Conference PaperPDF Available

In-Time Non-Participant Casualty Risk Assessment to Support Onboard Decision Making for Autonomous Unmanned Aircraft

In-Time Non-Participant Casualty Risk Assessment to Support
Onboard Decision Making for Autonomous Unmanned Aircraft
Ersin Ancel, Francisco M. Capristanand John V. Foster
NASA Langley Research Center, Hampton, VA, 23681
Ryan C. Condotta§
Analytical Mechanics Associates, Inc., Hampton, VA, 23666, USA
Numerous operational paradigms, technologies, and missions are emerging as newcomers
to the National Airspace System (NAS) develop small Unmanned Aircraft Systems (sUAS),
personal air vehicles and other Urban Air Mobility (UAM) concepts. As the list of applica-
tions expands, maintaining the safety of the current airspace system remains one of the core
concerns preventing widespread commercial implementation of these concepts. Further, the
risks associated with unmanned aircraft operations themselves have to be recognized and mit-
igated in a timely manner. Safety-critical risks include, but are not limited to, flight outside
of approved airspace, unsafe proximity to people or property, critical system failures, loss-of-
control, and cyber-security related risks. Instead of reacting to accidents, a set of predictive
and data-driven risk monitoring, assessment, and mitigation capabilities are envisioned to
help capture and eliminate hazards as these systems become operational. NASA’s System-wide
Safety project is performing R&D on such a safety assurance concept. As part of this con-
cept, this paper describes an architecture that continuously monitors a diverse set of onboard
and ground-based sources to estimate and predict non-participant casualty risk during flight.
Timely identification of the changing nature of this risk can inform decision making processes
to mitigate current and impending situations.
I. Nomenclature
AC= Casualty Area
AP= Populated Area
C= Casualties
Cx= Aerodynamic Force or Moment Coefficient
γ= Impact Angle
δ= Control Effector Input
F= Aerodynamic Force
Hp= Height of Person
J= Rotor Advance Ratio
Luav = UAV Length
M= Aerodynamic Moment
N= Number of People in the Area of Interest
P(C)= Expected Casualty Probability
Q= Vector of Random Variables
q= Possible Outcome of a Random Vector
Ruav = Effective UAV Radius
Rp= Radius of Person
wspan = Wing span
X= Vehicle State Parameters
Aerospace Engineer, Aeronautics System Analysis Branch, 1 N Dryden St, MS 442, Hampton, VA 23681, AIAA Member.
Aerospace Engineer, Aeronautics System Analysis Branch, 1 N Dryden St, MS 442, Hampton, VA 23681, AIAA Member.
Aerospace Engineer, Flight Dynamics Branch, 8 Langley Blvd, MS 308, Hampton, VA 23681, AIAA Associate Fellow.
§Software Developer, Aeronautics System Analysis Branch, 1 N Dryden St, MS 442, Hampton, VA 23681, AIAA Member.
II. Introduction
airspace operations such as those involving small Unmanned Aircraft Systems (sUAS) are rapidly emerging
within the commercial domain thanks to their anticipated benefits; potentially increasing security, safety and
productivity within law enforcement, emergency rescue, environmental and infrastructure monitoring, agriculture, and
other fields. Fueled by significant market interest, the industry, academia, and the government have been working
towards a seamless integration of sUAS into the National Airspace System (NAS) [
]. Demonstrating the safety of
these applications will be one of the key factors in wide-spread implementation. One of the major challenges for urban
UAS operations is to minimize the risk to the population on the ground in case of an aircraft malfunction that leads to
a crash. Timely hazard identification and proactive risk mitigation capabilities are critical in ensuring the safety of
these operations. NASAs Aeronautics Research Mission Directorate (ARMD) strategic plan directs the development of
advanced in-time safety assurance tools that can monitor, assess and mitigate risks [
]. Within this plan, it is envisioned
that advanced safety assurance tools can be developed to leverage the increasing availability of data and the speed
and accuracy of associated data analysis tools. Consequently, an in-time safety assurance concept of operations was
introduced by the System-wide Safety (SWS) project for emerging autonomous low altitude operations near and over
populated urban areas [
]. This concept assumes a UAS Traffic Management (UTM) ecosystem to enable sharing of
safety-relevant information [
]. As an element of the SWS concept, this paper provides an overview of an architecture
that utilizes various onboard and ground-based data to assess the potential for non-participant casualties when unmanned
aircraft operations are conducted over densely populated urban settings. The underlying work for this architecture was
based on the Unmanned Risk Assessment Framework (URAF) which was originally developed within NASA’s UTM
project [
]. An instantiation of the modular URAF architecture was developed and implemented for onboard execution
within the in-time safety assurance concept of operations
. This paper outlines a baseline onboard risk assessment
capability that monitors and assesses a set of hazards throughout the flight. The identified risks are incorporated into
onboard contingency action selection and risk mitigation functions. The organization of this paper is as follows: Section
III provides the components of in-time risk assessment software developed from the URAF concept, Section IV presents
an overview of the core Flight System (cFS) architecture and the implementation of in-time risk assessment software
within the cFS environment, and Section V discusses potential onboard risk-informed decision making applications that
may be considered as future work.
III. In-Time Non-Participant Casualty Risk Assessment Framework
There are several publications relating to characterization of the impact of unmanned aircraft or its components to
the population or structures on the ground [
]. The risk assessment estimation model presented in this paper is an
extension of the UTM Risk Assessment Framework (URAF) development which was previously documented in [
The framework consists of separate modules that utilize real-time aircraft health and environmental data to estimate the
risk to populated areas on the ground due to flight-critical failure on-board the aircraft. These modules include:
A probabilistic graphical model that outputs mishap likelihood,
An off-nominal trajectory and impact point prediction model that estimates the trajectory following a failure and
mishap location, and
A severity estimation model that uses a combination of impact point location, high-resolution dynamic population
density data, roof penetration models and other onboard databases to determine the probability of experiencing
one or more casualties.
The URAF components given above were revisited to manage the potentially increased ground casualty risk
associated with low altitude urban operations within the SWS in-time safety assurance concept. Compared to the
previous iteration, the software was designed to be executed onboard which enables access to higher frequency,
more accurate, and more types of aircraft health and state vector data. This allows for the use of high-fidelity 6
Degrees-of-Freedom (6-DoF) vehicle trajectory prediction models to estimate the impact point throughout the flight.
Additionally, the use of high-resolution dynamic demographic data assists in estimating the movement of the population
of interest for more accurate potential casualty estimation. Finally, probabilistic failure likelihood estimation and
contingency prioritization models were added that execute in time to be delivered to the onboard autonomous decision
making algorithms. The following sections provide more details on key elements of the framework.
URAF components are also being incorporated into other pre-flight and in-flight risk assessment applications within the UTM project.
