Safety analysis paradigm for UAS: Development and use of a common architecture and fault tree model

J. Hammer, A. Murray, Alexa Lowman
DOI: 10.1109/DASC.2017.8102039 (https://doi.org/10.1109/DASC.2017.8102039)
Published in: 2017 IEEE/AIAA 36th Digital Avionics Systems Conference (DASC)
Publication date: 2017-09-01
Record source: Semantic Scholar
Citation count: 3

Abstract

Unmanned Aerial Systems (UAS, a.k.a., drones) are a compelling technology with numerous possibilities for highly productive new airspace operations. Safety of operators and bystanders is of paramount concern, and a common, accepted, safety methodology is a pressing need to enable widespread adoption of UAS. This paper provides a methodology for safety analyses that can be conducted for multiple applications using common models and a suggested standardized architecture for small UAS. To date, in the US, safety analyses have been done on an individualized, custom basis, mainly in support of waivers for specific, limited UAS operations. For example, safety analyses have been conducted in the Federal Aviation Administration's (FAA) Pathfinder Program for use of drones in three focus areas: beyond visual line of sight for infrastructure inspections, extended visual line of sight in rural areas, and flight over people. In addition, approximately 400 waivers have been granted for multiple individual applicants [1]. The waiver process is highly specific to an individual applicant's operation and a special safety analysis must be conducted for each waiver request. This is an inefficient use of resources for both the FAA and industry. It would be more efficient if a common model for UAS safety analysis could be employed that was adaptable to varied applications. An important subclass of UAS operations which currently requires waivers is the set of operations termed Beyond Visual Line of Sight (BVLOS). BVLOS operations allow for UAS flight operations which are out of the visual line of sight of the UAS operator. BVLOS will allow multiple economically beneficial applications, for example, infrastructure inspection and agriculture. Our approach seeks to begin providing an adaptable framework for analyses, focusing on Beyond Visual Line of Sight operations, that allows rapid assurance of operational safety. The benefits of this approach are twofold: first, in the near term, the workload involved in applying for waivers, both for the FAA and for applicants, would be significantly reduced, and second, the approach can be used to inform industry standards on key system requirements. This would give industry an important start in the development of common standards for equipment requirements, as is typically done in standards bodies such as RTCA. To provide a UAS reference model, a common small UAS architecture is proposed to conduct analyses across UAS platforms and operations. The architecture enables the safety model's inputs to be adapted to target UAS platforms and operational scenarios. This approach allows for large scale simulations that can analyze the impact of various vehicle performance configurations in differing operational scenarios. This paper also provides a fault-tree analysis model that is customizable to specific operations, and shows some initial results that help provide insights into tradeoffs and potential requirements. The paper explores these tradeoffs in the context of previous analysis conducted by Patterson et al. [2] which identifies a top-level requirement for “Loss of Controlled Flight for any Reason.” The fault-tree analysis helps to identify the various root causes (basic events) of the model's system failure condition (top event) — loss of controlled flight of the UAS vehicle. The attractiveness of the model is that it is easily adaptable to different operations, safety guidelines, reliability requirements, equipment standards, etc. The paper demonstrates a sensitivity analysis to assess the varying impact of the basic events on system failure at different error levels. The fault-tree model and sensitivity analysis results, along with the accompanying common architecture, together provide a flexible approach to UAS safety analyses.