Commercial in Confidence

Unmanned Aircraft System (UAS) Safety Case Development

Functional Hazard Assessment (FHA) Report for Unmanned Aircraft Systems

Reference: P09005.10.5
Date: 04 September 2009
Issue: v1.0
Prepared by: Hayley Burdett
Checked by: Joanne Stoker
Authorised by: Alan Simpson

Distribution:

| EUROCONTROL | Ebeni |
|---|---|
| Holger Matthiesen | Hayley Burdett |
| Chris Machin | Joanne Stoker |
| Don Harris | Alan Simpson |
| Mike Strong | Project File |

© Copyright

The layout, style, logo and contents of this document are copyright of Ebeni Limited 2009. No part of this document may be reproduced without the prior written permission of Ebeni Limited. All rights reserved.

Configuration Control

| Issue | Date | Comments |
|---|---|---|
| v0.1 | 10 June 2009 | Initial draft for internal review |
| v0.2 | 10 July 2009 | Draft issue following internal review |
| v0.3 | 22 July 2009 | Provisional issue for EUROCONTROL review |
| v1.0 | 04 Sept 2009 | Definitive issue incorporating EUROCONTROL review comments |

Table of Contents

1 Introduction
  1.1 Background
  1.2 UAS Safety Assessment
  1.3 UAS Today
  1.4 Aim
  1.5 Scope
  1.6 Structure
2 Functional Hazard Assessment Overview
  2.1 Introduction
  2.2 FHA Process
  2.3 FHA Objectives
  2.4 UAS Safety Assessment Workshop
3 System Definition and Scope of Analysis
  3.1 UAS Operational Scenarios
  3.2 Defining the Scope for the FHA Activity
  3.3 Air Traffic Management Concept
    3.3.1 Separation Provision Component
    3.3.2 Collision Avoidance Component
  3.4 Operational Perspectives
  3.5 UAS Characteristics
  3.6 Scoping Statements
  3.7 Assumptions
  3.8 Unmanned Aircraft System Models
    3.8.1 Flight Profiles
    3.8.2 Functional Models
4 Function Hazard Assessment Results
  4.1 Overview
  4.2 Hazard Identification Approach
  4.3 Hazard Identification Results
  4.4 Consequence Analysis
    4.4.1 Mitigations for HAZ001
    4.4.2 Mitigations for HAZ002
    4.4.3 Mitigations for HAZ003
    4.4.4 Mitigations for HAZ004
    4.4.5 Mitigations for HAZ005
    4.4.6 Mitigations for HAZ006
    4.4.7 Mitigations for HAZ007
    4.4.8 Mitigations for HAZ008
    4.4.9 Mitigations for HAZ009
    4.4.10 Mitigations for HAZ010
  4.5 Analysis Conclusions
  4.6 Safety Objectives
5 Conclusions
6 References
Appendix A UAS Safety Assessment Workshop Agenda and Participants
  A.1 UAS Workshop Agenda
  A.2 UAS Workshop Participants
Appendix B Unmanned Aircraft System Models
  B.1 Flight Profiles
  B.2 Functional Models
Appendix C Functional Failure Analysis
Appendix D UAS Fault Trees
  D.1 UAS Scenario 1 Fault Trees
  D.2 UAS Scenario 2 Fault Trees
Appendix E Severity Classification
Appendix F Consequence Models
  F.1 HAZ001 – Inability to comply with Separation Provision Instruction from ATC
  F.2 HAZ002 – Incorrect response to Separation Provision Instruction from ATC
  F.3 HAZ003 – Intentional deviation from Separation Provision Instruction from ATC
  F.4 HAZ004 – Delayed response to Separation Provision Instruction from ATC
  F.5 HAZ005 – Loss of Separation Provision from ATC
  F.6 HAZ006 – ATC Separation Provision Error
  F.7 HAZ007 – Loss of Separation Provision from the Pilot in Command
  F.8 HAZ008 – Pilot in Command Separation Provision Error
  F.9 HAZ009 – Pilot in Command Separation Provision Instruction too late
  F.10 HAZ010 – Separation Provision minima is breached by other aircraft

1 Introduction

1.1 Background

The evolution of aerospace technologies in the field of Unmanned Aircraft Systems (UAS), including automatic/autonomous operations, will impact European Air Traffic Management (ATM) as regards new military and civil UAS applications. UAS will represent new challenges as well as new opportunities for ATM design in the future in the context of both SESAR and beyond (vision 2050), for the benefit of both manned and unmanned aviation.

The EUROCONTROL Agency, in executing its responsibilities associated with the management of the pan-European ATM network, must ensure that UAS do not negatively impact overall levels of ATM security, safety, capacity and efficiencies.

This work will result in the development of an ATM safety assessment for UAS that will identify a set of ATM safety requirements, over and above existing ATM regulatory safety requirements, which, if implemented, will ensure that the introduction of UAS into non-segregated airspace will be acceptably safe.

1.2 UAS Safety Assessment

The primary aim of this task is to develop an ATM safety assessment for UAS so as to identify a set of ATM safety requirements, over and above the existing ATM regulatory safety requirements, which, if implemented, will ensure that the introduction of UAS into non-segregated airspace will be acceptably safe. The safety assessment is to consider two defined UAS operating scenarios in order to provide a realistic context into which UAS will be operated.

• Scenario 1 – covers UAS operations in Class A, B or C en-route airspace flying Instrument Flying Rules (IFR) beyond the visual line of sight of the pilot-in-command

• Scenario 2 – covers UAS operations in Class C – G airspace operating under Visual Flying Rules (VFR) and the pilot-in-command has direct visual line of sight of the Unmanned Aircraft (UA)

The work currently being undertaken by EUROCAE Working Group 73 on Unmanned Aircraft Systems will also provide input and review effort to the safety assessment work.

A UAS Safety Assessment Workshop was carried out to satisfy the process requirements of the EUROCONTROL ANS Safety Assessment Methodology (SAM) [1] which provides a means of compliance with the EUROCONTROL Safety and Regulatory Requirement (ESARR) 4 [2].

1.3 UAS Today

Current UAS operations are largely constrained to designated areas or within temporary restricted areas of airspace, commonly known as segregated airspace, or are flown under special arrangements over the sea or at high altitude. On some occasions, UAS operations are permitted in an extremely limited environment outside segregated airspace. To exploit fully the unique potential of UAS there is a desire to be able to access all classes of non-segregated airspace and operate across national borders and airspace boundaries. Such operations must be acceptably safe but regulation should not become so inflexible or burdensome that the benefits are unnecessarily lost. The viability of the civil market for UAS especially is heavily dependent on unfettered access to the same airspace as manned civil aircraft operations, at least on like-for-like operations, for example in aerial surveillance applications.

Whilst it is essential that UAS demonstrate an equivalent level of safety compared to manned operations, the current regulatory framework has evolved around the concept of the pilot-in-the-cockpit. There is a need to develop UAS solutions that assure an equivalent level of safety for UAS operations, which in turn could require some adaption of the current ATM regulatory framework to allow for the concept of the pilot-not-in-the-cockpit without compromising the safety of other airspace users.

1.4 Aim

This document comprises the Functional Hazard Assessment (FHA) for Unmanned Aircraft Systems operation in non-segregated airspace and provides an independent assessment of the hazards related to operating UAS in non-segregated airspace.

The aim of this FHA is derived from the following top level safety argument claim, which implies a relative safety argument approach:

• UAS operations in ECAC Airspace are and will be acceptably safe;

• where ECAC airspace is defined as the airspace of the 44 ECAC Member States, and

• acceptably safe is defined as ‘risks’ to other airspace users are:

    o No higher than for equivalent manned operations; and

    o Reduced to As Far As Reasonably Practicable (AFARP), as required by ESARR 3 [3] and European Air Traffic Management Programme (EATMP) Safety Policy [4].

The initial step in addressing the above claim is to specify safety requirements such that, subject to complete and correct implementation, UAS operations in non-segregated airspace are acceptably safe.

The aim of this FHA is therefore to understand the risk of UAS via the derivation of hazards and an analysis of the consequences of those hazards. The Functional Hazard Assessment work will support the development of a UAS Preliminary System Safety Assessment Report (PSSA) which will document UAS safety requirements and provide traceability to detailed safety requirements.

1.5 Scope

This report covers the safety assurance activities undertaken to assess the safety of UAS operation in non-segregated airspace using two operational scenarios, up to the point where hazards have been identified and the consequence of those hazards assessed.

• Scenario 1 covers UAS IFR operations in Class A, B or C en-route airspace only. The mode of operation considered for this baseline scenario uses a command and control system architecture known as Radio Line Of Sight (RLOS) or Beyond Radio Line Of Sight (BRLOS).

• Scenario 2 covers UAS VFR operations based upon VLOS command and control systems in classes of airspace where VFR flight is permitted (Class C-G). VLOS operation requires the PIC to keep the UA in direct visual observation for the duration of the flight.

This safety assessment work is carried out from an Air Traffic Management (ATM) perspective with the aim of requirement setting but is not concerned with the implementation of any such safety requirements.

1.6 Structure

The Functional Hazard Assessment Report is structured as follows:

Section 1 Introduction – presents the scope and purpose of the report.

Section 2 Functional Hazard Assessment Overview – documents the objectives of the Functional Hazard Assessment along with the hazard identification and risk assessment methodology.

Section 3 System Scope and Scope of Analysis – provides an overview of the system under consideration and defines the scope of the analysis.

Section 4 Functional Hazard Assessment Results – documents the results of the Functional Hazard Assessment activity.

Section 5 Conclusions – presents the conclusions of the Functional Hazard Assessment.

Section 6 References – provides a list of referenced documents used in the report.

2 Functional Hazard Assessment Overview

2.1 Introduction

The EUROCONTROL Air Navigation Services (ANS) Safety Assessment Methodology [1] defines the objectives of a FHA as:

“a top-down iterative process, initiated at the beginning of the development or modification of an Air Navigation System. The objective of the FHA process is to determine: how safe does the system need to be?

The process identifies potential functional failures modes and hazards. It assesses the consequences of their occurrences on the safety of operations, including aircraft operations, within a specified operational environment.

The FHA process specifies overall Safety Objectives of the system, i.e. specifies the safety level to be achieved by the system.”

2.2 FHA Process

This FHA was performed in order to support a relative safety argument. The analysis aims to derive a set of hazards relating to UAS operating in non-segregated airspace.

The first step in performing the FHA was to establish the scope and boundary of the system, understanding that the system covers all aspects of the ATM environment including people, procedures and equipment. In the context of the defined scope and system boundary, the analysis has focused specifically on the identification of:

• A Functional and Logical Safety Model representing UAS operations in each Scenario.

• Hazards that could arise from, inter alia, functional failure, inadequacies, limitations, etc.

• The potential consequences of those hazards.

The FHA process began with the construction of a number of models. Given the requirement to present a relative safety argument, it was important to fully appreciate the current situation with no UAS (referred to as ‘without-UAS’) as compared to the proposed situation with UAS flying in non-segregated airspace (referred to as ‘with-UAS’). The models were constructed to aid the identification of potential hazards for which mitigation is required; see section 3.8 for more detail.

The models along with the proposed scope, boundary and assumptions for the analysis were presented at a UAS Safety Assessment Workshop for validation and verification by domain experts. A hazard identification verification activity was also carried out as part of the UAS Safety Assessment Workshop.

A number of issues, statements and discussion points were raised at the UAS Safety Assessment Workshop which were minuted in [5]. A number of these points have been used to justify or substantiate analysis decisions; these are referred to specifically throughout this document as originating from the workshop participants.

The output from the UAS Safety Assessment Workshop has been taken and used to perform a more detailed analysis which has included consideration of consequences and mitigations. These hazard models will subsequently be used as the basis of the UAS Preliminary System Safety Assessment, which will derive the safety requirements for UAS operations in non-segregated airspace.

2.3 FHA Objectives

The overall aims for the Functional Hazard Assessment as defined in section 1.4 are further refined to specific task objectives as discussed in the following list. Some of the objectives were addressed as part of the pre-workshop and workshop activities and others as part of the post-workshop activities. The results of these activities are captured in this report. The objectives listed below apply to both scenarios. The detailed objectives were:

• review and agree the overarching UAS Safety Argument Strategy

• verify the scope and boundaries of the analysis being undertaken

• validate the Scenario, Functional and Logical models

• identify the hazards as applicable to current manned operations (without-UAS) and proposed UAS operations (with-UAS) in non-segregated airspace

• identify the possible consequences of each hazard, taking into account the available mitigations, using Event Tree Analysis.

2.4 UAS Safety Assessment Workshop

A UAS Safety Assessment Workshop was held at EUROCONTROL HQ, Brussels on Wednesday 29th April and Thursday 30th April 2009. Minutes from the workshop are recorded in [5]. The Agenda for the UAS Safety Assessment Workshop and a list of participants are provided in Appendix A.

With respect to the above objectives, the UAS Safety Assessment Workshop achieved the following:

• Reviewed and agreed the overarching UAS Safety Argument Strategy.

• Verified the scope and boundaries of the analysis being undertaken.

• Validated the Scenario, Functional and Logical models for each UAS scenario.

• Identified the hazards associated with each scenario and the possible mitigations that are in place.

The remaining objectives are all captured as part of the FHA results in section 4.

Work from a previous EUROCONTROL project involving Military UAV as Operational Air Traffic (OAT) outside Segregated Airspace [6] was presented at the UAS Workshop as it was felt this was still applicable and provided a good starting point. This is discussed in more detail in section 4.1.

3 System Definition and Scope of Analysis

3.1 UAS Operational Scenarios

The concept of operating UAS in non-segregated airspace is expected to be transparent to the ATM environment. There are obvious differences between manned and unmanned aircraft, but in principle the UAS should operate to the same rules of the air and procedures that apply to manned aircraft. The safety of other airspace users depends on the UAS operations achieving at least an equivalent level of safety to manned aircraft. There are a wide variety of possible UAS operations and the safety aspects across the whole flight profile need to be assessed in order to assure those operations are acceptably safe. However, in order to focus this initial safety assessment, two UAS scenarios have been defined as described below. They were identified by the EUROCAE Working Group 73 as two of the most relevant near-term operational scenarios for UAS. The scenarios cover non-segregated operations but not for all flight stages and are subject to the assumptions listed later in section 3.7.

• Scenario 1 – covers UAS IFR operations in Class A, B or C en-route airspace only. The mode of operation considered for this baseline scenario uses a command and control system known as either Radio Line Of Sight (RLOS) or Beyond Radio Line Of Sight (BRLOS). The operations shall take place beyond visual line of sight (BVLOS) of the UAS Pilot. The duration of any UAS operation is dictated by the demands of the task but under Scenario 1 can range from a few hours to a number of days. Figure 1 below represents Scenario 1.

Figure 1 – Scenario 1

• Scenario 2 – covers UAS VFR operations based upon VLOS command and control systems in classes of airspace where VFR flight is permitted (Class C-G). Operations in classes C-E airspace could include CTR and/or TMA. Class B CTRs and TMAs, where VFR is also permitted, have been intentionally not considered. VLOS operation requires the PIC to keep the UA in direct visual observation for the duration of the flight. The duration of any UAS operation is dictated by the demands of the task but under Scenario 2 can range from a few minutes up to the available hours of daylight. Figure 2 below represents Scenario 2.

Figure 2 – Scenario 2

3.2 Defining the Scope for the FHA Activity

Prior to the FHA activity it was important to understand the differences between the ‘without-UAS’ and ‘with-UAS’ situations for each of the defined scenarios above in order to structure the analysis and support the relative assessment of risk.

The scope of the safety assessment has thus been defined by:

• understanding the ATM concept and environment in which UAS will operate, see section 3.3.

• a number of operational perspectives, see section 3.4.

• understanding the characteristics of UAS, see section 3.5.

• a series of identified scoping statements and assumptions, see sections 3.6 and 3.7.

• a number of UAS models, see section 3.8.

3.3 Air Traffic Management Concept

There are three main components of ATM, defined within the ATM Operational Concept Document [7] endorsed at ANC/11 in September 2003:

• Strategic Conflict Management

• Separation Provision and

• Collision Avoidance.

Strategic Conflict Management encapsulates all pre-flight planning activities that take place to ensure demand, capacity and conflicts are managed prior to the real time situation. Figure 3 below shows the principal interactions between the Strategic Conflict Management, Separation Provision, Collision Avoidance components and the Airspace. Note that [7] also states that any Collision Avoidance System should be separate from but compatible with the Separation Provision component. Collision avoidance systems cannot be included in determining the calculated level of safety required for Separation Provision with regard to the ESARR 4 Target Level of Safety (TLS); however, the Collision Avoidance function has been taken into account within this relative safety assessment due to the significant difference between the ‘with-UAS’ and ‘without-UAS’ situations.

Figure 3 – High Level Functional Model

The use of these terms is important within this analysis, and they have thus been defined in the following sections in relation to the defined UAS Scenarios.

3.3.1 Separation Provision Component

Separation Provision (SP) is the tactical process of keeping aircraft away from other airspace users, obstacles, restricted airspace, etc. Depending upon the type of airspace and, where applicable the Air Traffic Control (ATC) service being provided, separation provision can be performed either by ATC (as regards separation assurance from other aircraft/airspace by at least an appropriate separation minimum) or by the Pilot in Command, dependent on the class of Airspace, the type of ATC service provided or the flight rules in force. Separation minima are defined for application by ATC in accordance with the airspace classification and the flight rules of each individual aircraft concerned. Manned operations where the PIC is responsible for SP generally have no specified minima, although the overarching rules of the air apply as the basic requirements. However, the MIL UAV specifications [8] have defined minima for unmanned operations whilst the PIC is responsible for SP.

• Scenario 1 - ATC is responsible for providing Separation Provision between the UAS and other airspace users. The SP Monitoring and Instruction functions are provided by an Air Traffic Controller. The pilot is wholly responsible for ensuring the UA Trajectory Compliance function of SP. The pilot is also responsible for separation from obstacles and terrain.

• Scenario 2 – the PIC is responsible for Separation Provision. The Separation Provision monitoring and instruction functions are performed by the PIC, whereas Trajectory Compliance is performed by the UA.

3.3.2 Collision Avoidance Component

The Collision Avoidance (CA) component is responsible for identifying when a potential collision threat is imminent, then identifying and implementing an avoidance action. The CA objective is to ensure that collision threats are avoided. The CA function acts irrespective of airspace classification, flight rules or who is responsible for SP.

• Scenario 1 - When Separation Provision is the responsibility of ATC, the CA is intended to act independently from the SP functions. In principle, the CA function should only act when SP has failed (i.e. there is a loss of separation) and then only to take collision avoidance action¹ if the actual distance is assessed as representing a collision risk. Equally, loss of separation assurance by ATC may not represent cause for initiation of a collision avoidance manoeuvre. The CA function is the responsibility of the PIC; however, the PIC may be supported by a CA system such as TCAS II². Note that ATC may still instigate collision avoidance action from a PIC but the responsibility remains with the PIC.

• Scenario 2 - When the PIC is responsible for SP then the independence between SP and CA functions is blurred as the pilot is effectively responsible for both. For manned operations the Closest Point of Approach (CPA) and separation minima are effectively the same, as minima are not usually specified. NOTE: The impact of this on mixed UAS and manned operations needs to be further assessed within the PSSA. If found to be problematic a safety issue will be raised.

In relation to Scenario 1, SRC Policy Document [9] states that Collision Avoidance systems (referred to as Safety Nets) are not part of Separation Provision so must not be included in determining the acceptable level of safety required for Separation Provision. The SRC Policy Document statement implies that UAS must provide an equivalent level of interaction with the Separation Provision function as provided by Pilots. Furthermore the UAS Separation Provision System must maintain the level of safety (with respect to the scope of ESARR 4 [2]) without the need for a Safety Net.

¹ There are scenarios where the time needed to identify, resolve and take avoiding action is such that separation minima may not yet have been breached.

² As a rule TCAS II Resolution Advisories take precedence over ATC instructions.

3.4 Operational Perspectives

Consideration of UAS operations in non-segregated airspace can be understood from a number of operational perspectives.

• Scenario 1

    o Separation Provision – ICAO Airspace Classifications are contained in ICAO Annex 11 Air Traffic Services [10]. Table 1 below shows the level of ATC service provided for each airspace classification.

| Class | Type of Flight | Separation provided | Service provided | Radio communication requirements | ATC Clearance |
|---|---|---|---|---|---|
| A | IFR only | All aircraft | Air traffic control service | Continuous two-way | Yes |
| B | IFR | All aircraft | Air traffic control service | Continuous two-way | Yes |
| B | VFR | All aircraft | Air traffic control service | Continuous two-way | Yes |
| C | IFR | IFR from IFR; IFR from VFR | Air traffic control service | Continuous two-way | Yes |
| C | VFR | VFR from IFR | 1) Air traffic control service for separation from IFR; 2) VFR/VFR traffic information | Continuous two-way | Yes |

Table 1 – Level of ATC Service Provided

    o Collision Avoidance – is the PIC's responsibility regardless of the airspace within which the UA is operating.

    o ATS UAS Operational Flight Planning - it is required that a flight plan be filed to ATS for all Scenario 1 operations as they will be IFR in Class A, B or C airspace. Indication to ATC that the flight is unmanned will be through the use of specific UAS aircraft type designators.

    o Communications – voice communications are required between the PIC and ATC.

    o Other airspace users – will include manned IFR and VFR aircraft as well as other IFR UA.

• Scenario 2

    o Separation Provision – ICAO Airspace Classifications are contained in ICAO Annex 11 Air Traffic Services [10]. Table 2 below shows the level of ATC service provided for each airspace classification.

| Class | Type of Flight | Separation provided | Service provided | Radio communication requirements | ATC Clearance |
|---|---|---|---|---|---|
| C | IFR | IFR from IFR; IFR from VFR | Air traffic control service | Continuous two-way | Yes |
| C | VFR | VFR from IFR | 1) Air traffic control service for separation from IFR; 2) VFR/VFR traffic information | Continuous two-way | Yes |
| D | IFR | IFR from IFR | Air traffic control service including information about VFR flights (traffic avoidance on request) | Continuous two-way | Yes |
| D | VFR | Nil | Traffic information between VFR and IFR (traffic avoidance on request) | Continuous two-way | Yes |
| E | IFR | IFR from IFR | Air traffic control service and traffic information about VFR flights | Continuous two-way | Yes |
| E | VFR | Nil | Traffic information as far as practical | No | No |
| F | IFR | IFR from IFR as far as practicable | Air traffic advisory service; flight information service | Continuous two-way | No |
| F | VFR | Nil | Flight information service | No | No |
| G | IFR | Nil | Flight information service | Continuous two-way | No |
| G | VFR | Nil | Flight information service | No | No |

Table 2 – Level of ATC Service Provided

o Collision Avoidance – is the PIC's responsibility regardless of the airspace within which the UA is operating.

o ATS UAS Operational Flight Planning – it may not be necessary that a flight plan be filed with an ATS unit for VLOS operations.

o Communications – UAs under VLOS operation will communicate to all relevant parties through appropriate means according to the airspace classification.

o Other Airspace Users – may include many users, such as hot air balloons, gliders, micro lights or other manned VFR as well as other VLOS UA.

3.5 UAS Characteristics

UAS encapsulates the Unmanned Aircraft (UA) itself, the entirety of systems, people and procedures involved in the launch, control and recovery of the AV, including the ground station, the UAS crew, operational processes and flight crew procedures. To establish the potential differences in manned and unmanned operations, it is important to understand the specific characteristics of UAS that are potentially relevant to operations in non-segregated airspace. The UAS characteristics are depicted in Figure 4.


A principal characteristic is that the means of UA Control is functionally separate from the UA. The Pilot in Command (PIC) of the UA will be remote from the UA in a UAS Ground Control Station (GCS). The PIC maintains control of the UA through a UAS Control System (UCS) and a UAS Control Link (UCL). This method of control is the same for Scenario 1 and Scenario 2.

Figure 4 – UAS Characteristics Model

The key characteristics that can affect UAS operations are as follows:

• Conspicuity - the visibility of the UAV to other airspace users is an important component in the Collision Avoidance component as well as when Separation Provision is the responsibility of the PIC. This could be an issue for UAs that are smaller than manned aircraft, or UAs that present a poor signature for Primary Surveillance Radar. This may be especially relevant for Scenario 2 as the UA will be operating under 2000ft and may be small.

• Automatic Operations – One of the key characteristics of a UAS is the ability to operate under various conditions without human interaction. The necessity for human interaction, along with other factors such as safety, mission complexity and environmental difficulty, determines the level of automation that the UAS can achieve.

o Fully automatic – A mode of operation of a UAS wherein the UA is expected to accomplish its mission, within a defined scope, without human intervention.

o Semi-automatic - A mode of operation of a UAS wherein the human operator and/or the UAS plan(s) and conduct(s) a mission and require various levels of human interaction.

o Teleoperation - A mode of operation of a UAS wherein the human operator, using video feedback and/or other sensory feedback, either directly controls the actuators or assigns incremental goals, waypoints in mobility situations, on a continuous basis, from off the UA and via a tethered or radio linked control device. In this mode, the UAS may take limited initiative in reaching the assigned incremental goals.

o Remote control - A mode of operation of a UAS wherein the human operator, without benefit of video or other sensory feedback, directly controls the actuators of the UAS on a continuous basis, from off the vehicle and via a tethered or radio linked control device using visual line-of-sight cues. In this mode, the UA takes no initiative and relies on continuous or nearly continuous input from the user.

• Airworthiness – the Airworthiness Certification of a UAS is outside the scope of this analysis. However, it is assumed within the analysis that UAS will be fitted with certified equipment equivalent to that for manned operation in the intended non-segregated airspace, unless otherwise specifically stated, i.e. the UA will meet the defined minimum equipment requirements for the airspace and flight rules in force.

• Flight Performance – the manoeuvrability of a UA is important to understand. Currently, Air Traffic Controllers are required to understand flight performance characteristics of the types of aircraft that come under their control and provide separation provision instructions based on this understanding. This requirement for understanding will also need to apply to unmanned operations to ensure ATC instructions can be implemented. Flight performance is particularly important when understanding if a UA could comply with an ATC Separation provision instruction or collision avoidance manoeuvre.

3.6 Scoping Statements

The following scoping statements have been made to further support the safety assurance activity. Statements S0001 to S0007 were validated during the FHA workshop.

Scope S0001 The aim of the safety assessment is for seamless integration of UAS operations into the current European ATM system.

Scope S0002 Only single (not in formation) UAs in non-segregated airspace are considered.

Scope S0003 Payload is considered external to the UAS system from an ATM perspective and is therefore outside scope.

Scope S0004 Only IFR En-Route operations in Classes A, B, or C airspace are considered (Scenario 1).

Scope S0005 Only day VFR operations are considered (Scenario 2).

Scope S0006 Class G airspace above Classes A, B or C airspace is not considered under Scenario 2.


Scope S0007 Eyeball Visual Line Of Sight (VLOS) operations only are within scope of the safety assessment, no command link VLOS are considered (Scenario 2).

Scope S0008 If ATC are involved in Scenario 2, they will not give specific trajectory instructions, but may stipulate airspace limitations, such as to remain below a specified level.

3.7 Assumptions

The following assumptions have also been made to further scope and support the safety assurance activity:

Assumption A0001 Current equivalent manned operations are tolerably safe.

Assumption A0002 A pilot is only ever in control of one single UA.

Assumption A0003 Airworthiness approval criteria are available and UAS have been approved by a competent authority.

Assumption A0004 UAS operations comply with applicable ICAO standards, except where explicitly stated.

Assumption A0005 All other airspace users intend to be seen.

Assumption A0006 Where an Air Traffic Control (ATC) service is offered to a UAS Pilot, that ATC service is assumed to be fully licensed (Scenario 1 and Scenario 2).

Assumption A0007 The UA Pilot-in-Command and associated Ground Control Station are assumed to be co-located for the duration of UA operations (Scenario 1).

Assumption A0008 TCAS II Version 7 is not available for a UA, as stated by ICAO, but may be in operation with other airspace users (Scenario 1).

Assumption A0009 UA operations are assumed to range in duration from a few hours to a number of days (Scenario 1).

Assumption A0010 UA operations are assumed to range in duration from a few minutes up to the hours of available daylight (Scenario 2).

Assumption A0011 UA Launch and Recovery operations are assumed to take place from locations away from aerodromes/airports (Scenario 2).

Assumption A0012 Where no flight plan is available, an airborne flight plan will be created (Scenario 1).


3.8 Unmanned Aircraft System Models

The following models have been constructed for each scenario based on the defined scope of the FHA for each of the operational perspectives of UAS:

• Flight Profiles – captures all likely ATM environments and situations in which the UAS may be required to operate.

• Functional Models – derived from the components defined within the ICAO Strategic Conflict Model.

3.8.1 Flight Profiles

The flight profile model for each scenario aims to capture all phases of flight within the scope of analysis and likely ATM environments in which the UAS may be required to operate.

• Scenario 1 - Flight Profile Model is presented in Appendix B.1.1 and encapsulates IFR En-Route operations, crossing FIR boundaries, emergency operations and early descent.

• Scenario 2 - Flight Profile Model is presented in Appendix B.1.2 and encapsulates pre-flight planning, launch of the UA, VFR operations, crossing FIR boundaries, approach, recovery and any post landing actions.

3.8.2 Functional Models

The following functional models are presented within the appendices. The aim of these models is to identify the primary functions performed by each system functional element for each of the two scenarios.

• Scenario 1 Functional Model with ATC Responsible for Separation Provision is shown in Appendix B.2.1.

• Scenario 2 Functional Model with Pilot in Command Responsible for Separation Provision is shown in Appendix B.2.2.

The functional models developed for UAS are based on Figure 3 – High Level Functional Model in section 3.2. It should be noted that the primary ATM functions are the same for both the ‘with-UAS’ and ‘without-UAS’ operations.

More detailed models identifying logical elements of the ‘with-UAS’ and ‘without-UAS’ situations will be documented within the Preliminary System Safety Assessment (PSSA) Report.


4 Functional Hazard Assessment Results

4.1 Overview

In order to establish the relative change in risk as a result of introducing UAS operations in non-segregated airspace, the initial step in the analysis was to identify the hazards at a common boundary point for the ‘without-UAS’ and ‘with-UAS’ situations for each of the two scenarios. It was then necessary to establish if these hazards were common to both situations and whether there were any new hazards in the ‘with-UAS’ situation. This was analysed for both scenarios.

Previous work involving the safety assessment of Military UAV as Operational Air Traffic outside segregated Airspace [6] had identified a list of hazards that were common to both the without-UAS and with-UAS scenarios. Due to the experience of the UAS workshop facilitators and the similarities in the two projects, the previous list of hazards was presented to the UAS workshop participants as a starting point. It was agreed that these hazards were considered to be applicable to military and civil operations. Therefore the previous list of hazards was reviewed and discussed during the UAS Workshop to identify if the hazards were still valid for the UAS safety assessment work and to identify any gaps. As a result a full functional analysis was conducted as part of the post workshop FHA activity as detailed below.

4.2 Hazard Identification Approach

Each function depicted in the High Level Functional Model (Figure 3 in section 3.2) was reviewed against a set of guidewords to ensure that the list of hazards captured all failure scenarios. Each guideword was applied to each function and considered in more detail, as shown in Appendix C. The functions considered are as listed below:

• Separation Provision

1. Separation Provision Instruction

2. Separation Provision Monitor

3. Trajectory Compliance

• Collision Avoidance

4. Observe

5. Resolve/Decide

6. Act

• Other Aircraft

7. Trajectory Compliance

• UAV Operator

8. Flight Planning


The functional failure guidewords applied to each of the above functions are listed below:

• Loss – complete negation of an intention. No part of the intention is achieved and nothing else happens, i.e. ATC inability to provide separation provision.

• Error – any action that is undesirable regardless of cause, e.g. incorrect response to ATC instruction, partial response to ATC instruction or unintentional actions.

• Intentional deviation – a different action than that intended occurs as a result of an external input i.e. ATC instruction ignored (e.g. due to Traffic Collision Avoidance System (TCAS) Resolution Advisory (RA)).

• Too early – an action occurs earlier than expected either relative to UTC, order or sequence.

• Too late – an action occurs later than expected whether relative to UTC, order or sequence.

• Other (completeness check).

The high level functional model presented in Figure 3 represents a closed loop control system, with the airspace as the element under control. By breaking the control loop at the point where the separation provision compliance function interfaces with the airspace it can be observed that:

• The primary control function is Separation Provision.

• Collision Avoidance can mitigate Separation Provision failure (although the Trajectory Compliance function is a potential for common cause failure).

• Collision Avoidance actions can interfere with Separation Provision.

As such the analysis of hazards focuses on the Separation Provision Function, and models the Collision Avoidance functional failure scenarios either as mitigations in the consequence of the SP hazards or as potential causes of the SP hazards. It should also be noted that, for the purpose of the FHA, UA failures subsequent to link loss are modelled as PIC hazards on the basis that the PIC is responsible for defining the contingency action.

The following high-level hazards were identified and are common to both the with-UAS and without-UAS situation:

• Loss of Separation Provision.

• Error in Separation Provision.

• Delayed Separation Provision.

• Intentional Deviation from Separation Provision Instruction.


The Fault Trees in Appendix D show how the functional failure scenarios identified from applying the guidewords relate to the ten hazards identified in the UAS Safety Assessment workshop. The Fault Trees have thus been drawn for the purpose of showing this linking only; more specific, detailed FTAs will be produced to support the causal analysis in the Preliminary System Safety Assessment (PSSA). Table 3 below groups each of the hazards with one of the high-level hazards outlined above.

| High-Level Hazard | UAS Workshop Hazard No. | UAS Workshop Hazard Title |
|---|---|---|
| Loss of Separation Provision | HAZ001 | Inability to comply with separation provision instruction from ATC |
| Loss of Separation Provision | HAZ005 | Loss of separation provision from ATC |
| Loss of Separation Provision | HAZ007 | Loss of separation provision from Pilot in Command |
| Separation Provision error | HAZ002 | Incorrect response to separation provision instruction from ATC |
| Separation Provision error | HAZ006 | ATC separation provision error |
| Separation Provision error | HAZ008 | Pilot in Command separation provision error |
| Separation Provision error | HAZ010 | Separation Provision Minima is breached by other aircraft |
| Delayed Separation Provision | HAZ004 | Delayed response to separation provision instruction from ATC |
| Delayed Separation Provision | HAZ009 | Pilot in Command separation provision too late |
| Intentional Deviation from Separation Provision Instruction | HAZ003 | Intentional deviation from separation provision instruction from ATC |

Table 3 – Hazard Identification

4.3 Hazard Identification Results

The functional failure analysis confirmed the conclusion of the UAS Safety Assessment workshop that UAS operations for Scenario 1 and Scenario 2 do not introduce any new hazards at the ATM concept level. The assessment also concluded that the resultant hazards are not all applicable to both scenarios, hence the workshop agreed the following scenario assignments.

• Scenario 1

o HAZ001 - Inability to comply with separation provision instruction from ATC
Aircraft is unable to comply with a separation provision instruction from air traffic control.

o HAZ002 - Incorrect response to separation provision instruction from ATC
Aircraft responds incorrectly to a separation provision instruction from air traffic control.


o HAZ003 - Intentional deviation from separation provision instruction from ATC
Aircraft makes intentional deviation from separation provision instruction provided by air traffic control for reasons such as weather avoidance and RAs (not for malicious reasons) and informs air traffic control of the deviation.

o HAZ004 - Delayed response to separation provision instruction from ATC
Aircraft has a delayed response to a separation provision instruction from air traffic control, where the delay is within the predetermined limit before air traffic control assumes loss and issues new separation provision instructions to surrounding aircraft.

o HAZ005 - Loss of separation provision from ATC
Loss of separation provision function from air traffic control due to the inability of air traffic control to provide the function to the pilot.

o HAZ006 - ATC separation provision error
Air traffic control issues a separation provision instruction containing an error.

• Scenario 2

o HAZ001 to HAZ006
These were considered to be applicable to Scenario 2 only in so far as there are certain circumstances where for example initial ATC clearance is required or a temporary operating area is defined by ATC. It should be noted that causes were only found for HAZ006 on the basis of scoping statement S0008 (see Fault Tree Analysis, Appendix D.2).

o HAZ007 – Loss of separation provision from the Pilot in Command
Loss of separation provision instruction from pilot in command due to the inability of the pilot in command to provide the function i.e. no separation provision instruction provided to the UA from the pilot in command.

o HAZ008 – Pilot in Command separation provision error
Pilot in command on the ground issues separation provision instruction containing an error to the UA.

o HAZ009 – Pilot in Command separation provision instruction too late
Pilot in command on the ground provides a separation instruction too late.


o HAZ010 - Separation Provision Minima is breached by other aircraft
Separation provision minima are reduced due to the actions of other aircraft.

4.4 Consequence Analysis

The next step in the analysis is to assess the consequences associated with each hazard in both the ‘without-UAS’ and ‘with-UAS’ situations for both scenarios. The relative impact of the change was then assessed with respect to risk. The FHA considered the consequence of hazards associated with UAS operation in non-segregated airspace. The consequence analysis was conducted to the point where there is the potential for an accident. The columns in the event tree are defined as follows:

• First Column – Initiating Hazard.

• Middle Columns – potential mitigations that would prevent the hazard resulting in an end consequence.

• Last Column – the end consequence.

A number of mitigations within the event trees are generic to all hazards; these are highlighted in the appropriate place.

Given the requirement to present a relative qualitative safety argument for UAS operations in non-segregated airspace and the justification for an improved level of risk reduction than the current ‘without-UAS’ situation, the table in Appendix C presents a qualitative severity classification scheme applicable for this safety analysis. The scheme is based on ESARR 4 [2] for ATM and JAR25-1309 [11] for aircraft related consequences.

4.4.1 Mitigations for HAZ001

The event tree for HAZ001 (Inability to comply with Separation Provision Instruction from ATC) is shown in Appendix F.1, Figure 5. The mitigations for this hazard are explained in Table 4 below. Note that whilst Air Traffic Control may be involved with UAS operations within Scenario 2, it is unlikely this will be the case as the UA will be flown under VLOS operation. The descriptions provided within the following tables are based on the output from the UAS Safety Assessment Workshop. The FHA workshop also identified a PIC mitigation for this hazard and HAZ002 and HAZ004: “PIC notices error”. This was removed from the Event Tree as some of the causes identified in the Functional Failure Analysis (FFA) would negate this mitigation. The PIC mitigation will be remodelled in the FTA as part of the PSSA activity.


| Event Tree Mitigation | Description | Scenario 1 |
|---|---|---|
| Air Traffic Control awareness | An Air Traffic Controller may be able to identify an aircraft that has failed to comply with a separation provision instruction. | The likelihood in the ability of an Air Traffic Controller to identify that an aircraft has failed to comply with a separation provision instruction will remain the same for without-UAS and with-UAS situations. Although Air Traffic Controllers in the future may be provided with information to enable them to distinguish between manned and unmanned aircraft, this should not change their ability to provide separation provision. |
| Revised ATC Instruction | If the Air Traffic Controller is made aware, or notices, the Pilot in Command’s inability to comply with a separation provision instruction, it was considered very likely that ATC would provide an amended instruction or attempt to reinforce the instruction. This could be to either that specific aircraft, or dependent upon the circumstances, i.e. an inability to control the aircraft, provide appropriate instructions to surrounding aircraft. | There is no change in the likelihood for either without-UAS or with-UAS situations for this mitigation. |
| Generic Mitigations applicable to all hazards without-UAS and with-UAS | | |
| Other Aircraft | Once all the mitigations listed above have failed, and assuming worst case that there is another aircraft in close vicinity, the immediate mitigation is that the other aircraft takes avoiding action. It should be noted that the use of remote observers was discussed but it was decided that the use of a remote observer was a possible variant in scenario 2 and not considered as a mitigation, therefore is not included in the consequence analysis. | It was considered that there will be little or no change in the likelihood of another aircraft taking avoiding action for the without-UAS to the with-UAS situation. However, this may depend on the conspicuity of the UA itself in the with-UAS situation and whether the other aircraft is able to move at speed to avoid the UAV. |
| Collision Avoidance | The CA function is not provided (whether with-UAS or without-UAS) when it is required. This mitigation is stated in the negative as it is the top gate of the corresponding Fault Tree. Ideally CA should function in all scenarios, however in reality there are limitations on any CA system in terms of how many CA scenarios can be detected e.g. TCAS when fully working will not resolve all CA correctly and sometimes may indeed create an accident situation which may not have previously existed. As part of the success case argument the conditions under which CA is required to operate must be defined, this will be drawn out further within the Preliminary Safety Case. | Collision Avoidance Systems - See Fault Tree analysis in Appendix D.1.1. |

Table 4 – HAZ001 Event Tree Mitigations
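The event-tree column structure from section 4.4, applied to the HAZ001 mitigations in Table 4, as an added Python example that is not part of the original report. The barrier order comes from the table; the dependency of Revised ATC Instruction on ATC awareness, the `resolves` flag and the label "hazard mitigated" are assumptions made here, since the report's own tree is in Appendix F.1.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Barrier:
    name: str
    # Earlier barrier that must have worked before this one is attempted.
    depends_on: Optional[str] = None
    # True: success ends the sequence safely. False: success only enables
    # a later barrier (detection without correction).
    resolves: bool = True


# Middle columns of the event tree, in the order listed in Table 4.
# depends_on / resolves are assumptions for this example.
HAZ001_BARRIERS = (
    Barrier("Air Traffic Control awareness", resolves=False),
    Barrier("Revised ATC Instruction",
            depends_on="Air Traffic Control awareness"),
    Barrier("Other Aircraft"),       # generic mitigation
    Barrier("Collision Avoidance"),  # generic mitigation
)

RECOVERED = "hazard mitigated"                    # assumed label
POTENTIAL_ACCIDENT = "potential for an accident"  # wording from section 4.4


def enumerate_sequences(barriers):
    """Return every path through the tree as (outcomes, end_consequence).

    outcomes maps barrier name -> True (worked) or False (failed);
    barriers that were never attempted are absent from the mapping.
    """
    sequences = []

    def walk(index, outcomes):
        if index == len(barriers):
            # Every remaining barrier failed or was not attempted.
            sequences.append((dict(outcomes), POTENTIAL_ACCIDENT))
            return
        barrier = barriers[index]
        if barrier.depends_on and not outcomes.get(barrier.depends_on, False):
            walk(index + 1, outcomes)  # prerequisite failed: skip barrier
            return
        worked = {**outcomes, barrier.name: True}
        if barrier.resolves:
            sequences.append((worked, RECOVERED))
        else:
            walk(index + 1, worked)
        walk(index + 1, {**outcomes, barrier.name: False})

    walk(0, {})
    return sequences


def failed_in_every_accident(sequences):
    """Barriers that have failed in all sequences ending in an accident."""
    common = None
    for outcomes, end in sequences:
        if end != POTENTIAL_ACCIDENT:
            continue
        failed = {name for name, ok in outcomes.items() if not ok}
        common = failed if common is None else common & failed
    return common or set()


if __name__ == "__main__":
    for outcomes, end in enumerate_sequences(HAZ001_BARRIERS):
        steps = ", ".join(
            f"{name}: {'works' if ok else 'fails'}"
            for name, ok in outcomes.items()
        )
        print(f"HAZ001 -> {steps} -> {end}")
```

In this model both generic mitigations have failed in every sequence that ends in a potential accident, whichever way the ATC branches went.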

4.4.2 Mitigations for HAZ002

The event tree for HAZ002 (Incorrect response to Separation Provision Instruction from ATC) is presented in Appendix F.2, Figure 6. The mitigations for this hazard are explained in Table 5.

| Event Tree Mitigation | Description | Scenario 1 |
|---|---|---|
| Air Traffic Control awareness | An Air Traffic Controller may be able to identify an incorrect response from an aircraft to a separation provision instruction. | Although Air Traffic Controllers in the future may be provided with information to enable them to distinguish between manned and unmanned aircraft, this should not change their ability to provide separation provision. The likelihood in the ability of an Air Traffic Controller to identify that an aircraft has incorrectly complied with a separation provision instruction will remain the same for without-UAS and with-UAS situations. |
| Revised ATC Instruction | If the Air Traffic Controller is made aware, or notices, the Pilot in Command’s incorrect compliance with a separation provision instruction, it is very likely that ATC would query the Pilot in Command’s response and provide an amended instruction. | There is no change in the likelihood for either without-UAS or with-UAS situations for this mitigation. |
| Other Aircraft and Collision Avoidance mitigations as per HAZ001 | | |

Table 5 – HAZ002 Event Tree Mitigations

4.4.3 Mitigations for HAZ003

The event tree for HAZ003 (Intentional deviation from Separation Provision Instruction from ATC) is presented in Appendix F.3, Figure 7. The mitigations for this hazard are explained in Table 6.


| Event Tree Mitigation | Description | Scenario 1 |
|---|---|---|
| Pilot in Command | In either the without-UAS or with-UAS situation, if a Pilot in Command intentionally deviated from a separation provision instruction it was considered highly likely that he will communicate this to ATC as soon as possible. This mitigation was thought to have a very high likelihood given that procedures state, specifically for collision avoidance manoeuvres that are contradictory to an ATC separation provision instruction, that a Pilot informs ATC as soon as possible. | It was considered potentially more likely that a UAS Pilot in Command would communicate an intentional deviation from an instruction quicker than for a manned aircraft. It is assumed that all intentional deviations are for genuine reasons, e.g. weather avoidance and not due to malicious actions. |
| Air Traffic Control awareness | An Air Traffic Controller may query the deviation from an instruction, but may also assume that the instruction will be followed and focus attention elsewhere. | The likelihood in the ability of an Air Traffic Controller to identify that an aircraft has intentionally deviated from a separation provision instruction will remain the same for the without-UAS and with-UAS situation. |
| ATC verifies situation | If the Air Traffic Controller is made aware, or notices, the intentional deviation from a separation provision instruction, it is very likely that ATC would query the Pilot in Command’s response and provide an amended instruction. | There is no change in the likelihood for either without-UAS or with-UAS situations for this mitigation. |
| Other Aircraft and Collision Avoidance mitigations as per HAZ001 | | |

Table 6 – HAZ003 Event Tree Mitigations

4.4.4 Mitigations for HAZ004

The event tree for HAZ004 (Delayed response to Separation Provision Instruction from ATC) is presented in Appendix F.4, Figure 8. The mitigations for this hazard are explained in Table 7.

| Event Tree Mitigation | Description | Scenario 1 |
|---|---|---|
| Air Traffic Control awareness | It is possible that an Air Traffic Controller may notice a delayed response from an aircraft to a separation provision instruction. | The likelihood in the ability of an Air Traffic Controller to identify that an aircraft has a delayed response to a separation provision instruction will remain the same for the without-UAS and with-UAS situation. An Air Traffic Controller may query that there is no initial response to his instruction. |
| Revised ATC Instruction | If the Air Traffic Controller is made aware, or notices, the Pilot in Command’s delayed response and understands the reasons for it, it was considered very likely that ATC would either provide an amended instruction or manoeuvre other aircraft accordingly. | There is no change in the likelihood for either without-UAS or with-UAS situations for this mitigation. |
| Other Aircraft and Collision Avoidance mitigations as per HAZ001 | | |

Table 7 – HAZ004 Event Tree Mitigations

4.4.5 Mitigations for HAZ005

The event tree for HAZ005 (Loss of Separation Provision from ATC) is presented in Appendix F.5, Figure 9. The mitigations for this hazard are explained in Table 8.

| Event Tree Mitigation | Description | Scenario 1 |
|---|---|---|
| Pilot in Command | A Pilot in Command may be able to notice the loss of separation provision from Air Traffic Control and will initially attempt to contact Air Traffic Control and if this is not possible will instigate lost communication procedures. | The likelihood in the ability of the Pilot in Command to notice the loss of separation provision will remain the same for the without-UAS and with-UAS situation. The likelihood of a UAS following lost communication procedures is more likely than for manned aircraft. However, loss of communication with Air Traffic Control was considered less significant for the with-UAS situation due to the additional communication systems potentially available to a pilot of a UAS. |

Other Aircraft and Collision Avoidance mitigations as per HAZ001

Table 8 – HAZ005 Event Tree Mitigations

4.4.6 Mitigations for HAZ006

The event tree for HAZ006 (ATC Separation Provision Error) is presented in Appendix F.6, Figure 10. The mitigations for this hazard are explained in Table 9.


| Event Tree Mitigation | Description | Scenario 1 | Scenario 2 |
|---|---|---|---|
| Air Traffic Control awareness | An Air Traffic Controller may be made aware of or notice an error in a separation provision instruction. | The likelihood of the ability of an Air Traffic Controller to notice an error in a separation provision instruction provided to a Pilot in Command was considered to be no different for the without-UAS to with-UAS situation. | The likelihood of the ability of an Air Traffic Controller to notice an error in a separation provision instruction provided to a Pilot in Command was considered to be no different for the without-UAS to with-UAS situation. |
| Air Traffic Control Revised Instruction | If the Air Traffic Controller is made aware, or notices, an error with a separation provision instruction, it was considered very likely that ATC would provide an amended instruction. | The likelihood in the ability of an Air Traffic Controller to identify an error in the separation provision instruction provided to a Pilot in Command is considered to be no different for the without-UAS to with-UAS situation. | Air Traffic Control are less likely to be involved, however the likelihood in the ability of an Air Traffic Controller to identify an error in the separation provision instruction provided to a Pilot in Command is considered to be no different for the without-UAS to with-UAS situation. |

Other Aircraft and Collision Avoidance mitigations as per HAZ001

Table 9 – HAZ006 Event Tree Mitigations

4.4.7 Mitigations for HAZ007

Mitigations for HAZ007 (Loss of Separation Provision from the Pilot in Command) are only applicable to Scenario 2 due to the Pilot in Command being responsible for his own Separation Provision as the UA is under VLOS operation. The event tree for HAZ007 is presented in Appendix F.7, Figure 11. The mitigations for this hazard are explained in Table 10.

| Event Tree Mitigation | Description | Scenario 2 |
|---|---|---|
| Pilot in Command | Where a Pilot in Command is responsible for providing his own separation provision, he may identify a loss of separation whether a result of PIC error or UA failure. | Where a Pilot in Command is responsible for providing his own separation provision, the likelihood of him realising an action or UA failure has resulted in a loss of separation was considered to be very low. This is because it may be difficult for a Pilot in Command on the ground to correctly identify the distance and trajectory of a nearby aircraft depending on where the Pilot in Command is located. |
| Revised Instruction | Once the Pilot in Command notices a loss in separation provision, it was considered very likely that he would revise and execute a new instruction as soon as possible. | The likelihood for this mitigation was considered no different for the without-UAS to the with-UAS situation. |

Other Aircraft and Collision Avoidance mitigations as per HAZ001 (Scenario 2)

Table 10 – HAZ007 Event Tree Mitigations

4.4.8 Mitigations for HAZ008

Mitigations for HAZ008 (Pilot in Command Separation Provision Error) are only applicable to Scenario 2 due to the Pilot in Command being responsible for his own Separation Provision as the UA is under VLOS operation. The event tree for HAZ008 is presented in Appendix F.8, Figure 12. The mitigations for this hazard are explained in Table 11.

| Event Tree Mitigation | Description | Scenario 2 |
|---|---|---|
| Pilot in Command | Where a Pilot in Command is responsible for providing his own separation provision, he may identify an error in separation provision. | Where a Pilot in Command is responsible for providing his own separation provision, the likelihood of him noticing an error in a separation provision instruction was considered to be very low. |
| Revised Instruction | Once the Pilot in Command notices an error in a separation provision instruction, it was considered very likely that he would rectify this through a revised instruction and execute this as soon as possible. | The likelihood for this mitigation was considered no different for the without-UAS to the with-UAS situation. |

Other Aircraft and Collision Avoidance mitigations as per HAZ001 (Scenario 2)

Table 11 – HAZ008 Event Tree Mitigations

4.4.9 Mitigations for HAZ009

Mitigations for HAZ009 (Pilot in Command Separation Provision Instruction too late) are only applicable to Scenario 2 due to the Pilot in Command being responsible for his own Separation Provision as the UA is under VLOS operation. The event tree for HAZ009 is presented in Appendix F.9, Figure 13. The mitigations for this hazard are explained in Table 12.

| Event Tree Mitigation | Description | Scenario 2 |
|---|---|---|
| Pilot in Command | Where a Pilot in Command is responsible for his own separation provision, he may provide a separation instruction too late. | Where the Pilot in Command is responsible for providing his own separation provision instructions, and one of these is implemented too late, the first mitigation will be if there is an aircraft in the vicinity, followed by initiation of collision avoidance systems. |

Other Aircraft and Collision Avoidance mitigations as per HAZ001 (Scenario 2)

Table 12 – HAZ009 Event Tree Mitigations


4.4.10 Mitigations for HAZ010

Mitigations for HAZ010 (Separation Provision Minima is breached by Other Aircraft) are only applicable to Scenario 2 due to the Pilot in Command being responsible for his own separation provision as the UA is under VLOS operation. The event tree for HAZ010 is presented in Appendix F.10, Figure 14. The mitigations for this hazard are explained in Table 13.

| Event Tree Mitigation | Description | Scenario 2 |
|---|---|---|
| Revised PIC instruction | If the PIC is made aware, or notices, a loss in separation provision, it was considered very likely that the PIC would provide an amended instruction to the UA. | There is no change in the likelihood for either without-UAS or with-UAS situations for this mitigation but it should be noted that it may be difficult for a PIC on the ground to correctly identify the distance and trajectory of a nearby aircraft depending on where the PIC is located. |

Other Aircraft and Collision Avoidance mitigations as per HAZ001 (Scenario 2)

Table 13 – HAZ010 Event Tree Mitigations

4.5 Analysis Conclusions

The consequence analysis identified a series of mitigations for each of the hazards assigned to Scenario 1 and Scenario 2. The mitigations are essentially the same for the with-UAS and without-UAS situations; however, there are specific areas where UAS operations have the potential to affect the probability of success of some specific mitigations, such as:

• The pilot in command in Scenario 1 is likely to identify situational awareness issues more easily or quickly based on the additional potential range of information available to them.

• The pilot in command in Scenario 1 may have more communication equipment at hand to verify potential issues with ATC.

• The capability, performance and integrity of the CA function in Scenario 1 is likely to be greater than in Scenario 2 given the PIC’s relative position to the UA under VLOS and the potential lack of automated support systems. This will be assessed further as part of the PSSA activity.

The analysis also identified that there are some common failure scenarios between the causes of some hazards and the effectiveness of some mitigations, in particular for collision avoidance. For example, aircraft height keeping and navigational equipment is essential to separation provision and collision avoidance and failure of these would be common to both. These common failure scenarios will be addressed as part of the PSSA activity.

4.6 Safety Objectives

The purpose of the FHA is to identify a set of high level hazards and derive the associated safety objectives, such that, if satisfied, an acceptable level of safety can be demonstrated. The safety objectives are derived from the safety criteria, which in this case are relative, i.e. not based on an absolute Target Level of Safety (TLS).

Given that the analysis has not identified any unique hazards for UAS operations, the safety objective set out below is based on ensuring that the safety criteria (as stated in section 1.4) are achieved, i.e. the risk from UAS operations is:

• No higher than for equivalent manned operations; and

• Reduced to As Far As Reasonably Practicable (AFARP), as required by ESARR 3 [3] and European Air Traffic Management Programme (EATMP) Safety Policy [4].

For the criteria to be met the occurrence rate for each hazard must be no greater for UAS operations (in Scenario 1 or Scenario 2) than for manned operations³. In both cases where practicable the risk from UAS operations should be further reduced. The potential for and feasibility of further risk reduction for each UAS hazard will be considered as part of the PSSA.

³ Since there is no direct equivalent to VLOS operations in manned operations then the occurrence rate must be equivalent to VFR operations in Class G airspace.


5 Conclusions

The Functional Hazard Assessment activity has identified ten hazards that fall within the defined scope of the safety analysis. Six hazards apply to Scenario 1 and ten hazards to Scenario 2. The UAS hazards are defined at the boundary of UAS Operations and reflect functional failure scenarios that could potentially lead to hazardous situations. All ten hazards are common to the ‘with-UAS’ and ‘without-UAS’ situations.

The analysis has been performed based on the output of the UAS Safety Assessment Workshop held at EUROCONTROL HQ, Brussels, and is bound by a number of scoping statements and assumptions as detailed in sections 3.6 and 3.7. The results of the Functional Hazard Assessment enable an understanding of the risks associated with the operation of UAS in non-segregated airspace via the derivation of the hazards identified and analysis of the consequences of those hazards. The output of this report and further analysis will enable a separate PSSA Report to be produced that will document the safety requirements and provide traceability to detailed safety requirements.


6 References

| No | Reference | Document Title | Issue/Date |
|---|---|---|---|
| [1] | SAF.ETI.ST03.1000-MAN-01 | Air Navigation System Safety Assessment Methodology | Edition: 2.1, 03 October 2006 |
| [2] | ESARR4 | Risk Assessment and Mitigation in ATM | Edition: 1.0, 05 April 2001 |
| [3] | ESARR3 | ESARR3: Use of Safety Management Systems by ATM Service Providers | Edition: 1.0, 17 July 2000 |
| [4] | SAF.ETI.ST01.1000-POL-01-00 | EATMP Safety Policy | Edition: 1.1, 25 August 1999 |
| [5] | P09005.10.4 | UAS Safety Assessment Workshop Minutes | Edition 0.2, 18 May 2009 |
| [6] | P05005.10.4 | Functional Hazard Assessment/Preliminary System Safety Assessment (FHA/PSSA) Report for Military UAV as OAT outside Segregated Airspace | Edition 1.0, 23 August 2003 |
| [7] | AN-Conf/11-WP/4 | Appendix A to ATM Operational Concept Document | September 2003 |
| [8] | EUROCONTROL-SPEC-0102 | EUROCONTROL Specifications For The Use For Military Unmanned Aerial Vehicles As Operational Air Traffic Outside Segregated Airspace | Edition 1.0, 26 July 2007 |
| [9] | SRC POL DOC 2 | SRC Policy Document 2: Use of Safety Nets in Risk Assessment and Mitigation in ATM | Edition 1.0, 19 April 2002 |
| [10] | ICAO Annex 11 | Air Traffic Services | Edition: 11, Date: July 1997 |
| [11] | JAA JAR25-1309 | Classification of Airborne Equipment Failures - | |

Table 14 – Table of References


Appendix A UAS Safety Assessment Workshop Agenda and Participants

A.1 UAS Workshop Agenda

Agenda: UAS Safety Assessment Workshop

Location: EUROCONTROL HQ, Brussels, Pegase (29th April) & Jupiter (30th April)

Time: 10.00 Wednesday 29th April to 15.00 Thursday 30th April

AGENDA

1. Introductions and Logistics

a. Ebeni Team

b. UAS Safety Assessment Workshop Participants

2. Overview of the UAS Safety Assessment Workshop

a. Objectives

b. Scope

c. Technical Approach Summary

3. Review of UAS Scenarios

4. Review of UAS Functional and Logical Architecture Models

5. Identification of hazards

6. What If Analysis

7. Consequence Analysis

8. Discussion

9. Questions/AOB


A.2 UAS Workshop Participants

| Name | Title/Role | Organisation | Contact Details |
|---|---|---|---|
| Michael Strong | ATM Expert | EUROCONTROL | [email protected] +3227293051 |
| Jean-Michel De Rede (29th only) | Safety Expert | EUROCONTROL | jean-michel.de-[email protected] |
| Andrew Jones | ATM Expert | Thales Aerospace | [email protected].com |
| Hans Brants | Project Manager/Flight Instruction | National Aerospace Lab (NLR) | [email protected] +31205113782 |
| Mike Wildin | ATM Expert | EUROCONTROL | [email protected] +01489616565 |
| Andy Edmunds | ATM Expert | NATS, UK | [email protected] |
| Don Harris | ATM Expert | EUROCONTROL | [email protected] +3227093386 |
| Michael Haim (29th only) | Navigator | SHAPE | [email protected] |
| Marc Deboeck | Senior ATM Safety Expert | EUROCONTROL, DG/SRU | [email protected] |
| Tony Henley | Product Manager | BAE Systems | [email protected] 441634203392 |
| Alan Simpson | Safety Engineer | Ebeni Limited | [email protected] |
| Jo Stoker | Safety Engineer | Ebeni Limited | [email protected] |
| Hayley Burdett | Safety Engineer | Ebeni Limited | [email protected] |


Appendix B Unmanned Aircraft System Models

B.1 Flight Profiles

B.1.1 Flight Profile: Scenario 1


B.1.2 Flight Profile: Scenario 2


B.2 Functional Models

B.2.1 Functional Model: Scenario 1

B.2.2 Functional Model: Scenario 2


Appendix C Functional Failure Analysis

| Ref | Function | Guideword | Scenario 1 Impact | Hazard | Scenario 2 Impact | Hazard |
|---|---|---|---|---|---|---|
| 1.1 | Separation Provision Instruction | Loss | Pilot no longer receives ATC Instruction. This is a hazard if the Pilot fails to revert to lost communications procedure and follows agreed contingency plan | HAZ005 | ATC: In certain circumstances it may be necessary to receive an ATC instruction to proceed. This would be a hazard if the PIC commences operation without an ATC clearance. PIC: PIC no longer gives separation instruction to the aircraft, e.g. loss of situational awareness, pilot error etc. This is a hazard if the aircraft has no safe contingency plan in the event of VLOS control failure | HAZ008; HAZ007 |
| 1.2 | | Error | Pilot given incorrect instruction regarding separation, e.g. wrong course change, invalid permission to approach, danger area open, etc. | HAZ006 | ATC: Pilot given incorrect instruction regarding clearance. PIC: PIC issues a separation provision instruction to the aircraft containing an error | HAZ006; HAZ008 |
| 1.3 | | Intentional Deviation | PIC makes intentional deviation from separation provision instruction provided by ATC, e.g. weather avoidance, emergency alerts, etc. This is a potential hazard if the subsequent action is not coordinated with ATC | HAZ003 | UA makes intentional deviation from separation provision instruction provided by PIC, e.g. override event (terrain avoidance) or emergency | HAZ007 |
| 1.4 | | Too Early | Pilot is given instruction too early leading to the aircraft being in the wrong position at a particular time, e.g. pilot is told to climb too early and separation is reduced | HAZ006 | ATC: as 1.2 above. PIC: UA is given instruction too early from PIC, leading to the UA being in the wrong position at a particular time, e.g. UA is told to climb too early and separation is reduced | HAZ006; HAZ008 |


| Ref | Function | Guideword | Scenario 1 Impact | Hazard | Scenario 2 Impact | Hazard |
|---|---|---|---|---|---|---|
| 1.5 | | Too Late | Pilot is given separation provision instruction from ATC too late leading to the aircraft being in the wrong position at a particular time, e.g. pilot is told to climb too late and separation is reduced | HAZ006 | ATC: as 1.2 above. PIC: Pilot in command provides instruction too late leading to the aircraft being in the wrong position at a particular time | HAZ006; HAZ009 |
| 2.1 | Separation Provision Monitor | Loss | Separation is not monitored, potentially increasing probability of a loss of or incorrect separation provision instruction from ATC. Also undermines the ability of the ATC to mitigate certain ATC hazards | HAZ005 | ATC: Assumed that ATC will still be able to provide correct clearance. PIC: Pilot loses situational awareness and is unable to correctly control the UA in relation to other aircraft | None; HAZ007 |
| 2.2 | | Error | Separation is incorrectly monitored leading to incorrect separation provision instruction from ATC | HAZ006 | ATC: as 1.2 above. PIC: Pilot has an incorrect situational awareness and may give an incorrect separation provision instruction to the UA | HAZ006; HAZ008 |
| 2.3 | | Intentional Deviation | Not applicable | None | Not applicable | None |
| 2.4 | | Too Early | Not valid | None | Not valid | None |
| 2.5 | | Too Late | As 2.2, Separation provision is monitored too late, leading to the wrong picture of air traffic and a delayed or incorrect separation instruction from ATC | HAZ006 | ATC: as 1.2 above. PIC: Pilot not paying attention to situational awareness and may give an incorrect separation provision instruction to the UA | HAZ006; HAZ008 |


| Ref | Function | Guideword | Scenario 1 Impact | Hazard | Scenario 2 Impact | Hazard |
|---|---|---|---|---|---|---|
| 3.1 | Trajectory Compliance | Loss | PIC or UA is unable to comply with separation provision instruction from ATC, e.g. due to system performance limitations, aircraft equipment failure, etc. This is a hazard if PIC is unable to coordinate loss with ATC | HAZ001 | ATC: The scenario is based on ATC not providing specific trajectory instructions (see Scope S008). However, ATC may stipulate airspace limitations (e.g. stay below 2000 ft). PIC: UA is unable to comply with separation provision instruction from PIC, e.g. due to critical equipment failure, etc. | HAZ007 |
| 3.2 | | Error | PIC responds incorrectly to separation provision instruction from ATC, e.g. pilot error, incorrect read back, equipment failure, etc. If the UA does not respond correctly then this is a hazard if the PIC is unable to coordinate with ATC | HAZ002; HAZ001 | ATC: as 3.1. PIC: UA responds incorrectly to separation provision instruction from PIC, e.g. pilot error, equipment failure, etc | HAZ008 |
| 3.3 | | Intentional Deviation | PIC makes intentional deviation from separation provision instruction provided by ATC, e.g. weather avoidance, emergency alerts, etc. Is a hazard if PIC is unable to coordinate loss with ATC | HAZ003 | ATC: as 3.1. PIC: UA makes intentional deviation from separation provision instruction provided by PIC, e.g. terrain avoidance, emergency alerts, etc | HAZ008 |
| 3.4 | | Too Early | PIC carries out separation provision instruction too early leading to an incorrect response. The UA may perform a manoeuvre out of sequence; this is a hazard if the PIC is unable to coordinate with ATC | HAZ002; HAZ001 | ATC: as 3.1. PIC: UA carries out separation provision instruction too early leading to an incorrect response (depends on how instructions are given to UA, not credible where instructions are live) | HAZ008 |


| Ref | Function | Guideword | Scenario 1 Impact | Hazard | Scenario 2 Impact | Hazard |
|---|---|---|---|---|---|---|
| 3.5 | | Too Late | PIC delayed response to a separation provision instruction, e.g. communication link latency, pilot input delayed, etc | HAZ004 | ATC: as 3.1. PIC: UA delayed response to a separation provision instruction, e.g. communication link latency, pilot input delayed, etc | HAZ009 |
| 4.1 | Observe | Loss | No observation of air traffic takes place therefore no collision threats are detected so CA inoperative | CA will not act when required | PIC: PIC fails to monitor for collision threats so CA not performed | CA does not act when required |
| 4.2 | | Error | An error is made when observing other traffic leading to either: • Missing a collision threat, hence CA does not act • False identification of a collision threat hence the CA may activate when not required | CA does not act when required; Cause of HAZ004 if PIC unaware otherwise HAZ003 | PIC: PIC misjudges collision threats so CA not performed correctly | CA acts incorrectly |
| 4.3 | | Intentional Deviation | CA may not be able to detect certain threats due to limitations of sensors or due to characteristics of threat (e.g. inconspicuous) | CA does not act when required | Not applicable | N/A |
| 4.4 | | Too Early | Not a hazard but early CA activation may be construed a nuisance. Excessive occurrence of nuisance events may result in ATC workload issues | None | Not applicable | N/A |


| Ref | Function | Guideword | Scenario 1 Impact | Hazard | Scenario 2 Impact | Hazard |
|---|---|---|---|---|---|---|
| 4.5 | | Too Late | Impact the same as Loss (4.1 above) | CA does not act when required | Impact the same as Loss (4.1 above) | Loss of CA mitigation |
| 5.1 | Resolve/Decide | Loss | No decision on collision avoidance is made or no CA resolution is possible | CA will not act when required | PIC: PIC unable to determine collision avoidance action so CA not performed | CA does not act when required |
| 5.2 | | Error | An error is made when deciding what collision avoidance action is necessary, either • Wrong avoidance action decided for a collision threat, hence CA acts incorrectly • False identification of a CA action hence the CA may activate when not required | CA acts incorrectly; Cause of HAZ004 if PIC unaware otherwise HAZ003 | PIC: PIC misjudges collision resolution so CA not performed correctly | CA acts incorrectly |
| 5.3 | | Intentional Deviation | Not applicable | N/A | Not applicable | N/A |
| 5.4 | | Too Early | As 4.4 | None | Not applicable | N/A |
| 5.5 | | Too Late | Collision avoidance decision is taken too late | CA does not act when required | PIC: Collision avoidance decision is taken too late | CA does not act when required |


| Ref | Function | Guideword | Scenario 1 Impact | Hazard | Scenario 2 Impact | Hazard |
|---|---|---|---|---|---|---|
| 6.1 | Act | Loss | PIC or UA does not execute collision avoidance manoeuvre | CA action ignored | PIC: UA does not execute collision avoidance manoeuvre from PIC | CA does not act when required |
| 6.2 | | Error | PIC or UA makes an error when executing collision avoidance manoeuvre | CA acts incorrectly | PIC: UA does not execute collision avoidance manoeuvre from PIC correctly | CA acts incorrectly |
| 6.3 | | Intentional Deviation | PIC or UA does not comply with a collision avoidance action due to override or critical failure | None | Not applicable | N/A |
| 6.4 | | Too Early | As 4.4 | None | Not Applicable | N/A |
| 6.5 | | Too Late | PIC or UA executes collision avoidance manoeuvre too late | CA does not act when required | UA executes collision avoidance manoeuvre too late | CA does not act when required |
| 7.1 | Other Aircraft Trajectory Compliance⁴ | Loss | Other aircraft does not follow ATC instructions which if unresolved by the ATC would lead to a loss of separation from ATC. Alternatively, ATC could issue an incorrect instruction to the UA for example as a result of workload or misjudging the correct resolution | HAZ005; HAZ006 | PIC: The other aircraft may breach the separation minima or closest point of approach from the UA perspective, which the UA PIC must still attempt to avoid | HAZ010 |

⁴ Note this also applies to the Separation Provision Monitor and Instruction functions in Scenario 2.


| Ref | Function | Guideword | Scenario 1 Impact | Hazard | Scenario 2 Impact | Hazard |
|---|---|---|---|---|---|---|
| 7.2 | | Error | Other aircraft responds incorrectly to separation provision instruction which if unresolved by the ATC would lead to a loss of separation from ATC. Alternatively, ATC could issue an incorrect instruction to the UA for example as a result of workload or misjudging the correct resolution | HAZ005; HAZ006 | PIC: The other aircraft may breach the separation minima or closest point of approach from the UA perspective, which the UA PIC must still attempt to avoid | HAZ010 |
| 7.3 | | Intentional Deviation | PIC makes intentional deviation from separation provision instruction provided by ATC e.g. Other aircraft does not comply with trajectory compliance which if unresolved by the ATC would lead to a loss of separation from ATC. Alternatively, ATC could issue an incorrect instruction to the UA for example as a result of workload or misjudging the correct resolution | HAZ005; HAZ006 | PIC: The other aircraft may breach the separation minima or closest point of approach from the UA perspective, which the UA PIC must still attempt to avoid | HAZ010 |
| 7.4 | | Too Early | Other aircraft carries out separation provision instruction too early which if unresolved by the ATC would lead to a loss of separation from ATC. Alternatively, ATC could issue an incorrect instruction to the UA for example as a result of workload or misjudging the correct resolution | HAZ005; HAZ006 | PIC: The other aircraft may breach the separation minima or closest point of approach from the UA perspective, which the UA PIC must still attempt to avoid | HAZ010 |


Ref Function Guideword Scenario 1 Impact Hazard Scenario 2 Impact Hazard

7.5 Guideword: Too Late

Scenario 1 Impact: If unresolved by ATC would lead to a loss of separation from ATC. Alternatively, ATC could issue an incorrect instruction to the UA for example as a result of workload or misjudging the correct resolution

Scenario 1 Hazard: HAZ005, HAZ006

Scenario 2 Impact: PIC: The other aircraft may breach the separation minima or closest point of approach from the UA perspective, which the UA PIC must still attempt to avoid

Scenario 2 Hazard: HAZ010

8.1 Function: Flight Planning; Guideword: Loss

Scenario 1 Impact: ATC/PIC: Assumption A0013: Where no FPL is available an airborne FPL will be created. UA: Where the FPL is lost then the UA will not follow an agreed contingency plan following data link loss

Scenario 1 Hazard: None; HAZ001

Scenario 2 Impact: UA: Possibility that UA may perform unsafe manoeuvres or landing following data link loss

Scenario 2 Hazard: HAZ007

8.2 Guideword: Error

Scenario 1 Impact: ATC/PIC: Errors in FPLs usually addressed during ATC - PIC RT, however, could lead to confusion. UA: Errors in the flight plan could lead to incorrect implementation of contingency plans following data link loss

Scenario 1 Hazard: Potential cause of HAZ002/HAZ006; HAZ002

Scenario 2 Impact: UA: Possibility that UA may perform unsafe manoeuvres or landing following data link loss

Scenario 2 Hazard: HAZ008

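8.3 Guideword: Intentional Deviation

Scenario 1 Impact: Not a hazard if coordinated with ATC

Scenario 1 Hazard: None

Scenario 2 Impact: Not applicable

Scenario 2 Hazard: N/A

8.4 Guideword: Too Early

Scenario 1 Impact: As 8.2

Scenario 1 Hazard: See 8.2

Scenario 2 Impact: As 8.2

Scenario 2 Hazard: See 8.2

8.5 Guideword: Too Late

Scenario 1 Impact: As 8.2

Scenario 1 Hazard: See 8.2

Scenario 2 Impact: As 8.2

Scenario 2 Hazard: See 8.2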

Appendix D UAS Fault Trees

D.1 UAS Scenario 1 Fault Trees

D.1.1 Collision Avoidance Fault Tree

D.1.2 HAZ001 Fault Tree

D.1.3 HAZ002 Fault Tree

D.1.4 HAZ003 Fault Tree

D.1.5 HAZ004 Fault Tree

D.1.6 HAZ005 Fault Tree

D.1.7 HAZ006 Fault Tree

D.2 UAS Scenario 2 Fault Trees

D.2.1 Collision Avoidance Fault Tree

D.2.2 HAZ006 Fault Tree

D.2.3 HAZ007 Fault Tree

D.2.4 HAZ008 Fault Tree

D.2.5 HAZ009 Fault Tree

D.2.6 HAZ010 Fault Tree

Appendix E Severity Classification

Severity Classification Scheme

Consequence: 1. Complete loss of safety margins

ATC Definition: Collision

Examples of consequences include: Accidents, including:-

• one or more catastrophic accidents;
• one or more mid-air collisions;
• Total loss of flight control.

No independent source of recovery mechanism, such as surveillance or ATC and/or flight crew procedures can reasonably be expected to prevent the accident(s).

Consequence: 2. Large reduction in safety margins

ATC Definition: Total loss of ability to maintain separation

Examples of consequences include: Serious incidents, including:

• large reduction in separation (e.g., more than half the separation minima), without crew or ATC fully controlling the situation or able to recover from the situation;
• abrupt collision or terrain avoidance manoeuvres are required to avoid an accident (or when an avoidance action would be appropriate);
• a probability of structural damage (or serious injury) to crew or passengers.

Consequence: 3. Major reduction in safety margins

ATC Definition: Ability to maintain separation is severely compromised

Examples of consequences include: Major incidents, including:

• large reduction in separation (e.g., more than half the separation minima) with crew or ATC fully controlling the situation and able to recover from the situation;
• major reduction in separation (e.g., less than half the separation minima) without crew or ATC fully controlling the situation, hence jeopardising the ability to recover from the situation (without the use of collision avoidance manoeuvres).

Consequence: 4. Slight reduction in safety margins

ATC Definition: Ability to maintain separation is impaired

Examples of consequences include: Significant incidents, including:

• no direct impact on safety but indirect impact by increasing the workload of the ATCO or aircraft flight crew, or slightly degrading the functional capability of the enabling CNS system;
• major reduction in separation (e.g., less than half the separation minima) with crew or ATC controlling the situation and fully able to recover from the situation.

Consequence: 5. No effect on safety

ATC Definition: No impact on ability to maintain separation

Examples of consequences include: No hazardous condition i.e. no direct or indirect impact to the operations.

Appendix F Consequence Models

F.1 HAZ001 – Inability to comply with Separation Provision Instruction from ATC

Figure 5 – HAZ001 Event Tree: Scenario 1

F.2 HAZ002 – Incorrect response to Separation Provision Instruction from ATC

Figure 6 – HAZ002 Event Tree: Scenario 1

F.3 HAZ003 – Intentional deviation from Separation Provision Instruction from ATC

Figure 7 – HAZ003 Event Tree: Scenario 1

F.4 HAZ004 – Delayed response to Separation Provision Instruction from ATC

Figure 8 – HAZ004 Event Tree – Scenario 1

F.5 HAZ005 – Loss of Separation Provision from ATC

Figure 9 – HAZ005 Event Tree – Scenario 1

F.6 HAZ006 – ATC Separation Provision Error

Figure 10 – HAZ006 Event Tree: Scenario 1

F.7 HAZ007 – Loss of Separation Provision from the Pilot in Command

Figure 11 – HAZ007 Event Tree: Scenario 2

F.8 HAZ008 – Pilot in Command Separation Provision Error

Figure 12 – HAZ008 Event Tree: Scenario 2

F.9 HAZ009 – Pilot in Command Separation Provision Instruction too late

Figure 13 – HAZ009 Event Tree: Scenario 2

F.10 HAZ010 – Separation Provision minima is breached by other aircraft

Figure 14 – HAZ010 Event Tree: Scenario 2