A. Failure Probability Estimation and Contingency Prioritization
One of the challenges associated with sUAS risk management is the limited amount of historical/operational data
which prohibits adequate UAS component and system reliability estimations. Due to rapidly changing system designs,
lack of quality assurance procedures, and the use of non-standardized components, the sUAS fleet carry a considerable
amount of uncertainty when it comes to establishing airworthiness assessments and regulatory procedures [
]. In
order to characterize the uncertainties within the system, the Bayesian approach was selected as the method to estimate
various hazardous conditions and the likelihood of these hazards to develop into accidents [
]. Besides the probabilistic
estimation of imminent failure occurrence, the Bayesian model also provides the list of alternative contingency actions
(e.g., flight termination, immediate landing, and return-to-launchpoint) and an assessment of their suitability considering
internal and external parameters (available power capacity, presence of wind/turbulence, contingency actions’ impact on
ground risk, etc.). Fig. 1 provides a generic Bayesian Belief Network (BBN) model designed for an octocopter UAS
in order to visualize the concept. In the current version, the BBN model receives vehicle health parameters (battery
charge level, GPS parameters, communication drop rate, individual electronic speed control (ESC) current and motor
temperatures) which is used to inform the status of major systems such as navigation, propulsion, communication, and
power system. Subsequently, the status of the main aircraft functions allows the prioritization of contingency alternatives
as well as estimation of loss of control probability
. The data for conditional probability tables (CPTs) behind each node
is populated by a combination of subject matter expert opinions and vehicle specific reliability data, where applicable.
The model outputs, namely, the LOC probability and mitigation prioritization is delivered back to the cFS data bus as
decision making support, which is discussed in Section V.
Fig. 1 Mishap Likelihood and Contingency Prioritization Bayesian Belief Model.
B. Off-Nominal Trajectory and Impact Point Prediction
An important component of risk assessment is the ability to predict off-nominal flight trajectories and respective
impact points caused by influences such as atmospheric disturbances, control anomalies or propulsion failures. An “off-
nominal” condition can be defined as a significant deviation from the intended flight path or an extended loss-of-control
that results in extreme vehicle attitudes beyond the normal flight envelope. Of particular interest are those trajectories
that may impact an object or person, thereby increasing the probability of damage or injury. Some trajectories that
are a result of complete loss of propulsion or control can be predicted by low-order, ballistic methods. However,
many complex events, such as partial loss-of-control resulting in erratic and/or extended trajectories, may only be
adequately predicted by a six degree-of-freedom (6-DoF) flight dynamics simulation. The current research was aimed at
demonstrating high-fidelity trajectory estimation methods that are implementable in the URAF environment. Specific
objectives were assessing computational requirements, trajectory prediction accuracy, and data/database requirements
Recent NASA research has assessed the feasibility and data requirements for accurate trajectory predictions of
small UAS vehicles for off-nominal conditions using 6-DoF simulation methods [
]. These efforts have focused
Additional failure modes such as degraded aircraft control or aircraft flyaway situations can also be estimated using BBN models.
on multirotor vehicles because of the sparsity of validated models for this class of vehicle especially for off-nominal
conditions. The approach was to develop a high-fidelity simulation aerodynamic database from existing ground-based
wind tunnel methods. Specifically this database was designed to be accurate for a wide range of flow incidence angles
and vehicle angular rates that could occur in an extreme loss-of-control event. The database was defined using a modular
architecture where separate aerodynamic models were developed for an isolated rotor and the bare airframe and then
merged to enable an n-rotor architecture. Photos of the wind tunnel test setup are shown in Fig. 2.
(a) Bare airframe testing in NASA LaRC 12-Foot wind tunnel
(b) Isolated propeller test configuration in NASA LaRC 12-Foot wind
Fig. 2 Wind tunnel test apparatus for aerodynamic database development.
The aerodynamic model structure can be represented as;
+F/Mbinteraction (1)
where Frepresent aerodynamic forces and Mdenotes aerodynamic moments on the respective body axes.
This structure assumes that the propulsion and airframe can be modeled independently and any interactions between
individual rotors or between the rotors and airframe can be accounted for separately. This approach enables the potential
for generic modeling where different propulsion systems or airframes can be substituted or the geometric location for
each rotor can be changed using the same propulsion model. It is recognized that interactions can be difficult to measure
and/or result in complex models and therefore the potential limitations to this approach should be considered.
Each term in Eq.(1) is a nonlinear function of non-dimensional similitude parameters which allows geometric and
mass scaling to various model sizes. For example, as represented in Eq.(2), propulsion forces and moments can be
modeled as a buildup of static terms (effect of steady flow angle and advance ratio) plus dynamic terms (effect of body
axis angular rates) plus any interactions between individual rotors where
denotes aerodynamic force and moments
on the body axes.
xrotor interaction (2)
While this “build-up” approach is often used for modeling of fixed-wing configurations, the use of this modeling
architecture remains a research area for multirotor aircraft.
The modeling approach described above allows for the inclusion of highly nonlinear phenomena unique to rotors.
For example, this database included a model of “vortex ring state”, a well-known behavior of rotary wing vehicles, that
produce large oscillations in thrust during descending flight. The model development method of this phenomena is
described in [16].
The nonlinear equations of motion used in the 6-DoF simulation are of the form in Eq.(3) and are described in detail
in [3]. Trajectories are computed by numerical integration of Eq.(3) where
denotes vehicle state parameters,
given as control effector input, and J is the rotor advance ratio.
X=fXb, δb,J,F/Mb(3)
Results of simulation testing to date have demonstrated the ability to predict highly non-linear trajectories due to
propulsion failures, vortex ring state encounters, and control failures [
]. Research is continuing in several areas to
further advance the feasibility and determine modeling and simulation requirements for onboard/in-time trajectory
prediction. Aerodynamic modeling research is continuing to address the effects of high vehicle angular rates on
propulsion performance and on aerodynamic interactions between the propulsion system and airframe. Modeling of
other critical off-nominal conditions such as turbulence, sensor failures and control degradation remains the subject of
ongoing research with the goal of further advancing the range of off-nominal events that can be predicted. Efforts are in
progress to demonstrate the feasibility of a generic n-rotor simulation approach which will allow trajectory prediction for
a large range of multirotor vehicles. Additional research will include probabilistic methods for characterizing trajectory
dispersions and ground impact areas. A challenge in this approach is the development of realistic parameter dispersions
unique to multirotor vehicles such as those applicable to environmental disturbances, aerodynamic behaviors, and
avionics anomalies.
C. Severity Estimation
Within the context of this paper, risk of casualty following a sUAS crash is used as a proxy for severity estimation.
In order to estimate likelihood of casualty several components are needed; 1) a predicted off-nominal trajectory and
impact point or area (described in Section III.B), 2) estimation of population density within the flight/impact area,
and 3) impact characteristics including impact angle, velocity, and consideration of sheltering effects. The following
subsections provide the formulation for severity estimation.
