4

Evolving the Decision-Making Paradigm

When unmanned aircraft system (UAS) integration into the National Airspace System was first being seriously discussed about 15 years ago, the focus was on UAS with similar size and flight characteristics to manned aircraft. The Federal Aviation Administration’s (FAA’s) first set of expectations for UAS airspace integration was (1) an insistence that there would be no new segregated airspace class for UAS operations, (2) the integration of UAS could not cause any changes to air traffic management and operations for manned aircraft, and (3) UAS operations must demonstrate an “equivalent level of safety” to manned aircraft. The FAA approach was to require UAS to be “remotely piloted,” meaning that the unmanned aircraft was expected to behave in the airspace system exactly like a manned aircraft, including communications between air traffic control (ATC) and the (remote) pilot, and the expectation that UAS would respond to ATC voice commands exactly as if the remote pilot was on board the aircraft. The emergence of small UAS over the past 15 years, accompanied by a multitude of unanticipated applications beyond those performed by manned aircraft, has been the primary driver behind the need to develop standards and regulations to address a class of aircraft with which FAA has no regulatory experience.

UAS OFFER MANY BENEFITS

In 2007 and 2008, the NASA Ikhana UAS completed remote-sensing missions that helped firefighters as part of the Wildfire Research and Applications Partnership, a joint effort between NASA and the U.S. Department of Agriculture Forest Service. These highly publicized missions represented the potential benefits of a carefully operated public safety mission, even with the restrictions of a public UAS operating under Certificates of Authorization (COAs).¹ A more common story of an opportunity lost, where the public safety benefits clearly outweighed the potential risk to the National Airspace System, was the denial by the FAA of Global Hawk flights over the post-Hurricane Katrina disaster area in 2005. In that case, the Global Hawk was described as “fully fueled and ready to fly”; however, the FAA’s perceived risk to the airspace prevented its flights.²

The ability to use UAS in emergency response has improved in recent years. For example, during the aftermath of Hurricane Harvey in 2017, the FAA issued COAs to oil and gas companies, the Union Pacific Railroad, local governments, the Red Cross, and insurance companies to assess damage to facilities and the extent of flooding in

___________________

¹ See https://www.nasa.gov/offices/ipp/centers/dfrc/news_events/SS-Ikhana.html.

² L.M. Totten, 2012, “Remotely Piloted Aircraft: An Integrated Domestic Disaster Relief Plan,” Air Command and Staff College, Air University, Maxwell AFB, Ala.

and around Houston, Texas. Even so, the many examples of opportunities for UAS missions to contribute to the public good that were prevented by the risk-averse regulatory environment far outnumber the stories of opportunities realized. The FAA recognizes this concern and has embarked on a deliberate path to modernize its approach to regulating UAS operations in the nation’s airspace. New entrants bring with them unique opportunities that have the potential to benefit many, pose a different risk profile from traditional transport manned aviation, and also pose a new set of risks to those with whom they propose to share the airspace as well as those on the ground.

Both the FAA and the aviation industry have recognized the need to progress from current-day proscriptive or performance-based safety assessments to risk-based assessment when determining whether to allow an operation in the airspace. The diverse nature of the UAS industry, along with the lack of empirical data in this relatively young field, hampers the ability to develop quantitative bases for performance requirements.

Numerous approaches have been proposed, each with distinct benefits as well as challenges and disadvantages. The FAA has established an approach to safety assessment that is risk-based. While it is a substantial step in the right direction, it suffers from relying too heavily on subjective evaluations that are inherently limited by the expertise of the specific reviewer and subject to different evaluations by different reviewers. It is not yet the robust, repeatable process that is needed to enable the nascent UAS industry to prosper while keeping the skies safe and secure for all.

Based on the competing yet insistent needs to enable efficient operations as quickly as possible while ensuring their safety and security, the committee believes that the FAA must address key issues as presented in this chapter. In the pages that follow, this report describes the FAA philosophy and policy and the resulting regulatory environment and processes honed over decades by the FAA to ensure safety while enabling aviation to flourish. The report then explains the inappropriateness of simply applying processes developed for manned transport aviation to the smaller UAS industry and encourages the FAA to move as quickly as possible beyond issuing quick rules with little quantitative analysis behind them, as this leads to the need for many waivers and an indefensible, unrepeatable, and confusing process. The report then recommends quickly transitioning to a process that is based on quantitative risk assessment. This report endorses a more holistic approach to assessing UAS integration into the airspace based directly on risk (using other factors such as size, weight, and location only as inputs to the assessment of risk, rather than as broad-brush constraints). This holistic approach should also account for mitigations to potential risks within the entire UAS system (including its interactions with a human operator and ground control stations) and operational factors constructed to mitigate potential risks. The committee recommends starting with a comparative risk analysis until enough operational data are collected to provide a basis for safety assessments. Last, this chapter addresses the FAA’s culture and the need to engage in top-to-bottom change management to usher in and inculcate the FAA’s workforce with the risk-based approach recommended by the committee, and to appropriately delegate assessments of comparatively standard and low-risk operations.

FAA SAFETY MANAGEMENT POLICY

FAA Order 8000.369 (FAA, 2016), Safety Management System (SMS), establishes safety management policy and requirements that FAA organizations must follow. This order mandates that safety risk management (SRM) must include the following steps:

• Conduct systems analysis to establish an understanding of systems design performance;
• Identify and document hazards that have the potential to affect safety risk;
• Analyze safety risk to determine the severity and likelihood of potential effects;
• Assess safety risk to establish safety performance targets or rank hazards on risk; and
• Control safety risk by implementing controls for hazards with unacceptable risk.

FAA Order 8040.4B (FAA, 2017), Safety Risk Management Policy, supports Order 8000.369 by establishing requirements on conducting SRM, which is a part of the larger SMS.

This process is abbreviated as DIAAT: describe, identify, analyze, assess, and treat. The DIAAT approach, which is described in more detail in Chapter 5, is implemented using a panel of experts and affected stakeholders.

Using this approach of data-informed, expertise-driven management to integrate safety into operations and decision making, the FAA has achieved an impressive level of aviation safety for the National Airspace System.

DIAAT is a systematic approach to safety risk management, but it is fundamentally qualitative and subjective. The FAA Extension, Safety, and Security Act of 2016, Section 2213, calls for a study of probabilistic assessments of risks to streamline the integration of unmanned aircraft systems into the National Airspace System. The current DIAAT approach is not (quantitative) probabilistic risk analysis (PRA) in the sense of the FAA Act.

