Unmanned aircraft lack stringent certification processStory
March 07, 2016
All types of unmanned aircraft systems (UASs) are popping into the national airspace, resulting in increasing numbers of accidents and near misses. Safety incidents are getting more frequent with military unmanned aircraft as well. This environment is forcing military commercial and aviation officials to speed up efforts to create the strict safety certification rules for unmanned aircraft as exist for manned aircraft.
UASs provide a compelling alternative to sending personnel on manned missions that may be too dangerous or difficult to access. However, UASs – military and civil – do not currently undergo the same rigorous safety certification process as that of manned aircraft. That situation may change in the near future due to the increase in safety incidents involving military and commercial UASs.
“As more and more flights will be in civilian airspace instead of military or foreign conflict airspace, there’s a need for a more stringent safeguard to prevent casualties resulting from a malfunction,” says Wayne McGee, vice president of sales and general manager of Creative Electronic Systems, North America (CES) in Raleigh, NC. “The rate of malfunction is substantially higher than for civilian certified aircraft.” If you drop a UAS on a civilian installation in a war zone they call that collateral damage; if you drop that on elementary school while it’s in session someone’s head is going to roll. More and more of these UASs are being used in civilian airspace, and they are going to have to meet far more stringent guidelines than they do currently.”
“The trend in the industry is a lot of near misses due to lack of regulations and integration into airspace,” says Gary Gilliland, technical marketing manager at DDC-I in Phoenix, Arizona. “The Federal Aviation Administration (FAA) has taken the action to have these regulations integrated. They can see this is a growing trend. I was just reading about one, where a UAS came within a 20 meters of a commercial jet over the Houses of Parliament in the U.K. That’s 60 feet, that’s very close. This is a huge safety concern for the flying public and the people on the ground.”
Commercial and military drones have increased in numbers in the national airspace. During a training session, Marines were forced to land an unarmed RQ-7B Shadow UAV in the Neuse River, just north of Marine Corps Air Station Cherry Point, North Carolina on September 10, 2015. According to a Marine Corps Times article, the aircraft was recovered six hours later after a search and rescue effort.
“The military, especially the Army, are using UASs for surveillance and intelligence. They are often operating in open zones, not always in military zones,” says Thierry Wastiaux, senior vice president of sales of Interface Concept in Quimper, France. “For the military, the rules on UAVs are a little bit less stringent because they were only allowed to fly in military zones. Civil aviation was not entitled to impose its restrictions on the military zone. As soon as military UAVs started going into the civilian zones, however, then the aviation authorities requested certification.”
UASs are not only “lost in action,” as several past incidents show that drones do malfunction for one reason or another. In 2013, an aerial target drone malfunctioned and crashed into the guided-missile cruiser USS Chancellorsville during an exercise, according to Navy officials. Two sailors were treated for minor burns and the ship sustained damage and had to return to port. In October of 2014, an Air Force MQ-1B Predator crashed in southern Turkey; Air Force officials say that the Predator experienced mechanical failure, and no civilian or military injuries resulted from the crash.
Military buying into safety certification
“Even military UASs are looking at DO-178B/C [certification] as a process. They are not as concerned about interacting in national airspace. Even though the military has a very defined, very mature way of developing software, it is not as stringent as DO-178,” says Gilliland.
Engineers use guidelines such as the DO-178B/C and DO-254 as a de facto standard to verify that the safety-critical software and hardware in manned airborne systems will not fail.
“However, the military has a real problem with losing drones due to software or mechanical failures. In research for a presentation last year, I found that about 400 were lost due to these failures in the past 10 years. Those guys are a million-plus apiece. It’s a cost-saving measure to keep them intact,” Gilliland continues. “What the military was doing was putting things together quick to meet a certain need. We were going into wars and we needed capabilities. The drones were built on foundations of general-purpose software, a lot of cases using Linux – not a platform you would consider safe.
“[They do] see the value in the DO-178 process,” Gilliland continues. Over the past 10 years they have been adopting the commercial DO-178 process as the basis for development; prior to that, it was just industry practices to get functionality. For the most critical systems, they are already adopting standards. The military has a stricter process for the aircraft than they do for UASs, but they are looking to reevaluate this process. It’s real expensive to lose one of these things. I believe they know what they need to do, I just don’t think they have had the requirements to develop their UAS with the same rigor they need to.”
