Probabilistic Safety Assessment for UAS Separation Assurance and Collision Avoidance Systems

Article Probabilistic Safety Assessment for UAS Separation Assurance and Collision Avoidance Systems

Asma Tabassum 1 , Roberto Sabatini 2,* and Alessandro Gardi 2

1 Department of Mechanical Engineering, University of North Dakota, Grand Forks, ND 58202, USA; [email protected] 2 School of Engineering, Aerospace Engineering and Aviation, RMIT University, Bundoora, VIC 3083, Australia; [email protected] * Correspondence: [email protected]; Tel.: +61-399-258-015

Received: 6 September 2018; Accepted: 17 January 2019; Published: 14 February 2019

Abstract: The airworthiness certification of aerospace cyber-physical systems traditionally relies on the probabilistic safety assessment as a standard engineering methodology to quantify the potential risks associated with faults in system components. This paper presents and discusses the probabilistic safety assessment of detect and avoid (DAA) systems relying on multiple cooperative and non-cooperative tracking technologies to identify the risk of collision of unmanned aircraft systems (UAS) with other flight vehicles. In particular, fault tree analysis (FTA) is utilized to measure the overall system unavailability for each basic component failure. Considering the inter-dependencies of navigation and surveillance systems, the common cause failure (CCF)-beta model is applied to calculate the system risk associated with common failures. Additionally, an importance analysis is conducted to quantify the safety measures and identify the most significant component failures. Results indicate that the failure in traffic detection by cooperative surveillance systems contribute more to the overall DAA system functionality and that the probability of failure for ownship locatability in cooperative surveillance is greater than its traffic detection function. Although all the sensors individually yield 99.9% operational availability, the implementation of adequate multi-sensor DAA system relying on both cooperative and non-cooperative technologies is shown to be necessary to achieve the desired levels of safety in all possible encounters. These results strongly support the adoption of a unified analytical framework for cooperative/non-cooperative UAS DAA and elicits an evolution of the current certification framework to properly account for artificial intelligence and machine-learning based systems.

Keywords: unmanned aircraft systems; sense and avoid; uniﬁed analytical framework; ADS-B; surveillance sensor; fault tree analysis; importance measure

1. Introduction While a steady growth of manned aviation has driven the advancement of communication, navigation and sensing (CNS) technologies to support a denser airspace exploitation, various technological and regulatory challenges have affected the development of autonomous separation assurance and collision avoidance (SA&CA) capabilities for unmanned aircraft systems (UAS). Surveillance systems such as transponders, trafﬁc collision avoidance system (TCAS), and automatic dependent surveillance-broadcast (ADS-B) are conceived to support the in-ﬂight SA&CA while also incorporating, to the extent possible, the pilot’s situational assessment, training, experience, and aircraft capabilities. The detect and avoid (DAA) function in a non-segregated UAS operational context, however, demands transitions from the pilot’s decision-making to a fully autonomous decision-making, which is one of the largest challenges faced by the UAS sector today. An accurate performance

Aerospace 2019, 6, 19; doi:10.3390/aerospace6020019 www.mdpi.com/journal/aerospace Aerospace 2019, 6, 19 2 of 20 modelling of current airborne surveillance technologies for maintaining SA&CA without the pilot onboard is critical to evaluate and certify the criteria of equivalent level of safety in the UAS platform. The International Civil Aviation Organization (ICAO) outlined successive steps towards the integration of UAS in controlled airspace as well as into the aerodrome areas, which are identified in the Aviation System Block Upgrades (ASBU) [1]. The United States (US) Federal Aviation Administration (FAA) also provisioned to integrate UAS into the National Airspace System (NAS) in two different phases [2–4]. Phase 1 incorporates rural, Class Golf (G) airspace and is compatible with agricultural, mapping and survey applications, whereas phase 2 comprises controlled airspace that requires technologies to maintain safe separation from cooperative and non-cooperative air traffic [5]. The European Commission’s Directorate General for Mobility and Transport (DG MOVE), the European Defence Agency (EDA), the European Aviation Safety Agency (EASA), and the Single European Sky Air Traffic Management (ATM) Research (SESAR) Joint Undertaking (SJU) are also stepping up the efforts to safely accommodate UAS into the European aviation and ATM system [6]. In parallel with these government and industry-led initiatives, the aerospace research community has been continuously working on several challenges of integrating UAS into non-segregated airspaces including separation thresholds and methods for small UAS [7,8], UAS encounter modelling and collision avoidance [9–11], 3D obstacle avoidance strategies for UAS [12–15] dynamic model augmentation [16], Global Navigation Satellite Systems (GNSS) integrity augmentation for UAS [17], surveillance sensor integration in the UAS platform [18,19] and well-clear boundary models for UAS DAA [20–24].

1.1. Detect and Avoid (DAA) Safety Assessment Although adequate performance standards were established for various surveillance equipment, to date the impacts of surveillance system failures in terms of separation degradation, specifically in the UAS platform, have not been defined. Moreover, traditional radar and Mode-A/C transponder technologies show inherent deficiencies in different airspace and equipage scenarios especially in the presence of high air traffic densities [25–33]. The failure modes for different cooperative sensors such as Mode S, TCAS, ADS-B are well defined and safety assessments have been carried out on the individual surveillance sensor considering functions in the manned aircraft. While the availability of ATM deconfliction service provides mitigation to these faults when available, the risk is still notably higher when considering highly autonomous UAS operations. The FAA conducted a safety assessment on the TCAS application in the unmanned platforms [34–36]. A thorough probabilistic safety assessment has been carried out on ADS-B system considering both the ground and airborne segment in [37]. Safety assessment of the surveillance sensor failure in the UAS platform was carried out in [38] with an encounter analysis considering the unmanned aircraft platform only. A simplified model is developed in [39] to assess and predict the risk associated with a given UAS operation. In [40], the authors provided a framework that consists of a target level of safety (TLS) approach using an event tree format to develop specific SAA effectiveness standards based on UAS weight and airspace class combinations. The provision of certified autonomous DAA capabilities is an indispensable milestone for the certification of UAS for safe non-segregated and beyond line of sight (BLOS) operations. This is a widely recognized issue in the aerospace research community but to date, despite the extensive efforts, the various proposed DAA approaches have not satisfactorily addressed the overall safety risks. In this paper, a comprehensive safety assessment is conducted considering the sensitivities, failures and degraded operations of systems and components of the overall DAA architecture. Both qualitative and quantitative analysis are performed to identify and derive the risks of different component failure in both airborne and ground control platform using probabilistic safety assessment. Probabilistic safety assessment is a technique to quantify risk measures numerically by identifying the specific events that lead to hazards [41]. Fault tree analysis (FTA) relates the logical relationship between component failures which are the basic failures and their contributions to the system failures and the importance analysis provides the importance ranks of the components to the overall risk. Therefore, the combination of these two techniques provides an overall approach to determine Aerospace 2019, 6, 19 3 of 20 Aerospace 2018, 5, x FOR PEER REVIEW 3 of 20

95 thedetermine impacts the of individualimpacts of sensorindividual failure sensor as well failure as the as significancewell as the ofsignificance individual of risk individual contributors. risk 96 Incontributors. particular, In a caseparticular, study fora case ADS-B study as for a candidate ADS-B as technology a candidate to technology support DAA to support is addressed DAA inis 97 thisaddressed paper. in The this safety paper. analysis The safety indicates analysis the indicates validity of the ADS-B validity for of cooperative ADS-B for approachcooperative providing approach a 98 pathwayproviding for a certificationpathway for of thecertification unified framework. of the unif Sectionied framework.2 describes theSection unified 2describes analytical the framework unified 99 andanalytical overall framework DAA architecture and overall and Section DAA3 outlinesarchitecture the assessment and section methodology. 3 outlines The the risk assessment measure 100 andmethodology. importance The analysis risk measure are presented and importance in Section4. analysis A case study are presented of ADS-B asin asection cooperative 4. A case surveillance study of 101 meansADS-B inas specifieda cooperative UAS surveillance flight envelope means is illustrated in specified in UAS Sections flight5 and envelope6 contains is illustrated the discussion in section of 102 overall5 and section findings. 6 contains the discussion of overall findings.

103 2. Unified Uniﬁed Analytical FrameworkFramework andand DAADAA ArchitectureArchitecture 104 In recent researchresearch [[42,43],42,43], aa uniﬁedunified analyticalanalytical frameworkframework hashas beenbeen proposed,proposed, and aa novelnovel 105 methodology is demonstrated to integrate the data provided by cooperative systems (reliance on own 106 and intruder aircraft avionics) and non-cooperative sensors (reliance on own aircraft avionics only). 107 Figure 11 illustrates illustrates thethe conceptualconceptual top-leveltop-level architecturearchitecture ofof thethe proposed proposed DAA DAA system, system, whichwhich uses uses 108 active and passive forward-looking sensors (FLS) in addition to ADS-B and Mode-S transponders. 109 Navigation data is extracted from GNSS, inertial measurement units (IMU) and vision-based vision-based sensors. sensors.

110 111 Figure 1. Conceptual high-level detect and avoid (DAA)(DAA) system architecture adapted from [[43].43].

112 State-of-the-art active and passive FLSFLS includeinclude visual/infraredvisual/infrared cameras, cameras, RADAR RADAR and LIDAR. 113 Mode S transponderstransponders are cooperativecooperative surveillance employ ground components and anan airborneairborne 114 transponder. Mode Mode S Shas has been been designed designed as an as evolutionary an evolutionary addition addition to the to Air the Traffic Air Traffic Control Control Radar 115 RadarBeacon Beacon System System (ATCRBS) (ATCRBS) [44] [for44] forthe theprovisio provisionn of ofenhanced enhanced surveillance surveillance and and communication 116 capability whichwhich isis requiredrequired for for the the automation automation of of air air traffic traffic control. control. TCAS TCAS was was developed developed as as a back-up a back- 117 airborneup airborne collision collision avoidance avoidance system system (ACAS) (ACAS) which which provides provides vertical vertical maneuvering maneuvering guidance guidance to the to 118 pilotthe pilot in the in the event event of aof possible a possible collision collision threat threat [45 [45].]. ADS-B ADS-B is is a a system system that that periodicallyperiodically transmitstransmits 119 its state vectorvector includingincluding horizontal and vertical position, and velocity as well asas somesome otherother intentintent 120 information [[46].46]. The system comprises two separateseparate components, ADS-BADS-B OutOut andand ADS-BADS-B In.In. ADS-B 121 is called dependent surveillance as it requires that the aircraft state vector and additional information 122 be derived from the on-board navigationnavigation equipment.equipment. It is automated in the sense that it doesn’t need 123 pilot or controller controller input input to to transmit transmit information. information. Cooperative/non-cooperative Cooperative/non-cooperative tracking tracking datadata and host and 124 hostplatform platform navigation navigation data dataare areprocessed processed using using a dedicated a dedicated algorithm algorithm within within the the central central DAA 125 processor onboardonboard the the UAS UAS to produceto produce avoidance avoidance volumes volumes in the airspacein the surroundingairspace surrounding each conflicting each 126 intruder/obstacleconflicting intruder/obstacle track. This track. algorithm This algorithm ensures theensures rigorous the rigorous mathematical mathematical treatment treatment of the errorsof the 127 errors affecting the state measurements (correlated and uncorrelated measurements) and accounts 128 for the host–obstacle relative dynamics, with due consideration for the environmental conditions

Aerospace 2019, 6, 19 4 of 20

affecting the state measurements (correlated and uncorrelated measurements) and accounts for the Aerospace 2018, 5, x FOR PEER REVIEW 4 of 20 host–obstacle relative dynamics, with due consideration for the environmental conditions (wind, 129 (wind,turbulence, turbulence, etc.) affecting etc.) affecting the aircraft the aircraft dynamics. dynami A conceptualcs. A conceptual representation representation of this approachof this approach for the 130 forcase the of case a single of aaerial single encounter aerial encounter is depicted is depicted in Figure in2 Figure. 2.

