At DLR (German Aerospace Center) novel concepts and technologies are investigated focusing on automated air cargo delivery for up to 1 t of cargo payload. The DLR project ALAADy (Automated Low Altitude Air Delivery) addresses a large scope of challenges that come along with such an unmanned aircraft for cargo operations. This presentation will provide an update on the project as well as a status on latest developments, i.e. from use cases and towards our demonstration goal. The discussed aspects comprise a blend of use case requirements and a discussion of onboard functional requirements such that a safe operation under the prospective EASA specific category would be admissible and feasible in very low level flight.
Unmanned Low-altitude Air Cargo, Towards Demonstration With A Specific Operational Risk Assessment
1. Unmanned Low-altitude Air Cargo: Towards Demonstration With A Specific Operational Risk Assessment
Johann Dauer, Sven Lorenz, Jörg Dittrich, Florian Adolf, Christoph Torens, Florian Nikodem
DLR - German Aerospace Center, Institute of Flight Systems
Department Unmanned Aircraft
> UCA 2017 > Dauer, Lorenz, Dittrich, F. Adolf, Torens, Nikodem • Unmanned Low-altitude Air Cargo: Towards Demonstration With A Specific Operational Risk Assessment > 2017-11-23DLR.de • Chart 1
Unmanned Cargo Aircraft Conference, 5th edition
23 November 2017, Avio Aero, Rivalta di Torino, Italy
2. DLR Project on Unmanned Cargo Aircraft
Automated Low Altitude Air Delivery
Pre-/Post-Flight Checks
Cargo Handling
Automated Flight
Aircraft Configurations
Hazard Avoidance
3. Configurations
Economical and Technical Requirements
Initial Idea
1 t payload
Simple
Short take-off / landing
600 km range
Cruise speed 200 km/h
VLL flight
Risk based approach
Use Cases
Proof of Concept
Technical feasibility
Airspace Integration
Autom. mission control
HMI / Control Station
Safety assessment
Safety monitoring
Yield models
4. Altitude: < 150 m
Cruise Speed: 120 km/h
Endurance: 2 h
Range: 250 km
Payload: 200 kg
Realization
MTOfree Basis Housing 200 kg Payload Cargo Handling
Technology
Demonstrator
Vision
Electric Propulsion Wings 1 t Payload Cargo Bay
2500 kg / 14 m
Vision
400 kg / 8 m
Realisation
5. EASA Classes of Operation for Drones
Specific Operations Risk Assessment (SORA)
$P_{\mathrm{crash}} < 10^{-7}$
?
Direct visual line of sight
< 150 m altitude
Uncritical Areas
No certification
Risks comparable to manned aviation
Complete certification
Beyond line of sight
> 150 m altitude
Increased Risks
Operation Risk based certification
open
specific
certified
$P_{\mathrm{crash}} < 10^{-3}$
$P_{\mathrm{violate}} < 10^{-4}$
$P_{\mathrm{total}} < 10^{-7}$
Minimize Risk:
e.g. Geofencing as containment
EASA NPA 05/2017: Introduction of a regulatory framework for the operation of drones - Unmanned aircraft system operations in the open and specific category
6. Scaling Certification Rigor to Specific Level of Risk
Open Specific Certified
SAIL I
SAIL II
SAIL III
SAIL IV
SAIL V
SAIL VI
Intrinsic risk of UAV operation
Recommended level of rigor
robustness of containment
low
medium
high
Source: JARUS guidelines on Specific Operations Risk Assessment (SORA), JARUS, Jun. 2017
SAIL: Safety Assurance and Integrity Level
7. Threat Barriers vs. Harm Barriers
Bow-Tie Diagram
UAS Operation out of control
Technical issue
Deterioration of external systems
Human error
Aircraft on collision course
Adverse operating conditions
Fatal injuries on the ground
Fatal injuries in the air
Damage to critical infrastructure
Threat barrier
Harm barrier
!
Source: JARUS guidelines on Specific Operations Risk Assessment (SORA), JARUS, Jun. 2017
8. SORA Process
Intrinsic Ground Risk Class
Intrinsic Air Risk Class
Specific Assurance and Integrity Level (SAIL) 1-6
Harm Barriers
Strategic Mitigations
Threat Barriers
CONOPS (Concept of Operations)
Robustness: optional / low / medium / high
?
Source: JARUS guidelines on Specific Operations Risk Assessment (SORA), JARUS, Jun. 2017
9. Harm Barriers
ERP: Emergency Response Plan
Ground Impact Containment
Emergency Procedures
• Draw on 10+ yrs experience in flight experiments
• Procedures documented
• Procedures trained (simulation & ground tests)
Spiral Emergency Landing
• Engine off
• Actuator positioning
• Impact velocity comparable to a human parachute landing
Geofencing
• Safety Buffer depends on altitude (reaction time, maximum glide path)
• Termination by trained crew member
Medium Robustness
Robustness to be shown: Goal of 1st flight tests
Minimum: Medium robustness
? ?