Figure 1: Soldier does preflight checks on RQ-7B Shadow. Photo courtesy of U.S. Army/Photo by Spc. Margaret Taylor.
Military drones and the friendly skies
UASs are classified into different categories (the information can be found on the FAA’s website.) The FAA issues a Certificate of Waiver or Authorization (COA), which enables public agencies and government organizations, including for military training, to operate a particular aircraft in a particular area. UASs do not have strict regulations to follow, while a manned aircraft has to “prove by human reasoning that it will not fail,” Wastiaux notes.
“The current practice today is that the FAA issues a Certificate of Waiver or Authorization (COA),” says Joe Wlad, senior director of product management at Wind River in Alameda, California. “This would allow an operator to get permission to operate their unmanned drone in a specified area. The FAA has issued many COAs to organizations such as the Defense Health Agency (DHA), FBI, U.S. Air Force, and universities. The COAs carry substantial operational restrictions.”
The way to operational approval has essentially three paths,” Wlad says. “One can either use the standard airworthiness requirements and process just like conventional aircraft, or use an experimental aircraft certification process – for research and development only – or use the COA process. The FAA has not yet defined a process by which unmanned vehicles can operate in national airspace in the same way private and commercial aircraft do. Improvements in hardware and software technology on unmanned aircraft will be required to demonstrate an equivalent level of safety that we now enjoy with piloted aircraft. One day, I believe they will be allowed to operate in the same way as certified aircraft do today.”
Function determines certification type
As they embrace certification, military UAS designers, like their commercial counterparts, are leveraging automated tools to help with the certification of manned aircraft. The design plays a role in ultimately deciding which certification process the UAS will follow. “You have to start out with assessing each subsystem on the vehicle to assess the criticality,” says CES’s McGee. “At that point you then develop a plan for each subsystem to determine how it’s going to meet that level in which to certify.
“Once you’ve developed a plan, at each step of the design and manufacturing process including component selection, every step has to be documented as to how it meets the plan and all the evidence is collected,” he continues. “When this is all assembled, it becomes a certification package. It’s the airframe integrator’s responsibility to obtain a certification. They collect all the different certification packages with the evidence and artifacts from the designs for every subsystem on the airframe and they have to present that evidence to the certifying body, which could be the Federal Aviation Administration (FAA), it could be the European Aviation Safety Agency (EASA), or it could be the U.S. Naval Air Systems Command (NAVAIR), among others. All the evidence has to be assembled and presented to apply for the safety certification or airworthiness certification.”
MIL-STD vs DO-178 & DO-254
Many military specifications start with MIL-STD-882, but many in the industry believe that “does not meet stringent requirements in DO-178 and DO-254,” McGee says. “The process from beginning to end – each subsystem on the UAS has to be studied, along with the function that it’s going to provide and the level of criticality. Typically with DO-178 and DO-254, there are five levels of criticality, called a design assurance level. No effect is allowed to be at level ‘DAL-E’ and it works all the way up to ‘DAL-A,’; at ‘DAL-A,’ if the system fails, the craft comes out of the air.”
The certification process is time-consuming and detail-oriented. Therefore, “we use industry standard configuration management software,” Gilliland says. “Our internal testing infrastructure is also automated. There are requirements for level A software to do what they call MCDC, which is modified condition decision coverage. When you develop your software, you must trace to all your requirements. Through all your testing, you have to verify that every path, for every logic decision that is exercised, operates the way you expect it to operate. We provide tools to verify what levels of coverage you have on the software.”
In the long run the biggest hurdles will be in the design process with collision-avoidance technology. In order to get these UASs in the air safely, Wlad says, “So far, no one has obtained approval to operate an unmanned vehicle in the national airspace without restriction. One can imagine that the significant obstacles in obtaining this kind of approval might include demonstrating that the vehicle could detect and actively avoid other aircraft as well as verification of all potential failure modes including loss of function, navigation, or control among other things. More research and development is required before the FAA will formulate further policy.
“Most of the larger unmanned aircraft today are being built by either the military or the social-networking companies,” he continues. “This means the operation of these vehicles is confined to either controlled airspace (such as Beale Air Force Base in California) or remote, restricted areas. In order to allow unmanned and manned aircraft to share the same airspace, new FAA regulations are required. For now, designers are trying to target conventional certification regulations used by Boeing and Airbus. It’s a tall order, given that many of the current regulations assume that a pilot can intervene as a last resort.”