Subject matter expert opinions are relied upon to characterize the probabilities and consequences of potential risks. An insufficient empirical history of adverse incidents precludes the use of purely actuarial data in establishing risks, while the use of quantitative engineering-risk modeling along the lines of the bowtie method or stochastic simulation has been hindered by the breadth of the issue. FAA personnel are aware of this issue, pointing out to the committee the need for objective data, analytical approaches based on geometry and density, and the prospect for increased use of modeling.

The nature of risk matrices is also problematic. Risk matrices or heat charts are used to categorize and to communicate probabilities and consequences associated with risks. While these diagrams are widely used in federal practice, their principal benefit is communication and not risk assessment. A fundamental issue is that the classification schemes for probability and consequence are commonly based on ordinal scales, such as low-medium-high. Common mathematical operations like differences and ratios are inadmissible on these scales. Further, such scales are normally subjective interpretations. Different subject matter experts may come to different ratings for the same quantitative risk. The results often fail to be repeatable, predictable, and transparent. Risk matrices should be used only with caution and only with careful explanations of embedded judgments (Cox, 2008).

The Joint Authorities for Rulemaking of Unmanned Systems (JARUS)³ Specific Operations Risk Assessment (SORA) approach is in large measure similar to the present DIAAT approach and thus fails to offer an alternative. This methodology divides UAS classes into weights and kinetic energy bins, and similarly harm barrier classes related to robustness. Ground risk is categorized by safety assurance and integration levels. While the JARUS approach is more detailed than that used by the FAA, the categorizations of probabilities and consequences are still inherently subjective.

Finding: The current FAA Order 8040 approach to risk management is based on fundamentally qualitative and subjective risk analysis. The Specific Operations Risk Assessment approach of the Joint Authorities for Rulemaking of Unmanned Systems is conceptually the same. These subjective approaches require a depth and breadth of subject matter expertise for the approval process that FAA does not possess. The qualitative nature of the current approach might lead to results that fail to be repeatable, predictable, and transparent. Evolution to an approach more reliant on applicant expertise and investment in risk analysis, modeling, and engineering assessment, as is practiced in many other areas of federal regulation, might better achieve a quantitative probabilistic risk analysis basis for decisions.

THE CURRENT UAS ENVIRONMENT: REGULATORY CONSTRAINTS AND MISSED OPPORTUNITIES

As explained in Chapter 2, there are five ways in which drones may be operated in the National Airspace System. Drones flown purely for recreational purposes (“model aircraft”) may be operated under Part 101.41 and require no further operational approval. Part 107 and its two associated waiver processes provide three ways for small drones under 55 pounds to obtain operational approval under specific, limited conditions. All other drone operations must use the manned aircraft COA process.

___________________

³ JARUS provides a forum for experts from dozens of national aviation authorities (such as the FAA) and regional safety organizations to facilitate development of technical, safety, and operational requirements for the certification and safe integration of UAS into regulated airspace. JARUS has published a document, JARUS Guidelines on Specific Operations Risk Assessment (SORA), that recommends a risk assessment methodology to ensure that a specific operation can be conducted safely. See JARUS, 2017, http://jarus-rpas.org/sites/jarus-rpas.org/files/jar_doc_06_jarus_sora_v1.0.pdf.

Part 101.41, by its nature and intent, permits only a very limited, noncommercial, set of operations. Part 107 is the first Federal Aviation Regulation to address directly the certification of small UAS and UAS pilots and their operations.⁴ The Part 107 rule enables daytime operations by visual line of sight of small (less than 55 pounds) UAS in Class G airspace for altitudes less than 400 feet above the ground or obstacles, with additional restrictions that include the prohibition of flying over people. The FAA estimated that the benefit of this regulation would be between $733 million and $9.0 billion in 5 years by allowing some operations such as real estate surveying, news media, some first responder activity, localized precision agriculture, and research and development of further small UAS technologies and applications. However, all other small UAS operations require a waiver. Few data exist to support requests for such waivers, making the outcome of such requests highly uncertain.

As noted in Chapter 3, larger drones (greater than 55 pounds) provide significant market opportunities, but obtaining operational approval is particularly difficult because of the elevated risk posed by the size and performance of the vehicles and because relevant missions will require these aircraft to share airspace with passenger aircraft.

Applicants must use the same COA application that is required for public aircraft operations. This application is onerous, requiring, among other things, detailed descriptions of items of varying relevance to UAS operations, including proponent information, program objectives, operational summary, aircraft description, performance characteristics, airworthiness statement, procedures for lost link, lost communications, emergencies, avionics, lights, spectrum analysis, ATC communications, electronic surveillance/detection capability, visual surveillance capability, aircraft performance recording capability, flight plans, flight crew qualifications, and special circumstances.

Further, the largest challenge in obtaining a COA is the requirement for an airworthiness certification. Public entities such as NASA or public universities may issue their own airworthiness certificates, but commercial entities must first apply for and obtain an FAA airworthiness certificate. There are very few commercial unmanned aircraft with airworthiness certificates. Experimental, Restricted Category, or Special Airworthiness certification is normally required, with the last two being the only options for beyond visual line of sight. All are difficult to obtain and have restrictions and limitations associated with them, and none guarantee access to airspace. Special Class certification under CFR 14 Part 21.17(b) has yet to be granted to any UAS after more than 2 years of effort by the applicants. In practice, the COA process is mainly used by public entities that can grant their own airworthiness certificates.

Overall, the COA process is still opaque and the outcome uncertain. COAs are granted only after nontransparent internal FAA discussion and risk assessment. Because there are few specific standards or rules available on which to base the approval decisions, the outcome can never be assured and certainly is not repeatable. If COAs are granted, they are valid only for specific operations over a finite period, subject to continued FAA subjective scrutiny, and require data sharing with the agency. The only exception is for emergency approval issuance in the case of significant threat to life or property (natural disasters or other emergency applications). The result of this opaque and uncertain COA process is that routine “file and fly” operations of commercial UAS are still essentially prohibited or rendered financially impossible.

The committee concurs with the views of many in industry that applying regulations intended for manned aviation to unmanned aviation is inappropriate and will not meet the needs of the burgeoning industry. The FAA appears to agree, at least when it comes to small UAS. The FAA’s Final Rule for Operation and Certification of Small Unmanned Aircraft Systems, published in 2016,⁵ acknowledges that applying regulations developed for manned aircraft to unmanned aircraft systems is inappropriate:

___________________

⁴ The FAA has issued Technical Standard Orders for detect and avoid (DAA) and C2, referencing RTCA DO-362, DO-365, and DO-366 for large UAS.

⁵ Department of Transportation, FAA, 2016, Operation and Certification of Small Unmanned Aircraft Systems; Final Rule, Federal Register, Vol. 81, No. 124, Tuesday, June 28, 2016 (p. 42069).

