Military Embedded Systems

Certifying and securing UASs for civilian airspace is more about rules than technology

Story

July 27, 2012

John M. McHale III

Editorial Director

Military Embedded Systems

Federal Aviation Administration (FAA) officials have started clearing the way for UASs to enter national airspace, raising the question of how to ensure they are just as safe and secure as manned aircraft.

Military Unmanned Aircraft System (UAS) designers have, for the most part, been able to design their aircraft free of FAA safety certification and other design regulations.

The FAA has become more open to UASs flying in the national airspace. The agency requires that “federal, state, and local government entities must obtain an FAA Certificate of Waiver or Authorization (COA) before flying a UAS in the national airspace.” The FAA is also required to streamline that process. Meanwhile, some law enforcement and military aircraft already are flying in civilian airspace.

“At the FAA we required a chase plane when a UAS was flying in controlled airspace,” says Bobby Sturgell, Senior Vice President of Washington Operations at Rockwell Collins in Cedar Rapids, Iowa and former Administrator of the FAA. “Once the UAS entered restricted space – typically military controlled – the chase plane was not required while it flew in restricted airspace. What the FAA also will do is dedicate an air traffic controller to watch that UAS while it flies over civilian airspace.”

“There also are specific rules for smaller UASs – dubbed Class 1 – such as the tiny robotic helicopters that weigh only a pound or two or three,” says George Romanski, President and CEO of Verocel in Westford, MA. These are just starting to enter service for applications such as law enforcement and users “have to ask FAA permission and comply with various other rules such as they can only fly less than 400 feet high and have to maintain a line of sight and be more than 5 miles from the nearest airports.”

“The concern with UASs in the national airspace revolves around what happens when something goes wrong in the aircraft or its resident airspace and there are no pilots onboard to handle the situation,” says Chip Downing, Senior Director, Business Development, Aerospace & Defense at Wind River Systems in Alameda, CA. “If you have just one person, i.e., a military pilot, in an aircraft, he can avoid danger by manually flying the aircraft away from populated areas. With unmanned aircraft, it is more critical to have autonomous systems in place based upon a reliable safety and security foundation, which will enable the aircraft to react safely when things go wrong. Unmanned aircraft will need to have higher levels of response in emergency situations.”

Later this year FAA officials are expected to release a proposed rule that will establish procedures, policies, and standards for UAS users, according to the FAA website. In the meantime, there is still concern about how UASs can be made to operate as safely in civilian airspace as manned aircraft.

Safety certification for UASs

Rules are also the biggest question mark when it comes to safety certification of UAS flight software. The expertise is out there, but how, when, and where UASs need to comply is still murky.

“The biggest challenge to work out is what the rules are,” Romanski says. “Today they are not clear. We know the rules for manned aircraft so we want equivalent safety for unmanned aircraft. However, what does that mean? We still need to work out the rules.”

“The certification issues regarding DO-178B, DO-254, etc., will play out in different ways for different classes of aircraft,” Sturgell says. “The transport category will have the highest levels of certification requirements, while the ultra-light and experimental aircraft have a lot fewer layers of certification. Operational requirements are what will drive certification levels in the long run. For example, if an experimental UAS is flying over populated areas, it will need to have higher levels of certification than one that does not.

“When you get to bigger and more sophisticated UASs such as the Predator, their communication and electrical systems have much redundancy built in for reliability and safety,” Sturgell continues. “In that way, they kind of mirror business and air transport aircraft. The certification efforts in these vehicles are consistent with the way manned aircraft go about ensuring certification and reliability.”

Economics are also an issue. “Budgets are an issue for Office of the Secretary of Defense (OSD) personnel when it comes to adding safety and security certification for UASs,” says David Sequino, Vice President and General Manager of the INTEGRITY Security Services business unit at Green Hills Software in Santa Barbara, CA. “They go through their budgets and know that everybody wants it, but also know that there is no money to spend on it right now.”

“Eventually every component will undergo safety analysis with a category level worked out for each component,” Romanski says. “If a failure could cause a catastrophic event, some components will need to be certified to Level A, while others may be able to be certified to lower levels as they are in manned aircraft, where every component is certified to its prescribed level. To get where we want to go, we need to make sure we have a safe and secure platform where we can compose a system made up of certified components. Even though we don’t know all the components, we do know that the platform will have to have a safe and secure foundation.”

“We have a lot of experience with DO-178B, and no deaths have been attributed to software using this guidance document,” Romanski continues. “The FAA mandates that you do safety analysis and work out [the] level and certify to that level. The problem with UASs is that many currently flying were produced quickly to serve a purpose in theater and not required to meet DO-178B-type processes. Now if they are flying in national airspace, they will have to follow the same rules as the rest and government [will] take the time to make sure the software and hardware meets the proper safety certification levels. For UASs, the Ground Control Station (GCS) is an extension of the cockpit and must have equivalent levels of safety; in other words, a UAS flown on a Windows operating system probably won’t be compliant. A fault in GCS software could quite easily send bad data into the aircraft, which could result in catastrophic failure.”

“Most commercial aircraft already have very sophisticated autopilot controls, so the next steps for UASs are gaining public trust and having a reliable safety and security record for the software and hardware flying the aircraft,” Downing says.

Security

“In addition to safety, security is also paramount for military UAS operations and for when UASs enter civilian airspace,” Sequino says. “The data links need to be encrypted to and from the ground control station to the UAS so there are not more security and reliability problems. They need to get 99.999 percent reliability with the data links. A lot of ground stations today are not secure.”

“The National Security Agency (NSA) typically recommends that Suite B security standards be applied for defining the cryptography used in all government classified communications,” Sequino continues. The Green Hills ISS business unit offers an embedded cryptographic product – ISS Security Solutions – which consists of Suite B-Compliant Security Protocol Toolkits and a Device Lifecycle Management (DLM) system. (For more information, visit www.ghs.com.) “We’ve got some customers implementing the solution and are working on an ISS solution for the Army for UAS programs.”
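As an added illustration of the pattern Sequino describes, the following Go program protects one direction of a ground-control-station-to-aircraft command link with the building blocks Suite B specifies: ECDH on the P-256 curve to agree a link key, AES-256-GCM to encrypt and authenticate each command frame, and a strictly increasing sequence number that serves as the GCM nonce on the sender and as replay protection on the receiver. This is example code written for this page; it is not the Green Hills ISS product, not any fielded UAS protocol, and not code from the article's sources. The command strings, the `c2-uplink` context label, and the SHA-256 step that turns the shared secret into a key are constructed for illustration; a deployed link would use a proper key-derivation function such as HKDF and would authenticate the peer's public key (Suite B uses ECDSA for that) before trusting it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed example of a Suite B-style C2 link (ECDH P-256 + AES-256-GCM). Not the
// Green Hills ISS product or any fielded UAS protocol.
var ErrReplay = errors.New("replayed or out-of-order frame rejected")

// Link is one direction of the link. The sequence number is both the GCM nonce (never
// reused under one key; rekey before it wraps) and the receiver's replay check.
type Link struct {
	aead              cipher.AEAD
	sendSeq, lastRecv uint64
}

// NewLink derives a 256-bit AES-GCM key from the ECDH shared secret and a context label.
// Simplification: a deployed link would use HKDF and authenticate the peer key (ECDSA).
func NewLink(own *ecdh.PrivateKey, peer *ecdh.PublicKey, label string) (*Link, error) {
	shared, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write(shared)
	h.Write([]byte(label))
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Link{aead: aead}, nil
}

// Seal emits seq(8) || ciphertext || tag(16); the clear-text header is bound in as associated data.
func (l *Link) Seal(command []byte) []byte {
	l.sendSeq++
	hdr := binary.BigEndian.AppendUint64(nil, l.sendSeq)
	nonce := append(make([]byte, 4), hdr...) // 12-byte GCM nonce: 4 zero bytes + sequence
	return l.aead.Seal(hdr, nonce, command, hdr)
}

// Open rejects replayed sequence numbers and frames whose GCM tag does not verify.
func (l *Link) Open(frame []byte) ([]byte, error) {
	if len(frame) < 8+l.aead.Overhead() {
		return nil, errors.New("frame too short")
	}
	hdr := frame[:8]
	seq := binary.BigEndian.Uint64(hdr)
	if seq <= l.lastRecv {
		return nil, ErrReplay
	}
	pt, err := l.aead.Open(nil, append(make([]byte, 4), hdr...), frame[8:], hdr)
	if err != nil {
		return nil, err // tampered or forged: "cipher: message authentication failed"
	}
	l.lastRecv = seq
	return pt, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Demo: genuine frame accepted, tampered frame rejected, replay rejected, second frame accepted.
func Demo() (first, second string, tamperErr, replayErr error) {
	curve := ecdh.P256()
	gcs, uas := must(curve.GenerateKey(rand.Reader)), must(curve.GenerateKey(rand.Reader))
	tx := must(NewLink(gcs, uas.PublicKey(), "c2-uplink")) // ground station side
	rx := must(NewLink(uas, gcs.PublicKey(), "c2-uplink")) // aircraft side, same key
	f1 := tx.Seal([]byte("WAYPOINT 41.88N 087.63W ALT 1500")) // constructed command text
	first = string(must(rx.Open(f1)))
	f2 := tx.Seal([]byte("RTB"))
	bad := append([]byte(nil), f2...)
	bad[8] ^= 0x01 // one ciphertext bit flipped in flight
	_, tamperErr = rx.Open(bad)
	_, replayErr = rx.Open(f1) // re-sending an already accepted frame
	second = string(must(rx.Open(f2)))
	return
}

func main() {
	first, second, tamperErr, replayErr := Demo()
	fmt.Printf("accepted %q\ntamper: %v\nreplay: %v\naccepted %q\n", first, tamperErr, replayErr, second)
}
```

Running it with `go run` shows the first waypoint command accepted, the bit-flipped frame failing the tag check, the re-sent first frame rejected as a replay, and the untampered second frame accepted. Two points matter for a real link: because the sequence number doubles as the nonce, the key must be replaced before the counter can wrap, and the ECDH public keys have to be authenticated, otherwise an attacker who can inject into the link during setup can substitute a key pair of their own.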

Security is also a key part of the DoD’s effort to create a universal control station architecture for UASs – the UAS Control Segment (UCS) (www.ucsarchitecture.org/page/home).

“They are still in negotiations on what types of security levels and other standards will be used, but the Multiple Independent Levels of Security (MILS) approach is one being looked at,” Romanski says. “One of the objectives of UCS is to have the ability to provide mixed levels of security and to make it also dynamic. Video feeds coming through to the analyst observing video at the ground station most of the time are benign. However, once he sees something that is important, it now becomes secure information. So he presses a button to tag the data as top secret, then he distributes it around the proper channels where it can only be decrypted by those with the proper clearance. There is a fair amount of work still to be done in this area.”

FACE can help

Compliance with safety and security regulations could go more smoothly and cost-effectively if the UAS community adopted common standards. It could take a hint from the military avionics community, which is doing just that within the Future Airborne Capability Environment (FACE) Consortium.

“I’m seeing crossing over between FACE and the UAS community in the military,” Sequino says. “FACE is classic avionics, and now the FACE Consortium really has its act together and [is] telling the UAS community to just adopt FACE. It is a matter of changing the culture and a little bit like herding cats to get the different vendors, OSD, and various program offices to move away from using competing standards and get everyone on the same page. They are beginning to converge, but it is a long process.”

UCS is also being built along a similar philosophy to FACE. “With UCS, the government is trying to encourage an ecosystem of suppliers as these services are published and find what interfaces exist that you can get from different suppliers,” Romanski says. “If there is not a service available, the government can pay someone to supply one and get it put into the repository. These services then can be sold and plugged into the new type of model the government wants. It is a different type of business model, an open business model that fosters innovation and grows the market so people can supply components to the UCS architecture.”

FACE, with more than “40 members from both industry and government, has developed safety and security operating system profiles for military avionics systems,” Downing says. “The FACE technical standard is an open, modular, multivendor software environment enabling portability and reuse of software components across multiple programs and platforms. Next-generation military avionics platforms will require a common compute platform based upon open industry architectures to enable portability across aircraft types. Because these platforms will be sharing a common infrastructure, FACE systems should be able to lower the cost and risk of achieving safety and security objectives.”

“Common core platforms such as those based upon ARINC 653 have been very effective in Integrated Modular Avionics (IMA) in commercial aircraft, but these advancements have simply not occurred in military avionics systems,” Downing says. Wind River’s ARINC 653 product, VxWorks 653, has enabled IMAs on 55 different aircraft. (For more information, visit www.windriver.com.)