1. High-resolution Population Density Data
The benefit of employing a high-fidelity impact point estimation model can be sensitive to the resolution of the
available population density data for the given location and point in time. Acquiring quality population density data is
often the bottleneck in estimating casualty risk due to its dynamic nature. Ground risk assessment studies often employ
median population density values for rural, suburban, and urban settings [
]. However, this constitutes a gross
estimation which does not take several important parameters into consideration such as time of the day, day of the
week, or time of the year. Especially for high density urban settings, the population density can differ significantly
throughout the day (e.g. during commuting and lunch periods) or grow substantially due to an open air assembly (e.g.
sporting events and concerts) [
]. A more accurate representation of population density and movement is paramount for
several areas of research including food security, climate change, natural disasters, and city planning [
]. Recently,
geolocation data obtained from mobile phones has been shown to overcome the limitations of census based solutions
given the ubiquitous use of smart phones [
]. In order to better capture and demonstrate the dynamic aspects of
population density within an urban environment, the concept provided in this paper employs a dataset acquired from a
commercial company which specializes in population analytics and location-based data solutions
. The commercially
available population activity density data provides movements of population within the area of interest at a 10m x 10m
resolution in one hour increments, typically with a two month processing delay. However, it is important to note that
although the population density data remains historical, it provides a dynamic and higher resolution representation of
expected population density. For instance, population activity data observed on July 4
, 2017 for a given hour can be
used to approximate the 2018 values. A sample dataset for downtown San Francisco for July 4
, 2017 between 7PM
and 8PM is given in heat map representation in Fig. 3.
2. Probability of Casualties
As stated previously, the probability of casualties due to a UAS crash over an urban environment needs to be
estimated in order to fully account for the risks associated with the flight. Because of the hard to predict nature of
population dynamics and the large number of uncertainties, a probabilistic model is best suited for this task. For this
reason, the severity estimation module was developed within the URAF framework to estimate the expected number of
casualties and the probability of casualties
. This model uses population density, sheltering effects, casualty impact
area, and the kinetic energy at impact to determine the severity of a mishap. This work expands on the previous
probabilistic model within the URAF architecture [
] (where only the expected number of casualties was compared) by
For testing, population density activity data was acquired for Reno, NV, San Francisco Metropolitan Statistical Area, CA, and Corpus Christi,
TX from AirSage, Inc.
These estimates can be computed prior to flight (based on a flight plan and failure scenarios), or continuously during flight (based on real-time
Fig. 3 Sample Population Density Data for the City of San Francisco.
adding information regarding the probability of impacting one or more casualties. This type of approach enhances the
formulation in regards to the severity of the mishap as well as being useful in hypothetical scenarios where the exact
location of people is known.
Within the context of this paper, the metric to quantify the risk to 3
party or uninvolved public is the probability of
causing one or more casualties. In order to compute this metric, first, the casualty area for people in the open (i.e., not in
buildings or otherwise sheltered) is considered as:
AC=(wspan +2Rp)(Luav +
represents the wing span,
is the radius of a person,
is the length of the UAV,
is the person’s
height, and
is the impact angle with respect to the ground [
]. This formulation serves well for fixed wing UAVs;
however, a more general formulation that includes quadcopters is given by
AC=π(Rp+Ruav )2+2Rp+RuavHp
where Ruav is the characteristic radius that is used to define the UAV geometry as a circle.
The casualty area is defined such that any person inside it can be considered a casualty. By assuming that people can
be randomly located anywhere inside a populated area,
, the probability that a specific person will be a casualty is
simply expressed by AC/AP. Figure 4 illustrates the casualty area with respect to the populated area.
Fig. 4 Casualty Area Schematic
Note that
, as seen in Eqs.(4) and (5), is a function of the trajectory, which in turn is a function of the uncertain
parameters due to the malfunction mode, vehicle aerodynamics, and atmospheric conditions. For simplicity, these
uncertain parameters are grouped together and represented by the variable
, where
Q=(Q1,Q2,· · · Qk)
. The
probability of ccasualties given a set of parameters, q, follows a binomial distribution and is given by:
represents the number of people in the populated area. The subscript
shows the dependency on the uncertain
. This dependency is due to the fact that the impact point and trajectory approach angle, which affect the
number of people in the population density, are a function of different uncertain parameters. By using the law of total
probability, the equation becomes:
represents the joint distribution of
. This can be approximated by using Monte Carlo techniques such that
P(C) ≈ 1
Finally, the probability of having
or more casualties in a populated area
can be expressed by computing the
cumulative distribution of
. This formulation can be easily extended to the different sheltering categories by
modifying the casualty area formulation. The effects of sheltering on casualty estimation for various roof styles was
previously demonstrated in [7]. The methodology shown in this paper can be modified to reflect sheltering effects.
D. Risk Construct
As previously stated in Sections III.A and III.C, the risk assessment module estimates mishap likelihood and
probability of causing one or more casualties, respectively. Onboard, these values are transmitted to the cFS
communication bus (discussed in Section V) along with a quantized risk value (i.e., low, medium, high) which is
based on a modified FAA Risk Matrix [
]. However, at the time of writing, FAA does not provide specific guidance
on likelihood and severity definitions for unmanned aircraft flight operation risk over populated areas [
], thus, it
is important to note that the acceptable thresholds for severity (minimal, minor, major, catastrophic) and likelihood
(frequent, probable, remote, and improbable) were chosen arbitrarily here for the purposes of concept evaluation and
demonstration (Fig. 5). As an extension to the current approach, a modified version of the Specific Operation Risk
Assessment (SORA) methodology developed by Joint Authorities for Rulemaking on Unmanned Systems (JARUS)
could be considered. JARUS SORA methodology was based on the principle of a holistic/total system safety risk-based
assessment model used to evaluate ground and air risks related to a given operation [
]. The SORA methodology also
provides guidance on assessing residual risks following the use of strategic and tactical mitigations. These aspects will
be incorporated into future versions of the framework presented here.
Fig. 5 Notional Risk Matrix.
IV. core Flight System (cFS) Architecture Integration
The framework discussed in Section III was designed to be operated onboard the aircraft to support risk-informed
decision making throughout the flight. This decision-making function may be performed by a remote operator or pilot,
but this framework particularly focuses on supporting autonomous/automated decision-making functions onboard. A
baseline capability was tested as part of the larger SWS system construct which made use of NASA’s cFS architecture.
cFS was originally developed by Goddard Space Flight Center for spacecraft flight software systems.
