The rapid evolution of unmanned aerial systems has ushered in a new era for aviation, with civilian drones taking on increasingly complex and critical roles, from logistics and surveying to infrastructure inspection. Regulatory frameworks worldwide categorize these civilian drones broadly into three classes: Open, Specific, and Certified. For those in the Certified category—typically larger, more complex systems operating in non-segregated airspace—a formal type certification process is mandatory. A cornerstone of this process is the safety assessment, which demonstrates that the drone’s design meets an acceptable level of safety. However, traditional safety assessment methodologies, developed for manned aircraft, require significant adaptation to address the unique “crew-on-the-ground” architecture of civilian drones.

This article explores the adaptation of the Functional Hazard Assessment (FHA) process, a foundational system safety technique, for the airworthiness certification of large civilian drones. Drawing from experience with certification pilot projects, we outline a tailored approach that redefines safety objectives and hazard boundaries to address the distinct risks posed by unmanned aircraft systems (UAS).
The Safety Assessment Challenge for Civilian Drones
For manned aircraft, design regulations like 14 CFR Part 23/25 (FAR), CS-23/25, and their Chinese counterpart CCAR-23/25, contain explicit safety requirements, most notably §1309. Supporting advisory material, such as FAA Advisory Circular AC 23.1309-1E, and industry standards like SAE ARP4761 and ARP4754A, prescribe a comprehensive set of analysis methods including Functional Hazard Assessment (FHA), Fault Tree Analysis (FTA), Failure Mode and Effects Analysis (FMEA), and Common Cause Analysis (CCA).
These established practices, however, are not fully transferable to civilian drones. The fundamental paradigm of “human-machine separation” creates novel failure scenarios. The safety analysis must now explicitly account for two primary hazard domains that are inherently different from manned aviation:
- Ground Collision: The impact of the drone on people and property on the ground.
- Mid-Air Collision: The hazard the drone poses to other airspace users.
Consequently, the hazard analysis boundary must be expanded beyond the aircraft and its remote crew to include third parties on the ground and in the air. International regulatory bodies like the European Union Aviation Safety Agency (EASA) and the Joint Authorities for Rulemaking on Unmanned Systems (JARUS) have recognized this need, issuing tailored documents such as the EASA Special Condition SC.RPAS.1309 and the JARUS Acceptable Means of Compliance AMC RPAS.1309. These documents guide the adaptation of safety assessment processes for Remotely Piloted Aircraft Systems (RPAS). This article focuses on the first and pivotal step in this adapted process: the Aircraft-Level Functional Hazard Assessment.
Aircraft-Level Functional Hazard Assessment (FHA) for Drones
The Aircraft-Level FHA is a systematic, top-down examination of the functions the civilian drone is intended to perform. Its primary objectives are to identify potential failure conditions associated with these functions, assess the severity of their effects, and establish top-level safety objectives and requirements. The key activities within an Aircraft-Level FHA for a drone include:
- Defining Aircraft-Level Functions: Identifying all essential functions, including internal vehicle functions and interactive functions between the drone, the Remote Pilot Station (RPS), and the Command and Control (C2) link.
- Identifying Failure Conditions: Postulating how these functions can be lost or degraded, considering single and multiple failures under both normal and adverse operating conditions.
- Assessing Effects and Classifying Severity: For each failure condition, determining its impact during relevant flight phases on: 1) The drone itself, 2) The remote crew, 3) Persons on the ground, and 4) Other aircraft in the airspace. Based on these combined effects, assigning a hazard severity classification.
- Establishing Safety Objectives: Defining qualitative and quantitative probability targets for each failure condition based on its severity class.
- Providing Rationale and Validation Methods: Documenting the justification for the assigned classifications and proposing means of compliance for the derived safety requirements.
Defining Safety Targets for Civilian Drones
A critical adaptation for civilian drones is the establishment of appropriate safety probability budgets. For manned general aviation aircraft, historical data suggests a total accident rate from all causes on the order of $$1 \times 10^{-4}$$ per flight hour. Only a fraction of these, perhaps 10%, are attributable to system failures. By considering the design complexity and intended operation of a certified civilian drone, one can allocate a probability budget for catastrophic failure conditions.
For instance, if a given drone design is estimated to have on the order of 10 failure conditions that could each lead to a catastrophic event, the objective assigned to each one must be tighter than the overall system budget, because that budget is shared among all of them. Following the rationale in documents like AC 23.1309-1E, we can define both qualitative and quantitative safety objectives tailored for the drone’s operation. The quantitative probability ranges per flight hour for a large cargo civilian drone might be established as follows:
| Qualitative Term | Probability Range (per flight hour) | Mathematical Expression |
|---|---|---|
| Probable | $$\geq 1 \times 10^{-4}$$ and $$< 1 \times 10^{-3}$$ | $$ 10^{-4} \leq P < 10^{-3} $$ |
| Remote | $$\geq 1 \times 10^{-5}$$ and $$< 1 \times 10^{-4}$$ | $$ 10^{-5} \leq P < 10^{-4} $$ |
| Extremely Remote | $$\geq 1 \times 10^{-7}$$ and $$< 1 \times 10^{-5}$$ | $$ 10^{-7} \leq P < 10^{-5} $$ |
| Extremely Improbable | $$< 1 \times 10^{-7}$$ | $$ P < 10^{-7} $$ |
These numerical targets are illustrative and must be justified based on the specific operation, environment, and risk model accepted by the certification authority for the civilian drone project.
Hazard Severity Classification for Drone Failure Conditions
The classification of failure condition severity must reflect the expanded hazard scope of civilian drones. The effects are evaluated across four dimensions, and the most severe consequence among them dictates the overall classification. The standard five-level severity scale is adapted as follows:
| Severity Class | Effects on the Drone & Crew | Effects on Ground Persons & Other Airspace Users | Typical Probability Objective (per flight hour) |
|---|---|---|---|
| No Safety Effect | No impact on safety. May involve minor convenience or maintenance issues. | No impact. | No Requirement |
| Minor | Slight reduction in safety margins or functional capabilities. Slight increase in crew workload. Manageable with normal procedures. | No expected impact or negligible risk increase. | $$ P < 10^{-3} $$ |
| Major | Significant reduction in safety/functionality. Significant increase in crew workload, requiring abnormal procedures. May necessitate a precautionary landing at a planned site. | No expected serious injury. Property damage possible but controlled. | $$ P < 10^{-4} $$ |
| Hazardous | Large reduction in safety/functionality. Crew workload increases drastically, requiring emergency procedures. May lead to a controlled flight termination or forced landing likely causing drone damage. | Potential for serious injury to individuals on the ground or in other aircraft is not expected. Potentially fatal hazard is not anticipated from the event. | $$ P < 10^{-6} $$ |
| Catastrophic | Loss of control, uncontrollable flight path (including deviation from planned/emergency area), or uncontrolled ground impact. | High probability of fatal injuries to multiple persons on the ground or in other aircraft. | $$ P < 10^{-7} $$ |
This adapted classification is central to conducting a meaningful FHA for civilian drones, as it forces explicit consideration of third-party risks.
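As an added example (not code from the article), the following Python module encodes the two rules the sections above describe: the most severe effect across the four domains sets the class, and the class sets the per-flight-hour objective. It then checks constructed FTA results against those objectives. The condition names, per-domain ratings and FTA figures are constructed assumptions, and the decision to treat an unrated domain as an error is a design choice of this example. The band-consistency check is included because an overlapping row in a tailored probability table (two bands sharing a lower bound) makes the qualitative term ambiguous without any visible symptom.

```python
"""Aircraft-level FHA bookkeeping for a civilian drone.

Added example, not code from the article. Encodes the four-domain
severity classification and the per-flight-hour objectives from the
severity table, then checks constructed FTA results against them.
Condition names, per-domain ratings and FTA figures are constructed.
"""
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    NO_SAFETY_EFFECT = 0
    MINOR = 1
    MAJOR = 2
    HAZARDOUS = 3
    CATASTROPHIC = 4


# Probability objectives per flight hour (severity table). No Safety Effect
# carries no quantitative requirement and is deliberately absent.
OBJECTIVE = {
    Severity.MINOR: 1e-3,
    Severity.MAJOR: 1e-4,
    Severity.HAZARDOUS: 1e-6,
    Severity.CATASTROPHIC: 1e-7,
}

# Qualitative bands, lower bound inclusive and upper bound exclusive, with
# Probable starting at 1e-4 so that it is contiguous with Remote.
BANDS = [
    ("Extremely Improbable", 0.0, 1e-7),
    ("Extremely Remote", 1e-7, 1e-5),
    ("Remote", 1e-5, 1e-4),
    ("Probable", 1e-4, 1e-3),
]

# The four effect domains every failure condition must be rated against.
DOMAINS = ("drone", "crew", "ground", "airspace")


def bands_are_consistent(bands):
    """True when the bands tile the probability axis with no gap or overlap.
    Run this on any tailored table before using it."""
    ordered = sorted(bands, key=lambda b: b[1])
    return all(hi == nxt[1] for (_, _, hi), nxt in zip(ordered, ordered[1:]))


def qualitative_term(p):
    """Qualitative term for probability p per flight hour, or None when p
    falls outside every band (no term is defined at or above 1e-3)."""
    for term, lo, hi in BANDS:
        if lo <= p < hi:
            return term
    return None


@dataclass(frozen=True)
class FailureCondition:
    name: str
    phases: tuple   # flight phases in which the condition is assessed
    effects: dict   # domain -> Severity, one entry per domain

    def classification(self):
        """The most severe effect across the four domains sets the class.
        An unrated domain is an error, not an implicit 'no effect'."""
        missing = set(DOMAINS) - set(self.effects)
        if missing:
            raise ValueError(f"{self.name}: unrated domains {sorted(missing)}")
        return max(self.effects.values())

    def objective(self):
        """Quantitative objective per flight hour implied by the class."""
        return OBJECTIVE.get(self.classification())


def check_compliance(conditions, fta_results):
    """Compare achieved FTA probabilities with each condition's objective.
    Returns {name: (class, objective, achieved, qualitative term, met)};
    the objective is an upper bound, so 'met' requires strictly less."""
    report = {}
    for fc in conditions:
        objective = fc.objective()
        achieved = fta_results[fc.name]
        met = objective is None or achieved < objective
        report[fc.name] = (fc.classification(), objective, achieved,
                           qualitative_term(achieved), met)
    return report


# Constructed conditions with assumed per-domain ratings.
CONDITIONS = [
    FailureCondition("Total loss of C2 uplink", ("T", "F1-F4", "L"),
                     {"drone": Severity.HAZARDOUS, "crew": Severity.HAZARDOUS,
                      "ground": Severity.MAJOR, "airspace": Severity.MAJOR}),
    FailureCondition("Total loss of navigation data downlink", ("T", "F1-F4", "L"),
                     {"drone": Severity.MAJOR, "crew": Severity.MAJOR,
                      "ground": Severity.MINOR, "airspace": Severity.MINOR}),
]

# Constructed FTA results per flight hour (not figures from the article).
FTA_RESULTS = {
    "Total loss of C2 uplink": 4.0e-7,                 # Hazardous: meets < 1e-6
    "Total loss of navigation data downlink": 2.5e-4,  # Major: misses < 1e-4
}

if __name__ == "__main__":
    if not bands_are_consistent(BANDS):
        raise SystemExit("probability bands overlap or leave a gap")
    for name, (cls, obj, got, term, met) in check_compliance(CONDITIONS, FTA_RESULTS).items():
        bound = "none" if obj is None else f"{obj:.0e}"
        print(f"{name}: {cls.name}, objective {bound}, achieved {got:.1e} "
              f"({term}) -> {'met' if met else 'NOT MET'}")
```

Run as a script it prints one line per condition; the navigation downlink case is deliberately set up to miss its Major objective so that the report shows what a non-compliant FTA result looks like against the FHA.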
Conducting the Aircraft-Level FHA: An Illustrative Example
The process begins with a clear, hierarchical definition of the aircraft’s top-level functions. For a large cargo civilian drone, functions are derived from its operational concept. A partial functional breakdown is shown below:
| Base Function | Primary Function | Function | Sub-Function (Example) |
|---|---|---|---|
| Transport from Origin to Destination | Remote Command & Control | Uplink of Remote Commands | Uplink of Flight Control Commands |
| | | Downlink of UAV State Data | Downlink of Navigation Data |
| | | | Downlink of System Health Parameters |
| | Manage Propulsion | Provide Thrust | |
For each sub-function, potential failure conditions are identified and analyzed. Taking the “Uplink of Flight Control Commands” sub-function as an example, the FHA proceeds as shown in the table below. This analysis highlights how the loss of a fundamental control link—a scenario with limited analogy in manned aviation—is evaluated across the four effect domains.
| Function & Description | Failure Condition & Flight Phase | Effects and Classification | Validation Method |
|---|---|---|---|
| Function: Uplink of Flight Control Commands. Desc: Transmission of pilot commands from the Ground Control Station (GCS) to the drone (C2 Uplink). | Failure Condition: Total loss of C2 uplink function. Phases: Take-off (T), Cruise (F1-F4), Landing (L). | Drone: Unable to receive external flight control commands. Vehicle reverts to full autonomous mode per predefined logic. Safety margins and operational capability are greatly reduced. Damage or loss of the drone is possible. Crew: Unable to command the drone directly. Must monitor autonomous contingency actions (e.g., return-to-home, emergency landing). Workload and stress increase drastically. Ground Persons: The worst-case credible outcome is a controlled flight termination or forced landing. A fatal ground impact is not anticipated from this single failure, given autonomous safety functions. Other Airspace Users: Same as for ground persons. A catastrophic mid-air collision is not the anticipated direct outcome of this failure. Overall Classification: HAZARDOUS. The most severe effect among all domains is the large reduction in safety for the drone and the drastic increase in crew workload, coupled with the potential for significant property damage. | FTA, FMEA, Link Reliability Analysis, Simulation of Autonomous Contingency Maneuvers. |
| Function: Downlink of Navigation Data. Desc: Transmission of primary navigation state (position, altitude, heading) from the drone to the GCS. | Failure Condition: Total loss of navigation data downlink. Phases: T, F1-F4, L. | Drone: Operates normally but its primary state data is not visible to the crew. Safety margins are significantly reduced. Crew: Loss of primary situational awareness. Must rely on secondary means (e.g., ATC radar position reports, last known data) to monitor the flight, significantly increasing workload. Ground Persons / Other Airspace Users: The worst-case credible outcome is a precautionary landing at a planned site. Serious hazards are not anticipated. Overall Classification: MAJOR. The significant reduction in crew situational awareness and increased workload are the driving factors. | FMEA, FTA, CCA (to ensure independence from uplink), Analysis of Secondary Surveillance Means. |
This analysis yields several critical safety requirements. For the “Loss of C2 Uplink” classified as Hazardous, the system design must ensure its probability is below $$1 \times 10^{-6}$$ per flight hour. This will drive the redundancy, integrity, and reliability requirements for the C2 link system and the design robustness of the autonomous contingency flight control system. The FHA thus directly feeds into the system design and verification plan, guiding subsequent detailed analyses like FTA and FMEA.
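To show how the Hazardous objective for loss of C2 uplink drives the redundancy and common-cause work that follows the FHA, here is an added example (not from the article) that sizes link redundancy against the $$1 \times 10^{-6}$$ per flight hour objective. It is a minimal fault-tree calculation: an AND gate over the loss of each redundant link, plus a beta-factor common-cause term of the kind a CCA is meant to expose. The per-link loss probabilities and beta values are constructed assumptions; treating each link's "probability per flight hour" as its failure probability over one hour of exposure, and using the largest per-link figure for the shared term, are conservative simplifications of this example.

```python
"""Link-redundancy check for the 'total loss of C2 uplink' objective.

Added example, not code from the article. A small AND-gate calculation
for losing every redundant C2 uplink within one flight hour, with a
beta-factor common-cause term, compared against the Hazardous objective.
Per-link figures and beta values are constructed assumptions.
"""
from math import prod

# Hazardous objective for total loss of C2 uplink, per flight hour.
C2_UPLINK_OBJECTIVE = 1e-6


def independent_loss(link_probs):
    """AND gate over single-link losses, assuming full independence.
    link_probs: per-flight-hour loss probability of each redundant link."""
    return prod(link_probs)


def loss_with_common_cause(link_probs, beta):
    """Beta-factor model: a fraction beta of link failures is assumed to
    take down every link at once (shared antenna mast, single power bus,
    identical radio firmware, a jammer near the RPS); the remainder stays
    independent. Using the largest per-link figure for the shared term is
    a conservative assumption for links that are not identical."""
    independent = prod(p * (1.0 - beta) for p in link_probs)
    common = beta * max(link_probs)
    return independent + common


def meets_objective(p, objective=C2_UPLINK_OBJECTIVE):
    """The objective is an upper bound, so strictly less is required."""
    return p < objective


def required_link_count(link_prob, beta, objective=C2_UPLINK_OBJECTIVE, max_links=6):
    """Smallest number of identical links that meets the objective.

    Returns None when the common-cause floor beta * link_prob already
    reaches the objective: adding links cannot help there, only a lower
    beta (genuine independence) or a better link can."""
    if beta * link_prob >= objective:
        return None
    for n in range(1, max_links + 1):
        if meets_objective(loss_with_common_cause([link_prob] * n, beta)):
            return n
    return None


if __name__ == "__main__":
    # Constructed: two links, each lost in a given hour with probability 5e-4.
    dual = [5e-4, 5e-4]
    print(f"dual link, independent:  {independent_loss(dual):.2e}")
    print(f"dual link, beta = 0.01:  {loss_with_common_cause(dual, 0.01):.2e}")
    for beta in (0.0, 0.001, 0.01):
        print(f"links needed at 5e-4 each, beta={beta}: {required_link_count(5e-4, beta)}")
```

The point the numbers make is that two links at $$5 \times 10^{-4}$$ each clear the objective only while they are truly independent; a 1% common-cause fraction puts the floor at $$5 \times 10^{-6}$$, which no number of additional identical links can bring below $$10^{-6}$$. That is why the validation column lists CCA alongside FTA and link reliability analysis.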
Conclusion
The airworthiness certification of advanced civilian drones demands a rigorous yet adaptable safety assessment methodology. The Aircraft-Level Functional Hazard Assessment serves as the essential starting point, setting the safety tone for the entire program. By explicitly defining aircraft functions, adapting safety probability budgets to the unmanned paradigm, and, most importantly, expanding the hazard severity classification to encompass effects on ground personnel and other airspace users, a robust and relevant FHA can be conducted. This tailored approach ensures that the unique risks of “human-machine separation” are systematically identified and addressed from the earliest design stages. The resulting top-level safety objectives provide a clear, traceable foundation for all subsequent system-level assessments, ultimately supporting the demonstration of an equivalent level of safety for civilian drones operating in shared airspace. This methodology, as illustrated, provides a practical framework for engineers and regulators working on the type certification of large, complex civilian drones.