131 132 Figure 2. Conceptual depiction of the proposed DAA approach (single aerial encounter).

133 In particular, the figurefigure showsshows bothboth thethe overalloverall avoidanceavoidance volumevolume andand thethe optimaloptimal avoidanceavoidance 134 trajectory, whichwhich is is computed computed by aby real-time a real-time trajectory trajec optimizationtory optimization algorithm. algorithm. If the original If the trajectory original 135 trajectoryof the DAA of system the DAA host system platform host intersects platform the inte calculatedrsects the avoidance calculated volume, avoidance a risk volume, of collision a risk (RoC) of 136 collisionflag is generated (RoC) flag [47 is,48 generated]. This RoC [47,48]. flag initiates This Ro theC flag real-time initiates trajectory the real-time optimization trajectory process optimization and the 137 processassociated and steering the associated commands steering are provided commands to theare aircraftprovided flight to the controls. aircraft flight controls.

138 2.1.DAA DAA Reference Reference Architecture Architecture 139 The components of the UAS DAA DAA system system are are part partlyly located located onboard onboard the the unmanned unmanned aircraft aircraft (UA) 140 platform and partly in its ground control station (G (GCS).CS). In particular, all non-cooperative sensors and 141 cooperative surveillance systems as well as autonomous collision avoidance functions are installedinstalled 142 onboard, whereaswhereas allall the the human–machine human–machine interfaces interfaces (HMI) (HMI) are are integrated integrated in thein the GCS. GCS. Both Both the UAthe andUA 143 andthe GCS the GCS are equipped are equipped with Command with Command and Control and Control (C2) data (C2) link data transceivers link transceivers to transmit to thetransmit data from the 144 datathe UA from platform the UA to platform GCS and commandsto GCS and from command GCS tos UAfrom platform. GCS to TheUA UASplatform. pilot-in-command The UAS pilot-in- (PIC) 145 commandmanning the (PIC) GCS manning is responsible the GCS for is the responsible safe operation for the of safe the operation UAS and forof the executing UAS and ATM for directivesexecuting 146 ATMunless directives they pose aunless hazard they to thepose UAS. a hazard Figure 3to provides the UAS. a simpliﬁed Figure 3 schematicprovides a diagram simplified of the schematic overall 147 diagramDAA system of the architecture. overall DAA system architecture. The UA platform includes four major elements namely the surveillance components, DAA 148 The UA platform includes four major elements namely the surveillance components, DAA processor, onboard navigation system, and the C2 datalink. The state-of-the-art of cooperative 149 processor, onboard navigation system, and the C2 datalink. The state-of-the-art of cooperative surveillance sensors include Active Mode S surveillance, TCAS II, and ADS-B. The non-cooperative 150 surveillance sensors include Active Mode S surveillance, TCAS II, and ADS-B. The non-cooperative surveillance sensors comprise Radar, Light Detection and Ranging (LIDAR), cameras such as thermal 151 surveillance sensors comprise Radar, Light Detection and Ranging (LIDAR), cameras such as thermal camera, infrared cameras etc. Air-to-air radar systems operate in the C, X, or Ku-frequency bands of the 152 camera, infrared cameras etc. Air-to-air radar systems operate in the C, X, or Ku-frequency bands of aeronautical radio navigation spectrum (ARNS) [49]. Usage of a frequency will be depending on the 153 the aeronautical radio navigation spectrum (ARNS) [49]. Usage of a frequency will be depending on type of operation. LIDAR is another prominent surveillance sensor which shows great promise 154 the type of operation. LIDAR is another prominent surveillance sensor which shows great promise for non-cooperative UAS collision avoidance [50]. LIDAR is a remote sensing technology that 155 for non-cooperative UAS collision avoidance [50]. LIDAR is a remote sensing technology that scans scans the environment and the 3D image of the environment is constructed from the individual 156 the environment and the 3D image of the environment is constructed from the individual distance distance points within an aggregate of points gathered during the scanning process. Some different 157 points within an aggregate of points gathered during the scanning process. Some different laser laser scanning techniques are available to steer the beam and achieve very wide ﬁelds of vision 158 scanning techniques are available to steer the beam and achieve very wide fields of vision (FoV). (FoV). Although current LIDAR systems are still of considerable size, weight, power and cost 159 Although current LIDAR systems are still of considerable size, weight, power and cost (SWaP-C), 160 considerable progresses are being made thanks to their extensive usage in the autonomous driving 161 domain. The availability of advanced cameras and development of vision-algorithms made them 162 popular for use in the unmanned platform especially in low altitude operation. These non-

Aerospace 2019, 6, 19 5 of 20

(SWaP-C), considerable progresses are being made thanks to their extensive usage in the autonomous drivingAerospace domain.2018, 5, x FOR The PEER availability REVIEW of advanced cameras and development of vision-algorithms5 of 20 made them popular for use in the unmanned platform especially in low altitude operation. These 163 non-cooperativecooperative sensors sensors complement complement otherother on-board on-board airborne airborne surveillance surveillance sensors sensors by providing by providing detection 164 detectionof non-cooperative of non-cooperative traffic. trafﬁc.

Onboard UA Platform Navigation Location Information via Surveillance Surveillance Sensors Sensor

Command DAA Processor Datalink

Datalink ATM Communication and/or Voice Command Communication DAA Processor Datalink

Display PIC

Mode Control GCS Platform 165 Figure 3. Simplified schematic diagram of the overall DAA system architecture. 166 Figure 3. Simplified schematic diagram of the overall DAA system architecture. The equipage of surveillance sensors depends on the type of unmanned aircraft system, 167 the airspaceThe equipage and the of certification. surveillance sensors According depends to DO-365 on the [ 49type] which of unmanned was developed aircraft bysystem, Special the 168 Committee-228airspace and the [51 certification.], UA surveillance According equipment to DO-365 will [49] minimally which was include: developed by Special Committee- 169 228 [51], UA surveillance equipment will minimally include: • active Mode S surveillance that use 1030/1090 MHz frequencies; 170 • active Mode S surveillance that use 1030/1090 MHz frequencies; • ADS-B In to detect the broadcast directly from the intruder aircraft ADS-B Out or through ADS-R • 171 orADS-B TIS-B channel;In to detect the broadcast directly from the intruder aircraft ADS-B Out or through ADS- 172 • air-to-airR or TIS-B radar channel; system to detect the non-cooperative traffic. 173 • air-to-air radar system to detect the non-cooperative traffic. This equipage is referred to as Class 1 DAA system. The Class 2 DAA system will include TCAS 174 II alongThis with equipage class 1 is DAA referred system. to as AsClass for 1 the DAA manned system. aircraft The Class TCAS 2 DAA serves syst toem improve will include the pilot’s TCAS 175 awarenessII along with of other class air1 DAA traffic, system. in UAS As it for would the manne be servingd aircraft the PIC TCAS [35 ]serves and no to maneuversimprove the will pilot’s be 176 initiatedawareness automatically of other air only traffic, on thisin UAS guidance. it would be serving the PIC [35] and no maneuvers will be 177 initiatedThe UA automatically onboard processor only on receivesthis guidance. onboard navigation sensor data, data from onboard active 178 surveillanceThe UA airborne onboard to processor detect transponder receives onboard equipped naviga intruders,tion sensor ADS-B data, receiving data equipmentfrom onboard to detect active 179 ADS-Bsurveillance equipped airborne intruders, to detect and transponder radar data toequippe detectd non-cooperativeintruders, ADS-B intruders. receiving equipment The intruder to detect data 180 receivedADS-B equipped by multiple intruders, sensors areand thenradar processed data to detect by the non-cooperative UA processor.From intruders. the intruder The intruder stateand data 181 intentreceived data, by the multiple UA processor sensors initiallyare then evaluates processed the by intended the UA processor. track of the From intruder. the intruder The initial state track and 182 andintent other data, information the UA processor are then initially sent to evaluates the command the intended and non-payload track of the communications intruder. The initial datalink track 183 forand transmission other information to the are GCS. then The sent ATM to the can comma locatend the and UAS non-payload via ADS-B commu out messagesnications and datalink Active for 184 Modetransmission S transponder. to the GCS. At all The times, ATM PIC can can locate maintain the UAS communication via ADS-B out with messages ATM via and datalink Active or Mode voice S 185 communication.transponder. At In all the times, GCS, thePIC processor can maintain receives communication prioritized track with data ATM and DAAvia datalink status data or fromvoice 186 thecommunication. UA platform and In the DAA GCS, mode the controlprocessor commands receives fromprioritized the GCS track control. data and It then DAA processes status data the data from 187 andthe forwardsUA platform the and information DAA mode to the control DAA commands display. The from mode the GCS control control. is the It interfacethen processes between the thedata 188 and forwards the information to the DAA display. The mode control is the interface between the PIC, 189 the UA, and GCS DAA processors. The command functions are executed through this interface and 190 then sent to the GCS processors and then via data link to UA platform. The command is then executed 191 by the UA platform. In order to obtain the certification, surveillance sensors need to provide 192 equivalent level of safety as of manned aircraft. This include providing surveillance support suitable