A. core Flight System (cFS)
NASAs cFS is a platform, a software framework, and an environment that is designed to develop and re-use flight
software applications. The stable and robust cFS architecture allows the communication of independently-executing
functions over a shared information bus, similar to applications communicating through a cloud based structure
(Fig. 6). This allows independent development and testing of various applications that will perform as monitoring,
assessment and mitigation functions within the SWS safety assurance system concept [
]. The in-time non-participant
risk assessment software described in this paper is packaged as an application that performs monitoring (via sensor data
fusion and interpretation), assessment (development of the dynamic risk construct) and contingency action/mitigation
(via suggestions developed by Bayesian models) functions. The dynamic risk and associated contingency actions
are broadcast within the cFS bus to other applications that are tasked with decision making and execution of these
B. Onboard In-Time Risk Assessment Software
1. Structure
The onboard risk assessment capability presented in this paper was initially implemented and tested on the cFS
architecture which was in turn implemented on a small multi-rotor UAS platform. Within the cFS architecture, besides
applications, users can also develop libraries. The term library refers to functions that can only be called within other
applications present in the cFS architecture. The libraries do not interact with the cFS software bus and they run
independently. This structure not only enables simultaneous use of the functionality by multiple applications but also
allows relatively faster execution time which proves to be essential for proactive decision making capability. The in-time
risk assessment software was developed as a library, allowing for other onboard applications to call the core functionality
as well as the underlying models of the software, individually (i.e., trajectory, severity, likelihood). Additionally, an
application was developed to use this library so that the combined functionality of the risk assessment software can be
executed and broadcast on the software bus.
2. Inputs and Outputs
The components of the framework described in Section III are implemented within the cFS architecture as given
in Fig. 7. The risk assessment software receives dynamic aircraft position and health information via standard
See for further information on cFS.
Fig. 6 cFS Architecture for Testing In-Time Safety Assurance System Concepts [5].
onboard systems within the Micro Air Vehicle Link (MAVLink) structure
. Additionally, within the in-time safety
assurance concept, the UTM ecosystem components
(Supplemental Data Service Providers (SDSPs) and UAS Service
Supplier (USS) among others) provide weather, traffic and other pertinent flight information which is accessible via cFS
architecture. Using the data sources obtained from cFS and carried onboard, the in-time risk application constructs
and combines the submodels (population density, likelihood, trajectory, and severity models) to estimate instantaneous
mishap risk, the preferred contingency action considering available resources as well as the predicted impact point.
These output variables in addition to the individual model outputs and data are broadcast to the software bus for other
applications to use (e.g. decision-making functions regarding executing contingencies). The software output parameters
are also accessible via the library functionality, if preferred (e.g. to overcome bus speed limitations).
Fig. 7 In-Time Risk Assessment interactions with the cFS Architecture.
MAVLink is a protocol developed for communication between unmanned vehicles and the ground control stations as well as the inter-
communcation among the subsystems of the vehicle. See for further documentation.
∗∗See Refs.[5,6] for further information on SDSPs and USSs.
3. Software-in-the-Loop and Flight Testing
As previously stated, the non-participant risk assessment software resides on the aircraft and is primarily designed to
inform other onboard decision making and trajectory guidance software. At this time, there is no in-flight visualization
for the ground control station operator consumption, however, the output of the risk application which is transmitted over
the cFS bus is recorded and available for post-flight analysis. Additionally, a software-in-the-loop (SITL) simulation
is developed to visualize the flight environment and observe/record the interactions among the cFS applications, risk
application functions and MAVlink messages. SITL provides a simulation environment where the capabilities of
the code can be tested without the need to use flight hardware to run ArduPilot
software. The SITL is capable of
generating vehicle-specific flight dynamic data as well as simulated aircraft sensor data which are relayed through a
telemetry port connection. The cFS architecture receives the aircraft state vectors and sensor data via the telemetry port
and subsequently disseminates the information throughout the system to all of the resident cFS applications, including
the risk assessment software. This process is continued until the simulation is ended or the connection is broken.
Figure 8 provides the SITL setup used to test the software. A command line interface is used to deliver commands
to the autopilot (upper-left corner). A map is employed to define and display the flight mission for testing (lower-left
corner). A console displays the general characteristics of mode and progression features (upper-right corner). Finally,
command prompt display provides the cFS data stream and risk assessment software outputs, namely, the contingency
action probabilities (abort, land, return-to-base, or continue flight), loss of control probability, casualty probability, and
notional risk matrix outputs (lower-right corner).
Fig. 8 User Interfaces for Software-in-the-Loop Testing
Ardupilot is an open source unmanned aircraft flight software capable of controlling numerous autonomous aircraft and is used as a research
platform for this effort, see for further details.
V. Decision Making Support
The components of the risk assessment software described in the previous sections were primarily developed to
explore the design space toward enabling the concept described in [
] which envisions a scalable system that can
be tailored to a specific domain and its inherent risks. This system should be capable of integrating a diverse set of
operational and environmental data to monitor and assess the likelihood of risk and hazard states. Once potential risks
are identified and evaluated, the objective is to mitigate these hazardous conditions via automated planning and execution
of timely responses. The software architecture discussed in this paper is initially aimed at monitoring and assessment
functions associated with non-participant casualties. The sections below discuss planned R&D and approaches that
would apply this risk assessment software and framework to autonomous risk mitigation.
A. Path Planning
One of the planned uses of the onboard assessment of ground impact risk is to assist the autonomous path planning
function. It is envisioned that future autonomous UAS systems will be equipped with obstacle-avoidance functionality
which will re-route or follow pre-determined contingency measures. In cases where the aircraft has to be diverted
due to a detected obstacle or aircraft, the re-routing algorithm would primarily ensure that the obstacle or aircraft is
cleared while selecting and executing the mitigation action. During the diversion, the path planning algorithm could
be informed of the ground casualty risk of alternative paths in addition to existing parameters (available resources,
airspace/geofence limitations, etc.). Alternatively, given that the risk assessment software collects, analyses, and
disseminates aircraft health data, the decision making algorithm can have access to the available aircraft resources prior
to selecting a particular action (e.g., detect and avoid, geofence conformance, return to base, and return to mission). An
example detect-and-avoid technology called ICAROUS (Integrated Configurable Algorithms for Reliable Operations of
Unmanned Systems) provides a flexible autonomous decision making platform that allows modular integration with
other onboard hardware and software [
]. Initial research is underway to apply the risk assessment functions described
previously in concert with ICAROUS-based functions (also implemented within the cFS architecture). ICAROUS can
proactively query the risk of alternative paths, allowing the integration of the non-participant casualty risk capability
into determination and direction of detect-and-avoid or other contingency maneuvers (e.g. land, return-to-launchpoint).
B. Contingency Planning
As part of the risk assessment process, the onboard BBN model considers raw aircraft telemetry values as well as
potential SDSP-based health and environmental assessment services to produce two outputs: off-nominal condition
probabilities (e.g., loss-of-control risk for the current iteration of the architecture) and a suggested mitigation action
based on the current and projected aircraft health. If the safety margins deteriorate below acceptable levels, the risk
software outputs the preferred mitigation action (abort, land, return-to-base, or continue flight) to the cFS bus. This
information can be used to inform the autopilot or the ground control station (GCS) operator of the imminent risk and
recommended action within the aircraft’s capability.
