Military Embedded Systems

Safety certification concerns for UAVs in national airspace


March 07, 2014

The transition to DO-178C continues to improve guidelines for avionics certification; however, big questions still surround the regulation of Unmanned Aerial Vehicles (UAVs) in national airspace and how industry and government will go about ensuring that these drones are safe to fly daily in the same skies as passenger aircraft.

The Federal Aviation Administration (FAA), typically a stickler for documentation and certifications when it comes to avionics hardware and software, recently opened national airspace to UAVs with a “certificate of authorization” being the only prerequisite for domestic flight, says George Romanski, President and CEO of Verocel, Inc. in Westford, MA. The lack of guidelines has led to retroactive certification development so that UAVs can continue to be used in the future, he adds.

“There’s still a long way to go – some of these systems were not designed well, or the software was not designed well for certification,” Romanski continues. “Very often we have software in a control segment that may have a huge number of lines of code without proper partitioning into smaller parts, and when we have a huge system then it’s really difficult to certify. In the future, we’ll have architectures where you can split the software into critical components and non-critical components and then focus on the certification of the critical components. Until they are separated properly – or as we call it, robustly partitioned – then it’s going to be very difficult and expensive to certify these huge software systems.”

“We need a top-down approach that clearly identifies the safety critical elements in the architecture and thus allows you to focus on those elements for an eventual design upgrade,” says Wayne McGee, VP of Sales and General Manager of Creative Electronic Systems (CES) in Raleigh, NC. “Re-design from scratch is not an option for obvious economic reasons. In-service history can help to boost confidence in the safety of some components, but is not available in all cases. Current UAV designs tend to use Commercial Off-The-Shelf [COTS] solutions, which allows them to keep costs down in spite of relatively low volumes, and to benefit from rapidly evolving technology. Meeting safety criteria with these architectures, which are usually met by complete custom designs in commercial aviation, is a real challenge.”

Although a certificate of authorization is required from the FAA, is it safe for UAVs to fly in the national airspace alongside passenger airliners?

“The fact of the matter is, one serious accident in the airspace is going to mean the end of using UAVs for anything anywhere,” says Robert Dewar, Co-founder and CEO of AdaCore in New York City. “[However,] ‘UAV’ covers a huge range of what things actually are – some of them are no more than toy helicopters with a little camera aboard. If you’re an amateur, you can fly impressive gizmos around if you obey certain rules and keep them out of populated areas, and the low-end UAVs are little more than that. But at the top-end, something like a Predator drone is a full-blown aircraft, and there’s everything in between. We tend to lump everything together with UAVs without enough attention to that huge range of things – if it’s a tiny toy helicopter it’s unlikely to cause any real damage. It can likely be swallowed up by the jet engine. Is it more dangerous than a bird? Birds are quite dangerous to jets in flight, but we have plenty of those flying around, so I think you could argue that small UAVs are no more dangerous to fly than birds. It doesn’t mean there’s zero danger but it does mean it’s something we can tolerate and deal with as we have to.”

Law enforcement and UAV safety

Some believe that the FAA’s safety concern with UAVs is stronger than that of police departments or the military, because those organizations accept casualties as a routine cost of operations, whereas an accident involving the FAA or a private company such as Amazon (which has proposed a drone delivery service) would be a huge liability and could mark the end of UAV use in the national airspace.

“I think the FAA on its own would be inclined to be very conservative,” Dewar says. While there is pressure from police departments to gain access to UAVs, “police departments aren’t particularly fundamentally focused on safety,” continues Dewar. “They’re always willing to accept a little bit of collateral damage in effort to get the bad guys. Whether civilians are killed in high speed chases, or accidentally shot – it’s very regrettable, but it happens. Of course that’s even more true of military applications. The people who most want to use the UAVs are not really the people who you can most trust with safety concerns.”

The future of UAV safety certification

“The small Unmanned Air Systems (UASs) might be a lot easier to approve. It may be that we’ll start getting lots of tiny aircraft being approved ahead of the medium and large aircraft,” Romanski says.