Finding: The FAA’s current and evolving process for conducting risk assessments for UAS operations in the National Airspace System includes numerous cross-agency panels and a complex decision-making process. Thus, this process takes an excessive amount of time to complete, particularly given the number of requests that the FAA is asked to consider. Attempts are being made to streamline the process outlined in the regulations, but the process is not repeatable and does not provide applicants with clearly articulated criteria. Lack of transparency and data render the process and its outcomes difficult to defend.

The FAA briefed the committee on its current plans as well as its risk assessment processes. The committee was struck by the absence of specific dates in the FAA’s plans. For example, the FAA is working on an Advisory Circular to provide guidance on preparing for the risk assessment, yet could not offer a date for its publication. All charts presented with timelines were notional and either contained no dates or commitments or had notional dates. The FAA seems more focused on processes and activities than on outcomes.

The FAA did provide briefing charts to the committee describing a waiver processing tool for drones, called Waiver Wizard. It is described as applying to low-risk operations, although “low risk” is not defined. It aims to automate and thus streamline the process of granting waivers for low-risk operations. The committee identified several concerns about using SORA as the basis for this process. Automation to support the process is not yet developed, and it proposes to base the risk assessment on the JARUS SORA method. It does allow for incorporation of FAA and industry standards as a means of compliance. The outcomes of this process will be only as good as the data used to assess risk, and to the extent that such assessments are qualitative and subjective, the outcomes will be questionable at best.

ONE SIZE DOES NOT FIT ALL: MISSING DIMENSIONS IN CONSIDERATIONS OF UAS RISKS AND BENEFITS

The FAA’s comprehensive set of analysis methods and processes for safety risk management and system safety assessment has long served to ensure safety within the manned aircraft sector. However, unmanned systems present many new and unique challenges and opportunities, and thus it is important to recognize that a broader view on risk analysis is needed, in at least four ways:

1. Consider broader societal benefits in addition to risk when conducting safety assessment.
2. Do not simply treat UAS risk in the same manner as the single probability assessed when evaluating risk of manned aircraft operations: consider risk as a multivariate measure.
3. Performance requirements for UAS should be commensurate with risk and backed by performance-based standards.
4. Consider new institutional mechanisms for conducting, or delegating, risk analysis.

UAS BROADER COST BENEFIT

UAS have the potential to take on new roles in society that bring tremendous societal benefit. Yet these roles will not be realized unless the system safety assessment process admits a broader view of risk and, in particular, considers the notion of safety-benefit-risk trade-offs.

The current risk assessment process employed by the FAA when determining whether to allow an operation addresses only the risk added to the National Airspace System by that proposed operation, without considering the safety benefit provided beyond the National Airspace System. In some cases, this one-sided approach has led to disallowing operations that would actually enhance safety and save lives. For example, reductions in the number

of film and TV workers killed by helicopter accidents can reasonably be predicted to outweigh the risks to the aviation system in using UAS as airborne camera platforms.⁶

Finding: Drones have and will continue to be used to carry out missions of measurable economic and safety benefit to society. Examples include such activities as inspection of critical infrastructure that pose tangible danger to human inspectors, humanitarian delivery of medicines and other lifesaving cargo to rural areas or areas hard to reach by other transportation means, emergency response, search and rescue, and agricultural sensing, leading to reduction in use of pesticides, water, and other chemicals. These benefits to society may outweigh the (typically small) risks added to the National Airspace System by their operations.

UAS VERSUS MANNED AIRCRAFT

There are no general metrics or commonly agreed upon definitions of what outcome should be used to define risk. Some studies/analyses define risk as the probability of a fatal injury, while others define risk through the probability of failure, and again others as a probability of an accident, and so on. The definition of risk cannot simply be transferred from the manned aircraft case to UAS. There is substantial variability in the hazards and potential consequences across different kinds of UAS operations as well as potential mitigations. It is advisable to consider risk as a multivariate measure in order to allow comparison across various aircraft types without having to hold all UAS to the same standard (or to the same standard as larger aircraft).

In some cases, the FAA actually imposes even higher standards on UAS than on manned aircraft. In particular, the FAA has chosen to only lightly scrutinize manned aircraft in many circumstances, such as experimental aircraft, but they have chosen to regulate 4-pound flying objects to a much more stringent requirement. Their actions with respect to small drones would indicate that they have decided that 4-pound flying robots are more dangerous and require more stringent standards than a light sport airplane.

Finding: Traditionally in manned aviation, assessments of risk focused on probability of crew and passenger fatalities. This measure clearly does not correspond well to UAS operations. Further, given the substantial variety of types of UAS and UAS operations, in order to properly characterize the benefit and risk of all UAS operations, we will need multivariate measures that include as co-variates the mission type, characteristics of the vehicle (e.g., weight) and other environment variables.

UAS VERSUS OTHER UAS

The FAA is responsible for ensuring the safe integration of all sizes of UAS in all airspace classes conducting many diverse missions. No matter the size, the performance required should be commensurate with the risk posed. As shown in Figure 4.1, UAS operations span a broad range, from low-risk, low-consequence to high-consequence operations, thereby requiring different approaches depending upon the size and mission of the UAS.

Over the past 12-24 months, the FAA has shifted its focus on UAS integration from full integration of larger, predominately military UAS into the National Airspace System to the integration of small commercial and consumer drones operating at lower altitude and lower risk. With this shift to smaller aircraft, the FAA has paid less attention to the needs of the larger UAS that do or will operate in Class A, B, and C airspace (i.e., in controlled airspace, including in the vicinity of airports). RTCA Special Committee-228 (Standards for UAS) continues to develop minimum performance-based standards for end-to-end systems and equipment for detect and avoid and command and control for UAS operating in all airspace, with a solid foundation in quantitative safety and hazard assessments. RTCA is integrating these assessments into the FAA’s risk matrix to ensure that standards are commensurate with not only the intended operational environment but also the level of risk. It is the understanding

___________________

⁶ From 1980 through 2014, helicopter accidents in the United States killed 14 film and TV workers. Deadline Hollywood, April 8, 2014, “Safety on Set: Helicopter Crashes Have Taken Most Lives on TV and Film Sets,” http://deadline.com/2014/04/helicopter-crash-deathshollywood-safety-history-709487/.

of the committee that this work will continue and that SC-228 will complete the standards for UAS DAA and C2 for Classes A, B, C, and G airspace and all sizes and missions.

UAS RISK ANALYSTS VERSUS MANNED ANALYSTS

The unique nature of UAS operations opens the door to reconsider who is best suited to conduct the risk analysis for different classes of UAS, as well as what regulatory institutional mechanism is best suited to ensure and incentivize safety. This is in stark contrast to the air transport category, where the FAA is the final authority on performance requirements and safety and risk assessment. But even in this higher-risk transport category, where RTCA conducts and incorporates detailed safety assessments into the performance standards that the FAA subsequently references in its Technical Standard Orders and Advisory Circulars, in many cases the FAA conducts its own safety assessments even after RTCA has completed them.