C. Highly Autonomous Low Altitude Urban Operation Support
Within the emerging urban operations domain, the in-time safety assurance concept assumes that an information
sharing infrastructure will be present. This infrastructure would be able to collect, disseminate and update large-scale
data obtained from on-board and off-board sensors and services as required to meet mission-specific safety requirements.
The SWS ConOps highlights pre-flight, in-flight, and post-flight utilization of the architecture. During the pre-flight
phase, GCS operators would reach out to generally available broadcast data or opt in to mission-specific or request-reply
type information. The data which could be obtained from recent observations or forecast models would advise the
operator and/or onboard safety software before the flight. For instance trajectory-specific, low-altitude wind gust and
turbulence data or expected population density surrounding the flight plan provided by SDSPs will inform the operator,
potentially resulting in a revised flight plan or launch window [
]. Alternatively, an SDSP providing a pre-flight
non-participant casualty assessment service could be used
. During the flight, via pre-loaded data, observed variables,
models, and dynamic SDSPs, the aircraft will continuously monitor and assess current and future flight risks. The
architecture provided within this paper would be one implementation of such an onboard risk assessment capability.
Finally, following the flight, data observed throughout the mission would be uploaded to the relevant service providers.
The post-flight information would be used to update the SDSPs (e.g., observed wind or population density activity) and
‡‡Ground Risk Assessment Risk Provider (GRASP) SDSP is currently being developed under the UTM project plan.
to validate the supporting models (e.g. aerodynamic models) [
]. Within the SWS ConOps, the pre-flight and in-flight
risk assessment instantiations would continuously co-operate and work towards providing the most up-to-date ground
risk information via the information sharing infrastructure.
VI. Concluding Remarks and Next Steps
As projected demand for unmanned aircraft operations increases, assuring the safety of such operations will play
a significant role in determining the degree of widespread use - it will become either the enabler or the constraint.
This will also be the case for future concepts like personal air vehicles and UAM concepts. As part of an overarching
approach to safety assurance for emerging highly-autonomous operations, this paper presents an onboard architecture
that monitors vehicle-specific parameters by integrating aircraft health data as well other data carried onboard (e.g.
population density and wind speed/gust information). The information is used to assess casualty risk with regards to the
current aircraft position and its future path. Research will continue toward improving the components of the onboard
risk assessment service by incorporating additional failure models into the Bayesian network as well as the 6DoF
model, providing dynamic updating capability to population density and environmental factors models. Additionally,
the framework will be expanded to estimate property/building damage. Finally, the risk assessment capability will be
integrated with decision making functions (such as are intended to activate fail-safe contingencies when off-nominal
conditions occur or are predicted to occur).
The work presented here was supported by NASA System-wide Safety (SWS) and Unmanned Aircraft System
(UAS) Traffic Management (UTM) projects.
Ten Harmsel, A. J., Olson, I. J., and Atkins, E. M., “Emergency Flight Planning for an Energy-Constrained Multicopter,”
Journal of Intelligent & Robotic Systems, Vol. 85, No. 1, 2017, pp. 145–165. doi:10.1007/s10846-016- 0370-z.
National Academies of Sciences, E., and Medicine, Assessing the Risks of Integrating Unmanned Aircraft Systems (UAS) into
the National Airspace System, The National Academies Press, 2018. doi:10.17226/25143.
Breunig, J., Forman, J., Sayed, S., Audenaerd, L., Branch, A., and Hadjimichael, M., “Modeling Ground Collision Severity of
Small Unmanned Aircraft Systems,2018 Aviation Technology, Integration, and Operations (ATIO) Conference, American
Institute of Aeronautics and Astronautics, 2018. doi:10.2514/6.2018- 3349.
National Aeronautics and Space Administration, “NASA Aeronautics Strategic Implementation Plan: 2017 Update,” 2017.
Young, S. D., Quach, C. P., Goebel, K., and Nowinski, J., “In-Time Safety Assurance Systems for Emerging Autonomous Flight
Operations,” IEEE/AIAA 37th Digital Avionics Systems Conference (DASC), 2018.
Kopardekar, P., Rios, J., Prevot, T., Johnson, M., Jung, J., and III, J. E. R., “Unmanned Aircraft System Traffic Management
(UTM) Concept of Operations,” 16
AIAA Aviation Technology, Integration, and Operations (ATIO) Conference, American
Institute of Aeronautics and Astronautics, 2016. doi:10.2514/6.2016- 3292.
Ancel, E., Capristan, F., Foster, J. V., and Condotta, R., “Real-time Risk Assessment Framework for Unmanned Aircraft System
(UAS) Traffic Management (UTM),” Aviation Technology, Integration, and Operations (ATIO) Conference, American Institute
of Aeronautics and Astronautics, 2017. doi:10.2514/6.2017- 3273.
Washington, A., Clothier, R. A., and Silva, J., “A Review of Unmanned Aircraft System Ground Risk Models,” Progress in
Aerospace Sciences, Vol. 95, 2017, pp. 24 – 44. doi:/10.1016/j.paerosci.2017.10.001.
Clothier, R. A., and Walker, R. A., Safety Risk Management of Unmanned Aircraft Systems, Springer Netherlands, Dordrecht,
2015, pp. 2229–2275. doi:10.1007/978-90-481- 9707-1_39.
Ford, A., and McEntee, K., “Assessment of the Risk to Ground Population Due to an Unmanned Aircraft In-Flight Failure,10
AIAA Aviation Technology, Integration, and Operations (ATIO) Conference, American Institute of Aeronautics and Astronautics,
2010. doi:10.2514/6.2010-9056.
Lazatin, J., “A Method for Risk Estimation Analysis for Unmanned Aerial System Operation over Populated Areas,” 14
Aviation Technology, Integration, and Operations (ATIO) Conference, American Institute of Aeronautics and Astronautics,
2014. doi:10.2514/6.2014-2284.
Lum, C., Gauksheim, K., Deseure, C., Vagners, J., and McGeer, T., “Assessing and Estimating Risk of Operating Unmanned
Aerial Systems in Populated Areas,11
Aviation Technology, Integration, and Operations (ATIO) Conference, American
Institute of Aeronautics and Astronautics, 2011. doi:10.2514/6.2011- 6918.
Olson, I., and Atkins, E. M., “Qualitative Failure Analysis for a Small Quadrotor Unmanned Aircraft System,” AIAA Guidance,
Navigation, and Control (GNC) Conference, American Institute of Aeronautics and Astronautics, 2013. doi:10.2514/6.2013- 4761.
Washington, A., Clothier, R., and Silva, J., “Managing Uncertainty in Unmanned Aircraft System Safety Performance
Requirements Compliance Process,20
International Conference on Unmanned Aircraft Systems (ICUAS 2018), 2018.
Corbetta, M., Banerjee, P., Okolo, W., Gorospe, G., and Luchinsky, D. G., “Real-time UAV Trajectory Prediction for Safety
Monitoring in Low-Altitude Airspace,Aviation Forum 2019, American Institute of Aeronautics and Astronautics, 2019.