10. Threat Barriers
• UAS maintained by competent and/or proven entity (low)
• Inspection of the UAS (product inspection) to ensure consistency to the ConOps (low)
• Operational procedures are defined, validated and adhered to (low)
• Remote crew trained and current and able to control the abnormal situation (low)
• Safe recovery from technical issue (low)
• Multi crew coordination (low)
• Adequate resting times are defined and followed (low)
• Environmental conditions for safe operations are defined, measurable and adhered to (low)
• Procedures are in place to handle the deterioration of external systems supporting UAS operation (low)
• The UAS is designed to manage the deterioration of external systems supporting UAS operation (low)
11. First Flight Test: Manual Flight
• Intermediate step towards automated flight
• Validation of Procedures and Concepts
• Data acquisition of
• Sensors
• Flight mechanical model
• Real-World-Effects and stress level
• Flight performance, handling and visibility
• Infrastructure robustness
Goals
12. Flight Tests: Termination Concept
Decision Logic
GCS
RC link
Emerg. Switch
Receiver
Receiver
Receiver
450 MHz, 1 W
2.4 GHz, 100 mW
400 MHz, 200 W
Actuators
Ignition
13. Automated Flight: Safe Operation Monitoring
UAV
Guidance
Control
Safety-Monitoring
Termination
Contingency
Safety Critical Components
Conventional UAV
Notification to GCS / Pilot
Ground Control Station
Navigation
Safety Requirements
Direct Pilot Control Fallback
Optional element
Mandatory element
14. Geofencing Characteristics and Taxonomy
Literature based analysis
• Safe containment to defined area
• Geofencing as instance of monitoring
• Coherent terminology for geofencing definition and discussion
• Start point for more discussion on SORA robustness requirements
Geofence characteristics
Level of assurance
Level of ATM integration
Buffer type
Level of independence
Mitigation type
Decision strategy
Integrity
Assurance
15. LoC Mitigation Type(s)
• Termination as extreme but safe mitigation against loss of control
• Additional contingencies possible
• Loiter pattern as fixed contingency
• Contingencies for individual failure conditions and scenarios
Mitigation type
Mitigation action
Level of autonomy
Termination
Fixed contingency
Variable contingency
Manual
Semi-autonomous
Fully autonomous
16. LoC Buffer Type(s)
• No safety buffer
• Allows for mitigation
• But may ultimately be unsafe
• Generic safety buffer
• May be safe
• But may be inefficient
• Operation specific safety buffer
• Safe and efficient
Buffer type
Buffer complexity
Buffer accuracy
No safety buffer
Generic safety buffer
Operation specific safety buffer
Static
Dynamic
Predictive
17. Geofence Monitoring Requirements
High Robustness over Sparsely Populated Area of Operation
Characteristic | Requirement
Level of assurance | Use of industry standards and formal methods; design assurance level in accordance with risk
Buffer type - Buffer complexity | Generic safety buffer or operation specific safety buffer
Buffer type - Buffer accuracy | No safety effect; decreasing operational limitations
Level of independence | At least independent hardware system to prevent single failures from causing a breach of the geofence
Mitigation type - Mitigation action | Safe termination of the UAS to ensure containment of the geofence; contingencies optional
Mitigation type - Level of autonomy | (Semi-) Autonomous, assuring containment of the geofence even without further pilot interaction
Level of ATM integration | Trigger an automated notification to ATM
Decision strategy | No safety effect; decreasing operational limitations
18. Example Route: Automated Risk Minimization
• Resulting Airspace G + between Hanover-South and Wolfsburg
• Motorway A2 is crossed only once
• Control zones of both airports are avoided
• Other roads have to be crossed; overfly time is minimized by crossing perpendicularly
• All settlements are avoided (with safety distance > 400 m)
• Route distance is 78 km (vs. 60 km direct connection), i.e. +30%.
19. Conclusion and Future Work
• Automated supervision and in-flight monitoring
• Key enabler of increasing autonomy
• Supporting safe operation of unmanned aircraft
• Compatible to safety concept of EASA specific category
• Safe operation monitoring as harm and threat barrier
• Hands on SORA:
• Practical integration with EASA “Specific” building blocks
• Geofencing characteristics and assessment based on literature
• Coherent terminology for geofencing definition and discussion
• Starting point for discussion on SORA robustness requirements
• Future work
• Develop high integrity & availability monitoring component (soft- & hardware)
• Discuss robustness criteria for geofencing
• Discuss reduction of SAIL level with authorities
UAV
Guidance
Control
Safety-Monitoring
Termination
Contingency
Safety Critical Components
Conventional UAV
Notification to GCS / Pilot
Ground Control Station
Navigation
Safety Requirements
Direct Pilot Control Fallback
Ground Control Station
ATM
Notification to ATM
CONOPS
Editor's notes
The investigations are based on different configurations on the one hand and the use cases on the other.
Both are designed on a well-founded basis in ALAADy.
All developments and assessments are then carried out on the basis of both.
Finally, there is a proof by simulation. The nominal case is simulated, i.e. normal delivery traffic is simulated and assessed as to whether the requirements are met.
In addition, a disturbance simulation is carried out. That is, in case something goes wrong unexpectedly (external disturbances, component failure, and the like), it is checked whether the safety concept holds up.
Introduce details about the demonstrator
Explanation of the harm and threat barriers
Present the SORA process
Introduce the ConOps as input
There is still text behind the images. The images are only faded in after the text.
The Emergency Response Plan doesn't really fit in there. I also don't have a meaningful picture for it. Maybe you just mention it briefly?
Having an ERP is somehow a matter of course anyway…