THE HUMAN-MACHINE TEAM

The current risk assessment procedures typically focus on the technology and on the operation, without properly capturing the human-machine teaming aspects of UAS operations in which the entire system includes a human operator not located near the vehicle. Thus, there seems to be attention on “system failures” associated with small UAS, but each of these UAS comprises a team of humans and machine technologies. U.S. airlines have used teaming and humans and machines to achieve and maintain their current high levels of safety: technology failures can be detected and resolved by human pilots, and the technology is structured to prevent many forms of slips and mistakes by humans and to detect and help resolve those human slips and mistakes that do occur.

The UAS community has not consistently demonstrated proper use of this teaming concept, and current risk assessment methods do not adequately identify problems in teaming beyond labeling breakdowns as either machine failures or human error. Many UAS accidents are caused by technology failures that the human operator could not detect or resolve. Likewise, the technology does not gracefully accommodate foreseeable human slips and mistakes, allowing them to evolve into single-source system failures without mitigation. (For example, anecdotes by speakers to the committee described numerous accidents with small UAS resulting from confusion by the operator about the state of the machine and from lack of error-reduction design methods such as guards on key switches.)

Finding: Concerns related to the teaming of humans and machines can be reflected in the risk analysis methods applied to UAS. They reflect the unfortunate reality that there are no broad-brush statements that can be reliably made about the role of the human and machine technologies within UAS. Instead, those design variables that determine system sensitivity to likely machine failures, and to foreseeable inadvertent slips and mistakes by humans, can be accounted for within each system. Further, this risk analysis, by examining how the human-machine team

interacts, can better capture how the UAS will detect and resolve hazards that arise within the team. This risk analysis would also determine the extent to which humans and machine technologies are able to coordinate to resolve hazards arising in the broader operational environment outside the UAS.

Recommendation: The FAA should expand its perspective on a quantitative risk assessment to look more holistically at the total safety risk. Safety benefits, including those outside of aviation (e.g., the benefit of cell tower inspections without a human climbing a cell tower), should be part of the equation. UAS operations should be allowed if they decrease safety risks in society—even if they introduce new aviation safety risks—as long as they result in a net reduction in total safety risk.

Figure 4.2 illustrates one way that a holistic consideration of safety benefits could be introduced to the risk assessment process, together with a more streamlined approval process.

A NEW TOOLBOX FOR UAS RISK ASSESSMENT

Given the nascent nature of the UAS industry, it is not surprising that there is a lack of data on the safety of operations. Still, to continue the enviable safety record of the National Airspace System, some method(s) must be established to determine whether to allow a new operation that could change the National Airspace System.

Such determinations cannot be based solely on opinion or subject matter expertise. When data are lacking or non-conclusive, other approaches such as simulation, test site experimentation, and pathfinders can help fill in the gaps. RTCA’s SC-228 UAS committee has relied heavily on NASA’s simulation and testing to develop and validate the safety assessments that serve as the foundation of their standards for detect and avoid and command and control.

For the fast-paced small UAS industry, comparative risk analysis (CRA) offers a way forward. CRA is a tool for comparing and ranking risks and for identifying strategies for managing risk. It has been applied widely in U.S. government practice (Environmental Protection Agency, Occupational Safety and Health Administration, U.S. Nuclear Regulatory Commission, U.S. Army Corps of Engineers, Consumer Product Safety Commission, and other agencies), especially with regard to environmental and technogenic risk. The World Bank notes that CRA can assist in setting priorities, promoting coordination, and promoting consensus (Ijjasz and Tlaiye, 1999). CRA is especially useful when, as is the case with UAS, simple common metrics are not appropriate. For example, the National Research Council, in its Review of the Department of Homeland Security’s Approach to Risk Analysis (NRC, 2010), recommended a comparative risk analysis approach, arguing that for the Department of Homeland Security, “a fully integrated analysis that aggregates widely disparate risks by use of a common metric [was not at the time] a practical goal.” Risk ranking can be made within a portfolio of regulated risks (Florig et al., 2001), or in comparison to generic risks that society routinely faces (Fischhoff and Morgan, 2008). In the case of UAS, which in contrast to manned aviation pose primarily third-party risk, potential appropriate comparative risks include the risk of automobile-to-pedestrian accidents, death or injury from other common activities such as falling tree branches, or the impact of birds with flying aircraft. The FAA could undertake research studies to better understand these common daily risks, and other de minimis risks, as a point of comparison (Melnick and Everitt, 2008), without necessitating a precisely specified target level of risk.

Another, complementary approach to CRA is to use applicant-driven risk assessments. Here, the applicant or licensee takes on the financial burden and provides a probabilistic risk analysis (PRA), which is then evaluated and approved or rejected by the regulatory authority (e.g., the U.S. Nuclear Regulatory Commission, the Federal Energy Regulatory Commission, and the U.S. Food and Drug Administration).

The FAA can have the applicant perform a detailed engineering and operational risk assessment using modern quantitative tools and possibly simulation models by which to demonstrate the safety of its proposed use cases. The applicant or vendor may have risk analysis expertise superior to that available to the FAA in the normal course of its operations. There are many different methods—using countless different algorithms—for conducting PRA. Each of these methods and algorithms has advantages and disadvantages for a particular analytical problem. The applicant’s PRA can be evaluated by FAA experts for its conformance with modern engineering and safety standards. Comparative risks, as discussed earlier in this section, can be used to determine whether a proposed operation poses acceptable risk. This would be in keeping with the FAA’s approach of enabling industry either to show compliance with existing standards or to provide an alternative means of compliance.

For the applicant-driven PRA to lead to predictable outcomes that encourage innovation and do not compromise safety, applications need to be grounded in a common framework. For the myriad manufacturers and operators to coexist and bring innovation to the skies, it would behoove them to establish a common language and a common risk-based framework for developing minimum performance requirements. Such a framework and associated risk-based minimum performance standards could serve as a means of compliance and make it easier for the applicant to know what the FAA requires.

