2

Background

Safety has been ingrained in the aviation culture from its earliest days. Aviation is often held up as the model for how to improve safety in other domains, from health care to the automotive industry.¹

In the context of aviation, safety is defined as a state where the possibility of harm to people or property is reduced to and maintained at or below an acceptable level of risk. Because of actions by regulators, manufacturers, and operators, the aviation system provides a transportation capability that has the lowest safety risk of any mode of motorized transportation. While accidents involving large commercial aircraft do occasionally happen, the rate of occurrence is so low that safety experts no longer focus on corrective actions associated with accidents or incidents but are now focused on proactive safety initiatives based on analysis of precursors of potential accidents.

Since its inception, the Federal Aviation Administration (FAA) has been charged as the federal agency responsible for regulating civil aviation to ensure safety. The FAA promotes safety by issuing and enforcing regulations and minimum standards covering manufacturing, operating, and maintaining aircraft.² For the most part, the FAA focuses on ensuring the safety of the occupants of aircraft (i.e., crew and passengers) in the belief that if first-party participants are safe, third-party participants (e.g., the public on the ground) will also be safe. As a means of ensuring that aviation operations are within acceptable levels of risk, the FAA, as the regulator, generally requires the following three elements:

1. A certified aircraft,
2. A licensed pilot, and
3. Operational approval to access specific airspace.

For remotely piloted aircraft that would operate in the National Airspace System, the requirements are the same. It is important to note that unmanned aircraft including model aircraft flown for recreational purposes are considered “aircraft” under federal regulation.

___________________

¹ L.S.G.L. Wauben, J.F. Lange, and R.H.M. Goossens, 2012, Learning from aviation to improve safety in the operating room: A systematic literature review, Journal of Healthcare Engineering 3(3):373-380; M. Young, N. Stanton, and D. Harris, 2007, Driving automation: Learning from aviation about design philosophies, International Journal of Vehicle Design, https://doi.org/10.1504/IJVD.2007.014908; NHTSA Press Release, 2016, “U.S. Department of Transportation Convenes Aviation and Automobile Industry Forum on Safety,” https://www.nhtsa.gov/press-releases/us-department-transportation-convenes-aviation-and-automobile-industry-forum-safety.

² See FAA website, https://www.faa.gov/about/mission/activities/.

Today, there are effectively five ways in which an unmanned aircraft system (UAS) can legally operate in the National Airspace System:

1. Model aircraft. Under 14 Code of Federal Regulations (CFR) Part 101.41, an aircraft that is “flown strictly for hobby or recreational use” can operate in the National Airspace System if it follows “safety guidelines” and other processes under the auspices of a “community-based organization” (e.g., the Academy of Model Aeronautics). The operations should not interfere with and should give way to manned aircraft, in addition to some other operational limits. Certified aircraft and licensed pilots are not required. No operational approval is needed to operate a model aircraft, but notification of air traffic control (ATC) may be required.
2. Small UAS rule compliant. In 2016, the FAA made 14 CFR Part 107 final, which enabled UAS to be operated without the need for an airworthiness certificate for hobby, recreational, commercial, public safety, or any other purpose in the National Airspace System. Part 107 lays out requirements for the licensing of UAS pilots as well as operational limitations (e.g., operating below 400 feet above ground level) and airspace (e.g., class G [uncontrolled] airspace) where operations are permitted (see Figure 2.1). Aircraft operating under Part 107 do not require an airworthiness certificate or operational approval if they follow all of the operating provisions outlined in the rule.
3. Small UAS rule waivers. 14 CFR §107.205 lists a number of provisions (i.e., operational limitations that the FAA can waive), including the following: prohibition of operation from a moving vehicle, daytime-only operations, requirement to remain in visual line of sight, and prohibition of operation over people and operation of multiple aircraft by one person. Aircraft operating under Part 107 Waiver do not require an airworthiness certificate but may need to follow additional operational provisions as defined in the waiver application.
4. Small UAS rule airspace authorization. 14 CFR §107.41 makes it clear that small UAS cannot be operated “in Class B, Class C, or Class D airspace [i.e., in the vicinity of airports] or within the lateral boundaries of the surface area of Class E [en route] airspace that has been designated for an airport unless that person has prior authorization from ATC.” For some operations, both a Part 107 Waiver and a Part 107 Airspace Authorization will be required. In some cases, the FAA could waive the need for airspace authorization by issuing an “Airspace Waiver” that is usually for longer duration (i.e., 6 months to 2 years). Applicants are encouraged to apply 90 days prior to flight. The FAA is working to streamline this approval process through the creation of facility maps³ and the Low Altitude Authorization and Notification Capability (LAANC) prototype.⁴ The airspace authorization is operational approval to operate in the specified airspace.
5. Certificate of Authorization (COA) or waiver. Operational approval is available for aircraft operating under 14 CFR Part 91⁵ that have an airworthiness certificate⁶ and are operated by a licensed pilot. Since there are very few commercial unmanned aircraft with an airworthiness certificate (e.g., special airworthiness certificate—experimental category), the COA process is mainly used by public entities (e.g., the military services, NASA, public universities) that have the authority to designate their own aircraft as airworthy.