Foster, J. V., and Hartman, D. C., “High-Fidelity Multi-Rotor Unmanned Aircraft System Simulation Development for Trajectory
Prediction Under Off-Nominal Flight Dynamics,Aviation Technology, Integration, and Operations (ATIO) Conference,
American Institute of Aeronautics and Astronautics, 2017. doi:10.2514/6.2017-3271.
Foster, J. V., Hartman, D. C., and Miller, L. J., “Recent NASA Research on Multirotor Flight Dynamics in Off-Nominal
Conditions,” Presented at the Aerospace Control and Guidance System Committee (ACGSC) Meeting, 11-13 April, 2018.
Hartman, D. C., “Identification of Hazardous Flight Conditions to Establish a Safe Flight Envelope for Autonomous Multirotor
Aircraft,” AIAA SciTech Forum 2019, American Institute of Aeronautics and Astronautics, 2019. doi:10.2514/6.2019- 1292.
Joint Authorities for Rulemaking of Unmanned Systems, “JARUS Guidelines on Specific Operations Risk Assessment (SORA),”
JAR-DEL-WG6-D.04, 2017.
Melnyk, R., Schrage, D., Volovoi, V., and Jimenez, H., “A Third-Party Casualty Risk Model for Unmanned Aircraft System
Operations,” Reliability Engineering & System Safety, Vol. 124, 2014, pp. 105–116. doi:10.1016/j.ress.2013.11.016.
Calka, B., Costa, J. N. D., and Bielecka, E., “Fine Scale Population Density Data and its Application in Risk Assessment,
Geomatics, Natural Hazards and Risk, Vol. 8, No. 2, 2017, pp. 1440–1455. doi:10.1080/19475705.2017.1345792.
Deville, P., Linard, C., Martin, S., Gilbert, M., Stevens, F. R., Gaughan, A. E., Blondel, V. D., and Tatem, A. J., “Dynamic
population mapping using mobile phone data,” Proceedings of the National Academy of Sciences, Vol. 111, No. 45, 2014, pp.
15888–15893. doi:10.1073/pnas.1408439111.
Dan, Y., and He, Z., “A Dynamic Model for Urban Population Density Estimation Using Mobile Phone Location Data,” 5
IEEE Conference on Industrial Electronics and Applications, 2010, pp. 1429–1433. doi:10.1109/ICIEA.2010.5514844.
Clothier, R. A., Palmer, J. L., Walker, R. A., and Fulton, N. L., “Definition of Airworthiness Categories for Civil Unmanned
Aircraft Systems (UAS),” 27th International Congress of the Aeronautical Sciences, ICAS, 2010.
Lum, C., and Waggoner, B., “A Risk Based Paradigm and Model for Unmanned Aerial Systems in the National Airspace,
Infotech@Aerospace Conferences, American Institute of Aeronautics and Astronautics, 2011. doi:10.2514/6.2011-1424.
[26] Federal Aviation Administration, “Safety Management Risk Policy (FAA Order 8040.4B),” 2017.
Consiglio, M., Muñoz, C., Hagen, G., Narkawicz, A., and Balachandran, S., “ICAROUS: Integrated Configurable Algorithms for
Reliable Operations of Unmanned Systems,35
Digital Avionics Systems Conference (DASC 2016), Sacramento, California,
US, 2016.
... Below are findings and an assessment of these services as tested. For additional details see [12]. ...
... Onboard in-flight risk assessment function: An instance of the core NPCRA functionality was also flown onboard the test aircraft to provide a real-time risk assessment capability (such as described in Refs. [12,13]. In addition to the casualty/severity estimation capability described above to support pre-flight planning, the real-time version also includes a dynamic Bayesian Belief Network (BBN) which estimates the likelihood of off-nominal conditions based on inputs from onboard systems and sensors. ...
... For this work, algorithm and models originally designed for a fixedwing UAV are adapted for multi-rotor sUAS and 1 Hz SoC and RUL estimates are reported to the cFS software bus to support risk assessment and contingency selection [36]. • Risk assessment -A function that uses a Bayesian belief network technique to assess safety risk in terms of likelihood and severity; likelihood estimates may be for various user-selected outcomes (e.g., loss of control due to loss of power), while severity estimates are based on casualty risk to people on the ground (i.e., based on potential impact areas in the event of loss-of-control) [12,13,36]. See also Sec II-B. ...
Conference Paper
Full-text available
View Video Presentation: Ongoing research at NASA is driven by a strategic plan defined by the Aeronautics Research Mission Directorate and a vision for future In-Time Aviation Safety Management Systems (IASMS) as described by the National Academies. In both visions, system safety awareness and provision are expanded through increased access to relevant data; integrated analysis and predictive capabilities; improved real-time detection and alerting of domain-specific hazards; decision support, and in some cases, automated risk mitigation strategies. One primary research focus is to develop means by which more timely (i.e., “in-time”) actions may be taken to mitigate precursors, anomalies, or trends that are observed during operations. In this paper, we describe such means as a collection of Services, Functions, and Capabilities (SFCs) that are supported by an underlying information system. For example, an integrated risk assessment capability is envisioned that continuously monitors safety-related metrics and margins and recommends timely operational changes. Assessment functions and/or services can be based on data analytics and predictive models derived from heterogeneous data sets that span relevant indicator metrics and their time histories. Likewise, on-board functions can identify and reduce susceptibility to precursor conditions that have led (and can lead) to aircraft loss-of-control or out-of-control accidents. This paper summarizes development and testing of such an information system tailored to hazards anticipated for future highly autonomous flight missions near and over densely populated areas. Testing is accomplished via simulation and by using small, unmanned aircraft operating over a test range at NASA’s Langley Research Center. Flight plans and test scenarios are defined to emulate several use-cases, including package delivery; reconnaissance; fire management; and urban air taxi vertiport operations. Two test phases are summarized with Phase 1 occurring in (2019-2020) and Phase 2 ongoing (2021-present). Results focus on SFC performance, technology readiness level assessment, and requirements discovery/validation. Companion papers are cited throughout for additional details on the recent testing.
... Below are findings and an assessment of these services as tested. For additional details see [12]. ...
... Onboard in-flight risk assessment function: An instance of the core NPCRA functionality was also flown onboard the test aircraft to provide a real-time risk assessment capability (such as described in Refs. [12,13]. In addition to the casualty/severity estimation capability described above to support pre-flight planning, the real-time version also includes a dynamic Bayesian Belief Network (BBN) which estimates the likelihood of off-nominal conditions based on inputs from onboard systems and sensors. ...
... For this work, algorithm and models originally designed for a fixedwing UAV are adapted for multi-rotor sUAS and 1 Hz SoC and RUL estimates are reported to the cFS software bus to support risk assessment and contingency selection [36]. • Risk assessment -A function that uses a Bayesian belief network technique to assess safety risk in terms of likelihood and severity; likelihood estimates may be for various user-selected outcomes (e.g., loss of control due to loss of power), while severity estimates are based on casualty risk to people on the ground (i.e., based on potential impact areas in the event of loss-of-control) [12,13,36]. See also Sec II-B. ...