The goal of an applicant-driven PRA approach, based on industry standards, cannot be achieved immediately. Thus, an interim solution is desirable. This solution could build on the current DIAAT (describe, identify, analyze, assess, and treat) concept while making the individual steps in the process more quantitative, subject less to the qualitative opinions of subject matter experts. The following recommendations suggest one such evolutionary path:

Recommendation: Within the next 12 months, the FAA should establish and publish specific guidelines for implementing a predictable, repeatable, quantitative, risk-based process for certifying UAS systems and aircraft and granting operations approval. These guidelines should interpret the Safety Risk Management Policy process described in Order 8040.4B (and in accordance with International Civil Aviation Organization Doc. 9859) in the unique context of UAS. This should include the following: (1) Provide within 18-24 months

risk-based quantitative performance standards that can serve to establish compliance with FAA rules and regulations. (2) In the interim, encourage applicants to provide quantitative probabilistic risk analyses (PRAs) to demonstrate that their operation achieves the requisite level of safety. (3) Within 18-36 months, update FAA rules to reference new performance standards with the goal of minimizing the need to grant waivers or Certificates of Authorization (COAs).

Recommendation: Where operational data are insufficient to credibly estimate likelihood and severity components of risk, the FAA should use a comparative risk analysis approach to compare proposed UAS operations to comparable existing or de minimis levels of risk. The FAA should research and publish applicable quantitative levels of acceptable risk in comparison to other societal activities that pose de minimis risk to people. Risk level and risk mitigation strategies should consider not only aircraft collisions but also third-party risks (e.g., to people on the ground).

It appears to the committee that developments by current FAA contractors and research centers (e.g., Virginia Tech, MIT Lincoln Labs, the Volpe Center) may provide directions for making such adjustments.

Recommendation: Over the next 5 years, the FAA should evolve away from subjectivities present in portions of the Order 8040.4B process for UAS to a probabilistic risk analysis (PRA) process based on acceptable safety risk. In the interim, the FAA should improve the 8040.4B process to conform better with quantitative PRA practice. For the new acceptable risk process, the FAA should consider relying on the applicant to provide a PRA demonstrating the achieved level of safety, as is common in other regulatory sectors such as nuclear, dam, or drug safety.

• The FAA should screen applicant PRAs by comparison to existing or de minimis levels of risk. The FAA needs to research applicable quantitative levels of acceptable risk in comparison to other societal activities in establishing a level of de minimis risk for aviation.
• These acceptable levels of risk need to include risk to people on the ground and risk of collision with a manned aircraft, particularly with regard to collision with a large commercial transport.
• In evaluating applicant-generated PRA, the FAA should value the importance of risk mitigation opportunities and their potential for simplifying the analysis of risk.
• In situations where the risk is low enough, the FAA should encourage applicants to obtain insurance for UAS operations in lieu of having a separate risk analysis.

QUANTIFYING HUMAN FACTORS AND SOFTWARE CONTRIBUTIONS TO RISK FOR UAS

In recommending the PRA approach, the committee was cognizant that some contributors to risk are difficult to quantify, yet contribute substantially to the overall operational risk. Human factors, for example, were prominent in the Nogales Predator B crash.⁷ Because pilot awareness and response is affected by several factors (e.g., visual displays, aural warnings, rest, training), it is difficult to quantify with confidence the contribution of pilot awareness to probabilistic risk analysis. Nevertheless, the implementation of a training program and pilot experience gives some level of confidence in estimating the contribution of the human pilot (and air traffic controllers, maintenance staff, etc.) to the overall probabilistic risk.

Another such contributor is software. Because many of the onboard pilot functions on UAS are instead implemented by software, UAS are by nature software-intensive systems. Therefore, the contribution of the software to the overall PRA needs to be well understood. While there have been some attempts to quantify the reliability of software and its contribution to the PRA,⁸ an overarching standard methodology has not been established. Addition-

___________________

⁷ See https://www.ntsb.gov/safety/safety-recs/recletters/A07_70_86.pdf.

⁸ See https://www.ncbi.nlm.nih.gov/pubmed/16268949 and https://www.researchgate.net/publication/254407479_Software_Failure_Probability_Quantification_for_System_Risk_Assessment.

ally, many of the models used in research to date are based on safety-critical software that has been cordoned off from networks and in a stable, locked-down configuration. Many UAS manufacturers have a vision for managing software in a similar manner to that of consumer electronics software, where updates are frequently available and “pushed” to the end user platform. While these updates may improve safety by fixing known bugs and vulnerabilities, they also make UAS more vulnerable to cybersecurity risks, as there are increased attack surfaces and additional vulnerabilities that pose new safety risks.

For traditional manned aviation, software behavior is ensured through the use of prescriptive standards with regard to requirements decomposition, development process, testing, configuration management, and other practices (e.g., see RTCA DO-178C). The degree of rigor of these processes for a specific module of code is based on a system-level functional risk assessment, directly tied to the consequence of failure of function on the aircraft that the software is implementing. In implementing the recommended PRA approach, a similar—but scalable—construct could be useful for UAS software. One such approach has been proposed by ASTM Standard F3201 “Standard Practice for Ensuring Dependability of Software Used in Unmanned Aircraft Systems,”⁹ which bases the required software assurance activities on an operational risk assessment—and which takes into account the concept of operation of the UAS—rather than the traditional functional risk assessment. In assessing the risk of software to the overall operational risk, areas to consider include the development methodology, evaluation of cyber vulnerabilities to include deliberate attacks, missing/spoofed data, incompatible software, frequency of software updates, and so on.

In summary, it is important that the recommended PRA approach address the contribution of human factors and software to overall operational risk. As the FAA moves toward implementation of the recommended PRA approach, it may consider the following:

• Establishing and publishing a standard, repeatable methodology for calculating the quantitative risk contribution of software and human factors so that they can be included in the PRA;
• Establishing and publishing processes and procedures for managing the risks due to software and human factors so that they do not have to be included in the PRA; or
• Some combination of these two approaches that would yield a rough estimate into the PRA calculation without necessitating a detailed assessment and calculation of the exact risk contribution.

EMPOWERING THE WORKFORCE

The FAA has inculcated its workforce with processes steeped in its safety-critical, risk-averse culture. These processes have evolved over decades along with the growth of manned aviation into the safest air transportation system in the world. In many ways, the FAA is defined more by its processes than its outcomes. Now, new unmanned aircraft of all shapes, sizes, and missions are rapidly emerging, demanding to share the airspace. In response, the FAA must also rapidly evolve its processes to accommodate manned aircraft to new approaches that will enable timely introduction of drones without compromising safety, security, or efficiency of the nation’s airspace system.

The move to risk-based decision making will require a top-to-bottom change management initiative, championed and driven by the top-level executive in the FAA and that individual’s management team. This will not be easy, nor will it happen overnight. A clear delineation of authority, accountability, and responsibility is essential to successful decision making in any organization, but especially so for the regulator and provider of the nation’s air traffic management system. Appropriate empowerment to make decisions at all levels of the FAA is also a critical element of success. Such empowerment can happen only when all decision makers are fully versed in the new risk paradigm.

