Safety / Security
Safety is the highest priority consideration driving the design and planning of the AAM system, and of integrating new technologies into the NAS.
Safety manifests in technical, regulatory, and societal acceptance issues throughout this space.
Safety is a fundamental condition in order for UAM or AAM activities to be accepted by regulators, users and the general public.
Automation means there is no pilot onboard an unmanned aircraft to “see and avoid” other traffic, to avoid potential collisions with other airspace users, obstacles, severe weather conditions, as well as other dangerous situations.
As a consequence, detect and avoid (DAA) capability is one of the key enablers, among many others, for the safe integration of unmanned aircraft into non-segregated airspace.
With respect to aircraft themselves, ongoing so-called “flying taxi” projects are aimed at the development and introduction within a few years of highly automated UAS available for use as taxis by the general public.
Such new types of aircraft designed to carry passengers will require a combination of certification requirements from both manned and unmanned aircraft categories, and considerable work will be required to define the adequate combination of such certification requirements.
AAM must demonstrate the high safety levels expected by the public for modern air transportation systems.
Safety in today’s NAS is very high for commercial air travel.
However, the smaller airplanes and rotorcraft in the general aviation fleet trail commercial aviation in safety, with a fatality rate that exceeds automobile travel (on the basis of passenger miles traveled).
Many of the causes of fatalities in general aviation are operational and are due to human factors or inherent vulnerabilities of legacy aircraft such as their age.
The ultimate goal for new systems is the best possible safety.
AAM systems that only achieve general aviation safety rates will not be viable.
Safety management in the NAS today builds margin around these vulnerabilities.
Placing trained humans in the loop to manage safety and building in procedural safeguards such as traffic spacing requirements are both examples.
AAM introduces several underlying changes that correspondingly require new methods to be brought to bear in the approach to safety.
Electric propulsion and increasing levels of automation may reduce the instances of certain causal factors but increase instances of other factors or introduce new causes altogether.
Similarly, new technology introduced in ATM may experience a similar effect.
The system-wide-level complexity of an airspace system supporting AAM can introduce unforeseen interactions that create new hazards to plan for and mitigate.
Safely implementing this new capability in the NAS will first require gaining experience in a low-risk environment and gathering data with which to learn and improve.
Software does not fail like hardware. Instead, it almost always executes the instructions it was given.
UAM Operation Safety: The invulnerability level of the aircraft ecosystem, and respectively of the society.
AAM will have to demonstrate the high safety levels expected by the public for modern air transportation systems.
Emerging technologies present new cybersecurity risks and vulnerabilities that will have to be managed.
Architectural decisions include specifications sufficient for future standards and implementation development in areas such as the following:
- System architecture framework—defining the principal elements, functions, and interfaces of the system;
- Communications—assumed communications capabilities, including decisions for spectrum, data exchange,and cybersecurity standards;
- Approaches to adapting architectural function and components over time; and
- Evolution of existing safety evaluation approaches.
Key attributes of urban flight management comprises the ability to operate safely and efficiently in the UOE.environment:
-obstacle-challenged urban UAM aerodromes
- wind fields that may approach aircraft operational limits
- in proximity to areas where winds may exceed these limits (e.g., certain urban canyons with adverse wind patterns)
- high-tempo operations when utilizing key system resources (e.g., takeoff and landing area of high-utilization aerodromes)
- precise 3D and 4D trajectory operations
- operation at close to separation minima from obstacles
- limited opportunities for emergency landings away from aerodromes and designated emergency landing sites
Aircraft cabins are designed to provide high levels of safety for passengers and cargo in both nominal operations and off-nominal and contingency events.
This encompasses seat belts that are both effective and simple to use and, ergonomically designed spaces that reduce accidents and injuries.
Aircraft are designed with integrated crashworthiness principles.
Airframe structural designs and other safety technologies (e.g.,energy-absorbing seats) support occupant survivability in crash landings.
Passenger comfort considerations, such as cabin noise and vibrations, are also critical for cabin acceptability.
Aircraft are designed so that necessary maneuvers do not provide significant adverse impact to passenger comfort.
For example, they will minimize cabin vibration and noise, provide effective climate control , and assure passenger safety and to minimize discomfort during turbulence.
Cabins are developed based on extensive consumer research and testing to develop strong understanding of metrics for passenger acceptance (e.g., ambient noise, natural and powered illumination, vibration, temperature, seating acceptability, and ride quality).
Designs also account for safe and efficient access to the cabin by passengers, including children and persons with disabilities.
Cabin designs support communication between passengers by reducing ambient noise (e.g., through active noise cancellation) and/or providing headsets, and cabins generally support other conveniences, such as personal communication devices and room for luggage.
Security is already a high priority in today’s NAS, but the approach and technologies employed will need to change and expand their footprint as AAM systems are scaled.
There exists a security gap around the need to prevent disruption to operations via attacks on digital communications links, the data that flows over them, or satellite-based positioning systems.
