III: “Localized” BVLOS

EVLOS (2.5 nm)

EVLOS with RVO (5 nm)

• Wide industry applicability. This same picture applies to:

• Emergency response • Insurance • Forestry/Natural Resource

Management

Localized BVLOS

Current operations to understand risk: • Pathfinder, UAS test sites, ASSURE

BUILD ON RESULTS TO DEFINE RISK PROFILE ON NATIONAL SCALE

Drive creation of localized beyond visual line of sight concept of operations in Class G

Towards operating on a National Level

• Shift focus from visual base case to technology assisted case

Phase III: “Localized” BVLOS

Phase III Mission Statement

Evaluate the impact of assistive technology (i.e. LATAS) on operational risk associated with flight of sUAS in BVLOS

applications in the NAS.

What does the technology need to do to achieve an acceptable level of safety? In what ways can it fail?

How do we mitigate the risk of failure?

Quantitative answers to these questions provide regulators with the information they require to define an operational

standard for rulemaking.

Phase III Operational Risk Assessment

• Risks in the technology-assisted case can be loosely grouped into three categories:

Ove

rall

Ris

k

Risks associated with technology not functioning as designed

Risks associated with improper use of the technology (human factors)

Risks inherent in the environment

+ Similarly to the ORA for the EVLOS case, we will ideally define a series of performance-based requirements ANY assistive technology would have to meet.

+ “Environmental” risk is related to conditions that feed into the risk model. For example:

+ Low altitude traffic patterns

+ Population density

Already we see the need for collaboration amongst researchers!

Phase III Operational Risk Assessment

• Risks associated with the technology not functioning as designed (software & hardware):

Tech

no

logy

Ris

k

Phase III Operational Risk Assessment

• Risks associated with the technology not functioning as designed (software & hardware):

Tech

no

logy

Ris

k + From a map of the process we can begin to itemize the potential hazards at each process step.

+ One specific set of hazards is related to GPS & cellular service at altitude:

+ Cellular service (and LTE in particular) is one of the bigger open questions: + Lag? + Intermittency? + How much of either of these is acceptable?

Process Step Hazard

Transmit

telemetry until

operation

complete

i. Device experiences mechanical or electrical failure

ii. GPS issues: GPS service becomes unavailable or intermittently

available during operation, invalid GPS string (improperly

formed), incorrect GPS data (properly formed string)

iii. Cellular issues: No cellular service, poor cellular reception due to

local conditions, intermittent connectivity due to LTE handover

issues

Risk models need to inform the initial

answer here.

Phase III Operational Risk Assessment

• Risks associated with improper use of the technology:

Hu

man

Fac

tors

Ris

k + Important to ask questions about how and when information should be displayed to the operator:

Phase III Operational Risk Assessment

• Risks associated with improper use of the technology:

Hu

man

Fac

tors

Ris

k + MITRE will evaluate a set of proposed assistive technology displays via Human-in-the-Loop (HITL) simulation, followed by field experiment:

Phase III Operational Risk Assessment

• Risks associated with improper use of the technology:

Hu

man

Fac

tors

Ris

k + MITRE will evaluate a set of proposed assistive technology displays via Human-in-the-Loop (HITL) simulation, followed by field experiment:

Well Clear Zone

Blocked Headings

(“Cone of Death”)

Intruder w/ Amber

Highlight

Altitude Meter:

• Blue dot is

your AGL

altitude

• Amber band is

altitude

blocked by

intruder

Relative altitude

and distance

Risk Models and “Real” Data: Part Deux

Field Data

Simulation

Historical

o This process is non-trivial.

• Real data is messy (especially if humans are part of the study).

• It’s not just science…it’s politics. Different CAAs will have different opinions about which variables are important.

o We don’t exactly have a target risk. • We were able to start measuring without

it, but coming up with this limit will be important soon.

o If computational and research

complexity now leads to regulatory and operational simplicity later, it’s worth it.

• But let’s get all the help we can.

Some Views FROM Industry…

o Technology is moving rapidly.

• Gathering flight heritage on rare events to assess risk is problematic. So we need variables we can measure over shorter cycles to assess the risk – conditional probability based risk models are a good way to determine what those variables should be.

o Mitigations need to be palatable. That may ALSO depend on the rate of a particular risk occurring.

• If the mitigation results in total loss of the UAS, whether or not that is acceptable depends on how often that would be likely to occur.

o If computational and research complexity now leads to regulatory and

operational simplicity later, it’s worth it. • But let’s get all the help we can.

Some Views FOR Industry…

o Is your technology is moving too rapidly? Or in the wrong direction?

• Adding “features” doesn’t help (and can overcomplicate the safety case) unless you’re actually solving a key problem at this point. Risk modelling can help identify those blockers.

o We are ALL in a data-starved environment right now. • “We did it that one time and nobody died” is not a sufficient evaluation of long

term risk. • There are opportunities for participation for all sizes of industrial partner (i.e.

ASSURE)

o If computational and research complexity now leads to regulatory and

operational simplicity later, it’s worth it. • But let’s get all the help we can.

Thank You

Ally Ferguson – a.ferguson@precisionhawk.com