The future of safety certifications for UAVs is still unknown, but making civil airspace certification part of the initial requirements is key, McGee says. “This way, safety considerations have been taken into account from the start, so that a formal certification process can be filed based on current regulations and best engineering practices. By taking safety considerations into account early, the effort of carrying through the actual certification process can be spread over time.”

DO-178C update

Retroactive certification of UAVs is made a little easier by the safety certification improvements in DO-178C. DO-178C was published in January 2012; however, work is still being done to transition avionics programs to the new standard.

The transition is going to be gradual, Dewar says. “There are certainly some important advantages to DO-178C and I think what’s happening at least in some cases is people are taking some of the inspiration from DO-178C and applying it even now to certifications using DO-178B,” he continues.

Some methods that have been included in DO-178C are five additional tool qualification levels, objectives to be met if model-based or object-oriented design methods are used, and objectives to be met if formal verification methods are used, McGee says. “The step from DO-178B to DO-178C represents good progress in addressing tools and best practices in certification; nevertheless, safety will always come with a price tag attached in terms of additional development costs.”

Model-based and object-oriented development

There seems to be a lean towards model-based and object-oriented development in DO-178C, Romanski says. Many people are moving towards developing systems using a model, and then simply using tools to convert that to code, he adds.

“The model-based supplement describes how to certify software when using a model-based approach and the FAA has added some clarification, or at least emphasis, on how the model-based supplement should be used,” Romanski explains. “So they’ve added some emphasis that there has to be a clear separation between the representation of models and the implementation with models. Some people tried to use a model to represent requirements and design and then they would do auto-code generation from the design and then try and take credit for testing the model and then not doing much testing on the hardware itself, on the final software. The FAA has now made it very clear there has to be a clear separation between the different representations, which is good.”

One trending technique for simplifying certification and reducing costs is code reuse. “Certification involves two things – it involves generating all the materials for certification, and then actually doing the testing. There’s a lot of interest in combining artifacts with code so that they travel as a package. You’re not going to escape the need to run at least full integration tests on the new environment, but if you can replace unit tests with formal proofs, the formal proofs don’t change from one target to another,” Dewar says.


Figure 1: AdaCore’s CodePeer automatic code review and validation tool assesses potential bugs prior to program execution to find and report errors early in the software development lifecycle. Photo courtesy of AdaCore.

An example of code reuse is the idea of Integrated Modular Avionics (IMA). Romanski explains that several companies may work together to develop separate components that are all tested individually within a system, which is the approach being used by the Future Airborne Capability Environment (FACE) Consortium. An advantage here, Romanski continues, is if someone has a component and they say, “‘I have certification evidence that my component satisfies DO-178C’ then that becomes a valuable commodity which doesn’t have to be regenerated for every application, it could simply be taken and plugged into any application that you need. That’s the direction that we’re moving in and that’s the new type of business model that the Department of Defense (DoD) is pushing.”

FACE Consortium

FACE defines a common Application Programming Interface (API) so that software applications written to it can be ported across multiple avionics platforms, from rotary wing to fixed wing to unmanned aircraft. In other words, the same software can be reused without expensive recertification.

Code reuse is a key factor in this effort. FACE looks to bring commonality and reuse through common interfaces and data descriptions. Work on the standard is progressing and enthusiasm for it is high, but there is still much to be done. Once it had defined the base architecture for FACE systems, the FACE Consortium began alpha/beta testing with FACE conformants, says Dudrey Smith, Senior Consultant for AdaCore in New York City. Conformance testing will ensure that connecting interfaces with FACE-compliant systems is not like “connecting oil and water,” he adds.

“What’s important to realize is no one has really [yet] architected their systems for [FACE], so now they have to convince industry and others” to take existing systems and see what is necessary to make them FACE conformant and then run the appropriate tests, Smith continues. “The big questions that we can’t answer right now is how much of a performance hit are we going to take for this? How much is it going to cost to go through and re-architect a legacy system into a FACE architecture?”

Smith projects that the FACE standard will not be ready for deployment for another one to five years. The most current update to FACE – FACE Edition 2.0 – is published and available on the FACE website at