Setting the target level of safety for unmanned operations has been causing difficulties across the industry for a while. This article seeks to go back to the basics of safety-risk management and build up a series of arguments in defining what should be acceptable. In its most simplistic manner, risk management seeks to answer the questions: how many people can I kill and how often can I kill that number of people? This is rather different from the “safety by compliance” argument that has been followed by some high-consequence industries and some elements of the incomplete aviation jigsaw of safety regulation.
There are various different population groups that might be affected by UAM operations. Those inside the vehicle may be killed when the vehicle impacts the ground after a structural failure. The regulation of this risk in conventional aviation falls to the national aviation safety regulator. Their remit is to consider an aircraft’s occupants. Rarely are they given powers to oversee the risk exposure of those not intending to fly on-board the machine itself. A maintenance worker at a vertiport may be killed when swapping the batteries around between flights or a ground worker might be killed when walking into a propeller. The regulation of these risks in many countries falls under the national agency for industrial accidents, not transport accidents. A person living underneath the intended flightpath might be killed by blunt force trauma having been hit by a crashing vehicle or by an article (such as a cargo pod) dropped from the vehicle. This may be regulated by local or regional government planning policy makers but it could fall under the industrial or transport risk regulators in other countries. There is also a regulatory issue when it comes to the transport of hazardous materials.
There is no doubt that the use of UAM for transport of medical supplies and test samples is a high-benefit area to be exploited. However, if there were to be a crash and the sample containers broke, then the possibility of blood-borne pathogens being released at the crash site will be present. If this were to happen at a crowded market then many people could be infected. This is one example of the low probability, high consequence operation that may have to be considered by many government agencies. The workers for the agency that investigates UAM transport accidents may also be exposed to harm, as may other first-responders, if the materials within the UAM generate post-crash problems. Carbon fibre ingestion into the lungs, battery explosions, etc., all need to be controlled. Regulation may again be a multi-agency problem.
To complicate the multi-agency regulation of UAM operations, there is of course the problem of trans-national boundary operation of the vehicle and/or by a commercial operator. Mutual recognition of competency to regulate can help but what if the national target level of safety in the country issuing the operating licence is lower than the target level of safety in the country of operation? Flags of convenience, similar to shipping, might start to pop-up for UAM operators.
Having defined the basic areas to consider, then further sub-division may be necessary to establish the target level of safety. The occupants of the vehicle fall into different groups. There may be a driver/pilot/operator on-board to take over control if required. This person would fall into a risk bracket of an industrial worker who derives financial benefit from the risk exposure. This might be the boundary condition for establishing their risk exposure. It is unlikely that they would be in a special category of worker, such as a classified nuclear worker, so standard limits would apply. This would then determine the number of flights and/or accumulated flight time that they could operate for.
The passengers on-board derive some benefit from the flight, such as reduced transit times, although they have the disadvantage of having to pay for the flight. The passenger group may need to be split between high frequency users (super commuters) and occasional users. The super commuter category may need to travel using the vehicles on a frequent basis but may be expected to have some knowledge of the risks involved whereas taking a one-off flying taxi ride for a birthday thrill may be a once in a lifetime experience. There can be regulatory divergence at this point. Regulators that use a public policy to reduce overall risk exposure might say that if using the flying vehicle is safer than the road vehicle then that will be acceptable as the first measure. Regulators that take the aviation targets for commercial airliners might refuse the same proposed operation. This question has arisen in several different forms across the decades. Offshore workers in the oil and gas extraction industry have to travel to rigs. There are significant risks associated with port to rig transfer and vice versa using a ship. These risks were higher than the heliport to rig and vice versa transfer by helicopter. Helicopter commercial flight operations pose a more significant risk than normal fixed-wing flying. Eventually, the public policy debate of the safest way to transport the workers came out with helicopter operations being approved. Over the decades, significant advances were made in helicopter safety to help close the gap towards fixed-wing targets.
There are two other aspects to managing the risk of UAM operations that will pose limits on the operation. The first of these is risk aversion. The public acceptability of an accident may have some variation with the numbers affected by an accident. A single accident with hundreds of fatalities that occurs once in a decade may be less acceptable than multiple accidents that kill one or two people in each event but reaches the same total numbers of deaths spread across the decade. Should small UAMs be regulated in the same manner as large commercial jet airliners or smaller regional airliners?
The second aspect is that of considering the peak to average ratio of risk exposure for an individual operation. Aviation operations usually consider the average risk exposure of a flight. The concept of peak risk is useful for defining operational limitations for safety related reasons. A flight in daylight, with blue sky and very light winds, between two vertiports in flat terrain areas and with good navigation coverage might constitute a below-average probability of fatal accident. The opposite may be true that a flight at night, with thick low cloud, rain, turbulence, lightning, and operations from congested city rooftops with plenty of man-made obstacles in a high elevation city during a GPS outage might constitute an above-average probability of a fatal accident. How much higher than the average risk is it reasonable to expect the passengers to tolerate?
There is also a final question lurking in the wings about risk acceptability. The legal acceptability of risk may be a higher standard than the regulatory standard. It may be possible to meet the aviation safety regulatory requirements but still be caught by the legal expected duty of care trap.
Having set out the basic questions in this blog, the follow up articles will address each of these items in turn.
David Gleave is an aviation safety investigator with over 25 years’ experience in predictive hazard identification, human error identification and the definition of organizational responsibilities within aviation safety management systems. He has contributed to several major aviation accident and incident investigations on six continents.