Commercial in Confidence
Unmanned Aircraft System (UAS) Safety Case Development
Functional Hazard Assessment (FHA) Report for Unmanned
Aircraft Systems
Reference: P09005.10.5
Date: 04 September 2009
Issue: v1.0
Prepared by:
Hayley Burdett
Checked by:
Joanne Stoker
Authorised by:
Alan Simpson
Distribution:
EUROCONTROL: Holger Matthiesen, Chris Machin, Don Harris, Mike Strong
Ebeni: Hayley Burdett, Joanne Stoker, Alan Simpson, Project File
Functional Hazard Assessment (FHA) Report for Unmanned Aircraft Systems P09005.10.5
Commercial in Confidence Page 2 of 81
© Copyright
The layout, style, logo and contents of this document are copyright of Ebeni Limited 2009. No part
of this document may be reproduced without the prior written permission of Ebeni Limited. All
rights reserved.
Configuration Control
Issue | Date | Comments
v0.1 | 10 June 2009 | Initial draft for internal review
v0.2 | 10 July 2009 | Draft issue following internal review
v0.3 | 22 July 2009 | Provisional issue for EUROCONTROL review
v1.0 | 04 Sept 2009 | Definitive issue incorporating EUROCONTROL review comments
Table of Contents
1 Introduction 6
1.1 Background 6
1.2 UAS Safety Assessment 6
1.3 UAS Today 6
1.4 Aim 7
1.5 Scope 7
1.6 Structure 8
2 Functional Hazard Assessment Overview 9
2.1 Introduction 9
2.2 FHA Process 9
2.3 FHA Objectives 10
2.4 UAS Safety Assessment Workshop 10
3 System Definition and Scope of Analysis 11
3.1 UAS Operational Scenarios 11
3.2 Defining the Scope for the FHA Activity 12
3.3 Air Traffic Management Concept 13
3.3.1 Separation Provision Component 14
3.3.2 Collision Avoidance Component 15
3.4 Operational Perspectives 15
3.5 UAS Characteristics 17
3.6 Scoping Statements 19
3.7 Assumptions 20
3.8 Unmanned Aircraft System Models 21
3.8.1 Flight Profiles 21
3.8.2 Functional Models 21
4 Function Hazard Assessment Results 22
4.1 Overview 22
4.2 Hazard Identification Approach 22
4.3 Hazard Identification Results 24
4.4 Consequence Analysis 26
4.4.1 Mitigations for HAZ001 26
4.4.2 Mitigations for HAZ002 28
4.4.3 Mitigations for HAZ003 28
4.4.4 Mitigations for HAZ004 29
4.4.5 Mitigations for HAZ005 30
4.4.6 Mitigations for HAZ006 30
4.4.7 Mitigations for HAZ007 31
4.4.8 Mitigations for HAZ008 32
4.4.9 Mitigations for HAZ009 32
4.4.10 Mitigations for HAZ010 33
4.5 Analysis Conclusions 33
4.6 Safety Objectives 33
5 Conclusions 35
6 References 36
Appendix A UAS Safety Assessment Workshop Agenda and Participants 37
A.1 UAS Workshop Agenda 37
A.2 UAS Workshop Participants 38
Appendix B Unmanned Aircraft System Models 39
B.1 Flight Profiles 39
B.2 Functional Models 41
Appendix C Functional Failure Analysis 42
Appendix D UAS Fault Trees 50
D.1 UAS Scenario 1 Fault Trees 50
D.2 UAS Scenario 2 Fault Trees 62
Appendix E Severity Classification 69
Appendix F Consequence Models 70
F.1 HAZ001 – Inability to comply with Separation Provision Instruction from ATC 70
F.2 HAZ002 – Incorrect response to Separation Provision Instruction from ATC 71
F.3 HAZ003 – Intentional deviation from Separation Provision Instruction from ATC 72
F.4 HAZ004 – Delayed response to Separation Provision Instruction from ATC 73
F.5 HAZ005 – Loss of Separation Provision from ATC 75
F.6 HAZ006 – ATC Separation Provision Error 77
F.7 HAZ007 – Loss of Separation Provision from the Pilot in Command 78
F.8 HAZ008 – Pilot in Command Separation Provision Error 79
F.9 HAZ009 – Pilot in Command Separation Provision Instruction too late 80
F.10 HAZ010 – Separation Provision minima is breached by other aircraft 81
1 Introduction
1.1 Background
The evolution of aerospace technologies in the field of Unmanned Aircraft Systems
(UAS), including automatic/autonomous operations, will impact European Air Traffic
Management (ATM) as regards new military and civil UAS applications. UAS will
represent new challenges as well as new opportunities for ATM design in the future in
the context of both SESAR and beyond (vision 2050), for the benefit of both manned
and unmanned aviation.
The EUROCONTROL Agency, in executing its responsibilities associated with the
management of the pan-European ATM network, must ensure that UAS do not
negatively impact overall levels of ATM security, safety, capacity and efficiencies.
This work will result in the development of an ATM safety assessment for UAS that will
identify a set of ATM safety requirements, over and above existing ATM regulatory
safety requirements, which, if implemented, will ensure that the introduction of UAS
into non-segregated airspace will be acceptably safe.
1.2 UAS Safety Assessment
The primary aim of this task is to develop an ATM safety assessment for UAS so as to
identify a set of ATM safety requirements, over and above the existing ATM regulatory
safety requirements, which, if implemented, will ensure that the introduction of UAS
into non-segregated airspace will be acceptably safe. The safety assessment is to
consider two defined UAS operating scenarios in order to provide a realistic context
into which UAS will be operated.
• Scenario 1 – covers UAS operations in Class A, B or C en-route airspace flying under
Instrument Flight Rules (IFR) beyond the visual line of sight of the pilot-in-command.
• Scenario 2 – covers UAS operations in Class C to G airspace operating under Visual
Flight Rules (VFR), where the pilot-in-command has direct visual line of sight of the
Unmanned Aircraft (UA).
The work currently being undertaken by EUROCAE Working Group 73 on Unmanned
Aircraft Systems will also provide input and review effort to the safety assessment
work.
A UAS Safety Assessment Workshop was carried out to satisfy the process
requirements of the EUROCONTROL ANS Safety Assessment Methodology (SAM) [1]
which provides a means of compliance with the EUROCONTROL Safety and Regulatory
Requirement (ESARR) 4 [2].
1.3 UAS Today
Current UAS operations are largely constrained to designated areas or to temporary
restricted areas of airspace, commonly known as segregated airspace, or are flown
under special arrangements over the sea or at high altitude. On some occasions, UAS
operations are permitted in an extremely limited environment outside segregated
airspace. To exploit fully the unique potential of UAS there is a desire to be able to
access all classes of non-segregated airspace and to operate across national borders
and airspace boundaries. Such operations must be acceptably safe, but regulation
should not become so inflexible or burdensome that the benefits are unnecessarily
lost. The viability of the civil market for UAS especially is heavily dependent on
unfettered access to the same airspace as manned civil aircraft operations, at least
for like-for-like operations, for example in aerial surveillance applications.
Whilst it is essential that UAS demonstrate an equivalent level of safety compared to
manned operations, the current regulatory framework has evolved around the concept
of the pilot-in-the-cockpit. There is a need to develop UAS solutions that assure an
equivalent level of safety for UAS operations, which in turn could require some
adaptation of the current ATM regulatory framework to allow for the concept of the
pilot-not-in-the-cockpit without compromising the safety of other airspace users.
1.4 Aim
This document comprises the Functional Hazard Assessment (FHA) for Unmanned
Aircraft Systems operation in non-segregated airspace and provides an independent
assessment of the hazards related to operating UAS in non-segregated airspace.
The aim of this FHA is derived from the following top level safety argument claim,
which implies a relative safety argument approach:
• UAS operations in ECAC Airspace are and will be acceptably safe;
• where ECAC airspace is defined as the airspace of the 44 ECAC Member States,
and
• acceptably safe is defined as ‘risks’ to other airspace users are:
o No higher than for equivalent manned operations; and
o Reduced to As Far As Reasonably Practicable (AFARP), as required by
ESARR 3 [3] and European Air Traffic Management Programme
(EATMP) Safety Policy [4].
The initial step in addressing the above claim is to specify safety requirements such
that, subject to complete and correct implementation, UAS operations in non-
segregated airspace are acceptably safe.
The aim of this FHA is therefore to understand the risk of UAS via the derivation of
hazards and an analysis of the consequences of those hazards. The Functional Hazard
Assessment work will support the development of a UAS Preliminary System Safety
Assessment Report (PSSA) which will document UAS safety requirements and provide
traceability to detailed safety requirements.
1.5 Scope
This report covers the safety assurance activities undertaken to assess the safety of
UAS operation in non-segregated airspace using two operational scenarios, up to the
point where hazards have been identified and the consequences of those hazards
assessed.
• Scenario 1 covers UAS IFR operations in Class A, B or C en-route airspace only.
The mode of operation considered for this baseline scenario uses command and
control architectures known as Radio Line Of Sight (RLOS) or Beyond Radio Line
Of Sight (BRLOS).
• Scenario 2 covers UAS VFR operations based upon VLOS command and control
systems in classes of airspace where VFR flight is permitted (Class C to G). VLOS
operation requires the PIC to keep the UA in direct visual observation for the
duration of the flight.
This safety assessment work is carried out from an Air Traffic Management (ATM)
perspective with the aim of requirement setting but is not concerned with the
implementation of any such safety requirements.
1.6 Structure
The Functional Hazard Assessment Report is structured as follows:
Section 1 Introduction – presents the scope and purpose of the report.
Section 2 Functional Hazard Assessment Overview – documents the objectives of the
Functional Hazard Assessment along with the hazard identification and risk
assessment methodology.
Section 3 System Scope and Scope of Analysis – provides an overview of the system
under consideration and defines the scope of the analysis.
Section 4 Functional Hazard Assessment Results – documents the results of the
Functional Hazard Assessment activity.
Section 5 Conclusions – presents the conclusions of the Functional Hazard
Assessment.
Section 6 References – provides a list of referenced documents used in the report.
2 Functional Hazard Assessment Overview
2.1 Introduction
The EUROCONTROL Air Navigation Services (ANS) Safety Assessment Methodology [1]
defines the objectives of a FHA as:
“a top-down iterative process, initiated at the beginning of the development or
modification of an Air Navigation System. The objective of the FHA process is to
determine: how safe does the system need to be?
The process identifies potential functional failure modes and hazards. It assesses
the consequences of their occurrences on the safety of operations, including
aircraft operations, within a specified operational environment.
The FHA process specifies overall Safety Objectives of the system, i.e. specifies the
safety level to be achieved by the system.”
2.2 FHA Process
This FHA was performed in order to support a relative safety argument. The analysis
aims to derive a set of hazards relating to UAS operating in non-segregated airspace.
The first step in performing the FHA was to establish the scope and boundary of the
system, understanding that the system covers all aspects of the ATM environment
including people, procedures and equipment. In the context of the defined scope and
system boundary, the analysis has focused specifically on the identification of:
• A Functional and Logical Safety Model representing UAS operations in each
Scenario.
• Hazards that could arise from, inter alia, functional failure, inadequacies,
limitations, etc.
• The potential consequences of those hazards.
The FHA process began with the construction of a number of models. Given the
requirement to present a relative safety argument, it was important to fully appreciate
the current situation with no UAS (referred to as ‘without-UAS’) as compared to the
proposed situation with UAS flying in non-segregated airspace (referred to as
‘with-UAS’). The models were constructed to aid the identification of potential hazards
for which mitigation is required; see section 3.8 for more detail.
The models along with the proposed scope, boundary and assumptions for the analysis
were presented at a UAS Safety Assessment Workshop for validation and verification
by domain experts. A hazard identification verification activity was also carried out as
part of the UAS Safety Assessment Workshop.
A number of issues, statements and discussion points were raised at the UAS Safety
Assessment Workshop which were minuted in [5]. A number of these points have
been used to justify or substantiate analysis decisions; these are referred to
specifically throughout this document as originating from the workshop participants.
The output from the UAS Safety Assessment Workshop has been taken and used to
perform a more detailed analysis which has included consideration of consequences
and mitigations. These hazard models will subsequently be used as the basis of the
UAS Preliminary System Safety Assessment, which will derive the safety requirements
for UAS operations in non-segregated airspace.
2.3 FHA Objectives
The overall aims for the Functional Hazard Assessment as defined in section 1.4 are
further refined to specific task objectives as discussed in the following list. Some of
the objectives were addressed as part of the pre-workshop and workshop activities and
others as part of the post workshop activities. The results of these activities are
captured in this report. The objectives listed below apply to both scenarios. The
detailed objectives were:
• review and agree the overarching UAS Safety Argument Strategy
• verify the scope and boundaries of the analysis being undertaken
• validate the Scenario, Functional and logical models
• identify the hazards applicable to current manned operations (without-UAS)
and to proposed UAS operations (with-UAS) in non-segregated airspace
• identify the possible consequences of each hazard, taking into account the
available mitigations, using Event Tree Analysis.
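The last objective above, consequence analysis by Event Tree Analysis, is mechanical once the hazard, its mitigation barriers and their conditional success probabilities are known, and the relative safety argument in section 1.4 reduces to comparing the resulting rate of the worst outcome between the without-UAS and with-UAS cases. The following Python is an added worked example and is not part of the FHA or of any EUROCONTROL tooling; the barrier names, the hazard rate and every probability in it are hypothetical figures constructed to show the method, not values from this assessment or from the PSSA.

```python
"""Event Tree Analysis (ETA) of a hazard through a chain of mitigation barriers.

Added worked example. Barrier names, hazard rate and all probabilities are
hypothetical, constructed to illustrate the method; they are not FHA results.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Barrier:
    """A mitigation that can stop the accident sequence once the hazard exists."""
    name: str
    p_success: float  # P(barrier stops the sequence | sequence reaches it)


@dataclass(frozen=True)
class AccidentSequence:
    path: Tuple[str, ...]   # hazard followed by each barrier's success/fail branch
    probability: float      # P(this path | hazard has occurred)
    outcome: str            # consequence reached at the end of the path


def event_tree(hazard: str, barriers: List[Barrier], outcomes: List[str]) -> List[AccidentSequence]:
    """Expand a binary event tree.

    Barrier i succeeding terminates the sequence with outcomes[i]; failing hands
    over to barrier i+1; failure of the last barrier ends in outcomes[-1], so
    there must be exactly one more outcome than there are barriers.
    """
    if len(outcomes) != len(barriers) + 1:
        raise ValueError("need one outcome per barrier plus one for all barriers failing")
    sequences: List[AccidentSequence] = []
    path: List[str] = [hazard]
    p_reach = 1.0  # probability that the sequence reaches the current barrier
    for barrier, outcome in zip(barriers, outcomes):
        if not 0.0 <= barrier.p_success <= 1.0:
            raise ValueError(f"{barrier.name}: p_success must be in [0, 1]")
        sequences.append(AccidentSequence(
            tuple(path + [f"{barrier.name}: success"]), p_reach * barrier.p_success, outcome))
        path.append(f"{barrier.name}: fail")
        p_reach *= 1.0 - barrier.p_success
    sequences.append(AccidentSequence(tuple(path), p_reach, outcomes[-1]))
    return sequences


def outcome_probabilities(sequences: List[AccidentSequence]) -> Dict[str, float]:
    """Sum path probabilities per consequence; the values add up to 1."""
    totals: Dict[str, float] = {}
    for seq in sequences:
        totals[seq.outcome] = totals.get(seq.outcome, 0.0) + seq.probability
    return totals


def worst_outcome_rate(hazard_rate: float, barriers: List[Barrier], outcomes: List[str]) -> float:
    """Per-flight-hour rate of the last (worst) outcome: hazard rate x P(all barriers fail)."""
    return hazard_rate * outcome_probabilities(event_tree("hazard", barriers, outcomes))[outcomes[-1]]


def relative_risk(rate_with: float, barriers_with: List[Barrier],
                  rate_without: float, barriers_without: List[Barrier],
                  outcomes: List[str]) -> float:
    """with-UAS over without-UAS rate of the worst outcome; a value <= 1 meets the
    'no higher than equivalent manned operations' criterion of the safety claim."""
    return (worst_outcome_rate(rate_with, barriers_with, outcomes)
            / worst_outcome_rate(rate_without, barriers_without, outcomes))


# Constructed scenario: a delayed response to an ATC separation instruction.
OUTCOMES = ["separation restored", "loss of separation, recovered", "near miss", "mid-air collision"]
WITHOUT_UAS = [
    Barrier("ATC detects non-compliance and re-instructs", 0.90),
    Barrier("pilot in command takes avoiding action", 0.95),
    Barrier("other aircraft's collision avoidance system acts", 0.90),
]
# Same barriers, but the remote PIC's avoiding action is assumed less effective
# (control-link latency); a hypothetical figure used only to exercise the comparison.
WITH_UAS = [WITHOUT_UAS[0], Barrier("pilot in command takes avoiding action", 0.80), WITHOUT_UAS[2]]
HAZARD_RATE = 1e-4  # hazard occurrences per flight hour, hypothetical, same in both cases


if __name__ == "__main__":
    for label, barriers in (("without-UAS", WITHOUT_UAS), ("with-UAS", WITH_UAS)):
        print(label)
        for seq in event_tree("HAZ: delayed response to ATC instruction", barriers, OUTCOMES):
            print(f"  {seq.probability:.4g}  {seq.outcome:30s} {' -> '.join(seq.path)}")
    rr = relative_risk(HAZARD_RATE, WITH_UAS, HAZARD_RATE, WITHOUT_UAS, OUTCOMES)
    verdict = "acceptable" if rr <= 1.0 else "additional mitigation or requirement needed"
    print(f"relative risk of mid-air collision, with/without UAS: {rr:.2f} ({verdict})")
```

With the constructed figures the with-UAS tree gives a collision rate four times the without-UAS one at the same hazard rate, which is exactly the situation in which the PSSA would have to derive an additional safety requirement (for example on control-link latency or on an independent collision avoidance function) to bring the ratio back to at most 1. The same function can be run per hazard in Appendix F with the real barrier set once probabilities are available.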
2.4 UAS Safety Assessment Workshop
A UAS Safety Assessment Workshop was held at EUROCONTROL HQ, Brussels on
Wednesday 29th April and Thursday 30th April 2009. Minutes from the workshop are
recorded in [5]. The Agenda for the UAS Safety Assessment Workshop and a list of
participants is provided in Appendix A.
With respect to the above objectives, the UAS Safety Assessment Workshop achieved
the following:
• Reviewed and agreed the overarching UAS Safety Argument Strategy.
• Verified the scope and boundaries of the analysis being undertaken.
• Validated the Scenario, Functional and Logical models for each UAS scenario.
• Identified the hazards associated with each scenario and the possible
mitigations that are in place.
The remaining objectives are all captured as part of the FHA results in section 4.
Work from a previous EUROCONTROL project involving Military UAV as Operational Air
Traffic (OAT) outside Segregated Airspace [6] was presented at the UAS Workshop, as
it was felt this was still applicable and provided a good starting point. This is discussed
in more detail in section 4.1.
3 System Definition and Scope of Analysis
3.1 UAS Operational Scenarios
The concept of operating UAS in non-segregated airspace is expected to be
transparent to the ATM environment. There are obvious differences between manned
and unmanned aircraft, but in principle the UAS should operate to the same rules of
the air and procedures that apply to manned aircraft. The safety of other airspace
users depends on the UAS operations achieving at least an equivalent level of safety to
manned aircraft. There are a wide variety of possible UAS operations and the safety
aspects across the whole flight profile need to be assessed in order to assure those
operations are acceptably safe. However, in order to focus this initial safety
assessment, two UAS scenarios have been defined as described below. They were
identified by the EUROCAE Working Group 73 as two of the most relevant near-term
operational scenarios for UAS. The scenarios cover non-segregated operations but not
for all flight stages and are subject to the assumptions listed later in section 3.7.
• Scenario 1 – covers UAS IFR operations in Class A, B or C en-route airspace only.
The mode of operation considered for this baseline scenario uses a command and
control system known as either Radio Line Of Sight (RLOS) or Beyond Radio Line
Of Sight (BRLOS). The operations take place beyond visual line of sight (BVLOS) of
the UAS Pilot. The duration of any UAS operation is dictated by the demands of the
task but under Scenario 1 can range from a few hours to a number of days. Figure 1
below represents Scenario 1.
Figure 1 – Scenario 1
• Scenario 2 – covers UAS VFR operations based upon VLOS command and control
systems in classes of airspace where VFR flight is permitted (Class C to G).
Operations in Class C to E airspace could include a CTR and/or TMA. Class B CTRs
and TMAs, where VFR is also permitted, have intentionally not been considered.
VLOS operation requires the PIC to keep the UA in direct visual observation for the
duration of the flight. The duration of any UAS operation is dictated by the demands
of the task but under Scenario 2 ranges from a few minutes up to the available hours
of daylight. Figure 2 below represents Scenario 2.
Figure 2 – Scenario 2
3.2 Defining the Scope for the FHA Activity
Prior to the FHA activity it was important to understand the differences between the
‘without-UAS’ and ‘with-UAS’ situations for each of the defined scenarios above in order to structure the analysis and support the relative assessment of risk.
The scope of the safety assessment has thus been defined by:
• understanding the ATM concept and environment in which UAS will operate,
see section 3.3;
• a number of operational perspectives, see section 3.4;
• understanding the characteristics of UAS, see section 3.5;
• a series of identified scoping statements and assumptions, see sections 3.6 and
3.7;
• a number of UAS models, see section 3.8.
3.3 Air Traffic Management Concept
There are three main components of ATM, defined within the ATM Operational Concept
Document [7] endorsed at ANC/11 in September 2003:
• Strategic Conflict Management
• Separation Provision and
• Collision Avoidance.
Strategic Conflict Management encapsulates all pre-flight planning activities that take
place to ensure demand, capacity and conflicts are managed prior to the real-time
situation. Figure 3 below shows the principal interactions between the Strategic
Conflict Management, Separation Provision and Collision Avoidance components and
the Airspace. Note that [7] also states that any Collision Avoidance System should be
separate from, but compatible with, the Separation Provision component. Collision
avoidance systems cannot be included in determining the calculated level of safety
required for Separation Provision with regard to the ESARR 4 Target Level of Safety
(TLS); however, the Collision Avoidance function has been taken into account within
this relative safety assessment because of the significant difference between the
‘with-UAS’ and ‘without-UAS’ situations.
Figure 3 – High Level Functional Model
The use of these terms is important within this analysis and has thus been defined in
the following sections in relation to the defined UAS Scenarios.
3.3.1 Separation Provision Component
Separation Provision (SP) is the tactical process of keeping aircraft away from other
airspace users, obstacles, restricted airspace, etc. Depending upon the type of
airspace and, where applicable the Air Traffic Control (ATC) service being provided,
separation provision can be performed either by ATC (as regards separation assurance
from other aircraft/airspace by at least an appropriate separation minimum) or by the
Pilot in Command, dependent on the class of Airspace, the type of ATC service
provided or the flight rules in force. Separation minima are defined for application by
ATC in accordance with the airspace classification and the flight rules of each individual
aircraft concerned. Manned operations where the PIC is responsible for SP generally
have no specified minima, although the overarching rules of the air apply as the basic
requirements. However, the MIL UAV specifications [8] have defined minima for
unmanned operations whilst the PIC is responsible for SP.
• Scenario 1 – ATC is responsible for providing Separation Provision between the
UAS and other airspace users. The SP Monitoring and Instruction functions are
provided by an Air Traffic Controller. The pilot is wholly responsible for ensuring
the UA Trajectory Compliance function of SP. The pilot is also responsible for
separation from obstacles and terrain.
• Scenario 2 – the PIC is responsible for Separation Provision. The Separation
Provision monitoring and instruction functions are performed by the PIC,
whereas Trajectory Compliance is performed by the UA.
3.3.2 Collision Avoidance Component
The Collision Avoidance (CA) component is responsible for identifying when a potential
collision threat is imminent, then identifying and implementing an avoidance action.
The CA objective is to ensure that collision threats are avoided. The CA function acts
irrespective of airspace classification, flight rules or who is responsible for SP.
• Scenario 1 – When Separation Provision is the responsibility of ATC, the CA
function is intended to act independently from the SP functions. In principle, the CA
function should only act when SP has failed (i.e. there is a loss of separation)
and then only to take collision avoidance action if the actual distance is
assessed as representing a collision risk (there are scenarios where the time
needed to identify, resolve and take avoiding action is such that separation
minima may not yet have been breached). Equally, loss of separation assurance
by ATC may not represent cause for initiation of a collision avoidance
manoeuvre. The CA function is the responsibility of the PIC; however, the PIC
may be supported by a CA system such as TCAS II (as a rule, TCAS II Resolution
Advisories take precedence over ATC instructions). Note that ATC may still
instigate collision avoidance action from a PIC, but the responsibility remains
with the PIC.
• Scenario 2 – When the PIC is responsible for SP, the independence between
the SP and CA functions is blurred as the pilot is effectively responsible for
both. For manned operations the Closest Point of Approach (CPA) and
separation minima are effectively the same, as minima are not usually
specified. NOTE: The impact of this on mixed UAS and manned operations
needs to be further assessed within the PSSA. If found to be problematic, a
safety issue will be raised.
In relation to Scenario 1, the SRC Policy Document [9] states that Collision Avoidance
systems (referred to as Safety Nets) are not part of Separation Provision and so must not
be included in determining the acceptable level of safety required for Separation
Provision. The SRC Policy Document statement implies that UAS must provide an
equivalent level of interaction with the Separation Provision function to that provided by
pilots. Furthermore, the UAS Separation Provision System must maintain the level of
safety (with respect to the scope of ESARR 4 [2]) without the need for a Safety Net.
3.4 Operational Perspectives
Consideration of UAS operations in non-segregated airspace can be understood from a
number of operational perspectives.
• Scenario 1
o Separation Provision – ICAO Airspace Classifications are contained in ICAO
Annex 11 Air Traffic Services [10]. Table 1 below shows the level of ATC
service provided for each airspace classification.
Class | Type of flight | Separation provided | Service provided | Radio communication requirements | ATC clearance
A | IFR only | All aircraft | Air traffic control service | Continuous two-way | Yes
B | IFR | All aircraft | Air traffic control service | Continuous two-way | Yes
B | VFR | All aircraft | Air traffic control service | Continuous two-way | Yes
C | IFR | IFR from IFR; IFR from VFR | Air traffic control service | Continuous two-way | Yes
C | VFR | VFR from IFR | 1) Air traffic control service for separation from IFR; 2) VFR/VFR traffic information | Continuous two-way | Yes
Table 1 – Level of ATC Service Provided
o Collision Avoidance – is the PIC's responsibility regardless of the airspace
within which the UA is operating.
o ATS UAS Operational Flight Planning – a flight plan must be filed with ATS
for all Scenario 1 operations, as they will be IFR in Class A, B or C airspace.
Indication to ATC that the flight is unmanned will be through the use of
specific UAS aircraft type designators.
o Communications – voice communications are required between the PIC and
ATC.
o Other airspace users – will include manned IFR and VFR aircraft as well as
other IFR UA.
• Scenario 2
o Separation Provision – ICAO Airspace Classifications are contained in ICAO
Annex 11 Air Traffic Services [10]. Table 2 below shows the level of ATC
service provided for each airspace classification.
Class | Type of flight | Separation provided | Service provided | Radio communication requirements | ATC clearance
C | IFR | IFR from IFR; IFR from VFR | Air traffic control service | Continuous two-way | Yes
C | VFR | VFR from IFR | 1) Air traffic control service for separation from IFR; 2) VFR/VFR traffic information | Continuous two-way | Yes
D | IFR | IFR from IFR | Air traffic control service including information about VFR flights (traffic avoidance on request) | Continuous two-way | Yes
D | VFR | Nil | Traffic information between VFR and IFR (traffic avoidance on request) | Continuous two-way | Yes
E | IFR | IFR from IFR | Air traffic control service and traffic information about VFR flights | Continuous two-way | Yes
E | VFR | Nil | Traffic information as far as practical | No | No
F | IFR | IFR from IFR as far as practicable | Air traffic advisory service; flight information service | Continuous two-way | No
F | VFR | Nil | Flight information service | No | No
G | IFR | Nil | Flight information service | Continuous two-way | No
G | VFR | Nil | Flight information service | No | No
Table 2 – Level of ATC Service Provided
o Collision Avoidance – is the PIC's responsibility regardless of the airspace
within which the UA is operating.
o ATS UAS Operational Flight Planning – it may not be necessary for a flight
plan to be filed with an ATS unit for VLOS operations.
o Communications – UAs under VLOS operation will communicate with all
relevant parties through appropriate means according to the airspace
classification.
o Other Airspace Users – may include many users, such as hot air balloons,
gliders, microlights or other manned VFR aircraft, as well as other VLOS UA.
3.5 UAS Characteristics
UAS encapsulates the Unmanned Aircraft (UA) itself and the entirety of systems, people
and procedures involved in the launch, control and recovery of the UA, including the
ground station, the UAS crew, operational processes and flight crew procedures. To
establish the potential differences between manned and unmanned operations, it is
important to understand the specific characteristics of UAS that are potentially relevant
to operations in non-segregated airspace. The UAS characteristics are depicted in
Figure 4.
A principal characteristic is that the means of UA Control is functionally separate from
the UA. The Pilot in Command (PIC) of the UA will be remote from the UA in a UAS
Ground Control Station (GCS). The PIC maintains control of the UA through a UAS
Control System (UCS) and a UAS Control Link (UCL). This method of control is the
same for Scenario 1 and Scenario 2.
Figure 4 – UAS Characteristics Model
The key characteristics that can affect UAS operations are as follows:
• Conspicuity – the visibility of the UA to other airspace users is an important
factor in the Collision Avoidance component, as well as when Separation
Provision is the responsibility of the PIC. This could be an issue for UAs that
are smaller than manned aircraft, or UAs that present a poor signature to
Primary Surveillance Radar. This may be especially relevant for Scenario 2, as
the UA will be operating under 2000 ft and may be small.
• Automatic Operations – one of the key characteristics of a UAS is the ability to
operate under various conditions without human interaction. The necessity for
human interaction, along with other factors such as safety, mission complexity
and environmental difficulty, determines the level of automation that the UAS
can achieve.
o Fully automatic – A mode of operation of a UAS wherein the UA is
expected to accomplish its mission, within a defined scope, without
human intervention.
o Semi-automatic - A mode of operation of a UAS wherein the human
operator and/or the UAS plan(s) and conduct(s) a mission and require
various levels of human interaction.
o Teleoperation – A mode of operation of a UAS wherein the human
operator, using video feedback and/or other sensory feedback, either
directly controls the actuators or assigns incremental goals, waypoints
in mobility situations, on a continuous basis, from off the UA and via a
tethered or radio linked control device. In this mode, the UAS may
take limited initiative in reaching the assigned incremental goals.
o Remote control – A mode of operation of a UAS wherein the human
operator, without benefit of video or other sensory feedback, directly
controls the actuators of the UAS on a continuous basis, from off the
vehicle and via a tethered or radio linked control device using visual
line-of-sight cues. In this mode, the UA takes no initiative and relies on
continuous or nearly continuous input from the user.
• Airworthiness – the Airworthiness Certification of a UAS is outside scope of
this analysis. However, it is assumed within the analysis that UAS will be fitted
with certified equipment equivalent to that for manned operation in the
intended non-segregated airspace, unless otherwise specifically stated, i.e. the
UA will meet the defined minimum equipment requirements for the airspace
and flight rules in force.
• Flight Performance – the manoeuvrability of a UA is important to
understand. Currently, Air Traffic Controllers are required to understand the flight
performance characteristics of the types of aircraft that come under their
control and to provide separation provision instructions based on this
understanding. This requirement will also need to apply to
unmanned operations to ensure ATC instructions can be implemented. Flight
performance is particularly important in understanding whether a UA could
comply with an ATC separation provision instruction or a collision avoidance
manoeuvre.
3.6 Scoping Statements
The following scoping statements have been made to further support the safety
assurance activity. Statements S0001 to S0007 were validated during the FHA
workshop.
Scope S0001 The aim of the safety assessment is for seamless integration of
UAS operations into the current European ATM system.
Scope S0002 Only single (not in formation) UAs in non-segregated airspace are
considered.
Scope S0003 Payload is considered external to the UAS system from an ATM
perspective and is therefore outside scope.
Scope S0004 Only IFR En-Route operations in Classes A, B, or C airspace are
considered (Scenario 1).
Scope S0005 Only day VFR operations are considered (Scenario 2).
Scope S0006 Class G airspace above Classes A, B or C airspace is not
considered under Scenario 2.
Scope S0007 Only eyeball Visual Line Of Sight (VLOS) operations are within
scope of the safety assessment; command-link VLOS operations are not
considered (Scenario 2).
Scope S0008 If ATC are involved in Scenario 2, they will not give specific
trajectory instructions, but may stipulate airspace limitations, such
as to remain below a specified level.
3.7 Assumptions
The following assumptions have also been made to further scope and support the
safety assurance activity:
Assumption A0001 Current equivalent manned operations are tolerably safe.
Assumption A0002 A pilot is only ever in control of one single UA.
Assumption A0003 Airworthiness approval criteria are available and UAS have
been approved by a competent authority.
Assumption A0004 UAS operations comply with applicable ICAO standards,
except where explicitly stated.
Assumption A0005 All other airspace users intend to be seen.
Assumption A0006 Where an Air Traffic Control (ATC) service is offered to a
UAS Pilot, that ATC service is assumed to be fully licensed
(Scenario 1 and Scenario 2).
Assumption A0007 The UA Pilot-in-Command and associated Ground Control
Station are assumed to be co-located for the duration of
UA operations (Scenario 1).
Assumption A0008 TCAS II Version 7 is not available for a UA, as stated by
ICAO, but may be in operation with other airspace users
(Scenario 1).
Assumption A0009 UA operations are assumed to range in duration from a few
hours to a number of days (Scenario 1).
Assumption A0010 UA operations are assumed to range in duration from a few
minutes up to the hours of available daylight (Scenario 2).
Assumption A0011 UA Launch and Recovery operations are assumed to take
place from locations away from aerodromes/airports
(Scenario 2).
Assumption A0012 Where no flight plan is available, an airborne flight plan will
be created (Scenario 1).
3.8 Unmanned Aircraft System Models
The following models have been constructed for each scenario based on the defined
scope of the FHA for each of the operational perspectives of UAS:
• Flight Profiles – captures all likely ATM environments and situations in which
the UAS may be required to operate.
• Functional Models – derived from the components defined within the ICAO
Strategic Conflict Model.
3.8.1 Flight Profiles
The flight profile model for each scenario aims to capture all phases of flight within the
scope of analysis and likely ATM environments in which the UAS may be required to
operate.
• Scenario 1 - Flight Profile Model is presented in Appendix B.1.1 and
encapsulates IFR En-Route operations, crossing FIR boundaries, emergency
operations and early descent.
• Scenario 2 - Flight Profile Model is presented in Appendix B.1.2 and
encapsulates pre-flight planning, launch of the UA, VFR operations, crossing
FIR boundaries, approach, recovery and any post landing actions.
3.8.2 Functional Models
The following functional models are presented within the appendices. The aim of these
models is to identify the primary functions performed by each system functional
element for each of the two scenarios.
• Scenario 1 Functional Model with ATC Responsible for Separation Provision is
shown in Appendix B.2.1.
• Scenario 2 Functional Model with Pilot in Command Responsible for Separation
Provision is shown in Appendix B.2.2.
The functional models developed for UAS are based on Figure 3 – High Level Functional
Model in section 3.2. It should be noted that the primary ATM functions are the same
for both the ‘with-UAS’ and ‘without-UAS’ operations.
More detailed models identifying the logical elements of the ‘with-UAS’ and ‘without-UAS’ situations will be documented within the Preliminary System Safety Assessment
(PSSA) Report.
4 Functional Hazard Assessment Results
4.1 Overview
In order to establish the relative change in risk resulting from the introduction of UAS
operations in non-segregated airspace, the initial step in the analysis was to identify
the hazards at a common boundary point for the ‘without-UAS’ and ‘with-UAS’ situations for each of the two scenarios. It was then necessary to establish whether these hazards were
common to both situations and whether there were any new hazards in the ‘with-UAS’ situation. This was analysed for both scenarios.
Previous work on the safety assessment of military UAVs operating as Operational Air
Traffic outside segregated airspace [6] had identified a list of hazards that were
common to both the without-UAS and with-UAS scenarios. Given the experience of the UAS workshop facilitators and the similarities between the two projects, the previous list
of hazards was presented to the UAS workshop participants as a starting point. It was
agreed that these hazards were applicable to both military and civil
operations. The previous list of hazards was therefore reviewed and discussed during
the UAS Workshop to confirm whether the hazards remained valid for the UAS safety
assessment work and to identify any gaps. A full functional analysis was then
conducted as part of the post-workshop FHA activity, as detailed below.
4.2 Hazard Identification Approach
Each function depicted in the High Level Function Model (Figure 3 in section 3.2) was
reviewed against a set of guidewords to ensure that the list of hazards captured all
failure scenarios. Each guideword was applied to each function and considered in more
detail, as shown in Appendix C. The functions considered are as listed below:
• Separation Provision
1. Separation Provision Instruction
2. Separation Provision Monitor
3. Trajectory Compliance
• Collision Avoidance
4. Observe
5. Resolve/Decide
6. Act
• Other Aircraft
7. Trajectory Compliance
• UAV Operator
8. Flight Planning
The functional failure guidewords applied to each of the above functions are listed
below:
• Loss – complete negation of an intention. No part of the intention is achieved
and nothing else happens, e.g. ATC is unable to provide separation provision.
• Error – any action that is undesirable regardless of cause, e.g. an incorrect response to an ATC instruction, a partial response to an ATC instruction or
unintentional actions.
• Intentional deviation – an action different from that intended occurs as a result of an external input, e.g. an ATC instruction is ignored because of a Traffic
Collision Avoidance System (TCAS) Resolution Advisory (RA).
• Too early – an action occurs earlier than expected, whether relative to UTC,
order or sequence.
• Too late – an action occurs later than expected, whether relative to UTC, order or sequence.
• Other (completeness check).
The high level functional model presented in Figure 3 represents a closed loop control
system, with the airspace as the element under control. By breaking the control loop
at the point where the separation provision compliance function interfaces with the
airspace it can be observed that:
• The primary control function is Separation Provision.
• Collision Avoidance can mitigate Separation Provision failure (although the
Trajectory Compliance function is a potential for common cause failure).
• Collision Avoidance actions can interfere with Separation Provision.
As such the analysis of hazards focuses on the Separation Provision Function, and
models the Collision Avoidance functional failure scenarios either as mitigations in the
consequence of the SP hazards or as potential causes of the SP hazards. It should also
be noted that, for the purpose of the FHA, UA failures subsequent to link loss are
modelled as PIC hazards on the basis that the PIC is responsible for defining the
contingency action.
The following high-level hazards were identified and are common to both the with-UAS and without-UAS situation:
• Loss of Separation Provision.
• Error in Separation Provision.
• Delayed Separation Provision.
• Intentional Deviation from Separation Provision Instruction.
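The guideword-by-function cross-check described above, together with the common cause observation on the Trajectory Compliance function, can be mechanised. The following Python script is an added example written for this page; it is not code from the FHA report or from the EUROCONTROL/Ebeni project. The eight functions and six guidewords are those listed in this section. The `depends_on` elements attached to each function and the rule that maps a guideword on a Separation Provision function to one of the four high-level hazards are assumptions made for the illustration, since the report defers the logical elements to the PSSA.

```python
"""Guideword-based functional failure analysis (FFA) for the Figure 3 functions.

Added example, not code from the FHA report. The function list and the six
guidewords are taken from section 4.2; the 'depends_on' elements and the
guideword-to-hazard mapping are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from itertools import product

GUIDEWORDS = ("Loss", "Error", "Intentional deviation", "Too early", "Too late", "Other")


@dataclass(frozen=True)
class Function:
    number: int
    group: str      # Separation Provision, Collision Avoidance, Other Aircraft, UAV Operator
    name: str
    depends_on: frozenset = field(default_factory=frozenset)  # assumed shared elements


# The eight functions as numbered in section 4.2. The depends_on sets are
# constructed for this example (the report itself defers them to the PSSA).
FUNCTIONS = (
    Function(1, "Separation Provision", "Separation Provision Instruction", frozenset({"comms link"})),
    Function(2, "Separation Provision", "Separation Provision Monitor", frozenset({"surveillance"})),
    Function(3, "Separation Provision", "Trajectory Compliance", frozenset({"height keeping", "navigation"})),
    Function(4, "Collision Avoidance", "Observe", frozenset({"surveillance"})),
    Function(5, "Collision Avoidance", "Resolve/Decide", frozenset()),
    Function(6, "Collision Avoidance", "Act", frozenset({"height keeping", "navigation"})),
    Function(7, "Other Aircraft", "Trajectory Compliance", frozenset()),
    Function(8, "UAV Operator", "Flight Planning", frozenset()),
)

# Assumed rule: a guideword applied to a Separation Provision (SP) function
# feeds the high-level hazard of the same name from section 4.2.
GROUP_OF_GUIDEWORD = {
    "Loss": "Loss of Separation Provision",
    "Error": "Error in Separation Provision",
    "Too late": "Delayed Separation Provision",
    "Intentional deviation": "Intentional Deviation from Separation Provision Instruction",
}


def failure_scenarios(functions=FUNCTIONS, guidewords=GUIDEWORDS):
    """Cross every function with every guideword: one row per FFA worksheet entry."""
    return [(f, g) for f, g in product(functions, guidewords)]


def high_level_hazard(function, guideword):
    """Return the high-level SP hazard a scenario feeds, or None.

    Non-SP functions are modelled as causes or mitigations of SP hazards
    (section 4.2), and 'Too early' / 'Other' are completeness checks with no
    dedicated high-level hazard, so those return None.
    """
    if function.group != "Separation Provision":
        return None
    return GROUP_OF_GUIDEWORD.get(guideword)


def worksheet(functions=FUNCTIONS):
    """Group the worksheet rows by the high-level hazard they feed."""
    out = {}
    for f, g in failure_scenarios(functions):
        out.setdefault(high_level_hazard(f, g), []).append(f"{f.number}. {f.name}: {g}")
    return out


def common_cause_elements(functions=FUNCTIONS):
    """Elements shared by an SP function and a CA function.

    A CA mitigation cannot be credited against an SP failure that was caused
    by one of these elements, since the same failure defeats both functions.
    """
    sp = set().union(*(f.depends_on for f in functions if f.group == "Separation Provision"))
    ca = set().union(*(f.depends_on for f in functions if f.group == "Collision Avoidance"))
    return sorted(sp & ca)


if __name__ == "__main__":
    for hazard, rows in worksheet().items():
        print(hazard or "(cause, mitigation or completeness check)")
        for row in rows:
            print("   ", row)
    print("Common cause elements:", common_cause_elements())
```

Running the script prints the 48 worksheet rows grouped under the four high-level hazards (rows for non-SP functions and for the ‘Too early’ and ‘Other’ guidewords are listed separately, as causes, mitigations or completeness checks), followed by the elements shared between the SP and CA groups, which are exactly the places where the CA mitigation in the event trees must not be credited against an SP hazard.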
The Fault Trees in Appendix D show how the functional failure scenarios identified from
applying the guidewords relate to the ten hazards identified in the UAS Safety
Assessment workshop. The Fault Trees have thus been drawn for the purpose of
showing this linking only; more specific, detailed FTAs will be produced to support the
causal analysis in the Preliminary System Safety Assessment (PSSA). Each of the
hazards has been grouped with one of the high-level hazards outlined above in Table 3
below.
Hazard No.  Hazard Title (UAS Workshop)

High-level hazard: Loss of Separation Provision
  HAZ001  Inability to comply with separation provision instruction from ATC
  HAZ005  Loss of separation provision from ATC
  HAZ007  Loss of separation provision from Pilot in Command

High-level hazard: Separation Provision error
  HAZ002  Incorrect response to separation provision instruction from ATC
  HAZ006  ATC separation provision error
  HAZ008  Pilot in Command separation provision error
  HAZ010  Separation Provision Minima is breached by other aircraft

High-level hazard: Delayed Separation Provision
  HAZ004  Delayed response to separation provision instruction from ATC
  HAZ009  Pilot in Command separation provision too late

High-level hazard: Intentional Deviation from Separation Provision Instruction
  HAZ003  Intentional deviation from separation provision instruction from ATC

Table 3 – Hazard Identification
4.3 Hazard Identification Results
The functional failure analysis confirmed the conclusion of the UAS Safety Assessment
workshop that UAS operations for Scenario 1 and Scenario 2 do not introduce any new
hazards at the ATM concept level. The assessment also concluded that the resultant
hazards are not all applicable to both scenarios hence the workshop agreed the
following scenario assignments.
• Scenario 1
o HAZ001 - Inability to comply with separation provision instruction
from ATC
Aircraft is unable to comply with a separation provision instruction from
air traffic control.
o HAZ002 - Incorrect response to separation provision instruction from
ATC
Aircraft responds incorrectly to a separation provision instruction from
air traffic control.
o HAZ003 - Intentional deviation from separation provision instruction
from ATC
Aircraft makes intentional deviation from separation provision
instruction provided by air traffic control for reasons such as weather
avoidance and RAs (not for malicious reasons) and informs air traffic
control of the deviation.
o HAZ004 - Delayed response to separation provision instruction from
ATC
Aircraft responds late to a separation provision instruction from air
traffic control, where the delay is within the predetermined limit before air
traffic control assumes loss and issues new separation provision
instructions to surrounding aircraft.
o HAZ005 - Loss of separation provision from ATC
Loss of the separation provision function from air traffic control due to the
inability of air traffic control to provide the function to the pilot.
o HAZ006 - ATC separation provision error
Air traffic control issues a separation provision instruction containing an
error.
• Scenario 2
o HAZ001 to HAZ006
These were considered applicable to Scenario 2 only in so far as
there are certain circumstances where, for example, initial ATC
clearance is required or a temporary operating area is defined by ATC.
It should be noted that causes were found only for HAZ006, on the
basis of scoping statement S0008 (see Fault Tree Analysis, Appendix
D.2).
o HAZ007 – Loss of separation provision from the Pilot in Command
Loss of separation provision instruction from pilot in command due to
the inability of the pilot in command to provide the function i.e. no
separation provision instruction provided to the UA from the pilot in
command.
o HAZ008 – Pilot in Command separation provision error
Pilot in command on the ground issues separation provision instruction
containing an error to the UA.
o HAZ009 – Pilot in Command separation provision instruction too late
Pilot in command on the ground provides a separation instruction too
late.
o HAZ010 - Separation Provision Minima is breached by other aircraft
Separation provision minima are reduced due to the actions of other
aircraft.
4.4 Consequence Analysis
The next step in the analysis is to assess the consequences associated with each
hazard for both in ‘without-UAS’ and ‘with UAS’ situations for both scenarios. The relative impact of the change was then assessed with respect to risk. The FHA
considered the consequence of hazards associated with UAS operation in non-
segregated airspace. The consequence analysis was conducted to the point where
there is the potential for an accident. The columns in the event tree are defined as
follows:
• First Column – Initiating Hazard.
• Middle Columns – potential mitigations that would prevent the hazard resulting
in an end consequence.
• Last Column – the end consequence.
A number of mitigations within the event trees are generic to all hazards; these are
highlighted in the appropriate place.
Given the requirement to present a relative qualitative safety argument for UAS
operations in non-segregated airspace and the justification for an improved level of
risk reduction than the current ‘without-UAS’ situation, the table in Appendix C presents a qualitative severity classification scheme applicable for this safety analysis.
The scheme is based on ESARR 4 [2] for ATM and JAR25-1309 [11] for aircraft related
consequences.
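To make the relative with-UAS / without-UAS comparison concrete, the following Python script evaluates an event tree laid out in the columns defined above, using the HAZ001 mitigation sequence of Table 4 (ATC awareness, revised ATC instruction, other aircraft, collision avoidance). It is an added example written for this page, not code from the FHA report. Every probability in it is a constructed placeholder; the report argues qualitatively and assigns no figures. The only difference modelled between the two situations is a lower success probability for the ‘other aircraft’ column in the with-UAS case, reflecting the conspicuity caveat recorded in Table 4, and the collision avoidance column is expressed as one minus the probability of the corresponding fault tree top event, as the report states it in the negative.

```python
"""Event-tree consequence analysis with a with-UAS / without-UAS comparison.

Added example illustrating section 4.4; not code from the FHA report. Column
names follow the HAZ001 event tree (Table 4); all probabilities are constructed
placeholders chosen for illustration only.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Column:
    name: str
    p_success: float                # probability the column succeeds
    terminates: bool = True         # True: success recovers the situation;
                                    # False: success only enables a later column
    requires: Optional[str] = None  # reached only if that earlier column succeeded


def enumerate_paths(columns):
    """Walk every branch of the tree.

    Returns a list of (branch labels, path probability, end state), where the
    end state is 'RECOVERED' if a terminating column succeeded and
    'END CONSEQUENCE' if every applicable column failed.
    """
    results = []

    def walk(i, outcomes, prob, path):
        if i == len(columns):
            results.append((tuple(path), prob, "END CONSEQUENCE"))
            return
        col = columns[i]
        # A dependent column (e.g. a revised instruction) is skipped when the
        # column it relies on (e.g. awareness) did not succeed.
        if col.requires is not None and not outcomes.get(col.requires, False):
            walk(i + 1, outcomes, prob, path + [f"{col.name}: n/a"])
            return
        label_ok = f"{col.name}: success"
        if col.terminates:
            results.append((tuple(path + [label_ok]), prob * col.p_success, "RECOVERED"))
        else:
            walk(i + 1, {**outcomes, col.name: True}, prob * col.p_success, path + [label_ok])
        walk(i + 1, {**outcomes, col.name: False}, prob * (1 - col.p_success),
             path + [f"{col.name}: failure"])

    walk(0, {}, 1.0, [])
    return results


def p_end_consequence(columns):
    """Probability that the initiating hazard reaches the end consequence."""
    return sum(p for _, p, end in enumerate_paths(columns) if end == "END CONSEQUENCE")


def relative_change(with_uas, without_uas):
    """Ratio of end-consequence probabilities: >1 means risk has increased."""
    return p_end_consequence(with_uas) / p_end_consequence(without_uas)


P_CA_FAULT_TREE_TOP = 0.10  # constructed: P(CA not provided when required)


def haz001_tree(p_other_aircraft):
    """HAZ001 mitigations in event-tree order; figures are constructed."""
    return (
        Column("ATC awareness", 0.90, terminates=False),
        Column("Revised ATC instruction", 0.95, requires="ATC awareness"),
        Column("Other aircraft avoiding action", p_other_aircraft),
        Column("Collision avoidance", 1 - P_CA_FAULT_TREE_TOP),
    )


WITHOUT_UAS = haz001_tree(p_other_aircraft=0.50)
WITH_UAS = haz001_tree(p_other_aircraft=0.40)   # reduced UA conspicuity (Table 4 caveat)

if __name__ == "__main__":
    for path, p, end in enumerate_paths(WITH_UAS):
        print(f"{p:.5f}  {end:16s} {' -> '.join(path)}")
    print("P(end consequence) without-UAS:", p_end_consequence(WITHOUT_UAS))
    print("P(end consequence) with-UAS:   ", p_end_consequence(WITH_UAS))
    print("relative change in risk:", round(relative_change(WITH_UAS, WITHOUT_UAS), 3))
```

Because only the ‘other aircraft’ column differs between the two trees, the relative change in risk collapses to the ratio of that column's failure probabilities, which is the kind of targeted sensitivity the PSSA can later replace with figures from the detailed fault trees; the modelling of ‘ATC awareness’ as a non-terminating column is what keeps ‘revised ATC instruction’ from being credited when the controller never noticed the non-compliance.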
4.4.1 Mitigations for HAZ001
The event tree for HAZ001 (Inability to comply with Separation Provision Instruction
from ATC) is shown in Appendix F.1, Figure 5. The mitigations for this hazard are
explained in Table 4 below. Note that whilst Air Traffic Control may be involved with
UAS operations within Scenario 2, it is unlikely this will be the case as the UA will be
flown under VLOS operation. The descriptions provided within the following tables are
based on the output from the UAS Safety Assessment Workshop. The FHA workshop
also identified a PIC mitigation for this hazard and HAZ002 and HAZ004; “PIC notices
error”. This was removed from the Event Tree as some of the causes identified in the
Functional Failure Analysis (FFA) would negate this mitigation. The PIC mitigation will
be remodelled in the FTA as part of the PSSA activity.
Air Traffic Control awareness
  Description: An Air Traffic Controller may be able to identify an aircraft that has failed to comply with a separation provision instruction.
  Scenario 1: The likelihood that an Air Traffic Controller identifies that an aircraft has failed to comply with a separation provision instruction will remain the same for the without-UAS and with-UAS situations. Although Air Traffic Controllers in the future may be provided with information to enable them to distinguish between manned and unmanned aircraft, this should not change their ability to provide separation provision.

Revised ATC Instruction
  Description: If the Air Traffic Controller is made aware, or notices, the Pilot in Command’s inability to comply with a separation provision instruction, it was considered very likely that ATC would provide an amended instruction or attempt to reinforce the instruction. This could be to that specific aircraft or, depending on the circumstances (e.g. an inability to control the aircraft), appropriate instructions to surrounding aircraft.
  Scenario 1: There is no change in the likelihood for either the without-UAS or the with-UAS situation for this mitigation.

Generic mitigations applicable to all hazards, without-UAS and with-UAS

Other Aircraft
  Description: Once all the mitigations listed above have failed, and assuming the worst case that there is another aircraft in close vicinity, the immediate mitigation is that the other aircraft takes avoiding action. It should be noted that the use of remote observers was discussed, but it was decided that a remote observer is a possible variant of Scenario 2 rather than a mitigation; it is therefore not included in the consequence analysis.
  Scenario 1: It was considered that there will be little or no change in the likelihood of another aircraft taking avoiding action from the without-UAS to the with-UAS situation. However, this may depend on the conspicuity of the UA itself in the with-UAS situation and on whether the other aircraft is able to move quickly enough to avoid the UA.

Collision Avoidance
  Description: The CA function is not provided (whether with-UAS or without-UAS) when it is required. This mitigation is stated in the negative because it is the top gate of the corresponding Fault Tree. Ideally CA should function in all scenarios; in reality there are limitations on any CA system in terms of how many CA scenarios can be detected, e.g. TCAS, even when fully working, will not resolve every CA encounter correctly and may sometimes create an accident situation that did not previously exist. As part of the success case argument the conditions under which CA is required to operate must be defined; this will be drawn out further within the Preliminary Safety Case.
  Scenario 1: Collision Avoidance Systems – see the Fault Tree analysis in Appendix D.1.1.
Table 4 – HAZ001 Event Tree Mitigations
4.4.2 Mitigations for HAZ002
The event tree for HAZ002 (Incorrect response to Separation Provision Instruction
from ATC) is presented in Appendix F.2, Figure 6. The mitigations for this hazard are
explained in Table 5.
Air Traffic Control awareness
  Description: An Air Traffic Controller may be able to identify an incorrect response from an aircraft to a separation provision instruction. Although Air Traffic Controllers in the future may be provided with information to enable them to distinguish between manned and unmanned aircraft, this should not change their ability to provide separation provision.
  Scenario 1: The likelihood that an Air Traffic Controller identifies that an aircraft has incorrectly complied with a separation provision instruction will remain the same for the without-UAS and with-UAS situations.

Revised ATC Instruction
  Description: If the Air Traffic Controller is made aware, or notices, the Pilot in Command’s incorrect compliance with a separation provision instruction, it is very likely that ATC would query the Pilot in Command’s response and provide an amended instruction.
  Scenario 1: There is no change in the likelihood for either the without-UAS or the with-UAS situation for this mitigation.

Other Aircraft and Collision Avoidance mitigations as per HAZ001.

Table 5 – HAZ002 Event Tree Mitigations
4.4.3 Mitigations for HAZ003
The event tree for HAZ003 (Intentional deviation from Separation Provision
Instruction from ATC) is presented in Appendix F.3, Figure 7. The mitigations for this
hazard are explained in Table 6.
Pilot in Command
  Description: In either the without-UAS or the with-UAS situation, if a Pilot in Command intentionally deviates from a separation provision instruction it was considered highly likely that he will communicate this to ATC as soon as possible. This mitigation was thought to have a very high likelihood given that procedures state, specifically for collision avoidance manoeuvres that contradict an ATC separation provision instruction, that a pilot informs ATC as soon as possible. It is assumed that all intentional deviations are for genuine reasons, e.g. weather avoidance, and not due to malicious actions.
  Scenario 1: It was considered potentially more likely that a UAS Pilot in Command would communicate an intentional deviation from an instruction more quickly than the pilot of a manned aircraft.

Air Traffic Control awareness
  Description: An Air Traffic Controller may query the deviation from an instruction, but may also assume that the instruction will be followed and focus attention elsewhere.
  Scenario 1: The likelihood that an Air Traffic Controller identifies that an aircraft has intentionally deviated from a separation provision instruction will remain the same for the without-UAS and with-UAS situations.

ATC verifies situation
  Description: If the Air Traffic Controller is made aware, or notices, the intentional deviation from a separation provision instruction, it is very likely that ATC would query the Pilot in Command’s response and provide an amended instruction.
  Scenario 1: There is no change in the likelihood for either the without-UAS or the with-UAS situation for this mitigation.

Other Aircraft and Collision Avoidance mitigations as per HAZ001.

Table 6 – HAZ003 Event Tree Mitigations
4.4.4 Mitigations for HAZ004
The event tree for HAZ004 (Delayed response to Separation Provision Instruction from ATC) is presented in Appendix F.4, Figure 8. The mitigations for this hazard are
explained in Table 7.
Air Traffic Control awareness
  Description: It is possible that an Air Traffic Controller may notice a delayed response from an aircraft to a separation provision instruction.
  Scenario 1: The likelihood that an Air Traffic Controller identifies a delayed response to a separation provision instruction will remain the same for the without-UAS and with-UAS situations. An Air Traffic Controller may query the absence of an initial response to his instruction.
Revised ATC Instruction
  Description: If the Air Traffic Controller is made aware, or notices, the Pilot in Command’s delayed response and understands the reasons for it, it was considered very likely that ATC would either provide an amended instruction or manoeuvre other aircraft accordingly.
  Scenario 1: There is no change in the likelihood for either the without-UAS or the with-UAS situation for this mitigation.

Other Aircraft and Collision Avoidance mitigations as per HAZ001.

Table 7 – HAZ004 Event Tree Mitigations
4.4.5 Mitigations for HAZ005
The event tree for HAZ005 (Loss of Separation Provision from ATC) is presented in
Appendix F.5, Figure 9. The mitigations for this hazard are explained in Table 8.
Pilot in Command
  Description: A Pilot in Command may notice the loss of separation provision from Air Traffic Control; he will initially attempt to contact Air Traffic Control and, if this is not possible, instigate lost communication procedures.
  Scenario 1: The likelihood that the Pilot in Command notices the loss of separation provision will remain the same for the without-UAS and with-UAS situations. A UAS is more likely to follow lost communication procedures than a manned aircraft. Furthermore, loss of communication with Air Traffic Control was considered less significant for the with-UAS situation because of the additional communication systems potentially available to the pilot of a UAS.

Other Aircraft and Collision Avoidance mitigations as per HAZ001.

Table 8 – HAZ005 Event Tree Mitigations
4.4.6 Mitigations for HAZ006
The event tree for HAZ006 (ATC Separation Provision Error) is presented in Appendix F.6, Figure 10. The mitigations for this hazard are explained in Table 9.
Air Traffic Control awareness
  Description: An Air Traffic Controller may be made aware of, or notice, an error in a separation provision instruction.
  Scenario 1: The likelihood that an Air Traffic Controller notices an error in a separation provision instruction provided to a Pilot in Command was considered to be no different for the without-UAS and with-UAS situations.
  Scenario 2: As for Scenario 1, the likelihood that an Air Traffic Controller notices an error in a separation provision instruction provided to a Pilot in Command was considered to be no different for the without-UAS and with-UAS situations.

Air Traffic Control Revised Instruction
  Description: If the Air Traffic Controller is made aware, or notices, an error with a separation provision instruction, it was considered very likely that ATC would provide an amended instruction.
  Scenario 1: The likelihood that an Air Traffic Controller identifies an error in the separation provision instruction provided to a Pilot in Command is considered to be no different for the without-UAS and with-UAS situations.
  Scenario 2: Air Traffic Control are less likely to be involved; however, the likelihood that an Air Traffic Controller identifies an error in the separation provision instruction provided to a Pilot in Command is considered to be no different for the without-UAS and with-UAS situations.

Other Aircraft and Collision Avoidance mitigations as per HAZ001.

Table 9 – HAZ006 Event Tree Mitigations
4.4.7 Mitigations for HAZ007
Mitigations for HAZ007 (Loss of Separation Provision from the Pilot in Command) are
only applicable to Scenario 2 due to the Pilot in Command being responsible for his
own Separation Provision as the UA is under VLOS operation. The event tree for
HAZ007 is presented in Appendix F.7, Figure 11. The mitigations for this hazard are
explained in Table 10.
Pilot in Command
  Description: Where a Pilot in Command is responsible for providing his own separation provision, he may identify a loss of separation, whether the result of PIC error or UA failure.
  Scenario 2: Where a Pilot in Command is responsible for providing his own separation provision, the likelihood of his realising that an action or UA failure has resulted in a loss of separation was considered to be very low, because it may be difficult for a Pilot in Command on the ground to correctly judge the distance and trajectory of a nearby aircraft, depending on where the Pilot in Command is located.

Revised Instruction
  Description: Once the Pilot in Command notices a loss of separation provision, it was considered very likely that he would revise and execute a new instruction as soon as possible.
  Scenario 2: The likelihood for this mitigation was considered no different for the without-UAS and with-UAS situations.
Other Aircraft and Collision Avoidance mitigations as per HAZ001 (Scenario 2)
Table 10 – HAZ007 Event Tree Mitigations
4.4.8 Mitigations for HAZ008
Mitigations for HAZ008 (Pilot in Command Separation Provision Error) are only applicable
to Scenario 2 due to the Pilot in Command being responsible for his own Separation
Provision as the UA is under VLOS operation. The event tree for HAZ008 is presented in Appendix F.8, Figure 12. The mitigations for this hazard are explained in Table 11.
Pilot in Command
  Description: Where a Pilot in Command is responsible for providing his own separation provision, he may identify an error in separation provision.
  Scenario 2: Where a Pilot in Command is responsible for providing his own separation provision, the likelihood of his noticing an error in a separation provision instruction was considered to be very low.

Revised Instruction
  Description: Once the Pilot in Command notices an error in a separation provision instruction, it was considered very likely that he would rectify this through a revised instruction and execute it as soon as possible.
  Scenario 2: The likelihood for this mitigation was considered no different for the without-UAS and with-UAS situations.

Other Aircraft and Collision Avoidance mitigations as per HAZ001 (Scenario 2).
Table 11 – HAZ008 Event Tree Mitigations
4.4.9 Mitigations for HAZ009
Mitigations for HAZ009 (Pilot in Command Separation Provision Instruction too late) are
only applicable to Scenario 2 due to the Pilot in Command being responsible for his own
Separation Provision as the UA is under VLOS operation. The event tree for HAZ009 is presented in Appendix F.9, Figure 13. The mitigations for this hazard are explained in
Table 12.
Pilot in Command
  Description: Where a Pilot in Command is responsible for his own separation provision, he may provide a separation instruction too late.
  Scenario 2: Where the Pilot in Command is responsible for providing his own separation provision instructions and one of these is implemented too late, the first mitigation, if there is an aircraft in the vicinity, is avoiding action by that aircraft, followed by initiation of collision avoidance systems.

Other Aircraft and Collision Avoidance mitigations as per HAZ001 (Scenario 2).
Table 12 – HAZ009 Event Tree Mitigations
4.4.10 Mitigations for HAZ010
Mitigations for HAZ010 (Separation Provision Minima is breached by Other Aircraft) are
only applicable to Scenario 2 due to the Pilot in Command being responsible for his own
separation provision as the UA is under VLOS operation. The event tree for HAZ010 is presented in Appendix F.10, Figure 14. The mitigations for this hazard are explained in
Table 13.
Revised PIC instruction
  Description: If the PIC is made aware, or notices, a loss in separation provision, it was considered very likely that the PIC would provide an amended instruction to the UA.
  Scenario 2: There is no change in the likelihood for either the without-UAS or the with-UAS situation for this mitigation, but it should be noted that it may be difficult for a PIC on the ground to correctly judge the distance and trajectory of a nearby aircraft, depending on where the PIC is located.

Other Aircraft and Collision Avoidance mitigations as per HAZ001 (Scenario 2).
Table 13 – HAZ010 Event Tree Mitigations
4.5 Analysis Conclusions
The consequence analysis identified a series of mitigations for each of the hazards
assigned to Scenario 1 and Scenario 2. The mitigations are essentially the same for
the with-UAS and without-UAS situations; however, there are specific areas where
UAS operations have the potential to affect the probability of success of some specific
mitigations, such as:
• The pilot in command in Scenario 1 is likely to identify situational awareness
issues more easily or quickly, based on the additional range of information
potentially available to them.
• The pilot in command in Scenario 1 may have more communication equipment
at hand to verify potential issues with ATC.
• The capability, performance and integrity of the CA function in Scenario 1 are
likely to be greater than in Scenario 2, given the PIC's relative position to the
UA under VLOS and the potential lack of automated support systems in Scenario 2.
This will be assessed further as part of the PSSA activity.
The analysis also identified that there are some common failure scenarios between the
causes of some hazards and the effectiveness of some mitigations, in particular for
collision avoidance. For example, aircraft height keeping and navigational equipment
is essential to separation provision and collision avoidance and failure of these would
be common to both. These common failure scenarios will be addressed as part of the
PSSA activity.
4.6 Safety Objectives
The purpose of the FHA is to identify a set of high level hazards and derive the
associated safety objectives, such that, if satisfied, an acceptable level of safety can be
demonstrated. The safety objectives are derived from the safety criteria, which in this
case are relative, i.e. not based on an absolute Target Level of Safety (TLS).
Given that the analysis has not identified any unique hazards for UAS operations, the
safety objective set out below is based on ensuring that the safety criteria (as stated in
section 1.4) are achieved, i.e. the risk from UAS operations is:
• No higher than for equivalent manned operations; and
• Reduced to As Far As Reasonably Practicable (AFARP), as required by ESARR 3
[3] and European Air Traffic Management Programme (EATMP) Safety Policy
[4].
For the criteria to be met the occurrence rate for each hazard must be no greater for
UAS operations (in Scenario 1 or Scenario 2) than for manned operations (see footnote 3). In both
cases where practicable the risk from UAS operations should be further reduced. The
potential for and feasibility of further risk reduction for each UAS hazard will be
considered as part of the PSSA.
Footnote 3: Since there is no direct equivalent to VLOS operations in manned operations, the benchmark occurrence rate for VLOS (Scenario 2) operations is that for VFR operations in Class G airspace.
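The two observations of section 4.5 (mitigations whose probability of success differs between Scenario 1 and Scenario 2, and common failure scenarios shared between the causes of a hazard and the collision avoidance mitigation) and the relative safety criterion above can be checked numerically with a small event-tree model. The following is an added example and is not code or data from this report: the three mitigation layers mirror the shape of the event trees in Appendix F, but every probability, the hazard rate and all names (Mitigation, propagate, propagate_with_common_cause, meets_relative_criterion) are assumed placeholders chosen for illustration.

```python
"""Event-tree propagation for an FHA hazard, with a common-cause check.

Added illustration, not part of the Ebeni/EUROCONTROL report. The mitigation
layers mirror the report's event trees (is another aircraft in the vicinity,
does the controller/pilot recover, does collision avoidance act), but every
probability below is an assumed placeholder, not a figure from the report.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Mitigation:
    """One branch of the event tree: the layer either stops the sequence
    (with probability p_success) or lets it escalate to the next layer."""
    name: str
    p_success: float


def propagate(hazard_rate: float, layers: List[Mitigation]) -> Dict[str, float]:
    """Return the rate at which a hazard ends in each outcome.

    hazard_rate is the hazard occurrence rate (e.g. per flight hour); the
    sequence that survives every layer is the collision outcome. The
    outcome rates always sum to hazard_rate.
    """
    outcomes: Dict[str, float] = {}
    remaining = hazard_rate
    for layer in layers:
        outcomes[f"stopped_by_{layer.name}"] = remaining * layer.p_success
        remaining *= 1.0 - layer.p_success
    outcomes["collision"] = remaining
    return outcomes


def propagate_with_common_cause(
    hazard_rate: float,
    layers: List[Mitigation],
    cc_fraction: float,
    cc_layer: str,
    cc_p_success: float,
) -> Dict[str, float]:
    """Propagate when a share of hazard occurrences (cc_fraction) arises from a
    failure that also degrades one mitigation layer (cc_layer), e.g. height
    keeping / navigation failing both separation provision and CA.

    In that sub-population the degraded layer succeeds with cc_p_success
    instead of its nominal value; the rest of the population is unchanged.
    The two sub-populations are summed outcome by outcome.
    """
    degraded = [
        Mitigation(m.name, cc_p_success if m.name == cc_layer else m.p_success)
        for m in layers
    ]
    cc_part = propagate(hazard_rate * cc_fraction, degraded)
    rest = propagate(hazard_rate * (1.0 - cc_fraction), layers)
    return {k: cc_part[k] + rest[k] for k in cc_part}


def meets_relative_criterion(with_uas: Dict[str, float],
                             without_uas: Dict[str, float],
                             outcome: str = "collision") -> bool:
    """Relative safety criterion: the with-UAS rate for the outcome must be
    no greater than the manned (without-UAS) rate."""
    return with_uas[outcome] <= without_uas[outcome]


# Assumed placeholder values (not from the report).
HAZARD_RATE = 1.0e-4  # hazard occurrences per flight hour

MANNED_LAYERS = [
    Mitigation("no_aircraft_in_vicinity", 0.90),
    Mitigation("atc_or_pilot_recovery", 0.90),
    Mitigation("collision_avoidance", 0.99),
]

# Scenario 2 style: PIC on the ground under VLOS, no automated CA support,
# so recovery and CA are assumed less likely to succeed.
UAS_VLOS_LAYERS = [
    Mitigation("no_aircraft_in_vicinity", 0.90),
    Mitigation("atc_or_pilot_recovery", 0.85),
    Mitigation("collision_avoidance", 0.95),
]


def compare_scenarios() -> Dict[str, float]:
    """Collision rates per flight hour for the three cases of interest."""
    manned = propagate(HAZARD_RATE, MANNED_LAYERS)
    uas = propagate(HAZARD_RATE, UAS_VLOS_LAYERS)
    # Assumed: 20 % of hazard occurrences stem from a nav/height-keeping
    # failure that also halves the chance that CA works in those cases.
    manned_cc = propagate_with_common_cause(
        HAZARD_RATE, MANNED_LAYERS, 0.20, "collision_avoidance", 0.50)
    return {
        "manned_independent": manned["collision"],
        "uas_vlos_independent": uas["collision"],
        "manned_common_cause": manned_cc["collision"],
    }


if __name__ == "__main__":
    rates = compare_scenarios()
    for name, value in rates.items():
        print(f"{name:24s} {value:.3e} collisions per flight hour")
    uas_ok = meets_relative_criterion(propagate(HAZARD_RATE, UAS_VLOS_LAYERS),
                                      propagate(HAZARD_RATE, MANNED_LAYERS))
    print("relative criterion met for UAS VLOS:", uas_ok)
```

With these placeholder values the with-UAS collision rate comes out about seven times the manned rate, so the relative criterion fails and the PSSA would have to show which mitigation improvements close the gap. The common-cause run makes the second point of section 4.5 concrete: treating the degraded collision avoidance layer as independent of the hazard cause understates the collision rate by roughly an order of magnitude, which is why the shared height-keeping and navigation failures must be modelled explicitly rather than multiplied through as independent branch probabilities.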
5 Conclusions
The Functional Hazard Assessment activity has identified ten hazards that fall within
the defined scope of the safety analysis. Six hazards apply to Scenario 1 and ten
hazards to Scenario 2. The UAS hazards are defined at the boundary of UAS
operations and reflect functional failure scenarios that could potentially lead to
hazardous situations. All ten hazards are common to the 'with-UAS' and 'without-UAS' situations.
The analysis has been performed based on the output of the UAS Safety Assessment
Workshop held at EUROCONTROL HQ, Brussels, and is bound by a number of scoping
statements and assumptions, as detailed in sections 3.6 and 3.7. The results of the
Functional Hazard Assessment enable an understanding of the risks associated with
the operation of UAS in non-segregated airspace, through the identification of the
hazards and the analysis of their consequences. The output of this report
and further analysis will enable a separate PSSA Report to be produced that will
document the safety requirements and provide traceability to detailed safety
requirements.
6 References
No | Reference | Document Title | Issue/Date
[1] | SAF.ETI.ST03.1000-MAN-01 | Air Navigation System Safety Assessment Methodology | Edition 2.1, 03 October 2006
[2] | ESARR4 | Risk Assessment and Mitigation in ATM | Edition 1.0, 05 April 2001
[3] | ESARR3 | ESARR3: Use of Safety Management Systems by ATM Service Providers | Edition 1.0, 17 July 2000
[4] | SAF.ETI.ST01.1000-POL-01-00 | EATMP Safety Policy | Edition 1.1, 25 August 1999
[5] | P09005.10.4 | UAS Safety Assessment Workshop Minutes | Edition 0.2, 18 May 2009
[6] | P05005.10.4 | Functional Hazard Assessment/Preliminary System Safety Assessment (FHA/PSSA) Report for Military UAV as OAT outside Segregated Airspace | Edition 1.0, 23 August 2003
[7] | AN-Conf/11-WP/4 | Appendix A to ATM Operational Concept Document | September 2003
[8] | EUROCONTROL-SPEC-0102 | EUROCONTROL Specifications for the Use of Military Unmanned Aerial Vehicles as Operational Air Traffic outside Segregated Airspace | Edition 1.0, 26 July 2007
[9] | SRC POL DOC 2 | SRC Policy Document 2: Use of Safety Nets in Risk Assessment and Mitigation in ATM | Edition 1.0, 19 April 2002
[10] | ICAO Annex 11 | Air Traffic Services | Edition 11, July 1997
[11] | JAA JAR25-1309 | Classification of Airborne Equipment Failures | -
Table 14 – Table of References
Appendix A UAS Safety Assessment Workshop Agenda and
Participants
A.1 UAS Workshop Agenda
Agenda: UAS Safety Assessment Workshop
Location: EUROCONTROL HQ, Brussels, Pegase (29th April) & Jupiter (30th April)
Time: 10.00 Wednesday 29th April to 15.00 Thursday 30th April
AGENDA
1. Introductions and Logistics
a. Ebeni Team
b. UAS Safety Assessment Workshop Participants
2. Overview of the UAS Safety Assessment Workshop
a. Objectives
b. Scope
c. Technical Approach Summary
3. Review of UAS Scenarios
4. Review of UAS Functional and Logical Architecture Models
5. Identification of hazards
6. What If Analysis
7. Consequence Analysis
8. Discussion
9. Questions/AOB
A.2 UAS Workshop Participants
Name | Title/Role | Organisation | Contact Details
Michael Strong | ATM Expert | EUROCONTROL | [email protected], +3227293051
Jean-Michel De Rede (29th only) | Safety Expert | EUROCONTROL | jean-michel.de-
Andrew Jones | ATM Expert | Thales Aerospace | [email protected]
Hans Brants | Project Manager/Flight Instruction | National Aerospace Lab (NLR) | +31205113782
Mike Wildin | ATM Expert | EUROCONTROL | [email protected], +01489616565
Andy Edmunds | ATM Expert | NATS, UK | [email protected]
Don Harris | ATM Expert | EUROCONTROL | [email protected], +3227093386
Michael Haim (29th only) | Navigator | SHAPE | [email protected]
Marc Deboeck | Senior ATM Safety Expert | EUROCONTROL, DG/SRU |
Tony Henley | Product Manager | BAE Systems | [email protected], 441634203392
Alan Simpson | Safety Engineer | Ebeni Limited | [email protected]
Jo Stoker | Safety Engineer | Ebeni Limited | [email protected]
Hayley Burdett | Safety Engineer | Ebeni Limited | [email protected]
Appendix B Unmanned Aircraft System Models
B.1 Flight Profiles
B.1.1 Flight Profile: Scenario 1
B.1.2 Flight Profile : Scenario 2
B.2 Functional Models
B.2.1 Functional Model: Scenario 1
B.2.2 Functional Model: Scenario 2
Appendix C Functional Failure Analysis
Columns: Ref | Function | Guideword | Scenario 1 Impact | Hazard | Scenario 2 Impact | Hazard. Each row below gives the Ref, Function and Guideword on one line, followed by the Scenario 1 and Scenario 2 impacts, each with its associated hazard(s) or (for the collision avoidance functions 4 to 6) the effect on CA.
1.1 Separation Provision Instruction: Loss
Scenario 1: Pilot no longer receives ATC instruction. This is a hazard if the Pilot fails to revert to the lost communications procedure and follow the agreed contingency plan. Hazard: HAZ005
Scenario 2: ATC: In certain circumstances it may be necessary to receive an ATC instruction to proceed. This would be a hazard if the PIC commences operation without an ATC clearance. PIC: PIC no longer gives separation instruction to the aircraft, e.g. loss of situational awareness, pilot error, etc. This is a hazard if the aircraft has no safe contingency plan in the event of VLOS control failure. Hazards: HAZ008, HAZ007
1.2 Separation Provision Instruction: Error
Scenario 1: Pilot given incorrect instruction regarding separation, e.g. wrong course change, invalid permission to approach, danger area open, etc. Hazard: HAZ006
Scenario 2: ATC: Pilot given incorrect instruction regarding clearance. PIC: PIC issues a separation provision instruction to the aircraft containing an error. Hazards: HAZ006, HAZ008
1.3 Separation Provision Instruction: Intentional Deviation
Scenario 1: PIC makes intentional deviation from separation provision instruction provided by ATC, e.g. weather avoidance, emergency alerts, etc. This is a potential hazard if the subsequent action is not coordinated with ATC. Hazard: HAZ003
Scenario 2: UA makes intentional deviation from separation provision instruction provided by PIC, e.g. override event (terrain avoidance) or emergency. Hazard: HAZ007
1.4 Separation Provision Instruction: Too Early
Scenario 1: Pilot is given instruction too early, leading to the aircraft being in the wrong position at a particular time, e.g. pilot is told to climb too early and separation is reduced. Hazard: HAZ006
Scenario 2: ATC: as 1.2 above. PIC: UA is given instruction too early by the PIC, leading to the UA being in the wrong position at a particular time, e.g. UA is told to climb too early and separation is reduced. Hazards: HAZ006, HAZ008
1.5 Separation Provision Instruction: Too Late
Scenario 1: Pilot is given separation provision instruction from ATC too late, leading to the aircraft being in the wrong position at a particular time, e.g. pilot is told to climb too late and separation is reduced. Hazard: HAZ006
Scenario 2: ATC: as 1.2 above. PIC: Pilot in Command provides instruction too late, leading to the aircraft being in the wrong position at a particular time. Hazards: HAZ006, HAZ009
2.1 Separation Provision Monitor: Loss
Scenario 1: Separation is not monitored, potentially increasing the probability of a loss of, or incorrect, separation provision instruction from ATC. This also undermines the ability of ATC to mitigate certain ATC hazards. Hazard: HAZ005
Scenario 2: ATC: Assumed that ATC will still be able to provide correct clearance. PIC: Pilot loses situational awareness and is unable to correctly control the UA in relation to other aircraft. Hazards: None (ATC), HAZ007 (PIC)
2.2 Separation Provision Monitor: Error
Scenario 1: Separation is incorrectly monitored, leading to incorrect separation provision instruction from ATC. Hazard: HAZ006
Scenario 2: ATC: as 1.2 above. PIC: Pilot has incorrect situational awareness and may give an incorrect separation provision instruction to the UA. Hazards: HAZ006, HAZ008
2.3 Separation Provision Monitor: Intentional Deviation
Scenario 1: Not applicable. Hazard: None
Scenario 2: Not applicable. Hazard: None
2.4 Separation Provision Monitor: Too Early
Scenario 1: Not valid. Hazard: None
Scenario 2: Not valid. Hazard: None
2.5 Separation Provision Monitor: Too Late
Scenario 1: As 2.2, separation provision is monitored too late, leading to the wrong picture of air traffic and a delayed or incorrect separation instruction from ATC. Hazard: HAZ006
Scenario 2: ATC: as 1.2 above. PIC: Pilot is not paying attention to situational awareness and may give an incorrect separation provision instruction to the UA. Hazards: HAZ006, HAZ008
3.1 Trajectory Compliance: Loss
Scenario 1: PIC or UA is unable to comply with separation provision instruction from ATC, e.g. due to system performance limitations, aircraft equipment failure, etc. This is a hazard if the PIC is unable to coordinate the loss with ATC. Hazard: HAZ001
Scenario 2: ATC: The scenario is based on ATC not providing specific trajectory instructions (see Scope S008). However, ATC may stipulate airspace limitations (e.g. stay below 2000 ft). PIC: UA is unable to comply with separation provision instruction from PIC, e.g. due to critical equipment failure, etc. Hazard: HAZ007
3.2 Trajectory Compliance: Error
Scenario 1: PIC responds incorrectly to separation provision instruction from ATC, e.g. pilot error, incorrect read back, equipment failure, etc. If the UA does not respond correctly, this is a hazard if the PIC is unable to coordinate with ATC. Hazards: HAZ002, HAZ001
Scenario 2: ATC: as 3.1. PIC: UA responds incorrectly to separation provision instruction from PIC, e.g. pilot error, equipment failure, etc. Hazard: HAZ008
3.3 Trajectory Compliance: Intentional Deviation
Scenario 1: PIC makes intentional deviation from separation provision instruction provided by ATC, e.g. weather avoidance, emergency alerts, etc. This is a hazard if the PIC is unable to coordinate with ATC. Hazard: HAZ003
Scenario 2: ATC: as 3.1. PIC: UA makes intentional deviation from separation provision instruction provided by PIC, e.g. terrain avoidance, emergency alerts, etc. Hazard: HAZ008
3.4 Trajectory Compliance: Too Early
Scenario 1: PIC carries out separation provision instruction too early, leading to an incorrect response. The UA may perform a manoeuvre out of sequence; this is a hazard if the PIC is unable to coordinate with ATC. Hazards: HAZ002, HAZ001
Scenario 2: ATC: as 3.1. PIC: UA carries out separation provision instruction too early, leading to an incorrect response (depends on how instructions are given to the UA; not credible where instructions are live). Hazard: HAZ008
3.5 Trajectory Compliance: Too Late
Scenario 1: PIC gives a delayed response to a separation provision instruction, e.g. communication link latency, pilot input delayed, etc. Hazard: HAZ004
Scenario 2: ATC: as 3.1. PIC: UA gives a delayed response to a separation provision instruction, e.g. communication link latency, pilot input delayed, etc. Hazard: HAZ009
4.1 Observe: Loss
Scenario 1: No observation of air traffic takes place, therefore no collision threats are detected, so CA is inoperative. Effect: CA will not act when required
Scenario 2: PIC: PIC fails to monitor for collision threats, so CA is not performed. Effect: CA does not act when required
4.2 Observe: Error
Scenario 1: An error is made when observing other traffic, leading to either missing a collision threat (hence CA does not act) or false identification of a collision threat (hence CA may activate when not required). Effect: CA does not act when required; cause of HAZ004 if PIC unaware, otherwise HAZ003
Scenario 2: PIC: PIC misjudges collision threats, so CA is not performed correctly. Effect: CA acts incorrectly
4.3 Observe: Intentional Deviation
Scenario 1: CA may not be able to detect certain threats due to limitations of sensors or due to characteristics of the threat (e.g. inconspicuous). Effect: CA does not act when required
Scenario 2: Not applicable. Effect: N/A
4.4 Observe: Too Early
Scenario 1: Not a hazard, but early CA activation may be construed as a nuisance. Excessive occurrence of nuisance events may result in ATC workload issues. Effect: None
Scenario 2: Not applicable. Effect: N/A
4.5 Observe: Too Late
Scenario 1: Impact the same as Loss (4.1 above). Effect: CA does not act when required
Scenario 2: Impact the same as Loss (4.1 above). Effect: Loss of CA mitigation
5.1 Resolve/Decide: Loss
Scenario 1: No decision on collision avoidance is made or no CA resolution is possible. Effect: CA will not act when required
Scenario 2: PIC: PIC unable to determine collision avoidance action, so CA is not performed. Effect: CA does not act when required
5.2 Resolve/Decide: Error
Scenario 1: An error is made when deciding what collision avoidance action is necessary, either the wrong avoidance action is decided for a collision threat (hence CA acts incorrectly) or a CA action is falsely identified (hence CA may activate when not required). Effect: CA acts incorrectly; cause of HAZ004 if PIC unaware, otherwise HAZ003
Scenario 2: PIC: PIC misjudges collision resolution, so CA is not performed correctly. Effect: CA acts incorrectly
5.3 Resolve/Decide: Intentional Deviation
Scenario 1: Not applicable. Effect: N/A
Scenario 2: Not applicable. Effect: N/A
5.4 Resolve/Decide: Too Early
Scenario 1: As 4.4. Effect: None
Scenario 2: Not applicable. Effect: N/A
5.5 Resolve/Decide: Too Late
Scenario 1: Collision avoidance decision is taken too late. Effect: CA does not act when required
Scenario 2: PIC: Collision avoidance decision is taken too late. Effect: CA does not act when required
6.1 Act: Loss
Scenario 1: PIC or UA does not execute collision avoidance manoeuvre. Effect: CA action ignored
Scenario 2: PIC: UA does not execute collision avoidance manoeuvre from PIC. Effect: CA does not act when required
6.2 Act: Error
Scenario 1: PIC or UA makes an error when executing collision avoidance manoeuvre. Effect: CA acts incorrectly
Scenario 2: PIC: UA does not execute collision avoidance manoeuvre from PIC correctly. Effect: CA acts incorrectly
6.3 Act: Intentional Deviation
Scenario 1: PIC or UA does not comply with a collision avoidance action due to override or critical failure. Effect: None
Scenario 2: Not applicable. Effect: N/A
6.4 Act: Too Early
Scenario 1: As 4.4. Effect: None
Scenario 2: Not applicable. Effect: N/A
6.5 Act: Too Late
Scenario 1: PIC or UA executes collision avoidance manoeuvre too late. Effect: CA does not act when required
Scenario 2: UA executes collision avoidance manoeuvre too late. Effect: CA does not act when required
7.1 Other Aircraft Trajectory Compliance (see footnote 4): Loss
Scenario 1: Other aircraft does not follow ATC instructions, which if unresolved by ATC would lead to a loss of separation from ATC. Alternatively, ATC could issue an incorrect instruction to the UA, for example as a result of workload or misjudging the correct resolution. Hazards: HAZ005, HAZ006
Scenario 2: PIC: The other aircraft may breach the separation minima or closest point of approach from the UA perspective, which the UA PIC must still attempt to avoid. Hazard: HAZ010
Footnote 4: Note this also applies to the Separation Provision Monitor and Instruction functions in Scenario 2.
7.2 Other Aircraft Trajectory Compliance: Error
Scenario 1: Other aircraft responds incorrectly to separation provision instruction, which if unresolved by ATC would lead to a loss of separation from ATC. Alternatively, ATC could issue an incorrect instruction to the UA, for example as a result of workload or misjudging the correct resolution. Hazards: HAZ005, HAZ006
Scenario 2: PIC: The other aircraft may breach the separation minima or closest point of approach from the UA perspective, which the UA PIC must still attempt to avoid. Hazard: HAZ010
7.3 Other Aircraft Trajectory Compliance: Intentional Deviation
Scenario 1: Other aircraft makes an intentional deviation from the separation provision instruction provided by ATC and so does not comply with its trajectory, which if unresolved by ATC would lead to a loss of separation from ATC. Alternatively, ATC could issue an incorrect instruction to the UA, for example as a result of workload or misjudging the correct resolution. Hazards: HAZ005, HAZ006
Scenario 2: PIC: The other aircraft may breach the separation minima or closest point of approach from the UA perspective, which the UA PIC must still attempt to avoid. Hazard: HAZ010
7.4 Other Aircraft Trajectory Compliance: Too Early
Scenario 1: Other aircraft carries out separation provision instruction too early, which if unresolved by ATC would lead to a loss of separation from ATC. Alternatively, ATC could issue an incorrect instruction to the UA, for example as a result of workload or misjudging the correct resolution. Hazards: HAZ005, HAZ006
Scenario 2: PIC: The other aircraft may breach the separation minima or closest point of approach from the UA perspective, which the UA PIC must still attempt to avoid. Hazard: HAZ010
7.5 Other Aircraft Trajectory Compliance: Too Late
Scenario 1: Other aircraft carries out separation provision instruction too late, which if unresolved by ATC would lead to a loss of separation from ATC. Alternatively, ATC could issue an incorrect instruction to the UA, for example as a result of workload or misjudging the correct resolution. Hazards: HAZ005, HAZ006
Scenario 2: PIC: The other aircraft may breach the separation minima or closest point of approach from the UA perspective, which the UA PIC must still attempt to avoid. Hazard: HAZ010
8.1 Flight Planning: Loss
Scenario 1: ATC/PIC: Assumption A0013: where no FPL is available, an airborne FPL will be created. UA: Where the FPL is lost, the UA will not follow an agreed contingency plan following data link loss. Hazards: None (ATC/PIC), HAZ001 (UA)
Scenario 2: UA: Possibility that the UA may perform unsafe manoeuvres or landing following data link loss. Hazard: HAZ007
8.2 Flight Planning: Error
Scenario 1: ATC/PIC: Errors in FPLs are usually addressed during ATC to PIC RT; however, they could lead to confusion. UA: Errors in the flight plan could lead to incorrect implementation of contingency plans following data link loss. Hazards: potential cause of HAZ002/HAZ006 (ATC/PIC), HAZ002 (UA)
Scenario 2: UA: Possibility that the UA may perform unsafe manoeuvres or landing following data link loss. Hazard: HAZ008
8.3 Flight Planning: Intentional Deviation
Scenario 1: Not a hazard if coordinated with ATC. Hazard: None
Scenario 2: Not applicable. Hazard: N/A
8.4 Flight Planning: Too Early
Scenario 1: As 8.2. Hazard: See 8.2
Scenario 2: As 8.2. Hazard: See 8.2
8.5 Flight Planning: Too Late
Scenario 1: As 8.2. Hazard: See 8.2
Scenario 2: As 8.2. Hazard: See 8.2
Appendix D UAS Fault Trees
D.1 UAS Scenario 1 Fault Trees
D.1.1 Collision Avoidance Fault Tree
D.1.2 HAZ001 Fault Tree
D.1.3 HAZ002 Fault Tree
D.1.4 HAZ003 Fault Tree
D.1.5 HAZ004 Fault Tree
D.1.6 HAZ005 Fault Tree
D.1.7 HAZ006 Fault Tree
D.2 UAS Scenario 2 Fault Trees
D.2.1 Collision Avoidance Fault Tree
D.2.2 HAZ006 Fault Tree
D.2.3 HAZ007 Fault Tree
D.2.4 HAZ008 Fault Tree
D.2.5 HAZ009 Fault Tree
D.2.6 HAZ010 Fault Tree
Appendix E Severity Classification
Severity Classification Scheme
Columns: Consequence | ATC Definition | Examples of consequences include
Severity 1: Complete loss of safety margins
ATC definition: Collision
Examples: Accidents, including one or more catastrophic accidents; one or more mid-air collisions; total loss of flight control. No independent source of recovery mechanism, such as surveillance or ATC and/or flight crew procedures, can reasonably be expected to prevent the accident(s).
Severity 2: Large reduction in safety margins
ATC definition: Total loss of ability to maintain separation
Examples: Serious incidents, including a large reduction in separation (e.g. more than half the separation minima), without crew or ATC fully controlling the situation or able to recover from the situation; abrupt collision or terrain avoidance manoeuvres are required to avoid an accident (or when an avoidance action would be appropriate); a probability of structural damage (or serious injury) to crew or passengers.
Severity 3: Major reduction in safety margins
ATC definition: Ability to maintain separation is severely compromised
Examples: Major incidents, including a large reduction in separation (e.g. more than half the separation minima) with crew or ATC fully controlling the situation and able to recover from the situation; a major reduction in separation (e.g. less than half the separation minima) without crew or ATC fully controlling the situation, hence jeopardising the ability to recover from the situation (without the use of collision avoidance manoeuvres).
Severity 4: Slight reduction in safety margins
ATC definition: Ability to maintain separation is impaired
Examples: Significant incidents, including no direct impact on safety but an indirect impact by increasing the workload of the ATCO or aircraft flight crew, or slightly degrading the functional capability of the enabling CNS system; a major reduction in separation (e.g. less than half the separation minima) with crew or ATC controlling the situation and fully able to recover from the situation.
Severity 5: No effect on safety
ATC definition: No impact on ability to maintain separation
Examples: No hazardous condition, i.e. no direct or indirect impact on the operations.
Appendix F Consequence Models
F.1 HAZ001 – Inability to comply with Separation Provision Instruction from ATC
Figure 5 – HAZ001 Event Tree: Scenario 1
F.2 HAZ002 – Incorrect response to Separation Provision Instruction from ATC
Figure 6 – HAZ002 Event Tree: Scenario 1
F.3 HAZ003 – Intentional deviation from Separation Provision Instruction from ATC
Figure 7 – HAZ003 Event Tree: Scenario 1
F.4 HAZ004 – Delayed response to Separation Provision Instruction from ATC
Figure 8 – HAZ004 Event Tree: Scenario 1
F.5 HAZ005 – Loss of Separation Provision from ATC
Figure 9 – HAZ005 Event Tree: Scenario 1
F.6 HAZ006 – ATC Separation Provision Error
Figure 10 – HAZ006 Event Tree: Scenario 1
F.7 HAZ007 – Loss of Separation Provision from the Pilot in Command
Figure 11 – HAZ007 Event Tree: Scenario 2
F.8 HAZ008 – Pilot in Command Separation Provision Error
Figure 12 – HAZ008 Event Tree: Scenario 2
F.9 HAZ009 – Pilot in Command Separation Provision Instruction too late
Figure 13 – HAZ009 Event Tree: Scenario 2
F.10 HAZ010 – Separation Provision minima is breached by other aircraft
Figure 14 – HAZ010 Event Tree: Scenario 2