Recommendation: The FAA should create the following two mechanisms that empower and reward safety risk management decisions that consider the broad charter of the Department of Transportation to “serve

___________________

⁹ See https://www.astm.org/Standards/F3201.htm.

the United States by ensuring a fast, safe, efficient, accessible and convenient transportation system that meets our vital national interests and enhances the quality of life of the American people, today and into the future” (DOT, 2018):

• The FAA administrator should establish an incentive system that measures, promotes, and rewards individuals who support balanced comparative risk assessments.
• Within the next 6 months, the FAA administrator should publicly commit to ensuring time-bound reviews of risk assessments so that proponents receive timely feedback.

Recommendation: Within 6 months, the FAA should undertake a top-to-bottom change management process aimed at moving smartly to a risk-based decision-making organization with clearly defined lines of authority, responsibility, and accountability. To that end, the FAA should establish and maintain technical training programs to ensure that agency risk decision professionals can fully comprehend the assumptions and limitations of the probabilistic risk analysis techniques appropriate to current and future UAS operations.

As highlighted above, the FAA administrator recognized several years ago the need for government to move faster in addressing the burgeoning UAS industry. But how should that recognition be put into action? The first step is to listen to industry and to collaborate with industry. The FAA is doing that through many venues, including the National Academies and this committee. It has established the Drone Advisory Committee and numerous aviation rulemaking committees through which it works closely with its stakeholders.

The FAA works with organizations such as RTCA to develop minimum performance standards that serve as a means of compliance with FAA regulations. By insisting on performance standards rather than proscriptive design standards, the FAA encourages industry to develop innovative designs and solutions, all of which comply with the standards. This approach has never been as important and pertinent as it is now when applied to new entrants into the airspace such as small drones.

The FAA should carry these innovative and collaborative approaches further into its internal culture. FAA personnel charged with any part of the regulatory process should be encouraged to take reasonable risk rather than avoiding action as a way to avoid accountability and negative impacts on their careers. The FAA should take measures to create a proactive safety culture that looks for how to get to “yes” without compromising safety, rather than one that dwells solely on what might go wrong. A system that rewards finding ways to enable new operations and penalizes inaction is the best way to jump-start the needed culture change. Responsibility, authority, and accountability should be clearly articulated for each member of the safety organization.

INSURANCE FOR LOW-RISK OPERATIONS

At this time, some types of UAS operations have sufficiently low risk that they may neither warrant individualized assessment nor require detailed regulatory oversight on those aspects of the operation that use well-established technologies and operating concepts. In such cases, rather than require detailed evaluation by the regulator, the regulator can instead choose to require insurance at a sufficient level of coverage for liability and indemnity. Precedents exist in many other countries (including Canada, China, Germany, Poland, Sweden, South Africa, and the United Kingdom) for requiring UAS operators to acquire liability insurance (Law Library of Congress, 2016). The specifics vary from country to country. Canadian Aviation Regulations, for example, establish requirements for insurance that vary based on the type of operation and vehicle size, where the parameters behind the insurance are also regulated (Transport Canada, 2018; Canadian Aviation Regulations, 2018).

Insurance agencies with detailed expertise and experience in a particular field are inherently situated to examine the holistic risk and other relevant factors. For example, an insurance agent for a commercial entity responsible for inspecting large infrastructure (e.g., communications towers) can compare the risks (and commensurate cost of insurance) of manned inspections incurring risks to the human inspectors versus the aviation system risks of using UAS without placing human inspectors at risk.

As demonstrated in many other domains, the market forces of the underwriting community can ensure sound oversight and routine data collection, and can provide detailed instructions by insurers to UAS operators as to what risk (as reflected in the cost of insurance) is predicted to correspond to different technologies and types of operations. For example, it is common practice in manned aviation for underwriters to adjust insurance rates based on a number of factors ranging from the technology, to the type of operation, and to other operational factors including maintenance and inspection protocols, operator training, and the implementation of safety management systems and processes in the operation. In addition, in the automotive industry insurance rates are influenced by many factors, including risk associated with the vehicle type, vehicle location, the nature of vehicle operations (commercial or private), operating hours (as indicated by expected miles driven per annum), safety features incorporated into the vehicle, and the safety record of the driver. This variability in rates is an inducement for drivers to reduce risk. In the extreme, insurance rates can become so high for some drivers that they are unable to afford insurance—or insurance companies will refuse to issue insurance to them—which generally makes it illegal for a driver to operate a vehicle.

Initially, given the lack of historical data, insurance rates would likely be set somewhat subjectively. For example, conservative insurance companies would likely set rates based on a conservative estimate of accident rates and liability costs. Over time, as data accumulate, insurance companies will be able to adjust insurance costs based on demonstrated accident rates and liability. Rates could also change as new types of technologies, vehicles, and operations are introduced. The underwriting community is inherently more capable of agile responses to such changes than regulatory bodies such as the FAA. Further, the underwriting community is well situated to establish insurance rates for different types of operations (with and without a UAS) that account for broader societal risks. For example, insurance rates could serve as a comparison between using UAS versus manned helicopters for filming, as noted earlier.

Recommendation: The FAA should identify classes of operations where the level of additional risk is expected to be so low that it is appropriate to base approval of those operations on requiring insurance in lieu of having a separate risk analysis.

DRIVING DECISIONS WITH DATA

There is no doubt that UAS integration into the National Airspace System could greatly benefit from rigorous PRA. Currently, very little consideration, if any, is being given to uncertainties in the reported risk and estimated loss. While point estimates are useful, without a quantification of the corresponding uncertainties, they can be very misleading. It is important to understand both the uncertainties involved in the risk estimation procedure and the variability of such estimates. The latter in principle can be reduced by taking more data, whereas the former requires better models and deeper understanding. In any case, understanding the degree of certainty of the risk estimates and how they vary across populations is essential for decision making and risk management.

The problem is that a fundamental component of probabilistic risk analysis is the existence and ready availability of the relevant data. Because UAS operations are very diverse, still relatively new, and limited, data are expensive to collect, scarce or nonexistent, and in some instances still not very reliable (e.g., number of UAS sightings near manned aircraft).

Nevertheless, the number of UAS users is rapidly growing and expected to reach over 3 million UAS hobbyists and about half a million commercial drones by 2020, making it imperative on one hand to speed up and streamline the current operations approval procedures, while maintaining reasonable safety standards, and on the other, to improve and speed up as well the data collection processes and the related risk analysis assessments.

On top of this, UAS is a fast-evolving technology with a growing set of applications and operational use. Today’s security envelope will change, as will the commercial and societal benefits of UAS use. In this dynamic environment of evolving use patterns and application areas, continuous data acquisition and evaluation and adaptation of decision rules are required to balance risk and benefits.