Aerospace 2019, 6, 19 6 of 20

Aerospace 2018, 5, x FOR PEER REVIEW 6 of 20 Aerospace 2018, 5, x FOR PEER REVIEW 6 of 20 AerospacePIC, 2018 the, UA,5, x FOR and PEER GCS REVIEW DAA processors. The command functions are executed through this6 interface of 20 193 for the entire operational flight envelope. The UA operational flight envelope may include five 193 Aerospacefor andthe 2018 thenentire, 5 sent, xoperational FOR to PEER the GCSREVIEW flight processors envelope. and The then UA via operational data link to flight UA platform. envelope The may command include6 offive is 20 then 194 phases;Aerospace 2018namely, 5, x FORtakeoff, PEER climb, REVIEW cr uise, descent and landing where the takeoff and landing phase6 ofwill 20 193194 forphases; executedthe namelyentire by operational thetakeoff, UA platform.climb, flight cr uise, Inenvelope. order descent to The obtain and UA landing the operational certification, where theflight surveillance takeoff envelope and sensors landing may needinclude phase to providewillfive 193195 forrequire the lowentire altitude operational flying andflight ground envelope. roll. TheThe taUAkeoff operational and landing flight may envelope take place may on airportinclude and five a 194195 phases;requireequivalent lownamely altitude level takeoff, offlying safety climb, and as crground ofuise, manned descent roll. aircraft. The and ta keofflanding This and include where landing providing the may takeoff take surveillance and place landing on airport support phase and suitablewill a 194196193 phases;separatefor the namelyentire launch/recovery operational takeoff, climb, zone.flight cr uise,Dueenvelope. descentto the The differentand UA landing operational traffic where mix the flightat takeoffeach envelope altitude, and landing may different include phase flight willfive 195196 requireseparatefor the low launch/recovery entire altitude operational flying zone.and flight ground Due envelope. to roll. the The The different ta UAkeoff operational trafficand landing mix flight at may each envelope take altitude, place may on includedifferent airport five andflight phases; a 195197194 requiredynamicsphases; lownamely characteristics altitude takeoff, flying climb, and and differentcrgrounduise, descent roll. conflict The and tageometrieskeoff landing and where landingcharacterizing the may takeoff take each and place landingphase, on airport the phase safety- and will a 196197 separatedynamicsnamely launch/recovery characteristics takeoff, climb, and cruise,zone. different Due descent to conflictthe and different landing geometries wheretraffic characterizing themix takeoff at each and altitude,each landing phase, different phase the will safety- flight require 196198195 separatecriticalityrequire low launch/recoveryof altitudeDAA sensors flying and zone.and systems ground Due towill roll. the likely The different ta changekeoff traffic and as a landing function mix at may ofeach the take altitude,flight place phase. ondifferent airport The unified flightand a 197198 dynamicscriticalitylow altitude ofcharacteristics DAA flying sensors and and ground systemsdifferent roll. will The conflict likely takeoff geometrieschange and landing as a functioncharacterizing may take of the place flighteach on airportphase.phase, The andthe unified asafety- separate 197199196 dynamicsanalyticalseparate launch/recovery frameworkcharacteristics and andthezone. associated different Due to DAA conflictthe differentsystem geometries safety traffic analysis characterizing mix at allows each toaltitude,each either phase, define different the the safety- safelyflight 198199 criticalityanalyticallaunch/recovery offramework DAA sensors zone.and andthe Due associated systems to the will differentDAA likely system change traffic safety mix as a analysis atfunction each allows altitude, of the to flight either different phase. define flight The the unified dynamics safely 198200197 criticalityflyabledynamics envelope ofcharacteristics DAA as sensors a func andtion systemsofdifferent the available will conflict likely sensors geometrieschange and as atheir functioncharacterizing reliability of the or flighteach to identify phase.phase, Thethethe sensorsunifiedsafety- 199200 analyticalflyablecharacteristics envelope framework as and a andfunc different thetion associated of conflict the available DAA geometries system sensors characterizing safety and their analysis reliability eachallows phase, orto eitherto theidentify define safety-criticality the the sensors safely of 201198 andcriticality their requiredof DAA sensors reliability and as systems a function will of likely the desired change safeas a functionenvelope. of the flight phase. The unified 199200 analyticalflyableDAA envelope sensors framework as and a and systemsfunc thetion associated willof the likely available DAA change system sensors as a functionsafety and theiranalysis of thereliability allows flight phase. orto eitherto identify The define unified the the sensors analyticalsafely 201199 andanalytical their required framework reliability and the as associated a function DAA of the system desired safety safe analysis envelope. allows to either define the safely 200201 flyableandframework their envelope required and as reliability thea func associatedtion as of a thefu DAAnction available system of the sensors safetydesired analysisand safe their envelope. allows reliability to either or to define identify the the safely sensors flyable 202200 3.flyable Safety envelope Assessment as a funcMethodologytion of the available sensors and their reliability or to identify the sensors 201202 and3. Safetyenvelope their Assessmentrequired as a function reliability Methodology of theas a available function sensorsof the desired and their safe reliability envelope. or to identify the sensors and their 201 and their required reliability as a function of the desired safe envelope. 203202 3. SafetyrequiredAs already Assessment reliability mentioned Methodology as a functionin Section of 1.1, the desiredthe qualitative safe envelope. analysis involved in the FTA methodology 202203 3. SafetyAs already Assessment mentioned Methodology in Section 1.1, the qualitative analysis involved in the FTA methodology 204203 lists all the possible combinations of factors, normal events and component failures resulting in a top 204202 lists3. Safety3. allAs Safety the already Assessment possible Assessment mentioned combinations Methodology Methodology in Section of factors, 1.1, the normal qualitative events analysis and component involved failuresin the FTA resulting methodology in a top 203205 event,As whereas already thementioned quantitative in Section evaluation 1.1, the allows qualitative to determine analysis the involved probability in the of FTA failure methodology of the top 204205 listsevent, all whereas the possible the quantitativecombinations evaluation of factors, allowsnormal to events determine and component the probability failures of failureresulting of inthe a top 204206203 listsevent allAs from the Asalready possible alreadythe failure mentioned mentionedcombinations probability in Section in Sectionof values factors, 1.1, 1.1 ofthe normal,basic thequalitative qualitative events events analysisthat and analysis prop component involvedagated involved up failuresin throughthe in theFTA resulting FTA themethodology methodologyfault in atree. top 205206 event,event fromwhereas the failurethe quantitative probability evaluation values of allows basic events to determine that prop theagated probability up through of failure the offault the tree. top 205207204 event,Thelistslists reliabilityall whereas the all thepossible possible datathe quantitativecombinationsor combinationsthe failure evaluation ofrate factors, of of factors, the allows normal co normalmponents to events determine events andis crucial and component the component probability for FTA failures and failures of failureisresulting obtained resulting of inthe froma in top a top 206207 eventThe reliability from the datafailure or probabilitythe failure valuesrate of ofthe basic components events that is crucialpropagated for FTA up throughand is obtained the fault fromtree. 206208205 eventcomponentevent,event, from whereas whereas themanufacturers failurethe thequantitative probability quantitative (typically evaluation values evaluation in the of form allowsbasic allows of events meanto determine to time determinethat betweenprop theagated theprobability failures—MTBF) probability up through of failure of failurethe and/or faultof the of fromtree. thetoptop 207208 Thecomponent reliability manufacturers data or the (typicallyfailure rate in theof the form co ofmponents mean time is crucialbetween for failures—MTBF) FTA and is obtained and/or from 207209206 Thetheevent eventliterature, reliability from from the including the datafailure failure or probabilitythe among probability failure others ratevalues values Aviation of ofthe of basic basicco Standardmponents events events Documents that that is crucialprop propagatedagated by for RTCA, FTA up through andFAA is and obtained thethe Eurocontrol faultfault tree. fromtree. The 208209 componentthe literature, manufacturers including among (typically others in Aviation the form Standard of mean Documentstime between by failures—MTBF) RTCA, FAA and and/orEurocontrol from 208210207 component[37,49,52–56].Thereliability reliability manufacturers dataThe data orbasic or the theevents failure (typicallyfailure repr rate rateesent of in the theof component componentsthe form co ofmponents mean failures is crucialtime is and betweencrucial for the FTA logic for failures—MTBF) and FTA gates is obtainedand dictate is obtained how from and/or faults component from of 209210 the[37,49,52–56]. literature, includingThe basic eventsamong reprothersesent Aviation component Standard failures Documents and the bylogic RTCA, gates FAA dictate and how Eurocontrol faults of 211208 thecomponent particular manufacturers component within (typically the systemin the form can combof meanine timeto result between in the failures—MTBF) failure in the top and/or event. from 209210 the[37,49,52–56]. manufacturersliterature, includingThe (typicallybasic amongevents in the reprothers formesent Aviation of component mean Standard time betweenfailures Documents and failures—MTBF) the bylogic RTCA, gates and/or FAA dictate and from how Eurocontrol the faults literature, of 211209 the literature,particular includingcomponent among within others the system Aviation can Standard combine Documents to result in bythe RTCA, failure FAA in the and top Eurocontrol event. 210212211 [37,49,52–56].the includingparticularIn this study, amongThecomponent basicFaultTree++ others events within Aviation reprfrom theesent Standardsystemisograph component can [57] Documents comb is failuresutilizedine to by resultand RTCA,to carry the in logic FAAthe out failure andgatesthe safety Eurocontrol indictate the assessment top how event. [37 faults,49 and, 52 of– 56]. 212210 [37,49,52–56].In this study, The basicFaultTree++ events reprfromesent isograph component [57] is failuresutilized and to carry the logic out thegates safety dictate assessment how faults and of 211213 thecalculate Theparticular basic the events top-levelcomponent represent event within probabilities. component the system failures Before can comb andconstructingine the to logic result gatesthe in faultthe dictate failure tree, how based in faults the ontop of the event. the system particular 212213211 calculatethe particularIn this the study, top-levelcomponent FaultTree++ event within probabilities. from the systemisograph Before can [57] comb isconstructing utilizedine to result to carrythe in fault the out failure tree,the safety based in the assessment ontop the event. system and 212214 overviewcomponentIn this provided study, within FaultTree++ in Section the system 2, from intermediate can isograph combine even [57] to resultts is leading utilized in the to to failure failure carry in inout the onboard the top safety event. DAA assessment capability and are 213214 calculateoverview theprovided top-level in Section event probabilities.2, intermediate Before events constructing leading to failure the fault in onboard tree, based DAA on capability the system are 213215212 calculateidentified.In thisIn the We this study, top-level note study, FaultTree++ that FaultTree++ event the navigation probabilities. from from isograph and isograph Beforeguidan [57] [ 57constructingisce ] utilizedfunctionality is utilized to thecarry to failures carryfault out out tree,the have thesafety based not safety assessment beenon assessment the presented system and and 214215 overviewidentified. provided We note inthat Section the navigation 2, intermediate and guidan eventsce leading functionality to failure failures in onboard have notDAA been capability presented are 214216213 overviewincalculate detailcalculate as theprovided this thetop-level would top-level in Section beevent beyond event 2,probabilities. intermediate probabilities. the scope Beforeof even th Beforeets article,constructing leading constructing except to failure the for thefaultthe in faultonboardsubsystems tree, tree, based DAA based on on capability which onthe thesystem DAAsystem are 215216 identified.in detail as We this note would that be the beyond navigation the scope and guidanof the article,ce functionality except for failures the subsystems have not onbeen which presented DAA 215217214 identified.componentsoverviewoverview provided We provideddirectly note inthat dependSection in the Section navigation 2,such intermediate2, intermediate as onboardand guidan even eventsGlobaltsce leading functionality leading Positioning to failure to failure failures Systemin onboard in onboardhave (GPS) notDAA DAA andbeen capability barometric capabilitypresented are are 216217 incomponents detail as this directly would depend be beyond such the as scope onboard of th Globale article, Positioning except for theSystem subsystems (GPS) andon which barometric DAA 218215 altimeter.identified.identified. The We symbolsWenote note that that the thearenavigation navigationused to createand and guidan the guidance faultce functionality tree functionality are illustrated failures failures in have Table have not 1. notbeen been presented presented 216217 incomponents detail as this directly would depend be beyond such the as scope onboard of th eGlobal article, Positioning except for theSystem subsystems (GPS) andon which barometric DAA 218216 altimeter.in detailin detail as The this as symbols thiswould would bethat beyond are be beyondused the to scope create the scopeof the th efault ofarticle, the tree article,except are illustrated for except the subsystems forin Table the subsystems 1. on which on DAA which 217218 componentsaltimeter. The directly symbols depend that are such used asto createonboard the Global fault tree Positioning are illustrated System in Table (GPS) 1. and barometric 219217 componentsDAA components directlyTable directlydepend 1. Fault dependsuch tree symbolsas such onboard as used onboard inGlobal this Globalstudy Positioning and Positioning their Systemsignificance. System (GPS) (GPS) and andbarometric barometric 218219 altimeter. The symbolsTable that 1. Faultare used tree symbolsto create used the infault this treestudy are and illustrated their significance. in Table 1. 218 altimeter.altimeter. The The symbols symbols that that are areused used to create to create the thefault fault tree tree are are illustrated illustrated in Table in Table 1. 1. 219 Symbol Table Name1. Fault tree symbols used in this study Significance and their significance. 219 Symbol Table Name1. Fault tree symbols used in this study Significance and their significance. 219 Symbol TableTable NameBasic1. Fault 1. Fault treetree symbols symbols used used in this inthis study Significance study and and their their significance. significance. Basic An initiating event to which reliability model is associated. Symbol NameEvent An initiating event to which Significance reliability model is associated. EventBasic Symbol Name NameAn initiating event to which Significance reliability model Significance is associated. UndevelopedEventBasic An event that cannot be developed further or for which the UndevelopedBasic An initiatingevent that event cannot toAn bewhich initiatingdeveloped reliability event further model to which or isfor associated. reliabilitywhich the model Event BasicreliabilityAn Event initiating data event cannot to whichbe found. reliability model is associated. UndevelopedEvent Anreliability event thatdata cannot cannotis be associated.be developed found. further or for which the UndevelopedEvent Anreliability event that data cannot cannotAn be be eventdeveloped found. that cannot further be or developed for which furtherthe or for UndevelopedTransferUndeveloped IndicatesAn event Event athat transfer cannot continuation be developed to afurther subtree. or for which the TransferEvent reliability Indicates adata transfer cannot continuationwhich be found. the reliability to a subtree. data cannot be found. Event reliability data cannot be found. Transfer Transfer Indicates a transfer continuation Indicates a transfer to a subtree. continuation to a subtree. AND Indicates the occurrence of all the input events cause the Transfer Indicates a transfer continuation to a subtree. AND Indicates the occurrenceIndicates of all thethe occurrenceinput events of cause all the the input events cause TransferGate ANDoutput Indicates Gate event a transfer to occur. continuation to a subtree. ANDGate Indicatesoutput event the occurrenceto occur.the output of all the event input to occur.events cause the ANDGateOR Indicatesoutput event the occurrenceto occur.Indicates of aleitherl thethe occurrenceinputinput eventevents of causes cause either thethe input event causes OR Gate ANDGateOR outputIndicates event the occurrenceto occur.the output of eialtherl the event inputinput to event occur.events causes cause thethe GateOR Indicatesoutput event the occurrenceto occur. of either input event causes the k out of n Gate output event to occur.Indicates the output event occurs if a certain number k out of n VOTINGGateOR ORVOTING Indicatesoutput OR Gateevent the outputoccurrenceto occur. event of occurs either inputif a certain event number causes theof the k out of n of the input events occur. VOTINGGateOR OR outputIndicates event the outputtooccurrence occur. event of occurs either inputif a certain event number causes theof the k out of n Gate input events occur. VOTINGGate OR Indicatesinputoutput events event the occur.outputto occur. event occurs if a certain number of the