For proponents planning to operate in compliance with either the model aircraft rule or the small UAS rule, no additional scrutiny or review by the FAA is required, and they have operational approval as long as they remain within the operational limits expressed in 14 CFR Part 101 and 14 CFR Part 107. All other proponents must submit a request to the FAA for a waiver or authorization. The FAA has attempted to assist proponents by publishing

___________________

³ UAS facility maps show the maximum altitudes around airports where the FAA may authorize Part 107 UAS operations without additional safety analysis. The maps should be used to inform requests for Part 107 airspace authorizations and waivers in controlled airspace (see https://www.faa.gov/uas/request_waiver/uas_facility_maps/).

⁴ LAANC is an industry-developed application with the goal of providing drone operators near-real-time processing of airspace notifications and automatic approval of requests that are below approved altitudes in controlled airspace. LAANC meets the regulatory requirements of the small UAS rule (14 CFR Part 107) and the model aircraft notification requirement (14 CFR 101.41). See https://www.faa.gov/uas/programs_partnerships/uas_data_exchange/.

⁵ Efforts are under way to also exempt aircraft operated under 14 CFR Part 135.

⁶ Public Law 112-095 Section 333 and Public Law 114-190 Section 2210 exempt certain aircraft from requiring an airworthiness certificate.

guidelines⁷ on what information is required and by providing electronic means to facilitate interactions, including the “DroneZone”⁸ and the LAANC. These electronic tools are intended to streamline requests for waivers that can be considered routine (e.g., authorization to operate in Class C airspace below the altitude defined in the published facility maps while remaining otherwise in compliance with the operational limitations in 14 CFR Part 107).

The DroneZone website also provides a means for reporting UAS accidents and incidents. These reports should be filed within 10 days of an event if a UAS causes a serious injury or damage in excess of $500. The number of incident reports has increased from about 25 monthly in 2014 to about 125 monthly in 2016. As of September 2017, however, there has only been one confirmed collision between a UAS and a manned aircraft in the United States.⁹ Research using data from incident reports is ongoing. Key goals include quantifying how unique hazards affect risk and methods for evaluating specific risks and how to mitigate them (FAA, 2017).

For new, novel, and more complex waiver requests, the evaluation process by the FAA can be significantly less predictable and not sufficiently responsive (i.e., it takes too long). FAA Order 8040.4 specifies a safety risk management (SRM) policy for the agency. As guidance to all FAA lines of business, it establishes common terms and processes used to analyze, assess, mitigate, and accept safety risk in the aerospace system. It is the intent of the order to allow flexibility in how safety risk management is conducted and the tools and techniques that are employed and at the same time help to establish some consistency in the application of key principles.

Although there is consistency, the processes implemented by the lines of business are qualitative and highly dependent on the subjective perspective of subject matter experts who may be involved. While the policy establishes a clear analytic approach, it is fundamentally operating on qualitative/subjective data. The approach requires substantial details from proponents and significant effort by FAA personnel. Consequently, the process is not timely, it is not necessarily repeatable, and proponents cannot readily predict the outcome.

This committee was charged with considering safety risk management approaches that would include quantitative methods that may be performed by proponents and then reviewed by those responsible for regulatory oversight (i.e., the FAA). Quantitative approaches would use objective data to predict potential risk as measured in adverse outcome (e.g., fatalities) per some operational unit (e.g., flight hours, flights). This predicted quantitative risk can be calculated using a combination of empirical data, simulation studies, and systems analysis. The calculated safety risk can then be compared with a target level of safety, the safety risk of the operations it replaces, or other benefits.