Aspects of security today that are based on trust between humans such as voice communications between pilots and ATC will need to be approached differently as digital links proliferate and potential points of attack from the cyber realm are introduced.
Technology gaps also exist with respect to safely managing fallback navigation methods for autonomous systems in the event of global navigation satellite system outages or spoofing.
Other areas of system-wide security exist for specific applications such as UAM, including security at vertiports or for air taxi passengers in flight.
UAM aerodromes are designed and built with safety and security infrastructure in place so trusted travelers can move through the system with ease, passenger’s safety is ensured, and bad actors are prevented from doing harm. Access is limited both for passenger waiting areas and for access to the physical aircraft. Passenger and cargo screening are expeditious, as long wait times would detract from the value of UAM being a time -saving mode of transportation. UAM is a popular mode of transporting people to larger airports, so some UAM aerodromes may be outfitted with Transportation Security Administration (TSA) security so that passengers can be cleared for boarding their flight prior to reaching the airport.
Security consists of both physical security and cybersecurity.
In the UOE, cybersecurity takes an even more outsized role than it does today given the reliance on automated systems to control aircraft.
Physical security entails, for example, security of the aircraft, UAM aerodrome, and allowing only ticketed passengers beyond a security checkpoint.
Because of the dependence of AAM on software, cybersecurity will be a potential critical vulnerability.
While cybersecurity efforts in the past have focused primarily on information security and privacy, the safety-critical element here changes the consequences and amplifies the challenge.
For example, the cybersecurity challenge in AAM is not to prevent the theft of information from vehicles or passengers but to prevent outsiders from making the system and software behave unsafely.
AAM faces several cybersecurity concerns: threats to onboard networks and code, attacks on vehicle/ATC datalinks, and introduction of adversarial or incorrect data potentially used for safety-critical decisions and/or machine learning.
Research in cybersecurity for onboard networks and traditional flight software is required to improve automated analysis and test to reduce software and data handling costs.
Datalink security will require diversity and redundancy in communication links and new strategies for capturing cutting-edge cryptography strategies into living standards capable of assuring data authenticity despite evolving network attacks.
Research is also needed to recognize and minimize the impacts of adversarial training examples in learning systems capable of adapting to new or unexpected percepts or data sets.
It is almost impossible to keep hackers out of any systems today, and AAM systems will not be an exception.
In terms of vulnerability, AAM will depend on the operation of other complex software-intensive systems such as ATC, Global Positioning System, and various types of shared communication systems.
If AAM becomes an important infrastructure component in the US, adversaries will find it a tempting target in any attack scenarios.
Current cybersecurity approaches that rely on threat analysis, maintaining impenetrable boundaries, and focusing primarily on information security will not be adequate for AAM missions involving safety-critical operations performed by automated systems.
Current airworthiness hardware and software cybersecurity techniques do not accommodate AAM platforms.
NASA has initiated research into the area of complex autonomous systems to include leveraging of cybersecurity-related investigations performed by other agencies.
NASA does not establish standards, which are the purview of the FAA.
Nevertheless, NASA demonstrates techniques, which are then incorporated into certification policy or standards, and those in turn are adopted by FAA.
In the process of sensing and modeling physical world systems, practitioners have evolved the idea of creating validated digital models of the physical system, often called “digital twin.”
A digital twin is a model that is designed to accomplish a specific, limited, engineering purpose—for example, predictive maintenance. It is codesigned with the physical system that must be instrumented to provide behavior and performance information to be delivered intermittently to the model’s database—but only that information that is required for the purpose of the model.
Digital twins are already proven to be viable for predictive maintenance.
A digital twin for that purpose need not receive updates second by second.
Maintenance is typically only performed when the system is out of service and on the ground.
Digital twins have proven to be a viable engineering tool for select purposes, and those purposes are important in aviation.
Such models allow developers and operators to analyze system behaviors in various conditions and with various failure modes to generate the data necessary to assess end-goal objectives.
For the airspace system, the digital model can serve multiple objectives including safety assurance, system performance, failure tolerance/ resilience, resource efficiency, and accommodating new applications and air operations.
The use of “digital twins” is an important part of modern digital control and system development technologies and thus can be used to guide airspace design and vehicle integration in urban settings.
However, the digital model is constantly at risk of losing coherence with its physical ground-truth counterpart.
Divergence can lead to digital model performance degradation and loss of validity.
Underlying this is the fact that regardless of whether the software model keeps pace, the state of the physical world moves forward through time.
In the aviation case, aircraft move forward through the airspace, the weather changes, and operators take action every second.
For this reason, metrics to establish and continuously track digital model validity are essential.
In addition, this continuous coherence requirement also establishes the need for the physical system to produce its own data as a normal system output in suitable form to allow the digital modal validity tracking.
Cyber-physical security plays a critical role in the safety and resilience of any AAM system.
Achieving cyber-physical security will require new methods, and it will have to be implemented throughout the system in order to support actual security as well as to build public trust in AAM.
