Shared Skies: Safe Integration of Remotely Piloted Aircraft

Challenges for Safely Operating in the National Airspace System

Submitted by Captain Sean Cassidy, ALPA First Vice President

During the past 100+ years of aviation history, several innovations have greatly advanced the progress of aviation such as radar, the jet engine, and the Global Positioning System (GPS). While Remotely Piloted Aircraft (RPA) show equal promise to become an extremely transformative “game changing” technology, in order for RPAs to meet their full potential there are many challenges that must be met to ensure an integrated world of RPA operations meets or exceeds the high level of safety we currently realize in our national air space system today. For the purposes of this discussion the term RPA will be used interchangeably with those associated with Unmanned Aircraft Systems (UAS) and Unmanned Aerial Vehicles (UAV) as well as other variations of those terms.

Background

The development and use of RPA has a history that exceeds fifty years. Throughout this timeframe, however, the development and use of such systems has been primarily limited to military organizations. Operations were conducted in either segregated airspace, such as Special Activity Airspace (SAA), in combat areas, or other hostile environments. Since the terrorist attacks of September 11, 2001, technological advances in electronics, airframe construction, surveillance techniques, and other related areas have resulted in unprecedented growth in the interest in and development of RPA for both military and commercial purposes.

The RPA currently used by the military services, other government agencies, and civil enterprises are significantly advanced in both size and operational capabilities when compared to their predecessors. They have an operational envelope ranging from extremely low level flying to altitudes and endurance well beyond that of typical civil aviation aircraft. The airframes of these aircraft vary from fixed- and rotary-wing aircraft the size of the smallest hobby aircraft, to fixed-wing turbojet and propeller-driven aircraft with wingspans in excess of 100 feet. In addition, there are lighter-than-air and vertical thrust designs, adding to the challenge of developing standards for operation. These aircraft are used primarily for surveillance, border patrol, anti-terrorist surveillance, military strategic and tactical missions, and weapons delivery. Proponents have advocated using RPA for highway traffic control, search and rescue, pipeline and critical infrastructure surveillance, environmental monitoring, agricultural application, medical supply and pathology sample transport, small package delivery and a host of other civil uses yet to be developed.

The benefits RPA provide, especially for national defense and law enforcement, are significant. However, the introduction of such aircraft into an integrated national airspace system represents an entirely new concept that has the potential, if not done correctly, to degrade the safety of both commercial and general aviation flight operations. Consequently, the desire to use new technologies or concern for national security alone cannot be the rationale that dictates the operational concepts and procedures for mixing public use and commercial civilian RPA with existing civil flight operations without implementing the required safeguards.

The scope of the interest in RPA is now expansive, with aggressive development efforts underway in a number of nations. This is most clearly demonstrated by the FAA Modernization and Reform Act of 2012 in which the U.S. Congress directed the FAA to provide an interim “road map,” commission six test sites in the U.S. to evaluate non-segregated RPA operations and ultimately come up with a regulatory plan for integrated RPA operations by September 30th, 2015. Although there is considerable activity to develop standards, there are no internationally agreed upon standards for the design or manufacturing of aircraft, control stations or control devices, operating software, means of communications between the pilot and aircraft or pilot and air traffic management system, and the training and certification of pilots.

To that end, the International Civil Aviation Organization (ICAO) has published Circular 328 to help guide the development of harmonized standards and practices for RPA. That document states in pertinent part:

The goal of ICAO in addressing unmanned aviation is to provide the fundamental international regulatory framework through Standards and Recommended Practices (SARPs), with supporting Procedures for Air Navigation Services (PANS) and guidance material, to underpin routine operation of RPA throughout the world in a safe, harmonized and seamless manner comparable to that of manned operations. This circular is the first step in reaching that goal.

While we are aware of a number of accidents and significant incidents involving RPA, accessibility to public-use RPA accident/incident data is limited. Inasmuch as the non-governmental use of RPA is in its infancy, there is no detailed publicly available data on accident or incident rates for RPA. However, the accident/incident history that is public, regardless of rate, suggests the need for more robust safety standards before RPA can be considered “as safe” as other users of the airspace. This leads us to highlight some of the challenges to safe integration.