Conference Paper
View Video Presentation: An onboard risk management automation design is presented based on run-time assurance principles, as well as the concept for In-Time Aviation Safety Management Systems (IASMS) as described by the National Academies. The automation is designed to operate independently of the autopilot and perform real-time risk assessment spanning multiple classes of hazards, predict constraint violations, and track autopilot states. In the event of elevated risk conditions or predicted constraint violations, the automation will select from a set of available contingencies and trigger autopilot mode changes if necessary to mitigate risk exposure. The onboard automation also informs the remote operator/pilot of what the independent monitor is observing and any contingency decisions or actions that may arise during flight. Details of an implementation of this design and results of verification and validation activities, as required to meet stringent NASA software and system assurance standards, are also presented. This includes simulation and flight testing using small unmanned aircraft systems.
... In addition to the safety assurance system, several other studies propose technical means to deal with these safety risks. These technical means include geo-fencing systems [30][31][32], autonomous collision avoidance systems such as the ICAROUS system [33,34], real-time risk assessment frameworks [35,36], flying time prediction algorithms [37,38], or a real-time software health management system for UAS [39]. ...
... In case of a severe system malfunction leading to a crash, timely hazard identification and proactive risk mitigation capabilities are needed to avoid endangering the public. Ancel et al. [35,36] developed a casualty risk assessment algorithm that includes three estimation models. The first one is a probabilistic model for computing the current failure probability and thus the mishap likelihood based on current vehicle health parameters, such as battery charge level or motor temperatures. ...
... An estimation of the current casualty risk during UAS operation can be computed using real-time risk assessment. One example for such a risk assessment framework for UAS UTM was developed by Ancel et al. [35,36]. They developed an algorithm that computes the current mishap likelihood based on current system parameters. ...
Full-text available
The envisioned introduction of autonomous Small Unmanned Aircraft Systems (sUAS) into low-altitude urban airspace necessitates high levels of system safety. Despite increased system autonomy, humans will most likely remain an essential component in assuring safety. This paper derives, applies, and evaluates a display design concept that aims to support safety risk monitoring of multiple sUAS by a human operator. The concept comprises of five design principles. The core idea of the concept is to limit display complexity despite increasing the number of sUAS monitored by primarily visualizing highly abstracted information while hiding detailed information of lower abstraction, unless specifically requested by the human operator. States of highly abstracted functions are visualized by function-specific icons that change hue in accordance to specified system states. Simultaneously, the design concept aims to support the human operator in identifying off-nominal situations by implementing design properties that guide visual attention. The display was evaluated in a study with seven subject matter experts. Although preliminary, the results clearly favor the proposed display design concept. The advantages of the proposed design concept are demonstrated, and the next steps for further exploring the proposed display design concept are outlined.
... Lin & Shao (2020) compute the expected level of safety (ELS) of a path as a function of mean time between failures, the area of exposure in square meters (assuming a ground impact), the population density, and accident severity. Ancel et al. (2017) and Ancel et al. (2019) present a real-time risk assessment framework that quantifies the risks to bystanders for operations in populated areas. They consider three separate modules: ...
... Therefore, we define the risk of mission failure as: the product of the likelihood of mission failure and the consequences of mission failure. With this proposed framework, we can seamlessly integrate with modules for impact point prediction and casualty estimation developed by (Ancel et al., 2017(Ancel et al., , 2019 and (Primatesta et al., 2019). ...
Full-text available
As the potential for deploying low-flying unmanned aerial vehicles (UAVs) in urban spaces increases, ensuring their safe operations is becoming a major concern. Given the uncertainties in their operational environments caused by wind gusts, degraded state of health, and probability of collision with static and dynamic objects, it becomes imperative to develop online decision-making schemes to ensure safe flights. In this paper, we propose an online decision-making framework that takes into account the state of health of the UAV, the environmental conditions, and the obstacle map to assess the probability of mission failure and re-plan accordingly. The online re-planning strategy considers two situations: (1) updating the current trajectory to reduce the probability of collision; and (2) defining a new trajectory to find a new safe landing spot, if continued flight would result in risk values above a pre-specified threshold. The re-planning routine uses the differential evolution optimization method and takes into account the dynamics of the UAV and its components as well as the environmental wind conditions. The new trajectory generation routine combines probabilistic road-maps with B-spline smoothing to ensure a dynamically feasible trajectory. We demonstrate the effectiveness of our approach by running UAV flight simulation experiments in urban scenarios.
... The concept of constructing a trajectory based on the assessment of multiple risks in the U-space was also proposed in [11]. The authors proposed an extended structure of the UTM Risk Assessment Framework (URAF), which implies its use just for predicting the occurrence of the risk of an incident within the boundaries of a densely populated urban area from a multi-rotor VTOL-UAV. ...
Full-text available
The safety of unmanned aerial vehicle (UAV) flights depends on many factors, such as the absence of failures or malfunctions of aviation equipment, the absence of exposure to adverse environmental phenomena, and the absence of errors by the aircraft crew and engineering personnel. In uncontrolled airspace by the internal affairs authorities, when the flight is carried out at altitudes below 500 feet above ground level (AGL), this task is even more complicated, since at the moment there are no monitoring services and procedures for monitoring VTOL-UAV (Vertical TakeOff and Landing unmanned aerial vehicle) performing operations at the specified altitude range. In this case, the only link of control is the remote pilot, who directly monitors his unmanned aerial vehicle (UAV) when flying in Visual Line-of-Sight (VLOS) mode. Some components of an unmanned vehicle are difficult to control from the point of view of preventing the risk of the likelihood of an incident, which is difficult to prevent due to its high potential danger and the speed of its occurrence. In this paper, we propose an algorithm that is simple for software implementation and does not require mathematical calculations, the implementation of which requires the presence of devices for measuring the speed of rotation of engines, which are proposed to use Hall sensors installed on each engine of a multi-rotor VTOL-UAV. To prevent the program from crashing when polling sensors, a double redundancy of sensor readings is provided. Also, in case of confirmation of an engine failure, a module has been introduced into the algorithm that provides for a preliminary shutdown of an engine that is symmetrical to the one whose failure is confirmed. After turning off the remaining engines, the parachute compartment is activated for an accurate landing at low speed.
... Hence to realize a factor 10 improvement in UAS system failure rate requires much more than the design by [46] alone. An important development is the mitigation of remaining TPR risks by safety management systems integrated on-board UAs [47,48] and ground-based support [49]. ...
