As the range of operations and participants in aviation increases, the challenge of effective risk management across the aviation system will grow. How can we successfully manage the risks associated with these new aviation entrants, particularly the growing variety of drones/Unmanned Aircraft Systems (UAS) operations?

In this latest blog in our ‘drone integration’ series, we look at UAS operations from a safety perspective using an enhanced bowtie modelling approach as part of a new approach to safety assessment. We start in the UK, looking at the safety analysis of the future aviation system (introduced by Richard Derrett-Smith in a previous blog), and then draw conclusions from recent work undertaken for an ANSP looking at incorporating first-stage UAS Traffic Management (UTM) services into its existing risk models.

Safety analysis of the future aviation system

The impact of new aircraft, new operators and new operating models will challenge our understanding of aviation risk and poses significant questions on how best to manage risk in the future. For example:

  • A typical drone mission will probably use a hybrid navigation system, maybe even including machine learning algorithms in the background, so its performance is dependent on a collection of systems not just one.
  • The UTM system will incorporate more inputs than an ATM system, at a faster rate, on a larger scale, and integrate with ATM. This will stretch the mental modelling abilities of ATCOs.
  • The number of interfaces and interactions in the overall aviation system will increase, this means boundary assumptions (which are critical to most safety cases/standards/certifications) are harder to define, and existing ones likely to be invalidated).

There is no overarching consolidated record of aviation risk (in the UK) and no single risk baseline from which to make risk informed judgements about the impact of changes to the aviation system. Aviation system changes at a local level can be managed, e.g. a change in runway usage at an airport, a change to an Air Traffic Control (ATC) system at a specific Air Traffic Service Unit (ATSU), or a change in aircraft systems, as the number of interactions are limited and can be understood. But this approach does not scale effectively when you are introducing thousands of new aircraft of many different types, operating in uncontrolled airspace, and where the existing surveillance and navigation technology will not function to the required level of accuracy to ensure safe operations for all airspace users.

Added to this, there are potentially tens or hundreds of organisations entering the aviation industry with no/limited corporate history in aviation and the associated standards and culture that drive exemplary safety performance.

Today’s aviation safety case is based primarily on the lessons learned from incidents and accidents. It uses traditional safety methods to explore ways of identifying problems and developing mitigations to address them. With an expansion of aviation operations comes a demand for parallel improvements in safety, keeping the number of accidents as low as has been achieved today, and the risk as low as reasonably practicable. This means a different approach to assessing aviation safety is needed.

The UK’s Future Flight Initial Safety Framework includes safety analysis that uses a new approach to assessing total future aviation safety. The safety analysis is based on understanding risk by looking at the different stakeholder interactions within the future aviation system, not just future aircraft and associated technologies, but also the operators, airspace environment, ground infrastructure, control systems or operational system lifecycle.

Let’s take a closer look at the initial steps in that analysis.

Step 1 – Understand the risk picture

Safety has always been the highest priority for the aviation industry and aviation is rightfully considered one of the safest modes of transport. To understand how we deliver high levels of safety performance, we can map the numerous stakeholders, with interactions occurring between many of them and try to understand what the key activities are, the hazards and controls currently in place, and why they are successful. Then we can assess the impact of new entrants on the system, by looking at how the interfaces, interactions, hazards and controls change. The bowtie modelling concept is helpful for defining the current aviation system and visualising it in an understandable way. It depicts risk, providing an opportunity to identify and assess the key controls either in place or lacking between a Threat and Consequences.

In our work for Future Flight, we used the ‘’Significant Seven’’ bowties developed by the UK CAA as a credible basis for the current aviation system. These are however limited to CAT aircraft operations and therefore extending this to encompass all airspace users is a key priority.

Step 2 – Analyse the impact of changes 

To analyse potential change in future risk, the new elements brought by the future aviation system can be mapped to the baseline. This enables us to understand whether controls are more or less effective as a result. For example:

  • What is the overall impact on flight safety risk, in terms of the change in Hazard frequency and Consequence severity and likelihood?
  • Are any new threats or hazards are introduced by UAS operations.

Now the question that arises is: how will the new hazards be managed? Do we have sufficient controls in place? Do we need some additional controls? In this case, the bowtie notation provides a mechanism to enable a wide range of stakeholders to engage in discussions about total system safety and bring together different types of threats and controls. This is a key input to the decision-making process to determine whether the existing controls are sufficient and whether new controls or improvements to existing controls are needed.