k out of n VOTINGGate OR Indicatesinput events the occur.output event occurs if a certain number of the 220 In orderk out to of identify n the basic events that lead to the failure of the onboard surveillance sensors, 220 In orderIn order to identify to identifyVOTING the thebasic OR basic eventsIndicates events that thatthe lead output lead to the to event thefailure failureoccurs of ifthe of a certain theonboard onboard number surveillance surveillance of the sensors, sensors, 221 complete knowledge of theGate complex inputarchitecture events occur. of each of the sensors along with the understanding 220 In order to identify theGate basic eventsinput that events lead occur. to the failure of the onboard surveillance sensors, 221 completecomplete knowledge knowledge of the of thecomplex complex architecture architecture of each of each of the of thesensors sensors along along with with the theunderstanding understanding 220222 of integratedIn order tonavigation identify theand basic communication events that leadsystem to thecomponents failure of theis required. onboard Thissurveillance is because sensors, some 221222 completeof integratedof integrated knowledge navigation navigation of the and complex and communication communication architecture system of system each components of components the sensors is required. isalong required. with This the This is understanding because is because some some 221223220 completeonboardIn order knowledgestate to data identify areof the thefed complex basic into eventsmultiple architecture that surv lead ofeillance to each the offailure sensors the sensors of theand alongonboard some with of surveillance thethem understanding share sensors, same 222223 ofonboard integratedonboard state state navigation data data are are and fed intocommunicationinto multiple multiple surveillance surv systemeillance components sensors sensors and someisand required. some of them ofThis share them is samebecause share transponder somesame 222224221 oftranspondercomplete integrated knowledge datalink. navigation of For the and example, complex communication barometric architecture system altime of each tercomponents ofdata the is sensors used is required.by along both with Active This the isMode understanding because S and some the 223224 onboardtransponder state datalink. data are For fed example, into multiplebarometric surv altimeeillanceter data sensors is used and by someboth Active of them Mode share S and same the 225222 ADS-Bof integrated Out system. navigation Hence, and errorcommunication in the barometric system componentsaltimeter will is required.affect both This systems. is because Figure some 4 223224 onboardtransponder state datalink. data are For fed example, into multiplebarometric surv altimeeillanceter data sensors is used and by someboth Activeof them Mode share S and same the 225223 ADS-Bonboard Out state system. data areHence, fed errorinto multiplein the barometric surveillance altimeter sensors will and affect some both of systems.them share Figure same 4 224225 transponderADS-B Out datalink.system. Hence, For example, error inbarometric the barometric altimeter altimeter data is usedwill byaffect both both Active systems. Mode SFigure and the 4 225224 ADS-Btransponder Out system.datalink. Hence, For example, error inbarometric the barometric altime teraltimeter data is usedwill byaffect both both Active systems. Mode SFigure and the 4 225 ADS-B Out system. Hence, error in the barometric altimeter will affect both systems. Figure 4

Aerospace 2019, 6, 19 7 of 20

Aerospace 2018, 5, x FOR PEER REVIEW 7 of 20 datalink. For example, barometric altimeter data is used by both Active Mode S and the ADS-B Out 226 illustratessystem. Hence, the dependency error in the between barometric onboard altimeter naviga willtion affect and both surveillance systems. systems Figure4 inillustrates a high-level the 227 architecture.dependency between onboard navigation and surveillance systems in a high-level architecture.

Barometric Onboard GPS Altimeter + Air Data Computer

ADS-B System Mode S TCAS (In/Out) Transponder 228 229 Figure 4. Top-level data ﬂowflow diagramdiagram showingshowing the dependenciesdependencies between onboard navigation and 230 surveillance systems.

231 To properlyproperly capture capture failures failures that that affect affect multiple multiple systems, systems, the common the common cause failurecause (CCF)failure analysis (CCF) 232 analysisis utilized. is utilized. The CCF The is aCCF failure is a eventfailure that event affects that affects multiple multiple components components or functions or functions [58]. In[58]. CCF In 233 CCFanalysis, analysis, there there are two are relevant two relevant factors: factors: the root the cause, root whichcause,is which a single is a failure single event, failure and event, the coupling and the 234 couplingfactor. The factor. coupling The coupling factor describes factor describes the dependency the dependency of multiple of multiple systems systems on a common on a common data source. data 235 Whilesource. calculating While calculating the overall the overall risk for risk surveillance for surveillan systemce system failure, failure, it is crucialit is crucial to take to take care care of the of 236 theCCF CCF because, because, as shownas shown in thein the architecture architecture in in Figure Figure4, some4, some of of the the basic basic events events affect affect a a multiple multiple 237 surveillance systemsystem atat the the same same time. time. The The most most commonly-used commonly-used method method to accountto account for CCFfor CCF is the is beta the 238 betafactor factor method method [59,60 [59,60].]. To calculate To calculate the failure the failur ratee due rate to due common to common causes, caus thees, beta the factor beta isfactor simply is 239 simplymultiplied multiplied by the component by the component failure rate. failure In essence, rate. Inthe essence, beta factor the beta simply factor represents simply therepresents percentage the 240 percentageof component of component failures that failures are due that to common are due causes.to common A beta causes. factor A of beta 0.05 factor is chosen of 0.05 for is this chosen analysis for 241 thisbased analysis on the based literature on the and literature the International and the International Electrotechnical Electrotechnical Commission Commission (IEC) method (IEC) checklist. method 242 checklist.In this work, the contribution of individual failure events to their related system failure are 243 determinedIn this basedwork, onthe the contribution specific functional of individual dependencies. failure events For example, to their while related in thesystem event failure of ADS-B are 244 determinedout failure, thebased ownship on the is specific not locatable functional by other depend platformsencies. throughFor example, ADS-B, while it still in the can event detect of intruder ADS-B 245 outtraffic failure, with the a working ownship ADS-B is not locatable In. Hence, by theother detection platforms capability through willADS-B, not it be still compromised can detect intruder due to 246 trafficthe failure with ofa working ADS-B out ADS-B system In. Hence, and can the still detection avoid intruders. capability Therefore,will not be onlycompromised the failure due in trafficto the 247 failuredetection of capabilityADS-B out is consideredsystem and in can the DAAstill avoid functionality. intruders. The Therefore, ownship surveillance only the failure function in failure,traffic 248 detectionreferred to capability as a failure is inconsidered ownship locatabilityin the DAA function, functionality. is deduced The ownship in a different surveillance tree. Figures function5–7 249 failure,illustrate referred the DAA to as capability a failure failure in ownship considering locatability the function function, of is traffic deduced detection in a different and avoid tree. capability Figures 250 5–7and illustrate Figures8– 12the demonstrate DAA capability the failure failure in consider ownshiping locatability the function function. of traffic detection and avoid 251 capabilityAs depicted and Figures in Figure 8–125, demonstrate the failure in the DAA failure capability in ownship onboard locatability can be the function. result of five alternative events. Three of them are intermediate events: DAA 1A-failure in traffic detection function by 252 cooperativeAs depicted sensors, in Figure DAA 2-failure5, the failure on non-cooperative in DAA capability sensors onboard and DAAcan be 3-evaluation the result of functionfive alternative failure. 253 events.DAA 1A Three and DAA of them 2 are are transferred intermediate to separate events: trees DAA and illustrated1A-failure inin Figures traffic6 detectionand7. The function evaluation by 254 cooperativefunction failure sensors, traces DAA the data 2-fail processingure on non-cooperative function failure whichsensors indicates and DAA the failure3-evaluation in multi-sensor function 255 failure.data fusion DAA and 1A the and track DAA evaluation 2 are transferred failure indicates to separate the failuretrees and probability illustrated of intruderin Figure track 6 and evaluation. Figure 7. 256 The executeevaluation function function failure failure is the traces failure the probability data processing to execute function appropriate failure wh maneuversich indicates as commanded. the failure 257 inDAA multi-sensor 5 is the failure data of fusion the data and link the that track is used evalua to transfertion failure data and indicates receive commandthe failure from probability the ground of 258 intrudercontrol station. track evaluation. The execute function failure is the failure probability to execute appropriate 259 maneuversFigure 6as outline commanded. the intermediate DAA 5 is eventsthe failure DAA of 1A. the Asdata stated link earlier,that is used this subtree to transfer specifies data theand 260 receivefailure probabilitycommand from of traffic the ground detection control function station. by cooperative surveillance. In this work, a voting OR 261 gate isFigure utilized 6 outline to calculate the intermediate the failure probability events DAA of DAA 1A. As 1. VOTINGstated earlier, OR indicates this subtree that the specifies event willthe 262 failureoccur of probability k out of n of events traffic occur. detection In the function fault tree by cooperative presented in surveillance. Figure6, the In DAA this work, occurs a ifvoting two out OR 263 gateof three is utilized surveillance to calculate sensors the failed failure to probability detect a traffic. of DAA VOTING 1. VOTING OR gate OR is indicates considered that to the account event will the 264 occurcurrent of equipagek out of n scenario events occur. for unmanned In the fault as welltree presented as manned in aircraft Figure system.6, the DAA Using occurs a universal if two out AND of 265 three surveillance sensors failed to detect a traffic. VOTING OR gate is considered to account the 266 current equipage scenario for unmanned as well as manned aircraft system. Using a universal AND 267 gate would give a lower failure rate whereas using a universal OR gate would provide a higher failure