Full-text available
Commercial aviation distinguishes three indicators for third party risk (TPR): i) Expected number of ground fatalities per aircraft flight hour; ii) Individual risk; and iii) Societal risk. The latter two indicators stem from TPR posed to population by operation of hazardous installations. Literature on TPR of Unmanned Aircraft System (UAS) operations have focused on the development of the first TPR indicator. However the expected increase of commercial UAS operations requires an improved understanding of third party risk (TPR). To support such improvement, this paper extends the existing TPR model for UAS operations with societal and individual risk indicators. The extension is developed both at modelling level and at assessment level. Subsequently the extended approach is applied to a hypothetical UAS based parcel delivery service in the city of Delft. The results obtained for the novel UAS TPR indicators show that this aligns commercial UAS operations with land use policies and standing TPR regulation for airports and hazardous facilities.
... NASA's Aeronautics Research Mission Directorate (ARMD) strategic plan directs the development of advanced in-time safety assurance tools that can monitor, assess and mitigate risks for UAV operations (Aeronautics & Administration, 2017). Under that initiative, several studies have been directed to prediction of future trajectory (Corbetta, Banerjee, Okolo, Gorospe, & Luchinsky, 2019;Banerjee & Corbetta, 2020), estimation of remaining battery life , estimation of vibrational anomalies (Banerjee, Okolo, & Moore, 2020) as well as assessment of risk to population on ground in the event of a crash (Ancel, Capristan, Foster, & Condotta, 2019). Weibel & Hansman (Weibel & Hansman, 2004) and Clothier et al (Clothier, Walker, Fulton, & Campbell, 2007) estimated expected rate of casualties per flight hour based on population density, area of exposure and failure rate. ...
Full-text available
Enabling operations of unmanned aerial vehicles (UAVs) in low-altitude airspace, As widespread applications emerge, the need of risk assessment becomes increasingly important for UAV flights beyond visual line-of-sight, especially subjected to off-nominal conditions introduced by component failures, degraded controllability or environmental disturbances such as wind gusts in an urban canyon. From a safety perspective, collision with obstacles can be detrimental not only to the vehicle and payload, but also to the structure and people on ground. Although it is safe to assume that approved UAVs would be equipped with collision avoidance systems, . In this paper, a framework is presented for computing the risk of collision with obstacle based on a UAV's predicted trajectory, . The conditional probability of trajectory deviation is generated using a Bayesian Belief Network (BBN) based on on-board sensor measurements. Further, a kinematic 3-DOF model is implemented to compute deviation in UAV's trajectory subjected to one case study of off-nominal condition i.e. wind gusts. Finally, the integrated risk factor is demonstrated on real data from experimental flights of an octocopter at NASA Langley Research Center, in presence of simulated obstacles and wind conditions. The proposed approach would enable risk-informed decision making process for timely mitigation of current and future unsafe events.
Conference Paper
Numerous research papers propose the operation of highly automated or autonomous small Unmanned Aircraft Systems (UAS) in low-altitude urban airspace. However, the operation of autonomous UAS introduces safety risks, such as unsafe proximity to people and property or collision with other traffic and obstacles. In order to approach these safety risks, technical means were proposed, including geo-fencing systems and autonomous collision avoidance systems. Humans will most likely stay an essential component in assuring safety during autonomous UAS operations, analyzing and supervising the output of the technical safety assurance systems. In a previous study, a Human Machine Interface (HMI) was developed, aiming to comprehensively visualize information stemming from the aforementioned safety assurance systems. The HMI enables an operator to simultaneously supervise multiple autonomous UAS in low-altitude urban airspace. An evaluation of the HMI was conducted with an online study using mock-ups of the HMI. Seven UAS pilots took part in the evaluation study and completed four experimental scenarios. This paper focuses on the usability and acceptability of the HMI. Further, its main advantages, disadvantages and suggestions for improvement obtained in an online questionnaire are presented. The findings of the evaluation show satisfying results for usability and acceptability. Even though, various suggestions for improvement of the HMI were obtained. Based on the results, the HMI will be improved for future studies and will ultimately be integrated into a simulation environment.
Conference Paper
Full-text available
System Safety Regulations (SSR) are a central component to the airworthiness certification of Unmanned Aircraft Systems (UAS). There is significant debate on the setting of appropriate SSR for UAS. Putting this debate aside, the challenge lies in how to apply the system safety process to UAS, which lack the data and operational heritage of conventionally piloted aircraft. The limited knowledge and lack of operational data result in uncertainty in the system safety assessment of UAS. This uncertainty can lead to incorrect compliance findings and the potential certification and operation of UAS that do not meet minimum safety performance requirements. The existing system safety assessment and compliance processes, as used for conventional piloted aviation, do not adequately account for the uncertainty, limiting the suitability of its application to UAS. This paper discusses the challenges of undertaking system safety assessments for UAS and presents current and envisaged research towards addressing these challenges. It aims to highlight the main advantages associated with adopting a risk based framework to the System Safety Performance Requirement (SSPR) compliance process that is capable of taking the uncertainty associated with each of the outputs of the system safety assessment process into consideration. Based on this study, it is made clear that developing a framework tailored to UAS, would allow for a more rational, transparent and systematic approach to decision making. This would reduce the need for conservative assumptions and take the risk posed by each UAS into consideration while determining its state of compliance to the system safety regulations.
Full-text available
There is much effort being directed towards the development of safety regulations for unmanned aircraft systems (UAS). National airworthiness authorities have advocated the adoption of a risk-based approach, whereby regulations are driven by the outcomes of a systematic process to assess and manage identified safety risks. Subsequently, models characterising the primary hazards associated with UAS operations have now become critical to the development of regulations and in turn, to the future of the industry. Key to the development of airworthiness regulations for UAS is a comprehensive understanding of the risks UAS operations pose to people and property on the ground. A comprehensive review of the literature identified 33 different models (and component sub models) used to estimate ground risk posed by UAS. These models comprise failure, impact location, recovery, stress, exposure, incident stress and harm sub-models. The underlying assumptions and treatment of uncertainties in each of these sub-models differ significantly between models, which can have a significant impact on the development of regulations. This paper reviews the state-of-the-art in research into UAS ground risk modelling, discusses how the various sub-models relate to the different components of the regulation, and explores how model-uncertainties potentially impact the development of regulations for UAS.
Full-text available
Population density is one of the key parameters for assessing the magnitude of population exposed to risk, and the better quality data we have, the better the assessment of risk. The aim of this study is to elaborate a high-resolution spatially distributed population density grid, which estimates population at the commune scale with a reliability of over 90%. The novelty of the approach is population density estimation in a regular European grid, based on buildings vector data collected in the national topographic database. Using abductive reasoning in combination with statistics and spatial analysis, the authors extract approximate information about a population from the large-scale topographic data. Moreover, linking the obtained population data with the cadastral data – by unique building identifier – allows for regular, quick and census survey-independent updates of the population surface. A shortcoming of the approach is the issue of the possible existence of two houses per family, which leads to an overestimation of population. However, in the study area it affected only two of the total 14 communes by 7%–9%.