Safe RPAIntegration Means Equivalent Flight Standards

Safe integration means meeting the equivalent of well proven manned flight standards. In late 2004, the Aircraft Owners and Pilots Association (AOPA) asked RTCA and the FAA to convene special committee (SC) 203 on RPA which has since been replaced in 2013 by SC-228. Industry participants include RPA manufacturers, potential operators, general aviation, and other airspace users who were tasked with developing performance standards for overall RPA systems and subsystems. In particular, the group is now developing standards for detect-and-avoid equipment that is expected to allow compliance with the 14CFR Part 91 requirement for “see and avoid” and another for the minimum standards for RPA command and control and communications. While some manufacturers contend that RPA are not aircraft and that the “operator of the RPA in flight” is not a pilot, the FAA has not supported these concepts. Nick Sabatini, former Associate Administrator for Aviation Safety, stated at the opening of RTCA SC-203:

“…the aviation version of the Hippocratic Oath must also apply here: First, do no harm. In introducing unmanned aircraft systems to civil airspace we must first do no harm — have no adverse impact to those thousands of aircraft already operating in the NAS. …With the burgeoning civil market, and the desire to “file and fly” these aircraft in a manner so that they are transparent to other airspace users, a new FAA paradigm must emerge. This paradigm includes a methodical introduction of civil RPA into the NAS demonstrating a level of safety equal to or exceeding that which exists today.”

To attain the Target Level of Safety, an evolving process of understanding the design and limitations of the aircraft will be required so that appropriate levels of safety assurance can be developed. Most importantly, authorities must not limit the scope of approval to certification of just the aircraft, but also the complete system, including the data link infrastructure, ground control station, as well as the pilot/controller communication components. The list of mandatory areas must include:

  • Licensing and medical certification standards for pilots,
  • Certification standards for RPA and associated equipment
  • Assurance of compliance with rules of the air,
  • Ability to safely operate during periods of degraded or lost control and communication between the ground station and the RPA,
  • Ability to Sense and avoidall other traffic in order to comply with existing FARs,
  • Ability to maneuver to maintain required separation and avoid collisions with other aircraft,
  • Ability to perform and maneuver comparably to other aircraft,
  • Ability to operate in congested air traffic areas without requiring extraordinary surveillance or control, thus taxing an already overburdened ATC system, and
  • Ability to detect and avoid weather. This is a more acute problem for RPA than other aircraft because RPAare not designed with the same all-weather-capability systems to deal with thunderstorms, wind shear, icing, hail, etc., as are other aircraft in the airspace.

Safe RPA Operations Must be Multi-Layered and Team Focused

Moving beyond the establishment of technical and regulatory standards, safe RPA integration must embody a multi-layered approach to operations with a focus that goes beyond just the airborne portion of the flight to recognize the importance of all phases of the operation. In current manned commercial operations, the pilot, who plays a critical role, is still only one member of an extensive team of professionals which is part of a comprehensive safety process, and that process begins well in advance of when the engines are started. In commercial aviation, which has repeatedly set the high mark worldwide for transportation safety, that team includes operations representatives, licensed maintainers, dispatchers and controllers, and other support staff too numerous to mention. The net result is that a comprehensive safety assurance system, one which embodies many checks and balances and constant oversight, is in motion well in advance of when the pilot starts performing his pre-flight duties. That safety assurance system includes airworthiness inspections, routing and weather evaluation, aircraft performance calculations, etc. This multi-layered approach to safety is a system which has evolved over many decades and embodies many lessons learned, and it involves literally hundreds of steps taken toensurea safe and successful flight.

Ground operations are often more risk prone than they appear and thus the safety issues are easy to overlook. Consequently, the team overseeing the RPA operations must be ready to encounter a host of often complex challenges. Congested ramp operations, changing ground clearances and runway assignments, and impromptu aircraft service requirements add additional layers of complexity before the aircraft ever leaves the ground. And for the extremely dynamic airborne phase of operations, even with the significant benefits that improved technology in command, control and onboard detection systems will provide in meeting operating restrictions and mitigating risk factors, those are just the entry point in ensuring safe and successful RPA operations. This is due to the high level of complexity inherent in normal flight operations, not to mention irregular ones. This means that whoever is tasked with flying and supporting the RPA must be fully engaged throughout the entire operation to replicate the same level of detail, continuous requirement for decision making and constant need for information that manned pilots deploy in addition of course to the basic requirements of operating the flight controls and flight management systems. Simply put, for all their benefits, these technologies should not be viewed as devices that get the operators closer to being able to “set and forget” due to their capabilities but rather valuable tools in a fully integrated, multi-layer approach to flight operations that can draw valuable lessons from those in operation today.