Aerospace 2019, 6, 19 8 of 20 Aerospace 2018, 5, x FOR PEER REVIEW 8 of 20

268 gaterate wouldthan in give an aactual lower encounte failure rater scenario. whereas For using example, a universal if onboard OR gate active would surveillance provide a higher system failure and 269 rateTCAS than system in an fails actual and encounter the intruder scenario. which can For be example, manned if or onboard unmanned, active is surveillancenot equipped system with ADS- and 270 TCASB, in spite system of having fails and a working the intruder ADS-B which In ownship can be manned will fail or to unmanned,detect the intruder. is not equipped Also, it is with considered ADS-B, 271 inthat spite without of having any acatastrophic working ADS-B power In failure ownship onboar will faild or to without detect theany intruder. external Also, attack it isthree considered systems 272 thatwill withoutnot be down any catastrophic at the same powertime. Thus, failure VOTING onboard OR or withoutencompasses any external all the scenarios. attack three systems will 273 not beFigure down 7 at presents the same the time. intermediate Thus, VOTING event ORDAA encompasses 2-failure in allnon-cooperative the scenarios. sensor which is the 274 resultFigure of two7 presents alternatives the intermediatesensors failure: event one DAA is air-to-air 2-failure radar in non-cooperative failure, and another sensor is whichvision-based is the 275 resultsensor of failure. two alternatives While tracing sensors the events failure: for one vision is air-to-air-based sensor, radar a failure, component and another wise failure is vision-based probability 276 sensoris adopted failure. as the While component tracing the is assumed events for to vision-based be acquired sensor,off the shelf a component with a specified wise failure MTBF. probability is adopted as the component is assumed to be acquired off the shelf with a speciﬁed MTBF. 277 AsAs statedstated earlier, earlier, a separate a separate fault fault tree istree constructed is constructed to determine to determine the failure the in ownshipfailure in locatability ownship 278 functionlocatability due function to failure due of cooperativeto failure of surveillance cooperative system. surveillance Figures system.8–12 illustrate Figures the8–12 faults illustrate trees ofthe 279 mainfaults event trees andof main intermediate event and events. intermediate As detailed events. in As Figure detailed8, the in failure Figure in 8, cooperative the failure in surveillance cooperative 280 functionsurveillance occurs function if either occurs Mode if S either or ADS-B Mode out S failed.or ADS- ThisB out is a failed. conservative This is choicea conservative that assumes choice mixed that 281 equipageassumes requirements.mixed equipage The requirements. ownship ADS-B The out owns systemhip ADS-B depends out on system the onboard depends satellite on the navigation onboard 282 andsatellite pressure navigation altimeter. and Figures pressure9 and altimeter. 10 present Figure thes transferred 9 and 10 present trees from the thetransferred ADS-B out;trees Figure from 10the 283 outlinesADS-B out; the failureFigure in10 ADS-Boutlines due the to failure onboard in ADS-B satellite due navigation to onboard loss satellite and Figure navigation 11 outlines loss and the failureFigure 284 11 outlines the failure due to corrupted data from navigation sources. Finally, Figure 12 shows the due to corrupted data from navigation sources. Finally, Figure 12 shows the fault tree for Mode S 285 fault tree for Mode S surveillance only. surveillance only. 286

287 288 FigureFigure 5.5. FaultFault treetree forfor failurefailure inin DAADAA capability.capability. TheThe failurefailure subtreessubtrees forfor DAADAA 1A1A andand DAADAA 22 areare 289 detaileddetailed inin thethe followingfollowing ﬁgures.figures.

Aerospace 2019, 6, 19 9 of 20 Aerospace 2018, 5, x FOR PEER REVIEW 9 of 20

290 291 Figure 6. Fault subtree for cooperative surveillance (trafﬁc(traffic detection).

292 293 Figure 7. Fault subtree for non-cooperative surveillance.

Aerospace 2019, 6, 19 10 of 20 Aerospace 2018, 5, x FOR PEER REVIEW 10 of 20 Aerospace 2018, 5, x FOR PEER REVIEW 10 of 20

294 294 295 Figure 8. FaultFault subtree subtree for for cooperative cooperative surveillance surveillance (ownsh (ownshipip locatability). locatability). The The subtrees subtrees for for failure failure in 295 Figure 8. Fault subtree for cooperative surveillance (ownship locatability). The subtrees for failure in 296 automaticin automatic dependent dependent surveillance-broadcast surveillance-broadcast (ADS-B) (ADS-B) Out Out and and failure failure in in Mode Mode S S surveillance are 296 automatic dependent surveillance-broadcast (ADS-B) Out and failure in Mode S surveillance are 297 presented in the following ﬁgures.figures. 297 presented in the following figures.

298 298 299 Figure 9. Fault subtree for ADS-B Out system. 299 Figure 9. Fault subtree for ADS-B Out system.

Aerospace 2018, 5, x FOR PEER REVIEW 11 of 20 AerospaceAerospace2019 2018, ,6 5,, 19 x FOR PEER REVIEW 11 ofof 2020

300300 301 FigureFigure 10. 10. FaultFault subtree subtree for the for loss the of loss Global of Global Positioning Positioning System (GPS) System data, (GPS) partially data, adopted partially from adopted [37]. 301 Figure 10. Fault subtree for the loss of Global Positioning System (GPS) data, partially adopted from [37]. from [37].

302302 Figure 11. Fault subtree for misleading navigation information. 303 Figure 11. Fault subtree for misleading navigation information. 303 Figure 11. Fault subtree for misleading navigation information.

Aerospace 2019, 6, 19 12 of 20 Aerospace 2018, 5, x FOR PEER REVIEW 12 of 20

304 Figure 12. Fault subtree for Mode S failure. 305 Figure 12. Fault subtree for Mode S failure. The reliability data for the basic events used in the fault tree are extracted from the literature, 306 The reliability data for the basic events used in the fault tree are extracted from the literature, aviation standard documents and Original Equipment Manufacturer (OEM) and presented in Table2. 307 aviation standard documents and Original Equipment Manufacturer (OEM) and presented in Table 308 2. Table 2. Failure probability associated to the basic events.

309 BasicTable Events 2. Failure probability associated Description to the basic events. Note: the acronyms used in Failure the Basic Probability, Events q 310 DAAcolumn 3A are defined in Figures Data5 to Processing12. Failure 1 × 10−13 as in [61] DAA 3B Track Evaluation Failure 1 × 10−13 as in [61] DAABasic 4 Events Description Execution Function Failure Failure1 × 10 Probability,−6 as in [49] q DAADAA 5A 3A Data Processing Command Failure Datalink Failure (Loss of Function) 1×101 ×10− 6 asas in in [61] [49] −7 DAADAA 5B 3B Track Evaluation Command Failure Datalink Failure (Unannounciated Failure) 1×101 ×10 asas in in [61] [49] −4 AS 1/TC-3/AO 3A /AO 3B/MS-3 Transponder Failure (Main/Backup) 1 ×10 as in [61] DAA 4 Execution Function Failure 1×10 − as5 in [49] AS 2/MS-2 Misleading Information from Mode S Function 1 ×10 as in [38] AI 1DAA 5A Command Failure Datalink in ADS-B Failure In Receiver (Loss of Function) 1×101 × 10 − as4 as in in [49] [37 ] AI 2DAA 5B Command Failure Datalink in Report Failure Assembly (Unannounciated Module Failure) 1×101 × 10 − as7 as in in [49] [37 ] −5 AI 3/AOAS 1/TC-3/AO 2 3A Loss of Function of ADS-B System 1 ×10 as in [38] Transponder Failure (Main/Backup) 1×10 − as4 in [61] TC/AO 1 3B/MS-3 Failure in Radio Altimeter 1 × 10 as in [38] Failure in Trafﬁc Collison Avoidance System TCAS 2 2/MS-2 Misleading Information from Mode S Function 1×101 ×10 − as5 as in in [38] [36 ] (TCAS) Function AARAI 1 1 Failure in Air-to-Air ADS-B In Radar Receiver (Loss of Function) 1×101 × 10 − as7 as in in [37] [62 ] AARAI 2 2 Failure in Air-to-Air Report Assembly Radar (Unannounciated Module Function) 1×101 × 10 − as6 as in in [37] [62 ] VS 1AI 3/AO 2 Loss of Func Electronicstion of Failure ADS-B System 1×101 ×10 − as7 as in in [38] [63 ] −6 VS 2TC 1 Failure in Optical Radio Failure Altimeter 1×101 ×10 asas in in [38] [64 ] × −13 VS 3Failure in Vision Traffic Logic Collison Failure Avoidance (Data processing System failure) (TCAS) 1 10 as in [61] AOTC 4 2 Misleading Information from ADS-B Function 1×101 ×10 − as5 as in in [36] [38 ] AO 6Function Transponder Jamming 1 × 10−13 as in [37] AOAAR 1A 1 Air-to-Air Loss Radar of Geometry (Loss of from Function) Satellite 1×101 × 10 − as8 as in in [62] [37 ] AOAAR 1B 2 Air-to-Air GPS Radar Receiver (Unannounciated Malfunction Function) 1×101 ×10 − as4 as in in [62] [37 ] − AOVS 1C 1 Electronics GPS Failure Antenna Failure 1×101 ×10 as4 as in in [63] [37 ] −13 AOVS 1D 2 Optical Failure Jamming of Satellite 1×101 ×10 as inas in[64] [37 ] AO 1E Satellite Failure 1 × 10−13 as in [37] VS 3 Vision Logic Failure (Data processing failure) 1×10 as in [61] AO 5AI/AO 5AII Horizontal Position Error (Latitude/Longitude) 1 × 10−5 as in [38] AOAO 5BI 4 Misleading Misleading Information Information from ADS-B from Barometric Function Altimeter 1×101 × 10 − as9 as in in [38] [63 ] AOAO 5BII 6 Transponder GPS Vertical Jamming Error 1×101 ×10− 5 asas in in [37] [38] MSAO 1 1A Loss of Geometry Failure in Barometric from Satellite Altimeter 1×101.1 ×10 as−7 inas [37] in [63 ] AO 1B Note: the GPS acronyms Receiver used Malfunction in the Basic Events column are deﬁned in Figures1×105–12. as in [37] AO 1C GPS Antenna Failure 1×10 as in [37] AOFor 1D the failure probability Jamming value of Satellite of command datalink and air to air radar,1×10 the value as is in taken [37] from AO 1E Satellite Failure 1×10 as in [37] technical standard orders, which state the loss of function (air to air radar and command datalink) AO 5AI/AO 5AII Horizontal Position Error (Latitude/Longitude) 1×10 as in [38] AO 5BI Misleading Information from Barometric Altimeter 1×10 as in [63] AO 5BII GPS Vertical Error 1×10 as in [38]