___________________

⁷ See https://www.faa.gov/uas/request_waiver/waiver_safety_explanation_guidelines/.

⁸ See https://faadronezone.faa.gov/.

⁹ On September 21, 2017, a small civilian UAS entered the rotor system of a U.S. Army UH-60 Blackhawk helicopter. The helicopter continued to its intended destination, and the collision caused no injuries.

ASSUMPTIONS AND GUIDING PRINCIPLES

The following list of assumptions and guiding principles was used by the committee to steer its efforts and helped shape the findings and recommendations that are discussed later in this report. Although these are not findings and recommendations, they guided the committee in developing its findings and recommendations.

• The introduction of UAS into the airspace will not degrade safety or security.
• Rules, regulations, and restrictions for UAS operations should be commensurate with the risk posed by the specific operation.
• Regulations and standards should avoid being proscriptive, allowing for innovation.
• Potential safety risks of UAS operations primarily include collisions with other aircraft and injury to people on the ground.
• It is beyond the scope of this study to consider the risks created by UAS operated by intentional bad actors.
• UAS are here to stay and will grow in numbers, missions, diversity, and complexity. The effectiveness of rules, regulations, standards, procedures, data collection systems, risk assessment methods, simulations, and so on, will be very limited unless they are able to scale up to accommodate UAS vehicles and missions that are more numerous, more diverse, and more complex.
• UAS operations have the potential to provide societal benefits such as job creation, economic growth, reductions in environmental impacts, increased productivity, and improved safety and security.
• UAS operations can reduce safety risks by replacing operations that occur today¹⁰ that put people in danger with a flight by an unmanned aircraft.
• Data can be collected from simulation, safety assessments, and existing operations to help quantify benefits against risks.
• The regulatory framework and practices established by other countries can inform the process of integration of UAS into the National Airspace System.¹¹
• Safety is a high priority for the FAA as well as the UAS industry (i.e., manufacturers, suppliers, and operators).

DEFINITIONS

In this report the following terms are used:

• Aircraft manufacturer—An organization that has been recognized by its certifying authority as having manufactured the aircraft, at the time of completion.
• Beyond visual line-of-sight operation—An operation in which the remote crew is not able to remain in visual contact with the aircraft to manage its flight and meet separation and collision avoidance responsibilities.
• Comparative risk analysis—Involves contrasting risks produced by two activities using a common scale.
• Hazard—A condition that could foreseeably cause or contribute to an aircraft accident (FAA Order 8040.4B).
• Likelihood—The estimated probability or frequency, in quantitative or qualitative terms, of a hazard’s effect or outcome (FAA Order 8040.4B).
• Operator—The individual or organization that operates aircraft.
• Qualitative analysis—Analysis through relative or subjective measures without specific quantities.
• Quantitative analysis—Numerical analysis based on empirical or modeled data.
• Remote crew member—A licensed crew member charged with duties essential to the operation of a remotely piloted aircraft, during flight time (International Civil Aviation Organization [ICAO] Circular 328-AN/190).

___________________

¹⁰ As an example, UAS “technology has the potential to reduce unnecessary climbing and can avoid putting employees at risk.” OSHA/FCC Communications Tower Best Practices, https://www.osha.gov/Publications/OSHA3877.pdf.

¹¹ For example, Regulation of Drones, published by the Law Library of Congress in 2016, describes UAS regulations in 12 countries: Australia, Canada, China, France, Germany, Israel, Japan, New Zealand, Poland, South Africa, Sweden, Ukraine, United Kingdom, and the European Union. https://www.loc.gov/law/help/regulation-of-drones/regulation-of-drones.pdf.