Exporting the Flight Deck to the Ground

A pilot on board an aircraft can see, feel, smell and hear many indications of an impending problem and begin to formulate a course of action before even the most sophisticated sensors and indicators provide positive indications of trouble, so he is naturally equipped to handle many of the operational complexities that accompany every flight. The challenge for safe, integrated RPA operations thus becomes how to capture the situational awareness and sensory cues one develops through experience in the flight deck and export those to the pilot flying the RPA. It also involves developing a keen understanding of the attendant human factors and decision making process involved in manned and unmanned flight and the sense of gravitas that all manned pilots understand since they have “skin in the game” when they are in the flight deck. The U.S. Air Force has taken a very proactive approach in meeting this need through an ab initio training syllabus that has their RPA pilots begin their training in a manned aircraft where they develop basic airmanship and instrument skills, and get a first-hand understanding of the performance limits of their aircraft. This approach to training unfortunately is not the norm, for in contrast to the highly skilled military pilots and selected manufacturers’ pilots that operate platforms such as the Global Hawk and Predator in the NAS, the Army and Marines fly their smaller RPA using non-pilot “operators” who often have little to no traditional pilot training. Some currently discussed plans for RPA operations also would allow a single pilot to control more than one aircraft, leading to an increased potential for being distracted from trouble on one simply by having to conduct normal operations on another. This would introduce unnecessary, unacceptable and completely avoidable risk into the airspace system. All these issues must be better understood and resolved as part of any road map to integrated operations.

Safe Integrated RPA Operations Must be Physically and Digitally Secure

After the unforgettable events of 9-11, in which we witnessed the deliberate use of commercial airliners as weapons of mass destruction, the government along and the aviation industry were compelled to develop a different mindset about the potential uses of aircraft and adjust their security measures accordingly. This lead to new regulatory requirements for fortified flight deck doors on airliners as well as the creation of an armed pilot protective force and new crew training measures designed to counter threats inflight, to name just a few of the changes.

As RPA operations grow in size and complexity, if they are to safely cohabitate airspace with manned operations and fly over densely populated and sensitive areas, the entities seeking to operate them will have to pursue a plan of action that creates an overall level of security equivalent to that which currently exists in the NAS, because unmanned aircraft, even those of a fairly modest size, clearly have the capability to inflict significant damage if flown into a sensitive area, a structure or another aircraft. The act of simply flying through a very high traffic zone such as class B airspace around a major airport without any authorization and coordination also can create significant system disruptions and reduce the levels of safety in those extremely dense operating areas.

In many respects this security challenge may be even more daunting because unlike manned operations where there is a process of training, certification and checks that serve as gates to getting access to bigger and more complex aircraft, not to mention some of the physical aspects of airports that create additional layers of physical protection, the controls to an RPA could much more easily end up in the wrong hands if proper precautions are not taken. This means that operators must not only safeguard against unauthorized access while the controls and RPA are unattended, but they also must safeguard against the very real possibility that a pilot or pilots flying an RPA could be forced against their will to use the RPA for very insidious purposes.

Turning towards cyberspace, since the RPA is essentially a flying computer which communicates with another ground-based computer system tasked with carrying out commands input by the pilot, an emerging threat which has recently come into focus is that of cyberwarfare. While the military has dedicated considerable resources in security assurance programs designed to lock down software and protect against signal corruption, these kinds of resources and technology will likely not be as readily accessible to commercial operators who wish to gain access to integrated airspace. In manned operations, the pilot on board always retains the ability to take over manually if the automation is not performing as intended. The fact that normal (non-lost link/fail safe mode) RPA flight operations are wholly dependent on the digital communications must be evaluated for potential risk factors, and those risk factors must be understood and where necessary mitigated as part of any plan for safe RPA integration.

Conclusion

The benefits of RPA are obvious, and we are clearly entering the age in which we will witness a significant increase in unmanned flight operations. A primary focus of this transition, if it is to be done in the most effective manner possible, is that the term “unmanned” flight must not be misconstrued to mean “unpiloted” flight because of the critical role pilots play regardless of whether they are physically located in the flight deck or in a ground control station. Safe RPA integration means that we must continue to seek or improve upon the current level of technical standards, operations plans, pilot training and security that is the hallmark of the safest form of transportation in the world-- a system that took many decades to create and continues to evolve. Safe RPA integration means that demonstrably equivalent standards must be the underlying driver behind any implementation timeline or roadmap for operations in the NAS.

1