Aerospace 2019, 6, 19 13 of 20 cannot be greater than 1 × 10−6 per fight hour and unannounciated failure can be greater than 1 × 10−7 per flight hour. Although vision-based sensors are widely accepted as a means of UAS non-cooperative surveillance, so far, no specific technical standard defined the reliability requirements for DAA-grade vision sensors. Hence, the vision sensor failure is deduced considering its main component and the reliability data for airborne electronics / optical instruments during nominal condition is considered in the study.

4. Result and Analysis Based on the FTA presented in Section3, two different further analyses have been carried out in this study. In Section 4.1, we present the results related to the top events failure and the system availability that can be calculated from it. In the second analysis, the results of which are presented in Section 4.2, the importance measure is discussed, which relates the component signiﬁcance to the top event failure.

4.1. System Availability For the safety assessment in this study, a general model is used, which considers the failure probability as constant across the lifespan of the component. Denoting basic failure probability as Qi with i = 1 ... n and the top event failure as Q, assuming all basic events are independent, the model can be expressed as: Q(t) = f (Q1(t), Q2(t),... Qn(t)) (1) This implies that if the state of each component in the fault tree is known at time t, then the state of the top event can also be determined regardless of what has happened up to time t. The top event probability is calculated by logically tracing the failure of basic events. Q(t), the probability of the hazard/top event occurrence is also known as the risk measure or unavailability [52]. Thus, the availability of the system can be obtained as:

Operational Availability = 1 − Q(t) (2)

The failure in the DAA capability onboard deduced in Figure5 is 9.356 × 10−6, which implies operational availability of higher than 99.99%. For the fault tree presented in Figure5, two most important intermediate events are failure in cooperative and non-cooperative surveillance sensor failure. Tables3–5 summarize the results of intermediate events fault trees.

Table 3. Result summary for DAA capability fault tree analysis (FTA) as per Figure5.

Function Failure Probability Operational Availability Failure in Cooperative System 5.056 × 10−6 0.999994944 (Trafﬁc Detection Function), DAA 1 Failure in Non-cooperative 2.2 × 10−6 0.9999978 Surveillance System, DAA 2 Command Datalink Failure, DAA 5 1.1 × 10−6 0.9999989 Execution Function Failure, DAA 4 1 × 10−6 0.999999 Evaluation Function Failure, DAA 3 2 × 10−13 ~1

Table 4. Result summary for the cooperative surveillance (traffic detection function) FTA as per Figure6 .

Function Failure Probability Operational Availability Failure in Active Surveillance System, AS 0.00011 0.99989 Failure in ADS-B In, AS 0.0001101 0.9998899 Failure in TCAS system, TC 0.00021 0.99979 Aerospace 2019, 6, 19 14 of 20

Table 5. Result summary for the non-cooperative surveillance FTA as per Figure7.

Function Failure Probability Operational Availability Failure in Air-to-Air Radar, DAA 2A 1.1 × 10−6 0.9999989 Failure in Vision Based Sensor, DAA 2B 1.1 × 10−6 0.9999989

From the results presented in Table4, the probability of cooperative surveillance system trafﬁc detection capability is in order of 10−6 which can be referred to as remote [65]. From Figure 12 it can be seen that Mode S has the lowest failure probability where TCAS has most likely to failure (referred to Figure6). Also, in Figure6 it is also illustrated that ADS-B In failure probability is intermediate between Mode S and TCAS system. For all of three systems, the operational availability is higher than 99.9%. The failure in non-cooperative surveillance is also in the order of 10−6 as detailed in Table5, but the value is lower than that of surveillance sensor failure. The lower level fault trees are generated based on the very basic reliability data and need future work to incorporate system speciﬁc information. The failure of the cooperative surveillance to successfully locate ownship to intruder as well as ATM is deduced in a separate tree. This way the impact of particular system failure does not affect the failure of certain functionality. Table6 summarizes the results.

Table 6. Result summary for ADS-B Out system FTA as per Figure8.

Function Failure Probability Operational Availability Failure in Active Surveillance, MS 0.0003601 0.9996399 Failure in ADS-B Out, AO 0.00025 0.99975 Note: the acronyms MS and AO are consistent with Figures5–12 and Table2.

Comparing Tables4 and6, it can be noted that the surveillance system may fail to locate ownship more than it may fail to detect the intruder. This may occur because any misleading information or loss of data from intruder aircraft was not considered, while the ownship surveillance sensor are bound to corrupted data error from onboard navigation.

4.2. Importance Measure A component or cut set’s contribution to the top event occurrence is termed as importance [66]. Importance measures of the basic events are associated with the risk-significance and safety-significance of the related components. They are normally used to rank the system’s components with respect to their contribution to the reliability and availability of the overall system. In this study, three different importance measures are used to quantify the risks. The first one is the Fussell–Vessely factor (F–V). The Fussell–Vessely factor measures the overall percent contribution of cut sets containing a basic event of interest to the total risk.

(Probability of top event due only to cutsets of interest) FV = (3) (Probability of top event)

The second one is Risk Reduction Worth (RRW), a measure of the change in risk of the system when the system component is perfect, or failure probability is zero. This measure helps to identify the components that are the best candidates to improve for overall safety.

(Probability of top event) RRW = (4) (Probability of top event with component failure probability = 0) Aerospace 2019, 6, 19 15 of 20

The third factor is risk achievement worth (RAW) measure of the increase in risk when a system is unavailable. Mathematically,

(probability of top event with component failure probability = 1) RAW = (5) (probability of top event)

Table7 summarizes the importance analysis for each of platform failure and ranked them according to their signiﬁcance on the total failure.

Table 7. Risk measure and importance analysis for the DAA capability FTA as per Figure5.

Events F–V RRW RAW DAA 1 0.5404 2.176 1.069 × 104 DAA 2 0.2351 1.307 1.069 × 104 DAA 3 2.683 × 10−8 1 1.069 × 104 DAA 4 0.1069 1.12 1.069 × 104 DAA 5 0.11 1.133 1.069 × 104

The F–V value for DAA 1 failure in cooperative surveillance system is higher than all the events indicating that it contributes most to the system failure. Any improvement in the reliability of DAA 1 will decrease the risk with RRW = 2.176. Failure in non-cooperative surveillance system is the second highest effect on the DAA failure. The ability of airborne processor is rigid, and the failure of processor is considered extremely improbable, therefore its contribution is minimal to the DAA failure. Table8 summarize the importance measure value for the fault tree presented in Figure8.

Table 8. Risk measure and importance analysis for the ADS-B Out System FTA as per Figure8.

Events F–V RRW RAW MS 0.6942 3.12 1.341 × 104 AO 0.3058 2.211 1.341 × 104 Note: the acronyms MS and AO are consistent with Figures5–12 and Table2.

The results summarize in Table8, depicts that Mode S failure affects and contribute more to the overall system failure. This can also be concluded from the failure probability value of each system. The failure probability was higher for mode S surveillance than the ADS-B Out system.

5. Pathway to DAA Certification: ADS-B Suitability DAA systems capable of consistently and reliably performing equally or exceed the see-and-avoid performance of a human pilot are indispensable to mitigate the risks associated with possible errors/failures in the command and control (C2) loops involving the remote pilot and to support safe autonomous operations. Previous undertakings in the domain only managed to establish the safety cases for UAS operating within the line-of-sight (LOS) of their pilots or segregated from other traffic and well clear of public infrastructure and major urban settlements. For BLOS operation and safe integration of UAS into the non-segregated airspace, the provision of certified autonomous DAA capabilities is an indispensable milestone. The current LOS operations/segregated airspace constraints are preventing further exploitations of UAS technology and impeding many practical uses. For instance, the use of UAS to survey large areas, to deliver essential goods in remote locations and to provide communication services over wide geographic regions, to name a few, all require non-segregated BLOS operational capabilities. From the FTA carried out in this study, the system availability is greater than 99.98% for both ADS-B Out and ADS-B In systems. The availability of ADS-B In system is solely based on the host platform and any failure or malfunction from the intruder platform is not considered. The Minimum Aviation System Performance Standards for ADS-B [67] Aerospace 2018, 5, x FOR PEER REVIEW 16 of 20