In our work for Future Flight, we explored strategic defences against aviation risk and identified the following:

  • Design features (airspace, aircraft, system) providing inherent protection against the hazard and/or consequences.
  • Strategic controls such as flow management as provided by Air Traffic Management.
  • Tactical controls such as separation provided by Air Traffic Control.
  • Pilot see-and-avoid.
  • ACAS (an automated collision avoidance system).
  • Emergency response planning.

The bowtie diagrams helped to identify these strategic defences and enabled us to conduct a high-level review to ensure that a suitable number of strategic defences are employed against each threat and consequence. Where gaps were identified, controls could then be proposed to provide additional mitigation against the risk. As an example, the control Pilot see-and-avoid will not be applicable for UAS operations and thus an equivalent control, such as Detect and avoid will need to be implemented in the future.

Given that the future aviation system was being analysed at a conceptual level, the identified controls could be considered as potential safety requirements for the future, giving decision makers an early opportunity to influence and determine what the future aviation risk picture will look like.

Integration of UTM services into ANSP risk models

Innovation is changing the way aviation operates and with the introduction of new entrants such as UAS, not only are aircraft operations expected to change, but broader changes to airspace structures and traffic management provision will also be needed.

As the number of UAS operations increases, more and more ANSPs will implement UTM applications to allow instant authorisation of UAS operations by third parties. These will be based on contextual airspace rules designated by airspace authorities for a given jurisdiction. This means that UAS operations subject to an ANSP approval, which were previously manually approved by a specialised office, will be approved or rejected automatically by the new UTM application.

As part of our wider safety support to one ANSP, we were commissioned to integrate first-stage UTM services – comprising a new UTM application – into existing risk models, to assess safety impact on operations.

In this case, human-centred controls were to be replaced by an automatic function and thus the interactions within the defined system would change and need to be assessed. Again, the bowtie modelling approach provided good visualisation of the current ANSP risk models representing all elements of the current ATM system and allowed mapping of the new UTM elements into the current models through identifying changes to threats, controls and consequences as needed.

It is important to ensure that any changes to the current ATM system and the interactions within it are understood and that any new automated functions that replace human-centred controls are at least as effective as the previous ones. What’s more, the focus should not only be on the new technologies. Existing actors must also understand the safety requirements of the future aviation system, especially as more automated components are integrated into their workspace. If only one human role is replaced by the application, but others such as ATCOs remain the same, how will the communication links within the ATM system change? Or how will the UTM system integrate with the ATM system? These are some of the questions that need to be answered before implementing UTM services, to ensure that the service remains acceptably safe.

As part of our work, we explored the integration of the UTM application into the existing ATM system in detail, and it comes to no surprise that we encountered several challenges.  For example, the aim of the UTM application is to make it easier for UAS operators to be authorised to operate in controlled airspace and for ANSPs to handle requests for UAS operations. However, if this new process results in an exponential increase in the number of UAS operations, the mental capacity of Supervisors and ATCOs may no longer be capable of processing these volumes of information, leading to excessive workload in the long-term. Furthermore, looking at the hazard consequences, a mid-air collision (MAC) between two UAS is clearly less severe than MAC between two commercial aircraft. However, if the number of UAS operations gradually increases, the likelihood of a collision between two UAS will also increase and the overall risk (a combination of severity and likelihood) of the consequence might be the same as for MAC between two commercial aircraft. This could imply that in the near future, regulators might need to consider setting a target level of safety for the risk of MAC between two UAS.

Final words

New technology, new methods of safety analysis and new approaches are needed to achieve current levels of safety performance in the future aviation system and this applies to the transition to this new future as much as it does the future itself.

Our brain likes to classify things and create structured links because it makes information more easily understood. When we understand the current situation and all the activities, controls and interactions that take place within the aviation system, then it is easier to comprehend what might potentially happen if one of those elements, e.g. a human-control, is removed or if the interaction between other elements is diverted through a third element, e.g. an automated function.

The future aviation system with UAS operations will bring challenges and change the structure of the aviation environment. This brings safety management challenges, such as the impact of complex systems, effective risk management, the role of the human and use of automation, and the implications for other infrastructure. If we understand the current risk picture and the future risk picture early at the conceptual level, then we can identify a strategic set of mitigations that will require further research, development, testing and agreement between stakeholders. Once the outlook of the future aviation system is clearer, then we should be better prepared to put mitigations in place and ensure that aviation remains acceptably safe.

Share on