Robust and consistent data collection with concurrent updated risk assessment processes will in time move us from a pattern that currently calls for more mitigation with less data. Over time as data volume and quality

increase, mitigation decreases. In areas where there are insufficient data, preliminary and temporary approvals can be made with the requirement to provide specific data. As more data become available, the estimates can be refined. Agency decision risk is reduced by refining the time period of operations. This of course is not a solution that supports routine operations.

While any new technology that puts participants, third parties, or property at risk requires engineering safety analysis, the extent of that analysis should be in parity with potential outcomes. In one limiting case, analysis might end with a convincing argument that the worst-case scenario poses de minimis risk. At the other extreme, the safety analysis might mirror that required for a passenger transport aircraft. On the spectrum between these limiting cases, data are needed to support the safety case. For risks that have a very low probability of occurrence, it may be difficult to collect enough data to make risk assessments in a timely fashion. In those cases, it could be useful to draw upon research being conducted for other applications that is exploring how to use limited data in combination with simulations to draw conclusions about safety.

The need for data should not automatically preclude an operational approval, however, if the uncertain risk can be mitigated. Moreover, if the mitigations are not overly restrictive, the operational approval may accelerate the collection of relevant data to support a stronger safety case and a corresponding reduction in mitigations and limitations. Operations beyond visual line of sight for which an aircraft maintains proximity to a structure, such as a powerline or pipeline, for example, provide the opportunity to document hazards and hazard statistics while providing a valuable commercial service. In some cases, safety data may then support other, less-restricted operations. For example, the analysis of data on detect-and-avoid system performance during linear infrastructure inspection operations may support package delivery operations.

The UAS Traffic Management (UTM) program is a potential source of critical data on small UAS operations. This program is led by NASA in collaboration with the FAA and other partners. The goal of the UTM program is to identify services, roles, responsibilities, information architecture, data exchange protocols, software functions, infrastructure, and performance requirements for enabling large-scale operations of UAS in low-altitude uncontrolled airspace. UTM is intended to support operations of UAS operating within visual line of sight as well as UAS operating beyond visual line of sight. Development of the UTM system will use a risk-based approach to achieve four key milestones (Kopardekar, 2017):

1. Demonstrate how to enable multiple operations under constraints (e.g., operations over unpopulated land or water).
2. Demonstrate how to enable expanded multiple operations (e.g., operations beyond visual line of sight and sparsely populated areas).
3. Focus on how to enable multiple heterogeneous operations (e.g., operations over moderately populated land and operations involving some interaction with manned aircraft).
4. Enable multiple heterogeneous high-density urban operations.

The data, analytical models, and assessments that are needed to achieve these milestones, as well as the data that will be acquired as UAS operate within the UTM system, could greatly facilitate efforts to assess the risks of UAS operating in the National Airspace System.

The FAA-established UAS test sites can be another useful source of data, and one purpose of establishing the test sites was to implement the UAS Test Site Data Collection and Analysis Program (FAA, 2018). Yet, to date, the committee is unaware of a concerted or comprehensive effort by the FAA to collect or disseminate such data, despite known requests from research organizations as well as standards development organizations such as RTCA and the Drone Advisory Committee. The FAA established six of these sites in response to the FAA Modernization and Reform Act of 2012 (a seventh site at New Mexico State University existed prior to the establishment of these six). These test sites support the integration of UAS into the National Airspace System by making it easier for the UAS industry and other interested parties to field-test UAS systems and operational concepts. The FAA also implemented the Unmanned Aircraft Systems Test Site Data Collection and Analysis program to collect operational and test data from all of the test sites (FAA, 2018).

Finding: Additional empirical data are needed to support probabilistic risk analyses for UAS collision modeling. Some examples where relevant data are lacking or are being reported only on a voluntary basis include the following:

• UAS-encounter statistics to inform the assessment of midair collision risk,
• Low-altitude environmental data to inform the assessment of flight performance in cluttered environments, and
• Performance data for UAS detect-and-avoid technologies in conditions relevant to proposed operations beyond visual line of sight (e.g., the Center for UAS has established a public repository for voluntary reporting of detect and avoid data: https://sites.google.com/vt.edu/safe-repository).

Finding: Accepting risk is far easier when the risk is well quantified by relevant empirical data. Uncertain risk does not equate to high risk, however. By accepting the uncertain risk associated with a new technology, with reasonable mitigations, one can obtain the data needed to better quantify that risk. As the uncertainty diminishes, one can remove or augment the mitigations as appropriate. In the current environment, uncertain risk has made operational approvals for routine civil UAS operations difficult to obtain and, when issued, unnecessarily restrictive. As a result, the ability to collect data that might reduce uncertainty in the risk has been severely limited.

The previously acknowledged lack of empirical data and a methodology to obtain, protect, and analyze the data has been recognized by the FAA and industry. To the credit of both, the Unmanned Aircraft Safety Team (UAST) has been formed as a joint effort to begin addressing these issues and tasked to develop safety recommendations and enhancements relative to UAS operations based on the data.

The UAST and its charter are modeled after the very successful Commercial Aviation Safety Team and from the General Aviation Joint Steering Committee efforts to collect voluntarily submitted safety-related data from the manned aircraft community. Both groups have processes to obtain, analyze, and protect information gathered. Key to the success is transparency and the availability of findings and recommendations to the aviation community.

The UAST is developing a governance plan modeled after processes in place by these groups and includes the following core goals:

• Establish a systemic assessment process.
• Define stakeholder organization commitment.
• Define roles and responsibilities.
• Operate the UAST as a consensus-based collaborative effort.
• Foster voluntary participation.
• Ensure nonpunitive use of UAST information.
• Deidentify data (i.e., remove information on data origin).
• Ensure data quality.
• Ensure transparency of UAST process.

There is no publicly published timeline for the UAST to complete its work.

Finding: Processes and plans for the collection, retention, analysis, and protection of UAS operational and risk-related data are currently under development by the UAST.

Acquisition of better and timelier data is possible through the integration of smart sensor deployments and data analytics to provide improved situational awareness. This, when combined with uncertainty quantification, will improve our predictive ability for probabilistic risk analyses for UAS collision modeling.

Finding: Rapid advances in autonomous vehicles are providing effective integration of sensors and analytics. This presents an opportunity for the FAA to learn and test new models for better data collection and analysis with the aim of improving overall safety.

