All content in this area was uploaded by Ersin Ancel on Jun 28, 2019
In-Time Non-Participant Casualty Risk Assessment to Support
Onboard Decision Making for Autonomous Unmanned Aircraft
Ersin Ancel∗, Francisco M. Capristan† and John V. Foster‡
NASA Langley Research Center, Hampton, VA, 23681
Ryan C. Condotta§
Analytical Mechanics Associates, Inc., Hampton, VA, 23666, USA
Numerous operational paradigms, technologies, and missions are emerging as newcomers
to the National Airspace System (NAS) develop small Unmanned Aircraft Systems (sUAS),
personal air vehicles and other Urban Air Mobility (UAM) concepts. As the list of applications
expands, maintaining the safety of the current airspace system remains one of the core
concerns preventing widespread commercial implementation of these concepts. Further, the
risks associated with unmanned aircraft operations themselves have to be recognized and mitigated
in a timely manner. Safety-critical risks include, but are not limited to, flight outside
of approved airspace, unsafe proximity to people or property, critical system failures, loss-of-control,
and cyber-security related risks. Instead of reacting to accidents, a set of predictive
and data-driven risk monitoring, assessment, and mitigation capabilities is envisioned to
help capture and eliminate hazards as these systems become operational. NASA’s System-wide
Safety project is performing R&D on such a safety assurance concept. As part of this concept,
this paper describes an architecture that continuously monitors a diverse set of onboard
and ground-based sources to estimate and predict non-participant casualty risk during flight.
Timely identification of the changing nature of this risk can inform decision making processes
to mitigate current and impending situations.
I. Nomenclature
$A_C$ = Casualty Area
$A_P$ = Populated Area
$C$ = Casualties
$C_x$ = Aerodynamic Force or Moment Coefficient
$\gamma$ = Impact Angle
$\delta$ = Control Effector Input
$F$ = Aerodynamic Force
$H_p$ = Height of Person
$J$ = Rotor Advance Ratio
$L_{uav}$ = UAV Length
$M$ = Aerodynamic Moment
$N$ = Number of People in the Area of Interest
$P(C)$ = Expected Casualty Probability
$Q$ = Vector of Random Variables
$q$ = Possible Outcome of a Random Vector
$R_{uav}$ = Effective UAV Radius
$R_p$ = Radius of Person
$w_{span}$ = Wing span
$X$ = Vehicle State Parameters
∗Aerospace Engineer, Aeronautics System Analysis Branch, 1 N Dryden St, MS 442, Hampton, VA 23681, AIAA Member.
†Aerospace Engineer, Aeronautics System Analysis Branch, 1 N Dryden St, MS 442, Hampton, VA 23681, AIAA Member.
‡Aerospace Engineer, Flight Dynamics Branch, 8 Langley Blvd, MS 308, Hampton, VA 23681, AIAA Associate Fellow.
§Software Developer, Aeronautics System Analysis Branch, 1 N Dryden St, MS 442, Hampton, VA 23681, AIAA Member.
II. Introduction
New airspace operations such as those involving small Unmanned Aircraft Systems (sUAS) are rapidly emerging
within the commercial domain thanks to their anticipated benefits, potentially increasing security, safety and
productivity within law enforcement, emergency rescue, environmental and infrastructure monitoring, agriculture, and
other fields. Fueled by significant market interest, the industry, academia, and the government have been working
towards a seamless integration of sUAS into the National Airspace System (NAS) [1–3]. Demonstrating the safety of
these applications will be one of the key factors in wide-spread implementation. One of the major challenges for urban
UAS operations is to minimize the risk to the population on the ground in case of an aircraft malfunction that leads to
a crash. Timely hazard identification and proactive risk mitigation capabilities are critical in ensuring the safety of
these operations. NASA’s Aeronautics Research Mission Directorate (ARMD) strategic plan directs the development of
advanced in-time safety assurance tools that can monitor, assess and mitigate risks [4]. Within this plan, it is envisioned
that advanced safety assurance tools can be developed to leverage the increasing availability of data and the speed
and accuracy of associated data analysis tools. Consequently, an in-time safety assurance concept of operations was
introduced by the System-wide Safety (SWS) project for emerging autonomous low altitude operations near and over
populated urban areas [5]. This concept assumes a UAS Traffic Management (UTM) ecosystem to enable sharing of
safety-relevant information [5, 6]. As an element of the SWS concept, this paper provides an overview of an architecture
that utilizes various onboard and ground-based data to assess the potential for non-participant casualties when unmanned
aircraft operations are conducted over densely populated urban settings. The underlying work for this architecture was
based on the Unmanned Risk Assessment Framework (URAF) which was originally developed within NASA’s UTM
project [7]. An instantiation of the modular URAF architecture was developed and implemented for onboard execution
within the in-time safety assurance concept of operations∗. This paper outlines a baseline onboard risk assessment
capability that monitors and assesses a set of hazards throughout the flight. The identified risks are incorporated into
onboard contingency action selection and risk mitigation functions. The organization of this paper is as follows: Section
III provides the components of in-time risk assessment software developed from the URAF concept, Section IV presents
an overview of the core Flight System (cFS) architecture and the implementation of in-time risk assessment software
within the cFS environment, and Section V discusses potential onboard risk-informed decision making applications that
may be considered as future work.
III. In-Time Non-Participant Casualty Risk Assessment Framework
There are several publications relating to characterization of the impact of unmanned aircraft or its components to
the population or structures on the ground [3, 8–13]. The risk assessment estimation model presented in this paper is an
extension of the UTM Risk Assessment Framework (URAF) development which was previously documented in [7].
The framework consists of separate modules that utilize real-time aircraft health and environmental data to estimate the
risk to populated areas on the ground due to flight-critical failure on-board the aircraft. These modules include:
• A probabilistic graphical model that outputs mishap likelihood,
• An off-nominal trajectory and impact point prediction model that estimates the trajectory following a failure and
mishap location, and
• A severity estimation model that uses a combination of impact point location, high-resolution dynamic population
density data, roof penetration models and other onboard databases to determine the probability of experiencing
one or more casualties.
The URAF components given above were revisited to manage the potentially increased ground casualty risk
associated with low altitude urban operations within the SWS in-time safety assurance concept. Compared to the
previous iteration, the software was designed to be executed onboard which enables access to higher frequency,
more accurate, and more types of aircraft health and state vector data. This allows for the use of high-fidelity 6
Degrees-of-Freedom (6-DoF) vehicle trajectory prediction models to estimate the impact point throughout the flight.
Additionally, the use of high-resolution dynamic demographic data assists in estimating the movement of the population
of interest for more accurate potential casualty estimation. Finally, probabilistic failure likelihood estimation and
contingency prioritization models were added that execute in time to be delivered to the onboard autonomous decision
making algorithms. The following sections provide more details on key elements of the framework.
∗URAF components are also being incorporated into other pre-flight and in-flight risk assessment applications within the UTM project.
A. Failure Probability Estimation and Contingency Prioritization
One of the challenges associated with sUAS risk management is the limited amount of historical/operational data
which prohibits adequate UAS component and system reliability estimations. Due to rapidly changing system designs,
lack of quality assurance procedures, and the use of non-standardized components, the sUAS fleet carries a considerable
amount of uncertainty when it comes to establishing airworthiness assessments and regulatory procedures [14]. In
order to characterize the uncertainties within the system, the Bayesian approach was selected as the method to estimate
various hazardous conditions and the likelihood of these hazards to develop into accidents [7]. Besides the probabilistic
estimation of imminent failure occurrence, the Bayesian model also provides the list of alternative contingency actions
(e.g., flight termination, immediate landing, and return-to-launchpoint) and an assessment of their suitability considering
internal and external parameters (available power capacity, presence of wind/turbulence, contingency actions’ impact on
ground risk, etc.). Fig. 1 provides a generic Bayesian Belief Network (BBN) model designed for an octocopter UAS
in order to visualize the concept. In the current version, the BBN model receives vehicle health parameters (battery
charge level, GPS parameters, communication drop rate, individual electronic speed control (ESC) current and motor
temperatures) which are used to inform the status of major systems such as navigation, propulsion, communication, and
power system. Subsequently, the status of the main aircraft functions allows the prioritization of contingency alternatives
as well as estimation of loss of control probability†. The data for conditional probability tables (CPTs) behind each node
is populated by a combination of subject matter expert opinions and vehicle specific reliability data, where applicable.
The model outputs, namely, the LOC probability and mitigation prioritization, are delivered back to the cFS data bus as
decision making support, which is discussed in Section V.
Fig. 1 Mishap Likelihood and Contingency Prioritization Bayesian Belief Model.
B. Off-Nominal Trajectory and Impact Point Prediction
An important component of risk assessment is the ability to predict off-nominal flight trajectories and respective
impact points caused by influences such as atmospheric disturbances, control anomalies or propulsion failures. An “off-nominal”
condition can be defined as a significant deviation from the intended flight path or an extended loss-of-control
that results in extreme vehicle attitudes beyond the normal flight envelope. Of particular interest are those trajectories
that may impact an object or person, thereby increasing the probability of damage or injury. Some trajectories that
are a result of complete loss of propulsion or control can be predicted by low-order, ballistic methods. However,
many complex events, such as partial loss-of-control resulting in erratic and/or extended trajectories, may only be
adequately predicted by a six degree-of-freedom (6-DoF) flight dynamics simulation. The current research was aimed at
demonstrating high-fidelity trajectory estimation methods that are implementable in the URAF environment. Specific
objectives were assessing computational requirements, trajectory prediction accuracy, and data/database requirements
[15].
†Additional failure modes such as degraded aircraft control or aircraft flyaway situations can also be estimated using BBN models.
Recent NASA research has assessed the feasibility and data requirements for accurate trajectory predictions of
small UAS vehicles for off-nominal conditions using 6-DoF simulation methods [16–18]. These efforts have focused
on multirotor vehicles because of the sparsity of validated models for this class of vehicle especially for off-nominal
conditions. The approach was to develop a high-fidelity simulation aerodynamic database from existing ground-based
wind tunnel methods. Specifically this database was designed to be accurate for a wide range of flow incidence angles
and vehicle angular rates that could occur in an extreme loss-of-control event. The database was defined using a modular
architecture where separate aerodynamic models were developed for an isolated rotor and the bare airframe and then
merged to enable an n-rotor architecture. Photos of the wind tunnel test setup are shown in Fig. 2.
(a) Bare airframe testing in NASA LaRC 12-Foot wind tunnel
(b) Isolated propeller test configuration in NASA LaRC 12-Foot wind
tunnel
Fig. 2 Wind tunnel test apparatus for aerodynamic database development.
The aerodynamic model structure can be represented as:
$$F/M^{b} = F/M^{b}_{\text{propulsion}} + F/M^{b}_{\text{airframe}} + F/M^{b}_{\text{interaction}} \tag{1}$$
where $F$ represents aerodynamic forces and $M$ denotes aerodynamic moments on the respective body axes.
This structure assumes that the propulsion and airframe can be modeled independently and any interactions between
individual rotors or between the rotors and airframe can be accounted for separately. This approach enables the potential
for generic modeling where different propulsion systems or airframes can be substituted or the geometric location for
each rotor can be changed using the same propulsion model. It is recognized that interactions can be difficult to measure
and/or result in complex models and therefore the potential limitations to this approach should be considered.
Each term in Eq. (1) is a nonlinear function of non-dimensional similitude parameters which allows geometric and
mass scaling to various model sizes. For example, as represented in Eq. (2), propulsion forces and moments can be
modeled as a buildup of static terms (effect of steady flow angle and advance ratio) plus dynamic terms (effect of body
axis angular rates) plus any interactions between individual rotors where $C_x$ denotes aerodynamic force and moments
on the body axes.
$$C^{b}_{x} = C^{b}_{x_{\text{airframe}}} + C^{b}_{x_{\text{propulsion}}} + C^{b}_{x_{\text{rotor interaction}}} \tag{2}$$
While this “build-up” approach is often used for modeling of fixed-wing configurations, the use of this modeling
architecture remains a research area for multirotor aircraft.
The modeling approach described above allows for the inclusion of highly nonlinear phenomena unique to rotors.
For example, this database included a model of “vortex ring state”, a well-known behavior of rotary wing vehicles that
produces large oscillations in thrust during descending flight. The model development method for this phenomenon is
described in [16].
The nonlinear equations of motion used in the 6-DoF simulation are of the form in Eq. (3) and are described in detail
in [3]. Trajectories are computed by numerical integration of Eq. (3) where $X$ denotes vehicle state parameters, $\delta$ is
given as control effector input, and $J$ is the rotor advance ratio.
$$\dot{X} = f\left(X^{b}, \delta^{b}, J, F/M^{b}\right) \tag{3}$$
Results of simulation testing to date have demonstrated the ability to predict highly non-linear trajectories due to
propulsion failures, vortex ring state encounters, and control failures [16]. Research is continuing in several areas to
further advance the feasibility and determine modeling and simulation requirements for onboard/in-time trajectory
prediction. Aerodynamic modeling research is continuing to address the effects of high vehicle angular rates on
propulsion performance and on aerodynamic interactions between the propulsion system and airframe. Modeling of
other critical off-nominal conditions such as turbulence, sensor failures and control degradation remains the subject of
ongoing research with the goal of further advancing the range of off-nominal events that can be predicted. Efforts are in
progress to demonstrate the feasibility of a generic n-rotor simulation approach which will allow trajectory prediction for
a large range of multirotor vehicles. Additional research will include probabilistic methods for characterizing trajectory
dispersions and ground impact areas. A challenge in this approach is the development of realistic parameter dispersions
unique to multirotor vehicles such as those applicable to environmental disturbances, aerodynamic behaviors, and
avionics anomalies.
C. Severity Estimation
Within the context of this paper, risk of casualty following a sUAS crash is used as a proxy for severity estimation.
In order to estimate likelihood of casualty, several components are needed: 1) a predicted off-nominal trajectory and
impact point or area (described in Section III.B), 2) estimation of population density within the flight/impact area,
and 3) impact characteristics including impact angle, velocity, and consideration of sheltering effects. The following
subsections provide the formulation for severity estimation.
1. High-resolution Population Density Data
The benefit of employing a high-fidelity impact point estimation model can be sensitive to the resolution of the
available population density data for the given location and point in time. Acquiring quality population density data is
often the bottleneck in estimating casualty risk due to its dynamic nature. Ground risk assessment studies often employ
median population density values for rural, suburban, and urban settings [3, 19, 20]. However, this constitutes a gross
estimation which does not take several important parameters into consideration such as time of the day, day of the
week, or time of the year. Especially for high density urban settings, the population density can differ significantly
throughout the day (e.g. during commuting and lunch periods) or grow substantially due to an open air assembly (e.g.
sporting events and concerts) [3]. A more accurate representation of population density and movement is paramount for
several areas of research including food security, climate change, natural disasters, and city planning [21, 22]. Recently,
geolocation data obtained from mobile phones has been shown to overcome the limitations of census based solutions
given the ubiquitous use of smart phones [23]. In order to better capture and demonstrate the dynamic aspects of
population density within an urban environment, the concept provided in this paper employs a dataset acquired from a
commercial company which specializes in population analytics and location-based data solutions‡. The commercially
available population activity density data provides movements of population within the area of interest at a 10m x 10m
resolution in one hour increments, typically with a two month processing delay. However, it is important to note that
although the population density data remains historical, it provides a dynamic and higher resolution representation of
expected population density. For instance, population activity data observed on July 4th, 2017 for a given hour can be
used to approximate the 2018 values. A sample dataset for downtown San Francisco for July 4th, 2017 between 7PM
and 8PM is given in heat map representation in Fig. 3.
2. Probability of Casualties
As stated previously, the probability of casualties due to a UAS crash over an urban environment needs to be
estimated in order to fully account for the risks associated with the flight. Because of the hard to predict nature of
population dynamics and the large number of uncertainties, a probabilistic model is best suited for this task. For this
reason, the severity estimation module was developed within the URAF framework to estimate the expected number of
casualties§. This model uses population density, sheltering effects, casualty impact
area, and the kinetic energy at impact to determine the severity of a mishap. This work expands on the previous
probabilistic model within the URAF architecture [7] (where only the expected number of casualties was compared) by
adding information regarding the probability of impacting one or more casualties. This type of approach enhances the
formulation in regards to the severity of the mishap as well as being useful in hypothetical scenarios where the exact
location of people is known.
‡For testing, population density activity data was acquired for Reno, NV, San Francisco Metropolitan Statistical Area, CA, and Corpus Christi,
TX from AirSage, Inc.
§These estimates can be computed prior to flight (based on a flight plan and failure scenarios), or continuously during flight (based on real-time
conditions).
Fig. 3 Sample Population Density Data for the City of San Francisco.
Within the context of this paper, the metric to quantify the risk to 3rd party or uninvolved public is the probability of
causing one or more casualties. In order to compute this metric, first, the casualty area for people in the open (i.e., not in
buildings or otherwise sheltered) is considered as:
$$A_C = (w_{span} + 2R_p)\left(L_{uav} + \frac{H_p}{\tan\gamma} + 2R_p\right) \tag{4}$$
where $w_{span}$ represents the wing span, $R_p$ is the radius of a person, $L_{uav}$ is the length of the UAV, $H_p$ is the person’s
height, and $\gamma$ is the impact angle with respect to the ground [24, 25]. This formulation serves well for fixed wing UAVs;
however, a more general formulation that includes quadcopters is given by
$$A_C = \pi (R_p + R_{uav})^2 + 2 (R_p + R_{uav}) \frac{H_p}{\tan\gamma} \tag{5}$$
where $R_{uav}$ is the characteristic radius that is used to define the UAV geometry as a circle.
The casualty area is defined such that any person inside it can be considered a casualty. By assuming that people can
be randomly located anywhere inside a populated area, $A_P$, the probability that a specific person will be a casualty is
simply expressed by $A_C/A_P$. Figure 4 illustrates the casualty area with respect to the populated area.
Fig. 4 Casualty Area Schematic
Note that $\gamma$, as seen in Eqs. (4) and (5), is a function of the trajectory, which in turn is a function of the uncertain
parameters due to the malfunction mode, vehicle aerodynamics, and atmospheric conditions. For simplicity, these
uncertain parameters are grouped together and represented by the variable $Q$, where $Q = (Q_1, Q_2, \cdots, Q_k)$. The
probability of $c$ casualties given a set of parameters, $q$, follows a binomial distribution and is given by:
$$P(C = c \mid Q = q) = \frac{N_q!}{(N_q - c)!} \left(\frac{A_{C_q}}{A_{P_q}}\right)^{c} \left(1 - \frac{A_{C_q}}{A_{P_q}}\right)^{N_q - c} \tag{6}$$
where $N$ represents the number of people in the populated area. The subscript $q$ shows the dependency on the uncertain
parameters $Q$. This dependency is due to the fact that the impact point and trajectory approach angle, which affect the
number of people in the population density, are a function of different uncertain parameters. By using the law of total
probability, the equation becomes:
$$P(C) = \int P(C \mid Q)\, f(Q)\, dQ \tag{7}$$
where $f(Q)$ represents the joint distribution of $Q$. This can be approximated by using Monte Carlo techniques such that
$$P(C) \approx \frac{1}{M} \sum_{i=1}^{M} P(C \mid Q^{(i)}) \tag{8}$$
Finally, the probability of having $n$ or more casualties in a populated area $A_P$ can be expressed by computing the
cumulative distribution of $P(C)$. This formulation can be easily extended to the different sheltering categories by
modifying the casualty area formulation. The effects of sheltering on casualty estimation for various roof styles were
previously demonstrated in [7]. The methodology shown in this paper can be modified to reflect sheltering effects.
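The computation in Eqs. (5), (6) and (8) can be carried through numerically; the following Python sketch is an added example, not code from the paper or from the URAF software. The person and vehicle dimensions, the 4 x 4 grid of per-cell people counts, and the uniform 20 to 80 degree impact-angle draw are constructed assumptions that stand in for the population dataset and the trajectory model.

```python
import math
import random

# Constructed illustration values (assumptions, not taken from the paper).
R_PERSON = 0.3     # R_p, metres
H_PERSON = 1.8     # H_p, metres
R_UAV = 0.5        # R_uav, metres
CELL_AREA = 100.0  # A_P of one 10 m x 10 m population cell, square metres

# Constructed people counts per 10 m x 10 m cell around a predicted impact area.
SAMPLE_GRID = [
    [0, 0, 1, 0],
    [0, 3, 5, 1],
    [1, 4, 8, 2],
    [0, 1, 2, 0],
]


def casualty_area(gamma_rad, r_person=R_PERSON, r_uav=R_UAV, h_person=H_PERSON):
    """Eq. (5): circular footprint plus the strip swept while descending H_p."""
    if not 0.0 < gamma_rad <= math.pi / 2:
        raise ValueError("impact angle must be in (0, pi/2] radians")
    r = r_person + r_uav
    return math.pi * r ** 2 + 2.0 * r * h_person / math.tan(gamma_rad)


def p_at_least(n, n_people, a_c, a_p):
    """P(C >= n | Q = q) under the binomial model named in the text (Eq. 6).

    math.comb supplies the binomial coefficient; the cumulative sum over
    c < n is subtracted from 1 to obtain "n or more casualties".
    """
    p = min(a_c / a_p, 1.0)  # a shallow impact cannot give a probability above 1
    below = sum(
        math.comb(n_people, c) * p ** c * (1.0 - p) ** (n_people - c)
        for c in range(min(n, n_people + 1))
    )
    return max(0.0, 1.0 - below)


def estimate(samples, n=1):
    """Eq. (8): average P(C >= n | Q^(i)) over M sampled outcomes of Q.

    Each sample is (gamma_rad, n_people, a_p): the impact angle and the
    population cell hit by one simulated off-nominal trajectory.
    """
    if not samples:
        raise ValueError("need at least one sample")
    total = 0.0
    for gamma_rad, n_people, a_p in samples:
        total += p_at_least(n, n_people, casualty_area(gamma_rad), a_p)
    return total / len(samples)


def draw_samples(m, seed, grid=SAMPLE_GRID):
    """Stand-in for the trajectory model: random impact cell and impact angle."""
    rng = random.Random(seed)
    cells = [count for row in grid for count in row]
    return [
        (math.radians(rng.uniform(20.0, 80.0)), rng.choice(cells), CELL_AREA)
        for _ in range(m)
    ]


if __name__ == "__main__":
    samples = draw_samples(m=5000, seed=1)
    for n in (1, 2, 3):
        print(f"P(C >= {n}) ~ {estimate(samples, n):.4f}")
```

In an onboard setting the samples would come from the trajectory and population models rather than from `draw_samples`, and the averaging step stays the same.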
D. Risk Construct
As previously stated in Sections III.A and III.C, the risk assessment module estimates mishap likelihood and
probability of causing one or more casualties, respectively. Onboard, these values are transmitted to the cFS
communication bus (discussed in Section V) along with a quantized risk value (i.e., low, medium, high) which is
based on a modified FAA Risk Matrix [26]. However, at the time of writing, FAA does not provide specific guidance
on likelihood and severity definitions for unmanned aircraft flight operation risk over populated areas [19], thus, it
], thus, it
is important to note that the acceptable thresholds for severity (minimal, minor, major, catastrophic) and likelihood
(frequent, probable, remote, and improbable) were chosen arbitrarily here for the purposes of concept evaluation and
demonstration (Fig. 5). As an extension to the current approach, a modified version of the Specific Operation Risk
Assessment (SORA) methodology developed by Joint Authorities for Rulemaking on Unmanned Systems (JARUS)
could be considered. JARUS SORA methodology was based on the principle of a holistic/total system safety risk-based
assessment model used to evaluate ground and air risks related to a given operation [19]. The SORA methodology also
provides guidance on assessing residual risks following the use of strategic and tactical mitigations. These aspects will
be incorporated into future versions of the framework presented here.
Fig. 5 Notional Risk Matrix.
IV. core Flight System (cFS) Architecture Integration
The framework discussed in Section III was designed to be operated onboard the aircraft to support risk-informed
decision making throughout the flight. This decision-making function may be performed by a remote operator or pilot,
but this framework particularly focuses on supporting autonomous/automated decision-making functions onboard. A
baseline capability was tested as part of the larger SWS system construct which made use of NASA’s cFS architecture.
cFS was originally developed by Goddard Space Flight Center for spacecraft flight software systems¶.
A. core Flight System (cFS)
NASA’s cFS is a platform, a software framework, and an environment that is designed to develop and re-use flight
software applications. The stable and robust cFS architecture allows the communication of independently-executing
functions over a shared information bus, similar to applications communicating through a cloud based structure
(Fig. 6). This allows independent development and testing of various applications that will perform as monitoring,
assessment and mitigation functions within the SWS safety assurance system concept [5]. The in-time non-participant
risk assessment software described in this paper is packaged as an application that performs monitoring (via sensor data
fusion and interpretation), assessment (development of the dynamic risk construct) and contingency action/mitigation
(via suggestions developed by Bayesian models) functions. The dynamic risk and associated contingency actions
are broadcast within the cFS bus to other applications that are tasked with decision making and execution of these
contingencies.
B. Onboard In-Time Risk Assessment Software
1. Structure
The onboard risk assessment capability presented in this paper was initially implemented and tested on the cFS
architecture which was in turn implemented on a small multi-rotor UAS platform. Within the cFS architecture, besides
applications, users can also develop libraries. The term library refers to functions that can only be called within other
applications present in the cFS architecture. The libraries do not interact with the cFS software bus and they run
independently. This structure not only enables simultaneous use of the functionality by multiple applications but also
allows relatively faster execution time which proves to be essential for proactive decision making capability. The in-time
risk assessment software was developed as a library, allowing for other onboard applications to call the core functionality
as well as the underlying models of the software, individually (i.e., trajectory, severity, likelihood). Additionally, an
application was developed to use this library so that the combined functionality of the risk assessment software can be
executed and broadcast on the software bus.
¶See http://cfs.gsfc.nasa.gov for further information on cFS.
Fig. 6 cFS Architecture for Testing In-Time Safety Assurance System Concepts [5].
2. Inputs and Outputs
The components of the framework described in Section III are implemented within the cFS architecture as given
in Fig. 7. The risk assessment software receives dynamic aircraft position and health information via standard
onboard systems within the Micro Air Vehicle Link (MAVLink) structure‖. Additionally, within the in-time safety
assurance concept, the UTM ecosystem components∗∗ (Supplemental Data Service Providers (SDSPs) and UAS Service
Supplier (USS) among others) provide weather, traffic and other pertinent flight information which is accessible via cFS
architecture. Using the data sources obtained from cFS and carried onboard, the in-time risk application constructs
and combines the submodels (population density, likelihood, trajectory, and severity models) to estimate instantaneous
mishap risk, the preferred contingency action considering available resources as well as the predicted impact point.
These output variables in addition to the individual model outputs and data are broadcast to the software bus for other
applications to use (e.g. decision-making functions regarding executing contingencies). The software output parameters
are also accessible via the library functionality, if preferred (e.g. to overcome bus speed limitations).
Fig. 7 In-Time Risk Assessment interactions with the cFS Architecture.
‖MAVLink is a protocol developed for communication between unmanned vehicles and the ground control stations as well as the
inter-communication among the subsystems of the vehicle. See https://mavlink.io/en/ for further documentation.
∗∗See Refs.[5,6] for further information on SDSPs and USSs.
3. Software-in-the-Loop and Flight Testing
As previously stated, the non-participant risk assessment software resides on the aircraft and is primarily designed to
inform other onboard decision making and trajectory guidance software. At this time, there is no in-flight visualization
for the ground control station operator consumption, however, the output of the risk application which is transmitted over
the cFS bus is recorded and available for post-flight analysis. Additionally, a software-in-the-loop (SITL) simulation
is developed to visualize the flight environment and observe/record the interactions among the cFS applications, risk
application functions and MAVLink messages. SITL provides a simulation environment where the capabilities of
the code can be tested without the need to use flight hardware to run ArduPilot†† software. The SITL is capable of
generating vehicle-specific flight dynamic data as well as simulated aircraft sensor data which are relayed through a
telemetry port connection. The cFS architecture receives the aircraft state vectors and sensor data via the telemetry port
and subsequently disseminates the information throughout the system to all of the resident cFS applications, including
the risk assessment software. This process is continued until the simulation is ended or the connection is broken.
Figure 8 provides the SITL setup used to test the software. A command line interface is used to deliver commands
to the autopilot (upper-left corner). A map is employed to define and display the flight mission for testing (lower-left
corner). A console displays the general characteristics of mode and progression features (upper-right corner). Finally,
a command prompt display provides the cFS data stream and risk assessment software outputs, namely, the contingency
action probabilities (abort, land, return-to-base, or continue flight), loss of control probability, casualty probability, and
notional risk matrix outputs (lower-right corner).
Fig. 8 User Interfaces for Software-in-the-Loop Testing
††ArduPilot is an open source unmanned aircraft flight software capable of controlling numerous autonomous aircraft and is used as a research
platform for this effort, see http://ardupilot.org for further details.
V. Decision Making Support
The components of the risk assessment software described in the previous sections were primarily developed to
explore the design space toward enabling the concept described in [5] which envisions a scalable system that can
be tailored to a specific domain and its inherent risks. This system should be capable of integrating a diverse set of
operational and environmental data to monitor and assess the likelihood of risk and hazard states. Once potential risks
are identified and evaluated, the objective is to mitigate these hazardous conditions via automated planning and execution
of timely responses. The software architecture discussed in this paper is initially aimed at monitoring and assessment
functions associated with non-participant casualties. The sections below discuss planned R&D and approaches that
would apply this risk assessment software and framework to autonomous risk mitigation.
A. Path Planning
One of the planned uses of the onboard assessment of ground impact risk is to assist the autonomous path planning
function. It is envisioned that future autonomous UAS systems will be equipped with obstacle-avoidance functionality
which will re-route or follow pre-determined contingency measures. In cases where the aircraft has to be diverted
due to a detected obstacle or aircraft, the re-routing algorithm would primarily ensure that the obstacle or aircraft is
cleared while selecting and executing the mitigation action. During the diversion, the path planning algorithm could
be informed of the ground casualty risk of alternative paths in addition to existing parameters (available resources,
airspace/geofence limitations, etc.). Alternatively, given that the risk assessment software collects, analyses, and
disseminates aircraft health data, the decision making algorithm can have access to the available aircraft resources prior
to selecting a particular action (e.g., detect and avoid, geofence conformance, return to base, and return to mission). An
example detect-and-avoid technology called ICAROUS (Integrated Configurable Algorithms for Reliable Operations of
Unmanned Systems) provides a flexible autonomous decision making platform that allows modular integration with
other onboard hardware and software [27]. Initial research is underway to apply the risk assessment functions described
previously in concert with ICAROUS-based functions (also implemented within the cFS architecture). ICAROUS can
proactively query the risk of alternative paths, allowing the integration of the non-participant casualty risk capability
into determination and direction of detect-and-avoid or other contingency maneuvers (e.g. land, return-to-launchpoint).
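The path-risk query described above, as an added illustration (not the paper's or NASA's code): candidate paths are dropped if they leave the permitted area or exceed the available energy, and the rest are ranked by expected non-participant casualties. It assumes a simplified model (failure probability per metre flown × population density × casualty area, with impact directly below the failure point); the grid, paths, names and numbers are all constructed.

```python
from dataclasses import dataclass

CELL_M = 100.0  # grid cell size in metres
# Constructed sample map: people per m^2; row index = north, column index = east.
DENSITY = [[0.0001, 0.0001, 0.0001, 0.0001],
           [0.0001, 0.0050, 0.0080, 0.0001],
           [0.0001, 0.0001, 0.0020, 0.0001]]

@dataclass
class Path:
    name: str
    waypoints: list          # [(east_m, north_m), ...]
    energy_needed_wh: float  # constructed figure for the resource check

# Constructed route options from (50, 150) to (350, 150).
CANDIDATES = [
    Path("direct", [(50, 150), (350, 150)], 6.0),
    Path("north", [(50, 150), (50, 250), (350, 250), (350, 150)], 10.0),
    Path("south", [(50, 150), (50, 50), (350, 50), (350, 150)], 14.0),
]

def density_at(x, y):
    """Density under a point, or None outside the map (treated as outside the geofence)."""
    col, row = int(x // CELL_M), int(y // CELL_M)
    if x < 0 or y < 0 or row >= len(DENSITY) or col >= len(DENSITY[0]):
        return None
    return DENSITY[row][col]

def path_risk(path, p_fail_per_m, casualty_area_m2, step_m=10.0):
    """Expected casualties: sum of P(failure in step) * density * casualty area."""
    total = 0.0
    for (x0, y0), (x1, y1) in zip(path.waypoints, path.waypoints[1:]):
        length = ((x1 - x0) ** 2 + (y1 - y0) ** 2) ** 0.5
        n = max(1, round(length / step_m))
        for i in range(n):
            t = (i + 0.5) / n  # sample the midpoint of each step
            rho = density_at(x0 + t * (x1 - x0), y0 + t * (y1 - y0))
            if rho is None:
                return None  # path leaves the permitted area
            total += p_fail_per_m * (length / n) * rho * casualty_area_m2
    return total

def select_path(paths, energy_available_wh, p_fail_per_m=1e-6, casualty_area_m2=2.0):
    """Return (lowest-risk feasible path name, {name: risk}); infeasible paths are dropped."""
    risks = {}
    for p in paths:
        risk = path_risk(p, p_fail_per_m, casualty_area_m2)
        if risk is not None and p.energy_needed_wh <= energy_available_wh:
            risks[p.name] = risk
    return (min(risks, key=risks.get) if risks else None), risks
```

With 12 Wh available the lowest-risk "south" route is excluded by the energy check, so the planner falls back to "north" rather than the shorter but more densely populated "direct" route.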
B. Contingency Planning
As part of the risk assessment process, the onboard BBN model considers raw aircraft telemetry values as well as
potential SDSP-based health and environmental assessment services to produce two outputs: off-nominal condition
probabilities (e.g., loss-of-control risk for the current iteration of the architecture) and a suggested mitigation action
based on the current and projected aircraft health. If the safety margins deteriorate below acceptable levels, the risk
software outputs the preferred mitigation action (abort, land, return-to-base, or continue flight) to the cFS bus. This
information can be used to inform the autopilot or the ground control station (GCS) operator of the imminent risk and
recommended action within the aircraft’s capability.
C. Highly Autonomous Low Altitude Urban Operation Support
Within the emerging urban operations domain, the in-time safety assurance concept assumes that an information
sharing infrastructure will be present. This infrastructure would be able to collect, disseminate and update large-scale
data obtained from on-board and off-board sensors and services as required to meet mission-specific safety requirements.
The SWS ConOps highlights pre-flight, in-flight, and post-flight utilization of the architecture. During the pre-flight
phase, GCS operators would reach out to generally available broadcast data or opt in to mission-specific or request-reply
type information. The data, which could be obtained from recent observations or forecast models, would advise the
operator and/or onboard safety software before the flight. For instance, trajectory-specific, low-altitude wind gust and
turbulence data or expected population density surrounding the flight plan provided by SDSPs will inform the operator,
potentially resulting in a revised flight plan or launch window [5]. Alternatively, an SDSP providing a pre-flight
non-participant casualty assessment service could be used‡‡. During the flight, via pre-loaded data, observed variables,
models, and dynamic SDSPs, the aircraft will continuously monitor and assess current and future flight risks. The
architecture provided within this paper would be one implementation of such an onboard risk assessment capability.
Finally, following the flight, data observed throughout the mission would be uploaded to the relevant service providers.
The post-flight information would be used to update the SDSPs (e.g., observed wind or population density activity) and
to validate the supporting models (e.g. aerodynamic models) [5]. Within the SWS ConOps, the pre-flight and in-flight
risk assessment instantiations would continuously co-operate and work towards providing the most up-to-date ground
risk information via the information sharing infrastructure.
‡‡Ground Risk Assessment Risk Provider (GRASP) SDSP is currently being developed under the UTM project plan.
VI. Concluding Remarks and Next Steps
As projected demand for unmanned aircraft operations increases, assuring the safety of such operations will play
a significant role in determining the degree of widespread use - it will become either the enabler or the constraint.
This will also be the case for future concepts like personal air vehicles and UAM concepts. As part of an overarching
approach to safety assurance for emerging highly-autonomous operations, this paper presents an onboard architecture
that monitors vehicle-specific parameters by integrating aircraft health data as well as other data carried onboard (e.g.
population density and wind speed/gust information). The information is used to assess casualty risk with regard to the
current aircraft position and its future path. Research will continue toward improving the components of the onboard
risk assessment service by incorporating additional failure models into the Bayesian network as well as the 6DoF
model, and by providing dynamic updating capability to the population density and environmental factors models. Additionally,
the framework will be expanded to estimate property/building damage. Finally, the risk assessment capability will be
integrated with decision making functions (such as those intended to activate fail-safe contingencies when off-nominal
conditions occur or are predicted to occur).
Acknowledgments
The work presented here was supported by NASA System-wide Safety (SWS) and Unmanned Aircraft System
(UAS) Traffic Management (UTM) projects.
References
[1] Ten Harmsel, A. J., Olson, I. J., and Atkins, E. M., “Emergency Flight Planning for an Energy-Constrained Multicopter,”
Journal of Intelligent & Robotic Systems, Vol. 85, No. 1, 2017, pp. 145–165. doi:10.1007/s10846-016-0370-z.
[2] National Academies of Sciences, E., and Medicine, Assessing the Risks of Integrating Unmanned Aircraft Systems (UAS) into
the National Airspace System, The National Academies Press, 2018. doi:10.17226/25143.
[3] Breunig, J., Forman, J., Sayed, S., Audenaerd, L., Branch, A., and Hadjimichael, M., “Modeling Ground Collision Severity of
Small Unmanned Aircraft Systems,” 2018 Aviation Technology, Integration, and Operations (ATIO) Conference, American
Institute of Aeronautics and Astronautics, 2018. doi:10.2514/6.2018-3349.
[4] National Aeronautics and Space Administration, “NASA Aeronautics Strategic Implementation Plan: 2017 Update,” 2017.
URL https://www.nasa.gov/aeroresearch/strategy.
[5] Young, S. D., Quach, C. P., Goebel, K., and Nowinski, J., “In-Time Safety Assurance Systems for Emerging Autonomous Flight
Operations,” IEEE/AIAA 37th Digital Avionics Systems Conference (DASC), 2018.
[6] Kopardekar, P., Rios, J., Prevot, T., Johnson, M., Jung, J., and III, J. E. R., “Unmanned Aircraft System Traffic Management
(UTM) Concept of Operations,” 16th AIAA Aviation Technology, Integration, and Operations (ATIO) Conference, American
Institute of Aeronautics and Astronautics, 2016. doi:10.2514/6.2016-3292.
[7] Ancel, E., Capristan, F., Foster, J. V., and Condotta, R., “Real-time Risk Assessment Framework for Unmanned Aircraft System
(UAS) Traffic Management (UTM),” Aviation Technology, Integration, and Operations (ATIO) Conference, American Institute
of Aeronautics and Astronautics, 2017. doi:10.2514/6.2017-3273.
[8] Washington, A., Clothier, R. A., and Silva, J., “A Review of Unmanned Aircraft System Ground Risk Models,” Progress in
Aerospace Sciences, Vol. 95, 2017, pp. 24–44. doi:10.1016/j.paerosci.2017.10.001.
[9] Clothier, R. A., and Walker, R. A., Safety Risk Management of Unmanned Aircraft Systems, Springer Netherlands, Dordrecht,
2015, pp. 2229–2275. doi:10.1007/978-90-481-9707-1_39.
[10] Ford, A., and McEntee, K., “Assessment of the Risk to Ground Population Due to an Unmanned Aircraft In-Flight Failure,” 10th
AIAA Aviation Technology, Integration, and Operations (ATIO) Conference, American Institute of Aeronautics and Astronautics,
2010. doi:10.2514/6.2010-9056.
[11] Lazatin, J., “A Method for Risk Estimation Analysis for Unmanned Aerial System Operation over Populated Areas,” 14th AIAA
Aviation Technology, Integration, and Operations (ATIO) Conference, American Institute of Aeronautics and Astronautics,
2014. doi:10.2514/6.2014-2284.
[12] Lum, C., Gauksheim, K., Deseure, C., Vagners, J., and McGeer, T., “Assessing and Estimating Risk of Operating Unmanned
Aerial Systems in Populated Areas,” 11th Aviation Technology, Integration, and Operations (ATIO) Conference, American
Institute of Aeronautics and Astronautics, 2011. doi:10.2514/6.2011-6918.
[13] Olson, I., and Atkins, E. M., “Qualitative Failure Analysis for a Small Quadrotor Unmanned Aircraft System,” AIAA Guidance,
Navigation, and Control (GNC) Conference, American Institute of Aeronautics and Astronautics, 2013. doi:10.2514/6.2013-4761.
[14] Washington, A., Clothier, R., and Silva, J., “Managing Uncertainty in Unmanned Aircraft System Safety Performance
Requirements Compliance Process,” 20th International Conference on Unmanned Aircraft Systems (ICUAS 2018), 2018.
doi:10.1999/1307-6892/10008962.
[15] Corbetta, M., Banerjee, P., Okolo, W., Gorospe, G., and Luchinsky, D. G., “Real-time UAV Trajectory Prediction for Safety
Monitoring in Low-Altitude Airspace,” Aviation Forum 2019, American Institute of Aeronautics and Astronautics, 2019.
[16] Foster, J. V., and Hartman, D. C., “High-Fidelity Multi-Rotor Unmanned Aircraft System Simulation Development for Trajectory
Prediction Under Off-Nominal Flight Dynamics,” Aviation Technology, Integration, and Operations (ATIO) Conference,
American Institute of Aeronautics and Astronautics, 2017. doi:10.2514/6.2017-3271.
[17] Foster, J. V., Hartman, D. C., and Miller, L. J., “Recent NASA Research on Multirotor Flight Dynamics in Off-Nominal
Conditions,” Presented at the Aerospace Control and Guidance System Committee (ACGSC) Meeting, 11-13 April, 2018.
[18] Hartman, D. C., “Identification of Hazardous Flight Conditions to Establish a Safe Flight Envelope for Autonomous Multirotor
Aircraft,” AIAA SciTech Forum 2019, American Institute of Aeronautics and Astronautics, 2019. doi:10.2514/6.2019-1292.
[19] Joint Authorities for Rulemaking of Unmanned Systems, “JARUS Guidelines on Specific Operations Risk Assessment (SORA),”
JAR-DEL-WG6-D.04, 2017.
[20] Melnyk, R., Schrage, D., Volovoi, V., and Jimenez, H., “A Third-Party Casualty Risk Model for Unmanned Aircraft System
Operations,” Reliability Engineering & System Safety, Vol. 124, 2014, pp. 105–116. doi:10.1016/j.ress.2013.11.016.
[21] Calka, B., Costa, J. N. D., and Bielecka, E., “Fine Scale Population Density Data and its Application in Risk Assessment,”
Geomatics, Natural Hazards and Risk, Vol. 8, No. 2, 2017, pp. 1440–1455. doi:10.1080/19475705.2017.1345792.
[22] Deville, P., Linard, C., Martin, S., Gilbert, M., Stevens, F. R., Gaughan, A. E., Blondel, V. D., and Tatem, A. J., “Dynamic
population mapping using mobile phone data,” Proceedings of the National Academy of Sciences, Vol. 111, No. 45, 2014, pp.
15888–15893. doi:10.1073/pnas.1408439111.
[23] Dan, Y., and He, Z., “A Dynamic Model for Urban Population Density Estimation Using Mobile Phone Location Data,” 5th
IEEE Conference on Industrial Electronics and Applications, 2010, pp. 1429–1433. doi:10.1109/ICIEA.2010.5514844.
[24] Clothier, R. A., Palmer, J. L., Walker, R. A., and Fulton, N. L., “Definition of Airworthiness Categories for Civil Unmanned
Aircraft Systems (UAS),” 27th International Congress of the Aeronautical Sciences, ICAS, 2010.
[25] Lum, C., and Waggoner, B., “A Risk Based Paradigm and Model for Unmanned Aerial Systems in the National Airspace,”
Infotech@Aerospace Conferences, American Institute of Aeronautics and Astronautics, 2011. doi:10.2514/6.2011-1424.
[26] Federal Aviation Administration, “Safety Management Risk Policy (FAA Order 8040.4B),” 2017.
[27] Consiglio, M., Muñoz, C., Hagen, G., Narkawicz, A., and Balachandran, S., “ICAROUS: Integrated Configurable Algorithms for
Reliable Operations of Unmanned Systems,” 35th Digital Avionics Systems Conference (DASC 2016), Sacramento, California,
US, 2016.