• Remote pilot—The person who manipulates the flight controls of a remotely piloted aircraft during flight time (ICAO Circular 328-AN/190).
• Remotely piloted—Control of an aircraft from a pilot station that is not on board the aircraft (ICAO Circular 328-AN/190).
• Remotely piloted aircraft—An aircraft where the flying pilot is not on board the aircraft (ICAO Circular 328-AN/190).
• Safety—The state in which the risk of harm to persons or property damage is acceptable (FAA Order 8040.4B).
• Safety risk—The composite of predicted severity and likelihood of the potential effect of a hazard (FAA Order 8040.4B).
• Safety risk acceptance—The decision by the appropriate management official to authorize the operation without additional safety risk mitigation (FAA Order 8040.4B).
• Safety risk analysis—The first three steps of the SRM process (analyze the system, identify hazards, and analyze safety risk) (FAA Order 8040.4B).
• Safety risk assessment—The first four steps of the SRM process (analyze the system, identify hazards, analyze safety risk, and assess safety risk) (FAA Order 8040.4B).
• Severity—The consequence or impact of a hazard’s effect or outcome in terms of degree of loss or harm (FAA Order 8040.4B).
• Unmanned aircraft—An aircraft that is operated without the possibility of direct human intervention from within or on the aircraft (Public Law 112-95). For the purpose of this report, it is assumed that unmanned aircraft have no humans on board—neither crew nor passengers.
• Unmanned aircraft system—An unmanned aircraft and associated elements (including communication links and the components that control the unmanned aircraft) that are required for the pilot in command to operate safely and efficiently in the National Airspace System (Public Law 112-95).
• Visual line-of-sight operation—An operation in which the remote crew maintains direct visual contact with the aircraft to manage its flight and meet separation and collision avoidance responsibilities.

This report also refers to automation or automatic systems and autonomy or autonomous systems. It is difficult to provide concise definitions for these terms because there is not a definitive boundary between the two. Indeed, “the attempt to define autonomy has resulted in a waste of both time and money spent debating and reconciling different terms and may be contributing to fears of unbounded autonomy” (Defense Science Board, 2012). Furthermore, “automation changes the type of human involvement required and transforms but does not eliminate it. For any apparently autonomous system, we can always find the wrapper of human control that makes it useful and returns meaningful data” (Mindell, 2015).

One approach to understanding the difference between automation and autonomy is to consider the differences (and similarities) in their characteristics, as shown in Table 2.1. Automation and autonomy exist along a spectrum of capabilities and parameters, such as those listed in the table. As a result, referring to a system as either automated or autonomous is typically an oversimplification, although it is often convenient to do so. Generally speaking, both automated and autonomous systems have the ability to execute assigned tasks over some period of time without direct human direction. Consider, for example, the use of a UAS to survey a farmer’s field overnight. With an automated system, the farmer might need to program the flight path and the parameters to be monitored (e.g., soil moisture, insect infestation, or crop yield). With an autonomous system, the farmer might simply give a verbal command to survey the crops, and the UAS would identify the crops planted in the various fields, an optimum flight path, the parameters to monitor, and the range of acceptable values based on the crop, recent and forecast weather, where the crops are in their life cycle, past experience, and so on. In this example, the basic task is within the capability of both automated and autonomous systems. Many other missions, of course, include tasks that are beyond the capabilities of an automated system.

With the definitions and assumptions listed above in mind, the committee turned its attention to the subject of current practices, looking at the relatively recent (i.e., less than 20 years) efforts to introduce UAS into the National Airspace System. That is the subject of Chapter 3.

TABLE 2.1 Characteristics of Advanced Automation and Autonomy

SOURCE: NRC (2014).

REFERENCES

Defense Science Board. 2012. Task Force Report on the Role of Autonomy in DoD Systems. Office of the Secretary of Defense, Washington, D.C. https://fas.org/irp/agency/dod/dsb/autonomy.pdf.

FAA (Federal Aviation Administration). 2012. Safety Risk Management Policy, Order 8040.4A, effective April 2012.

FAA. 2017. “Investigation of UAS Accidents and Incidents,” presentation by M. O’Donnell, FAA, to the National Academies Committee on Assessing the Risks of UAS Integration, September 26.

FAA. 2018. “Unmanned Aircraft Systems (UAS) National/Regional Programs,” presentation by M. Wilson, FAA, to the 2018 ASO Airports Conference, April 3.

Mindell, D.A. 2015. Our Robots, Ourselves: Robotics and the Myths of Autonomy. Viking, New York.

NRC (National Research Council). 2014. Autonomy Research for Civil Aviation: Toward a New Era of Flight. The National Academies Press, Washington, D.C.