398 capabilities is an indispensable milestone. The current LOS operations/segregated airspace 399 constraints are preventing further exploitations of UAS technology and impeding many practical 400 uses. For instance, the use of UAS to survey large areas, to deliver essential goods in remote locations 401 and to provide communication services over wide geographic regions, to name a few, all require non- 402 segregated BLOS operational capabilities. From the FTA carried out in this study, the system 403 availability is greater than 99.98% for both ADS-B Out and ADS-B In systems. The availability of 404 AerospaceADS-B In2019 system, 6, 19 is solely based on the host platform and any failure or malfunction from the intruder16 of 20 405 platform is not considered. The Minimum Aviation System Performance Standards for ADS-B [67] 406 specify the availability of ADS-B to be greater than 99.9% if used as primary means of surveillance 407 andspecify greater the availabilitythan 95% if used of ADS-B as supplementary to be greater means than 99.9% of surveillance. if used as The primary Civil meansAviation of Certification surveillance 408 Authorityand greater (CASA) than 95% in ifAustralia used as supplementaryhas mandated using means ADS-B of surveillance. for aircraft The flying Civil above Aviation FL285 Certification and also 409 Authorityfor Instrument (CASA) Flight in Australia Rule (IFR) has traffic mandated as specified using ADS-B in CAO for 20.18. aircraft The flying FAA above also FL285mandated andalso all the for 410 generalInstrument aviation Flight aircraft Rule (IFR) to be traffic equipped as specified with ADS-B in CAO within 20.18. The2020 FAA [68]. also Although mandated the allfailure the general of the 411 ADS-Baviation system aircraft (1.2 to be × 10 equipped−3) is lower with comparative ADS-B within to 2020other [ 68surveillance]. Although sensors, the failure researcher of the ADS-B working system on −3 412 (1.2DAA× capability10 ) is lower concluded comparative that toonly other an surveillance adequate exploitation sensors, researcher of multi-se workingnsor on architecture DAA capability will 413 potentiallyconcluded thatmeet only the safety an adequate requirements exploitation in all flig of multi-sensorht phases. Therefore, architecture depending will potentially on the operational meet the 414 flightsafety envelope requirements ADS-B in all data flight shall phases. be fused Therefore, with ot dependingher cooperative on the and operational non-cooperative flight envelope surveillance ADS-B 415 data.data shallTherefore, be fused ADS-B with systems other cooperative can be used and as non-cooperative a cooperative sensor surveillance especially data. in Therefore,the airspace ADS-B with 416 IFRsystems traffic can allowing be used asthe a cooperativesafe operation sensor of especiallyunmanned in theplatforms airspace in with non-segregated IFR traffic allowing airspace. the safeThe 417 mathematicaloperation of unmanned approach platformsproposed inin non-segregatedthe unified framework airspace. allows The mathematical us to determine approach the safe-to-fly proposed 418 portionsin the unified of the framework host UAS operational allows us to flight determine envelo thepe based safe-to-fly on the portions avionics of sensors/systems the host UAS operational available 419 onboardflight envelope or, alternatively, based on the to identify avionics the sensors/systems required sensors/systems available onboard required or, fo alternatively,r operating in to a identify certain 420 predefinedthe required portion sensors/systems of the host required UAS operational for operating flight in envelope. a certain predefinedFigure 13 conceptually portion of the depicts host UAS the 421 two-wayoperational certification flight envelope. approach. Figure 13 conceptually depicts the two-way certification approach.

422 423 Figure 13. Two-way approach to certiﬁcation.certification.

424 In particular, considering the nominalnominal flightflight envelopesenvelopes ofof thethe hosthost UAS/intrudersUAS/intruders and the 425 characteristics of the on-board sensors/systems,sensors/systems, th thee algorithms algorithms will will determine the applicable safety 426 envelope restrictions.restrictions. Conversely, Conversely, based based on aon predefined a predefined (required) (required) flight envelopeflight envelope and on theand intruder on the 427 intruderdynamics, dynamics, the algorithms the algorithms will allow will an allow identification an identification of the specificof the specific avionics avionics sensors/systems sensors/systems that must be integrated in the UAS. This approach will lay the foundations for the development of an airworthy DAA capability and a pathway for manned/unmanned aircraft coexistence in all classes of airspace. Moreover, the research community determined that only the exploitation of machine learning and artificial intelligence technologies will allow to develop a DAA capability that can perform reliably with the predicted levels of traffic density and the infinite combination of possible encounter characteristics, which already exceed the cognitive capabilities of human operators. This has been the chosen path, for Aerospace 2019, 6, 19 17 of 20 instance, in the development of the ACAS-Xu variant. However, the current regulatory framework does not cater for the certification of non-deterministic avionics systems, hence significant evolutions will be required to the framework [69], which shall also account for the ever-increasing air-ground functional integration as part of the so-called CNS+A (i.e., CNS/ATM and Avionics) paradigm, which demands that cohesive safety certification requirements are adopted for both airborne and ground-based systems [69,70].

6. Conclusions The reliability of a DAA system for UAS flying beyond line of sight (BLOS) based on ADS-B and other cooperative/non-cooperative sensors was analyzed in this paper. The unified analytical framework has been utilised for the mathematical fusion of navigation and tracking errors, supporting the development of low SWaP-C DAA systems exploiting cooperative and non-cooperative surveillance technologies. The paper also briefly discussed the need for an evolution of the certification framework to accommodate the adoption of non-deterministic systems and to encompass the ever-increasing functional integration between airborne and ground-based systems. The analysis highlighted the safety significance and importance of the onboard surveillance equipment. The cooperative surveillance system failure contributes most to the DAA capability failure. Another important finding is that for the cooperative surveillance system, the failure in ownship surveillance capability is higher than the failure in traffic detection capability. The adequacy of ADS-B as a cooperative surveillance system for conventional one-to-one encounters was also discussed. The calculated failure probability is in the order of 10−6, which is remote. Although the severity analysis has not been included in this study, the implications of the failure will depend on the airspace characteristics. In particular, in uncontrolled airspace, where ATM deconfliction service is not available or limited, the consequences will be likely more severe than in controlled airspace. Additionally, the severity also depends on the intruder equipage, as inadequate maneuvers can be initiated due to CNS performance limitations in the intruder platform. Hence, depending on airspace and UAS performance characteristics, specific avionics sensors/systems will have to be integrated. In conclusion, ADS-B has a good potential to be utilized as the main cooperative system especially in airspace with IFR traffic. Further evaluation will have to consider intruder equipage failures as well as different airspace and conflict scenarios. This future work will prompt an evolution of the conventional probabilistic safety assessment methodology.

Author Contributions: Conceptualization, R.S. and A.T.; Methodology and Formal Analysis, A.T.; Investigation, R.S. and A.T.; Writing-Original Draft Preparation, A.T. and A.G.; Writing-Review and Editing, R.S. and A.G.; Supervision, R.S. Funding: This research received no external funding. Conﬂicts of Interest: The authors declare no conﬂict of interest.

References

1. 2016-2030 Global Air Navigation Plan. Available online: https://www.icao.int/airnavigation/documents/ ganp-2016-interactive.pdf (accessed on 18 July 2018). 2. U.S. Army Unmanned Aircraft System Roadmap 2010–2035. Available online: https://www.army.mil/ article/37470/us_army_roadmap_for_unmanned_aircraft_systems_2010_2035 (accessed on 18 July 2018). 3. Unmanned Aircraft Systems Integration in the National Airspace System. Available online: https://www. nasa.gov/centers/armstrong/news/FactSheets/FS-075-DFRC.html (accessed on 18 July 2018). 4. Ribeiro, L.; Giles, S.; Katkin, R.; Topiwala, T.; Minnix, M. Challenges and opportunities to integrate UAS in the National Airspace System. In Proceedings of the IEEE 2017 Integrated Communications, Navigation and Surveillance Conference (ICNS), Herndon, VA, USA, 18–20 April 2017; pp. 6C3-1–6C3-13. 5. Avionics. Integrating UAS in the NAS. Available online: https://www.aviationtoday.com/2013/08/01/ integrating-uas-in-the-nas/ (accessed on 18 July 2018). Aerospace 2019, 6, 19 18 of 20

6. EASA. Partners Step Up Efforts to Address the Integration of Drones into European Airspace. Available online: https://www.easa.europa.eu/newsroom-and-events/news/partners-step-efforts-address-integration- drones-european-airspace (accessed on 18 July 2018). 7. Wood, D. Collision Avoidance System and Method Utilizing Variable Surveillance Envelope. U.S. Patent 10,125,918, 17 April 2002. 8. Mullins, M.; Holman, M.W.; Foerster, K.M.; Kaabouch, N.; Semke, W. Dynamic Separation Thresholds for a Small Airborne Sense and Avoid System. In AIAA Infotech @ Aerospace Conference; American Institute of Aeronautics and Astronautics: Reston, VA, USA, 2013. [CrossRef] 9. Smith, A.; Coulter, D.; Jones, C. UAS Collision Encounter Modeling and Avoidance Algorithm Development for Simulating Collision Avoidance. In AIAA Modeling and Simulation Technologies Conference and Exhibit; American Institute of Aeronautics and Astronautics: Reston, VA, USA, 2008. 10. Smith, A.; Harmon, F. UAS Collision Avoidance Algorithm Minimizing Impact on Route Surveillance. In AIAA Guidance, Navigation, and Control Conference; American Institute of Aeronautics and Astronautics: Reston, VA, USA, 2009. 11. Seo, J.; Kim, Y.; Kim, S.; Tsourdos, A. Collision Avoidance Strategies for Unmanned Aerial Vehicles in Formation Flight. IEEE Trans. Aerosp. Electron. Syst. 2017, 53, 2718–2734. [CrossRef] 12. De Crescenzio, F.; Persiani, F.; Miranda, G.; Bombardi, T. 3D Obstacle Avoidance Strategies for UASs (Uninhabited Aerial Systems) Mission Planning and Re-Planning. In The 26th Congress of ICAS and 8th AIAA ATIO; American Institute of Aeronautics and Astronautics: Reston, VA, USA, 2008. 13. Yang, X.; Alvarez, L.M.; Bruggemann, T. A 3D Collision avoidance strategy for UAVs in a non-cooperative environment. J. Intell. Robot. Syst. 2013, 70, 315–327. [CrossRef] 14. Sabatini, R.; Richardson, M.; Bartel, C.; Shaid, T.; Ramasamy, S. A Low-cost vision based navigation system for small size unmanned aerial vehicle applications. J. Aeronaut. Aerosp. Eng. 2013, 2.[CrossRef] 15. Sanfourche, M.; Delaune, J.; Besnerais, G. Perception for UAV: Vision-based navigation and environment modeling. Aerosp. Lab J. 2012, 1–19. Available online: http://www.aerospacelab-journal.org/sites/www. aerospacelab-journal.org/files/AL04-04_1.pdf (accessed on 18 July 2018). 16. Cappello, F.; Bijjahalli, S.; Ramasamy, S.; Sabatini, R. Aircraft dynamics model augmentation for RPAS navigation and guidance. J. Intell. Robot. Syst. 2017, 1–15. [CrossRef] 17. Sabatini, R.; Moore, T.; Hill, C. GNSS avionics-based integrity augmentation for RPAS detect-and-avoid applications. In Proceedings of the Fourth Australasian Unmanned Systems Conference (ACUS 2014), Melbourne, Australia, 15–16 December 2014. [CrossRef] 18. Sabatini, R.; Rodríguez, L.; Kaharkar, A.; Bartel, C.; Shaid, T.; Zammit-Mangion, D. Low-cost navigation and guidance systems for unmanned aerial vehicles—Part 2: Attitude determination and control. Annu. Navig. 2013, 20.[CrossRef] 19. Cappello, F.; Ramasamy, S.; Sabatini, R. A low-cost and high performance navigation system for small RPAS applications. Aerosp. Sci. Technol. 2016, 58, 529–545. [CrossRef] 20. Stephen, P.; Cook, S.P.; Brooks, D.; Cole, R.; Hackenberg, D.; Raska, V. Defining Well Clear for Unmanned Aircraft Systems. In AIAA Infotech@Aerospace; American Institute of Aeronautics and Astronautics: Reston, VA, USA, 2015. [CrossRef] 21. Walker, D. FAA Position on Building Consensus Around the SaRP Well-Clear Definition; RTCA Inc.: Washington, DC, USA, 2014. 22. Johnson, M.; Mueller, E.R.; Santiago, C. Characteristics of a well clear definition and alerting criteria for encounters between UAS and manned aircraft in class E airspace. In Proceedings of the 11th USA/Europe Air Traffic Management Research and Development Seminar (ATM2015), Lisbon, Portugal, 23–26 June 2015. 23. Cone, A.C.; Thipphavong, D.P.; Lee, S.M.; Santiago, C.; Langley, N.; Jack, D.P.; Group, A.A.; Vincent, M.J.; Group, A.A.; Myer, R.R. UAS Well Clear Recovery against Non-Cooperative Intruders using Vertical Maneuvers. In Proceedings of the 17th AIAA Aviation Technology, Integration, and Operations Conference, Denver, CO, USA, 5–9 June 2017; pp. 1–17. [CrossRef] 24. Monk, K.J.; Roberts, Z. Maintain and Regain Well Clear: Maneuver Guidance Designs for Pilots Performing the Detect-and-Avoid Task. In Proceedings of the 8th International Conference on Applied Human Factors and Ergonomics (AHFE 2017), Los Angeles, CA, USA, 17–21 July 2017. Aerospace 2019, 6, 19 19 of 20