The persistent development of modeling and simulation tools in every engineering domain, and integration tools for multiphysics modeling, makes it possible to synthesize data sets where empirical data are impossible or infeasible to obtain. Physics-based air traffic simulations that incorporate unmanned aircraft, for example, can inform encounter models and perhaps reveal rare hazards that require scrutiny. The generation and analysis of simulation data can be as costly as flight-testing, however, and the results may provide false security, given inevitable deficiencies in simulation fidelity. Despite these caveats, computational analysis can provide evidence to support initial operational approval when empirical data are unavailable.

Simulation studies can further improve system safety by helping to identify unanticipated, emergent hazards. Exhaustive human- and hardware-in-the-loop simulations of operational scenarios, for example, can reveal problematic interactions that require remediation. For example, simulation studies/desktop games can be used to bring together the various stakeholders and serve as communication tools.

Finding: Computational models are being used scarcely and are not being fully taken advantage of to address with increasing accuracy and cost-effectiveness some of the current data deficiencies that might otherwise impede probabilistic risk analysis. In addition, even when computational models are being used, model prediction uncertainties are not always being calculated and no distinction is being made to distinguish between uncertainties due to lack of knowledge and those due to natural variability of the data.

A web-based repository for data is needed that includes empirical data as well as data resulting from simulation studies, risk analysis methodologies relevant to UAS integration, and other case and testing studies. Such a repository would benefit the whole community working on UAS integration by allowing collaborations, testing different methodologies on existing data sets, and allowing future users to better understand existing operations. The repository could also hold the data that will be collected as recommended by the UAST.

Other benefits of the repository include easily being able to update existing risk assessment analysis as new data become available and as data change, possibly due to newer risk mitigation implementations and changes in technology, speeding up the needed risk reassessment.

Such a repository would also present an opportunity for meta-analysis that combines the results from multiple studies to improve our understanding. By analogy to other data repositories (e.g., HIV database¹⁰), it would be useful to make analysis methods available within the repository). By controlling the analysis methodology, one can help to ensure the validity of the analysis methods and provide reproducibility of the results. In principle, there is a wealth of opportunistic data available by which to quantify/estimate risk and loss. Having a good central repository can help with the development and application of modern data science tools and machine learning algorithms to improve our understanding of risk factors and provide better predictions.

Finding: Currently, the FAA assumes responsibility for safety evaluation and delegates to the applicant assessing the risk of the proposed operation, without ensuring that the analysis tools are available to all proponents to guarantee a transparent process.

Finding: Guidance on how FAA’s UAS risk assessment process is used in decision making is undocumented, and the process is not broadly communicated. Documentation, including Order 8040.4B and Part 107.200, is inconsistent, lacks specific numeric guidance, and does not provide sufficient guidance for proponents.

Finding: Organizations like VaTech’s Mid-Atlantic Aviation Partnership have leveraged existing FAA guidance together with information from other sources like the U.S. Coast Guard’s Spread out, Transfer, Avoid, Accept, and

___________________

¹⁰ See https://www.hiv.lanl.gov/content/index.

Reduce (STAAR) model to elaborate on how the guidance might be used successfully and in a repeatable fashion. In addition, the pathfinder and partnership for public safety efforts have determined successful approaches.

Recommendation: The FAA should, within 6 months, collaborate with industry to define a minimum operational safety data set and develop a plan for the voluntary collection and retention by the operators in a central repository, following the model of the Commercial Aviation Safety Team (CAST) and the General Aviation Joint Steering Committee (GAJSC), with a goal of full implementation within 1 year. The FAA should also consult with the Drone Advisory Committee to help define the minimum operational safety data set and plan for collecting, archiving, and disseminating the data.

Recommendation: For operations approvals for which there are no standards, as operational data are collected and analyzed, the FAA should, as part of Improved Safety Risk Management,

• Publish requirements for operational approvals with associated restrictions that can be adjusted and scaled based on industry past experience and the accumulation of related data;
• Expand single operation approvals as experiential data accumulate and risks are assessed;
• Permit repeated or routine operations based on the accumulation and analysis of additional data; and
• Continuously update operational approval practices to incorporate emerging safety enhancements based on industry lessons learned until standards have been established.

The committee’s objective of recommending collecting data is to (1) develop data-driven models and not models based on subject matter experts and (2) to move to quantitative PRA methods instead of qualitative ones.

REFERENCES

Canadian Aviation Regulations. 2018. SOR/96-433, Aeronautics Act, Subpart 6, ¶606.02, Liability Insurance. http://laws-lois.justice.gc.ca/eng/regulations/SOR-96-433/FullText.html#s-606.02.

Cox, L.A. 2008. What’s wrong with risk matrices? Risk Analysis 28(2):497-512. https://doi.org/10.1111/j.1539-6924.2008.01030.x.

DOT (Department of Transportation). 2018. “Mission.” https://www.transportation.gov/tags/about-us. Accessed August 31, 2018.

FAA (Federal Aviation Administration). 2016. Order 8000.369, Safety Management System (SMS). Federal Aviation Administration, Washington, D.C.

FAA. 2017. Order 8040.4B, Safety Risk Management Policy. Federal Aviation Administration, Washington, D.C.

FAA. 2018. UAS Test Sites. https://www.faa.gov/uas/research/test_sites/.

Fischhoff, B., and M.G. Morgan. 2008. The science and practice of risk ranking. Horizons 10(3):40-47.

Florig, H. K., M.G. Morgan, K.M. Morgan, K.E. Jenni, B. Fischhoff, P.S. Fischbeck, and M.L. DeKay. 2001. A deliberative method for ranking risks (1): Overview and test bed development. Risk Analysis 21(5):913-921.

Ijjasz, E., and L. Tlaiye. 1999. “Comparative Risk Assessment.” Pollution Management in Focus, The World Bank Discussion Note 2 (February).

Kopardekar, P. 2017. “Unmanned Aircraft Systems Traffic Management (UTM): Safety Enabling UAS Operations in Low-Altitude Airspace,” presentation by P. Kopardekar to the Committee on Assessing the Risks of UAS Integration, Irvine, CA, December 13.

Law Library of Congress. 2016. Regulation of Drones: Australia, Canada, China, France, Germany, Israel, Japan, New Zealand, Poland, South Africa, Sweden, Ukraine, United Kingdom, European Union. https://www.loc.gov/law/help/regulation-ofdrones/regulation-of-drones.pdf.

Melnick, E.L., and B. Everitt, eds. 2008. Encyclopedia of Quantitative Risk Analysis and Assessment. John Wiley, Chichester, UK/Hoboken, N.J.

NRC (National Research Council). 2010. Review of the Department of Homeland Security’s Approach to Risk Analysis. The National Academies Press, Washington, D.C.

Transport Canada. 2018. “Proposed Rules for Drones in Canada.” www.tc.gc.ca/eng/civilaviation/opssvs/proposed-rulesdrones-canada.html.