Unmanned Aircraft System (UAS) Safety Case Development
Functional Hazard Assessment (FHA) Report for Unmanned Aircraft Systems
Reference: P09005.10.5
Date: 04 September 2009
Issue: v1.0
Prepared by: Hayley Burdett
Checked by: Joanne Stoker
Authorised by: Alan Simpson
Distribution: EUROCONTROL, Ebeni; Holger Matthiesen, Hayley Burdett, Chris Machin, Joanne Stoker, Don Harris, Alan Simpson
Commercial in Confidence
Appendix A UAS Safety Assessment Workshop Agenda and Participants 37
A.1 UAS Workshop Agenda 37
A.2 UAS Workshop Participants 38
Appendix B Unmanned Aircraft System Models 39
B.1 Flight Profiles 39
B.2 Functional Models 41
Appendix C Functional Failure Analysis 42
Appendix D UAS Fault Trees 50
D.1 UAS Scenario 1 Fault Trees 50
D.2 UAS Scenario 2 Fault Trees 62
Appendix E Severity Classification 69
Appendix F Consequence Models 70
F.1 HAZ001 – Inability to comply with Separation Provision Instruction from ATC 70
F.2 HAZ002 – Incorrect response to Separation Provision Instruction from ATC 71
F.3 HAZ003 – Intentional deviation from Separation Provision Instruction from ATC 72
F.4 HAZ004 – Delayed response to Separation Provision Instruction from ATC 73
F.5 HAZ005 – Loss of Separation Provision from ATC 75
F.6 HAZ006 – ATC Separation Provision Error 77
F.7 HAZ007 – Loss of Separation Provision from the Pilot in Command 78
F.8 HAZ008 – Pilot in Command Separation Provision Error 79
F.9 HAZ009 – Pilot in Command Separation Provision Instruction too late 80
F.10 HAZ010 – Separation Provision minima is breached by other aircraft 81
Functional Hazard Assessment (FHA) Report for Unmanned Aircraft Systems, P09005.10.5, Commercial in Confidence (page 6 of 81)
1 Introduction
1.1 Background
The evolution of aerospace technologies in the field of Unmanned Aircraft Systems
(UAS), including automatic/autonomous operations, will impact European Air Traffic
Management (ATM) as regards new military and civil UAS applications. UAS will
represent new challenges as well as new opportunities for ATM design in the future in
the context of both SESAR and beyond (vision 2050), for the benefit of both manned
and unmanned aviation.
The EUROCONTROL Agency, in executing its responsibilities associated with the
management of the pan-European ATM network, must ensure that UAS do not
negatively impact overall levels of ATM security, safety, capacity and efficiency.
This work will result in the development of an ATM safety assessment for UAS that will
identify a set of ATM safety requirements, over and above existing ATM regulatory
safety requirements, which, if implemented, will ensure that the introduction of UAS
into non-segregated airspace will be acceptably safe.
1.2 UAS Safety Assessment
The primary aim of this task is to develop an ATM safety assessment for UAS so as to
identify a set of ATM safety requirements, over and above the existing ATM regulatory
safety requirements, which, if implemented, will ensure that the introduction of UAS
into non-segregated airspace will be acceptably safe. The safety assessment is to
consider two defined UAS operating scenarios in order to provide a realistic context
into which UAS will be operated.
• Scenario 1 – covers UAS operations in Class A, B or C en-route airspace flying under Instrument Flight Rules (IFR) beyond the visual line of sight of the pilot-in-command
• Scenario 2 – covers UAS operations in Class C – G airspace operating under Visual Flight Rules (VFR) where the pilot-in-command has direct visual line of sight of the Unmanned Aircraft (UA)
The work currently being undertaken by EUROCAE Working Group 73 on Unmanned
Aircraft Systems will also provide input and review effort to the safety assessment
work.
A UAS Safety Assessment Workshop was carried out to satisfy the process
requirements of the EUROCONTROL ANS Safety Assessment Methodology (SAM) [1]
which provides a means of compliance with the EUROCONTROL Safety and Regulatory
Requirement (ESARR) 4 [2].
1.3 UAS Today
Current UAS operations are largely constrained to designated areas or within
temporary restricted areas of airspace, commonly known as segregated airspace, or
are flown under special arrangements over the sea or high altitude. On some
occasions, UAS operations are permitted in an extremely limited environment outside
segregated airspace. To exploit fully the unique potential of UAS there is a desire to
be able to access all classes of non-segregated airspace and operate across national
borders and airspace boundaries. Such operations must be acceptably safe, but
regulation should not become so inflexible or burdensome that the benefits are
unnecessarily lost. The viability of the civil market for UAS, especially, is heavily
dependent on unfettered access to the same airspace as manned civil aircraft
operations, at least for like-for-like operations, for example in aerial surveillance
applications.
Whilst it is essential that UAS demonstrate an equivalent level of safety compared to
manned operations, the current regulatory framework has evolved around the concept
of the pilot-in-the-cockpit. There is a need to develop UAS solutions that assure an
equivalent level of safety for UAS operations, which in turn could require some
adaptation of the current ATM regulatory framework to allow for the concept of the
pilot-not-in-the-cockpit without compromising the safety of other airspace users.
1.4 Aim
This document comprises the Functional Hazard Assessment (FHA) for Unmanned
Aircraft Systems operation in non-segregated airspace and provides an independent
assessment of the hazards related to operating UAS in non-segregated airspace.
The aim of this FHA is derived from the following top level safety argument claim,
which implies a relative safety argument approach:
• UAS operations in ECAC Airspace are and will be acceptably safe;
• where ECAC airspace is defined as the airspace of the 44 ECAC Member States,
and
• acceptably safe is defined as ‘risks’ to other airspace users are:
o No higher than for equivalent manned operations; and
o Reduced to As Far As Reasonably Practicable (AFARP), as required by
ESARR 3 [3] and European Air Traffic Management Programme
(EATMP) Safety Policy [4].
The initial step in addressing the above claim is to specify safety requirements such
that, subject to complete and correct implementation, UAS operations in
non-segregated airspace are acceptably safe.
The aim of this FHA is therefore to understand the risk of UAS via the derivation of
hazards and an analysis of the consequences of those hazards. The Functional Hazard
Assessment work will support the development of a UAS Preliminary System Safety
Assessment Report (PSSA) which will document UAS safety requirements and provide
traceability to detailed safety requirements.
1.5 Scope
This report covers the safety assurance activities undertaken to assess the safety of
UAS operation in non-segregated airspace using two operational scenarios, up to the
point where hazards have been identified and the consequence of those hazards
assessed.
• Scenario 1 covers UAS IFR operations in Class A, B or C en-route airspace only.
The mode of operation considered for this baseline scenario uses a command and
control system architecture known as either Radio Line Of Sight (RLOS) or Beyond
Radio Line Of Sight (BRLOS).
• Scenario 2 covers UAS VFR operations based upon VLOS command and control
systems in classes of airspace where VFR flight is permitted (Class C-G). VLOS
operation requires the PIC to keep the UA in direct visual observation for the
duration of the flight.
This safety assessment work is carried out from an Air Traffic Management (ATM)
perspective with the aim of requirement setting but is not concerned with the
implementation of any such safety requirements.
1.6 Structure
The Functional Hazard Assessment Report is structured as follows:
Section 1 Introduction – presents the scope and purpose of the report.
Section 2 Functional Hazard Assessment Overview – documents the objectives of the
Functional Hazard Assessment along with the hazard identification and risk
assessment methodology.
Section 3 System Scope and Scope of Analysis – provides an overview of the system
under consideration and defines the scope of the analysis.
Section 4 Functional Hazard Assessment Results – documents the results of the
Functional Hazard Assessment activity.
Section 5 Conclusions – presents the conclusions of the Functional Hazard
Assessment.
Section 6 References – provides a list of referenced documents used in the report.
2 Functional Hazard Assessment Overview
2.1 Introduction
The EUROCONTROL Air Navigation Services (ANS) Safety Assessment Methodology [1]
defines the objectives of a FHA as:
“a top-down iterative process, initiated at the beginning of the development or
modification of an Air Navigation System. The objective of the FHA process is to
determine: how safe does the system need to be?
The process identifies potential functional failures modes and hazards. It assesses
the consequences of their occurrences on the safety of operations, including
aircraft operations, within a specified operational environment.
The FHA process specifies overall Safety Objectives of the system, i.e. specifies the
safety level to be achieved by the system.”
2.2 FHA Process
This FHA was performed in order to support a relative safety argument. The analysis
aims to derive a set of hazards relating to UAS operating in non-segregated airspace.
The first step in performing the FHA was to establish the scope and boundary of the
system, understanding that the system covers all aspects of the ATM environment
including people, procedures and equipment. In the context of the defined scope and
system boundary, the analysis has focused specifically on the identification of:
• A Functional and Logical Safety Model representing UAS operations in each
Scenario.
• Hazards that could arise from, inter alia, functional failure, inadequacies and
limitations.
• The potential consequences of those hazards.
The FHA process began with the construction of a number of models. Given the
requirement to present a relative safety argument, it was important to fully appreciate
the current situation with no UAS (referred to as ‘without-UAS’) as compared to the
proposed situation with UAS flying in non-segregated airspace (referred to as
‘with-UAS’). The models were constructed to aid the identification of potential hazards
for which mitigation is required; see section 3.8 for more detail.
The models along with the proposed scope, boundary and assumptions for the analysis
were presented at a UAS Safety Assessment Workshop for validation and verification
by domain experts. A hazard identification verification activity was also carried out as
part of the UAS Safety Assessment Workshop.
A number of issues, statements and discussion points were raised at the UAS Safety
Assessment Workshop which were minuted in [5]. A number of these points have
been used to justify or substantiate analysis decisions; these are referred to
specifically throughout this document as originating from the workshop participants.
The output from the UAS Safety Assessment Workshop has been taken and used to
perform a more detailed analysis which has included consideration of consequences
and mitigations. These hazard models will subsequently be used as the basis of the
UAS Preliminary System Safety Assessment, which will derive the safety requirements
for UAS operations in non-segregated airspace.
2.3 FHA Objectives
The overall aims for the Functional Hazard Assessment as defined in section 1.4 are
further refined to specific task objectives as discussed in the following list. Some of
the objectives were addressed as part of the pre-workshop and workshop activities and
others as part of the post workshop activities. The results of these activities are
captured in this report. The objectives listed below apply to both scenarios. The
detailed objectives were:
• review and agree the overarching UAS Safety Argument Strategy
• verify the scope and boundaries of the analysis being undertaken
• validate the Scenario, Functional and logical models
• identify the hazards as applicable to current manned operations (without-
UAS) and proposed UAS operations (with-UAS) in non-segregated airspace
• identify the possible consequences of each hazard, taking into account the
available mitigations, using Event Tree Analysis.
2.4 UAS Safety Assessment Workshop
A UAS Safety Assessment Workshop was held at EUROCONTROL HQ, Brussels on
Wednesday 29th April and Thursday 30th April 2009. Minutes from the workshop are
recorded in [5]. The Agenda for the UAS Safety Assessment Workshop and a list of
participants is provided in Appendix A.
With respect to the above objectives, the UAS Safety Assessment Workshop achieved
the following:
• Reviewed and agreed the overarching UAS Safety Argument Strategy.
• Verified the scope and boundaries of the analysis being undertaken.
• Validated the Scenario, Functional and Logical models for each UAS scenario.
• Identified the hazards associated with each scenario and the possible
mitigations that are in place.
The remaining objectives are all captured as part of the FHA results in section 4.
Work from a previous EUROCONTROL project involving Military UAV as Operational Air
Traffic (OAT) outside Segregated Airspace [6] was presented at the UAS Workshop, as
it was felt this was still applicable and provided a good starting point. This is discussed
in more detail in section 4.1.
3 System Definition and Scope of Analysis
3.1 UAS Operational Scenarios
The concept of operating UAS in non-segregated airspace is expected to be
transparent to the ATM environment. There are obvious differences between manned
and unmanned aircraft, but in principle the UAS should operate to the same rules of
the air and procedures that apply to manned aircraft. The safety of other airspace
users depends on the UAS operations achieving at least an equivalent level of safety to
manned aircraft. There are a wide variety of possible UAS operations and the safety
aspects across the whole flight profile need to be assessed in order to assure those
operations are acceptably safe. However, in order to focus this initial safety
assessment, two UAS scenarios have been defined as described below. They were
identified by the EUROCAE Working Group 73 as two of the most relevant near-term
operational scenarios for UAS. The scenarios cover non-segregated operations but not
for all flight stages and are subject to the assumptions listed later in section 3.7.
• Scenario 1 – covers UAS IFR operations in Class A, B or C en-route airspace only.
The mode of operation considered for this baseline scenario uses a command and
control system known as either Radio Line Of Sight (RLOS) or Beyond Radio Line Of
Sight (BRLOS). The operations shall take place beyond visual line of sight (BVLOS)
of the UAS Pilot. The duration of any UAS operation is dictated by the demands of
the task but under Scenario 1 can range from a few hours to a number of days.
Figure 1 below represents Scenario 1.
Figure 1 – Scenario 1
• Scenario 2 – covers UAS VFR operations based upon VLOS command and
control systems in classes of airspace where VFR flight is permitted (Class C-
G). Operations in classes C-E airspace could include CTR and/or TMA. Class B
CTRs and TMAs, where VFR is also permitted, have been intentionally not
considered. VLOS operation requires the PIC to keep the UA in direct visual
observation for the duration of the flight. The duration of any UAS operation is
dictated by the demands of the task but under Scenario 2 ranges from a few
minutes up to the available hours of daylight. Figure 2 below represents
Scenario 2.
Figure 2 – Scenario 2
3.2 Defining the Scope for the FHA Activity
Prior to the FHA activity it was important to understand the differences between the
‘without-UAS’ and ‘with-UAS’ situations for each of the defined scenarios above in
order to structure the analysis and support the relative assessment of risk.
The scope of the safety assessment has thus been defined by:
• understanding the ATM concept and environment in which UAS will operate,
see section 3.3.
• a number of operational perspectives, see section 3.4.
• understanding the characteristics of UAS, see section 3.5.
• a series of identified scoping statements and assumptions, see sections 3.6 and
3.7.
• a number of UAS models, see section 3.8.
3.3 Air Traffic Management Concept
There are three main components of ATM, defined within the ATM Operational Concept
Document [7] endorsed at ANC/11 in September 2003:
• Strategic Conflict Management
• Separation Provision and
• Collision Avoidance.
Strategic Conflict Management encapsulates all pre-flight planning activities that take
place to ensure demand, capacity and conflicts are managed prior to the real-time
situation. Figure 3 below shows the principal interactions between the Strategic
Conflict Management, Separation Provision and Collision Avoidance components and
the Airspace. Note that [7] also states that any Collision Avoidance System should be
separate from but compatible with the Separation Provision component. Collision
avoidance systems cannot be included in determining the calculated level of safety
required for Separation Provision with regard to the ESARR 4 Target Level of Safety
(TLS); however, the Collision Avoidance function has been taken into account within
this relative safety assessment because of the significant difference between the
‘with-UAS’ and ‘without-UAS’ situations.
Figure 3 – High Level Functional Model
The use of these terms is important within this analysis and has thus been defined in
the following sections in relation to the defined UAS Scenarios.
3.3.1 Separation Provision Component
Separation Provision (SP) is the tactical process of keeping aircraft away from other
airspace users, obstacles, restricted airspace, etc. Depending upon the type of
airspace and, where applicable the Air Traffic Control (ATC) service being provided,
separation provision can be performed either by ATC (as regards separation assurance
from other aircraft/airspace by at least an appropriate separation minimum) or by the
Pilot in Command, dependent on the class of Airspace, the type of ATC service
provided or the flight rules in force. Separation minima are defined for application by
ATC in accordance with the airspace classification and the flight rules of each individual
aircraft concerned. Manned operations where the PIC is responsible for SP generally
have no specified minima, although the overarching rules of the air apply as the basic
requirements. However, the MIL UAV specifications [8] have defined minima for
unmanned operations whilst the PIC is responsible for SP.
• Scenario 1 - ATC is responsible for providing Separation Provision between the
UAS and other airspace users. The SP Monitoring and Instruction functions are
provided by an Air Traffic Controller. The pilot is wholly responsible for
ensuring the UA Trajectory Compliance function of SP. The pilot is also
responsible for separation from obstacles and terrain.
• Scenario 2 – the PIC is responsible for Separation Provision. The Separation
Provision monitoring and instruction functions are performed by the PIC,
whereas Trajectory Compliance is performed by the UA.
3.3.2 Collision Avoidance Component
The Collision Avoidance (CA) component is responsible for identifying when a potential
collision threat is imminent, then identifying and implementing an avoidance action.
The CA objective is to ensure that collision threats are avoided. The CA function acts
irrespective of airspace classification, flight rules or who is responsible for SP.
• Scenario 1 - When Separation Provision is the responsibility of ATC, the CA is
intended to act independently from the SP functions. In principle, the CA
function should only act when SP has failed (i.e. there is a loss of separation)
and then only to take collision avoidance action¹ if the actual distance is
assessed as representing a collision risk. Equally, loss of separation assurance
by ATC may not represent cause for initiation of a collision avoidance
manoeuvre. The CA function is the responsibility of the PIC; however, the PIC
may be supported by a CA system such as TCAS II². Note that ATC may still
instigate collision avoidance action from a PIC but the responsibility remains
with the PIC.
• Scenario 2 - When the PIC is responsible for SP then the independence
between SP and CA functions is blurred as the pilot is effectively responsible
for both. For manned operations the Closest Point of Approach (CPA) and
separation minima are effectively the same, as minima are not usually
specified. NOTE: The impact of this on mixed UAS and manned operations
needs to be further assessed within the PSSA. If found to be problematic a
safety issue will be raised.
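To make the layered structure of sections 3.3.1 and 3.3.2 concrete, here is an added example (not code from the report, from Ebeni or from EUROCONTROL) of the Event Tree Analysis that section 2.3 names as the method for deriving consequences: an initiating hazard is followed by ordered mitigation barriers, and the probability of each end state is the sum of the products along the branches that reach it. It also shows the safety-net rule stated in section 3.3: the Collision Avoidance barrier can be switched off so that it earns no credit toward the Separation Provision figure, while the relative with-UAS versus without-UAS comparison still accounts for it. Every probability, barrier name and outcome name below is a constructed placeholder, and the weaker CA barrier in the with-UAS tree is only an illustrative reading of assumption A0008 (no TCAS II on the UA), not an assessed value.

```python
"""Event tree evaluation of a hazard against sequential mitigation barriers.

Added example for this page, not code from the FHA report or from EUROCONTROL.
The hazard label follows HAZ001 in the report; every probability, barrier and
outcome name is CONSTRUCTED for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Barrier:
    """A mitigation layer queried in order after the initiating event.

    p_success is P(barrier works | barrier reached). Success ends the sequence
    in outcome_if_success; failure hands over to the next barrier.
    """
    name: str
    p_success: float
    outcome_if_success: str


@dataclass(frozen=True)
class EventTree:
    hazard: str
    p_hazard: float                 # frequency of the initiating event (placeholder)
    barriers: Tuple[Barrier, ...]
    final_outcome: str              # reached only when every barrier has failed

    def paths(self) -> List[Tuple[List[str], str, float]]:
        """Enumerate each branch as (barrier results, outcome, probability)."""
        out: List[Tuple[List[str], str, float]] = []
        remaining = self.p_hazard   # probability mass not yet resolved
        history: List[str] = []
        for b in self.barriers:
            out.append((history + [f"{b.name}=OK"], b.outcome_if_success,
                        remaining * b.p_success))
            remaining *= 1.0 - b.p_success
            history = history + [f"{b.name}=FAIL"]
        out.append((history, self.final_outcome, remaining))
        return out

    def outcome_probabilities(self) -> Dict[str, float]:
        """Sum branch probabilities per end state."""
        totals: Dict[str, float] = {}
        for _, outcome, p in self.paths():
            totals[outcome] = totals.get(outcome, 0.0) + p
        return totals


def without_credit(tree: EventTree, barrier_name: str) -> EventTree:
    """Copy of the tree in which the named barrier is assumed never to work.

    This is the treatment the report describes for a safety net: Collision
    Avoidance exists operationally but earns no credit when the Separation
    Provision target level of safety is calculated.
    """
    barriers = tuple(
        Barrier(b.name, 0.0 if b.name == barrier_name else b.p_success,
                b.outcome_if_success)
        for b in tree.barriers
    )
    return EventTree(tree.hazard, tree.p_hazard, barriers, tree.final_outcome)


CA = "collision avoidance manoeuvre"

# Baseline ('without-UAS'): manned aircraft, CA supported by TCAS II.
# All figures are placeholders chosen for the arithmetic, not measured data.
HAZ001_WITHOUT_UAS = EventTree(
    hazard="HAZ001 inability to comply with SP instruction from ATC",
    p_hazard=1e-4,
    barriers=(
        Barrier("ATC detects non-compliance and re-instructs", 0.9, "separation restored"),
        Barrier("pilot recovers trajectory", 0.8, "separation restored"),
        Barrier(CA, 0.99, "near miss"),
    ),
    final_outcome="mid-air collision",
)

# 'with-UAS' variant: assumption A0008 (no TCAS II on the UA) is modelled as a
# weaker CA barrier; 0.9 is an arbitrary placeholder, not an assessed value.
HAZ001_WITH_UAS = EventTree(
    hazard=HAZ001_WITHOUT_UAS.hazard,
    p_hazard=HAZ001_WITHOUT_UAS.p_hazard,
    barriers=HAZ001_WITHOUT_UAS.barriers[:2] + (Barrier(CA, 0.9, "near miss"),),
    final_outcome=HAZ001_WITHOUT_UAS.final_outcome,
)


def collision_probability(tree: EventTree) -> float:
    return tree.outcome_probabilities().get("mid-air collision", 0.0)


def relative_risk(with_uas: EventTree, without_uas: EventTree) -> float:
    """Ratio used by a relative safety argument; the claim requires <= 1.0."""
    return collision_probability(with_uas) / collision_probability(without_uas)


if __name__ == "__main__":
    for label, tree in (("without-UAS", HAZ001_WITHOUT_UAS), ("with-UAS", HAZ001_WITH_UAS)):
        print(label, tree.outcome_probabilities())
        print(label, "SP-only figure (CA not credited):",
              collision_probability(without_credit(tree, CA)))
    print("relative risk with CA considered:",
          relative_risk(HAZ001_WITH_UAS, HAZ001_WITHOUT_UAS))
```

With these placeholder numbers the SP-only figure is identical for both trees (the CA barrier contributes nothing once it is not credited), so the ESARR 4 calculation alone cannot distinguish the two situations; only the relative comparison that keeps CA in the tree exposes the tenfold difference that the weaker CA barrier introduces. That is the reason the report gives for including the Collision Avoidance function in its relative assessment even though it is excluded from the TLS calculation.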
In relation to Scenario 1 SRC Policy Document [9] states that Collision Avoidance
systems (referred to as Safety Nets) are not part of Separation Provision so must not
be included in determining the acceptable level of safety required for Separation
Provision. The SRC Policy Document statement implies that UAS must provide an
equivalent level of interaction with the Separation Provision function as provided by
Pilots. Furthermore the UAS Separation Provision System must maintain the level of
safety (with respect to the scope of ESARR 4 [2]) without the need for a Safety Net.
¹ There are scenarios where the time needed to identify, resolve and take avoiding action is such that separation minima may not yet have been breached.
² As a rule TCAS II Resolution Advisories take precedence over ATC instructions.
3.4 Operational Perspectives
Consideration of UAS operations in non-segregated airspace can be understood from a
number of operational perspectives.
• Scenario 1
o Separation Provision – ICAO Airspace Classifications are contained in ICAO Annex 11 Air Traffic Services [10]. Table 1 below shows the level of ATC service provided for each airspace classification.

Class | Type of flight | Separation provided | Service provided | Radio communication requirements | ATC clearance
A | IFR only | All aircraft | Air traffic control service | Continuous two-way | Yes
B | IFR | All aircraft | Air traffic control service | Continuous two-way | Yes
B | VFR | All aircraft | Air traffic control service | Continuous two-way | Yes
C | IFR | IFR from IFR; IFR from VFR | Air traffic control service | Continuous two-way | Yes
C | VFR | VFR from IFR | 1) Air traffic control service for separation from IFR; 2) VFR/VFR traffic information | Continuous two-way | Yes
Table 1 – Level of ATC Service Provided
o Collision Avoidance – is the PIC's responsibility regardless of the airspace within which the UA is operating.
o ATS UAS Operational Flight Planning – a flight plan must be filed with ATS for all Scenario 1 operations, as they will be IFR in Class A, B or C airspace. Indication to ATC that the flight is unmanned will be through the use of specific UAS aircraft type designators.
o Communications – voice communications are required between the PIC and ATC.
o Other airspace users – will include manned IFR and VFR aircraft as well as other IFR UA.
• Scenario 2
o Separation Provision – ICAO Airspace Classifications are contained in ICAO Annex 11 Air Traffic Services [10]. Table 2 below shows the level of ATC service provided for each airspace classification.

Class | Type of flight | Separation provided | Service provided | Radio communication requirements | ATC clearance
C | IFR | IFR from IFR; IFR from VFR | Air traffic control service | Continuous two-way | Yes
C | VFR | VFR from IFR | 1) Air traffic control service for separation from IFR; 2) VFR/VFR traffic information | Continuous two-way | Yes
D | IFR | IFR from IFR | Air traffic control service including information about VFR flights (traffic avoidance on request) | Continuous two-way | Yes
D | VFR | Nil | Traffic information between VFR and IFR (traffic avoidance on request) | Continuous two-way | Yes
E | IFR | IFR from IFR | Air traffic control service and traffic information about VFR flights | Continuous two-way | Yes
E | VFR | Nil | Traffic information as far as practical | No | No
F | IFR | IFR from IFR as far as practicable | Air traffic advisory service; flight information service | Continuous two-way | No
F | VFR | Nil | Flight information service | No | No
G | IFR | Nil | Flight information service | Continuous two-way | No
G | VFR | Nil | Flight information service | No | No
Table 2 – Level of ATC Service Provided
o Collision Avoidance – is the PIC's responsibility regardless of the airspace within which the UA is operating.
o ATS UAS Operational Flight Planning – it may not be necessary for a flight plan to be filed with an ATS unit for VLOS operations.
o Communications – UAs under VLOS operation will communicate with all relevant parties through appropriate means according to the airspace classification.
o Other Airspace Users – may include many users, such as hot air balloons, gliders, microlights or other manned VFR aircraft, as well as other VLOS UA.
3.5 UAS Characteristics
UAS encapsulates the Unmanned Aircraft (UA) itself and the entirety of systems, people
and procedures involved in the launch, control and recovery of the UA, including the
ground station, the UAS crew, operational processes and flight crew procedures. To
establish the potential differences between manned and unmanned operations, it is
important to understand the specific characteristics of UAS that are potentially relevant
to operations in non-segregated airspace. The UAS characteristics are depicted in
Figure 4.
A principal characteristic is that the means of UA control is functionally separate from
the UA. The Pilot in Command (PIC) of the UA will be remote from the UA in a UAS
Ground Control Station (GCS). The PIC maintains control of the UA through a UAS
Control System (UCS) and a UAS Control Link (UCL). This method of control is the
same for Scenario 1 and Scenario 2.
Figure 4 – UAS Characteristics Model
The key characteristics that can affect UAS operations are as follows:
• Conspicuity – the visibility of the UA to other airspace users is an important
factor in the Collision Avoidance component, as well as when Separation
Provision is the responsibility of the PIC. This could be an issue for UAs that
are smaller than manned aircraft, or UAs that present a poor signature for
Primary Surveillance Radar. This may be especially relevant for Scenario 2, as
the UA will be operating under 2000 ft and may be small.
• Automatic Operations – one of the key characteristics of a UAS is the ability
to operate under various conditions without human interaction. The necessity
for human interaction, along with other factors such as safety, mission
complexity and environmental difficulty, determines the level of automation
that the UAS can achieve.
o Fully automatic – A mode of operation of a UAS wherein the UA is
expected to accomplish its mission, within a defined scope, without
human intervention.
o Semi-automatic - A mode of operation of a UAS wherein the human
operator and/or the UAS plan(s) and conduct(s) a mission and require
various levels of human interaction.
o Teleoperation - A mode of operation of a UAS wherein the human
operator, using video feedback and/or other sensory feedback, either
directly controls the actuators or assigns incremental goals, waypoints
in mobility situations, on a continuous basis, from off the UA and via a
tethered or radio linked control device. In this mode, the UAS may
take limited initiative in reaching the assigned incremental goals.
o Remote control - A mode of operation of a UAS wherein the human
operator, without benefit of video or other sensory feedback, directly
controls the actuators of the UAS on a continuous basis, from off the
vehicle and via a tethered or radio linked control device using visual
line-of-sight cues. In this mode, the UA takes no initiative and relies on
continuous or nearly continuous input from the user.
• Airworthiness – the Airworthiness Certification of a UAS is outside the scope of
this analysis. However, it is assumed within the analysis that UAS will be fitted
with certified equipment equivalent to that for manned operation in the
intended non-segregated airspace, unless otherwise specifically stated, i.e. the
UA will meet the defined minimum equipment requirements for the airspace
and flight rules in force.
• Flight Performance – the manoeuvrability of a UA is important to
understand. Currently, Air Traffic Controllers are required to understand the
flight performance characteristics of the types of aircraft that come under their
control and to provide separation provision instructions based on this
understanding. This requirement will also need to apply to unmanned
operations to ensure ATC instructions can be implemented. Flight performance
is particularly important when understanding whether a UA could comply with
an ATC separation provision instruction or collision avoidance manoeuvre.
3.6 Scoping Statements
The following scoping statements have been made to further support the safety
assurance activity. Statements S0001 to S0007 were validated during the FHA
workshop.
Scope S0001 The aim of the safety assessment is for seamless integration of
UAS operations into the current European ATM system.
Scope S0002 Only single (not in formation) UAs in non-segregated airspace are
considered.
Scope S0003 Payload is considered external to the UAS system from an ATM
perspective and is therefore outside scope.
Scope S0004 Only IFR En-Route operations in Classes A, B, or C airspace are
considered (Scenario 1).
Scope S0005 Only day VFR operations are considered (Scenario 2).
Scope S0006 Class G airspace above Classes A, B or C airspace is not
considered under Scenario 2.
Scope S0007 Eyeball Visual Line Of Sight (VLOS) operations only are within the
scope of the safety assessment; no command-link VLOS operations are
considered (Scenario 2).
Scope S0008 If ATC are involved in Scenario 2, they will not give specific
trajectory instructions, but may stipulate airspace limitations, such
as to remain below a specified level.
3.7 Assumptions
The following assumptions have also been made to further scope and support the
safety assurance activity:
Assumption A0001 Current equivalent manned operations are tolerably safe.
Assumption A0002 A pilot is only ever in control of one single UA.
Assumption A0003 Airworthiness approval criteria are available and UAS have
been approved by a competent authority.
Assumption A0004 UAS operations comply with applicable ICAO standards,
except where explicitly stated.
Assumption A0005 All other airspace users intend to be seen.
Assumption A0006 Where an Air Traffic Control (ATC) service is offered to a
UAS Pilot, that ATC service is assumed to be fully licensed
(Scenario 1 and Scenario 2).
Assumption A0007 The UA Pilot-in-Command and associated Ground Control
Station are assumed to be co-located for the duration of
UA operations (Scenario 1).
Assumption A0008 TCAS II Version 7 is not available for a UA, as stated by
ICAO, but may be in operation with other airspace users
(Scenario 1).
Assumption A0009 UA operations are assumed to range in duration from a few
hours to a number of days (Scenario 1).
Assumption A0010 UA operations are assumed to range in duration from a few
minutes up to the hours of available daylight (Scenario 2).
Assumption A0011 UA Launch and Recovery operations are assumed to take
place from locations away from aerodromes/airports
(Scenario 2).
Assumption A0012 Where no flight plan is available, an airborne flight plan will
be created (Scenario 1).
3.8 Unmanned Aircraft System Models
The following models have been constructed for each scenario based on the defined
scope of the FHA for each of the operational perspectives of UAS:
• Flight Profiles – captures all likely ATM environments and situations in which
the UAS may be required to operate.
• Functional Models – derived from the components defined within the ICAO
Strategic Conflict Model.
3.8.1 Flight Profiles
The flight profile model for each scenario aims to capture all phases of flight within the
scope of analysis and likely ATM environments in which the UAS may be required to
operate.
• Scenario 1 - Flight Profile Model is presented in Appendix B.1.1 and
encapsulates IFR En-Route operations, crossing FIR boundaries, emergency
operations and early descent.
• Scenario 2 - Flight Profile Model is presented in Appendix B.1.2 and
encapsulates pre-flight planning, launch of the UA, VFR operations, crossing
FIR boundaries, approach, recovery and any post landing actions.
3.8.2 Functional Models
The following functional models are presented within the appendices. The aim of these
models is to identify the primary functions performed by each system functional
element for each of the two scenarios.
• Scenario 1 Functional Model with ATC Responsible for Separation Provision is
shown in Appendix B.2.1.
• Scenario 2 Functional Model with Pilot in Command Responsible for Separation
Provision is shown in Appendix B.2.2.
The functional models developed for UAS are based on Figure 3 – High Level Functional
Model in section 3.2. It should be noted that the primary ATM functions are the same
for both the ‘with-UAS’ and ‘without-UAS’ operations.
More detailed models identifying the logical elements of the ‘with-UAS’ and
‘without-UAS’ situations will be documented within the Preliminary System Safety
Assessment (PSSA) Report.
4 Functional Hazard Assessment Results
4.1 Overview
In order to establish the relative change in risk resulting from the introduction of UAS
operations in non-segregated airspace, the initial step in the analysis was to identify
the hazards at a common boundary point for the ‘without-UAS’ and ‘with-UAS’
situations for each of the two scenarios. It was then necessary to establish whether
these hazards were common to both situations and whether there were any new
hazards in the ‘with-UAS’ situation. This was analysed for both scenarios.
Previous work involving the safety assessment of Military UAV as Operational Air
Traffic outside segregated Airspace [6] had identified a list of hazards that were
common to both the without-UAS and with-UAS scenarios. Due to the experience of the UAS workshop facilitators and the similarities in the two projects, the previous list
of hazards was presented to the UAS workshop participants as a starting point. It was
agreed that these hazards were considered to be applicable to military and civil
operations. Therefore the previous list of hazards was reviewed and discussed during
the UAS Workshop to identify if the hazards were still valid for the UAS safety
assessment work and to identify any gaps. As a result a full functional analysis was
conducted as part of the post workshop FHA activity as detailed below.
4.2 Hazard Identification Approach
Each function depicted in the High Level Functional Model (Figure 3 in section 3.2) was
reviewed against a set of guidewords to ensure that the list of hazards captured all
failure scenarios. Each guideword was applied to each function and considered in more
detail, as shown in Appendix C. The functions considered are listed below:
• Separation Provision
1. Separation Provision Instruction
2. Separation Provision Monitor
3. Trajectory Compliance
• Collision Avoidance
4. Observe
5. Resolve/Decide
6. Act
• Other Aircraft
7. Trajectory Compliance
• UAV Operator
8. Flight Planning
The functional failure guidewords applied to each of the above functions are listed
below:
• Loss – complete negation of an intention. No part of the intention is achieved
and nothing else happens, e.g. ATC inability to provide separation provision.
• Error – any action that is undesirable regardless of cause, e.g. incorrect
response to an ATC instruction, partial response to an ATC instruction or
unintentional actions.
• Intentional deviation – a different action from that intended occurs as a result
of an external input, e.g. an ATC instruction is ignored because of a Traffic
Collision Avoidance System (TCAS) Resolution Advisory (RA).
• Too early – an action occurs earlier than expected, whether relative to UTC,
order or sequence.
• Too late – an action occurs later than expected, whether relative to UTC, order
or sequence.
• Other (completeness check).
The high level functional model presented in Figure 3 represents a closed loop control
system, with the airspace as the element under control. By breaking the control loop
at the point where the separation provision compliance function interfaces with the
airspace it can be observed that:
• The primary control function is Separation Provision.
• Collision Avoidance can mitigate Separation Provision failure (although the
Trajectory Compliance function is a potential common cause of failure of both).
• Collision Avoidance actions can interfere with Separation Provision.
As such the analysis of hazards focuses on the Separation Provision function, and
models the Collision Avoidance functional failure scenarios either as mitigations in the
consequence of the SP hazards or as potential causes of the SP hazards. It should also
be noted that, for the purpose of the FHA, UA failures subsequent to link loss are
modelled as PIC hazards on the basis that the PIC is responsible for defining the
contingency action.
The following high-level hazards were identified and are common to both the with-UAS and without-UAS situation:
• Loss of Separation Provision.
• Error in Separation Provision.
• Delayed Separation Provision.
• Intentional Deviation from Separation Provision Instruction.
The Fault Trees in Appendix D show how the functional failure scenarios identified from
applying the guidewords relate to the ten hazards identified in the UAS Safety
Assessment workshop. The Fault Trees have thus been drawn for the purpose of
showing this linking only; more specific, detailed FTAs will be produced to support the
causal analysis in the Preliminary System Safety Assessment (PSSA). Each of the
hazards has been grouped with one of the high-level hazards outlined above in Table 3
below.
High-level hazard / UAS Workshop Hazard No. / UAS Workshop Hazard Title

Loss of Separation Provision
  HAZ001  Inability to comply with separation provision instruction from ATC
  HAZ005  Loss of separation provision from ATC
  HAZ007  Loss of separation provision from Pilot in Command

Separation Provision Error
  HAZ002  Incorrect response to separation provision instruction from ATC
  HAZ006  ATC separation provision error
  HAZ008  Pilot in Command separation provision error
  HAZ010  Separation provision minima is breached by other aircraft

Delayed Separation Provision
  HAZ004  Delayed response to separation provision instruction from ATC
  HAZ009  Pilot in Command separation provision instruction too late

Intentional Deviation from Separation Provision Instruction
  HAZ003  Intentional deviation from separation provision instruction from ATC

Table 3 – Hazard Identification
4.3 Hazard Identification Results
The functional failure analysis confirmed the conclusion of the UAS Safety Assessment
workshop that UAS operations for Scenario 1 and Scenario 2 do not introduce any new
hazards at the ATM concept level. The assessment also concluded that the resultant
hazards are not all applicable to both scenarios; hence the workshop agreed the
following scenario assignments.
• Scenario 1
o HAZ001 - Inability to comply with separation provision instruction
from ATC
Aircraft is unable to comply with a separation provision instruction from
air traffic control.
o HAZ002 - Incorrect response to separation provision instruction from
ATC
Aircraft responds incorrectly to a separation provision instruction from
air traffic control.
o HAZ003 - Intentional deviation from separation provision instruction
from ATC
Aircraft makes intentional deviation from separation provision
instruction provided by air traffic control for reasons such as weather
avoidance and RAs (not for malicious reasons) and informs air traffic
control of the deviation.
o HAZ004 - Delayed response to separation provision instruction from
ATC
Aircraft responds late to a separation provision instruction from air
traffic control, where the delay is within the pre-determined limit after
which air traffic control assumes loss of the aircraft’s response and issues
new separation provision instructions to surrounding aircraft.
o HAZ005 - Loss of separation provision from ATC
Loss of the separation provision function from air traffic control due to the
inability of air traffic control to provide the function to the pilot.
o HAZ006 - ATC separation provision error
Air traffic control issue a separation provision instruction containing an
error.
• Scenario 2
o HAZ001 to HAZ006
These were considered to be applicable to Scenario 2 only in so far as
there are certain circumstances where for example initial ATC
clearance is required or a temporary operating area is defined by ATC.
It should be noted that causes were only found for HAZ006 on the
basis of scoping statement S0008 (see Fault Tree Analysis, Appendix
D.2)
o HAZ007 – Loss of separation provision from the Pilot in Command
Loss of separation provision instruction from pilot in command due to
the inability of the pilot in command to provide the function i.e. no
separation provision instruction provided to the UA from the pilot in
command.
o HAZ008 – Pilot in Command separation provision error
Pilot in command on the ground issues separation provision instruction
containing an error to the UA.
o HAZ009 – Pilot in Command separation provision instruction too late
Pilot in command on the ground provides a separation instruction too
late.
o HAZ010 - Separation Provision Minima is breached by other aircraft
Separation provision minima are reduced due to the actions of other
aircraft.
4.4 Consequence Analysis
The next step in the analysis was to assess the consequences associated with each
hazard in both the ‘without-UAS’ and ‘with-UAS’ situations for both scenarios. The
relative impact of the change was then assessed with respect to risk. The FHA
considered the consequences of hazards associated with UAS operation in non-
segregated airspace. The consequence analysis was conducted to the point where
there is the potential for an accident. The columns in the event tree are defined as
follows:
• First column – initiating hazard.
• Middle columns – potential mitigations that would prevent the hazard resulting
in an end consequence.
• Last column – the end consequence.
A number of mitigations within the event trees are generic to all hazards; these are
highlighted in the appropriate place.
Given the requirement to present a relative qualitative safety argument for UAS
operations in non-segregated airspace, and to justify an improved level of risk
reduction compared with the current ‘without-UAS’ situation, the table in Appendix E
presents a qualitative severity classification scheme applicable to this safety analysis.
The scheme is based on ESARR 4 [2] for ATM consequences and JAR 25.1309 [11] for
aircraft-related consequences.
4.4.1 Mitigations for HAZ001
The event tree for HAZ001 (Inability to comply with Separation Provision Instruction
from ATC) is shown in Appendix F.1, Figure 5. The mitigations for this hazard are
explained in Table 4 below. Note that whilst Air Traffic Control may be involved with
UAS operations within Scenario 2, it is unlikely this will be the case as the UA will be
flown under VLOS operation. The descriptions provided within the following tables are
based on the output from the UAS Safety Assessment Workshop. The FHA workshop
also identified a PIC mitigation for this hazard and HAZ002 and HAZ004; “PIC notices
error”. This was removed from the Event Tree as some of the causes identified in the
Functional Failure Analysis (FFA) would negate this mitigation. The PIC mitigation will
be remodelled in the FTA as part of the PSSA activity.
Event Tree Mitigation: Air Traffic Control awareness
Description: An Air Traffic Controller may be able to identify an aircraft that has failed to comply with a separation provision instruction.
Scenario 1: The likelihood that an Air Traffic Controller identifies that an aircraft has failed to comply with a separation provision instruction will remain the same for the without-UAS and with-UAS situations. Although Air Traffic Controllers in the future may be provided with information to enable them to distinguish between manned and unmanned aircraft, this should not change their ability to provide separation provision.

Event Tree Mitigation: Revised ATC Instruction
Description: If the Air Traffic Controller is made aware of, or notices, the Pilot in Command’s inability to comply with a separation provision instruction, it was considered very likely that ATC would provide an amended instruction or attempt to reinforce the instruction. This could be directed to that specific aircraft or, depending on the circumstances (e.g. an inability to control the aircraft), take the form of appropriate instructions to surrounding aircraft.
Scenario 1: There is no change in the likelihood of this mitigation between the without-UAS and with-UAS situations.

Generic mitigations applicable to all hazards, without-UAS and with-UAS

Event Tree Mitigation: Other Aircraft
Description: Once all the mitigations listed above have failed, and assuming the worst case that there is another aircraft in close vicinity, the immediate mitigation is that the other aircraft takes avoiding action.
The use of remote observers was discussed, but it was decided that a remote observer is a possible variant of Scenario 2 rather than a mitigation, and it is therefore not included in the consequence analysis.
Scenario 1: It was considered that there will be little or no change in the likelihood of another aircraft taking avoiding action between the without-UAS and with-UAS situations. However, this may depend on the conspicuity of the UA itself in the with-UAS situation and on whether the other aircraft is able to manoeuvre quickly enough to avoid the UA.

Event Tree Mitigation: Collision Avoidance
Description: The CA function is not provided (whether with-UAS or without-UAS) when it is required. This mitigation is stated in the negative as it is the top gate of the corresponding Fault Tree.
Ideally CA should function in all scenarios; in reality there are limitations on any CA system in terms of how many conflict scenarios it can detect and resolve. For example, TCAS, even when fully working, will not resolve all conflicts correctly and may sometimes create an accident situation that did not previously exist.
As part of the success case argument the conditions under which CA is required to operate must be defined; this will be drawn out further within the Preliminary Safety Case.
Scenario 1: Collision Avoidance Systems – see Fault Tree analysis in Appendix D.1.1.
Table 4 – HAZ001 Event Tree Mitigations
4.4.2 Mitigations for HAZ002
The event tree for HAZ002 (Incorrect response to Separation Provision Instruction
from ATC) is presented in Appendix F.2, Figure 6. The mitigations for this hazard are
explained in Table 5.
Event Tree Mitigation: Air Traffic Control awareness
Description: An Air Traffic Controller may be able to identify an incorrect response from an aircraft to a separation provision instruction. Although Air Traffic Controllers in the future may be provided with information to enable them to distinguish between manned and unmanned aircraft, this should not change their ability to provide separation provision.
Scenario 1: The likelihood that an Air Traffic Controller identifies that an aircraft has incorrectly complied with a separation provision instruction will remain the same for the without-UAS and with-UAS situations.

Event Tree Mitigation: Revised ATC Instruction
Description: If the Air Traffic Controller is made aware of, or notices, the Pilot in Command’s incorrect compliance with a separation provision instruction, it is very likely that ATC would query the Pilot in Command’s response and provide an amended instruction.
Scenario 1: There is no change in the likelihood of this mitigation between the without-UAS and with-UAS situations.

Other Aircraft and Collision Avoidance mitigations as per HAZ001.
Table 5 – HAZ002 Event Tree Mitigations
4.4.3 Mitigations for HAZ003
The event tree for HAZ003 (Intentional deviation from Separation Provision
Instruction from ATC) is presented in Appendix F.3, Figure 7. The mitigations for this
hazard are explained in Table 6.
Event Tree Mitigation: Pilot in Command
Description: In either the without-UAS or with-UAS situation, if a Pilot in Command intentionally deviates from a separation provision instruction it was considered highly likely that he would communicate this to ATC as soon as possible. This mitigation was thought to have a very high likelihood given that procedures state, specifically for collision avoidance manoeuvres that contradict an ATC separation provision instruction, that the Pilot informs ATC as soon as possible.
It is assumed that all intentional deviations are for genuine reasons, e.g. weather avoidance, and not due to malicious actions.
Scenario 1: It was considered potentially more likely that a UAS Pilot in Command would communicate an intentional deviation from an instruction more quickly than the pilot of a manned aircraft.

Event Tree Mitigation: Air Traffic Control awareness
Description: An Air Traffic Controller may query the deviation from an instruction, but may also assume that the instruction will be followed and focus attention elsewhere.
Scenario 1: The likelihood that an Air Traffic Controller identifies that an aircraft has intentionally deviated from a separation provision instruction will remain the same for the without-UAS and with-UAS situations.

Event Tree Mitigation: ATC verifies situation
Description: If the Air Traffic Controller is made aware of, or notices, the intentional deviation from a separation provision instruction, it is very likely that ATC would query the Pilot in Command’s response and provide an amended instruction.
Scenario 1: There is no change in the likelihood of this mitigation between the without-UAS and with-UAS situations.

Other Aircraft and Collision Avoidance mitigations as per HAZ001.
Table 6 – HAZ003 Event Tree Mitigations
4.4.4 Mitigations for HAZ004
The event tree for HAZ004 (Delayed response to Separation Provision Instruction from ATC) is presented in Appendix F.4, Figure 8. The mitigations for this hazard are
explained in Table 7.
Event Tree Mitigation: Air Traffic Control awareness
Description: It is possible that an Air Traffic Controller may notice a delayed response from an aircraft to a separation provision instruction.
Scenario 1: The likelihood that an Air Traffic Controller identifies that an aircraft has responded late to a separation provision instruction will remain the same for the without-UAS and with-UAS situations. An Air Traffic Controller may query the absence of an initial response to his instruction.

Event Tree Mitigation: Revised ATC Instruction
Description: If the Air Traffic Controller is made aware of, or notices, the Pilot in Command’s delayed response and understands the reasons for it, it was considered very likely that ATC would either provide an amended instruction or manoeuvre other aircraft accordingly.
Scenario 1: There is no change in the likelihood of this mitigation between the without-UAS and with-UAS situations.

Other Aircraft and Collision Avoidance mitigations as per HAZ001.
Table 7 – HAZ004 Event Tree Mitigations
4.4.5 Mitigations for HAZ005
The event tree for HAZ005 (Loss of Separation Provision from ATC) is presented in
Appendix F.5, Figure 9. The mitigations for this hazard are explained in Table 8.
Event Tree Mitigation: Pilot in Command
Description: A Pilot in Command may notice the loss of separation provision from Air Traffic Control; he will initially attempt to contact Air Traffic Control and, if this is not possible, will instigate lost communication procedures.
Scenario 1: The likelihood that the Pilot in Command notices the loss of separation provision will remain the same for the without-UAS and with-UAS situations.
A UAS is more likely to follow lost communication procedures than a manned aircraft. Moreover, loss of communication with Air Traffic Control was considered less significant for the with-UAS situation because of the additional communication systems potentially available to the pilot of a UAS.

Other Aircraft and Collision Avoidance mitigations as per HAZ001.
Table 8 – HAZ005 Event Tree Mitigations
4.4.6 Mitigations for HAZ006
The event tree for HAZ006 (ATC Separation Provision Error) is presented in Appendix F.6, Figure 10. The mitigations for this hazard are explained in Table 9.
Event Tree Mitigation: Air Traffic Control awareness
Description: An Air Traffic Controller may be made aware of, or notice, an error in a separation provision instruction.
Scenario 1: The likelihood that an Air Traffic Controller notices an error in a separation provision instruction provided to a Pilot in Command was considered to be no different between the without-UAS and with-UAS situations.
Scenario 2: As for Scenario 1, the likelihood that an Air Traffic Controller notices an error in a separation provision instruction provided to a Pilot in Command was considered to be no different between the without-UAS and with-UAS situations.

Event Tree Mitigation: Air Traffic Control Revised Instruction
Description: If the Air Traffic Controller is made aware of, or notices, an error in a separation provision instruction, it was considered very likely that ATC would provide an amended instruction.
Scenario 1: The likelihood of this mitigation is considered to be no different between the without-UAS and with-UAS situations.
Scenario 2: Air Traffic Control are less likely to be involved; where they are, however, the likelihood of this mitigation is considered to be no different between the without-UAS and with-UAS situations.

Other Aircraft and Collision Avoidance mitigations as per HAZ001.
Table 9 – HAZ006 Event Tree Mitigations
4.4.7 Mitigations for HAZ007
Mitigations for HAZ007 (Loss of Separation Provision from the Pilot in Command) are
only applicable to Scenario 2 due to the Pilot in Command being responsible for his
own Separation Provision as the UA is under VLOS operation. The event tree for
HAZ007 is presented in Appendix F.7, Figure 11. The mitigations for this hazard are
explained in Table 10.
Event Tree Mitigation: Pilot in Command
Description: Where a Pilot in Command is responsible for providing his own separation provision, he may identify a loss of separation, whether the result of PIC error or UA failure.
Scenario 2: Where a Pilot in Command is responsible for providing his own separation provision, the likelihood of him realising that an action or UA failure has resulted in a loss of separation was considered to be very low. This is because it may be difficult for a Pilot in Command on the ground to correctly judge the distance and trajectory of a nearby aircraft, depending on where the Pilot in Command is located.

Event Tree Mitigation: Revised Instruction
Description: Once the Pilot in Command notices a loss in separation provision, it was considered very likely that he would revise and execute a new instruction as soon as possible.
Scenario 2: The likelihood of this mitigation was considered no different between the without-UAS and with-UAS situations.

Other Aircraft and Collision Avoidance mitigations as per HAZ001 (Scenario 2).
Table 10 – HAZ007 Event Tree Mitigations
4.4.8 Mitigations for HAZ008
Mitigations for HAZ008 (Pilot in Command Separation Provision Error) are only applicable
to Scenario 2 due to the Pilot in Command being responsible for his own Separation
Provision as the UA is under VLOS operation. The event tree for HAZ008 is presented in Appendix F.8, Figure 12. The mitigations for this hazard are explained in Table 11.
Event Tree Mitigation: Pilot in Command
Description: Where a Pilot in Command is responsible for providing his own separation provision, he may identify an error in separation provision.
Scenario 2: Where a Pilot in Command is responsible for providing his own separation provision, the likelihood of him noticing an error in a separation provision instruction was considered to be very low.

Event Tree Mitigation: Revised Instruction
Description: Once the Pilot in Command notices an error in a separation provision instruction, it was considered very likely that he would rectify this through a revised instruction and execute it as soon as possible.
Scenario 2: The likelihood of this mitigation was considered no different between the without-UAS and with-UAS situations.

Other Aircraft and Collision Avoidance mitigations as per HAZ001 (Scenario 2).
Table 11 – HAZ008 Event Tree Mitigations
4.4.9 Mitigations for HAZ009
Mitigations for HAZ009 (Pilot in Command Separation Provision Instruction too late) are
only applicable to Scenario 2 due to the Pilot in Command being responsible for his own
Separation Provision as the UA is under VLOS operation. The event tree for HAZ009 is presented in Appendix F.9, Figure 13. The mitigations for this hazard are explained in
Table 12.
Event Tree Mitigation: Pilot in Command
Description: Where a Pilot in Command is responsible for his own separation provision, he may provide a separation instruction too late.
Scenario 2: Where the Pilot in Command is responsible for providing his own separation provision instructions and one of these is implemented too late, the first mitigation is avoiding action by another aircraft, if there is one in the vicinity, followed by the collision avoidance systems.

Other Aircraft and Collision Avoidance mitigations as per HAZ001 (Scenario 2).
Table 12 – HAZ009 Event Tree Mitigations
4.4.10 Mitigations for HAZ010
Mitigations for HAZ010 (Separation Provision Minima is breached by Other Aircraft) are
only applicable to Scenario 2 due to the Pilot in Command being responsible for his own
separation provision as the UA is under VLOS operation. The event tree for HAZ010 is presented in Appendix F.10, Figure 14. The mitigations for this hazard are explained in
Table 13.
Event Tree Mitigation: Revised PIC instruction
Description: If the PIC is made aware of, or notices, a loss in separation provision, it was considered very likely that the PIC would provide an amended instruction to the UA.
Scenario 2: There is no change in the likelihood of this mitigation between the without-UAS and with-UAS situations, but it should be noted that it may be difficult for a PIC on the ground to correctly judge the distance and trajectory of a nearby aircraft, depending on where the PIC is located.

Other Aircraft and Collision Avoidance mitigations as per HAZ001 (Scenario 2).
Table 13 – HAZ010 Event Tree Mitigations
4.5 Analysis Conclusions
The consequence analysis identified a series of mitigations for each of the hazards
assigned to Scenario 1 and Scenario 2. The mitigations are essentially the same for
the with-UAS and without-UAS situations; however, there are specific areas where
UAS operations have the potential to affect the probability of success of some specific
mitigations, such as:
• The pilot in command in Scenario 1 is likely to identify situational awareness
issues more easily or quickly based on the additional potential range of
information available to them.
• The pilot in command in Scenario 1 may have more communication equipment
at hand to verify potential issues with ATC.
• The capability, performance and integrity of the CA function in Scenario 1 is
likely to be greater than in Scenario 2 given the PIC’s relative position to the
UA under VLOS and the potential lack of automated support systems. This will
be assessed further as part of the PSSA activity.
The analysis also identified that there are some common failure scenarios between the
causes of some hazards and the effectiveness of some mitigations, in particular for
collision avoidance. For example, aircraft height keeping and navigational equipment
is essential to separation provision and collision avoidance and failure of these would
be common to both. These common failure scenarios will be addressed as part of the
PSSA activity.
4.6 Safety Objectives
The purpose of the FHA is to identify a set of high level hazards and derive the
associated safety objectives, such that, if satisfied, an acceptable level of safety can be
demonstrated. The safety objectives are derived from the safety criteria, which in this
case are relative, i.e. not based on an absolute Target Level of Safety (TLS).
Given that the analysis has not identified any unique hazards for UAS operations, the
safety objective set out below is based on ensuring that the safety criteria (as stated in
section 1.4) are achieved, i.e. the risk from UAS operations is:
• No higher than for equivalent manned operations; and
• Reduced to As Far As Reasonably Practicable (AFARP), as required by ESARR 3
[3] and European Air Traffic Management Programme (EATMP) Safety Policy
[4].
For the criteria to be met, the occurrence rate for each hazard must be no greater for
UAS operations (in Scenario 1 or Scenario 2) than for manned operations (see footnote 3). In both
cases, where practicable, the risk from UAS operations should be further reduced. The
potential for and feasibility of further risk reduction for each UAS hazard will be
considered as part of the PSSA.
3 Since there is no direct equivalent to VLOS operations in manned operations, the occurrence
rate must instead be equivalent to that for VFR operations in Class G airspace.
5 Conclusions
The Functional Hazard Assessment activity has identified ten hazards that fall within
the defined scope of the safety analysis. Six hazards apply to Scenario 1 and ten
hazards to Scenario 2. The UAS hazards are defined at the boundary of UAS
Operations and reflect functional failure scenarios that could potentially lead to
hazardous situations. All ten hazards are common to the ‘with-UAS’ and ‘without-UAS’ situations.
The analysis has been performed based on the output of the UAS Safety Assessment
Workshop held at EUROCONTROL HQ, Brussels, and is bounded by a number of scoping
statements and assumptions as detailed in sections 3.6 and 3.7. The results of the
Functional Hazard Assessment enable an understanding of the risks associated with
the operation of UAS in non-segregated airspace, through the derivation of the hazards
identified and the analysis of the consequences of those hazards. The output of this report
and further analysis will enable a separate PSSA Report to be produced that will
document the safety requirements and provide traceability to detailed safety
requirements.
6 References
[1] SAF.ETI.ST03.1000-MAN-01, Air Navigation System Safety Assessment Methodology, Edition 2.1, 03 October 2006
[2] ESARR4, Risk Assessment and Mitigation in ATM, Edition 1.0, 05 April 2001
[3] ESARR3, Use of Safety Management Systems