Public trust in autonomous systems involves security as well as transparency for the public, and this will be a pervasive theme as more autonomous systems (e.g., air, ground, and other) deploy in society.
RESILIENCE - CONTINGENCY MANAGEMENT
Resilience - Contingency management: the ability to manage the expected and the capability to recover from the unexpected, will be a key to success.
Resilience of a system is a measure of the ability to recover quickly from random or intentional disruptions while maintaining an appropriate degree of functionality.
Fault tolerance and recoverability in today’s NAS is based on a combination of redundant systems in aircraft and throughout the flight environment, as well as processes that rely on trained humans to respond to contingencies.
Thus, fault tolerance and recoverability today are handled in some cases through design of systems and in other cases through operational procedures.
AAM systems must be able to maintain required minimal functionality when components of the system suffer degradation or outage and have the ability to efficiently recover from contingency events or situations.
This applies both at the vehicle level and across the airspace and throughout mobility systems where degradation in one part can have knock-on effects elsewhere.
In the initial implementations, the approach will be similar to today, through design of redundant systems as well as processes with humans in the loop to cover various functions throughout the system. However, as scale and complexity increase, this capability will increasingly need to be handled by systems designed for the task as scale and complexity pass thresholds exceeding the ability for humans to intervene directly.
Collection, analysis, and dissemination of sound system reliability data will play an important supporting role here.
Additionally, it will be important to consider security and human factor aspects in any potential solutions.
Due to the expected increase in the number of aircraft operations per day, and an observed steady-to-decreasing pilot training pipeline, autonomy for contingency management will be an essential component of AAM.
Contingency management is the capability to manage, reduce, or eliminate unanticipated risk to persons, property, or other aircraft due to off-nominal events associated with vehicle operations.
Encoding well-established contingency management procedures into autonomy will provide a rich baseline capability for automated con- tingency management in the near term.
These procedures can be certified using a combination of existing and emerging certification practices to provide assurance that they will activate and execute safely and correctly.
Software-based evaluation tools can be applied to rigorously evaluate autonomy for well-defined deterministic contingency management to reduce the manpower and cost required to use today’s certification practices.
Real-time data processing will be required to enable appropriate autonomous perception, decision-making, and action outcomes in contingency management cases not recognized and matched with established procedures. In such cases, pilots, especially inexperienced pilots, would also be required to ingest real-time data and adapt their situational understanding and decisions in real time. No guarantees of correct response are possible when either autonomy or pilots must learn in real time, yet learning and acting offers a better chance of survival or recovery than shutting down.
AAM will typically rely on a variety of real-time data sources for detect and avoid, traffic coordination, and access to data updates—for example, weather and winds.
Cyber resilience, the ability for a vehicle or local vehicle group to safely continue a flight operation despite loss or corruption of one or more datalinks or server connections, is an essential component of AAM contingency management.
PSUs provide preflight strategic deconfliction.
Strategic deconfliction includes planning operations to consider anticipated traffic density, aerodrome takeoff and landing capacities, forecasted weather, available emergency landing areas, as well as areas where permanent and temporary flight restrictions may be in place.
This strategic deconfliction is performed with input from and in coordination with multiple participants including the FAA (e.g., NOTAMs), other PSUs, fleet operators (via operationsplans), UAM aerodrome operators (e.g., available landing areas), and SDSPs (e.g., weather and other information) who all share relevant data over the PSU Network.
Entities providing data to or accessing data from the PSU Network adhere to appropriate data authentication and cybersecurity standards.
The data shared over the PSU Network, which includes information such as departure time, desired flight path, intended arrival destination, and alternate UAM aerodromes, is defined by industry consensusand approved by the FAA.
This data coversthe entire UOE and data sharing enables other fleet operators and PSUs to develop accurate operations plan routings based on traffic density and other elements.
Information from the PSU Network, detect-and-avoid (DAA) capabilities, and V2V information exchange enable tactical deconfliction and separation assurance in nominal situations, such as maintaining safe separation when following another aircraft or sequencing for landing.
They also support safety during off-nominal situations such as aircraft experiencing an emergency.
Due to the time constraints, DAA and onboard aircraft crew (when applicable), augmented by V2V information exchange, are the primary means of collision avoidance in situations where response times need to be in seconds, such as avoiding flocks of large birds or non-cooperative aircraft.
European Plan for Aviation Safety (EPAS) 2023-2025
Sarah Nilsson, J.D., Ph.D., MAS
602 561 8665
You can also fill out my
The information on this website is for EDUCATIONAL purposes only and DOES NOT constitute legal advice.
While the author of this website is an attorney, she is not YOUR attorney, nor are you her client, until you enter into a written agreement with Nilsson Law, PLLC to provide legal services.
In no event shall Sarah Nilsson be liable for any special, indirect, or consequential damages relating to this material, for any use of this website, or for any other hyperlinked website.
I endorse the following products