25. Syd Ali, B.; Majumdar, A.; Ochieng, W.Y.; Schuster, W.; Chiew, T.K. A causal factors analysis of aircraft incidents due to radar limitations: The Norway case study. J. Air Transp. Manag. 2015, 44–45, 103–109. [CrossRef] 26. Hammer, J.; Calgaris, G.; Llobet, M. Safety analysis methodology for ADS-B based surveillance applications. In Proceedings of the 7th USA/Europe Air Traffic Management Research and Development Seminar, Barcelona, Spain, 2–5 July 2007; pp. 1–11. 27. Ali, B.S.; Ochieng, W.Y.; Zainudin, R. An analysis and model for Automatic Dependent Surveillance Broadcast (ADS-B) continuity. GPS Solut. 2017, 1–14. [CrossRef] 28. Ali, B.S.; Ochieng, W.; Majumdar, A.; Schuster, W.; Kian Chiew, T. ADS-B system failure modes and models. J. Navig. 2014, 67, 995–1017. [CrossRef] 29. Syd Ali, B.; Schuster, W.; Ochieng, W.; Majumdar, A. Analysis of anomalies in ADS-B and its GPS data. GPS Solut. 2016, 20, 429–438. [CrossRef] 30. Semke, W.; Allen, N.; Tabassum, A.; McCrink, M.; Moallemi, M.; Snyder, K.; Arnold, E.; Stott, D.; Wing, M. Analysis of radar and ADS-B influences on aircraft detect and avoid (DAA) systems. Aerospace 2017, 4, 49. [CrossRef] 31. Allen, N.; Tabassum, A.; Semke, W. Data abnormalities and drop outs in North Dakota air traffic control radar. In Proceedings of the 2017 IEEE/AIAA 36th Digital Avionics Systems Conference (DASC), St. Petersburg, FL, USA, 16–21 September 2017; pp. 1–9. 32. Tabassum, A.; Allen, N.; Semke, W. ADS-B message contents evaluation and breakdown of anomalies. In Proceedings of the 2017 IEEE/AIAA 36th Digital Avionics Systems Conference (DASC), St. Petersburg, FL, USA, 16–21 September 2017; pp. 1–8. 33. Tabassum, A.; Semke, W. UAT ADS-B data anomalies and the effect of flight parameters on dropout occurrences. Data 2018, 3, 19. [CrossRef] 34. Billingsley, T.B. Safety Analysis of TCAS on Global Hawk Using Airspace Encounter Models; Massachusetts Institute of Technology: Cambridge, MA, USA, 2006. 35. Federal Aviation Administration (FAA). Evaluation of Candidate Functions for Traffic Alert and Collision Avoidance System II (TCAS II) On Unmanned Aircraft System (UAS); FAA: Washington, DC, USA, 2011. 36. MITRE System Safety Study of Minimum TCAS II; Federal Aviation Administration: Washington, DC, USA, 1983; 376p. 37. Ali, B.S.; Ochieng, W.Y.; Majumdar, A. ADS-B: Probabilistic safety assessment. J. Navig. 2017, 70, 887–906. [CrossRef] 38. Snyder, K. UAS Surveillance Criticality Final Report; Federal Aviation Administration: Washington, DC, USA, 2016. 39. Lum, C.W.; Waggoner, B. A Risk Based Paradigm and Model for Unmanned Aerial Systems in the National Airspace. In Proceedings of the 2011 Infotech@Aerospace Conference, St. Louis, MI, USA, 29–31 March 2011. 40. Melnyk, R.; Schrage, D.; Volovoi, V.; Jimenez, H. Sense and avoid requirements for unmanned aircraft systems using a target level of safety approach. Risk Anal. 2014, 34, 1894–1906. [CrossRef][PubMed] 41. Nusbaumer, O. Introduction to Probabilistic Safety Assessments (PSA); Leibstadt NPP: Leibstadt, Switzerland, 2017. 42. Ramasamy, S.; Sabatini, R.; Gardi, A. A unified approach to separation assurance and collision avoidance for flight management systems. In Proceedings of the 2016 IEEE/AIAA 35th Digital Avionics Systems Conference (DASC), Sacramento, CA, USA, 25–29 September 2016; pp. 1–8. 43. Ramasamy, S.; Sabatini, R.; Gardi, A. A unified analytical framework for aircraft separation assurance and UAS sense-and-avoid. J. Intell. Robot. Syst. Theory Appl. 2017, 1–20. [CrossRef] 44. Orlando, V.A. The Mode S Beacon Radar System. Linc. Lab. J. 1989, 2, 345–362. 45. International Civil Aviation Organization (ICAO). Airborne Collision Avoidance System (ACAS) Manual; ICAO: Montreal, QC, Canada, 2006. 46. Guidance Material on Comparison of Surveillance Technologies (GMST); International Civil Aviation Organization Asia and Pacific: Bangkok, Thailand, 2007. 47. Sabatini, R.; Moore, T.; Hill, C. A New Avionics-Based GNSS Integrity Augmentation System: Part 1— Fundamentals. J. Navig. 2013, 66, 363–384. [CrossRef] 48. Sabatini, R.; Moore, T.; Hill, C. A New Avionics-Based GNSS Integrity Augmentation System: Part 2— Integrity flags. J. Navig. 2013, 66, 501–522. [CrossRef] Aerospace 2019, 6, 19 20 of 20

49. RTCA-SC-228 Draft Detect and Avoid (DAA) Minimum Operational Performance Standards for Verification and Validation; NASA: Washington, DC, USA, 2015. 50. Sabatini, R.; Gardi, A.; Richardson, M.A. LIDAR Obstacle Warning and Avoidance System for Unmanned Aircraft. Aerosp. Sci. Technol. 2016, 55, 344–358. 51. RTCA. SC-228, Minimum Operational Performance Standards for Unmanned Aircraft Systems. Available online: https://www.rtca.org/content/sc-228 (accessed on 22 July 2018). 52. Wide Area Multilateration Report on EATMP TRS 131/04 Version 1.1; National Aerospace Laboratory (NLR): Amsterdam, The Netherlands, 2005. 53. Bromberg, B.G.; Hill, R.D. Reliability of airborne electronic components. Proc. IRE 1953, 41, 513–516. [CrossRef] 54. Final Report for Software Service History and Airborne Electronic Hardware Service Experience in Airborne Systems; Federal Aviation Administration: Washington, DC, USA, 2016. 55. Kornecki, A.; Liu, M. Fault tree analysis for safety/security verification in aviation software. Electronics 2013, 2, 41–56. [CrossRef] 56. Technical Standard Order: Detect and Avoid (DAA) Systems; FAA TSO-C211; Federal Aviation Administration: Washington, DC, USA, 2017. 57. Isograph. Fault Tree Analysis Software. Available online: https://www.isograph.com/software/reliability- workbench/fault-tree-analysis-software/ (accessed on 18 July 2018). 58. Stott, J.E.; Britton, P.T.; Ring, R.W.; Hark, F.; Hatfield, G.S. Common Cause Failure Modeling: Aerospace vs. Nuclear. Available online: https://ntrs.nasa.gov/archive/nasa/casi.ntrs.nasa.gov/20100025991.pdf (accessed on 18 July 2018). 59. Sun, W. Determination of Beta-factors for Safety Instrumented Systems. Master’s Thesis, Norwegian University of Science and Technology, Trondheim, Norway, June 2013. 60. Amjad, Q.M.N.; Zubair, M.; Heo, G. Modeling of common cause failures (CCFs) by using beta factor parametric model. In Proceedings of the 2014 International Conference on Energy Systems and Policies (ICESP), Islamabad, Pakistan, 24–26 November 2014. [CrossRef] 61. European Organisation for the Safety of Air Navigation. Generic Safety Assessment for ATC Surveillance Using Wide Area Multilateration; Edition Number: 5.0; EUROCONTROL: Brussels, Belgium, 2008. 62. Technical Standard Order; TSO-C212; Federal Aviation Administration: Washington, DC, USA, 2017. 63. Kritzinger, D. Aircraft System Safety: Assessments for Initial Airworthiness Certification; Woodhead Publishing: Cambridge, UK, 2016; ISBN 0081009321. 64. Martin Marietta Aerospace. Laser Reliability Prediction; National Technical Information Service: Springfield, VA, USA, 1975. 65. Federal Aviation Administration (FAA). FAA System Safety Handbook, Chapter 3: Principles of System Safety; FAA: Washington, DC, USA, 2000. 66. Gomez Cobo, A. Importance Measures. In Proceedings of the Workshop on “PSA Applications”, Sofia, Bulgaria, 7–11 October 1996; pp. 17–27. 67. RTCA Minimum Aviation System Performance Standards for Automatic Dependent Surveillance Broadcast (ADS-B); RTCA, Inc: Washington, DC, USA, 2006. 68. Federal Aviation Administration. General Aviation ADS-B Rebate Program—Frequently Asked Questions. Available online: https://www.faa.gov/nextgen/equipadsb/rebate/faq/ (accessed on 18 May 2018). 69. Kistan, T.; Gardi, A.; Sabatini, R. Machine learning and cognitive ergonomics in air traffic management: Recent developments and considerations for certification. Aerospace 2018, 5, 103. [CrossRef] 70. Batuwangala, E.; Kistan, T.; Gardi, A.; Sabatini, R. Feature article: Certification challenges for next-generation avionics and air traffic management systems. IEEE Aerosp. Electron. Syst. Mag. 2018, 33, 44–53. [CrossRef]

© 2019 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).